B. 2011 Institute of Medicine Report on HIT and Patient Safety


Ongoing Challenges in HIPAA Compliance: Are We Having Fun Yet?

Marilyn Lamar, Esq.
Liss & Lamar, P.C.

AHLA Physicians and Hospitals Law Institute
New Orleans, Louisiana
February 5-7, 2014

On September 23, 2013, the Omnibus Rule[1] became effective, significantly expanding the privacy and security obligations of Business Associates and Covered Entities under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Omnibus Rule consists of a set of amendments to the privacy, security, enforcement and breach notification regulations that implement HIPAA, many of which were required by the Health Information Technology for Economic and Clinical Health ("HITECH") Act[2] or the Genetic Information Nondiscrimination Act ("GINA").[3]

Counsel for Covered Entities and Business Associates are now dealing with significant challenges in assisting clients with Omnibus Rule compliance, including those arising from acts and omissions of a Covered Entity's Business Associates that may be deemed agents despite being described as contractors in an agreement. Some of this increased risk may be mitigated by applying rigorous selection criteria, conducting a thorough due diligence review and negotiating contract language that assigns an appropriate level of responsibility to the Business Associate. Section II of this outline discusses the increased risk presented by agents under the Omnibus Rule and Section IV provides contract language and considerations for indemnification to assist in mitigation.

The safety of health information technology (IT) has also drawn a great deal of attention from federal regulators, especially with respect to the safety of electronic health records ("EHRs"). In addition to concerns about patient safety and how to comply with evolving rules, these new studies and tools may change the standard of care and become the focus of plaintiff lawsuits. The government initiatives are discussed in Section I below.

Another overall issue in the health IT landscape is the goal of having complete patient information despite the obstacle presented by the significant limitations on disclosures by federally assisted substance abuse treatment centers under 42 C.F.R. Part 2. Section III below describes these limitations, some possible exceptions and an ongoing pilot program to make electronic forms of such information more readily available.

Other issues arising from the Omnibus Rule are addressed in the outline prepared by Patricia A. Markus for the 2014 AHLA Hospitals and Health Systems Law Institute. Capitalized terms used in this outline without definition have the respective meanings assigned to them in the rules promulgated under HIPAA and HITECH. This outline assumes a basic understanding of the Omnibus Rule, the Privacy Rule,[4] the Security Rule,[5] and the Enforcement Rule[6] promulgated by HHS under HIPAA and HITECH.

I. Federal Government Initiatives Focusing on Health IT Safety

A. Overview and Background

Health IT patient safety issues have drawn significant attention from the Office of the National Coordinator for Health Information Technology ("ONC") and are likely to have considerable impact on health care providers and IT developers alike. Recent examples of ONC's efforts in this area are the Health IT Patient Safety Action & Surveillance Plan[7] issued on July 2, 2013 and the SAFER Guides[8] issued on January 15, 2014, each of which is discussed in Sections C and D below.

Health IT was also addressed as part of changes to the medical device provisions of the Food and Drug Administration Safety and Innovation Act of 2012, Pub. L. No ("FDASIA"). Specifically, Section 618 of the FDASIA requires the Secretary of HHS to post a report by January 2014 with a proposed strategy and recommendations on a risk-based regulatory framework pertaining to health IT, including mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication. The report had not been issued when this outline was prepared, but the draft recommendations of a committee formed to make recommendations are discussed below in Section E.

These efforts were preceded by the 2011 Institute of Medicine report on health IT and patient safety (the "IOM Report") discussed in Section B below. The focus on safety of electronic health records was also seen in portions of the Stage 2 meaningful use requirements adopted for the Medicare and Medicaid Electronic Health Record ("EHR") Incentive Program.[9]

Although the increased focus on safety may in fact improve patient care, counsel for providers and developers should also note the possibility that the increasing amount of safety data, studies and tools could affect the standard of care that may apply in negligence cases. For example, members of the plaintiff malpractice bar may use this information to argue that health care providers should be liable for health IT-related patient harm if they did not select a safe system or did not report, monitor or take appropriate action regarding health IT-related patient safety events. This is an evolving area which should be evaluated on an ongoing basis in light of industry developments and new case law.

