Section 12: Business Associates
This policy applies to all employees of UT Dallas regardless of whether they are employed by a department or office that is included in the UT Dallas healthcare component. Violation of this policy is grounds for disciplinary action.
HIPAA requires the Callier Center to enter into a Business Associate Agreement (BAA) with any person or entity who provides certain functions, activities, or services for or to the Center involving the use and/or disclosure of PHI. Members of the Callier Center workforce are not Business Associates. Faculty and staff employed by other UT Dallas’ offices and departments that provide services to the Center that involve the use or disclosure of the Center’s PHI are included within the UT Dallas Healthcare Component and are not Business Associates of the Callier Center. Examples of Business Associate services include: billing, contractors that provide support and services for durable medical equipment such as hearing aids, and software hosting.
UT Dallas shall enter into and maintain BAAs with all persons or entities that meet the definition of a Business Associate which must include all of the required protections for the use and disclosure of Callier Center PHI required by the HIPAA Privacy Rule. The agreement must also require the Business Associate to ensure that all subcontractors with whom the Business Associate contracts who will have access to Callier Center PHI will abide by the terms set forth in the BAA.
No UT Dallas employee is authorized to enter into an agreement or other arrangement with an individual or entity that meets the definition of a Business Associate that has not been approved by the UT Dallas attorney or the Office of General Counsel (OGC) unless it tracks a template that has been approved by the UT Dallas attorney or OGC as HIPAA compliant. It is the responsibility of each UT Dallas employee who participates in a procurement or contract to determine if the proposed contract involves access to PHI that requires a HIPAA BAA.
UT Dallas is required to investigate and take corrective action if it becomes aware of a Business Associate that does not comply with the requirements set forth in the BAA. Any UT Dallas employee with knowledge of a Business Associate who has violated the terms of a BAA shall notify the HIPAA Privacy Officer and the Office of Audit and Compliance without delay.
In the event that UT Dallas determines that a Business Associate has engaged in a pattern or practice that constitutes a material breach or violation of the business associate's obligations under its contract, UT Dallas must take reasonable steps to cure the breach or to end the violation, as applicable. In the event that the Business Associate cannot or will not remedy the practice or pattern, UT Dallas must terminate the contract if feasible. Where termination is not feasible, UT Dallas must report that information to HHS, as required by the HIPAA Privacy Rule.