GUIDANCE FOR BUSINESS ASSOCIATES




This Guidance for Business Associates document is intended to overview UPMC's expectations, as well as to provide additional resources and information, to UPMC's HIPAA business associates. In general, as a business associate, it is expected that appropriate steps are taken in order to protect UPMC data from the risk of unauthorized disclosure.

OVERVIEW

As a business associate to UPMC, UPMC expects you to comply with UPMC's business associate terms and conditions found at: http://www.upmc.com/services/supplychainmanagement/pages/hipaa.aspx (the "BAA Terms").

BREACH NOTIFICATION

You shall report to UPMC any breach of UPMC's patient information immediately upon becoming aware of such breach. The report shall include the name of each individual whose protected health information was or is reasonably believed by your organization to have been inappropriately accessed, acquired or disclosed, as well as who UPMC should contact from your organization. You shall also provide such assistance and further information as requested by UPMC. You shall immediately report any situation where you believe that your organization may have violated the BAA Terms. The report can be emailed to privacyaskus@upmc.edu.

SECURITY: APPLICABILITY OF HIPAA SECURITY STANDARDS

Generally, UPMC expects that you will properly secure all UPMC patient information. This includes such steps as:

- Encrypting hard disks, removable media, remote access and information sent via the Internet.
- Securing workstations and servers.
- Employing effective passwords.
- Maintaining effective antivirus software.
- Patching your systems.
- Performing backups of your systems and data.
- Ensuring that your data center is physically secure, and that you have an effective contingency plan.
- Limiting staff access to systems and information on a need-to-know basis.
- Destroying data when you no longer need to keep it.

The following provisions from the HIPAA Security Standards (45 CFR Section 164) apply directly to you in your capacity as a business associate:

- Administrative Safeguards (164.308)
- Physical Safeguards (164.310)
- Technical Safeguards (164.312)
- Policies & Procedures and Documentation Requirements (164.316)

More information on these requirements is included in Attachment A.

BUSINESS ASSOCIATE SUBCONTRACTORS AND AGENTS

Any agent or subcontractor that you utilize and to whom you provide UPMC's patient information must agree to the BAA Terms as well as any other terms and conditions you and UPMC agree to.

ACCOUNTING OF DISCLOSURES

Under the terms of the American Recovery & Reinvestment Act (ARRA), patients have a right to an accounting of who electronically accessed their information. This includes access by staff of business associates and their subcontractors and agents. Accordingly, you shall maintain logs of such access in order that UPMC can comply with this provision.

IDENTITY THEFT

You may receive or have access to UPMC information that could be used to commit identity theft, such as names, SSNs, account numbers and birth dates. Accordingly, you shall implement appropriate precautions, as well as policies and procedures, to prevent, detect and mitigate identity theft.

INAPPROPRIATE ACCESS BY STAFF

You shall only allow your staff to access UPMC patient information as is necessary for them to do their job. You shall also implement appropriate procedures to detect if a staff member has inappropriately accessed UPMC patient information. You will further investigate each case where you believe that inappropriate access has occurred.

EDUCATION

You shall train your staff and ensure that they understand their obligations under the BAA Terms.

MITIGATION & DISCIPLINE

You shall implement processes and procedures to properly address any breach of the BAA Terms that may occur, including disciplining employees, subcontractors and agents.

ADDITIONAL INFORMATION

Additional information regarding HIPAA and the privacy rule (including the HIPAA regulations and FAQs) can be found at http://www.hhs.gov/ocr/privacy.
Guidance specific to business associates can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.

ATTACHMENT A

1. ADMINISTRATIVE SAFEGUARDS

a. Security Management Process:
   i. Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
   ii. Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
   iii. Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
   iv. Information System Activity Review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
b. Assigned Security Responsibility:
   i. Identify the security official who is responsible for the development and implementation of the facility's information security policies and procedures.
c. Workforce Security:
   i. Workforce Security: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
   ii. Workforce Clearance Procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
   iii. Termination Procedure: Implement procedures for terminating access to electronic PHI when the employment of a workforce member.
d. Information Access Management: Implement policies and procedures for authorizing access to electronic PHI.
   i. Isolating Health Care Clearinghouse Functions: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
   ii. Access Authorization: Implement policies and procedures for granting access to electronic PHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
   iii. Access Establishment and Modification: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
e. Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).
   i. Security Reminders - Periodic security updates.
   ii. Protection from Malicious Software - Procedures for guarding against, detecting, and reporting malicious software.
   iii. Log-in Monitoring - Procedures for monitoring log-in attempts and reporting discrepancies.
   iv. Password Management - Procedures for creating, changing, and safeguarding passwords.
f. Security Incident Procedures
   i. Response and Reporting - Identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
g. Contingency Plan - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic PHI.
   i. Data Backup Plan - Establish and implement procedures to create and maintain retrievable exact copies of electronic PHI.
   ii. Disaster Recovery Plan - Establish (and implement as needed) procedures to restore any loss of data.
   iii. Emergency Mode Operation Plan - Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic PHI while operating in emergency mode.
   iv. Testing and Revision Procedures - Implement procedures for periodic testing and revision of contingency plans.
   v. Applications and Data Criticality Analysis - Assess the relative criticality of specific applications and data in support of other contingency plan components.
h. Evaluation - Perform a periodic self or external evaluation of the facility's compliance with the HIPAA Security Rule.
i. Business Associate Contracts and Other Arrangements

2. PHYSICAL SAFEGUARDS

a. Facility Access Controls - Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
   i. Contingency Operations - Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
   ii. Facility Security Plan - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
   iii. Access Control and Validation Procedures - Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
   iv. Maintenance Records - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
b. Workstation Use - Implement procedures that specify appropriate usage, including the physical attributes of workstations which can access ePHI.
c. Workstation Security - Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
d. Device and Media Controls - Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and the movement of these items within the facility.
   i. Disposal - Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored.
   ii. Media Re-use - Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.
   iii. Accountability - Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
   iv. Data Backup and Storage - Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment.

3. TECHNICAL SAFEGUARDS

a. Access Control
   i. Unique User Identification - Assign a unique name and/or number for identifying and tracking user identity.
   ii. Emergency Access Procedure - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
   iii. Automatic Logoff - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
   iv. Encryption and Decryption - Implement a mechanism to encrypt and decrypt electronic PHI.
b. Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
c. Integrity - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
d. Person or Entity Authentication - Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
e. Transmission Security - Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
   i. Integrity Controls - Implement security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of.
   ii. Encryption - Implement a mechanism to encrypt electronic PHI whenever deemed appropriate.