Training and Education

Code of Conduct

To assure vendor compliance with the UMHS policies, vendor representatives who work on site with University health care providers or who have access to sensitive information created or maintained by those providers are required to follow the UMHS Code of Conduct and Compliance Program and execute our Code of Conduct Attestation.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. While the title suggests that this rule only applies to insurance information, a major part of HIPAA addresses the privacy of "Protected Health Information," the patient's health information (PHI). Patients are provided information about how we use and share patient information through our Notice of Privacy Practices. A copy of The HIPAA Privacy and Security Regulations in a Nutshell is available here.

PHI is information:

• Sent or stored in any form
• That identifies the patient, or can be used to identify the patient
• That is created or received by a covered entity
• That generally is about a patient’s past, present, and/or future treatment and payment of services

How does HIPAA affect vendors doing business with the University of Michigan?

HIPAA requires the University of Michigan to sign a Business Associate Agreement (BAA) with all of its business associates. A Business Associate is someone who does not work for the University of Michigan and needs access to our patients’ protected health information (PHI).

What are some examples of when a Business Associate Agreement may or may not be required?

Who should I contact if I have questions about my contract with the University of Michigan?

Vendors uncertain of their status as a Business Associate should contact the Procurement buyer handling their current contract. Contact information for the Procurement Teams is available on the Contacts page.

Where can I find more information about HIPAA?