Roadmap. What is Big Data? Big Data for Educational Institutions 5/30/2014. A Framework for Addressing Privacy Compliance and Legal Considerations

Size: px
Start display at page:

Download "Roadmap. What is Big Data? Big Data for Educational Institutions 5/30/2014. A Framework for Addressing Privacy Compliance and Legal Considerations"

Transcription

1 Big Data for Educational Institutions A Framework for Addressing Privacy Compliance and Legal Considerations Roadmap Introduction What is Big Data? How are educational institutions using Big Data? What privacy, security and compliance risks exist? Framework for addressing risks What is Big Data? Big Data is a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications. The challenges include capture, curation, storage, search, sharing, analysis, and visualization. - en.wikipedia.org/wiki/big_data 1

2 What is Big Data? Characteristic Description Volume The sheer amount of data generated or data intensity that must be ingested, analyzed, and managed to make decisions based on complete data analysis Velocity How fast data is being produced and changed and the speed with which data must be received, understood, and processed Variety The rise of information coming from new sources both inside and outside the walls of the enterprise or organization creates integration, management, governance, and architectural pressures on IT What does Big Data mean to organizations? Analyzing Large Data Sets. The ability of the organization to access unimaginable amounts of structured and unstructured data (much more of it likely in the unstructured category) both internally and through external resources (e.g. data brokers, affiliates or partners). Purpose. Understanding the relationships within large data sets and correlations between data elements, in order to gain valuable insights (often precise and non-obvious) to improve business processes and goals. What does Big Data mean to organizations? Specialized Tools and Personnel. The need to leverage specialized tools and specialized employees (e.g. data scientists) to enable the capture, curation, storage, search, sharing and analysis of the data in a way that is valuable to the organization. Limitations and Legal Risk. Analyzing and addressing the potential limitations and legal risks and issues associated the collection, analysis and use of Big Data (and the insights derived from it). 2

3 Big Data Ecosystem Infrastructure Analytics Big Data Players Applications Integrators / consultants Data scientists Big Data In the Education Context What Data? Financial information Healthcare information Student records (grades, attendance, classes) Online activity Mobile activity / location information Social relationships Campus activity (lights on, visits to library) Data brokers 3

4 Big Data In the Education Context How Used? Admission process Student wellness/performance programs Resource allocation and budgeting Marketing? Privacy Security Compliance Key Legal Concerns Privacy and Security Compliance Optics / student relationship Compliance with internal policies Compliance with laws HIPAA GLB State law 4

5 Privacy and Security Compliance Can the institution collect? Can the institution disclose? Limitations on use? How must student data be protected? Privacy and Security Compliance Internal privacy policies concerning collection, use and disclosure of student data Multiple / inconsistent privacy policies which policy governs a particular data element? Failure to follow own policies may lead to regulatory / litigation risk or liability Policy changes may be needed Key Legal Issue Under, can personally identifiable information be disclosed to third parties to conduct the Big Data analytics? 5

6 Under, personally identifiable Information includes, but is not limited to: (a) The student's name; (b) The name of the student's parent or other family members; (c) The address of the student or student's family; (d) A personal identifier, such as the student's social security number, student number, or biometric record; (e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name; (f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or (g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. Obtain consent (34 CFR 99.30) Key exceptions: School official exception (34 CFR 99.30(a)(1)) Studies exception (34 CFR 99.30(a)(6)) Directory information (34 CFR 99.30(a)(11)) De-identified records and information (34 CFR 99.31(b)(1)) School Officials Exception Performs an institutional service the school would otherwise use employees for Under the direct control of the agency or institution with respect to the use and maintenance of education records No redisclosure without consent (99.33(a)(1)) An educational agency or institution must limit access to only those education records in which school officials have legitimate educational interests (via technical, physical or administrative controls). 6

