Compliance FAQ

When is a BAA needed?

The HIPAA rules require a BAA with every third-party service provider that a Covered Entity engages and that will use, access, or disclose (or could otherwise be exposed to) the Covered Entity's PHI on its behalf.

How do you determine if a BAA is needed?

Essentially, if a vendor is engaged to handle, use, distribute, or access protected health information (PHI), that vendor would likely qualify as a Business Associate (BA) under the HIPAA regulation. The quick rule to remember with Business Associates: before you share PHI, you must have a signed BAA in place.

Why do I need to submit a BAA request?

To do business with a new vendor that will have access to Protected Health Information (PHI), you will need to complete the Business Associate Agreement (BAA) request and send a copy of the underlying contract between the vendor and the University to the Compliance and Privacy Office via email at Privacyagremments@med.cornell.edu. We will then determine if a BAA is required and, if necessary, begin the process.

What is PHI?

PHI is any individually identifiable health information created or received by the University. Such information may relate to the past, present, or future physical or mental health of a patient or research study participant. PHI either identifies or could be used to identify the individual and has been transmitted or maintained in any form or medium (electronic, paper, or oral); examples include patient demographics, medical record numbers, and Social Security numbers.

What are the 18 direct/indirect identifiers related to PHI?

  1. Names
  2. All geographic subdivisions smaller than a State (street address, city, county, precinct, ZIP code and equivalent geocodes), except for the initial three digits of a ZIP code when the area sharing those three digits contains more than 20,000 people
  3. All elements of dates (except year) directly related to an individual, such as birth date, admission date, discharge date, and date of death; and all ages over 89 (and any date elements indicating such an age), unless aggregated into a single category of 90 or older
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code
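The list above is the HIPAA Safe Harbor de-identification standard: a record with all 18 identifiers removed or generalized as described is no longer PHI. The following is an added illustration of what that generalization looks like in code; it is not a tool of the Compliance and Privacy Office or of the University. The sample record is constructed, the set of restricted three-digit ZIP prefixes (`RESTRICTED_ZIP3`) is a placeholder for the Census-derived list, and the free-text patterns are deliberately simple (real scrubbing of names and narrative text needs much broader coverage).

```python
import re
from datetime import date

# Constructed sample record for illustration only; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "zip": "10022",
    "dob": "1950-04-12",
    "admit_date": "2023-11-03",
    "phone": "(212) 555-0143",
    "email": "jane.doe@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-0048213",
    "ip": "192.0.2.44",
    "notes": "Patient seen 2023-11-03; follow up via http://portal.example.org/visit/883",
}
SAMPLE_TODAY = date(2024, 1, 1)  # reference date used to compute ages

# Assumed placeholder: 3-digit ZIP prefixes whose combined population is
# 20,000 or fewer. The authoritative list comes from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Structured fields that are direct identifiers and are dropped outright.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip"}

# Free-text patterns, applied in this order (SSN before PHONE so the SSN
# pattern is not partially consumed; URL before IP/DATE).
_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def generalize_zip(zip5):
    """Keep only the first three digits; use 000 for low-population prefixes."""
    prefix = zip5.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(iso_date):
    """Reduce a YYYY-MM-DD date to its year."""
    return str(date.fromisoformat(iso_date).year)


def generalize_birth_date(iso_dob, today):
    """Year of birth, or the aggregate '90+' when the age exceeds 89."""
    dob = date.fromisoformat(iso_dob)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)


def find_identifiers(text):
    """Labels of identifier patterns present in free text (a pre-release check)."""
    return [label for label, rx in _PATTERNS if rx.search(text)]


def scrub_free_text(text):
    """Replace each matched identifier with a bracketed label."""
    for label, rx in _PATTERNS:
        text = rx.sub("[%s]" % label, text)
    return text


def deidentify(record, today):
    """Apply Safe Harbor-style handling to each field of a flat record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            out[key] = "[REDACTED]"
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "dob":
            out[key] = generalize_birth_date(value, today)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)
        else:
            out[key] = scrub_free_text(str(value))
    return out


if __name__ == "__main__":
    print("identifiers in notes:", find_identifiers(SAMPLE_RECORD["notes"]))
    for k, v in deidentify(SAMPLE_RECORD, SAMPLE_TODAY).items():
        print("%-10s %s" % (k, v))
```

`find_identifiers` is the check to run before a dataset leaves the covered environment: any non-empty result means the export still carries PHI and a BAA (or proper de-identification) is needed. Note that Safe Harbor is only one of the two de-identification methods HIPAA recognizes; the other is a documented expert determination, which this code does not model.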


Weill Cornell Medicine Compliance & Privacy Office 575 Lexington Avenue, 9th Fl New York, NY 10022 Phone: (866)-293-3077