Business Associates

The HIPAA Privacy and Security Rules apply to covered entities, which include health plans, health care clearinghouses, and certain health care providers. However, most covered entities use the services of other persons or companies in their day-to-day business. HIPAA allows a covered entity to disclose protected health information to these persons and companies, which HIPAA refers to as "business associates," so long as the covered entity obtains satisfactory assurances that the business associate will use the information only for the purposes for which it is working with the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. The covered entity obtains these assurances from the business associate by entering into a Business Associate Agreement (BAA).

BAAs are required under the HIPAA Privacy and Security Rules when a covered entity contracts for or otherwise obtains a service from a third party that involves the use or disclosure of protected health information (PHI). In some instances your school, department, business unit, or organization is the covered entity; in others, it is the business associate.

Determining whether a BAA is necessary, and whether you are the covered entity or the business associate, can be difficult. Please contact the Privacy Office if you are unsure whether you need a Business Associate Agreement, or whether you are the covered entity or the business associate.

BAA Templates

For guidance in using these templates, please visit the Privacy Office HIPAA Policy Manual, PO-8 Business Associate Agreements (available on the HIPAA Policies & Procedures page, log-in required). If you have questions regarding which template to use, please contact us at (502) 852-3803 or

Please send a copy of all BAAs to once all signatures are obtained.

See our frequently asked questions for further information about business associate arrangements.

Important Note: The Privacy Office does not have signatory authority to bind the University of Louisville to any contract; however, we can sign as "Recommended By," which helps ensure that the language in the contract is appropriate from a HIPAA perspective. Accordingly, any business associate agreement that uses language other than the templates noted above, or that proposes changes to those templates, should be reviewed by the University of Louisville Privacy Office before it is signed by the School or Department. This includes all business associate agreements for the University of Louisville, the University of Louisville Research Foundation, and any other entity for which the University of Louisville Privacy Office has oversight.