
BAAFAQs

BUSINESS ASSOCIATE AGREEMENTS
FREQUENTLY ASKED QUESTIONS

Q1. What is a Business Associate Agreement?

A1. A Business Associate Agreement is a contractual document required between a Covered Entity and its service entities that have access to protected health information (PHI). This agreement sets forth the requirements the Business Associate must follow with regard to the confidentiality, security, use and disclosure of protected health information while providing services that help the covered entity with its health care operations.

Q2. Who is a Business Associate?

A2. A Business Associate is a person or company that performs certain functions or activities involving the creation, use, or disclosure of protected health information on behalf of a covered entity, or that provides services to a covered entity. Covered entities such as hospitals, physician practices and pharmacies may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care operations, not for the business associate's independent use or purposes, except as needed for the proper management and administration of the business associate.

Q3. If I am employed by or volunteer at a hospital or a physician practice group am I a business associate?

A3. No, you would be considered a member of the covered entity's workforce. A member of the covered entity's workforce is not a business associate.

Q4. If I go to a hospital, physician practice or other clinical location as part of my residency or clinical requirements for my degree, am I a business associate?

A4. No, you would be considered a member of the covered entity's workforce. A member of the covered entity's workforce is not a business associate.

Q5. What are Examples of Business Associate Functions and Activities?

A5. Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and off-site shredding of medical records. Examples: third-party billing companies, transcriptionists, data storage companies, data shredding companies, etc.

Q6. What are Examples of Business Associate Services?

A6. Legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial services. Examples: attorneys defending a medical malpractice claim or helping with a billing audit; external consultants conducting compliance audits; accreditation boards and committees. NOTE: if a covered entity provides these types of services for another covered entity, it is a business associate of that covered entity.

Q7. Is a Business Associate Agreement needed for Janitorial or Similar Services?

A7. No. A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons, such as janitorial service staff, would be incidental, if at all.

Q8. Are Entities such as Mail Carriers or Delivery Companies Business Associates?

A8. No. The Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents, that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.

Q10. Can a Health Care Provider be a Business Associate of another Health Care Provider?

A10. Yes. Any covered health care provider may share protected health information with another health care provider for treatment purposes without a business associate contract. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose. For example, a UofL Clinic may contract with an outside physician practice group to provide the UofL Clinic's computer billing system. In this case, a business associate contract would be required before the UofL Clinic could allow the outside physician practice group to access patient health information for application and maintenance of the billing system.

Q11. Is a flowchart available to help me determine if a Business Associate Agreement is needed?

A11. Yes. Use the following Links to access two business associate agreements (BAA) decision flowcharts:

  1. BAA decision flowchart when your School, Department, or Practice Group is the Covered Entity
  2. BAA decision flowchart when your School, Department, or Practice Group is the Business Associate

Q12. If a Business Associate Agreement is needed, is there a University of Louisville template form that can be used?

A12. Yes. Use the following Links to access two template business associate agreements (BAA) for use by UofL Schools, Departments, or Practice Groups:

  1. BAA where the UofL entity is the Covered Entity
  2. BAA where the UofL entity is the Business Associate of another Covered Entity

Q13. Does anyone need to review Business Associate Agreements that have a University of Louisville School, Department, or Practice Group as a Party?

A13. Yes. All Business Associate Agreements including a UofL School, Department, or Practice Group as a party to the agreement (as either the Covered Entity or Business Associate) should be forwarded to the UofL Privacy Office for review prior to execution.

Please forward the BAA for review to:

     University of Louisville Privacy Office
     Med Center One
     501 East Broadway, Suite 110
     Louisville, KY 40202
     privacy@gwise.louisville.edu

Q14. If my department or practice plan gets a Business Associate Agreement from our vendor what should we do?

A14. You can either send the vendor the standard UofL BAA template or send the vendor's BAA to the University of Louisville Privacy Office for review to ensure it meets all the required criteria under the Privacy and Security Rules.

Q15. Is there someone available to answer University of Louisville School, Department, or Practice Group questions regarding Business Associate Agreements?

A15. Yes. Remember, the University of Louisville Privacy Office is here to serve you. Please feel free to contact the UofL Privacy Office via privacy@gwise.louisville.edu or by calling 502-852-3803 for assistance.

Q16. Will I ever need a BAA for a research project?

A16. As a general rule, no. Research sponsors are not considered Business Associates. However, if you engage someone outside of UofL to assist you with your research project, you may need a BAA. If you are unsure, contact the Privacy Office.
