Authorized User Agreement


CareAccord Health Information Exchange (HIE)

Table of Contents

Authorized User Agreement
CareAccord Health Information Exchange (HIE) Policies and Procedures
    SECTION 1: DEFINITIONS
    SECTION 2: AUTHORIZATION
    SECTION 3: AUTHENTICATION
    SECTION 4: ACCESS
    SECTION 5: AUDIT
    SECTION 6: BREACH
    SECTION 7: MISCELLANEOUS
CareAccord Health Information Exchange (HIE) Security Best Practices

Authorized User Agreement

Terms of Access to Oregon Health Authority Health Information Exchange

The Oregon Health Authority (OHA) facilitates the electronic availability of protected health information through the CareAccord health information exchange (the HIE). Access to the HIE is granted to organizations that have entered into an Organizational Participation Agreement with OHA and to individuals affiliated with these organizations.

You have been identified by Participant (the hospital, clinic, physician's office, health plan or other entity with whom you are affiliated) as needing access to the HIE. OHA agrees to provide you with access to the HIE only if you agree to the terms and conditions of this Agreement, which are intended to maintain the confidentiality, security and integrity of protected health information and other patient information (Patient Data) accessed via the HIE.

You are being provided with a user name and the ability to select a unique password (your Login Credentials) that will provide you with access to Patient Data available through the HIE. In order to be provided this access, you must agree to abide by the following rules:

- You will never reveal your Login Credentials to anyone.
- You will not allow others, including other staff members with whom you work, to access the HIE using your Login Credentials.
- You will log out of the HIE before leaving your workstation to prevent others from accessing the HIE.
- You will not fax/print/ /download/copy/photograph or otherwise provide Patient Data to any third parties except in accordance with HIE Policies and Procedures and applicable law.
- You will not make unauthorized copies of the Patient Data.
- You will not save Patient Data to portable media devices (such as CDs, USB drives, or handheld devices) except in accordance with the HIE Policies and Procedures.
- You will not use the HIE or access or view any Patient Data except as required for your job with Participant.
- You will only access information as necessary to perform your professional obligations to a patient.
- You will notify your point of contact designated by the Participant immediately if you have reason to believe that your Login Credentials have been compromised.
- You will maintain the confidentiality of all information in accordance with state and federal laws governing the privacy and security of health information, including HIPAA, and in accordance with Participant's privacy and security policies and procedures as well as the HIE Policies and Procedures. This includes but is not limited to obtaining the necessary patient consent or authorizations for disclosing Patient Data.

- You will not access the HIE via public use workstations or devices. Public-use workstations and devices are those where general public access is allowed. HIPAA administrative, technical and physical security requirements cannot be applied and controlled on such devices.

Failure to comply with these terms and conditions may result in disciplinary actions against you, which may include without limitation, denial of your privileges to access Data and other actions in accordance with Participant's policies and the HIE Policies and Procedures.

OHA and Participant have the right at all times to review and audit your use of the HIE and compliance with the terms of this Agreement. Participant or OHA may terminate this Agreement at any time.

This Agreement grants you a nonexclusive, nontransferable right to use the HIE. This right is specific to you. You may not share, sell or sublicense this right with or to anyone else.

THIS IS A BINDING AGREEMENT. By indicating that you agree on the CareAccord website, you agree to comply with all terms and conditions for access to Patient Data under this Agreement and all HIE policies and procedures.

CareAccord Health Information Exchange (HIE) Policies and Procedures

The scope of these HIE Policies and Procedures includes the full range of privacy and security policies for interoperable health information exchange, including: authorization, authentication, access, audit, and breach. The State of Oregon, acting by and through its Oregon Health Authority (the "OHA") has developed these HIE Policies and Procedures.

Who Must Comply with the HIE Policies and Procedures

All Participating Entities that have signed an Organizational Participation Agreement ("Agreement") and wish to participate in the State of Oregon's Health Information Exchange program must comply with these HIE Policies and Procedures. A Participating Entity's failure to comply with these HIE Policies and Procedures stated below constitutes a breach of the Agreement and may result in termination of the Agreement, denial of access to the System, or other sanctions as may be designated in the Agreement and in these HIE Policies and Procedures.

