Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
EXTERNAL BUSINESS ASSOCIATE ASSESSMENT FOR NC DHHS For Use in Identifying DHHS Business Associate Relationships with another State Government Department or a Public/Private Contractor Section One: Introduction HIPAA Business Associate: A person or organization that performs a function or activity for, or on behalf of a HIPAA covered health care component or that provides certain legal, financial, or management services to a covered health care component; wherein such services involve the sharing of individually identifiable health information. External Business Associate: Another State Government Department: HIPAA covered service provided by a section or unit in another department/office/agency in state government (i.e., outside of DHHS such as the Office of the Attorney General) Must share individually identifiable health information Requires a Business Associate Addendum to the DHHS Memorandum of Understanding Public/Private Contractor: HIPAA covered service provided through contractual agreement Must share individually identifiable health information Requires a Business Associate Addendum to the DHHS Standard Contract Section Two: Instructions 1. Complete this External Business Associate Assessment for every MOU with another state government department/office/agency and for every contract with a public or private contractor. Complete Sections Three, Four, and Six if agreement is with another state government department/office/agency. Complete Sections Three, Five, and Six if a contract is with a public or private contractor. 2. If it is determined that a business associate relationship exists, notify the Agency Privacy Official in writing. 3. If there are questions about the privacy relationship of a service provider with the agency, contact the Agency Privacy Official for assistance with that determination. 4. If no business associate relationship exists, process the MOU or contract in the usual manner. 493736251 Page 1 of 6 External Business Associate Assessment Section Three: General Information DHHS Division/Office Contract Number Agency Contract Administrator Date Assessment Completed Section Four: Assessment of Service Provided by Another Department in State Government 1. Has a relationship been initiated that allows an agency in another state government department/office/agency to perform a function or activity for, or on behalf of, a DHHS HIPAA covered health care component? Yes No Name of State Government Department/Office/Agency ____________________________ Yes – Go to Question 2. No – Stop. There is no business associate relationship. _____________________________ Service Provided _____________________________ _____________________________ 2. Is the function or service to be rendered by another state government department/office/ agency an activity other than treatment of clients? Note: The sharing of individually identifiable health information with another treatment provider for treatment purposes only does not require a business associate agreement. Yes – Go to Question 3. No – Stop. There is no business associate relationship. Yes No 3. Does the function or service to be rendered by another state government department/office/ agency involve the use or disclosure of individually identifiable health information? Note: Data that does not contain individually identifiable health information does not have to be protected through a business associate agreement. Yes – Go to Question 4. No – Stop. There is no business associate relationship. Yes No 4. Are the services rendered by staff from another state government department/office/ agency performed on the premises of a DHHS HIPAA covered health care component, using that component’s resources and following that component’s policies and procedures? 493736251 Note: Whenever a service is rendered on the premises of a DHHS HIPAA covered component, utilizing the component’s office space and supplies and following the component’s requirements, the person rendering such services is considered a member of that component’s workforce, and is therefore required to comply with that Page 2 of 6 No – Go to Question 5. Yes – Stop. There is no business associate relationship. External Business Associate Assessment Section Four: Assessment of Service Provided by Another Department in State Government Yes No 5. Is the type(s) of function/activity to be rendered by another state government department/office/ agency to the DHHS HIPAA covered health care component listed in column 2? Yes – See column 2 No – Activity listed below component’s privacy policies and procedures. Check appropriate service(s): Legal Attorney Representing Agency Actuarial Benefits Management Accounting Patient Accounts Billing Claims Processing Claims Administration Bill Collections Consulting Professional Services Special Population Assessments Data Aggregation Services Data Analysis Data Processing Data Administration Accreditation Services JCAHO Council on Accreditation Financial Services Re-pricing Rate Setting Management Services Practice Management Software Support Utilization Review Quality Assurance Contract Analysis Central Office Supervision Administrative Services Security Dietary Machine Maintenance Facility Maintenance Landscaping Housekeeping Hardware Support Audits/Surveys Purchasing 493736251 Page 3 of 6 Yes – External Business Associate Identified Note: The specified function/activity, which involves the sharing of individually identifiable health