B. 2011 Institute of Medicine Report on HIT and Patient Safety

While EHRs and other HIT are often touted as improving patient safety, some studies have indicated that they can present complicated risks if not carefully designed, implemented and monitored in use. These risks appear to arise from numerous factors including (i) the wide range of health information that may be recorded by numerous personnel; (ii) the lack of uniform standards for how various types of health information are recorded and made accessible; (iii) constantly changing technology and standards of practice; and (iv) complex human factors that affect clinical interaction with HIT, including the impact on care processes and workflows.

For example, a poorly designed EHR that requires a user to remember specific patient information while navigating multiple screens to enter an order may increase the user's cognitive load to a degree that makes errors more likely, especially if the user is subject to interruptions while trying to enter the order. Drop-down menus of medications listed alphabetically rather than by type (antibiotics, anti-depressants, etc.) have also been noted as a design factor that may lead to prescribing errors (sometimes referred to as "juxtaposition errors"). Clinical alerts generated by EHRs are overridden surprisingly often, especially if the clinicians feel that they do not provide useful information.[10]

The Joint Commission ("TJC") was one of the first organizations to identify these risks and how they can be addressed in its 2008 Sentinel Event Alert titled "Safely implementing health information and converging technologies" ("SEA 42"). SEA 42 suggested 13 actions ranging from an early examination of workflows and involving clinicians in planning to monitoring systems after implementation to track errors and close calls.[12] To date, reporting of sentinel events is voluntary and statistics on SEA 42 reports are not published, but there are pressures for more reporting and transparency, as evidenced in the Plan described below.

Perhaps recognizing that the increased use of EHRs encouraged by billions of dollars in meaningful use incentives could lead to increased risk, the Department of Health and Human Services ("HHS") funded an Institute of Medicine report[13] examining how the use of HIT affects the safety of patient care (the "IOM Report"). Although significant improvements were noted from use of CPOE (computerized provider order entry) and bar coding, the IOM Report also reviewed studies that reported some instances of HIT-associated harm.[14]

Although the full report should be reviewed for additional detail and context, some of the recommendations of the IOM Report[15] are summarized below:

1. HHS should publish an action and surveillance plan within 12 months with a schedule for working with the private sector to assess the impact of HIT on patient safety and minimize the risk of implementation and use. The plan should include actions by several government entities and accreditation organizations to (a) develop measures for safety; (b) work with vendors on promoting safety in development; (c) work with vendors and health care providers on post-implementation safety testing of EHRs for high prevalence, high impact EHR-related patient safety risks; and (d) adopt criteria for EHR safety for use by accrediting organizations.

2. HHS should ensure insofar as possible that vendors support and do not prohibit the free exchange of information about HIT safety, including details such as screenshots.

3. ONC should work with the private and public sectors to make comparative user experiences across vendors publicly available.

4. HHS should specify the quality and risk management process requirements that HIT vendors must adopt, with a particular focus on human factors, safety culture and usability.

5. HHS should establish a mechanism for vendors and users to report HIT-related deaths, serious injuries or unsafe conditions. Reporting would be (a) mandatory for vendors and (b) voluntary, confidential and non-punitive for users. Efforts should be made to encourage reporting by removing contractual, legal, logistical and other barriers to reporting. Reports then would be analyzed and the circumstances would be investigated.

6. HHS should monitor and publicly report on the safety of HIT. If it determines that sufficient progress is not being made, it should direct the FDA to regulate EHRs, HIEs and personal health records (although this would require a determination that these are medical devices in the scope of the FDA's regulatory authority). The FDA should begin to develop a regulatory framework.

