DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE


I. INTRODUCTION:

The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, which are known as "covered entities": (1) health care providers who conduct covered health care transactions electronically, (2) health plans, and (3) health care clearinghouses. The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, (1) requires covered entities to implement safeguards to ensure that the privacy of protected health information is maintained, (2) provides the parameters under which covered entities may use or disclose an individual's protected health information ("PHI"), and (3) requires covered entities to notify individuals of their rights to examine and obtain a copy of their health records and to request corrections. Covered entities that engage business associates to perform functions/work on their behalf must have contracts or other data sharing arrangements in place with their business associates to ensure that the business associates safeguard PHI, and use and disclose the information only as permitted or required by the Privacy Rule.

II. HITECH ACT:

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted in 2009, is designed to promote the widespread adoption and integration of health information technology. It includes provisions designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include: extending the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities; requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of "unsecured PHI"; establishing new limitations on the use and disclosure of PHI; prohibiting the sale of PHI; and expanding individuals' rights to access their PHI, and to obtain restrictions on certain disclosures of PHI to health plans. In addition, its provisions are designed to strengthen and expand HIPAA's enforcement provisions.

III. OMNIBUS RULE:

On January 25, 2013 the Department of Health and Human Services (HHS) issued the final changes to the Privacy Rule. (See 78 Fed. Reg. 5566, et seq.) This constituted the adoption of the final privacy, security and breach notification provisions of HIPAA, HITECH and the Genetic Information Nondiscrimination Act (GINA). As of the 23rd of September 2013, this rule is in full effect and, other than certain grandfathered agreements, all covered entities and their business associates fall under its provisions.

The Final Privacy Rule makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements. It strengthens the limitations on the use and disclosure of PHI and prohibits the sale of PHI without individual authorization. It expands individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full. It requires modifications to, and redistribution of, a covered entity's notice of privacy practices. It modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others. It also adopts additional HITECH enhancements to the Enforcement Rule, like the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect. The Omnibus Rule also incorporates the increased and tiered civil money penalty structure provided by the HITECH Act, and replaces the breach notification rule's "harm" threshold in an attempt to provide a more objective standard. Finally, it prohibits most health plans from using or disclosing genetic information for underwriting purposes.

A. Business Associates

HIPAA permits a covered entity to disclose PHI to a business associate, and to allow a business associate to create, receive, maintain, or transmit PHI on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information. "Business associate" is defined to include a person/entity who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. Such entities include, inter alia, billing companies, electronic records management companies, Patient Safety Organizations, Health Information Organizations (HIO), E-Prescribing Gateways, other entities that provide data transmission services with respect to protected health information to a covered entity whose activities require routine access to such protected health information; and entities who offer a personal health record to one or more individuals on behalf of a covered entity.

The definitions of HIO and "routine access" are purposefully vague. The former is seen as an evolving one based on practice and technology, and the latter is to be determined on a case-by-case basis. Accordingly, an entity that acts as a conduit for PHI, but does sample the data for integrity purposes, may or may not be a business associate, depending on its relationship to covered entities, how often it accesses the PHI and what its responsibility for maintaining the data may be. However, both the guidance and prudence suggest that the conduit exception is a narrow one designed for internet service providers and the like. An entity that maintains a covered entity's database, for example, but does not access PHI in performing this task is still a business associate and not a conduit.

To avoid having HIPAA's protections for PHI lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity, a subcontractor that acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate, including an agent or other person who acts on behalf of the business associate, is also a business associate, even if the business associate has failed to enter into a business associate contract with the person/entity. As such, the subcontractor must comply with the Privacy Rule. In other words, the analysis is the same for the business associate and its subcontractor(s).

This does not mean that a covered entity has to have a contract with a business associate's subcontractor(s). The obligation is on each business associate (sub or direct) to obtain satisfactory assurances in the form of a written contract or other arrangement that its subcontractor will appropriately safeguard PHI. Thus the requirements of HIPAA are pushed down the chain along with the PHI.

