If your unit is contracting for a vendor service or product that will have access to institutional data, regardless of data sensitivity, you will need to include the appropriate agreements:
- Data Protection Addendum that specifies the vendor's responsibilities and requirements related to the management and disclosure of U-M data.
- If Protected Health Information (PHI) data that falls under HIPAA protections is involved, a Business Associate Agreement is also required.
Include the Data Protection Addendum
The data protection addendum (DPA) must be part of every contract under which a service provider has access to institutional data, regardless of the data's sensitivity. In practice, the trigger is whether university data leaves the U-M IT environment: a DPA is required whenever it does. If the software is installed locally and never stores, transmits, or processes university data outside the U-M IT environment, a DPA is not required.
Procurement Services obtains a properly executed data protection addendum during the final stages of the vendor selection process, and other U-M units may participate as needed. Work with Procurement Services to obtain the official version of the DPA rather than drafting or accepting a vendor-supplied substitute.
Business Associate Agreement Needed for HIPAA Data
If Protected Health Information (PHI) regulated by HIPAA is involved, a Business Associate Agreement (BAA) is also required. Michigan Medicine Corporate Compliance serves as the U-M data steward for PHI and can help if a BAA is needed. Request help by sending email to email@example.com.