What is a Business Associate?

A Business Associate (BA) is a person who or entity that performs a function or service for a HIPAA Covered Entity (CE) for the benefit of the CE, e.g. analytics, accounting and training, and where the work function involves access to, transmission of, or storage of the CE’s Protected Health Information (PHI). The circumstances surrounding a particular arrangement will vary. Sometimes the University can serve as the CE or the BA.

What is a Business Associate Agreement (BAA)?

A BAA is a required legal document that defines the relationship, roles and responsibilities of a BA and a CE for safeguarding PHI in compliance with HIPAA. All BAAs accompany some other type of underlying agreement. Typically, the accompanying agreement defines the terms of the relationship between parties, but sometimes these underlying agreements can be as simple as a purchase order. Both a BA and a CE are directly liable for HIPAA violations and impermissible disclosures of PHI. The terms within a BAA determine how the parties choose to contract for that liability.

Where can I get a BAA?

Questions regarding how to obtain a BAA should be directed to your unit’s Privacy Liaison or Purchasing.  If your unit does not have a Privacy Liaison or you need further assistance, please contact us.

Submit an executed Business Associate Agreement and underlying agreement (Onyen required)

Directions on use of the BAA Repository


HIPAA NEWS