Agreements Related to HIPAA Data
Purpose
Ohio University is a Health Insurance Portability and Accountability Act (HIPAA) Hybrid Entity. As such, Ohio University has business activities that include both covered and non-covered functions. Agreements involving the use, disclosure, or processing of HIPAA data must be routed for review and signature by the HIPAA Privacy Officer.
Scope
This standard will apply to all Ohio University HIPAA Covered Entity Units. Additionally, this standard will apply to all Ohio University activities, services or research that involve protected health information and are thus subject to HIPAA regulations.
Standard
Agreements utilized by HIPAA Covered Entity units, or by Ohio University activities, services or research involving HIPAA data, may include, but are not limited to:
- Business Associate Agreements.
  - A Business Associate Agreement (BAA) is used when transferring data between a HIPAA covered entity and a person or entity that performs functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
  - Ohio University, as a HIPAA Hybrid Entity, may have departments or operating units that enter into a BAA as a covered entity. Similarly, there may be departments or operating units that enter into a BAA due to the nature of their relationship with third-party HIPAA Covered Entities.
- Data Use Agreements or Data Sharing Agreements.
  - A Data Use or Data Sharing Agreement is used when transferring a data set, non-public software, or any other data subject to restrictions of use between two or more parties.
- Non-Disclosure or Confidentiality Agreements.
  - A Non-Disclosure or Confidentiality Agreement is used to ensure that information disclosed during the course of business between two or more entities is kept confidential and used only for those purposes outlined within the agreement.
- Material Transfer Agreements.
  - A Material Transfer Agreement is used when sending or receiving physical materials to or from Ohio University.
Such agreements, including any applicable Memorandum of Understanding (MOU), Service Agreements, or a brief summary of the activities relating to the data agreements outlined above, must be routed to the HIPAA Privacy Officer for review. The purpose of this review is to ensure the necessary data protections are in place to minimize risk to institutional data. Upon review and approval, the HIPAA Privacy Officer will initiate the Ohio University Contract/Agreement Routing form and route to the appropriate university stakeholders for review, approval, and corresponding signature.
Definitions
- Memorandum of Understanding. A Memorandum of Understanding is an agreement that documents the intentions of two or more parties to move forward with a contract or agreement.
- Service Agreement. A Service Agreement refers to an agreement between two parties whereby one party is the provider of a given service and whereby the other party is the recipient of said service.
References
The following items are relevant to this policy:
- Policy 03.001 General Policy on Health Insurance Portability and Accountability Act (HIPAA) Compliance
- Ohio University Provider HIPAA Privacy Standards and Procedures [PDF]
- Ohio University Health Plan HIPAA Privacy Standards and Procedures [PDF]
Governance
This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, in the interest of ensuring the privacy and security of individuals' health information, as deemed appropriate based on the current regulatory requirement mandates.
Status: Approved
Effective: September 24, 2019