{
"ConformanceCriteria": [{
"Description": "The business associate contract between the covered entity and its business associate must require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information, as required by Section 164.410.",
"Number": 1,
"Citations": [{
"Description": "45 CFR Section 164.504(e)(2)(ii)(C)",
"Source": {"$ref": "#source-1080565857"}
}],
"$id": "criterion1",
"Name": "Report Breaches"
}],
"AssessmentSteps": [{
"ConformanceCriteria": [{"$ref": "#criterion1"}],
"Artifacts": [{
"Description": "Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.",
"Name": "A1"
}],
"Description": "Does the covered entity have, and enforce, a business associate contract that requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information, as required by Section 164.410?",
"Number": 1,
"$id": "BusinessAssociateUsesofPHI",
"Name": "Business Associate Uses of PHI"
}],
"$TMF_VERSION": "1.4",
"AssessmentStepsPreface": "To support the assessment of these requirements, the assessor should upload all or part of the business associate contract or agreement in question, and provide section references to the specific clause(s) whose text supports the assessor's determination.",
"IssuanceCriteria": "yes(ALL)",
"Metadata": {
"PublicationDateTime": "2017-02-17T00:00:00.000Z",
"TargetRecipientDescription": "Health care related organizations that want to demonstrate that they use, disclose, process and store protected health information (PHI) in a manner that complies with HIPAA regulations 45 CFR Parts 160 - 164.",
"Description": "Specifies requirements for the contents of the business associate contract between a covered entity and its business associate(s). The contract must require the business associate to report to the covered entity any use or disclosure of PHI not provided for by the contract, including breaches of unsecured PHI.",
"Keywords": [
"Health Care",
"HIPAA Privacy",
"Business Associate"
],
"ExtensionDescription": "This Trustmark Definition requires no extension data.",
"Name": "Business Associate Contracts - Breach Notification",
"Identifier": "https://artifacts.trustmarkinitiative.org/lib/tds/business-associate-contracts---breach-notification/1.0/",
"TargetProviderDescription": "Organizations that audit or evaluate health care related organizations for compliance with privacy and security policies and procedures in the Health Insurance Portability and Accountability Act (HIPAA).",
"ProviderEligibilityCriteria": "Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.",
"Version": "1.0",
"TrustmarkRevocationCriteria": "For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.",
"LegalNotice": "This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an \"AS IS\" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.",
"TargetRelyingPartyDescription": "Health care related organizations and individuals that require their trusted partners' privacy and security policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA).",
"TargetStakeholderDescription": "Health care related organizations that use protected health information (PHI) in a manner that is subject to regulations in the Health Insurance Portability and Accountability Act (HIPAA).",
"AssessorQualificationsDescription": "Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.",
"TrustmarkDefiningOrganization": {
"Identifier": "https://trustmarkinitiative.org/",
"PrimaryContact": {
"Email": "help@trustmarkinitiative.org",
"Telephone": "555-555-5555",
"Kind": "PRIMARY",
"WebsiteURL": "https://trustmarkinitiative.org/",
"Responder": "Trustmark Support"
},
"Name": "Trustmark Initiative"
}
},
"Terms": [
{
"Definition": "Covered entities engage \"business associates\" to work on their behalf. A business associate is a person (not part of the workforce of the covered entity) or organization that creates, receives, maintains, or transmits protected health information on behalf of the covered entity.\n\nCovered entities must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule.\n\nA covered entity may be a business associate of another covered entity.",
"Abbreviations": ["BA"],
"Name": "Business Associate"
},
{
"Definition": "Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.",
"Abbreviations": ["CI"],
"Name": "Correctional Institution"
},
{
"Definition": "The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as \"covered entities\": 1) health care providers if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard, 2) health plans, and 3) health care clearinghouses.\n\nA covered entity may be a business associate of another covered entity.",
"Abbreviations": ["CE"],
"Name": "Covered Entity"
},
{
"Definition": "Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.",
"Name": "Disclosure"
},
{
"Definition": "Electronic protected health information means protected health information (PHI) that is transmitted by electronic means or maintained in electronic media.",
"Abbreviations": ["e-PHI"],
"Name": "Electronic Protected Health Information"
},
{
"Definition": "The HIPAA law includes Administrative Simplification provisions that require adoption of national standards for electronic health care transactions and code sets, unique health identifiers, and security. Additionally, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.",
"Abbreviations": ["HIPAA"],
"Name": "Health Insurance Portability and Accountability Act of 1996"
},
{
"Definition": "Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.",
"Abbreviations": ["PAF"],
"Name": "Plan Administration Functions"
},
{
"Definition": "Protected health information (PHI) means \"individually identifiable health information\" that is transmitted by electronic means or maintained in electronic media or transmitted or maintained in any other form or medium, except it excludes individually identifiable health information:\n\n- In education records covered by the Family Educational Rights and Privacy Act;\n- In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);\n- In employment records held by a covered entity in its role as employer;\n- Regarding a person who has been deceased for more than 50 years.\n\nHIPAA rules protect most PHI held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.\n\nPHI is information, including demographic information, which relates to the individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. For example, PHI includes name, address, birth date, Social Security Number, a medical record, laboratory report, or hospital bill. However, reported or aggregated data that has been de-identified so that it cannot be used to identify an individual is not considered PHI.",
"Abbreviations": ["PHI"],
"Name": "Protected Health Information"
},
{
"Definition": "Information, that may be individually identifiable health information, and that summarizes the claims history, claims expenses, or type of claims experienced by individuals.",
"Name": "Summary Health Information"
},
{
"Definition": "The U.S. Department of Health and Human Services' (HHS) mission is to enhance and protect the health and well-being of all Americans by providing for effective health and human services and fostering advances in medicine, public health, and social services.",
"Abbreviations": ["HHS"],
"Name": "U.S. Department of Health and Human Services"
}
],
"ConformanceCriteriaPreface": "The Business Associate Contract describes the relationship between the covered entity and its business associate (or other subcontractors) with respect to handling of PHI and other matters.",
"$Type": "TrustmarkDefinition",
"Sources": [{
"Identifier": "HIPAA-Privacy-Rule",
"Reference": "HIPAA Privacy Rule, published by U.S. Dept of Health and Human Services, HIPAA Administrative Simplification Regulation Text 45 CFR Part 160 and subparts A and E of Part 164, available at https://www.hhs.gov/hipaa/for-professionals",
"$id": "source-1080565857"
}]
}