The Privacy Rule provides that disclosures by a business associate for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the PHI because such disclosures are made outside of the entity's role as a business associate.
However, for such disclosures that are not required by law, the Privacy Rule requires that the business associate obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and that the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. The determination of when the disclosure of PHI by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate creates a business associate relationship, versus being solely for its own management, is to be made on a case-by-case basis.

a. Internal Business Associates: N.Y.C. HRA as an example of a Hybrid Entity

The Omnibus Rule promotes a shift toward direct liability for business associates of covered entities in the event of an unauthorized disclosure or breach of protected health information and synchronizes rules for both internal and external business associates. Internal business associates are components of a hybrid entity and perform business associate, rather than covered, functions. HRA is a hybrid entity because it is a covered entity; "[w]hose business activities include both covered and non-covered functions; and designates health care components in accordance with [HIPAA regulations]." The old rule allowed hybrid entities to subject only their healthcare components to HIPAA regulations while cordoning off internal business associate functions. The new rule removes this flexibility by providing that if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity. 45 C.F.R (iii)(D).
There is some ambiguity regarding the extent of the changes. Some scholars argue that the new regulation does not require a covered entity's business associate function areas to comply with HIPAA ("[A] covered entity as a whole does not have to comply with HIPAA") ( lth_law_esource_1305_bernstein.html). However, under the new rule, some program areas that were previously considered non-covered components will now fall under the healthcare component umbrella. Therefore, those program areas are now subject to HIPAA regulations because the healthcare component is subject to HIPAA rules. "For example, [consider] an entity that is both a hospital and university, any Business Associate function being performed by the non-health care component (e.g., the university's legal offices) would now be subject to direct compliance as if it were within the health component of the hospital department of the entity." ( This falls into line with the drafter's intent to promulgate liability to internal business associates of healthcare components with which they share protected health information.

"[A]fter this final rule, business associates, by definition, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts. With respect to a hybrid entity, however, not including business associate functions within the health care component of a hybrid entity could avoid direct liability and compliance obligations for the business associate component. Thus, we agree with the commentators that supported requiring inclusion of business associate functions inside the health care component of a hybrid entity. As such, the final rule requires that the health care component of a hybrid entity include all business associate functions within the entity." 78 Fed. Reg. 5566,

To be in compliance with the new provision, all program areas utilizing protected health information from HRA's healthcare component must comply with HIPAA regulations regarding business associate arrangements and organizational requirements. 45 C.F.R (iii).
Furthermore, HRA has revisited documentation regarding its healthcare component to see which program areas would qualify as business associates if they were separate legal entities. 45 C.F.R (iii)(D). These program areas have been notified of the new regulation and its implications.

[HANDOUT: HIPAA MOU Covered Entity and Business Associate Agencies]

b. External Business Associates and Their Subcontractors

To conform with the new regulations, HRA must modify its business contracts to reflect the understanding that HRA business associates must comply with HIPAA regulations. HRA must have contracts that satisfactorily convey the business associate's liability. Most significantly, these amendments to our business associate contracts and memoranda of understanding (for sister municipal entities) business associates of covered entities must make similar changes to their contracts with subcontractors

c. Breach Notifications

The final Privacy Rule largely tracks the provisions of the Interim Breach Rule. There are, however, a few important changes to the breach notification rules and procedures that will affect covered entities. The final Privacy Rule clarifies the definition of a data breach, adopts a new standard for risk assessment concerning PHI disclosures, and alters the breach notification timeline for breaches involving fewer than 500 people.

First, the definition of a breach has been amended by eliminating one of the exceptions recognized by the Interim Rule. Under the Interim Rule, an impermissible use or disclosure of PHI that would qualify as a limited data set, but that excludes dates of birth and zip codes, is not a breach. The final Privacy Rule does not recognize such an exception. See 45 C.F.R (1)(ii).

