The URL can be used to link to this page

Home My WebLink AboutC-8392-1 - Date Exchange Participation Agreement• PRHR ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION DATA EXCHANGE PARTICIPATION AGREEMENT OCPRHIO, Inc: Participant: Orange County Partnership Regional Health Information Organization, Inc. City of Newport Beach Fire Department Name dba One California Partnership Regional Health Information Organization 601 N Park Center Drive Suite, #104 Santa Ana, CA 92705 PBudilo@ocprhio.org Phone: (714) 884-4441 FAX: (714) 919-4401 100 Civic Center Drive Address Newport Beach, CA 92660 City, State, Zip Code CDuncan@nbfd.net E -Mail Address Telephone Fax Participant Type: Data Provider(y/n): y Data User (y/n): y Participant operates a: Emergency Transport Article 1. Background A. The Orange County Partnership Regional Health Information Organization, Inc. (OCPRHIO, Inc) dba One California Partnership Regional Health Information Organization operates Internet -based programs (the "Programs") involving the private and secure electronic exchange of health information among health care providers and other qualified organizations (each, a "Participant"), in order to promote the quality and efficiency of health care services provided to the people who live and work in the communities OCPRHIO, Inc. serves. OCPRHIO, Inc. provides or arranges for the provision of data transmission and related services to Participants to enable a Participant to send Patient Information to another Participant. OCPRHIO's services do not include establishing and applying standards for exchange of Patient Information nor does OCPRHIO have access to and is not responsible to maintain any such Patient Data in the performance of services to Participants. B. Participants may act as Data Providers to make Patient Information available to be accessed by Data Users, and/or as Data Users to be able to access and use Patient Information provided by Data Providers. This Participant Type shall be specified in advance by the Participant. The Programs do not provide access to data in a Data Provider's computer system. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 C. This Data Exchange Participation Agreement (the "Agreement") sets forth the terms and conditions upon which the Participant will participate in, the Programs. Article 2. Agreement 1. Participation. The Participant shall participate in the Program(s), as to the extent described in Exhibit B (Participation), and subject to and in accordance with the terms and conditions of this Agreement. 2. Entire Agreement. This Agreement hereby incorporates by reference the following documents: (a) Exhibit A (Standard Terms and Conditions►, attached hereto, which describes the terms and conditions that OCPRHIO, Inc. generally shall apply to participation in the Programs by the Participant and to other Participants that may either make Patient Information available electronically to be Accessed by the Participant or that will be able to Access Patient Information that the Participant provides as a Data Provider (the "Standard Terms and Conditions'). (b) Exhibit B (Participation), attached hereto, which describes the specific Program(s) in which the Participant shall participate, and any additional terms and conditions that shall apply specifically to that participation. (c) Exhibit C (Technical and Functional Specifications), attached hereto, which describes the technical and functional specifications with which the Participant shall comply in order to participate in the Program(s) as a Data Provider and/or Data User. (d) Exhibit D (Participation Fees), attached hereto, which describes the fees and other amounts that the Participant shall pay to OCPRHIO, Inc in exchange for participation in the Program(s) described on Exhibit B (Participation). (e) Exhibit E (Business Associate Agreementl, attached hereto, which sets forth the terms and conditions upon which OCPRHIO, Inc shall act as the business associate of the Participant (the "Business Associate Agreement"). To the extent that the terms of the Business Associate Agreement conflict with those of this Data Exchange Participation Agreement, the terms of the Business Associate Agreement shall prevail. (f) "OCPRHIO, Ines Policies and Procedure Manual" for the Program (also known as the "Policies and Procedures"), as OCPRHIO Policies and Procedures shall be in effect from time to time. In the event of a conflict between the terms of this Agreement and OCPRHIO, Inc.'s Policies and Procedures, the terms of this Agreement shall prevail. This Agreement and the documents described above contain the entire agreement between OCPRHIO, Inc. and the Participant and supersede any and all prior agreements or representations, written or oral, of the parties with respect to the subject matter of this Agreement. This Agreement and the documents described above may be amended from time to time as described in the Standard Terms and Conditions. 3. Definitions. Capitalized terms that are not defined in this Agreement shall have the meanings described in the Standard Terms and Conditions. 4. Effective Date: Term. The effective date of this Agreement shall be December 1 " , 2016 (the "Effective Date"). The term of this Agreement shall continue for a period of (2) years from the Effective Date of this Agreement until it is terminated as described in the Standard Terms and Conditions. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 "OCPRHIO, Inc." Orange County Partnership Regional Health Information Organization, Inc. dba One California Partnership Regional Health Information Organization By: Paul Budilo Executive Director, CEO \�19 Zoel Date ATTEST r Leilafil.ro WCIty,ler Date: _ 1=—J 11 "Participant" Participant's Name B �. 4. Name Chief Chip Duncan Title: A 1-4 , - ') r� r, e -ti � t � Date APPROVED AS TO FORM: CITY ATTO OFFICE Date:,, � ] % REMAINDER OF THIS PAGE LEFT INTENTIONALLY BLANK One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION DATA EXCHANGE PARTICIPATION AGREEMENT Exhibit A Standard Terms and Conditions 1. Definitions. 