University of Michigan Procurement Services

FAQs

Contacts

Green Purchasing

Glossary

Forms

Doing Business w/U-M

HIPAA COMPLIANCE

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. While the title suggests that this rule only applies to insurance information, a major part of HIPAA addresses the privacy of "Protected Health Information," the patient's health information (PHI).

PHI is information:

Sent or stored in any form

That identifies the patient, or can be used to identify the patient

That is created or received by a covered entity

That generally is about a patient’s past, present, and/or future treatment and payment of services

How does HIPAA affect vendors doing business with the University of Michigan?

HIPAA requires the University of Michigan to sign confidentiality agreements with all Business Associates. A Business Associate is someone who does not work for the University of Michigan and needs access to our patients’ protected health information (PHI).

In order for the University to share PHI with a Business Associate, a Business Associate Agreement must be signed by both parties.

What are some examples of when a Business Associate Agreement may or may not be required?

Scenario Business Associate Agreement with Vendor

1. Technical vendors who have access into computer systems or database containing PHI Required

2. Accreditation organizations Required

3. Temporary agencies that place personnel in areas where they may have access to PHI Required

4. Record storage facilities Required

5. Lawyers, accountants, consultants (non-university employees) Required

6. A non-covered entity with access to PHI (e.g. orthotics manufacturer) Not required if the entity is also a health care provider

7. Vendors who only have incidental access usually are not considered Business Associates (e.g., copy repair technicians) Not required

Who should I contact if I have questions about my contract with the University of Michigan?

Vendors uncertain of their status as a Business Associate should contact the Procurement buyer handling their current contract. Contact information for the Procurement Teams is available on the Contacts page.

Where can I find more information about HIPAA?
Visit the United States Department of Health and Human Services web site http://www.hhs.gov/ocr/hipaa/.

University of Michigan Procurement Services, 3003 South State Street, Ann Arbor, MI 48109 Phone 734-764-8212
Copyright © 2007 the Regents of the University of Michigan