1 Montclair State University HIPAA Security Policy Effective: June 25, 2015
4 2. Training. The Security Official will provide for the delivery of training sessions for all current members of the Workforce regarding the Security Rule and this Policy. All individuals who join the Workforce will be trained within a reasonable time after joining the Workforce. Training for existing Workforce members will occur as MSU deems necessary and in accordance with applicable MSU policies or practices. If this Policy is materially changed, MSU will provide training related to the changes as appropriate or necessary for the Workforce within a reasonable time after this Policy is modified. 3. Documentation. The Security Official will document the time, date, place, and content of each training session, as well as the Workforce members who attend each training session. The Security Official will maintain such documentation in HIPAA compliance files for a period of at least six (6) years and shall make it available for inspection by regulatory authorities, as appropriate. IV. PHYSICAL AND TECHNICAL SAFEGUARDS A. Policy 1. MSU will establish and use reasonable and appropriate administrative, technical, and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of applicable Privacy Rule requirements, in compliance with the applicable provisions of the Security Rule and applicable Business Associate Agreement(s). 2. MSU will reasonably safeguard PHI to eliminate impermissible uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. 3. MSU will periodically review the safeguards and will coordinate the safeguards with internal policies and procedures. B. Procedures 1. Physical Safeguards a. Secure Premises. Workforce members will safeguard all e-phi by ensuring that access to MSU s premises and workstations is secure and that auto-screen lock technology is installed on all workstations. b. Access Controls. MSU will create, implement, and maintain access control and validation procedures necessary to limit individual access to areas where e-phi is accessed or maintained. These controls will apply to individuals, including but not limited to Workforce members, maintenance personnel, vendors, and associates. These controls will include, without limitation, to the following: (i) Proper identification of any person being granted physical access to a facility or site through a verifiable source of information, such as government or employer records or authorizing identification; 3
5 (ii) (iii) (iv) (v) (vi) Limitation of access to those sensitive areas where PHI or e-phi are accessed or maintained to only that access that is reasonably necessary for an individual s role or function; Documentation of access authorizations and uses, in addition to ongoing monitoring and maintenance of such records by the Security Official or by his or her designee, as reasonable and appropriate; Issuance of identification tokens, badges, or smart cards that describe a person s identity, his or her approved areas of access, and an expiration date, if applicable; Updates to each individual s access capabilities when the individual s role, responsibility or position changes; and Revocation or limitation of any access authorization in a timely manner when access is no longer needed. c. MSU will develop and implement procedures to ensure that all physical safeguards are reviewed, tested, and revised on a regular basis. 2. Technical Safeguards a. As applicable, technical safeguards will be implemented, such as reasonable and appropriate firewalls, security software, and encryption programs as well as a requirement for unique usernames and passwords for access to MSU computer files and Mobile Devices that contain PHI. Members of the Workforce will have such unique usernames and passwords. b. All e-phi maintained in an MSU , on a MSU hard drive, or on a Mobile Device will be authorized and will necessitate the Workforce to coordinate the activation of MSU s encryption technology to ensure that the e-phi is secure. Workforce are prohibited from accessing Mobile Media containing e-phi using a Personal Device unless the Personal Device contains encryption technology provided by MSU. c. When PHI is removed from electronic media, MSU Workforce will delete all e-phi in a commercially reasonable manner to ensure that the information is permanently unreadable prior to disposal. When a Mobile Device is returned by the Workforce to the University, the Division of Information Technology shall delete all Mobile Media, including but not limited to e-phi, before the Mobile Device is reassigned, returned to the lessor, or disposed. 4
6 V. SECURITY OF ELECTRONIC PHI A. Policy MSU requires reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of e-phi; to protect against any reasonably anticipated threats or hazards to the security or integrity of the e-phi; to protect against any reasonably anticipated uses or disclosures that are not permitted by the Security Rule; and to support Workforce compliance with this Policy and with the Security Rule. MSU will review and modify its security measures as needed and will update documentation of such security measures periodically and as needed. B. Procedures 1. Security Management Process MSU maintains a security management process to prevent, detect, contain, and correct security violations of applications and/or systems that contain e-phi. a. Risk Analysis: MSU will conduct an assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-phi held by MSU, annually or upon a significant change in the system. Such review will include the assessment of the reasonableness of encryption or other enciphering tools. b. Risk Management: On the basis of its risk analysis, MSU will manage risks to its e-phi by limiting vulnerabilities to a reasonable and appropriate level by taking into account various factors such as the complexity of the vulnerability; MSU s technical infrastructure, hardware, software, and security capabilities; the costs of security measures; and the criticality of the e-phi potentially affected. 