DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION)


Delhaize America, LLC Pharmacies and Welfare Benefit Plan 2013 Health Information Security and Procedures (As amended and restated effective September 1, 2016)

ARTICLE I
INTRODUCTION AND PURPOSE

Delhaize America, LLC ("Delhaize") adopts this Health Information Security and Procedures (the "Security"), as amended and restated effective September 1, 2016, on behalf of the Pharmacies operated by Food Lion, LLC and Hannaford Bros. Co., LLC and the Health Care Benefit Options that are offered under the Plan to eligible employees and retirees of Delhaize and other Participating Employers, the purpose of which is to comply with the written policy requirement of the Security Standards for the Protection of Electronic Protected Health Information contained in 45 C.F.R. Parts 160, 162 and 164 (the "Security Standards"), as amended to reflect the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and as otherwise amended from time to time.

The Security provides policies and procedures implemented by the Pharmacies and the Health Care Benefit Options, which are Covered Entities, to comply with the standards, implementation specifications and other requirements of the Security Standards. This Security is intended to underscore the security requirements that are specific to the Security Standards and HITECH, while also aligning with Delhaize's Information Security policies and standards, which address in detail the topics of information security management; information access management; asset management; information classification and handling; personnel security; access control; physical security; communications and data protection management; security operations; monitoring and response; application security; legal, privacy and regulatory compliance; and acceptable use.

The Security Standards require the Pharmacies and Health Care Benefit Options to do the following: ensure the confidentiality, integrity and availability of all Electronic Protected Health Information created, received, maintained or transmitted for a pharmacy or group health plan; protect against any reasonable or anticipated threats or hazards to the security or integrity of such Electronic Protected Health Information; protect against any reasonably anticipated uses or disclosures of Electronic Protected Health Information that are not permitted or required under the Privacy Standards; and ensure employees of Delhaize or any other Participating Employer comply with the requirements of the Security Standards.

The Security shall be administered by the Vice President of Pharmacy, the Plan Administrator and the Chief Information Security Officer (CISO), who serves as the designated HIPAA Security Official. The Vice President of Pharmacy, the Plan Administrator and the CISO shall have complete and absolute power, authority and discretion to determine all matters with respect to the administration of the Security and to implement and carry out the provisions herein, including, but not limited to, the determination and interpretation of all provisions of the Security and modification of the Security from time to time as necessary to comply with any changes in applicable law, including the Security Standards.

ARTICLE II
ELECTRONIC PROTECTED HEALTH INFORMATION

Section 2.3 Application of Security.
The Security applies to the Pharmacies and the Health Care Benefit Options that are subject to the Privacy Standards and create, receive, maintain or transmit Electronic Protected Health Information (also referred to herein as "E-PHI").

Section 2.2 Scope of Electronic Protected Health Information.
Electronic Protected Health Information is Protected Health Information that is maintained or transmitted in Electronic Media. Electronic media means media described in each of (a) and (b) below:
(a) Electronic storage media on which data is or may be recorded electronically, including devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(b) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission.

Section 2.3 Systems for Electronic Protected Health Information.
Electronic Protected Health Information for any Pharmacy or Health Care Benefit Options is accessed, created, received, maintained or transmitted in and through the information technology system (or systems) that services and supports the business operations and systems of Delhaize or other Participating Employer.
The structure and operation of the information technology systems are controlled by personnel from the Delhaize America IT Department and the Information Security Organization (ISO) and are subject to the security policies, procedures and standards developed and maintained by the ISO. Where appropriate, the requirements of the Security may be coordinated and/or implemented through such policies, procedures and standards.

ARTICLE III
DEFINITIONS

Whenever used in this Security, the following words and phrases shall have the respective meanings stated below unless a different meaning is plainly required by the context, and where the defined meaning is intended, the term is capitalized. Capitalized terms not defined herein shall have the meaning attributed to such terms under the Privacy Standards, the Security Standards or the Plan, as applicable.

Section 3.1 Business Associate
A "Business Associate" means any person or entity who, other than in the capacity of a member of the workforce of the Pharmacies or Health Care Benefit Options, (a) creates, receives, maintains or transmits Protected Health Information on behalf of the Pharmacies and/or Health Care Benefit Options, involving the Use or Disclosure of Individually Identifiable Health Information as more specifically identified in the Privacy Standards, or (b) provides services to the Pharmacies and/or Health Care Benefit Options where the provision of the service involves the Use or Disclosure of Protected Health Information to the person. Examples of functions or services performed by Business Associates include the following: Claims processing or administration, data analysis, utilization review, quality assurance, benefit management, legal, actuarial, accounting, consulting, data aggregation, management, financial and administrative services provided to or for the Pharmacies and Health Care Benefit Options. A Business Associate includes any person that provides data transmission services for Protected Health Information to the Pharmacies and Health Care Benefit Options on a routine basis.

Section 3.2 Delhaize
"Delhaize" means Delhaize America, LLC, its affiliates and any successor to such entity whether by merger, consolidation, liquidation or otherwise.

Section 3.3 Effective Date
"Effective Date" means September 23,

Section 3.4 Electronic Media
"Electronic Media" has the meaning set forth in Section 2.2 hereof.

Section 3.5 Electronic Protected Health Information (or E-PHI)
"Electronic Protected Health Information" or "E-PHI" means Protected Health Information that is maintained or transmitted in Electronic Media.

Section 3.6 Encryption
"Encryption" means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Section 3.7 Facility
"Facility" means the physical premises and the interior and exterior of a building(s).

Section 3.8 Health Care Benefit Options
"Health Care Benefit Options," for purposes of this Security, mean any of the health care benefit options offered to employees of Participating Employers and the employees performing administrative functions relating to such Health Care Benefit Options on behalf of the Plan Administrator, to the extent such Health Care Benefit Options constitute a Covered Entity subject to the Security Standards. The Health Care Benefit Options governed by this Security are identified in the Delhaize America, LLC Welfare Benefit Plan Health Information Privacy and Procedures.