All the Authorized Users of a Participating Entity that have signed an Authorized User Agreement and wish to participate in the State of Oregon's Health Information Exchange program must comply with the provisions of these HIE Policies and Procedures that are applicable to Authorized Users. An Authorized User's failure to comply with the provisions of these HIE Policies and Procedures applicable to Authorized Users constitutes a breach of the Authorized User Agreement and may result in termination of the Authorized User Agreement, denial of access to the System by the Authorized User, or other sanctions as may be designated in the Authorized User Agreement and in these HIE Policies and Procedures.

Process for Amending the HIE Policies and Procedures

The HIE Policies and Procedures are as follows:

OHA may implement any new HIE Policies and Procedures, or amend, or repeal and replace any existing HIE Policies and Procedures, at any time by providing all Participating Entities with notice of the change at least thirty days prior to the effective date of the change. Within fifteen days of receiving notice of the change, a Participant may request that OHA delay implementation of the change based on unforeseen complications or other good cause. OHA shall respond to a request to delay implementation within seven days of receiving the request. OHA may establish a process for receiving Participating Entity and/or public comments on material changes, at OHA's discretion.

SECTION 1: DEFINITIONS

1. "Authorized Users" shall mean those persons who have been authorized by Participant to access Patient Data through the System. Authorized Users may include, but are not limited to, health care providers and employees, staff, contractors, or agents of the Participant.

2. "Business Associate" shall mean any person that is a business associate of a Covered Entity Participant under 45 CFR

OHA acts as a Business Associate pursuant to this Agreement when it, (i) on behalf of a Covered Entity Participant, performs or assists in the performance of any function or activity involving the disclosure of Protected Health Information, or any other function or activity regulated by the HIPAA Regulations, or (ii) provides consulting, data aggregation (as defined in 45 CFR ), management, administrative, or other services to or for a Covered Entity Participant, where the provision of the service involves the disclosure of Protected Health Information from such Covered Entity Participant, or from another business associate of the Covered Entity Participant to the Business Associate.

3. "Covered Entity Participant" shall mean a Participating Entity that is a health care provider that transmits any health information in electronic form in connection with a transaction covered by 45 CFR Parts 160, 162, or 164, or a health plan as that term is defined at 45 CFR Part , in connection with its functions or activities to which this Agreement applies.

4. "Documentation" shall mean all materials, documentation, technical manuals, operator and user manuals, flow diagrams, file descriptions, and other written information made generally available by OHA to users of the System, including all updates thereto, that describe the functions, operational characteristics, and specifications and use of the System.

5. "Effective Date" shall mean the date the Agreement was signed by Participant.

6. "Health Information Exchange" or ("HIE") shall mean the process of exchanging health information electronically among Participating Entities in accordance with established standards.

7. "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law , as amended by HITECH and as otherwise may be amended.

8. "HIPAA Regulations" shall mean the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 CFR Parts 160, 162 and 164) promulgated by the U.S. Department of Health and Human Services under HIPAA, as may be amended.

9. "HITECH" shall mean the Health Information Technology for Economic and Clinical Health Act of 2009 (which is part of the American Recovery and Reinvestment Act of 2009 (ARRA)), as may be amended, and any of its implementing regulations.

10. "HIE Policies and Procedures" shall mean OHA's written policies and procedures pertaining to the use of the System and participation in the HIE program, as may be amended.

11. "OHA Software" shall mean any software provided in or as an element of the System for the Participant's use of the System, including any upgrades of or modifications to such software, or new versions of such software.

12. "Participating Entity" shall mean the Participant and any other individual or organization that (i) meets the requirements for participation in the Health Information Exchange as set forth in the HIE Policies and Procedures, (ii) is accepted by the OHA for participation, and (iii) is a signatory to a Participation Agreement similar to this Agreement.

13. "Participant" shall mean the organization that is a signatory to this Agreement.

14. "Party" shall mean either OHA or Participant, and they will collectively be referred to as the "Parties."

15. "Patient Data" shall mean all data requested, disclosed, stored on, made available on, or sent by a Participating Entity, or requested or sent by OHA through the System. Patient Data includes (i) Protected Health Information; (ii) patient information locator data comprised of domain location, date, type of medical service, class of medical services, URL associated with location of information derived from the patient information made available by a Participating Entity; (iii) patient demographic data and organization domain information that is derived from the patient information made available by a Participating Entity; and (iv) clinical data, medical records, registration information and such other information as shall be consistent with the HIE Policies and Procedures and made available by a Participating Entity in accordance with this Agreement.

