HIPAA
Data Extraction / Business Associates

BAC Instructions

Business Associate Contracts / Agreements

HIPAA permits data to be obtained from Covered Entities for use in research through a number of mechanisms (see worksheet).

Some Covered Entities may request that a researcher enter into an additional agreement, known variously as a "Business Associate Contract" (BAC) or "Business Associate Agreement" (BAA) in order to obtain information for use in research.  As the HIPAA regulations do not identify the BAC/BAA as a mechanism through which information may be obtained for use in research, and these agreements are designed for providing services to a Covered Entity, it is the University's policy not to enter into such agreements to obtain research data.  Additional detail on the issues involved and the University's guidance in this area is available in the Guidance section here.

There is one scenario, however, where a BAC/BAA is potentially appropriate, and that is when the researcher or a member of their team must perform data extraction within a Covered Entity in order to obtain their research data.

Data Extraction

When the information a researcher seeks access to is a subset of the information contained in source documents maintained by the Covered Entity, HIPAA requires that the Covered Entity extract that information from the source documents.  Once extracted, it may be released to a UB researcher in accordance with the terms of the specific release mechanism being utilized.

Although a Covered Entity may not have the resources to perform this service for the researcher, there are mechanisms under HIPAA by which any UB researcher, or member of a research team, can perform this activity on behalf of the Covered Entity.  Note that a mechanism for engaging in the extraction activity must be associated with every individual who will be performing data extraction activities at a Covered Entity, including the PI and any research team member:

  1. The transfer mechanism by which a UB researcher will receive information from the Covered Entity is the HIPAA Authorization, and the authorization permits the researcher to receive the subject's entire or complete medical record.  In this case the information the researcher is permitted to receive is the full set (rather than a subset) of the information maintained by the Covered Entity.  Since the process of extraction does not disclose to the researcher more information than they are permitted to receive, they can perform the extraction process.  NB: anyone who will be using this mechanism to extract information must be adequately identified on the authorization as being able to receive information via the authorization.
  2. Individual to perform data extraction is part of the Covered Entity's workforce in a role that is separate and distinct from their UB research function (e.g., practice plan clinician with staff privileges in the Covered Entity).  Under these circumstances the individual may perform the data extraction function as part of the Covered Entity's workforce under this separate role.
  3. Individual to perform data extraction is a UB student who is covered by a SUNY Clinical Affiliation Agreement with the Covered Entity.  Under these circumstances the individual may perform the data extraction function as part of the Covered Entity's workforce under the "Operations" section of HIPAA.
  4. Individual to perform data extraction is placed on a Business Associate Contract between UB and the Covered Entity which specifically permits these activities.

It is important to realize that in each of these cases the data extraction is being performed by the Covered Entity, even if the individual also happens to be a member of the research team.  Any information conveyed to the research team beyond that permitted by the specific transfer mechanism would be a violation of HIPAA.

It is also important to realize that when the Business Associate Contract mechanism is to be used by a UB researcher or member of their research team, this Contract is executed between UB and the Covered Entity.  These contracts must be reviewed and approved by the UB Director of HIPAA Compliance, and must be signed by the appropriate UB signatory agent (not the researcher, their chair, their dean, etc.).

For a list of Business Associate Contracts that have been negotiated between UB and various Covered Entities, and instructions on how to use them, click on the BAC Instructions link in the upper left corner of this page.

This material is designed for internal University at Buffalo use only and is copyrighted.  Information and documents available on this site may be freely copied and used with appropriate attribution to the University at Buffalo.  None of the information on these pages should be construed as legal advice or expert opinion with respect to how any particular function or entity engages in work to come into compliance with HIPAA.
Last updated: July 28, 2009.