About Business Associates Agreements


Vendors providing services at CUIMC must have a Business Associates Agreement (BAA) if the service may create, store, maintain or transmit Protected Health Information (PHI), as per University Policy: https://universitypolicies.columbia.edu/content/business-associate-agreement

The CUIMC Privacy Office has information on its Business Associates page, including a list of current vendors with executed agreements, as well as examples and templates of BAAs.

For those who need to determine whether a BAA is required, the CUIMC IT Project Management Office offers the following workflow (see the outline of steps further below).

PMO BAA Workflow chart

BAA Workflow Steps

  1. Will PHI be shared?
    1. No - no BAA is required
    2. Yes - Is there an existing BAA?
      NOTE: If you are not sure, please check the Privacy Office's list of vendors: https://www.hipaa.cuimc.columbia.edu/business-associates
      1. Yes - workflow ends
      2. No - Will it be a Columbia BAA?
        1. Yes
          1. Send the Columbia BAA to the vendor for signature
          2. Submit Vendor signed BAA to the CUIMC Privacy Office
          3. BAA Review Process
            NOTE: If the vendor wants to change the language of the BAA, negotiations with CU privacy and legal will be required.*
          4. Fully Executed BAA
        2. No - Will it be an OHCA BAA?
          1. No (if PHI is being exchanged it must be either an OHCA or Columbia BAA; return to Yes above)
          2. Yes
            1. Submit the OHCA BAA request along with the service agreement to the CUIMC Privacy Office
            2. Columbia signed OHCA BAA and summary of services submitted to NYP PMO and WCM privacy for review/signature
            3. NYP PMO and Legal review and signature
              1. If needed, WCM privacy and legal review and signature
            4. The OHCA BAA with 3 institution signatures is sent to the vendor for signature
              NOTE: If the vendor wants to change the language of the BAA, negotiations with CU, WCM, and NYP privacy and legal will be required.
            5. Fully Executed BAA

* Columbia prefers obtaining the vendor signature first; NYP prefers the vendor signing last.