CLIENT MEMORANDUM

IN THE WAKE OF STORM SANDY, INSURANCE COMPANIES SHOULD ENSURE THAT THEIR BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS COMPLY WITH LEGAL REQUIREMENTS AND BEST PRACTICES

How do insurance companies prepare for the risks presented to their own business operations by natural disasters such as Storm Sandy? In the immediate aftermath of Storm Sandy, insurers' disaster response to policyholders and regulators is an immediate priority. Also important to insurers, however, is an assessment of the risks presented to their own business operations by such natural disasters.

This client memorandum focuses on the following key aspect of insurers' disaster risk assessment and recovery efforts: the protection of data, information technology, business records and private medical and financial information. More specifically, set forth herein is: (1) a summary of significant statutory and regulatory frameworks that relate directly or indirectly to insurance company disaster recovery planning; and (2) a practical assessment of data protection and recovery best practices that insurance companies should consider implementing to minimize risk and maximize compliance.

I. Key Federal and State Legal Requirements and Guidance

A. Insurance Company Disaster Planning: Disaster Preparedness and Response

New York-licensed insurers are expected to prepare for, and respond to, disasters as set forth in various circular letters issued by the New York Department of Financial Services (the "NYDFS" or the "Department").[1] Such disaster preparedness standards incorporate a Business Continuity Plan Questionnaire ("BCPQ") to assure the [NYDFS] that each [insurer] has taken steps to put in place a Business Continuity Plan that would reasonably ensure that the recovery of critical business processes could take place in the event of a disaster.[2] The BCPQ also ensures that the business continuity plan has been tested, is kept in a secure off-site location, and addresses all significant business activities, including financial functions, telecommunications services, data processing, and network services.[3] Similarly, the Florida Office of Insurance Regulation (the "FLOIR") has issued guidance to ensure insurance company preparedness for the hurricane season.[4] Such guidance addresses disaster recovery plans to ensure company facilities are operational post-storm, which include reviewing functions such as backup power, backup telephone systems or call centers, backup staffing, technology issues, system access, and contract resources for services restoration.[5]

B. Risk & Solvency Assessment

Insurers' business continuity and disaster plans are subject to regulatory examination as part of the risk-focused financial condition examination process. For examinations beginning in 2010, state insurance regulators have applied a revised risk-focused examination approach to better incorporate prospective risk assessment related to insurer solvency and focus on management's ability to identify, assess and manage the insurer's business risks. The NAIC Financial Condition Examiners Handbook provides that the person responsible for maintaining, updating and testing the insurer's business continuity and disaster recovery plans should be identified and interviewed, and that the insurer's Chief Risk Officer should be interviewed regarding the company's plan for operating in crisis/disaster business continuity. Confirmation that an insurer's disaster recovery plan has been tested is an additional element of the examiner's risk-focused examination.

It is also noteworthy that the NAIC recently adopted the Risk Management and Own Risk and Solvency Assessment Model Act ("ORSA Model Act"), and has proposed an Own Risk and Solvency Assessment ("ORSA") Guidance Manual. Although the ORSA Model Act and ORSA Guidance Manual are not prescriptive, if adopted by the states, they would require covered insurers to assess, monitor, document and report on business operations risks.

C. The Sarbanes-Oxley Act Of 2002: Business Continuity For Publicly Traded Companies

The Sarbanes-Oxley Act of 2002 ("SOX") does not directly address disaster recovery planning; however, it does cover business continuity planning with respect to an organization's operations in the event of a disaster, including maintaining operations in order to prepare timely, accurate financial statements. Compliance with Section 404 of SOX requires organizations to design and establish controls and infrastructure with the aim of protecting and preserving business records from loss, destruction, or unauthorized alteration. This would include: (1) the establishment of a control environment; (2) risk assessment; (3) the implementation of control activities; (4) the creation of effective communications and information flows; and (5) monitoring.[6]

