Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 8 - Business Associate Contracts and Arrangements


Title: Business Associate Written Contract and Other Arrangements Policy: SEC-08.01
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
Standard: Business Associate Contracts and Other Arrangements Responsibility: Health Care Components
Effective Date: 04/20/2005
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013

To ensure the confidentiality of all PHI when there is a need to secure services from outside entities in the process of treatment, payment and operations.


OSU will document the satisfactory assurances required by The Security Rule through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a) Business Associate Contracts or Other Arrangements.  §164.308(b)(3)


OSU will seek to obtain Business Associate Agreements (BAA), or other arrangements with every person or entity that will have access to PHI where required by law.

The HIPAA Compliance Office will work with the OSU Tulsa Business Affairs office in maintaining an up to date list of all known BAA’s, and will also work to keep the actual BAA document up to date with all applicable laws and regulations.

This list of current Business Associates is accessible on the Business Affairs website.

This list should be checked before signing contracts or make arrangements with others to see if a BAA is on file.  If not, a BAA must be in place before services are to be provided.

All BAA’s will be stored on file at the Business Affairs Office, and will be made available for review upon request.

The Procedure from the Business Affairs Office is as follows:

  1. Determine whether a Business Associate Agreement is required for a particular purchase.  If the Business Associate will be receiving and/or transmitting any electronic form of PHI, you must include a Business Associate Chain of Trust Addendum with the Business Associate Agreement form.
  2. Requisition Purchase – When a BAA is required, the Purchasing Department will automatically include a Business Associates Agreement and Business Associate Agreement Addendum (if required) with the contract paperwork for the same dates as the contract.
  3. The Purchasing Department will, upon request make sure that your desired vendor has not been red-listed (usually due to a history of inability or refusal to accept the terms of our agreement).  If this is the case, contact the Purchasing Department before pursuing that vendor. 
  4. Use ONLY the Business Associate Agreement Form provided by the Purchasing to submit to the vendor for signature.  Explain to the vendor that the agreement must be completed and considered to be a part of the procurement transaction.  We will not accept a vendor’s version of a BAA.
  5. Whoever initiates the BAA (Purchasing or Department Employee) is responsible for sending a copy of the fully executed Business Associate Agreement along with a copy of the purchase order stating contract dates, to the Purchasing Department. 

­EXAMPLES OF SOME SERVICES THAT REQUIRE A BUSINESS ASSOCIATES AGREEMENT (This list is not all-inclusive.  Please contact the Compliance Office if you need assistance in determining the need for a BAA and/or Addendum.)

Billing/Claims Service
Collection Agency
Transcription Service                                                 
Answering Service                                                     
External Data Processing
Data Analysis Service                                                
Software Vendors
Hardware Maintenance                                              
Off-site Record Storage
Business Contractors                                                 
Independent Clinical Contractors
Courier Services                                                         
E-Prescribing Gateway
Repairmen (copier, x-ray, lab equipment, etc.)          
Laboratory Services
Health Information Organization

Mail and parcel carrying services such as USPS, FedEx, UPS, etc., are not Business Associates, and should not have any access to PHI other than delivery.

In the event of a breach by any Business Associate, OSU expects the Business Associate to comply with Subpart D, the Breach Notification Rules §164.400-414 of HIPAA.

top of page top


OSU-CHS on Facebook OSU-CHS on Twitter OSU Medicine on You Tube