Legal Issues Related to State Procurement of Cloud Computing. Linda Hamel 1. American Bar Associate State and Local Procurement Symposium

Size: px
Start display at page:

Download "Legal Issues Related to State Procurement of Cloud Computing. Linda Hamel 1. American Bar Associate State and Local Procurement Symposium"

Transcription

1 Legal Issues Related to State Procurement of Cloud Computing Linda Hamel 1 American Bar Associate State and Local Procurement Symposium April 24, 2015 I Introduction I have been asked to address issues that arise in the context of state procurement of cloud services. Part II of this memorandum contains some general observations, and Part III consists of the standard cloud terms used by the Commonwealth of Massachusetts. This is a fascinating time to be considering this topic. There has been an explosion of state procurements of cloud services, and, based on my experience, cloud vendors are still reworking their cloud legal terms to adapt to the public sector market. II General Observations. State agencies are like any cloud customers in some respects. They care about features and functionality, data security and privacy, and competitive pricing. But they are faced with some unique legal and practical issues, summarized below, along with some recommended strategies that cloud firms can use to address these issues. Federal and state laws pertaining to data security and privacy. Agencies contemplating cloud procurements must first consider the security classification of the data that they will send to, receive or create in the cloud. Private companies face privacy and security concerns as well, but many state organizations are subject to overlapping layers of Federal and state privacy and security laws that may or may not apply to private sector customers. Many private sector customers in Massachusetts, for instance, are subject to HIPAA and its privacy and security rules, or to the Family Educational Rights and Privacy Act, 20 USC 1232g, but few of them are subject to our state Fair Information Practices Act (applicable only to state agencies), the FBI Criminal Justice Information regulation, 28 CFR (dissemination of criminal history record information) or IRS Publication 1075 (prescribing security and privacy requirements for ITS systems processing Federal Tax Information received from the IRS). So a fundamental question for every state agency contemplating a cloud relationship is what laws, regulations and policies is my data subject to and does the cloud provider provide privacy and security services that meet these requirements? Cloud providers can succeed with state customers by starting their discussion with a frank discussion of the difference between the data security and privacy offered through, and the cost of, their basic service, and that offered through the vendor s higher security services. If the state cloud customer needs to enter a special agreement or pay higher fees to obtain cloud services consistent with 1 The opinions expressed in this document are those of the author and cannot be attributed to MassIT, the Commonwealth of Massachusetts or the Baker-Polito Administration. 1

2 the customer s legal needs, the cloud vendor should discuss this matter upfront. It may seem obvious that cloud providers should offer this information to prospective state customers, but in my experience many fail to do so unless specifically asked for HIPAA, CJIS or other special security related contracting terms. Public Records Laws. All states have a public records law; in Massachusetts we are subject to MGL ch. 66 s. 10. Many cloud computing agreements include gag provisions prohibiting not only the disclosure of the cloud agreement but disclosure of the verbal negotiation terms and other documents leading up to the final agreement. Because this information is public record in many states, cloud vendors need to be ready to strike gag provisions from their cloud documentation. The public records law poses an additional burden on state cloud procurement. State agencies are required to provide public access to much of the state data involved in cloud relationships. States as customers therefore have a low tolerance for cloud terms providing broad downtime and other rights to vendors that might result in restrictions on data access. Cloud vendors who offer virtually unlimited free access to customer data and applications with minimal scheduled downtime (and in practice minimal actual downtime) are more likely to satisfy state agency customers. Reorganization. Many private sector customers are subject to frequent reorganization, but few at the pace of government entities, who can expect to be reorganized with every incoming administration and in the wake of every fiscal crisis. Cloud terms that do not address the changing identity of the customer organization and the need to transfer rights and obligations with minimum fuss to the new organizational structure are impediments to state cloud contracting. Indemnification. Most technology vendors exclude from their agreements provisions that would require the state to indemnify the vendor. But these provisions, which most states are prohibited, under their state constitution, from executing, still appear frequently in cloud computing contracts. Cloud vendors should be aware that states cannot negotiate these terms. Breach Notification Terms. Many cloud agreements include data breach notification terms. Some states, like Massachusetts with its Identity Theft Law, MGL ch. 93H, have stricter terms than do other states. Cloud vendors that have crafted the breach notification terms of their agreements to conform to average state terms may not be able to satisfy breach notification laws in states with the strictest provisions. Data Location. Some cloud vendors make no commitment about the geographic location of their data centers and support personnel. But many state agencies are subject to Federal laws, regulations and policies that prohibit the transfer of data outside the United States, like IRS Publication Cloud providers should be frank with their state government customers about the physical locations at which their data will be stored and serviced. Those offering services that will keep state data in the US have an edge. 24 x 7 x 365 Support. Many state agencies run mission critical, life and death services round the clock, every day of the year. Cloud vendors who provide support only during business hours will fall short of the operational needs of these customers. Accessibility. Public sector entities are subject to requirements that the information technology that they acquire or present to the public online be accessible to persons with disabilities. When 2

