The University of Arizona

HIPAA Business Associate Agreements


HIPAA training questions?
Email: vpr-irb@email.arizona.edu
Call: 520.626.4444

Contact the HIPAA Privacy Program
Katherine Georger, JD, CHC, CHRC, CIPP/US
HIPAA Privacy Officer
EmailPrivacyOffice@email.arizona.edu
Phone: 520.621.1465
Fax: 520.621.3355

Street Address:
1618 E. Helen Street
Tucson, AZ 85719

Mailing Address:
Attn: Privacy Officer
The University of Arizona
PO Box 210409
Tucson, AZ 85721

Roles & Responsibilities

UA must require that all Business Associates sign agreements assuring UA that they will safeguard Protected Health Information (PHI), including electronic Protected Health Information (ePHI), originating from UA and will protect the integrity, availability and confidentiality of that PHI. As a result of these requirements:

UA’s Contract Offices and Business Owners are responsible for:

    1. Determining if PHI is being shared with another entity, and if so;
    2. Determining whether:

      (a) UA is sharing its PHI (or the PHI UA holds on behalf of another Covered Entity in its capacity as a Business Associate) with a third party (company, sponsor, institution), in which case the third party is the Business Associate; or

      (b) The third party (company, sponsor, institution) is sharing its PHI with UA, in which case UA is the Business Associate.

    3. Submitting the Business Associate Intake Form to the UA HIPAA Privacy Office when a Business Associate Agreement is needed.

Who is a Business Associate?

A Business Associate is a person or entity who is not a member of the Covered Entity's workforce and who, on behalf of a HIPAA Covered Entity or Hybrid Covered Entity like UA, performs or assists in the performance of a function or activity, or provides support services, involving the use or disclosure of individually identifiable health information.

Some Business Associate functions or activities that may be performed on behalf of a Covered Entity/Hybrid Covered Entity include:

      • data processing
      • data analysis
      • utilization review
      • billing
      • cloud storage vendor services
      • transcription services
      • legal services
      • data aggregation
      • administrative functions
      • financial services
      • management services
      • consulting services
      • accounting services
      • actuarial services
      • accreditation services

An individual or organization is only considered a Business Associate if they perform a function or service on behalf of the Covered Entity/Hybrid Covered Entity (such as UA) and handle, or are expected to handle, Protected Health Information (PHI) as part of the job function or service they perform or provide on behalf of the Covered Entity/Hybrid Covered Entity.

In some cases, UA may serve as a Business Associate of another Covered Entity if UA is performing services, functions or activities on behalf of the other Covered Entity and handling PHI as part of the services performed. When UA is acting in its capacity as a Business Associate and will be disclosing any of the Covered Entity's PHI to a third party (a Subcontractor) to perform any of its services, UA is required to enter into a Business Associate Agreement with any downstream Subcontractor that will have access to the Covered Entity's PHI.

What is a Business Associate Agreement (BAA)?

HIPAA requires that a Covered Entity/Hybrid Covered Entity enter into a Business Associate Agreement (BAA) any time it will use a contractor or other non-workforce member to perform "Business Associate" services or activities on its behalf. The purpose of the BAA is to protect the data and ensure that any party who performs functions or activities on behalf of the Covered Entity, and will handle PHI in carrying out those duties, adheres to certain standards to protect the data.

HIPAA requires that a BAA be in writing and include several terms and conditions for maintaining compliance with federal privacy regulations, including written assurances that the Business Associate:

    1. Will not use or disclose PHI other than as permitted or required by the agreement or as otherwise required by law;
    2. Will use appropriate safeguards to prevent unauthorized use or disclosure of PHI (other than as provided for by the BAA);
    3. Will report any use or disclosure not provided for in the BAA of which it becomes aware; and
    4. Will ensure that any subcontractors that create, receive, maintain or transmit PHI agree to the same restrictions and conditions as the Business Associate.

For more information about obtaining a BAA, contact the UA Privacy Office.