
Business Associate Agreements

Who is a Business Associate?

An individual or organization is only considered a Business Associate if they perform a function or service on behalf of the Covered Entity/Hybrid Covered Entity (such as the U of A) and handle Protected Health Information (PHI) as a part of the job function or service they perform.

In some cases, the U of A may serve as a Business Associate of another Covered Entity if the U of A is handling PHI and is performing services on behalf of the other Covered Entity. When the U of A is acting in its capacity as a Business Associate and will be disclosing any of the Covered Entity's PHI to a third party (a subcontractor) to perform any of its services, the U of A is required to enter into a Business Associate Agreement with any downstream subcontractor that will have access to the Covered Entity's PHI.

What is a Business Associate Agreement?

HIPAA requires that a Covered Entity/Hybrid Covered Entity enter into a Business Associate Agreement (BAA) any time it will use a contractor or other non-workforce member to perform "Business Associate" services or activities on behalf of the Covered Entity. The purpose of the BAA is to protect the data and ensure that any party who performs functions/activities on behalf of the Covered Entity will adhere to certain standards to protect the PHI.

HIPAA requires that a BAA include several terms and conditions for maintaining compliance with federal privacy regulations, including written assurances that the Business Associate:

  1. Will not use/disclose PHI other than as permitted or required by the agreement or as otherwise required by law.
  2. Will use appropriate safeguards to prevent unauthorized use or disclosure of PHI.
  3. Will report any use or disclosure not provided for in the BAA of which it becomes aware.
  4. Will ensure that any subcontractors that create, receive, maintain or transmit PHI agree to the same restrictions/conditions as the Business Associate.

BAA Process

If you believe the work a vendor is performing on your behalf may require a BAA, please reach out to your contact from the Supply Chain team. As soon as the Supply Chain team believes a BAA is or may be required, they must first complete the BAA intake form. Once the form is completed, University Privacy will review it and respond.

If it is determined that a BAA is required, the following steps will be completed:

  1. A representative from the Supply Chain team will provide the template to the vendor for review. University Privacy does not interface with the vendor unless necessary.
    • There may be instances when a contract that needs to include a BAA is already being negotiated and University Privacy has not been informed of the BAA. In this or other similar circumstances, regardless of what point the negotiations are at, University Privacy should be made aware of the BAA and should have the chance to review it and provide their input prior to the finalization of any contract that includes a BAA.
  2. University Privacy may need to partner with Information Technology and Information Security to perform a risk assessment of the Business Associate to determine if they have the necessary people, processes, and technologies in place to comply with the terms and conditions outlined in the BAA. This will be determined on an individual basis.
  3. If the vendor agrees to the BAA with no changes, the Supply Chain team can execute the BAA. University Privacy will sign the BAA first, before representatives from the vendor or the University sign it.
  4. If the vendor requests to negotiate the terms of the BAA, University Privacy will work with the Supply Chain team and the Office of the General Counsel to negotiate the terms of the BAA. While University Privacy and others help to negotiate the terms of the BAA, the Supply Chain team will continue to act as the primary contact with the vendor.
  5. When the terms of the BAA have been agreed to, University Privacy will first sign the BAA. Upon final execution, the Supply Chain team must send a signed copy of the BAA to University Privacy.

Note: University Privacy is not involved in negotiating the underlying services agreement. Once University Privacy is provided with all information required to assess the request for a BAA, it will generally take around four weeks to negotiate and finalize a BAA with a third party. In complex cases, such as situations where the third party refuses to use the U of A templates, the process can exceed six weeks. Additionally, there is no guarantee that negotiations will successfully result in a BAA. The exact timeline will also depend on the timeliness of the vendor's or other non-workforce member's responses.

Need to request a BAA? 

BAA Intake Form