In This Section      
 

Agreement for Access to Protected Health Information Between Johns Hopkins and Site User

THIS AGREEMENT for Access to Protected Health Information is entered into between The Johns Hopkins Health System Corporation and The Johns Hopkins University, on behalf of themselves and their affiliated entities (hereinafter “Johns Hopkins”), and the physician practice or other user identified in the on-line new account enrollment page completed on behalf of such physician practice or other user (hereinafter “Site User”).

Recitals

Johns Hopkins uses a certain electronic medical record system and related functionality, called “Hopkins CareLink” (the “System”), which allow users to access certain patient electronic health records to which they otherwise would not have access.

This Agreement is applicable in two circumstances: (i) to grant access to the System by a non-Johns Hopkins medical office practice; or (ii) for certain activities that have been approved by Johns Hopkins for use of the System for unique and special activities, where the “Site User” and “Site Administrator” is employed in some capacity by Johns Hopkins.

The System allows these users to view the Johns Hopkins electronic health records (“EHR”) of patients for the purpose of treatment, research, care coordination, payment related activities, and other approved activities (individually or collectively “Approved Activities”) to the extent permitted without patient authorization in accordance with the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, and the rules and regulations promulgated thereunder, as may be amended from time to time, and further subject to the Recovery and Reinvestment Act of 2009, including its provisions commonly known as the “HITECH Act,” and rules and regulations promulgated thereunder, as may be amended from time to time (all collectively, “HIPAA”).

Site User provides or coordinates professional or other medical services to, or is otherwise involved with Approved Activities involving, patients who are or were Johns Hopkins patients or study subjects.

Johns Hopkins believes that access to the EHR by Site User will substantially improve the quality of the Approved Activities and therefore would like to allow access to the System by Site User, and those employed or authorized by Site User, subject to the restrictions and other requirements set forth in this Agreement.

Site User has agreed to use the System in accordance with this Agreement to improve the quality and efficiency of the medical services Site User provides to patients who receive care at Johns Hopkins, or to facilitate the processing of payment related activities for health care services received at Johns Hopkins, to facilitate research oversight, to assist with care coordination or to coordinate other Approved Activities, as applicable.

NOW, THEREFORE, in consideration of the premises, the mutual agreements and covenants herein contained, and other good and valuable consideration, the receipt and sufficiency of which hereby are acknowledged, the parties hereto agree as follows:

1. License for Use.

A. Subject to the terms and conditions of this Agreement, Johns Hopkins hereby grants Site User non-transferable and non-exclusive access (the “System License”) to the System (i) if Site User is a non-Johns Hopkins medical office practice, to permit its medical providers (MDs, RNs, LPNs, NAs, PAs, CMAs, NPs) (each a “Medical Provider”), and their employed or affiliated administrative personnel (collectively “Medical Office Authorized Users”), to electronically access and use the System solely for viewing medical records, images and content related to the provision of healthcare to patients of such Medical Providers, and in limited circumstances, taking initial steps to establish a new medical record; or (ii) if Site User is coordinating other Approved Activities, to permit the personnel employed by those entities involved in such Approved Activities (collectively “Approved Activities Authorized Users”) to electronically access and use the System solely for viewing medical records for purposes of the Approved Activities; (“Medical Office Authorized Users” and “Approved Activities Authorized Users” individually and collectively “Authorized Users”).

Site User agrees that Johns Hopkins may terminate individual Authorized Users’ access and/or the entire System License at any time for any reason without penalty, regardless of any effect such termination may have on Site User’s operations.

B. Unless otherwise agreed by Johns Hopkins, Site User acknowledges and agrees that any hardware, software, network access or other components necessary for Site User to access and use the System must be obtained separately by Site User. Johns Hopkins, by reason of this Agreement, shall not be responsible for the procurement, installation or maintenance of any necessary components, and Johns Hopkins makes no representations or warranties regarding the components whatsoever. Any fees for the components shall be borne by Site User and paid directly to the suppliers of the components.

