CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Size: px
Start display at page:

Download "CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy"

Transcription

1 CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc.

2 TABLE OF CONTENTS ARTICLE I. Introduction 1 A. Purpose and Application 1 B. Policy Effective Date 1 ARTICLE II. Definitions 1 ARTICLE III. Summary of Policies 4 ARTICLE IV. Minimum Necessary Rule 6 A. General Rule 6 B. Criteria for Determining Minimum Necessary 6 C. Exceptions to Minimum Necessary Requirement 6 ARTICLE V. Safeguarding Protected Health Information 7 A. General Rule 7 B. Physical Security 7 C. Electronic Security 8 D. Security of Specific Materials and Communications 10 E. Remote Access to PHI 14 F. Authorization Required 14 ARTICLE VI. Individuals Rights Regarding Protected Health Information 15 A. Privacy Notice 15 B. Access to Protected Health Information 15 Page 2

3 ARTICLE I. INTRODUCTION A. Purpose and Application This HIPAA Privacy Policy ( Privacy Policy or Policy ) reflects practices that have been adopted by Creative Solutions in Healthcare, Inc. ("CSH") to protect the Protected Health Information (PHI) of it's Plan Participants medical information. This Privacy Policy is intended to comply with the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), as it pertains to health information privacy, and in conformity with the Health Information Technology for Economic and Clinical Health Act ( HITECH ) as part of the American Recovery and Reinvestment Act of The United States Department of Health and Human Services (HHS) issued complex HIPAA privacy regulation referred to as the Privacy Rule. Modifications to the Privacy Rule are expected from time to time, some of which may require amendment of this Policy. The Privacy Policy applies only to PHI that is created or received by CSH. All employees of CSH who perform healthcare functions, hereinafter referred to as Responsible Employees, are bound by this Policy. Business Associates who perform activities on behalf of CSH must also comply with this Policy, all applicable federal and state laws, and as set forth in their Business Associate contracts if applicable. B. Policy Effective Date This Policy is effective as of the HIPAA Compliance Date, and HITECH Compliance Dates, respectively. ARTICLE II. DEFINITIONS 1. ARRA the American Recovery and Reinvestment Act of 2009 which enacted Title VIII of the ARRA, known as the Health Information Technology for Economic and Clinical Health Act (HITECH). 2. Authorization an Individual s specific written permission. 3. Breach (of security or privacy) a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. PHI may not be used or disclosed without the individual s prior written authorization. 4. Business Associate a third party agent who creates or receives PHI on the covered entity s behalf; a person or entity, other than an employee of CSH or of a Health Plan, who performs or assists in the performance of a function or activity involving the use or disclosure of PHI from or on behalf of CSH. Such functions or activities include, but are not limited to, claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, repricing, and other professional services. Business Associate also includes all employees of the Business Associate who perform or assist in the performance of functions on behalf of CSH. A list of Business Associates is maintained by the Privacy Officer. Business Associates must comply directly with HIPAA s Security Rules and 3

4 comply with the business associate provisions of HIPAA s Privacy Rules, and ensure that their Business Associate agreements conform to the new mandates of the HITECH Act. Business Associates must notify the covered entity of any breach and provide the identity of all affected individuals. 5. Company Creative Solutions in Healthcare, Inc.. 6. Covered Entity a health plan, a health care clearinghouse, or a Health Care Provider that transmits health information in electronic form in connection with a Transaction covered under HIPAA. 7. De identified Information health information that does not include any of the following identifiers of the Individual or the Individual s relatives, employers, or household members: (a) name; (b) geographic subdivision smaller than a state (except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000); (c) (d) (e) (f) (g) (h) (i) (j) month and day of birth and other personal dates; telephone number; fax number; e mail address; social security number; medical record number; CSH beneficiary number; account number; (k) certificate or license number; vehicle identifier (including serial or license plate number); (l) (m) (n) device identifier; serial number; Web Universal Resource Locator; Internet Protocol address number; (o) biometric identifier; 4

5 (p) (q) full face photographic image; or any other unique identifying number, characteristic, or code. Health information is also De identified Information if a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; provided that the results of the analysis that justify such determination are documented by such person. 8. Designated Record Set records that include PHI maintained by or for a Health Plan that pertains payment, claims adjudication, medical or case management, and other information used to make healthcare related decisions about Individuals. 9. Electronic Health Record electronic record of health related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff. 10. Electronic Transmissions includes transactions using all forms of electronic media. Such transactions include the transfer of information over the Internet (wide open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial up lines, and private networks. Electronic Transmissions include magnetic tape, disk, or compact disc media. 11. Encryption the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached. 12. Health Care Operations activities related to the covered entity's functions as a health care provider and include general administrative and business functions necessary for the ocvered entity to remain a viable business. 13. Health Care Provider a person or entity that provides, bills for, and/or is paid for providing medical or health services. 14. HHS The United States Department of Health and Human Services, the agency charged with interpreting and enforcing the Privacy Rule. 15. HIPAA the Health Insurance Portability and Accountability Act of 1996 (as amended), and the regulations promulgated thereunder. 16. HIPAA Compliance Date April 14, 2003, or such other date as set forth under the HIPAA regulations or other HHS guidance, or any related legislative or regulatory action. 17. HITECH the Health Information Technology for Economic and Clinical Health Act enacted February 17,