Second, the final Privacy Rule replaces the "risk of harm" standard with a new obligation to assess whether PHI has been compromised. Under the Interim Rule's "risk of harm" standard, covered entities were required to conduct a risk assessment to determine whether there was a significant risk of harm due to impermissible use or disclosure. The final Privacy Rule instead requires covered entities to assess the risk that the PHI was "compromised" if they want to avoid the notice requirements of the rule. While the term "compromised" is not defined, HHS indicates that, when conducting an assessment, the covered entity must consider at least the following factors:

1. The nature and extent of the PHI;
2. The unauthorized person who used or received the PHI;
3. Whether the PHI was actually viewed or acquired; and
4. The extent to which the risk to the PHI has been mitigated.

The covered entity or business associate has the burden of proving a disclosure was not a breach, and must treat an incident as a breach unless it determines that there is a low probability the PHI was compromised.
While the standard is different, it is unclear if this new standard will result in material differences in the response to a breach and the determination regarding notification in most circumstances. These provisions incentivize covered entities and business associates to encrypt limited data sets and other PHI, since, if PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742), no breach notification is required following an impermissible use or disclosure of the information.

Finally, breach notification procedures under the final Privacy Rule are largely the same, with one notable change. The covered entity still has the ultimate duty, although potentially assignable to another business associate, to notify affected individuals of the breach pursuant to 45 C.F.R

[HANDOUT: Example of a Breach Notification Letter]

Recently HRA had a data security incident in which a list with 24 names and Social Security numbers of Medicaid clients was lost. A legal determination was made that a data breach occurred and a letter was sent by HRA to notify these individuals.

In addition, the covered entity must follow the same procedures for media notification for breaches involving 500 or more individuals. See 45 C.F.R (b). However, for breaches involving fewer than 500 individuals, the final Privacy Rule modifies 45 C.F.R (c) so that covered entities must notify the Secretary of all breaches not later than 60 days after the end of the calendar year in which the breaches were discovered, not in which the breaches occurred.

d. Accounting for Disclosures

The final Privacy Rule does not address the accounting for disclosures requirement of the 2009 HITECH Act; rather, the Office of Civil Rights has advised that it will be the subject of a future rulemaking. The new rulemaking, however, "shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their [PHI] is being disclosed and takes into account the administrative burden of accounting for such disclosures." (HITECH, 13405(c)(2)). Consequently, this discussion will focus on the requirements of the HITECH Act. While there have been proposals for changes in the regulations, covered entities must focus most on both recordkeeping and reporting practices in order to fully comply with the HITECH Act.

It is important to note that, while the 2009 HITECH Act modifies the HIPAA rules, it is relatively narrow in scope. Specifically, the legislation addresses covered entities that use or maintain an electronic health record, and makes no mention of paper records. See 42 U.S.C (c)(1). Any relevance the act has to paper records is not discussed.
Despite the narrowness of the legislation's applicability, there are three main changes with regard to recordkeeping. First, covered entities must now be able to provide an individual with a record of disclosures that goes back three (3) years instead of six (6). See 42 U.S.C (c)(1)(B). Second, the rule eliminates the exception that allowed entities to not record disclosures for purposes of treatment, payment, and healthcare operations. See 42 U.S.C (c)(1)(A). Finally, the final rule now requires business associates to maintain records the same way that covered entities are required to. See 42 U.S.C (c)(3)(B).

Naturally, reporting requirements under the new rule are consistent with the revised time period during which an individual has the right to view all disclosures of their electronic PHI. In addition, a covered entity must either provide an accounting of disclosures made by the covered entity and by a business associate acting on behalf of the covered entity (see 42 U.S.C (c)(3)(A)), or provide a list of disclosures made by the covered entity in addition to a list of business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone number, and address). See 42 U.S.C (c)(3)(B).

