Medical Research Law & Policy Report

Reproduced with permission from Medical Research Law & Policy Report, 12 MRLR 98, 02/06/2013. Copyright 2013 by The Bureau of National Affairs, Inc.

HIPAA Final Rule Clarifies Major Research Issues

BY MARK BARNES, SUSAN STAYN, EVE BRUNTS, AND SARAH FERRANTI

Mark Barnes, Eve Brunts, and Sarah Ferranti are attorneys at Ropes & Gray LLP, and Susan Stayn is senior university counsel at Stanford University. Mark and Susan are members of the Subcommittee on Harmonization of the HHS Secretary's Advisory Committee on Human Research Protections (SACHRP), and this article has been informed by their Subcommittee work on these issues.

On Jan. 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released its Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the "Final Rule"), implementing important changes to regulations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including changes required by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH") and the Genetic Information Nondiscrimination Act of The Final Rule is intended to enhance privacy and security protections and patients' rights with respect to their health information, strengthen enforcement mechanisms, and improve the overall practicability of the HIPAA Rules.[1] The Final Rule is effective March 26, 2013, although covered entities and business associates have additional time to comply with new standards, as described more fully below.

Notably, in the first overarching amendment to the Privacy Rule since its implementation in 2003, HHS effected meaningful changes to the requirements governing research. The Final Rule eliminates the previous restriction on combining research authorizations, permits authorizations for future studies in certain circumstances, clarifies the research exception to the ban on the sale of protected health information ("PHI"), confirms that external institutional review boards ("IRBs") are not business associates, and limits privacy protections for decedents to 50 years. Many of these amendments address issues that have been of great concern to the national research community since the Privacy Rule was first promulgated.

History

Before the Privacy Rule, researchers and their institutions commonly placed data and bio-specimens generated during the course of a clinical trial into databases or repositories, which later could be used for purposes such as tracking patient outcomes, performing retrospective chart reviews for quality assurance, and conducting new research studies. Databanks and tissue repositories with identifiable information were, and continue to be, important sources of research data. HHS's initial version of the Privacy Rule and its 2002 proposed modifications, however, appeared to put this practice at risk, indicating that the department regarded the practice of establishing and adding to these research databases and tissue repositories as new research activities that would themselves require both HIPAA authorizations and research consents.

To prevent what it believed to be an unintended result of the Privacy Rule, in April 2002, the National Human Research Protections Advisory Committee (NHRPAC), the precursor to the Secretary's Advisory Committee on Human Research Protections (SACHRP), suggested in a letter to HHS that the regulations be amended to allow creation and maintenance of databases and tissue repositories as activities "preparatory to research" or to allow them based upon approval by a Privacy Board (or an IRB sitting as a Privacy Board).[2] A few months later, HHS announced in its Final Rule on the Standards for Privacy of Individually Identifiable Health Information that the department interpreted the establishment and maintenance of research databases and tissue repositories to fall within the definition of research subject to HIPAA, and that establishing and maintaining them did not qualify as "preparatory to research" activities. The result of this interpretation was that the use and disclosure of PHI to create a database, or a tissue repository with identifiable information, would itself require authorization by all individual subjects whose data would be included, or waiver of authorization by an IRB.[3] Impliedly, this also meant that these subjects also would need to give their research consent to the same banking activities.

In practice, this interpretation required that subjects who participated in clinical trials and also allowed their identifiable data and specimens to be placed in repositories during the trials sign two separate HIPAA authorizations. Two authorizations were necessary because HHS interpreted the Privacy Rule to prohibit compound authorizations, that is, authorizations in instances when participation in research-related treatment is conditioned on one authorization (the authorization for use and disclosure of PHI to conduct the trial) and not on the conjoined authorization (the authorization to include PHI or specimens in a database or repository). Therefore, for primary clinical studies whose clinical data and/or identified tissue would be banked for later use, two separate authorizations would be required: one for the primary study and another for the banking activities.

At the same time, and making matters still more complex, HHS clarified that in order to comply with the required elements of 45 C.F.R , authorizations must include a description of each specific purpose of the requested use or disclosure and that the purpose must be study-specific.[4] By contrast, the Common Rule, in historical practice, had allowed greater flexibility, permitting subjects to consent to future research uses of their data when those uses had been described in sufficient detail to give the subject a reasonable understanding of their nature and range; under the Common Rule, this would be determined by the IRB on a case-by-case basis.[5] Once future specific research uses were identified, researchers and an IRB could look back at the consent, to ensure that these additional research activities were contemplated in that original consent. If not, the researcher would be required to seek new consents, or to obtain a waiver of consent from the IRB.