6 18. Individual a person who is the subject of the PHI. 19. Minimum Necessary the standard described in this Policy to limit PHI that is accessed, requested, used, disclosed, created, or transmitted. 20. Notice a written description of CSH s uses and disclosures of Individuals PHI that satisfies the requirements of and is distributed. 21. Privacy Rule The provisions of HIPAA that address health information privacy and security. 22. Protected Health Information (PHI) individually identifiable health information that (i) relates to the past, present, or future physical or mental condition of an Individual, provision of health care to an Individual, or payment for such health care; (ii) can either identify the Individual, or there is a reasonable basis to believe the information can be used to identify the Individual. ARTICLE III. SUMMARY OF POLICIES The following policies are hereby adopted by CSH: 1. CSH will not use or disclose PHI other than as permitted or required by this Policy, or as required by law; 2. CSH will ensure that any agents to whom CSH provides PHI agree to be bound by the same requirements with respect to such PHI; 3. CSH will report to CSH any affected individuals, any use or disclosure in violation of this Policy about which CSH becomes aware; 4. CSH, in the event of a breach of security, will promptly notify each affected individual that such secure PHI may have become compromised or unsecured; 5. In the event that a breach involves 500 or more individuals, CSH will notify the Department of Health and Human Services contemporaneously with the notification of the affected individuals; 6. In the event that the breach in the security of PHI involves fewer than 500 individuals, CSH shall keep a log and produce such log to the Department of Health and Human Services no later than March 1 of the following calendar year; 7. In the event that the breach in the security of PHI involves 500 or more individuals from the same state or jurisdiction, CSH will notify prominent media outlets serving the state or jurisdiction contemporaneously with notifying the affected individuals in the form of a press release; 8. Notices of any breach of security or privacy will be delivered as soon as reasonably possible but not more than sixty days after discovery of the breach; 6

7 9. Notices of any breach of security or privacy of PHI shall state (a) a brief description of the incident including the date and date discovered; (b) the types of unsecured PHI involved in the breach; such as social security number, date of birth, and diagnosis; (c) the steps the affected individuals can take to reduce the risk of harm from the breach; (d) a brief description of CSH s or other covered entity s investigation and efforts to mitigate harm to the affected individual; (e) steps taken to prevent a recurrence of the breach; and (f) contact information for obtaining additional information; 10. CSH will make PHI available to the individual to which it refers or inspection or copying; 11. CSH will make PHI available for amendment and will incorporate any amendments into PHI; 12. CSH will make PHI available to provide an accounting of disclosures; 13. CSH will accommodate an individual s written requests for access to his or her individual electronic protected health information, and will, upon written request by that individual, send a copy of their electronic health record to a third party; 14. CSH, upon an individual s written request, will not disclose PHI for payment or health care operations if the individual has paid out of pocket for the service; 15. CSH shall provide an accounting of disclosures of electronic health records for treatment, payment, and health care operations during the three year period preceding the request of an individual; 16. CSH will not sell or otherwise disseminate PHI without valid authorization from the individual; 17. CSH will make its internal practices and records related to the use and disclosure of PHI available to HHS for purposes of determining compliance with the Privacy Rule; 18. CSH shall make every effort when feasible to store all PHI in electronic PHI form, and shall utilize technology to store and encrypt such information as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached; 19. The media on which the PHI is stored or recorded shall be destroyed by either shredding for paper, film or other hard copy media, or electronic media shall have been cleared, purged or destroyed such that it cannot be retrieved; 20. CSH will destroy all non electronic PHI maintained by CSH and will retain no copies when no longer retained (and, if not feasible, will limit further use and disclosure to the purposes that make return or destruction infeasible); and ARTICLE IV. MINIMUM NECESSARY RULE 7