3 agencies bought COTS and installed it in their own data centers, accessibility of an otherwise inaccessible or poorly accessible technology could sometimes be achieved by customizing the software for the state agency. In a SaaS world, customization for one customer will cause an impossibly burdensome customization for 1,000,000 preexisting SaaS customers. Thus the accessibility needs of state agencies may become a barrier to particular SaaS cloud transactions, particularly in states like Massachusetts with robust accessibility programs. III MassIT Cloud Terms 2 How we Use them. The MassIT Cloud Terms below were designed to address some of the issues raised in Part II of this memorandum. But Massachusetts understands that cloud services are factory offerings; large cloud vendors are not going to change their offerings for one small state government. Thus the MassIT Cloud Terms are used for a different purpose than our mandatory boilerplate terms. MassIT, in negotiating cloud terms, will accept cognate provisions that fairly deliver the benefit we seek through the MassIT Cloud terms. Furthermore we accept that some of the MassIT Cloud terms are but for requirements that, if they cannot be met by the SaaS vendor, may require the state agency to look elsewhere for cloud services. Other terms can only be met if the agency acquires higher level, more expensive services than the vendor s basic offering. The MassIT Cloud Terms. Cloud Procurement Terms MassIT Draft 1/13/15 The following legal terms apply to subscriptions to cloud offerings (each referred to as the Service ) by an eligible entity ( Customer ) within the Commonwealth of Massachusetts ( Commonwealth ). These terms shall supplement any terms provided by the service provider ( Service Provider ). Changes to the terms below that adversely affect the Commonwealth must be approved by legal counsel at the Massachusetts Office of Information Technology; however, terms may be removed without approval if Service Provider s terms contain similar provisions that are no less protective of the Commonwealth than the provisions contained herein. These terms must be attached to and made part of the executed contract. DEFINITIONS Cloud offerings include the following: Infrastructure-as-a-Service (IaaS) means the capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed application; and possibly limited control of select networking components (e.g., host firewalls). 2 These terms, which constitute public record, were drafted by my colleague MassIT Deputy General Counsel Pia Owens and the author, and contain multiple contributions from the National Association of State and Local Chief Information Officers Legal Workgroup. 3

4 Platform-as-a-Service (PaaS) means the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or -acquired applications created using programming languages and tools supported by the provider. This capability does not necessarily preclude the use of compatible programming languages, libraries, services and tools from other sources. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations. Software-as-a-Service (SaaS) means the capability provided to the consumer to use the provider s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a Web browser (e.g., Web-based ) or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. SUBSCRIPTION TERMS 1. Service Provider grants to Customer a license or right to (i) access and use the Service, (ii) for SaaS, use underlying software as embodied or used in the service, and (iii) view, copy, download (if applicable), and use documentation. 2. No terms, including a standard click-through license or website terms of use or privacy policy, shall apply to Customer unless Customer has expressly agreed to such terms by including them in a signed agreement. SUPPORT AND TRAINING 1. Service Provider must provide technical support via online helpdesk and toll-free phone number, at minimum during Business Hours (Monday through Friday from 8:00 a.m. to 6:00 p.m. Eastern Time), and 24x7x365 if required by Customer and requested prior to contract execution. 2. Service Provider must make training available online to users. Training must be accessible, per the Commonwealth Web Accessibility Standards. 3. All support and training shall be provided at no additional cost to Customer, except for customized support and training expressly requested by Customer. SERVICE LEVELS Service Provider must provide a Service Level Agreement (SLA) that contains, at minimum, the following terms: Uptime; scheduled maintenance 1. SLA must include (1) specified guaranteed annual or monthly uptime percentage, at minimum 99.99%; and (2) definition of uptime and how it is calculated. 2. For purposes of calculating uptime percentage, scheduled maintenance may be excluded up to ten (10) hours per month, but unscheduled maintenance and any scheduled maintenance in excess of ten (10) hours must be included as downtime 3. Scheduled maintenance must occur: with at least two (2) business days advance notice; at agreedupon times when a minimum number of users will be using the system; and in no event during Business Hours. Defects; other SLA metrics 5. SLA must include: (1) response and resolution times for defects; (2) at least three levels of defect classifications (severe, medium, low); and (3) any other applicable performance metrics (e.g., latency, transaction time) based on industry standards. 6. While the Service Provider may initially classify defects, Customer determines final classification of defects. Remedies 4

