Business Associates Policy (HIPAA General Operating Policy)

Effective Date: July 1, 2025
Issuing Authority: Senior Vice President of Finance and Administration
Policy Contact: University HIPAA Officer, 478-301-2300

Purpose

A covered entity is required to assure, to the extent practicable, that any business associate with whom it shares health information handles that information in compliance with HIPAA privacy regulations. The purpose of this policy is to set forth the requirements necessary to document the University’s efforts to assure that business associates, their agents and sub-contractors, comply with HIPAA privacy standards and that the University knows of and has an opportunity to take remedial action regarding any breach thereunder.

Scope

This policy applies to all business associates of Mercer University.

Exclusions

None

Policy Statement

From time to time, the University may share identifiable health information with external parties, referred to as business associates, who are contracted specifically to provide Mercer services utilizing that health information. It is the policy of Mercer University (Mercer) that identifiable health information may only be shared with business associates pursuant to an approved business associate agreement.

Health information may only be shared with business associates pursuant to an approved business associate agreement. Business associate agreements must be in writing and must contain University-approved, HIPAA-compliant language and authorized signatures.

At any time the University determines that a business associate has violated a material term or obligation under the agreement relating to HIPAA compliance, the department that is responsible for performing under the agreement and/or the University HIPAA Privacy Officer shall be notified and shall seek to remedy the breach immediately, or if that is not possible, to alter or terminate the agreement. Violations may also be reported by the University to the Secretary of the Department of Health and Human Services.

It is the responsibility of each department, division, or operating unit contracting for services with third parties with whom identifiable health information will be shared to assure that valid business associate agreements are executed. All agreements must be approved by the Office of General Counsel and signed by an authorized corporate officer or their designee. All new Business Associates must have a contract and that contract must contain HIPAA language. Each department must notify the Office of General Counsel and the University HIPAA Privacy Office about the existence of each new Business Associate.

Additional Resources

The above represents a general statement of University operating policy. For further details regarding this statement, see Statutory Requirement 45 CFR Sections 164.502 and 164.504.

Employees of the Mercer Health System should reference the Mercer Health System Policies and Procedures for HIPAA compliance guidelines.

History

Revised June 2003
Revised July 1, 2025