Under HIPAA, a Business Associate (BA) is a person who or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. When such a relationship exists, a Business Associate Agreement (BAA) holds the BA accountable for protecting KP’s PHI.
Research collaborators are NOT considered Business Associates, so BAAs in the context of research are relatively uncommon. However, there are a few situations when BA relationships do exist in research:
· Transcription or translation services provided by someone outside KP
· Use of a mailing house or similar vendor services
· Use of a commercial lab for specimen testing
· Certain types of consulting relationships for protocol development or quality assurance
When a BAA is needed, there is usually an associated vendor purchasing contract, and the BAA is incorporated into or attached to that agreement. This will be handled in the purchasing process. You do not need to contact Compliance for these types of BAAs.
If there is no associated vendor contract but you think you need a BAA for your study, please contact CHR_ComplianceApprovals@kpchr.org for guidance. Note: If you have a DTA/DUA/MDTA you do not also need a BAA.
The KPNW Regional Compliance Department’s website has some excellent resources and guidance about BAAs, including a decision tree to help determine when a BAA is required. The most current BAA template is available on the KFRI Contracting website.