A Business Associate Agreement (BAA) is required if business partners or their subcontractors might see Protected Health Information (PHI) while performing work on behalf of UC Davis Health (UCDH). However, not every business that handles PHI is required to make this agreement; the necessity is determined by the specific nature of the relationship and the data being handled. In some cases where a BAA is not required, alternative agreements, such as a Data Use Agreement (DUA) or Data Security (DS) agreement, may still be required to protect the data.
When a Business Associate Agreement (BAA) is Required
A BAA is required if any of the following applies:
- The person or entity is outside of UC.
- The outside person or entity is receiving, maintaining, transmitting, or creating PHI.
- The outside person or entity is a healthcare provider receiving, maintaining, transmitting, or creating PHI for treatment purposes, but does not meet any of the specific exceptions listed below.
- The outside person or entity is performing functions or activities on behalf of UC Davis Health, but does not meet any of the specific exceptions listed below.
When a Business Associate Agreement (BAA) is NOT Required
A BAA is not required if any of the following applies:
- The person or entity is a member of the UC workforce.
- The outside person or entity is not receiving, maintaining, transmitting, or creating PHI.
- The outside person or entity is a healthcare provider that receives, maintains, transmits, or creates PHI, but also meets one of the specific exceptions listed below.
- The outside person or entity does not perform functions or activities on behalf of UC Davis Health.
Specific Exceptions
Even if PHI is involved, a BAA is not required if the data falls into one of the following categories:
- PHI that has been properly de-identified.
- Claims sent to a health plan.
- Payments to a provider.
- Fund transfers to financial institutions.
- Data going to a Health Oversight Agency as part of federal or state programs.
- Data sent in response to law enforcement requests or subpoenas, or to meet legal reporting requirements.
For additional information, please contact the Compliance Privacy Team directly at 916-734-8808 or via email at privacyprogram@health.ucdavis.edu.