5 7. SLA must include remedies for failure to meet guaranteed uptime percentage, response and resolution times, and other metrics, which may include fee reductions and extensions in service period at no cost. 8. Repeated or consistent failures to meet SLA metrics result in (1) a refund of all fees paid by Customer for the period in which the failure occurred; (2) participation by Service Provider in a root cause analysis and corrective action plan at Customer s request; and (3) a right for Customer to terminate without penalty and without waiver of any rights upon written notice to Service Provider. Reports 9. Service Provider will provide Customer with a written report (which may be electronic) of performance metrics, including uptime percentage and record of service support requests, classifications, and response and resolution times, at least quarterly or as requested by Customer. Customer may independently audit the report at Customer s expense. 10. Representatives of Service Provider and Customer shall meet as often as may be reasonably requested by either party to review the performance of the Service and to discuss technical plans, financial matters, system performance, service levels, and any other matters related to this Agreement. 11. Service Provider will provide to Customer regular status reports during unscheduled downtime, at least twice per day or upon request 12. Service Provider will provide Customer with root cause analysis within thirty (30) days of unscheduled downtime at no additional cost UPDATES AND UPGRADES 1. Service Provider will make updates and upgrades available to Customer at no additional cost when Service Provider makes such updates and upgrades generally available to its users. 2. Service Provider will notify Customer at least sixty (60) days in advance prior to any major update or upgrade. 3. Service Provider will notify Customer at least five (5) business days in advance prior to any minor update or upgrade, including hotfixes and installation of service packs, except in the case of an emergency such as a security breach. 4. No update, upgrade or other change to the Service may decrease the Service s functionality, adversely affect Customer s use of or access to the Service, or increase the cost of the Service to Customer. CUSTOMER DATA 1. Customer retains full right and title to data provided by Customer and any data derived therefrom, including metadata (collectively, the Customer Data ). 2. Service Provider shall not collect, access, or use user-specific Customer Data except as strictly necessary to provide Service to Customer. No information regarding Customer s use of the Service may be disclosed, provided, rented or sold to any third party for any reason unless required by law or regulation or by an order of a court of competent jurisdiction. This obligation shall extend beyond the term of the Agreement in perpetuity. 3. Service Provider shall not use any information collected in connection with the Agreement, including the Customer Data, for any purpose other than fulfilling its obligations under the Agreement. 4. At no time may any Data or processes which either belong to Customer, or are intended for Customer s exclusive use, be copied, disclosed, or retained by Service Provider for subsequent use in any transaction that does not include Customer. 5. Customer Data must remain at all times within the continental United States. Service Provider must disclose to Customer the identity of any third-party host of Customer Data prior to the signing of this Agreement. 6. Customer may export the Customer Data at any time during the term of the Agreement or for up to three (3) months after the term (so long as the Customer Data remains in the Service Provider s possession) in an agreed-upon file format and medium. 5