information, is to be provided by another state government department/office/ agency. This constitutes an External Business Associate relationship and such information must be protected. Therefore, a Business Associate Addendum must be developed and attached to the DHHS Memorandum of Understanding with the department/office/ agency identified above. No – Stop. There is no business associate relationship. External Business Associate Assessment Section Five: Assessment of Service Provided by Public or Private Contractor 1. Has a relationship been initiated that allows a public or private contractor to perform a function or activity for, or on behalf of a DHHS HIPAA covered health care component? Yes No 2. Is the function or service to be rendered by a public or private contractor an activity other than treatment of clients? Name of Contractor ______________________________ ______________________________ Yes – Go to Question 2. No – Stop. There is no business associate relationship. Service Provided ______________________________ ______________________________ Note: The sharing of individually identifiable health information with another treatment provider for treatment purposes only does not require a business associate agreement. Yes – Go to Question 3. Note: Data that does not contain individually identifiable health information does not have to be protected through a business associate agreement. Yes – Go to Question 4. No – Stop. There is no business associate relationship. Yes No 3. Does the function or service to be rendered by a public or private contractor involve the use or disclosure of individually identifiable health information? No – Stop. There is no business associate relationship. Yes No 4. Are the services rendered by a public or private contractor performed on the premises of a DHHS HIPAA covered health care component, using that component’s resources and following that component’s policies and procedures? Note: Whenever a service is rendered on the premises of a DHHS HIPAA covered component, utilizing that component’s office and supplies and following that component’s requirements, the person rendering such services is considered a member of that component’s workforce, and is therefore required to comply with that component’s privacy policies and procedures. No – Go to Question 5. Yes – Stop. There is no business associate relationship. Yes No 5. Is the type(s) of function/activity to be rendered by a public or private contractor to the DHHS covered health 493736251 Check appropriate service(s): Legal Yes - External Business Associate Identified Attorney Representing Agency Actuarial Note: The specified function/activity, which Page 4 of 6 External Business Associate Assessment Section Five: Assessment of Service Provided by Public or Private Contractor care component listed in column 2? Yes – See column 2 No – Activity Listed below Benefits Management Accounting Patient Accounts Billing Claims Processing Claims Administration Bill Collections Consulting Professional Services Special Population Assessments Data Aggregation Services Data Analysis Data Processing Data Administration Accreditation Services JCAHO Council on Accreditation Financial Services involves the sharing of individually identifiable health information, is to be provided by a public or private contractor. This constitutes an External Business Associate relationship and such information must be protected. Therefore, a Business Associate Addendum must be developed and attached to the DHHS Standard Contract with the contractor identified above. No – Stop. There is no business associate relationship. Re-pricing Rate Setting Management Services Practice Management Software Support Utilization Review Quality Assurance Contract Analysis Central Office Supervision Administrative Services Security Dietary Machine Maintenance Facility Maintenance Landscaping Housekeeping Hardware Support Audits/Surveys Purchasing Section Six: Additional Requirements Regarding External Business Associates 1. Has the Agency Privacy Official been notified of this business associate 493736251 Note: The Agency Privacy Official needs to be notified of all services provided by a business associate. Notification may be Page 5 of 6 Yes – Go to Question 2. No - Stop. Business External Business Associate Assessment Section Six: Additional Requirements Regarding External Business Associates relationship? accomplished through e-mail. associate relationship was not established. Note: DHHS Privacy Policy, “Business Associates (Internal & External)” requires agencies to complete the “Business Associate Questionnaire” for all external business associates and to send a copy of that document to the Agency Privacy Official at the end of each state fiscal year. Yes – Go to Question 3. Yes No 2. Has the Business Associate Questionnaire been completed for this External Business Associate? Yes No 3. Has the Contracts Database been updated to indicate a business associate relationship with this external business associate? Yes No Note: The Contracts Database, which accounts for the “purchase” of a service, includes a box to be checked whenever a DHHS MOU or DHHS Contract has a Business Associate Addendum attached to it. This element allows for tracking of DHHS Business Associates. No – Stop. Business associate relationship was not established. Yes – Business Associate relationship has been properly acknowledged. No – Stop. There is no business associate relationship. ***End of Document*** 493736251 Page 6 of 6