
Business Associate Agreement (BAA)


A required legal document that defines the relationship, roles and responsibilities of a business associate and a HIPAA covered entity for safeguarding Protected Health Information (PHI) in compliance with the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule. All BAAs accompany some other type of underlying agreement. Typically, the accompanying agreement defines the terms of the relationship between parties, but sometimes, these underlying agreements can be as simple as a purchase order. Both the business associate and HIPAA covered entity are directly liable for HIPAA violations and impermissible disclosures of PHI. The terms within a BAA determine how the parties choose to contract for that liability.

HIPAA: Summary of the HIPAA Privacy Rule

If your UNC-Chapel Hill department is using a third-party vendor for any purpose that involves the disclosure of PHI to that vendor or permits the vendor to access or transmit PHI on your or your department’s behalf, you need a contract with that vendor that includes a BAA. Questions regarding how to obtain a BAA should be directed to your unit’s Privacy Liaison or Purchasing. Additional information about how to obtain a BAA is available on the UNC-Chapel Hill Institutional Privacy Office (IPO) BAA webpage.

