University of Mississippi Medical Center Data Use Agreement Protected Health Information

Similar documents
HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

Attachment B Newtopia Wellness Program and Genetic Testing. The Health Risk Assessment also invites individuals to undergo genetic testing.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

HIPAA Federal Security Rule H I P A A

University of Wisconsin-Madison Policy and Procedure

Research Data Use Agreement (RDUA)

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

EDI ENROLLMENT AGREEMENT INSTRUCTIONS

Security and Privacy Breach Notification

Railroad Medicare Electronic Data Interchange Application

HIPAA 101: What All Doctors NEED To Know

Change Healthcare CLAIMS Provider Information Form *This form is to ensure accuracy in updating the appropriate account

Part A/Part B/HHH EDI Enrollment (Agreement) Form and Instructions

Security Overview. Joseph Balberde North Country Community Mental Health Information Technology Director

POLICY. Create a governance process to manage requests to extract de- identified data from the Information Exchange (IE).

Florida Health Information Exchange Subscription Agreement for Event Notification Service

JURISDICTION 11 EDI CONTRACT INSTRUCTIONS

Policy and Procedure: SDM Guidance for HIPAA Business Associates

EXAMPLE 3-JOINT PRIVACY AND SECURITY CHECKLIST

Employee Security Awareness Training Program

NYSIF.com Online Account Third-Party Billers.V3

Change Healthcare CLAIMS Provider Information Form *This form is to ensure accuracy in updating the appropriate account

Privacy and Security for the Medical Student. HIPAA Compliance Audit and Compliance Services Mount Sinai Health System

HIPAA For Assisted Living WALA iii

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

Therapy Provider Portal. User Guide

UTAH VALLEY UNIVERSITY Policies and Procedures

Putting It All Together:

Banner Health Information Security and Privacy Training Team. Morgan Raimo Paul Lockwood

EXAMPLE 2-JOINT PRIVACY AND SECURITY CHECKLIST

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy and Security Training Program

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services.

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

HIPAA Security Manual

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

The Relationship Between HIPAA Compliance and Business Associates


INSTRUCTIONS FOR RECIPIENTS OF EMORY UNIVERSITY MATERIAL

NYSIF.com Online Account Medical Providers.V4. April 26, 2018

Made In Hackney Data Protection Policy Last Updated:

HIPAA-HITECH: Privacy & Security Updates for 2015

Federal Breach Notification Decision Tree and Tools

Building Information Modeling and Digital Data Exhibit

MEDICARE Texas (TRAILBLAZERS) PRE-ENROLLMENT INSTRUCTIONS 00900

Data Processing Agreement

NOTICE OF PRIVACY PRACTICES

Privacy Policy on the Responsibilities of Third Party Service Providers

MEDICARE PART B HAWAII PRE ENROLLMENT INSTRUCTIONS MR057

TEXAS MEDICARE (TRAILBLAZERS) CHANGE FORM MR085

HIPAA & RESEARCH DATA SECURITY FOR BU RESEARCHERS CHARLES RIVER CAMPUS. November 14, 2017

HIPAA & Privacy Compliance Update

Schedule EHR Access Services

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

QUALITY HIPAA December 23, 2013

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

End User Agreement Anthem Point of Care (POC)

Janie Appleseed Network Privacy Policy

A Panel Discussion. Nancy Davis

HIPAA and Social Media and other PHI Safeguards. Presented by the UAMS HIPAA Office August 2016 William Dobbins

MEDICARE FLORIDA PRE ENROLLMENT INSTRUCTIONS MR025

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

HIPAA UPDATE. Michael L. Brody, DPM

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

Red Flags/Identity Theft Prevention Policy: Purpose

Mississippi Medicaid. Mississippi Medicaid Program Provider Enrollment P.O. Box Jackson, Mississippi Complete form and mail original to:

Change Healthcare ERA Provider Information Form *This form is to ensure accuracy in updating the appropriate account

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

NCQA and HIPAA. The Fifth National HIPAA Summit. A match made in? Sharon King Donohue, JD General Counsel, Chief Privacy Officer November 1, 2002

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Mile Privacy Policy. Ticket payment platform with Blockchain. Airline mileage system utilizing Ethereum platform. Mileico.com

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

1.2 Participant means a third party who interacts with the Services as a result of that party s relationship with or connection to you.

