Skip survey header

HSS Care Link Application

Site User:  Agreement for Access to Protected Health Information Between Hospital for Special Surgery and Site User

Download site agreement copy for review


THIS AGREEMENT for Access to Protected Health Information is entered into between Hospital for Special Surgery and its affiliates (hereinafter “HSS”), and the physician practice or other user site identified as a signatory here (hereinafter “Site User”).

Recitals

HSS uses a certain electronic medical record system and related functionality, called “HSS Care Link” (the “System”), which allow users to access certain patient electronic health records to which they otherwise would not have access.

This Agreement is applicable in two circumstances: (i) to grant access to the System by a non-HSS medical or other health care office practice; or (ii) for certain activities that have been approved by HSS for use of the System for unique and special activities, where the “Site User” and “Site Administrator” is employed and/or affiliated in some capacity by or with HSS.

The System allows these users to view the HSS electronic health records (“EHR”) of patients for the purpose of treatment, care coordination, payment related activities, and other approved activities and to communicate with the HSS care team (individually or collectively “Approved Activities”) to the extent permitted without patient authorization in accordance with the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, and the rules and regulations promulgated thereunder, as may be amended from time to time, and further subject to the Recovery and Reinvestment Act of 2009, including its provisions commonly known as the “HITECH Act,” and rules and regulations promulgated thereunder, as may be amended from time to time (all collectively, “HIPAA”).

Site User provides or coordinates professional or other medical and/or healthcare services to, or is otherwise involved with Approved Activities involving, patients who are or were HSS patients or study subjects.

HSS believes that access to the EHR by Site User will substantially improve the quality of the Approved Activities and therefore would like to allow access to the System by Site User, and those employed or authorized by Site User, subject to the restrictions and other requirements set forth in this Agreement.

Site User has agreed to use the System in accordance with this Agreement to improve the quality and efficiency of the medical and healthcare services Site User provides to patients who receive care at HSS, or to facilitate the processing of payment related activities for health care services received at HSS, to facilitate research oversight, to assist with care coordination or to coordinate other Approved Activities, as applicable.

NOW, THEREFORE, in consideration of the premises, the mutual agreements and covenants herein contained, and other good and valuable consideration, the receipt and sufficiency of which hereby are acknowledged, the parties hereto agree as follows:

1. License for Use.

A. Subject to the terms and conditions of this Agreement, HSS hereby grants Site User a non-transferable and non-exclusive access (the “System License”) to the System (i) if Site User is a non-HSS medical and/or other healthcare office practice, to permit its medical and/or healthcare providers (MDs, RNs, LPNs, NAs, PAs, CMAs, NPs, Physical Therapists) as provided to HSS upon application for System (each a “Medical Provider”), and their employed or affiliated administrative and/or billing/coding personnel (collectively “Authorized Users”), to electronically access and use the System for Approved Activities for patients of Medical Provider.

Site User agrees that HSS may terminate individual Authorized Users’ access and/or the entire System License at any time for any reason without penalty, regardless of any effect such termination may have on Site User’s operations.

B. Unless otherwise agreed by HSS, Site User acknowledges and agrees that any hardware, software, network access or other components necessary for Site User to access and use the System must be obtained separately by Site User. HSS, by reason of this Agreement, shall not be responsible for the procurement, installation or maintenance of any necessary components, and HSS makes no representations or warranties regarding the components whatsoever. Any fees for the components shall be borne by Site User and paid directly to the suppliers of the components.

2. Conditions of Use of the System.

A. Neither Site User nor any Authorized User shall use or disclose Protected Health Information (“PHI”) obtained through the System in any manner that would constitute a violation of federal or state law, including, but not limited to, HIPAA. Site User shall ensure that its directors, officers, employees, contractors and agents, or those to whom Site User grants access pursuant to this Agreement, use (access) and disclose PHI obtained through the System only in accordance with the provisions of this Agreement and federal and state law. Site User and Authorized Users shall not disclose PHI in any manner other than as permitted by this Agreement. Site User agrees that all information accessed through the System will be maintained in the strictest confidentiality and in the same manner as Site User safeguards the confidentiality of other patient care records to which it is entitled to access, or as required by state and federal law.