6 7. Three (3) months after the termination or expiration of the Agreement or upon Customer s earlier written request, and in any event after Customer has had an opportunity to export and recover the Customer Data, Service Provider shall at its own expense destroy and erase from all systems it directly or indirectly uses or controls all tangible or intangible forms of the Customer Data and Customer s Confidential Information, in whole or in part, and all copies thereof except such records as are required by law. To the extent that any applicable law prevents Service Provider from destroying or erasing Customer Data as described in the preceding sentence, Service Provider shall retain, in its then current state, all such Customer Data then within its right of control or possession in accordance with the confidentiality, security and other requirements of this Agreement, and perform its obligations under this section as soon as such law no longer prevents it from doing so. Service Provider shall, upon request, send a written certification to Customer certifying that it has destroyed the Customer Data and Confidential Information in compliance with this section. DATA PRIVACY AND SECURITY 1. Service Provider must comply with all applicable laws related to data privacy and security. 2. Prior to contract execution, Service Provider and Customer must cooperate and hold a meeting to determine whether: a. Personal data, as defined in Mass. Gen. Laws c. 66A, will be stored or used in the Service. If so, then Service Provider is a holder of personal data, as such terms are defined in M.G.L. C. 66A, solely to the extent that the obligations of a holder are applicable to Service Provider s delivery of services under the Agreement and impose obligations directly upon Service Provider in its role as an information technology services provider with respect to the services performed under an applicable order for cloud services. The eligible entity purchasing cloud services remains solely responsible for all other obligations of a holder set forth in M.G.L.C. 66A. b. Any sensitive or personal information will be stored or used in the Service that is subject to any law, rule or regulation providing for specific compliance obligations (e.g., HIPAA, FERPA, IRS Pub. 1075). If so, then Service Provider must document in the Agreement how the Service complies with such law. If either of the above is true, then Service Provider and Customer must review the Service specifications to determine whether the Service is appropriate for the level of sensitivity of the data to be stored or used in the Service, and how Customer and Service Provider will comply with applicable laws. Service Provider and Customer must document the results of this discussion and attach the document to the Agreement. 3. Service Provider shall provide a secure environment for Customer Data, and any hardware and software, including servers, network and data components provided by Service Provider as part of its performance under this Agreement, in order to protect, and prevent unauthorized access to and use or modification of, the Service and Customer Data. 4. Customer Data must be partitioned from other data in such a manner that access to it will not be impacted or forfeited due to e-discovery, search and seizure or other actions by third parties obtaining or attempting to obtain Service Provider s records, information or data for reasons or activities that are not directly related to Customer s business. 5. Service Provider shall not access Customer user accounts, or Customer Data, except in the course of data center operations, response to service or technical issues, as required by the express terms of this Agreement, or at Customer s written request. 6. Service Provider may not share Customer Data with its parent company or other affiliate without Customer s express written consent. 6

7 7. In the event of any breach of the Service s security that adversely affects Customer Data or Service Provider s obligations with respect thereto, or any evidence that leads Service Provider to reasonably believe that such a breach is imminent, Service Provider shall immediately (and in no event more than twenty-four hours after discovering such breach) notify Customer. Service Provider shall identify the affected Customer Data and inform Customer of the actions it is taking or will take to reduce the risk of further loss to Customer. Service Provider shall provide Customer the opportunity to participate in the investigation of the breach and to exercise control over reporting the unauthorized disclosure, to the extent permitted by law. 8. In the event that personally identifiable information is compromised, Service Provider shall be responsible for providing breach notification to data owners in coordination with Customer and the Commonwealth as required by M.G.L. ch. 93H or other applicable law or Commonwealth policy. 9. Service Provider shall indemnify, defend, and hold Customer harmless from and against any and all fines, criminal or civil penalties, judgments, damages and assessments, including reasonable expenses suffered by, accrued against, charged to or recoverable from the Commonwealth, on account of the failure of Service Provider to perform its obligations pursuant to this Section. WARRANTY At minimum, Service Provider must warrant that: 1. Service Provider has acquired any and all rights, grants, assignments, conveyances, licenses, permissions and authorizations necessary for Service Provider to provide the Service to Customer; 2. The Service will perform materially as described in the Agreement; 3. Service Provider will provide to Customer commercially reasonable continuous and uninterrupted access to the Service, and will not interfere with Customer s access to and use of the Service during the term of the Agreement; 4. The Service is compatible with and will operate successfully with any environment (including web browser and operating system) specified by Service Provider in its documentation; 5. The Service will be performed in accordance with industry standards, provided however that if a conflicting specific standard is provided in this Agreement or the documentation provided by Service Provider, such specific standard will prevail; 6. Service Provider will maintain adequate and qualified staff and subcontractors to perform its obligations under this Agreement; and 7. Service Provider and its employees, subcontractors, partners and third party providers have taken all necessary and reasonable measures to ensure that all software provided under this Agreement shall be free of Trojan horses, back doors, known security vulnerabilities, malicious code, degradation, or breach of privacy or security. ACCESSIBILITY For SaaS and PaaS, Service Provider must comply with the Commonwealth s established standards for accessibility as described in a separate attachment. If such attachment is not provided, the Service Provider must request the accessibility terms from Customer. The accessibility terms provide, among other things, that Service Provider must (1) give Customer a VPAT or other results of accessibility testing prior to contract execution; (2) provide Customer with access to the Service so that Customer can conduct accessibility testing, and cooperate with Customer or third party accessibility testing of the Service; and (3) make available, both prior to and during the course of the engagement, Service Provider personnel to discuss accessibility and compliance with the Commonwealth s accessibility standards. SUBCONTRACTORS 1. Before and during the term of this Agreement, Service Provider must notify Customer prior to any subcontractor providing any services, directly or indirectly, to Customer under this Agreement that materially affect the Service being provided to Customer, including: hosting; data storage; security and 7

