HIPAA DATA USE AGREEMENT

This Data Use Agreement (this "Agreement") is entered into effective as of 20 and until months thereafter the Effective Date by and among St. Jude Children's Research Hospital, Inc. (herein "Covered Entity") and Name of Researcher/Institution (herein "Recipient") in order to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et seq., and regulations promulgated thereunder, as may be amended from time to time (statute and regulations hereafter collectively referred to as "HIPAA").

STATEMENT OF AGREEMENT

1. HIPAA Compliance. Recipient hereby agrees to fully comply with the requirements under HIPAA and with respect to Limited Data Set information, including, without limitation, 45 C.F.R. 164.514, throughout the term of this Agreement. Further, Recipient agrees that to the extent it has access to Protected Health Information as defined under HIPAA ("PHI") of the Covered Entity, Recipient will fully comply with the requirements of HIPAA and this Agreement with respect to such PHI; and, further, that every agent, employee, subsidiary, and affiliate of Recipient to whom it provides PHI or Limited Data Set information received from, or created or received by Recipient on behalf of, Covered Entity will be required to fully comply with HIPAA, and will be bound by written agreement to the same restrictions, terms and conditions as set forth in this Agreement.

The Recipient agrees that the individual or class of individuals, identified below is the designated Custodian of the Limited Data Set or PHI and will be personally responsible for the observance of all conditions of the use or disclosure and for the establishment and maintenance of all reasonable and administrative, technical, and physical safeguards, as required by applicable state or federal laws, including HIPAA to prevent unauthorized access, disclosure or use of PHI or Breach of Unsecured Protected Health Information. Recipient will notify Covered Entity in writing within five (5) business days of any change of custodianship of PHI or the Limited Data Set.

2. Use and Disclosure. Recipient agrees that it shall not use or disclose PHI or Limited Data Set information except as permitted under this Agreement. Recipient may use or disclose the Limited Data Set information received or created by it: (a) to perform its obligations under this Agreement consistent only with Research, Public Health or limited Health Care Operations purposes, including without limitation the following:

Specific Description of Protocol: [include name of protocol with specificity] and further, in order to properly manage and administer its business, (b) to carry out its legal responsibilities if the disclosure of PHI or Limited Data Set is required by law, or (c) to carry out data aggregation functions, as defined by HIPAA.

If pursuant to Section 1 above, Recipient discloses Limited Data Set information to other entities, the Recipient must obtain reasonable assurances, including all reasonable and administrative, technical, and physical safeguards from the entity to whom the information is disclosed that the Limited Data Set or PHI will be held confidentially and used or further disclosed only as required by law or for the purpose permitted under this Agreement. Further, the entity would be required to notify Recipient in writing of any instances of which it is aware that the confidentiality of PHI or Limited Data Set is compromised or an impermissible use or disclosure of PHI has occurred in violation of this Agreement or if such information has been Breached. Recipient shall not disclose Limited Data Set or PHI in a manner that would violate HIPAA if Recipient were a covered entity.

Recipient may only release the Limited Data Set or PHI to the following persons or classes of persons to use or disclose such information: Name of persons or description of workforce and/or business associates (if applicable) [name of all persons who will have access to PHI] or other persons as may be agreed upon between Covered Entity and Recipient in writing from time to time.

Recipient will not identify or attempt to identify the individual(s) to which the Limited Data Set information pertains or contact or attempt to contact the individual(s) that Recipient believes to be the subject of any Limited Data Set information.
Recipient will not otherwise disclose, release, reveal, show, sell, rent, lease, loan or otherwise grant access to Limited Data Set or PHI to any person or entity and will not attempt to re-sell or market Limited Data Set or PHI.

3. Safeguards. Recipient agrees to develop, document, use, and keep current appropriate procedural, administrative, physical, technical, and electronic safeguards, sufficient to comply with the requirements of HIPAA, to prevent any use or disclosure of Limited Data Set information or PHI other than as permitted or required by this Agreement. Recipient agrees to notify Covered Entity, when requested by Covered Entity, of the location of any Limited Data Set information or PHI disclosed by Covered Entity or created by Recipient on behalf of Covered Entity and held by or under the control of Recipient or its subcontractors or agents or those to whom Recipient has disclosed such Limited Data Set information or PHI.

4. Report of Improper Use or Disclosure. Recipient shall immediately report but no later than five (5) business days to Covered Entity any information of which it becomes aware, including any Limited Data Set information or PHI from the Recipient or other entities, concerning any use or disclosure of PHI or Limited Data Set information that is not permitted by this Agreement or under HIPAA including but not limited to any Breaches of Unsecured Protected Health Information, security incident or any impermissible use or disclosure of PHI or Limited Data Set information in violation of HIPAA. The Recipient will act in good faith with the Covered Entity to mitigate any potential or actual harm due to the improper use or disclosure of PHI or Limited Data Set information.

The content of such a report of the Recipient to the Covered Entity shall include, but is not limited to: a brief description of what happened, including the date of the Breach or Security Incident or other inappropriate or impermissible or unlawful use or disclosure of PHI or Limited Data Set, if known; and a description of the types of PHI that were involved (e.g., SSN, name, DOB, home address, account number or disability code). Additionally, this report to the Covered Entity shall identify the nature of the violating use or disclosure, the PHI or Limited Data Set information used or disclosed, who made the violating use or received the disclosure, what corrective action Recipient has or will take to prevent further violations, including any mitigation, and provide any other information as Covered Entity may request.

5. Termination Rights; Mitigation. Recipient acknowledges and agrees that Covered Entity shall have the right to terminate this Agreement in the event Recipient breaches or fails to comply with the requirements set forth in this Agreement. In addition, Covered Entity may immediately terminate the Agreement, if Covered Entity determines, in its reasonable discretion, that Recipient has failed to comply with a material term(s) of the Agreement required by HIPAA and is substantially not in compliance with the requirements of HIPAA. In addition to its obligations under this Agreement, Recipient shall take any other reasonable actions available to it to mitigate any detrimental effects of such violation or failure to comply.

6. Breach.
Upon material breach or violation of the Agreement by Recipient, and if Recipient does not cure such breach or violation within a reasonable period of time and no later than twenty (20) business days, then Covered Entity may terminate the Agreement and request that Recipient destroy or return all PHI or Limited Data Set information provided by Covered Entity to Recipient and by Recipient to its agents or subcontractors. If requested by Covered Entity, Recipient will ensure that all originals and copies of PHI or Limited Data Set, on all media and as held by either Recipient or its agents or subcontractors, will be either returned to Covered Entity as applicable, or destroyed within twenty (20) business days of termination of this Agreement and will certify in writing to such return or destruction within such twenty (20) business days.

In addition, in the event of a breach or violation, regardless of whether the breach or violation results in termination, Covered Entity may, in its sole discretion, take one or more of the following actions:

i. Prohibit Recipient from obtaining future access to Covered Entity's data files and data elements or other PHI;
ii. Report the breach or violation to the Institutional Review Board involved, if any, with Recipient's research for which the Limited Data Set was obtained;
iii. Use any and all remedies as may be available to it under law, including seeking injunctive relief, to prevent unauthorized use or disclosure of PHI or Limited Data Set; and/or
iv. Require Recipient to submit a corrective action plan with steps designed to prevent any future unlawful, unauthorized disclosures or uses of PHI or Limited Data Set information.

Covered Entity will be responsible to provide notification to individuals whose unsecured PHI or Breach has been disclosed, as well as the Secretary and the media, as required by Sec. 13402 of the HITECH Act, 42 U.S.C.A. 17932. Additionally, if Covered Entity knows of a pattern of activity or practice of Recipient that constitutes a breach or violation of Recipient's obligations under this Agreement, Covered Entity or Recipient may take any steps reasonably necessary to cure such breach and make Recipient comply, and, if such steps are unsuccessful, Covered Entity may either (a) terminate this Agreement, if feasible, or (b) if cure and termination are not feasible, discontinue disclosure of Limited Data Set information or PHI to Recipient and report the breach or violation to the U.S. Department of Health and Human Services (DHHS).

If Recipient is a covered entity or business associate, as defined by HIPAA, and violates the terms and conditions of this Agreement or any other agreement in its capacity as a recipient of Limited Data Set information or business associate of another covered entity, Recipient shall, for purposes of this Agreement, not be in compliance with HIPAA.

7. Return of PHI and Limited Data Set Information.
Recipient agrees that upon termination of this Agreement, and if feasible, Recipient shall, at its expense, (a) return or destroy all PHI and Limited Data Set information received from, or created or received by Recipient or by any of Recipient's subcontractors or agents on behalf of, Covered Entity that Recipient or its subcontractors or agents maintain or control in any form or manner and retain no copies of such information or, (b) if such return or destruction is not feasible, immediately notify Covered Entity of the reasons return or destruction are not feasible, and extend indefinitely the protection of this Agreement to such PHI and Limited Data Set information and limit further uses and disclosures to those purposes that make the return or destruction of the PHI and Limited Data Set information not feasible.

