IT'S ALL ABOUT THE DATA!!

American Health Lawyers Association
In House Counsel Program
New York City, June 29, 2014

IT'S ALL ABOUT THE DATA!!

Bernadette M. Broccolo, McDermott Will & Emery LLP
Thomas J. Kiser, University HealthSystem Consortium

McDermott Will & Emery. The following legal entities are collectively referred to as "McDermott Will & Emery," "McDermott" or "the Firm": McDermott Will & Emery LLP, McDermott Will & Emery AARPI, McDermott Will & Emery Belgium LLP, McDermott Will & Emery Rechtsanwälte Steuerberater LLP, McDermott Will & Emery Studio Legale Associato and McDermott Will & Emery UK LLP. These entities coordinate their activities through service agreements. This communication may be considered attorney advertising. Previous results are not a guarantee of future outcome.

Current Reality: Data is the new Natural Resource

Accelerating the development and implementation of a Big Data strategy is essential, not optional, for the full spectrum of industry stakeholders
- Health Reform Demands on Providers, Payors (Both Public and Private Sector)
  - New Care Delivery Models - Coordination, Accountability, Outcomes, Patient Experience, Population Health
  - New Payment Models - Value not Volume (quality and cost benchmarking, comparative effectiveness)
- Real Time Clinical Care Delivery Decision Support, Evidence-Based and Personalized Medicine
- Biomedical Research Innovation (Treatment/Diagnosis/Product Development)
  - Streamlining to Accelerate and Reduce Cost through Secondary Research as an Alternative to Clinical Trials
- Diversification and Maximization of Revenue Streams
- Operating Cost Efficiencies
- Mandated Manufacturer Post-Market Product Surveillance and Risk Mitigation (REMS)

Current Reality

There will be:
- Some old, tried and true approaches and players
- Some new, untested ones
- Mixed Messages and Sentiments: Excitement v. Skepticism
- Changes in technology, business needs, resources, players and relationships

Need for a strategy that evolves along the spectrum from the sublime to the ridiculous and is nimble enough to adapt to changes and developments in technology, business needs, resources, players and relationships, and law
- False starts, failures and delayed optimization are inevitable
- Compliance considerations are complex
- Public policy messages are conflicting
- Don't wait to start
- Proceed swiftly but cautiously, not hastily!

Focus of Today's Discussion

- Current quest for Big Data: Who, What, Where, Why, When and How
- Big Data = Big Topic
- Overview of Spectrum of Big Data Initiatives
- Key Building Blocks for Moving Along the Spectrum
- Enterprise Risks and Associated Risk Management Strategies

The Mantra: It's ALL about the DATA!!!

- "what we know is that transfer of information is critical [t]hat's the human rocket science of how you make health care systems work well." Source: Bill Moyers Journal, Transcript of Interview of Dr. Jim Yong Kim, President of Dartmouth College and co-founder of Partners in Health, September 11, 2009
- "The reality is that hospitals are going to need data from outside the organization. No one will be able to operate in a bubble anymore - it's not going to be adequate in an accountable care environment" Jennifer Covich Bordenick, CEO, eHealth Initiative
- "But, as with most buzz-attracting topics, gaining value through big data isn't as easy as it seems. Big Data doesn't necessarily mean good data" Optum, Moneyball Analytics

Big Data: The Newest Enterprise Risk Frontier

- Data is now seen as a highly valuable corporate asset.
- Data is a key ingredient for delivering and improving high quality and effective care and getting paid for it.
- BUT, Big Data strategies implicate key areas of enterprise risk: strategic, operational, financial, legal liability, regulatory compliance, reputation, etc.
- Identifying and managing the enterprise risks during the full life cycle of a Big Data initiative should be a priority focus of Board oversight.
- Effective Board Oversight and Risk Management require:
  - Education, and
  - Integrated, Enterprise-Wide Data Governance Infrastructure.

