HIPAA Security and Business Associate Agreements
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: HIPPA Security and Business Associate Agreements
Policy Number: IS-06 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Revision Date: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
This Policy provides that Drexel University (DU) shall enter into HIPAA Security Rule – compliant contracts with Business Associates that create, receive, maintain or transmit electronic protected health information (e-PHI) on its behalf.
DU shall permit a Business Associate to create, receive, maintain or transmit e-PHI on its behalf only if the Business Associate enters into a contract that contains the requirements of the HIPAA Security Rule.
This supplements the DU Policy on entering into Business Associate Agreements in compliance with the HIPAA Privacy Rule.
Business Associate: An entity or person who performs a function or activity on behalf of DU involving the creation, transmission, retention, maintenance, use or disclosure of PHI or e-PHI.
Security Incident: The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
E-PHI: PHI that is maintained in electronic media or transmitted by electronic media. "Electronic Media" means electronic storage media, which includes a digital memory device as in computers such as in hard drives and disks, and transmission media used to exchange digitally-stored information, such as the Internet and the physical transport of electronic storage media. E-PHI is a subset of PHI.
- Any Workforce Member who believes they have a business arrangement that falls under this Policy should contact the Office of the General Counsel for assistance in preparing a Business Associate Agreement.
- Such a Business Associate Agreement shall include the following promises by the Business Associate, in addition to those required under the HIPAA Privacy Rule (45 CRF § 164.504(e)).
- It will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of DU;
- It will ensure that any subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect it; and
- It will report to DU any Security Incident of which it becomes aware.
- All Business Associate Agreements must be approved by the Office of the General Counsel of DU.
- Contracts between DU and Business Associates may contain the following statements or provisions, as may be applicable to the circumstances of the Business Associate contracts.
- The Business Associate is permitted to use PHI for its own proper management and administration, or to carry out its legal responsibilities.
- The Business Associate may disclose PHI to third parties for the purpose of its own proper management and administration, or as required by law, provided that:
- The disclosure is required by law, or
- The Business Associate has obtained from the third party:
- Reasonable assurances that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party by the Business Associate; and
- An agreement to notify the Business Associate of any instances of which it (the third party) is aware in which the confidentiality of the information has been breached.
- Confidentiality Clause: For contracts between DU and entities that are not a Business Associate but that may come in contact with PHI in the course of performing their contractual responsibilities (such as building maintenance services) a special confidentiality clause, approved by the Office of the General Counsel, shall be in the contract.
- Material breaches of a Business Associate Agreement shall be reported to the Privacy Officer and to the Office of General Counsel. When a material breach is reported, the Office of General Counsel will so inform the Business Associate. If the Business Associate fails to cure the breach to the satisfaction of General Counsel, the General Counsel will send notice of immediate termination of the Agreement.
- All findings and correspondence regarding the material breach of a Business Associate Agreement will be retained for six (6) years following the date such contract is terminated, or, if termination is not feasible, for six (6) years from the date that notice is sent to the Secretary of the Department of Health and Human Services as to why it is not feasible to terminate the contract.
- All Business Associate contracts will be retained by the Office of the General Counsel for at least six (6) years after the date when they are no longer in effect.
- Existing contracts with entities that meet the definition of Business Associate must be amended to meet the requirements of this policy by the next renewal date, but in no event later than September 22, 2014.
45 CFR §§ 164.308(b); 164.314(a); 164.502(e); 164.504(e)
Back to Top