
Guidelines for Business Associates


View UPMC’s current HIPAA Terms and Conditions (PDF).

HIPAA

UPMC is required to adhere to rules established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law governing:

  • The privacy of identifiable health information—referred to as protected health information (PHI)—regardless of the format in which it exists (this includes electronic, written, and verbal information)
  • Electronic data interchange and code set standards
  • Security of PHI

HIPAA applies to health care providers, health plans, health care clearinghouses and such third parties that perform services involving PHI or that exchange electronic data on behalf of UPMC (referred to as Business Associates). HIPAA has been modified on a number of occasions, as more fully described below.

In order to comply with HIPAA, UPMC developed the “UPMC Terms and Conditions for Business Associates” (PDF), to which all of UPMC’s Business Associates must adhere.

American Recovery and Reinvestment Act (2009)

The American Recovery and Reinvestment Act of 2009 (ARRA) included provisions that modify HIPAA. These provisions required, among other things, that UPMC amend the “UPMC Terms and Conditions for Business Associates” (PDF).

As a result, UPMC developed the following documentation:

  • “First Amendment to the Business Associate Agreement” (PDF).
    This amendment modifies those terms that UPMC was required to change due to ARRA. If UPMC negotiated HIPAA Business Associate terms and conditions with you prior to February 17, 2010, this First Amendment modified those terms and conditions. By continuing to perform services after February 17, 2010, you agree to comply with the “First Amendment to the Business Associate Agreement.”
  • “ARRA Revised Terms and Conditions for Business Associates” (PDF).
    These terms consolidated the terms from the “UPMC Terms and Conditions for Business Associates” and the “First Amendment to the Business Associate Agreement.” If you were a new Business Associate after February 17, 2010, you agreed to comply with the “ARRA Revised Terms and Conditions for Business Associates.”

HIPAA Omnibus Rule (2013)

In January 2013, HIPAA was further revised by what is known as the HIPAA Omnibus Rule. The HIPAA Omnibus Rule includes obligations in addition to those that were set forth under HIPAA and ARRA. Further, the HIPAA Omnibus Rule includes changes to the obligations of Business Associates, requiring a Second Amendment to the “UPMC Terms and Conditions for Business Associates.”

As a result, UPMC also has developed the following documentation in order to comply with the HIPAA Omnibus Rule:

  • “Second Amendment to the Business Associate Agreement” (PDF).
    This amendment modifies those terms that UPMC was required to change due to the HIPAA Omnibus Rule. If UPMC negotiated HIPAA Business Associate terms and conditions (including the “First Amendment to the Business Associate Agreement”) with you prior to September 23, 2013, by continuing to perform services after September 23, 2013, you agree to comply with the “Second Amendment to the Business Associate Agreement.”
  • “HIPAA Omnibus Rule Revised Terms and Conditions for Business Associates” (PDF).
    These terms consolidated the terms from the “UPMC Terms and Conditions for Business Associates,” the “First Amendment to the Business Associate Agreement,” and the “Second Amendment to the Business Associate Agreement.” If you are a new Business Associate after September 23, 2013, you must comply with the “HIPAA Omnibus Rule Revised Terms and Conditions for Business Associates.”

FTC "Red Flag" Rules

UPMC also must address requirements related to the Federal Trade Commission’s (FTC) “Red Flag” Rules. The Rules were issued under the Fair and Accurate Credit Transactions Act (FACTA). The purpose of the Rules is to aid in the prevention, mitigation and response to incidents of identity theft.

FACTA has been interpreted so that health care providers, such as UPMC, are “creditors” and are therefore subject to the Rules. The Rules provide that a creditor is responsible for ensuring that its service providers are in compliance with the Rules as well.

As a result, to the extent that you have access to any UPMC information that may be used to commit identity theft (such as names, Social Security numbers, account numbers, and birth dates), you agree to the following:

  • You have implemented sufficient precautions (policies and procedures) to prevent, detect, and mitigate identity theft; and
  • You have trained your appropriate staff/employees on these policies and procedures as required by the Red Flag Rules.

Questions about HIPAA, the ARRA guidelines for business associates or the "Red Flag" Rules should be directed to the Customer Service Group of Supply Chain Management at 412-647-8070. Detailed information about the HIPAA Privacy Rule may be found on the website of the U.S. Department of Health and Human Services.

Third Party Access Agreements

To ensure that UPMC information systems and sensitive information remain secure, UPMC requires that every organization seeking access to UPMC information systems have an authorized individual first sign the “UPMC Third Party Computer Systems Access Agreement.” Further, the organization must have each staff member sign the “UPMC Confidentiality Agreement for Third Party Staff Accessing UPMC Information Systems” before that staff member is provided with access to UPMC information systems.

This is a requirement separate from and in addition to any other agreements that may be in place with the organization (e.g., Clinical Trial Agreement, Master Clinical Trial Site Agreement).

With the large number of agreements in place, it is not possible to track and ensure compliance with any variations to the terms of these agreements. Therefore, modifications to either agreement cannot be accepted.

UPMC has made every attempt to ensure that these agreements are reasonable and consistent with accepted industry practices. They have been agreed to by many organizations without modification.

We appreciate your support as UPMC takes appropriate steps to protect its information systems and sensitive information.

  • UPMC Confidentiality Agreement for Third Party Staff Accessing UPMC Information Systems (PDF)
  • UPMC Third Party Computer Systems Access Agreement (PDF)

Additional Resources

  • Initial version of UPMC Terms and Conditions for Business Associates (PDF)
  • First Amendment to the Business Associate Agreement (PDF)
  • ARRA Revised Terms and Conditions for Business Associates (PDF)
  • Second Amendment to the Business Associate Agreement (PDF)
  • HIPAA Omnibus Rule Revised Terms and Conditions for Business Associates [For use with new and revised Business Associate relationships] (PDF)
  • Business Associates Cover Letter (PDF)
  • Guidance for Business Associates (PDF)

Updating Your Business Information

If your information is incorrect on our Business Associates listing below, please fill out this form to update your contact information.

  • UPMC Business Associate Listing (PDF)
UPMC
200 Lothrop Street Pittsburgh, PA 15213

412-647-8762 800-533-8762

© 2025 UPMC I Affiliated with the University of Pittsburgh Schools of the Health Sciences Supplemental content provided by Healthwise, Incorporated. To learn more, visit healthwise.org