Key Elements of Big Data Strategy

Both Retrospective and Predictive Dimensions of:
- Electronic Data Collection
- Data Access and Exchange
- Data Aggregation, Extraction, Normalization and Validation
- Data Analytics and Reporting

Approaches to Data Access and Aggregation

One, Some or All Of the Following:
- Drawing data solely/primarily from one's own internal EHR systems
- Accessing internal and external EHRs through interoperable EHR systems
- HIE participation (public v. private sector)
- Exchanging/combining clinical data with payer claims data
- Patient portals
- Access to public and private data Clouds
- Building a robust internal data warehouse by collecting and aggregating data from various internal and external sources
- Access to other third party data repositories for disease and population management (e.g., disease registries offered by professional societies, health industry consortia and trade associations, CDC, CMS and other government agencies)

Harnessing EHR Capabilities to Collect Data in Robust Electronic Data Warehouses

[Diagram. Labels recovered from the slide:]
- Big Data Cornerstone: Integration of Systems
- Provider Transition From Paper to Electronic Records
- Clinical Trial Management Systems Implementation
- Institutional Review Board Transition to Electronic Records
- Institutions Providing EHR Access To Medical Staff And Others
- HIEs (Private/Public)
- Institutions, Physicians, Labs, Pharmacies, Private/Public HIEs
- Electronic Data Warehouse (EDW)
- Consortia, Pharma, CROs, Universities, Payors and Affiliates, Gov't, Other EDWs

Source of Tools and Expertise to Analyze Data

Some Combination of the Following:
- Industry Consortia and Industry Trade Associations
- Payers and their Affiliates
- Home-grown medical informatics department, algorithms and other tools
- In-license third party analytical tools
- Outsourcing analytical support function to a third party

Emerging Stakeholder Collaborations

Illustrative Purposes
- Revenue Cycle Management
- Automated Data Extraction
- Data Analytics to Produce Actionable Data (e.g., performance measurement)
- Clinical Decision Support and Artificial Intelligence
- Evidence/Information Based Medicine
- Personalized Medicine
- Acceleration of Clinical Research through Secondary Research

Common Collaboration Structures
- Service and Support contracts/license Arrangements
- Contractual Joint Ventures
- Joint Venture Entities

Myriad Collaboration Participants

Limitless permutations and combinations of:
- Stand-alone community hospital and regional and national healthcare systems
- Single and multi-specialty medical groups, large and small
- Other Providers
- Government and Private payers
- Industry Consortia, Trade Associations and Professional Societies
- Myriad Research Stakeholders
  - AMCs/Universities
  - Regional and National Health Systems
  - Research Institutes
  - Manufacturers
  - CROs
  - Other research Vendors and Service Providers
- Other Emerging Vendor and Support Organizations (analytics firms, cloud vendors)

University HealthSystem Consortium

- A unique strategic co-operative of leading academic medical centers, their affiliated hospitals and physician practices
- UHC helps its members to meet the unique challenges of, and to succeed in, today's changing health care environment by creating knowledge, fostering collaboration and promoting innovation.
- Databases containing records of 100 million individuals (one-third of entire US population)

Key Data Strategy Elements with both Retrospective and Predictive Dimensions

Creation and Use of EDWs for HCO Purposes: General Rules

- Covered Entity's (CE's) creation and use of an EDW solely for its own HCO purposes is an HCO purpose
  - CE may retain a BA to assist in creation of the EDW
- Creation and use of a shared EDW with other CEs for certain HCO purposes
  - CEs may retain a BA to assist in creation of the shared EDW as a Data Aggregator
  - BA must conduct analysis and produce reports in de-identified form as a Data Aggregator that relate to the HCO Purposes of CEs providing the data
  - CEs may directly share EDW data on all patients in fully identifiable form for any of one another's HCO purposes if the CEs are members of an OHCA
  - CEs that are not members of an OHCA may directly share fully identifiable data on common patients for more limited HCO purposes
  - CEs may share EDW data in the form of a limited data set for one another's HCO purposes pursuant to a Data Use Agreement

UHC Clinical Performance Intelligence Program: Secondary Use of Aggregated Member Data

- UHC Performance Intelligence Program begins with submission of a copy of administrative data (e.g., ICD data) and certain EHR data (including PHI such as lab values) by Member-Participants through a Secure Server (See Handout Data Flow Diagram)
- UHC normalizes, standardizes, and error corrects the data to create a Data Mart
  - Data Mart is used first in a Test Environment before becoming Active.
  - A separate Data Mart and separate license agreement exists for each UHC Program
- UHC neither creates nor hosts a data warehouse comprised of Participant data in its original or adapted form; nor does it retain a copy of Participant's data submission in any other form.
- UHC places a filter on top of Data Mart (i.e., code that draws data out of the Data Mart) to protect against prohibited access to PHI.
- No one ever gets direct access to the Data Mart

UHC Data License Agreements

UHC Rights to Create and Use Derivative Works
- UHC may create statistically de-identified version of the Data Mart for any purpose, free of any restrictions (e.g., use to populate other data bases to support other products, integrate products, etc.).
- UHC may create Limited Data Sets (LDS), but uses of LDS are subject to Participants' approval.

