Limited Data Set Data Use Agreement

Similar documents
Model Business Associate Agreement

HITECH Omnibus Business Associate Agreement DU Hybrid CE ra FINAL

HIPAA BUSINESS ASSOCIATE AGREEMENT. ( BUSINESS ASSOCIATE ) and is effective as of ( Effective Date ). RECITALS

Patient Privacy and Security: Data Breach Reporting and other HIPAA Changes

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

South Carolina Department of Motor Vehicles

AMERICAN RECOVERY & REINVESTMENT ACT OF 2009 TITLE XIII HEALTH INFORMATION TECHNOLOGY ANALYSIS OF PRIVACY AND SECURITY REQUIREMENTS (SUBPART D)

Site Access Agreement. (hereinafter referred to as the

KAISER FOUNDATION HOSPITALS ON BEHALF OF KAISER FOUNDATION HEALTH PLAN OF THE MID-ATLANTIC STATES, INC.

DATA USE AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION

BUSINESS ASSOCIATE AGREEMENT (BETWEEN GIOSTARCHICAGO.COM AND GIOSTARORTHOPEDICS.COM AND GODADDY)

ADDENDUM TO STANDARD CONTRACT BETWEEN Community Coordinated Care for Children, Inc. (4C) AND (CONTRACTOR)

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

Agent/Agency Agreement

Investigating Privacy Breaches under HITECH and HIPAA

BUSINESS ASSOCIATE AGREEMENT

HIPAA DATA USE AGREEMENT

INDEPENDENT CONTRACTOR AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

1 HB By Representative Williams (P) 4 RFD: Technology and Research. 5 First Read: 13-FEB-18. Page 0

Health Information Technology for Economic and Clinical Health (HITECH) Act Privacy and Security Provisions

Sacramento Public Library Authority

IRB RELIANCE EXCHANGE PORTAL AGREEMENT

1 SB By Senators Orr and Holley. 4 RFD: Governmental Affairs. 5 First Read: 13-FEB-18. Page 0

ELECTRONIC TRANSACTIONS TRADING PARTNER AGREEMENT BETWEEN DIRECT SUBMITTER AND WELLPOINT, INC

CODERED NEXT SERVICES AGREEMENT

RETS DATA ACCESS AGREEMENT

CLINICAL TRIAL AGREEMENT for INVESTIGATOR-INITIATED STUDY

USER AGREEMENT GRANTING DEPARTMENT OF REAL ESTATE ACCESS TO USER S ELECTRONIC MANAGEMENT SYSTEM

1 SB By Senators Orr and Holley. 4 RFD: Governmental Affairs. 5 First Read: 13-FEB-18. Page 0

Drive Trust Alliance Member Services Agreement

DIABETIC SUPPLIES REBATE AGREEMENT

END-USER LICENSE AGREEMENT

EWR, INC. PARTICIPANT AGREEMENT

VOLUNTARY DISCLOSURE AGREEMENT. The State of Florida Department of Financial Services, Division of Unclaimed Property, 200

EXHIBIT G PRIVACY AND INFORMATION SECURITY PROVISIONS

Trustwave Subscriber Agreement for Digital Certificates Ver. 15FEB17

ASSETMARK TRUST COMPANY TOTALCASH MANAGER TM ACCESS AUTHORIZATION AGREEMENT

Site Builder End User License Agreement

EWR, INC. PEANUT PARTICIPANT AGREEMENT. THIS AGREEMENT is entered into as of the day of, by and between EWR,

SAMPLE FORMS - CONTRACTS DATA REQUEST AND RELEASE PROCESS NON-DISCLOSURE AGREEMENT, Form (See Attached Form)

Northern California Regional Intelligence Center

EMC Proven Professional Program

AGREEMENT BETWEEN KIDS IN DISTRESS, INC., AND BROWARD COUNTY FOR SUBSTANCE ABUSE SERVICES Contract Number: KID-BARC-CFS-2017

