Business Associates are entities that perform services for HIPAA Covered Entities that involve the use or disclosure of Protected Health Information. Covered Entities are required by law to enter into agreements with them, known as Business Associate Contracts or Business Associate Agreements (BACs/BAAs).
HIPAA makes specific exceptions for research, and in general a BAC is not required to conduct research activities (see guidance here).
At UB, authority to negotiate and execute Business Associate Contracts is limited as follows depending on which entity is executing the agreement:
In addition, the need for a Business Associate Contract must first be verified by the UB Director of HIPAA Compliance. If you are being asked to enter into a Business Associate Contract, please bring it to the attention of the UB Director of HIPAA Compliance for review and implementation assistance. In general, Business Associate Agreements are not appropriate for the activities UB engages in, but there are some exceptions.
In 2009 the rules of the game changed significantly for Business Associates as a new law, which extended to Business Associates portions of HIPAA that used to apply only to Covered Entities, as well as the significant penalties that used to apply only to Business Associates, came into effect. You can read more about the impact of the HITECH Act on Business Associates here. In July of 2009 UB circulated a memo designed to identify any Business Associate Contracts that may have been executed without the knowledge of the HIPAA compliance office.
This material is designed for internal University at Buffalo use only and is copyrighted. Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo. None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.