How to Process Software Agreements at Penn State
- Julia Golden
- 8 years ago
SEPTEMBER 3, 2015
PRESENTED BY: DANNA BRESSLER, PURCHASING AGENT; RICHEL PERRETTI, CONTRACT MANAGER, RISK MANAGEMENT

Overview
- Important Policies
- Contract Signature Authority
- Data Categorization Policy
- Determine where to Route Software Agreements
- Purchasing Software Agreement Process
- Risk Management Electronic Software Agreement Process
- Coming Soon
- FNG02 Changes for Software Electronic Agreements
- Software Agreement Decision Tool

Contract Signature Authority

As outlined in Policy FN11, only nine Corporate Officers for Penn State are authorized to sign contracts for the University:
- Board President
- Board Vice President
- Secretary (the University's President)
- Treasurer (the University's Senior Vice President for Finance and Business)
- the three Assistant Treasurers
- Corporate Controller
- for Hershey, the Controller of the College of Medicine

Contract Signature Authority

Policy Guideline FNG02 outlines specific delegated signature authority:
- Office of Sponsored Programs
- Office of Technology Management
- Purchasing
- Other individuals or titles
- Electronic Agreements

Excerpt from FNG02 as of 9/3/15:

E. Electronic Agreements
Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process. The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University. This one time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University's acceptance of the agreement.

Coming Soon: new language to specifically address electronic Software agreements.

Policy AD71 Data Categorization
- Public: Public data are intended for distribution to the general public, both internal and external to the University. The release of the data would have no or minimal damage to the institution.
- Internal/Controlled: Internal/controlled data is intended for distribution within the University only, generally to defined subsets of the user population. The release of the data has the potential to create moderate damage to the institution.
- Restricted: Restricted data are those which the University has legal, regulatory, policy or contractual obligations to protect. Access to restricted data must be strictly and individually controlled and logged. The release of such data has the potential to create major damage to the institution.

ADG07
Provides examples of data that fall under the data categories in Policy AD71, Data Categorization.

Where to Route Software Agreements: Purchasing or Risk Management?
Purchasing handles ALL Software/SaaS agreements regardless of payment method or even if it is free, UNLESS it is an electronic click-through agreement and then Risk Management will process.
NOTE: Once FNG02 is updated you should complete the Software Agreement Decision Tool referenced in the updated policy for Electronic Agreements to determine this.

PSU Software Agreement Process
Goal: Authorized Contract

Necessary Steps
- Determine what data category(ies) is involved (AD71), is vendor hosting software (or PSU) and who will use the Software (employees, students etc.)
- Inquire about the vendor's willingness to negotiate their standard terms and conditions
  - If Yes: Obtain vendor terms and conditions
  - If No: Obtain vendor terms and conditions, adjust expectations accordingly and work toward potential Plan B
  - Are there other University approved services that meet the need?
- Determine where to route contract: Purchasing or Risk Management
- Complete appropriate Cover Sheet and route according to Purchasing or Risk Management Process
- Purchasing and Risk Management involve other offices as needed as part of contract review.

IMPORTANT
- Supply accurate information on Cover Sheet
- Timing / Plan Ahead
- Critical to understand what you can/can't do (restrictions)
- How will this be communicated to end users

Contract Process for Purchasing
Process to submit to Purchasing for review and negotiation:
- Determine payment method (ebuy PO, SRFC, P card)
- If ebuy PO: attach all agreement documents and Software Agreement Cover Sheet to the requisition
- If SRFC, P card or other method: agreement and Software Agreement Cover Sheet to purchasesoftware@psu.edu

Purchasing: Software Agreement Cover Sheet
Access Cover Sheet and instructions on how to complete Cover Sheet at: staff/forms/index.cfm

VIP Areas to be handled with extra attention
- Payment Method
- Agreement Type (provides background for Purchasing)
- End Users of Product
- Data Access/Data Security
- Data Categorization/Detailed Description of Data
- Credit Card Processing Ability
- Integration with existing University Systems
- Acknowledgement Section

Purchasing Review/Negotiation Process
Purchasing will review the agreement and determine the next steps.
- Contract Negotiation with the Supplier
- Consultation of PSU Internal Departments
- Negotiation of appropriate language
- Financial Signoff
- Internal controls
- Active engagement in mitigating the risks associated with the product/service (what can the department do to lower the risks?)

