BAA
Business Associate Agreements are required under the HIPAA privacy and security rules when a covered entity contracts or otherwise obtains a service from a third party that involves the use or disclosure of protected health information (PHI). There may be instances in which your school, department, business unit, or organization is the covered entity. There may also be instances in which your school, department, business unit, or organization is the business associate.
FAQs
If you are unclear whether your organization has a business associate arrangement needing a business associate agreement, we have provided frequently asked questions to assist you.
Decision Flowcharts
- Business Associate Agreements when your organization is the Covered Entity
- Business Associate Agreements when your organization is the Business Associate
Templates
If you need a business associate agreement template, please use one of the two HIPAA-compliant templates provided.
- This template is to be used when your school, department, business unit, or organization is the covered entity.
- This template is to be used when your school, department, business unit, or organization is the business associate.
Please Note: All business associate agreements must be reviewed by the University of Louisville Privacy Office prior to signature. This includes all business associate agreements involving the University of Louisville, the University of Louisville Research Foundation, an affiliated physician practice group, or any other entity for which the University of Louisville Privacy Office has oversight. If you use anything other than the templates provided, the review process is likely to take additional time and may require further negotiation with the third party.