<br />11.12. Creation of Test Data. Participant shall submit test data that closely approximates the production
<br />HIE Data intended to be submitted to NC HIEA. Any Test data that has been created, or will be
<br />created in the future, shall not contain any personal or individually identifiable information, including
<br />without limitation, PHI.
<br />12. License to NC HealthConnex Resources.
<br />12.01. Participant is hereby granted a nonexclusive, nontransferable, revocable and limited license to the
<br />NC HealthConnex Resources solely for use as a Participant in performance of this Agreement.
<br />Participant shall not (a) sell, sublicense, transfer, exploit or, other than pursuant to this Agreement,
<br />or (b) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code to
<br />any NC HealthConnex Resources. THE NC HEALTHCONNEX RESOURCES ARE PROVIDED
<br />“AS IS” AND “AS AVAILABLE” WITHOUT ANY WARRANTY OF ANY KIND, EXPRESS
<br />OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
<br />MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
<br />NONINFRINGEMENT.
<br />12.02. Exchange of Data for Meaningful Use. If Participant elects to utilize NC HealthConnex for
<br />Meaningful Use purposes, Participant is granted a nonexclusive, nontransferable, revocable and
<br />limited license to the NC HealthConnex Resources for the purpose of exchanging clinical and
<br />demographic information through NC HealthConnex to comply with Meaningful Use or other federal
<br />guidelines. Participant also grants NC HIEA a nonexclusive, nontransferable, revocable and limited
<br />license to access, use, and store data submitted to or through NC HealthConnex under this subsection.
<br />13. Privacy and Security.
<br />13.01. Applicability of HIPAA Regulations. HIE Data Message Content contains PHI. Furthermore,
<br />some, but not all, Participants are either a Covered Entity or a Business Associate of a Covered
<br />Entity. Because the Participants are limited to Transacting Message Content for only a Permitted
<br />Purpose, the Participants do not intend to become each other’s Business Associate by virtue of
<br />signing this Agreement or Transacting Message Content. As a result, this Agreement is not intended
<br />to serve as a Business Associate Agreement among the Participants. To support the privacy,
<br />confidentiality, and security of the Message Content, each Participant agrees as follows:
<br />a. If the Participant is a Covered Entity, the Participant does, and at all times shall, comply with the
<br />HIPAA Regulations to the extent applicable.
<br />b. If the Participant is a Business Associate of a Covered Entity, the Participant does, and shall at
<br />all times, comply with the provisions of its Business Associate Agreements (or for governmental
<br />entities relying upon 45 C.F.R. §164.504(e)(3)(i)(A), its Memoranda of Understanding) and
<br />Applicable Law.
<br />c. If Participant is a governmental entity, the Participant shall comply with the applicable privacy
<br />and security laws.
<br />14. Breach Notification. The following provisions apply to both a HIPAA Breach and a Security Breach as
<br />defined in Section 2 (Definitions). For this Section 14 only, the term “Breach” refers to either a HIPAA
<br />Breach or a Security Breach.
<br />14.01. The Parties agree that within one (1) hour of discovering information that leads the Party to
<br />reasonably believe that a Breach may have occurred, it shall alert the other Party and other
<br />Participants whose Message Content may have been Breached. Participant must also alert the SAS
<br />Help Desk at HIEsupport@sas.com within one (1) hour of discovery and describe the incident. As
<br />soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a
<br />Breach has occurred, the Parties shall provide a Notification to the other Party and to all
<br />DocuSign Envelope ID: 47B4445A-C7CA-4D2E-9075-2AFD82F82DEC