16. "Protected Health Information" or "PHI," as defined under 45 CFR is health information, including demographic information collected from an individual, maintained or transmitted by a covered entity and: (1) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment information or billing records pertaining to the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

17. "Qualified Service Organization" or "QSO" shall have the same meaning as 42 CFR

18. "Registered Sub-Organization" shall mean an affiliated function or department of the Participant's organization that Participant has designated to OHA as a Sub-Organization and that has been approved by OHA to participate in the Health Information Exchange.

19. "System" shall mean the web-based electronic information exchange network provided by OHA, including the OHA Software and Documentation, for exchange of health information pursuant to this Agreement.

20. "System Operating Policies and Technical Requirements" shall mean the technical requirements, policies and procedures that Participant must meet or have in place to exchange information through the System. System Operating Policies and Technical Requirements are set forth in the Service Level Attachment(s) to this Agreement.

21. "Unauthorized Users" shall mean individuals who accessed the System by use of any password, identifier or log-on received or obtained, directly or indirectly, lawfully or unlawfully without authority.

22. "URL" shall mean Universal Resource Locator.

23. "Vendor" shall mean a vendor who provides software and/or services to OHA for the System, including but not limited to: Health Information Exchange vendors; vendors providing software to facilitate patient identification, record location, authentication or similar services; vendors providing clinical information services software; EHR and patient health record vendors; other health information technology vendors; and vendors providing environmental support services and adoption services or other services to OHA in carrying out its Health Information Exchange operations.

SECTION 2: AUTHORIZATION

Purpose

Authorization is the process of determining whether a particular Authorized User within a Participant has the right to access Protected Health Information via the System. Authorization is based on role-based access standards that take into account an individual's job function and the information needed to successfully carry out a role within the Participant. This Section 2 sets forth minimum requirements that Participants shall follow when establishing role-based access standards and authorizing individuals to access information about a patient via the System. They are designed to limit exchange of information to the minimum necessary for accomplishing the intended purpose of the exchange, thereby allowing patients to have confidence in the privacy of their health information as it moves among Participating Entities.

Policies and Procedures

2.1 Role-Based Access Standards

Participants shall establish and implement policies and procedures that:

a. Establish categories of Authorized Users;
b. Define the purposes for which Authorized Users in those categories may access Patient Data via the System, consistent with the limitations set forth in the Organizational Participation Agreement; and
c. Define the types of Patient Data that Authorized Users within such categories may access (e.g., demographic data only, clinical data).

The purposes for which an Authorized User may access information via the System and the types of information an Authorized User may access shall be based, at a minimum, on the Authorized User's job function and relationship to the patient.

SECTION 3: AUTHENTICATION

Purpose

Authentication is the process of verifying that an Authorized User who has been authorized and is seeking to access information via the System is who he or she claims to be. This is accomplished by providing proof of identity. This Section 3 sets forth minimum requirements that Participants shall follow when authenticating Authorized Users prior to allowing them to access information via the System. These Policies and Procedures represent an important technical security safeguard for protecting a patient's information from various internal and external risks, including unauthorized access.

Policies and Procedures

3.1 Obligation to Authorize and Authenticate Identity of Authorized Users Prior to Access.

The Participant's Organizational Liaison or Point of Contact is responsible for authorizing and authenticating Participant's Authorized Users. Participant may delegate this responsibility to a Registered Sub-Organization and its Point of Contact. The process of authorizing and authenticating Authorized Users must include verifying the identity of the individual, his/her affiliation with the Participant and functional role with the Participant, and whether it is appropriate for the individual to send or receive Patient Data using the System. The Organizational Liaison or designated Point of Contact will attest to performing these functions and must inform OHA whether an individual is approved for a Direct Secure Messaging account in order for OHA to establish an Authorized User account. The Organizational Liaison or designated Point of Contact must inform OHA if at any point an Authorized User's approval has been or should be revoked, in accordance with the procedures set forth in Section 4.7.

SECTION 4: ACCESS

Purpose

Access controls govern when and how a patient's information may be accessed by Authorized Users. This Section 4 sets forth minimum controls Participating Entities shall implement to ensure that: (1) only Authorized Users access information via the System; and (2) they do so only in accordance with the requirements (specified herein) that limit their access to specified information (e.g., that which is relevant to a patient's treatment). These access policies are designed to minimize unauthorized access and ensure that Patient Data is used for authorized purposes.

Policies and Procedures

4.1 General. OHA requires that each Participating Entity enter into an Organizational Participation Agreement or substantially similar agreement prior to being granted access to and use of the System.

