Managing Business Associate Arrangements

Layout for printing

Policy Number:

UW-116

Old Policy Number:

6.1

Responsible Office:

Office of Compliance

University Policy

Rationale/​Purpose:

This policy establishes how UW-Madison manages business associate arrangements, whether the university is acting as the covered entity or a business associate under HIPAA (Health Insurance Portability and Accountability Act). The HIPAA Privacy Rule and HITECH ( Heath Information Technology for Economic and Clinical Health) Act allow PHI (Protected Health Information) to be shared with a business associate if there is a written agreement (i.e., a contract with the terms required by HIPAA) ensuring the information will be properly safeguarded.

At UW-Madison, responsibility for managing these agreements is shared among the involved business unit, the authorized signatory, and the HIPAA Privacy Office. This policy outlines the requirements that UW-Madison staff must follow to ensure that appropriate agreements are in place and that PHI is protected in all business associate relationships.

Definitions:

Business associate

A person or entity that performs functions on behalf of a covered entity which involve the use of the covered entity's protected health information (PHI).

Business associate agreement (BAA)

Contractual terms required by the HIPAA regulations between a covered entity and a business associate that specifies how the business associate can use protected health information (PHI).

Covered entity

A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

Protected health information (PHI)

Health information about an individual that contains at least one of the identifiers specified in the HIPAA regulations. PHI does not include student records held by educational institutions or employment records held by employers.

Signatory authority

An individual who has the power to sign contracts on behalf of UW-Madison. These individuals are listed in the Signature Authority Memo.

University of Wisconsin-Madison Health Care Component (UW HCC):

Those units of the University of Wisconsin–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units.

Scope:

Applies to all departments, units, and employees of UW-Madison.

Policy:

1. When information about patients/research participants is involved, UW-Madison units providing services to or receiving services from an external party are responsible for:
   1. Determining whether a business associate agreement (BAA) is needed, either through completion of the BAA tool or consulting directly with the HIPAA Privacy office.
   2. If it is determined no BAA is needed: providing proof to the involved signatory authority that the HIPAA Privacy office was involved in the determination, either through completion of the BAA tool or direct consultation.
2. UW-Madison units initiating a business associate relationship, either as the business associate or covered entity, are responsible for:
   1. Reviewing UW-Madison’s Guidance on Business Associate Relationships
   2. Providing proof to the signatory authority that the HIPAA Privacy office was involved in the BAA process, either through completion of the BAA tool or consulting directly with the HIPAA Privacy office.
   3. Informing the external entity that a BAA is needed
   4. Initiating a UW-Madison cybersecurity review
   5. Routing BAA to appropriate signatory authorities at UW-Madison
   6. Only sharing or receiving protected health information (PHI) once the UW-Madison cybersecurity review has been completed and the BAA signed by all parties
   7. Reporting possible violations of BAA terms to HIPAA Privacy office
   8. Informing HIPAA Privacy office of BAA expiration and appropriate disposition of the PHI
   9. When UW-Madison is the business associate: completing the Business Associate Checklist
3. Signatory authorities are responsible for:
   1. Confirming a BAA is needed in consultation with the HIPAA Privacy office
   2. Negotiating terms with the external entity and consulting with the HIPAA Privacy office to obtain approval of any terms that deviate from UW-Madison's BAA template
   3. Signing the agreement and ensuring it is signed by the external party
   4. Routing a fully signed copy of the BAA to the HIPAA Privacy office
4. The HIPAA Privacy office is responsible for:
   1. Approving any terms that deviate from UW-Madison's BAA template
   2. Maintaining a copy of the BAA in compliance with the HIPAA regulations and UW-Madison records retention requirements
   3. Assessing material breaches of BAA terms
   4. Confirming the disposal and/or return of PHI upon termination

Related UW-Madison Policies:

UW-100 Designation of UW–Madison Health Care Component

Related UW–Madison Documents, Web Pages, or Other Resources:

Business Associate Checklist   

Guidance on Business Associate Relationships

Office of Compliance Policies and Forms

External References:

45 C.F.R. § 164.502(e)

45 C.F.R. § 164.504(e)

Policy Administration

Approval Authority:

Vice Chancellor for Legal Affairs

Policy Manager:

HIPAA Privacy Officer

Contact:

HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077

Effective Date:

03-12-2003

Revised Dates:

07-20-2014: Effective date of the revised policy: 07-20-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.
10-19-2025

Retrieved:

02-10-2026 07:29:39