8 A. General Rule A Responsible Employee or Business Associate is permitted to use, request, disclose, access, receive, create, and/or transmit (collectively, use or disclose ) PHI for purposes set forth in this Policy. When using and disclosing PHI to or from any person, a Responsible Employee or Business Associate must make reasonable efforts to use and disclose only the Minimum Necessary amount of PHI to achieve the particular purpose, and use limited data sets to accomplish the same business purpose for use of the PHI. In addition to limiting the PHI to limited data sets for PHI, a Responsible Employee or Business Associate must take steps to ensure that only the person(s) needing the PHI for the intended purpose receives it. This duty applies regardless of whether such recipients are other Responsible Employees, Business Associates, or other persons to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI. If a Responsible Employee or Business Associate is the recipient of PHI, he or she should process, copy, or record such PHI without disclosing it to others, unless such disclosure is necessary for the intended and permitted purpose. CSH, Responsible Employee or Business Associate shall comply with the directives of the Secretary of HHS which may be issued from time to time, for guidance on the minimum necessary standard. Prior to any disclosure of PHI in response to a request, the Responsible Employee or Business Associate must take reasonable steps to verify the identity and authority of the person requesting such information. B. Criteria for Determining Minimum Necessary The following criteria apply in determining whether a proposed Transaction involving PHI complies with the Minimum Necessary requirement: 1. whether the intended use or disclosure of the PHI is necessary for Payment, and Health Care Operations, or another permitted function under this Policy to which the Minimum Necessary rule applies; 2. whether the intended purpose could be served adequately if fewer people were permitted access to (e.g., to use or receive disclosure of) the PHI; 3. whether the intended purpose could be served adequately if less PHI is used or disclosed; and 4. whether the method for transmitting the PHI reasonably ensures that it is received only by the intended recipient. C. Exceptions to Minimum Necessary Requirement The Minimum Necessary rule does not apply to the following Transactions: 8

9 1. disclosure to or requests by a Health Care Provider for treatment purposes; 2. disclosure to the Individual 3. disclosures to the Secretary of Health and Human Services 4. uses and disclosures required by law including disclosures necessary to comply legal or law enforcement purposes; and 5. uses and disclosures for which the Individual has given authorization. ARTICLE V. SAFEGUARDING PROTECTED HEALTH INFORMATION A. General Rule When using or disclosing PHI, a Responsible Employee or Business Associate must take reasonable steps to safeguard the PHI and keep it confidential, and to ensure that it is not intentionally or unintentionally used or disclosed for a purpose or in a manner inconsistent with this Policy. Any breach of security of PHI must be reported to the Privacy Officer, who will (1) act as necessary to maintain the security of any PHI including electronic PHI, (2) take such action as he or she deems appropriate to prevent any similar breach in the future, (3) take steps necessary to mitigate any damages caused by the breach, (4) impose appropriate sanctions against the Responsible Employee accountable for the breach, and (5) notify the affected individuals and federal and/or state authorities or media outlets as the incident may warrant. If the Privacy Officer determines that sanctions against the Responsible Employee causing such breach are warranted, he or she will consult with the individual s supervisor. All sanctions issued for a breach of this Policy, and any applicable sanctions and actions taken to prevent similar breaches, will be documented by the Privacy Officer. No Business Associate is permitted to create or receive PHI on behalf of a Health Plan unless the Business Associate has certified that it maintains reasonable procedures to safeguard PHI. B. Physical Security PHI in physical form (e.g., printed material, notes, computer disks and other physical storage media) to the extent it exists and has not been destroyed, will be maintained and stored by CSH on its premises and/or on the premises of a Business Associate that has certified that it maintains reasonable procedures to safeguard PHI. In the case of electronic PHI, (ephi), CSH shall implement technological safeguards and when feasible encryption processes and software to protect ephi. 1. Building Access 9

