HIPAA STUDENT ASSOCIATE AGREEMENT

Similar documents
BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

ARTICLE 1. Terms { ;1}

TEXAS SOUTHERN UNIVERSITY HIPAA BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

HIPAA Business Associate Agreement Passport to Languages

SDM Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates

BUSINESS ASSOCIATE AGREEMENT

HIPAA and ProAssurance

HIPAA BUSINESS ASSOCIATE AGREEMENT

IHDE BUSINESS ASSOCIATE AGREEMENT (BAA)

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

Interpreters Associates Inc. Division of Intérpretes Brasil

Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS

SUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM

Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)

Limited Data Set Data Use Agreement For Research

BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and

HIPAA ADDENDUM TO SERVICE AGREEMENT

HIPAA Business Associate Agreement

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

Business Associate Agreement For Protected Healthcare Information

ARTICLE 1 DEFINITIONS

JOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

RECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS

FACT Business Associate Agreement

NETWORK PARTICIPATION AGREEMENT

H E A L T H C A R E L A W U P D A T E

BUSINESS ASSOCIATE AGREEMENT

COMMONWEALTH OF PENNSYLVANIA BUSINESS ASSOCIATE ADDENDUM

Interim Date: July 21, 2015 Revised: July 1, 2015

SUNY DOWNSTATE MEDICAL CENTER UNIVERSITY HOSPITAL OF BROOKLYN POLICY AND PROCEDURE

RECIPROCAL BUSINESS ASSOCIATE AND DATA USE AGREEMENT BETWEEN THE PARTICIPATING PHYSICIAN ORGANIZATION AND MILLIMAN, INC.

PsyBar, LLC 6600 France Avenue South, Suite 640 Edina, MN Telephone: (952) Facsimile: (952)

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

BREACH NOTIFICATION POLICY

AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015)

Determining Whether You Are a Business Associate

ACGME BUSINESS ASSOCIATE AGREEMENT

SCHEDULE D HIPPA BUSINESS PARTNER AGREEMENT

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

BUSINESS ASSOCIATE AGREEMENT

HIPAA P11 Retention and Destruction of Protected Health Information

Terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in 45 CFR and

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

HIPAA The Health Insurance Portability and Accountability Act of 1996

BUSINESS ASSOCIATE AGREEMENT

HIPAA PRIVACY COMPLIANCE MANUAL DISCLAIMER

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

BUSINESS ASSOCIATE AGREEMENT

MNsure Certified Application Counselor Services Agreement with Tribal Nation Attachment A State of Minnesota

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

LIMITED DATA SET REQUEST AND DATA USE AGREEMENT

Texas Tech University Health Sciences Center HIPAA Privacy Policies

AIUM Ultrasound Practice Accreditation Master Services Agreement & Business Associate Agreement (MSA/BAA)

University of Mississippi Medical Center Data Use Agreement Protected Health Information

AFTER THE OMNIBUS RULE

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

HIPAA BUSINESS ASSOCIATE ADDENDUM

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies

HIPAA and Lawyers: Your stakes have just been raised

Central Fabrication Accreditation Application

Business Associate Agreement RECITALS AGREEMENT

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

HIPAA / HITECH. Ed Massey Affiliated Marketing Group

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

Microsoft Online Subscription Agreement/Open Program License Agreement Amendment for HIPAA and HITECH Act Amendment ID MOS13

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

HOW TO COMPLETE A BUSINESS ASSOCIATE AGREEMENT (BAA)

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)

POLESTAR BENEFITS, INC. ADMINISTRATION AGREEMENT

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4

HIPAA OMNIBUS FINAL RULE

UCLA Health System Data Use Agreement

Record Management & Retention Policy

The HIPAA Omnibus Rule

* Corporation General Partnership Limited Partnership LLC Sole Proprietorship Non Profit Other Accounts Payable: Name

RECITALS. WHEREAS, this Amendment incorporates the various amendments, technical and conforming changes to HIPAA implemented by the Final Rule; and

Transcription:

HIPAA STUDENT ASSOCIATE AGREEMENT This Agreement dated as of, 20 is made by and between Petaluma Health Center (Hereinafter Covered Entity ) and (Hereinafter Student ). INTRODUCTION This Agreement governs the terms and conditions under which Student will access personal health information belonging to patients of Covered Entity in performing services for, or on behalf of, Covered Entity. Specifically, this agreement governs the terms and conditions under which Student will provide student services to the Department. DEFINITIONS Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103 and 164.501. For purposes of this section: 1. Individual. Individual shall have the same meaning as the term Individual in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). 2. Privacy Rule. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. 3. Protected Health Information. Protected Health Information shall have the same meaning as the term protected health information in 45 CFR 164.501, limited to the information created or received by Student from or on behalf of Covered Entity. 4. Required By Law. Required By Law shall have the same meaning as the term required by law in 45 CFR 164.501. 5. Secretary. Secretary shall mean the Secretary of the Department of Health and Human Services or his designee. OBLIGATIONS AND ACTIVITIES OF STUDENT Student agrees to: 1. Not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law. 2. Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. 3. Mitigate, to the extent practicable, any harmful effect that is known to Student of a use or disclosure of Protected Health Information by Student in violation of the requirements of this Agreement. 4. Report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement. 5. Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Student on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Student with respect to such information. 6. In the event that the Student maintains PHI in a designated records set, Student agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, Student Agreement 2010 1 of 5

