Tracking & Management of Business Associates

Roles and Responsibilities in Identifying Business Associates

In accordance with Yale Policy 5033, Disclosures of Protected Health Information (PHI) to Business Associates, Yale must require that all Business Associates sign agreements assuring Yale that they will safeguard PHI originating from Yale and will protect the integrity and confidentiality of PHI (see flowchart for determining a Business Associate). As a result of these requirements:

Departmental Business Offices are responsible for:

  1. Determining if PHI is shared with another entity and, if so,
  2. Checking the List of Business Associates to see if an agreement is already signed and on file here at Yale (or at least has been requested).
  3. Submitting the Business Associates Tracking Form to the Yale HIPAA Privacy Office when a Business Associate Agreement is needed. This form is to be completed by the Yale Department seeking a BAA with a vendor.

Note that a Business Associate Agreement may still be required even if the supplier already has or will get Epic access.

Yale HIPAA Privacy Office is responsible for:

  1. Tracking and managing signed Business Associate agreements
  2. Providing easy access to relevant Business Associate information to the Yale community.

For more information, please feel free to contact someone at

Who is a Business Associate?

A Business Associate is an entity or person who performs a function involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity (such as claims processing, data analysis, case management, utilization review, quality assurance, billing, benefit management, practice management, repricing) or provides certain specified services where the provision of the service involves the disclosure of PHI (such as data storage including cloud servers, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services) for a covered entity (see flowchart for determining a Business Associate). In some cases, Yale may serve as a Business Associate of another Covered Entity.

What is a Covered Entity?

Covered entity means an entity that is subject to HIPAA. Yale University is the covered entity for HIPAA compliance purposes. Because Yale is a Hybrid Entity, only Yale’s designated Covered Components are subject to HIPAA requirements. These Designated Covered Components include the School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, and Pharmacology), the School of Nursing, Yale Health, the Department of Psychology, and the Group Health Plan.