Compliance FAQ

How long will it take to process a BAA request?

The Compliance and Privacy Office processes most BAA requests within two business days. If the vendor is not identified as a BA, the Compliance and Privacy Office will notify the requester(s) and business may continue. If the vendor needs a BAA, the Compliance and Privacy Office will send a draft BAA to the vendor for negotiation and signatures and include the requester in that communication.

How long do vendors take to return the signed BAA?

It depends on the vendor. If the vendor requests changes to the agreement, the time needed to process the paperwork could increase by weeks to months, as any changes may need approval from General Counsel, ITS, etc. If no changes are made, the entire process is often completed within 10 business days.

What does a “Fully Executed” BAA mean?

A “Fully Executed” BAA means that all parties have agreed to the terms and conditions of the contract and any revisions thereto, and they have signed and initialed the written contract.

Is there anything that needs to be done differently if I am working with a BA as opposed to a member of the University’s workforce?

Yes, if PHI is being shared with a BA, you must ensure that a proper BAA is in place. Please consult the Compliance and Privacy Office for review of all BAA documents. The BAA to execute will depend upon the circumstances of each situation.

Is a covered entity liable for, or required to monitor, the actions of its business associates?

No. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with BAs which protect the privacy of PHI; but covered entities are not required to monitor or oversee the means by which their BAs carry out privacy safeguards or the extent to which the BA abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its BAs. However, if a covered entity finds out about a material breach or violation of the contract by the BA, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the BA. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the HHS/OCR. See 45 CFR 164.504(e)(1).

Weill Cornell Medicine Compliance & Privacy Office 575 Lexington Avenue, 9th Fl New York, NY 10022 Phone: (866)-293-3077