8 data integrity; payment; and disaster recovery. Customer must approve all such subcontractors identified after the effective date of the Agreement. 2. Service Provider is responsible for its subcontractors compliance with the Agreement, and shall be fully liable for the actions and omissions of subcontractors as if such actions or omissions were performed by Service Provider. DISASTER RECOVERY 1. Service Provider agrees to maintain and follow a disaster recovery plan designed to maintain Customer access to the Service, and to prevent the unintended destruction or loss of Customer Data. The disaster recovery plan shall provide for and be followed by Service Provider such that in no event shall the Service be unavailable to Customer for a period in excess of twenty-four (24) hours. 2. If Customer designates the Service as mission-critical, as determined by Customer in its sole discretion: (1) Service Provider shall review and test the disaster recovery plan regularly, at minimum twice annually; (2) Service Provider shall back up Customer Data no less than twice daily in an off-site hardened facility located within the continental United States; and (3) in the event of Service failure, Service Provider shall be able to restore the Service, including Customer Data, with loss of no more than twelve (12) hours of Customer Data and transactions prior to failure. RECORDS AND AUDIT 1. Records. Service Provider shall maintain accurate, reasonably detailed records pertaining to: (i) The substantiation of claims for payment under this Agreement, and (ii) Service Levels, including service availability and downtime. 2. Records Retention. Service Provider shall keep such records for a minimum retention period of seven (7) years from the date of creation, and will preserve all such records for five (5) years after termination of this Agreement. No applicable records may be discarded or destroyed during the course of any litigation, claim, negotiation, audit or other inquiry involving this Agreement. 3. Audit. Customer or its designated agent shall have the right, upon reasonable notice to Service Provider, to audit, review and copy, or contract with a third party to audit, any and all records collected by Service Provider pursuant to item (1) above, as well as any other Service Provider records that may reasonably relate to Customer s use of the Service, no more than twice per calendar year. Such records will be made available to Customer at no cost in a format that can be downloaded or otherwise duplicated. TRANSITION ASSISTANCE 1. Service Provider shall reasonably cooperate with other parties in connection with all services to be delivered under this Agreement, including without limitation any successor provider to whom Customer Data is to be transferred in connection with termination. Service Provide shall assist Customer in exporting and extracting the Customer Data, in a format usable without the use of the Service and as agreed to by Customer, at no additional cost. Any transition services requested by Customer involving additional knowledge transfer and support may be subject to a separate transition SOW on a time and materials basis either for a fixed fee or at rates to be mutually agreed upon by the parties. 2. If Customer determines in its sole discretion that a documented transition plan is necessary, then no later than sixty (60) days prior to termination, Service Provider and Customer shall jointly create a written Transition Plan Document identifying transition services to be provided and including an SOW if applicable. Both parties shall comply with the Transition Plan Document both prior to and after termination as needed. 8

9 Is Cloud SaaS Ready for Government Primetime Software as a Service Considerations Sherry Amos Managing Director, Industry Strategy Education and Government Workday

10 Agenda Whose Cloud is It Common Definitions Top Ten Industry IT Issues in Education and Government Session Objectives Who and What is Workday Saas Evaluations What is Different Pre-RFP Process RFP Process Evaluation Process Contracting Process Cloud Value and Technology Other Considerations

11 Cloud Definitions Cloud Type Natively Built Hosted/Managed Hybrid Software as a Service Platform as a Service Infrastructure as a Service Workday Salesforce Google Salesforce Amazon Microsoft ADP Ellucian/Datatel Oracle SAP IBM HP Oracle SAP Oracle SAP Why Does It Matter? Is it enterprise-class? Is it scalable? Is it secure? Is it innovative? Is it mobile? Does it improve our efficiency, effectiveness, and/or service delivery in meaningful ways?

