Checklist on Business Associates


A Covered Component may permit a business associate to create, receive, maintain, or transmit Protected Health Information on the Covered Component’s behalf only if the Covered Component obtains satisfactory assurances, in accordance with a compliant form of Business Associate Agreement or other arrangement, that the business associate will appropriately safeguard the information.  A Covered Component is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. R – § 164.308(b)(1)

The Covered Components and their support units are each responsible for identifying their Business Associates and making sure that a compliant form of Business Associate Agreement has been executed by BU with each Business Associate before the Business Associate is permitted to create, receive, maintain, or transmit PHI on behalf of or for the Covered Component.

A Business Associate Agreement is appropriate only if the intended relationship with the outside entity actually falls within the Definition of Business Associate. In all other cases, the outside entity may create, receive, maintain, or transmit PHI for the Covered Component only if (i) the individual has given written authorization or (ii) the HIPAA Privacy Rule permits the intended use and disclosure of PHI without the individual’s authorization (e.g., for treatment, payment, or operations purposes).

Contact the BU Office of the General Counsel for assistance in identifying all Business Associates.

Document the satisfactory assurances required by paragraph (b)(1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable HIPAA requirements. R – § 164.308(b)(4)

See Organizational Requirements below.

If your unit is entering into a relationship with a hospital, clinic, health care practice, or other organization that is a HIPAA covered entity and your unit will be functioning as a Business Associate for that outside entity, a Business Associate Agreement will need to be executed. Contact the BU Office of the General Counsel for assistance if you think your unit will be a Business Associate for an outside entity.



(i) The contract or other arrangement required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. R – § 164.314(a)(1)

A Business Associate contract is required that must provide that the Business Associate will:

(A) Comply with the applicable requirements of the HIPAA Security Rule

(B) Ensure that any subcontractors that create, receive, maintain, or transmit electronic Protected Health Information on behalf of the Business Associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement that complies with this section

(C) Report to the Covered Component any security incident of which it becomes aware, including breaches of unsecured Protected Health Information

R – § 164.314(a)(2)(i)

The BU Office of the General Counsel has developed a compliant form of Business Associate Agreement. It must be signed by the BU Treasurer or authorized Assistant Treasurer. If a Business Associate requests changes to the BU form of Business Associate Agreement or requests that you sign the Business Associate’s own form of Business Associate Agreement, contact the BU Office of the General Counsel.

The Covered Component is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3):

(i) If a Covered Component and its Business Associate are both governmental entities…

(ii) If a Business Associate is required by law to perform a function or activity on behalf of a Covered Component…

iii) …if the termination authorization is inconsistent with the statutory obligations of the Covered Component or its Business Associate.

(iv) …if the Covered Component discloses only a limited data set to a Business Associate for the Business Associate to carry out a health care operations function and the Covered Component has a Data Use Agreement with the Business Associate…

R – § 164.314(a)(2)(ii)

This describes the very few circumstances under which you can use an arrangement with a Business Associate that is an alternative to a Business Associate Agreement.  Clause (iv) refers to an alternative form of agreement known as a Data Use Agreement. It can be used with a Business Associate that is carrying out a health care operations function for the Covered Component but only if the Business Associate has access to information that contains only certain limited HIPAA Identifiers that qualify as a “limited data set” as defined in HIPAA.   If you believe your activities fall into one of these statutory areas, contact the Office of General Counsel for assistance. [See References]

The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a Covered Component and Business Associate. R – § 164.314(a)(2)(iii)

If your Business Associate carries out its functions through a subcontractor, the Business Associate must have its own compliant agreement with the subcontractor.

Except when the only electronic Protected Health Information disclosed to a plan sponsor is disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic Protected Health Information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. R – § 164.314(b)(1)