2. Conditions of Use of the System.

A. Neither Site User nor any Authorized User shall use or disclose Protected Health Information (“PHI”) obtained through the System in any manner that would constitute a violation of federal or state law, including, but not limited to, HIPAA. Site User shall ensure that its directors, officers, employees, contractors and agents, or those to whom Site User grants access pursuant to this Agreement, use (access) and disclose PHI obtained through the System only in accordance with the provisions of this Agreement and federal and state law. Site User and Authorized Users shall not disclose PHI in any manner other than as permitted by this Agreement. Site User agrees that all information accessed through the System will be maintained in the strictest confidentiality and in the same manner as Site User safeguards the confidentiality of other patient care records to which it is entitled to access, or as required by state and federal law.

B. Site User and each Authorized User agree to implement and utilize the System solely for the purposes of treatment of their patients, and/or payment related activities relevant to their patients, or other Approved Activities, as appropriate, to the extent permitted without patient authorization by HIPAA. Site User and each Authorized User shall use the System in accordance with any network security policies issued by Johns Hopkins from time to time.

C. Site User understands and agrees that such access to, and use of, the System shall be limited to that achieved through unique access codes provided to each individual Authorized User by Johns Hopkins as hereinafter provided, and further agrees that each Authorized User shall be prohibited from using another Authorized User’s access code to access and/or use the System.

D. Site User agrees that it will implement all appropriate technical, administrative and physical safeguards to prevent unauthorized use or disclosure of PHI. Site User agrees to comply with all federal and state laws and regulations regarding privacy, security, and electronic exchange of health information, as currently enacted or amended in the future.

3. Access to the System—Medical Office Practice.

This Section 3 applies only to non-Johns Hopkins medical practices.

A. Site User shall designate one individual employed by Site User to be the “Site Administrator” for administering access to the System by Medical Office Authorized Users. Site User, upon request, shall provide Johns Hopkins with the name and direct contact information for the Site Administrator as well as for its Privacy Officer (who may be the same individual as the Site Administrator). The Site Administrator is responsible for coordinating with Johns Hopkins to establish, modify and terminate accounts that the Medical Office Authorized Users are permitted to maintain for access to the System. While Site Administrator may have the technical ability to assign or change Medical Office Authorized Users’ passwords, as part of the process for doing so Site Administrator shall advise all Medical Office Authorized Users of the necessity for the Medical Office Authorized User promptly thereafter to establish his/her own password.

B. Each Medical Office Authorized User shall also complete, in a form and in a manner to be determined by Johns Hopkins, training regarding the requirements of System access and use. Before access to the System is granted, each Medical Office Authorized User shall be informed of the basic terms of this Agreement and must select “ACCEPT” to the terms of the online Terms and Conditions of Use, as those Terms and Conditions may be amended from time to time. Site User agrees to ensure that each Medical Office Authorized User approved for access under this Agreement adheres to the requirements of this Agreement and the Terms and Conditions.

C. For purposes of this Agreement, access to the System shall be permitted only for such categories of employees of Site User who have a reasonable need to access PHI of Johns Hopkins patients for purposes of carrying out their healthcare treatment or payment related duties to such patients. Site User agrees to notify Johns Hopkins within 24 hours to terminate access rights when any Medical Office Authorized User is separated from employment of Site User for any reason, including but not limited to termination or voluntary separation. Site User further agrees to validate and document, at least semiannually, that the Medical Office Authorized Users then currently permitted to access the System continue to require access to the System and continue to be employees or agents of Site User, using the System’s site verification process.

D. Site User shall be solely responsible for designating and monitoring the appropriate level of access and use of the System based on the job functions and credentialing of each Medical Office Authorized User, including requirements under applicable scope of practice rules.

E. Site User agrees to educate all Medical Office Authorized Users on compliance with the standards and requirements of HIPAA. Site User represents that all of its workforce members have received appropriate HIPAA Training.

F. Site User shall not grant any third party access to the System.

G. Indemnification. Site User agrees to indemnify and hold harmless Johns Hopkins, its governing board, officers, employees and agents, from and against any and all claims, costs, losses, damages, liabilities, expenses, demands, and judgments, including litigation expenses and attorney’s fees, which may arise from Site User’s or any Medical Office Authorized User’s performance under this Agreement or negligent acts or omissions of its subcontractors, agents, or employees, including, but not limited to, any penalties, claims or damages arising from or pertaining to a breach of this Agreement, or the violation of any state or federal law applicable to the use, disclosure or protection of PHI subject to this Agreement. Such indemnification shall include but shall not be limited to the full cost of any required notice to impacted individuals and costs of related remedial actions, including the costs to retain an outside consulting firm, vendor or outside attorneys to undertake the effort.