1.1 "Access" means, as the context requires, (a) to cause data (such as Patient Information) to be viewed or viewable by an Authorized User, such as by transferring that data from one computer or other electronic data storage device to another and/or by causing that data to be displayed (e.g., an Authorized User will "Access" Patient Information through the OCUnites HIE); or (b) the ability to cause data to be transferred and/or viewed as described above (e.g., a Data User will have "Access" to Patient Information through the OCUnites HIE). 1.2 "Authorized User" means an individual designated by OCPRHIO, Inc. or by the Participant to Access and Use the OCUnites HIE and Patient Information on behalf of OCPRHIO, Inc. or the Participant, respectively, including without limitation, an employee, contractor or other agent of the Participant, and/or a credentialed member of the Participant's medical staff. 1.3 "Data Exchange Participation Agreement" means a written agreement between OCPRHIO, Inc. and a Participant, pursuant to which that Participant agrees to act as a Data Provider and/or a Data User. 1.4 "Data Provider" means any Participant that OCPRHIO, Inc. designates as a Data Provider to make Patient Information available so that other Participants may Access that information through the Program. 1.5 "Data User" means any Participant OCPRHIO, Inc. designates as a Data User to have Access to Patient Information provided by the Participant through the Program. 1.6 "Health Information Organization" or "HIO" means a multistakeholder organization created to facilitate health information exchange 1.7 "Health Information Exchange" or "HIE" means the transfer of healthcare information electronically across organizations— among or beyond the stakeholders of that region's healthcare system. 1.8 "HIPAA Rules" means the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information [45 C.F.R. Parts 160 and 1641 promulgated by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act ("HIPAA") of 1996, and the applicable privacy and security provisions of the American Recovery and Reinvestment Act (42 U.S.C. § 17931(a) et. seq.) (the "ARRA"), as in effect from time to time. 1.9 "OCPRHIO, Inc.'s Policies and Procedures" means OCPRHIO's administrative and operations Policy and Procedure Manual for the Program, as they shall be in effect from time to time. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 4 1.10 "OCUnites HIE" means the Internet -based, brokered, peer-to-peer technology health information exchange platform and advanced clinical search engine that resides on servers operated by OCPRHIO, Inc. 1.11 "Participant" means an individual person or organization that is currently a party to a Data Exchange Participation Agreement with OCPRHIO, Inc. 1.12 "Participant's System" means the hardware and software controlled by the Participant through which the Participant conducts its health information exchange related activities pursuant to its Data Exchange Participation Agreement. 1.13 "Participant Types" means the category lies) of Participant to which a particular Participant is assigned by OCPRHIO, Inc. and is based upon that Participant's role in the HIE. 1.14 "Patient Information" means all information relating to a patient that a Data Provider makes available so that Data Users may Access that information through the Program. Patient Information shall be treated as "protected health information," as defined in the HIPAA Rules, as described in Section 7.1, Protected Health Information. 1.15 "Prerequisite System" means the technology within the Participant's firewall necessary for the Participant to Access and Use the OCUnites HIE, as described in OCPRHIO, Inc.'s Policies and Procedures. 1.16 "Program" means any one (1) or more programs of electronic health information exchange operated by OCPRHIO, Inc. in which a Participant agrees to participate pursuant to its Data Exchange Participation Agreement. 1.17 "Services" means the health information exchange and related services 1.18 "Technical and Functional Specifications' means OCPRHIO, Ines Technical and Functional Specifications for the OCUnites HIE, which are set forth on Exhibit C (Technical and Functional Specifications). 1.19 "Use" means to apply data for one {1) or more purposes permitted under this Agreement (e.g., a party will Use Patient Information by applying that data to medical decision-making in the treatment of a patient). 2. OCPRHIO's Resuonsibilities. 2.1 Conduct of Programs. OCPRHIO, Inc. shall conduct the Program as described in the Participant's Data Exchange Participation Agreement and OCPRHIO, Inc.'s Policies and Procedures. OCPRHIO, Inc. may suspend or terminate all or part of the Program as described in Section 8.2, Termination Incident to Termination of Program. 2.2 Data Exchange Participation Agreements. OCPRHIO, Inc. shall from time to time enter into Data Exchange Participation Agreement with those Participants that OCPRHIO, Inc. selects in its discretion. This may include other Health Information Organizations. If necessary and upon its discretion OCPRHIO, Inc. has the right to cease to participate with any data exchange participant or in another health information organization, or may reduce the functionality, or make changes to the System and/or services, or may cease providing the services at any time upon its sole discretion upon not less than ninety (90) days prior notice to the Participants. 2.3 Controlling Access to Patient Information. Except as described in this Section 2.3 Controlling Access to Patient Information OCPRHIO, Inc. shall make Access to Patient Information available only to Participants and their respective Authorized Users, and only for purposes of treatment, healthcare operations and payment, as defined under the HIPAA Rules, of an individual with whom the Participant has a provider -patient relationship. Without limiting the foregoing, OCPRHIO, Inc. shall make Access to Patient Information available only One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 to Authorized Users, and only to the extent that each such Authorized User reasonably requires such Access in order to perform the responsibilities assigned to him or her. OCPRHIO, Inc. may make Access to Patient Information available to the operators and/or users of other health information exchanges to the extent OCPRHIO, Inc. determines appropriate to permit such users to Access that information for the purpose of treatment, as defined in the HIPAA Rules, of an individual with whom each such user has a provider-patient relationship. Based on the information provided by the Participant 2.4 Passwords and Other Security Mechanisms. Base on the information provided by the Participant pursuant to Section 3.3, Identification of Authorized Users, OCPRHIO, Inc. shall issue a User Name and Password (and/or other security measures) to each Authorized User that shall permit the Authorized User to access the Services of OCPRHIO, Inc. OCPRHIO, Inc. shall provide each user name and password (and/or other security measures) to the Participant and the Participant shall be responsible to communicate that information to the appropriate Authorized User. When the Participant removes an individual from its list of Authorized Users, and informs OCPRHIO, Inc. of the change pursuant to Section 3.3, Identification of Authorized Users, OCPRHIO shall cancel the user name and password (and/or other security measures) of such individual with respect to the Participant and cancel and deactivate the user name and password (and/or other security measures) of such individual if that individual is as a result of the change no longer an Authorized User of any Participant. 2.5 OCUnites HIE Availability. OCPRHIO shall exercise commercially reasonable efforts to make the OCUnites HIE available to Participants 24 hours per day, 7 days per week, 365 days per year; provided, however, that the availability of the OCUnites HIE may be temporarily suspended for maintenance or unscheduled interruptions. OCPRHIO shall exercise commercially reasonable efforts to provide the Participant with advance notice of any such suspension or interruption of OCUnites HIE availability. Without limiting the foregoing, Participants shall be responsible for obtaining Patient Health Information through means other than the Program during any periods during which the OCUnites HIE is unavailable. 2.6 Compliance with Laws and Regulations. OCPRHIO, Inc. shall comply with all laws and regulations applicable to its operations, including without limitation the California Confidentiality of Medical Information Act (California Civil Code, Section 56 et. seq.) and the HIPAA Rules. 2.7 Privacy and Security of Patient Information. OCPRHIO, Inc. shall implement reasonable safeguards to protect Patient Information from unlawful Access, tampering or disclosure. These safeguards shall comply with the HIPAA Rules and/or other applicable laws and include administrative procedures, physical security measures, and technical security measures that are reasonably necessary to prevent such unlawful Access, tampering or disclosure, including encryption technology to make the Patient Information unusable, unreadable and indecipherable to unauthorized persons, as described in the HIPAA Rules. During the term of this Agreement, the Participant or its third party designee or any regulatory agency of government with jurisdiction may, but is not obligated to, perform audits of the OCUnites HIE and associated OCPRHIO, Inc. environment, as it relates to the receipt, maintenance, use or retention of Patient Information and other data provided by the Participant pursuant to this Agreement. 2.8 Use and Disclosure of Patient Information. OCPRHIO, Inc. shall Access, Use and/or disclose Patient Information solely in its capacity as a "business associate" within the meaning of the HIPAA Rules and otherwise as required for OCPRHIO, Inc.'s compliance with applicable laws and regulations and other requirements imposed or orders issued by any government agency or court with competent jurisdiction. OCPRHIO, Inc. shall enter into a "business associate agreement" with each Participant, as required by the HIPAA Rules. Without limiting the generality of the foregoing, OCPRHIO, Inc. shall not be or act as a Data User, but OCPRHIO shall be permitted to Access and Use Patient Information through the OCUnites HIE for the purposes of maintaining the OCUnites HIE and/or its resources and otherwise as required for the performance of OCPRHIO's responsibilities as described in these Standard Terms and Conditions. Without limiting any other provision of these Standard Terms and Conditions, OCPRHIO, Inc. shall not Use any Patient Information to compare the performance of health care services by one (1) or more Participants against such performance by one (1) or more other Participants. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 2.9 Responsibility for Employees and Others. OCPRHIO, Inc. shall inform its employees, contractors and other agents who perform Program functions, including without limitation its Authorized Users who have Access to Patient Information, of the applicable terms and conditions of Data Exchange Participation Agreements and OCPRHIO, Inc.'s Policies and Procedures, including without limitation responsibilities and restrictions imposed by applicable laws and regulations regarding the privacy and security of Patient Information, such as the HIPAA Rules. OCPRHIO, Inc. shall be responsible for all acts and omissions by any of its Authorized Users and other employees, contractors and other agents only in the event that the acts of its employees and agents constitutes negligence or a breach of the Agreement and in connection with their performance of Program functions, including without limitation any privacy and/or security breaches, any non-compliance with the terms and conditions of the applicable Data Exchange Participation Agreement, and their Access or Use of Patient Information. 2.10 Notification of Data Breaches. OCPRHIO, Inc. shall notify Participants, agencies of federal, state and/or local government, and other parties, of any breach of Patient Information made available for Access through the Program, as and to the extent required by, and within the periods of time required by, applicable laws and regulations, as shall be described in OCPRHIO, Inc.'s Policies and Procedures. The parties shall cooperate in good faith in determining the timing, extent and content of any notifications required by the HIPAA Rules and/or other applicable federal, state or local laws. 2.11 Training and Support. OCPRHIO, Inc. shall provide training and technical support to Participants in the Use of the OCUnites HIE, as described in OCPRHIO, Inc.'s Policies and Procedures. 2.12 Patient Control. OCPRHIO, Inc. shall implement and maintain a program pursuant to which patients may exercise choice concerning the inclusion and/or availability of their own Patient Information through the Program, as described in OCPRHIO, Inc.'s Policies and Procedures, and OCPRHIO, Inc. shall comply with the requirements of that program. 2.13 Deletion of Inaccurate and/or Inappropriate Patient Information. OCPRHIO, Inc. shall receive reports from Participants and others regarding inaccurate and/or inappropriate Patient Information, corruption, errors and/or omissions in Patient Information. In consultation with the Data Provider that has made the affected Patient Information available through the Program, OCPRHIO, Inc. shall within a reasonable period of time delete and/or correct such information in accordance with the Data Provider's instructions. 2.14 Viruses and Other Threats. OCPRHIO shall exercise commercially reasonable efforts to prevent exposure through the OCUnites HIE of the Participant's System to (i) any program, routine, subroutine, virus, data, cancelbot, Trojan horse, worm or other software or harmful component that will disrupt the proper operation of the Participant's System; (ii) any unlawful, threatening, abusive, libelous, defamatory, or otherwise objectionable information of any kind, including without limitation any transmissions constituting or encouraging conduct that would constitute a criminal offense, give rise to civil liability, or otherwise violate any local, state or federal law; or (iii) any information that violates the proprietary rights, privacy rights, or any other rights of a third party, including without limitation any patient. 2.15 Accounting of Disclosures. OCPRHIO, Inc. shall provide Data Providers with access to the OCUnites HIE so that they may produce accountings of Disclosures of Patient Information necessary for compliance with the HIPAA Rules, or develop and maintain a process by which OCPRHIO, Inc. shall provide such accountings to or on behalf of such Data Providers. 2.16 Reports. OCPRHIO, Inc. shall provide periodic reports to Participants regarding the operation of the Program, as described in OCPRHIO, Inc.'s Policies and Procedures. 2.17 Regulatory Access to Books and Records. OCPRHIO, Inc. shall, until the expiration of four (4) years after the furnishing of data and services pursuant to the Agreement, make available, upon written request, to the Secretary of the United States Department of Health and Human Services or the Comptroller of the United One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 States, or any duly authorized representatives, this Agreement, and books, documents and records that are necessary to certify the nature and extent of the cost of services provided pursuant to this Agreement. If OCPRHIO, Inc. carries out any of its duties pursuant to this Agreement through a subcontract with a value of $10,000 or more over a 12 -month period with a related organization, such subcontract shall contain a clause placing the same obligations on subcontractor as this clause places on OCPRHIO, Inc. 2.18 Help Desk Support. OCPRHIO, Inc. shall provide by telephone and/or email, during normal business hours, support and assistance in resolving difficulties in accessing and using the Services. OCPRHIO, Inc. will not provide problem resolution to solve issues related to the Participant's own internal Electronic Health Record (EMR) system or internal health information exchange if accessing the Services of OCPRHIO is related to issues internal with the Participant's internal EHGR or their internal HIE. 3. Particioant's Resoonsibilities. Generallv. 3.1 Participation in Program. The Participant shall participate in the Program in accordance with the terms and conditions of the Participant's Data Exchange Participation Agreement and OCPRHIO, Inc.'s Policies and Procedures. 3.2 Compliance with Laws and Regulations. The Participant shall comply with all laws and regulations applicable to the activities it conducts pursuant to its participation in the Program. 3.3 Identification of Authorized Users. Each Participant will provide OCPRHIO, Inc. with a list in a medium and format approved by OCPRHIO, Inc. identifying all the Participant's Authorized Users, together with the required information described in the OCPRHIO Policies and Procedures concerning "Required Information for Authorized Users" to enable OCPRHIO, Inc. to establish a unique identifier for each Authorized User. The Participants shall update such list whenever an Authorized User is added or removed by reason of termination of employment or otherwise, in accordance with the processes described in the Policies and Procedures. Participant shall then provide any changes to such list to OCPRHIO, Inc. in writing. 3.4 Responsibility for Acts of Authorized Users and Others. The Participant shall be responsible for all acts and omissions, including without limitation privacy or security breaches and/or failures to comply with the requirements of the Participant's Data Exchange Participation Agreement or OCPRHIO, Inc.'s Policies and Procedures, by the Participant's employees, contractors, agents and any other parties who Access or Use the OCUnites HIE or Patient Information pursuant to the Participant's Data Exchange Participation Agreement, including without limitation the Participant's Authorized Users. 3.5 Certification of Authorized Users. At the time that a Participant identifies an Authorized User to OCPRHIO, Inc. pursuant to Section 3.3, Identification of Authorized Users, the Participant shall certify to OCPRHIO, Inc. that the Authorized User: a) Has completed a training program conducted by OCPRHIO, Inc. and Participant b) Will be permitted by Participant to use the Services of OCPRHIO, Inc. only as reasonably necessary for the performance of Participants activities as the Participant Type under which Participant is registered with OCPRHIO pursuant to Article 1, Section B of this Agreement. c) Has acknowledged in writing that his or her failure to comply with the Terms and Conditions may result in the withdraw of privileges to use the Services of OCPRHIO, Inc. and may constitute cause for disciplinary action by the Participant. 3.6 Training . The Participant shall provide or arrange for appropriate training in the Use of the OCUnites HIE and the requirements of these Standard Terms and Conditions for all the Participant's Authorized One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 Users. Without limiting the generality of the foregoing, the Participant shall inform its Authorized Users of the applicable terms and conditions of its Data Exchange Participation Agreements and OCPRHIO, Inc.'s Policies and Procedures, including without limitation responsibilities and restrictions imposed by applicable laws and regulations regarding the privacy and security of Patient Information, such as the HIPAA Rules. 3.7 Program Liaison; Program Team. The Participant shall designate a single individual who shall be responsible for managing communications between the Participant and OCPRHIO, Inc. in connection with the Participant's participation in the Program. The Participant shall organize and maintain a Program Team for its participation in the Program, in accordance with the requirements of OCPRHIO, Inc.'s Policies and Procedures. 3.8 Access Controls. The Participant shall comply with OCPRHIO, Inc.'s Policies and Procedures' requirements for the application and administration of controls upon individuals' Use of the OCUnites HIE and Patient Information made available for Access through the OCUnites HIE. 3.9 Unauthorized Use. The Participant shall restrict access to the Services of OCPRHIO, Inc. only to the Authorized Users that the Participant has identified to OCPRHIO, Inc. in accordance to Section 3.3, Identification of Authorized Users. The Participant shall monitor Access and Use of the OCUnites HIE and Patient Information on its behalf for the purpose of detecting unauthorized Access or Use of the OCUnites HIE or Patient Information through the Participant's connection(s) to the OCUnites HIE. The Participant shall notify OCPRHIO, Inc. of any unauthorized Access or Use in accordance with the requirements of the OCPRHIO, Inc.'s Policies and Procedures. 3.10 Prerequisite Systems. The Participant shall be solely responsible for obtaining, installing and maintaining, at the Participant's expense, the Participant's Prerequisite Systems. OCPRHIO, Inc. shall not be responsible for the Participant's inability to Access or Use the OCUnites HIE if that inability is for any reason other than the OCUnites HIE's failure to comply with the specifications therefore set forth in OCPRHIO, Inc.'s Policies and Procedures, or OCPRHIO, Ines other failure to perform its obligations under the applicable Data Exchange Participation Agreement, including without limitation any factors arising from the Participant's computing environment, software, interfaces, or hardware, or any upgrade or alteration to any of them. 3.11 Data Within Participant's Firewall. The Participant shall be solely responsible for the control and protection of all data stored within the Participant's firewall, including without limitation Patient Information, and for the Participant's compliance with all laws and regulations applicable thereto. 4. Data Provider's Responsibilities. Without limiting any other provision of the Participant's Data Exchange Participation Agreement, if the Participant is a Data Provider, the terms and conditions of this Section 4 (Data Provider's Responsibilities) shall apply. 4.1 Provision of Patient Information. The Data Provider shall provide Access to Patient Information as described on Exhibit B, Participation of the Participant's Data Exchange Participation Agreement and OCPRHIO, Inc.'s Policies and Procedures. The Data Provider shall, by entering into a Data Exchange Participation Agreement, grant each Data User, and each other user described in Section 2.3, Controlling Access to Patient Information, a perpetual, royalty -free license to Use the Patient Information that the Data Provider makes available for Access by Data Users in accordance with these Standard Terms and Conditions. 4.2 Quality of Information Provided. The Data Provider shall exercise reasonable care to assure that the Patient Information to which the Data Provider provides Access pursuant to its participation in the Program is correct, accurate, free from serious error and reasonably complete and provided in a timely manner and that the necessary consent has been obtained. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 9 4.3 Reporting Inaccurate or Other Inappropriate Information. The Data Provider shall, within the time frames set forth in OCPRHIO, Inc.'s Policies and Procedures, notify OCPRHIO, Inc. of any Patient Information to which the Data Provider has provided Access as described in Section 4.1, Provision of Patient Information that the Data Provider determines is corrupt, incomplete, erroneous or otherwise incorrect, or which is otherwise inappropriate for availability through the OCUnites HIE. 4.4 Specifically Prohibited Activities. Without limiting any other provision of the Data Provider's Data Exchange Participation Agreement, the Data Provider shall not: (i) allow to be transmitted to the OCUnites HIE any unlawful, threatening, abusive, libelous, defamatory, or otherwise objectionable information of any kind, including without limitation any transmissions constituting or encouraging conduct that would constitute a criminal offense, give rise to civil liability, or otherwise violate any local, state or federal law; (ii) knowingly allow to be transmitted to the OCUnites HIE any information or software that contains a virus, cancelbot, Trojan horse, worm or other harmful component; or (iii) knowingly allow to be transmitted to the OCUnites HIE any information that violates the proprietary rights, privacy rights, or any other rights of a third party, including without limitation any patient. 4.5 Prohibited Information. The Data Provider shall not make available to Data Users through the OCUnites HIE any Patient Information containing the following: (i) information relating to a patient's participation in outpatient treatment with a psychotherapist, as defined in Cal. Civ. Code § 56.104; (ii) psychotherapy notes, as defined in 45 C.F.R. § 164.501; (iii) records of the identity, diagnosis, prognosis, or treatment of any patient maintained in connection with any program or activity relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation, or research, as defined in 42 C.F.R. § 2.2 and Cal. Health & Safety Code § 11977; (iv) public health records relating to AIDS, as defined in Cal. Health & Safety Code §§ 121025(a); or (v) genetic test results, as defined in Cal. Civ. Code § 56.17; or (vi) any other data protected from disclosure without valid consent or authorization under federal or state law or agreement with the subject. To the extent that the Participant shall provide any Patient Information constituting information subject to the restrictions set forth in California Welfare and Institutions Code Section 14100.2, the Data Provider represents that such information is being disclosed for purposes directly connected with the administration of the Medi -Cal program. 4.6 Data Provider's Warranty as to Patient Information. By entering into a Data Exchange Participation Agreement, each Data Provider shall acknowledge that Patient Information will be Accessed through the OCUnites HIE and Used by OCPRHIO and Data Users and other users for the provision of treatment, payment and those health care operations specified in 45 C.F.R. § 164.506(c) without independently verifying that such data are correct and are valid when used for such purpose(s), and shall acknowledge sole responsibility for the Patient Information made available to Data Users through the Program, provided however the foregoing shall not relieve OCPRHIO, Inc. and Data Users from their obligations under this Agreement and the Data Exchange Participation Agreement, as applicable, and applicable law. The Data Provider shall take reasonable steps to ensure that the Patient Information that the Data Provider makes available through the OCUnites HIE (a) is accurate and does not violate any intellectual property rights, privacy rights, or other rights of any third party, (b) is not unlawful, libelous, defamatory, or otherwise objectionable, and (c) does not violate any local, state or federal law or regulation. By making Patient Information available to Data Users through the Program, the Data Provider shall represent and warrant that it owns or has obtained all necessary rights in the Patient Information, and consents for its Use and disclosure by the Data Provider, so that its Use by OCPRHIO, Inc. or other Participants does not violate any intellectual property rights, privacy rights, or other rights of a patient or other third party. 4.7 Notice to Patients. Without limiting any other provisions of these Standard Terms and Conditions, the Data Provider shall notify affected individuals of the Data Provider's participation in the Program, the Data Provider's policies regarding the use and disclosure of Patient Information through the Program, and such individuals' rights with respect thereto, all as and to the extent required by applicable laws and regulations including without limitation the HIPAA Rules. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 10 5. Data User's Responsibilities. Without limiting any other provision of the Participant's Data Exchange Participation Agreement, if the Participant is a Data User, the terms and conditions of this Section 5 (Data User's Responsibilities) shall apply. 5.1 Access of Patient Information for Permitted Use Only.. The Data User shall Access Patient Information through the Program only for the purpose of treatment, healthcare operations and payment as defined in the HIPAA Rules, of an individual with whom the Data User has a provider -patient relationship. 5.2 Limitations Upon Use of Patient Information. Any Use by the Data User of Patient Information obtained through the OCUnites HIE shall be solely in the Data User's capacity as a "covered entity" within the meaning of 45 C.F.R. § 160.103 or as a health care provider or health care facility licensed under California law. The Data User shall Use such Patient Information solely for purposes of treatment, as defined under the HIPAA Rules, of individuals with whom the Data User has a provider -patient relationship, for payment purposes related thereto, for those health care operations specified in 45 C.F.R. § 164.506(c), and/or pursuant to a valid authorization when required under the HIPAA Rules and/or state law, or otherwise as required for the Data User's compliance with applicable laws and regulations and other requirements imposed or orders issued by any government agency or court with competent jurisdiction. Without limiting any other provision of these Standard Terms and Conditions, the Data User shall not Use any Patient Information to compare the performance of health care services by one (1) or more Participants against such performance by one (1) or more other Participants. 