HIPAA Business Associate Agreements

What is a Business Associate Agreement (BAA)?

HIPAA requires that a Covered Entity/Hybrid Covered Entity enter into a Business Associate Agreement (BAA) any time it will use a contractor or other non-workforce member to perform "Business Associate" services or activities on its behalf. The purpose of the BAA is to protect the data by ensuring that any party performing functions or activities on behalf of the Covered Entity adheres to defined standards for safeguarding PHI.

HIPAA requires that a BAA include several terms and conditions for maintaining compliance with federal privacy regulations, including written assurances that the Business Associate:

  1. Will not use/disclose PHI other than as permitted or required by the agreement or as otherwise required by law.
  2. Will use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
  3. Will report any use or disclosure not provided for in the BAA of which it becomes aware.
  4. Ensures that any subcontractors that create, receive, maintain or transmit PHI agree to the same restrictions and conditions that apply to the Business Associate.

To request a BAA, complete the Intake Form.

For more information about obtaining a BAA, contact University Privacy.

Who is a Business Associate?

An individual or organization is considered a Business Associate only if it performs a function or service on behalf of the Covered Entity/Hybrid Covered Entity (such as UA) and handles Protected Health Information (PHI) as part of the function or service it performs.

In some cases, UA may serve as a Business Associate of another Covered Entity if UA is handling PHI while performing services on behalf of that Covered Entity. When UA is acting in its capacity as a Business Associate and will disclose any of the Covered Entity's PHI to a third party (a Subcontractor) in order to perform any of its services, UA is required to enter into a Business Associate Agreement with each downstream Subcontractor that will have access to the Covered Entity's PHI.

BAA Process

Once it is determined that a BAA is required, the following actions must be taken:

  1. University Privacy will provide the BAA template to the business owner.

  2. The business owner must provide the template to the appropriate contact with the vendor for review. This individual, not University Privacy, will primarily interface with the vendor.

  3. If the vendor agrees to the BAA with no changes, Vendor Resources can execute the BAA.

  4. If the vendor requests to negotiate the terms of the BAA, University Privacy will work with Vendor Resources and the Office of the General Counsel to negotiate the terms. While University Privacy and others help to negotiate the terms of the BAA, the requesting unit will continue to act as the primary contact with the vendor.

  5. Upon execution, the requesting unit must send an executed copy of the BAA to University Privacy. The requesting unit should also retain a copy of these documents.

Note: University Privacy is not involved in negotiating the underlying services agreement. Once University Privacy has been provided with all information required to assess the request for a BAA, it will generally take four to six weeks to negotiate and finalize a BAA with a third party. In complex cases, such as situations where the third party refuses to use the U of A templates, the process can exceed six weeks. Additionally, there is no guarantee that negotiations will successfully result in a BAA. The exact timeline will also depend on the timeliness of the vendor's or other non-workforce member's responses.