New contracting requirement to better protect health information, reduce risk to UTSW

August 13, 2021

When patients choose us for their care, we don’t want them to have to think about the possible exposure of their protected health information (PHI). Safeguarding their privacy is important to UT Southwestern – and mandated by the Health Insurance Portability and Accountability Act (HIPAA). This extends to work vendors perform for us or on our behalf.

Part of our contracting process includes having third-party organizations and individuals sign business associates agreements (BAAs) designed to confirm they have standards and processes in place to protect PHI. While many vendors already sign these agreements in compliance with HIPAA, our Compliance and Contracts Management teams identified the need to apply BAAs to more vendor relationships, beginning August 15.

Most vendors must now sign BAAs to work with UTSW

When you initiate a vendor agreement in the procurement portal, you’ll answer questions related to the exchange of PHI as part of the contract request process. Then, Contracts Management will evaluate a vendor’s access to PHI. This includes evident, planned, and potential exposure to identifiable patient information, ranging from a name to any facts about the medical care someone received at UTSW.

We will require most vendors to sign BAAs, including many of those supporting ongoing operations and research.

Negotiating BAAs may require a few weeks to complete. This may add time to the contracting process, so consider this when setting timetables to begin working with vendors.

Application of this new requirement

If the agreement requires a BAA, the vendor must sign it to work with UTSW. The only exception is if a UTSW EVP agrees to waive this requirement. This waiver only applies if there is no plan to exchange PHI with a vendor. The EVP must then sign and submit a waiver form to move the contracting process forward.

The need for BAAs applies to all new contracts, as well as renewals. This requirement is not retroactive, but, our Compliance and Contracting teams may be working with departments to update or include BAAs, as part of agreements with existing vendors.

We appreciate your support in making sure PHI remains private. If you have questions about BAAs, email the Privacy Office at privacyoffice@utsouthwestern.edu.