B. Site User and each Authorized User agree to implement and utilize the System solely for the purposes of treatment and care coordination of their patients, and/or payment related activities relevant to their patients, or other Approved Activities, as appropriate, to the extent permitted without patient authorization by HIPAA. Site User and each Authorized User shall use the System in accordance with any network security policies issued by HSS from time to time, including but not limited to the requirement that each Site User and each Authorized User agrees to comply with the following policies:
  1. Maintain the confidentiality of any user ID, password, or other access control device provided by HSS and will not disclose such user ID, password, or other access control device to any third party, except as expressly authorized by the Agreement or by other written instructions provided by HSS;
  2. Not attempt to access any data or systems which are not permitted under this Agreement;
  3. Not tamper with, compromise, or attempt to circumvent, or bypass any security pertaining to Hospital’s systems, electronic or otherwise (any of which may be referred to as a “Security Violation”), and, to that end, Site User and each Authorized User assumes responsibility and liability for any access to data or systems arising out of or resulting in any Security Violation;
  4. Take reasonable precautions not to allow entry of any virus or any other contaminant codes, commands, or instructions that may be used to access, alter, delete, damage, or disable HSS’s data, systems, or other software or property;
  5. Not install or download any unauthorized software;
  6. Maintain the confidentiality of any data and systems to which Site User and Authorized User has access and use such data and systems only as expressly authorized by the Agreement; and
  7. Site User and/or Authorized User shall notify HSS immediately if it suspects that HSS’s network connection or any data or systems to which it has access has been compromised, or in the event that it suspects or knows of a breach of any of the foregoing.
C. Site User understands and agrees that such access to, and use of, the System shall be limited to that achieved through unique access codes provided to each individual Authorized User by HSS as hereinafter provided, and further agrees that each Authorized User shall be prohibited from using another Authorized User’s access code to access and/or use the System.

D. Site User agrees that it will implement all appropriate technical, administrative and physical safeguards to prevent unauthorized use or disclosure of PHI. Site User agrees to comply with all federal and state laws and regulations regarding privacy, security, and electronic exchange of health information, as currently enacted or amended in the future.

3. Access to the System

A. Site User shall designate one individual employed by Site User to be the “Site Administrator” for administering access to the System by Authorized Users. Site User, upon request, shall provide HSS with the name and direct contact information for the Site Administrator as well as for its Privacy Officer (who may be the same individual as the Site Administrator). The Site Administrator is responsible for coordinating with HSS to establish, modify and terminate accounts that the Authorized Users are permitted to maintain for access to the System and/or other additional related duties as may be set forth from time to time. While Site Administrator may have the technical ability to assign or change Authorized Users’ passwords, as part of the process for doing so Site Administrator shall advise all Authorized Users of the necessity for the Authorized User promptly thereafter to establish his/her own password.  The Site Administrator and/or Privacy Officer shall be subject to the following expectations and duties:
  • Assist HSS in confirming that a treatment relationship exists between Site User and/or Authorized User and patient for records viewed via System.
  • Assist HSS in investigating any potential unauthorized access or disclosure of PHI obtained from System by Site User and/or Authorized Users.
  • Ensure the Site User takes appropriate disciplinary and corrective action as required by HIPAA if any Authorized User accesses or discloses information obtained from System for a purpose unrelated to the patient’s treatment by the entity.
  • Where appropriate, coordinate with Hospital in providing written notification and/or credit monitoring to patients in the event of a data breach involving System data and Authorized Users.
B. Each Authorized User shall also complete, in a form and in a manner to be determined by HSS, training regarding the requirements of System access and use. Before access to the System is granted, each Authorized User shall be informed of the basic terms of this Agreement and must select “ACCEPT” to the terms of the online Terms and Conditions of Use, as those Terms and Conditions may be amended from time to time (current version of Terms and Conditions is attached hereto and incorporated herein by reference). Site User agrees to ensure that each Authorized User approved for access under this Agreement adheres to the requirements of this Agreement and the Terms and Conditions. Each Site User and/or Authorized User shall use System in accordance with any training and certifications as may be required by HSS.

C. For purposes of this Agreement, access to the System shall be permitted only for such categories of employees of Site User who have a reasonable need to access PHI of HSS patients for purposes of carrying out their healthcare treatment or payment related duties to such patients. Site User agrees to notify HSS within 24 hours to terminate access rights when any Authorized User is separated from employment of Site User for any reason, including but not limited to termination or voluntary separation. Site User further agrees to validate and document, at least every thirty (30) days, that the Authorized Users then currently permitted to access the System continue to require access to the System and continue to be employees or agents of Site User, using the System’s site verification process.

