Texas A&M School of Public Health HIPAA Privacy Compliance Manual For Researchers

Size: px
Start display at page:

Download "Texas A&M School of Public Health HIPAA Privacy Compliance Manual For Researchers"

Transcription

1 Texas A&M School of Public Health HIPAA Privacy Compliance Manual For Researchers Final: Approved by the SPH Executive Committee, 01/12/2016 1

2 Table of Contents INTRODUCTION... 3 PURPOSE... 4 LEGAL STATUS OF TEXAS A&M SCHOOL OF PUBLIC HEALTH... 4 HIPAA COMPLIANCE FOR RESEARCH PURPOSES... 4 HIPAA S 18 PHI IDENTIFIERS...5 LIMITED & DE-IDENTIFIED DATA SETS, WAIVER OF HIPAA AUTHORIZATION...6 HIPAA COMPLIANCE FLOWCHART SPH MONITORING OF PROTOCOLS FOR HIPAA COMPLIANCE:... 8 UTILIZATION OF CLOUD SERVERS FOR STORAGE AND FILE SHARING:... 8 UTILIZATION OF PHI IN RESEARCH BY AUTHORIZATION:... 8 UTILIZATION OF PHI IN RESEARCH WITH A WAIVER OF AUTHORIZATION... 9 DATA ANALYSIS PREPARATORY TO RESEARCH PHI OF DECEDENTS TRACKING OF PHI DISCLOSURES REVOCATION OF PHI OR IRB AUTHORIZATION BY PARTICIPANT STORAGE AND SECURITY FOR DATA CONTAINING PHI RESEARCH COMMENCED PRIOR TO HIPAA S EFFECTIVE DATE APRIL 14, WAIVER OF CONSENT REQUIREMENT BY IRB FOR RESEARCH PRIOR TO APRIL 14, FORMS FOR RESEARCHERS TAMHSC BUSINESS ASSOCIATE AGREEMENT TAMHSC DATA USE AND CONFIDENTIALITY AGREEMENT CASE STUDY AUTHORIZATION FORM DATA USE PREPARATORY-TO-RESEARCH CERTIFICATION & GUIDANCE NOTICE OF PRIVACY PRACTICES ACKNOWLEDGEMENT POLICIES & STANDARD OPERATING PROCEDURES PRIVACY OFFICER OPERATING PROCEDURE HIPAA COMPLIANCE AND PRIVACY OFFICER JOB DESCRIPTION COMPLAINT OPERATING PROCEDURE HIPAA PRIVACY & COMPLIANCE COMPLAINT FORM WORKFORCE TRAINING OPERATING PROCEDURE FOR HIPAA HIPAA EMPLOYEE TRAINING RECORD OPERATING PROCEDURE FOR DISCIPLINARY ACTION RELATING TO SANCTIONS RECORD OPERATING PROCEDURE FOR BUSINESS ASSOCIATES OPERATING PROCEDURE FOR CHANGES TO POLICIES AND PROCEDURES OPERATING PROCEDURE FOR CONFIDENTIALITY OF PHI CONFIDENTIALITY AGREEMENT BREACH NOTIFICATION OPERATING PROCEDURE BREACH NOTIFATION OPERATING PROCEDURE FURTHER INFORMATION

3 HIPAA/HITECH PRIVACY COMPLIANCE MANUAL FOR RESEARCHERS INTRODUCTION: This TEXAS A&M SCHOOL OF PUBLIC HEALTH HIPAA PRIVACY COMPLIANCE POLICY MANUAL is designed to assist A&M School of Public Health Researchers in complying with the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) privacy standards and the Health Information Technology for Economic and Clinical Health Act OF 2009 ( HITECH ) (collectively referred to as HIPAA in this Manual) and the Texas Medical Privacy Act, (HB 300). TEXAS A&M SCHOOL OF PUBLIC HEALTH firmly believes that any SPH faculty member, student, employee or Business Associate entrusted with Protected Health Information ( PHI ) must treat the PHI with the utmost confidentiality. Please note: If you, your employees, your students, or your program are providing actual services or interventions to persons, including, but not limited to, services such as counseling, health coaching, behavior training, or self-management education, then you may be covered under the full TAMHSC HIPAA regulations which may be found at To determine if you are covered under HIPAA please see HIPAA Flow Chart, page 7, and/or contact the SPH HIPAA Privacy Officer. This Manual does not provide guidance as to the HIPAA security and transaction standards which may be found at Security standards are mentioned only to the extent that they overlap with the privacy standards. The following HIPAA Compliance for Researchers Manual provides policies and procedures pertaining only to research. Emphasis is placed on: Distinguishing HIPAA compliance for research purposes as opposed to patient services Data and documentation management SPH audit and tracking of data used by researchers Allowable disclosure of PHI Business Associate Agreements, DUAs, and other frequently used documents HIPAA Training Requirements Operating Procedures and Procedure Documentation Please be aware that regardless of HIPAA and state law retention of records requirements discussed in this manual, if you have any notice of a health care liability claim, you should never destroy any records or related data. If you have any questions or concerns at any time, please feel free to contact me directly at jbolin@sph.tamhsc.edu Sincerely, JANE N. BOLIN, RN, JD, PhD SPH-HIPAA Compliance & Privacy Officer 3