2. Information System Activity Review MSU will regularly review records of information system activity; such activity may include system and application audit logs, access reports, and other security documentation and reporting set forth in this Policy. The Security Official or another appropriate administrator will regularly monitor access to information systems to ensure compliance with this Policy. Access audit trails will be maintained and reviewed at least annually or in response to suspicious activity to determine whether unsuccessful logons and access attempts are occurring. The Security Official will also periodically run reports of user identification names, send a report to the administrator of the Healthcare Component(s), and update user access after a response. 3. Workforce Security MSU maintains workforce security procedures to ensure that all members of the Workforce have only appropriate access to e-phi. 5
7 a. Authorization and/or Supervision: Unless otherwise permitted by MSU pursuant to a Business Associate Agreement or other written agreement, only appropriate members of the Workforce will be granted access to e- PHI. b. Workforce Clearance Procedures: The Privacy Officer or the Security Official will periodically review which members of the Workforce have access to e-phi to determine whether the access is appropriate. MSU or the Security Official will periodically monitor access logs and audit trails to ensure that the access and use of e-phi by each member of the Workforce is consistent with this Policy and the Security Rule. c. Termination Procedures: If a person employed by or under contract with MSU who has access to e-phi is terminated or resigns, the Workforce member s computer accounts will be disabled, and he or she will return all MSU assets in his or her possession or control, including access codes, control devices and Mobile Devices. 4. Information Access Management To ensure that appropriate access to e-phi is consistent with the Security Rule, only authorized users will be permitted to access devices or platforms containing e-phi that is owned or maintained by MSU. MSU actively manages the rights of the Workforce to access e-phi. To the extent that it is reasonable and appropriate, access to e-phi is limited to members of the Workforce for purposes of carrying out their services for MSU as permitted by the Security Rule and consistent with MSU internal procedures. When a member of the Workforce is permitted access to e-phi, MSU will define the scope of such access based on each Workforce member s need to access such e-phi to perform his or her job functions. MSU will terminate or modify the scope of a member s access as appropriate or necessary due to modified employment position or other applicable rationale. Access to devices or platforms containing e-phi that is owned or maintained by MSU will be restricted through the use of username and password verification according to standards set forth by the the University s Division for Information Technology s Policy on Data Classification and Handling. In addition, MSU will implement auto-screen lock on all Workforce workstations. 5. Mobile Devices and Media a. Protecting Mobile Devices. All users of Mobile Devices and Mobile Media, whether the equipment or media is a Personal Device or is owned by MSU, assume responsibility for ensuring compliance with this Policy. This means that Workforce have an individual responsibility to take the necessary precautions described in this Policy to prevent potential theft of ephi. When traveling, Workforce should be aware of the location and circumstances of the Mobile Device at all times and may additionally take the following measures to protect the Mobile Device: (1) on flights, carry the Mobile Device and Mobile Media in your hand luggage; (2) in a vehicle, lock the Mobile Device and Mobile Media in the luggage compartment when you leave the vehicle; (3) in hotels, lock the Mobile Device and Mobile Media in a safe or cabinet; and (4) in public areas, never leave the Mobile Device and Mobile Media unattended. i. No ephi shall be maintained on Mobile Devices or Mobile Media unless authorized and necessary and Workforce has caused MSU s encryption program/system functions to have been activated to ensure that the ephi is secure. 6
15 information, or I subsequently withdraw my consent to these terms and conditions, I understand and acknowledge that University has the right to physically or remotely remove any and all ephi from my Personal Device. I further understand and acknowledge that in these circumstances that the University has no obligation before exercising this right to prove any disclosure, or threat of disclosure, of any ephi or any other harm to University, or to provide me with any further notice. Likelihood of permanent loss of personal information connected with physical or remote removal procedure. In the event of a removal of ephi from my Personal Device, I understand and acknowledge that it is likely that all or a portion of personal information on my Personal Device (for example, my contacts, audio files, video files, applications, or photos) may be permanently deleted or destroyed. I further understand and acknowledge that University recommends that I save or store such personal information on another device or on other equipment to avoid its permanent deletion or destruction, and I undertake the sole responsibility to do this. Should I fail to do this, I accept the risk that personal