1 Presenting a live 90-minute webinar with interactive Q&A. Cloud Computing in Healthcare: Mitigating Privacy Risks and Negotiating Business Associate Agreements. Navigating HIPAA, HITECH, State Law and International Jurisdiction Challenges. WEDNESDAY, JUNE 11, pm Eastern 12pm Central 11am Mountain 10am Pacific. Today's faculty features: Joshua Carlson, Principal, Joshua Carlson, P.A., Minneapolis; Patrick X. Fowler, Partner, Snell & Wilmer, Phoenix; Richard L. Green, Partner, McCarter & English, Hartford, Conn. The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.
2 FOR LIVE EVENT ONLY. Sound Quality: If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality: To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
3 FOR LIVE EVENT ONLY. For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: in the chat box, type (1) your company name and (2) the number of attendees at your location; click the word balloon button to send.
4 Cloud Computing in Healthcare: Mitigating Privacy Risks and Negotiating Business Associate Agreements. Joshua Carlson Esq. CIPP/G, CISSP, PCI-ISA. Joshua Carlson P.A., 800 Washington Avenue North, Ste. 704, Minneapolis, MN. CIPP/G: Governmental Privacy Programs. CISSP: Information Security Programs. PCI-ISA: PCI Payment Card Industry Security Assessor. Member - American Health Lawyers Association. Vice Chair: Minnesota State Bar Computer Technology Law Section. Co-Chair: Data Privacy Subcommittee, Minnesota State Bar Computer Technology Law Section. Mr. Carlson practices nationally in the area of privacy law, cyber security, cloud security, computer and technology law, data security and HIPAA compliance. Data Privacy & Compliance - TheCarlsonFirm.Com
5 Intended Audience: Healthcare Lawyers; In-house & Outside Counsel; Compliance Attorneys; Plaintiff & Defense Counsel; Boards and Organizational Leadership.
6 Legal Framework: HIPAA & States. 47 states have their own data breach and data breach notification requirements; few states are the same, and all require specific adherence. The HIPAA Final Omnibus Rule has increased required compliance, increased monetary fine capabilities and created full downstream liability for violations. Managing these risks of compliance is possible, and counsel must be involved in projects involving ePHI, new vendors, cloud service providers and risk assessments.
7 Legal Framework: HIPAA & States. One Common Element of All States and HIPAA Related to Liability: Among the 47 different state data protection and data notification laws, and HIPAA, one thing is common to them all: data encryption allows for a safe harbor related to many aspects of data incident analysis, data incident reporting and actual data disclosure for all states and HIPAA. Encryption of sensitive data to and from, and in, the Cloud can greatly reduce potential risks when it comes to a data incident.
8 HIPAA Background. Health Insurance Portability and Accountability Act (HIPAA). 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). 2012 Omnibus Final Rule: made significant updates in requirements and scope for HIPAA Privacy, Security, Enforcement, as well as Breach Notification Rules under the HITECH Act. This went into effect in September
9 HIPAA Background. HIPAA Omnibus allows for an increase in and stepped up enforcement for firms which show Willful Neglect, e.g., not performing a risk analysis on an organization's ePHI. HITECH made BAs subject to Security Rule and certain Privacy Rule provisions. Breach analysis changed: there is now a presumption of a disclosure. Standard of review changed from "harm standard" to a requirement for a proper risk assessment which shows it was not a disclosure.
10 Cloud. Cloud services adoption is growing at a compound annual growth rate of over 40% - 50% per year, and is gaining momentum. On premise IT growth is estimated between 5-8% and is declining. If your entity is not in the cloud now, plan that it will be, and it probably already unknowingly is. If your entity is in the cloud now, it is critical you manage that contract and BAA service to avoid costly and public mistakes. Get involved and get ahead of current and future cloud use of your entity.
11 Cloud Computing Models. Cloud Computing: Service Models: 1. Infrastructure-as-a-Service ("IaaS") 2. Platform-as-a-Service ("PaaS") 3. Software-as-a-Service ("SaaS"). * Noting there are many iterations and namings of these, with hybrids of each.
