For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Business Associate Policies

Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures

Policy Title: Business Associate Policies
Policy Number: IM-26
Effective Date: September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer

Table of Contents

Applicability

This policy applies to all Covered Entities within Drexel University.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

I. Overview

Effective as of September 23, 2013, Business Associates are directly responsible for compliance with many of the privacy and security provisions under HIPAA. This is the case whether or not the Business Associate has entered into a Business Associate agreement with a covered entity. Under HIPAA, a "Business Associate" is a person or entity that creates, receives, maintains or transmits protected health information on behalf of a HIPAA covered entity or another Business Associate. An entity that is a covered entity may also be a Business Associate for another covered entity, when it is providing Business Associate services for the other covered entity; provided, however, if Drexel University (DU) or its clinicians are providing treatment services only for a covered entity, it is NOT acting as a Business Associate, but rather as a covered entity.

DU may be a Business Associate in the following three (3) ways: (i) DU's clinical practice providers are providing services under a services agreement with another covered entity or Business Associate; (ii) DU's clinical researchers are providing services to a covered entity or Business Associate such as creating a data base using protected health information or de-identifying protected health information; or (iii) DU’s professional staff (e.g., IT) is providing services to another covered entity or Business Associate which is a separate legal entity and not part of an Organized Healthcare Arrangement (OCHA) with DU (as American Academic Health System (AAHS) is).

II. Policies (solely in connection with DU's role as a Business Associate)

  1. DU must enter into a Business Associate agreement with the applicable covered entity and shall abide by the terms of each Business Associate agreement. All such Business Associate agreements must be approved by the Legal department and may only be signed by the Chief Privacy Officer.
  2. No work should begin under the Business Associate agreement until it is signed.
  3. DU must enter into Business Associate agreements (that meet, at a minimum, the requirements set forth on Information Security Policy IS-06); with each subcontractor that they provide protected health information or who creates, receives, maintains or transmits protected health information on behalf of DU ("Subcontractors"). These agreements must also be approved by the Legal department and signed by the Chief Privacy Officer.
  4. DU must require each Subcontractor to enter into Business Associate agreements with each of their respective Subcontractors.
  5. DU shall maintain a master log of Business Associate Agreements.
  6. DU shall maintain each of the DU Security Policies (relating to administrative, physical and technical standards) set forth below and included in DU's Privacy and Security Program, and shall abide by each such policy in its role of a Business Associate; provided, however, in the event that the applicable Business Associate agreement requires a higher standard of compliance than in any of policies set forth below, then DU shall abide by such higher standard:
    1. HIPAA Security Policies and Procedures for Drexel University Overview);
    2. Information Security Policy IS-01 (Access to PHI);
    3. Information Security Policy IS-02 (Risk Analysis);
    4. Information Security Policy IS-03 (Appointment of Security Officer);
    5. Information Security Policy IS-04 (Training and Awareness);
    6. Information Security Policy IS-05 (Security Incident Reporting)
    7. Information Security Policy IS-06 (Business Associate Agreements);
    8. Information Security Policy IS-07 (Contingency Plan);
    9. Information Security Policy IS-08 (Assignment and Management of Access Privileges);
    10. Information Security Policy IS-09 (Sanctions);
    11. Information Security Policy IS-10 (Evaluation);
    12. Information Security Policy IS-11 (Workstation Security);
    13. Information Security Policy IS-12 (Device and Media Controls);
    14. Information Security Policy IS-13 (Access Controls and Authentication);
    15. Information Security Policy IS-14 (Audit Controls);
    16. Information Security Policy IS-15 (Electronic Transmission); and
    17. Information Security Policy IS-16 (Integrity).
  7. DU shall maintain each of the DU Privacy Policies set forth below and included in DU's Privacy and Security Program, and to the extent applicable, shall abide by each such policy in its role of a Business Associate; provided, however, in the event that the applicable Business Associate agreement requires a higher standard of compliance than in any of policies set forth below, then DU shall abide by such higher standard:
    1. HIPAA Privacy and Security Compliance Plan;
    2. Privacy Program Policy IM-01 (Information Management);
    3. Privacy Program Policy IM-02 (Minimum Necessary);
    4. Privacy Program Policy IM-03 (Sharing Data);
    5. Privacy Program Policy IM-04 (Individual Right of Access);
    6. Privacy Program Policy IM-05 (Right to Request Correction);
    7. Privacy Program Policy IM-07 (Complaint Process);
    8. Privacy Program Policy IM-08 (Training);
    9. Privacy Program Policy IM-09 (Incident Reporting);
    10. Privacy Program Policy IM-10 (External Investigations);
    11. Privacy Program Policy IM-11 (Accounting of Disclosures);
    12. Privacy Program Policy IM-14 (Restrictions Requested by Patients);
    13. Privacy Program Policy IM-16 (Fee for Copying Records);
    14. Privacy Program Policy IM-18 (Password and System Confidentiality);
    15. Privacy Program Policy IM-20 (PHI in Classroom);
    16. Privacy Program Policy IM-22(Sale of PHI);
    17. Privacy Program Policy IM-24(Breach Notification);
    18. Privacy Program Policy IM-25(Decedents); and
    19. Privacy Program Policy IM-27(De-Identification of PHI).
  8. It is understood that DU may be asked to enter into Business Associate agreement in cases where it is only providing treatment services. Although, in such cases, DU is not technically a Business Associate, it should follow each of its Security and Privacy Polices with respect to its role as a covered entity, the policies and procedures set forth in subsections 6 and 7 above, as well as all contractual obligations set forth in the Business Associate agreement.
  9. In the event of a HIPAA breach by DU in its role as a Business Associate, under the guidance of the Chief Privacy Officer, DU shall notify the applicable covered entity; and will be responsible for the distribution of breach notifications to applicable individuals, Health and Human Services, and the media, unless otherwise set forth in the Business Associate agreement. In the event DU is required under an applicable Business Associate agreement to provide notification, then such notification shall be made in accordance with Privacy Program Policy IM-24 (Breach Notification).

 Back to Top