UNMC Business Partner Agreement

Business Partner Network Use Agreement
This BUSINESS PARTNER NETWORK USE AGREEMENT (“Agreement”) is a written
agreement between The Board of Regents of the University of Nebraska, a public
corporation (“Board of Regents”) for and on behalf of the University of Nebraska
Medical Center (“UNMC”) and _____________________________________________
(“Business Partner”). The purpose of this Agreement is to effectuate the parties’ desire
to comply with the Security Standards of the Health Insurance Portability and
Accountability Act (HIPAA) promulgated by the Department of Health and Human
Services at 45 CFR parts 160 and 164.
The Business Partner performs certain services for UNMC as described in Exhibit “A”
(“Services”) and agrees to the following:
1. DEFINITIONS. Terms used, but not otherwise defined in this Agreement shall
have the same meaning as those terms defined in 45 CFR 160 and 164.
2. OBLIGATIONS OF THE BUSINESS PARTNER.
(a) Implement administrative, physical and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of the
UNMC network resources.
(b) Ensure that any agent, including a subcontractor, to whom it provides access
to the UNMC network agrees to implement reasonable and appropriate
safeguards to protect the network resources of UNMC.
(c) Comply with the Business and Academic Partner Network Access Technical
Requirements as detailed in Exhibit B.
(d) Report to UNMC any security incident of which it becomes aware.
3. TERMINATION.
(a) Except as provided in (b) below, upon termination of Agreement for any
reason, Business Partner shall return or destroy all software received from
UNMC, or created or received by Business Partner on behalf of UNMC.
Business Partner shall not retain copies of software.
(b) In the event that Business Partner determines that returning or destroying the
software is infeasible, Business Partner shall provide to UNMC notification of
the conditions that make return or destruction infeasible.
Business Partner Agreement
September 2014
Page 1 of 7
(c) The respective rights and the obligations of Business Partner under this
subsection shall survive the termination of Agreement.
4. AMENDMENT. The parties agree to take such action as is necessary to
amend Agreement from time to time as is necessary for parties to comply
with federal and state requirements.
5. INTERPRETATION. Any ambiguity in Agreement shall be resolved to permit
UNMC to comply with federal and state law.
BUSINESS PARTNER:
______________________________
Signature
______________________________
Title
______________________________
Date

University of Nebraska Medical Center
________________________________
Signature
________________________________
Title
________________________________
Date
EXHIBIT A
SERVICES
EXHIBIT B
Business and Academic Partner Network Access Technical Requirements
A. Non-Disclosure. All access control information given to Business Partner must
be kept confidential and must not be disclosed to any other individual/organization
without the written permission of the University of Nebraska Medical Center (UNMC)
computer network team.
B. Connectivity Options. All connection methods to Covered Entity resources will
be evaluated on a case-by-case basis. The UNMC Network Team is responsible for
installation and configuration of the Business Partner connection. Business Partner
connection options include but are not limited to the following technologies:
1. Site to site VPN
2. On premise
3. On Demand VPN Connectivity
C. Remote Site Continuous Connectivity. The requirements for providing
continuous network connectivity between the Covered Entity network and a Business
Partner network include but are not limited to:
1. Business Partner will provide TCP/IP addressing for their networked devices that
is unique to the Covered Entity environment. IP addresses which the Business
Partner provides must be:
a. Licensed to the organization for use on the public Internet; or
b. Comply with RFC1918-Address Allocation for Private Internets
2. The Business Partner site will provide the TCP/IP address for each networked
device resident on the Business Partner site's LAN that requires access to
Covered Entity network resources.
3. The Business Partner site is responsible for the security of the remote site's
Local Area Network (LAN).
4. The Business Partner site must have a firewall installed and maintained.
5. Connectivity to the Covered Entity network will be provided through a UNMC
Network Team routed interface.
6. UNMC Network Team will maintain ACLs on the routed interface that will permit
the Business Partner site to access only approved Covered Entity network
resources.
7. UNMC Network Team will provide network support to the routed interface.
8. The Business Partner site will provide contact(s) for technical networking and
workstation needs.
9. Business Partner will not install or use peer-to-peer software or any remote
administration software without coordination with IT Technical Services.
D. Services Provided. In general, services provided over the Business Partner
connections should be limited only to those services needed, and only to those devices
(hosts, servers, etc.) required to conduct necessary business. Blanket access will not
be provided. The default setup will only allow access to those specific services that are
needed. In no case shall the connection to the Covered Entity be used as the Internet
connection for the Business Partner.
Any changes to the services require the Business Sponsor of the Covered Entity to
request those changes. Business Partners are not allowed to request changes to their
connectivity.
E. Authentication for Business Partner Connections. All Business Partner
connections will be authenticated using a strong authentication process. A separate
account will be established specifically for each Business Partner. A site to site
connection relies on the security of the connecting site.
F. Covered Entity Equipment at Business Partner Sites. In some cases it may be
necessary to have Covered Entity owned and maintained equipment at the Business
Partner site. All such equipment will be documented by the UNMC Network Team.
Access to network devices such as routers and switches will only be provided to UNMC
support personnel. All Covered Entity owned equipment located at Business Partner
sites is to be used for business purposes only. Any misuse of access or tampering with
Covered Entity provided hardware will result in termination of the connection agreement
between said parties.
G. Business Partner Equipment located at the Covered Entity. The Covered Entity
will protect equipment which belongs to third parties in the same manner that Covered
Entity equipment is protected. If networking equipment is found whose ownership is in
question, UNMC Network Team will work to identify the owner of the equipment and
ensure that the equipment is in compliance with all policies.
H. Protection of Network Resources. The UNMC Network Team will be responsible
for ensuring all reasonable measures have been taken to ensure the integrity of the
network. At no time will the Covered Entity rely solely on security and control
mechanisms at the Business Partner site to protect Covered Entity confidential
information.
I. Acceptable Use. Third party network connections are to be used for business
purposes only. Any violation of these guidelines will be reported to the Business Partner
sponsor and Covered Entity management. A joint decision will be made regarding the
action to be taken. Action may result in the immediate termination of the connection/
agreement with said Business Partner.
1. All technical information provided to the Covered Entity by Business Partner
must be accurate and current.
2. Covered Entity equipment located on partner premise will only be configured
for the necessary protocols to facilitate Covered Entity related data transfers.
3. Configuration changes will be coordinated between the Business Partner,
Business Partner sponsor and UNMC Network Team.
4. The UNMC Network Team will set the password on Covered Entity devices
located on the partner premise. These devices will be actively monitored and
any attempt to compromise these devices will result in termination of the
connection.
5. Only employees of the Business Partner who have approved access shall use
the resources associated with the Business Partner connection. Accounts
should not be shared on Covered Entity owned and maintained devices.
J. Audit and Review of Business Partner Connections. The Covered Entity
reserves the right to monitor their half of the mutually configured connections with
Business Partners. The Covered Entity will not perform scans, penetration tests or other
security related activities against the Business Partners’ networks. Likewise, the
Business Partner will not perform scans, penetration tests or other security related
activities against the Covered Entity. The UNMC Security Team will review all Business
Partner connections on an annual basis and information regarding specific Business
Partner connections will be updated as necessary. Obsolete Business Partner
connections will be terminated.