7 Study Exception Study purposes: Develop, validate, or administer predictive tests; Administer student aid programs; or Improve instruction. Study is conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization that have legitimate interests in the information PII destroyed when no longer needed Study Exception -- Written agreement: Specify purpose, scope, and duration of the study or studies and the information to be disclosed Limits use of PII to meet purpose of study Conduct study in a manner that does not permit personal identification of parents and students, as defined in this part, by anyone other than representatives of the organization with legitimate interests PII is destroyed when no longer needed Directory Information Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Examples: the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or parttime); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended. SSN or Student ID (with exceptions) not included Notice and opt-out opportunity must be provided (34 CFR 99.37) 7

8 De-identification In general Rendering identifiable data unable to be tied back to a particular identifiable individual Risk of re-identification Too many data elements Unique combination of data elements Combination with other data elements Expertise may be needed De-identification is a process not a state of being De-identification FTC General Standard Reasonable measures to ensure that the data is de-identified. A reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device. Factors Available methods and technologies nature of the data at issue the purposes for which it will be used The standard is not an absolute one; rather, companies The standard is not an absolute one; rather, companies must take reasonable steps to ensure that data is de-identified. "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers" De-identification Definition of Personally Identifiable Information Research study exception Stand-alone de-identification exception 8

9 De-identification PII Defintion Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. De-identification Exception De-identified records and information.an educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information without the consent required by after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information. Research Study Exception Conduct study in a manner that does not permit personal identification of parents and students, as defined in this part, by anyone other than representatives of the organization with legitimate interests. 9

10 Making it Happen In house capabilities? De-identification at least? Use of third parties Do they need identifiable data? Assistance with de-identification Reduce risk by not relinquishing control Data Element and Flow Analysis. Understand the source and nature of the data elements that will be disclosed/analyzed Data elements and flow reveal compliance concerns Consider limiting data elements to reduce risk Statutory Basis for Disclosure & Use basis for disclosure of student personally identifiable information Consent School official Research HIPAA? GLB? 10

11 Internal Policy Compliance Which policy governs a particular data element? Internal privacy policies / statements IT acceptable use or similar policies External facing privacy policies: Intranet, Websites, Applications (online and mobile) Policy modifications / presentation De-Identification Strategies Methodology for de-identification Analyze risk of re-identification Internal versus third-party de-identification Bifurcating de-identification and data analysis Student Relations and Legal Risk Assume that Big Data activities will be revealed Communications strategy (pre- and post-) Clear, consistent and unified across channels Articulate benefits Articulate safeguards 11

12 Third Party Big Data Analytics Vendors Identify appropriate vendors Vet security and privacy practices before choosing a single vendor Draft and negotiate agreements basis for disclosure Limitations on use of student information Security and incident response requirements Audit / assessment rights Indemnification and liability Third Party Big Data Analytics Vendors Identify appropriate vendors Vet security and privacy practices before choosing a single vendor Draft and negotiate agreements basis for disclosure Limitations on use of student information Security and incident response requirements Audit / assessment rights Indemnification and liability Contract Terms basis for disclosure Basis for disclosure relative to other statutes (HIPAA, GLB, etc.) Limitations on use of student information Security and incident response requirements Audit / assessment rights Indemnification and liability 12

13 Q&A David Navetta, Esq., CIPP/US Partner, InfoLawGroup LLP

Virginia Commonwealth University Information Security Standard

Virginia Commonwealth University Information Security Standard Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,

More information

What is FERPA? This act is enforced by the Family Policy Compliance Office, U.S. Department of Educational, Washington, D.C.

What is FERPA? This act is enforced by the Family Policy Compliance Office, U.S. Department of Educational, Washington, D.C. What is FERPA? The Family Educational Rights and Privacy Act of 1974 (FERPA), as amended (also referred to as the Buckley Amendment), is a Federal law designed to protect the confidentiality of a student

More information

July 2016 1101 CONNECTICUT AVENUE NW, SUITE 1100 WASHINGTON, DC 20036-4303 202.785.0453 FAX. 202.785.1487 WWW.NASFAA.ORG

July 2016 1101 CONNECTICUT AVENUE NW, SUITE 1100 WASHINGTON, DC 20036-4303 202.785.0453 FAX. 202.785.1487 WWW.NASFAA.ORG July 2016 1101 CONNECTICUT AVENUE NW, SUITE 1100 WASHINGTON, DC 20036-4303 202.785.0453 FAX. 202.785.1487 WWW.NASFAA.ORG Financial Aid Data Sharing I. Introduction Financial aid professionals collect and

