mehealth for ADHD
Terms and Conditions of License, Use and Services
Last Updated: April 3, 2019
By paying the license fee described below and/or using the mehealth software and materials (each term as defined below) offered by Cincinnati Children’s Hospital Medical Center ("Licensor"), you, on behalf of yourself and your employer ("Licensee") agree to be bound to the terms and conditions contained herein.
Non-paying users of the ADHD Web Portal agree to be bound to the terms and conditions contained herein except for the terms and conditions that are specifically related to payment. Further, the terms and conditions become effective to non-paying users upon accessing the ADHD Web Portal.
Licensor has developed a web portal available at https://secure.mehealth.com/adhd/ designed to support a physician's assessment and treatment of patients with ADHD as more fully described in Exhibit A ("ADHD Web Portal"). In conjunction with the ADHD Web Portal, Licensor has created implementation materials ("Materials") which will be provided to Licensee upon Licensee's acceptance of these terms and conditions of license, use and services and payment of fees for the ADHD Web Portal ("Agreement").
- License. Subject to the terms and conditions of this Agreement, and subject to payment of all applicable fees, Licensor hereby grants to Licensee a non-exclusive, non-transferable license to use for its own internal use for Licensee's patients (i) the ADHD Web Portal, and (ii) the Materials for implementation of the ADHD Web Portal. To receive the license and services hereunder, Licensee is required to provide the resources and complete the tasks described in Exhibit A under "Licensee Requirements". Licensee shall not cause, attempt, or permit reverse-engineering, disassembly, or decompilation of the ADHD Web Portal or otherwise attempt to derive the source code of the ADHD Web Portal. Licensor retains
all rights, title and interest now existing or hereafter in existence in and to the ADHD Web Portal, Materials, source codes, enhancements, modifications, derivative works, training materials, and other proprietary information, including, without limitation, all rights to patents, copyrights, trademarks, and trade secrets. Licensee agrees that it does not acquire any rights, express or implied, therein. Licensee shall not modify or amend the ADHD Web Portal or any Materials or create any derivative works or improvements thereto (all such modifications, amendments, improvements of derivative works collectively referred to as "Modifications") without the prior written consent of Licensor. Modifications, whether authorized or unauthorized, will be solely owned by Licensor and shall be subject to the limited licenses and restrictions set forth in this Agreement. Licensee agrees to execute (and cause its employees and contractors to execute) any additional documents and do all things
necessary or appropriate (at Licensor's expense) to vest and confirm all rights in the ADHD Web Portal, Materials and Modifications (including, without limitation, all patents, copyrights, trade secrets and other intellectual property rights therein, whether now existing or hereafter coming into existence) in Licensor and to facilitate Licensor obtaining any desired legal protection for the same in any countries. Any rights not expressly granted by this Agreement shall not be implied; the license granted pursuant to this Agreement authorizes only the use of the ADHD Web Portal and Materials licensed herein. At Licensor's written request, Licensee shall furnish Licensor with a document signed by Licensee's authorized representative listing the total number of users of the ADHD Web Portal. Licensor reserves the right to audit Licensee's use of the ADHD Web Portal no more than once annually. Licensor shall schedule any audit at least ten (10) days in advance. Any such audit shall be
conducted during regular business hours and may be conducted at Licensee's facilities and shall not unreasonably interfere with Licensee's business activities. If such audit reveals that Licensee has underpaid fees to Licensor, Licensee shall promptly pay to Licensor all applicable fees. The costs of conducting the audit will be paid by Licensor, unless the audit discloses that Licensee's underpayment of license fees exceeds five percent (5%) of the total fees paid by Licensee for the current Agreement term, or that Licensee has otherwise materially breached the terms of this Agreement, in which case Licensee will reimburse Licensor for its reasonable out-of-pocket expenses in performing such audit.
- Description of Services. Licensee engages Licensor as an independent contractor to provide the services set forth in Exhibit A attached hereto and incorporated herein by reference (“Services”).