Under a strict construction of HHS's guidance in the 2002 Final Rule, therefore, the practice that may have required only a single consent document before HIPAA, thereafter required three additional documents: one document with the authorization for the trial itself, which could be combined with the informed consent; a second document with the authorization to include PHI or identified specimens collected during the trial in a database or tissue repository; and a third document with the authorization for a future specific research use, if that specific use was known at the time of consent. If the specific additional research use was not identified until some later point, the researcher could seek a waiver of authorization for that specific additional research use from the IRB or Privacy Board.

In September 2004, following these clarifications from HHS, SACHRP made several recommendations regarding the application of HIPAA to research, including streamlining the informed consent and authorization process by (1) revis[ing] HIPAA's compound authorization rules to permit the combining of research authorizations into one form when researchers seek to bank data and materials collected as part of an underlying clinical trial, and (2) permit[ting] subjects to authorize the use and disclosure of their PHI for certain reasonably defined future uses.[6] These recommendations were reiterated in the Institute of Medicine's ("IOM") 2009 Consensus Report, Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. In 2010, the regulatory overhaul necessitated by HITECH provided HHS the opportunity to address the issues raised in both the SACHRP and IOM reports and gather additional feedback from the research community and the public. In the end, the Final Rule largely adopts SACHRP's and IOM's recommendations on these issues, and provides additional important clarifications.

Compound Authorizations

The Privacy Rule contains a general prohibition on compound authorizations. A compound authorization is an authorization for the use and disclosure of PHI that is combined with another legal consent. An exception under the original Privacy Rule allows an authorization to be combined with a research informed consent form, but not with an authorization for another study. This Final Rule has now amended 42 C.F.R (b)(3)(i) specifically to allow combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, [or] with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research, as long as (1) the authorization clearly differentiates between the conditioned and unconditioned authorization components (e.g., respectively, the authorization for participation in the clinical study, and the authorization for the use of PHI collected in that study for a separate database or tissue repository), and (2) provides the individual with an opportunity to opt in to the research activities described in the unconditioned authorization.[7] The new amendment thus provides the flexibility to combine in a single document the informed consent and all research authorizations needed for the same or another study, with the exception of authorizations for the use and disclosure of psychotherapy notes, which still must be contained in separate documents.[8]

In SACHRP's comments on HHS's 2010 NPRM, SACHRP sought additional clarification on acceptable methods to differentiate conditioned and unconditioned authorizations. SACHRP proposed the following three approaches, all of which were approved in the preamble to the Final Rule:

(1) a combined consent/authorization form for a clinical trial and optional banking component, with a check-box for the individual to have the choice to opt in to the optional banking component, and one signature;

(2) a combined consent/authorization form for a clinical trial and optional banking component, with one signature for the clinical trial and another signature to indicate the individual agrees to the optional banking component; and

(3) a combined consent/authorization form for a clinical trial and optional banking component, with a check box for the individual to have the choice to opt in to the banking component, and one signature, but with detailed information about the banking component presented in a separate brochure or information sheet that is referenced directly in the consent/authorization form.[9]

If the covered entity uses the third method, HHS has now clarified that subjects should have an appropriate opportunity to review the brochure and that the brochure should be retained in the covered entity's records as if the document were part and parcel of the authorization.[10]

Use of PHI for Future Research

A required element of a valid authorization under the HIPAA Rule is a description of each purpose of the requested use or disclosure.[11] As noted above, in the 2002 Final Rule, HHS interpreted "purpose" to be study specific, thus preventing researchers from obtaining authorizations to use or disclose PHI to conduct future, undetermined research. In the Final Rule preamble, HHS revised its earlier interpretation, stating:

The Department no longer interprets the purpose provision at (c)(1)(iv) as requiring that an authorization for the use or disclosure of protected health information for research purposes be study specific. In order to satisfy the requirement that an authorization include a description of each purpose of the requested use or disclosure, an authorization for uses and disclosures of protected health information for future research purposes must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.[12]

HHS also clarified that although covered entities and researchers are required to satisfy all of the elements of a valid authorization contained in 45 C.F.R , given the uncertainty of future research, both the PHI to be used or disclosed and the recipients of the PHI can be described with more general language than was previously required.

