Information Security and Third-Party Service Provider Agreements
Slide 1: The Iowa State Bar Association's ecommerce & Intellectual Property Law Sections present the 2016 Intellectual Property Law & ecommerce Seminar
Information Security and Third-Party Service Provider Agreements
11:15 am to 12:15 pm
Presented by Amy McHugh, CliftonLarsonAllen LLP, 600 3rd Avenue SE, Suite 300, Cedar Rapids, IA
Phone:
Friday, December 2, 2016

Slide 2: Information Security and Third-Party Service Agreements
Amy McHugh, JD, CISA, Network+, Security+
CLAconnect.com
Slide 3: What Information Are We Protecting?
Gramm-Leach-Bliley Section 501(b) for the Safeguarding of Customer Information
- Customer information: any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the institution.
- Nonpublic personal information: (i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
- Personally identifiable financial information: (i) information a consumer provides to you to obtain a financial product or service from you; (ii) information about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) information you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

Slide 4: What Information Are We Protecting?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Protected Health Information: the Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
- Individually identifiable health information: information, including demographic data, that relates to (i) the individual's past, present or future physical or mental health or condition, (ii) the provision of health care to the individual, or (iii) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (e.g., name, address, birth date, Social Security Number).

Slide 5: What Information Are We Protecting?
- Payment Card Industry (PCI): payment card data
- Personally Identifiable Information: information that can be utilized to identify an individual, including but not limited to name, address, social security number, phone number, etc.
- Business information
Don't forget!
- Employee information
- Trade secrets/IP
- Business plans
- M&A plans
Slide 6: Information Shared with Third Parties
Cornerstone of a Vendor Management Program
Gramm-Leach-Bliley Section 501(b) for the Safeguarding of Customer Information, Oversee Service Provider Arrangements. Each institution shall:
- Exercise appropriate due diligence in selecting its service providers;
- Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
- Where indicated by the institution's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers.

Slide 7: Information Shared with Third Parties
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Business Associates: covered providers and health plans may disclose PHI to business associates if they obtain satisfactory assurances (in writing) that the business associate will (i) use the information only for the purposes for which it was engaged by the covered entity; (ii) safeguard the information from misuse; and (iii) help the covered entity comply with some of the covered entity's duties under the Privacy Rule.
- A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples include claims processing or administration; utilization review; billing; etc.

Slide 8: ABA's Cybersecurity Legal Task Force Vendor Contracting Project Cybersecurity Checklist (October 17, 2016)
%20Force%20Vendor%20Contracting%20Checklist%20v%201% %20cmb%20edits%20clean.pdf
The Checklist is intended to assist procuring organizations, vendors, and their respective counsel in addressing information security requirements in their transactions. It frames the issues parties should consider, consistent with common principles for managing cybersecurity risk.
Develop a Vendor Management Program including:
1. Vendor product/service risk assessment
2. Vendor due diligence and selection process based on the results of the risk assessment
3. Contract negotiation to address information security concerns
4. Ongoing vendor oversight and management to monitor information security
Slide 9: Vendor Management Process
Lifecycle stages:
- Planning
- Due diligence and third-party selection
- Contract review & negotiation
- Ongoing monitoring
- Termination
Running across the whole process:
- Independent reviews
- Documentation & reporting
- Oversight & accountability

Slide 10: Risk Assessment
1. Identify all information assets: electronic, physical, human.
2. Identify reasonably foreseeable internal and external threats to information assets that could negatively impact the confidentiality, integrity, and availability of data. Also consider strategic, reputation, operational, transaction, credit, and compliance risks.
3. Determine inherent risk based on the likelihood of a threat occurring and the resulting impact of that occurrence on the organization.
4. Identify mitigating controls (administrative, technical, and physical) to reduce the risk of the particular event.
5. Determine the residual risk based on the effectiveness of the identified controls in actually reducing the risk.

Slide 11: Vendor Selection and Due Diligence
- What product or service is contemplated, and what information assets will be required to complete the engagement?
- What information will the vendor receive, transmit, or store?
- What is the sensitivity of the data involved? PII, PHI, financial information?
- Where will the data be stored? Vendor or subcontractor networks, data centers, mobile devices, cloud systems, backups?

Slide 12: Vendor Selection and Due Diligence
Identify the risk profile for the product or service:
- What information will be transmitted, processed, or stored, and where will it ultimately reside?
- What access to information, internal network resources, or customers will the vendor have?
- What controls are in place, or should be in place, to manage the vendor's access?
- What legal or regulatory requirements are involved?
- What is the vendor's industry experience?
- Does the vendor use subcontractors or affiliates to provide the services?
- Will the vendor negotiate terms? If not, how will you mitigate any control concerns (e.g., insurance, audits)?

Slide 13: Vendor Selection and Due Diligence
Will prospective vendors follow information security practices, and how can you mitigate risks?
- Develop a vendor rating process.
- Vendor risk assessment: access to sensitive data, criticality to operations, ability to terminate and replace.
- Assess the vendor based on its rating: require more documentation and assurances from higher-risk vendors.
Documentation to request:
- Information security policy
- Business continuity/disaster recovery/incident response plans and testing program
- Audit and remediation program
- Vendor management program
- Employee security awareness training program
- Network monitoring and reporting
- Data protection in transit and at rest (e.g., encryption)
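The five-step risk assessment on slide 10 and the vendor rating process on slide 13 can be written down as a small model. The code below is an added example, not the seminar's or CliftonLarsonAllen's own material; the 1-to-5 scales, control effectiveness values, tier thresholds and the grouping of slide 13's document list by tier are all assumptions.

```python
"""Vendor risk assessment model (added example, not the seminar's or CLA's code).
Slide 10's five steps and slide 13's vendor rating: inherent = likelihood x impact,
residual after the event's controls, then a tier that sets the evidence to request.
Scales, effectiveness values and thresholds are assumptions for illustration."""
from dataclasses import dataclass
from typing import List

TIERS = ("Low", "Medium", "High")  # ordered so max(..., key=TIERS.index) works
# Evidence to request, cumulative by tier (assumed grouping of the slide-13 list).
EVIDENCE_BY_TIER = {
    "Low": ["Information Security Policy"],
    "Medium": ["BC/DR/Incident Response plans and testing program",
               "Audit and remediation program"],
    "High": ["Vendor management program (subcontractors)",
             "Employee security awareness training program",
             "Network monitoring and reporting",
             "Data protection in transit and at rest (encryption)"],
}

@dataclass
class Control:
    name: str
    kind: str             # "administrative", "technical" or "physical"
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully mitigates), assumed

@dataclass
class Threat:
    name: str
    likelihood: int          # 1 (rare) .. 5 (expected), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    controls: List[Control]  # step 4: controls for this particular event

@dataclass
class InformationAsset:
    name: str
    form: str  # "electronic", "physical" or "human"
    threats: List[Threat]

@dataclass
class Vendor:
    name: str
    sensitive_data_access: int   # 1..5: PII/PHI/financial data handled?
    criticality: int             # 1..5: importance to operations
    replacement_difficulty: int  # 1..5: ability to terminate and replace
    assets: List[InformationAsset]

def inherent_risk(t: Threat) -> int:
    """Step 3: likelihood times impact, 1..25."""
    return t.likelihood * t.impact

def combined_effectiveness(controls: List[Control]) -> float:
    """Controls treated as independent: what survives is the product of what each lets through."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining

def residual_risk(t: Threat) -> float:
    """Step 5: inherent risk reduced by the combined control effectiveness."""
    return inherent_risk(t) * (1.0 - combined_effectiveness(t.controls))

def highest_residual(v: Vendor) -> float:
    """Worst remaining risk over every threat to every asset the vendor touches."""
    return max((residual_risk(t) for a in v.assets for t in a.threats), default=0.0)

def profile_tier(v: Vendor) -> str:
    """Tier from the slide-13 rating factors (mean of three 1..5 scores)."""
    score = (v.sensitive_data_access + v.criticality + v.replacement_difficulty) / 3
    return "High" if score >= 4.0 else "Medium" if score >= 2.5 else "Low"

def residual_tier(v: Vendor) -> str:
    """Tier from the worst residual risk (out of a maximum of 25)."""
    r = highest_residual(v)
    return "High" if r >= 15 else "Medium" if r >= 8 else "Low"

def vendor_rating(v: Vendor) -> str:
    """The worse of the profile tier and the residual-risk tier."""
    return max(profile_tier(v), residual_tier(v), key=TIERS.index)

def required_evidence(v: Vendor) -> List[str]:
    """Documentation to request: every tier up to and including the rating."""
    upto = TIERS.index(vendor_rating(v)) + 1
    return [item for tier in TIERS[:upto] for item in EVIDENCE_BY_TIER[tier]]

# Constructed sample: a payroll SaaS provider holding employee PII and bank data.
PAYROLL = Vendor("Payroll SaaS (constructed)", 5, 4, 3, assets=[
    InformationAsset("Employee payroll records", "electronic", threats=[
        Threat("Unauthorized access to vendor database", 3, 5, controls=[
            Control("Encryption at rest", "technical", 0.5),
            Control("MFA and least-privilege access", "technical", 0.6),
            Control("Personnel background checks", "administrative", 0.2)]),
        Threat("Vendor outage on pay day", 2, 4, controls=[
            Control("Tested BC/DR failover", "technical", 0.5)])])])
# Constructed sample: an office-supplies vendor that touches no information assets.
SUPPLIES = Vendor("Office supplies (constructed)", 1, 1, 1, assets=[])

if __name__ == "__main__":
    print({v.name: (vendor_rating(v), required_evidence(v)) for v in (PAYROLL, SUPPLIES)})
```

For the payroll vendor the controls bring the worst residual risk down to 4 of 25, yet its rating stays High because of the data it holds and how hard it is to replace, so the full document list is requested; the supplies vendor needs only the security policy.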
Slide 14: Contract Provisions
Contemplate the entire vendor lifecycle, including:
- Performance monitoring (SLA tracking, credits)
- Cyber threat and incident communication
- Performance obligations of the parties, and
- Winding up and offboarding activities at the end of the relationship (including the secure return/erasure of the purchaser's data).

Slide 15: Contract Provisions: Definitions
a) Confidential information;
b) Personally Identifiable Information (PII);
c) Incident and data breach;
d) Malware, or similar concepts like harmful code;
e) Vulnerabilities in the product or service.

Slide 16: Contract Provisions: Performance
a) What is the product/service, and for whom?
b) Who will produce the product or provide the service, i.e., who will have access to your information?
c) How will you and the vendor (and subcontractors) interact and share information?
d) Will the vendor have access to your IP and technology?
e) Who will have access to, and own, the resulting IP?
f) Where will products be produced or services performed? Consider potential BC/DR risk, political risk, security risk, and subcontractors.
Slide 17: Contract Provisions: Representations and Warranties
Consider with respect to bargaining leverage.
a) No recent (material) security incidents/breaches not previously disclosed.
b) No claims threatened or pending, or events or circumstances known to the vendor likely to give rise to claims as a result of any security incident or vulnerability.
c) No regulatory actions threatened or pending, or events or circumstances (noncompliance) known to the vendor likely to give rise to regulatory action as a result of any security incident or vulnerability.
d) No processing, storage, or transmission of information by third parties not previously disclosed. Are cloud providers involved?

Slide 18: Contract Provisions: Representations and Warranties (cont.)
e) Vendor has all licenses and certifications required by applicable law to provide the product/service.
f) Vendor has all rights necessary to provide the product/perform the service. If licensed to the vendor, the license authorizes the vendor to use it for third parties.
g) Require that the vendor has an information security program in place.
h) Vendor employs personnel qualified to maintain the information security program and has validated the sufficiency of its subcontractors' programs.
i) Vendor handles your information consistent with its policies.
Slide 19: Contract Provisions: Confidentiality
a) Mutual. Do both parties have confidential information (CI) of the other? Do all provisions apply equally and reasonably to both?
b) Scope. Define CI in the possession or control of each party, including any subcontractor, and data generated by the engagement.
c) PII. Will the vendor collect, store, process, or transmit PII? From what jurisdiction(s) does the PII originate, and where will it be stored?
d) Permitted uses of confidential information. Used only as necessary for the product/service.
e) Storage & communication. Restrictions on location; notice of storage in any location not previously disclosed; encryption of data at rest and in flight/transit.

Slide 20: Contract Provisions: Confidentiality (cont.)
f) Sharing with affiliates and downstream vendors or subcontractors.
g) Customer-supplied information and record information, i.e., information accumulated about customers or as a byproduct of the customer relationship.
h) Return/destruction obligation at the end of the contract term and at other times at the disclosing party's request.
i) Exceptions to return. Will the disclosing party agree to exceptions, such as for information stored in a backup in a manner that makes destruction of specific information impractical/commercially unreasonable?

Slide 21: Contract Provisions: Confidentiality (cont.)
j) Incident management.
i. The definition of incident.
ii. Notices to affected persons and law enforcement: timing, content, method of delivery.
iii. Are delays attributed to law enforcement permitted?
iv. Copies of any notice the vendor is required to give parties in connection with any incident, unless prohibited by law.
v. Vendor's procedures/infrastructure for tracking notice requirements and implementing notices when required.
vi. Access to information about incidents and to compromised systems or images, to assess impact and mitigate adverse effects.
vii. Remediation: access to information about root cause and observed impacts to aid response and recovery.
viii. Costs: allocate liability for direct costs of the incident, e.g., breach notification.
ix. Duration of the confidentiality obligation: indefinite, or confirm that the recipient returns/destroys the information.
Slide 22: Contract Provisions: Information Security Program
Vendor commitment to establish/maintain a comprehensive information security program (ISP) for the confidentiality, integrity, and availability of information and systems, commensurate with the risk of loss, misuse, and unauthorized access/modification.
Involve knowledgeable employees/consultants in developing requirements, including:
- Physical, administrative, management, technical, and logical controls
- Threat/vulnerability assessment, monitoring, response, intelligence
- Software management: internally developed or purchased
- Change/infrastructure management: patching, monitoring/remediation
- Personnel qualifications; training; insider threat monitoring/response; new hire procedures; job descriptions; segregation of duties; user access controls
- Compliance with applicable laws and regulations

Slide 23: Contract Provisions: Monitoring/Assessment of Vendor Performance
Monitoring, assessment, and remediation provisions, and mechanisms to terminate if the vendor is unable to remediate:
a) SLAs with key performance and risk indicators
b) Vendor access to information and the ability to remove access
c) Audit of internal controls, performance monitoring and reporting, security issues
d) Vendor financial health review
e) Performance and issue remediation, with the option to suspend or terminate services
f) Confirmation of personnel background investigations
g) Access to vendor information, systems, and operations for audit/assessment by your regulators

Slide 24: Contract Provisions: Risk Event Reporting
Risk events are events beyond breaches/security incidents, e.g., loss of a material downstream supplier, political risk or labor disputes in a location where key services are performed, and IP infringement claims that could enjoin use of key technology.

Slide 25: Contract Provisions: Remedies
Remedies should be appropriate for the nature of the failed performance, and actionable.
a) Elements of loss compensable as damages: investigation, vulnerability and incident mitigation costs; notification and identity theft services.
b) Are liquidated damages an appropriate or effective remedy?
c) Is specific performance available/enforceable?
d) Limitations and disclaimers. Consider incidental and consequential damage disclaimers relating to security breaches. What costs arising from response and recovery are direct damages, and what costs are incidental/indirect?

Slide 26: Contract Provisions: Termination
a) Default: which acts, omissions, or conditions give the right to terminate?
b) Termination for other than default (e.g., upon reasonable notice and without penalty):
- A regulator directs you to terminate, or regulatory/legal requirements change
- The vendor is unable to respond adequately to a threat or breach
- Disagreement about the significance of a vulnerability or remediation
- For convenience
c) Transition plan: service/data transfer to you or another vendor (hardware, third-party software, data, IP, etc.).
d) Offboarding/turnover obligations: verification/certification of data return/destruction; removal of vendor logical/physical access; include subcontractors/affiliates.
Slide 27: Contract Provisions: Insurance
Consider cyber risk insurance coverage. First- and third-party coverage for:
- Data in physical and electronic form
- Media and hardware
- Malware
- Identity theft and credit monitoring services
- Breach mitigation/forensics
- Legal services
- Regulatory actions/penalties
- Public relations and crisis management

Slide 28: Contract Provisions: Indemnification
a) Loss of information: breach notification, investigation, remediation, litigation expenses.
b) Intellectual property: open source software?
c) Limitation of liability: if the agreement will include limitations of liability, consider caps for indemnification of third-party claims (information loss, breaches, IP infringement, remediation).

Slide 29: Contract Provisions: Business Continuity/Resiliency
What priority will the vendor give you in a contingency situation?
a) Data retention and backup procedures, failover to redundant systems, security of backup facilities.
b) Ownership/license of material needed to maintain operations/support. Rights to shift performance (internally or to a third party)?
c) Identification of the parties' key personnel, and training.
d) Access to the vendor's continuity plan and test results. Participation in the vendor's and your testing exercises?
e) Communication between the parties during an event.
f) Force majeure: draft to maintain performance consistent with continuity/resiliency obligations.
Slide 30: Contract Provisions: Miscellaneous
a) Notices, including prompt notice of incidents, vulnerabilities, etc., based on applicable laws/regulations and the data involved.
b) Assignment and change of control: enable reviews of operations and systems if performance is moved to a different entity.
c) Subcontracting: permitted? Subject to what conditions? Consider downstream vendors that provide services not exclusive to the purchaser's contract.
d) Survival: confidentiality/security obligations involving information retention/storage.
e) Dispute resolution: escalation procedures involving knowledgeable representatives from both sides to determine whether they agree on the facts and assessments.

Slide 31: Contract Provisions: Software
a) Third-party/open source components: inventory, monitoring and remediation of vulnerabilities, indemnification.
b) Self-help remedies: if not prohibited, require disclosure. Require notice, and permit them only to prevent harm to the purchaser's or other customers' infrastructure.
c) Vulnerability reporting: vendor obligation to disclose software vulnerabilities.
d) Threat intelligence coverage: identification of the third parties to which the vendor reports vulnerabilities and that monitor its products.
e) Support and maintenance: security monitoring and remediation of vulnerabilities; SLA response provisions; severity determination.
f) Secure development environment and secure design practices: promise to maintain the current environment; reference industry standards/best practices/applicable regulatory requirements.
g) Warranties: vulnerabilities, development environment breaches, infringement claims.
h) Source code escrow agreement and audit.

Slide 32: Amy McHugh, JD, CISA, Network+, Security+
Senior Associate
(319)
CLAconnect.com
twitter.com/CLAconnect
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
More informationLong-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.
More informationDATA PROCESSING AGREEMENT/ADDENDUM
DATA PROCESSING AGREEMENT/ADDENDUM This Data Processing Agreement ( DPA ) is made and entered into as of this day of, 2018 forms part of our Terms and Conditions (available at www.storemaven.com/terms-of-service)
More informationDATA PROTECTION ADDENDUM
DATA PROTECTION ADDENDUM In the event an agreement ( Underlying Agreement ) entered into by and between (i) either Sunovion Pharmaceuticals Inc. or its subsidiary, Sunovion Pharmaceuticals Europe Ltd.
More informationSUMMARY: The Federal Trade Commission ( FTC or Commission ) requests public
[Billing Code: 6750-01S] FEDERAL TRADE COMMISSION 16 CFR Part 314 RIN 3084-AB35 Standards for Safeguarding Customer Information AGENCY: Federal Trade Commission. ACTION: Request for public comment. SUMMARY:
More informationCompliance Steps for the Final HIPAA Rule
Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.
More informationInterpreters Associates Inc. Division of Intérpretes Brasil
Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable
More informationBusiness Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into this day of, 20, by and between the University of Maine System ( University ), and ( Business Associate ).
More informationNEW CYBER RULES FOR NEW YORK-BASED BANKING, INSURANCE AND FINANCIAL SERVICE FIRMS HAVE FAR-REACHING EFFECTS
REGULATORY LAW ALERT JUNE 2017 NEW CYBER RULES FOR NEW YORK-BASED BANKING, INSURANCE AND FINANCIAL SERVICE FIRMS HAVE FAR-REACHING EFFECTS OVERVIEW In potentially the most significant state-level expansion
More informationTERMS AND CONDITIONS OF SERVICE 1. DEFINITIONS: Affiliate means any entity which directly or indirectly owns or controls, is controlled by, or is
TERMS AND CONDITIONS OF SERVICE 1. DEFINITIONS: Affiliate means any entity which directly or indirectly owns or controls, is controlled by, or is under common control with, Donnelley Financial or Client,
More informationLong-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy
More informationBUSINESS ASSOCIATE AGREEMENT
PREVIEW VERSION ONLY This Business Associate Agreement (BAA) is made available for preview purposes only. It is indicative of the BAA that will be presented through the online user interface for acceptance
More informationBUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into on the Effective Date of the Azalea Health Software as a Service Agreement and/or Billing Service Provider
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationClaims Made Basis. Underwritten by Underwriters at Lloyd s, London
APPLICATION for: NetGuard Plus Claims Made Basis. Underwritten by Underwriters at Lloyd s, London tice: The Policy for which this Application is made applies only to Claims made against any of the Insureds
More informationRECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:
This Business Associate Agreement ( BAA ) is entered into by and between NORCAL Mutual Insurance Company ( NORCAL ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013
More informationTHIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY CRISIS MANAGEMENT COVERAGE The Insurer shall pay on behalf of the Insured: 1) Crisis Management Expenses that are a direct result of a Network
More informationARTICLE 1 DEFINITIONS
[GPM Note: This Template Data Use Agreement is to be used when a covered entity seeks to disclose a limited set of PHI to another entity for research, public health, and/or health care operations purposes.
More informationRegenstrief Center for Healthcare Engineering HIPAA Compliance Policy
Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Revised December 6, 2017 Table of Contents Statement of Policy 3 Reason for Policy 3 HIPAA Liaison 3 Individuals and Entities Affected
More informationCOLUMBIA UNIVERSITY DATA CLASSIFICATION POLICY
COLUMBIA UNIVERSITY DATA CLASSIFICATION POLICY I. Introduction Published: October 2013 Revised: November 2014, April 2016, October 2017 As indicated in the Columbia University Information Security Charter
More informationOMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS
OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions
More informationHIPAA & The Medical Practice
HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,
More informationMEDIATECH INSURANCE APPLICATION THIS APPLICATION IS FOR A CLAIMS MADE POLICY PLEASE INDICATE WHICH COVERAGES ARE REQUIRED Technology and Professional
THIS APPLICATION IS FOR A CLAIMS MADE POLICY PLEASE INDICATE WHICH COVERAGES ARE REQUIRED Technology and Professional Services: $100,000 $250,000 $500,000 $1,000,000 $2,000,000 Other:$ Technology Product
More informationb. "Documentation" means the user guides and manuals for installation and use of the Product regardless of format.
IMPORTANT! Be sure to carefully read and understand all the terms and conditions set forth in this Agreement ( Agreement ) prior to opening, installing, or using this Product (as defined below). This Product
More informationNOTICE OF CHANGE IN TERMS
NOTICE OF CHANGE IN TERMS Effective August 1, 2015 ( Amendment Effective Date ), the 2002 version of the Comerica Treasury Management Services Master Agreement ( 2002 Master Agreement ) and the version
More informationELECTRONIC TRADING PARTNER AGREEMENT
ELECTRONIC TRADING PARTNER AGREEMENT This Agreement is by and between all provider practices wishing to submit electronic claims to University Health Alliance ( UHA ). RECITALS WHEREAS, UHA provides health
More informationBusiness Associate Risk
Business Associate Risk Assessing and Managing Business Associate Risk Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Disclaimer: Nothing in this presentation
More informationHEALTHCARE BREACH TRIAGE
IAPP Privacy Academy September 30 October 2, 2013 HEALTHCARE BREACH TRIAGE Theodore P. Augustinos EDWARDS WILDMAN PALMER LLP Kenneth P. Mortensen CVS/CAREMARK 2013 Edwards Wildman Palmer LLP & Edwards
More informationBorder Federal Credit Union Electronic Services Agreement Terms and Conditions
(for Website, E-Mail Notifications, E-Statements, Automatic Dialing Service, Internet Banking (BFCULive), Text Messaging, Text Banking, Mobile Banking, Mobile App, and Bill Payment Services) Border Federal
More informationSUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM
SUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM This Subcontractor Business Associate Addendum (the Addendum ) is entered into this day of, 20, by and between the University of Maine System, acting through the
More informationSaturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules
Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.
More informationSDM Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates
Policy and Procedure: SDM HIPAA Terms and Conditions for (Adapted from UPMC s HIPAA Terms and Conditions for at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/terms.pdf) Effective: 03/30/2012
More informationBUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)
BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between
More informationHIPAA Basic Training for Health & Welfare Plan Administrators
2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, Inc., a clearinghouse Covered Entity under HIPAA, providing
More informationAllocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications
Allocating Risk for Privacy and Data Security in Commercial Contracts and Related Insurance Implications Presented by: Selena J. Linde George Galt Aaron Coombs June 23, 2016 Perkins Coie LLP Presenter:
More informationHIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?
HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What
More informationNASDAQ Futures, Inc. Off-Exchange Reporting Broker Agreement
2. Access to the Services. a. The Exchange may issue to the Authorized Customer s security contact person, or persons (each such person is referred to herein as an Authorized Security Administrator ),
More informationCyber ERM Proposal Form
Cyber ERM Proposal Form This document allows Chubb to gather the needed information to assess the risks related to the information systems of the prospective insured. Please note that completing this proposal
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationBREACH MITIGATION EXPENSE COVERAGE
POLICY NUMBER: QBPC-2030 (09-16) THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ IT CAREFULLY. BREACH MITIGATION EXPENSE COVERAGE This endorsement modifies insurance provided under the following: INSURANCE
More informationWhat You Need to Know to Make Sure Your Insurance Business Complies
New York State Department of Financial Services New Cybersecurity Regulation 23 NYCRR Part 500 What You Need to Know to Make Sure Your Insurance Business Complies Presented by: NAIFA-NYS, Peter J. Molinaro,
More informationHIPAA and ProAssurance
HIPAA and ProAssurance The ProAssurance Companies, along with our legal counsel, have reviewed the Health Insurance Portability And Accountability Act of 1996, and its implementing regulations (collectively,
More informationTake It or Leave It: Pitfalls and Challenges of IT Contracts Thursday, May 4, 2017 General Session; 9:00 10:30 a.m.
Take It or Leave It: Pitfalls and Challenges of IT Contracts Thursday, May 4, 2017 General Session; 9:00 10:30 a.m. Margarita Gutierrez, Deputy City Attorney, City and County of San Francisco Rosa M. Sanchez,
More information