What is a Business Associate (BA)?

A Business Associate is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity (CE) (i.e. the University) that involve access by the BA to protected health information (PHI).

A "business associate" is also a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. A CE may be a BA of another CE if it performs such services for the other CE.

Business Associate Agreement (BAA)

HIPAA generally requires that CEs and BAs enter into contracts with their BAs to ensure that BAs appropriately safeguard PHI. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the BA, based on the relationship between the parties and the activities or services being performed by the BA. A BA is directly liable under HIPAA for any uses or disclosures of PHI not authorized by the BAA or required by law.

The University’s BAA template fulfills all regulatory requirements and can be requested via the Data Sharing Request Portal.

The following items must be addressed in the BAA to ensure compliance with current regulation:

- Safeguards for protecting PHI
- Reporting mechanism for inappropriate use/disclosure of PHI
- Pass-through of provisions to any agent/subcontractor
- Access to PHI for amendment and mechanism for Accounting of Disclosures (AOD)
- Provision stating that BA will make available its internal practices, books and records relating to the use and disclosure of PHI for audit by HHS
- Plan for return/destruction of PHI and termination of underlying agreement



- Upon IRB approval, the department/research PI completes the University’s HIPAA BAA Template.
- When approved, the signed BAA is returned and the research project may begin.
- Copies of the signed BAA need to be kept by both parties.
- Subsequent BAAs signed by subcontractors must be kept by the contracted parties.

HIPAA Contacts

Lori Hopper

HIPAA Privacy Official

Alison Lakin

Signatory Official, Empowered Official Research Integrity Officer

Laura Morris

Interim HIPAA Security Officer