With respect to disclosures of HIT-related adverse events, software contracts commonly include confidentiality provisions that are intended to protect the vendor's intellectual property. The broad scope of these non-disclosure clauses apparently led the authors of the IOM Report to conclude that these provisions are a significant barrier to the full reporting of errors that the authors believe is necessary to improve patient safety.[16]

C. ONC Health IT Patient Safety Action and Surveillance Plan

As recommended by the 2011 IOM Report, ONC issued its Health IT Patient Safety Action and Surveillance Plan[17] (the "Plan") in July 2013 following a notice and comment period.[18] The Plan is a joint effort between ONC and the Agency for Healthcare Research and Quality ("AHRQ") with two fundamental objectives:

1. Promote the use of health IT to make care safer; and
2. Continuously improve the safety of health IT itself.[19]

To coordinate and implement the Plan, ONC established the Health IT Safety Program led by ONC's chief medical officer.[20] The Plan relies on substantial participation by the private sector to be successful.[21] ONC expects that through the Plan:

- ONC will make it easier for clinicians to report health-IT related incidents and hazards through use of certified electronic health record technology ("CEHRTs").
- AHRQ will encourage reporting to patient safety organizations and will update its standardized reporting forms to enable ambulatory reporting of health IT events.
- CMS will encourage the use of standardized reporting forms in hospital incident reporting systems, and train surveyors to identify safe and unsafe practices associated with health IT.
- ONC and CMS will consider adopting safety-related objectives, measures, and capabilities for CEHRTs through the Medicare and Medicaid EHR Incentive Program and ONC's standards and certification criteria.[22]

To further these goals, the ONC contracted with The Joint Commission ("TJC") to better detect and proactively address potential health-IT related safety issues [including] as a contributing cause of adverse events.[23] TJC is to enhance the use of its Sentinel Events database and reporting program to identify, investigate, and ultimately prevent sentinel events[24] so the results can inform and potentially drive the direction of the Program. Under the contract, TJC will conduct at least 10 investigations (5 hospitals, 5 ambulatory sites) of HIT events and provide a written summary of the events. TJC will also produce a final report that will identify the resources needed to effectively conduct investigations and what factors may impact the ability of an external organization to conduct health-IT related investigations.[25]

D. SAFER Guides

Implementation of the Health IT Safety Plan has started to take shape in the nine Safety Assurance Factors for EHR Resilience ("SAFER") guides released on January 15, 2014.[26] The goal of the SAFER guides is to offer health care providers an interactive self-assessment tool to evaluate where their EHR is vulnerable to patient safety risks and then determine how to optimize safety.[27] Each SAFER guide may be used interactively online or may be downloaded as a fillable PDF.[28] The nine SAFER guides consist of the following and are divided into three broad categories:

Foundational Guides
- High Priority Practices
- Organizational Responsibilities

Infrastructure Guides
- Contingency Planning
- System Configuration
- System Interfaces

Clinical Process Guides
- Patient Identification
- Computerized Provider Order Entry (CPOE) with Decision Support
- Test Results Reporting and Follow-up
- Clinician Communication

The SAFER guides rely on a variety of checklists, evaluative tools, and recommended practice objectives that ONC and other stakeholders believe combine the latest applied knowledge of health IT safety with practical tools that will help providers, according to ONC chief medical officer, Jacob Reider, M.D.[29] Each SAFER guide includes references to the sources of its recommended practices, which the authors believe represent current industry best practices. Although they are not based on HIPAA or the EHR Incentive Program, there are references throughout the SAFER guides to the relevant portions of those regulations.[30]

ONC also posted a short introductory video to the SAFER guides to be used by the team or risk manager performing the review.[31] The video explains that while each SAFER guide's checklist may only be 1-2 pages long, each checklist topic has an associated worksheet to help the user evaluate the organization's level of implementation of the recommended practice. Each guide also lists other types of professionals to potentially consult for further information, along with examples of relevant sample situations.[32] The High Priority Practice Guide,[33] for example, recommends completing the self-assessment with a multidisciplinary team to enable an accurate snapshot and lead to consensus about the organization's future path to optimize EHR-related safety and quality.[34]

It is too early to tell whether the SAFER guides will be widely used and prove to be successful. However, they will likely be a valuable tool for organizations to begin their own internal self-assessment and evaluation processes, as well as for outside consulting groups looking to assist organizations with their health IT safety concerns.

[1] Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg (Jan. 25, 2013) (amending 45 C.F.R. Parts 160 and 164).
[2] Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No , 123 Stat. 226 (Feb. 17, 2009), codified at 42 U.S.C. 300jj et seq.; et seq.;
[3] Genetic Information Nondiscrimination Act of 2008 (GINA), Pub. L. No , 122 Stat. 881 (May 21, 2008).
[4] Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg (Dec. 28, 2000) (as amended) (amending 45 C.F.R., Parts 160 and 164).
[5] Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg (Dec. 28, 2000) (as amended) (amending 45 C.F.R., Parts 160 and 164).
[6] HIPAA Administrative Simplification: Enforcement; Interim Final Rule, 74 Fed. Reg (Oct. 30, 2009).
[7] (last visited Jan. 26, 2014).
[8] News Release, U.S. Department of Health & Human Services, HHS makes progress on Health IT Safety Plan with release of SAFER Guides (Jan. 15, 2014), available at: (last visited Jan. 16, 2014).
[9] Fed. Reg
[10] Several studies of unintended adverse consequences of HIT are summarized in materials provided for the 2007 and 2008 AHLA Annual meetings. See M. Lamar, Planning to Minimize the Pitfalls of Electronic Systems and Metadata (2007) and Lessons Learned from Electronic Health Record and Health Information Exchange Projects (2008). Additional studies are cited in the 2011 IOM Report and the Draft Report issued in connection with the FDASIA, both of which are cited below.
[11] converging_technologies, accessed Jan. 16,
[12] Id.
[13] IOM (Institute of Medicine) Health IT and Patient Safety: Building Safer Systems for Better Care.
[14] IOM report at S-2
[15] IOM Report at S-4 through S-11.
[16] IOM Report at News Release, U.S. Department of Health & Human Services, Final HHS Health IT Safety Plan issued (July 2, 2013), available at hhs.gov/news/press/2013pres/07/ a.html (last visited Jan. 16, 2014).
[19] U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, ONC Fact Sheet: Health Information Technology Patient Safety Action and Surveillance Plan (July 2, 2013) available at: (last accessed Jan. 16, 2014).
[20] Pfister, Helen and Ingargiola, Susan, ONC Unveils Final Health IT Safety Plan, ihealthbeat, July 29, 2013 at 3 available at: ihealthbeat.org/insight/2013/onc-unveils-final-health-it-patient-safety-plan (last accessed Jan. 16, 2014).
[21] News Release, U.S. Department of Health & Human Services, Final HHS Health IT Safety Plan issued (July 2, 2013), available at hhs.gov/news/press/2013pres/07/ a.html (last visited Jan. 16, 2014).
[22] Id.
[23] Id.
[24] U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, Investigation of Health IT-related Deaths, Serious Injuries, or Unsafe Conditions (ONC Contract #HHSP C) (July 2, 2013) available at: (last visited Jan. 16, 2014).
[25] Id.
[26] News Release, U.S. Department of Health & Human Services, HHS makes progress on Health IT Safety Plan with release of SAFER Guides (Jan. 15, 2014), available at: (last visited Jan. 16, 2014).
[27] Id. and Health IT Videos: How to Use the SAFER Guides available at: (last visited Jan. 16, 2014).
[28] News Release, U.S. Department of Health & Human Services, HHS makes progress on Health IT Safety Plan with release of SAFER Guides (Jan. 15, 2014), available at: (last visited Jan. 16, 2014).
[29] Id.
[30] U.S. Department of Health and Human Services, Office of the National Coordinator for Health IT, HIPAA: High Priority Practices available at: (last accessed Jan. 16, 2014).
[31] Health IT Videos: How to Use the SAFER Guides available at: (last visited Jan. 16, 2014).
[32] Health IT Videos: How to Use the SAFER Guides available at: (last visited Jan. 16, 2014).
[33] U.S. Department of Health and Human Services, Office of the National Coordinator for Health IT, SAFER Guide - Self Assessment - High Priority Practices available at: (last accessed Jan. 16, 2014).
[34] Id. at 2.

As noted above, tools like the SAFER guide may be cited by plaintiffs' lawyers trying to establish a higher standard of care. However, the General Instructions for the SAFER self-assessment guides state that they are for informational purposes only and are not intended to be an exhaustive or definitive source.[35]

E. Recommendations from FDASIA Committee

As noted above, Section 618 of the FDASIA requires the Secretary of HHS to issue a report by January 2014 regarding health IT acting through the Commissioner of the Food and Drug Administration ("FDA"), in consultation with ONC and the Federal Communications Commission ("FCC"). Although the final report had not been issued when this outline was prepared, some elements of the draft FDASIA Committee Report issued in September may be helpful in anticipating what will be covered by the report and generally evaluating issues in this area.

The Draft Committee Report initially considered what types of health IT should be subject to a risk-based regulatory framework (e.g., decision support algorithms) or excluded (e.g., claims and eligibility software). It used eleven characteristics of IT (e.g., purpose, intended users, possible severity of injury and transparency) and provided examples of low, medium and high risk on each characteristic in several use cases ranging from a nutrition app to an insulin pump with a glucose monitor. This approach intentionally did not provide a numerical calculation of risk.

The Draft Report also evaluated current regulation by the FDA, ONC and the FCC on various dimensions including the impact each was likely to have on innovation and whether ambiguities and overlap could be eliminated. The many recommendations in the Draft Report included the following:

- Health IT should not be subject to FDA pre-market requirements except for medical device accessories, high risk clinical decision support and high risk software use cases (including those where the intended use elevates risk).
- Vendors should list products with some risk (assuming there is a non-burdensome way to do so).
- Need a collaborative post-market approach to surveillance of HIT including reports from users and vendors as well as post implementation testing.
- Safety issues should be aggregated on a nationwide basis.
- No federal agency was suggested to take the lead but inter-agency cooperation was deemed essential.
- Existing standards should be adopted and new standards developed.
- An independent group should administer a public process for customer rating of HIT to enhance transparency using validated measurement results.

In its summary of lessons learned, the Draft Report noted that certification should be used judiciously so creativity and innovation are not discouraged. It also noted that transparency in the marketplace was preferred to innovation that is often limited to compliance with government requirements. National goals such as the meaningful use standards were also encouraged.

[35] U.S. Department of Health and Human Services, Office of the National Coordinator for Health IT, SAFER Guide - Self Assessment - High Priority Practices available at: (last accessed Jan. 16, 2014).
[36] (last accessed Jan. 26, 2014).

II. Liability for Business Associates and Subcontractors

A. Liability in General.

The HITECH Act and the Omnibus Rule extend direct liability for compliance with certain provisions of HIPAA to business associates, making them civilly and criminally liable for violations of the applicable provisions. In the Preamble, HHS clarified that a person becomes a business associate by definition, not by contract, as previously mentioned. Therefore, liability for compliance with the applicable provisions of HIPAA attaches immediately when a person meets the definition of a business associate.

B. Agents.

In general, and subject to certain affirmative defenses, HHS will impose a civil money penalty upon a covered entity or a business associate for violating the applicable provisions of HIPAA. Despite the fact that HITECH made business associates directly liable for breaches of many provisions of the HIPAA rules, the Omnibus Rule eliminated a provision in the Enforcement Rule that previously protected a covered entity from liability for the acts of an agent so long as: (a) the agent was a business associate of the covered entity, (b) the requirements of the business associate agreement were met, (c) the covered entity did not know of a pattern or practice of the business associate in violation of its business associate agreement, and (d) the covered entity did not fail to act to cure the breach or end the violation, or, if such steps were unsuccessful, terminate the agreement or report it to the Secretary, as applicable.

Instead, the Omnibus Rule makes a covered entity or a business associate liable when an agent of the covered entity or business associate, as applicable, is responsible for the violation. This liability may attach even when the covered entity or business associate, as applicable, has a compliant business associate agreement in place. Principles of the federal common law of agency determine whether an entity will be liable for the acts of its business associate or subcontractor, as applicable.

Although the federal common law of agency is beyond the scope of this outline, HHS has provided some guidance behind these revisions. First, it expects that the federal common law of agency will offer a uniform platform for the definitions of principal, agent, and scope of agency, which it believes important when enforcing a federal law. In addition, HHS points out that an analysis of whether a business associate or a subcontractor is an agent will be fact-specific, taking into account the terms of the agreement between the parties and the totality of the circumstances.

The most important factor is whether the covered entity or business associate controls the conduct of its business associate or subcontractor as it performs services. For instance, a relationship between a covered entity and a business associate where the only ability to control the business associate is to amend the agreement or sue for breach is more likely not to be an agency relationship than a relationship that provides that the covered entity will provide instructions to the business associate as it performs the services. Some of the other factors that may be considered include:

- The time, place, and purpose of the conduct;
- Whether the conduct is commonly done by a business associate or subcontractor to accomplish the service performed;
- Whether or not the covered entity (or business associate) reasonably expected that a business associate (or subcontractor) would engage in the conduct in question; and
- The type of service and skill level required to perform the services.

The labels associated with the relationship (such as independent contractor) are not definitive, although we would expect that such language will be incorporated into many business associate agreements. In addition, we would expect that indemnification provisions will become more heavily negotiated as covered entities and business associates attempt to manage this potential liability.

Finally, in a somewhat ironic twist, covered entities or business associates that attempt to define by contract the terms of conduct of the business associate or subcontractor, as applicable, in order to better protect the privacy and security of PHI may find themselves taking on more liability. It is possible such efforts could be viewed as attempts to control the conduct of the business associate or subcontractor, thereby creating an agency relationship.

III. Compliance with Federal Substance Abuse Program Records Requirements Liability for Business Associates and Subcontractors

A. Specific Patient Consent Required.

One of the continuing obstacles to achieving complete medical records is the stringent consent requirements of 42 C.F.R. Part 2, which generally prohibits the disclosure[37] or use of patient health records[38] maintained in connection with any federally assisted drug or alcohol program except as permitted by the rule or pursuant to a prior written consent of the patient that is compliant with 42 C.F.R. Part 2. The consent to disclosure under the Part 2 regulations must be in writing and include all of the following items:

(i) the specific name or general designation of the program or person permitted to make the disclosure;
(ii) the name or title of the individual or the name of the organization to which disclosure is to be made;
(iii) the name of the patient;
(iv) the purpose of the disclosure;
(v) how much and what kind of information to be disclosed;
(vi) the signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of a person authorized to sign under § 2.15 in lieu of the patient;
(vii) the date on which the consent is signed;
(viii) a statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it (acting

[37] Disclosure means the communication of patient identifying information, the affirmative verification of another person's communication of patient identifying information, or the communication of any information from the records of a patient who has been identified. 42 C.F.R
[38] Records mean any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program; Patient identifying information means the name, address, social security number, fingerprints, photographs, or similar information by which the identity of a patient can be determined with reasonable accuracy and speed either directly or by reference to other publicly available information. 42 C.F.R C.F.R


More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) is entered into this day of 2014. Perry Memorial Hospital ( Covered Entity ) and [ABC Company] ( Business Associate ) referred

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is made effective as of the day of 2014 (the Effective Date ), by and between Sarasota County Public Hospital District,

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

Louisiana State University System

Louisiana State University System PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.

More information

Participation Agreement Medicaid Provider Program

Participation Agreement Medicaid Provider Program Participation Agreement Medicaid Provider Program PLEASE FAX THE FOLLOWING PAGES #4, #7, #8, #14, #15 211 Warren Street Newark, NJ 07103 PHONE: 973-642-4777 FAX: 973-645-0457 E-mail: info@njhitec.org www.njhitec.org

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version)

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) THIS AGREEMENT is entered into and made effective the day of, 2012 (the Effective Date ), by and between (a)

More information

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Iowa Health Information Network BUSINESS ASSOCIATE AGREEMENT

Iowa Health Information Network BUSINESS ASSOCIATE AGREEMENT Iowa Health Information Network BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is made entered into and effective on the day of, 201_ ( Effective Date ) by and between

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

BUSINESS ASSOCIATE CONTRACTUAL ADDENDUM

BUSINESS ASSOCIATE CONTRACTUAL ADDENDUM BUSINESS ASSOCIATE CONTRACTUAL ADDENDUM This HIPAA Addendum ("Addendum") is entered into effective this first day of November 1, 2015, by and between "Business Associate" AND COUNTY OF OTTAWA Ottawa County

More information

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT Revised: July 27, 2015 AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT Welcome to the AmWell Exchange Service (the Service ), which is owned and operated by American Well Corporation, a Delaware corporation

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky

More information

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by: UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE Subject: ALCOHOL & SUBSTANCE ABUSE INFORMATION Page 1 of 10 No: Prepared by: Shoshana Milstein Original Issue Date: NEW Reviewed by: HIPAA Policy

More information

BAC to the Basics: Business Associate Contracts Made Easy

BAC to the Basics: Business Associate Contracts Made Easy BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Strategies for Electronic Exchange of Substance Abuse Treatment Records

Strategies for Electronic Exchange of Substance Abuse Treatment Records Strategies for Electronic Exchange of Substance Abuse Treatment Records Patricia Gray, J. D., LL. M. Prepared for the Texas Health and Human Services Commission and the Texas Health Services Authority

More information

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records.

DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS. This Policy describes permissible disclosures of Alcohol and Substance/Drug Abuse Records. PRIVACY 11.0 DISCLOSURE OF ALCOHOL AND SUBSTANCE/DRUG ABUSE RECORDS Scope: Purpose: All workforce members (employees and non-employees), including employed medical staff, management, and others who have

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this "Agreement") is made as of, 201_ (the Effective Date ), and is entered into between ( Covered Entity ) and Delta Business System, Inc.

More information

California Department of Corrections and Rehabilitation (CDCR) BUSINESS ASSOCIATES AGREEMENT (HIPAA)

California Department of Corrections and Rehabilitation (CDCR) BUSINESS ASSOCIATES AGREEMENT (HIPAA) California Department of Corrections and Rehabilitation (CDCR) BUSINESS ASSOCIATES AGREEMENT (HIPAA) IN PRISON SUBSTANCE USE DISORDER TREATMENT PROGRAM WHEREAS, Provider, hereinafter referred to in this

More information

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS The undersigned practice (the Practice ) and participating providers (each, a Provider, and collectively, Providers ) presently intend to become

More information

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT

ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is effective as of (the Effective Date ) and is entered into by and between, with an address of (the Covered Entity

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Definitions. Catch-all definition:

Definitions. Catch-all definition: BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Express Scripts, Inc. and one or more of its subsidiaries ( ESI ), and Sponsor or one of its affiliates ( Sponsor ), are parties to an agreement ( PBM Agreement ) whereby ESI

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

HIPAA Privacy and Business Associate Agreement

HIPAA Privacy and Business Associate Agreement HR 2011-07 ATTACHMENT D HIPAA Privacy and Business Associate Agreement This Agreement is entered into this day of,, between [Employer] ( Employer ), acting on behalf of [Name of covered entity/plan(s)

More information

Business Associate Agreement (BAA) Guidance

Business Associate Agreement (BAA) Guidance Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information