10 Access to premises on which Health Plan PHI is maintained or stored will be restricted. Persons regularly employed on the premises will be issued and display identification cards or electronic or photographic key cards, or will otherwise be required to register with building security personnel, in a manner that permits the identification and screening of persons entering the building. Identification or key cards, pass keys, or other means of access will be issued and maintained in accordance with building security policies. Visitors entering the building will also be required to sign in and show valid identification to building security personnel in accordance with building security policies so as to permit identification and screening of others entering the building. Entry will be denied to any person who does not have legitimate business on the premises. 2. Protection of PHI Stored in Physical Form When not required to be readily available for use by a Responsible Employee or Business Associate, and to the extent such PHI cannot be immediately destroyed, or shredded after use, PHI maintained in physical form must be stored in a locked filing cabinet, locked office or similarly secure repository dedicated to the storage of PHI. The Privacy Officer will maintain a log of such filing cabinets, offices or similar repositories where PHI is stored and, for each such filing cabinet, office or repository, (1) the general nature of the PHI stored therein, (2) each Responsible Employees maintaining keys, and (3) the Responsible Employees (by general job description or title) authorized to access such stored PHI in the normal course of their duties. A Responsible Employee may access a filing cabinet, office or repository in which PHI is stored only if he or she is authorized to do so or is acting under the direct supervision of such a Responsible Employee. Duplicate keys will be maintained for each such filing cabinet, office or similar repository to assure that the PHI will be available for access when needed. Responsible Employees must take reasonable steps to secure PHI in physical form when not in use. PHI must not be visible when a Responsible Employee is away from his or her work area for a significant amount of time. If a Responsible Employee shares a work area with someone who is not a Responsible Employee, PHI maintained in physical form must be stored in a locked filing cabinet, office or similar repository dedicated to the storage of PHI. The Privacy Officer will monitor the Responsible Employees authorized to access such stored PHI in the normal course of their duties. A Responsible Employee may access a filing cabinet, office, or repository in which PHI is stored only if he or she is authorized to do so or is acting under the direct supervision of such a Responsible Employee. C. Electronic Security ephi, or PHI in electronic form (e.g., e mail, databases, and computer files containing PHI) will be maintained and stored in a secure manner and in conformity with HITECH and all such rules promulgated by the Department of Health and Human Services. Electronic backup systems must be secured in accordance with HITECH and safeguarded through the use of technology including if possible encryption programs to protect the ephi, and in conformity with CSH s communication systems policies. PHI and ephi may be maintained or stored by a Business Associate that has certified that it maintains the required technical safeguards including encryption technology pursuant to Federal Law. Electronic Transmissions containing PHI must, to the extent reasonably possible, be protected to prevent interception by parties other than the 10

11 intended recipient, or access by unauthorized users, consistent with the Information Security Policy. 1. Access to Electronic PHI Access to PHI in electronic form will be restricted to Responsible Employees who have a need to access such information in the normal course of their duties. Responsible Employees may access such electronic PHI on authorized computers including applicable procedures regarding password protection, encryption procedures, periodic back up, and virus protection. Responsible Employees with remote access to electronic PHI must protect PHI. All computer files and databases containing PHI received, created, or maintained by CSH in electronic form which require access by more than one Responsible Employee or which may be accessed by a Business Associate or Covered Participant will be maintained on a secure network. Access to files, databases, and other PHI in electronic form will be password protected and will be available only to authorized Responsible Employees or Business Associates who need to access such PHI in the course of their duties within the requirements of the HITECH Act. A Responsible Employee who discloses his or her password to another person (other than upon request to an authorized employee in the information systems department for security or systems maintenance purposes) may be subject to sanctions under this Privacy Policy and under CSH s Progressive Discipline program. Upon termination of a Responsible Employee, or upon a change or reassignment of an employee whose job functions have changed so that he or she is no longer a Responsible Employee, he or she shall be removed from authorized entry into any files, databases and other PHI maintained in electronic form. Such terminations shall be reported to an appropriate Responsible Employee in the information systems department, who will adjust such former Responsible Employee s access to electronic PHI accordingly. Employees in the Human Resources Information Technology Department may have access to files, databases and other PHI in electronic form solely as necessary for security and systems maintenance purposes. Such employees will be treated as Responsible Employees will be trained on maintaining the security of PHI. Any outside entity (including Business Associates) retained to perform information technology services will not be permitted access to any files, databases, and other PHI in electronic form, except as necessary. Such access will be approved by the Privacy Officer and will be performed under the direct supervision of authorized personnel within the information systems department. 2. Electronic Transmissions of PHI A Responsible Employee who performs Electronic Transmissions as part of his or her job functions, or a Business Associate contracted to perform Electronic Transmissions on behalf of a Health Plan, may engage in a Transaction involving the Electronic Transmission of PHI if the following conditions are met: (a) The Responsible Employee or Business Associate has determined that the Transaction is permitted under Privacy Policy; and 11