ENT CREDIT UNION ELECTRONIC DEPOSIT AGREEMENT

JOINT MARKETING AND SALES REFERRAL AGREEMENT

USE OF MLS IDX LISTING DATA BY RETS COMPATIBLE VENDOR

Security Breach Notification Chart

rdd Doc 825 Filed 12/11/17 Entered 12/11/17 16:29:55 Main Document Pg 1 of 4

AGREEMENT FOR SERVICE AGREEMENT FOR SERVICE

EARLY INTERVENTION SERVICES INTERAGENCY AGREEMENT BETWEEN LAKE STEVENS SCHOOL DISTRICT AND SNOHOMISH COUNTY

DATA COLLECTION AGREEMENT MASTER TERMS RECITALS

Auto-print SDK/ACTIVEX DISTRIBUTION LICENSE AGREEMENT

DATA USE AGREEMENT RECITALS

SERVICE PROVIDER SECURITY AGREEMENT. Clemson University ( Clemson ) and. Vendor Name Here. ( Service Provider )

Provider Electronic Trading Partner Agreement

Authorizing the City Manager to execute an Agreement between the City of Columbia and Passport Parking

PeachCourt Document Access User Agreement Terms of Use

Mobile Deposit User Agreement

PURCHASE ORDER TERMS AND CONDITIONS

GREEN ELECTRONICS COUNCIL UL ECOLOGO/EPEAT JOINT CERTIFICATION LICENSE AND PARTICIPATING MANUFACTURER AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

EMPOWER SOFTWARE HOSTED SERVICES AGREEMENT

CONTRACTOR AGREEMENT. WHEREAS, Contractor wishes to provide such goods and/or services to NACCHO; ARTICLE I: SPECIAL PROVISIONS

AGREEMENT FOR SERVICES OF INDEPENDENT CONTRACTOR

OTTO Archive, LLC CONTENT LICENSE AGREEMENT

Delaware State Supplemental Rebate Agreement And (Manufacturer) As used in this Agreement, the following terms have the following

Terms and Conditions for Use of Patton Redirection Services and Server Use

THE GENERAL ASSEMBLY OF PENNSYLVANIA HOUSE BILL

HDCP RESELLER ASSOCIATE AGREEMENT W I T N E S S E T H

INTERNET ADVERTISING AGREEMENT. THIS AGREEMENT made as of this day of, 2004.

Connecticut Multiple Listing Service, Inc.

RESOLUTION AGREEMENT. I. Recitals

Sales Agent Agreement

INDICATORS OF COMPLIANCE WITH STANDARDS FOR BIRTH CENTERS END USER LICENSE AGREEMENT

PCM Initialization Kit LEASE AGREEMENT

CONSULTANT AGREEMENT

Security Breach Notification Chart

REMOTE DEPOSIT ANYWHERE AGREEMENT

CORE TECHNOLOGIES CONSULTING, LLC UNLIMITED OEM SOFTWARE LICENSE AGREEMENT

CONSIGNMENT AGREEMENT The Golden Closet 7243 Coldwater Canyon Avenue North Hollywood, CA 91605

TUCOWS.INFO domain APPLICATION SERVICE TERMS OF USE

CUSTODIAL AGREEMENT. by and among THE TORONTO-DOMINION BANK. as Issuer, Seller, Servicer and Cash Manager. and

Form of Registration Agreement

FULLY EXECUTED Contract Number: Contract Effective Date: 08/08/2014 Valid From: 07/01/2014 To: 12/31/2099

DATABASE AND TRADEMARK LICENSE AGREEMENT

NON-TRANSFERABLE AND NON-EXCLUSIVE LICENSE AGREEMENT

Please return the following to

SOFTWARE LICENSE TERMS AND CONDITIONS

CLINICAL TRIAL AGREEMENT [Identification of the trial, Person in charge of research] Sponsor of the Trial: Institution:

Framework Contract for the provision of Reference Mapping Products

KENTUCKY BROADCASTERS ASSOCIATION

AGREEMENT. between BROWARD COUNTY, FLORIDA. and. for BILLING RELATED TO THE SOUTHWEST REGIONAL LANDFILL

Equipment Loan and Collaboration Agreement. Between. Company Name. and the. University of Florida Board of Trustees

Sales Order (Processing Services)

Terms and Conditions Database License Agreement ( Agreement )

(i) the data provided in the domain name registration application is true, correct, up to date and complete,

ANNOTATION SDK/ACTIVEX DEVELOPMENT LICENSE AGREEMENT

WASHINGTON COUNTY PROPERTY RECORDS TECHNOLOGY AND INFORMATION SUBSCRIPTION AGREEMENT

Transcription:

Limited Data Set Data Use Agreement This Agreement is made and entered into by and between (hereinafter Applicant ) and the State of Florida Agency for Health Care Administration, Florida Center for Health Information and Transparency (hereinafter Agency ). This agreement addresses the conditions under which the Agency will disclose and Applicant will obtain and use the limited data set specified herein. Applicant agrees to abide by the provisions of this agreement in the use of the limited data set obtained from the Agency. 1. Purpose of Agreement: Applicant represents and, in furnishing the limited data set specified in this agreement, the Agency relies upon such representation that the limited data set will be used solely for the purpose(s) of research or public health. The data specified in this agreement will be used solely for purposes of: Research - a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Describe in detail below how the study is compliant with this definition of research and address EACH of the following: Describe the emphasis of study, the goal(s) of the study and the findings (who the study will assist and how the study will assist them). Or; Public Health - activities conducted by or at the direction of a public health authority that are within its legally authorized duties. A public health authority is an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. Provide in detail, the public health activity to be advanced by obtaining this data set, and if your organization is not a public health authority, but is acting on behalf of a public health authority, attach written authorization for you to act on behalf of the public health authority (by way of example and not limitation, a contract, grant, or business associate agreement). 1 Revised: August 2017

Justification for Access: This agreement is authorized under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and associated federal regulations, specifically 45 CFR 164.514 regarding disclosure of limited data sets. 2. Description of Data: The following limited data sets will be disclosed or used pursuant to this agreement: Description data sets(s), time period(s), etc.: 3. Ownership Rights: The Applicant agrees that the Agency retains all ownership rights to the limited data set referred to in this agreement, and that Applicant does not obtain any right, title, or interest in any of the data furnished by the Agency. The Applicant further agrees that the Agency makes no representation or warranty, either implied or express, with respect to the accuracy of any data in the limited data set. 4. Point of Contact: The Agency designates the following individual as the Agency s point of contact for this agreement: Arlene Schwahn 2727 Mahan Drive, Mail Stop 16 Tallahassee, FL 32308 Email Address: Arlene.Schwahn@ahca.myflorida.com Phone Number: (850) 412-3772; FAX Number: (850) 488-1261 All correspondence regarding this agreement, including, but not limited to notification of change of custodianship, uses or disclosures of the limited data set not provided for by this agreement, disposition of the limited data set, and termination of this agreement, shall be addressed to the point of contact. 5. Custodial Responsibility: Applicant names the following custodian of the designated record set on behalf of the Applicant: Name of custodian Name of company or organization Street address City/ State/ Zip code Phone number 2 Revised: August 2017

(Applicant: Please provide a list on a separate sheet of paper of all individuals or entities that require the limited data set to perform the functions of this agreement): The custodian shall be responsible for the observance of all conditions of use and for the maintenance of safeguards as specified in this agreement to prevent unauthorized use. Applicant shall notify the Agency in writing within fifteen (15) days of any change of custodianship. Notification of change of custodianship shall be delivered by certified mail, return receipt requested, or in person with proof of delivery. 6. Payment: Simultaneous with the execution hereof, and pursuant to Chapter 119, Florida Statutes, Applicant shall pay the Agency $ to reimburse the Agency for costs and expenses incurred by the Agency in generating the data specified in this agreement. 7. Permissible Uses and Disclosures: Applicant shall not use or further disclose the limited data set specified in this agreement except as permitted by this agreement or as required by federal or Florida law. Applicant shall establish appropriate administrative, technical, and physical safeguards compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and associated federal regulations and Florida law to protect the confidentiality of and to prevent unauthorized use or access to the limited data set. Applicant shall not release or allow the release of the limited data set specified in this agreement to any persons or entities other than as permitted by the agreement. Applicant shall record and maintain a list of all individuals and entities that are permitted to use or receive the limited data set per Section 5 of the agreement and the list must be updated when changes occur. Applicant shall restrict disclosure of the limited data set to the minimum number of individuals listed in Section 5 of the agreement who require the information in order to perform the functions of this agreement. Applicant shall instruct individuals to which the limited data set is disclosed of all obligations under this agreement and shall require the individuals to maintain those obligations. Applicant shall secure the limited data set when the data is not under the direct and immediate control of an authorized individual performing the functions of this agreement. The Applicant must conduct all activities in compliance with 45 CFR 164 Subpart C to ensure data security, including, but not limited to encryption of all information that is confidential under Florida or federal law, while in transmission and while resident on portable electronic media storage devices. Encryption shall be consistent with Federal Information Processing Standards (FIPS), and/or the National Institute of Standards and Technology (NIST) publications regarding cryptographic standards. Applicant shall not attempt to identify the information or use the limited data set to track or link an individual s data to any other data source, and any profiles or descriptions of individuals that the Applicant constructs from the limited data set shall not be further released or published without the express written consent of the Agency. 3 Revised: August 2017