as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. 7. In the event that the Student maintains Protected Health Information in a designated records set, Student agrees to make any amendment(s) to Protected Health Information in a designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. 8. Make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Student on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. In the event such a request comes directly from the Secretary, Student agrees to notify Covered Entity immediately of such request. 9. Document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. 10. Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. 11. Implementation of an Identity Theft Monitoring Policy and Procedure, to protect any patient information that may be breached by the Student, under the Federal Trade Commission Regulations Red Flag Rules. 12. Understand and Comply with California Senate Bill 541 and AB 211 which requires health facilities, clinics, hospices and home health agencies to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information. This requirement creates a stricter standard than any currently in effect under existing state law or HIPAA because facilities are required under this bill to prevent unauthorized access, not merely to take reasonable steps to try to monitor and stop inappropriate access. SB 541 also authorizes administrative penalties on the facility of up to $25,000 per patient per violation, and up to $17,500 for each subsequent accessing, use or disclosure of that information, and increases existing penalties for violations that result in immediate jeopardy of patients. Assembly Bill 211 requires that every health care provider implement specified safeguards to protect the privacy of a patient's medical information, and establishes an Office of Health Information Integrity (OHII) within the California Health and Human Services Agency, which will assess and impose fines for violations of privacy laws. Penalties may be assessed: against any person or provider of health care, whether licensed or unlicensed up to $250,000 as set forth in CMIA and requires referral from DPH for assessment of fines. Obligation to report violations of patient privacy Facilities will be required to report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information both to the DHS and to the affected patient (or the patient's representative) no later than five days after the unlawful or unauthorized access, use or disclosure has been detected. "Unauthorized" means inappropriate access, review or viewing of patient medical information without a direct need for medical diagnosis, treatment or other lawful use as permitted by the Confidentiality of Medical Information Act (Civil Code sections 56 56.37) or any other statute or regulation governing the lawful access, use or disclosure of medical information. This latter reference is broad enough to include HIPAA, as it operates in conjunction with California law. HITECH ACT REGULATIONS FOR STUDENTS Student Agreement 2010 2 of 5

The HITECH Act imposes on entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their Students federal breach notification requirements when "unsecured" PHI is acquired by an unauthorized party. "Unsecured" means not secured through the use of a technology or methodology that renders the information "unusable, unreadable, or indecipherable" to unauthorized individuals. Information that has been "de-identified" is not subject to the breach notification requirements because such information is not protected under HIPAA. In other words, the Act specifies circumstances under which PHI is no longer "unsecured" and accordingly avoids the HITECH Act's notification requirements. The guidance, however, provides that notice may be required to comply with other federal and state requirements. The breach notification requirements will apply to PHI in any form. PHI may be vulnerable in any of the following commonly recognized data states: "Data in motion": Data that is moving through a wired or wireless network; "Data at rest": Data that resides in databases, files, or in storage; "Data in use": Data that is in the process of being created, maintained, updated, or destroyed; or "Data disposed": Data that has been discarded or recycled. PHI in each of these data states, with the possible exception of "data in use," may be secured using one or more methods. Encryption, which will apply only to electronic information; and Destruction Encryption of "data at rest" must satisfy NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for "data in motion" must comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52; Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; and may include others that are FIPS 140-2 validated. Destruction of PHI on paper, film, or other hard copy media must involve either shredding or otherwise destroying the PHI so that it cannot be read or reconstructed. PHI on electronic media must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved. Student agrees to comply with all aspects of the HITECH Act. PERMITTED USES AND DISCLOSURES BY STUDENT Except as otherwise limited in this Agreement, Student may use or disclose Protected Health Information, as follows: 1. On behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. 2. Except as otherwise limited in this Agreement, Student may disclose Protected Health Information for the proper management and administration of the Student, provided that disclosures are required by law, or Student obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Student of any instances of which it is aware in which the confidentiality of the information has been breached. OBLIGATIONS OF COVERED ENTITY Covered Entity shall provide Student with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice. Student Agreement 2010 3 of 5

PERMISSIBLE REQUESTS BY COVERED ENTITY Covered Entity shall not request Student to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. TERM AND TERMINATION 1. Term. The obligations set forth in this section shall be effective as of the date the first Protected Health Information is released to Student pursuant to this Agreement, and shall terminate only when all of the Protected Health Information provided by Covered Entity to Student, or created or received by Student on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. 2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Student, Covered Entity shall provide an opportunity for Student to cure the breach or end the violation. Covered Entity may terminate this Agreement if Student does not cure the breach or end the violation within the time specified by Covered Entity. 3. Effect of Termination. i. Except as provided in paragraph (ii) of this section, upon termination of this Agreement, for any reason, Student shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Student on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Student. Student shall retain no copies of the Protected Health Information. ii. In the event that Student determines that returning or destroying the Protected Health Information is infeasible, Student shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Student shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Student maintains such Protected Health Information. Survival. The respective rights and obligations of Student under this section shall survive the termination of this Agreement. OWNERSHIP OF INFORMATION Covered Entity holds all right, title, and interest in and to the PHI and Student does not hold and will not acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or interest in or to the PHI or any portion thereof. RIGHT TO INJUNCTIVE RELIEF Student expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered Entity may not have an adequate remedy at law. Therefore, Student agrees that upon such breach, or threatened breach, Covered Entity will be entitled to seek injunctive relief to prevent Student from commencing or continuing any action constituting such breach without having to post a bond or other security and without having to prove the inadequacy of any other available remedies. Nothing in this paragraph will be deemed to limit or abridge any other remedy available to Covered Entity at law or in equity. MISCELLANEOUS Student Agreement 2010 4 of 5

1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which Compliance is required. 2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191. 3. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule. Petaluma Health Center Name: Title: Signature: Date: Student Name: Title: Signature: Date: Student Agreement 2010 5 of 5

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback