Protected Health Information (HIPAA)

Why is this Important:
Institutions of higher education may have obligations regarding the use of data under federal, state, or local laws, regulations, or contractual obligations. Generally speaking, an institution cannot shed such obligations by contracting with a third party to perform functions that use regulated data; the institution remains responsible for the data. Clauses that instruct contracting third parties about the applicable regulatory requirements help protect the institution in the event of an unauthorized disclosure or breach. Contracts between the HIPAA-covered components of an institution and a third party must include a Business Associate Agreement whenever the third party will create, receive, maintain, or transmit protected health information on the institution's behalf.

Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, § 264 (1996), codified at 42 U.S.C. § 1320d; Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule), 45 C.F.R. pt. 160 and 45 C.F.R. pt. 164, subpts. A, E (2002); Security Standards for the Protection of Electronic Protected Health Information (the HIPAA Security Rule), 45 C.F.R. pt. 164, subpts. A, C.

Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)

Criticality: Category 1, Category 2, and Category 4.

Sample RFP Language:

  1. Proposer may create, receive from or on behalf of Institution, or have access to, records or record systems that are subject to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191). Describe the security features incorporated into the product to safeguard records subject to HIPAA.
  2. Does the Proposer monitor the HIPAA Security Rule (45 C.F.R. pt. 164, subpts. A, C), including both its required and its addressable implementation specifications, and the Proposer's own information security practices to ensure continued compliance? If yes, describe the Proposer's monitoring activities and their frequency.


Sample Contract Clauses:

  1. HIPAA Compliance. [Vendor] agrees that it will execute a HIPAA Business Associate Agreement ("BAA") with Institution, and that the BAA will be in the form set forth in Exhibit D, HIPAA Business Associate Agreement, attached and incorporated for all purposes.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).