4 PURPOSE: HIPAA places on the Texas A&M School of Public Health a duty to protect the confidentiality and integrity of an individual's health information, including all information designated as PHI. Protecting the confidentiality of PHI is not only required by federal HIPAA and HITECH laws, but it is also required by the Texas Medical Privacy Act (Texas HB 300), as well as professional ethics, and A&M SPH accreditation requirements. HIPAA governs how health information is protected, used and disclosed, including use and disclosure for research purposes. The purpose of this manual is to set forth the policies and procedures that will be applicable to data used for evaluation and research. LEGAL STATUS OF TEXAS A&M SCHOOL OF PUBLIC HEALTH: Texas A&M University is an entity that has chosen hybrid status, meaning it is a single legal entity with some components, including SPH that are covered under HIPAA. The Texas A&M Health Science Center and the School of Public Health are HIPAA covered components that must comply with HIPAA. HIPAA Affected Components and Operations are those units at Texas A&M University that have access to, or keep or maintain PHI, as defined by HIPAA, because the component falls under one of the following definitions: Is either a covered healthcare component (healthcare provider or a health plan), provides services to covered components and as such receives PHI to perform those tasks, or uses PHI for education or research purposes. (emphasis supplied) HIPAA COMPLIANCE FOR RESEARCH PURPOSES Any study or evaluation that involves health information about a human subject obtained for purposes of evaluation or research invokes some level of obligation to comply with HIPAA. HIPAA privacy and security laws are designed to protect individually identifiable health information known as protected health information (PHI), when this information is in the possession of entities subject to HIPAA, including SPH. A full list of the 18 PHI identifiers may be found on the next page 4

5 HIPAA s 18 PHI Identifiers HIPAA compliance duties apply to protected health information (PHI), falling within any of the following 18 PHI identifiers: 1. Names 2. Addresses 1 3. Dates 2 4. Telephone numbers 5. Fax numbers 6. addresses; 7. Social Security numbers 8. Medical record numbers 9. Health plan numbers 10. Account numbers 11. Certificate/license numbers 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. Web Universal Resource Locators (URLs) 15. Internet Protocol (IP) address numbers 16. Biometric identifiers, including finger and voice prints 17. Full face photographic images and any comparable images; and 18. Any other unique identifying number, characteristic, or code 3 1 Addresses- All geographical subdivisions smaller than a state, including street address, city county, precinct, zip code, their equivalent geocodes, except for the initial three digits of the zip codes, if according to the current publicly available data from the Bureau of the Censes: (1) geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of the zip code for all such geographic units containing 20,000 or fewer people is changed to Dates- All elements of dates (except year) for the dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. 3 Other unique number, characteristic, or code-- (which may identify a person), 5

6 Limited & De-Identified Data Sets, Waiver of HIPAA Authorization If your study involves a limited data set or de-identified data, and you are not providing advice, treatment or intervention then you do not need to comply with the full set of HIPAA obligations. Limited Data Set: A researcher may choose to use a limited data set, which is less restrictive and excludes mostly direct subject identifiers. For use of a limited data set, the researcher must complete a formal data use agreement, (DUA) that sets forth permitted uses and disclosures of the limited data set information with the data source. De-identified data contains none of the 18 PHI identifiers. If the data does not contain any of the 18 identifiers it is considered de-identified and the data is exempt from HIPAA s requirements. However, SPH will still require researchers to provide the Office of Research with a yearly data inventory. To be completely de-identified, the data must be stripped of all direct and indirect subject identifiers. Waiver of HIPAA Authorization: A&M s IRB, however, may permit the disclosure of PHI subject to HIPAA without a subject's specific prior consent or authorization, (1) if the research cannot be practically conducted without access to the PHI, and (2) the disclosure involves no more than minimal risk to the privacy of the subject. If you are requesting such a Waiver of Authorization, then you must complete the Texas A&M s Waiver of Authorization application form and submit to the IRB. If you plan to share or disclose a subject's PHI in connection with a research study that is determined to be subject to HIPAA then the full provisions of HIPAA apply and you must first obtain the written permission of the subject prior to sharing This permission, called an Authorization for Release of Protected Health Information, and must specify precisely what information will be released, why it is being released, and from and to whom it is being released. A template for this form is provided in the Forms and Templates section of this website, which can be accessed from the main menu. This form must be appended to the informed consent form and completed by the subject at the same time the subject completes the informed consent form. A subject cannot participate in the research if he or she does not complete the Authorization. Additionally, the investigator must maintain a detailed record of each release of health information, and this record must be accessible under certain circumstances to the subject. Failure to comply with the SPH yearly HIPAA data audit inventory and/or HIPAA policies will result in immediate suspension of your research study and withholding of your paychecks or salary until the required inventory is filed. Repeated failure to comply will result in disciplinary action by the Dean of the School of Public Health and may result in termination of employment and/or faculty appointment. A more detailed description of the HIPAA Privacy Rule requirements may be found at If HIPAA applies to your research study, any failure to comply with HIPAA will result not only in termination of your study and suspension of related research grants, but also potentially in criminal and/or civil penalties to you and A&M SPH (for an individual, penalties may be as severe as $1,500,000 or 10 years imprisonment.). 6

7 HIPAA Compliance Flowchart. The following flow-chart will help you determine if your research requires full HIPAA Compliance or whether it may be subject to exceptions. 4 4 Credit: adapted from: 7

8 SPH MONITORING OF PROTOCOLS FOR HIPAA COMPLIANCE: All research protocols must be submitted to the A&M Division of Research Institutional Review Board (IRB) for review and approval prior to commencing any study or evaluation of data containing PHI. SPH Office of Research monitors all active IRB protocols through the Office of Shared Research Services (SRS). UTILIZATION OF CLOUD SERVERS FOR STORAGE AND FILE SHARING: All data containing PHI must be stored on a HIPAA compliant server. This mandate includes cloud servers. Many researchers are not aware that very few commercial cloud servers offer HIPAA compliance assurances and many companies are not willing to sign a Business Associate Agreement (BAA), (e.g., icloud, Dropbox and Amazon). The TAMHSC Office of Information Technology now offers a secure cloud server and file sharing software called Syncplicity. This TAMHSC Cloud server can be accessed per the following: Access and Use: TAMHSC Cloud (Syncplicity), can be accessed at cloud.tamhsc.edu. It allows you to Share most file types and folders with others from any device Syncplicity keeps everyone in sync, automatically. Create, edit, and share Microsoft Office documents using any platform, including mobile devices. Break out of the box Syncplicity lets you share any file or folder on your computer without copying them to a designated folder, like Dropbox. Send large files there are no file-size limits, and no FTP hassles. UTILIZATION OF PHI IN RESEARCH BY AUTHORIZATION: Data that contains PHI must strictly comply with HIPAA. In order to utilize PHI in connection with research, researchers must (a) obtain written authorization from the individual who is participating as a research subject in accordance with HIPAA standards for authorization, or (b) obtain a waiver of the authorization requirement from the Institutional Review Board (IRB) in accordance with HIPAA standards for such waivers, or (c) obtain approval for such use as preparatory to research, or d) notify the IRB of such use as research on decedents' information. PHI obtained in accordance with this policy may be used only by and disclosed only to the principal investigator and other members of the research team identified in the research protocol application, except that further disclosure may be made (a) as specified in the authorization granted by individual from whom PHI has been obtained or allowed under a BAA or DUA; or (b) as required or permitted by the HIPAA rules or other law. Approval of the IRB is required for any disclosure request that is not within the scope of an authorization granted by the individual participating in research or as required or permitted by HIPAA rules and other law. If an authorization is required in order to utilize PHI in connection with research, the content of the authorization must comply with HIPAA rules. Authorization may be obtained by the use of a separate authorization form, which is reviewed with and signed by the individual participating in the research protocol. A template authorization form is available at the Office for Research Protections and should be completed by the principal investigator and submitted for review and approval by the IRB. Authorization may also be obtained by including the requisite information in an Informed Consent Form to be used with the protocol. Model provisions for inclusion of an authorization 8

9 with the Consent Form are available at The IRB will review the authorization provisions as part of its review of the Informed Consent Form. Copies of the authorization must be signed by the individual participating in the research protocol and must be retained by the principal investigator for a minimum of three (3) years following completion of the study. (Ref. 45 CFR (b)). Other time limits may apply and the IRB office should be consulted in the event there are any questions. In the event a principal investigator leaves the University during the study or prior to the end of the time period required by contract or policy, for retaining consents and waivers, the investigator will notify the SPH Office of Research and IRB and make arrangements for ongoing retention of required research documents at the University. UTILIZATION OF PHI IN RESEARCH WITH A WAIVER OF AUTHORIZATION: If a research protocol proposes to obtain and use PHI in research without an authorization, the principal investigator must submit a request for a waiver of the authorization requirement to the A&M IRB. In addition, depending upon the policies of individual health care providers, it may be necessary to obtain approval of the waiver from another IRB or privacy board. An application must be in writing and be submitted with the protocol to be reviewed by the IRB. An application form for this purpose is available at A request for waiver of authorization will be reviewed by the full IRB at a regularly scheduled monthly meeting. An application for waiver will be approved only if the IRB concludes that the criteria in the HIPAA rules have been satisfied. These include: 1. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: i. an adequate plan to protect the identifiers from improper use and disclosure; ii. iii. an adequate plan to destroy the identifiers at the earliest opportunity consistent with the protocol, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted under the HIPAA Privacy Rule. 2. The research could not practicably be conducted without the waiver or alteration; and 9

10 3. The research could not practicably be conducted without access to and use of the protected health information. DATA ANALYSIS PREPARATORY TO RESEARCH: Because it may be necessary for a researcher to obtain access to and review PHI in order to prepare a research protocol, HIPAA rules allow such review upon compliance with specified criteria. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study, or to identify potential participants for a study. An application for review of PHI preparatory to research must be submitted to the A&M IRB. An application form is available at the A&M Research Compliance Office web site at HIPAA allows data analysis preparatory to research under the following conditions: PHI OF DECEDENTS: 1. The use or disclosure of the protected health information is solely to prepare a research protocol or for similar purposes preparatory to research; 2. No PHI will be removed in any manner, including by means of copying or notes, from the original source of the PHI; and 3. The PHI for which access is sought is necessary for the research purpose. Principal Investigators will also need to submit an IRB application prior to engaging in research with the PHI of decedents. In order to gain access to the PHI maintained by a covered entity, principal investigators will need to demonstrate: 1. Use or disclosure sought is solely for research on the PHI of decedents; 2. Adequate documentation of the death of such individuals; and 3. PHI for which use or disclosure is sought is necessary for the purposes of the proposed research. TRACKING OF PHI DISCLOSURES: HIPAA rules require that a record be made of a disclosure of any personally identifiable information that is made without an authorization by the research participant. Therefore, tracking of disclosures will have to be undertaken for all disclosures if a waiver of authorization, an approval for review preparatory to research or an approval for the use of a decedent's PHI is obtained for purposes of research, and for any disclosures not previously specified in a signed authorization document. For purposes of this policy, "disclosure" means the release, transfer, provision of access to, or divulging in any other manner of PHI to any person, whether or not employed by PSU, who is not participating in carrying out the research protocol. The following information about any disclosure must be recorded and made available upon request to the individual who is the subject of the PHI: 1. Date of disclosure; 2. Name of person/entity that received the PHI; 10

11 3. Description of what PHI was disclosed; and 4. Brief statement regarding the purpose of the disclosure. If a research protocol requires multiple disclosures to the same outside party over a period of time, the following information is adequate: 1. For the first disclosure, all of the above must be recorded. 2. For subsequent disclosures, tracking can refer to the initial record of disclosure and should include the frequency, periodicity or the number of disclosures that will be made. 3. The date of the last disclosure must be documented. Large Studies with Waiver: HIPAA rules allow a modified tracking method for research that involves the disclosure of PHI from more than 50 people and for which authorization has been waived. In this instance it is unnecessary to maintain a list of the specific persons about whom PHI has been disclosed, but the following information must be available upon the request of any individual whose information may have been included. 1. The name and description of all protocols involving 50 or more people for which authorization has been waived, including the purpose of these and criteria for selecting records, if the individual's information may have been included; 2. Brief descriptions of types of PHI disclosed; 3. Dates or time periods during which disclosures occurred; 4. Contact information (name, address, telephone number) for sponsors and recipient researchers; and 5. Statement that a specific individual's PHI may or may not have been disclosed for a particular protocol or research activity. In addition, the researcher must also assist in contacting the sponsor and recipient researcher if it is reasonably likely that an individual's PHI was disclosed to them. The principal investigator must submit all tracking of disclosure information to the IRB, and the principal investigator must retain the tracking information for no less than three (3) years. REVOCATION OF PHI or IRB AUTHORIZATION BY PARTICIPANT: HIPAA rules allow a subject to revoke a prior authorization to use or disclose PHI for purposes of research. Participant requests for the revocation of authorization must be requested in writing to the principal investigator. Researchers must honor this request, except to the extent the researcher has already relied on the authorization. Researchers may continue utilizing PHI that was obtained prior to the time the individual revoked his or her authorization, as necessary to maintain the integrity of the research study. In addition, use or disclosure of identifiable information previously obtained is permitted for purposes such as accounting for the participant's withdrawal, reporting adverse events, or complying with investigations. 11

12 STORAGE AND SECURITY FOR DATA CONTAINING PHI: The following apply to storage and security for data, including surveys, focus group notes, or other hard copy documents, containing any of the 18 PHI identifiers: Researchers are responsible for ensuring that all data containing PHI is securely protected from unauthorized disclosures. Researchers must take precautions to securely maintain and dispose of PHI, as described in Policy AD22. (See related policies AD20 and AD23.) Researchers are responsible for ensuring secure transfer of data containing PHI. If transmitting data electronically, or transferring data by portable device, researchers should ensure that a) the data is securely encrypted; b) that the receiver of the data is the individual for whom it is intended; and b) the data remains secure until it is received by the intended receiver. Questions about the security of electronic data transfers may be directed to the Office of Information Technology at or When sending or transferring data containing PHI via ground mail or delivery services, researchers must also assure the security of the information until it arrives in the hands of the intended receiver. Hard copy documents containing PHI should be sent 1) using an insured carrier; 2) with a receiving signature required; and 3) by a carrier with package tracking services. See also page 8 pertaining to use of Cloud servers. RESEARCH COMMENCED PRIOR TO HIPAA s EFFECTIVE DATE APRIL 14, 2003 Research that is/was ongoing before the applicable HIPPA compliance date (April 14, 2003) is covered by the Privacy Rule's transition provisions if the research participant's informed consent, other legal permission for the research use and disclosure, or an IRB's waiver of informed consent was obtained by the covered entity before the applicable compliance date for the Privacy RuleA transition provision was included in the HIPAA Privacy Rule that allows the research community to "grandfather" certain research studies that were underway at the compliance date mandated for the Privacy Rule. The Privacy Rule allows for use and disclosure of PHI created or received for research, either before or after April 14, 2003, if one of the following was obtained prior to that date: An authorization or other express legal permission from the individual to use or disclose his or her information for research, The legally effective informed consent of the individual to participate in the research, OR A valid waiver of informed consent from the IRB. However, if a subject is asked for informed consent (or asked to re-consent) for the use of PHI in research on or after April 14, 2003, an authorization must be obtained at that time. An authorization is not required under the HIPAA rule for participants who were enrolled in a research protocol before April 14, 2003 and who have signed a Common Rule-compliant informed consent form. Even if participants enrolled before April 14 th have follow-up visits after that date, authorization will not be required. 12

13 However, an authorization will be required for any participant enrolled in a study on or after April 14, 2003, even if the study was approved by the IRB prior to that date. Therefore, if all participants were enrolled prior to April 14, 2003, there is no need for an authorization for those participants. However, authorization will be required for any new participants after April 14, 2003, either in the form of a separate authorization document or a modified informed consent form, which includes the required authorization language. WAIVER OF CONSENT REQUIREMENT BY IRB FOR RESEARCH COMMENCED PRIOR TO APRIL 14, 2003 If researchers are conducting a medical records study under an IRB-approved waiver of consent they should continue protecting the privacy of participants' information, but do not need to re-apply to the IRB. Ongoing studies for which the IRB approved a waiver of informed consent are grandfathered under the HIPAA rule. Although a new waiver is not required, it is important to note that the individual rights provided by the Privacy Rule went into effect as of April 14, As a result, any disclosure of PHI made pursuant to a waiver of authorization must be tracked as noted above. 13

14 FORMS FOR RESEARCHERS 14

15 TAMHSC BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated, 2013 (the Effective Date ), is entered into by and between ( Covered Entity ) and ( Business Associate ), each a Party and collectively, the Parties. Covered Entity and Business Associate have entered into, are entering into, or may subsequently enter into, agreements or other documented arrangements (collectively, the Business Arrangements ) pursuant to which Business Associate may provide products and/or services for Covered Entity that require Business Associate to access, create, maintain, and use health information that is protected by state and/or federal law. Pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), the U.S. Department of Health & Human Services ( HHS ) promulgated the Standards for Privacy of Individually Identifiable Health Information (the Privacy Standards ), at 45 C.F.R. Parts 160 and 164, requiring certain individuals and entities subject to the Privacy Standards (each a Covered Entity, or collectively, Covered Entities ) to protect the privacy of certain individually identifiable health information ( Protected Health Information or PHI ). Pursuant to HIPAA, HHS issued the Security Standards (the Security Standards ), at 45 C.F.R. Parts 160, 162 and 164, for the protection of electronic protected health information ( EPHI ). In order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of the Covered Entity, the Privacy Standards and Security Standards require a Covered Entity to enter into a business associate agreement with certain individuals and entities providing services for or on behalf of the Covered Entity if such services require the use or disclosure of PHI or EPHI. On February 17, 2009, the federal Health Information Technology for Economic and Clinical Health Act was signed into law (the HITECH Act ), and the HITECH Act imposes certain privacy and security obligations on Covered Entities in addition to the obligations created by the Privacy Standards and Security Standards. The HITECH Act revises many of the requirements of the Privacy Standards and Security Standards concerning the confidentiality of PHI and EPHI, including extending certain HIPAA and HITECH Act requirements directly to Business Associates. The HITECH Act requires that certain of its provisions be included in business associate agreements, and that certain requirements of the Privacy Standards be imposed contractually upon Covered Entities as well as Business Associates. The Texas Legislature has adopted certain privacy and security requirements that are more restrictive than those required by HIPAA and HITECH, and such requirements are applicable to Business Associates as Covered Entities as defined by Texas law; and 15

16 Because Business Associate and Covered Entity desire to enter into this Business Associate Agreement, in consideration of the mutual promises set forth in this Agreement and the applicable Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby acknowledged, the Parties agree as follows: I. Definitions a. Except as otherwise defined in this Agreement, all capitalized terms used in this Agreement shall have the meanings set forth in HIPAA. b. Business Associate shall have the same meaning to the term Associate under the Privacy Rule, including, but not limited to, 45 CFR Section c. Breach shall mean the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the Protected Health Information as defined, and subject to the exceptions set forth, in 45 CFR d. Covered Entity shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR Section e. Data Aggregation Services shall mean the combining of PHI or EPHI by Business Associate with the PHI or EPHI received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of, payment to, and treatment of patients by the respective covered entities. f. Electronic Protected Health Information shall mean Protected Health Information that is transmitted or maintained in Electronic Media. g. HIPAA shall mean the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended and supplemented by the HITECH Act and its implementing regulations, as each is amended from time to time. h. HIPAA Breach Notification Rule shall mean the federal breach notification regulations, as amended from time to time, issued under HIPAA and set forth in 45 CFR Part 164 (Subpart D). i. HIPAA Privacy Rule shall mean the federal privacy regulations, as amended from time to time, issued under HIPAA and set forth in 45 CFR Parts 160 and 164 (Subparts A & E). j. HIPAA Security Rule shall mean the federal security regulations, as amended from time to time, issued under HIPAA and set forth in 45 CFR Parts 160 and 164 (Subparts A & C). k. HITECH Act shall mean Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American recovery and Reinvestment Act of 2009, 42 U.S.C , and all its implementing regulations, when and as each is effective and compliance is required. 16

17 l. Protected Health Information of PHI shall mean Protected Health Information, as defined in 45 CFR , and is limited to the Protected Health Information received, maintained, created or transmitted on behalf of, Covered Entity by Business Associate in performance of the Underlying Services. m. Underlying Services shall mean, to the extent and only to the extent they involve the creation, maintenance, use, disclosure or transmission of Protected Health Information, the services performed by Business Associate for Covered Entity pursuant to the Underlying Services Agreement. n. Underlying Services Agreement shall mean the written agreement(s) (other than this Agreement) by and between the parties as amended as set forth in the attached schedule by and between the Parties pursuant to which Business Associate access to, receives, maintains, creates or transmits PHI for or on behalf of Covered Entity in connection with the provision of the services described in that agreement(s) by Business Associate to Covered Entity or in performance of Business Associate s obligations under such agreement(s). II. Business Associate Obligations. Business Associate may receive from Covered Entity, or create or receive or maintain on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All references to PHI herein shall be construed to include EPHI. Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Privacy Standards, Security Standards the HITECH Act, or Texas law, including without limitation the provisions of Texas Health and Safety Code Chapters 181 and 182 as amended by HB 300 (82nd Legislature), effective September 1, 2012, in each case including any implementing regulations as applicable (collectively referred to hereinafter as the Confidentiality Requirements ) if the PHI were used or disclosed by Covered Entity in the same manner. III. Use of Protected Health Information Except as otherwise required by law, Business Associate shall use PHI in compliance with 45 C.F.R (e). Furthermore, Business Associate shall use PHI (i) solely for Covered Entity s benefit and only for the purpose of performing services for Covered Entity as such services are defined in Business Arrangements, (ii) for Data Aggregation Services (as hereinafter defined), and (iii) as necessary for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. For avoidance of doubt, under no circumstances may Business Associate sell PHI in such a way as to violate Texas Health and Safety Code, Chapter , as amended by HB 300 (82nd Legislature), effective September 1, 2012, nor shall Business Associate use PHI for marketing purposes in such as manner as to violate Texas Health and Safety Code Section , or attempt to re-identify any information in violation of Texas Health and Safety Code Section , regardless of whether such action is on behalf of or permitted by the Covered Entity. To the extent not otherwise prohibited in the Business Arrangements or by applicable 17

18 law, use, creation and disclosure of de-identified health information, as that term is defined in 45 CFR , by Business Associate is permitted. IV. Disclosure of Protected Health Information Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party persons or entities as necessary to perform its obligations under the Business Arrangement and as permitted or required by applicable federal or state law. Business Associate recognizes that under the HIPAA/HITECH Omnibus Final Rule, Business Associates may not disclose PHI in a way that would be prohibited if Covered Entity made such a disclosure. Any disclosures made by Business Associate will comply with minimum necessary requirements under the Privacy Rule and related regulations. Business Associate shall not [and shall provide that its directors, officers, employees, subcontractors, and agents, do not] disclose PHI to any other person (other than members of their respective workforce as specified in subsection 0 below), unless disclosure is required by law or authorized by the person whose PHI is to be disclosed. Any such disclosure other than as specifically permitted in the immediately preceding sentences shall be made only if such disclosee has previously signed a written agreement that: a.) Binds the disclosee to the provisions of this Agreement pertaining to PHI, for the express benefit of Covered Entity, Business Associate and, if disclosee is other than Business Associate, the disclosee; b.) Contains reasonable assurances from disclosee that the PHI will be held confidential as provided in this Agreement, and only disclosed as required by law for the purposes for which it was disclosed to disclosee; and, c.) Obligates disclosee to immediately notify Business Associate of any breaches of the confidentiality of the PHI, to the extent disclosee has obtained knowledge of such breach. Business Associate shall not disclose PHI to any member of its workforce and shall provide that its subcontractors and agents do not disclose PHI to any member of their respective workforces, unless Business Associate or such subcontractor or agent has advised such person of Business Associate s obligations under this Agreement, and of the consequences for such person and for Business Associate or such subcontractor or agent of violating them as memorialized in a business associate agreement pursuant to the HIPAA/HITECH Omnibus Final Rule. Business Associate shall take and shall provide that each of its subcontractors and agents take appropriate disciplinary action against any member of its respective workforce who uses or discloses PHI in contravention of this Agreement In addition to Business Associate s obligations under Section 9, Business Associate agrees to mitigate, to the extent commercially practical, harmful effects that are 18

19 known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement. V. Access to and Amendment of Protected Health Information Business Associate shall (i) provide access to, and permit inspection and copying of, PHI by Covered Entity; and (ii) amend PHI maintained by Business Associate as requested by Covered Entity. Any such amendments shall be made in such a way as to record the time and date of the change, if feasible, and in accordance with any subsequent requirements promulgated by the Texas Medical Board with respect to amendment of electronic medical records by HIEs. Business Associate shall respond to any request from Covered Entity for access by an individual within seven (7) days of such request and shall make any amendment requested by Covered Entity within twenty (20) days of the later of (a) such request by Covered Entity or (b) the date as of which Covered Entity has provided Business Associate with all information necessary to make such amendment. Business Associate may charge a reasonable fee based upon the Business Associate s labor costs in responding to a request for electronic information (or the fee approved by the Texas Medical Board for the production of non-electronic media copies). Business Associate shall notify Covered Entity within five (5) days of receipt of any request for access or amendment by an individual. Covered Entity shall determine whether to grant or deny any access or amendment requested by the individual. Business Associate shall have a process in place for requests for amendments and for appending such requests and statements in response to denials of such requests to the Designated Record Set, as requested by Covered Entity. VI. Accounting of Disclosures Business Associate shall make available to Covered Entity in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual in accordance with 45 CFR , as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by HHS in accordance with such provision. VII. Records and Audits Business Associate shall make available to the United States Department of Health and Human Services or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of Covered Entity for the purpose of determining Covered Entity s compliance with the Confidentiality Requirements or the requirements of any other health oversight agency, in a time and manner designated by the Secretary. VIII. Implementation of Security Standards; Notice of Security Incidents Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate will implement administrative, physical and technical safeguards that reasonably and 19

20 appropriately protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate acknowledges that the HITECH Act requires Business Associate to comply with 45 C.F.R , , and as if Business Associate were a Covered Entity, and Business Associate agrees to comply with these provisions of the Security Standards and all additional security provisions of the HITECH Act. Furthermore, to the extent feasible, Business Associate will use commercially reasonable efforts to secure PHI through technology safeguards that render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI in accordance with HHS Guidance published at 74 Federal Register (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute for Standards and Technology ( NIST ) concerning the protection of identifiable data such as PHI. Lastly, Business Associate will promptly report to Covered Entity any successful Security Incident of which it becomes aware. At the request of Covered Entity, Business Associate shall identify: the date of the Security Incident, the scope of the Security Incident, the Business Associate s response to the Security Incident and the identification of the party responsible for causing the Security Incident, if known. IX. Data Breach Notification and Mitigation HIPAA Data Breach Notification and Mitigation. Business Associate agrees to implement reasonable systems for the discovery and prompt reporting to Covered Entity of any breach of unsecured PHI as those terms are defined by 45 C.F.R Specifically, a breach is an unauthorized acquisition, access, use or disclosure of unsecured PHI, including ephi, which compromises the security or privacy of the PHI/ePHI. A breach is presumed to have occurred unless there is a low probability that the PHI has been compromised based on a risk assessment of at least the factors listed in 45 C.F.R (2)(i)-(iv) (hereinafter a HIPAA Breach ). The parties acknowledge and agree that 45 C.F.R , as described below in this Section 8.1, governs the determination of the date of discovery of a HIPAA Breach. In addition to the foregoing and notwithstanding anything to the contrary herein, Business Associate will also comply with applicable state law, including without limitation, Section 521 Texas Business and Commerce Code, as amended by HB 300 (82nd Legislature), or such other laws or regulations as may later be amended or adopted. In the event of any conflict between this Section 8.1, the Confidentiality Requirements, Section 521 of the Texas Business and Commerce Code, and any other later amended or adopted laws or regulations, the most stringent requirements shall govern. Discovery of Breach. Business Associate will, following the discovery of a HIPAA Breach, notify Covered Entity without unreasonable delay and in no event later than the earlier of the maximum of time allowable under applicable law or three (3) business days after Business Associate discovers such HIPAA Breach, unless Business Associate is prevented from doing so by 45 C.F.R concerning law enforcement investigations. For purposes of reporting a HIPAA Breach to 20

21 Covered Entity, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. Business Associate will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the HIPAA Breach) who is an employee, officer or other agent of the Business Associate. Reporting a Breach. Without unreasonable delay and no later than the earlier of the maximum of time allowable under applicable law or five (5) business days following a HIPAA Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R et seq. Specifically, if the following information is known to (or can be reasonably obtained by) the Business Associate, Business Associate will provide Covered Entity with: a.) contact information for individuals who were or who may have been impacted by the HIPAA Breach (e.g., first and last name, mailing address, street address, phone number, address); b.) a brief description of the circumstances of the HIPAA Breach, including the date of the HIPAA Breach and date of discovery; c.) a description of the types of unsecured PHI involved in the HIPAA Breach (e.g., names, social security number, date of birth, addressees, account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); d.) a brief description of what the Business Associate has done or is doing to investigate the HIPAA Breach, mitigate harm to the individual impacted by the HIPAA Breach, and protect against future HIPAA Breaches; and, e.) appoint a liaison and provide contact information for same so that Covered Entity may ask questions or learn additional information concerning the HIPAA Breach. Following a HIPAA Breach, Business Associate will have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the HIPAA Breach, including but not limited to the information described in items (i) through (v), above. X. Termination This Agreement shall commence on the Effective Date. Upon the termination of the applicable Business Arrangement, either Party may terminate this Agreement by providing written notice to the other Party. Upon termination of this Agreement for any reason, Business Associate agrees: 21

22 a.) to return to Covered Entity or to destroy all PHI received from Covered Entity or otherwise through the performance of services for Covered Entity, that is in the possession or control of Business Associate or its agents. Business Associate agrees that all paper, film, or other hard copy media shall be shredded or destroyed such that it may not be reconstructed, and EPHI shall be purged or destroyed concurrent with NIST Guidelines for media sanitization at or, b.) in the case of PHI which is not feasible to return or destroy, to extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI. XI. Miscellaneous Notice. All notices, requests, demands and other communications required or permitted to be given or made under this Agreement shall be in writing, shall be effective upon receipt or attempted delivery, and shall be sent by (i) personal delivery; (ii) certified or registered United States mail, return receipt requested; (iii) overnight delivery service with proof of delivery; or (iv) facsimile with return facsimile acknowledging receipt. Notices shall be sent to the addresses below. Neither party shall refuse delivery of any notice hereunder. Business Associate: Covered Entity: Waiver. No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the Party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach. Assignment. Neither Party may assign (whether by operation or law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other Party. Notwithstanding the foregoing, Covered Entity shall have the right to assign its rights and obligations hereunder to any entity that is an affiliate or successor of Covered Entity, without the prior approval of Business Associate. Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without 22