12 Top Ten Industry IT Issues in E & G No Education Government 1 Leveraging wireless and device explosion on campus IT project and portfolio management 2 Improving student outcomes with technology IT procurement process and contracting reform 3 Develop institution-wide cloud strategy to help select right sourcing and solution strategies 4 Develop staffing and org model to support changing IT environment agile and open 5 Achieve better understanding and balance of open infrastructure and security Sourcing managed services, outsourcing, SaaS Cybersecurity Identity and access management 6 Funding information technology strategically Disaster recovery and business continuity 7 Determine role and sustainable strategy for online learning 8 Supporting trends toward IT consumerization and BYOD 9 Transforming the institutions business with information technology 10 Using analytics to support critical institutional outcomes Cross-jurisdictional collaboration Business intelligence and analytics Mobility and social media Cloud services WORKDAY CONFIDENTIAL Education Source: 2013 Educause ECAR IT Issues Panel and Core Survey Government Source: 2013 NASCIO Grant Thornton CIO Survey

13 Objectives for our Session " Saas Evaluations " Pre-RFP Research " RFP Development " The Innovation Cycle " Scoring and Evaluation " Contracting

14 SaaS Evaluations What is Different Business services not software or technology Subscription not perpetual license Operating expense not capital expense Subscription term lengths and renewals are variable but usually 3-5 years in government Configuration not customization Multi-tenant vs hosted matters a lot Service level agreements same for all customers no customization Security evaluations different Ensure alignment early between business owners, IT, security officers and contracting

15 Pre-RFP Market Research Approximately 60% of early market research is conducted online and / or with industry analysts with no vendor engagement Engage early vendor involvement and discussion you cannot learn enough online or through 3 rd parties this can still be done in a fair, competitive, and controlled manner Think about invitation to demo/preview days vendors need to understand your requirements and strategies prior to a formal procurement process Join public webinars for introductions to market solutions Join regional events held in your area Ask both the vendor and your network for other customers that you can speak with

16 RFP Development Skinny mandatory requirements down to what are core business functions and processes Keep flexibility both in the breadth of solutions and the depth of requirements you require to allow you to mix and match the best overall solution for your organization allow flexible bidding partners, i.e., not just the same ones over last 20 years Scrub the use of requirements databases that contain thousands of static requirements from many organizations many of which are never implemented and have led to shelfware - and related costs due to scope inflation Include consideration for how to evaluate innovation in the future, not just current static requirements If your RFP is complex give vendors ample time to assemble quality response 30 days is often too short if you have taken months to assemble your RFP and it s complex requirements

17 Evaluation Process Response timeframes are they reasonable for RFP complexity Clarification process need active discussion not just written questions and responses interpreted through 3 rd party consultants or procurement Demonstration process allow flexibility in the scripted demo to allow for demonstration of fully integrated business processes not just single checklist requirement eg: mobile, embedded analytics, process changes, etc References broaden reference mandatories not just 5 or 10 others just like me. Eg any government, university or NFP customer of certain size; any customer with unions, any customer with complex regulatory reporting, etc Scoring include forward looking innovation and ability to deliver in the formal scoring process

18 Contracting T s and C s for true cloud solutions are different understand this early in the process Industry is moving to use of Cooperative Agreements which are competitively bid work with procurement to identify these suitable for your organization Also investigate if vendor offers piggyback contract vehicles from another governmental organization in your region Be prepared to negotiate shared risk reputable vendors and public companies will not accept unlimited liability provisions Know which T s and C s are actually statutory requirements and which are preferred practice Do these things early in your procurement cycle, prior to RFP, and certainly not at the end of selection

19 Cloud SaaS Value What s In It For You? What You Get What Your Organization Gets Newest innovations Modern Rapid implementation Immediate upgrades Lower operating costs Future Proof Unified Mobile Better service levels Comprehensive security Social WORKDAY CONFIDENTIAL

20 The significant problems we face today cannot be solved at the same level of thinking we were at when we created them. - Albert Einstein

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement

INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE Guiding Principles on Cloud Computing in Law Enforcement Cloud computing technologies offer substantial potential benefits to law enforcement and government

More information

Cloud Computing Contracts Top Issues for Healthcare Providers

Cloud Computing Contracts Top Issues for Healthcare Providers Cloud Computing Contracts Top Issues for Healthcare Providers North Carolina Bar Association Health Law Section Annual Meeting NC Bar Center Cary, North Carolina April 23, 2015 Presenters Kathryn Brucks,

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

Overview Software Assurance is an annual subscription that includes: Technical Support, Maintenance and Software Upgrades.