Information Privacy Statement

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

HIPAA TRANSACTION 837 PROFESSIONAL STANDARD COMPANION GUIDE

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

HIPAA FOR BROKERS. revised 10/17

PRIVACY-SECURITY INCIDENT REPORT

Data Processing Agreement for Oracle Cloud Services

Information Classification & Protection Policy

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Universal Patient Key

HIPAA Tips and Advice for Your. Medical Practice

MEDICARE IDAHO PRE ENROLLMENT INSTRUCTIONS MR003

First National Bank and Trust P. O. Box 100 London, KY Attention: Statements

Dealing with Sensitive Data: Helping You Protect You

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS

What information is collected from you and how it is used

Data Use and Reciprocal Support Agreement (DURSA) Overview

ecare Vault, Inc. Privacy Policy

Beam Technologies Inc. Privacy Policy

LifeWays Operating Procedures

Transcription:

Data Use Agreement Protected Health Information This Data Use Agreement ( DUA ) is effective on the day of, 20, ( Effective Date ) by and between (UMMC) ( Data Custodian ), and ( Recipient ), located at collectively hereinafter referred to as the Parties. UMMC ( Data Custodian ) is a Covered Entity as defined in the Health Insurance Portability and Accountability Act of 1996, as amended ( HIPAA ); and UMMC is providing Recipient with Protected Health Information ( PHI ) as defined in 45 Code of Federal Regulations (CFR) 160.103.This DUA shall not be construed as creating HIPAA liabilities if HIPAA is not applicable to the data use and disclosure provided for under this agreement. The Parties agree to the provisions of this DUA in order to address the requirements of HIPAA and to protect the interest of both Parties. Description of Data Requested: Example: Dataset which shows all patients with the diagnoses of 428.0 (congestive heart failure) for the date range of 01/01/00 12/31/00. Include the last name of the patient, their zip code, DOB, and MRN. If possible, I will need this report sent to me in an Excel spreadsheet with each item (Pt. LN, zip code, DOB, MRN) in a separate column. 1. DEFINITIONS. Except as otherwise defined herein, any and all capitalized terms in this DUA shall have the definitions set forth in HIPAA. In the event of any inconsistency between the provisions of this DUA and mandatory provisions of HIPAA, as amended, the HIPAA provision shall control. Where provisions of this DUA are different than those provided in HIPAA, but are permitted by HIPAA, the provisions of this DUA shall control. PHI shall mean Individually Identifiable Health Information. 2. OBLIGATIONS OF DATA RECIPIENT. 2.1 Permitted Use or Disclosure. Select the following as appropriate: Decedent Information. Under HIPAA, the use or disclosure of PHI is permitted without written Authorization from the personal representative of the patient, a Waiver of Authorization, or DUA when for research as long as the Covered Entity obtains certain representations from the researcher; However, UMMC requires a DUA in order to obtain representations. By executing this DUA, Recipient is declaring 1) Use or disclosure being sought is solely for research and use of PHI of decedents; 2) PHI being sought is necessary for research; and 3) At the request of the Covered Entity, documentation of the death of the individuals about whom information is being sought. Decedent information is protected for 50 years following the date of death. Treatment/Payment/Healthcare Operations within UMMC. Under HIPAA, the use or disclosure of PHI is permitted without the patient s written Authorization when for Treatment, Payment, or Health Care Operations (TPO). Definitions of these activities are specified in 45 CFR 164.501. Employees are to use and disclose only that information that is minimally necessary to perform their job duties. By executing this DUA, employee agrees to data use and/or disclosure obligations.

