HIPAA Business Associate Agreements (BAA)

The HIPAA Privacy Rule requires that a Covered Entity or Business Associate enter into a BAA any time a person or entity, including any downstream Subcontractor hired by a Business Associate, provides covered services to, or performs covered services or activities on behalf of the UNC-Chapel Hill HIPAA Hybrid Entity and Covered Component Designation, the Covered Entity or other Business Associate if the person or entity creates, receives, maintains or transmits PHI in the course of providing such services. The primary purposes of the BAA are to ensure that the Business Associate appropriately safeguards the PHI and to outline the permissible uses and disclosure of the PHI by the Business Associate.

The HIPAA Privacy Rule requires that that a BAA must be written and include several terms and conditions. In general, for BAAs where UNC-Chapel Hill is serving in the capacity of the Covered Entity, this includes the following topics:

1. Permitted Uses and Disclosures of PHI
2. Limitations on Use and Disclosure of PHI
3. Privacy and Security Requirements
4. Availability of PHI, Amendments and Accounting of Disclosures
5. Availability of Books and Records
6. Reporting Obligations
7. Mitigation, Cooperation, Indemnification and Insurance Obligations
8. Term and Termination
9. Miscellaneous Requirements

Since 2002, UNC-Chapel Hill has designated itself as a Hybrid Entity in accordance with the HIPAA Privacy Rule. As a Hybrid Entity, only the parts of UNC-Chapel Hill performing covered functions or supporting those units that are engaged in covered functions (each a “Covered Component”) are subject to HIPAA. For a complete list of the UNC-Chapel Hill Covered Components, refer to the UNC-Chapel Hill HIPAA Hybrid Entity and Covered Component Designation.

PHI includes all individually identifiable health information relating to the past, present or future health status, provision of health care or payment for health care of/for an individual that is created or received by a Covered Entity or Business Associate.

For additional guidance on what information constitutes PHI, refer to the UNC-Chapel Hill HIPAA Data Reference Guide or consult the Institutional Privacy Office, privacy@unc.edu, for final determination.

Some Business Associate services or activities that may be performed on behalf of a Covered Entity/UNC-Chapel Hill that requires a BAA include:

• data processing
• data analysis
• utilization review
• billing
• cloud storage vendor services
• transcription services
• legal services
• data aggregation
• administrative functions
• financial services
• management services
• consulting services
• accounting services
• actuarial services
• accreditation services

There are several ways to trigger a Business Associate Agreement at UNC-Chapel Hill, including:

1. UNC-Chapel Hill Covered Component Identifies Need for BAA. You are in a UNC-Chapel Hill Covered Component and know, or believe, that you are purchasing a service, software, or other product from an external person or entity who will create, receive, maintain or transmit PHI in the course of providing such services; or
2. UNC-Chapel Hill Purchasing Agent Identifies Need for BAA. As part of the purchasing process, you are notified by the UNC-Chapel Hill purchasing agent that a BAA is, or may be, required.
3. Data Protection Checklist. As part of the purchasing process, you complete the required Data Protection Checklist and identify that a vendor may have access to Sensitive Information, including PHI, to perform the underlying services.
4. External Entity Request. You receive a request from an external person or entity requesting that UNC-Chapel Hill enter a BAA with that person or entity.

Regardless of how a Business Associate Agreement may be triggered, follow the process below to request a Business Associate Agreement at UNC-Chapel Hill:

1. Complete the Business Associate Agreement Intake Form.
2. If the Institutional Privacy Office determines that a BAA is required, the Institutional Privacy Office will provide the appropriate UNC-Chapel Hill template BAA to the provided UNC-Chapel Hill Business Owner.
3. The Business Owner must provide the UNC-Chapel Hill template BAA to the appropriate contact with the vendor for review and signature. This individual, not the Institutional Privacy Office, will primarily interface with the vendor.
4. If the vendor signs the BAA with no changes, Purchasing Services can execute the BAA on behalf of the Institutional Privacy Office.
5. If the vendor requests to negotiate the terms of the UNC-Chapel Hill template BAA, the Institutional Privacy Office will negotiate the terms of the BAA and execute the BAA with the vendor. While the Institutional Privacy Office negotiates the terms of the BAA, the Institutional Privacy Office may request that the Business Owner interface with the vendor.
6. Upon execution, the requesting unit’s responsible Business Owner/representative must upload a copy of the BAA to the UNC-Chapel Hill Business Associate Agreement Repository (BAAR). A copy of the underlying agreement must be uploaded along with the BAA. The Institutional Privacy Office is not involved in the negotiating of the underlying services agreement. The requesting unit should also retain a copy of these documents.

The University Purchasing Card (P-Card) is a method of payment available to University employees through their departments, with appropriate approval from their department heads. It provides fast payment for goods or services allowable under Policy 1252 – Small Order Purchase via P-Card, and can be used for purchases up to and including $5,000.00.

However, the use of the P-Card is NOT an exception to the BAA process and does NOT exempt the department from any of the University’s other policies and procedures. If you are using a P-Card for a purchase that you know, or believe, involves the purchase of a service, software or other product and the person or entity that you are purchasing the services from will receive create, receive, maintain or transmit PHI, then you must complete the Business Associate Agreement Intake Form to determine whether a BAA is required. Additionally, Policy 1231 on Solicitation of Quotations, Bids, and Proposals requires a requisition for purchases of goods and/or services regardless of the dollar amount, if the purchasing involves one or more of the following:

• Suppliers that only accept Purchase Orders
• Purchases were Sensitive Information is in scope
• Purchases that require the University to execute a purchasing document (e.g., order form, agreement, etc.)

If the purchase involves Sensitive Information, including PHI, it must be submitted to Purchasing Services via a requisition regardless of the dollar amount. The requisition must include a completed Data Protection Checklist. If a Risk Assessment is required, depending on the context of the request, such responsibility falls to the UNC-Chapel Hill’s Information Technology Services or the School of Medicine’s Information Security Office. Similarly, any purchase that requires the University execute a purchasing document, regardless of the dollar amount, must be submitted to Purchasing Services via a requisition. If the total cost of the purchase is $5,000 or less, then a zero-dollar requisition may be submitted and the requestor can select the “CONTRACT REVIEW ONLY” Supplier Name. Once the document is signed, an executed copy will be returned to the requestor so that payment can be made via the P-Card. Purchasing Services does not consider a clickthrough agreement associated with an online purchase a purchasing agreement that requires review and signature by Purchasing Services.

As BAAs are not standalone documents, if the Institutional Privacy Office determines that a BAA is required with any P-Card purchase an underlying services agreement or contract will also be required with the vendor and the business owner must follow all other applicable University policies for obtaining the underlying services agreement or contract.

If negotiation of the BAA is required, it may take at least six to eight weeks to negotiate and finalize a BAA with a vendor. In complex cases, such as situations where the vendor refuses to utilize UNC-Chapel Hill’s template BAA, the process can exceed eight weeks. Additionally, there is no guarantee that negotiations will successfully result in a BAA and the exact timeline will depend on the timeliness of the vendor’s responses.

The UNC-Chapel Hill Business Associate Agreement Repository is the location where all UNC-Chapel Hill BAAs are stored so they can be tracked, organized and managed. Once a BAA is fully executed by all parties, the BAA and all supporting documents (e.g., underlying services agreement) must be uploaded to the BAAR. The Institutional Privacy Office may request for the unit’s responsible business owner/representative to upload the BAA and supporting documentation into the BAAR. The requesting unit should also retain a copy of these documents. If you are unable to upload the BAA to the BAAR, a copy of the BAA and all supporting documents must be emailed to the Institutional Privacy Office at privacy@unc.edu.

Are BAA standalone contracts?

A BAA is not a standalone contract. Instead, a BAA is tied to a specific arrangement or services agreement with a vendor or other non-workforce member. This is required regardless of whether the P-Card is used for the transaction or if the services are provided at no cost. For contract reviews involving the use of the P-Card or zero-dollar contracts where a BAA is required, the requestor must submit the contract to UNC-Chapel Hill Purchasing Services on a requsition. This will trigger the Data Protection Checklist process. To the extent a BAA is required, Purchasing Services will contact the Institutional Privacy Office if the Institutional Privacy Office is not already involved. If a Risk Assessment is required, depending on the context of the request, such responsibility falls to the UNC-Chapel Hill’s Information Technology Services or the School of Medicine’s Information Security Office.

If there is a BAA with a specific vendor or other non-workforce member in the BAA Repository, does that mean that there is a valid BAA with that vendor for any future arrangement or services with that vendor?

A BAA with a vendor or other non-workforce member is tied to a specific arrangement or services agreement. The fact that the repository lists that there is a BAA with a specific vendor or other non-workforce member is not necessarily indicative that the BAA extends to the particular arrangement or services you are seeking to cover. Please direct all questions about whether a BAA with a particular third-party is still valid or extends to cover your proposed arrangement and/or services to the Institutional Privacy Office, privacy@unc.edu.

What information will the Institutional Privacy Office require to assess whether a BAA is required?

At a minimum, before the Institutional Privacy Office can begin to assess whether a BAA is required the Institutional Privacy Office will need:

1. A completed Business Associate Agreement Intake Form
2. A description of the proposed services
3. Contact information for the UNC-Chapel Hill business owner responsible for interfacing with the vendor or other non-workforce member
4. Contact information for the relevant representatives with the vendor or other non-workforce member
5. A copy of the underlying services agreement
6. A copy of the completed UNC-Chapel Hill Information Technology Services or School of Medicine vendor Security Risk Assessment.*

*NOTE: if the underlying service will involve integration/interface with a UNC Health information system, then a separate Security Risk Assessment or other approval from UNC Health’s Information Security Department (ISD) may be required.

Who can sign BAAs on behalf of UNC-Chapel Hill?

Only UNC-Chapel Hill’s Chief Privacy Officer, or other authorized delegate, can sign a BAA on behalf of UNC-Chapel Hill.

Will UNC-Chapel Hill execute a BAA with a vendor or other non-workforce member before the underlying services agreement is executed?

Generally, a BAA must be executed contemporaneously with the underlying services agreement. A BAA is not a standalone document. Instead, a BAA is tied to a specific arrangement or services agreement with a vendor or other non-workforce member. Nevertheless, there may be limited circumstances in which the Institutional Privacy Office may negotiate the terms of a BAA before the underlying services agreement is executed; however, disclosure of PHI cannot generally commence until the specific arrangement or services agreement has been fully executed.

How long does it take to negotiate and execute a BAA with a vendor or other non-workforce member?

It depends. Generally, once the Institutional Privacy Office is provided all information required to assess a particular request for a BAA, it will take at least six to eight weeks to negotiate and finalize a BAA with a third-party. In complex cases, such as situations where the third-party refuses to utilize UNC-Chapel Hill’s template BAA, the process can exceed eight weeks. Additionally, there is no guarantee that negotiations will successfully result in a BAA. The exact timeline will also depend on the timeliness of the vendor or other non-workforce member responses.