Departments MUST use this process when procuring with a purchasing requisition:
Use the current purchasing requisition (if you do not have a requisition dated 5-04 or later, please ensure you follow the steps below and include the correct attachments).
Is this purchase a computer or software system that will store, display, or transmit electronic patient information, now or in the future?
_____yes _____ no. If yes, please read and sign below:
My signature below certifies that I am abiding by the VUMC Health Insurance Portability and Accountability Act (HIPAA) and IT Procurement guidelines (see /TCS/6694). I have attached the vendor contract to this Purchase Requisition that includes, if applicable:
1) the Business Associates Agreement (BAA), and
2) the VUMC Architectural and HIPAA centric RFP/RFI both found at /rfi.
Applicability for these is indicated on the website.
For any questions related to these attachments or the Vanderbilt IT Procurement process, please contact IT.Procurements.and.Contracting@vanderbilt.edu or visit the website above.
Signature ___________________ Print Name____________________ Date __/_____/____
Click here to write to the IT Procurement and Contract team. One of us will reply to you within 2 business days.
Taken from the HIMSS site: http://himss.org/ASP/ContentRedirector.asp?ContentID=59072: The American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA) and the Healthcare Information and Management Systems Society (HIMSS) have endorsed the
Manufacturers may contact ECRI to obtain a free list of Universal Medical Device Nomenclature (UMDNS) terms for their products. The list can be requested by sending an e-mail to ECRI at the following address: firstname.lastname@example.org. ECRI authorizes medical device manufacturers to freely enter ECRI’s UMDNS terms for its products in the HIMSS Manufacturers Disclosure Statement for Medical Device Security (
Adapted from Information Security for Biomedical Technology: A HIPAA Compliance Guide, ACCE/ECRI, 2004. Used by permission of ECRI (formerly the Emergency Care Research Institute) and the American
Tools and Resources
The Business Associate Agreement (BAA) MUST be included with each information system procurement contract if that system will contain electronic protected health information (EPHI) and the data will be visible to an outside entity, whether through maintenance, support or information sharing.
The BAA is not designed to be a stand-alone agreement. Either the main agreement needs to reference the BAA in a way that ties it to the specific relationship, or, if the main agreement has already been signed, an amendment needs to be drafted.
All contracts that include information systems SHOULD have an RFI/RFP included as an attachment. This document should be filled out by your vendor indicating Yes or No answers. This completed document should be an attachment and should be referred to in your contract.
If you have questions as to how to interpret the answers once you receive this back from your vendor, please write or call (at