Information Privacy and Security Program Title:


Page: 1 of 5

I. PURPOSE [1]

The purpose of this standard is to identify and define the standards for implementing contracting provisions related to those individuals and organizations identified as Business Associates. The Privacy Rule allows covered providers and health plans to disclose protected health information to these Business Associates if the providers or plans obtain satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the Business Associate.

II. DEFINITIONS

A. Business Associate or BA means a person or entity (not an employee) who, on behalf of Tenet,
1. Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
2. Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or on behalf of Tenet, where the provision of the service involves the disclosure of individually identifiable health information from Tenet.

B. Data Use Agreement is an agreement that allows the covered entity to disclose a Limited Data Set to the potential recipient. (164.514(e)(1))

C. Electronic Protected Health Information or ePHI means Protected Health Information (PHI) stored or transmitted by electronic means.

D. Incidental Disclosure means the possible disclosure of PHI due to exposure to information while performing a service for Tenet that does not directly involve access, use and disclosure of PHI. Examples include janitorial services and non-patient-care employees/vendors in the patient room or waiting area.

E. Information is individually identifiable if it either identifies an individual or contains enough specific information to do so.

[1] Replaces and retires Information Privacy Policies 1.1.1, 1.2.5 and Information Security Policy Comp-Sec 2.1.1.

F. A Limited Data Set is protected health information that can only be used or disclosed for research, public health, or Health Care Operations and excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- names;
- postal address information, other than town or city, state, and zip code;
- telephone numbers;
- fax numbers;
- electronic mail addresses;
- social security numbers;
- medical record numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers;
- web universal resource locators (URLs);
- internet protocol (IP) address numbers;
- biometric identifiers, including finger and voice prints; and
- full face photographic images and any comparable images.

G. Protected Health Information or PHI means individually identifiable health information that is transmitted or maintained in any form or medium and that relates to the past, present or future physical or mental health or condition of a patient, the provision of health care to a patient, or the past, present or future payment for the provision of health care by a patient.

H. Additional capitalized terms used herein are defined in the Information Privacy and Security Glossary of Definitions.

III. STANDARD

Prior to disclosing any Protected Health Information (PHI) to a Business Associate of Tenet, Tenet will obtain satisfactory assurances from the Business Associate that it will appropriately safeguard the PHI it receives or creates on behalf of Tenet. Tenet will document these satisfactory assurances in writing in the form of a Business Associate Agreement (BAA) with the Business Associate, in compliance with the HIPAA regulations.

Any disclosures to a Business Associate must be limited to disclosures permitted by the HIPAA regulations and not made for the Business Associate's independent use or purposes.

A. Determine if Person or Entity is a Business Associate

The Tenet Facility's contract administrator, in conjunction with the appropriate business unit owner(s), must evaluate each business relationship for the need of a Business Associate Agreement, using Attachment A (Prospective Business Associate Third Party/Vendor Guide) and Attachment B (BAA Decision Tree). A Business Associate:
1. Provides a service/activity on behalf of Tenet;
2. Is not employed by Tenet;
3. Involves the access to, use or disclosure of, or creation of PHI.

4. If it is unclear whether a relationship requires a BAA, contact the Tenet Facility Compliance Officer for assistance.

B. Accounts Payable New Vendor (Business Associate) Setup

New vendor setup procedures managed by Tenet's Accounts Payable Department shall be followed to identify future vendors that qualify as Business Associates. A copy of the vendor setup request form is located under Forms on the Accounts Payable etenet website.
1. Tenet Facilities must ensure that a process is in place so that the New Vendor Form is processed.
2. Audit Services will perform periodic reviews of New Vendor Forms to ensure that written contracts are in place and that the Business Associate process described above is being followed.

C. Data Use Agreement (DUA) / Limited Data Set

Section 164.514(e) of the Privacy Rule states that a Business Associate Agreement is not required when the only PHI an entity receives is a Limited Data Set. A Limited Data Set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a Data Use Agreement (DUA) promising specified safeguards for the PHI within the Limited Data Set. The DUA satisfies the Privacy Rule's requirement that the covered entity obtain satisfactory assurances from its third parties/vendors to protect patients' right to privacy, consistent with obligations under federal and state law and Tenet's information privacy policies.

D. Business Associate Agreement (BAA)

Section 164.504(e) of the Privacy Rule requires that business associate agreements specify the uses and disclosures of PHI that Tenet requires of the Business Associate. The agreement will state that the Business Associate must comply with all applicable HIPAA and HITECH Regulations and conduct its business as a covered entity. Tenet's Business Associate Agreements are maintained in the Law Department's Contractual Arrangements Manual (CAM).

E. Refer any third party/vendor expressing concerns or indicating that negotiation is needed to the Tenet Facility Compliance Officer for consultation and agreement recommendations.

F. It is recommended that Tenet only enter into a Business Associate or Data Use Agreement located on the CAM; however, the Tenet Facility Compliance Officer must review and approve any Business Associate or Data Use Agreements submitted to Tenet from outside organizations prior to execution.

G. Upon receipt of a signed Business Associate Agreement or Data Use Agreement from the third party/vendor:
1. Maintain the original signed BAA or DUA per Tenet Facility policy.
2. Upload a copy into the ecats system (see Law Department policy L-15 Electronic Contract Approval Term Sheet (ecats) and its Frequently Asked Questions).

IV. IMPLEMENTATION

A. Tenet Facility
1. The Tenet Facility Compliance Officer and Tenet Facility Management are responsible for distribution and oversight of Information Privacy and Standards at the facility level.
2. Tenet Facility must
a. Adopt this standard and, where necessary, develop specific written procedures in order for the Tenet Facility to operationalize this standard;
b. Develop appropriate methods to monitor adherence to the written procedures; and
c. Report monitoring activity to the Tenet Facility Compliance Officer.

B. Corporate
1. Tenet's Information Privacy/Security Office will work with the Tenet Facility Compliance Officer and Tenet Facility Management to develop, maintain, and update procedures and standards for protecting the privacy of PHI and affording patients their rights with respect to their PHI.
2. Tenet Corporate and Tenet Regional Offices must incorporate these standards into their specific policies and procedures where necessary.

V. REFERENCES
- Information Privacy & Security Glossary of Definitions
- EC.PS.01.00 Information Privacy and Security Administration Policy
- Law Department's Contractual Arrangements Manual (CAM)
- Law Department policy L-15 Electronic Contract Approval Term Sheet (ecats) and its Frequently Asked Questions
- 45 C.F.R. Parts 160 and 164

VI. ATTACHMENTS
- Attachment A: Aid for Evaluating Third Parties for Determination of Need for Business Associate Contract(s)
- Attachment B: Business Associate Flowchart
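A pre-disclosure check for the Limited Data Set definition in II.F, which also backs the "DUA instead of BAA" decision in III.C: the record must carry none of the listed direct identifiers, while town/city, state and zip may stay. This is an added illustration, not Tenet's own tooling; the field-name terms, value patterns and sample records are constructed assumptions.

```python
"""Check whether a record meets the Limited Data Set definition (II.F).
Added example; field terms, regexes and sample records are constructed."""
import re

# Identifier terms matched as substrings of lower-cased field names.  This is
# deliberately conservative: a field such as "drug_name" is flagged for review.
EXCLUDED_FIELD_TERMS = (
    "name", "street", "address_line", "phone", "fax", "email", "ssn",
    "social_security", "mrn", "medical_record", "beneficiary", "account",
    "certificate", "license", "plate", "vin", "vehicle", "device_id",
    "serial", "url", "ip_address", "biometric", "fingerprint", "voiceprint",
    "photo",
)
# Geographic fields that II.F explicitly permits in a Limited Data Set.
ALLOWED_FIELDS = {"city", "town", "state", "zip"}

# Identifiers that commonly leak inside free-text fields such as notes.
VALUE_PATTERNS = {
    "social security number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "telephone/fax number": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "electronic mail address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "IP address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
}


def limited_data_set_violations(record):
    """Return the reasons a record fails the II.F test (empty list = passes).
    Both the field names and the values of string fields are inspected."""
    problems = []
    for field, value in record.items():
        key = field.lower()
        if key in ALLOWED_FIELDS:
            continue  # town/city, state, zip are permitted
        for term in EXCLUDED_FIELD_TERMS:
            if term in key:
                problems.append(f"field '{field}': excluded identifier ({term})")
                break
        if isinstance(value, str):
            for label, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    problems.append(f"field '{field}': value contains a {label}")
    return problems


def is_limited_data_set(record):
    """True when the record may go out under a DUA rather than a BAA (III.C)."""
    return not limited_data_set_violations(record)


# Constructed sample records (not real patient data).
SAMPLE_LDS = {"city": "Dallas", "state": "TX", "zip": "75201",
              "admit_date": "2013-09-16", "diagnosis": "hypertension"}
SAMPLE_PHI = {"patient_name": "Jane Doe", "city": "Dallas",
              "notes": "call 214-555-0100 or jane@example.com"}
```

Dates are permitted in a Limited Data Set and are not flagged; the check is a gate for human review before a DUA disclosure, not a substitute for the Compliance Officer's determination.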

Attachment A. Business Associate And Data Use Agreement Standard. Page 1 of 1

Aid for Evaluating Third Parties for Determination of Need for Business Associate Contract(s)

Checklist of arrangements with third parties that may need to be documented with business associate contracts. This list is provided for illustration only and is not a complete list of all arrangements that are subject to the business associate rules.

Third party professionals
- Consultants
- Accountants
- Attorneys
- Actuaries
- Patient Safety Organizations
- Risk management
- Information technology
- Billing and coding
- Management

Service Providers
- Coding providers
- Waste disposal and recycling companies (if PHI included in waste)
- Transcription services
- Microfilm and optical disk conversion providers
- Clearinghouses
- Billing companies
- Insurance brokers
- Records management companies (including storage and reproduction)
- Temporary staffing agencies (if personnel will have access to PHI)
- Software and hardware providers (for installation, maintenance and other services that may have access to PHI)

Other agreements
- Joint ventures
- IPA/HMO/other payer contracts (under which Covered Entity is buying managed care contracting services and/or billing/collection services that involve the use or disclosure of PHI)
- Shared service arrangements
- Research services
- Management agreements

09-16-13

Attachment B. EC.PS.01.04 Business Associate And Data Use Agreement Standard. Page 1 of 1

Business Associate Flowchart [flowchart image not reproduced in this transcription]

09-16-13