8. Subpoena or Legal Process. Upon receipt by Recipient of a subpoena or other legal process that seeks disclosure of PHI or Limited Data Set, Recipient shall immediately provide written notice to Covered Entity so that Covered Entity may have the option to seek a protective order, on Covered Entity's own behalf, with respect to such PHI or Limited Data Set. Recipient will fully cooperate with any attempt by Covered Entity to seek such a protective order, including but not limited to withholding from production any data before Covered Entity has had an opportunity to obtain such an order or to seek review of the denial of such an order or the issuance of an order that Covered Entity deems insufficiently protective.

MISCELLANEOUS

A. Indemnification.
Recipient will indemnify, defend, and hold harmless Covered Entity and any of their affiliates, and their respective trustees, officers, directors, employees, agents, from and against any claim, cause of action, liability, damage, cost or expense, including without limitation, reasonable attorney's fees and court costs, arising out of or in connection with any unauthorized or prohibited use or disclosure of PHI or Limited Data Set or any other breach of this Agreement by Recipient or any subcontractor, agent, or person under Recipient's control.

B. Amendment. The Covered Entity and Recipient agree to amend this Agreement from time to time, as Covered Entity deems necessary for Covered Entity to comply with all applicable federal and state requirements regarding the privacy, security and confidentiality of Limited Data Set or PHI.

C. Construction of Terms and Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with all applicable federal and state law and regulatory requirements regarding the privacy, security and confidentiality of Limited Data Set or PHI.

D. Third Party Beneficiaries. There are no intended third party beneficiaries to this Agreement. Without in any way limiting the foregoing, it is the parties' specific intent that nothing contained in this Agreement gives rise to any right or cause of action, contractual or otherwise, in, by or on behalf of the individuals or entities whose information is used or disclosed pursuant to this Agreement.

E. Waiver. The waiver by either of the parties of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or any other provision hereof and shall not affect the right of either party to require performance at a later time. No party may rely on the waiver of a provision of this Agreement unless the party obtains written consent signed by the waiving party.

F. Notices. Any notice required or permitted by this Agreement shall be in writing and shall be deemed given upon receipt when sent via: (i) United States Mail, postage prepaid, by certified or registered mail with return receipt requested, (ii) an overnight courier, addressed to John Bailey, HIPAA Privacy Officer, St. Jude Children's Research Hospital, Inc., 262 Danny Thomas Place, Mail Stop 280, Memphis, Tennessee 38105.

G. Assignment.
Neither party may assign this Agreement without the prior written consent of the other party. This Agreement will be binding upon and will be for the benefit of the parties hereto and their respective successors and assigns.

H. Headings. The headings or captions provided throughout this Agreement are for reference purposes only and shall not in any way affect the meaning or interpretation of this Agreement.

I. Governing Law, Jurisdiction, and Venue. These Terms and Conditions shall be governed by, construed and enforced in accordance with the laws of the State of Tennessee regardless of the choice of law rules of any jurisdiction. Each party irrevocably agrees that the courts of the State of Tennessee located in Shelby County shall have the sole and exclusive jurisdiction with respect to any action or proceeding at law or in equity arising out of or relating to these Terms and Conditions. Each party hereby submits to the personal jurisdiction of, and venue in, such court(s) for the purposes thereof, and expressly waives any claim of lack of jurisdiction, improper venue, or that such venue constitutes an inconvenient forum.

J. HIPAA Compliance. Recipient will comply with all other future applicable provisions of HIPAA and its regulations.

K. Agency. Nothing in the Agreement shall be construed to create an agency relationship between the parties.

L. Covered Entity's Name and Logo. Recipient may not use the Covered Entity's name, trade or service marks, or logos except upon the prior written consent of the American Lebanese Syrian Associated Charities (ALSAC) CEO, COO, or his designee, in concurrence with Covered Entity's CEO.

IN WITNESS WHEREOF, the parties have executed this Agreement effective upon the Effective Date set forth above.

Acknowledged and agreed to by:

Recipient, Name and Title
Date

Covered Entity
John Bailey
Global Privacy Counsel
St. Jude Children's Research Hospital, Inc.
Date