
Health IT Law & Industry Report, VOL. 7, NO. 19, MAY 11, 2015

Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. ( )

COMPLIANCE CORNER

Business Associates' HIPAA Compliance: Should Covered Entities Be Concerned?

PAULA M. STANNARD

Paula M. Stannard is counsel at Alston & Bird LLP in Washington. She advises clients on regulatory questions that arise from the health-care reform effort and focuses her practice on HIPAA; health information technology, including electronic health record certification and the meaningful use program; and food and drug policy. Stannard is a former deputy general counsel and acting general counsel for the Department of Health and Human Services where she oversaw the food and drug, civil rights and legislation divisions.

As a covered entity or business associate, you have identified the vendors (current or prospective) and other entities which (1) perform the functions or activities that involve the use or disclosure of protected health information (PHI) on your behalf, or (2) provide services to you involving the use of PHI, which make them your business associates (or subcontractor business associates). [1] You have entered (or will enter) into business associate agreements with them.

You may believe that, with those business associate agreements, you have met the requirements of the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules (HIPAA Rules) with respect to your business associates (or subcontractors) and that you do not have to worry any further about those entities' compliance with the HIPAA Rules. After all, they can now be held directly liable by the Department of Health and Human Services (HHS) for violations of HIPAA. And HHS has made it clear that the HIPAA Rules do not require you as a covered entity (or business associate) to actively monitor the actions of your business associates (or subcontractors) and do not hold you responsible or liable for the actions of your business associates (or subcontractors). [2]

All of this is true, but it is not the whole story. You may need to be concerned about your business associate's HIPAA compliance. The HIPAA violations of your business associates can negatively affect you in some circumstances. But different business associates performing different services and handling different types of PHI present different levels of risk for you. In appropriate circumstances, you may want to consider a more proactive approach to the HIPAA compliance of your business associates or potential business associates.

This article examines why you may need to be concerned about your business associate's HIPAA compliance. It then explores factors that you may want to consider in determining which, if any, business associate or prospective business associate to engage with on HIPAA compliance. Finally, the article considers several potential cost-effective mechanisms by which to engage with appropriate business associates on their HIPAA compliance.

[1] For purposes of this article, the term "business associates" will be used to refer to both the business associates of covered entities and the subcontractors of business associates.

How Can Your Business Associate's HIPAA Violations Affect You?

It is true that the HIPAA Rules do not expressly require you to actively monitor your business associate's actions or their HIPAA compliance. A business associate's failure to comply with the HIPAA Rules, however, can negatively affect you.

First, the business associate agreement (BAA) requires your business associate to, among other things, use appropriate safeguards, and to comply with the HIPAA Security Rule (with respect to electronic protected health information (PHI)), to prevent the use or disclosure of the PHI other than as provided for by your BAA. [3] You are not required to actively monitor your business associate's actions. But if you know of a pattern of activity or a practice by your business associate that constitutes a material breach or violation of its BAA obligations, and you do not take reasonable steps to cure the breach or end the violation, or, if such steps are unsuccessful, you do not terminate the BAA if feasible, you may have committed a violation of the Privacy Rule. [4] This means that if you have or receive credible evidence of a violation (for example, with respect to your business associate's failure to comply with a material provision of the Security Rule), you must investigate the situation and act upon what you learn from the investigation. [5]

Second, you have an obligation to take certain reasonable steps to safeguard the privacy/confidentiality of PHI of your patients, policyholders, or beneficiaries. Your business associate's HIPAA violation may harm them or compromise the privacy or confidentiality of their PHI, bring you to the attention of the HIPAA enforcement authorities at HHS, and/or damage your reputation. Not every HIPAA violation compromises the security or privacy of PHI, but some do. As you know, you are required to notify the affected individuals, HHS, and, in some instances, the media of breaches of unsecured PHI that compromise its security or privacy, [6] whether that breach occurred as a result of your actions or inactions or those of your business associate. [7] Having to provide notice to your patients, policyholders, or beneficiaries that their PHI has been compromised by a breach [8] (even if the breach involved your business associate, not you) can negatively affect your relationship with them.

It appears, moreover, that breaches involving business associates affect a disproportionate number of individuals. Less than half of the breaches affecting 500 or more individuals, as reported to HHS, involve business associates, [9] but such breaches appear to affect a disproportionate number of individuals. [10] Thus, a breach by your business associate has the potential to be more significant in terms of the number of individuals whose PHI is impacted by a breach.

