Sharing Organization Data with External Entities
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Sharing Organization Data with External Entities
Policy Number: IM-03
Effective Date: April 14, 2003; September 23, 2013
Last Revision Date: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
It shall be the policy of Drexel University (DU) to capture, share, secure, maintain and enhance the value of DU's health information assets in all mediums through appropriate information management policies and actions that meet Federal, State, regulatory, or contractual requirements and support DU's mission, vision and values. Furthermore, it shall be the policy of DU to support and adhere to the rights and responsibilities of patients as specified in the Commonwealth of Pennsylvania Public Health and Mental Health Codes.
It is the responsibility of DU to ensure that these principles and policies are upheld even when individually identifiable health information in the custody of DU needs to be shared with other entities. Sharing of data shall be done by requiring potential data sharing partners to execute an information sharing agreement which obliges them to handle the data in a manner consistent with DU policies and procedures or a Business Associate agreement approved by the Legal Department.
The purpose of this policy is to inform DU personnel of the procedures that must be followed if individually identifiable health information is to be shared with an external entity.
NOTE: Definitions of the terms used in this policy are found in DU's Policy Number IM-01, "Information Management Policy," which should be referenced when applying this policy.
- External data users must not be permitted to access DU's data assets unless the external users have completed a Business Associate Agreement or Information Sharing Agreement with DU that establishes at least the following:
  - Identification of the external party's Delegated Access Coordinator(s) and a representative from DU to communicate with them regarding the data sharing, and the procedures that will be used to authenticate and authorize external data users.
  - The external entity's intended use(s) of the data.
  - The method used to identify which individuals' information will be shared.
  - The method the external users will use to access the data.
  - The scope of access that will be permitted.
  - Description of audit reports that will be required, including:
    - what they will cover;
    - who is responsible for generating them; and
    - how often they are to be generated (biannually at a minimum, or as necessary).
  - The procedures that will be used for reporting and responding to security breaches, including the external entity's responsibility to report security breaches affecting the shared data to DU and what steps the external entity will take to enforce its policies.
  - Demonstration that the potential Authorized External Data User will maintain the data with security at a level compliant with HIPAA and any applicable professional standards.
  - Such other terms that may be required by law under a Business Associate Agreement.
If any external personnel are to be granted accounts on DU's health information resources (e.g., via Electronic Health Record accounts), the agreement must also include:
- A provision specifying that any and all external personnel granted accounts on DU's health information resources are subject to the DU Confidentiality and Data Security Policies and requiring that they individually sign statements attesting to their knowledge of and compliance with those policies.
This agreement may, if appropriate, also include the following elements:
- Access by DU's unit or its designee on a regular basis to audit the security of the external data user.
- Fees, if any, and assignment of responsibility for costs incurred in sharing the data.
- Damages for breaches of the agreement.
- Indemnification between the parties.
- There may be cases in which a state, federal, or regulatory agency requires that access be granted to it under law or regulation. In such cases, to the extent possible, an Information Sharing Agreement meeting the criteria above shall be negotiated between DU and the agency before access is granted to DU data assets.
- All Information Sharing Agreements, Non-Employee Associate (NEA) forms, Data Use Agreements (DUA), Business Associate Agreements (BAA), and Allscripts Security Access forms must be approved by the Deans, the General Counsel of DU, and the Chief Privacy Officer.
Drexel University Information Management Policy, IM-01