12 Cloud Models
13 Cloud Computing Models. Cloud Computing: Service Models: 1. Infrastructure-as-a-Service ("IaaS"): Most user/consumer control and most responsibility for entities for managing and securing the system, OS, Apps, Logging, Licensing etc. 2. Platform-as-a-Service ("PaaS"): More provider control and less consumer control, some shifting of responsibility from user to provider.
14 Cloud Computing Models. Cloud Computing: Service Models: 3. Software-as-a-Service ("SaaS"): Most provider control and responsibility. Providers provide the platform and services, perform software development and sell it as a subscription service. Least responsibility upon the entity or consumer.
15 Cloud Services & Business Associates. Business Associate Defined: On behalf of a covered entity, any entity that creates, receives, maintains, or transmits protected health information. Subcontractor Defined: Explicitly in scope, entities to which a business associate has delegated a function or service to perform on behalf of the business associate. Cloud service providers are specifically included in scope with added definition language.
16 Cloud Services & Business Associates. Cloud services included in added definition language: "A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis." Omnibus HIPAA Final Rule. Cloud service providers are in scope as business associates and must sign a BAA; if they won't sign a BAA then don't use that Cloud service provider.
17 Cloud & Business Associates. Subcontractors + ePHI are now Business Associates, and Business Associates must follow the Security Rule. BAs are subject to Security Rule and certain Privacy Rule provisions. Must have proper contracts in place with subcontracted entities, e.g., Cloud Service providers, all the way down the chain of data (more on that shortly). Security Rule requires Risk Analysis.
18 Cloud & Business Associates. Liability when: impermissible uses and disclosures; failure to comply with the applicable requirements of the Security Rule; failure to provide e-copy of ePHI as specified in the business associate contract; failure to disclose PHI to HHS for HIPAA investigation.
19 Legal considerations under HIPAA, HITECH and state privacy laws. HIPAA Omnibus Regulations are in full force. Record fines are being assessed for HIPAA Security Rule violations; many involve "inadvertent cloud use, inadvertent cloud access or cloud transmission of e-PHI". Performing a proper risk analysis is a must; not doing so may put an entity into willful neglect. Entities must perform a risk analysis on systems that store, process or transmit ePHI, including cloud.
20 Legal considerations under HIPAA: OCR identified risk areas. What has the Office for Civil Rights (OCR) identified as initial key areas of risk?
21 Initial 20 Findings Analysis Overview
22 Initial 20 Findings Security Issues
23 Initial 20 Findings Security Top Issues
24 Legal considerations under HIPAA, HITECH and state privacy laws. Cloud providers need to sign a BAA and be managed and under contract. Avoid cloud subcontractors that won't sign a BAA. Know where your cloud provider is, and if they use other subcontracted entities. Lack of awareness, knowledge or understanding of where an entity's data is and goes is not a defense.
25 Legal considerations for violations of HIPAA. Patient and entity lawsuits related to unlawful disclosures. Governmental civil monetary penalty (CMP) may be imposed. Governmental signed resolution agreement may be required.
26 Legal considerations for violations of HIPAA. Resolution agreements may require added scrutiny for a set number of years, e.g., 3 years added monitoring. Resolution agreements may have corrective action plan (CAP) provisions required of the entity.
27 Recent HIPAA Rulings. Reported by OCR May 2014: Data breach results in $4.8 million HIPAA settlements. Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.
28 Recent HIPAA Rulings. May 2014: NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.
29 HIPAA Legal Considerations: Cloud / Decrees Guidance. HHS investigation indicated that the following conduct occurred ("Covered Conduct"): a. NYP impermissibly disclosed the ePHI of 6,800 patients to Google and other Internet search engines when a computer server that had access to NYP ePHI information systems was errantly reconfigured. b. NYP failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.
30 HIPAA Legal Considerations: Real World. c. NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient data bases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. d. NYP failed to implement appropriate policies and procedures for authorizing access to its NYP patient data bases, and it failed to comply with its own policies on information access management.
