Guidelines for HIPAA Business Associate Agreements

A Business Associate Agreement (BAA) is used when fully identifiable protected health information (PHI) is being shared with another party.

BAAs are meant for specific circumstances, and if those circumstances are not met, a Data Use Agreement (DUA) should be used instead.

A Business Associate, as defined in the Health Insurance Portability and Accountability Act (HIPAA), is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity (such as the School of Medicine) that involve access by the Business Associate to PHI. A covered entity may be a Business Associate of another covered entity if it performs such services for the other covered entity. A covered entity may disclose protected health information to an entity in its role as a Business Associate only to help the covered entity carry out its health care functions – not for the Business Associate’s independent use or purposes. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Business Associate Agreement (BAA)

The HIPAA regulations generally require that covered entities and Business Associates enter into contracts to ensure that the Business Associates will appropriately safeguard PHI. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the Business Associate, based on the relationship between the parties and the activities or services being performed by the Business Associate. A Business Associate is directly liable under the HIPAA Rules for making uses or disclosures of PHI that are not authorized by the BAA or required by law. The following items must be addressed in the BAA to ensure compliance with current regulations:

  • Safeguards for protecting PHI
  • Reporting mechanism for inappropriate use/disclosure of PHI
  • Pass-through of provisions to any agent/subcontractor
  • Access to PHI for amendment and mechanism for Accounting of Disclosures
  • Provision stating that Business Associate will make available its internal practices, books and records relating to the use and disclosure of PHI for audit by the U.S. Department of Health and Human Services
  • Plan for return/destruction of PHI and termination of underlying agreement