Business Associate Agreements (BAAs)

Business Associate Agreements are required under the HIPAA Privacy and Security Rules whenever a covered entity contracts with, or otherwise obtains a service from, a third party in a way that involves the use or disclosure of protected health information (PHI). In some arrangements your school, department, business unit, or organization is the covered entity; in others it is the business associate.

FAQs
If you are unclear whether your organization has a business associate arrangement needing a business associate agreement, we have provided frequently asked questions to assist you.

Decision Trees

Templates

For guidance on using these templates, please see HIPAA Guidance AR-04 - Business Associates (log-in required). For a decision flowchart regarding BAAs, see the Decision Trees section above. If you still have questions about which template to use, please contact us at privacy(@)louisville.edu.

Important Note: The Privacy Office does not have signature authority to bind the University of Louisville to any contract; however, we can sign as “Recommended By”, which helps ensure that the contract language is appropriate from a HIPAA perspective. Accordingly, any business associate agreement that uses language other than the templates noted above should be reviewed by the University of Louisville Privacy Office prior to signature. This applies to all business associate agreements for the University of Louisville, the University of Louisville Research Foundation, or any other entity for which the University of Louisville Privacy Office has oversight. In addition, the Privacy Office requests that a copy of the fully executed BAA be sent to privacy(@)louisville.edu once all signatures are obtained.