Section 3.9 HR
"HR" means Human Resources.
Section 3.10 Individually Identifiable Health Information
"Individually Identifiable Health Information" means health information, including demographic information, collected from an individual that:
(a) Is created or received by a Pharmacy or Health Care Benefit Options; and
(b) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Individually Identifiable Health Information may be in any form, such as written, oral, or electronic.

Section 3.11 Information Security Book
"Information Security Book" means a comprehensive information security governance strategy to control risks and manage the Delhaize America, LLC information security operations within which E-PHI is contained, accessed, created, received, maintained or transmitted for a Pharmacy or Health Care Benefit Options, as may be amended or supplemented from time to time.

Section 3.12 IT System
"IT System" means a technology information system that supports and services the business and operations of a Participating Employer.

Section 3.13 Participating Employer
"Participating Employer" means Delhaize and any affiliates thereof participating in the Plan.

Section 3.14 Pharmacies
"Pharmacies" means the pharmacies operated by Food Lion, LLC and Hannaford Bros. Co., LLC in many retail locations. The Pharmacies to which this Security applies are the same as the Pharmacies to which the Delhaize America, LLC Pharmacy HIPAA Privacy Policies and accompanying forms and guidance apply.

Section 3.15 Plan
"Plan" means the plan or program under which Health Care Benefit Options are offered, as amended from time to time. The Plans to which this Security applies are the same as the plans to which the Delhaize America, LLC Welfare Benefit Plan Health Information Privacy and Procedures applies.

Section 3.16 Plan Administrator
"Plan Administrator" means Delhaize or such other person or entity appointed by Delhaize to administer the Plan; provided, that for any Plan under which insured Health Care Benefit Options are offered, it shall mean, for those Options, the person or entity designated as such under the applicable insurance policy or other agreement.

Section 3.17 Privacy Policies
"Privacy Policies" refers to the Delhaize America, LLC Pharmacy HIPAA Privacy Policies and accompanying forms and guidance, as well as the Delhaize America, LLC Welfare Benefit Plan Health Information Privacy and Procedures, all as may be amended or supplemented from time to time.

Section 3.18 Privacy Standards
"Privacy Standards" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as may be amended from time to time.

Section 3.19 Protected Health Information (PHI)
"Protected Health Information" or "PHI" means Individually Identifiable Health Information, excluding:

(a) Certain education records covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. 1232g); and
(b) Employment records held by a Participating Employer in its role as employer.

Section 3.20 Security Official
"Security Official" means the Security Official identified in Exhibit A attached to this Security.

Section 3.21 Security Standards
"Security Standards" means the Security Standards for the Protection of Electronic Protected Health Information contained in 45 C.F.R. Parts 160, 162 and 164, as may be amended from time to time.

Section 3.22 Secretary
"Secretary" means the Secretary of the Department of Health and Human Services or his designee.

Section 3.23 Workstation
"Workstation" means an electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.

ARTICLE IV
ADMINISTRATIVE STANDARDS

Section 4.1 Security Management Process Risk Analysis
The Pharmacies and the Health Care Benefit Options must implement policies and procedures to prevent, detect, contain and correct security violations relating to E-PHI.

Procedures Risk Analysis
The CISO/Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, has conducted an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of E-PHI.
(a) The risk analysis identified the following for the Pharmacies and the Health Care Benefit Options:
(i) the source and location of any E-PHI received, created, maintained, stored, transmitted by (or on behalf of) the Pharmacies and the Health Care Benefit Options, including, for example, Protected Health Information that is converted into electronic format (e.g., using an Excel spreadsheet, Word document program or Acrobat software program) for electronic storage or transmission, or communications;
(ii) all IT Systems that involve access, receipt, creation, storage or transmission of E-PHI for the Pharmacies and the Health Care Benefit Options; the ownership and supervision of any such IT System and all IT System elements and all physical facilities where such IT System and IT System equipment is located; and

(iii) all individuals that are involved in the receipt, creation, storage, maintenance and transmission of E-PHI for the Pharmacies and the Health Care Options, including, personnel in the HR, IT and ISO Departments for Delhaize or any other Participating Employer.
(b) The risk analysis further identified all current security measures to protect E-PHI for the Pharmacies and the Health Care Benefit Options. These current security measures include security measures for E-PHI required pursuant to the Privacy Policies and applicable policies in the Information Security Book (which are hereby incorporated into this Security by reference).
(c) The risk analysis assessed potential risks and vulnerabilities to the security and integrity of E-PHI for the Pharmacies and the Health Care Benefit Options. This analysis considered, among other things, the potential for and likelihood of unauthorized access, use or disclosure of E-PHI or loss of data integrity for E-PHI.
(d) The CISO/Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, evaluated current security measures to determine whether and the extent to which such measures satisfy the standards and implementation specifications of the Security Standards.

Section 4.2 Security Management Process Risk Management Program
The Pharmacies and the Health Care Benefit Options must implement policies and procedures to prevent, detect, contain and correct security violations relating to E-PHI.

Procedures Risk Management Program
The Pharmacies and the Health Care Benefit Options have implemented appropriate security measures in response to the risk analysis described in Section 4.1 above to reduce risks to the confidentiality, integrity and availability of E-PHI for the Pharmacies and the Health Care Benefit Options to a reasonable and appropriate level as follows:
(a) The Pharmacies and the Health Care Benefit Options have determined in certain instances that existing security measures for E-PHI satisfy the required and addressable implementation requirements of the Security Standards. In other instances, the Pharmacies and the Health Care Benefit Options are modifying existing security measures or implementing additional administrative, physical or technical security measures in each case to satisfy the Security Standards.
(b) In evaluating whether to modify existing security measures for E-PHI or implement additional security measures, the Pharmacies and the Health Care Benefit Options consider the size, complexity, technical capabilities (in terms of the overall technical capabilities of the IT System that accesses, receives, creates maintains or transmits for the Pharmacies and the Health Care Benefit Options), the risk of a security violation (as defined by the Risk Analysis) and the relative costs of any security measures.
(c) Any new or modified security measures implemented, as well as any current security measures maintained, are subject to periodic review as established by the CISO/Security Official (or his or her delegate) as set forth in Article VII.

