Business Associate Agreement (BAA)

Who is responsible for ensuring that BAAs are in place?

UA’s Contract Offices and Business Owners are responsible for:

  1. Determining if PHI is being shared with another entity, and if so;
  2. Determining whether:
    1. (a) UA is sharing its PHI (or the PHI UA holds on behalf of another Covered Entity in its capacity as a Business Associate) with a third party (company, sponsor, institution) and the third party is the Business Associate.
    2. (b) The third party (company, sponsor, institution) is sharing its PHI and UA is the Business Associate

Submit the Business Associate Intake Form to the UA HIPAA Privacy Office when a Business Associate Agreement is needed.

What is a Business Associate Agreement (BAA)?

HIPAA requires that a Covered Entity/Hybrid Covered Entity enter into a Business Associate Agreement (BAA) any time it will use a contractor or other non-workforce member to perform "Business Associate" services or activities on behalf of the Covered Entity.  The purpose of the BAA is to protect the data and ensure that any party who performs functions/activities on behalf of the covered entity and will handle PHI in carrying out those duties adhere to certain standards to protect the data.

HIPAA requires that that a BAA must be written and must include several terms and conditions for maintaining compliance with federal privacy regulations, including written assurances that the Business Associate:

  1. Will not use/disclose PHI other than as permitted or required by the agreement or as otherwise required by law;
  2. Will use appropriate safeguards to prevent unauthorized use or disclosure of PHI (other than as provided for by the BAA);
  3. Will report any use or disclosure not provided for in the BAA for which it becomes aware; and
  4. Ensures that any subcontractors that create, receive, maintain or transmit PHI agree to the same restrictions/conditions as the business associate.  

For more information about obtaining a BAA, contact the UA Privacy Office.