- Term. This Agreement will become effective upon Licensor's receipt of payment described here ("Effective Date") and will continue for the term of a purchased subscription ("Initial Term"). This Agreement will be renewed by the parties for an additional period based on the purchased subscription term upon expiration of the prior term ("Renewal Term") unless either party provides written notice to the other of its intent to terminate this Agreement at least thirty (30) days prior to the expiration of the then current Initial Term or Renewal Term, as applicable. Licensor may terminate this Agreement upon written notice, effective immediately, due to Licensee's breach of any provision hereof, including
without limitation, payment of all fees due, or in the event Licensee becomes insolvent or ceases to do business. Upon termination of this Agreement, Licensee shall discontinue immediately all use of the ADHD Web Portal, Materials, and Modifications and destroy or otherwise cease display of all printed materials bearing any of the Licensor's copyrights, trademarks or service marks. All rights in the ADHD Web Portal, Materials and Modifications shall remain the property of Licensor. If this Agreement is terminated prior to the first anniversary of the Effective Date, then the parties will not enter into an agreement for the provision of services similar to those provided in this Agreement prior to the first anniversary of the Effective Date.
- Fee and Payment Terms. Licensee will pay Licensor the fees posted at https://www.mehealth.com/products/adhd/. Licensee’s license to use the ADHD Web Portal will automatically renew annually at the then-current rate, unless Licensee cancels prior to the anniversary date of the initial license. In addition, Licensee agrees to pay and be responsible for any and all sales taxes, use taxes, value added taxes and duties imposed by any jurisdiction as a result of the license granted pursuant to this Agreement, or Licensee's use of the Materials and any content entered by Licensee or on behalf of Licensee's patient into the ADHD Web Portal. In the event payment is not
received when due, Licensee's access to https://secure.mehealth.com/adhd/ will be terminated and this Agreement will be terminated. The primary credit or debit card that Licensee has provided will be charged all license fees. If Licensor is unable to process these charges, an alternative card may be charged. To cancel, call 1-877-845-4656 or send an email to support@mehealth.com. Both parties acknowledge and agree that the terms of this Agreement are commercially reasonable and the payments provided are consistent with fair market value for general commercial purposes without regard, directly or indirectly, to the volume or value of any referrals or other business generated or which could in the future be generated between the parties.
- Limitation of Liability. IT IS UNDERSTOOD THAT THE ADHD WEB PORTAL IS INTENDED FOR USE IN CONNECTION WITH LICENSEE'S MEDICAL PRACTICE. LICENSEE AND LICENSEE'S PHYSICIANS AND OTHER MEDICAL PROFESSIONALS HAVE SOLE RESPONSIBILITY TO MAKE ALL DECISIONS RELATED TO PATIENT CARE, INCLUDING WITHOUT LIMITATATION, THE DECISION AS TO THE APPROPRIATENESS OF RELYING ON ANY DATA OBTAINED FROM THE ADHD WEB PORTAL OR ANY INFORMATION RECEIVED BY LICENSEE FROM LICENSOR IN THE COURSE OF LICENSOR PROVIDING SERVICES. LICENSEE ACCEPTS ALL RESPONSIBILITY IN CONNECTION WITH ITS USE OF ANY DATA OBTAINED FROM THE ADHD WEB PORTAL OR ANY INFORMATION RECEIVED BY LICENSEE FROM LICENSOR IN THE COURSE OF LICENSOR PROVIDING SERVICES, INCLUDING RESPONSIBILITY FOR INJURY, DAMAGE AND/OR LOSS RELATED TO SUCH DIAGNOSIS OR TREATMENT. LICENSEE ACKNOWLEDGES
THAT COMPLEX INFORMATION SYSTEMS ARE INHERENTLY SUSCEPTIBLE TO ERRORS AND THAT LICENSOR SHALL HAVE NO LIABILITY FOR THE CONSEQUENCES OF ANY ERRONEOUS DATA OBTAINED FROM THE ADHD WEB PORTAL OR INFORMATION RECEIVED BY LICENSEE FROM LICENSOR. LICENSEE ASSUMES THE RISK OF ANY ERROR OR OMISSION IN THE ADHD WEB PORTAL AND SERVICES. LICENSEE ACCEPTS SOLE RESPONSIBILITY FOR THE ACCURACY AND COMPLETENESS OF DATA INPUT BY END USERS AND THE PROCESS OF INPUTTING SUCH DATA.
- Indemnification. Unless prohibited by state law, Licensee agrees to indemnify, hold harmless, and defend Licensor, its officers, trustees, directors, employees, contractors and agents from and against all loss, liability, claims, suits, demands, costs (including reasonable attorneys' fees), judgments and other expenses arising out of or on account of any use of the ADHD Web Portal, Materials, and/or Modifications, including, but not limited to any claim by or in respect of any individual for death or bodily injury. In no event will Licensor's liability to Licensee for any costs, expenses, or damages, regardless of the form of action, whether based on contract, tort, negligence, strict liability, products
liability or otherwise, ever exceed the amount paid to Licensor hereunder. Under no circumstances will Licensor be liable to Licensee for loss of use or profits or other collateral, special, consequential or other damages, losses, or expenses even if Licensor was notified of the possibility of such damages.
- Disclaimer of Warranties. LICENSOR MAKES NO WARRANTIES, WRITTEN, ORAL, EXPRESS OR IMPLIED, WITH RESPECT TO THE SERVICES IT PROVIDES HEREUNDER. ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OF ANY PATENT, COPYRIGHT, TRADEMARK OR OTHER PROPRIETARY RIGHTS AND WARRANTIES FROM A COURSE OF DEALING OR USE OF TRADE ARE HEREBY DISCLAIMED BY LICENSOR. LICENSEE ACKNOWLEDGES THAT NO REPRESENTATIONS HAVE BEEN MADE WITH RESPECT TO THE ADHD WEB PORTAL, THE MATERIALS, SERVICES, OR ANY OTHER GOODS OR SERVICES PROVIDED, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT INCLUDED IN THIS AGREEMENT. LICENSOR DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY THAT THE ADHD WEB PORTAL, MATERIALS AND/OR SERVICES WILL MEET LICENSEE'S
REQUIREMENTS; THAT THE ADHD WEB PORTAL WILL OPERATE IN COMBINATIONS WITH OTHER HARDWARE, SOFTWARE, SYSTEMS, OR DATA NOT PROVIDED BY LICENSOR WHICH LICENSEE MAY SELECT FOR USE; THAT THE OPERATION OF THE ADHD WEB PORTAL WILL BE UNINTERRUPTED OR ERROR-FREE; OR THAT ALL SOFTWARE ERRORS WILL BE CORRECTED. NO WARRANTIES OF LICENSOR MAY BE CHANGED BY ANY REPRESENTATIVES OF LICENSOR. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, LICENSOR DOES NOT WARRANT THE ACCURACY OR SUITABILITY OF INFORMATION IN THE ADHD WEB PORTAL OR MATERIALS AND SHALL HAVE NO LIABILITY FOR USE OF THE MATERIALS BY LICENSEE OR ANY THIRD PARTY. LICENSOR DOES NOT UNDERTAKE ANY OBLIGATION TO UPDATE OR OTHERWISE MODIFY THE ADHD WEB PORTAL OR MATERIALS.
- Data Use. Licensee grants Licensor a worldwide, perpetual, royalty-free, irrevocable, nonexclusive, fully sublicensable license and right to use, reproduce, modify, adapt, translate, publish, broadcast, transmit and distribute all data Licensee inputs into the ADHD Web Portal for any lawful purposes and in any form, medium, or technology now known or later developed, provided that such data shall be "de-identified" in accordance with the requirements of the Health Insurance Portability and Accountability Act of 1996 prior to any such use by Licensor. Licensee represents and warrants that: (a) Licensee has the full right and authority to grant to Licensor all of the licenses and rights set forth herein; and (b) Licensor's exercise of the license and rights granted pursuant to this license will not violate any applicable law, rule or regulation or the rights of any third party.
- Business Associate Agreement. The parties acknowledge that Licensee is a "Covered Entity" as that term is defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the HIPAA administrative simplification regulations, 45 C.F.R. Parts 160 and Part 164, Subparts A, C and E (Subpart E, together with the definitions in Subpart A is known as the "Standards for Privacy of Individually Identifiable Health Information" (the "Privacy Rule") and Subpart C, together with the definitions in Subpart A, is known as the "Security Standards for the Protection of Electronic Protected Health Information" (the "Security Rule") (the Privacy Rule and the Security Rule are collectively called the "Privacy and Security Rules"). Licensor and Licensee agree to be bound by the terms and conditions contained in the Business Associate Agreement attached hereto and incorporated herein by reference as Exhibit B.
- Miscellaneous
- Medical Records. It is Licensee's sole responsibility to determine whether data input into the ADHD Web Portal or generated by the ADHD Web Portal should be included in a patient's medical record, and if so determined, to ensure such data is included in the applicable medical record. The ADHD Web Portal is not a medical records system and Licensor makes no commitment to maintain any data in the ADHD Web Portal for any period of time.
- Access Information. Licensee acknowledges that Licensor will provide Licensee with user identification codes and passwords for access to the ADHD Web Portal ("Access Information). Licensee will not share its Access Information with any third parties except as permitted by the Materials. In the event any Licensee staff is no longer an employee of Licensee or any party who had access to the ADHD Web Portal no longer needs access (e.g. doctor/patient relationship terminated), Licensee will promptly ensure the applicable Access Information is terminated. Licensee shall be responsible for ensuring that each authorized user of the ADHD Web Portal will: (a) be responsible for the security and/or use of his or her logon identifier; (b) not disclose his or her logon identifier to any person or entity; (c) not permit any other person or entity to use his or her logon identifier.
- No Partnership, etc. This Agreement shall not be construed as establishing a partnership, agency or joint venture between the parties. Neither party shall have any right to obligate or bind the other party in any manner whatsoever, and nothing herein contained shall give, or is intended to give, any rights of any kind to any third parties.
- Assignment. The rights granted to Licensee hereunder shall not be assigned, sublicensed or otherwise transferred by Licensee without the prior written consent of Licensor, and any such attempted transfer without such written consent shall be void and of no effect. This Agreement shall be binding upon the parties hereto and their permitted successors and assigns.
- Refund. If you are not satisfied with your purchase, within 2 weeks from the purchase date, we will fully refund the cost of your order. Any applicable taxes are not refundable, except in certain states and countries where these items are refundable. If you receive a refund for your purchase, in Licensor's sole discretion, licenses will be disabled to prevent further use.
- Severability. In the event that any term or provision of this Agreement shall for any reason be held invalid, illegal or unenforceable in any respect, such invalidity, illegality, or unenforceability shall not affect any other term or provision hereof, and such invalid, illegal or unenforceable term or provision shall be reformed so as to most nearly effect the intent of the parties without invalidity or illegality.
- Force Majeure / Delays. In the event either party will be delayed or hindered in or prevented from performance of any act required hereunder by reasons of strike, lockouts, labor troubles, restrictive government or judicial orders, or decrees riots, insurrection, war, Acts of God, inclement weather or other similar reason or a cause beyond such party's control, then performance of such act will be excused for the period of such delay. Notice of the start and stop of any such force majeure will be provided to the other party. To the extent either party is delayed for reasons set forth above or for other reasons beyond the control of the affected party, any timeline or milestone obligations of said party will be extended for a period of time equal to the number of days of the delay. In the event a party is delayed for reason set forth above or for other reasons beyond the control of the affected party for more than 30 days, the unaffected party will have the right to
terminate this Agreement after 30 days written notification.
- Notices. Any notice required or permitted to be given hereunder by either party hereunder will be in writing and will be deemed delivered upon receipt and will be sent by overnight courier services, charges prepaid, or upon receipt after being delivered personally, when properly addressed. Notices sent to Licensor must be sent to Children’s Hospital Medical Center, Division of Behavioral Medicine and Clinical Psychology, 3333 Burnet Ave, ML 10006, Cincinnati, OH 45229-3039, Attn: Dr. Jeffery Epstein. Notices sent to Licensee's address published on the internet will be considered properly addressed.
- Governing Law. Unless prohibited by state law imposed on Licensee, this Agreement and all matters arising out of or relating to this Agreement shall be governed by the laws of the State of Ohio (excluding its conflict of law provisions) and the provisions of applicable copyright law. The courts located in Hamilton County, Ohio shall have exclusive jurisdiction and venue over any suit or action against Licensor arising out of or relating to this Agreement. Licensee hereby consents to the personal jurisdiction of such courts and waives any objections to such venue.
- Entire Agreement; Modifications. This Agreement sets forth the entire agreement with respect to the subject matter hereof and supersedes any prior agreements or understandings relating to the subject matter hereof. Any waiver, modification, or cancellation of any terms or conditions of this Agreement must be in writing, and no waiver by Licensor, whether express or implied, of any breach or default by Licensee shall constitute a continuing waiver of any term or provision of this Agreement. Cincinnati. Children’s Hospital Medical Center may modify these Terms and Conditions of Use at any time. It is your responsibility to periodically check for updated terms. By using this system, you agree to the terms and conditions of use which are current at the time of your use.
Exhibit A
ADHD Web Portal Synopsis: Licensor offers a consultative and technological tool to physicians designed to support assessment and treatment of ADHD patients. Physicians learn how to integrate the American Academy of Pediatrics ("AAP") guidelines for ADHD into daily clinical practice using a web-based portal to guide assessment and treatment. This online tool assists primary care providers and their clinical and non-clinical office staff members (including front desk personnel, telephone triage nurses, physician assistants and nurse practitioners) in using quality improvement methods to develop policies and procedures that improve and streamline the flow of ADHD patients through the evaluation and treatment process. Licensor's goal is to help physicians achieve greater efficiency, accuracy and confidence in the diagnosis and management of patients with ADHD within their practice.
What is Offered?
- Access to the ADHD Web Portal provides:
- Online training
- Online mapping wizard to create ADHD patient flow
- Online collection of rating scales from parents and teachers used during assessment to help make a diagnosis of ADHD and used after diagnosis to help monitor medication treatment response
- Automated schedules of rating scale distribution and collection for medication dosing and monitoring
- Online integrative patient assessment and treatment reports
- Automatic warnings of patient behavioral deterioration or demonstration of problematic side effects during treatment
- Online information for parents, teachers, and physicians
- Online tools to allow parents and teachers to create and implement behavioral interventions
- Easy teacher-parent-physician communication
- Real-time physician performance monitoring on the diagnosis and treatment of ADHD patients that can be used for recertification
- Online Plan-Do-Study-Act (PDSA) wizard to facilitate continuous quality improvement
- Available apps for several electronic health records that allow integration between mehealth for ADHD and the electronic health record
- Integrated user interface
- Pulling of medication information from EHR into mehealth
- Progress note tool
- Online registry of ADHD patients
- Materials to effectively implement the AAP guidelines, including without limitation:
- Rating scales
- Interview scripts
- Treatment algorithms
- Services
- 4 Part Online Training
- ADHD Guideline Training: Verbal and visual didactic session which introduces you to the AAP evidence-based guidelines assessing and treating ADHD.
- Web Portal Training: Verbal didactic session with concurrent "hands-on" computer training which navigates through all the assessment and treatment functions and features of the web portal.
- Office Flow Training: Interactive Q & A session which utilizes a "mapping wizard" with guidance through the process of restructuring office flow. This exercise is designed to assist with identifying the essential tasks and responsibilities that need to be considered in order to successfully implement the AAP ADHD guidelines. (**ATTENTION: This training session can only be accessed from the Managers Account and, for best results, should be conducted with key members of office support staff in attendance.**)
- Maintenance of Certification, part 4b/ AMA PI CME Training: Verbal and visual didactic session which teaches how to use quality improvement tools for monitoring personal performance and implementing tests of change (PDSA cycles). Material presented in this session will enable Licensee to complete the requirements for either ABP, Part 4b MOC re-certification or AMA PI CME credit. In addition, this didactic will provide valuable billing and coding information that may enable enhanced reimbursement for ADHD patient care.
- Technical assistance with the ADHD Web Portal
- Technical assistance is available for all ADHD Web Portal users (physicians, office staff, parents, teachers)
- Technical assistants will provide users with information about how to access and use features of the ADHD Web Portal (e.g., signing in, passwords, accessing reports, transferring patients)
- Technical assistants will refer any question pertaining to the clinical care of a child back to Licensee
- Technical assistants will be available from 9:00 am – 5:00 pm Monday – Friday except for Licensor's holidays; all calls after these hours will be answered within 24 hours.
- Eligibility for Accreditation for the American Board of Pediatrics "Performance in Practice" requirement
Licensee Requirements
- Identify a lead ADHD physician and an ADHD office champion
- Lead ADHD Physician Responsibilities
- Encouraging physician and staff participation
- ADHD Office Champion Responsibilities (Usually an office manager, RN, MA)
- Primary contact with Licensor
- Arranges trainings and consultations
- Partners with Lead ADHD Physician to facilitate change
- Manages the ADHD Web Portal
- Checks report card on ADHD Web Portal
- Share with office staff
- Lead discussion of office modifications to promote improvements
- All physicians and office champion at practice complete trainings
- Internet access at office
- Provide email address for physicians and ADHD office champion
- If compatible mehealth app for practice EHR, technical support at practice will need to install mehealth for ADHD app on EHR.
- In order to receive MOC "Performance in Practice" credits, physicians will need to perform a self-study chart audit, complete all four trainings, demonstrate ADHD care with minimum of 10 patients, post a minimum of three Tests of Change (i.e., PDSAs), meet goal thresholds for three out of 13 measures, and participate for a minimum of 3 months.
Exhibit B
BUSINESS ASSOCIATE AGREEMENT
Cincinnati Children’s Hospital Medical Center
This Business Associate Agreement ("Agreement") is entered into by and between Licensee ("Covered Entity") and Licensor ("Business Associate"), effective as of the Effective Date.
RECITALS
Covered Entity and Business Associate are parties to an arrangement or separate agreement ("Underlying Agreement"), under which Business Associate provides certain services in the nature of website hosting, related services and de-identification of patient data to Covered Entity. In connection with Business Associate's provision of services to Covered Entity, Covered Entity discloses to Business Associate "Protected Health Information" ("PHI"), including "Electronic Protected Health Information" ("ePHI"), as defined in 45 C.F.R. §160.103. Such disclosure results in Business Associate's use, disclosure, maintenance and/or creation of PHI, including ePHI, on behalf of Covered Entity.
Business Associate's provision of services to Covered Entity, when coupled with Covered Entity's disclosure of PHI to Business Associate, makes Business Associate a "business associate" of Covered Entity, as the term is defined in as defined in 45 C.F.R. §160.103.
The purpose of this Agreement is to comply with the requirements of the Privacy and Security Rules, including, but not limited to, the Business Associate Agreement requirements at 45 C.F.R. §§ 164.314(a) and 164.504(e), and to satisfy the provisions of the Health Information Technology for Economic and Clinical Health Act, set forth in Division A, Title XIII, of the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance (collectively, "HITECH") that: (i) affect the relationship between a Business Associate and Covered Entity; and (ii) enable Covered Entity to comply with HITECH's requirements to notify affected individuals in the event of a Breach of Unsecured Protected Health Information.
Covered Entity's disclosure of PHI to Business Associate, and Business Associate's use, disclosure and creation of PHI for or on behalf of Covered Entity, is subject to protection and regulation under the Privacy Rule. To the extent such use, disclosure or creation involves ePHI, such ePHI is subject to protection and regulation under the Security Rule. Business Associate acknowledges it shall comply with the Privacy and Security Rules regarding the use and disclosure of PHI and ePHI, pursuant to this Agreement and when and as required by HITECH and its implementing regulations.
Therefore, Covered Entity and Business Associate agree as follows:
- Definitions.
- Unless otherwise provided in this Agreement, capitalized terms have the same meanings as set forth in the Privacy Rule, Security Rule, and HITECH.
- "PHI" means "Protected Health Information," as that term is defined in the Privacy and Security Rules. "ePHI" means "Electronic Protected Health Information," as that term is defined in the Privacy and Security Rules. PHI includes PHI that is ePHI as well as PHI that does not constitute ePHI.
- "Unsecured PHI" or "Unsecured Protected Health Information" includes PHI in any form that is not secured through use of a technology or methodology specified in the HITECH, those being: (1) encryption for ePHI in accordance with the appropriate NIST standards for data at rest and in transit; or (2) destruction for other forms of PHI.
- Scope of Uses and Disclosures by Business Associate.
- In General. Except as otherwise limited in this Agreement or by law, Business Associate may use or disclose PHI provided to Business Associate by Covered Entity to perform the functions, activities, or services for or on behalf of Covered Entity that are specified in the Underlying Agreement, provided that such uses or disclosures would not violate the Privacy Rule if done by Covered Entity or the Minimum Necessary policies and procedures of Business Associate.
- Use of PHI. Except as otherwise limited in this Agreement or by law, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- Disclosure of PHI. Except as otherwise limited in this Agreement or by law, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances, in writing, from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate, in writing, within five (5) business days, of any instances of which it is aware in which the confidentiality of the information has been breached.
- Data Aggregation. Except as otherwise limited in this Agreement or by law, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
- De-Identification. Business Associate may de-identify any and all PHI created or received by Business Associate under this Agreement or the Underlying Agreement, provided however, that the de-identification conforms to the requirements of the Privacy Rule. Such resulting de-identified information would not be subject to the terms of this Agreement.
- Limitation on Use and Disclosure of PHI. With regard to its use and/or disclosure of PHI necessary to perform its obligations to Covered Entity, Business Associate agrees to limit disclosures of PHI to the Minimum Necessary (as defined in the Privacy Rule, as modified by HITECH and implementing regulations) to accomplish the intended purpose of the use, disclosure or request, respectively, whenever the Privacy Rule limits the use or disclosure in question to the Minimum Necessary.
- Limitation on Remuneration for PHI. With regard to its use and/or disclosure of PHI necessary to perform its obligations to Covered Entity and to comply with HITECH, Business Associate agrees not to receive direct or indirect remuneration for any exchange of PHI not otherwise authorized under HITECH without individual authorization, unless (i) specifically required for the provision of services under the Underlying Agreement (ii) for treatment purposes; (iii) providing the individual with a copy of his or her PHI; or (iv) otherwise determined by the Secretary in regulations.
- Reporting Violation of Law. Business Associate may use PHI to report a violation of law to appropriate Federal and/or State authorities, consistent with 45 CFR §164.502(j)(1).
- Obligations of Business Associate.
- In General. Business Associate shall use or further disclose PHI only as permitted or required by this Agreement or as required by law.
- Safeguards. Business Associate shall use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as specifically authorized by this Agreement. Such safeguards shall at a minimum include: (i) a comprehensive written information privacy and security policy addressing the requirements of the Privacy and Security Rules, as amended by HITECH, that are directly applicable to Business Associate; and (ii) periodic and mandatory privacy and security training and awareness for members of Business Associate's Workforce.
- Mitigation. Business Associate shall mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that violates the requirements of this Agreement or applicable law.
- Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI that is not sanctioned by this Agreement of which Business Associate becomes aware within five (5) business days.
- Subcontractors. Business Associate shall require subcontractors or agents to whom Business Associate provides PHI to agree, in writing, to comply with the Privacy and Security Rules, as amended by HITECH, to the same extent Business Associate is required to comply.
- Inspection by Secretary. Business Associate shall make available to the Secretary of Health and Human Services Business Associate's internal practices, books and records relating to the use and disclosure of PHI for purposes of determining Covered Entity and Business Associate's compliance with the Privacy and Security Rules and HITECH, subject to any applicable legal privileges.
- Accounting of Disclosures of PHI. Business Associate shall document disclosures of PHI and information related to those disclosures necessary to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Privacy Rule, when and as required by HITECH, and provide to Covered Entity, and in the time and manner it reasonably specifies but in no case longer than five (5) business days, the information necessary to make an accounting of disclosures of PHI about an Individual. If PHI is maintained in an Electronic Health Record ("EHR"), Business Associate shall document and maintain documentation of such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures in an EHR, when and as required by HITECH.
- Access to PHI. Business Associate shall provide to Covered Entity, at Covered Entity's request and in the time and manner it reasonably specifies but in no case longer than ten (10) business days, PHI necessary to respond to Individuals' requests for access to PHI about them, in the event that the PHI in Business Associate's possession constitutes a Designated Record Set. If PHI is maintained in an Electronic Health Record, Business Associate shall provide access electronically, upon reasonable request of Covered Entity, when and as required by HITECH.
- Amendment to PHI. Business Associate shall, upon receipt of notice from Covered Entity but in no case longer than ten (10) business days, incorporate any amendments or corrections to the PHI in accordance with the Privacy Rule, in the event that the PHI in Business Associate's possession constitutes a Designated Record Set.
- Security of PHI. Business Associate shall, as described in HITECH Act §13401, comply with 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 of the Security Rule and acknowledges that such provisions apply to Business Associate in the same manner that they apply to Covered Entity. Therefore, Business Associate agrees that it is required to maintain appropriate and reasonable administrative, physical, and technical safeguards, including documentation of the same, so as to ensure that PHI is not used or disclosed other than as provided by this Agreement or as required by law, including the following:
- Administrative safeguards (implementation of policies and procedures to prevent, detect, contain, and correct security violations; conducting and documentation of risk analysis and risk management);
- Physical safeguards (implementation of policies and procedures to limit physical access to PHI or ePHI or electronic information systems and related facilities);
- Technical safeguards (implementation of policies and procedures creating and tracking unique user identification, authentication processes, and transmission security, which may include encryption);
- Policies and procedures to reasonably and appropriately document the foregoing safeguards as required by the Security Rule; and
- Ensuring that any agent, including any subcontractor, to whom Business Associate provides ePHI agrees, in writing, to comply with these administrative, physical, and technical safeguards, as well as the policies, procedures, and document requirements contained within the Security Rule.
- Civil and Criminal Liability. Business Associate acknowledges that it shall be liable under the civil and criminal enforcement provisions set forth at 42 USC §§1320d-5 and 1320d-6, as amended from time to time, for failure to comply with any use or disclosure requirements of this Agreement with respect to PHI and for failure to comply with its direct obligations under the Privacy and Security Rules and HITECH.
- Notification of Security Incidents and Breach of Unsecured PHI. Business Associate shall promptly following discovery, notify Covered Entity of any actual or suspected Security Incident or Breach of Unsecured Protected Health Information. The notice shall include: (i) the identification of each Individual whose PHI or Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, used or disclosed during the Security Incident or Breach, (ii) a brief description of what happened, including the date of the Security Incident or Breach and the date of the discovery of the Security Incident or Breach, (iii) a description of the types of PHI or Unsecured PHI that were
involved in the Security Incident or Breach, (iv) any preliminary steps taken to mitigate the damage, and (v) a description of any investigatory steps taken. Such notice shall be supplemented as Business Associate learns more information. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating a Breach of Unsecured PHI. A Breach shall be treated as discovered by Business Associate as of the first day on which the Breach is known to Business Associate (including any person, other than the Individual committing the Breach, that is an employee, officer, or other agent of Business Associate) or should reasonably have been known to Business Associate to have occurred. Covered Entity shall have the sole right to determine, with respect to a Breach: (i) whether notice is to be provided to Individuals, regulators, law enforcement agencies, consumer reporting agencies, media outlets and/or the Department of
Health and Human Services, or others as required by law or regulation, in Covered Entity's discretion; and (ii) the contents of such notice, whether any type of remediation may be offered to Individuals affected, and the nature and extent of any such remediation. The provision of the notices to affected Individuals, and any remediation which Covered Entity determines is required or reasonably necessary, shall be at Business Associate's sole cost and expense. The Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of
the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
- Obligations of Covered Entity.
- Limitation in Notice of Privacy Practices. Covered Entity will notify Business Associate of any limitation in Covered Entity's Notice of Privacy Practices in accordance with the Privacy Rule, to the extent that the limitation may affect Business Associate's use or disclosure of PHI.
- Changes in Permission by Individual. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent that the change may affect Business Associate's use or disclosure of PHI.
- Restriction on Use/Disclosure of PHI. Covered Entity will notify Business Associate of any restriction on the use or disclosure of PHI that has been agreed to with an Individual and any restrictions on marketing or fundraising to the extent that the restriction may affect Business Associate's use or disclosure of PHI.
- Permitted by the Privacy Rule or HITECH. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or HITECH if done by Covered Entity, except to the extent Business Associate will use or disclose PHI for, and this Agreement includes provisions for, Data Aggregation by or for management, administrative, and legal activities of Business Associate.
- Term and Termination.
- Term of the Agreement. The term of this Agreement begins on the Effective Date and ends when all of the PHI provided to Business Associate by Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. To the extent it is infeasible for Business Associate to return or destroy the PHI, upon the agreement of Covered Entity, protections shall be extended to that PHI in accordance with the termination provisions in this Section.
- Termination for Breach. Either party may terminate this Agreement if it determines that the other party has breached a material term of this Agreement. Alternatively, the non-breaching party may choose to provide the breaching party with notice of the existence of an alleged material breach and afford an opportunity to cure the material breach. If the breaching party fails to cure the breach to the satisfaction of the non-breaching party, the non-breaching party may immediately thereafter terminate this Agreement and report the breaching party to the Secretary.
- Automatic Termination. This Agreement will automatically terminate on the date Business Associate ceases to provide the services described in the Underlying Agreement.
- Effect of Termination. Upon termination of this Agreement, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains and will retain no copies of that PHI. However, if this return or destruction is not feasible, upon the agreement of Covered Entity, then Business Associate will extend the protections of this Agreement to the PHI and will limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- Agreement. Covered Entity and Business Associate agree to take any reasonable action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of the Privacy and Security Rules, HITECH, and any other implementing regulations or guidance.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy and Security Rules and HITECH.
- Survival. The obligations of Business Associate under Section 5(d) of this Agreement survive any termination of this Agreement.
- No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything in this Agreement confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- Notices. Any notices required by this Business Associate Agreement will be sent to the party's address provided below by (i) registered or certified mail or by private delivery service that provides receipts to the sender and recipient, (ii) personally delivered, or (iii) by regular mail. Each party reserves the right to designate a different address for notices to be sent. Notices are deemed given on (i) the date shown on the registered mail, certified mail or private delivery service receipt, (ii) the date personally delivered, or (iii) two business days after the date of mailing of a notice sent by regular mail. All notices to Business Associate must be sent to Children’s Hospital Medical Center,
Division of Behavioral Medicine and Clinical Psychology, 3333 Burnet Ave, ML 10006, Cincinnati, OH 45229-3039, Attn: Dr. Jeffery Epstein. All notices sent to Covered Entity at its address posted on the internet will be considered properly addressed.