Section 4.3 Security Management Process Sanction
The Pharmacies and the Health Care Benefit Options must implement policies and procedures to detect, prevent, contain and mitigate security violations relating to its E-PHI.

Procedure Sanction

(a) Sanctions may be applied against any employees of a Participating Employer who access, receive, create, maintain or transmit E-PHI for or on behalf of the Pharmacies or the Health Care Benefit Options and fail to comply with the terms and conditions of this Security.
(b) The sanctions to be applied to an employee who fails to comply with the requirements of the Security may include disciplinary action, up to and including, termination of employment, consistent with a Participating Employer's employment policies.
(c) The procedures for determining sanctions under this sanction policy are the same as those procedures set forth in the Privacy Policies, as applicable; provided, however, that the nature of any violation triggering sanctions shall be determined with reference to the requirements of this Security.
(d) The applicable procedures implemented pursuant to the Privacy Policies (and any related employment policies of a Participating Employer) for determining sanctions and disciplinary action are hereby incorporated by reference into the Security.

Section 4.4 Information System Activity Review
The Pharmacies and the Health Care Benefit Options must review records of information system activity on a regular basis to detect, prevent, contain and mitigate security violations.

Procedures
(a) Activity in an IT System is tracked and documented pursuant to the applicable policies in the Information Security Book. The information system activity for E-PHI accessed, created, received, maintained or transmitted under this IT System will be handled in accordance with these policies and procedures. Examples of information system activity that may be reviewed for Security Standard violations include audit logs, access reports, security incident tracking reports and data modification tracking reports.
(b) The Security Official (or his or her delegate) will review information system activity in coordination with appropriate IT and ISO Department personnel at such times and in such manner so as to allow for reasonable detection and investigation of potential security violations of the Security Standards. Except as otherwise directed by the Security Official (or his or her delegate), such reviews shall take place and be handled in accordance with the policies in the Information Security Book.
(c) IT and ISO Department personnel will assist the Security Official (or his or her delegate) in determining whether existing information system activity allows for appropriate detection, prevention or containment of security violations. Any modification or update of these information activity mechanisms will be made in accordance with applicable policies in the Information Security Book.

Section 4.5 Workforce Security
The Pharmacies and the Health Care Benefit Options must ensure that employees of a Participating Employer or of the Pharmacies who create, receive, maintain or transmit E-PHI for the Pharmacies and the Health Care Benefit Options have appropriate access to such E-PHI. Accordingly, the Pharmacies and the Health Care Benefit Options must ensure employees of a Participating Employer or any other individuals who do not require access to E-PHI are appropriately restricted from such access.

Procedures
(a) Only those employees of a Participating Employer who are designated to handle Protected Health Information on behalf of a Health Care Benefit Options under the Privacy Policies will be granted access to E-PHI and IT System equipment through which E-PHI is accessed, created, maintained or transmitted. The nature and scope of such access will be based in part upon an individual's job specifications and responsibilities. Procedures for authorizing and limiting access are the same as those access procedures set forth in the Privacy Policies and applicable policies in the Information Security Book. Access procedures implemented under the Privacy Policies include the following:
(b) Access to any IT System containing Protected Health Information shall be protected by (A) limiting access to specifically identified persons and (B) requiring those persons to have appropriate personnel clearance including, for example, entering both a user identification number/code and a password to access the IT System, whether onsite or remotely.
(i) As soon as administratively feasible after an authorized employee, contractor or service provider no longer requires access to Protected Health Information for any reason (e.g., termination of employment or contract), all reasonable steps necessary to prevent such person's or entity's access to Protected Health Information must be taken. This includes removing any permitted means of access, such as returning keys or access cards, removal of user accounts, change of passwords, removal from access lists or changing locks. In addition, Business Associates, where necessary, must be notified that such person or entity is no longer authorized to access Protected Health Information.
(ii) Reasonable efforts shall be made to limit access to only those persons within a Participating Employer's workforce as specifically identified under the Privacy Policies for the type(s) of Protected Health Information allowable for such persons. Such persons are limited to those who need access to Protected Health Information to carry out their duties for the Pharmacies and the Health Care Benefit Options.
(iii) Any designated person may access the Protected Health Information designated for such person under the Privacy Policies, only if the person satisfies the applicable conditions for such access as set forth in the Privacy Policies or the policies in the Information Security Book.
(c) Any employee having access to E-PHI who reasonably expects to be away from his or her Workstation for more than a brief period of time must take reasonable steps to ensure that any E-PHI displayed on the screen of his or her Workstation is viewable only by another authorized employee, including closing the applicable window, using screen saver devices and/or locking the door to the work area where such Workstation is located or, in the alternative, shutting down or otherwise locking his or her computer.
(d) Any individuals who do not engage in activities relating to the Pharmacies and the Health Care Benefit Options but may work in areas where E-PHI may be inadvertently viewed or accessed (e.g., maintenance personnel), must have specific authorization as part of their duties to access such areas.
(e) Given the limited number of persons in the workforce who are authorized to access E-PHI and the fact that such access is generally based upon an employee's particular job responsibilities, it has been determined that it would not be reasonable or appropriate to establish additional workforce clearance or personnel screening procedures for continuing access to E-PHI. The access procedures currently in place under the Privacy Policies, in combination with policies in the Information Security Book and the current employment procedures for screening and clearance, adequately address this matter.

Section 4.6 Information Access Management
The Pharmacies and the Health Care Benefit Options will ensure that access to E-PHI is authorized.