5.3 Use and Disclosure of Patient Information. The Participant shall Use and/or disclose Patient Information obtained through the Program only as permitted by applicable laws and regulations, including without limitation the HIPAA Rules, and to the extent not inconsistent therewith, this Agreement. 5.4 Reasonable Safeguards for Privacy and Security.. The Data User shall adopt and maintain reasonable safeguards, as required under the HIPAA Rules, to maintain the privacy and security of Patient Information obtained through the OCUnites, and comply with all applicable laws and regulations regarding the privacy and security of that Patient Information. Without limiting the generality of the foregoing: (a) the Data User shall not share or disclose, and shall not permit its employees, contractors or other agents to share or disclose, the Data User's participant identity, password(s) or other identification or authentication device to any party or individual not authorized to Use that device in accordance with OCPRHIO, Inc: s Policies and Procedures; and (b) the Data User shall adopt and maintain reasonable safeguards to prevent the Use of the Data User's identity, password(s) or other identification or authentication device by any unauthorized party or individual. 6. Costs of Participation. Except as expressly provided otherwise in the applicable Data Exchange Participation Agreement, or in Exhibit D to these Standard Terms and Conditions, Participation Fees, OCPRHIO, Inc. and the Participant shall each bear their own costs and expenses relating to their connectivity to one another and for performance of their respective roles and responsibilities pursuant their respective participation in the Program. Participant shall also pay an annual Service Fee to OCPRHIO, in accordance with the then -current Fee Schedule (please see attached). Additional Provisions Regarding Privacy and Security of Patient Information. 7.1 Protected Health Information. Without limiting any other provision of this Agreement, OCPRHIO, Inc. and each Participant shall treat all Patient Information that is "protected health information," as defined in the HIPAA Rules, and/or that is "individually identifiable medical information," as defined in the California Confidentiality of Medical Information Act (California Civil Code, Section 56 et. seq.), in accordance with the laws and regulations that apply thereto. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 11 7.2 Disclosures of De -Identified Data. Except as described in OCPRHIO, Inc.'s Policies and Procedures, OCPRHIO, Inc. shall not disclose de -identified Patient Information unless and to the extent that OCPRHIO, Inc. shall have obtained in advance the express authorization of the Data Provider that made that information available for Access through the OCUnites HIE. 7.3 No Consumer Accounts. Without limiting any other provision of this Agreement, the Program shall not include the provision of a personal health record or other consumer service to patients, and neither OCPRHIO nor any Participant may Use the OCUnites HIE as a device to provide Patient Information to patients. 8. Termination of Data Exchange Participation Agreements. 8.1 Termination for Convenience. Either OCPRHIO, Inc. or a Participant may terminate a Data Exchange Participation Agreement for convenience, effective at any time after the second (2nd) anniversary of its Effective Date, upon sixty (60) days prior written notice. 8.2 Termination Incident to Termination of Program. OCPRHIO, Inc. may terminate any or all Data Exchange Participation Agreements at any time upon sixty (60) days prior written notice incident to a termination of its operation of the Program(s) for any reason. 8.3 Termination for Breach. Any Data Exchange Participation Agreement may be terminated at any time by either party to that Agreement (the "Terminating Party") if the other party to that Agreement (the "Breaching Party") shall breach materially any of its obligations arising thereunder and fail to cure that breach within thirty (30) days following receipt of written notice of that breach from the Terminating Party; provided, however, that if the nature of a curable breach (other than a breach of an obligation to pay money) precludes its cure within that thirty (30) day period, and if the Breaching Party commences the cure of that breach within that thirty (30) day period and diligently and continuously proceeds to cure that breach, then this Agreement shall not be terminated based thereon. 8.4 Other Grounds for Termination. Any Data Exchange Participation Agreement maybe terminated at anytime (a) by either party to that Agreement if the other party to that Agreement shall be adjudicated or become a bankrupt or an insolvent; (b) by a party to that Agreement if another party to that Agreement files a voluntary petition under any bankruptcy, reorganization, or insolvency law; (c) by a party to that Agreement after the appointment of a trustee or receiver (1) for another party to that Agreement or (2) to take possession of all or substantially all of the assets of another party to that Agreement, whether applied for or consented to by the other party or otherwise; (d) by a party to that Agreement if another party to that Agreement consents to or files an answer admitting the jurisdiction of the court and the material allegations of an involuntary petition filed under any bankruptcy, reorganization, or insolvency law; (e) by a party to that Agreement if another party to that Agreement has commenced any proceedings of bankruptcy, reorganization, or insolvency that is not be dismissed within thirty days after its commencement; (f) by