Guidelines for Business Associates

HIPAA

UPMC is required to adhere to rules established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (the Privacy Rule). HIPAA, a federal law, governs:

  • The privacy of identifiable health information – referred to as protected health information (PHI) – regardless of the format in which it exists (this includes electronic, written, and verbal information)
  • Electronic data interchange and code set standards
  • Security of PHI

HIPAA applies to health care providers, health plans, health care clearinghouses, and third parties that perform services involving PHI or exchange electronic data on behalf of UPMC.

American Recovery and Reinvestment Act

On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA). ARRA, also known as the federal stimulus bill, includes both privacy- and security-related provisions that require, among other things, an amendment to the HIPAA Business Associate Terms and Conditions that UPMC has in place with third parties that have access to patient information (called Business Associates).

As a result, UPMC has developed the following documentation:

  • UPMC Terms and Conditions (PDF) for Business Associates. These are the terms and conditions that UPMC has historically required its HIPAA Business Associates to comply with.
  • First Amendment to the Business Associate Agreement (PDF). This amendment modifies those terms that UPMC is required to amend due to ARRA. If UPMC negotiated Business Associate terms and conditions with you, this amendment modifies those terms and conditions.

    If we negotiated HIPAA Business Associate terms and conditions, by continuing to perform services after February 17, 2010, you agree to comply with the First Amendment to the Business Associate Agreement.
  • ARRA Revised Terms and Conditions for Business Associates. These terms consolidate terms from the “UPMC Terms and Conditions for Business Associates” and the “First Amendment to the Business Associate Agreement.”

    If you either (a) agreed to the UPMC Terms and Conditions for Business Associates or (b) are a new Business Associate, by continuing to perform services after February 17, 2010, you agree to comply with the Revised Terms and Conditions for Business Associates.

FTC "Red Flags" Rules

UPMC must also address requirements related to the Federal Trade Commission’s (FTC) “Red Flags” Rules. The Rules were issued under the Fair and Accurate Credit Transactions Act (FACTA). The purpose of the Rules is to aid in the prevention and mitigation of, and response to, incidents of identity theft.

FACTA has been interpreted so that health care providers, such as UPMC, are “creditors” and are therefore subject to the Rules. The Rules provide that a creditor is responsible for ensuring its service providers are in compliance with the Rules as well.

As a result, to the extent that you have access to any UPMC information that may be used to commit identity theft (such as names, Social Security numbers, account numbers, and birth dates), you agree to the following:

  • You have implemented sufficient precautions (policies and procedures) to prevent, detect and mitigate identity theft; and
  • You have trained your appropriate staff/employees on these policies and procedures as required by the Red Flags Rules.

Questions about HIPAA, the ARRA guidelines for business associates, or the "Red Flags" Rules should be directed to the Customer Service Group of Supply Chain Management at 412-647-8070. Detailed information about the HIPAA Privacy Rule may be found on the website of the U.S. Department of Health and Human Services.

Additional Resources

Updating Your Business Information

If your information is incorrect on our Business Associates listing below, please fill out this form to update your contact information.

©  UPMC | Affiliated with the University of Pittsburgh Schools of the Health Sciences