The University of Texas at Dallas

HIPAA Privacy Manual

Section 26: Business Associates

Policy: UTD protects the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. This policy defines the guidelines and procedures that must be followed for business associates who come into contact with PHI.

In general:

  • A business associate is a person or entity who provides certain functions, activities, or services for or to UTD, involving the use and/or disclosure of PHI.
  • A business associate is not a UTD employee.
  • A business associate may include one of the additional components of the University of Texas system, other medical schools or other health care providers.

UTD is not liable for privacy violations of its business associates and is not required to actively monitor or oversee the means by which its business associates carry out safeguards, or the extent to which the business associates abide by the requirements of the contract. However, UTD is required to act if it becomes aware of a practice or pattern that constitutes a material breach of this policy.


UTD must enter into contracts with business associates that contain specific language. The UT System Office of General Counsel will provide the language for contracts.

The contract must include language that provides that the business associate will:

  • Not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
  • Report to UTD any use or disclosure of the information not provided for by its contract of which it becomes aware;
  • Ensure that any agents, including a subcontractor, to whom it provides PHI received from, or created by, or on behalf of UTD, agree to the same restrictions and conditions that apply to the business associate with respect to such information;
  • Make available PHI in accordance with the UTD policy on Patient Access to PHI;
  • Make available PHI for amendment and incorporate any amendments to PHI in accordance with the UTD policy on Patient’s Right to Amend or Correct PHI;
  • Make available the information required to provide an accounting of disclosures in accordance with the UTD policy on Accounting of PHI Disclosures;
  • Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created by or on behalf of UTD, available to HHS for purposes of determining UTD’s compliance; and
  • At termination of the contract, if feasible, return or destroy all PHI received from, or created by or on behalf of, UTD that the business associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

In the event UTD becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, UTD must take reasonable steps to cure the breach or to end the violation, as applicable. In the event that the business associate cannot or will not remedy the practice or pattern, UTD must terminate the contract if feasible. Where termination is not feasible, contact the UTD Privacy Officer for reporting to HHS, as required.