D. HIPAA: Protected Health Information

The Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and its implementing regulations (collectively, "HIPAA"), impose various obligations regarding disaster recovery plans on insurance companies that qualify as "covered entities" or "business associates" within the meaning of the law.[7] As an overarching matter, HIPAA-covered insurers must establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain [EPHI]. The provisions of HIPAA's implementing regulations covering business continuity and disaster recovery planning are established as part of the HIPAA Security Rule[8] and are located at 45 C.F.R. (Administrative Safeguards), 45 C.F.R. (Physical Safeguards), and 45 C.F.R. (Technical Safeguards). As identified in the following list, some of the provisions established under HIPAA regulations are Required ("R"), whereas others are Addressable ("A").[9] These provisions include:

(1) a data backup plan (R);[10]
(2) a disaster recovery plan (R);[11]
(3) an emergency mode operation plan (R);[12]
(4) an emergency access procedure (R);[13]
(5) contingency operations procedures (A);[14]
(6) an applications and data criticality analysis (A);[15] and
(7) testing and revision procedures (A).[16]

Specifications 1 and 2 above require a HIPAA-covered insurer to create procedures to back up and be able to restore exact copies of EPHI if lost. Specifications 3-5 cover procedures for the continuation of critical business processes to protect the security of and maintain access to EPHI during an emergency. Specification 6 covers access to the insurer's facilities in support of the activities covered in the prior specifications, and specification 7 covers the need to ensure that all of the procedures herein are reviewed and revised on a timely basis.

It is important that HIPAA-covered insurers understand that the provisions cited above are not waived or suspended in the event of a federally declared emergency or disaster.[17] Although the Secretary of the Department of Health & Human Services may suspend certain provisions of the HIPAA Privacy Rule in the event of a federally declared emergency or disaster,[18] the provisions that may be suspended have no bearing on those cited above, which appear in the Security Rule. Although the federal government may exercise discretion when enforcing HIPAA, insurers should not be lulled into a false sense of security; a failure to comply with HIPAA's emergency and disaster requirements cannot be explained away by the occurrence of an emergency or disaster.

E. The Gramm-Leach-Bliley Act: Nonpublic Personal Information

Pursuant to Title V of the Gramm-Leach-Bliley Act (the "GLBA"), 15 U.S.C. 6801, et seq., financial institutions, including insurers, must protect the security and confidentiality of customers' nonpublic personal information. GLBA requires that each state insurance agency establish appropriate standards for financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.[19] In New York, for example, Regulation 173 requires that each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information.[20] Although not explicit, the protections required for such nonpublic personal information would reasonably relate to disaster preparedness and recovery.

II. Best Practices

The complex priorities of assessing, monitoring, and planning for risks in order to maintain business operations while protecting confidential policyholder information present unique challenges to the insurance industry. Highlights of significant considerations and best practices in this regard are set forth below. We note that a given insurer may be subject to one or more of the laws discussed above, and thus some of the practices below may also be legal requirements; this is particularly true for HIPAA-covered insurers. Please consider discussing your business continuity / disaster recovery plan with counsel to ensure compliance with such requirements.

A. Key First Steps

The first step any insurer should take in the business continuity planning process is to analyze its vulnerabilities. To do so, an insurer should conduct: (1) a business impact analysis; and (2) a risk analysis. The business impact analysis is the process through which the insurer must determine which systems and data should be viewed as critical and which should be viewed as noncritical. The risk analysis is the process through which the insurer considers the potential circumstances that could constitute a disaster, i.e., a threat to the critical systems and data identified in the business impact analysis. Both steps naturally involve a cost/benefit analysis, but an insurer must take care to go beyond a consideration of operational losses and take into account legal costs for failure to comply with various federal, state, and local laws and regulations that mandate specific procedures and redundancies depending on the regulatory structure covering the insurer.

1. Business Impact Analysis / Data Classification Policy

The business impact analysis is the first study an insurer must conduct as part of its business continuity planning. Most insurers are already aware of which systems and data are critical from an operational and a profit-making perspective, but this analysis must take into account any legal requirements to which a given insurer is subject. Certain regulatory structures have explicit requirements that state in detail which systems and data are critical. For example, insurers covered by HIPAA are subject to regulations that classify data (e.g., as EPHI) and mandate specific requirements in the event of an emergency.[21] On the other hand, other laws may not be as explicit. For example, as noted above, while SOX does not have a specific disaster recovery requirement, the statute does generally speak to business continuity planning with respect to an organization's operations in the event of a disaster, including maintaining operations in order to continue to prepare timely and accurate financial statements.