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) by and between Drexel University ( Hybrid Entity ), with a principal address at 3141 Chestnut Street, Philadelphia, PA 19104,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

DATA USE AGREEMENT RECITALS

DATA USE AGREEMENT RECITALS DATA USE AGREEMENT This Data Use Agreement (the Agreement ), effective as of the day of, 20, is by and between ( Covered Entity ) and ( Limited Data Set Recipient or Recipient ) (collectively, the Parties

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS This Business Associate Agreement (this Agreement ), is made as of the day of, 20 (the Effective Date ), by and between ( Business Associate ) and ( Covered Entity

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 20 (the Effective Date ), by and between (a) THE SOCIETY OF GYNECOLOGIC

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version)

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) THIS AGREEMENT is entered into and made effective the day of, 2012 (the Effective Date ), by and between (a)

More information

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES 1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( the Agreement ) is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ( Business Associate

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2015 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 2014 (the Effective Date ), by and between (a) GI Quality Improvement Consortuim,

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

Children's Hospital, Boston (Draft Edition)

Children's Hospital, Boston (Draft Edition) Children's Hospital, Boston (Draft Edition) The Researcher's Guide to HIPAA Evervthing You Alwavs Wanted to Know About HIPAA But Were Afraid to Ask 1. What is HIPAA? 2. What is the Privacy Rule? 3. What

More information

Medical Society of Virginia 2924 Emerywood Parkway, Ste 300 Richmond, VA 23294 Fax: 804-355-6189

Medical Society of Virginia 2924 Emerywood Parkway, Ste 300 Richmond, VA 23294 Fax: 804-355-6189 RE: MSV and MSVIA Business Associate Agreement The HIPAA Privacy Rule requires that specific safeguards be implemented for sharing protected health information (PHI) among different entities. A medical

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy

More information

HIPAA Business Associate Agreement Instructions

HIPAA Business Associate Agreement Instructions HIPAA Business Associate Agreement Instructions HIPAA AND COLA ACCREDITATION The Health Insurance Portability and Accountability Act (HIPAA) requires laboratories to enter into written agreements with

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

HIPAA POLICY REGARDING BUSINESS ASSOCIATES

HIPAA POLICY REGARDING BUSINESS ASSOCIATES HIPAA POLICY REGARDING BUSINESS ASSOCIATES SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units of Emory University: School of Medicine; School of Nursing;

More information

BUSINESS ASSOCIATE AGREEMENT. Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and

BUSINESS ASSOCIATE AGREEMENT. Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and BUSINESS ASSOCIATE AGREEMENT Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and Associate ) ( Business This Business Associate Agreement (this Agreement ) effective as of (the

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

Appendix : Business Associate Agreement

Appendix : Business Associate Agreement I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,

More information

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Data Use Agreement 1 Revision Date: This Data Use Agreement (the Agreement ) is entered into by and between Yale University ( Covered Entity ) and ( Data User ), collectively, the Parties, and shall

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

HIPAA Medical Billing Requirements For Research

HIPAA Medical Billing Requirements For Research The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy June 2008 Table of Contents PART V: The Health Insurance Portability and Accountability Act (HIPAA)...

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

BUSINESS ASSOCIATE AGREEMENT Tribal Contract DEPARTMENT OF HEALTH SERVICES Division of Enterprise Services F-00714 (08/2013) STATE OF WISCONSIN BUSINESS ASSOCIATE AGREEMENT Tribal Contract This Business Associate Agreement is made between the Wisconsin

More information

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related

More information

Preferred Professional Insurance Company Subcontractor Business Associate Agreement

Preferred Professional Insurance Company Subcontractor Business Associate Agreement Preferred Professional Insurance Company Subcontractor Business Associate Agreement THIS SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT ( Agreement ) amends and is made a part of all Services Agreements (as

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS COVERYS RRG, INC. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS WHEREAS, the Administrative Simplification section of the Health Insurance Portability and

More information

Limited Data Set Data Use Agreement

Limited Data Set Data Use Agreement Limited Data Set Data Use Agreement This Agreement is made and entered into by and between (hereinafter Applicant ) and the State of Florida Agency for Health Care Administration, Florida Center for Health

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice

More information

BAC to the Basics: Business Associate Contracts Made Easy

BAC to the Basics: Business Associate Contracts Made Easy BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear :

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear : [Insert Name and Address of Data Recipient] Re: Data Use Agreement Dear : The federal Health Insurance Portability and Accountability Act and the regulations promulgated thereunder (collectively referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

Business Associates Agreement

Business Associates Agreement Business Associates Agreement This Business Associate Agreement (the Agreement ) between Customer,( Covered Entity ) and Kareo ( Business Associate ) will be in effect during any such time period that

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

Business Associate Contract

Business Associate Contract Business Associate Contract THIS CONTRACT is made and entered into by and between Imagine! (hereinafter called Contractor ), a not-for-profit Community Centered Board, duly incorporated and existing under

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is entered into by and between Wittman Enterprises, LLC ( Business Associate ) and City of Coronado Fire Department ( Covered Entity ). RECITALS

More information

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA This Business Associate Addendum ("Addendum") supplements and is made a part of the service contract(s) ("Contract") by and between St. Joseph Health System

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date Level 2 & 3: Product 1/2 Business Associates Agreement Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date This Business Associate Agreement is made as of the

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information