Data Authorization Agreement
A Data Use Agreement (DUA) is an agreement required under the HIPAA Privacy Rule that must be entered into before a limited data set (defined below) is used by, or disclosed to, an outside institution or party. A limited data set is still protected health information (PHI), which is why covered entities such as Stanford must enter into a DUA with each recipient of a Stanford limited data set. A DUA must, among other things, establish the permitted uses and disclosures of the limited data set.

The Privacy Rule allows a covered entity to disclose what it calls a "limited data set": a set of identifiable health information that a covered entity may share with certain parties for research, public health activities and health care operations without the patient's prior written authorization. A limited data set is a data set from which the direct identifiers specified in the Privacy Rule have been removed; it excludes those direct identifiers of the individual and of the individual's relatives, employers or household members (identifiers that would directly identify the research subjects). A limited data set may be shared with an outside party without the patient's authorization only if the purpose of the disclosure is research, public health or health care operations, and the person or organization receiving the information signs a DUA with the covered entity or its business associate.

In addition, covered entities such as Stanford must take all reasonable steps to remedy a recipient's violation of the DUA. For example, if Stanford learns that data it has provided to a recipient is being used in a way the DUA does not authorize, Stanford must work with the recipient to resolve the problem. If those efforts fail, Stanford is required to stop any further disclosure of PHI to the recipient under the DUA and to report the matter to the U.S. Department of Health and Human Services Office for Civil Rights.

A business associate agreement is a contract between the covered entity and its business associate that sets out these assurances in writing. Under a business associate agreement, the parties must specify the types of PHI, and the kinds of access to PHI, that the business associate will have (and those it may not have), and what safeguards the business associate uses to maintain the integrity and confidentiality of the PHI.

This Data Processing Agreement ("DPA") is an agreement between you and the company you represent ("Customer" or "You") on the one hand and Authorize.Net LLC ("Authorize.Net") on the other. It forms part of any written or electronic agreement between you and Authorize.Net under which Authorize.Net processes personal data on your behalf (each, an "Agreement"), except an Agreement for which you and Authorize.Net have already agreed data processing terms that address the subject matter of this DPA. This DPA forms part of the service documentation defined in the Agreement.

1.2.1 The Processor may not engage a Sub-Processor without the specific or general written consent of the Customer.

2.2 The Processor shall provide the Customer with appropriate assistance with (a) any legally required data protection impact assessments; and (b) prior consultations initiated by the Customer with its supervisory authority in connection with such data protection impact assessments. This assistance is strictly limited to the processing of the Customer's personal data by the Processor on behalf of the Customer under the Agreement, taking into account the nature of the processing and the information available to the Processor.

4.3 Cooperation with sub-processors. The Processor shall ensure that, when it engages another data processor, including an affiliate (a "Sub-Processor"), to carry out specific processing activities on behalf of the Customer, there is a written contract between the Processor and the relevant Sub-Processor. Such written contracts, to the extent applicable to the nature of the transaction services provided by the relevant Sub-Processor, will provide at least the same level of protection for the Customer's personal data as is set out in this DPA.

4.4.2 The Customer and all of its generally owned or controlled affiliates that have signed a Transaction Services Agreement ("Client Companies") will be considered "Data Exporters" within the meaning of the C2P (controller-to-processor) Standard Contractual Clauses.

6.1 "Applicable Data Protection Law" means any law or regulation relating to data protection, privacy and/or the processing of personal data, to the extent applicable to the obligations of either party under the Agreement and this DPA. Applicable data protection laws include, but are not limited to, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. ("CCPA"), and any related rules or other laws or regulations that implement or supersede the foregoing.

6.6 "Breach of Security" means a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Personal Data. A Breach of Security includes a "personal data breach" (as defined in the GDPR), a "system security breach" or similar term (as defined in other applicable data protection laws), and any other event that compromises the security, confidentiality or integrity of personal data.

. . .