Download External Business Associate Assessment

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
Document related concepts
no text concepts found
Transcript 
EXTERNAL BUSINESS ASSOCIATE ASSESSMENT
FOR NC DHHS
For Use in Identifying DHHS Business Associate Relationships with another State
Government Department or a Public/Private Contractor
Section One: Introduction
HIPAA Business Associate: A person or organization that performs a function or activity for, or on
behalf of a HIPAA covered health care component or that provides certain legal, financial, or management
services to a covered health care component; wherein such services involve the sharing of individually
identifiable health information.
External Business Associate:
Another State Government Department:



HIPAA covered service provided by a section or unit in another
department/office/agency in state government (i.e., outside of
DHHS such as the Office of the Attorney General)
Must share individually identifiable health information
Requires a Business Associate Addendum to the DHHS
Memorandum of Understanding
Public/Private Contractor:



HIPAA covered service provided through contractual agreement
Must share individually identifiable health information
Requires a Business Associate Addendum to the DHHS
Standard Contract
Section Two: Instructions
1. Complete this External Business Associate Assessment for every MOU with another state government
department/office/agency and for every contract with a public or private contractor. Complete Sections
Three, Four, and Six if agreement is with another state government department/office/agency. Complete
Sections Three, Five, and Six if a contract is with a public or private contractor.
2. If it is determined that a business associate relationship exists, notify the Agency Privacy Official in writing.
3. If there are questions about the privacy relationship of a service provider with the agency, contact the
Agency Privacy Official for assistance with that determination.
4. If no business associate relationship exists, process the MOU or contract in the usual manner.
493736251
Page 1 of 6
External Business Associate Assessment
Section Three: General Information
DHHS Division/Office
Contract Number
Agency Contract Administrator
Date Assessment Completed
Section Four: Assessment of Service Provided by Another Department in
State Government
1. Has a relationship been
initiated that allows an agency in
another state government
department/office/agency to
perform a function or activity for,
or on behalf of, a DHHS HIPAA
covered health care component?
Yes
No
Name of State Government
Department/Office/Agency
____________________________
Yes – Go to Question 2.
No – Stop. There is no business
associate relationship.
_____________________________
Service Provided
_____________________________
_____________________________
2. Is the function or service to be
rendered by another state
government department/office/
agency an activity other than
treatment of clients?
Note: The sharing of individually
identifiable health information with
another treatment provider for
treatment purposes only does not
require a business associate
agreement.
Yes – Go to Question 3.
No – Stop. There is no business
associate relationship.
Yes
No
3. Does the function or service to
be rendered by another state
government department/office/
agency involve the use or
disclosure of individually
identifiable health information?
Note: Data that does not contain
individually identifiable health
information does not have to be
protected through a business
associate agreement.
Yes – Go to Question 4.
No – Stop. There is no business
associate relationship.
Yes
No
4. Are the services rendered by
staff from another state
government department/office/
agency performed on the
premises of a DHHS HIPAA
covered health care component,
using that component’s
resources and following that
component’s policies and
procedures?
493736251
Note: Whenever a service is
rendered on the premises of a DHHS
HIPAA covered component, utilizing
the component’s office space and
supplies and following the
component’s requirements, the
person rendering such services is
considered a member of that
component’s workforce, and is
therefore required to comply with that
Page 2 of 6
No – Go to Question 5.
Yes – Stop. There is no business
associate relationship.
External Business Associate Assessment
Section Four: Assessment of Service Provided by Another Department in
State Government
Yes
No
5. Is the type(s) of
function/activity to be rendered
by another state government
department/office/ agency to the
DHHS HIPAA covered health
care component listed in column
2?
Yes – See column 2
No – Activity listed below
component’s privacy policies and
procedures.
Check appropriate service(s):
Legal
Attorney Representing Agency
Actuarial
Benefits Management
Accounting
Patient Accounts Billing
Claims Processing
Claims Administration
Bill Collections
Consulting
Professional Services
Special Population Assessments
Data Aggregation Services
Data Analysis
Data Processing
Data Administration
Accreditation Services
JCAHO
Council on Accreditation
Financial Services
Re-pricing
Rate Setting
Management Services
Practice Management
Software Support
Utilization Review
Quality Assurance Contract
Analysis
Central Office Supervision
Administrative Services
Security
Dietary
Machine Maintenance
Facility Maintenance
Landscaping
Housekeeping
Hardware Support
Audits/Surveys
Purchasing
493736251
Page 3 of 6
Yes – External Business
Associate Identified
Note: The specified
function/activity, which involves
the sharing of individually
identifiable health information, is
to be provided by another state
government department/office/
agency. This constitutes an
External Business Associate
relationship and such information
must be protected. Therefore, a
Business Associate Addendum
must be developed and attached
to the DHHS Memorandum of
Understanding with the
department/office/ agency
identified above.