Participant Rights to Access to the Data Mart
- Participants may access the data mart and use it to submit queries and produce reports.
- Access by Participants is:
  - Solely via a VPN,
  - Only to their own PHI (for use to compare their own performance against aggregated benchmarks), and
  - Only to data of other Participants that is statistically certified as de-identified.
- No third party access to any UHC data bases is permitted.

UHC Data License Agreements

Participant's Data Ownership Rights
- Participant is sole owner of data it sends to UHC
- Participants retain physical possession and sole ownership of the original data.
- Participant owns reports generated from its own queries, subject to restrictions on their ability to share them.

UHC Ownership Rights
- UHC owns the data in the aggregated form in the Data Mart
- UHC owns the supporting technology, architecture, tools
- UHC owns other Derivative Works (subject to license terms applicable to original work)

UHC Data License Agreements

Battle of the Policies: Which ones control?
- Data storage and Use
- Security Infrastructure
- Encryption
- Data Transparency

Representations and Warranties of the Participant and UHC
- Data Accuracy and Completeness
- Compliance
- Proper data sharing between and among Participant and its affiliates
- Data Liaison Due Diligence: UHC conducts an analysis of each participant's corporate structure to assure appropriate data access

UHC Data License Agreement

- UHC Disclaimers of Warranties
- Data AS IS
- UHC Performance Intelligence Program is not a substitute for exercise of professional diligence and judgment
- Limitations of Liability
- FTC Safe Harbor Requirements

UHC Business Associate Agreement

- One BAA is used for each Participant and governs all individual license agreements involving submission of PHI.
- Minimum Necessary Requirement
- Internal Controls
  - Only Need to Know
  - UHC personnel may not attempt to re-identify the de-identified data
  - Data Drives
  - Removing Access
- External Controls (e.g., Participant will not attempt to re-identify the de-identified data)
- Includes UHC's right to create Limited Data Sets
- Breach Notification
  - UHC does not report pings or unsuccessful log-ins to Participants
  - UHC requests 10-day notice period to report a breach
- Return of Data
  - Invokes the Infeasibility standard (unless termination occurs before Participant data submitted to Data Mart)

Data Governance Generally

- Data Governance as a means of Identifying and Managing Enterprise Risk
- Still an evolving concept with many variations
- Scope: All operational domains (not only IT)
  - But Phased implementation will likely be more effective
- Common governance framework as foundation for domain-specific policies and procedures
  - Principles, Organization, Standards and Process, Technology Tools
- Key Focus Areas
  - Data definitions, architecture, strategy, quality/integrity, availability, integration, ownership, sensitivity, compliance, strategy, financial, storage and retention, leveraging, third party relationships

UHC Data Governance

- Governing Board Level Committee
  - Performance Improvement and Comparative Data Committee
  - Committee Charter
- Oversees:
  - Policy and Procedure development and implementation
  - Data Storage and Use
- Responds to Audit Requests
  - UHC does not allow Participants to Audit its system or logs

UHC Internal Controls

- Privacy and Security Policies (UHC has AT601 Attestation Credential)
- Proper Data Storage
  - Designated Drives
  - Limited Access to persons with Need to Know
- Internal Storage
- Cloud Storage
  - UHC requires data privacy and security representations and warranties from the cloud provider.
  - UHC requires specific cyber liability insurance from the cloud provider.
  - UHC flows certain requirements down to the data base participants.
  - UHC does not allow any off-shore data storage.
- Security Safeguards
- Data transmission Policies
  - Using the Secure Data Exchange

UHC Internal Controls

- Third Party Firewall Testing
- Due Diligence
  - Data Privacy and Security Attestations of Third Parties/Subcontractors
  - No offshore storage, access and/or downloading
- Disaster Recovery Plan
- Insurance Coverage
  - Policy Coverage
  - Broker risk analysis addresses:
    - Data De-Identification
    - Storage Method
    - Access controls (internal and external personnel)
    - Segregation of databases
    - # of Individuals whose records are included in database
    - # of Individuals with access
    - Data encryption (in motion and at rest)
    - Disaster Recovery
    - Business Continuity

Think Ahead: Use of EDW to Conduct Secondary Research

Attorney Client Communication & Attorney Work Product: Privileged & Confidential -- DRAFT

- Research Health Care Operations for compliance purposes
- Anticipate possible future use of HCO Warehouse for Secondary Research so as to maximize flexibility of the warehouse
- Secondary Research use raises different compliance considerations than HCO use
- Common Rule Consent Requirement - generally permits researchers to seek informed consent to future research activities provided such future research is described in sufficient detail
- Recent Harmonization of HIPAA and Common Rule regarding Secondary Research Uses
  - Under recent rules implementing HITECH Act, OCR will no longer require an authorization to identify the specific study for which PHI will be used and will allow an authorization to include a general description of the purposes of potential future research uses

EDW Creation and Secondary Research Use Under LDS Option

- Use of a limited data set (LDS) structure involving a BA as an Honest Broker provides additional flexibility to use EDW for research
- Avoids the need to obtain up-front HIPAA authorization and possible Common Rule consent to:
  - Create the EDW
  - Mine the data to identify clinical cohorts
  - Re-identify patients to present clinical trials
- Be sure to distinguish between:
  - Creation of Research EDW
  - Subsequent use of Research EDW
- Both are compliance moments for both HIPAA and the Common Rule

LDS Option: Honest Broker Strategy

- Can the same entity act as both the researcher using the LDS and the Honest Broker that both creates the LDS and performs the Re-Identification/Patient Contacting Role?
- Preamble to HITECH Final Rule raises question regarding longstanding practice of using an internal firewall to prohibit persons in the same organization from both creating the LDS and using the LDS for research.
- However, the Preamble language is largely consistent with prior statements from the Office for Civil Rights on the issue
  - Supports the argument that the Preamble did not intend to diminish or eliminate the effectiveness of the firewall approach.
- A Covered Entity should consider consulting with an IRB for endorsement of this approach

Universal Privacy and Security Compliance Planning Considerations

- What stakeholders are involved in providing, accessing and exchanging information?
  - What due diligence was performed to validate the privacy and security infrastructure of participants?
- What data will be contributed and exchanged?
  - Will it contain identifiers/sensitive information when contributed? Competitively sensitive information?
- For what purpose was data originally gathered (clinical care? primary research study?)
  - Was consent/authorization obtained and what scope of use did it cover?
  - Was more data gathered than necessary for the original purpose?
- For what will the data be subsequently used?
  - Was a consent/authorization obtained?
- Does the Notice of Privacy Practices address some or all of the Big Data Strategy? Directly or indirectly?

Universal Privacy and Security Compliance Planning Considerations

- Will data be made available to other than those who contributed it? For what purpose?
- Will any remuneration (financial or non-financial) be exchanged for contribution of or access to the data by participants in the arrangement? By others?
  - What is the amount and, for data contributors, how does it compare to cost of contributing the data?
- Will the collection, aggregation, storage, analysis or reporting of data involve the use of external infrastructure/services provided by third party support organizations? Prime? Subcontractors? Due Diligence?
- Will data provided by one participant be returned or destroyed by other participants in the event of termination or withdrawal of that participant?
- What transition support will be provided upon such termination or withdrawal?

Risk Management Guideposts

- A thoughtful and thorough approach to risk allocation and risk management at the front-end will enhance the likelihood of short-term and long-term success and overall sustainability
- Need to anticipate scope of the risk in both the short-term and the long-term
- ALL parties play a role in creating and managing potential risks.
- Key Questions/Guideposts
  - Who is in the best position to manage/prevent against the risk?
  - Who is able to insure against the risk?
- Need a multi-faceted risk management strategy:
  - Technology infrastructure features, functions and performance capabilities
  - Business processes synchronization with IT and proper training
  - Policies, procedures and training and enforcement related to them
  - Contracting due diligence and allocation of risk in third party relationships
- There is no one size fits all solution

Contractual Risk Allocation

- Developing new agreements and restructuring existing agreements
  - Traditional IT application vendors (prime and subcontractors)
  - Niche/emerging IT infrastructure and analytics vendors (prime and subcontractors)
  - Collaborations (EHR, HIE, Peer to Peer, ACO, Registries)
- Note: It's a new ballgame even with some of the veteran players:
  - Risk posture of vendors and other third parties has changed on some key issues due to environmental and regulatory uncertainties and ongoing changes
  - Demands new approaches to allocation of risk on key issues

Supplemental Material

Final Rule's Enhanced HIPAA Privacy and Security Protections

- Extends HIPAA's Privacy and Security compliance requirements/standards and sanctions directly to Business Associates and their Subcontractors
  - Policies, Procedures and Safeguards
  - BA must notify Covered Entity of Breach of Unsecured PHI
  - BA must enter into downstream BAs with Subcontractors
- Clarifies definition of BA to include data center operators, cloud service vendors, and other vendors that maintain or transmit PHI (even though they do not actively access PHI)
  - Any individual that creates, maintains, or transmits PHI for a function or activity on behalf of a Covered Entity
- Lower threshold for triggering data breach notification and reporting
  - Covered entity must rebut presumption that a breach occurred by demonstrating Low Probability that privacy of PHI has been compromised

Final Rule's Enhanced HIPAA Privacy and Security Protections

- Sale of Data Prohibition inhibits secondary market for sale and mining of data, with certain exceptions, including research, treatment and public health purposes
  - Research exception restricts amount of remuneration to no more than cost incurred to contribute the data
  - Restriction applies to both financial and non-financial (in kind) remuneration
- Increases flexibility for secondary research and other secondary uses of data
  - Ability to combine authorizations for conditional and unconditional research into one document
  - Description of Future Research Purposes no longer needs to identify a specific study
- Modified and expanded sanctions for violations
- Accounting for all treatment, payment and health care operations disclosures
  - Not addressed by Final Rule

Other Privacy, Security and Confidentiality Laws

State Sensitive Information Privacy/Confidentiality Laws
- Create additional restrictions that can preempt HIPAA
- The nature of the restriction can vary by state and by category of information
- May require a consent to:
  - Disclose information for any purpose (even treatment or healthcare operations purposes) to other than members of the treatment team
  - Retain a Business Associate to create a Limited Data Set or to De-Identify information
  - Use sensitive information even in fully De-Identified form to conduct quality studies, comparative effectiveness and outcomes research, and clinical research
- May not recognize key aspects of HIPAA (e.g., De-Identified Data and Limited Data Sets, HCO v. Research)

Other Privacy, Security and Confidentiality Laws

- FTC's Health Breach Notification Rule
- State Data Breach Laws
  - HIPAA federal breach notification laws preempt state breach notification laws only if the state laws are contrary to the federal law (i.e., impossible to comply with both state and federal requirements).
  - All but a handful of states have security breach notification laws.
  - Duty to notify generally arises when there is a reasonable belief that unencrypted electronic personal information has been acquired or accessed by an unauthorized person (e.g., SSN; DLN or other state ID number; account number, credit/debit card number that with other information allows access to financial information)
  - Several have expanded personal information definition to include health-related information.
- GINA
- FDA and Common Rule Informed Consent Requirements
- More to come (Note: White House Big Data and Privacy Study)

UHC Data License Agreement Language: Data Sharing and Access within Participant's System

Data Liaison Language

Participant further warrants that it has all necessary documentation and/or legal authority, including as appropriate data sharing agreements amongst its participating health care system members, to permit its on-site administrators access to Program Data and Participant Data. Participant agrees to indemnify UHC from any and all liability or breaches

UHC Data License Agreement: Data sharing clauses for Participant and its Covered Affiliates

HIPAA. All Parties will adhere to all statutory privacy rules and regulations, including HIPAA as amended. Attached hereto and incorporated herein as Exhibit 4 is Participant's Business Associate Agreement, as may be required by HIPAA. The Parties recognize that some safety and quality functions may be handled jointly by Participant and/or its Covered Affiliate(s), and that as a result employees of Participant and/or a Covered Affiliate may need sign-on privileges with respect to other entities participating under this agreement (either as Participant or as a Covered Affiliate). As a condition to UHC granting such sign-on privileges, Participant and Covered Affiliates represent and warrant that they are in compliance with all statutory privacy rules and regulations, and have all necessary documentation and/or legal authority, including if appropriate, data sharing agreements, to permit authorized users with sign-on privileges to access the Materials and Participant Data. Participant agrees to indemnify UHC from any and all liability or breaches of this provision as provided in Section 12 below.