After the contract is signed by Purchasing and Vendor
- Green light for the use case indicated by the initiating department (Data specific and Unit specific based on completed Software Agreement Cover Sheet)
- Does not open the door to University wide usage unless reviewed under that context
- Changes on how product/service will be used requires additional review (possible contract amendment)

Hosted Sensitive Data Addendum
Hosted Sensitive Data Addendum (HSDA): University developed document outlining University minimum requirements for security, liability, insurance, e-discovery issues etc. and serves as baseline document when vendor hosts, stores or has access to sensitive University data
- Implemented in 2013; last updated May 2015
- Many offices involved: SOS, Privacy, OGC, Purchasing, Internal Audit, and Risk Management
- Vendor may propose changes to be considered by University
- HSDA is always required when Restricted data is hosted by vendor.
- Examples of Sensitive Data: Credit Card Processing data, FERPA, HIPAA, or SSN
- RFPs and Bid responses

HSDA Addresses:
Data Security
- Ensure appropriate administrative, technical and physical security measures
- Location of servers must be located in U.S.
- Penetration testing
- Encrypted backups
Compliance
- FERPA, HIPAA (PHI), PCI, SSN (PII)
- Data breach notification to University Privacy Office
Protection for University Related to Breaches and Claims
- Insurance Requirements including Cyber/Privacy
- Indemnification, Limitation of Liability and E-Discovery

Risk Management: Electronic Agreement Process
- Identify electronic Software Agreement Terms: End User License Agreement (EULA) and/or Terms of Service; Terms and Conditions
- Complete Risk Management Electronic Agreement Cover Sheet. Be sure to include:
  - Brief description of Software
  - Is Vendor Hosting Software or is Software locally loaded on PSU device?
  - What data category(ies) is involved?
  - Highest risk is related to functionality of Vendor Hosted Software and when vendor hosts Restricted data
- completed cover sheet and electronic Software Agreement Terms to central

Excerpt from FNG02 as of 9/3/15 outlining current process:

E. Electronic Agreements
Any agreements that are required to be accepted online must be reviewed by the Office of Risk Management and submitted to the Corporate Controller for the signature process. The Corporate Controller or Assistant Treasurer will approve acceptance of the agreement and instruct the appropriate individual to accept the agreement electronically on behalf of the University. This one time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University's acceptance of the agreement.

Coming Soon: new FNG02 language for Electronic Software Agreements

Subject to the exceptions below, employees are hereby delegated the authority to accept electronic terms and conditions of software/software-as-a-service and application (referred to as "Software") agreements, whether free or procured through use of the Purchasing Card or otherwise where, as defined within University Policy AD71, to the extent that only Public or Internal/Controlled data will be used or stored within the Software. If an employee accepts such terms, and there is a breach of data or other claim/damages which cause expense to the University, all such resulting expenses shall be borne by the unit whose employee accepted the software/application's terms.

EXCEPTIONS: Employees are not permitted to accept such electronic terms and conditions without a full review by the Risk Management Office pursuant to the requirements of paragraph E.1 above if any of the following situations will occur:
a. If the Software or related support documentation or files are expressly identified by the vendor/provider as controlled under U.S. or foreign export laws or regulations;
b. If the Software, support documentation and/or associated data files will be installed or reside on any portable electronic device, such as a laptop or tablet computer, which will be taken on trips outside of the United States or such Software, support documentation and/or associated data files will be accessed remotely by the user while outside of the United States;
c. If foreign nationals will require access to the software for more than mere operational use of the Software (such as access to installation files and/or source code);
d. If the user intends to use the Software to manipulate, store or manage Restricted data (per University Policy AD71);
e. If the use of the Software will generate revenue, regardless of method, for the University; or,
f. If the Software will exchange data with or integrate into any other existing University Information Technology resources or systems.