D. Site User shall be solely responsible for designating and monitoring the appropriate level of access and use of the System based on the job functions and credentialing of each Authorized User, including requirements under applicable scope of practice rules.

E. Site User agrees to educate all Authorized Users on compliance with the standards and requirements of HIPAA. Site User represents that all of its workforce members have received appropriate HIPAA Training.

F. Site User shall not grant any third party access to the System.

G. Indemnification. Site User agrees to indemnify and hold harmless HSS, its governing board, officers, employees and agents, from and against any and all claims, costs, losses, damages, liabilities, expenses, demands, and judgments, including litigation expenses and attorney’s fees, which may arise from Site User’s or any  Authorized User’s performance under this Agreement or negligent acts or omissions of its subcontractors, agents, or employees, including, but not limited to, any penalties, claims or damages arising from or pertaining to a breach of this Agreement, or the violation of any state or federal law applicable to the use, disclosure or protection of PHI subject to this Agreement. Such indemnification shall include but shall not be limited to the full cost of any required notice to impacted individuals and costs of related remedial actions, including the costs to retain an outside consulting firm, vendor or outside attorneys to undertake the effort.

H. Insurance. During the term of this Agreement, Site User, at its sole cost and expense, shall maintain commercial general liability insurance on an occurrence basis in the minimum amount of One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the annual aggregate. Such liability insurance coverage shall include “cyber liability” insurance coverage.  The above foregoing insurance limits may be satisfied by applicable excess or umbrella liability insurance. The foregoing insurance must be affected under valid and enforceable policies eligible to do business in the state of New York and with an AM Best rating of A- VIII or better. If any of the applicable insurance is written on a claims-made basis, Site User must maintain coverage in force for a period of at least three (3) years following completion of the contract.  All insurance policies must list the Hospital for Special Surgery and its affiliates as additional insureds. All insurance policies will be primary and non-contributory to any insurance in effect for the Hospital for Special Surgery. None of the required insurance should be cancelled without 30 days prior notice to the Hospital for Special Surgery. Prior to the commencement of the Agreement, Site User will provide the Hospital for Special Surgery with a certificate evidencing such insurance.

I. Term. This Agreement is effective on the acceptance hereof by Site User and will continue thereafter from year to year unless terminated by either party upon thirty (30) days written notice, unless otherwise terminated by HSS as herein provided.

J. HSS has the right, at Site User’s sole cost and expense, at any time, to monitor, audit, and review activities and methods in implementing this Agreement by Site User in order to assure compliance with this Agreement and applicable law.

K. Legally Binding. The party accepting this Agreement represents that s/he has full power and legal authority to bind the Site User to the terms of this Agreement. This Agreement is accepted by Site User upon the representative of Site User clicking “Accept” at the bottom of this Agreement.

4. Data Ownership--General.

Site User acknowledges and agrees that HSS owns all rights, interests and title in and to the data available through the System and that such rights, interests and title shall remain vested in HSS at all times. Site User shall not compile and/or distribute data or analyses to third parties utilizing any data accessed or received from or through the System, other than for any Approved Activities, without express written permission from HSS.

5. Reporting of Unauthorized Use or Disclosure of PHI-General.

A. Site User shall, within one (1) working day of becoming aware of an unauthorized use (access) or disclosure of PHI obtained through the System by Site User, its officers, directors, employees, contractors, agents, by a third party to which Site User disclosed PHI, or by an Authorized User, report any such use or disclosure to HSS.

B. If at any time Site User has reason to believe that the System may have been accessed without proper authorization and contrary to the terms of this Agreement, Site User promptly shall give HSS notice and take actions to eliminate the cause of the unauthorized access.

C. Any notice under this Section 6 shall be delivered only via hardcopy delivered by hand or via courier, to the following address:

HSS Privacy Officer
535 East 70th Street
New York, NY 10021

D. To the extent HSS deems warranted, in its sole discretion, HSS will provide notice or require Site User to provide notice to individuals whose PHI may have been improperly accessed or disclosed through use of the System.

6. Investigations/Sanctions-General.

HSS reserves the right to monitor, review and investigate suspected, reported or identified failures to comply with this Agreement and impose nonmonetary appropriate sanctions. Sanctions may include, but are not limited to, the termination of this Agreement, termination of Site User’s access, or termination of individual Authorized User access. HSS reserves the right to report unprofessional conduct to appropriate licensing or other regulatory authorities. Site User agrees to cooperate with HSS in order to investigate adequately complaints received involving the Site User’s employees or agents. Site User agrees to have a sanctions policy, produce it upon request, and discipline its employees or agents for all breaches involving HSS PHI in accordance with HIPAA. Site User understands that lack of adherence to this section allows HSS immediately to terminate this Agreement and all associated access privileges.

