Business Associates
Business Associates are persons or entities outside of BU that provide services to the BU Health Plans or any of the BU Covered Components and who may need to access, use, create or disclose HIPAA Protected Health Information in order to provide those services. Policy 3.9 of the HIPAA Policy Manual covers Business Associates in more detail, but we provide some guidance here.
We do not need to get a HIPAA Business Associate Agreement (BAA) with a health care provider we are coordinating care with. For example, if the 930 Dental Health Center wants to send fabrication requests to a licensed lab that will only create fabrications, we do not need a BAA with the lab. However, if we are sending fabrications to a licensed lab whose cloud-based platform can also be used to store and analyze data or to send fabrications to other labs or entities, we do need a BAA with the lab because they do more than simply provide patient fabrications.
We do not need to get a BAA with a software vendor if we are simply purchasing software that will go on computers used by providers at BU. However, we do need a BAA with a software vendor or supplier if they will provide support for the software (e.g., remote access provided by Dental IT using TeamViewer).
If you are considering a new Business Associate, bring the proposal to your HIPAA Contact. Your HIPAA Contact will ask BU Information Security to conduct a security review. After the review is completed, your HIPAA Contact can proceed to ask BU Procure to Pay (P2P) to obtain a contract and BAA with the vendor.
All purchases by BU departments – outside small office purchases – should be handled by P2P. They will obtain the BAA along with negotiating and signing the contract for you. New to working with P2P? Take their training here.
P2P does review purchases by BU HIPAA Components and includes our template BAA when it makes sense to include one. But try to give them a heads-up that a BAA should accompany the contract by leaving a comment or note in Guided Buying. P2P will fill out and use our approved BU Template BAA, and when a vendor asks for changes, P2P works with the HIPAA Privacy and Security Officers to review and negotiate changes.