Procedure
(a) Each employee will be properly authorized to access E-PHI. Authorization will be determined and provided in accordance with job specifications or responsibilities and the procedures set forth in the Privacy Policies. Existing procedures for authorizing access under the Privacy Policies and policies in the Information Security Book include the following:

(i) Access to any IT System containing Protected Health Information shall be protected by (I) limiting access to specifically identified persons and (II) requiring those persons to enter both a user identification number/code and a password to access the IT System, whether onsite or remotely.
(ii) As soon as administratively feasible after an authorized employee, contractor or service provider no longer needs access to Protected Health Information for any reason (e.g., termination of employment or contract), all reasonable steps necessary to prevent such person's or entity's access to Protected Health Information must be taken. This will include removing any permitted means of access, such as returning keys or access cards, removal of user accounts, change of passwords, removal from access lists or changing locks. In addition, Business Associates, where necessary, must be notified that such person or entity is no longer authorized to access Protected Health Information.
(iii) Any portable electronic devices (such as laptops, disks and computer tapes) containing Protected Health Information shall be encrypted or shall be stored in a locked file or room with limited access. Access to information located on such devices also may be password protected.
(b) All electronic documents (including e-mails, Word documents, electronic faxes, reports or Excel spreadsheets) containing any E-PHI must be stored on a designated drive in one or more separate folders to which only authorized personnel will have access. Access to these folders will be determined and controlled by the Security Official (or his or her delegate) in coordination with IT personnel. Authorized personnel may be permitted to use personal subfolders in the IT System's general network drive to temporarily create and store any such electronic documents prior to transfer to (or storage in) a separate subfolder that has been designated for that purpose.
(c) Any employee having access to E-PHI who reasonably expects to be away from his or her Workstation for more than a brief period of time must lock the door to the work area where such Workstation is located or, in the alternative, shut down or otherwise lock his or her computer.
(d) Additional procedures or criteria for reviewing and modifying a user's authorization to access a workstation, program, transaction or process may be established from time to time.

Section 4.7 Security Awareness and Training
Security awareness and training will be provided to all employees of a Participating Employer or Pharmacy who are authorized to handle or otherwise have access to E-PHI.

Procedures
(a) Security awareness and training will be made part of the training program required under the Privacy Policies and coordinated with any applicable training programs required under policies in the Information Security Book. Security awareness and training will be required for all new employees and for existing employees in the same manner as required by the Privacy Policies.
(b) The policies in the Information Security Book for guarding against, detecting and reporting malicious software and password protection shall be followed and applied under the Security.
(c) Employees shall be promptly notified of any modifications to the security measures for E-PHI. In addition, periodic updates shall be provided to employees as needed to ensure they (i) are aware of any important security issues and (ii) understand their responsibility to protect the security of E-PHI. These updates will be communicated in the same manner and at the same time as any updates required under the Privacy Policies. Updates to the technical security measures in place under the IT System may be communicated in accordance with the policies in the Information Security Book.

(d) It has been determined that it is not reasonable or appropriate to implement, or provide training for, the following:
(i) log-in monitoring procedures, as the risk of unauthorized access of E-PHI or security violations (I) will not be mitigated in any substantial way by monitoring log-in attempts and (II) are otherwise addressed by other security measures, such as requirements for password protection and user identification codes, and
(ii) additional procedures for password creation, changing or safeguarding, as current in the policies in the Information Security Book and guidelines in the Privacy Policies provide sufficient protection. For example, under existing policies in the Information Security Book, users are required to periodically change passwords and a screen saver mode is in place on all Workstation monitors. The Security Official may, in coordination with IT and ISO Department personnel, implement such additional password protection procedures as may be deemed necessary or appropriate.

Section 4.8 Security Incidents
The Pharmacies and the Health Care Benefit Options must be able to identify and respond to Security Incidents of which the Vice President of Pharmacy, the Plan Administrator or the Security Official become aware or suspect has occurred.

Procedures
(a) Employees who have access to E-PHI will be subject to security and awareness training described in Section 4.7 above.
(b) Each such employee will be required to report to the Security Official (or his or her delegate) any known or suspected Security Incident.
(c) All Security Incidents that are known or are suspected of occurring will be documented and investigated. Upon becoming aware of a Security Incident or suspecting the occurrence of a Security Incident, the Vice President of Pharmacy, the Plan Administrator or the Security Official (or a delegate of any of these individuals) will take actions on behalf of the Pharmacies and the Health Care Benefit Options to respond to the Security Incident. This response will include, to the extent practicable, mitigating any harmful effects of the Security Incident.
(d) The appropriate response to a Security Incident will be determined by the Vice President of Pharmacy, the Plan Administrator or the Security Official (or a delegate of any of these individuals) based on surrounding facts and circumstances, including, the nature and severity of the Security Incident. Responses may include, but are not limited to, the application of disciplinary actions against responsible personnel, the initiation of security reminders, additional training, or an evaluation of the adequacy of existing security measures.
(e) Except as otherwise established by the Security Official, the documenting, investigating and responding to any Security Incident that is of a technical nature generally will be handled in accordance with the policies in the Information Security Book. The Security Official may, in coordination with IT and ISO Department personnel, implement additional procedures governing the response to or mitigation of a Security Incident as may be deemed necessary or appropriate.

Section 4.9 Contingency Plan

The Pharmacies and the Health Care Benefit Options must establish and maintain business continuity and contingency procedures to (1) respond to an emergency or other occurrence (e.g., system failure, vandalism or natural disaster) that may damage systems containing E-PHI and (2) protect E-PHI during the event.

Procedures

(a) The contingency procedures include, among other things, the following: (i) procedures to create and maintain retrievable exact copies of E-PHI; and (ii) procedures to restore lost data (which may include procedures requiring attempted recovery of the data from the original outside source, such as the individual to whom this data pertains).

(b) The preceding procedures shall be based upon the applicable policies in the Information Security Book for data backup and data restoration upon the occurrence of an emergency. The Security Official may, in coordination with IT, ISO and Facility management personnel, implement such additional procedures as may be deemed necessary or appropriate to specifically address the requirements for such a contingency.

Section 4.10 Evaluation

The Pharmacies and the Health Care Benefit Options will periodically evaluate this Security by performing technical and non-technical evaluations to assess the extent to which the policies and procedures set forth herein satisfy the requirements of the Security Standards.

Procedures

(a) The Security Official (or his or her delegate) will evaluate the Pharmacies and the Health Care Benefit Options' compliance with the requirements of the Security Standards. Evaluation of continuing compliance with the Security Standards will be conducted from time to time, taking into account any changes in the security environment or operations, as well as any changes in E-PHI created, received, maintained or transmitted by the Pharmacies and the Health Care Benefit Options.
These evaluations will assess whether existing policies and procedures set forth herein are appropriate in light of the changes to the environment or E-PHI.