Research Exception for the Sale of PHI

The Final Rule incorporates HITECH's prohibition on the sale of PHI without authorization, and retains and provides additional clarification on the research exception. Under the Final Rule, the "sale of PHI" means a disclosure of protected health information by a covered entity or business associate... where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.[13] Consistent with HITECH, excluded from the definition is PHI disclosed for research purposes where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes.[14]

In the preamble, HHS makes two important clarifications regarding the scope of the new standard. First, HHS does not consider payments to covered entities pursuant to research grants or contracts to constitute a sale of PHI. Although the terms of the grant or contract may require reporting of PHI to the research sponsor or funding agency, the disclosure in that case is simply a byproduct of the service being provided, and therefore the covered entity is not receiving remuneration in exchange for PHI.[15] On the other hand, when a covered entity is simply providing PHI to a researcher for some remuneration or compensation, and its only service is the collection and transmission of data, such an arrangement would fall within the definition of the sale of PHI and remuneration will be limited to a reasonable, cost-based fee.[16]

HHS also provided guidance on the types of costs that may be included in the fee charged for data collection and transmission. Specifically, HHS interprets "costs" to include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the PHI, labor and supplies to ensure the PHI is disclosed in a permissible manner, in addition to related capital and overhead costs.[17] A fee for disclosure of PHI for research, if it includes a profit margin, will not be considered reasonable. The covered entity or business associate transmitting the PHI and receiving the fee, and not the IRB overseeing the research, will be responsible for determining reasonable costs.

HHS left largely unresolved a question about how nonfinancial, in-kind benefits will be treated under the new rule. Commenters expressed concern that a broad prohibition on remuneration could prevent covered entities from participating in data collaborations in which they contribute PHI in exchange for access to the combined data to be used for research or quality improvement purposes.[18] HHS did not address these concerns specifically, but did suggest that there may be future guidance issued relating to acceptable fee structures for sharing PHI. It is possible that these data collaboration arrangements, and the remuneration of gaining access to other institutions' data in return for contributing one's own PHI, will be clarified in such future guidance.

Clarification Regarding the Definition of a Business Associate

One of the most significant changes to HIPAA mandated by HITECH is the imposition of certain Privacy Rule and Security Rule requirements on business associates. The new requirements make the determination of whether an entity is a business associate all the more important. In response to public comments to the 2010 NPRM, HHS confirmed that when performing research activities for a covered entity, neither individual researchers nor external or outsourced IRBs (sometimes referred to as "central IRBs") are considered business associates under the Privacy Rule. Research activities are not among the business associate functions listed in the definition of "business associate" in 45 C.F.R and, therefore, the performance of such activities on behalf of a covered entity does not give rise to a business associate relationship. This clarification supports the current trend toward use of central IRBs or external IRBs for collaborative and multi-site trials.

One caveat is that research studies may give rise to business associate relationships depending on the specific type of services being performed on behalf of the covered entity. As the preamble explains, "[A] researcher may be a business associate if the researcher performs a function, activity, or service for a covered entity that does fall within the definition of a business associate, such as the health care operations function of creating a de-identified or limited data set for the covered entity."[19] In other words, if a covered entity uses an external researcher or consultant to de-identify PHI on the covered entity's behalf for research, then a business associate relationship is created because de-identifying PHI is a service for the covered entity. As another example, if researchers within a covered entity want to use cloud storage services to maintain research data including PHI, then such arrangements will require a business associate agreement with the cloud storage company, even if the cloud storage company does not view the PHI.[20] Proactive dialogue among researchers, IRBs, and privacy officers within covered entities will help ensure that business associate arrangements are identified even when they arise in a research context.

Relaxed Research Access to Decedents' PHI

The Privacy Rule historically has protected the PHI of an individual during life, and after death in perpetuity, although the Privacy Rule does contain an exception to allow researchers, if they meet certain conditions, to access and use the PHI of deceased persons.[21] Those conditions include some documentation that the individual whose PHI is sought actually is deceased; assurance from the researcher that the sole purpose for using or disclosing the PHI is for research on the decedents' PHI (and presumably, not for derivative research on the PHI of other, living persons); and assurance that use or disclosure of the PHI is necessary for the research. To use or to disclose to researchers a deceased individual's PHI for research purposes, a covered entity must either obtain assurances consistent with this exception, or obtain authorization from the individual's legally authorized executor or administrator, who is treated as the decedent's personal representative.

Given the difficulty of locating personal representatives, researchers, along with archivists, biographers, and historians, have needed to rely on this exception for research use of decedents' PHI.[22] Yet this requires, even for the PHI of persons who died centuries or decades ago, a process by which the covered entity gathers, records, and preserves the necessary assurances from researchers. In addition, for libraries and other documentary collections held by covered entities, much PHI on deceased persons is held, in incidental mentions and references, in letters, books, or other records that are not medical records themselves. As testimony before the National Committee on Health and Vital Statistics in 2005 demonstrated, the treatment of all PHI of all persons, even those dead for centuries, as equally protected has handicapped and burdened the operation of libraries and documentary collections held by covered entities.[23]

To help address these concerns, HHS has revised 45 C.F.R (f) to limit privacy protection of deceased individuals' PHI to 50 years after death. In choosing the length of time for the limitation, HHS tried to strike a balance between the rights of individuals with a relationship to the decedent who might prefer that the information be kept private and the challenge in obtaining authorizations over time.[24] While researchers still may rely on the separate provision that allows them to make written representations about the need to use decedents' PHI for research, the new 50-year limitation on HIPAA's coverage of decedent PHI is another win for the research community, as it facilitates library management within covered entities and expedites historical studies.

Next Steps

While the Final Rule takes effect on March 26, 2013, covered entities and business associates will have 180 days (until Sept. 23, 2013) to comply with most of the provisions. Entities that conduct research should use this interim time to review and revise their policies, procedures, forms (especially research authorizations), and related training, in order to comply with the Final Rule.

In developing strategies to comply with the new rule, many entities may question whether new authorizations must be obtained from research participants, or other changes are needed for existing, ongoing studies. In helpful commentary, and in response to SACHRP's comments related to a practical need for grandfathering, HHS has recognized this concern and has addressed it. Specifically, HHS has explained:

(1) with respect to the no sale of PHI provision, a covered entity may rely on a research authorization obtained before the compliance date even if remuneration is involved but the authorization does not indicate that the disclosure is in exchange for remuneration;[25]

(2) compound authorizations (which allow combining a clinical trial authorization with an authorization to opt into another research activity such as a repository) are a new option, but are not required, so [p]reviously approved, ongoing studies may continue to rely on the separate authorization forms that were obtained, and for new studies, either separate authorizations or the new compound authorization approach is permissible;[26] and

(3) for studies involving the possibility of future research, [c]overed entities and researchers may rely on an Institutional Review Board-approved consent obtained prior to the effective date of the final rule that reasonably informed individuals of the future research, provided the informed consent was combined with a HIPAA authorization (even though the authorization itself was specific to the original study or creation and maintenance of a repository).[27]

This guidance acknowledges the strong policy interests in not disrupting ongoing research and provides for grandfathering in the above situations.

A further next step for the regulated community is to consider how aspects of this Final Rule compare to other laws, including state laws. For example, most states have breach reporting laws. Covered entities that are subject to their own state laws on this issue as well as the Final Rule will need to assess their breach reporting requirements, including those requirements that may apply when a security or privacy incident arises in research. Similarly, the Common Rule requires reporting of unanticipated problems (which may include significant breaches of privacy), and comparisons will be needed between that requirement and the breach reporting standard under the Final Rule. Other changes in the Final Rule, along with HHS's robust enforcement efforts, also will warrant ongoing attention within the research community to promote compliance and to protect the privacy interests of research participants.

Conclusion

With these recent revisions to the Privacy Rule and official agency interpretations, HHS has effectively answered some significant concerns voiced over the past decade by the national research community, since the advent of the Privacy Rule. These changes should make the drafting of consent and authorization forms for clinical studies more straightforward, and now allow researchers to present prospective research participants with unified, integrated, and more readily understandable consent/authorization forms. The research-focused changes appear, in general, entirely salutary for research efforts, easing formal requirements while continuing to safeguard the privacy interests of patients and subjects.

Notes

[1] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (the "Final Rule"), 78 Fed. Reg. 5566, Jan. 25,
[2] Letter from Mary Faith Marshall, Ph.D., Chairperson of the National Human Research Protections Advisory Committee to the Office for Civil Rights of the Department of Health and Human Services (April 2002), available at
[3] Standards for Privacy of Individually Identifiable Health Information; Final Rule, 67 Fed. Reg. 53,182, at 53,231, Aug. 14,
[4] Id. at 53,
[5] Final Rule at
[6] Letter from Ernest D. Prentice, Chair of the Secretary's Advisory Committee on Human Research Protections, to Tommy G. Thompson, Secretary of Health and Human Services (Sept. 27, 2004), available at sachrp/hipaalettertosecy html
[7] 45 C.F.R (b)(3)(i). Under the original Privacy Rule, enrollment in a clinical trial that includes treatment may be conditioned on the signing of an authorization for use and disclosure of health information gathered in the course of the trial, but outside of the clinical trial context, it is a violation of HIPAA to condition medical treatment on the signing of an authorization. 45 C.F.R (b)(4)
[8] C.F.R (b)(3)(ii).
[9] Final Rule at
[10] Id. at
[11] C.F.R (c)(1)(iv).
[12] Final Rule at
[13] C.F.R (a)(5)(ii)(B)(1)
[14] C.F.R (a)(5)(ii)(B)(1)(ii).
[15] Final Rule at
[16] Id.
[17] Id. at
[18] Id. at
[19] Fed. Reg. at
[20] Fed. Reg. at
[21] C.F.R (i)(1)(iii).
[22] Final Rule at
[23] National Committee on Health and Vital Statistics, Subcommittee on Privacy and Confidentiality, Jan , 2005, available at
[24] Final Rule at
[25] Id. at
[26] Id. at
[27] Id. at


A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

DRAFT BUSINESS ASSOCIATES AGREEMENT

DRAFT BUSINESS ASSOCIATES AGREEMENT DRAFT BUSINESS ASSOCIATES AGREEMENT THIS AGREEMENT is made this day of, 20, by and among, a Corporation organized under the laws of the State of (hereinafter known as "Covered Entity") and organized under

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH Employment, Labor and Benefits and Health Law Advisory JULY 13 2010 Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH BY ALDEN BIANCHI,

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164]

GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164] GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164] OCR HIPAA Privacy The following overview provides answers to

More information

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery

HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery HIPAA: Open Research Issues Michael L. Blau, Esq. McDermott, Will & Emery Research A. General Rules. There are four pathways for covered entities ( CEs ) to obtain permission under the Health Insurance

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

Legislative & Regulatory Information

Legislative & Regulatory Information Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy

More information

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES 1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date

More information

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors Health Care ADVISORY July 16, 2010 HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors On July 8, 2010, the Office for Civil Rights (OCR) of the Department of

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS

RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS RESEARCH INVOLVING DATA AND/OR BIOLOGICAL SPECIMENS 1. Overview IRB approval and participant informed consent are required to collect biological specimens for research purposes. Similarly, IRB approval

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

University of Mississippi Medical Center Office of Integrity and Compliance

University of Mississippi Medical Center Office of Integrity and Compliance Office of Integrity and Effective Date: 2005 By: Committee 1.0 PURPOSE The purpose of this policy is to guide (UMMC) employees, who are involved with research, in obtaining an authorization for the use

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter Agreement ) is between COVERED ENTITY NAME (hereinafter Covered Entity ) and BUSINESS ASSOCIATE NAME (hereinafter Business

More information

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03)

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) Use and Disclosure of PHI: Protected Health Information ( PHI ) may not be used or disclosed in violation of the Health Insurance

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Health Insurance Portability and Accountability Policy 1.8.4

Health Insurance Portability and Accountability Policy 1.8.4 Health Insurance Portability and Accountability Policy 1.8.4 Appendix C Uses and Disclosures of PHI Procedures This Appendix covers procedures related to Uses and Disclosures of PHI. Disclosures to Law

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

New HIPAA Rules: A Guide for Radiology Providers

New HIPAA Rules: A Guide for Radiology Providers New HIPAA Rules: A Guide for Radiology Providers Adrienne Dresevic, Esq and Clinton Mikel, Esq The credit earned from the Quick Credit TM test accompanying this article may be applied to the AHRA certified

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers Disclaimer: The following questions and answers are not legal advice or opinion. They

More information

How To Write A Community Based Care Coordination Program Agreement

How To Write A Community Based Care Coordination Program Agreement Section 4.3 Implement Business Associate and Other Agreements This tool identifies the types of agreements that may be necessary for a community-based care coordination (CCC) program to have in place in

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

UNITED CEREBRAL PALSY OF NORTHWEST MISSOURI NOTICE OF PRIVACY PRACTICES EFFECTIVE DATE: OCTOBER 22, 2014

UNITED CEREBRAL PALSY OF NORTHWEST MISSOURI NOTICE OF PRIVACY PRACTICES EFFECTIVE DATE: OCTOBER 22, 2014 UNITED CEREBRAL PALSY OF NORTHWEST MISSOURI NOTICE OF PRIVACY PRACTICES EFFECTIVE DATE: OCTOBER 22, 2014 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association DISCLAIMER This general information fact sheet is made available

More information

What is Covered by HIPAA at VCU?

What is Covered by HIPAA at VCU? What is Covered by HIPAA at VCU? The Privacy Rule was designed to protect private health information from incidental disclosures. The regulations specifically apply to health care providers, health plans,

More information

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT Revised: July 27, 2015 AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT Welcome to the AmWell Exchange Service (the Service ), which is owned and operated by American Well Corporation, a Delaware corporation

More information

DALLAS ALLERGY & ASTHMA CENTER

DALLAS ALLERGY & ASTHMA CENTER DALLAS ALLERGY & ASTHMA CENTER Gary N. Gross, MD Michael E. Ruff, MD 5499 Glen Lakes Dr., Suite 100 Dallas, TX 75231 Dania A. Wierzbicki, MD Phone: (214) 691-1330 Jane Zepeda, PA-C FAX: (214) 691-6405

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HILLSDALE COLLEGE HEALTH AND WELLNESS CENTER Policy Preamble This privacy policy ( Policy ) is designed to address the Use and Disclosure

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS This Business Associate Agreement (this Agreement ), is made as of the day of, 20 (the Effective Date ), by and between ( Business Associate ) and ( Covered Entity

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( the Agreement ) is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ( Business Associate

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask

More information

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.

More information

HIPAA-P01 Uses and Disclosures of Protected Health Information Policy

HIPAA-P01 Uses and Disclosures of Protected Health Information Policy HIPAA-P01 Uses and Disclosures of Protected Health Information Policy FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions Sanctions ADDITIONAL DETAILS Additional Contacts Web Address

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Form I: HIPAA Notice of Privacy Practices HIPAA NOTICE OF PRIVACY PRACTICES

Form I: HIPAA Notice of Privacy Practices HIPAA NOTICE OF PRIVACY PRACTICES Pg. 4 Form I: HIPAA Notice of Privacy Practices Susan Zaro, LMFT, BCB HIPAA NOTICE OF PRIVACY PRACTICES I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

Business Associates under HITECH: A Chain of Trust

Business Associates under HITECH: A Chain of Trust FAQ on InfoSafe Shredding Services: Frequently Asked Questions on InfoSafe Shredding Information And Video on One Time Cleanouts: Cleanouts and Purges Business Associates under HITECH: A Chain of Trust

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA)

NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Snake River School District No. 52 HIPAA BUSINESS ASSOCIATE AGREEMENT (See also Policy No. 7436, HIPAA Privacy Rule)

Snake River School District No. 52 HIPAA BUSINESS ASSOCIATE AGREEMENT (See also Policy No. 7436, HIPAA Privacy Rule) 5450F1 (page 1 of 6) Snake River School District No. 52 HIPAA BUSINESS ASSOCIATE AGREEMENT (See also Policy No. 7436, HIPAA Privacy Rule) THIS AGREEMENT is entered into on this day of, 20 by and between

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Express Scripts, Inc. and one or more of its subsidiaries ( ESI ), and Sponsor or one of its affiliates ( Sponsor ), are parties to an agreement ( PBM Agreement ) whereby ESI

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES DISCLAIMER This web site is provided for information and education purposes only. No doctor/patient relationship is established by your use of this site. No diagnosis or treatment is being provided. The

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

Notice of Privacy Practices. Human Resources Division Employees Benefits Section

Notice of Privacy Practices. Human Resources Division Employees Benefits Section Notice of Privacy Practices Human Resources Division Employees Benefits Section THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates Legal Update February 11, 2013 Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates On January 17, 2013, the Department of Health

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) This Business Associate Agreement (the Agreement ), dated September 9, 2013, is entered into by and between ( Covered Entity ) and Schuster

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is entered into as of the day of, 2013 by and between RUTGERS UNIVERSITY, a Hybrid Entity, on behalf and for the

More information