No – Stop. There is no business
associate relationship.
External Business Associate Assessment
Section Five: Assessment of Service Provided by Public or Private
Contractor
1. Has a relationship been
initiated that allows a
public or private contractor
to perform a function or
activity for, or on behalf of
a DHHS HIPAA covered
health care component?
Yes
No
2. Is the function or
service to be rendered by
a public or private
contractor an activity
other than treatment of
clients?
Name of Contractor
______________________________
______________________________
Yes – Go to Question 2.
No – Stop. There is no
business associate
relationship.
Service Provided
______________________________
______________________________
Note: The sharing of individually
identifiable health information with
another treatment provider for
treatment purposes only does not
require a business associate
agreement.
Yes – Go to Question 3.
Note: Data that does not contain
individually identifiable health
information does not have to be
protected through a business
associate agreement.
Yes – Go to Question 4.
No – Stop. There is no
business associate
relationship.
Yes
No
3. Does the function or
service to be rendered by
a public or private
contractor involve the use
or disclosure of
individually identifiable
health information?
No – Stop. There is no
business associate
relationship.
Yes
No
4. Are the services
rendered by a public or
private contractor
performed on the
premises of a DHHS
HIPAA covered health
care component, using
that component’s
resources and following
that component’s policies
and procedures?
Note: Whenever a service is rendered on
the premises of a DHHS HIPAA covered
component, utilizing that component’s
office and supplies and following that
component’s requirements, the person
rendering such services is considered a
member of that component’s workforce,
and is therefore required to comply with
that component’s privacy policies and
procedures.
No – Go to Question 5.
Yes – Stop. There is no
business associate
relationship.
Yes
No
5. Is the type(s) of
function/activity to be
rendered by a public or
private contractor to the
DHHS covered health
493736251
Check appropriate service(s):
Legal
Yes - External Business
Associate Identified
Attorney Representing Agency
Actuarial
Note: The specified
function/activity, which
Page 4 of 6
External Business Associate Assessment
Section Five: Assessment of Service Provided by Public or Private
Contractor
care component listed in
column 2?
Yes – See column 2
No – Activity Listed
below
Benefits Management
Accounting
Patient Accounts Billing
Claims Processing
Claims Administration
Bill Collections
Consulting
Professional Services
Special Population Assessments
Data Aggregation Services
Data Analysis
Data Processing
Data Administration
Accreditation Services
JCAHO
Council on Accreditation
Financial Services
involves the sharing of
individually identifiable health
information, is to be provided
by a public or private
contractor. This constitutes
an External Business
Associate relationship and
such information must be
protected. Therefore, a
Business Associate
Addendum must be
developed and attached to
the DHHS Standard Contract
with the contractor identified
above.
No – Stop. There is no
business associate
relationship.
Re-pricing
Rate Setting
Management Services
Practice Management
Software Support
Utilization Review
Quality Assurance Contract Analysis
Central Office Supervision
Administrative Services
Security
Dietary
Machine Maintenance
Facility Maintenance
Landscaping
Housekeeping
Hardware Support
Audits/Surveys
Purchasing
Section Six: Additional Requirements Regarding External Business
Associates
1. Has the Agency Privacy
Official been notified of this
business associate
493736251
Note: The Agency Privacy Official needs to
be notified of all services provided by a
business associate. Notification may be
Page 5 of 6
Yes – Go to Question 2.
No - Stop. Business
External Business Associate Assessment
Section Six: Additional Requirements Regarding External Business
Associates
relationship?
accomplished through e-mail.
associate relationship was
not established.
Note: DHHS Privacy Policy, “Business
Associates (Internal & External)” requires
agencies to complete the “Business
Associate Questionnaire” for all external
business associates and to send a copy of
that document to the Agency Privacy Official
at the end of each state fiscal year.
Yes – Go to Question 3.
Yes
No
2. Has the Business
Associate Questionnaire
been completed for this
External Business
Associate?
Yes
No
3. Has the Contracts
Database been updated to
indicate a business associate
relationship with this external
business associate?
Yes
No
Note: The Contracts Database, which
accounts for the “purchase” of a service,
includes a box to be checked whenever a
DHHS MOU or DHHS Contract has a
Business Associate Addendum attached to
it. This element allows for tracking of DHHS
Business Associates.
No – Stop. Business
associate relationship was
not established.
Yes – Business Associate
relationship has been
properly acknowledged.
No – Stop. There is no
business associate
relationship.
***End of Document***
493736251
Page 6 of 6
Related documents
BUSINESS ADMINISTRATION DIVISION OF BUSINESS
BUSINESS ADMINISTRATION DIVISION OF BUSINESS
job specifications
job specifications
Character
Character
Document 8917995
Document 8917995
Chapter-7-Lecture
Chapter-7-Lecture
A Career in Pharmaceuticals AstraZeneca Canada Annil Ramsumair, Clinical Supplies Associate
A Career in Pharmaceuticals AstraZeneca Canada Annil Ramsumair, Clinical Supplies Associate
SELECTION CRITERIA Assistant or Associate Professor of Marketing
SELECTION CRITERIA Assistant or Associate Professor of Marketing
How Can This "Linkage" - Global Health Sciences
How Can This "Linkage" - Global Health Sciences
JOB AD Senior Research Associate American Sociological
JOB AD Senior Research Associate American Sociological
Associate`s expectation
Associate`s expectation