Universal Contracting Considerations

- How many agreements do you need?
  - Need for a Master Agreement?
  - Subcontractor Agreements?
- Data Availability and Integrity (accuracy and completeness)
- Changing Roles and Relationships of the Parties
  - Change of control of one or more of the parties
- Exit and Transition Strategy
  - Return of Data

Business Associate Relationships

- Does the BA know it is a BA? (e.g., HIE, Cloud Vendor)
- HIPAA-Compliant Security and Privacy Infrastructure
  - HIPAA-Compliant Security Assessment
  - HIPAA-Compliant Policies and Procedures
  - Interplay with Covered Entity HIPAA Policies and Procedures
  - Global privacy and security compliance program may not square with HIPAA
- Use of Subcontractors and Downstream Agreements
  - Downstream Due Diligence
  - Downstream BAA

Business Associate Relationships

- Prohibitions/Limitations on BA right to use data for other than services to Covered Entity
  - Need for a separate agreement?
- Avoid Agency Relationship
  - CE is liable for violations resulting from acts or omissions of a BA that is an agent of CE and acting within the scope of agency
- Use of Subcontractors
- Offshore Data Storage and Access
- Workforce Security-Related Pre-Screening

Business Associate Relationships: Data Breach

- BA is subject to HITECH Act Data Breach Requirements and corresponding enforcement by OCR
- But, BAA should expressly require BA to cooperate if a potential breach occurs
  - BA to promptly notify Covered Entity of incidents/coordinate timing with CE's notice and reporting deadlines
  - BA to cooperate with Covered Entity in investigating and determining whether breach occurred
- Allocate responsibility for notice to patients and OCR/CMS between BA and Covered Entity for data breach responsibility

Business Associate Relationships: Data Breach

- Review BA assessment practices and tools mindful of heightened risk that an unauthorized disclosure is a breach
- General indemnification by BA for:
  - CE costs of notice and reporting and OCR sanctions
  - Damages and costs in third party claims arising from data breach and breach of other privacy and security obligations
- Carve BA indemnity obligations out of damage caps and liability disclaimers
- Large BAs v. Small/Niche BAs
  - Is Insurance a realistic alternative to indemnity?

Contracting Considerations: HIT Application Vendor

- Thorough front-end due diligence of application's features and functions and data and security architecture is essential to assess ability of technology to contribute to reduction/management of data sharing compliance risks
  - System access controls and firewalls to supplement "break the glass" approaches
  - Track consent and authorizations
  - Distinguish/segregate sensitive information
  - Restrict access to sensitive information
  - Audit and monitor system access
  - Track data origination (Source, Date, Pre- and Post-Consent)
  - Distinguish/segregate research record from medical record
- Corresponding detailed contractual description (including documentation, specifications etc.) is also key.

Contracting Considerations: HIT Application Vendor

- Changes, upgrades, enhancements necessary for providers to comply with changes to/new interpretations of their applicable laws
  - Vendor obligation to make the changes
  - Corresponding Fees
- Beware of vendor disclaimer of responsibility for problems arising from use of the system by provider.
- Vendor's Use of Coordinated Bundle of Third Party Products
  - Relational Database and Database Server Products
  - Codes and Vocabularies
  - Interfaces to other existing systems and Third Party Products
- Avoiding gaps in vendor accountability in HIT infrastructure involving multiple vendors and changing technology

Cloud Vendor Contracting Considerations

- Segregation of Data in Multi-Tenant Environment
- Location of Data Centers/Subcontractors
  - Domestic v. Foreign
- Disaster Recovery Plan

HIE Relationship Complexities

[Diagram. Labels recovered from the slide: Founding Members/Founding Participants; EHRs; HIE; Cloud Vendor; Non-Founding Participants; Permitted Use. Legend: Ownership/Control, Policies, Contract, IT.]

