Administrative Announcement

Recent regulations under the Health Insurance Portability and Accountability Act (HIPAA) require that the University sign "business associate agreements" with vendors who do work for the University and its departments that involves access to Protected Health Information.

• Sent or stored in any form,
• That identifies a patient, or can be used to identify a patient,
• That is created or received by a covered entity, and
• That generally is about a patient's past, present, and/or future treatment or payment of services.

As part of a much larger HIPAA compliance and education effort, the University and Hospitals have been working together for several months to identify their respective business associates and to implement business associate agreements with them by the initial April 14, 2003 HIPAA compliance date. While we believe we have already identified those departments and offices that are most likely to have business associate relationships, we wanted to make sure you are aware of this new requirement so that you can bring to our attention any existing relationships in your area of responsibility that might involve vendor access to Protected Health Information, and so that you can spot these relationships as they may develop in the future.

Note that business associate agreements are not required where Protected Health Information is being disclosed to an outside party for research purposes, but that other regulations govern such research disclosures.

For each existing and future business associate relationship, we must have a business associate agreement in place. The University's Central Procurement Services (CPS) has appropriate form agreements for this purpose, and can assist you with any question you might have. Please contact Gene Suwanski, Director, g-suwanski@uchicago.edu, or Diane Stanek, Associate Director, d-stanek@uchicago.edu, at CPS at 702-3320.