31 HIPAA Legal Considerations: Corrective Action Plan (CAP). A. Modify Existing Risk Analysis Process. B. Develop and Implement a Risk Management Plan. C. Review and Revise Policies and Procedures on Information Access Management. D. Review and Revise Policies and Procedures on Device and Media Controls. E. Implement Process for Evaluating Environmental and Operational Changes. F. Develop an Enhanced Privacy and Security Awareness Training Program.
32 8 Practical Legal Mitigation Strategies: 1. Perform a Risk Analysis and include any interaction in or with the Cloud providers. 2. Find all your PHI/Map/Flow PHI movement within your organization, as well as flows to/from third parties. 3. Have an accurate map of where your ePHI data flows from beginning to end and in-between. 4. Have an accurate list of all vendors and subcontractors that are involved in ePHI and maintain proper vendor management.
33 8 Practical Legal Mitigation Strategies: 5. Conduct a robust review & assessment of where ePHI is, and encrypt it wherever possible. 6. Have and enforce a Cloud policy. 7. Don't get stuck with a mystery cloud where no one (or 1 person) knows how the Cloud really works. 8. Strategize and learn how to use and negotiate the contracts, master service agreements, service level agreements, business associate agreements involved.
34 Joshua Carlson Esq. CIPP/G, CISSP, PCI-ISA. Joshua Carlson P.A., 800 Washington Avenue North, Ste. 704, Minneapolis, MN 55401
35 BOSTON // HARTFORD // NEW YORK // NEWARK // PHILADELPHIA // STAMFORD // WASHINGTON, DC // WILMINGTON. Cloud Computing in Healthcare: Contracting to Protect Your Data. Presented by: Rich Green, Partner. June 11, 2014
36 What we'll cover: What is the Cloud? Reality check: When the Cloud isn't. A few good clauses go a long way: Where's your data? Who's accessing it? What are they doing with it? When will it be available? What if there's a disaster? Who will be responsible for a security incident?
37 Managed Service What is the Cloud:
38 What is the Cloud: "[W]e've redefined cloud computing to include everything that we already do [...] I can't think of anything that isn't cloud computing. [...] I mean it is the stupidest [thing]. Oh, I am going to access data on a server on the Internet. That is cloud computing? Maybe I'm an idiot, but I have no idea what anyone is talking about. [...] It's complete gibberish. It's insane." Larry Ellison, CEO of Oracle Corp., September
39 What is the Cloud: "By implementing hybrid/cloud computing, [survey] respondents hoped to achieve improved provisioning time, data center scalability and data center security. The gap between expectations and reality, however, was [substantial]." Evolution to the Cloud Survey at page 10, conducted by Symantec Corp.,
40 Reality check. On Prem: installed on your server at your facility; license fee separate from maint/support fee; substantial implementation. Hosted: installed on your or vendor server at vendor facility; hosting fee added; hosting environment set up needed in addition to implementation. X-a-a-S: vendor's server; vendor's facility; single fee; minimal set up.
41 Reality check. Why it matters: overpay; under-protect; unavailable; balance sheet.
42 a few good clauses: Scaling Contracts to Risk: high risk moderate risk (e.g., TriZetto) (e.g., PBMs/ASOs, EHR's) low risk (e.g., Medacist)
43 a few good clauses: Where's Your Data? On-shore or off? Facilities Quality? Change of location?
44 a few good clauses: Where's Your Data? On-shore or off? In no event, whether by itself or through any otherwise approved Third Party Supplier, shall Supplier perform Services outside the continental United States or its commonwealths, territories and possessions (including indirectly via remote network access) without the prior written consent of Customer in each instance.
45 a few good clauses: Where's Your Data? Facilities Quality? Facility Standards. Supplier will use only data center facilities located in the United States which, in all cases, meet, at least at the facilities level, the Recognized Facility Standards in each of the financial controls, security and infrastructure and operations categories, as defined below ("Approved Facility"). As used herein, "Recognized Facility Standards" means any of the following within each category: for financial controls, the SSAE 16 standard (and any successor thereto) promulgated by the American Institute of Certified Public Accountants; for security, the AT 101 standards (and any successor thereto) promulgated by the American Institute of Certified Public Accountants, the series standards promulgated by the International Standards Organization (and any successor thereto) for infrastructure and operations the TIA-942/Tier III classification promulgated by the Uptime Institute and the Telecommunications Industry Association (and any successor thereto).
