Re: HIPAA Business Associate/Identity Theft Prevention Agreement

["Don M. Blumenthal" <don () DONBLUMENTHAL COM>]

I've done Red Flag work and serve, among other things, as chief compliance
officer for a company in the PHR space. Whether the requests are reasonable
depends on a lot of factors that aren't clear from the message and
fundamentally are legal decisions. I'd suggest checking with counsel.



Don

======================

Don M. Blumenthal

DMB Associates, LLC

Technology, Policy, and Law

(734) 997-0764

(202) 431-0874 (m)

don () donblumenthal com

www.donblumenthal.com



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven Bourdon
Sent: Monday, February 22, 2010 1:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Business Associate/Identity Theft Prevention
Agreement



Hello All,



I just received an agreement from a local hospital requesting we sign as a
"business associate" under HIPAA and "service provider" for FTC Red Flag
Rules.   Other than a nursing program with student clinical rotations
performed at local hospitals we don't deal with protected health information
on campus.  This is a new area for me so I'm curious if others have signed
similar agreements for their health programs with local health providers for
student clinical activities.



Thanks,



Steven M. Bourdon, CISO

South Texas College