2. Risk Analysis / Determine Threats

Once insurers, through a business impact analysis, have determined which systems and data are critical, the insurers must next consider which possible threats exist to the security, confidentiality, integrity, and availability of that data, and whether those threats call for specific pre- or post-response actions. Naturally, this analysis will reflect the business judgments of a given insurer, as some threats are more likely than others, but insurers subject to various regulatory structures must take all reasonable threats into account. Any threat that could affect the regulated systems or data is a potential liability for the insurer, and all reasonable threats must therefore be considered and mitigated to the extent possible. In some cases, the regulatory structure will suggest certain risks. For example, HIPAA contains a nonexhaustive list that includes fire, vandalism, system failure, and natural disaster.[22] Other authorities speak more broadly, such as the guidance put forth by the NYDFS, which requires insurers to plan for and protect against damages arising from natural and man-made disasters.[23] Companies should consider threats unique to their business model, location(s), and other particular attributes.

B. Security Controls (Physical, Electronic/Access Control)

Many types of disasters identified through the risk analysis will challenge an insurer's ability to maintain the security of critical systems and data. However, it would be imprudent to assume that noncompliance with any established sector-specific or other applicable regulatory or similar data and systems integrity obligations would be deemed acceptable simply because a disaster is underway or has occurred. Thus, an insurer must ensure that the appropriate data and systems security protocols are followed leading up to and maintained during a disaster to avoid exposing itself to legal liability. Insurers should evaluate possible mechanisms for ensuring the security of critical systems and data, including both physical and electronic access controls. Depending on the data at risk, this regulatory requirement or best practice relates to both the system(s) and data recovery/restoration process and the emergency access procedure discussed, infra. Further, as the insurer recovers from a disaster, it should, at a minimum, ensure that the confidentiality, integrity, and availability of systems and data are not compromised by a security breach. As part of this pre-disaster planning and risk analysis, insurers should consider whether their established, pre-disaster access controls should, and under what circumstances, be extended to other personnel (internal or external) in response to an emergency.[24]

C. Backup, Emergency Access, and Restoration Mechanisms

As part of the business impact and risk analyses, insurers should determine which systems and data are critical, i.e., those that cannot, as a legal or business imperative, be compromised as the result of a disaster. As part of this determination, insurers should employ loss prevention measures to ensure that effective backup and restoration mechanisms are in place to ensure the safety of the systems and data identified as critical from the threats identified as reasonable during the risk analysis phase.

1. Backup Procedures

The backup procedures an insurer should implement will vary based on operational needs and any legal requirements to which the entity is subject. The type of data backed up should at least include that which was determined to be critical under the business impact analysis, supra. For example, HIPAA-covered insurers are only explicitly required to create and maintain retrievable exact copies of [EPHI].[25] However, a HIPAA-covered insurer must take into account the nature of the EPHI it holds, including the frequency with which it changes, to ensure that backups are sufficiently regular so as to avoid running afoul of HIPAA's data integrity requirements.[26] As an example of a more general requirement, as part of an insurer's business continuity plan, the NYDFS asks insurers to ensure their [business continuity] plan contain[s] a list of critical computer application programs, operating systems and data files.[27] Other statutes, such as SOX, may have additional backup requirements.

