UNIVERSITY OF MAINE SYSTEM HIPAA GENERAL OPERATING POLICY #39 BUSINESS ASSOCIATES
I. Policy Statement
From time to time, the University of Maine System Health Care Component (“UMS”), may share protected health information with external parties referred to as business associates, who are specifically contracted to provide the UMS with services utilizing that health information. It is the policy of the UMS that protected health information may only be shared with business associates pursuant to an approved business associate agreement.
II Policy Purpose
A campus health care component is required to assure, to the extent practicable, that any business associate with whom it shares protected health information handles that information in compliance with privacy and security regulations. The purpose of this policy is to set forth the requirements necessary to document those efforts to assure that business associates, their agents, and sub-contractors, comply with HIPAA privacy and security standards, and that the campus knows of and has an opportunity to take remedial action regarding any breach thereunder.
III Policy Standards
Protected health information may only be shared with business associates pursuant to an approved business associate agreement.
Business associate agreements must be in writing and must contain UMS-approved HIPAA compliant language and authorized signatures.
If at any time the campus determines that a business associate has violated a material term or obligation under the agreement relating to HIPAA compliance, the Privacy Official shall be notified and shall seek to immediately remedy the breach or, if that is not possible, to alter or terminate the agreement. Violations may also be reported by the Campus to the Secretary of the U.S. Department of Health and Human Services.
Each campus that contracts for services with third parties with whom protected health information will be shared is responsible to assure that valid business associate agreements are executed.
Revised 05-09-05