(b) The evaluations must be technical as well as non-technical in nature. Any technical evaluations will be conducted in accordance with applicable policies in the Information Security Book. The Security Official may, in coordination with IT and ISO Department personnel, conduct such additional evaluations as may be deemed necessary or appropriate to address compliance with the Security Standards.

ARTICLE V PHYSICAL SAFEGUARDS

Section 5.1 Facility Access Controls

The Pharmacies and the Health Care Benefit Options will limit physical access to IT system equipment where E-PHI is accessed, created, received, maintained or transmitted and the Facility work areas where such IT system equipment is located except for those individuals that are properly authorized.

Procedures

(a) IT System equipment containing or permitting access to E-PHI and those Facility work areas where such IT System equipment is located will be safeguarded from unauthorized access, tampering or theft in accordance with applicable policies in the Information Security Book and the Privacy Policies. The Security Official may, in coordination with IT personnel, require such additional procedures be implemented as may be deemed necessary or appropriate to protect against unauthorized access to Facility work areas and IT System equipment.

(b) Access to IT Systems containing E-PHI to carry out disaster recovery or emergency operation must be allowed. Such access shall be provided in accordance with any policies in the Information Security Book addressing access to IT Systems for data recovery and restoration.

(c) The Pharmacies and the Health Care Benefit Options also must control and validate physical access to work areas and IT System equipment. The procedures for ensuring control and validating access are set forth in the Privacy Policies, Retail Operational Standard Practices and the policies in the Information Security Book. The Security Official may, in coordination with IT and ISO Department personnel, require such additional access restrictions as may be deemed necessary or appropriate including, for example, requiring special key card access to work areas, additional access code for IT System equipment and special authorization procedures for non-routine access by visitors, repair persons or technicians.

(d) Any record keeping for physical repairs or modifications to the Facility work areas shall be handled in accordance with the policies in the Information Security Book.

Section 5.2 Workstation Use

The Pharmacies and the Health Care Benefit Options will identify those Workstations or classes of Workstations that contain or permit access to E-PHI; specify the proper functions to be performed at such Workstations or class of Workstations, the manner in which those functions are to be performed and physical surroundings for those Workstations or class of Workstations.

Procedure

(a) The procedures addressing the manner and scope of use for a Workstation where E-PHI is contained or accessed are set forth in the Privacy Policies, any applicable policies in the Information Security Book and Participating Employer employment policies.

(b) The procedures for defining the physical surroundings for a Workstation are addressed in the Facility Access Controls set out in Section 5.1 of this Security.

Section 5.3 Workstation Security

The Pharmacies and the Health Care Benefit Options will implement physical safeguards for all Workstations that contain or permit access to E-PHI in order to restrict access to any Workstation only to authorized users.

Procedure

(a) Each Workstation will be subject to access restrictions required by the Privacy Policies and applicable policies in the Information Security Book. Under these safeguards, an authorized employee or other individual must enter both a user identification number/code and password to access the IT system. In addition, the Privacy Policies and applicable policies in the Information Security Book provide specific procedures for termination of physical access, which may include returning keys or access cards. The Security Official may, in coordination with IT and ISO Department personnel, implement such additional physical access limits as may be deemed necessary or appropriate to satisfy the Security Standards.

(b) Any employee having access to E-PHI who reasonably expects to be away from his or her Workstation for more than a brief period of time must lock the door to the work area where such Workstation is located or, in the alternative, shut down or otherwise lock his or her computer. Workstations also are required pursuant to the policies in the Information Security Book to have screen saver activation with password access.

(c) The above procedures also apply to the use of laptops and remote connections; this level of security is reasonable and appropriate.

Section 5.4 Device and Media Controls

The Pharmacies and the Health Care Benefit Options must manage and safeguard the receipt, removal and disposal of hardware or other electronic media that contains E-PHI.

Procedures

(a) The disposal of E-PHI (and any hardware or other electronic media on which E-PHI is stored) will be handled in accordance with the policies in the Information Security Book. All E-PHI contained on computers, fax machines, copiers or other electronic storage media must be deleted or destroyed before such media is discarded or made available for re-use.

(b) The following will be handled in accordance with the policies in the Information Security Book: (i) Any physical removal or relocation of computer hardware or other electronic media, (ii) The determination of whether and to what extent an exact copy of E-PHI will be created prior to the movement of IT System equipment or transfer of E-PHI; and (iii) the creation and maintenance of backup data files including E-PHI and the person(s) responsible for such.
It has been determined that the policies in the Information Security Book appropriately and reasonably address these aspects of the above policy.

ARTICLE VI TECHNICAL STANDARDS

Section 6.1 Access Controls

The Pharmacies and the Health Care Benefit Options must implement technical security measures to limit access to the portion of the IT Systems containing E-PHI to only those persons or software programs that are authorized to have access.

Procedures

(a) Pursuant to the Privacy Policies and the policies in the Information Security Book, each employee who is authorized to access, create, receive, maintain or transmit E-PHI must use a unique identification code to access any IT System that contains E-PHI, including through remote connection or laptop. This code allows the IT System to identify, authenticate and track activity of this user, including with respect to any Security Incidents.

(b) Emergency access to IT Systems containing E-PHI is required as part of the contingency plan described in Section 4.9 above. Access to E-PHI in these circumstances shall be handled in accordance with applicable policies in the Information Security Book and Facility security policies.

(c) The Security Official may, in coordination with IT and ISO Department personnel, require at a later date that additional electronic procedures as may be necessary or appropriate to limit unauthorized access to IT Systems containing E-PHI be implemented. These types of electronic procedures include automatic log-off or sleep mode programs. Any such procedures shall be implemented in accordance with applicable policies in the Information Security Book.

Section 6.2 Audit Controls

The Pharmacies and the Health Care Benefit Options must have hardware, software or procedural mechanisms that record and examine IT Systems and activities each relating to E-PHI.

Procedures

IT Systems and activities involving E-PHI are subject to such audit controls as may be in place under the policies in the Information Security Book. Any resulting incident reports and logs may be used by the Security Official in connection with information system activity reviews.

Section 6.3 Integrity of Electronic Protected Health Information

The Pharmacies and the Health Care Benefit Options must take reasonable measures to authenticate E-PHI.

Procedures

E-PHI is protected from unauthorized alteration or destruction pursuant to the safeguards in place under the policies in the Information Security Book. Examples of mechanisms to avoid or detect alteration or destruction of E-PHI may include error correcting memory, magnetic disk storage or processes that employ digital signatures. Audit Controls implemented under applicable policies in the Information Security Book also enable parties to assess whether E-PHI has in fact been altered or destroyed.

Section 6.4 Person or Entity Authentication

The Pharmacies and the Health Care Benefit Options will ensure IT Systems that contain or permit access to E-PHI adequately authenticate the identity of the person or entity seeking access to such E-PHI.

Procedures

It has been determined that the policies in the Information Security Book and the procedures under the Privacy Policies contain sufficient technical mechanisms for appropriately and reasonably verifying the identity of a person or entity seeking access to E-PHI. For example, the Privacy Policies provide that each person must have a user identification code and password to access the IT System containing E-PHI.

Section 6.5 Transmission Security

The Pharmacies and the Health Care Benefit Options must prevent unauthorized access to E-PHI that is transmitted over any information technology network.

Procedures

E-PHI shall be protected from unauthorized access during transmission in accordance with applicable policies in the Information Security Book. Protections for transmission of E-PHI may include digital signatures or disclaimers.

ARTICLE VII ORGANIZATIONAL REQUIREMENTS

Section 7.1 Designation of Security Official and Contact Person

The Pharmacies and the Health Care Benefit Options will designate a Security Official for development and implementation of this Security. The Security Official will be required to coordinate the implementation of any physical, technical and administrative safeguards for E-PHI in accordance with this Security. Accordingly, the Security Official (or his or her delegate) will, from time to time, review and coordinate the operation of the Privacy Policies, policies in the Information Security Book, Employment policies and Facility security policies as may be deemed necessary or appropriate. The Security Official (or his or her delegate) shall be the contact person responsible for receiving complaints and providing further information.

Section 7.2 Responsibilities for Compliance Reports and Reviews

(a) Provide Records and Compliance Reports.
The Pharmacies and the Health Care Benefit Options must keep records and submit compliance reports, in the time and manner, as the Secretary may determine to be necessary to enable the Secretary to ascertain compliance with the Security Standards.

(b) Cooperate with Compliance Investigations and Reviews. The Pharmacies and the Health Care Benefit Options shall cooperate with the Secretary in investigations or compliance reviews of the policies, procedures or practices of the Pharmacies and Health Care Benefit Options to determine compliance with the Security Standards.

(c) Permit Access to Information. The Pharmacies and the Health Care Benefit Options shall permit access by the Secretary during normal business hours to its facilities, books, records and accounts and other sources of information, including E-PHI, that are pertinent to ascertaining compliance with the Security Standards. If any information required under this section shall be in the exclusive possession of any other agency, institution or person and that agency, institution or person fails or refuses to furnish such information, the Pharmacies and/or the Health Care Benefit Options must so certify and set forth what efforts were made to obtain the information.

ARTICLE VIII POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

Section 8.1 Policies and Procedures - Modifications and Updates

(a) Elective Changes. The Vice President of Pharmacy, the Plan Administrator and the Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, may make changes to the Security from time to time; provided, that such changes comply and are implemented in accordance with the Security Standards.

(b) Changes Required for Compliance. The Vice President of Pharmacy, the Plan Administrator and the Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, shall make changes to the Security as necessary and appropriate to comply with changes in the law, including the Security Standards.

(c) Changes Required for environment or operations. The Vice President of Pharmacy, the Plan Administrator and the Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, shall periodically review the Security and update it as needed in response to environmental or operational changes affecting the security of E-PHI.

(d) Documentation. Written record of the Security Policies and any change or revision made thereto pursuant to this Section 8.1 shall be documented and maintained in accordance with Article VIII hereof.

Section 8.2 Documentation

In accordance with the Security Standards and this Security, the Pharmacies and the Health Care Benefit Options shall document and retain such documentation in accordance with the provisions of this Article VIII with respect to the following:

(a) Decisions by or on behalf of the Pharmacies and the Health Care Benefit Options not to implement any addressable implementation specifications set forth in the Security Standards and why it is not reasonable or appropriate to implement any such specifications;

(b) Written documentation of Security Incidents and their outcomes in accordance with Section 4.8; and

(c) Written record of any change or revision made to the Security as contemplated by Section 8.1.

Section 8.3 Availability

This Security and any updates or changes thereto will be made available to the Security Official (or his or her delegate) and any other employees or individuals who are responsible for implementing, on behalf of the Pharmacies and the Health Care Benefit Options, any of the procedures contained herein.

Section 8.4 Record Retention Period Requirement

Any action, activity or designation required under this Security to be documented shall be maintained in writing or in electronic form for a period of six years (or other period required by law) from the date of its creation or, if later, the date it was last in effect.

ARTICLE IX SECURITY OFFICIAL

Section 9.1 Security Official

The individual identified in Exhibit A to this Security shall be the Security Official with respect to the Pharmacies and the Health Care Benefit Options.

Section 9.2 Duties

The Security Official's duties include the following:

(a) Develop a thorough understanding of the Security Standards and this Security;

(b) Implement and enforce this Security;

(c) Ensure that all relevant personnel (including new hires) receive training with respect to this Security;

(d) Investigate potential violations of this Security;

(e) Monitor vendor compliance with security provisions of business associate contracts; and

(f) Administer, in coordination with IT and ISO Department personnel, a program for restricting or permitting access to Protected Health Information that complies with this Security.

Section 9.3 Delegation

The Security Official may delegate his or her responsibilities and duties to one or more persons, provided that such delegation is in writing and otherwise in accordance with Delhaize personnel procedures.

