UPMC is required to adhere to rules established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which is a federal law governing:
HIPAA applies to health care providers, health plans, health care clearinghouses and such third parties that perform services involving PHI or that exchange electronic data on behalf of UPMC (referred to as Business Associates). HIPAA has been modified on a number of occasions, as more fully described below.
In order to comply with HIPAA, UPMC developed the “UPMC Terms and Conditions" (PDF) for Business Associates” that all of UPMC’s Business Associates must adhere to.
The American Recovery and Reinvestment Act of 2009 (ARRA) included provisions that modify HIPAA. These provisions required, among other things, that UPMC amend the “UPMC Terms and Conditions (PDF) for Business Associates.”
As a result, UPMC developed the following documentation:
In January 2013, HIPAA was further revised by what is known as the HIPAA Omnibus Rule. The HIPAA Omnibus Rule includes obligations in addition to those that were set forth under HIPAA and ARRA. Further, the HIPAA Omnibus Rule includes changes to the obligations of Business Associates, requiring a Second Amendment to the “UPMC Terms and Conditions for Business Associates.”
As a result, UPMC also has developed the following documentation in order to comply with the HIPAA Omnibus Rule:
UPMC also must address requirements related to the Federal Trade Commission’s (FTC) “Red Flag” Rules. The Rules were issued under the Fair and Accurate Credit Transactions Act (FACTA). The purpose of the Rules is to aid in the prevention, mitigation and response to incidents of identity theft.
FACTA has been interpreted so that health care providers, such as UPMC, are “creditors” and are therefore subject to the Rules. The Rules provide that a creditor is responsible for ensuring that its service providers are in compliance with the Rules as well.
As a result, to the extent that you have access to any UPMC information that may be used to commit identity theft (such as names, Social Security numbers, account numbers, and birth dates), you agree to the following:
Questions about HIPAA, the ARRA guidelines for business associates or the "Red Flag" Rules should be directed to the Customer Service Group of Supply Chain Management at 412-647-8070. Detailed information about the HIPAA Privacy Rule may be found on the website of the U.S. Department of Health and Human Services.
To ensure that UPMC information systems and sensitive information remain secure, UPMC requires that all organization seeking access to UPMC information systems have an authorized individual first sign the “UPMC Third Party Computer Systems Access Agreement”. Further, the organization must have each staff member sign the “UPMC Confidentiality Agreement for Third Party Staff Accessing UPMC Information Systems” prior to the staff member being provided with access to UPMC information systems.
This is a requirement separate from and in addition to any other agreements that may be in place with the organization. (e.g., Clinical Trial Agreement, Master Clinical Trial Site Agreement).
With the large number of agreements in place, it is not possible to track and ensure compliance with any variations to the terms of these agreements. Therefore, modifications to neither agreement can be accepted.
UPMC has made every attempt to ensure that these agreements are reasonable and consistent with accepted industry practices. They have been agreed to by many organizations without modification.
We appreciate your support as UPMC takes appropriate steps to protect its information systems and sensitive information.