HIPAA Business Associate Agreements (BAA)
Guidelines for HIPAA Business Associate Agreements
A Business Associate Agreement (BAA) is used when fully identifiable protected health information (PHI) is being shared with another party.
BAAs are meant for specific circumstances, and if those circumstances are not met, a Data Use Agreement (DUA) should be used.
A Business Associate, as defined in the Health Insurance Portability and Accountability Act (HIPAA), is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the Business Associate to PHI. A covered entity may be a Business Associate of another covered entity if it performs such services for the other covered entity. A covered entity may disclose protected health information to an entity in its role as a Business Associate only to help the covered entity carry out its health care functions – not for the Business Associate’s independent use or purposes. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Business Associate Agreement (BAA)
The HIPAA regulations generally require that covered entities and Business Associates enter into contracts to ensure that the Business Associates will appropriately safeguard PHI. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the Business Associate, based on the relationship between the parties and the activities or services being performed by the Business Associate. A Business Associate is directly liable under the HIPAA Rules for making uses or disclosures of PHI not authorized by the BAA or required by law. The following items must be addressed in the BAA to ensure compliance with current regulation:
• Safeguards for protecting PHI
• Reporting mechanism for inappropriate use/disclosure of PHI
• Pass-through of provisions to any agent/subcontractor
• Access to PHI for amendment and mechanism for Accounting of Disclosures
• Provision stating that Business Associate will make available its internal practices, books and records relating to the use and disclosure of PHI for audit by the U.S. Department of Health and Human Services
• Plan for return/destruction of PHI and termination of underlying agreement