4.2 Authorized Users. Participant shall be responsible for facilitating Authorized Users' access to the System.

Participant will identify individuals within its organization that need access to the System to carry out their professional responsibilities.

This may include, but is not limited to, health care providers, employees, staff, contractors, or agents of Participant.

Participant will identify an individual responsible for granting access to Authorized Users, including requiring that Authorized Users sign an Authorized User Agreement and take the steps necessary to obtain a user name and password. Participant may request that each Registered Sub-Organization designate an individual responsible for managing all Authorized Users affiliated with the Registered Sub-Organization. Authorized Users shall be informed of the individual point of contact within Participant or the Registered Sub-Organization responsible for all questions, training, and to whom reports of any potential unauthorized access shall be made. This contact information shall be readily available to all Authorized Users within the organization.

4.3 Access Specifications. OHA shall provide each Authorized User with a unique System user name and the ability to select a unique password to access Patient Data via the System.

Authorized Users shall be authenticated in accordance with the provisions of Section

Group or temporary user names shall be prohibited.

Authorized Users shall be prohibited from sharing their user names and/or passwords with others and from using the user names and/or passwords of others.

4.4 Authorized Purposes. Participants shall permit Authorized Users to access Patient Data via the System only for purposes consistent with the Participant Agreement, these HIE Policies and Procedures, and the Authorized User Agreement.

4.5 Access Limited to Minimum Necessary Information. Participants shall ensure that reasonable efforts are made, except in the case of access for treatment, to limit the information accessed via the System to the minimum amount necessary to accomplish the intended purpose for which the information is accessed.

4.6 Training. The access controls set forth above will only be effective if: (1) a Participant's privacy and security policies and procedures are clear; (2) Authorized Users understand the HIE Policies and Procedures, and (3) Authorized Users understand their responsibilities to comply with both the Participant's policies and procedures and these HIE Policies and Procedures.

OHA will provide training materials for Participant use in training Authorized Users in the technical aspects of use of the System.

Participants shall provide on-site training, web-based training, or comparable training tools to ensure that Authorized Users are familiar with these HIE Policies and Procedures governing access to information via the System. This training may be provided in conjunction with the Participant's regular HIPAA training activities.

4.6.3 Participants shall ensure that each Authorized User undergoes the training specified in section

Participants shall ensure that each Authorized User signs a certification that he or she has received training and will comply with the HIE Policies and Procedures and the Authorized User Agreement, and with Participant's own privacy and security policies and procedures. Such certification shall be retained by Participants for at least six years.

Participants may, but shall not be required to, ensure that each Authorized User undergo continuing and/or refresher training on a periodic basis as a condition of maintaining authorization to access Patient Data via the System. At a minimum, Participant will provide updated training for any new HIE service for which Participant enters into a new Service Level Attachment with OHA.

4.7 Termination of Access and Other Sanctions. Participants shall develop policies and procedures to terminate the access of Authorized Users and/or to impose sanctions as necessary.

Participants shall ensure that an Authorized User's access to the System is terminated in the following situations and in accordance with the processes described:

a. Immediately or as promptly as reasonably practicable but in any event within one business day of termination of a Participant's Organizational Participation Agreement with the OHA;
b. Immediately following an Authorized User's breach of the Authorized User Agreement; and/or
c. Immediately or as promptly as reasonably practicable but in any event within one business day of notification of termination of an Authorized User's employment or affiliation with the Participant.

Participants shall notify OHA immediately via upon termination of an Authorized User's access to the System.

SECTION 5: AUDIT

Purpose

Audits are useful oversight tools for recording and examining access to information through the System (e.g., who accessed what data and when) and are necessary for verifying compliance with access controls, like those specified in Section 4, developed to prevent/limit inappropriate access to information. This Section 5 sets forth minimum requirements that Participants shall follow for audits regarding access to health information via the System.

Policies and Procedures

5.1 OHA Audits. OHA (or a third party engaged by OHA) may audit Participating Entities on a periodic basis. The purpose of these audits will be to confirm compliance with and proper use of the System in accordance with this Agreement and the HIE Policies and Procedures.

5.2 Conduct of Audits. Audits will take place during normal business hours and at mutually agreeable times and shall be limited to such records, personnel and other resources of Participant as are necessary to determine proper use of the System, compliance with this Agreement, or the HIE Policies and Procedures, or to comply with applicable state or federal requirements. Such audits will be performed at the expense of OHA, and in a manner designed to reasonably minimize interference with Participant's day-to-day operations.

