Alert

Contact Us

To report a known or suspected violation of a patient’s privacy please contact the UNC Health Care Privacy Office by email (below), online or at (984) 974-1069.

Business Associates Agreements (BAAs)

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity. A business associate agreement is required under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule when a covered entity contracts or otherwise obtains a service from a third party that involved the use or disclosure of PHI.

What is a Business Associate Agreement (BAA)?

A business associate agreement is a contract between a business associate and a covered entity that outlines requirements a business associate must follow regarding the confidentiality, security, use and disclosure of PHI in providing services to the covered entity.

HIPAA requires that business associate agreements contain certain provisions, which are included in the UNC Health Care System business associate template.

When is a BAA needed?

If a person or entity creates, receives, maintains or transmits PHI for a covered entity, then a business associate relationship exists and a BAA is required.

Can organizations be both business associates and covered entities?

Yes, organizations, such as UNC Health Care, can operate as both covered entities and business associates in different situations. If an individual or entity performs certain activities on behalf of UNC Health Care, that individual is the business associate and UNC Health Care is the covered entity. If your department performs certain services on behalf of another entity that creates a business associate relationship, UNC Health Care is the business associate for another covered entity.

How to enter into a Business Associate Agreement with another entity or determine if UNC Health Care is a business associate to a covered entity.

The UNC Health Care System Privacy Office does not have signature authority on contracts; however, the Privacy Office can consult with departments that are considering agreements that have business associate relationship implications. More information about entering into business associate agreements can be obtained from the UNC Health Care Purchasing Department.

Top