46 a few good clauses: Where's Your Data? Change of Location? Migration. Supplier shall provide reasonable advance notice of any change in any Approved Facility location with reasonable assurances that the new data center meets the requirements hereunder. Supplier shall perform, at no additional charge (for either fees or expenses), all such services as are necessary to complete the orderly transition of the applicable services and data to the new facilities (the "Migration Services"). The Migration Services shall be performed in accordance with a plan and on a schedule approved by Customer, which approval shall not be unreasonably withheld, delayed or conditioned. There shall be no suspension or change in any service levels during the Migration Services unless otherwise agreed in writing by the parties and a discount or waiver of fees is provided to Customer in an amount reasonably proportionate to the period of suspension or magnitude of change.
47 a few good clauses: Who's Accessing Your Data? Vendor Personnel; Subcontractors; Third Parties; HIPAA BA Issues.
48 a few good clauses: Who's Accessing Your Data? Vendor Personnel. All Supplier Personnel shall be screened: (a) for convictions of felonies and financial-related crimes committed during the last seven years; (b) to verify they are not subject to or included on, or otherwise prohibited or debarred under the Lists of Excluded Individuals/Entities maintained by the Office of the Inspector General of the U.S. Health and Human Services Agency; and/or the regulations administered by the Office of Foreign Assets Control of the United States Department of the Treasury through the General Services Administration's Federal Acquisition Regulation compliance program; and (c) for compliance with immigration laws. Without limiting the screening required above, Supplier Personnel having direct access to Customer Data shall be screened for: (i) verification of Social Security Number; (ii) seven-year county of residence criminal conviction (CORI) search; (iii) minimum 5 panel drug screen; (iv) five-year work history; and (v) fingerprinting with the search sent to and conducted by the Department of Justice/FBI; and (vi) education and professional licenses, if applicable. Supplier personnel failing any such screening shall not be assigned to perform Services or shall be removed upon notice to the applicable Customer if discovered after the commencement of performance.
49 a few good clauses: Who's Accessing Your Data? Subcontractors. Supplier shall not, without the prior written consent of Customer, provide the Services through any third party including any Affiliates of Supplier (each a "Third Party Supplier"). If a Customer approves Supplier's use of a Third Party Supplier: (a) Supplier shall be the prime contractor to the applicable Customer with respect to such Third Party Supplier and shall assume full responsibility and liability for the Services and performance of the Third Party Supplier; and (b) prior to disclosing any of Customer's or its Affiliates' Confidential Information or performance of Services by such Third Party Supplier, Supplier shall have or enter into a written agreement with the Third Party Supplier expressly binding such Third Party Supplier to the confidentiality and data security provisions of this Agreement and such terms shall govern the Third Party Supplier irrespective of any contrary term or condition that may be contained in a separate agreement between Supplier and any Third Party Supplier. Supplier shall provide the applicable Customer with written evidence in a form reasonably acceptable to the Customer of compliance with the foregoing.
50 a few good clauses: Who's Accessing Your Data? Non-Subcontractor Third Parties. Facilities Standards: AT101 and ISO 2700x; dual-factor access control (with at least one biometric factor) at principal facility access points; single-factor biometric authentication to all interior secure areas; single-factor biometric access control at individual cage access points; 24x7x365 on-site security, CCTV surveillance of interior and exterior strategic locations and access points with a minimum of 10 days video retention.
51 a few good clauses: Who's Accessing Your Data? HIPAA BA. If BA is permitted to use a Subcontractor under the Underlying Agreement, BA and such Subcontractor shall enter into a written business associate agreement containing the same restrictions and conditions that apply to BA under this BA Agreement. BA also may disclose PHI to a third party (who is not a Subcontractor) to the extent required for the proper management and administration of BA or to carry out BA's legal responsibilities, provided that such third party disclosure is either: (a) Required by Law; or (b) occurs only after BA has obtained reasonable assurance from the third party person or entity to which BA will disclose PHI stating that such person or entity will (i) hold the PHI in confidence and use or further disclose the PHI only for the purpose for which BA disclosed PHI to the person or entity or as such third party is Required by Law to further disclose, and (ii) promptly notify BA of any instance of which the person or entity becomes aware in which the confidentiality of PHI was breached.
52 a few good clauses: What are they doing with your Data? Restricting Use; Allowing Aggregation; HIPAA BA Issues.
53 a few good clauses: What are they doing with it? Option 1 - Restrictive. Customer Data. As between Supplier and Customer, all data provided to Supplier by or on behalf of Customer under an Agreement ("Customer Data") remains the sole property of Customer. Customer Data shall be considered Confidential Information, subject to the terms of an Agreement. Supplier Personnel shall not have the right to copy Customer Data except to the limited extent necessary to perform under an Agreement. Supplier shall be responsible for deletion, destruction or alteration of Customer Data while in the possession or custody or under the control of Supplier Personnel. The Customer Data shall not be used by Supplier for any purpose other than that of providing Services, nor shall the Customer Data be disclosed, sold, assigned, leased, benchmarked, aggregated or otherwise disposed of to third parties by Supplier or commercially exploited by or on behalf of Supplier and Supplier Personnel.
54 a few good clauses: What are they doing with it? Option 2 - Less Restrictive. Disclosure of Claims Data. Notwithstanding any other provision of this Agreement, TPA and TPA's Affiliates shall have the right to use and disclose Claims Data collected in the performance of Services under this Agreement, so long as: (a) the Claims Data is aggregated and de-identified in a manner consistent with the requirements of HIPAA and in all instances shall not disclose Claim Data in any manner that would reveal the identity of patients, Plan Participants, the pharmaceuticals authorized for them or any clinical and PHI about them sufficient to identify them; and the Claims Data is used or disclosed for research, health oversight activities, benchmarking, and analysis of industry and health care trends or other substantially similar purposes permitted by law and consistent with the disclosure practices described to BSC upon entering into this Agreement; or (b) a Member has consented to the release of his or her individually identifiable data. Under no circumstances shall the Claims Data be sold to any third party or used (whether or not sold) by any Affiliate of TPA for commercial gain.
55 a few good clauses: What are they doing with it? HIPAA BA. BA shall not use or disclose PHI except to the Minimum Necessary degree required to perform for the benefit of CE under the Underlying Contract and then only to the extent permitted by this BA Agreement or as Required by Law. BA shall develop, implement, maintain and use appropriate safeguards to protect the privacy of PHI to comply with HIPAA Rules. This shall include appropriate administrative, technical and physical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of ePHI that BA creates, receives, maintains or transmits. BA may use PHI internally for its proper management and administration or to carry out its legal responsibilities.
56 a few good clauses: When will your data be available? Uptime SLA; Periodic Delivery; Post-Termination; HIPAA BA Issues.
57 a few good clauses: When will your data be available? Uptime SLA - the basics. Without limiting Supplier's obligations to meet the Availability Service Level (defined below), Supplier shall use commercially reasonable efforts to make sure that the Software and portions thereof will be available to Authorized Users 24 hours per day, 7 days per week, 365 days per year. Notwithstanding the foregoing, Supplier shall ensure that the Software is available for use by Authorized Users ninety-nine and nine tenths percent (99.9%) of the time 7 days per week, 365 days per year excluding Scheduled Downtime (the "Availability Service Level"). For purposes of this Agreement, "System available" and its variants means a working database server with the Software and Customer's database(s) mounted, running, and accessible from all servers to the public Internet. "Scheduled Downtime" means 6:00 p.m. Saturday Eastern prevailing time through 5 a.m. Monday Eastern prevailing time.
