1 TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology Management INITIAL APPROVAL DATE June 24, 2009 INITIAL EFFECTIVE DATE June 24, 2009 REVISION EFFECTIVE DATE January 10, 2012 NEXT REVIEW January 10, 2015 The Corporate Policy website is the official source of current approved corporate policies, procedures, PURPOSE To outline to Contractors and individuals negotiating, administering, or managing contracts on behalf of Alberta Health Services ( AHS ) the Security requirements for using, accessing, or provisioning AHS information or Information Technology ( IT ) Resources. To comply with the Freedom of Information and Protection of Privacy Act (Alberta) ( FOIPP ) and the Health Information Act (Alberta) ( HIA ). POLICY STATEMENT Contractors using, accessing, or provisioning of AHS information or IT Resources (e.g. third party service providers) shall implement and maintain controls for the Security of information and IT Resources and comply with applicable AHS policies and AHS IT Security and Compliance Program Standards. Individuals negotiating, administering, or managing AHS contracts shall ensure Contractors comply with this and other applicable AHS policies, the AHS IT Security and Compliance Program Standards, and with the terms, such as information management, specified in applicable contracts. Prior to establishing a contractual relationship, AHS shall evaluate Contractors for potential Security risks. Contracts or agreements, which may specify additional Security requirements, shall be completed and signed before a Contractor is granted privileges for Access to, or provisioning of, AHS information or IT Resources. Alberta Health Services 2012 PAGE: 1 of 8
2 January 10, of 8 APPLICABILITY Compliance with this policy is required by all AHS employees, members of the medical and midwifery staffs, students, volunteers, and other persons acting on behalf of AHS (including contracted services providers as necessary). This policy is subject to all applicable laws. POLICY ELEMENTS 1. Contractor Overall Security Responsibilities 1.1 Security Infrastructure Contractors shall ensure Security controls are implemented and maintained. Contractors shall set out the roles and responsibilities of its staff with responsibility for information management and IT Security and Compliance, and provide a current list of staff responsible for the implementation of Security policies, procedures, practices, and standards. 1.2 Monitoring AHS Information Technology may monitor a Contractor to ensure compliance with applicable AHS policies and AHS IT Security and Compliance Program Standards. Monitoring may include, but is not limited to, ongoing or random Security audits. 1.3 Annual Review and Audit a) The AHS IT Security and Compliance Office may require a Contractor to conduct an annual review and/or an annual technical audit of its Security policies, procedures, practices, and standards. Any identified Security gaps or areas of non-compliance shall be clearly documented. b) Completed reviews and/or technical audits shall be submitted to the AHS IT Security and Compliance Office within seven (7) days of completion. The AHS IT Security and Compliance Office shall prepare a final report, including recommendations for remedying deficiencies where appropriate, and forward the report to the Contractor and applicable AHS staff and committees. c) Where the AHS IT Security and Compliance Office identifies deficiencies, Contractors shall have thirty (30) calendar days to implement remedies and notify the AHS IT Security and Compliance Office that such deficiencies have been addressed. Contractors failing to remedy the identified deficiencies shall be penalized in accordance with the provisions of their specific contracts. 1.4 Privacy Impact Assessments The AHS Information & Privacy Office shall determine whether the goods and services performed by the Contractor require a Privacy Impact Assessment ( PIA ) (see Privacy Impact Assessments policy (#1145)). Contractors shall be notified as necessary, and shall participate, cooperate, and comply with the AHS PIA process.
3 January 10, of Disaster Recovery Plan Contractors shall, as specified in a contract or on the request of IT Security & Compliance Office, prepare and submit disaster recovery and/or business continuity plans to ensure ongoing protection of access to or provisioning of AHS information and IT Resources in the event of a disaster or disruption in normal business operations. 2. Access to AHS Information and IT Resources 2.1 Contractor Access Review The AHS Information & Privacy Office or the AHS IT Security and Compliance Office shall identify and document deficiencies and risks associated with a Contractor s access to AHS information or IT Resources through an initial access review. Contractors may be requested to perform a full Security review as a result of an access review. 2.2 Access Privileges Individuals negotiating, administering, or managing AHS contracts, in conjunction with the AHS IT Security and Compliance Office, Information & Privacy Office, and/or Protective Services (or Facility Designate) as appropriate, shall evaluate Contractors to determine the appropriate Access Privileges for Contractors. Contractor Access Privileges, including remote access, shall be granted in compliance with AHS Access to Information (Physical, Electronic, Remote) policy (#1105). a) Contractors shall not receive Access Privileges until: i. the Contractor has signed an approved contract with AHS; ii. the Contractor has completed designated pre-requirements set out in the contract; and identified deficiencies have been corrected to the satisfaction of the AHS IT Security and Compliance Office and Information & Privacy Office. b) Contractors must request and receive approval before granting Access Privileges to other individuals or organizations. Contractors may be required by the AHS IT Security and Compliance Office to perform a Security review prior to the Contractor granting any Access Privileges to other individuals or organizations. c) Where Contractors have approval to grant Access Privileges to other individuals or organizations, the access shall be for the minimum information necessary to fulfil their responsibilities on behalf of AHS. The Contractor shall inform the access recipients of their responsibility to comply with applicable AHS policies while exercising their granted access rights. 2.3 Contract or Agreement Expiration or Termination
4 January 10, of 8 Immediately upon expiration or termination of a Contractor s agreement or contract with AHS, all Access Privileges shall be revoked, and AHS information and IT Resources returned. 3. Contractor Human Resource Requirements 3.1 Contractors shall have human resource processes and practices in place to maintain the Security and integrity of AHS information and IT Resources. 3.2 Contractors shall ensure that: a) an employment screening process, including reference verification, is implemented and complied with; b) all employment agreements and job descriptions contain confidentiality requirements during and upon termination of employment, including specific penalties or disciplinary action for intentional, accidental, or unintentional Information Security Incidents or loss or damage to AHS information or IT Resources ; and c) policies are implemented requiring staff or representatives of the Contractor to comply with generally accepted principles for computing use, applicable AHS policies, and clearly defined information and IT Resource management procedures. 3.3 Contractors, individual or firms, shall ensure staff who have or will have access to AHS information or IT Resources: a) are familiar with, understand, and agree to comply with all applicable AHS policies and AHS IT Security and Compliance Program Standards; b) receive appropriate Security awareness training consistent with AHS training standards; c) visibly display an identification badge clearly indicating the individual is acting on behalf of the Contractor, while working in AHS facilities; d) sign and agree to comply with the terms of a confidentiality agreement; and e) receive suitable supervision during job training to ensure the Security of AHS information and IT Resources are protected and maintained. 4. Information Security Contractors shall have mechanisms and comply with applicable AHS policies processes to ensure AHS information and IT Resources are managed in compliance with AHS policies and AHS IT Security and Compliance Program Standards. 4.1 Retention, Destruction, and Disposal Contractors shall ensure that retention, destruction, and disposal of AHS information and IT Resources are in accordance with the AHS Records Retention
5 January 10, of 8 Schedule (# ), Records Destruction procedure (# ), and AHS IT Security and Compliance Program Standards. 4.2 Classification and Inventory All information generated by Contractors and or IT Resources acquired on behalf of AHS shall be classified and inventoried by Contractors. Contractors shall: a) maintain and review the inventory on a quarterly basis and forward a copy of the inventory list and quarterly review to either the AHS contract manager of record, the IT Security & Compliance Office or the Information & Privacy Office upon request; b) provide written confirmation that any information and or IT Resource destroyed has been destroyed in accordance with the AHS Records Retention Schedule (# ), Records Destruction procedure (# ), and the AHS IT Security and Compliance Program standards; c) upon expiration or termination of a contract, forward the inventory to AHS and return the information and IT Resources listed in the inventory; and d) confirm that no copies of AHS information have been made or retained by the Contractor. 4.3 Information Transport, Transmission, and Log Contractors shall ensure that all transportation of AHS information or IT Resources, or transmission of information complies with applicable AHS policies and AHS IT Security and Compliance Program standards. Contractors shall maintain accurate logs to record the internal and external movement of AHS information and IT Resources. 5. Access Control Contractors shall have in place access control mechanisms and procedures to comply with the provisions of the contract or agreement and AHS Access to Information (Physical, Electronic, Remote) policy (#1105) and other applicable AHS policies, including but not limited to: a) Storage Contractors shall ensure that AHS information and IT Resources are securely stored or placed in secure locations to prevent unauthorized access, loss, damage, or corruption. b) Unattended Equipment Contractors shall ensure that inactive terminals are automatically logged off from AHS information systems after a defined period of inactivity. Logged-in or otherwise unsecured workstations or Mobile Computing Devices containing or accessing AHS information shall not be left unattended by the Contractor.
