BAA Guidance

  • Guidance is also available in Portable Document Format (PDF)

Business Associate Agreements (BAAs) are required with Data Use Agreement (DUA) submissions in two ways: 1) between the Department and the Requesting Organization, and 2) between the Requesting Organization and any organization with which it needs to further share Medicaid Confidential Data (MCD).

BAA: DOH and Requesting Organization

A BAA is required between the Department of Health, Office of Health Insurance Programs (OHIP) and the Requesting Organization. This BAA is Attachment A of the DUA; it must be submitted as part of the DUA submission and must be signed by the same individual who signed the DUA.

A BAA is required between OHIP and a Requesting Organization because OHIP may only share Medicaid Confidential Data (MCD) for purposes that administer the Medicaid program. In order for a Requesting Organization to access or possess MCD from OHIP, it must be performing a service for OHIP that administers the Medicaid program. The Requesting Organization then becomes a Business Associate of OHIP, a Covered Entity.

BAA: Requesting Organization and Third-Party

If the Requesting Organization needs to share MCD with another organization, the Requesting Organization must submit to the Security and Privacy Bureau an executed copy of the BAA between the Requesting Organization and the third party. MCD is not to be shared with any third party until the Security and Privacy Bureau reviews and acknowledges the BAA. In order for the BAA to be acknowledged, it must contain the Third-Party Confidentiality Language. This language is found in Section 11.III of the DUA, and a copy of the required language can also be found in the Third Party Confidentiality Guidance.

These third-party BAAs can be submitted either with the DUA submission or at any time after the DUA is executed. If the BAA is submitted after the DUA is accepted, it must be accompanied by a complete and executed DUA Addendum. Once the Addendum is accepted and the BAA acknowledged, the third party may begin accessing MCD.

The Security and Privacy Bureau does not review draft BAAs or provide a copy of a BAA for the Requesting Organization's use. As the BAA is a legal document between the Requesting entity and its Business Associate, it should be reviewed by the Requesting Organization's legal counsel. The Security and Privacy Bureau will only review executed BAAs.