Business Associate Agreements
The HIPAA Privacy & Security Rules apply to covered entities, which include health plans, health care clearinghouses, and certain health care providers. However, most covered entities use the services of other persons or companies in their day-to-day business. HIPAA allows a covered entity to disclose protected health information to these persons and companies, which HIPAA refers to as “business associates,” so long as the covered entity obtains satisfactory assurances that the business associate will use the information only for the purposes for which it is working with the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. The covered entity obtains these assurances from the business associate by entering into a Business Associate Agreement (BAA).
BAAs are required under the HIPAA privacy and security rules when a covered entity contracts or otherwise obtains a service from a third party that involves the use or disclosure of protected health information (PHI). There may be instances in which your school, department, business unit, or organization is the covered entity, while in other instances, your school, department, business unit, or organization is the business associate.
Determining whether a BAA is necessary, and whether you are the covered entity or business associate, can be difficult. Please contact the Privacy Office if you are unsure if you need a Business Associate Agreement, or whether you are the covered entity or the business associate.
BAA Templates
For guidance in using these templates, please visit the UofL HIPAA Policy Manual, PO-8 Business Associate Agreements (available on the HIPAA Policies & Procedures page, log-in required). If you have questions regarding which template to use, please contact us at (502) 852-3803 or privacy@louisville.edu.
- When UofL is the Covered Entity receiving a service - The Covered Entity BAA template (Word Doc) is to be used when your school, department, business unit or organization is the covered entity.
- When UofL is the Business Associate performing the service - The Business Associate BAA template (Word Doc) is to be used when your school, department, business unit or organization is the business associate.
Please send a copy of all BAAs to privacy@louisville.edu once all signatures are obtained.
Important Note: All Business Associate Agreements using any language other than the templates on this page, or any changes suggested to the templates, must be reviewed by the University of Louisville Privacy Office prior to signature. This includes all Business Associate Agreements for the University of Louisville, the University of Louisville Research Foundation, and any other entity for which the University of Louisville Privacy Office has oversight.
Business Associate Agreement FAQs
A Business Associate Agreement (BAA) is a contract between a Business Associate (BA) and a Covered Entity (CE) that outlines requirements a BA must follow regarding the confidentiality, security, use and disclosure of PHI in providing services to a CE.
HIPAA requires that BAAs include specific legal provisions, so it is important that a BAA has the approval of the University's Privacy Office to ensure that all such provisions are included. If agreements other than the UofL BAA templates included on this site are used, the Privacy Office must review the BAA to ensure that it meets all of HIPAA’s requirements. The UofL Privacy Office can be reached at 502-852-3803 or via email at privacy@louisville.edu.
The UofL HIPAA Policy Manual, PO-8 Business Associate Agreements, (log-in required) provides additional information on Business Associates and Business Associate Agreements.
A BAA is needed whenever a business associate relationship exists. A Business Associate (BA) is a person or organization that creates, receives, maintains or transmits PHI for a covered entity for a function or activity regulated by HIPAA. BAs are generally vendors that provide services such as billing or claims processing, quality assurance, patient safety activities, legal or accounting services, transcription, data storage or transmission services, etc. (This is not a complete listing.)
The UofL HIPAA Policy Manual, PO-8 Business Associate Agreements, (log-in required) provides additional information on Business Associates and Business Associate Agreements.
The UofL Privacy Office can be reached at 502-852-3803 or via email at privacy@louisville.edu.
A covered entity is a health care provider who electronically transmits health information in connection with certain transactions (such as claims, benefit eligibility inquiries, or referral authorization requests), a health plan, or a health care clearinghouse.
Examples of Covered Entities include:
- Doctors, Clinics, Nursing Homes and Pharmacies that transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard
- Health insurance companies
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
- Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
The information above is provided by the Department of Health & Human Services, Office for Civil Rights.
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A “business associate” is also a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Examples of Business Associates include:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
The information above is provided by the Department of Health & Human Services, Office for Civil Rights.
The Privacy Rule defines “protected health information” (PHI) as individually identifiable health information, held or maintained by a covered entity or its business associates, that is transmitted or maintained in any form or medium. This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision of or payment for health care to an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.