Overview Software Assurance is an annual subscription that includes: Technical Support, Maintenance and Software Upgrades. Software Maintenance & Support Agreement This agreement ( Support Agreement, Software Assurance, Agreement ) is for the purpose of defining the terms and conditions under which Technical Support, Maintenance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013 CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement

INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE. Guiding Principles on Cloud Computing in Law Enforcement INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE Guiding Principles on Cloud Computing in Law Enforcement Cloud computing technologies offer substantial potential benefits to law enforcement and government

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Reference Table of Special Terms & Conditions for IT Contracts

Reference Table of Special Terms & Conditions for IT Contracts Reference Table of Special Terms & Conditions for IT Contracts Definitions Term & Termination Software License Transition of Services Contract Kick- Off Meeting Contract Closeout License Grant License

More information

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (Agreement) is made this day of, 20, between the Catholic Social Services ( CSS ), whose business address is 3710

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

APPENDIX A that is not acceptable. Arbitration settled by arbitration arbitration shall be held in New Jersey substantive law of New Jersey

APPENDIX A that is not acceptable. Arbitration settled by arbitration arbitration shall be held in New Jersey substantive law of New Jersey APPENDIX A The attorneys in the Office of University Counsel at the University of Colorado Denver Anschutz Medical Campus review many different types of contracts on behalf of the University. Legal review

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

STATE MODEL CLOUD COMPUTING SERVICES SPECIAL PROVISIONS (Software as a Service)

STATE MODEL CLOUD COMPUTING SERVICES SPECIAL PROVISIONS (Software as a Service) SHI THESE SPECIAL PROVISIONS ARE ONLY TO BE USED FOR SOFTWARE AS A SERVICE (SaaS), AS DEFINED BELOW. THESE SPECIAL PROVISIONS ARE TO BE ATTACHED TO THE GENERAL PROVISIONS INFORMATION TECHNOLOGY AND ACCOMPANIED

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

Louisiana State University System

Louisiana State University System PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012 A COALFIRE PERSPECTIVE Moving to the Cloud A Summary of Considerations for Implementing Cloud Migration Plans into New Business Platforms NCHELP Spring Convention Panel May 2012 DALLAS DENVER LOS ANGELES

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers

More information

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Orchestrating the New Paradigm Cloud Assurance

Orchestrating the New Paradigm Cloud Assurance Orchestrating the New Paradigm Cloud Assurance Amsterdam 17 January 2012 John Hermans - Partner Current business challenges versus traditional IT Organizations are challenged with: Traditional IT seems

More information

STATE OF NEW JERSEY Security Controls Assessment Checklist

STATE OF NEW JERSEY Security Controls Assessment Checklist STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT PREVIEW VERSION ONLY This Business Associate Agreement (BAA) is made available for preview purposes only. It is indicative of the BAA that will be presented through the online user interface for acceptance

More information

ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT

ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is effective as of (the Effective Date ) and is entered into by and between, with an address of (the Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate.

Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Cloud Computing in the Federal Sector: What is it, what to worry about, and what to negotiate. Presented by: Sabrina M. Segal, USITC, Counselor to the Inspector General, Sabrina.segal@usitc.gov Reference

More information

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Policy Effective Date: July 28, 2015 1.0 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

University of Alaska. Cloud Computing Guidelines

University of Alaska. Cloud Computing Guidelines University of Alaska Cloud Computing Guidelines Guidelines for the Use of 3 rd Party or Cloud Computing Services at the University of Alaska Why is this important to me? If you manage a service and plan

More information

Wednesday, January 16, 2013

Wednesday, January 16, 2013 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL 60654 312.832.4500 Wednesday,

More information

DATA SECURITY AGREEMENT. Addendum # to Contract #

DATA SECURITY AGREEMENT. Addendum # to Contract # DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the

More information

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015.

