HIPAA Business Associate Agreements (BAA)
As a Hybrid Entity under HIPAA, UNC-Chapel Hill requires that all Business Associates sign a Business Associate Agreement assuring UNC-Chapel Hill that they will adopt reasonable safeguards to protect Protected Health Information, including electronic Protected Health Information (ePHI), originating from UNC-Chapel Hill and will protect the integrity, availability and confidentiality of PHI throughout the data lifecycle. Likewise, there may be instances in which UNC-Chapel Hill acts as a Business Associate to an external Covered Entity and is required to sign a Business Associate Agreement. This page contains general information about Business Associate Agreements, responses to frequently asked questions and information on the process for obtaining a Business Associate Agreement at UNC-Chapel Hill.
If you are unsure as to whether a BAA is required when UNC-Chapel Hill is serving in the capacity of the Covered Entity contact the Institutional Privacy Office, email@example.com, for final determination.
The HIPAA Privacy Rule requires that a Covered Entity or Business Associate enter into a BAA any time a person or entity, including any downstream Subcontractor hired by a Business Associate, provides covered services to, or performs covered services or activities on behalf of the UNC-Chapel Hill HIPAA Hybrid Entity and Covered Component Designation, the Covered Entity or other Business Associate if the person or entity creates, receives, maintains or transmits PHI in the course of providing such services. The primary purposes of the BAA are to ensure that the Business Associate appropriately safeguards the PHI and to outline the permissible uses and disclosure of the PHI by the Business Associate.
The HIPAA Privacy Rule requires that that a BAA must be written and include several terms and conditions. In general, for BAAs where UNC-Chapel Hill is serving in the capacity of the Covered Entity, this includes the following topics:
- Permitted Uses and Disclosures of PHI
- Limitations on Use and Disclosure of PHI
- Privacy and Security Requirements
- Availability of PHI, Amendments and Accounting of Disclosures
- Availability of Books and Records
- Reporting Obligations
- Mitigation, Cooperation, Indemnification and Insurance Obligations
- Term and Termination
- Miscellaneous Requirements
For additional guidance on what information constitutes PHI, refer to the UNC-Chapel Hill HIPAA Data Reference Guide or consult the Institutional Privacy Office, firstname.lastname@example.org, for final determination.
- data processing
- data analysis
- utilization review
- cloud storage vendor services
- transcription services
- legal services
- data aggregation
- administrative functions
- financial services
- management services
- consulting services
- accounting services
- actuarial services
- accreditation services
- UNC-Chapel Hill Covered Component Identifies Need for BAA. You are in a UNC-Chapel Hill Covered Component and know, or believe, that you are purchasing a service, software, or other product from an external person or entity who will receive create, receive, maintain or transmit PHI in the course of providing such services; or
- UNC-Chapel Hill Purchasing Agent Identifies Need for BAA. As part of the purchasing process, you are notified by the UNC-Chapel Hill purchasing agent that a BAA is, or may be, required.
- Data Protection Checklist. As part of the purchasing process, you complete the required Data Protection Checklist and identify that a vendor may have access to Sensitive Information, including PHI, to perform the underlying services.
- External Entity Request. You receive a request from an external person or entity requesting that UNC-Chapel Hill enter a BAA with that person or entity.
Regardless of how a Business Associate Agreement may be triggered, follow the process below to request a Business Associate Agreement at UNC-Chapel Hill:
- Complete the Business Associate Agreement Intake Form.
- If the Institutional Privacy Office determines that a BAA is required, the Institutional Privacy Office will provide the appropriate UNC-Chapel Hill template BAA to the provided UNC-Chapel Hill contact — typically the Privacy Liaison or Business Owner.
- The Privacy Liaison or Business Owner must provide the UNC-Chapel Hill template BAA to the appropriate contact with the vendor for review and signature. This individual, not the Institutional Privacy Office, will primarily interface with the vendor.
- If the vendor signs the BAA with no changes, Purchasing Services can execute the BAA on behalf of the Institutional Privacy Office.
- If the vendor requests to negotiate the terms of the UNC-Chapel Hill template BAA, the Institutional Privacy Office will negotiate the terms of the BAA and execute the BAA with the vendor. While the Institutional Privacy Office negotiates the terms of the BAA, the Institutional Privacy Office may request that the Privacy Liaison or Business Owner interface with the vendor.
- Upon execution, the requesting unit’s Privacy Liaison or responsible Business Owner/representative must upload a copy of the BAA to the UNC-Chapel Hill Business Associate Agreement Repository (BAAR). A copy of the underlying agreement must be uploaded along with the BAA. The Institutional Privacy Office is not involved in the negotiating of the underlying services agreement. The requesting unit should also retain a copy of these documents.