Finally, the final rule establishes a timetable for compliance. If a covered entity receives an electronic health record as of January 1, 2009, the final rule applies to the covered entity that made electronic record on or after January 1, 2014 (see 42 U.S.C (c)(4)(A)); and if a covered entity receives an electronic health record after January 1, 2009, then the rule applies to that entity on or after January 1, 2011, whichever date comes first. See 42 U.S.C. 17935(c)(4)(B). The date in subsection (c)(4)(a) can be amended to no later than 2016, and the date in subsection (c)(4)(b) can be amended to no later than See 42 U.S.C (c)(4)(C).

IV. BREACH PREVENTION

A. Examples of HIPAA Breaches That Would Trigger Notification

[HANDOUT: Data Security Incident Protocol: What to do in the Event of an Unauthorized Disclosure and Breach Prevention Measures]

[HANDOUT: PACU-OLA Data Security Incident Form]


More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

organization's patient protected health information (PHI) occurs. as any other federal or state notification law.

organization's patient protected health information (PHI) occurs. as any other federal or state notification law. I. APPLICABILITY Entire organization and its business associate (BAs) and the BA's Subcontractors. II. PURPOSE To provide guidance for breach notification by covered entities and breaches by their business

More information

Appendix : Business Associate Agreement

Appendix : Business Associate Agreement I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Business Associates under HITECH: A Chain of Trust

Business Associates under HITECH: A Chain of Trust FAQ on InfoSafe Shredding Services: Frequently Asked Questions on InfoSafe Shredding Information And Video on One Time Cleanouts: Cleanouts and Purges Business Associates under HITECH: A Chain of Trust

More information

January 25, 2013. 1 P a g e

January 25, 2013. 1 P a g e Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

What You Need to Know About the New HIPAA Breach Notification Rule 1

What You Need to Know About the New HIPAA Breach Notification Rule 1 What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Data Use Agreement 1 Revision Date: This Data Use Agreement (the Agreement ) is entered into by and between Yale University ( Covered Entity ) and ( Data User ), collectively, the Parties, and shall

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is entered into between Covered Entity and CoverMyMeds LLC, a Delaware limited liability company ( Business Associate

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

Sample Business Associate Agreement Provisions

Sample Business Associate Agreement Provisions Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all

More information

MEMORANDUM OF UNDERSTANDING PURSUANT TO HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

MEMORANDUM OF UNDERSTANDING PURSUANT TO HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT MEMORANDUM OF UNDERSTANDING PURSUANT TO HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT This MEMORANDUM OF' UNDERSTANDING ("MOU") is entered into by and among the following agencies of the City of

More information

H. R. 1 144. Subtitle D Privacy

H. R. 1 144. Subtitle D Privacy H. R. 1 144 (1) an analysis of the effectiveness of the activities for which the entity receives such assistance, as compared to the goals for such activities; and (2) an analysis of the impact of the

More information

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is entered into as of the day of, 2013 by and between RUTGERS UNIVERSITY, a Hybrid Entity, on behalf and for the

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) by and between Drexel University ( Hybrid Entity ), with a principal address at 3141 Chestnut Street, Philadelphia, PA 19104,

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Definitions. Catch-all definition:

Definitions. Catch-all definition: BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

Business Associates Agreement

Business Associates Agreement Business Associates Agreement This Business Associate Agreement (the Agreement ) between Customer,( Covered Entity ) and Kareo ( Business Associate ) will be in effect during any such time period that

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Business Associate Contract

Business Associate Contract Business Associate Contract THIS CONTRACT is made and entered into by and between Imagine! (hereinafter called Contractor ), a not-for-profit Community Centered Board, duly incorporated and existing under

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

Business Associate Agreement (BAA) Guidance

Business Associate Agreement (BAA) Guidance Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule) This Business Associate Agreement (the Agreement ), dated September 9, 2013, is entered into by and between ( Covered Entity ) and Schuster

More information