2. Emergency Access Procedures

During or in the aftermath of a disaster, but before a full restoration via backup, certain insurers will be required to maintain or immediately resume access to their critical systems and data as identified by the business impact analysis. To the extent required by any regulatory requirements to which the insurer is subject, insurers should ensure that they are able to do so. For example, HIPAA requires procedures for obtaining necessary [EPHI] during an emergency.[28] This could potentially require the redundancy of critical systems that provide an alternate access path in the event that primary systems become unavailable due to a disaster or other emergency situation. Furthermore, it could require changes to access controls in the event that alternate personnel (e.g., internal IT technicians or other external IT forensics specialists) are needed to retrieve or otherwise ensure access to critical systems or data. Similarly, the NYDFS asks insurers whether, in drafting a business continuity plan, the insurer has developed adequate manual processing procedures for use until the electronic data processing function can be restored.[29]

Insurers should carefully evaluate any such access changes made in the event of a disaster and implement procedures to ensure the confidentiality and integrity of critical systems and data. Although legal provisions may impose a requirement for ongoing access to the systems and data, any decision to relax documented security controls to facilitate such access should be directed and controlled by senior supervisory personnel. If such deviations from established security controls are deemed necessary to comply with law or business imperatives, supervision and monitoring would likely need to be heightened to maintain the confidentiality and integrity of the affected systems and data, both to ensure that no breaches occur during the disaster and to ensure that once the disaster is resolved, normal security controls are restored.

3. Restoration Procedures

Data restoration procedures will similarly vary based on operational needs and any regulatory requirements to which the insurer is subject. Some laws may contain explicit requirements. For example, HIPAA requires procedures to restore any loss of [EPHI] data.[30] However, the question is broader than the mere restoration of data, as the data must be restored to an available system that is actually accessible. To that end, the insurer's risk analysis (see supra) should anticipate this need and be guided in this regard. If possible disasters include environmental ones such as storms that could have a severe region-wide impact, the entity should consider a restoration plan that involves more secure, off-site facilities outside a given region. For example, as part of an insurer's business continuity plan, the NYDFS asks whether an insurer has an agreement in place to use a specific alternate site and computer hardware to restore data processing operations after a disaster occurs and whether the site [has] a backup generator in place in case of local power outages, a fire detection and suppression system and moisture sensors in place under the raised floor.[31] Moreover, the NYDFS asks whether an insurer's business continuity plan contains a list of supplies that would be needed in the event of a disaster, together with names and phone numbers of the suppliers.[32] The NYDFS stresses the importance of an insurer undertak[ing] steps in managing [its] supply chain as part of its business continuity plan.[33] Similarly, the FLOIR suggests that insurers, when considering a disaster recovery plan to ensure company facilities are operational post-storm, address physical resources such as office space, back-up power... back-up telephone system... technology issues, computers / laptops / printers / calculators, system access, server alternatives, [and] contract resources for services restoration[.][34]

D. Policy Distribution Mechanism / Documentation Plan

A disaster recovery plan is only effective if an insurer's employees are trained and aware of it. Moreover, certain laws require covered insurers to ensure that employees have ready access to the plan. For example, HIPAA requires mandated procedures to be in written (or electronic) form, and for that documentation to be available to those persons responsible for implementing the procedures.[35] When evaluating an insurer's business continuity plan, the NYDFS asks whether the insurer's business continuity plan clearly describe[s] senior management roles and responsibilities associated with the declaration of an emergency and implementation of the business continuity and disaster recovery plans.[36] Moreover, the NYDFS looks to see whether an insurer's business continuity plan clearly identif[ies] the general process by which the threat will be assessed and the specific individuals who are authorized to declare an emergency.[37] Therefore, it is important for insurers to carefully consider mechanisms for ensuring that their employees are sufficiently aware of and trained in the company's emergency procedures, such that they are able to adequately respond in the event of a disaster.

Access to emergency plans and policies is also critical. Thus, while an insurer may choose to provide electronic access to copies of (or updates to) its disaster recovery plan documents, the insurer should strongly consider regularly making hard copies of such plans/policies available to key personnel, as a loss of power or a system failure is a common type of disaster that would be identified in the risk analyses of nearly every company. For example, the NYDFS asks insurers whether copies of the [business continuity] plan [are] kept in relevant off-site locations.[38]