12 (b) The Responsible Employee or Business Associate has received reasonable assurances that the intended recipient has appropriate control of and access to the computer(s) receiving the Electronic Transmission. Whenever possible, an Electronic Transmission of PHI will meet the following criteria: (c) For non open networks, either access control (password protection) or encryption will be used to prevent parties other than the intended recipient from intercepting messages; and (d) Both open and non open networks will have integrity controls which ensure the validity of the information being transmitted or stored. In addition, there will be an error message which reports abnormal conditions within a system and either locally or remotely signals such abnormality; an audit trail; an authentication of the user which denies access to unauthorized users and identifies authorized users; and event reporting which documents operational irregularities or the completion of a task. D. Security of Specific Materials and Communications 1. Printed/Written Material (a) Generally Responsible Employees and Business Associates must destroy or shred printed or written material whenever possible, or be converted to ephi format, and maintained in accordance with the HITECH Act, maintain secure printed or written materials containing PHI in designated secure locations when not in use. When printed materials are in use, the Responsible Employee or Business Associate must take reasonable steps to ensure that such materials are viewable only by the Responsible Employee or Business Associate. For example, if a Responsible Employee or Business Associate has PHI in printed material on his or her desk, he or she should put away the material or otherwise make sure that PHI is not in plain view before leaving his or her immediate work area for any significant amount of time. Printed materials containing PHI that is maintained or stored at a premises must be placed in locked file cabinets after business hours. If another person enters a Responsible Employee s or Business Associate s immediate work area while the Responsible Employee or Business Associate is viewing PHI, the Responsible Employee or Business Associate should remove the PHI from the view of the other person (other than a Responsible Employee or Business Associate whose duties include the matters to which the PHI relates) if it is reasonable to do so. Under no circumstances may printed material containing PHI be removed from a Responsible Employee s work site without the approval of a Level I Responsible Employee. Printed or written material containing PHI that is (i) created or received by a Responsible Employee or Business Associate, and (ii) is not part of a Designated Record Set or otherwise necessary or intended to be part of the Individual s file, such as personal notes not required to be retained, will be shredded or placed into a locked disposal receptacle and destroyed. (b) Mail 12

13 Interoffice, intercompany, or outside mail addressed to a Health Plan (or known to relate to a Health Plan) and sent to CSH must be delivered only to Responsible Employees. Any other correspondence addressed to CSH that contains PHI must be forwarded to an appropriate Responsible Employee. Mail likely to contain PHI sent to a Business Associate shall be handled and processed in accordance with guidelines established by the Business Associate to reasonably ensure compliance with the Minimum Necessary rule. If mail not addressed to a Health Plan is later determined to contain PHI, the mail must be forwarded to a Responsible Employee. Mail containing PHI should be handled and stored in accordance with the general guidelines for printed materials as discussed herein. A Responsible Employee or Business Associate must take reasonable steps to verify that the addressee is a person or persons to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI, as described in this Health Plan Privacy Policy. Thus, the Responsible Employee or Business Associate may not routinely copy other persons to whom an Individual directed his or her correspondence (whether as cc or directly) on outgoing correspondence containing PHI. Instead, the Responsible Employee or Business Associate first must consider whether the persons copied on the original correspondence are authorized to receive the PHI, keeping in mind that by merely directing correspondence to such persons, the Individual did not give Authorization for the Responsible Employee or Business Associate to disclose PHI to them. Outgoing mail should be addressed to the Individual at his or her address of record with CSH, unless the Responsible Employee or Business Associate is directed to address mail to an alternate address. Outgoing mail to a Responsible Employee or Business Associate should be sent to the Responsible Employee s or Business Associate s business address. Outgoing correspondence containing PHI mailed to a Health Care Provider, non Company health plan, or other third party should be sent to the address provided by the requestor. A Responsible Employee or Business Associate that mails material containing PHI must ensure that no PHI is visible from the outside of the envelope. Once known to contain PHI, mail must be marked confidential. CSH assume that only the person(s) to whom mail correspondence is addressed or another Responsible Employee under his or her supervision will receive and open the correspondence. (c) Faxes and Print Jobs A Responsible Employee or Business Associate must take reasonable steps to ensure that all incoming faxes and print jobs containing PHI are retrieved and viewed only by the Responsible Employee or Business Associate who is the intended recipient, or by another Responsible Employee under his or her supervision. A Responsible Employee or Business Associate who transmits a fax containing PHI must take reasonable steps to verify that the fax is addressed to a person to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI as described in this Health Plan Privacy Policy. PHI should be faxed to an Individual only upon the Individual s express request, and if the Individual represents that only he or she will have access to retrieve the fax. PHI may be faxed only to a Responsible Employee s or Business Associate s business fax number. Faxes to a Health Care 13

14 Provider, non Company health plan, or other third party should be sent to the number provided by the requestor. A Responsible Employee or Business Associate must advise third parties to send faxes to a secured fax machine accessible to the Responsible Employee or Business Associate. If a Responsible Employee or Business Associate knows that a fax containing PHI is being sent to him or her, then the Responsible Employee or Business Associate must timely retrieve the fax and safeguard the document. If a Responsible Employee or Business Associate prints a document containing PHI, then he or she must timely retrieve it and safeguard the document. Electronic Information (d) Generally All electronic PHI shall be secured such that specific security measures have been implemented such as encryption programs and other technology has been incorporated to safeguard ephi. Security measures must be in place that would make the ephi untenable, unreadable or indecipherable. Responsible Employee or Business Associate must store tapes and other physical storage media containing PHI in designated secure locations. A Responsible Employee or Business Associate must take reasonable steps to ensure that PHI displayed on his or her monitor is viewable only by the Responsible Employee or Business Associate. For example, if a Responsible Employee has PHI displayed on his or her computer screen, he or she should close the window containing the PHI and lock the computer before leaving his or her immediate work area. (e) E Mail A Responsible Employee or Business Associate who transmits mail electronically must take reasonable steps to verify that each intended recipient is a person to whom the Responsible Employee or Business Associate is required, permitted or authorized to disclose PHI as described in this Health Plan Privacy Policy. If an e mail contains PHI, the Responsible Employee or Business Associate also must take reasonable steps to verify that the intended recipient has sole access to the addressee e mail account, unless the e mail is directed to an account accessed by a number of Responsible Employees or Business Associates who are permitted to use the PHI to perform Health Plan functions. If the e mail address is a Company address, the Responsible Employee or Business Associate may assume that the recipient has sole access, or if there are multiple persons with access to CSH e mail account, that all such persons are Responsible Employees with a legitimate reason to view any incoming e mail messages. A Responsible Employee or Business Associate may not routinely copy other persons to whom an Individual directed his or her e mail (whether as cc or directly) on outgoing e mail that includes PHI. The Responsible Employee or Business Associate first must consider whether such persons copied on the original e mail are authorized to receive the PHI, keeping in mind that by merely directing correspondence to such persons, the Individual has not given his or her 14

15 Authorization for the Responsible Employee or Business Associate to disclose PHI to such persons. All e mail to an Individual should be sent to the e mail account on record with CSH or to the e mail address specifically provided by the Individual. E mail to a Responsible Employee or Business Associate must be sent to a business e mail address. Messages to a Health Care Provider, non Company health plan, or other third party should be sent to an e mail address provided by the requestor. The Responsible Employee must take reasonable steps to verify the identity of the recipient before sending communications via e mail. A Responsible Employee or Business Associate must advise third parties to send e mail containing PHI to a business e mail account accessible only by the Responsible Employee or Business Associate (and such other Responsible Employees and Business Associate employees with a legitimate need to use or access such PHI in the performance of Health Plan functions). 2. Telephonic and Other Verbal Communication (a) Generally A Responsible Employee or Business Associate must take reasonable steps to ensure that persons who do not have a legitimate need to know the content of the conversation do not overhear telephone and other verbal conversations in which PHI is discussed. For example, conferences in which PHI is discussed generally should be conducted in a closed room or in a low tone of voice unlikely to be overheard. Before engaging in a conversation in which a Responsible Employee or Business Associate may disclose PHI, the Responsible Employee or Business Associate must take reasonable steps to verify that all of the other parties on the telephone line or present for the conversation are persons to whom the Responsible Employee or Business Associate is required, permitted, or authorized to disclose PHI, as described in this Policy. If the caller is the Individual and another person is on the line, or if another person is present during an in person conversation, the Responsible Employee or Business Associate must not discus the Individual s PHI except as permitted. Recordings A Responsible Employee or Business Associate who leaves a recorded message containing PHI must take reasonable steps to verify (i) that each intended recipient is a person to whom the Responsible Employee or Business Associate is required, permitted or authorized to disclose PHI, as described in this Policy; and (ii) that the intended recipient (or the intended recipient and other persons authorized to view the PHI, e.g., a person permitted to access the Individual s PHI pursuant to an Authorization) has sole access to the answering machine. If this cannot be verified, the Responsible Employee or Business Associate must limit the message to one that does not contain PHI. A Responsible Employee or Business Associate may leave a recorded message containing PHI for another Responsible Employee or Business Associate at the Responsible 15

16 Employee s or Business Associate s business phone number. A Responsible Employee or Business Associate may leave a recorded message containing an Individual s PHI on an Individual s home answering machine only if the answering machine message indicates that it is the answering machine for the Individual (or his or her residence), and the Individual has instructed the Responsible Employee to leave the message. If the Individual is a Company employee, the Responsible Employee or Business Associate may leave a message with PHI in the Individual s Company provided voice mail box, unless the Individual directs otherwise. A Responsible Employee or Business Associate must use only the Responsible Employee s or Business Associate s business voice mailbox for conducting Health Plan business. Such voice mailbox must be accessible only to the Responsible Employee or Business Associate (and such other Responsible Employees and Business Associate employees with a legitimate need to use or access such PHI in the performance of Health Plan functions). E. Remote Access to PHI A Responsible Employee or Business Associate who remotely accesses PHI is subject to all applicable requirements of this Policy. PHI may be remotely accessed electronically using a secured, encrypted connection. Responsible Employees and Business Associates who work remotely must restrict access to the area in which PHI is used, maintained, or stored. When not required to be readily available for use by a Responsible Employee or Business Associate, PHI maintained in physical form must be reasonably secured and must not be left in open view for any significant period of time. The Responsible Employee or Business Associate must take steps to ensure that PHI used and stored in the off site work area cannot be accessed by others, including the Responsible Employee s or Business Associate s family members. All PHI received or created by a Responsible Employee or Business Associate who is working remotely must be secured and accounted for consistent with this Health Plan Policy. If a Responsible Employee or Business Associate creates or receives any PHI that is part of the Designated Record Set, such PHI must be stored and maintained on the appropriate system or on CSH s or the Business Associate s premises. Individuals Authorizations F. Authorization Required Generally, CSH will not use or disclose PHI without an Individual s Authorization. Each such use or disclosure must be consistent with the Authorization given for that use or disclosure. A Health Plan will request an Authorization if there is a need to disclose PHI for reasons not otherwise permitted. If a Health Plan requests the Authorization then the Individual must be provided with a copy of the Authorization.. ARTICLE VI. INDIVIDUALS RIGHTS REGARDING PROTECTED HEALTH INFORMATION An Individual has a number of rights under the Privacy Rule, including the right to a privacy Notice containing the Health Plan s legal duties regarding uses and disclosures of PHI, 16

17 the right to access and amend PHI in a Designated Record Set, the right to request restrictions on uses and disclosures of PHI, and the right to an accounting of certain uses and disclosures of PHI. Under no circumstances will Health Plan enrollment or benefit payment be conditioned on an Individual s waiver of his or her rights under the Privacy Rule.. A. Privacy Notice CSH, on behalf of CSH, must notify Individuals of the Health Plan s permissible uses and disclosures of their PHI and of the Individuals rights and the Health Plan s legal duties with respect to PHI. The terms of the Notice also bind all Business Associates, to the extent the Business Associates use or disclose PHI on behalf of a Health Plan. The Notice must be provided to each Individual by the HIPAA Compliance Date and for new enrollees after the HIPAA Compliance Date at the time of enrollment. The Notice must also be posted on CSH s website where Health Plan information is available. Each covered dependent of a Covered Participant will be deemed to have received a copy of the Notice if the Notice is provided to the Covered Participant. The Notice must be revised whenever there is a material change to the uses and disclosures, Individuals rights, the Health Plan s duties, or other privacy practices stated in the Notice. Revised Notices must be distributed to Covered Participants and will be posted on CSH s website within 60 days of the material change. The Privacy Officer must maintain a copy of each version of the Notice for a period of at least six years from the date last effective. Once every three years, CSH must notify Covered Participants of their right to obtain a copy of the Notice and how to do so. If the Covered Participant agrees, delivery of the Notice may be electronic. If the Health Plan becomes aware that electronic delivery has failed, a paper copy must be provided. All Individuals have the right to request a paper copy of the Notice by making a request to the Privacy Officer.. B. Access to Protected Health Information CSH must permit an Individual to inspect and obtain a copy of his or her PHI maintained by CSH (including all Business Associates) within the Designated Record Set, except for information compiled in preparation for legal proceedings. A request for access must be made in writing and submitted to the Privacy Officer or Business Associate.. If access is granted, the Health Plan will provide timely access to the Individual s PHI in the standard form or format established by the Health Plan, unless another form or format is specifically requested by the Individual. If the form or format requested by the Individual is not readily producible, access to the PHI will be provided in form or format agreed to by the Health Plan and the Individual. If the Health Plan charges a fee to copy and/or mail the requested PHI, the Individual will be notified of the fee in advance. 1. Timing of Response and Providing Access 17

18 Within 30 days (or 60 days if the requested PHI is not maintained or accessible on site) of receiving the request, the Privacy Officer must provide either the requested access, a written denial notice, or a written notice that an extension of time is needed to respond to the request. If a decision cannot be made within 30 days (60 days) of the request, CSH can extend the time limit by up to 30 additional days, as long as the Individual is notified in writing of the reason for the delay and the additional time needed to comply before the expiration of the first 30 day (60 day) period. If a Business Associate maintains the requested information for a Health Plan, the Privacy Officer will instruct the Business Associate to provide the Privacy Officer or the requesting individual directly with copies of the PHI so that the requested access can be provided within these time frames. 18

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

AMENDMENTS TO HIPAA POLICIES AND PROCEDURES OF THE ROMAN CATHOLIC ARCHDIOCESE OF BOSTON HEALTH BENEFIT PLAN

AMENDMENTS TO HIPAA POLICIES AND PROCEDURES OF THE ROMAN CATHOLIC ARCHDIOCESE OF BOSTON HEALTH BENEFIT PLAN AMENDMENTS TO HIPAA POLICIES AND PROCEDURES OF THE ROMAN CATHOLIC ARCHDIOCESE OF BOSTON HEALTH BENEFIT PLAN Whereas, the Roman Catholic Archdiocese of Boston Health Benefit Plan (the Plan ) has adopted

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date Level 2 & 3: Product 1/2 Business Associates Agreement Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date This Business Associate Agreement is made as of the

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

HIPAA Business Associate Agreement For Collaborative Services

HIPAA Business Associate Agreement For Collaborative Services EXECUTION DRAFT HIPAA Business Associate Agreement For Collaborative Services This Business Associate Agreement ( Agreement ) is by and between the Camden Coalition of Healthcare Providers, Inc. (the Business

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

MaxMD 2200 Fletcher Ave. 5 th Floor Fort Lee, NJ (201) 963 0005 www.max.md www.mdemail.md support@max.md Page 1of 10

MaxMD 2200 Fletcher Ave. 5 th Floor Fort Lee, NJ (201) 963 0005 www.max.md www.mdemail.md support@max.md Page 1of 10 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the MaxMD Customer signee is a Covered Entity or "HIPAA Business Associate," as defined below.

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

Business Associates Agreement

Business Associates Agreement Business Associates Agreement This Business Associate Agreement (the Agreement ) between Customer,( Covered Entity ) and Kareo ( Business Associate ) will be in effect during any such time period that

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

What You Need to Know About the New HIPAA Breach Notification Rule 1

What You Need to Know About the New HIPAA Breach Notification Rule 1 What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into as of [Date] (hereinafter Effective

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

DRAFT BUSINESS ASSOCIATES AGREEMENT

DRAFT BUSINESS ASSOCIATES AGREEMENT DRAFT BUSINESS ASSOCIATES AGREEMENT THIS AGREEMENT is made this day of, 20, by and among, a Corporation organized under the laws of the State of (hereinafter known as "Covered Entity") and organized under

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

HIPAA Breach Notification Interim Final Rule

HIPAA Breach Notification Interim Final Rule HIPAA Breach Notification Interim Final Rule The American Recovery and Reinvestment Act of 2009 ( the Act ) made several changes to the HIPAA privacy rules including adding a requirement for notice to

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between the Board of Regents of the University of Wisconsin System on behalf of the [insert name

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is between you, a healthcare provider, its employees and agents ( Covered Entity ) and Doc Halo, LLC ( Business Associate ).

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

BUSINESS ASSOCIATE AGREEMENT TERMS

BUSINESS ASSOCIATE AGREEMENT TERMS BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),

More information

HIPAA Privacy and Business Associate Agreement

HIPAA Privacy and Business Associate Agreement HR 2011-07 ATTACHMENT D HIPAA Privacy and Business Associate Agreement This Agreement is entered into this day of,, between [Employer] ( Employer ), acting on behalf of [Name of covered entity/plan(s)

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter Agreement ) is between COVERED ENTITY NAME (hereinafter Covered Entity ) and BUSINESS ASSOCIATE NAME (hereinafter Business

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 200 ( Effective Date ), and entered into by and between, whose address is ( Business Associate ) and THE

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy

More information

Gaston County HIPAA Manual

Gaston County HIPAA Manual Gaston County HIPAA Manual Includes Gaston County IT Manual Action Date Reviewed and Revised December 2012 Gaston County HIPAA Policy Manual has be updated and combined with the Gaston County IT Manual.

More information

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT

CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT CATHOLIC SOCIAL SERVICES BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (Agreement) is made this day of, 20, between the Catholic Social Services ( CSS ), whose business address is 3710

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is effective as of. (the "Effective Date"), by and among GalacTek Corp., a Florida corporation (hereinafter referred

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Talksoft is BA with Covered Entity BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is made this day of, and entered into between, ( Covered Entity ) having its principal place of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

Georgia Regional Academic Community Health Information Exchange (GRAChIE) Breach Notification Policy Effective Date: May, 2012 Revision Date: New

Georgia Regional Academic Community Health Information Exchange (GRAChIE) Breach Notification Policy Effective Date: May, 2012 Revision Date: New Objective The objective of this policy is to provide guidance for breach notification by Georgia Regional Academic Community Health Information Exchange (hereafter referred to as GRAChIE) when unauthorized

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement This HIPAA Business Associate Agreement (the Agreement ) is executed by the parties on the dates shown beneath their respective signature lines, but is effective as of,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information