
YALE-MSS-1.3.2: A Business Associate Agreement (BAA) is in place

Standard:
YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place


Low Risk Endpoint: Not Required
Moderate Risk Endpoint: Not Required
High Risk Endpoint: Not Required
Low Risk Server: Not Required
Moderate Risk Server: Not Required
High Risk Server: Required for HIPAA
Low Risk Mobile Device: Not Required
Moderate Risk Mobile Device: Not Required
High Risk Mobile Device: Not Required
Low Risk Network Printer: Not Required
Moderate Risk Network Printer: Not Required
High Risk Network Printer: Not Required

Details

A Business Associate Agreement (BAA) is required when Yale University discloses PHI to a business associate. It is also required when Yale allows a business associate to create or receive PHI on its behalf.

University HIPAA Policy defines a Business Associate as an entity or person who performs a function involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity (such as claims processing, case management, utilization review, quality assurance, billing) or provides services for a covered entity that require the disclosure of PHI (such as legal, actuarial, accounting, accreditation).

Whether an entity is serving as a business associate is determined by the HIPAA definition and Policy 5033.

Contact the University HIPAA Privacy Office to determine if a BAA is already in place with a vendor or if one is needed.