information may be permanently deleted or destroyed as described above. Mobile device security compatibility. I agree that I will download and install all applications that University may require in order to permit my Personal Device to access University s systems and networks or to otherwise gain access to ephi. I agree to keep the device current with security patches and updates as approved by University and will not jail break the device (installing software that allows the user to bypass built-in security features and controls). I understand that to ensure that my Personal Device continues to meet information security requirements, University s mobile device management software may be used to periodically verify that my Personal Device has the required applications installed and that it continues to meet compatibility requirements including operating system requirements. I understand that the applications may require use of a unique password and/or another authentication process in order for my Personal Device to access or use University s systems and information. Duty to take reasonable security measures and report loss, theft or unauthorized access. In order to protect ephi, I agree to use a PIN code or unique password access system on my Personal Device. I further agree to employ other reasonable measures to protect my Personal Device against unauthorized use. For example, to not leave my Personal Device unattended in a visible or accessible place, not use it on networks that are not specifically known by me to be secure, and not accept or download content from suspicious or unknown sources. In the event that my Personal Device is lost or stolen or an unauthorized third party gains access to it or to my University account or ephi via my Personal Device, I agree to immediately report this to my supervisor or directly to University s Privacy and Security Official. Leaving University or changing mobile devices. I agree that if I leave the University, or if I change my mobile device, all ephi must be permanently removed from the Personal Device. I agree that the University may physically remotely access my Personal Device to confirm compliance with this provision. Duty to limit third party use. I agree not to permit any third party to use my Personal Device to access my University s account or, or University systems or networks which contain ephi, and shall refrain from sharing with or allowing any third party to access any ephi stored on or accessible from my Personal Device. Limitation of University s liability. I understand and acknowledge that to the fullest extent possible under applicable laws, the University shall not be liable to me or to any third party for any loss or damage caused by or arising directly or indirectly in connection with, or related to, my use of a Personal Device for professional work purposes, nor in connection with University exercising its right to conduct a physical or remote removal of or access to information on my Personal Device. I hereby waive, to the 14
16 fullest extent possible under applicable laws, any and all rights to make any claim whatsoever against the University for any such loss or damage. By signing this form, I expressly consent to and agree with the above terms and conditions associated with using a Personal Device for professional work purposes to access ephi. I understand that if I am an employee or volunteer and I breach the terms of this form, I may be subject to disciplinary action, up to and including the termination of my employment and/or contract with the University without notice or payment in lieu of notice. I understand that if I am a student of the University and I breach these terms, I may be subject to discipline under the Student Code of Conduct. Date Workforce Member Signature 15
17 TABLE OF CONTENTS Page I. DEFINITIONS... 1 II. SECURITY OFFICIAL AND CONTACT PERSON... 2 III. WORKFORCE TRAINING... 2 IV. PHYSICAL AND TECHNICAL SAFEGUARDS... 3 V. SECURITY OF ELECTRONIC PHI... 5 VI. SANCTIONS FOR VIOLATIONS OF SECURITY POLICY... 8 VII. UNAUTHORIZED DISCLOSURES OF PHI... 8 VIII. DISCLOSURES OF PHI TO BUSINESS ASSOCIATES... 9 IX. STATE LAW PREEMPTION... 9 X. RECORD RETENTION AND DISPOSAL XI. EXHIBIT A..11 -i-
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...
LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into as of (the Effective Date ), by and between ("Covered Entity") and Acuity Scheduling, Inc. ("Business Associate").
UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. email@example.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
Level 2 & 3: Product 1/2 Business Associates Agreement Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date This Business Associate Agreement is made as of the
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap
STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered
The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,
SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.
DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment
Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,
Below you will find the following sample policies: Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template) *Log in to erisk Hub for
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is between you, a healthcare provider, its employees and agents ( Covered Entity ) and Doc Halo, LLC ( Business Associate ).
PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:
BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
Exhibit 2 Business Associate Addendum This Business Associate Addendum ( Addendum ) governs the use and disclosure of Protected Health Information by EOHHS when functioning as a Business Associate in performing
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)