Page 65 - Privacy_Program

BUSINESS ASSOCIATE ASSURANCE [DP160]


        Scope: Enterprise
        Distribution: Executive Leadership, Director of Information Technology, Privacy and Data Security, Directors, Managers and
        Supervisors
        Purpose: To ensure third parties to whom the organization discloses Protected Health Information maintain an equivalent level
        of protection of that data.
        External Regulation or Standard: 45 C.F.R. §164.502(e), 164.504(e) and 164.532 ‐ business associate contract


        Who is Responsible     Statement    Policy, Standard, or Procedure Statement
                                Number
        CFO with Executive       DP160.1    The organization will take reasonable steps to ensure that third parties that
        Leadership, Director of             access, process, or receive Protected Health Information (PHI) under the
        Information                         organization's control take equivalent steps as the organization does to protect
        Technology, Privacy                 that data.
        and Data Security,
        Directors and Managers
        CFO                      DP160.2    The organization will ensure contracts or other arrangements between the
                                            organization and its business associates/vendors comply with the policies and
                                            procedures described herein and as required by law.
        CFO with Director of     DP160.3    Upon learning that a pattern of activity or practice of a business associate
        Information                         constitutes a material breach of PHI or violation of the business associate’s
        Technology, Privacy                 obligation under the contract or other arrangement, the organization will take
        and Data Security                   reasonable steps to cure the breach or end the violation. If such steps are
                                            unsuccessful:
        and Privacy Steering
        Committee
        CFO with Privacy        DP160.3a    (a)  terminate the contract or arrangement, if feasible; and/or
        Steering Committee


        CFO with Director       DP160.3b    (b)  report the breach as required under the HITECH Act if a determination is
        of Information                      made that a reportable breach of PHI has occurred.
        Technology,
        Privacy and Data
        Security and
        Privacy Steering
        Committee
        CFO with Director of     DP160.4    The organization will document satisfactory assurances of compliance with the
        Information                         policies and procedures herein through a written contract or other written
        Technology, Privacy                 agreement or arrangement with the business associate that establishes the
        and Data Security                   permitted and required uses and disclosures of PHI.

        CFO with Director of     DP160.5    The written contract or other written agreement or arrangement with a business
        Information                         associate will authorize termination of the contract by the organization if the
        Technology, Privacy                 organization determines that the business associate has violated a material term
        and Data Security                   of the contract.

        CFO with Director of     DP160.6    Written contracts or agreements between the organization and a business
        Information                         associate will provide that the business associate will:
        Technology, Privacy
        and Data Security


         GES CONFIDENTIAL