HIPAA requires that a Covered Entity/Hybrid Covered Entity enter into a Business Associate Agreement (BAA) any time it will use a contractor or other non-workforce member to perform "Business Associate" services or activities on behalf of the Covered Entity. The purpose of the BAA is to protect the data and ensure that any party who performs functions/activities on behalf of the covered entity and will handle PHI in carrying out those duties adhere to certain standards to protect the data.
HIPAA requires that that a BAA must be written and must include several terms and conditions for maintaining compliance with federal privacy regulations, including written assurances that the Business Associate:
- Will not use/disclose PHI other than as permitted or required by the agreement or as otherwise required by law;
- Will use appropriate safeguards to prevent unauthorized use or disclosure of PHI (other than as provided for by the BAA);
- Will report any use or disclosure not provided for in the BAA for which it becomes aware; and
- Ensures that any subcontractors that create, receive, maintain or transmit PHI agree to the same restrictions/conditions as the business associate.
For more information about obtaining a BAA, contact the UA Privacy Office.