ARTICLE X DISCLOSURES TO EMPLOYER

The Health Care Benefit Options may make a Disclosure to the Participating Employer for plan administration functions if the plan document includes, and the plan is administered in accordance with, provisions requiring each Participating Employer to:

(a) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any E-PHI that the Participating Employer creates, receives, maintains or transmits on behalf of the Health Care Benefit Options;

(b) ensure that any agent to whom it provides E-PHI that the Participating Employer creates, receives, maintains or transmits on behalf of the Health Care Benefit Options, agrees to implement reasonable and appropriate security measures to protect such information;

(c) implement reasonable and appropriate security measures to support the adequate separation between the Health Care Benefit Options and the Participating Employer; and

(d) report the occurrence of any Security Incident impacting the Health Care Benefit Options of which it becomes aware to the Security Official (or his or her delegate).


More information

Effective Date: 4/3/17

Effective Date: 4/3/17 HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

HIPAA Service Description

HIPAA Service Description PO Box 8021 Rancho Santa Fe California 92067 858.259.6204 tel 858.259.0309 fax www.practicalsecurity.com HIPAA Service Description February 2003 1 2 3 PSI HIPAA Services Offering The Department of Health

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into this 22 nd day of September, 2014 ( Effective Date ), by and between Customer_Name with a place of business

More information

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA.

COVERED TRANSACTION means a Transaction for which the Secretary has adopted a standard under HIPAA. UNIVERSITY OF MAINE SYSTEM HIPAA POLICY #1 DEFINITIONS Unless otherwise provided herein, capitalized terms shall have the same meaning as set forth in HIPAA, as amended, and its implementing regulations,

More information

MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota

MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota 1. MNsure Duties A. Application Counselor Duties (a) (b) (c) (d) (e) (f) Develop and administer

More information

Preparing for the HIPAA Security Rules

Preparing for the HIPAA Security Rules ACS Sponsored Practice Management Teleconference Series March 24th & 27th, 2004 Preparing for the HIPAA Security Rules The final HIPAA Security Rules were published on February 20, 2003 and in many respects

More information

IHDE BUSINESS ASSOCIATE AGREEMENT (BAA)

IHDE BUSINESS ASSOCIATE AGREEMENT (BAA) IHDE BUSINESS ASSOCIATE AGREEMENT (BAA) This Business Associate Agreement (BAA) is entered into by and between the Covered Entity aka. Data Provider/User, (please enter name of organization) and the Business

More information

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice

More information

ARTICLE 1. Terms { ;1}

ARTICLE 1. Terms { ;1} The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing

More information

South Carolina General Assembly 122nd Session,

South Carolina General Assembly 122nd Session, South Carolina General Assembly 122nd Session, 2017-2018 R184, H4655 STATUS INFORMATION General Bill Sponsors: Reps. Sandifer and Spires Document Path: l:\council\bills\nbd\11202cz18.docx Companion/Similar

More information

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements POLICY INFORMATION Document # 900 Revision # 1.0 Safeguard: Administrative Title: Business Associate Agreements Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 8/29/2016 Date Prepared:

More information

HIPAA and Lawyers: Your stakes have just been raised

HIPAA and Lawyers: Your stakes have just been raised HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory

More information

Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards

Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards University Policy: Cardholder Data Security Policy Category: Financial Services Subject: Protecting cardholder data in support of the Payment Card Industry (PCI) Data Security Standards Office Responsible

More information

Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service)

Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service) Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service) A. CRISP is a private Maryland non-stock membership corporation which is tax

More information

PLAN SPONSOR CERTIFICATION TO THE GROUP HEALTH PLAN

PLAN SPONSOR CERTIFICATION TO THE GROUP HEALTH PLAN PLAN SPONSOR CERTIFICATION TO THE GROUP HEALTH PLAN The self-funded group health plan (the Plan ) that you, as an employer, sponsor is a Covered Entity as defined by the Health Insurance Portability and

More information

Partnership & Corporation Professional Liability Application

Partnership & Corporation Professional Liability Application Partnership & Corporation Professional Liability Application Producer Name Address Telephone Medical Professional Mutual Insurance Company ProSelect Insurance Company ProSelect National Insurance Company

More information

University of Wisconsin Milwaukee

University of Wisconsin Milwaukee University of Wisconsin Milwaukee Policies and Procedures for the Protection of Patient Health Information Under the Health Insurance Portability and Accountability Act ( HIPAA ) Published April 14, 2003

More information

COVERED ENTITY CHARTS

COVERED ENTITY CHARTS COVERED ENTITY CHARTS Guidance on how to determine whether an entity is a covered entity under the Administrative Simplification provisions of HIPAA Last Modified: 07/07/03 2 Background The Administrative

More information

TEXAS SOUTHERN UNIVERSITY HIPAA BUSINESS ASSOCIATE AGREEMENT

TEXAS SOUTHERN UNIVERSITY HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement (this BA Agreement ) is made and entered into by ( Provider ), a, located at, and Texas Southern University, an agency and institution of higher education established

More information

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014. HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,

More information

BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and

BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and WHEREAS, Dallas County, Tarrant County, Denton County, Parker County, the North Texas Tollway Authority have created

More information

INFORMATION AND CYBER SECURITY POLICY V1.1

INFORMATION AND CYBER SECURITY POLICY V1.1 Future Generali 1 INFORMATION AND CYBER SECURITY V1.1 Future Generali 2 Revision History Revision / Version No. 1.0 1.1 Rollout Date Location of change 14-07- 2017 Mumbai 25.04.20 18 Thane Changed by Original

More information

RECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:

RECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows: This Business Associate Agreement ( BAA ) is entered into by and between NORCAL Mutual Insurance Company ( NORCAL ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013

More information

Limited Data Set Data Use Agreement For Research

Limited Data Set Data Use Agreement For Research Limited Data Set Data Use Agreement For Research This Data Use Agreement is dated,, and is between the ( Recipient ) and University of Miami, ( Covered Entity ). This Data Use Agreement is made in accordance

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION THIS AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION ( PHI ) ( Agreement ) is entered into between The Moses H. Cone Memorial Hospital Operating

More information

NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0. Potential Verification for Onsite Audit

NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0. Potential Verification for Onsite Audit Page 1 of 24 NAPBS BACKGROUND SCREENING AGENCY ACCREDITATION PROGRAM ACCREDITATION STANDARD AND AUDIT CRITERIA Version 2.0 (Glossary provided at end of document.) Information Security 1.1 Information Security

