4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set.

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set."

Transcription

1 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Limited Data Sets and Data Use Agreements POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title: Limited Data Sets and Data Use Agreements Responsible Executive (RE): General Counsel Sponsoring Organization (SO): Office of General Counsel Dates: Effective Date: Revised: Annual Review: I. POLICY STATEMENT In accordance with 45 CFR , ISU adopts and implements this policy in order to: A. Provide guidance on how to create a limited data set. B. Outline the process for reviewing and responding to requests for limited data sets. C. Define the requirements of a Data Use Agreement for use and disclosure of a limited data set. II. AUTHORITY AND RESPONSIBILITIES ISU is a hybrid entity in accordance with ISU s HIPPA Privacy Policy Only the health care component (i.e., the covered functions) of ISU must comply with this policy. All references in this policy to ISU shall be construed to refer only to the health care component of ISU. III. DEFINITIONS See HIPAA Privacy Policy IV. PROCEDURES TO IMPLEMENT A. Creating Limited Data Sets: 1. Limited Data Set A limited data set is PHI that excludes the following direct identifiers of the patient, or of the patient s relatives, employers or household members: a. Names b. Postal address information, other than town or city, state, and zip code c. Telephone numbers HIPAA Privacy Limited Data Sets and Data Use Agreements Page 1 of 8

2 d. Fax Numbers e. Electronic mail addresses f. Social Security numbers g. Medical record numbers (including prescription and clinical trials numbers) h. Health plan beneficiary numbers i. Account numbers j. Certificate/license numbers k. Vehicle identifiers and serial numbers, including license plate numbers l. Device identifiers and serial numbers m. Web Universal Resource Locators (URLs) n. Internet Protocol (IP) address numbers o. Biometric identifiers, including finger and voice prints p. Full face photographic images and any comparable images 2. The covered entity may use PHI to create a Limited Data Set, or may disclose PHI to a business associate, pursuant to an executed business associate agreement, so that the business associate can create a Limited Data Set. 3. Limited Data Sets may be used or disclosed only: a. For the purposes of research, public health, and/or health care operations. b. To or by a business associate for purposes of creating a Limited Data Set for the covered entity, another covered entity, or the business associate. 4. No accounting of disclosures is required with respect to disclosures of PHI within a Limited Data Set. 5. The covered entity will define approved methods of creating Limited Data Sets. a. The Federal Information Processing Standard (FIPS) 198 Keyed-Hash Message Authentication Code (HMAC) does not qualify as an appropriate method for deidentifying information under Federal privacy requirements; however, the HMAC methodology may be used to create a Limited Data Set. 6. If the covered entity uses specialized software to de-identify PHI or re-identify information, access by workforce members to the software will be governed by the appropriate covered entity policies and procedures on information security and privacy, including, but not limited to: a. Access controls b. Password management c. Media control d. Physical safeguards e. Confidentiality and privacy of PHI B. Processing Requests for Limited Data Sets: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 2 of 8

3 1. Requests for Limited Data Sets must be documented (using Attachment A Limited Data Set Request and Data Use Agreement) and submitted to the Privacy Officer or his/her designee: 2. A request for a Limited Data Set must include the following: a. Requestor s name, address, telephone numbers, title, organization or department; b. Date of request; c. Purpose of the request (e.g., research, public health or health care operations), including the intended uses, any re-disclosures, and who will use or have access to the Limited Data Set; d. Names of all recipients of the Limited Data Set; e. Record parameters or selection criteria time period included, minimum number of patient records, type of patient records (such as by diagnosis, procedure, drug use, or other criteria); and f. Date the Limited Data Set is needed. 3. If a Limited Data Set Request and Data Use Agreement that relates to a research study is sent directly to the covered entity s IRB or Privacy Board, the request form should be forwarded to the Privacy Officer or his/her designee before any review is conducted. 4. The Limited Data Set Request and Data Use Agreement must be logged and assigned a unique tracking number. This will assist the Privacy Officer or his/her designee to monitor and document completion of the review and authorization process prior to production or release of the Limited Data Set. 5. Payment of the application processing fee should be submitted with the Limited Data Set Request and Data Use Agreement. The Privacy Officer, or his/her designee, will transfer the application fee payment to the appropriate workforce member. See Fee Schedule section below for further information. 6. The minimum necessary standard applies to requests for Limited Data Set information. a. For example, a patient s date of birth should only be disclosed where a requestor and the covered entity agree that it is needed for the purpose of the request. b. In very limited circumstances, if the requestor provides an adequate description of the purposes of the Limited Data Set and specifies the particular data elements required, the covered entity may rely on a requested disclosure as the minimum necessary. 7. Third party recipients of a Limited Data Set must sign a Data Use Agreement outlining the approved use of the Limited Data Set. The covered entity must obtain satisfactory assurance, in the form of a Data Use Agreement that meets the requirements of the HIPAA Privacy Rule, that the recipient will only use or disclose the Limited Data Set for the limited purposes set forth in the Data Use Agreement. a. The Data Use Agreement between the covered entity and the recipient of the Limited Data Set must: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 3 of 8