IRB Approved Research. Under HIPAA, the use or disclosure of PHI for research is permitted without the patient s written Authorization, if a HIPAA Waiver of Authorization or HIPAA Alteration of Authorization from an Institutional Review Board (IRB) or Privacy Board has been approved. By executing this DUA, Recipient declares receipt of IRB approval and shall attach one of the following approval letters 1) HIPAA Alteration of Authorization; or 2) HIPAA Waiver. Limited Data Set. Under HIPAA, the use or disclosure of PHI is permitted without the patient s written Authorization when it is for Research, Public Health, or Health Care Operations, as long as a DUA is obtained. Specific details shall be provided on the last page. Recipient shall not attempt to identify the individuals to whom the PHI pertains, or attempt to contact such individuals. A Limited Data Set excludes the following identifiers: 1) Names; 2) Postal address information, other than town or city, State, and zip code; 3) Telephone numbers; 4) Fax numbers; 5) Electronic mail addresses; 6) Social security numbers; 7) Medical record numbers; 8) Health plan beneficiary numbers; 9) Account numbers; 10) Certificate/license numbers; 11) Vehicle identifiers and serial numbers, including license plate numbers; 12) Device identifiers and serial numbers; 13) Web Universal Resource Locators (URLs); 14) Internet Protocol (IP) address numbers; 15) Biometric identifiers, including finger and voice prints; and 16) Full face photographic images and any comparable images. Preparatory to Research. Under HIPAA, the use or disclosure of PHI is permitted without the patient s written Authorization, a Waiver of Authorization, or DUA as long as the Covered Entity obtains certain representations from the researcher; However, UMMC requires a DUA in order to obtain representations. By executing this DUA, Recipient is declaring 1) I will not remove any PHI from the Covered Entity; and 2) PHI for which access is sought is necessary for the research purpose. Please select the box that most accurately reflects the nature of your request: That the use or disclosure of the PHI is solely to prepare for a research protocol or for similar purposes preparatory to research; or The review is only for the possible recruitment of participants. If the purpose of the PHI is to recruit participants, the investigator should coordinate the initial patient contact through the attending physician. If the patient does not object to being contacted by the investigator, then the investigator may talk directly to the patient about the study. 2.2 Recipient Use or Disclosure. Recipient agrees that it, and any employees, agents and subcontractors to whom it discloses the PHI, will not use or further disclose the PHI other than as permitted by this DUA, or as otherwise required by law or regulation. Any person or entity receiving PHI from Recipient shall agree to the same restrictions and/or obligations of the Recipient as set forth in this DUA. 2.3 Safeguards. Recipient and any employees, agents, and subcontractors shall use appropriate safeguards to protect the PHI from misuse or inappropriate disclosure and to prevent any use or disclosure of the PHI other than as provided in this DUA or as otherwise required by law or regulation. Version: 06.06.2018 Data Use Agreement Page 2 of 5

2.4 Storage and Transmission. Data sets containing sensitive elements or PHI should be stored in a secure encrypted method. This applies to any storage device (hard drive, USB drive, CD/DVD). At no time should this data be stored on any hosted service or unencrypted physical drive. Any transmission of this data should be encrypted as well. At no time should data be transferred to anyone other than as permitted by this DUA, or as otherwise required by law or regulation. 2.5 Data Security Plan. Please provide responses to the questions below. If further space is required, please use the final page. (a) Storage. How will the data be stored? Where will the data be stored? (b) Access. Who will have access to the data? (c) Protections. How will the data be protected? 2.6 Reporting. Recipient shall report, within 5 working days, to UMMC any use or disclosure of the PHI that is not provided for in this DUA, any Security Incident involving electronic PHI and any Breach of Unsecured PHI of which the Recipient becomes aware. Recipient will take reasonable steps to limit any further such use or disclosure. 3. TERM and TERMINATION. 3.1 Term. The Term of this DUA shall be effective as of the date first written above, and shall terminate when all the PHI provided by UMMC to Recipient is destroyed or returned to the UMMC Data Custodian, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. 3.2 Termination for Cause. Should Recipient commit a material breach of this DUA, which is not cured within thirty (30) days after Recipient receives notice of such breach from the UMMC, then the Covered Component will discontinue disclosure of PHI and will report the problem to the Secretary, U. S. Department of Health and Human Services. 3.3 Effects of Termination. (a) Except as provided in paragraph (ii) of this subsection, within ten (10) days upon termination of this DUA, Recipient shall return or destroy all PHI received from the UMMC. This provision shall apply to PHI that is in the possession of subcontractors or agents of Data Recipient. Recipient shall retain no copies of the PHI. (b) In the event that Recipient determines that returning or destroying the PHI is infeasible, Recipient shall provide to UMMC notification of the conditions that make return or destruction infeasible. Version: 06.06.2018 Data Use Agreement Page 3 of 5

Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Data Recipient shall extend the protections of this DUA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Recipient maintains PHI. UMMC: Recipient: (Date) (Date) (Signature) (Signature) Stacy Baldwin (Printed Name) (Printed Name) Executive Director (Title) (Title) Office of Integrity and Compliance (Department) (Department) Version: 06.06.2018 Data Use Agreement Page 4 of 5

Complete the section below for a Limited Data Set: Research. (a) Description of Research: (b) IRB Protocol Number: (c) Expected disclosure to third parties? If yes, please identify third party recipients below. Public Health. (a) Description of Public Health Purpose: (b) Expected disclosure to third parties? If yes, please identify third party recipients below. Health Care Operations. (a) Description of Health Care Operations Purpose: (b) Expected disclosure to third parties? If yes, please identify third party recipients below. ADDITIONAL INFORMATION: Version: 06.06.2018 Data Use Agreement Page 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback