Business Associate Agreements (BAAs)
What is a Business Associate?
A Business Associate (BA) is a person who or entity that performs a function or service for a HIPAA Covered Entity (CE) for the benefit of the CE, e.g. analytics, accounting and training, and where the work function involves access to, transmission of, or storage of the CE’s Protected Health Information (PHI). The circumstances surrounding a particular arrangement will vary. Sometimes the University can serve as the CE or the BA.
What is a Business Associate Agreement (BAA)?
A BAA is a required legal document that defines the relationship, roles and responsibilities of a Business Associate (BA) and a HIPPA Covered Entity (CE) for safeguarding Protected Health Information (PHI) in compliance with Health Insurance Portability and Accountability Act (HIPAA). All BAAs accompany some other type of underlying agreement. Typically, the accompanying agreement defines the terms of the relationship between parties, but sometimes these underlying agreements can be as simple as a purchase order. Both a BA and a CE are directly liable for HIPAA violations and impermissible disclosures of PHI. The terms within a BAA determine how the parties choose to contract for that liability.
How do I get a BAA?
The process for obtaining a BAA depends on where the purchase is in the procurement process.
Option 1) RFP Process prior to vendor selection: Ensure that University Procurement Services is aware that a BAA is required and that the University’s template BAA is included in the RFP document. This approach is encouraged and preferred.
Note: If the University template BAA is NOT included as part of the RFP process, then the process of obtaining a BAA cannot begin until funding is approved, a vendor is selected, and a purchase is imminent. At that point, University Procurement Services will provide the University template BAA as part of the purchasing process. It is often much more difficult to include this Federally-required document at this point, but must occur pursuant to HIPAA requirements before the product or service can be used.
Option 2) If the vendor is known and approved because the RFP process is not required (e.g., the purchase is being made under a UNC General Administration, Internet2, state contract, or another agreement, the purchase amount does not require an RFP, or there is a renewal and now PHI will be part of the service), please contact your unit’s Privacy Liaison to start the BAA process early with the University template BAA. If your unit does not have a Privacy Liaison designated, you may contact the Institutional Privacy Office.
Using the UNC-CH template BAA is a straightforward and quick process. If the vendor is unwilling to sign the UNC-CH template BAA or requests changes to the terms, then University Procurement Services or your unit’s Privacy Liaison will involve the Institutional Privacy Office to conduct negotiations. Please note that this process will take at least 6-8 weeks. In some cases, a complex negotiation may take longer and involve the Office of University Counsel. There is no guarantee that such negotiations will successfully result in an agreed-to BAA.
Questions regarding how to obtain a BAA should be directed to your unit’s Privacy Liaison or Purchasing. If your unit does not have a Privacy Liaison or you need further assistance, please contact us.