7. Termination-General.

HSS may terminate this Agreement, and Site User’s and all Authorized Users’ access to the System, at any time with or without cause, without any obligation or liability for such termination. Such termination may be immediate in the event HSS determines that Site User, or Site User’s directors, officers, employees, contractors or agents have violated a material provision of this Agreement.

8. No Warranty-General.

No warranties are given by HSS as to the completeness, accuracy or otherwise of the information that may be accessed through the System, nor as to the continuity, availability, characteristics, functionality or performance of the System. The System is provided “as is.”

9. Limitation of Liability-General.

In no event will HSS be liable to any party for (i) any special, exemplary, direct, indirect, punitive, incidental or consequential damages or any other damages, even if HSS has been advised of the possibility of such damages, arising in any way from or in connection with the availability, use, reliance on, or performance of the System; provision of or failure to provide the System; loss of data; access or inability to access or use the System or use and reliance on information or content available on or through the System; or (ii) any claim attributable to errors, omissions, or other dysfunction in, or destructive properties of, arising out of or in connection with the use or performance of the System.

10. Miscellaneous-General.

A. Entire Agreement. This Agreement constitutes the entire agreement between the parties regarding access to the System, and supersedes all prior oral or written agreements, commitments or understandings concerning the matters provided for herein.

B. Independent Parties. HSS, on the one hand, and Site User and its Authorized Users, on the other hand, are independent parties and this Agreement does not create a partnership, joint venture or any other type of legal relationship other than a contractual relationship in accordance with the terms of this Agreement.

C. No Assignment. This Agreement, and the permissions and license provide herein, may not be assigned by Site User.

D. Severability. This Agreement must be interpreted as a whole; no portions of this Agreement may be severed from the remaining provisions of this Agreement. If this Agreement is determined to be invalid by a court of competent jurisdiction, then the rights and privileges granted Site User hereunder shall terminate immediately.

E. Amendment. This Agreement may be modified from time to time by HSS by subsequent versions that may be made available through System functionality. The provisions in this Agreement may not be modified by Site User by any attachment, letter agreement or other communication or vehicle.

F. Governing Law. The parties’ rights or obligations under this Agreement will be construed in accordance with, and any claim or dispute relating thereto will be governed by, the laws of the State of New York.

G. Waiver. Neither the waiver by HSS of a breach of or a default under any of the provisions of this Agreement, nor the failure of HSS, on one or more occasions, to enforce any of the provisions of this Agreement or to exercise any right or privilege hereunder, will thereafter be construed as a waiver of any subsequent breach or default of a similar nature, or as a waiver of any of such provisions, rights or privileges hereunder.

H. Survival. The obligations to maintain the confidentiality of PHI obtained under this Agreement in accordance with applicable law by Site User and all Authorized Users are not limited or extinguished by termination of this Agreement. The obligation for indemnification provided under Section 3 of this Agreement shall survive termination of this Agreement.

I. Except in communications internal to the using party which are appropriately undertaken by such party in connection with the subject matter of this Agreement, neither party shall make use of the name, nickname, trademark, logo, service mark, trade dress or other name, term, mark or symbol identifying or associated with the other party without the prior written consent of the other party to the specific use in question.

J. Site User agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from HSS, or created or received on behalf of HSS, available to Hospital and to the Secretary of the U.S. Department of Health and Human Services for purposes of determining HSS’s and Site User’s compliance with HIPAA standards. Site User promptly shall provide to HSS a copy of any documentation that Site User provides to the Secretary.

K. Site User acknowledges that it is the responsibility of Authorized Users to monitor and manage all System messages (called “InBasket messages”) which may be time sensitive and related to patient care. Site User understands the HSS does not monitor Site User’s Authorized Users’ InBasket messages and expressly disclaims any responsibility for managing the timeliness of responses to Authorized Users’ InBasket messages.

Site User on behalf of a non-HSS medical and/or healthcare office practice has caused this Agreement to be duly executed on the day and year Accepted by Site User. Site User on behalf of other Approved Activities agrees to perform the applicable tasks and responsibilities as set forth above on the day and year Accepted by Site User.

Signed By *This question is required.
Clear
Signature of
0%