HCCA Research Compliance Conference May 31-June 3, 2015


Cybersecurity of Medical Devices and the Impact on Research
Ken Briggs, Esq.
Polsinelli PC, Phoenix
One East Washington St., Suite 1200, Phoenix, AZ
June 2015

Polsinelli PC. In California, Polsinelli LLP. Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. Polsinelli is a registered mark of Polsinelli PC.

Concepts to Cover
Orientation
What is cybersecurity?
What are the threats?
Key Players
Regulations
Medical Devices
Cybersecurity
Research Considerations

Orientation

Impact on Research
Bringing medical devices to market
Allocating liability among the manufacturer, physician/PI, hospital, and patient
Regulatory response

What is a Medical Device?
The FDA defines a medical device as: an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:
recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them,
intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or
intended to affect the structure or any function of the body of man or other animals,
and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.

Medical Devices
Can be big/small and (relatively) simple

Medical Devices
Can be big/small and complex

Medical Devices
What about these?

Medical devices become far more complex when they:
Connect with other devices
Can be modified/personalized
Depend on user/third-party inputs
Need advanced power sources

Medical Device Connectivity
So this ... quickly becomes this (diagram)

Medical Device Connectivity (diagram)
Parties and systems connected to the device: Patient, Physician, Physicians with other devices, Hospital, Home, Internet, Manufacturer, Other devices, Other patients, Others?

Medical Device Connectivity (diagram)
Manufacturer, Hospital, Device, Patient, Physician, Others?

Cybersecurity

What is Cybersecurity?
No fixed definition of cybersecurity.
"The process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient." FDA, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2, 2014)
"The ability to protect or defend the use of cyberspace from [an attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information]." CNSSI-4009, CNSSI

Threat Overview
Malware, denial-of-service, unauthorized access, theft/loss, others
Consequences of incident:
Complete or partial malfunction: does not work at all; does not work in the intended way
Compromise: pivot device; patient/financial information
Intentional vs. unintentional: what does it matter?

Threat Overview
Malware/Virus: A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer. Software that compromises the operation of a system by performing an unauthorized function or process.
DDoS: A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Commonly used to shut down or interrupt a network.
Unauthorized access: Any access that violates the stated security policy.
Others? Theft? Loss?

Source of Threats
Threat actors that everyone talks about (GAO threat table): national governments, terrorists, industrial spies and organized crime groups, hacktivists, hackers
Where most of the issues do/will originate: users/patients, manufacturer/developer, multi-party failures

Malicious Threat Lifecycle
Phase 1, Reconnaissance: Adversary identifies and selects a target(s).
Phase 2, Weaponize: Adversary packages an exploit into a payload designed to execute on the targeted computer/network.
Phase 3, Deliver: Adversary delivers the payload to the target system(s).
Phase 4, Exploit: Adversary code is executed on the target system(s).
Phase 5, Install: Adversary installs remote access software that provides a persistent presence within the targeted environment or system.
Phase 6, Command and Control: Adversary employs remote access mechanisms to establish a command and control channel with the compromised device.
Phase 7, Act on Objectives: Adversary pursues intended objectives (e.g., data exfiltration, lateral movement to other targets).
Source: NIST Special Publication (Draft), Oct

Malicious Threat Lifecycle
Phase 1: Device weaknesses are observed and researched
Phase 2: Malicious code/software/virus developed
Phase 3: Package is delivered to the target through one or more devices
Phase 4: Software on device is executed or manipulated
Phase 5: Device or software on device is told what to do
Phase 6: Information is collected; device is compromised, shut down/broken
Intentional vs. unintentional?

Unintentional Threat
Malfunction or unintentional consequence of design/code/software
Code is not properly written or conflicts with new code
Device or information on device is compromised
Code does not save all the information
Misprints output directions
Instructs devices to perform unintended function

Threat Environment
"There is no such thing as a threat-proof medical device." Suzanne Schwartz, M.D., MBA, FDA's Center for Devices and Radiological Health
"Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches." Dr. Kevin Fu, member, NIST Information Security & Privacy Advisory Board

Examples of Threats
The U.S. Department of Homeland Security is investigating nearly two dozen cases of suspected cybersecurity flaws in medical devices.
Beth Israel Deaconess Medical Center in Boston reported 664 pieces of medical equipment running on outdated operating systems.
Boston Children's was the subject of a DDoS hacktivist attack where it experienced nearly 40 times what its usual inbound traffic would have been. There were also direct attacks on internet-facing ports.
Researchers (Billy Rios and Terry McCorkle) discovered a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.
Software failures were behind 24 percent of all the medical device recalls in
There were 429 device recalls for Software Design during FY 2010 and
At the DEFCON hacking conference Jerome Radcliffe remotely manipulated the dosage levels delivered by an insulin pump from up to 300 feet away.

KEY PLAYERS

Key Players
Manufacturers: develop devices; financial interest in success = sales
Hospitals: purchase, develop, research
Patients: recipients and users; not merely bystanders
Physicians: prescribe, purchase, research

KEY REGULATIONS

Key Regulations
Health Insurance Portability and Accountability Act of 1996
FDA medical device manufacturing requirements
FDA research regulations
Common Rule: protection of human subjects
Consumer protection: FTC and state attorneys general (stops unfair, deceptive and fraudulent business practices); civil lawsuits

Current Regulatory Process
Step One: Device Classification (Class I, II, III)
Step Two: Identify Appropriate Path: 510(k) (Premarket Notification); PMA (Premarket Approval); De Novo (Evaluation of Automatic Class III Designation); HDE (Humanitarian Device Exemption)
Step Three: Prepare Information for Submission: Design Controls, Nonclinical Testing, Clinical Evidence, Labeling
Step Four: Send Information to FDA
Step Five: Complete Registration and Device Listing

Development of Medical Devices
FDA classification: Class I, Class II, Class III
Investigational Device Exemption (IDE)
Regulatory review:
Premarket Approval (PMA): High risk devices that pose a significant risk of illness or injury, or devices found not substantially equivalent to a Class I or II predicate through the 510(k) process. More involved and includes the submission of clinical data to support claims made for the device.
Premarket notification (510(k)): Demonstrate that the device is substantially equivalent to one approved (1) before May 28, 1976; or (2) to a device that has been determined by FDA to be substantially equivalent.
Quality Control
Post-approval studies or reports: adverse events, MAUDE
Mobile devices: to be used as an accessory to a regulated medical device; or to transform a mobile platform into a regulated medical device.

Device Classes
Class I: Low risk; 47% of devices; most (74%) are exempt from 510(k)
Class II: Higher risk; 43% of devices; most require 510(k)
Class III: Generally highest risk; subject to the highest level of regulatory control; most require PMA

Medical Devices: Premarket Notification (510(k))
Made to FDA to demonstrate that the device to be marketed is at least as safe and effective, that is, substantially equivalent, to a legally marketed device (21 CFR (a)(3)) that is not subject to PMA.
Requires demonstration of substantial equivalence to another legally U.S. marketed device.
Substantial equivalence is established with respect to intended use, design, energy used or delivered, materials, chemical composition, manufacturing process, performance, safety, effectiveness, labeling, biocompatibility, standards, and other characteristics, as applicable.

Medical Devices: Premarket Approval (PMA)
PMA is the FDA process of scientific and regulatory review to evaluate the safety and effectiveness of Class III medical devices.
Four-step process at FDA: administrative and limited scientific review for completeness; in-depth scientific, regulatory, and Quality System review; review and recommendation by the appropriate advisory committee; and final deliberations/decision.
Class III devices are those that support or sustain human life, are of substantial importance in preventing impairment of human health, or which present a potential, unreasonable risk of illness or injury.
Requires documentation to demonstrate the safety and effectiveness of the device.
If the device contains software or is controlled by a computer, the submission should contain documentation of software development and validation appropriate to the level of risk of the software.

Investigational Device Exemption (IDE)
An investigational device exemption (IDE) allows the investigational device to be used in a clinical study in order to collect safety and effectiveness data.
Clinical studies are most often conducted to support a PMA.
Only a small percentage of 510(k)s require clinical data to support the application.

Investigational Device Exemption (IDE)
Clinical evaluation of devices that have not been cleared for marketing requires:
an investigational plan approved by an IRB;
approval by FDA if the study involves a significant risk device;
informed consent from all patients;
labeling stating that the device is for investigational use only;
monitoring of the study; and
required records and reports.
Good Clinical Practices (GCP) must be complied with while conducting a clinical study.

Current Regulatory Process
Step One: Device Classification (Class I, II, III)
Step Two: Identify Appropriate Path (510(k), PMA, De Novo, HDE)
Step Three: Prepare Information for Submission (Design Controls, Nonclinical Testing, Clinical Evidence, Labeling)
Step Four: Send Information to FDA
Step Five: Complete Registration and Device Listing

Preparing Information for FDA
Step Three: Prepare Information for Submission
Design Controls: design validation includes software validation and risk analysis, where appropriate.
Nonclinical Testing
Clinical Evidence
Labeling

Design Controls
Scope: "All manufacturers (including specification developers) of Class II and III devices and select Class I devices are required to follow design controls [...] during the development of their device. The design control requirements are basic controls needed to ensure that the device being designed will perform as intended when produced for commercial distribution."
21 C.F.R (g): "Design validation shall include software validation and risk analysis, where appropriate. The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shall be documented in the [design history file]."

Recent FDA Guidance
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Oct. 2014). This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management.
Applicable to devices that contain software as well as software that is a medical device.
Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.
Manufacturers should establish design inputs for their device related to cybersecurity, and establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR (g).
The Agency recommends that medical device manufacturers consider the following cybersecurity framework core functions to guide their cybersecurity activities: Identify, Protect, Detect, Respond, and Recover.

Recent FDA Guidance
Design validation shall include software validation and risk analysis, where appropriate. The approach should appropriately address the following elements:
Identification of assets, threats, and vulnerabilities;
Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
Assessment of the likelihood of a threat and of a vulnerability being exploited;
Determination of risk levels and suitable mitigation strategies;
Assessment of residual risk and risk acceptance criteria.

Recent FDA Guidance
Identify and Protect: The extent to which security controls are needed will depend on the device's intended use, the presence and intent of its electronic data interfaces, its intended environment of use, the type of cybersecurity vulnerabilities present, the likelihood the vulnerability will be exploited (either intentionally or unintentionally), and the probable risk of patient harm due to a cybersecurity breach.
Detect, Respond, and Recover:
Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use;
Develop and provide information to the end user concerning appropriate actions to take upon detection of a cybersecurity event;
Implement device features that protect critical functionality, even when the device's cybersecurity has been compromised;
Provide methods for retention and recovery of device configuration by an authenticated privileged user.

Recent FDA Guidance
In the premarket submission [not just PMA], manufacturers should provide the following information related to the cybersecurity of their medical device:
1. Hazard analysis, mitigations, and design considerations pertaining to intentional and unintentional cybersecurity risks associated with your device, including: a specific list of all cybersecurity risks that were considered in the design of your device; a specific list and justification for all cybersecurity controls that were established for your device.
2. A traceability matrix that links your actual cybersecurity controls to the cybersecurity risks that were considered;
3. A summary describing the plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to continue to assure its safety and effectiveness. The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity.
4. A summary describing controls that are in place to assure that the medical device software will maintain its integrity (e.g. remain free of malware) from the point of origin to the point at which that device leaves the control of the manufacturer; and
5. Device instructions for use and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g. anti-virus software, use of firewall).

Impact of FDA Guidance
Application to Research: "Manufacturers may also consider applying the cybersecurity principles described in this guidance as appropriate to Investigational Device Exemption submissions and to devices exempt from premarket review."
Documentation
Cost

Weaknesses in Current Process
Guidance is weak and the potential consequences are very high
Ad hoc reviews of cybersecurity are insufficient
Transfer of responsibilities when the product goes to market is unclear
Significant, overlapping liability
Gaps in the regulation

Regulations Gaps?
HIPAA: patient information. What if a device is accessed but patient information is not accessed or breached?
FDA: safety and efficacy of medical devices
Common Rule: protection of human subjects in research
FTC: consumer protection

Natural Path of Regulation (diagram labels): Current regulation; Revised regulation; Industry modification; Hard guidance; Technology & industry improvement; Soft guidance; Regulatory ambiguity; You are here

Other Regulations: HIPAA
Application: Does not typically apply to manufacturers. Applies to covered entities: hospitals, physicians.
Remember the FDA definition of cybersecurity.
HIPAA obligations must be observed even during research.

Other Regulations: HIPAA
HIPAA Risk Analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." 45 C.F.R
Required Considerations [OCR Security Rule Guidance 2010]:
An organization must identify where the e-PHI is stored, received, maintained or transmitted.
Organizations must identify and document reasonably anticipated threats to e-PHI.
Organizations should assess and document the security measures an entity uses to safeguard e-PHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.
A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation.

Other Regulations: HIPAA
Research authorization requirements: "When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization." 45 C.F.R
Breach of Unsecured PHI: "[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information." A covered entity must notify the individual(s), the OCR, and possibly the media.
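The FDA guidance above lists the elements a device risk analysis should address (assets, threats and vulnerabilities; impact; likelihood; risk levels and mitigation; residual risk against acceptance criteria) and asks for a traceability matrix linking controls to the risks considered; the HIPAA risk analysis asks the covered entity to identify where e-PHI is stored or transmitted, document anticipated threats, and assess the safeguards in place. The following Python risk register is an added example written for this page to show those elements as working code. It is not part of the deck and not FDA or OCR material; the 1-3 scoring scales, the level thresholds, the acceptance criterion, and the hypothetical device, risks and controls are all constructed assumptions.

```python
"""Cybersecurity risk register with a control traceability check (added example).

The 1-3 scales, the risk-level thresholds and every sample risk/control below
are assumptions made for this illustration, not values from the FDA or OCR.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood (1-3) x impact on device function/patient (1-3)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be integers in 1..3")
    return likelihood * impact


def level(risk_score: int) -> str:
    """Bucket a score into a risk level (thresholds are an assumption)."""
    if risk_score >= 6:
        return "high"
    if risk_score >= 3:
        return "medium"
    return "low"


@dataclass
class Control:
    control_id: str
    description: str
    justification: str  # the guidance asks for a justification per control


@dataclass
class Risk:
    risk_id: str
    asset: str            # e.g. firmware, stored e-PHI, wireless interface
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    control_ids: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # after controls; None = unchanged
    residual_impact: Optional[int] = None

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        """Residual score after controls; an unmitigated risk keeps its inherent score."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return score(lik, imp)


def traceability(risks: List[Risk], controls: List[Control]
                 ) -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Build the risk -> controls matrix and flag the two gaps a reviewer looks for:
    risks with no control, and controls that trace back to no considered risk."""
    known = {c.control_id for c in controls}
    matrix: Dict[str, List[str]] = {}
    for r in risks:
        undefined = [cid for cid in r.control_ids if cid not in known]
        if undefined:
            raise KeyError(f"{r.risk_id} references undefined controls {undefined}")
        matrix[r.risk_id] = list(r.control_ids)
    referenced = {cid for ids in matrix.values() for cid in ids}
    orphan_risks = [rid for rid, ids in matrix.items() if not ids]
    orphan_controls = sorted(known - referenced)
    return matrix, orphan_risks, orphan_controls


def unacceptable_residual(risks: List[Risk], acceptable=("low", "medium")) -> List[str]:
    """Risk acceptance criterion (assumed): residual risk must be low or medium."""
    return [r.risk_id for r in risks if level(r.residual()) not in acceptable]


# Constructed sample register for a hypothetical connected infusion device.
CONTROLS = [
    Control("C-01", "Accept only signed firmware updates", "Restricts updates to authenticated code"),
    Control("C-02", "Encrypt patient records stored on the device", "Limits e-PHI disclosure if the device is lost or stolen"),
    Control("C-03", "Log and time-stamp security-relevant events", "Supports detection and incident response"),
    Control("C-04", "Fail-safe mode keeps therapy running if connectivity is lost", "Protects critical function during an incident"),
]
RISKS = [
    Risk("R-01", "firmware", "unauthorized modification", "updates accepted without authentication",
         likelihood=2, impact=3, control_ids=["C-01", "C-04"], residual_likelihood=1, residual_impact=2),
    Risk("R-02", "stored e-PHI", "theft/loss of device", "records stored in clear text",
         likelihood=3, impact=2, control_ids=["C-02"], residual_impact=1),
    Risk("R-03", "wireless interface", "denial of service", "no rate limiting on the radio link",
         likelihood=2, impact=3),  # considered but not yet mitigated
]


def review(risks: List[Risk] = RISKS, controls: List[Control] = CONTROLS) -> Dict[str, object]:
    """Summarise what a submission reviewer (or a hospital's due diligence) would check."""
    matrix, orphan_risks, orphan_controls = traceability(risks, controls)
    return {
        "matrix": matrix,
        "levels": {r.risk_id: (level(r.inherent()), level(r.residual())) for r in risks},
        "risks_without_controls": orphan_risks,
        "controls_without_risks": orphan_controls,
        "residual_not_accepted": unacceptable_residual(risks),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Running it prints the matrix and the findings. On the sample register R-03 appears both as a risk with no control and as a residual risk above the acceptance criterion, which is exactly the gap that item 2 of the premarket submission list (the traceability matrix) is meant to expose; C-03 (event logging) is flagged as a control tied to no listed risk, which in practice usually means a risk such as undetected compromise was left off the considered list rather than that the control is unnecessary. For a HIPAA risk analysis the same structure applies with the asset column recording where e-PHI is stored, received, maintained or transmitted.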

Allocation of Liability in Research
Regulatory, civil, contract, costs (development/research)
How is liability identified and allocated? Contracts, clearer regulation, transparent guidance, case law, unified industry

Research Considerations: Hospitals and Manufacturers
Informal FDA guidance to hospitals and manufacturers: "Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations, including:
Network-connected/configured medical devices infected or disabled by malware;
The presence of malware on hospital computers;
Uncontrolled distribution of passwords;
Failure to provide timely security software updates and patches to medical devices;
Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access.
The FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time."

Research Considerations: Hospitals and Manufacturers
FDA recommendations to device manufacturers:
Take steps to limit unauthorized device access to trusted users only [sic].
Protect individual components from exploitation and develop strategies for active security protection appropriate for the device's use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
Use design approaches that maintain a device's critical functionality, even when security has been compromised, known as fail-safe modes.
Provide methods for retention and recovery after an incident where security has been compromised.
Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

Research Considerations: Hospitals and Manufacturers
FDA recommendations to health care facilities:
Evaluate your network security and protect your hospital system.
Restrict unauthorized access to the network and medical devices connected to the network.
Make certain appropriate antivirus software and firewalls are up-to-date.
Monitor network activity for unauthorized use.
Protect individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device.
Develop and evaluate strategies to maintain critical functionality during adverse conditions.

Research Considerations: Understanding Liability
Will the manufacturer notify the hospital of cybersecurity issues?
What if the device is breached or used to breach the hospital's network?
What if the hospital was notified of an update and does not perform it (or doesn't perform it accurately)?
What if a device stops functioning and a patient is physically injured?
What if patient information is taken directly from the device?

Incident Response
Activities of hospital, PI, and manufacturer overlap.
Source: Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability (Oct. 2009), ICS-CERT

Research Considerations: Key Contract Terms
Duties and responsibilities
Confidential or proprietary information
Indemnification: scope of indemnification; extent of control (investigations, lawsuits)
Compensation for subject injury
Insurance: does it cover breach issues?
Reporting obligations: from hospital/PI to manufacturer (adverse event; device deficiency); from manufacturer to hospital/PI (e.g., security discoveries)

Indemnification
What costs, claims, damages, etc. of the hospital and/or PI will be paid for by the manufacturer? HIPAA, injury, privacy

Research Considerations: Due Diligence
Information requested from the manufacturer:
Communication to patients
Training provided by manufacturer
Updated security risk analysis
Certificates of insurance
IT contacts
Other

Research Considerations: Dedicated Personnel
Understand the devices
Understand the liability and incentives through the research process
Has knowledge of the transfer and use issues from the manufacturer to the patient


More information

CENTER FOR CONNECTED HEALTH POLICY

CENTER FOR CONNECTED HEALTH POLICY CENTER FOR CONNECTED HEALTH POLICY The Center for Connected Health Policy (CCHP) is a public interest nonprofit organization that develops and advances telehealth policy solutions to promote improvements

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

a Medical Device Privacy Consortium White Paper

a Medical Device Privacy Consortium White Paper a Medical Device Privacy Consortium White Paper Introduction The Medical Device Privacy Consortium (MDPC) is a group of leading companies addressing health privacy and security issues affecting the medical

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between the Board of Regents of the University of Wisconsin System on behalf of the [insert name

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

What is a medical device? Medical Devices: Roadmap to Market. Kathryn Klaus, Esq.

What is a medical device? Medical Devices: Roadmap to Market. Kathryn Klaus, Esq. Medical Devices: Roadmap to Market Kathryn Klaus, Esq. The last installment of Regulatory 360 discussed the FDA organization in general where it came from and a broad overview of how it operates, as well

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE

More information

The U.S. FDA s Regulation and Oversight of Mobile Medical Applications

The U.S. FDA s Regulation and Oversight of Mobile Medical Applications The U.S. FDA s Regulation and Oversight of Mobile Medical Applications The U.S. FDA s Regulation and Oversight of Mobile Medical Applications As smart phones and portable tablet computers become the preferred

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

What is required of a compliant Risk Assessment?

What is required of a compliant Risk Assessment? What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA

More information

Medical Product Software Development and FDA Regulations Software Development Practices and FDA Compliance

Medical Product Software Development and FDA Regulations Software Development Practices and FDA Compliance Medical Product Development and FDA Regulations IEEE Orange County Computer Society March 27, 2006 Carl R. Wyrwa Medical Product Development and FDA Regulations Introduction Regulated FDA Overview Medical

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

More information

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit Setting the Health Care Table: Politics, Economics, Health November 20-22, 2013 Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ), entered into and effective this day of,, is by and between ( Business Associate ) and Black, Gould & Associates, Inc.

More information

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES

AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES AUTHORED BY: George W. Gray CTO, VP Software & Information Systems Ivenix, Inc. ADDRESSING CYBERSECURITY IN INFUSION DEVICES INTRODUCTION Cybersecurity has become an increasing concern in the medical device

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Healthcare Cybersecurity Risk Management: Keys To an Effective Plan Anthony J. Coronado and Timothy L. Wong About the Authors Anthony J. Coronado, BS, is a biomedical engineering manager at Renovo Solutions

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement I. Definitions Catch-all definition: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated

More information

Where s the App for That?

Where s the App for That? Where s the App for That? Mobile Medical Apps, Cybersecurity and the Regulatory and Litigation Landscape Sharon R. Klein Jan P. Levine Angelo A. Stio, III PBI Health Law Institute 2016 Spring 2016 1 Today

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

The Shifting Sands of Medical Software Regulation

The Shifting Sands of Medical Software Regulation The Shifting Sands of Medical Software Regulation Suzanne O Shea Ralph Hall September 10, 2014 What Software is Regulated by FDA? FDA regulates medical devices. FDA regulates software that meets the definition

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

Responsible Access and Use of Information Technology Resources and Services Policy

Responsible Access and Use of Information Technology Resources and Services Policy Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information