58 a few good clauses: When will your data be available? Uptime SLA - tricks of the trade. Supplier will be responsible for the hardware, equipment, telecommunications and networking infrastructure necessary to provide the Software from a point of demarcation starting with the Appliance permitting ingress to the Data Center from the WAN Circuit, continuing thereafter to the Data Center's egress Appliance back to the Public Circuit. For avoidance of doubt, Supplier is not responsible for the Public Circuit itself, except that Supplier shall perform an industry-accepted ping-like monitoring test of the telecommunications line connected to its ingress/egress Appliance every ten (10) minutes and immediately take corrective action if such test does not return a signal indicating proper functioning. As used herein the term "Appliance" means either a router, or if a dedicated PBX or switching software is leased or owned by Supplier, such PBX or switching software; and where the term "Public Circuit" means the third party provided circuits, overland and/or submarine cabling and other connectivity infrastructure from a point of demarcation starting at the point immediately after the ingress/egress Appliance at the Customer site to the point immediately before the ingress/egress Appliance router at the Data Centers.
59 a few good clauses: When will your data be available? Periodic Delivery. Data Refreshes; Backup and Data Return. On a continuous basis, Supplier shall refresh Customer Data transmitted through the Software provided by Customer's Authorized Users. Upon Customer's written request from time to time (but no more than once per quarter), Supplier shall provide to Customer a copy of all of Customer Data provided by Customer's Authorized Users in a format mutually agreed to by the parties. Unless more frequent back-ups are provided under Supplier's separate back-up and DR-BC Plan, back-up services shall be performed for all Customer Data at least daily with offsite storage of all media used therefor.
60 a few good clauses: When will your data be available? Post Termination. The Disengagement Services shall include the performance by Supplier of such services as shall be necessary to facilitate the orderly transfer of the Client Data to Client or its designee including delivery of Client Data in native or other agreed format which shall in all events be readable/useable with common, commercially available software. Supplier shall have no right to delete Client Data from its servers until 180 days after termination or expiration or 10 days following completion of the agreed Disengagement Services, whichever is later. At that time, Supplier shall certify to such destruction in writing.
61 a few good clauses: When will your data be available? HIPAA - BA. BA agrees to provide access to PHI in a Designated Record Set, in the time and manner Required by Law, to CE or, as directed by CE, to a Data Subject, in order to meet the requirements under 45 C.F.R BA may impose a reasonable cost-based fee for the provision of copies of PHI in a Designated Record Set in accordance with 45 C.F.R (c)(4). In addition, BA will, upon receipt of written notice from the Requesting Party, promptly amend or permit the Requesting Party access to amend any portion of a Data Subject's PHI that is in a Designated Record Set in the custody or control of BA, so that CE may meet its access obligations under 45 C.F.R BA shall also, as necessary to satisfy CE's obligations under 45 C.F.R , maintain and make available such information as is required to provide an accounting of disclosure to Data Subjects. If CE requests an accounting of a Data Subject's PHI more than once in any twelve (12) month period, BA will impose a reasonable fee for such accounting in accordance with 45 C.F.R (c). As used herein "Data Subject" means the person to whom the applicable PHI relates; "Requesting Party" means CE or the Data Subject, as applicable to each request.
More informationBUSINESS ASSOCIATE AGREEMENT
Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with
More informationEXHIBIT C BUSINESS ASSOCIATE AGREEMENT
EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date
More informationBusiness Associate Agreement
Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS
More informationDisclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationMobile Medical Devices and BYOD: Latest Legal Threat for Providers
Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate
More informationBUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.
BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of
More informationBUSINESS ASSOCIATE AGREEMENT. Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and
BUSINESS ASSOCIATE AGREEMENT Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and Associate ) ( Business This Business Associate Agreement (this Agreement ) effective as of (the
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,
More informationBUSINESS ASSOCIATE AGREEMENT
PREVIEW VERSION ONLY This Business Associate Agreement (BAA) is made available for preview purposes only. It is indicative of the BAA that will be presented through the online user interface for acceptance
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,
More informationTerms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
More informationHIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND
HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS
More informationINFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE. I. GENERAL INFORMATION Full Name:
INFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE
More informationINFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES
INFORMATION SECURITY & PRIVACY INSURANCE WITH BREACH RESPONSE SERVICES NOTICE: INSURING AGREEMENTS I.A., I.C. AND I.D. OF THIS POLICY PROVIDE COVERAGE ON A CLAIMS MADE AND REPORTED BASIS AND APPLY ONLY
More informationThis form may not be modified without prior approval from the Department of Justice.
