Business Associate Agreement FAQs

A Business Associate Agreement (BAA) is a contract between a Business Associate (BA) and a Covered Entity (CE) that outlines the requirements a BA must follow regarding the confidentiality, security, use, and disclosure of protected health information (PHI) when providing services to a CE.

HIPAA requires that BAAs include specific legal provisions, so it is important that a BAA has the approval of the University's Privacy Office to ensure that all such provisions are included. If agreements other than the UofL BAA templates included on this site are used, the Privacy Office must review the BAA to ensure that it meets all of HIPAA’s requirements. The UofL Privacy Office can be reached at 502-852-3803 or via email at privacy(@)louisville.edu.

The UofL Privacy Office HIPAA Policy Manual, PO-8 Business Associate Agreements (log-in required), provides additional information on Business Associates and Business Associate Agreements.

A BAA is needed whenever a business associate relationship exists. A Business Associate (BA) is a person or organization that creates, receives, maintains, or transmits PHI for a covered entity for a function or activity regulated by HIPAA. BAs are generally vendors that provide services such as billing or claims processing, quality assurance, patient safety activities, legal or accounting services, transcription, data storage or transmission services, etc. (This is not a complete listing.)
