Skip to main content

A business associate (BA) is a person, or entity, that performs a function or service on behalf of or to a HIPAA covered entity (CE) where the work involves access to, transmission of, or storage of the CE’s Protected Health Information (PHI).  The University can serve as the CE or the BA.


To ensure that PHI is handled appropriately by outside vendors and entities, a business associate agreement (BAA) may be required.  A BAA is a contract between a CE and a BA which is a requirement of the HIPAA Privacy Rule.  The BAA details how PHI is handled, disclosed and safeguarded by the BA.


For more information on the procedure for executing a BAA, please reference the University’s Institutional Privacy Office website here.