Business Associate Contracts / Agreements
HIPAA permits data to obtained from Covered Entities for use in research through a number of mechanisms (see worksheet).
Some Covered Entities may request that a researcher enter into an additional agreement, known variously as a "Business Associate Contract" (BAC) or "Business Associate Agreement" (BAA) in order to obtain information for use in research. As the HIPAA regulations do not identify the BAC/BAA as a mechanism through which information may be obtained for use in research, and these agreements are designed for providing services to a Covered Entity, it is the University's policy not to enter into such agreements to obtain research data. Additional detail on the issues involved and the University's guidance in this area is available in the Guidance section here.
There is one scenario, however, where a BAC/BAA is potentially appropriate, and that is when the researcher or a member of their team must perform data extraction within a Covered Entity in order to obtain their research data.
When the information a researcher seeks access to is a subset of the information contained in source documents maintained by the Covered Entity, HIPAA requires that the Covered Entity extract that information from the source documents. Once extracted, it may be released to a UB researcher in accordance with the terms of the specific release mechanism being utilized.
Although a Covered Entity may not have the resources to perform this service for the researcher, there are mechanisms under HIPAA by which any UB researcher, or member of a research team, can perform this activity on behalf of the Covered Entity. Note that a mechanism for engaging in the extraction activity must be associated with every individual who will be performing data extraction activities at a Covered Entity, including the PI and any research team member:
It is important to realize that in each of these cases the data extraction is being performed by the Covered Entity, even if the individual also happens to be a member of the research team. Any information conveyed to the research team beyond that permitted by the specific transfer mechanism would be a violation of HIPAA.
It is also important to realize that when the Business Associate Contract mechanism is to be used by a UB researcher or member of their research team, this Contract is executed between UB and the Covered Entity. These contracts must be reviewed and approved by the UB Director of HIPAA Compliance, and must be signed by the appropriate UB signatory agent (not the researcher, their chair, their dean, etc.)
For a list of Business Associate Contracts that have been
negotiated between UB and various Covered Entities, and instructions on how to
use them, click on the
Instructions link in the upper left corner of this page).
This material is designed for internal University at Buffalo use only and is
copyrighted. Information and documents available on this site may be
freely copied and used with appropriate attribution to the University at
Buffalo. None of the information on these pages should be construed as
legal advice or expert opinion with respect to how any particular function or
entity engages in work to come into compliance with HIPAA.