E. Test and Review Process

Finally, one of the most important best practices to employ is the regular testing, review, and redrafting, where necessary, of the procedures discussed above and the documentation that results. As part of the business continuity planning process, the NYDFS asks insurers whether their business continuity plan is current, based on a business impact analysis, [has] been tested [and whether that test has occurred in the last year].[39] Moreover, the NYDFS asks insurers to review the plan to ensure that it covers all significant business activities, including financial functions, telecommunication services, data processing, [and] networking services, and to ensure that a restoration priority [has] been assigned to all significant business activities.[40] A regular review of the business impact analysis and risk analysis serves to ensure that all necessary systems and data designated as critical are examined regularly and tested to determine whether then-current procedures are sufficient and will work as planned. Too many companies neglect this important step and, following a disaster, find that their procedures did not function as planned, or worse yet, that backup, emergency access, or restoration of critical systems and data is not achievable. Such a failure can expose insurers to serious liability. Again, insurers should seek advice from counsel during each review stage of their business continuity plans to ensure that they account for the most current federal, state, and local laws, regulations, and guidance, as well as industry best practices.

* * * * * * * * * * * * * * *

If you have any questions regarding this new proposal, please contact Leah Campbell ( , lcampbell@willkie.com), Francis M. Buono ( , fbuono@willkie.com), McLean B. Sieverding ( , msieverding@willkie.com), Carissa M. Mann ( , cmann@willkie.com), Benjamin B. Williams ( , bbwilliams@willkie.com), or the Willkie attorney with whom you regularly work.

Willkie Farr & Gallagher LLP is headquartered at 787 Seventh Avenue, New York, NY . Our telephone number is (212) , and our facsimile number is (212) . Our website is located at .

NEW YORK WASHINGTON PARIS LONDON MILAN ROME FRANKFURT BRUSSELS in alliance with Dickson Minto W.S., London and Edinburgh

December 11, 2012

Copyright 2012 Willkie Farr & Gallagher LLP. All Rights Reserved. This memorandum may not be reproduced or disseminated in any form without the express permission of Willkie Farr & Gallagher LLP.

This memorandum is provided for news and information purposes only and does not constitute legal advice or an invitation to an attorney-client relationship. While every effort has been made to ensure the accuracy of the information contained herein, Willkie Farr & Gallagher LLP does not guarantee such accuracy and cannot be held liable for any errors in or any reliance upon this information. Under New York's Code of Professional Responsibility, this material may constitute attorney advertising. Prior results do not guarantee a similar outcome.

Notes

[1] N.Y. Circ. Ltr. (Apr. 9, 2012) (applicable to authorized property/casualty insurers); see also N.Y. Circ. Ltr. (Apr. 12, 2012) (applicable to authorized health insurers); N.Y. Circ. Ltr. (Apr. 12, 2012) (applicable to authorized life insurers).
[2] N.Y. Circ. Ltr. (Apr. 9, 2012).
[3] See NYDFS Business Continuity Planning Questionnaire.
[4] See, e.g., Fla. Info. Memo. OIR M (June 8, 2005).
[5] See id.
[6] See Committee of Sponsoring Organizations of the Treadway Commission, Internal Control Integrated Framework (Dec. 2011).
[7] Whether a given insurer's activities relating to health care or health information will result in regulation under HIPAA can be a complex question for which advice from counsel should be sought. Initially, HIPAA's requirements only applied to "covered entities" (essentially health plans, health care clearinghouses, and healthcare providers), in connection with their use of electronic protected health information ("EPHI"), which is defined as individually identifiable health information that is either transmitted by electronic media or maintained in electronic media. However, these requirements have recently been expanded to directly cover "business associates" as well, which are organizations that perform, or assist a covered entity in the performance of, a function or activity involving the use or disclosure of EPHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing. As the Department of Health and Human Services ("HHS") is in the process of finalizing further HIPAA rules, it is not currently enforcing these requirements against business associates, but state attorneys general have done so, and HHS will as well when it finalizes its rules.
[8] The Security Rule is located at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
[9] When an implementation specification is "required," a HIPAA-covered insurer must comply with the implementation specification as written. By contrast, when an implementation standard is "addressable," a HIPAA-covered insurer has somewhat more flexibility. As a threshold matter, an addressable implementation specification must be complied with if it is reasonable and appropriate for the insurer to do so. However, if a HIPAA-covered insurer, after a risk assessment and analysis, determines that complying with a particular implementation specification is not reasonable or appropriate, it must consider whether there is a reasonable and appropriate alternative that accomplishes the same purpose. If the HIPAA-covered insurer determines that there is no reasonable or appropriate alternative, it must document why it would not be reasonable and appropriate to implement the implementation specification. Thus, in general, HIPAA compliance requires an additional level of analysis and documentation by covered insurers.
[10] 45 C.F.R. (a)(7)(ii)(A); see also 45 C.F.R. (d)(2)(iv) (HIPAA-covered insurers must create a retrievable, exact copy of EPHI, when needed, before movement of equipment).
[11] 45 C.F.R. (a)(7)(ii)(B).
[12] 45 C.F.R. (a)(7)(ii)(C).
[13] 45 C.F.R. (a)(2)(ii).
[14] C.F.R. (a)(2)(i).
[15] C.F.R. (a)(7)(ii)(E).
[16] 45 C.F.R. (a)(7)(ii)(D).
[17] Office for Civil Rights, Health Information Privacy Frequently Asked Questions.
[18] Pursuant to 42 U.S.C. 1320b-5, the Secretary of HHS may waive certain provisions of the HIPAA Privacy Rule following a presidential declaration of an emergency or a disaster. The Secretary must, in turn, declare a public health emergency as well. Following such a joint declaration, the Secretary may waive the following provisions of the HIPAA Privacy Rule: (1) the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care (45 C.F.R. (b)); (2) the requirement to honor a request to opt out of the facility directory (45 C.F.R. (a)); (3) the requirement to distribute a notice of privacy practices (45 C.F.R.); (4) the patient's right to request privacy restrictions (45 C.F.R. (a)); and (5) the patient's right to request confidential communications (45 C.F.R. (b)). These waivers exceed those disclosures already permitted by law. See Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations, Sept. 2, 2005.
[19] U.S.C. 6801(b).
[20] 11 N.Y.C.R.R.; see also N.Y. OGC Opinion No. (Feb. 14, 2002).
[21] See 45 C.F.R. (a)(7).
[22] C.F.R. (a)(7)(i).
[23] See N.Y. Circ. Ltr. (Apr. 9, 2012) (applicable to all authorized property/casualty insurers, among other entities); N.Y. Circ. Ltr. (Apr. 12, 2012) (applicable to authorized health insurers); N.Y. Circ. Ltr. (Apr. 12, 2012) (applicable to authorized life insurers).
[24] See Emergency Access Procedure, infra.
[25] C.F.R. (a)(7)(ii)(A).
[26] See, e.g., 45 C.F.R. (c).
[27] NYDFS Business Continuity Planning Questionnaire.
[28] 45 C.F.R. (a)(2)(ii).
[29] NYDFS Business Continuity Planning Questionnaire.
[30] 45 C.F.R. (a)(7)(ii)(B) (emphasis added).
[31] NYDFS Business Continuity Planning Questionnaire.
[34] Fla. Info. Memo. OIR M (June 8, 2005).
[35] 45 C.F.R. (b).
[36] NYDFS Business Continuity Planning Questionnaire.
More informationCLIENT MEMORANDUM CFTC AND SEC ADOPT DEFINITION OF SWAP AND SECURITY-BASED SWAP