Applicant shall not attempt to use the limited data set to determine real or likely identities, gain information about an individual, or contact an individual. Applicant shall make a good faith effort to identify any use or disclosure of the limited data set not provided for by this agreement. Applicant shall notify the Agency by certified mail, return receipt requested, or in person with proof of delivery within seventy-two (72) hours of discovery of any use or disclosure of the limited data set not provided for by this agreement of which Applicant is aware. Applicant shall not sell, transfer, or trade any of the limited data sets unless specifically authorized by the Agency. A violation of this section shall constitute a material breach of this agreement. 8. Disclosure to Agents: Applicant shall ensure that any agents of Applicant, including, but not limited to a contractor or subcontractor, to whom Applicant provides the limited data set specified in the agreement agree to the same terms, conditions, and restrictions that apply to Applicant with respect to the limited data set. The Applicant shall document all disclosures of the limited data set specified in this agreement and provide to the Agency upon request an accounting of all disclosures. 9. Reporting: The Applicant shall make a good faith effort to identify any use or disclosure of data released pursuant to this agreement not provided for in this agreement. 9a. To Agency The Applicant shall report to the Agency, within seventy-two (72) hours of discovery of any use or disclosure of data not provided for by this agreement of which Applicant is aware. Upon direction by the Agency, the Applicant shall submit to the Agency a written breach risk assessment conducted in accordance with 45 CFR 164.402. 9b. To Individuals In the case of a breach (as defined by 45 CFR 164.402) of data provided to the Applicant under this agreement discovered by the Applicant, the Applicant shall first notify the Agency of the pertinent details of the breach and upon prior approval of the Agency shall notify each individual whose data has been, or is reasonably believed by the Applicant to have been accessed, acquired, used or disclosed as a result of such breach. Such notification shall be in writing by firstclass mail to the individual (or next of kin, where the individual is deceased) respectively, or, if specified as a preference by the individual, by electronic mail. Where there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes written (or, if specifically requested, electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting on the web site of the covered entity involved or notice in major print of broadcast media, including major media in the geographic areas where the individuals affected by the breach likely reside. In any case deemed by the Applicant to require urgency because of possible 4 Revised: August 2017