SECTION 6: BREACH

Purpose

This Section 6 sets forth minimum standards OHA and Participating Entities shall follow in the event of a breach. These standards are designed to hold violators accountable for violations, assure patients about the HIE's commitment to privacy, and mitigate any harm that privacy violations may cause.

Policies and Procedures

6.1 Obligation of Participants to Report Actual or Suspected Breaches. Participants shall notify the OHA in the event that a Participant becomes aware of any actual or suspected Breach of Unsecured Protected Health Information accessed via the System.

Notification shall be made in the most expedient time possible and without unreasonable delay.

Notification shall be made in writing.

6.2 Responsibilities of OHA. OHA shall be required to develop a Breach plan as part of its policies and procedures. The plan shall provide that, in the event OHA becomes aware of any actual or suspected Breach of Unsecured Protected Health Information, either through notification by a Participant or otherwise, OHA must, at a minimum:

- Notify any Participants whose data is affected by the Breach.
- In the most expedient time possible and without unreasonable delay, investigate (or require the applicable Participant to investigate) the scope and magnitude of such actual or suspected Breach, and identify the root cause of the Breach.
- Mitigate (or require the applicable Participant to mitigate) to the extent practicable, any harmful effect of such Breach that is known to OHA or the Participant. OHA's mitigation efforts shall correspond with and be dependent upon their internal risk analyses.
- Notify (or require the applicable Participant to notify) the patient and any applicable regulatory agencies as required by and in accordance with applicable federal, state and local laws and regulations, including but not limited to HITECH.

6.3 Sanctions

OHA may impose sanctions that apply to Participants and their Authorized Users in the event of a Breach of Unsecured Protected Health Information and may impose, or may require its Participants to impose, such sanctions. Such sanctions may include but shall not be limited to temporarily restricting an Authorized User's access to the System; requiring Authorized Users to undergo additional training in the use of the System; terminating the access of an Authorized User to the System; or terminating a Participant's participation in the Health Information Exchange program.

SECTION 7: MISCELLANEOUS

Purpose

This section 7 addresses miscellaneous topics pertaining to the operation and administration of the Health Information Exchange program.

Policies and Procedures

7.1 Notification of New Participants. The provider directory will contain a listing of all Participants that are participating in the Health Information Exchange program. OHA will notify Participating Entities of new Participating Entities by updating the Participating Entity directory in a timely manner when new Participants are accepted into the Health Information Exchange program. The Participating Entity directory is available to Authorized Users via the program web site.

7.2 Best Practices. The Participant shall review and require each of its Authorized Users to review, the CareAccord Health Information Exchange Security Best Practices document.

CareAccord Health Information Exchange (HIE) Security Best Practices

The following are recommended best practices for user-controlled activities related to the use of the CareAccord Health Information Exchange Services and Direct Secure Messaging. These practices are designed to promote safeguards and controls to ensure the security of electronic protected health information (EPHI). In addition, health care organizations and individuals who participate in Oregon's CareAccord Direct Secure Messaging should follow their organization's policies, procedures and practices for health information security and privacy, and must comply with the Oregon Health Authority's HIE Policies and Procedures.

The following practices alone do not ensure that a user is fully compliant with HIPAA Security and Privacy requirements as defined in Security Standards for the Protection of Electronic Protected Health Information (45 CFR Part 164, Subpart C), commonly known as the Security Rule and in Privacy of Individually Identifiable Health Information (45 CFR Part 164, Subpart E), commonly known as the Privacy Rule.

Accessing CareAccord Direct Messaging Service via Mobile Devices

Appropriate security measures are necessary to protect against the risks associated with the use of mobile computing and communication devices. Each participating organization and Direct Secure Messaging user should examine the risks associated with sharing and accessing patient data and potentially storing Electronic Protected Health Information (EPHI) on mobile devices. Special care should be taken to ensure that protected health information is not compromised in what can be considered unprotected environments.

The following controls should be applied to mobile computing devices such as notebooks, palmtops, laptops, smartcards, smart phones, tablets, thumb drives, etc.:

a. All mobile devices should have up-to-date anti-virus software in use at all times.
b. Mobile devices should use encryption and a password to access the device. Encryption schemes that use strong encryption methods such as AES, RSA, WPA2, etc. are preferable.
c. Device password lockout should be activated after five minutes of inactivity.
d. Users should be aware of their surroundings in order to ensure that protected health information cannot be easily viewed by unauthorized persons (aka shoulder surfing.)
e. All mobile computing devices should be secured and out of view when not in use. Equipment and media taken off the premises should not be left unattended in public places.
f. Notebook computers should be carried as hand luggage and disguised where possible when traveling and should be locked out of sight in the trunk of a car when not in use.
g. Notebooks and mobile devices should not connect to public networks without appropriate transmission encryption controls in place to protect the device's data.

h. Organizations should have established policies for protecting EPHI mobile devices including:
   1. data deletion policies and media disposal procedures for mobile devices;
   2. maintenance of an accurate mobile device tracking and asset management program; and
   3. policies for the proper use or restriction of personal mobile devices for access to any system that provides access to EPHI.

Confidentiality

Each CareAccord Direct Secure Messaging user has a responsibility to ensure the protection of EPHI that is viewed, shared or discussed through Direct Secure Messaging consistent with the HIPAA Privacy Rule, including prohibiting disclosures to unauthorized individuals. Each Direct Secure Messaging user must ensure that communications involving patient data are between authorized individuals. It is recommended that users:

a. renew their account password periodically or as needed;
b. log out of the HIE before switching to another tab in a Browser session to prevent others from accessing the HIE;
c. lock your computer before leaving your workstation to prevent others from accessing the HIE; and
d. include signatures containing wording similar to the following: "The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately and delete this message."


More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is entered into between Covered Entity and CoverMyMeds LLC, a Delaware limited liability company ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES 1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date

More information

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum; BUSINESS ASSOCIATE ADDENDUM This BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is made and entered into as of July 1, 2012, ( Effective Date ) and supplements and is made a part of the services agreement

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is between you, a healthcare provider, its employees and agents ( Covered Entity ) and Doc Halo, LLC ( Business Associate ).

More information

Definitions. Catch-all definition:

Definitions. Catch-all definition: BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Business Associates Agreement

Business Associates Agreement Business Associates Agreement This Business Associate Agreement (the Agreement ) between Customer,( Covered Entity ) and Kareo ( Business Associate ) will be in effect during any such time period that

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

District of Columbia Health Information Exchange Policy and Procedure Manual

District of Columbia Health Information Exchange Policy and Procedure Manual District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Appendix : Business Associate Agreement

Appendix : Business Associate Agreement I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS COVERYS RRG, INC. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS WHEREAS, the Administrative Simplification section of the Health Insurance Portability and

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT This HIPAA Sub Business Associate Agreement ("Sub Agreement") is entered into by and between HR Simplified, Inc. ( Business Associate ) and [Vendor Name] on behalf of itself and its Affiliates ( Subcontractor

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

MaxMD 2200 Fletcher Ave. 5 th Floor Fort Lee, NJ (201) 963 0005 www.max.md www.mdemail.md support@max.md Page 1of 10

MaxMD 2200 Fletcher Ave. 5 th Floor Fort Lee, NJ (201) 963 0005 www.max.md www.mdemail.md support@max.md Page 1of 10 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the MaxMD Customer signee is a Covered Entity or "HIPAA Business Associate," as defined below.

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Participation Agreement Medicaid Provider Program

Participation Agreement Medicaid Provider Program Participation Agreement Medicaid Provider Program PLEASE FAX THE FOLLOWING PAGES #4, #7, #8, #14, #15 211 Warren Street Newark, NJ 07103 PHONE: 973-642-4777 FAX: 973-645-0457 E-mail: info@njhitec.org www.njhitec.org

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS The undersigned practice (the Practice ) and participating providers (each, a Provider, and collectively, Providers ) presently intend to become

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University DEPARTMENT: General Counsel's POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

Data Processing Agreement for Oracle Cloud Services

Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle's Cloud Services

BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement"), effective as of May 1, 2014 (the "Effective Date"), by and between ("Covered Entity") and Orchard Software Corporation,

Policy #: HEN-005 Effective Date: April 4, 2012 Program: Hawai'i HIE Revision Date: July 17, 2013 Approved By: Hawai'i HIE Board of Directors

TITLE: Access Management Purpose The purpose of this policy is to describe

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("the Agreement") is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ("Business Associate

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

This Business Associate Agreement (the "Agreement"), dated September 9, 2013, is entered into by and between ("Covered Entity") and Schuster
