HIPAA Business Associate Agreements

The HIPAA Regulations reflect the understanding that a covered entity, such as the University of California, often requires the services of third parties ("business associates") to conduct its operations. A business associate is a person or entity that creates, receives, maintains or transmits protected health information ("PHI") on behalf of the University. A business associate relationship exists when an individual or entity, acting on behalf of the University, assists in the performance of a function, activity or service involving the use or disclosure of PHI. These functions, activities and services, to or on behalf of the covered entity, include, but are not limited to:

  • Accounting Services
  • Accreditation Services
  • Actuarial Services
  • Administrative Services
  • Benefit Management
  • Billing
  • Claims Processing or Administration
  • Consulting Services
  • Data Aggregation Services
  • Data Analysis, Processing or Administration
  • Financial Services
  • Information Technology Services
  • Legal Services
  • Management Services
  • Practice Management
  • Quality Assurance
  • Repricing
  • Utilization Review

The HIPAA Regulations require the University, as a covered entity, to have a business associate agreement ("BA agreement") whenever a non-University person or entity provides services to the University involving the use or disclosure of the University's PHI. HIPAA requires that agreements with business associates include specific provisions. The University has standard HIPAA BA agreements that should be used whenever a business associate agreement is required.

The definition of PHI under HIPAA is broad and includes information, maintained by or for the "covered entity," relating to a person's health, the care received and payment for services. Within the University, the covered entity consists of its health care components, primarily University hospitals, clinics, physicians' offices, self-insured health plans, and student health services. PHI does not include health information in employment records maintained by the University in its role as employer.

Please refer any questions concerning the necessity for a BA agreement in a particular situation to your campus privacy officer.