More information

ENROLLMENT DATA SHARING AGREEMENT Between «Institution» and the Minnesota Office of Higher Education

ENROLLMENT DATA SHARING AGREEMENT Between «Institution» and the Minnesota Office of Higher Education ENROLLMENT DATA SHARING AGREEMENT Between «Institution» and the Minnesota Office of Higher Education The «Institution» is an educational agency or institution subject to the Family Educational Rights and

More information

Family Educational Rights and Privacy Act Regulations

Family Educational Rights and Privacy Act Regulations Family Educational Rights and Privacy Act Regulations 34 CFR Part 99 Subpart A-General Section 99.1 To which educational agencies or institutions do these regulations apply? 99.2 What is the purpose of

More information

Minnesota s Statewide Longitudinal Education Data System (SLEDS) Data Access & Management Policy

Minnesota s Statewide Longitudinal Education Data System (SLEDS) Data Access & Management Policy Minnesota s Statewide Longitudinal Education Data System (SLEDS) Data Access & Management Policy October 23, 2014 Approved by SLEDS Governance 1 Contents Section 1 - Overview... 5 1.1 Purpose... 5 Policy

More information

Information Security Policy

Information Security Policy Information Security Policy Introduction The purpose of the is policy is to protect Rider University information resources from accidental or intentional unauthorized access, modification, or damage and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

PII Personally Identifiable Information Training and Fraud Prevention

PII Personally Identifiable Information Training and Fraud Prevention PII Personally Identifiable Information Training and Fraud Prevention Topics What is Personally Identifiable Information (PII)? Why are we committed to protecting PII? What laws govern us? How do we comply?

More information

Family Educational Rights and Privacy Act (FERPA) Final Rule 34 CFR Part 99. Section-by-Section Analysis December 2008

Family Educational Rights and Privacy Act (FERPA) Final Rule 34 CFR Part 99. Section-by-Section Analysis December 2008 Family Educational Rights and Privacy Act (FERPA) Final Rule 34 CFR Part 99 Section-by-Section Analysis December 2008 Under FERPA, 20 U.S.C. 1232g, a parent or eligible student has a right to inspect and

More information

Technology and Data Privacy Committee. 2014-2015 June 30, 2014

Technology and Data Privacy Committee. 2014-2015 June 30, 2014 Technology and Data Privacy Committee 2014-2015 June 30, 2014 Agenda 6/30 Committee Chair FERPA Review Policies Policy Example Tech Initiative - Title 1 Schools 1-to-1 Wrap-up Calendar Data Governance

More information

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA Big Data Analytics Under HIPAA Kevin Coy and Neil W. Hoffman, Ph.D. Privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule can have a significant

More information

Family Educational Rights Privacy (FERPA) Act

Family Educational Rights Privacy (FERPA) Act F l o r i d a H o u s e o f R e p r e s e n t a t i v e s Family Educational Rights Privacy (FERPA) Act EDUCATION FACT SHEET 2010-11 What is the Family Educational Rights Privacy Act? The Family Educational

More information

Privacy Impact Assessment

Privacy Impact Assessment DECEMBER 20, 2013 Privacy Impact Assessment MARKET ANALYSIS OF ADMINISTRATIVE DATA UNDER RESEARCH AUTHORITIES Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552

More information

THE CITY UNIVERSITY OF NEW YORK FERPA RELEASE FORM PERMISSION FOR ACCESS TO EDUCATIONAL RECORDS

THE CITY UNIVERSITY OF NEW YORK FERPA RELEASE FORM PERMISSION FOR ACCESS TO EDUCATIONAL RECORDS THE CITY UNIVERSITY OF NEW YORK FERPA RELEASE FORM PERMISSION FOR ACCESS TO EDUCATIONAL RECORDS This form allows students to grant third parties, including parents, access to their educational records

