Standard:
YALE-MSS-1.3: Ensure appropriate contracts for all third-party relationships are in place
YALE-MSS-1.3.2: A Business Associate Agreement (BAA) is in place
Details
A Business Associate Agreement (BAA) is required when Yale University discloses PHI to a business associate. It is also required when Yale allows a business associate to create or receive PHI on its behalf.
University HIPAA Policy defines a Business Associate as: an entity or person who performs a function involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity (such as claims processing, case management, utilization review, quality assurance, billing) or provides services for a covered entity that require the disclosure of PHI (such as legal, actuarial, accounting, accreditation).
Whether an entity is serving as a business associate is determined through HIPAA definition and Policy 5033.
A business associate is any individual authorized to contract for Yale University. It is an individual who enters into any form of relationship on behalf of Yale in which PHI is exchanged. This business associate could be another entity that has access to PHI other than a relationship with another treating provider relating to the treatment of patients. They may be responsible to obtain satisfactory assurances of protecting health information. This is made through the approved business associate contracting process and with the approved business associate contract.
Failure to meet this responsibility is subject to disciplinary action up to and including termination and/or dismissal. For more information, see University HIPAA Policy 5033.