WHEREAS, the American Academy of Pediatrics recommends and supports a strong partnership among school nurses, other school health personnel, and pediatricians;
WHEREAS, Nemours has an electronic health record system (EHRS) containing clinical information (including progress notes, specialty consults, laboratory and imaging results), demographics, and other information; and,
WHEREAS,School desires its school nurses ("Users") to obtain access to select portions of its Students' health records maintained in Nemours' EHRS; and,
WHEREAS, Nemours has an interest in improving the quality, delivery and coordination of care to Patients of Nemours by providing school nurses secure electronic access to portions of its Students' electronic health records ("EHRS"), subject to compliance with state and federal privacy laws and regulations.
NOW THEREFORE, in consideration of the promises and covenants contained in this Agreement, and for good and valuable consideration, Nemours and Practice agree as follows:
1. Access to Service: Upon execution of this Agreement and any other required documents, and approval of all access sites and Users as required herein, Nemours will provide School's Users with secure access to its Students¿ EHRs via the Service and also provide limited training on the Service.
2.1 Authorized Agent or Representative means an individual who has the legal authority to legally obligate the School under this Agreement. 2.2 HIPAA means Health Insurance Portability and Accountability Act (HIPPA) Privacy, Security, Breach Notification and Enforcement Rules set forth int he HIPAAA Final Omnibus Rule dated January 18, 2013.
2.3 Nemours' Data means Protected Health Information contained within Nemours¿ EHRS and Proprietary Information.
2.4 Patient means an Individual as defined at 45 C.F.R. § 160.103 ("the person who is the subject of protected health information") who is currently enrolled as a Student in the School.
2.5 Permitted Use means uses of the Service described in Section 6 below.
2.6 Privacy Officer refers to a Nemours employee who is responsible for the development and implementation of Nemours privacy policies and procedures, and who can be contacted at firstname.lastname@example.org or (904) 697-4287.
2.7 Protected Health Information (PHI) means individually identifiable health information as defined at 45 CFR §160.103. This information is protected by various state and federal privacy laws and regulations.
2.8 Proprietary Information refers to information relating to Nemours¿ internal business affairs, including information regarding Nemours products, pricing; personnel data; vendor information; financial data and other competitively sensitive information that Nemours maintains as confidential. It also includes non-publicly available information regarding the Service, EHRS vendors, and EHRS enhancements. If such information is already made available in the public domain, then such information is not Proprietary Information. All Proprietary Information is confidential and may not be used for any purpose without the advanced written consent of Nemours. Proprietary Information includes the NemoursLink Manual, this Agreement and the User Agreement, and any NemoursLink forms or documents.
2.9 Service means the NemoursLink software and other Nemours and EHRS Vendor supplied services, software, databases, content, documentation, works of authorship and other materials and intellectual property used to provide a secure method of communication enabling a User to view the EHR of a Practice's Patient who has received health care services at Nemours.
2.10 Student means an individual enrolled as a student in the School.
2.11 Technical Liaison means the department or individual employed by Nemours who should be contacted by a User or School to report certain events or problems as required by this Agreement. The contact information for the Technical Liaison is contained in Section 15 below.
2.12 User means an employee of the School who has a current license to practice nursing in the jurisdiction where the School is located, who is authorized by the School to access its Students' EHRs, who has signed a User Agreement, and whose access to EHRS via the Service has been approved by Nemours.
3. Term and Termination. This Agreement is effective on the Effective Date and will continue until either Party notifies the other in writing of its intent to terminate. Nemours will consider any unauthorized use of the Service as a material breach of this Agreement and grounds for immediate termination of this Agreement. Nemours retains the right to unilaterally terminate access, in its sole discretion, without advance notice to School.
4. Nemours Data. No rights or legal interest in Nemours' Data is transferred to the School under this Agreement. School will not copy or use Nemours' Data for any purpose other than for the Permitted Uses described in Section 6 below, unless Nemours consents in writing or such use or disclosure is required by law. If School receives a request or demand for disclosure of the Nemours¿ Data, including a subpoena, order, or other legal mandate, School will immediately notify Nemours, and to the extent feasible consistent with the legal mandate, withhold response to permit Nemours to seek a protective order.
5. Service. Subject to the terms and conditions of this Agreement, Nemours will make the Service available to School's Users at reasonable times, provided that the Service may be unavailable when maintenance is being performed and at other times in Nemours' reasonable discretion. USERS HAVE NO RIGHT OF PRIVACY WHEN USING THE SERVICE. Nemours may, directly or through a third party designee, inspect, test and/or audit School and its Users¿ compliance with the terms and conditions of this Agreement. Nemours may also permit any regulator with jurisdiction over Nemours, School and/or any User, to perform such inspections, tests and/or audits if requested by such regulators. Also, Nemours may permit its EHRS Vendors to inspect, test, or audit the use of the EHRS components pursuant to the terms of their agreements with Nemours. School hereby consents to the inspections, tests and audits described in this Section and shall cooperate and cause its Users to cooperate therewith.
6. Permitted Use of Service.
6.1 Access to a Students' EHR through the Service is prohibited, except in cases wheer the parent/legal guardian has authorized in writing the School's user to acces sthe Students' EHR. School hereby represents, warrants and covenants that it will obtain all necessary consents, authorizations and permissions for such access, and will comply with all applicable laws and regulations pertaining to use and disclosure of PHI, as well as the terms of this Agreement.
6.2 A HIPAA/FERPA Authorization ("Authorization") authorizing access to the Student's EHR must be on file at the School, and must be transmitted to nemours prior to accessing the Student's EHR. School agrees to retain a copy of the Authorization on file for six (6) years from date of access of the Service and make a copy available to Nemours upon request. (See Exhibit A for Authorization Template).
6.3 School acknowledges that if a Student's EHR is accessed without a vaild HIPAA/FERPA Authorization, such access may constitute a breach of unsecured PHI under HIPAA/HITECH rules, necessitating notificaiton to individuals involved and possibly others, depending on the size of the breach. School will apply appropriate sanctions against School employees who fail to comply with the privacy requirements and procedures of this Agreement and/or the User Agreement.
7. Prohibited Use of Service. School through it s Users may not:
7.1 Access or use the Service in the absence of the Authorization required by Seciton 6 above;
7.2 Disclose, transfer, sell, or otherwise permit or facilitate third party access to the Service;
7.3 Use or disclose Nemours' Data with the intent to negatively impact the competitive advantage of Nemours in the marketplace;
7.4 Use or disclose Nemours' Data other than as permitted by this Agreement.
8. Privacy and Confidentiality Obligations. School understands that the Service provides secure access to Nemours Data (PHI and Proprietary Information). School agrees to:
8.1 Report to the Nemours Privacy Officer any unauthorized access, use or disclosure of Nemours¿ Data;
8.2 Take appropriate precautions to ensure that computer screens will not ve visible to Students, visitors, and other unauthorized persons during access to the Servcie;
8.3 Advise Students who request amendment of their PHI to contact the Nemours' Privacy Officer;
8.4 Make its internal practices, books, and records relating to the use and disclosure of PHI obtained using the Service available to the Secretary of Health and Human Services for the purposes of determining Nemours' compliance with privacy regulations.
9. Obligations of School.
9.1 Equipment and Supplies. School is solely responsible for the costs of the equipment, maintenance, and supplies required for access to and use of the Service. Costs may include acquisition, installation, operation and maintenance of personal computers and printers; wiring, hardware, software, phone charges, and Internet access; and ongoing equipment and supply upgrades.
9.2 User Access. The Technical Liaison must be notified in writing of the names of Users authorized by School to access the Service. See Exhibit B. Users will not be granted access to the Service until the User signs a User Agreement, at which time Nemours will assign each User a unique logon and password to access the Service. Completion of the User Agreement requires the User to acknowledge he or she has read this Agreement. Therefore, it is the obligation of the School to give a copy of this Agreement to each of its authorized Users to read before the User signs the User Agreement.
(c) Access to Service. The selection of Users and the implementation and maintenance of security related to access to the Service by Users will be the sole responsibility of School. School will ensure each User maintains the security and confidentiality of its individual logon and password and does not share or disclose the User¿s assigned logon or password to others. SCHOOL WILL BE RESPONSIBLE FOR ENSURING ALL USERS COMPLY WITH THE TERMS AND CONDITIONS OF THIS AGREEMENT, AND WILL ASSUME ALL RESPONSIBILITY AND LIABILTY BETWEEN NEMOURS AND SCHOOL WITH RESPECT TO USE OF THE SERVICE BY SCHOOL, ITS USERS OR ANY OTHER PERSONS WHO MAY ACCESS THE SERVICE USING LOGINS AND/OR PASSWORDS PROVIDED TO USERS. Nemours reserves the right to suspend or terminate a User¿s access to the Server for any reason.
9.4 Termination of Access. School agrees that it will take immediate steps to notify the Technical Liaison both orally at (877) MYNEMOURS and in writing when a User is no longer authorized to access the Service (see Section 15). School remains responsible for the User¿s actions until written notice to terminate access is provided to the Technical Liaison.
9.5 Ensure Appropriate Use of Service. School is obligated to notify the Nemours' Privacy Office immediately in instances where there is reasonable suspicion that there may have been password compromise, unauthorized access, use or disclosure of Nemours Data, alteration of Service software or Nemours data, or other violations of this Agreement, the User Agreement, or state or federal law. Nofication should be made orally and in writing to the Privacy Officer at (904) 697-4287 and email@example.com.
9.6 Representations and Warranties. School represents that it is in compliance with all applicable state and federal laws and regulations governing the provision of health care to Students, and that neither neither it nor any of its Users has been debarred, penalized by, convicted, sanctioned, suspended, excluded or otherwise deemed ineligible to participate in any state or federal reimbursement program, including Medicaid or Medicare. In the event that School or any of its Users are sanctioned or excluded from participation in any state or federal reimbursement program. School will immediately notify the Technical Liaison and Nemours may, in its sole discretion, terminate this Agreement.
9.7 Licensed Use of Service and EHRS. Subject to the terms and conditions of this Agreement, Nemours grants to School a non-exclusive, non-transferable, limited license for School and its Users to access and use the Service and EHRS solely for the Permitted Use in Section 6 above. The foregoing license is only a permission to use the Service and EHRS subject to all terms and conditions herein and neither School nor any authorized User is entitled to a copy of any software or any other Service component used to provide access to the EHRS. Without in any way limiting the prohibitions or limitations stated elsewhere in this Agreement, School shall not and shall not permit its Users or any other person to reproduce, publicly display, reverse engineer, disassemble, decompile, translate, port, adapt, modify or make derivative works of the Service or the EHRS; or sublicense, lease, lend, loan, re-distribute, re-transmit or time-share the Service or ERHS or make them available otherwise for access or use by any person or entity other than School and its Users in accordance with this Agreement.
9.8 Copyright. The Service and EHRS include materials that are protected by law, including United States copyright, trade secret law and other intellectual property laws and by international treaty provisions. All rights not granted under this Agreement are expressly reserved to Nemours and/or as applicable, Nemours' third party suppliers or agents. School shall not, and shall cause its Users to not, remove any copyright, trademark, or other intellectual property or proprietary rights notices of Nemours or its third party suppliers or agents from the Service or EHRS or any copies, reports or other materials or data generated therefrom.
9.9 Return of Proprietary Information. On Nemours' written request or upon the expiration or termination of this Agreement for any reason, School will promptly: (a) return or destroy, at Nemours' option, all originals and copies of all documents and materials it has received containing Nemours' Proprietary Information; and (b) deliver or destroy, at Nemours¿ option, all originals and copies of all summaries, records, descriptions, modifications, negatives, drawings, adoptions and other documents or materials, whether in writing or in machine-readable form, prepared by School prepared under its direction, or at its request from the documents and materials referred to in subparagraph (a), and provide a notarized written statement to Nemours certifying that all documents and materials referred to in subparagraphs (a) and (b) have been delivered to Nemours or destroyed, as requested by Nemours.
10. Assignment. Neither this Agreement nor any of the rights herein may be assigned by School without the express, prior written approval of Nemours. Nemours may, without the consent of School, assign the rights and obligations herein to any entity affiliated with Nemours.
11. Relationship of the Parties. It is expressly understood and agreed that this Agreement is not intended to, and does not, create a joint venture, partnership, association, or other affiliation or business relationship between the parties. Nemours and School shall at all times be separate legal entities and are not liable for the debts or obligations of the other party.
12. Insurance, Costs, and Indemnification.
12.1 Insurance: Each party agrees to obtain or fund at their own cost, appropriate professional liability and general insurance coverage with limits of no less than $1,000,000 per occurrence to insure itself and its employees against liability for claims brought by third parties in connetion with its provision of healthcare services and performance of its duties and responsibilties under this Agreement.
12.2 Costs. Business Associate will reimburse actual costs and expenses incurred by Covered Entity or Covered Entity Affiliate arising from a Breach of Unsecured PHI, including all reasonable costs and expenses associated with provision of the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of obtaining credit monitoring and identify theft insurance to mitigate the harm for affected individuals whose PHI has been or may have been compromised solely as a result of the Breach of Unsecured PHI while such PHI was under the control of Business Associate or any Business Associate Affiliate, or any subcontractor, agent or othe third party to whom Business Associate is permitted to disclose PHI under the terms of this BAA.
12.3 Indemnification. School agrees to indemnify, protect, save and hold harmless Nemours, it sofficers, employees and agents, from and against any and all losses, damages, injuries, claims, demands and expenses (including attorney's fees and legal expenses) of whatsoever kind and nature, arising on acccount of or related to any negligent act or omission, including failure to obtain a valid HIPAA/FERPA Authroization prior to accessing the Service, willful misconduct or breach of this Agreement by School or its Users. This provision shall survive termination of this Agreement. 13. Applicable Law and Disputes. This Agreement shall be construed, and the rights and liabilities of the parties determined, in accordance with the laws of the state of Delaware, except with regard to the conflicts of law principles of the state of Delaware to the extent they would apply the laws of another state to this Agreement. If any dispute arises under this Agreement and results in litigation, the losing party shall pay the prevailing party all costs of litigation, including reasonable attorney's fees.
14. Survival of Certain Provisions. The obligations of the parties to this Agreement pertaining to insurance and indemnification, confidentiality and HIPAA/HITECH compliance, and permitted and prohibited uses of Nemours' Data set forth in paragraphs 5, 6, 7, 8, and 11 shall survive and continue beyond the termination of this Agreement.
15. Notices. Any notices under this Agreement shall be made in writing and effective upon receipt. Such notices shall be personally delivered, sent by registered or certified mail, by a nationally recognized overnight delivery service, or sent by facsimile or electronic mail with confirmation, addressed as follows, unless such address is changed by written notice hereunder:
If to NEMOURS:
Nemours Children's Clinic - Orlando
9161 Narcoossee Road, Suite 206
Orlando, FL 32827
Attention: Nemours Health Informatics
|If to School|
| With copy to: |
The Nemours Foundation
Office of Contracts Administration
10140 Centruion Parkway North
Jacksonville, FL 32256
Fax: (904) 697-4070
16. Entire Agreement and Waiver. This Agreement constitutes the entire agreement between the parties and supersedes all other written or oral agreementswith respect to the subject matter hereof. This Agreement may not be altered, amended or modified except as agreed in writing by the parties. No consentor waiver, express or implied, by either party in the performance by the other party of its obligations under this Agreement shall be deemed or construed to be a consent to or waiver of any other breach or default by the other party.
17. Counterparts and Electronic Signature: This Agreement may be executed in two or more counterparts, each of which will be deemed an original, but allof which together will constitute one and the same instrument. Delivery of an executed signature page by facsimile transmission or PDF will be as effective as delivery of a manually signed counterpart.
IN WITNESS HEREOF, the parties have executed this Agreement as of the day and year first written above.