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015. ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B2490021-2015. This addendum is applicable to each purchase order that is subject to the State of Maryland s contract number 060B2490021-2015.

More information

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs

Cloud Computing In a Post Snowden World. Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Cloud Computing In a Post Snowden World Guy Wiggins, Kelley Drye & Warren LLP Alicia Lowery Rosenbaum, Microsoft Legal and Corporate Affairs Guy Wiggins Director of Practice Management Kelley Drye & Warren

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

THE UNIVERSITY OF UTAH INDEPENDENT CONTRACTOR SERVICES AGREEMENT INSTRUCTIONS

THE UNIVERSITY OF UTAH INDEPENDENT CONTRACTOR SERVICES AGREEMENT INSTRUCTIONS THE UNIVERSITY OF UTAH INDEPENDENT CONTRACTOR SERVICES AGREEMENT INSTRUCTIONS Contracting for Independent Contractor services with the University of Utah may require completion of the following: Employee/Independent

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

Kaiser Permanente Affiliate Link Provider Web Site Application

Kaiser Permanente Affiliate Link Provider Web Site Application Kaiser Foundation Health Plan of Colorado Kaiser Permanente Affiliate Link Provider Web Site Application FOR PROVIDERS CONTRACTED WITH KAISER IN THE COLORADO REGION ONLY Page 1 of 7 Kaiser Permanente Affiliate

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

TAFT LIBRARY ADDENDUM STANDARD FORM OF AGREEMENT BETWEEN TOWN OF MENDON ( THE TOWN ) AND ( ARCHITECT ) 1.1 Delete space if no additional information.

TAFT LIBRARY ADDENDUM STANDARD FORM OF AGREEMENT BETWEEN TOWN OF MENDON ( THE TOWN ) AND ( ARCHITECT ) 1.1 Delete space if no additional information. TAFT LIBRARY ADDENDUM STANDARD FORM OF AGREEMENT BETWEEN TOWN OF MENDON ( THE TOWN ) AND ( ARCHITECT ) This Addendum is attached to and modifies the Standard Form of Agreement between the Town and Architect,

More information

State of the States: IT Trends, Priorities and Issues

State of the States: IT Trends, Priorities and Issues State of the States: IT Trends, Priorities and Issues OSC Financial Conference 2012 Doug Robinson, Executive Director National Association of State Chief Information Officers Fiscal recovery: budgets are

More information

Kroll Ontrack VMware Forum. Survey and Report

Kroll Ontrack VMware Forum. Survey and Report Kroll Ontrack VMware Forum Survey and Report Contents I. Defining Cloud and Adoption 4 II. Risks 6 III. Challenging Recoveries with Loss 7 IV. Questions to Ask Prior to Engaging in Cloud storage Solutions

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Cloud Computing and HIPAA Privacy and Security

Cloud Computing and HIPAA Privacy and Security Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

John Essner, CISO Office of Information Technology State of New Jersey

John Essner, CISO Office of Information Technology State of New Jersey John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this "Agreement") is made as of, 201_ (the Effective Date ), and is entered into between ( Covered Entity ) and Delta Business System, Inc.

More information

SAAS SERVICES ORDER FORM

SAAS SERVICES ORDER FORM SAAS SERVICES ORDER FORM Customer: Address: Contact: Phone: E-Mail: Services: CloudBerry Managed Backup Service allows you to offer managed online backup services under your own brand powered by the CloudBerry

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

FedRAMP Standard Contract Language

FedRAMP Standard Contract Language FedRAMP Standard Contract Language FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article A.1 Introduction This contract is intended to provide IT solutions and services as defined in FAR 2.101(b) and further clarified in the Clinger-Cohen

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

C-DAC Medical Informatics Software Development Kit End User License Agreement

C-DAC Medical Informatics Software Development Kit End User License Agreement C-DAC Medical Informatics Software Development Kit End User License Agreement BY DOWNLOADING AND INSTALLING, COPYING OR OTHERWISE USING THE CENTRE FOR DEVELOPMENT OF ADVANCED COMPUTING ( C-DAC ) MEDICAL

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is made effective as of the day of 2014 (the Effective Date ), by and between Sarasota County Public Hospital District,

More information