H. Insurance. During the term of this Agreement, Site User, at its sole cost and expense, shall maintain commercial general liability insurance on an occurrence basis in the minimum amount of $1,000,000. Such liability insurance coverage shall include “cyber liability” insurance coverage.

I. Term. This Agreement is effective on the acceptance hereof by Site User and will continue thereafter from year to year unless terminated by either party upon thirty (30) days written notice, unless otherwise terminated by Johns Hopkins as herein provided.

J. Johns Hopkins has the right, at Site User’s sole cost and expense, at any time, to monitor, audit, and review activities and methods in implementing this Agreement by Site User in order to assure compliance with this Agreement and applicable law.

K. Legally Binding. The party accepting this Agreement represents that s/he has full power and legal authority to bind the Site User to the terms of this Agreement. This Agreement is accepted by Site User upon the representative of Site User clicking “Accept” at the bottom of this Agreement.

4. Access to the System—Other Approved Activities.

This Section 4 applies to all Approved Activities other than to a non-Johns Hopkins medical office practice.

A. Site User involved in any other of the Approved Activities shall be the “Site Administrator” for his/her specific Approved Activities for administering access to the System by Approved Activities Authorized Users. The Site Administrator is responsible for coordinating with Johns Hopkins to establish, modify and terminate accounts that the Approved Activities Authorized Users are permitted to maintain for access to the System. While Site Administrator may have the technical ability to assign or change Approved Activities Authorized Users’ passwords, as part of the process for doing so Site Administrator shall advise all Approved Activities Authorized Users of the necessity for the Approved Activities Authorized User promptly thereafter to establish his/her own password.

B. Each Approved Activities Authorized User shall also complete, in a form and in a manner to be determined by Johns Hopkins, training regarding the requirements of System access and use.

C. Access to the System shall be permitted by Site Administrator only for those individuals who have a reasonable need to access PHI of Johns Hopkins patients for purposes of carrying out their specific Approved Activities. Site User agrees to notify Johns Hopkins within 24 hours to terminate access rights when any Approved Activities Authorized User is no longer involved in the Approved Activities, including but not limited to termination or voluntary separation from his/her employer. Site User further agrees to validate and document, at least semi-annually, that the Approved Activities Authorized Users then currently permitted to access the System continue to require access to the System, using the System’s site verification process.

D. Site User shall be solely responsible for designating and monitoring the appropriate level of access and use of the System based on the job functions of each Approved Activities Authorized User.

E. Term. This Agreement is effective on the acceptance hereof by Site User and will continue thereafter as long as the Approved Activities are being performed, unless terminated by either party upon thirty (30) days written notice, unless otherwise terminated by Johns Hopkins as herein provided.

F. Site User shall not grant any third party access to the System other than for the Approved Activities for which Site User has administrative responsibilities.

G. Johns Hopkins has the right, at any time, to monitor, audit, and review activities and methods in implementing this Agreement by Site User in order to assure compliance with this Agreement and applicable law.

5. Data Ownership--General.

Site User acknowledges and agrees that Johns Hopkins owns all rights, interests and title in and to the data available through the System and that such rights, interests and title shall remain vested in Johns Hopkins at all times. Site User shall not compile and/or distribute data or analyses to third parties utilizing any data accessed or received from or through the System, other than for any Approved Activities, without express written permission from Johns Hopkins.

6. Reporting of Unauthorized Use or Disclosure of PHI-General.

A. Site User shall, within one (1) working day of becoming aware of an unauthorized use (access) or disclosure of PHI obtained through the System by Site User, its officers, directors, employees, contractors, agents, by a third party to which Site User disclosed PHI, or by an Authorized User, report any such use or disclosure to Johns Hopkins.

B. If at any time Site User has reason to believe that the System may have been accessed without proper authorization and contrary to the terms of this Agreement, Site User promptly shall give Johns Hopkins notice and take actions to eliminate the cause of the unauthorized access.

C. Any notice under this Section 6 shall be delivered only via hardcopy delivered by hand or via courier, to the following address:

Johns Hopkins Privacy Office
Location: Suite 300
1812 Ashland Avenue
Baltimore, MD 21205

D. To the extent Johns Hopkins deems warranted, in its sole discretion, Johns Hopkins will provide notice or require Site User to provide notice to individuals whose PHI may have been improperly accessed or disclosed through use of the System.

7. Investigations/Sanctions-General.

Johns Hopkins reserves the right to monitor, review and investigate suspected, reported or identified failures to comply with this Agreement and impose nonmonetary appropriate sanctions. Sanctions may include, but are not limited to, the termination of this Agreement, termination of Site User’s access, or termination of individual Authorized User access. Johns Hopkins reserves the right to report unprofessional conduct to appropriate licensing or other regulatory authorities. Site User agrees to cooperate with Johns Hopkins in order to investigate adequately complaints received involving the Site User’s employees or agents. If Site User is a non-Johns Hopkins medical office practice, it agrees to have a sanctions policy, produce it upon request, and discipline its employees or agents for all breaches involving Johns Hopkins PHI in accordance with HIPAA. Site User understands that lack of adherence to this section allows Johns Hopkins immediately to terminate this Agreement and all associated access privileges.

8. Termination-General.

Johns Hopkins may terminate this Agreement, and Site User’s and all Authorized Users’ access to the System, at any time with or without cause, without any obligation or liability for such termination. Such termination may be immediate in the event Johns Hopkins determines that Site User, or Site User’s directors, officers, employees, contractors or agents have violated a material provision of this Agreement.

9. No Warranty-General.

No warranties are given by Johns Hopkins as to the completeness, accuracy or otherwise of the information that may be accessed through the System, nor as to the continuity, availability, characteristics, functionality or performance of the System. The System is provided “as is.”

10. Limitation of Liability-General.

In no event will Johns Hopkins be liable to any party for (i) any special, direct, indirect, punitive, incidental or consequential damages or any other damages, even if Johns Hopkins has been advised of the possibility of such damages, arising in any way from or in connection with the availability, use, reliance on, or performance of the System; provision of or failure to provide the System; loss of data; access or inability to access or use the System or use and reliance on information or content available on or through the System; or (ii) any claim attributable to errors, omissions, or other dysfunction in, or destructive properties of, arising out of or in connection with the use or performance of the System.

11. Miscellaneous-General.

A. Entire Agreement. This Agreement constitutes the entire agreement between the parties regarding access to the System, and supersedes all prior oral or written agreements, commitments or understandings concerning the matters provided for herein.

B. Independent Parties. Johns Hopkins, on the one hand, and Site User and its Authorized Users, on the other hand, are independent parties and this Agreement does not create a partnership, joint venture or any other type of legal relationship other than a contractual relationship in accordance with the terms of this Agreement.

C. No Assignment. This Agreement, and the permissions and license provide herein, may not be assigned by Site User.

D. Severability. This Agreement must be interpreted as a whole; no portions of this Agreement may be severed from the remaining provisions of this Agreement. If this Agreement is determined to be invalid by a court of competent jurisdiction, then the rights and privileges granted Site User hereunder shall terminate immediately.

E. Amendment. This Agreement may be modified from time to time by Johns Hopkins by subsequent versions that may be made available through System functionality. The provisions in this Agreement may not be modified by Site User by any attachment, letter agreement or other communication or vehicle.

F. Governing Law. The parties’ rights or obligations under this Agreement will be construed in accordance with, and any claim or dispute relating thereto will be governed by, the laws of the State of Maryland.

G. Waiver. Neither the waiver by Johns Hopkins of a breach of or a default under any of the provisions of this Agreement, nor the failure of Johns Hopkins, on one or more occasions, to enforce any of the provisions of this Agreement or to exercise any right or privilege hereunder, will thereafter be construed as a waiver of any subsequent breach or default of a similar nature, or as a waiver of any of such provisions, rights or privileges hereunder.

H. Survival. The obligations to maintain the confidentiality of PHI obtained under this Agreement in accordance with applicable law by Site User and all Authorized Users are not limited or extinguished by termination of this Agreement. The obligation for indemnification provided under Section 3 of this Agreement shall survive termination of this Agreement.

Site User on behalf of a non-Johns Hopkins medical office practice has caused this Agreement to be duly executed on the day and year Accepted by Site User. Site User on behalf of other Approved Activities agrees to perform the applicable tasks and responsibilities as set forth above on the day and year Accepted by Site User.