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts

More information

HIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier. March 22, 2018

HIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier. March 22, 2018 1 HIPAA vs. GDPR vs. NYDFS - the New Compliance Frontier March 22, 2018 2 Today s Panel: Kimberly Holmes - Moderator - Vice President, Health Care, Cyber Liability & Emerging Risks, TDC Specialty Underwriters,

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

RECITALS. WHEREAS, this Amendment incorporates the various amendments, technical and conforming changes to HIPAA implemented by the Final Rule; and

RECITALS. WHEREAS, this Amendment incorporates the various amendments, technical and conforming changes to HIPAA implemented by the Final Rule; and Amendment to Business Associate Agreements and All Other Contracts Containing Embedded Business Associate Provisions as stated in a Health Insurance Portability and Accountability Act Section between Independent

More information

Data Processing Appendix

Data Processing Appendix Company Name* Execution Date *Company name indicated must conform to the name on customer s Master Subscription Agreement executed with SugarCRM. This Data Processing Appendix on the processing of personal

More information

ON24 DATA PROCESSING ADDENDUM

ON24 DATA PROCESSING ADDENDUM ON24 DATA PROCESSING ADDENDUM This Data Processing Addendum ( Addendum ) is entered into by and between ON24 Inc., on behalf of itself and its Affiliates ( ON24 ), and Client, on behalf of itself and its

More information

EGYPTIAN ELECTRIC COOPERATIVE ASSOCIATION POLICY BULLETIN NO. 214A

EGYPTIAN ELECTRIC COOPERATIVE ASSOCIATION POLICY BULLETIN NO. 214A CASH AND BENEFITS PLAN (SECTION 125 PLAN) HIPAA POLICIES AND PROCEDURES EFFECTIVE DATE: APRIL 14, 2004 It is the intent of the Egyptian Electric Cooperative Association (EECA) to comply in all respects

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement dated as of is made by and between, on behalf of its (School/Department/Division) (hereinafter referred to as Covered Entity ) and, (hereinafter Business Associate

More information

HIPAA Definitions.

HIPAA Definitions. HIPAA 160.103 Definitions. Except as otherwise provided, the following definitions apply to this subchapter: Act means the Social Security Act. Administrative simplification provision means any requirement

More information

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4 Table of Contents A. Introduction...1 1. Purpose...1 2. No Third Party Rights...1 3. Right to Amend without Notice...1 4. Definitions...1 B. Plan s General Policies...4 1. Plan s General Responsibilities...4

More information

Claims Made Basis. Underwritten by Underwriters at Lloyd s, London

Claims Made Basis. Underwritten by Underwriters at Lloyd s, London APPLICATION for: NetGuard Plus Claims Made Basis. Underwritten by Underwriters at Lloyd s, London tice: The Policy for which this Application is made applies only to Claims made against any of the Insureds

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into this day of, 20, by and between the University of Maine System ( University ), and ( Business Associate ).

More information

HIPAA Background and History

HIPAA Background and History Agenda Jeffery P. Drummond Lawyers as HIPAA Business Associates: Ethical Obligations and Practical Tips for Compliance Dallas Bar Association January 17, 2018 Jamie Sorley An Overview of HIPAA The Privacy

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Agreement is by and between The Health Plan ( Plan ) and Priority Health Managed Benefits, Inc., a Michigan Third Party Administrator ( Business Associate

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2018 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled

More information

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did

More information

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA

More information

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP and THIS AGREEMENT ( Agreement ) is made and entered into this day of, 20, by and between The Doctors

More information

HIPAA Privacy and Security for Employers in the Age of Common Data Breaches. April 30, 2015

HIPAA Privacy and Security for Employers in the Age of Common Data Breaches. April 30, 2015 HIPAA Privacy and Security for Employers in the Age of Common Data Breaches April 30, 2015 HIPAA Privacy and Security for Employers in the Age of Common Data Breaches Welcome! We will begin at 3 p.m. Eastern

More information

Partners Health Plan, NY Provider Electronic Transaction Enrollment Packet

Partners Health Plan, NY Provider Electronic Transaction Enrollment Packet Partners Health Plan, NY Provider Electronic Transaction Enrollment Packet Dear Provider, Partners Health Plan providers are now able to submit standard 837P and 837I electronic claim transactions directly

More information

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM

HIPAA BUSINESS ASSOCIATE ADDENDUM HIPAA BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( BAA ) is made between Cognito, LLC., a South Carolina corporation ( Cognito Forms ) and {OrganizationLegalName} ( Covered Entity or

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

HTKT.book Page 1 Monday, July 13, :59 PM HIPAA Tool Kit 2017

HTKT.book Page 1 Monday, July 13, :59 PM HIPAA Tool Kit 2017 HIPAA Tool Kit 2017 Contents Introduction...1 About This Manual... 1 A Word About Covered Entities... 1 A Brief Refresher Course on HIPAA... 2 A Brief Update on HIPAA... 2 Progress Report... 4 Ongoing

More information

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile

More information

Flexible Benefits Plans

Flexible Benefits Plans Flexible Benefits Plans Summary of Material Modification Effective January 1, 2017 Changes to the Plan and Summary Plan Description (SPD) for Colgate University s Flexible Benefits Plan are described below.

More information

HIPAA COMPLIANCE. for Small & Mid-Size Practices

HIPAA COMPLIANCE. for Small & Mid-Size Practices HIPAA COMPLIANCE for Small & Mid-Size Practices Golden State Web Solutions 619.825.GSWS (4797) INTRODUCTION Most individuals reading this are interested in HIPAA, GSWS, or some combination of the two;

More information

University Data Policies

University Data Policies BACKGROUND Data are valuable institutional assets of Washington State University. Data policies are needed to ensure that these resources are carefully managed, maintained, protected, and used appropriately.

More information

Polson/ Ronan Ambulance Service Identity Theft Prevention Program

Polson/ Ronan Ambulance Service Identity Theft Prevention Program Purpose Polson/ Ronan Ambulance is committed to providing all aspects of our service and conducting our business operations in compliance with all applicable laws and regulations. This policy sets forth

More information