But it is not just your relationship with your current patients, policyholders, or beneficiaries that can be affected by a breach by your business associate. If, according to the covered entity's breach notice to HHS, the breach affects 500 individuals, it is HHS's practice to undertake an investigation of the breach. This could lead to an investigation not only of your business associate's practices, but also of your practices. Furthermore, HHS is required to post information about such breaches on its website, for all to see. [11] For breaches involving business associates, the listing on the HHS breach portal may include not only the name of the business associate, but also the name of the covered entity whose PHI was breached, so you could be associated with the breach on the HHS "wall of shame." In addition, if the breach affects more than 500 individuals in a particular State or other jurisdiction, you are required to provide a notice to prominent media outlets in the jurisdiction of the breach, including a brief description of the breach, when it occurred and the date it was discovered. Coupled with the fact that the report of the breach is posted on HHS's website, the resulting media attention can damage your reputation not only with current patients or policyholders, but also with prospective patients or policyholders.

Third, you may be required to mitigate the harmful effects of your business associate's HIPAA violations. The Privacy Rule requires that a covered entity "mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of [PHI] in violation of its policies and procedures or the requirements of [the Privacy Rule] by the covered entity or its business associate." [12] Thus, for example, if your business associate's failure to implement a reasonable and appropriate safeguard under the Security Rule leads to a violation of a Privacy Rule requirement, you will have the obligation to mitigate any known harmful effects of that failure, if practicable. The HIPAA Breach Notification Rule reinforces this: If your business associate commits a breach of PHI or electronic PHI which constitutes a violation of the Privacy Rule, you are required, among other things, to provide notice to all individuals who are affected by the breach. This notice includes a brief description of what you, as a covered entity, are doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches. [13]

Fourth, in some instances, HHS can hold you liable for your business associate's HIPAA violations. HHS has made it clear that if your business associate is acting as your agent (within the scope of the agency), [14] as determined under the federal common law of agency, HHS can hold you liable, and impose civil money penalties (CMPs) upon you, for the HIPAA Rule violations of your business associate. [15] Indeed, HHS recently removed from the HIPAA Enforcement Rule even a limited exception from liability for a covered entity with respect to the acts of its business associate agents. [16] Furthermore, even if a business associate undertakes to perform certain of your obligations under the Privacy Rule and contractually agrees to comply with the Privacy Rule with respect to such obligation, you nevertheless remain directly liable for potential CMPs if your business associate fails to perform the obligation. [17]

[2] Fed. Reg , (Dec. 28, 2000); 67 Fed. Reg , (Aug. 14, 2002)
[3] CFR (e)(2)(ii)(B).
[4] 45 CFR (e)(1)(ii) & (iii)
[5] Fed. Reg. at 82505,
[6] With some exceptions, the Breach Notification Rule defines a breach as "the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the [PHI]" and presumes that any such improper acquisition, access, use or disclosure is a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment that requires consideration of at least four identified factors. 45 CFR
[7] CFR ,
[8] The notice is required to include: a brief description of the breach, when it occurred and the date it was discovered; a description of the types of unsecured PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of what you are doing to investigate the breach, to mitigate harm to the individuals, and to protect against any further breaches; and contact information. 45 CFR (c)(1).
[9] As of early 2015, there were approximately 1185 breaches reported in the HHS breach portal; of those breaches, business associates were reported as involved in 273 of the breaches.
[10] Approximately 60 percent of the individuals affected by such reported breaches were as a result of breaches involving a business associate. Studies by the Ponemon Institute of health care breaches support this conclusion. See, e.g., Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, December
[11] HITECH Act 13402(e)(4)
[12] CFR (f). The Security Rule contains a similar mitigation requirement, applicable both to you and your business associate, with respect to the harmful effects of security incidents that are known to you or your business associate. 45 CFR (a)(6)(ii).
[13] CFR (c)(1)(D).
[14] HHS has noted that the question of agency is a fact-specific analysis which takes into account the totality of the circumstances; the essential factor is the right or authority of a covered entity (or business associate) to control the business associate's (or subcontractor's) conduct in the course of performing a service for the covered entity (or business associate). 78 Fed. Reg. 5566, 5581 (Jan. 25, 2013). This agency relationship can exist even if the covered entity (1) does not retain the authority to control every aspect of its business associate's activities; (2) does not exercise such control, but holds the authority to do so; and (3) and business associate are separated by physical distance. Id. at
[15] Fed. Reg. at And HHS has rejected the argument that any deviation from the terms in a business associate agreement would put the actions of the business associate outside the scope of agency. Id. at
[16] Id.
[17] Fed. Reg. at

Which Business Associates, If Any, Should You Engage on HIPAA Compliance?

You understand that a business associate's HIPAA compliance can present risks for you. But you are not required to actively monitor their compliance, and it may not make sense for you to do so in all cases. Further, you may have limited resources and it may not be feasible in terms of the time or resources involved for you to engage with some or all of your business associates concerning their HIPAA compliance, especially if the business associate presents low risk with respect to HIPAA compliance. Nevertheless, you may recognize that you should consider addressing such risk by proactively engaging some business associates or prospective business associates on their HIPAA compliance. But which ones?

There are a number of factors or issues that you can consider in making a determination as to whether to consider engaging with a current or prospective business associate on their HIPAA compliance, or performing some type of due diligence on its HIPAA compliance. These include (but are not limited to):

• Do you have a current relationship with the business associate? What has been your experience with it? What has been the experience of others with the business associate?
• What is the nature of the business associate's business?
• What services is the business associate performing for you? Are they services that only the business associate can perform? Are the services the type of activity/services that the business associate usually performs?
• Is the business associate in an industry or profession in which it is required to maintain the confidentiality of information communicated to it by a client? Or in a regulated industry or profession where the regulator has imposed such requirements? If not, is the business associate in a highly regulated industry in which there is a significant focus or emphasis on regulatory compliance?
• What is the business associate's reputation, if any, in its industry or profession? If it is in a highly regulated industry, what is generally known, if anything, about its compliance program?
• What type (paper, electronic) and quantity of PHI does/will the business associate handle on your behalf? Is any of the PHI likely to be considered sensitive PHI?
• How will PHI (or electronic PHI) be transmitted to or by the business associate?

Whether to engage any particular business associate (or prospective business associate) on its HIPAA compliance is a decision that you may want to base on the totality of the facts and circumstances with respect to that business associate.
If, for example, the business associate handles a great deal of PHI for you (particularly if such PHI includes sensitive PHI) and/or the business associate has had privacy or breach issues in the past (especially if it has not adequately addressed such issues), you may want to consider engaging the business associate on its HIPAA compliance.

How Can You Engage a Business Associate on HIPAA Compliance?

If you decide to engage a business associate or prospective business associate on its HIPAA compliance, you will have to consider how to do so. There is a broad range of approaches that could be employed, and various levels of examination and detail that could be sought, with respect to a business associate's HIPAA compliance. But you may have limited time and resources to conduct any examination or review. And particularly if you are a small- or medium-sized entity, you may have limited internal expertise to evaluate the technical aspects of a vendor's compliance program, especially with respect to information security. Nevertheless, there may be cost-effective approaches to engage a business associate or prospective business associate on its HIPAA compliance. These approaches may include:

Due diligence. As you interview and conduct diligence on vendors (prospective business associates), include HIPAA compliance as part of your review. Ask about interviewing the personnel responsible for HIPAA compliance. For example, see if you can talk to the vendor's information technology/information security personnel to gain an understanding of the entity's approach to information security generally, and what the entity is doing to meet the HIPAA Security Rule's requirements. This could include asking about the information security credentials of the relevant personnel, and/or checking them out via LinkedIn or other online resources, to consider their information security expertise.

Review third party validation. In some instances, it may be difficult to determine if the measures that a (prospective) business associate has taken are sufficient for purposes of HIPAA compliance. This is especially the case with the HIPAA Security Rule. The Security Rule establishes certain general requirements, including that the confidentiality, integrity and availability of electronic PHI be ensured, by implementation of administrative, physical and technical safeguards. [18] But the Rule does not dictate particular security measures to be implemented to meet such requirements. Instead, the Rule permits an entity to determine the security measures to implement based on several factors, including the entity's size, complexity, and capabilities and its technical infrastructure, hardware, and software security capabilities. [19] It also contains certain addressable implementation specifications, each of which an entity must implement if it is a reasonable and appropriate safeguard in its environment, considering its likely contribution to protecting electronic PHI; if it is not, the entity must implement an equivalent alternative measure, if reasonable and appropriate. [20]

Because of the structure of the Security Rule, it may be difficult for you to assess a vendor's compliance with the Rule, especially if you lack the technical expertise, or knowledge of the information security measures common in the vendor's industry, to enable you to fully evaluate the vendor's information security program. This is where a third party's assessment, or validation, of the vendor's information security program, and its compliance with the Security Rule, may be helpful. Although not required by the HIPAA Security Rule, a business associate may have retained a third party to audit or assess its information security risks, its implementation of safeguards, and/or its compliance with the Security Rule. Such an audit/assessment may provide an independent analysis of the entity's information security program and its HIPAA Security Rule compliance in the context of its business and technological capabilities. If a (prospective) business associate has obtained such an assessment and is willing to discuss the results of such a third party's audits/assessment, or to share such document (under a nondisclosure agreement), with you, it may permit you to make an informed decision about its HIPAA Security Rule compliance.

Review policies and procedures and/or risk assessment and management plan. The HIPAA Security Rule requires business associates to develop, maintain, and/or implement certain written documents, such as HIPAA Security Rule policies and procedures, a security risk analysis/assessment and risk management plan, and a business contingency plan. [21] HHS has emphasized in its guidance documents and in its enforcement actions that an accurate and thorough security risk analysis (and risk management plan) is of key importance for Security Rule compliance. (These documents assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, and identify security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Security Rule requirements.) If your prospective business associate does not have or is unable to provide a third party's assessment of its HIPAA compliance, you may want to consider whether it might be appropriate to discuss, and/or seek to review (under a nondisclosure or confidentiality agreement), key Security Rule documents. Given HHS guidance, you may want to focus on the business associate's risk analysis and risk management plan in such discussions and/or reviews, as a means for assessing the entity's overall HIPAA Security Rule compliance.

[18] CFR (a)(1), , ,
[19] CFR (b)
[20] CFR (d)(3)
[21] CFR ((a)(1),(ii), (a)(7).

Conclusion

As a covered entity or business associate, you are not required to actively monitor the HIPAA compliance of your business associate or subcontractor. However, a compliance failure by such an entity can have a negative impact on you. Thus, you may want to consider proactively engaging on HIPAA compliance with certain business associates, based on the business associate's particular circumstances. Even for a small- or medium-sized covered entity with limited time, resources, and/or technical expertise, there are several approaches to such an inquiry that may provide you with helpful information on the business associate's compliance in a cost-effective manner.

The time to act is now, before issues with a business associate's HIPAA compliance cause you problems. Consider which, if any, of your business associates or prospective business associates are such that you should engage on their HIPAA compliance. Then, review the vendor's HIPAA compliance, which could involve, depending on the circumstance, interviewing the vendor's information security personnel, obtaining a copy of any third-party validation it has, or reviewing its security risk assessment and management plan (or other policies and procedures). The time and resources you devote to the effort now may be amply rewarded in problems avoided.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of the firm or its clients. It is intended to be informational and does not constitute legal advice regarding any specific situation.


More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPAA Privacy and Business Associate Agreement

HIPAA Privacy and Business Associate Agreement HR 2011-07 ATTACHMENT D HIPAA Privacy and Business Associate Agreement This Agreement is entered into this day of,, between [Employer] ( Employer ), acting on behalf of [Name of covered entity/plan(s)

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Preferred Professional Insurance Company Subcontractor Business Associate Agreement

Preferred Professional Insurance Company Subcontractor Business Associate Agreement Preferred Professional Insurance Company Subcontractor Business Associate Agreement THIS SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT ( Agreement ) amends and is made a part of all Services Agreements (as

More information

Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates

Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates After a very long wait, the Department of Health and Human Services ( HHS ) has issued a final HIPAA/HITECH

More information

Business Associate Agreement (BAA) Guidance

Business Associate Agreement (BAA) Guidance Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity

More information

Appendix : Business Associate Agreement

Appendix : Business Associate Agreement I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,

More information

FINAL HIPAA HITECH REGULATIONS RELEASED

FINAL HIPAA HITECH REGULATIONS RELEASED FINAL HIPAA HITECH REGULATIONS RELEASED On January 25, 2013, the United States Department of Health and Human Services (HHS) published final regulations implementing changes to the Health Insurance Portability

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Our Commitment to Information Security

Our Commitment to Information Security Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) This Business Associate Agreement (the Agreement ), dated September 9, 2013, is entered into by and between ( Covered Entity ) and Schuster

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this "Agreement") is made as of, 201_ (the Effective Date ), and is entered into between ( Covered Entity ) and Delta Business System, Inc.

More information

DRAFT BUSINESS ASSOCIATES AGREEMENT

DRAFT BUSINESS ASSOCIATES AGREEMENT DRAFT BUSINESS ASSOCIATES AGREEMENT THIS AGREEMENT is made this day of, 20, by and among, a Corporation organized under the laws of the State of (hereinafter known as "Covered Entity") and organized under

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Express Scripts, Inc. and one or more of its subsidiaries ( ESI ), and Sponsor or one of its affiliates ( Sponsor ), are parties to an agreement ( PBM Agreement ) whereby ESI

More information

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

BUSINESS ASSOCIATE AGREEMENT Tribal Contract DEPARTMENT OF HEALTH SERVICES Division of Enterprise Services F-00714 (08/2013) STATE OF WISCONSIN BUSINESS ASSOCIATE AGREEMENT Tribal Contract This Business Associate Agreement is made between the Wisconsin

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

This is a "preview " of the BAA agreement. You'll be able to sign the BAA electronically after you upgrade to the Powerhouse Player plan.

This is a preview  of the BAA agreement. You'll be able to sign the BAA electronically after you upgrade to the Powerhouse Player plan. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into as of (the Effective Date ), by and between ("Covered Entity") and Acuity Scheduling, Inc. ("Business Associate").

More information

Rutgers University HIPAA BUSINESS ASSOCIATE AGREEMENT

Rutgers University HIPAA BUSINESS ASSOCIATE AGREEMENT Rutgers University HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: School/Unit:

More information

AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).:

AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).: AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).: THIS AMENDMENT is made as by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC. located at 450 Clarkson

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is entered into as of the day of, 2013 by and between RUTGERS UNIVERSITY, a Hybrid Entity, on behalf and for the

More information

Business Associate and Other Agreements

Business Associate and Other Agreements Section 4.3 Implement Business Associate and Other Agreements This tool identifies the types of agreements that may be necessary for a community-based care coordination (CCC) program to have in place in

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is between you, a healthcare provider, its employees and agents ( Covered Entity ) and Doc Halo, LLC ( Business Associate ).

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement (the Agreement ), is made and is effective as of this day of, 2013 ( Effective Date ), between, located at ( Business Associate

More information

Attachment 5 HIPAA BUSINESS ASSOCIATE AGREEMENT

Attachment 5 HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT Preamble This Business Associate Agreement ( Agreement ) is Attachment to the Contract for Payment Eligibility Assessment Whereas, pursuant to the terms of the Contract,

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements

Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements Sara Kashing, JD, Staff Attorney July/August 2012 The Therapist If you are considered a Covered Entity

More information

HIPPA. business associates agreement

HIPPA. business associates agreement This Business Associate Agreement ( BAA ) is entered into by and between ALTOR National ( ALTOR National ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013 (the BAA

More information

HIPAA Business Associate Contract. Definitions

HIPAA Business Associate Contract. Definitions HIPAA Business Associate Contract Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule. Examples of specific definitions:

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Enclosure. Dear Vendor,

Enclosure. Dear Vendor, Dear Vendor, As you may be aware, the Omnibus Rule was finalized on January 25, 2013 and took effect on March 26, 2013. Under the Health Insurance Portability & Accountability Act (HIPAA) and the Omnibus

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Re: RIN 0991-AB56; Breach Notification for Unsecured Protected Health Information; Interim Final Rule, 74 Fed. Reg (August 24, 2009).

Re: RIN 0991-AB56; Breach Notification for Unsecured Protected Health Information; Interim Final Rule, 74 Fed. Reg (August 24, 2009). Kathleen Sebelius, Secretary U.S. Department of Health and Human Service Office for Civil Rights Attention: HITECH Breach Notification Hubert H. Humphrey Building, Room 509F 200 Independence Avenue, SW

More information