Standard for Business Associates to the University

Purpose

OU’s business associates will be required to enter into business associate agreements wherein they agree to protect OU’s patients’ PHI and use and disclose PHI only for the purposes for which the information was provided.

Scope

This standard shall apply to all Ohio University HIPAA covered entities. 

Standard

  1. The Privacy Officer (or a member of the OU staff designated by the Privacy Officer) will consider the proposed functions of each new OU vendor to determine whether the vendor will need to use and/or disclose PHI as part of its functions. A vendor that will use and/or disclose PHI as part of its functions is a business associate. A business associate agreement between OU and the business associate must be signed before the business associate receives PHI.
  2. A business associate will determine the minimum necessary type and amount of PHI required to perform services for OU. OU may rely on the professional judgment of business associates to determine the type and amount of PHI necessary for their purposes.
  3. OU is required by law to notify affected individuals without unreasonable delay (and not later than 60 days) after the discovery of a breach. See Standard #10, Breach Notification Standard.
    1. Although OU retains the ultimate legal responsibility for breach notification, it may delegate tasks related to breach notification to business associates.
    2. OU will work with each of its business associates to determine which tasks will be undertaken by the business associate in the event of a breach of the PHI that the business associate accesses or holds on behalf of OU. The allocation of tasks will be incorporated into a business associate agreement or otherwise memorialized so as to be available in the event of a breach.
  4. The Privacy Officer will review (or direct the review of) any complaints regarding privacy violations by a business associate.
    1. See Standard for HIPAA Complaints and Investigations for any complaint, inquiry or other notice to the Privacy Officer or to any member of the OU administrative staff that alleges inappropriate acquisition, access, use or disclosure of PHI (an “Incident”).
    2. If the Privacy Officer is aware of a material violation of the business associate’s duties with regard to privacy, the Privacy Officer will take reasonable steps to end the violation. If such steps are unsuccessful, the Privacy Officer will determine whether termination of the services contract is feasible.
  5. All executed Business Associate Agreements (BAA) must be submitted to Legal Affairs. 

Definitions

PHI – Protected Health Information.

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, in the interest of ensuring the privacy and security of individuals’ health information, as deemed appropriate based on current regulatory requirements.

Status: Approved

Effective Date: 09/24/2019