Business Associate Agreements


As a Hybrid Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA), the University of Florida requires that all Business Associates sign a Business Associate Agreement (BAA) assuring UF that they will adopt reasonable safeguards to protect Protected Health Information, including electronic Protected Health Information (ePHI), originating from UF/UF Health and will protect the integrity, availability, and confidentiality of PHI throughout the data lifecycle. 

This page contains general information about Business Associate Agreements, responses to frequently asked questions and information on the process for obtaining a Business Associate Agreement at UF/UF Health. For any additional questions regarding BAAs, please contact the Privacy Office at privacy@ufl.edu.

A Business Associate is a person or entity who provides covered services to, or performs covered services or activities on behalf of, a HIPAA Covered Entity or other Business Associate, if the person or entity creates, receives, maintains, or transmits Protected Health Information (PHI) in the course of providing such services.

A BAA is a contract between the covered entity and the business associate that ensures that business associates will appropriately safeguard protected health information. The contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. 

A BAA must be written and include the following terms and conditions: 

  1. Permitted Uses and Disclosures of PHI
  2. Limitations on Use and Disclosure of PHI
  3. Privacy and Security Requirements
  4. Availability of PHI, Amendments and Accounting of Disclosures
  5. Availability of Books and Records
  6. Reporting Obligations
  7. Mitigation, Cooperation, Indemnification and Insurance Obligations
  8. Term and Termination
  9. Miscellaneous Requirements 

Services or activities may include data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. Additional activities may include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity where performing those services involves disclosure of individually identifiable health information by the covered entity or another business associate of the covered entity to that person or entity.  

Please contact the Office of Privacy Compliance at privacy@ufl.edu.