Business Associate Agreement (BAA)

When is a Business Associate Agreement (BAA) required? 

A BAA is required when we do business with another entity that will have access to, transmit, or store our patient Protected Health Information (PHI) as part of the services it is rendering on our behalf. However, the following services do not require a BAA:

  1. when we share PHI with another treating provider or health care organization for the treatment of a shared patient or for the referral of a patient;
  2. when we transmit a prescription to a pharmacy to be filled for the patient; or
  3. when we transmit medical information or billing records to an insurance company for payment.   

Generally, USF will be the institution engaging another entity to render services on our behalf that require access to our PHI; however, other entities can also hire USF to render services on their behalf and require us to enter into a BAA.

Please remember that all BAAs must be reviewed and approved by our office before they can be executed on USF’s behalf.  

How do I request a Business Associate Agreement (BAA) be reviewed or drafted?  

Our simple CompliancePro Solutions BAA request form must be completed (this link is also on the Tampa site, where contracts are submitted for review and signature): https://usf.complianceprohealth.com/request/business_associate.

If you are uncertain whether a BAA is needed, go ahead and complete a BAA request form and our office will review the request to determine if a BAA is needed.  Further instructions are included on the CompliancePro Solutions site.   Please note:  Our office will not draft or review a BAA that comes to us via email or a message within the Tampa system without a BAA request form being completed within CompliancePro.  Additionally, a copy of the underlying agreement/contract must be uploaded into CompliancePro.  If you have a copy of the vendor’s BAA, please upload that as well.   

Why do we need a BAA?  

A BAA is required under HIPAA (Health Insurance Portability and Accountability Act) regulations. A BAA is a binding contract between USF and the other entity that outlines what each entity's legal obligations are with regard to PHI and what liability is incurred should such PHI be disclosed in violation of HIPAA.

More information on BAAs can be found on this BAA presentation.