For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Students as Business Associates

Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures

Policy Title: Students as Business Associates
Policy Number: IM-28
Effective Date: September 23, 2013
Last Revision: September 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer

Table of Contents

Applicability

This policy applies to all Covered Entities within Drexel University.

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

I. Overview

Effective as of September 23, 2013, Business Associates are directly responsible for compliance with many of the privacy and security provisions under HIPAA. This is the case whether or not the Business Associate has entered into a Business Associate agreement with a covered entity. Under HIPAA a "Business Associate" is a person or entity that creates, receives, maintains or transmits protected health information on behalf of a HIPAA covered entity. An entity that is a covered entity may also be a Business Associate for another covered entity, when it is providing Business Associate services for the other covered entity; provided, however, if Drexel University (DU) or its clinicians are providing treatment services only for a covered entity, it is NOT acting as a Business Associate, but rather as a covered entity.

DU students may be a Business Associate for example when DU's students are providing services to a covered entity such as creating a database using protected health information or de-identifying protected health information.

II. Policy

  1. If the student is or will be acting as a Business Associate, DU must enter into a Business Associate agreement with the applicable covered entity and shall abide by the terms of each Business Associate agreement. The student is not authorized to contract or subcontract any services, or sign any such agreements and must notify the Legal department if asked to provide services as a Business Associate.
  2. All such Business Associate agreements must be approved by the Legal department and may only be signed by Chief Privacy Officer.
  3. No work should begin until the Business Associate agreement is signed.
  4. When acting as a Business Associate, the student must comply with the terms of the Business Associate Agreement as well as the policies set forth in the Business Associate Policies found at IM-26.

III. References

IM-26: Business Associate Policies

 Back to Top