HIPAA Transactions and Code Sets

IT Procurement

Purchasing an IT boutique software item

Departments MUST use this process when procuring with a purchasing requisition:

Use the current purchasing requisition (if your requisition is not dated 5-04 or later, follow the steps below and include the correct attachments).

  1. Make sure the front of the requisition is filled out completely and signed.
  2. Make sure the back of the requisition is filled out completely and signed. The back includes the sole source information as well as the new information system question and paragraph, which should be similar to the following:

Is this purchase a computer or software system that will store, display, or transmit electronic patient information, now or in the future?

_____ yes _____ no. If yes, please read and sign below:

    My signature below certifies that I am abiding by the VUMC Health Insurance Portability and Accountability Act (HIPAA) and IT Procurement guidelines (see http://www.mc.vanderbilt.edu/root/vumc.php?site=TCS&doc=6694). I have attached to this Purchase Requisition the vendor contract, which includes, if applicable:

    1) the Business Associate Agreement (BAA), and

    2) the VUMC Architectural and HIPAA-centric RFP/RFI, both found at http://www.mc.vanderbilt.edu/root/vumc.php?site=rfi.

    Applicability for these is indicated on the website.

    For any questions related to these attachments or the Vanderbilt IT Procurement process, please contact IT.Procurements.and.Contracting@vanderbilt.edu or visit the website above.

    Signature ___________________ Print Name____________________ Date __/_____/____

Questions may be sent to the IT Procurement and Contract team, who will reply within 2 business days.

Biomedical Equipment

Taken from the HIMSS site (http://himss.org/ASP/ContentRedirector.asp?ContentID=59072):

The American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA) and the Healthcare Information and Management Systems Society (HIMSS) have endorsed the MDS2, which was adapted from portions of the ACCE/ECRI Biomedical Equipment Survey Form, a key tool found in Information Security for Biomedical Technology: A HIPAA Compliance Guide (ACCE/ECRI, 2004). "The MDS2 holds the promise of playing a major role in the dissemination of critical medical device security information between manufacturers and healthcare providers," said Stephen L. Grimes, FACCE, chair of the HIMSS Medical Device Security Workgroup and senior consultant and analyst with GENTECH in Saratoga Springs, NY. "The MDS2 form represents a universal reporting form allowing medical device manufacturers to supply providers with model-specific information on precisely which devices are capable of transmitting or maintaining electronic Protected Health Information as well as a description of any security features built into those devices."

Manufacturers may contact ECRI to obtain a free list of Universal Medical Device Nomenclature (UMDNS) terms for their products. The list can be requested by sending an e-mail to ECRI at himss-mds@ecri.org. ECRI authorizes medical device manufacturers to freely enter ECRI's UMDNS terms for their products in the HIMSS Manufacturer Disclosure Statement for Medical Device Security (MDS2), and to freely distribute the MDS2 with this information (i.e., with the UMDNS terms manufacturers have entered for their products). For information on UMDNS, please visit ECRI's website at www.ecri.org.

Adapted from Information Security for Biomedical Technology: A HIPAA Compliance Guide, ACCE/ECRI, 2004. Used by permission of ECRI (formerly the Emergency Care Research Institute) and the American College of Clinical Engineering.


Manufacturer Disclosure Statement for Medical Device Security - MDS2 - Other Pubs (12/17/2004)

ACCE ECRI Info for Biomedical Technology - Presentation (11/22/2004)

Letter from NCVHS Chair to HHS Secretary on Medical Device Security - Other Pubs (3/1/2005)

FAQ: Information for Healthcare Organizations about FDA's 'Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software' - Other Pubs (2/8/2005)

Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software - Other Pubs (1/14/2005)

University HealthSystem Consortium Medical Device Security - Other Pubs (1/10/2005)

HIPAA Security Rule and its Implications for Medical Devices (12/20/2004)

Defending Medical Information Systems Against Malicious Software - White Paper (12/14/2004)

Patching Off-the-Shelf Software Used in Medical Information Systems - White Paper (12/14/2004)

HIPAA and Medical Device Security - HIMSS Audio - Presentation (12/9/2004)

IHE - Key to Future of the Digital Hospital - Other Pubs (10/1/2004)

Security - A New Clinical Engineering Paradigm - Other Pubs (9/1/2004)

Tools and Resources

Medical Device Security Workgroup Bibliography (3/15/2005)

Department of Veterans Affairs Medical Device Isolation Architecture Guide - Other Pubs (2/3/2005)

Intro to HIPAA Security Rule (Medical Devices) - Presentation (9/1/2004)


The Business Associate Agreement (BAA) MUST be included with each information system procurement contract if that system will contain electronic protected health information (EPHI) and the data will be visible to an outside entity, whether through maintenance, support or information sharing.

The BAA is not designed to be a stand-alone agreement. It must either be referenced in the main agreement, tying the BAA to the specific relationship, or, if the main agreement has already been signed, be added as a drafted amendment.

The latest BAA is available on our HIPAA webpage.


The VUMC Architectural and HIPAA-centric RFI/RFP

All contracts that include information systems SHOULD have an RFI/RFP included as an attachment. Your vendor should fill out this document with Yes or No answers. The completed document should be attached to your contract and referred to in it.

If you have questions about how to interpret the answers once you receive the document back from your vendor, please write to or call (at 322-2841) the IT Procurement and Contract team. One of us will reply to you within 2 business days.


This page was last updated March 9, 2016 and is maintained by