THIRD-PARTY MANAGEMENT OF INFORMATION RESOURCES

Policy

All vendors and third-party information technology service providers must comply with all applicable UT Health San Antonio policies.

A. Contracts of any kind, including purchase orders, memoranda of understanding (MOU), letters of agreement, or any other type of legally binding agreement, that involve current or future third-party access to or creation of Information Resources or Data must include terms to ensure that vendors and any subcontractors or other third parties that maintain, create, or access University data as a result of the contract comply with all applicable federal and state security and privacy laws and regulations, UT Health San Antonio policies, and U.T. System policies and standards, and must contain terms that ensure that all University data affected by the contract is maintained in accordance with those policies at all times, including post-termination of the contract.

B. UT Health San Antonio procurement staff, Data Owners and the Chief Information Security Officer (CISO) are jointly and separately responsible for ensuring that all contracts are reviewed to determine whether the contract involves third-party access to, outsourcing, maintenance or creation of University data, and that all such access, outsourcing or maintenance fully complies with UT Health San Antonio policies.

C. Any contract involving third-party access to, creation of, or maintenance of Protected Health Information (PHI) must include a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA) approved by UT Health San Antonio Legal and/or the Compliance Officer.

D. Any contract involving third-party provided credit card services must require that the contractor provide assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provisioning of the services.

E. Prior to access, maintenance or creation of University data by a vendor or any other third party, the Chief Information Security Officer must ensure that an assessment is or has been performed that is designed to ensure that:
   i. the vendor has sufficient technological, administrative and physical safeguards to ensure the confidentiality, security and integrity of the data at rest and during any transmission or transfer; and
   ii. any subcontractor or other third party that will access, maintain, or create data pursuant to the contract will also ensure the confidentiality, security and integrity of such data while it is at rest, during any transmission, and while it is physically transferred.

F. As part of the assessment of a vendor or other third party, the CISO will request copies of any self-assessments or third-party assessments and audits that the vendor or third party has access to. Third-party assessments and audits shall be requested:
   i. annually for vendors or other third parties who host or have access to Mission Critical Systems or Confidential Data; and
   ii. periodically, as deemed necessary by the Chief Information Security Officer but no less than every three (3) years, for all other systems and data.

G. All UT Health San Antonio schools, departments, offices and centers engaging vendors, contractors, consultants or other third-party information technology service providers are responsible for managing that relationship, including appropriate termination notifications.

H. All vendor and third-party network and communication equipment installed on the UT Health San Antonio network shall be disabled except when in use for authorized maintenance or other use as defined in the contract.

I. All remote vendor or third-party access to the UT Health San Antonio network or other Information Resource must use a secured access method approved by the Chief Information Security Officer and comply with all UT Health San Antonio Access Control policies, standards and procedures. Each vendor or third-party employee with access to UT Health San Antonio sensitive information must be approved by the data owner (Principal Investigator, Access Control Executive, department head, etc.) to handle that information. Access to information will be based on the least privilege principle for the responsibilities assigned to the employee. Each vendor must provide UT Health San Antonio with a list of all employees working on the contract. The list must be updated and provided to UT Health San Antonio within 48 hours of staff changes.

Vendor Contracts

Vendor must represent, warrant and certify it will:

a. comply with applicable federal and state laws and regulations and UT Health San Antonio policies;
b. hold all Confidential Data in the strictest confidence;
c. limit the use of UT Health San Antonio Information Resources and Data to the purposes of the business agreement;
d. make reasonable efforts to comply with any UT Health San Antonio auditing requests, including the auditing of a vendor's third-party or contractor work;
e. not use any UT Health San Antonio data acquired or created in the course of the contract for the vendor's or third-party provider's own purposes, or divulge it to others, except as defined in the contract;
f. maintain uniquely identifiable access control and strong password standards for Information Resources and Data;
g. if directly accessing UT Health San Antonio Information Resources, comply with applicable policies, standards and procedures for that Information Resource (including, but not limited to, the Acceptable Use policy and Information Security Awareness Training) using systems that meet minimum UT Health San Antonio security configurations;
h. not release any Confidential Data unless vendor obtains UT Health San Antonio prior written approval and performs such a release in full compliance with all applicable privacy laws, including the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA);
i. not otherwise use or disclose Confidential Data except as required or permitted by law;
j. safeguard data according to all commercially reasonable administrative, physical, and technical standards (e.g., standards established by the National Institute of Standards and Technology or the Center for Internet Security);
k. continually monitor its operations and take any action necessary to assure the data is safeguarded in accordance with UT Health San Antonio policies and standards and federal and state laws and regulations;
l. ensure that all software used on UT Health San Antonio property is properly licensed for the vendor's and/or third party's use;
m. comply with vendor access requirements set forth in UT Health San Antonio policies and standards;
n. provide written notice of any unauthorized use or disclosure of any Confidential Data within one (1) business day after the vendor's or third party's discovery of such use or disclosure, or, if the Data Owner, Compliance Officer and CISO are satisfied that a longer period is acceptable, within that period;
o. upon termination of a vendor's employee, contractor or third party, ensure that all Confidential Data is collected and returned to UT Health San Antonio or securely destroyed within 48 hours, provide proof or attestation of that destruction, and immediately surrender all UT Health San Antonio identification badges, access cards, equipment and supplies;
p. within 30 days after the termination or expiration of a purchase order, contract or agreement for any reason, either:
   i. return or securely destroy, as specified by the contract or agreement, all data provided to the vendor by UT Health San Antonio, including all Confidential Data provided to the vendor's employees, subcontractors, agents, or other affiliated persons or institutions, with appropriate proof or attestation; or
   ii. if returning or securely destroying the data is not feasible, provide notification of the conditions that make return or destruction infeasible, in which case the vendor or third party must: continue to protect all data that it retains; agree to limit further uses and disclosures of such data to those purposes that make the return or destruction infeasible, for as long as the vendor or other third party maintains such data; and, to the extent possible, de-identify such data.

Authority

Violations of this policy are subject to disciplinary action as described in the Handbook of Operating Procedures (HOP), Section 2.1.2.

References

U.T. System Policy 165, Standard 22