imminent misuse of the data, the Applicant may also provide information to individuals by telephone or other means, as appropriate. 9c. To Media In the case of a breach of data contained in this agreement discovered by the Applicant where the data of more than 500 persons is reasonably believed to have been accessed, acquired, used, or disclosed, after prior approval by the Agency, the Applicant shall provide notice to prominent media outlets serving the State or relevant portion of the State involved. 9d. To Secretary of Health and Human Services (HHS) The Applicant shall cooperate with the Agency to provide notice to the Secretary of HHS of data that has been acquired or disclosed in a breach. Applicants Who Are HIPAA Covered Entities In the event of a breach by an agent of the Applicant, and the Applicant is a HIPAA covered entity, the Applicant shall be considered the covered entity for purposes of notification to the Secretary of HHS pursuant to 45 CFR 164.408. The Applicant shall be responsible for filing the notification to the Secretary of HHS and will identify itself as the covered entity in the notice. If the breach was with respect to 500 or more individuals, the Applicant shall provide a copy of the notice to the Agency, along with the Applicant s breach risk assessment for review at least 15 business days prior to the date required by 45 CFR 164.408(b) for the Applicant to file the notice with the Secretary of HHS. If the breach was with respect to less than 500 individuals, the Applicant shall notify the Secretary of HHS within the notification timeframe imposed by 45 CFR 164.408(c) and shall contemporaneously submit copies of said notifications to the Agency. 9e. Content of Notices All notices required under this section shall include the content set forth in Section 13402(f), Title XIII of the American Recovery and Reinvestment Act of 2009 and 45 CFR 164.404(c), except that references therein to a covered entity shall be read as references to the Applicant. 9f. Breach of Electronic Personal Information In addition to the provisions under section 9a through 9e of this agreement, the Applicant shall comply with s. 501.171, F.S, regarding breach reporting and shall contact the Agency within seventy-two hours (72) hours of the discovery of any disclosure of electronic personal information, as defined by s. 501.171, F.S., not provided for in this agreement. 9g. Financial Responsibility The Applicant shall be responsible for all costs related to the notices required under this section. 10. Release of Statistical and Research Results: Subject to the conditions of this agreement, aggregated statistical tabulations and research results derived from the limited data set specified in this agreement may be released or published; however, statistical tabulations or research results that may 5 Revised: August 2017

reveal information about an individual s record or lead to the identification of individuals, either alone or in combination with other information, shall not be published or released. Any publications created by Applicant or any agent of Applicant that result from the limited data set must state that the publication was derived from a limited data set supplied by the Agency but that the Agency specifically disclaims responsibility for any analysis, interpretations, or conclusions that may be created as a result of the limited data set. 11. Penalties: Applicant acknowledges that failure to abide by the terms of this agreement may constitute a wrongful disclosure that subjects Applicant to penalties under applicable criminal or civil law. Additionally, Applicant acknowledges that the Agency for Health Care Administration may be obligated to report the failure of Applicants to abide by the terms of this agreement to appropriate state and/or federal authorities for assessment of said criminal and/or civil penalties against the Applicant. Applicant shall inform all persons with authorized access to the limited data set specified in this agreement of the penalties for wrongful disclosure of data. Further, the Applicant acknowledges that it is not an agent of the Agency and accepts full responsibility in the event the Applicant breaches or compromises the confidentiality or security of the data furnished by the Agency or discloses the data in any manner not permitted under this agreement. 12. Indemnification: Applicant agrees to indemnify, defend, and hold harmless the Agency from any or all fines, claims, and losses accruing to any person, organization, or other legal entity as a result of violation of this agreement to the extent permitted by federal and Florida law. 13. Disposition of Data: Applicant may retain the limited data set specified in this agreement for a period of two (2) years until, hereinafter referred to as the retention date. Notwithstanding the termination date of this agreement, the Applicant s duties and obligations survive and are enforceable by the Agency throughout the retention period. Unless otherwise agreed to in writing, Applicant shall destroy the limited data set and any information derived from its contents, including all copies, modified data, or hybrid or merged databases containing the limited data set, upon the retention date. Data destruction shall be by shredding, burning, or otherwise rendering data unreadable and unusable in paper and electronic form. Applicant shall provide the Agency with written confirmation of the destruction of the limited data set information. If both parties agree in writing to amend the retention date, Applicant shall extend the protections of this agreement and maintain the confidentiality of the limited data set until the amended retention date. 14. Term of Agreement: This agreement shall be effective upon execution by both parties and shall remain in effect until the retention date, or until terminated by one of the parties. The Agency may, by no less than twenty-four (24) hours written notice to Applicant, terminate this agreement upon material breach of the agreement. This agreement may be terminated by either party without cause upon thirty (30) day written notice. Notice of termination shall be delivered by certified mail, return receipt requested, or in person with proof of delivery. 6 Revised: August 2017

The terms of this agreement may not be waived, altered, modified, or amended except by written agreement of both parties. This agreement supersedes any and all agreements between the parties with respect to the use of the limited data set specified in this agreement. For Applicant For the Agency for Health Care Administration Signature: Signature: Print Name: Print Name: Patricia Vidal Title: Title: Administrator Company: Date: Date: 7 Revised: August 2017

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback