Business Associate Agreements

A BAA is used when fully identifiable PHI is being shared with another party.

What is a Business Associate (BA)?

A Business Associate is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity (CE) (i.e. the University) that involve access by the BA to protected health information (PHI).

A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. A CE may be a BA of another CE if it performs such services for the other CE.

Business Associate Agreement (BAA)

HIPAA generally requires that CEs and BAs enter into contracts with their BAs to ensure that BAs appropriately safeguard PHI. The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the BA, based on the relationship between the parties and the activities or services being performed by the BA. A BA is directly liable under HIPAA for any uses or disclosures of PHI not authorized by the BAA or required by law.

The University’s BAA template fulfills all regulatory requirements and can be requested via the Data Sharing Request Intake form.

The following items must be addressed in the BAA to ensure compliance with current regulation:

1

Safeguards for protecting PHI

2

Reporting mechanism for inappropriate use/disclosure of PHI

3

Pass-through of provisions to any agent/subcontractor

4

Access to PHI for amendment and mechanism for Accounting of Disclosures (AOD)

5

Provision stating that BA will make available its internal practices, books and records relating to the use and disclosure of PHI for audit by HHS

6

Plan for return/destruction of PHI and termination of underlying agreement

Process

1

BAA Request is made via the Data Sharing Request Intake form

Data Sharing Request Intake

2

REDCap sends email notification to appropriate staff advising that a new BAA request has been submitted

3

Staff review the BAA submission and contact requestor with any questions. BAA will be reviewed and negotiated in accordance with institutional compliance and legal standards

4

Final DRAFT of the agreement is reviewed and signed off in REDCap by ORC staff

5

ORC staff route the final version of the agreement to ORC Signing Official for review, approval and signature

6

Copy of fully executed agreement is electronically distributed to all stakeholders by ORC

See HIPAA BAA Decision Tree

HIPAA Contacts

Regulatory Compliance

CU Anschutz

Fitzsimons Building

13001 East 17th Place

WG109

Aurora, CO 80045

303-724-1010

Tools & Resources

Schools & Colleges

CU Denver

CU Anschutz Medical Campus

CU Campuses

HIPAA/Privacy

Regulatory Compliance

Business Associate Agreements

What is a Business Associate (BA)?

Business Associate Agreement (BAA)

The following items must be addressed in the BAA to ensure compliance with current regulation:

Safeguards for protecting PHI

Reporting mechanism for inappropriate use/disclosure of PHI

Pass-through of provisions to any agent/subcontractor

Access to PHI for amendment and mechanism for Accounting of Disclosures (AOD)

Provision stating that BA will make available its internal practices, books and records relating to the use and disclosure of PHI for audit by HHS

Plan for return/destruction of PHI and termination of underlying agreement

Process

BAA Request is made via the Data Sharing Request Intake form

REDCap sends email notification to appropriate staff advising that a new BAA request has been submitted

Staff review the BAA submission and contact requestor with any questions. BAA will be reviewed and negotiated in accordance with institutional compliance and legal standards

Final DRAFT of the agreement is reviewed and signed off in REDCap by ORC staff

ORC staff route the final version of the agreement to ORC Signing Official for review, approval and signature

Copy of fully executed agreement is electronically distributed to all stakeholders by ORC

HIPAA Contacts

Regulatory Compliance

Business Associate Agreements

What is a Business Associate (BA)?

Business Associate Agreement (BAA)

The following items must be addressed in the BAA to ensure compliance with current regulation:

Safeguards for protecting PHI

Reporting mechanism for inappropriate use/disclosure of PHI

Pass-through of provisions to any agent/subcontractor

Access to PHI for amendment and mechanism for Accounting of Disclosures (AOD)

Provision stating that BA will make available its internal practices, books and records relating to the use and disclosure of PHI for audit by HHS

Plan for return/destruction of PHI and termination of underlying agreement

Process

BAA Request is made via the Data Sharing Request Intake form

REDCap sends email notification to appropriate staff advising that a new BAA request has been submitted

Staff review the BAA submission and contact requestor with any questions. BAA will be reviewed and negotiated in accordance with institutional compliance and legal standards

Final DRAFT of the agreement is reviewed and signed off in REDCap by ORC staff

ORC staff route the final version of the agreement to ORC Signing Official for review, approval and signature

Copy of fully executed agreement is electronically distributed to all stakeholders by ORC

HIPAA Contacts

Lori Hopper

HIPAA Privacy Official

Alison Lakin

Signatory Official, Empowered Official Research Integrity Officer

Charlotte Russell

HIPAA Security Officer

Regulatory Compliance