Establish, implement, and maintain a use of information agreement.
CONTROL ID
06215
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Include use limitations in the use of information agreement., CC ID: 06244
  • Include disclosure requirements in the use of information agreement., CC ID: 11735
  • Include information recipients in the use of information agreement., CC ID: 06245
  • Include reporting out of scope use of information in the use of information agreement., CC ID: 06246
  • Include disclosure of information in the use of information agreement., CC ID: 11830
  • Include information security procedures assigned to the information recipient in the use of information agreement., CC ID: 07130
  • Include information security procedures assigned to the originator in the use of information agreement., CC ID: 14418
  • Include a do not contact rule for the individuals identified in a data set in the use of information agreement., CC ID: 07131
  • Include the information recipient's third parties accepting the agreement in the use of information agreement., CC ID: 07132
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The entity has formal agreements, provides notices and formally communicates with data subjects about its privacy practices to meet the entity's objectives related to privacy. Refer to Component N2.0. (M1.0 Agreement, notice and communication, Privacy Management Framework, Updated March 1, 2020)
  • The entity executes formal agreements, provides notices and formally communicates with data subjects about its privacy practices to meet its objectives related to privacy. (N2.1, Privacy Management Framework, Updated March 1, 2020)
  • Finally, OMB Circular No. A-130 also contains certain requirements for disseminating personally identifiable information. In principle, the dissemination and disclosure of personally identifiable information must be limited to what is legally authorised, relevant and reasonably deemed necessary for … (3.1.1.2 (106), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. (§ 5.14 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Organizations that wish to transmit HCFA Privacy Act-protected and/or other sensitive HCFA information over the Internet must notify HCFA. The organization must e-mail this notification to internetsecurity@hcfa.gov and the following information must be included: the organization's name and address, … (§ 9, HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • The organization must document agreements about how to protect files before sharing programs or data with other entities. (CSR 2.14.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • § 13404(a) A business associate of a covered entity shall incorporate into the business associate agreement requirements to ensure compliance with protected health information use or disclosure. § 13405(d)(1) A covered entity shall obtain authorization from the individual providing protected healt… (§ 13404(a), § 13405(d)(1), American Recovery and Reinvestment Act of 2009, Division A Title XIII Health Information Technology)
  • A data use agreement must be developed between the covered entity and the limited data set recipient. (§ 164.514(e)(4)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity may comply with this paragraph and §164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate th… (§ 164.504(e)(3)(iv), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Obtains agreements from employees, contractors, and service providers covering confidentiality, nondisclosure, and authorized use. (App A Objective 6.8.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should mitigate the risks posed by users by doing the following: - Establishing and administering security screening in IT hiring practices. - Establishing and administering a user access program for physical and logical access. - Employing segregation of duties. - Obtaining agreements… (II.C.7 User Security Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)