In order to assist faculty and staff in determining how Software Agreements should be processed, a Software Agreement Decision Tool has been developed which includes questions to determine if any of the above exceptions apply to the Software Agreement. The Software Agreement Decision Tool may be found at (insert link location).

Coming Soon

DECISION: ROUTE TO PURCHASING

Answering No triggers a series of additional questions that link directly with the changes being made to Policy FNG02 to determine whether:
1. The employee will be delegated signature authority to accept terms electronically on behalf of the University; or
2. if Risk Management review is required.

The additional questions identify if any of the exceptions listed in the new FNG02 language applies to the Software use:
- Determining if any identified Export Control issues apply
- Determining if Restricted data (as defined in Policy AD71) is involved
- Determine if Software integrates with any existing IT systems
- Determine if use of Software will generate any revenue

If based on the additional questions any of the Exceptions outlined in the updated FNG02 language for Electronic Agreements apply, then the following Decision will be displayed.

DECISION: ROUTE TO RISK MANAGEMENT

If none of the Exceptions outlined in the updated FNG02 language for Electronic Agreements apply, then the following Decision will be displayed.

DECISION: CLICK AWAY!

Software Agreement Decision Tool
Also addresses Student Use of Software in Courses:
- Some key questions in the Software Agreement Decision Tool will ask about Software intended for use by Penn State students due to the Software being a required part of a University course.
- The decision tool will also provide a Decision on whether it is acceptable for students to accept these terms without further University review or if further review is required.
- Will be available once FNG02 Electronic Agreement language is updated, but should be used for ALL software agreements and not just electronic software agreements.
- Expected to be available via GURU

Takeaways
- Become familiar with related policies and procedures
- Do your best to give as much detailed and correct information when submitting cover sheets to Purchasing or Risk Management.
- Once available use the Software Agreement Decision Tool
- Why is an Authorized Agreement important?
  - Compliance with University Policy
  - Actively manage risks associated with Software
  - Protection for University and its employees
  - Internal Audit

Questions?
PURCHASING: Danna Bressler, Purchasing Agent
RISK MANAGEMENT: Richel Perretti, Contract Manager
More informationServer Hosting Request
Server Hosting Request Contact Name: Date: Email Address: Department Information Office: Department: Phone Number: Guidelines Technology Services provides a fee based physical and virtual server hosting
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationHIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND
HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationA How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
More informationThird Party Security: Are your vendors compromising the security of your Agency?
Third Party Security: Are your vendors compromising the security of your Agency? Wendy Nather, Texas Education Agency Michael Wyatt, Deloitte & Touche LLP TASSCC Annual Conference 3 August 2010 Agenda
More informationLeveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance
ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection
More informationThe Institute of Professional Practice, Inc. Business Associate Agreement
The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute
More informationACTION COLLECTION SERVICES INC. BUSINESS ASSOCIATE AGREEMENT (FOR MEDICAL PROVIDERS)
ACTION COLLECTION SERVICES INC. BUSINESS ASSOCIATE AGREEMENT (FOR MEDICAL PROVIDERS) THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ), is dated as of, by and between Action Collection Services Inc. (
More informationIt s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?
It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationCyber, Security and Privacy Questionnaire
Cyber, Security and Privacy Questionnaire www.fbinsure.com Please note: This is an electronic application. When completed please save and email to: Ed McGuire emcguire@fbinsure.com Cyber, Security & Privacy
More informationUse & Disclosure of Protected Health Information by Business Associates
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
More informationBENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT
BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization
More informationBUSINESS ASSOCIATE ADDENDUM
BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate
More informationBUSINESS ASSOCIATE AGREEMENT
Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
More informationUNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY
PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment
More informationEnclosure. Dear Vendor,
Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationDepartment of Children and Families (DCF) Request for Information (RFQ) #01U013DS1 HIPAA Compliance Review DCF Answers to Vendor Questions
Department of Children and Families (DCF) Request for Information (RFQ) #01U013DS1 HIPAA Compliance Review s to Vendor Questions Questions as Submitted by Vendors (Duplicates omitted) 1. Have controls
More information