Guidelines for Business Associates
UPMC is required to adhere to rules established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (the Privacy Rule). HIPAA, a federal law, governs:
- The privacy of identifiable health information – referred to as protected health information (PHI) – regardless of the format in which it exists (this includes electronic, written, and verbal information)
- Electronic data interchange and code set standards
- Security of PHI
HIPAA applies to health care providers, health plans, health care clearinghouses, and third parties that perform services involving PHI or exchange electronic data on behalf of UPMC.
American Recovery and Reinvestment Act
On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA). ARRA, also known as the federal stimulus bill, includes both privacy and security related provisions that require, among other things, an amendment to the HIPAA Business Associate Terms and Conditions that UPMC has in place with third parties that have access to patient information (called Business Associates).
As a result, UPMC has developed the following documentation:
- UPMC Terms and Conditions (PDF) for Business Associates. These are the terms and conditions that UPMC has historically required its HIPAA Business Associates to comply with.
- First Amendment to the Business Associate Agreement (PDF). This amendment modifies those terms that UPMC is required to amend due to ARRA. If UPMC negotiated Business Associate terms and conditions with you, this amendment modifies those terms and conditions.
If we negotiated HIPAA Business Associate terms and conditions, by continuing to perform services after February 17, 2010, you agree to comply with the First Amendment to the Business Associate Agreement.
- ARRA Revised Terms and Conditions for Business Associates. These terms consolidate terms from the “UPMC Terms and Conditions for Business Associates” and the “First Amendment to the Business Associate Agreement.”
If you either (a) agreed to the UPMC Terms and Conditions for Business Associates or (b) are a new Business Associate, by continuing to perform services after February 17, 2010, you agree to comply with the Revised Terms and Conditions for Business Associates.
FTC "Red Flags" Rules
UPMC must also address requirements related to the Federal Trade Commission’s (FTC) “Red Flags” Rules. The Rules were issued under the Fair and Accurate Credit Transactions Act (FACTA). The purpose of the Rules is to aid in preventing, mitigating and responding to incidents of identity theft.
FACTA has been interpreted so that health care providers, such as UPMC, are “creditors” and are therefore subject to the Rules. The Rules provide that a creditor is responsible for ensuring its service providers are in compliance with the Rules as well.
As a result, to the extent that you have access to any UPMC information that may be used to commit identity theft (such as names, Social Security numbers, account numbers, and birth dates), you agree to the following:
- You have implemented sufficient precautions (policies and procedures) to prevent, detect and mitigate identity theft; and
- You have trained your appropriate staff/employees on these policies and procedures as required by the “Red Flags” Rules.
Questions about HIPAA, the ARRA guidelines for Business Associates or the “Red Flags” Rules should be directed to the Customer Service Group of Supply Chain Management at 412-647-8070. Detailed information about the HIPAA Privacy Rule may be found on the website of the U.S. Department of Health and Human Services.