6 January 10, of 8 c) Access Security Audit Contractors shall maintain a log of all successful and unsuccessful requests for physical, environmental, or electronic access to AHS information and IT Resources. The log shall be available, upon request, to the AHS IT Security and Compliance Office for audit purposes. 6. Incident Management 6.1 All Breaches shall be immediately assessed by Contractors for impact and risk, and appropriate action to mitigate harm and risks shall be taken as soon as possible. 6.2 Contractors shall report all Information Security Incidents involving IT Resources or physical access to the AHS IT Security and Compliance Office as soon as possible. Other Breaches shall be reported to Information & Privacy Office. Contractors shall cooperate with any AHS investigation conducted by IT Security and Compliance and/or the Information & Privacy Office. 6.3 After receiving and reviewing a report of a Breach, either the AHS IT Security and Compliance Office or the Information & Privacy Office shall advise Contractors of appropriate remedies. Any remedial action taken by AHS relating to an Information Security Incident or privacy incident shall be in accordance with legal, contractual, and other AHS requirements. 7. Mobile Computing and Mobile Storage Device Security 7.1 Contractor-assigned Mobile Computing Devices and Mobile Storage Devices that contain or have access to AHS information or IT Resources shall be protected in accordance with AHS IT Security and Compliance Program Standards. Mobile Computing Devices and Mobile Storage Devices shall utilize AHS-approved encryption tools. 7.2 To prevent a loss of information or theft of Mobile Computing Devices or Mobile Storage Devices, Contractors shall comply with the requirements set out in the applicable AHS policies and procedures. 7.3 Contractors shall also ensure that all Mobile Computing Devices and Mobile Storage Devices containing or having access to AHS information or IT Resources have: a) an automatic log-off mechanism; b) processes to prevent unauthorized viewing of user-ids or passwords; c) appropriate password protection (e.g., log-on, hard-drive, and screen saver passwords); and d) AHS approved anti-virus software installed and updated.
7 January 10, of 8 8. Information Managers 8.1 Contractors acting as information managers on behalf of AHS shall sign an information management agreement with AHS. 8.2 Information managers may store, retrieve, or dispose of AHS information pursuant to the terms of the information manager agreement and in accordance with applicable legislation and AHS policies. Information disclosed to information managers shall be protected in accordance with applicable legislation and AHS policies. 8.3 Information managers shall not collect, use, disclose or destroy records, including Health or Personal Information, for any purpose other than those authorized by the information management agreement and in accordance with applicable legislation and AHS policies. DEFINITIONS Access Privileges means privileges granted to Contractors for the use of AHS information or IT Resources to perform contracted responsibilities. Access Privileges may be granted for physical, environmental or electronic resources. Breach means a failure to observe security or privacy processes, procedures or policies, whether deliberate or accidental, which results in the information being viewed, or having the potential to be, accessed, used, transmitted or held by unauthorized persons. Contractor means: a) an affiliate (a person performing a service on behalf of AHS as an appointee, or under a contract or agency relationship), business partner, consultant, contractor, non-employee, outsourcer, service provider, information manager, or third party engaged by AHS to perform services for or on behalf of AHS; or b) an agent, employee or third party to the Contractor engaged by AHS to perform services for or on behalf of AHS. Facility Designate means the individual or Department responsible for ensuring access controls are met at an AHS facility. A Facility Designate shall be identified in facilities where AHS Protective Services is not employed. Information Security Incident means any incident where there is a Violation or Breach of the Security of information or a weakness or malfunction of IT infrastructure that could potentially cause a violation or breach, is identified. IT Resource means any AHS-owned or controlled asset used to generate, process, transmit, store, or access AHS information, which includes but is not limited to IT infrastructure, computer facilities, systems, hardware, software, information systems, networks, shared drives, computer
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance Information Privacy and IT Security & Compliance The information in this module in addition to the
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
TITLE CELL PHONES AND OTHER MOBILE DEVICES DOCUMENT # 1160 APPROVAL LEVEL Alberta Health Services Executive Leadership Team SPONSOR Information Technology CATEGORY Information & Technology Management INITIAL
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and
State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY Effective December 15, 2008 State of Illinois Department of Central Management Services Bureau
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. firstname.lastname@example.org www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
State of Illinois Department of Central Management Services MOBILE DEVICE SECURITY Effective: October 01, 2009 State of Illinois Department of Central Management Services Bureau of Communication and Computer
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong
The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures to protect and secure a covered entity s electronic information
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance
BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians
CITY UNIVERSITY OF HONG KONG Handling Standard (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information