HIE Contracting Considerations

- Scope of participation/exchange initially and over time
- Should the HIE be viewed as the alter ego of Founding Participants?
- HIE responsibility for providing adequate security compliance infrastructure and compliance-related HIT features, functions and performance (either directly or through IT vendor agreements)
- Policies and Procedures for Managing Privacy/Security Compliance
  - Interplay of HIE and Participant Policies and Procedures
  - Participant's influence/approval rights with regard to adoption and amendment of HIE Policies and Procedures
- Each Participant's obligation to have a solid internal privacy/security compliance program to support participation in the HIE
- Insurance coverage of HIE and the Participants


More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Evolving Issues for Healthcare IT Contracting

Evolving Issues for Healthcare IT Contracting Evolving Issues for Healthcare IT Contracting By: Alan L. Friel This client advisory is based in part on an article appearing in FierceHealthIT. The emergence of mega-suite vendors, more use of the cloud,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is made effective as of the day of 2014 (the Effective Date ), by and between Sarasota County Public Hospital District,

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

WellDyneRxWEST Customer (TPA, Broker, Consultant, Group Health Plan, and other).

WellDyneRxWEST Customer (TPA, Broker, Consultant, Group Health Plan, and other). WellDyneRxWEST Customer (TPA, Broker, Consultant, Group Health Plan, and other). RE: HIPAA Business Associate Agreement Effective 4/14/04 Business Associate: WellDyneRxWEST, Inc., a Colorado Corporation

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

Participation Agreement Medicaid Provider Program

Participation Agreement Medicaid Provider Program Participation Agreement Medicaid Provider Program PLEASE FAX THE FOLLOWING PAGES #4, #7, #8, #14, #15 211 Warren Street Newark, NJ 07103 PHONE: 973-642-4777 FAX: 973-645-0457 E-mail: info@njhitec.org www.njhitec.org

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Louisiana State University System

Louisiana State University System PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered

More information

Business Associates: HITECH Changes You Need to Know

Business Associates: HITECH Changes You Need to Know Business Associates: HITECH Changes You Need to Know Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 Who Is a Business Associate? A

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security

The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security NCHICA 11th Academic Medical Center Security & Privacy Conference, June 22-24, 2015 Panel Leader: Panelists: Amy Leopard,

More information

Covered Entities and Business Associates: An Evolving Relationship

Covered Entities and Business Associates: An Evolving Relationship Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Dissecting New HIPAA Rules and What Compliance Means For You

Dissecting New HIPAA Rules and What Compliance Means For You Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the

More information

HIPAA Breach Notification Interim Final Rule

HIPAA Breach Notification Interim Final Rule HIPAA Breach Notification Interim Final Rule The American Recovery and Reinvestment Act of 2009 ( the Act ) made several changes to the HIPAA privacy rules including adding a requirement for notice to

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) is entered into this day of 2014. Perry Memorial Hospital ( Covered Entity ) and [ABC Company] ( Business Associate ) referred

More information

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

HIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

Creating Stable Security & Compliance Relationships

Creating Stable Security & Compliance Relationships Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Understanding HIPAA Regulations and How They Impact Your Organization!

Understanding HIPAA Regulations and How They Impact Your Organization! Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS The undersigned practice (the Practice ) and participating providers (each, a Provider, and collectively, Providers ) presently intend to become

More information

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is entered into as of the day of, 2013 by and between RUTGERS UNIVERSITY, a Hybrid Entity, on behalf and for the

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences Key HIPAA HITECH Changes Gina Kastel, Partner, Health and Life Sciences Agenda Business Associates Restrictions on Disclosures Access to PHI Notice of Privacy Practices Fundraising 2 Business Associates

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

The benefits you need... from the name you know and trust

The benefits you need... from the name you know and trust The benefits you need... Privacy and Security Best at Practices the price you can afford... Guide from the name you know and trust The Independence Blue Cross (IBC) Privacy and Security Best Practices

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

New HIPAA Rules: A Guide for Radiology Providers

New HIPAA Rules: A Guide for Radiology Providers New HIPAA Rules: A Guide for Radiology Providers Adrienne Dresevic, Esq and Clinton Mikel, Esq The credit earned from the Quick Credit TM test accompanying this article may be applied to the AHRA certified

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS COVERYS RRG, INC. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS WHEREAS, the Administrative Simplification section of the Health Insurance Portability and

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT This HIPAA Sub Business Associate Agreement ("Sub Agreement") is entered into by and between HR Simplified, Inc. ( Business Associate ) and [Vendor Name] on behalf of itself and its Affiliates ( Subcontractor

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.

More information