Business Associate Agreement FAQs

A Business Associate Agreement (BAA) is a contract between a Business Associate (BA) and a Covered Entity (CE) that sets out the requirements a BA must follow regarding the confidentiality, security, use, and disclosure of Protected Health Information (PHI) while providing services to the CE.

HIPAA requires that BAAs contain certain legal provisions, so it is important that a BAA has the approval of the entity’s Privacy Office to ensure that all such provisions are included. If language other than the UofL standard BAA template is used, it is important that the Privacy Office review it to ensure that it meets all of HIPAA’s requirements. The UofL Privacy Office can be reached at 502-852-3803 or via email at privacy(@)louisville.edu.

HIPAA Privacy Guidance AR-16 (log-in required) provides additional information on suspected breaches and responses to them.

A BAA is needed whenever a business associate relationship exists. A Business Associate (BA) is a person or organization that creates, receives, maintains, or transmits PHI for a covered entity for a function or activity regulated by HIPAA. BAs are generally vendors that provide services such as billing or claims processing, quality assurance, patient safety activities, legal or accounting services, transcription, data storage or transmission services, etc. (This is not a complete listing.)

HIPAA Privacy Guidance AR-04 (log-in required) provides additional information regarding business associate relationships and agreements.