However, the use of the P-Card is NOT an exception to the BAA process and does NOT exempt the department from any of the University’s other policies and procedures. If you are using a P-Card for a purchase that you know, or believe, involves the purchase of a service, software or other product and the person or entity that you are purchasing the services from will receive create, receive, maintain or transmit PHI, then you must complete the Business Associate Agreement Intake Form to determine whether a BAA is required. Additionally, Policy 1231 on Solicitation of Quotations, Bids, and Proposals requires a requisition for purchases of goods and/or services regardless of the dollar amount, if the purchasing involves one or more of the following:
- Suppliers that only accept Purchase Orders
- Purchases were Sensitive Information is in scope
- Purchases that require the University to execute a purchasing document (e.g., order form, agreement, etc.)
If the purchase involves Sensitive Information, including PHI, it must be submitted to Purchasing Services via a requisition regardless of the dollar amount. The requisition must include a completed Data Protection Checklist. If a Risk Assessment is required, depending on the context of the request, such responsibility falls to the UNC-Chapel Hill’s Information Technology Services or the School of Medicine’s Information Security Office. Similarly, any purchase that requires the University execute a purchasing document, regardless of the dollar amount, must be submitted to Purchasing Services via a requisition. If the total cost of the purchase is $5,000 or less, then a zero-dollar requisition may be submitted and the requestor can select the “CONTRACT REVIEW ONLY” Supplier Name. Once the document is signed, an executed copy will be returned to the requestor so that payment can be made via the P-Card. Purchasing Services does not consider a clickthrough agreement associated with an online purchase a purchasing agreement that requires review and signature by Purchasing Services.
As BAAs are not standalone documents, if the Institutional Privacy Office determines that a BAA is required with any P-Card purchase an underlying services agreement or contract will also be required with the vendor and the business owner must follow all other applicable University policies for obtaining the underlying services agreement or contract.
- Are BAA standalone contracts?
- A BAA is not a standalone contract. Instead, a BAA is tied to a specific arrangement or services agreement with a vendor or other non-workforce member. This is required regardless of whether the P-Card is used for the transaction or if the services are provided at no cost. For contract reviews involving the use of the P-Card or zero-dollar contracts where a BAA is required, the requestor must submit the contract to UNC-Chapel Hill Purchasing Services on a requestion. This will trigger the Data Protection Checklist process. To the extent a BAA is required, Purchasing Services will contact the Institutional Privacy Office if the Institutional Privacy Office is not already involved. If a Risk Assessment is required, depending on the context of the request, such responsibility falls to the UNC-Chapel Hill’s Information Technology Services or the School of Medicine’s Information Security Office.
- If there is a BAA with a specific vendor or other non-workforce member in the BAA Repository, does that mean that there is a valid BAA with that vendor for any future arrangement or services with that vendor?
- A BAA with a vendor or other non-workforce member is tied to a specific arrangement or services agreement. The fact that the repository lists that there is a BAA with a specific vendor or other non-workforce member is not necessarily indicative that the BAA extends to the particular arrangement or services you are seeking to cover. Please direct all questions about whether a BAA with a particular third-party is still valid or extends to cover your proposed arrangement and/or services to the Institutional Privacy Office, email@example.com.
- What information will the Institutional Privacy Office require to assess whether a BAA is required?
- At a minimum, before the Institutional Privacy Office can begin to assess whether a BAA is required the Institutional Privacy Office will need:
*NOTE: if the underlying service will involve integration/interface with a UNC Health information system, then a separate Security Risk Assessment or other approval from UNC Health’s Information Security Department (ISD) may be required.
- A completed Business Associate Agreement Intake Form
- A description of the proposed services
- Contact information for the UNC-Chapel Hill business owner responsible for interfacing with the vendor or other non-workforce member
- Contact information for the relevant representatives with the vendor or other non-workforce member
- A copy of the underlying services agreement
- A copy of the completed UNC-Chapel Hill Information Technology Services or School of Medicine vendor Security Risk Assessment.*
- Who can sign BAAs on behalf of UNC-Chapel Hill?
- Only UNC-Chapel Hill’s Chief Privacy Officer, or other authorized delegate, can sign a BAA on behalf of UNC-Chapel Hill.
- Will UNC-Chapel Hill execute a BAA with a vendor or other non-workforce member before the underlying services agreement is executed?
- Generally, a BAA must be executed contemporaneously with the underlying services agreement. A BAA is not a standalone document. Instead, a BAA is tied to a specific arrangement or services agreement with a vendor or other non-workforce member. Nevertheless, there may be limited circumstances in which the Institutional Privacy Office may negotiate the terms of a BAA before the underlying services agreement is executed; however, disclosure of PHI cannot generally commence until the specific arrangement or services agreement has been fully executed.
- How long does it take to negotiate and execute a BAA with a vendor or other non-workforce member?
- It depends. Generally, once the Institutional Privacy Office is provided all information required to assess a particular request for a BAA, it will take at least six to eight weeks to negotiate and finalize a BAA with a third-party. In complex cases, such as situations where the third-party refuses to utilize UNC-Chapel Hill’s template BAA, the process can exceed eight weeks. Additionally, there is no guarantee that negotiations will successfully result in a BAA. The exact timeline will also depend on the timeliness of the vendor or other non-workforce member responses.