4 i. Establish the permitted uses and disclosures of such information by the Limited Data Set recipient; ii. Not authorize the Limited Data Set recipient to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule; iii. Establish who is permitted to use or receive the Limited Data Set; and iv. Provide that the Limited Data Set recipient will; 01. Not use or further disclose the information other than as permitted by the Data Use Agreement or as otherwise required by law; 02. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the Data Use Agreement; 03. Report to the covered entity s Privacy Officer any use or disclosure of the information not allowed by its Data Use Agreement of which it becomes aware; 04. Ensure that any agents, including a subcontractor to whom it provides the Limited Data Set, agree to the same restrictions and conditions that apply to the Limited Data Set recipient with respect to such information; and 05. Not identify the information or contact any of the patients, or the patient s family members, employers, or household members, whose PHI is included in the Limited Data Set. 8. Request for Limited Data Sets may be denied if: a. The covered entity cannot create the Limited Data Set; b. The recipient refuses to sign the Data Use Agreement; c. The recipient refuses to compensate the covered entity for generating the Limited Data Set; or d. Creating the Limited Data Set is an imposition to the operations of the covered entity. 9. The Limited Data Set Request and Data Use Agreement form must be reviewed, approved or denied by the Privacy Officer or his/her designee. The Privacy Officer should be notified of the decision to accept or deny the request for the Limited Data Set. a. The Limited Data Set Request and Data Use Agreement form is used to document the decision and a copy is provided to the requestor informing him or her of the decision. b. The Limited Data Set log, maintained by the Privacy Officer, should reflect the decision and confirm that written communication of the decision was sent to the requestor. 10. In the event the request is approved, the requestor will be asked to confirm acceptance of and submit payment for the production costs prior to actual creation of the Limited Data Set. a. If the approved Limited Data Set request is for PHI that will be used for the purpose of conducting research, the request must be routed to the IRB or Privacy Board for further consideration and approval of a waiver or alteration of authorization prior to communicating with the requestor. See HIPAA Privacy Policy Use and Disclosure of PHI for Research for further guidance HIPAA Privacy Limited Data Sets and Data Use Agreements Page 4 of 8

5 b. For tracking and monitoring purposes, the IRB or Privacy Board will notify the Privacy Officer in writing of a denial, or the waiver of authorization for approved research requests for Limited Data Sets. The Privacy Officer will contact the requestor of the Board s decision in writing. 11. Approved requests for creation of Limited Data Sets will be routed to personnel designated by the Privacy Officer or the business associate responsible for creating the Limited Data Set. 12. The Privacy Officer, or his/her designee, should be contacted at the time of release to establish and document closure of the process in the Limited Data Set log. C. Fee Schedule: 1. The requestor of a Limited Data Set may be asked to compensate the covered entity for resource expenditures related to the request. Note: The covered entity must determine if an application fee will be established for processing requests for Limited Data Sets. The fee should provide reasonable cost recovery of the personnel time required for reviewing the request and determining the estimate of costs to produce the requested Limited Data Set. It is recommended that the application fee be collected at the time the request is submitted to avoid after-the-fact billing or collection efforts. Consideration of fee structures must address implications by research studies that are federally-funded. 2. The covered entity may establish a fee schedule to compensate for the use of personnel, time, software, hardware, and supplies for: a. Reviewing requests for Limited Data Sets (application fee); b. Generating the Limited Data Set; and c. Other specified activities related to the production and delivery of the Limited Data Set. In the event the initial review results in an approval to create the Limited Data Set, a determination of the cost to produce the data set should be made and communicated to the requestor. D. Limited Data Set Violations: 1. The covered entity is not in compliance with the HIPAA Privacy Rule if it knows of a pattern of activity or practice by the Limited Data Set recipient that constitutes a material breach or violation of the Data Use Agreement, unless the covered entity takes reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful: a. Discontinues disclosure of PHI to the recipient; and b. Reports the problem to the Secretary of the Department of Health and Human Services (DHHS) HIPAA Privacy Limited Data Sets and Data Use Agreements Page 5 of 8

6 2. A covered entity that is a Limited Data Set recipient and violates a Data Use Agreement is in violation of the HIPAA Privacy Rule. V. REFERENCES HIPAA Privacy Policies 10020, HIPAA Regulations, 45 CFR , VI. ATTACHMENTS Attachment A - Limited Data Set Request and Data Use Agreement PRESIDENTIAL CERTIFICATION Approved by Arthur C. Vailas President, Idaho State University Date: OGC use only: Received by OGC on by (initial). Published to ISUPP on by (initial) HIPAA Privacy Limited Data Sets and Data Use Agreements Page 6 of 8

7 Attachment A Limited Data Set Request and Data Use Agreement REQUESTOR/RECIPIENT INFORMATION A. I/we are the requestor(s) and recipient(s) of the Limited Data Set identified in this document and agree to provisions of this Data Use Agreement (If necessary, use a separate page to identify all names of individuals or organizations requesting or receiving the Limited Data Set information, and attach to this document): 1. Name: Title: Organization: Address: Telephone: Fax: Signature: Date: 2. Name: Title: Organization: Address: Telephone: Fax: Signature: Date: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 7 of 8

8 FOR ISU USE ONLY Review decision. Check one: 1. Request Denied 2. Request Approved 3. Request Approved with the following modification: Fees Due, if applicable: 1. Amount Due: $ 2. Date Fees Collected: Signature: Date: Title: Department: HIPAA Privacy Limited Data Sets and Data Use Agreements Page 8 of 8

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS

HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS HIPAA POLICY REGARDING DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION AND USE OF LIMITED DATA SETS SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units

More information

HIPAA PRIVACY RULE & AUTHORIZATION

HIPAA PRIVACY RULE & AUTHORIZATION HIPAA PRIVACY RULE & AUTHORIZATION Definitions Breach. The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 6 I. Policy A limited data set is protected health information that excludes direct identifiers. The UW HCC units may use or disclose a limited data set only for the purposes of public health

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of Psychotherapy Notes 10130

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of Psychotherapy Notes 10130 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of Psychotherapy Notes 10130 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel &

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of PHI With Authorization 10120

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of PHI With Authorization 10120 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy Use and Disclosure of PHI With Authorization 10120 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel

More information

Limited Data Set Background Information

Limited Data Set Background Information Limited Data Set Background Information 1. A limited data set is protected health information that excludes certain identifiers but permits the use and disclosure of more identifiers than in a de-identified

More information

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy

The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy The Health Insurance Portability and Accountability Act (HIPAA) Excerpted from the UTC IRB Policy June 2008 Table of Contents PART V: The Health Insurance Portability and Accountability Act (HIPAA)...

More information

University of Mississippi Medical Center Office of Integrity and Compliance

University of Mississippi Medical Center Office of Integrity and Compliance Office of Integrity and Effective Date: 2005 By: Committee 1.0 PURPOSE The purpose of this policy is to guide (UMMC) employees, who are involved with research, in obtaining an authorization for the use

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy & Security - Sanctions 10210 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:

More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related

More information

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear :

[Insert Name and Address of Data Recipient] Data Use Agreement. Dear : [Insert Name and Address of Data Recipient] Re: Data Use Agreement Dear : The federal Health Insurance Portability and Accountability Act and the regulations promulgated thereunder (collectively referred

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

What is Covered by HIPAA at VCU?

What is Covered by HIPAA at VCU? What is Covered by HIPAA at VCU? The Privacy Rule was designed to protect private health information from incidental disclosures. The regulations specifically apply to health care providers, health plans,

More information

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc.

HIPAA as it Pertains to IRBs and Research. Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA as it Pertains to IRBs and Research Jeffrey M. Cohen, Ph.D., CIP Chief Executive Officer HRP Consulting Group, Inc. HIPAA Acronym for the Health Insurance Portability and Accountability Act of 1996

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Institutional Review Board (IRB) IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Overview The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations,

More information

Health Insurance Portability and Accountability Policy 1.8.4

Health Insurance Portability and Accountability Policy 1.8.4 Health Insurance Portability and Accountability Policy 1.8.4 Appendix C Uses and Disclosures of PHI Procedures This Appendix covers procedures related to Uses and Disclosures of PHI. Disclosures to Law

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

DATA USE AGREEMENT RECITALS

DATA USE AGREEMENT RECITALS DATA USE AGREEMENT This Data Use Agreement (the Agreement ), effective as of the day of, 20, is by and between ( Covered Entity ) and ( Limited Data Set Recipient or Recipient ) (collectively, the Parties

More information

The HIPAA privacy rule and long-term care : a quick guide for researchers

The HIPAA privacy rule and long-term care : a quick guide for researchers Scholarly Commons at Miami University http://sc.lib.miamioh.edu Scripps Gerontology Center Scripps Gerontology Center Publications The HIPAA privacy rule and long-term care : a quick guide for researchers

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Minimum Necessary Standard for Use and Disclosure of PHI 10190

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Minimum Necessary Standard for Use and Disclosure of PHI 10190 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Minimum Necessary Standard for Use and Disclosure of PHI 10190 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General

More information

Information Privacy and Security Program Title:

Information Privacy and Security Program Title: 1 Page: 1 of 5 I. PURPOSE: 1 The purpose of this standard is to identify and define the standards for implementing contracting provisions related to those individuals and organizations identified as Business

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Data Use Agreement 1 Revision Date: This Data Use Agreement (the Agreement ) is entered into by and between Yale University ( Covered Entity ) and ( Data User ), collectively, the Parties, and shall

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement (the Agreement ), is made and is effective as of this day of, 2013 ( Effective Date ), between, located at ( Business Associate

More information

HIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures

HIPAA Privacy Compliance Plan for Research. University of South Alabama IRB Guidance and Procedures HIPAA Privacy Compliance Plan for Research University of South Alabama IRB Guidance and Procedures Office of Research Compliance and Assurance CSAB 140 460-6625 Adopted: 4/2/2003 2 HIPAA PRIVACY COMPLIANCE

More information

Burn Model Systems National Data and Statistical Center STANDARD OPERATING PROCEDURE 601. Data Use Agreement

Burn Model Systems National Data and Statistical Center STANDARD OPERATING PROCEDURE 601. Data Use Agreement Data Use Agreement This Data Use Agreement (the Agreement ) is effective as of [month, day, year] (the Agreement Effective Date ) until [month, day, year] (the Agreement Termination Date ) by and between

More information

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application

Health Insurance Portability & Accountability Act (HIPAA) Compliance Application Health Insurance Portability & Accountability Act (HIPAA) Compliance Application IRB Office 101 - Altru Psychiatry Center 860 S. Columbia Rd, Grand Forks, North Dakota 58201 Phone: (701) 780-6161 PROJECT

More information

UCSF and Data Contributor are hereinafter also referred to individually as Party and collectively as Parties.

UCSF and Data Contributor are hereinafter also referred to individually as Party and collectively as Parties. DATA USE AGREEMENT This Data Use Agreement ( Agreement ) is entered into by and between The Regents of the University of California, on behalf if its San Francisco campus ( UCSF or Data User ), and [full

More information

HUMAN SUBJECTS AND HIPAA

HUMAN SUBJECTS AND HIPAA Research Compliance Tipsheet HIPAA Basics Last Revised: September 11, 2009 When we work with Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA),

More information

What is Covered under the Privacy Rule? Protected Health Information (PHI)

What is Covered under the Privacy Rule? Protected Health Information (PHI) HIPAA & RESEARCH What is Covered under the Privacy Rule? Protected Health Information (PHI) Health information + Identifier = PHI Transmitted or maintained in any form (paper, electronic, forms, web-based,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1611 Ethics & Compliance SUBJECT: Use and Disclosure of Protected Health Information (PHI) For Research Purposes Pursuant to the HIPAA Privacy

More information

HIPAA Privacy Common Questions: Definitions

HIPAA Privacy Common Questions: Definitions Brought to you by Momentous Insurance Brokerage, Inc. HIPAA Privacy Common Questions: Definitions What is a Covered Entity under the HIPAA Privacy Rules? The following organizations are governed by this

More information

HIPAA Compliance And Participation in the National Oncologic Pet Registry Project

HIPAA Compliance And Participation in the National Oncologic Pet Registry Project HIPAA Compliance And Participation in the National Oncologic Pet Registry Project Your facility has indicated its willingness to participate in the National Oncologic PET Registry Project (NOPR) sponsored

More information

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules Employer Sponsored Group Health Plans and the HIPAA Privacy Rules Employers must be prepared for their obligations under the HIPAA Privacy Rules January 2003 Bob Radecki KnowHIPAA.com HIPAA-COBRA-FMLA

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training

SCHOOL OF PUBLIC HEALTH. HIPAA Privacy Training SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training Public Health and HIPAA This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health. It is imperative

More information

Gaston County HIPAA Manual

Gaston County HIPAA Manual Gaston County HIPAA Manual Includes Gaston County IT Manual Action Date Reviewed and Revised December 2012 Gaston County HIPAA Policy Manual has be updated and combined with the Gaston County IT Manual.

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Security - Security Incident Response 10330

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Security - Security Incident Response 10330 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Security - Security Incident Response 10330 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development

Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health. Pam Jager, GRMEP Director of Education & Development Grand Rapids Medical Education Partners Mercy Health Saint Mary s Spectrum Health Pam Jager, GRMEP Director of Education & Development To understand the requirements of the federal Health Information Portability

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Addendum is made part of the agreement between Boston Medical Center ("Covered Entity ) and ( Business Associate"), dated [the Underlying Agreement ]. In connection with

More information

INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT

INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT This Agreement dated as of is made by and between The Board of Trustees of the University of Alabama, on behalf of INTERMACS Registry ( Business Associate

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

efolder White Paper: 12 HIPAA FAQs for MSPs and VARs

efolder White Paper: 12 HIPAA FAQs for MSPs and VARs efolder White Paper: 12 HIPAA FAQs for MSPs and VARs October 2015 Disclaimer efolder has made every attempt to ensure the accuracy of the information provided in this document. efolder assumes no legal

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager

HIPAA, Research, and the IRB. Michelle Brown, BBA Biomedical IRB Manager HIPAA, Research, and the IRB Michelle Brown, BBA Biomedical IRB Manager Agenda Brief History of HIPAA How Did We Get Here? When Does HIPAA Apply to Research? How Do Researchers Access & Share PHI Under

More information

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008

How to De-identify Data. Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 How to De-identify Data Xulei Shirley Liu Department of Biostatistics Vanderbilt University 03/07/2008 1 Outline The problem Brief history The solutions Examples with SAS and R code 2 Background The adoption

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

Sample Business Associate Agreement Provisions

Sample Business Associate Agreement Provisions Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all

More information

Memorandum. Factual Background

Memorandum. Factual Background Memorandum TO: FROM: SUBJECT: Chris Ianelli and Jill Mullan, ispecimen, Inc. Kristen Rosati and Ana Christian, Polsinelli, PC ispecimen Regulatory Compliance DATE: January 26, 2014 You have asked us to

More information

AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).:

AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).: AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).: THIS AMENDMENT is made as by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC. located at 450 Clarkson

More information

LIMITED DATA USE AGREEMENT

LIMITED DATA USE AGREEMENT LIMITED DATA USE AGREEMENT THIS LIMITED DATA USE AGREEMENT ("LDU Agreement") is made and entered into as of this day of, (the "Effective Date") by and between University of South Alabama Hospitals (hereinafter

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance  De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " " D even McGraw " Director, Health Privacy Project January 15, 201311 HIPAA Scope Does not cover all health data Applies

More information

HIPAA Compliance for Students

HIPAA Compliance for Students HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits

More information

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA

Legal Insight. Big Data Analytics Under HIPAA. Kevin Coy and Neil W. Hoffman, Ph.D. Applicability of HIPAA Big Data Analytics Under HIPAA Kevin Coy and Neil W. Hoffman, Ph.D. Privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule can have a significant

More information

Texas Tech University Health Sciences Center HIPAA Privacy Policies

Texas Tech University Health Sciences Center HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: References: http://www.hhs.gov/ocr/hipaa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx Policy Statement The

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

References to Business Associates in HIPAA-HIPAA regulations

References to Business Associates in HIPAA-HIPAA regulations Title 45: Public Welfare PART 160 GENERAL ADMINISTRATIVE REQUIREMENTS 160.103 Definition Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means a person

More information

IRB Application for Medical Records Review Request

IRB Application for Medical Records Review Request Office of Regulatory Research Compliance Institutional Review Board FORM B1 : Medial Records Review Application FORM B1 IRB Application for Medical Records Review Request Principal Investigator: Email:

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

North Shore LIJ Health System, Inc. Facility Name

North Shore LIJ Health System, Inc. Facility Name North Shore LIJ Health System, Inc. Facility Name POLICY TITLE: The Medical Record POLICY #: 200.10 Approval Date: 2/14/13 Effective Date: Prepared by: Elizabeth Lotito, HIM Project Manager ADMINISTRATIVE

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter Agreement ) is between COVERED ENTITY NAME (hereinafter Covered Entity ) and BUSINESS ASSOCIATE NAME (hereinafter Business

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is entered into as of the day of, 2013 by and between RUTGERS UNIVERSITY, a Hybrid Entity, on behalf and for the

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT THIS IS A TEMPLATE ONLY. CERTAIN STATES MAY NOT PERMIT THE TYPES OF ACTIVITIES ALLOWED HEREUNDER RELATING TO PROTECTED HEALTH INFORMATION. THUS THIS AGREEMENT MAY NEED TO BE MODIFIED IN ORDER TO COMPLY

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM

HIPAA BUSINESS ASSOCIATE ADDENDUM HIPAA BUSINESS ASSOCIATE ADDENDUM This Addendum, dated as of, 2007 ( Addendum ), supplements and is made a part of the Services Agreement (as defined below) by and between ( Covered Entity ) and FUJIFILM

More information

CancerLinQ Data Quality Management Policies

CancerLinQ Data Quality Management Policies CancerLinQ Data Quality Management Policies I. Introduction CancerLinQ is committed to conquering cancer through appropriate, secure and ethical usage of health information entrusted to the CancerLinQ

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

This is a "preview " of the BAA agreement. You'll be able to sign the BAA electronically after you upgrade to the Powerhouse Player plan.

This is a preview  of the BAA agreement. You'll be able to sign the BAA electronically after you upgrade to the Powerhouse Player plan. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into as of (the Effective Date ), by and between ("Covered Entity") and Acuity Scheduling, Inc. ("Business Associate").

More information

HIPAA and You The Basics

HIPAA and You The Basics HIPAA and You The Basics The Purpose of HIPAA Privacy Rules 1. Provide strong federal protections for privacy rights Ensure individual trust in the privacy and security of his or her health information

More information

HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA

HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Amended January 23, 2014 This HIPAA compliance manual was prepared for the

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) This Business Associate Agreement (the Agreement ), dated September 9, 2013, is entered into by and between ( Covered Entity ) and Schuster

More information

TriageLogic Information Security Policy

TriageLogic Information Security Policy TriageLogic Information Security Policy What is HIPAA, and what information is protected by it? HIPAA, short for the United States Health Insurance Portability and Accountability Act, is a set of standards

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information