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
More informationInfinedi HIPAA Business Associate Agreement RECITALS SAMPLE
Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor
More informationUNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):
UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred
More informationTulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY
Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October
More informationPreferred Professional Insurance Company Subcontractor Business Associate Agreement
Preferred Professional Insurance Company Subcontractor Business Associate Agreement THIS SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT ( Agreement ) amends and is made a part of all Services Agreements (as
More informationVendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
More informationUse & Disclosure of Protected Health Information by Business Associates
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
More informationVERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA
VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationBUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS
BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University
More informationThe Institute of Professional Practice, Inc. Business Associate Agreement
The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationINFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION
INFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST
More informationOFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)
Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate
More informationWhat would you do if your agency had a data breach?
What would you do if your agency had a data breach? 80% of businesses fail to recover from a breach because they do not know this answer. Responding to a breach is a complicated process that requires the
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationAm I a Business Associate?
Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have
More informationSTANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT
STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 2014 (the Effective Date ), by and between (a) GI Quality Improvement Consortuim,
More informationName of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationBUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:
BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective
More informationBUSINESS ASSOCIATE CONTRACTUAL ADDENDUM
BUSINESS ASSOCIATE CONTRACTUAL ADDENDUM This HIPAA Addendum ("Addendum") is entered into effective this first day of November 1, 2015, by and between "Business Associate" AND COUNTY OF OTTAWA Ottawa County
More informationCreating Stable Security & Compliance Relationships
Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationCyber and Privacy Risk What Are the Trends? Is Insurance the Answer?
Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information
More informationDATA BREACH COVERAGE
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business
More informationFORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationBusiness Associate and Data Use Agreement
Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W
More informationWellDyneRxWEST Customer (TPA, Broker, Consultant, Group Health Plan, and other).
WellDyneRxWEST Customer (TPA, Broker, Consultant, Group Health Plan, and other). RE: HIPAA Business Associate Agreement Effective 4/14/04 Business Associate: WellDyneRxWEST, Inc., a Colorado Corporation
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled
More informationThe HIPAA Omnibus Final Rule
WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationJoe A. Ramirez Catherine Crane
RIMS/RMAFP PRESENTATION Joe A. Ramirez Catherine Crane RISK TRANSFER VIA INSURANCE Most Common Method Involves Assessment of Risk and Loss Potential Risk of Loss Transferred For a Premium Insurance Contract
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationFirstCarolinaCare Insurance Company Business Associate Agreement
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
More informationTHE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK
THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK SECURITY AND THEFT OF DATA COVERAGE APPLICATION Name of Insurance Company to which application is made NOTICE: THIS POLICY PROVIDES CLAIMS MADE COVERAGE.
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationEnterprise PrivaProtector 9.0
IRONSHORE INSURANCE COMPANIES 75 Federal St Boston, MA 02110 Toll Free: (877) IRON411 Enterprise PrivaProtector 9.0 Network Security and Privacy Insurance Application THE APPLICANT IS APPLYING FOR A CLAIMS
More informationGALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
More informationParticipation Agreement Medicaid Provider Program
Participation Agreement Medicaid Provider Program PLEASE FAX THE FOLLOWING PAGES #4, #7, #8, #14, #15 211 Warren Street Newark, NJ 07103 PHONE: 973-642-4777 FAX: 973-645-0457 E-mail: info@njhitec.org www.njhitec.org
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT Express Scripts, Inc. and one or more of its subsidiaries ( ESI ), and Sponsor or one of its affiliates ( Sponsor ), are parties to an agreement ( PBM Agreement ) whereby ESI
More informationBUSINESS ASSOCIATE AGREEMENT. Recitals
BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and
More informationA How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the
More informationAGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND
AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is made effective as of the day of 2014 (the Effective Date ), by and between Sarasota County Public Hospital District,
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationHIPAA Business Associate Agreement
HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap
More information