More information

Addressing Student Privacy Issues

Addressing Student Privacy Issues Addressing Student Privacy Issues Data Quality Institute November 4, 2015 Hot Topics Privacy is a national interest and high profile Congressional interest in FERPA State legislatures passing privacy laws

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

LANDER UNIVERSITY STUDENT INFORMATION SECURITY AND PRIVACY PROCEDURE

LANDER UNIVERSITY STUDENT INFORMATION SECURITY AND PRIVACY PROCEDURE founded in 1872 LANDER UNIVERSITY Office of Information Technology Services LANDER UNIVERSITY STUDENT INFORMATION SECURITY AND PRIVACY PROCEDURE 2012 REVISION TABLE OF CONTENTS I. PRIVACY.....................................................

More information

Privacy Impact Assessment

Privacy Impact Assessment MAY 24, 2012 Privacy Impact Assessment matters management system Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220 claire.stapleton@cfpb.gov DOCUMENT

More information

SOUTH DAKOTA DEPARTMENT OF EDUCATION

SOUTH DAKOTA DEPARTMENT OF EDUCATION SOUTH DAKOTA DEPARTMENT OF EDUCATION Data Access Policy DOE Data Management Office (605) 773-3248 05/05/2015 1 P age TABLE OF CONTENTS Contents TABLE OF CONTENTS... 2 POLICY STATEMENT... 3 PURPOSE... 3

More information

Vendor Management Challenge Doing More with Less

Vendor Management Challenge Doing More with Less Vendor Management Challenge Doing More with Less Megan Hertzler Assistant General Counsel Director of Data Privacy Xcel Energy Boris Segalis Partner InfoLawGroup LLP Session ID: GRC-402 Insert presenter

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices

Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices (Session ID: 152) Maureen Carver, Assistant Dean and Registrar, Law School, Villanova University Rita Garner, Registrar, Medical College of

More information

PII = Personally Identifiable Information

PII = Personally Identifiable Information PII = Personally Identifiable Information EMU is committed to protecting the privacy of personally identifiable information of its students, faculty, staff, and other individuals associated with the University.

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version)

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) THIS AGREEMENT is entered into and made effective the day of, 2012 (the Effective Date ), by and between (a)

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

What is Covered by HIPAA at VCU?

What is Covered by HIPAA at VCU? What is Covered by HIPAA at VCU? The Privacy Rule was designed to protect private health information from incidental disclosures. The regulations specifically apply to health care providers, health plans,

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 How to De-identify Data Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 1 Outline The problem Brief history The solutions Examples with SAS and R code 2 Background The adoption

More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Addendum is made part of the agreement between Boston Medical Center ("Covered Entity ) and ( Business Associate"), dated [the Underlying Agreement ]. In connection with

More information

Kentucky Wesleyan College Policy & Procedure Manual

Kentucky Wesleyan College Policy & Procedure Manual Kentucky Wesleyan College Policy & Procedure Manual Student Information Privacy Policy Approval: President Policy Type: College Policy Owner: Registrar Responsible Office: Registrar Revision History Approval

More information

Young Scholars of Central Pennsylvania Charter School 1530 Westerly Parkway State College, PA 16801. 2015-2016 School Year

Young Scholars of Central Pennsylvania Charter School 1530 Westerly Parkway State College, PA 16801. 2015-2016 School Year Young Scholars of Central Pennsylvania Charter School 1530 Westerly Parkway State College, PA 16801 2015-2016 School Year Annual Notification of Rights under Family Educational Rights and Privacy Act (FERPA)

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC

Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Extracting value from HIPAA Data James Yaple Jackson-Hannah LLC Session Objectives Examine the value of realistic information in research and software testing Explore the challenges of de-identifying health

More information

HIPAA BUSINESS ASSOCIATES CONTRACT FOR EYE CARE PROVIDERS 1 ST ADDENDUM

HIPAA BUSINESS ASSOCIATES CONTRACT FOR EYE CARE PROVIDERS 1 ST ADDENDUM HIPAA BUSINESS ASSOCIATES CONTRACT FOR EYE CARE PROVIDERS 1 ST ADDENDUM The HIPAA BUSINESS ASSOCIATES CONTRACT FOR EYE CARE PROVIDERS ( Original Agreement ) was made available on the Visionweb website

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Express Scripts, Inc. and one or more of its subsidiaries ( ESI ), and Sponsor or one of its affiliates ( Sponsor ), are parties to an agreement ( PBM Agreement ) whereby ESI

More information

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS This Business Associate Agreement (this Agreement ), is made as of the day of, 20 (the Effective Date ), by and between ( Business Associate ) and ( Covered Entity

More information

NORTH CAROLINA DEPARTMENT OF PUBLIC INSTRUCTION. Division of Data, Research and Federal Policy July 29, 2013

NORTH CAROLINA DEPARTMENT OF PUBLIC INSTRUCTION. Division of Data, Research and Federal Policy July 29, 2013 NORTH CAROLINA DEPARTMENT OF PUBLIC INSTRUCTION Transmitting Private Information Electronically Best Practices Guide for Communicating Personally Identifiable Information by Email, Fax or Other Electronic

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Implementing an HMIS within HIPAA

Implementing an HMIS within HIPAA Implementing an HMIS within HIPAA Jon Neiditz Atlanta, GA (678) 427-7809 jneiditz@hunton.com September 14th and 15th, 2004 Chicago, IL Sponsored by the U.S. Department of Housing and Urban Development

More information

Program, you consent to the data practices described in this Privacy Policy.

Program, you consent to the data practices described in this Privacy Policy. Privacy Policy. To the extent Gramm-Leach-Bliley Act, 15 U.S.C. 6802 (the GLB Act ) may apply to our services, this Privacy Policy shall serve as your initial Privacy Notice as defined under the GLB Act.

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

Synapse Privacy Policy

Synapse Privacy Policy Synapse Privacy Policy Last updated: April 10, 2014 Introduction Sage Bionetworks is driving a systems change in data-intensive healthcare research by enabling a collective approach to information sharing

More information

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

More information

2. Privacy Policy Guidance Memorandum 2008-02, OHS Policy Regarding Privacy Impact Assessments (December 30, 2008)

2. Privacy Policy Guidance Memorandum 2008-02, OHS Policy Regarding Privacy Impact Assessments (December 30, 2008) 3/30/2016 IV. Definitions 1. Privacy Policy Guidance Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security (December 29, 2008)

More information

2015 NMSBA SCHOOL LAW CONFERENCE

2015 NMSBA SCHOOL LAW CONFERENCE 2015 NMSBA SCHOOL LAW CONFERENCE NETWORK SECURITY, DISTRICT POLICIES ON INTERNET USE, AND THE LAW Andrew M. Sanchez David A. Richter Cuddy & McCarthy, LLP 1 FEDERAL LAWS The Family Educational Rights and

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 20 (the Effective Date ), by and between (a) THE SOCIETY OF GYNECOLOGIC

More information

Data Governance and Big Data - A Necessary Convergence. Richard Goldberg Chief Data Governance Officer Citibank Global Consumer Bank

Data Governance and Big Data - A Necessary Convergence. Richard Goldberg Chief Data Governance Officer Citibank Global Consumer Bank Governance and Big - A Necessary Convergence Richard Goldberg Chief Governance Officer Citibank Global Consumer Bank Governance and Big A Necessary Convergence As our businesses continue to expand its

More information

De-identification, defined and explained. Dan Stocker, MBA, MS, QSA Professional Services, Coalfire

De-identification, defined and explained. Dan Stocker, MBA, MS, QSA Professional Services, Coalfire De-identification, defined and explained Dan Stocker, MBA, MS, QSA Professional Services, Coalfire Introduction This perspective paper helps organizations understand why de-identification of protected

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

Note to Users: Page 1 of 5

Note to Users: Page 1 of 5 Note to Users: The subsequent pages contain a Sample Business Associate Agreement that may be used by healthcare facilities. Be advised that this is strictly a sample and any formal Business Associate

More information

Information Systems Security Policy

Information Systems Security Policy Information Systems Security Policy Northeast Alabama Community College Center for Information Assurance Northeast Alabama Community College 138 AL Hwy 35, Rainsville, AL 35986 (256) 228-6001 1 5/22/2014

More information

Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009

Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009 Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009 Late last year, the Federal Trade Commission (FTC) and Federal banking agencies issued a regulation

More information

Submission to the National Telecommunications and Information Administration (NTIA), U.S. Department of Commerce

Submission to the National Telecommunications and Information Administration (NTIA), U.S. Department of Commerce Submission to the National Telecommunications and Information Administration (NTIA), U.S. Department of Commerce Docket No. 140514424 4424 01 RIN 0660 XC010 Comments of the Information Technology Industry

More information

A Privacy and Data Security Checklist for All

A Privacy and Data Security Checklist for All July 2015 Many companies know they have to follow privacy and data security rules. Companies in the health care industry know about Health Insurance Portability and Accountability Act (HIPAA). Financial

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Preparing to Serve: Online Training Modules

Preparing to Serve: Online Training Modules Preparing to Serve: Online Training Modules MASSEN, A. AND KOWALEWSKI, B. (EDS.) COPYRIGHT 2010. WEBER STATE UNIVERSITY PREPARING TO SERVE: ONLINE TRAINING MODULES PROFESSIONALISM CULTURAL SENSITIVITY

More information

Red Flag Rules and Aging Services: What You Need to Know

Red Flag Rules and Aging Services: What You Need to Know Red Flag Rules and Aging Services: What You Need to Know Late in 2007, six federal agencies, including the Federal Trade Commission ( FTC ), jointly issued final rules and accompanying guidelines to implement

More information

HIPAA Privacy: Refining Your Implementation. Presented by Rhys W. Jones HCCA Compliance Institute April 28, 2003

HIPAA Privacy: Refining Your Implementation. Presented by Rhys W. Jones HCCA Compliance Institute April 28, 2003 HIPAA Privacy: Refining Your Implementation Presented by Rhys W. Jones HCCA Compliance Institute April 28, 2003 Designated Record Sets (DRS) Covered entities must document contents of DRS For Providers:

More information

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 2014 (the Effective Date ), by and between (a) GI Quality Improvement Consortuim,

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

HIPAA and Big Data Twenty Third National HIPAA Summit. March 17, 2015 Mitchell W. Granberg, Optum Chief Privacy Officer

HIPAA and Big Data Twenty Third National HIPAA Summit. March 17, 2015 Mitchell W. Granberg, Optum Chief Privacy Officer HIPAA and Big Data Twenty Third National HIPAA Summit March 17, 2015 Mitchell W. Granberg, Optum Chief Privacy Officer Overview HIPAA and Big Data Big Data Definitions Big Data and Health Care Benefits

More information

INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT

INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT This Agreement dated as of is made by and between The Board of Trustees of the University of Alabama, on behalf of INTERMACS Registry ( Business Associate

More information

This Instruction implements Department of Homeland Security (DHS) Directive 110-01, Privacy Policy for Operational Use of Social Media.

This Instruction implements Department of Homeland Security (DHS) Directive 110-01, Privacy Policy for Operational Use of Social Media. I. Purpose Department of Homeland Security DHS Directives System Instruction Number: 110-01-001 Revision Number: 00 Issue Date: 6/8/2012 PRIVACY POLICY FOR OPERATIONAL USE OF SOCIAL MEDIA This Instruction

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Privacy and Data Breach Issues

Privacy and Data Breach Issues 15-013 Privacy and Data Breach Issues Konstantin Dino Tsibouris Founding Principal Tsibouris & Associates Columbus, Ohio Kirk Herath Associate General Counsel Nationwide Insurance Columbus, Ohio Table

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement You may be aware that the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) requires health plans

More information

PsyBar, LLC 6600 France Avenue South, Suite 640 Edina, MN 55435 Telephone: (952) 285-9000 Facsimile: (952) 848-1798

PsyBar, LLC 6600 France Avenue South, Suite 640 Edina, MN 55435 Telephone: (952) 285-9000 Facsimile: (952) 848-1798 PsyBar, LLC 6600 France Avenue South, Suite 640 Edina, MN 55435 Telephone: (952) 285-9000 Facsimile: (952) 848-1798 Updated 12/8/15 PSYBAR, L. L. C. INDEPENDENT CONTRACTOR AGREEMENT PsyBar attempts to

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE*

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE* This is only sample language. The language should be changed to accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor. In addition,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Spring 2016. 23 Invoices for Spring will be available 15 Installment Plan 3 of 5 due by 5 p.m.

Spring 2016. 23 Invoices for Spring will be available 15 Installment Plan 3 of 5 due by 5 p.m. Spring 2016 Payment Deadlines Frequently Asked Questions Tuition and Fee Rates Payment Plans Refund Information December March 23 Invoices for Spring will be available 15 Installment Plan 3 of 5 due by

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009 Pacific University Policy Governing Identity Theft Prevention Program Red Flag Guidelines Approved June 10, 2009 Program adoption Pacific University developed this identity Theft Prevention Program ( Program

More information

HIPAA Privacy and Business Associate Agreement

HIPAA Privacy and Business Associate Agreement HR 2011-07 ATTACHMENT D HIPAA Privacy and Business Associate Agreement This Agreement is entered into this day of,, between [Employer] ( Employer ), acting on behalf of [Name of covered entity/plan(s)

More information

THE UNIVERSITY OF MICHIGAN

THE UNIVERSITY OF MICHIGAN SECTION: General University Policies Number: 601.11 Revised: 9/7/2004 SUBJECT: Privacy and the Need to Monitor and Date Issued: 12/1/93 Access Records Review Date: 9/7/08 Attachment(s) 0 APPLIES TO: All

More information

STATE OF KANSAS HOUSE OF REPRESENTATIVES. I move to amend Substitute for Substitute for HB 2292, on page 1, following line 4, by

STATE OF KANSAS HOUSE OF REPRESENTATIVES. I move to amend Substitute for Substitute for HB 2292, on page 1, following line 4, by fa_2016_hb2292_h_4162 STATE OF KANSAS HOUSE OF REPRESENTATIVES MR. CHAIRMAN: I move to amend Substitute for Substitute for HB 2292, on page 1, following line 4, by inserting: "New Section 1. Sections 1

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

Big Data, Not Big Brother: Best Practices for Data Analytics Peter Leonard Gilbert + Tobin Lawyers

Big Data, Not Big Brother: Best Practices for Data Analytics Peter Leonard Gilbert + Tobin Lawyers Big Data, Not Big Brother: Best Practices for Data Analytics Peter Leonard Gilbert + Tobin Lawyers March 2013 How Target Knew a High School Girl Was Pregnant Before Her Parents Did just because you can,

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

Anonymizing Unstructured Data to Enable Healthcare Analytics Chris Wright, Vice President Marketing, Privacy Analytics

Anonymizing Unstructured Data to Enable Healthcare Analytics Chris Wright, Vice President Marketing, Privacy Analytics Anonymizing Unstructured Data to Enable Healthcare Analytics Chris Wright, Vice President Marketing, Privacy Analytics Privacy Analytics - Overview For organizations that want to safeguard and enable their

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT FOR HIPAA PRIVACY/SECURITY RULES

ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT FOR HIPAA PRIVACY/SECURITY RULES ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT FOR HIPAA PRIVACY/SECURITY RULES This Addendum is entered into effective as of, by and among Delta Dental of Virginia ("Business Associate"), and ( Covered

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT THIS IS A TEMPLATE ONLY. CERTAIN STATES MAY NOT PERMIT THE TYPES OF ACTIVITIES ALLOWED HEREUNDER RELATING TO PROTECTED HEALTH INFORMATION. THUS THIS AGREEMENT MAY NEED TO BE MODIFIED IN ORDER TO COMPLY

More information