CLIENT MEMORANDUM CFTC AND SEC ADOPT DEFINITION OF SWAP AND SECURITY-BASED SWAP The Commodity Futures Trading Commission and the Securities and Exchange Commission have issued joint final rules and interpretations
More informationLEGAL EFFECT OF ERRONEOUS FILING OF A UNIFORM COMMERCIAL CODE TERMINATION FINANCING STATEMENT
CLIENT MEMORANDUM LEGAL EFFECT OF ERRONEOUS FILING OF A UNIFORM COMMERCIAL CODE TERMINATION FINANCING STATEMENT Two cases, one recently decided and one pending, address the question of whether unauthorized
More informationSEC ADOPTS NEW RULE DESIGNED TO DETER PAY-TO-PLAY ACTIVITIES BY INVESTMENT ADVISERS
CLIENT MEMORANDUM SEC ADOPTS NEW RULE DESIGNED TO DETER PAY-TO-PLAY ACTIVITIES BY INVESTMENT ADVISERS In light of recent publicized occurrences in states such as New York, California, New Mexico and Connecticut
More informationIN RE MILLER: RECENT CASE HIGHLIGHTS THE DIFFICULTY OF PERFECTING SECURITY INTERESTS AGAINST INDIVIDUALS UNDER ARTICLE 9 OF THE UCC
CLIENT MEMORANDUM IN RE MILLER: RECENT CASE HIGHLIGHTS THE DIFFICULTY OF PERFECTING SECURITY INTERESTS AGAINST INDIVIDUALS UNDER ARTICLE 9 OF THE UCC Perfecting a security interest against an individual
More informationTHE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION
CLIENT MEMORANDUM THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION The ICC Report analyzes the use of binding
More informationEnsuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services
Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority
More informationWHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
More informationHIPAA Compliance and the Protection of Patient Health Information
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
More informationBUSINESS ASSOCIATE AGREEMENT ( BAA )
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
More informationCFTC AND SEC DEFINE MAJOR SWAP PARTICIPANT AND MAJOR SECURITY-BASED SWAP PARTICIPANT
CLIENT MEMORANDUM CFTC AND SEC DEFINE MAJOR SWAP PARTICIPANT AND MAJOR SECURITY-BASED SWAP PARTICIPANT The Commodity Futures Trading Commission and the Securities and Exchange Commission have issued joint
More informationHIPAA COMPLIANCE AND
INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More information787 Wye Road, Akron, Ohio 44333 P 330-666-6200 F 330-666-7801 www.keystonecorp.com
Introduction Keystone White Paper: Regulations affecting IT This document describes specific sections of current U.S. regulations applicable to IT governance and data protection and maps those requirements
More informationHIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationSEC ADOPTS RULES IMPLEMENTING DODD-FRANK INVESTMENT ADVISER EXEMPTIONS AND REGISTRATION REQUIREMENTS
CLIENT MEMORANDUM SEC ADOPTS RULES IMPLEMENTING DODD-FRANK INVESTMENT ADVISER EXEMPTIONS AND REGISTRATION REQUIREMENTS Last week the Securities and Exchange Commission ( SEC ) adopted a series of technical
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered
More informationHIPAA Security Series
7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule
More informationSWAP DEALER AND SECURITY-BASED SWAP DEALER DEFINED
CLIENT MEMORANDUM SWAP DEALER AND SECURITY-BASED SWAP DEALER DEFINED The Securities and Exchange Commission and Commodity Futures Trading Commission jointly adopted final rules 1 under Title VII of the
More informationWHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery
WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS
More informationA s a covered entity or business associate, you have
Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)
More informationTreasury Department Proposes Anti-Money Laundering Regulations for Investment Advisers
CLIENT MEMORANDUM Treasury Department Proposes Anti-Money Laundering Regulations for Investment Advisers August 28, 2015 AUTHORS Benjamin J. Haskin Russell L. Smith Barbara Block On August 25, 2015, the
More informationPlease print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &
Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationUNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):
UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,
More informationFEDERAL CIRCUIT HOLDS THAT HEIGHTENED PLEADING REQUIREMENTS APPLY TO FALSE MARKING ACTIONS
CLIENT MEMORANDUM FEDERAL CIRCUIT HOLDS THAT HEIGHTENED PLEADING REQUIREMENTS APPLY TO FALSE MARKING ACTIONS In a decision that will likely reduce the number of false marking cases, the Federal Circuit
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationHealth Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement
This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More informationBUSINESS ASSOCIATE AGREEMENT. Recitals
BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
More informationState HIPAA Security Policy State of Connecticut
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards
More informationSEC ADOPTS FINAL RULES ON DISCLOSURE REGARDING PORTFOLIO MANAGERS OF INVESTMENT COMPANIES
CLIENT MEMORANDUM SEC ADOPTS FINAL RULES ON DISCLOSURE REGARDING PORTFOLIO MANAGERS OF INVESTMENT COMPANIES The Securities and Exchange Commission (the SEC ), as part of its ongoing effort to improve the
More informationEnsuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services
Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and
More informationTHE COMMONWEALTH OF MASSACHUSETTS
THE COMMONWEALTH OF MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION DIVISION OF INSURANCE Report on the Comprehensive Market Conduct Examination of The Paul Revere Variable Annuity Insurance
More informationEnsuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
More informationC.T. Hellmuth & Associates, Inc.
Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.
More informationLouisiana State University System
PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered
More informationBUSINESS ASSOCIATE AGREEMENT
Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ), entered into and effective this day of,, is by and between ( Business Associate ) and Black, Gould & Associates, Inc.
More informationDEPARTMENT OF MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES
DEPARTMENT OF MENTAL HEALTH AND DEVELOPMENTAL DISABILITIES POLICIES AND PROCEDURES Subject: ADMINISTRATION OF HIPAA Effective Date: 12/15/03 Review Date: 6/8/06 Revision Date: 11/21/06 (All legal citations
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
More informationProfessional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules
Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is effective September 1, 2013 and made between Community Health Solutions of America, Inc., a Florida corporation ( CHS ) and ( Company ).
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").
More informationSEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT
CLIENT MEMORANDUM SEC ISSUES FINAL RULES FOR NEW CEO/CFO CERTIFICATION UNDER SECTION 302 OF THE SARBANES-OXLEY ACT As noted in our previous client memoranda, the Sarbanes-Oxley Act of 2002 (the Act ) calls
More informationGROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT
GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT This Agreement, made between Group Health Inc., having its principal office at 441 Ninth Avenue, New York, NY 10001 ("GHI"), and, having its principal
More informationCFTC PROPOSES SPECULATIVE POSITION LIMITS FOR REFERENCED ENERGY CONTRACTS
CLIENT MEMORANDUM CFTC PROPOSES SPECULATIVE POSITION LIMITS FOR REFERENCED ENERGY CONTRACTS The Commodity Futures Trading Commission has proposed Federal speculative position limits on certain natural
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationHIPAA/HITECH: A Guide for IT Service Providers
HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing
More informationSUMMARY. 2. Covered information, which is the key term, is very broadly defined and includes the following with respect to an individual:
CLIENT MEMORANDUM DRAFT FEDERAL PRIVACY BILL WOULD DRAMATICALLY AFFECT HOW A WIDE RANGE OF COMPANIES COLLECT, USE, AND DISCLOSE CERTAIN INFORMATION ABOUT INDIVIDUALS, BOTH ONLINE AND OFFLINE On May 4,
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationFORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
More informationFirstCarolinaCare Insurance Company Business Associate Agreement
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address
More informationSocial Marketing & Liability
Social Marketing & Liability Fred E. Karlinsky, Esq. Co-Chair, Insurance Regulatory & Transactions Practice Shareholder, Greenberg Traurig Louisiana Insurers Conference Insurance Compliance Seminar August
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
More informationGramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationBUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:
BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective
More informationBAC to the Basics: Business Associate Contracts Made Easy
BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationThis is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the
This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the HIPAA Security rule: Contingency planning and evaluation.
More informationHealthcare Management Service Organization Accreditation Program (MSOAP)
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
More informationBENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT
BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationTerms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
More informationAOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL
AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL August, 2013 HIPAA SECURITY REGULATION COMPLIANCE DOCUMENTS For (Practice name) (Street Address) (City, State, ZIP) Adopted (Date) 2 INTRODUCTION The federal
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationTulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY
Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,
More informationBUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES
1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date
More informationBUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS
BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS This Business Associate Agreement (this Agreement ), is made as of the day of, 20 (the Effective Date ), by and between ( Business Associate ) and ( Covered Entity
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,
More information