Procedure for Executing a SOM HIPAA Business Associate Agreement

Do you contract with vendors who may have access or be exposed to Patient Health Information (PHI) while completing their work for you?

If so, the vendor should sign a Business Associate Agreement (BAA) prior to performing any work.

How do you go about getting a BAA executed for School of Medicine vendors?

Click here for more information on the BAA process.

Pursuant to the Health Information Privacy and Portability Act (HIPAA), a BAA is required when SOM departments enter into agreements with outside vendors that involve the vendor’s access or exposure to information considered to be PHI. The SOM is the Covered Entity (custodian of the information) and the Business Associate is the vendor (providing services to the SOM).

When the SOM acts as the Business Associate, the HIPAA Coordinator requests that the SOM standard template be used, and facilitates the same process as below.

Persons involved in the process of executing BAAs on behalf of the SOM may include:

  • SOM Privacy Officer and HIPAA Coordinator
  • Department/Division Business Managers or other persons making purchases or contracting for services on behalf of SOM
  • University Purchasing
  • Office of University Counsel Attorneys and Paralegal

The SOM Privacy Officer and HIPAA Coordinator review all SOM requests for BAAs. If it is determined that a BAA is required when the SOM acts as Covered Entity, the HIPAA Coordinator:

  1. records a brief description of products or services being provided by the vendor, together with contact information for the vendor and the SOM department requesting the BAA, and the renewal date of the agreement;
  2. drafts a BAA using the SOM standard template with a copy of the underlying agreement/contract/purchase order attached to the BAA as Exhibit A;
  3. forwards two original BAAs to the Business Associate for signature;
  4. forwards the two BAAs signed by the Business Associate to the appropriate SOM official for signature on behalf of the University; and
  5. retains one fully executed, original BAA on file, returns the other to the Business Associate, and forwards a copy to the appropriate SOM contact person involved.

If you have any further questions, contact Privacy by phone at 919-962-6332 or email at

BAA samples can be found here; they are only to be used as references.