longer qualify as an Authorized User. Provider will be responsible for initiating, updating, monitoring, controlling and removing or
suspending access of its Authorized Users in accordance with the law and any requirements contained in this Agreement, including
but not limited to Section 5. Before allowing access to the Informatics Center, or use or disclosure of Data to an Authorized User,
Provider shall require such Authorized User to agree to a Confidentiality Agreement containing terms for the protection and use of
Data and Proprietary Information substantially similar to those contained herein. Provider shall log in an audit trail or otherwise
document Authorized User's consent to the Confidentiality Agreement. Provider shall report to Network any breach of this Network
User System Access Agreement of which it becomes aware.
c. Access to Data. Subject to the terms and conditions of this Agreement, Provider agrees to provide Data to Network
or the Informatics Center, as applicable, dating as far back as the information is generally accessible in electronic format and
maintained on Provider's System, as reasonably required, if at all, by NCCCN during the term of this Agreement. Subject to the terms
and conditions of this Agreement, Data will be available for access by Provider solely in connection with uses authorized by Medicaid
in writing. Provider acknowledges that Data is drawn from numerous sources. Certain categories of information, including but not
limited to HIV status, mental health records, substance abuse records and genetic information, may be more sensitive and accorded
extra protections under State and federal law. For this or other reasons, certain types of Data may not be accessed, used or disclosed
hereunder. In addition, Provider agrees to: (i) maintain Data on its System for a time period as established by Provider's internal
policies and procedures, but in no event less than that required by applicable law; (ii) provide Data in a timely manner for purposes of
this Agreement; and (iii) notify any recipient hereunder in advance of any planned changes to its System that may impact the
availability or accuracy of Data. If Provider becomes aware of any material inaccuracies in its own Data or System, it agrees to
communicate such inaccuracy to Network as soon as reasonably possible. If Provider is unable reasonably to provide Data due to
material inaccuracies, it shall provide a written statement indicating such limitations. In the event Provider or Provider's Authorized
Users agree to place additional restrictions on Data, Provider shall be solely liable for maintaining such restrictions. Provider agrees
and acknowledges that Provider or NCCCN, as applicable, may assume that, and treat such Data as if there are no additional
restrictions placed on such Data except as otherwise stated in this Agreement or required by relevant law.
d. Ownership. Disclosure of Data under this Agreement does not change the ownership of Data under applicable
State and federal laws. If Data has been used or disclosed for treatment, payment, or health care operations, it may thereafter be
integrated into the records of the recipient. This Agreement does not grant either Party any rights in the Informatics Center, Provider's
System, or any of the technology used to create, operate, enhance or maintain the System of the other Party.
4. Provider Requirements. Provider, whether providing, receiving or using information hereunder, shall:
a. establish and implement appropriate policies and procedures to prevent unauthorized access, use and disclosure of
Data and ensure that such policies and procedures do not conflict with and are not less restrictive than this Agreement, and provide
copies of such policies and procedures to Network upon reasonable request;
b. regularly monitor and audit access to Data, and take reasonable steps to pursue, address and mitigate any breach or
other privacy or security issues detected by such monitoring and auditing;
c. notify Network, as soon as reasonably possible, of any Security Incident and take all reasonable steps to mitigate
harm arising from such incident;
d. make its internal practices, books and records relating to uses and disclosures of Data available to the Secretary of
the U.S. Department of Health and Human Services or his/her designee, if necessary to comply with HIPAA or other applicable State
and federal law;
e. provide all Authorized Users with appropriate education and training on the requirements of this Agreement; and
f. provide Network with notice of requests for Data by legal action or requests for public records.
5. Provider-Privacy and Security Safeguards.
a. Provider will use appropriate administrative, technical and physical safeguards to protect the confidentiality,
integrity, and availability of information and to prevent the use or disclosure of Data other than as permitted or required by applicable
federal or State law and this Agreement. To that end, the Provider shall: (i) provide appropriate identification and authentication of
Authorized Users; (ii) provide appropriate access authorization; (iii) guard against unauthorized access to Data; and (iv) provide
appropriate security audit controls and documentation.
b. Provider shall apply appropriate sanctions against any person, subject to the Provider's privacy and security policies
and procedures, who fails to comply with such policies and procedures. The type and severity of sanctions applied shall be in