Home >> For Vendors >> Purchasing Terms & Conditions >> Business Associate Addendum
Business Associate Addendum
TO UNIVERSITY OF VIRGINIA PURCHASING TERMS & CONDITIONS
This is an addendum to University of Virginia Purchasing Terms & Conditions. This Addendum is applicable only in those situations where the Vendor providing goods or services to the University will receive, create, or come into more than incidental contact with Protected Health Information (“PHI”) as defined in 45 C.F.R § 160.103 (e.g. individually identifiable health information of patients of the University of Virginia).
This Business Associate Addendum (“Addendum”) becomes effective when the Vendor accepts an order from the University of Virginia for the purchase of goods and/or services. It is entered into by the Vendor (“the Business Associate”) and The Rector and Visitors of the University of Virginia (“University”), (each a “Party” and collectively the “Parties”).
Uses and Disclosures: Vendor agrees that it shall be prohibited from using or disclosing the PHI provided or made available by the University or viewed while on the premises for any purpose other than as expressly permitted or required by the order or as required by law. These uses and disclosures must be within the scope of the Vendor’s goods or services provided to the University. Vendor shall report to the University any use or disclosure of PHI not provided by the order or this Addendum of which it becomes aware.
Appropriate Safeguards: Vendor will establish and maintain reasonable safeguards to prevent any use or disclosure of the PHI, other than as specified by the order or required by law. By April 21, 2005, (the date by which compliance with the Security Rule (45 C.F.R Parts 160, 162, and 164) is required), Vendor will implement and use administrative procedures and physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, and will also report to the University any Security Incident (as defined in 45 C.F.R. 164.304) of which Vendor becomes aware.
Subcontractors and Agents: Vendor agrees that anytime it provides or makes available PHI to any subcontractors or agents, it must enter into a subcontract that contains the same terms, conditions and restrictions on the use and disclosure of PHI as contained in this Addendum.
Provide Accounting: Vendor agrees to make information available if required to provide an accounting of disclosures under the HIPAA Privacy Rule (45 C.F.R. 164.528).
Access to Books and Records: Vendor agrees to make its internal practices, books, and records relating to the use or disclosure of PHI received from, or created or received by Vendor on behalf of the University, available to the Secretary of HHS for purposes of determining compliance with the HHS Privacy Regulations. Termination of Contract: Vendor agrees that the University has the right to immediately terminate the order if it determines that Vendor has violated a material term of this Addendum.
Return or Destruction of Information: At termination of the order under which the services and good have been provided, Vendor agrees to return or destroy all PHI received from, or created on behalf of the University. If not feasible, Vendor agrees to extend the protections of this Addendum to the PHI and limit further uses and disclosures.