a party to that Agreement if another party to that Agreement makes any assignment for the benefit of creditors or other arrangement or composition under any laws for the benefit of insolvents; (g) by a parry to that Agreement if an order for relief is entered against another party to that Agreement under any bankruptcy, reorganization, or insolvency law of any jurisdiction or any case, proceeding, or other actions seeking such order is not dismissed for thirty days after its filing; or (h) by a party to that Agreement if a writ of attachment, garnishment, or execution is levied against all or substantially all assets of a party to that Agreement, or all or substantially all assets of a party to that Agreement becomes subject to any attachment garnishment, execution, or other judicial seizure, and the same is satisfied, removed, released, or bonded within thirty days after the date of the attachment, garnishment, execution, or other judicial seizure. 8.5 Effect of Termination. Upon any termination of a Data Exchange Participation Agreement, all licenses granted to the Participant thereunder that are not specifically stated to be perpetual shall cease and terminate. OCPRHIO shall promptly assure that any and all Patient Information in the OCUnites HIE that was One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 12 provided by the Participant shall no longer be available for Access by other Participants through the OCPRHIO or otherwise. 8.6 Survival of Provisions. Those parts of a terminated Data Exchange Participation Agreement incorporating the following sections of these Standard Terms and Conditions shall survive termination of that Agreement: Section 2.7, Privacy and Security of Patient Information; Section 5.4, Reasonable Safeguards for Privacy and Security: Section 8, Termination of Data Exchange Participation Agreements; Section 11, Warranties and Disclaimers; Section 12, Indemnification • Section 14, Dispute Resolution; Section 17, Third Party Beneficiaries; and Section 18,General Terms. 9. Amendments. OCPRHIO, Inc. may, in consultation with OCPRHIO, Inc.'s Privacy and Security Committee, amend any or all Data Exchange Participation Agreements or OCPRHIO, Inc.'s Policies and Procedures upon sixty (60) days prior written notice to the Participant; provided, that any amendment required for compliance with applicable laws and/or regulations shall take effect automatically upon the effective date thereof stated in OCPRHIO, Inc.'s notice to the Participant. For any other amendment, the Participant shall have the option of accepting or rejecting the amendment by written notice to OCPRHIO, Inc.. If the Participant does not object to the amendment in writing within the sixty (60) day notice period, such amendment shall automatically take effect upon the effective date specified in OCPRHIO, Inc.'s notice of such amendment. If the Participant does so object, OCPRHIO, Inc. may in its discretion elect, at any time prior to the effective date of the amendment described in OCPRHIO, Inc.'s notice of the proposed amendment, either (a) not to implement such amendment with respect to the Participant that has objected; or (b) terminate the Participant's Data Exchange Participation Agreement on the effective date of such amendment. 10. Confidential and Proprietary Information. 10.1 Participant's Obligations. Each party acknowledges that the party (the "Receiving Party") shall be provided with and exposed to information, materials, and data that are confidential and proprietary to the other party (the "Disclosing Party'), including without limitation documentation, confidential business information of the Disclosing Party, passwords, Participant lists, and Participant identities, password(s) or other identification or authentication devices. The Receiving Party shall take commercially reasonable steps to maintain the confidentiality of such information, materials, and data ("Proprietary Information"). The Receiving Party shall exercise no less than reasonable care with respect to the handling of Proprietary Information and shall not disclose Confidential Information to a third party without the express written consent of OCPRHIO, Inc., unless (a) required to do so by law, or (b) the Confidential Information becomes publicly available without breach of any duty or obligation. The Receiving Party shall return all Proprietary Information to the Disclosing Party, or destroy such information if return is not practical, retaining no copies, upon the termination of the Participant's Data Exchange Participation Agreement. 10.2 Patient Information. Patient Information shall not be deemed to be Proprietary Information hereunder. The confidentiality of Patient Information and the parties' obligations to protect the privacy and security thereof, is discussed in Section 2.3, Controlling Access to Patient Information; Section 2.6, Compliance with Laws and Regulations; Section 2.7, Privacy and Security of Patient Information; Section 2.8, Use and Disclosure of Patient Information; 3.2, Compliance with Laws and Regulations; Section 5.2 ,Limitations on Use and Disclosure of Patient Information; Section 5.3, Use and Disclosure of Patient Information: Section 5.4, Reasonable Safeguards for Privacy and Security; and Section 7, Additional Provisions Regarding Privacy and Security of Patient Information. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 13 11. Warranties and Disclaimers. 11.1 OCPRHIO, Inc. represents and warrants as follows: (i) it has the full power, capacity and authority to enter into and perform this Agreement and to make the grant of rights contained herein; (ii) its performance of this Agreement does not violate or conflict with any agreement to which OCPRHIO, Inc. is a party; (iii) there is no pending or threatened litigation that would have a material adverse impact on its performance under this Agreement; and (iv) to the best of OCPRHIO, Inc.'s knowledge, Participants use of the OCUnites HIE pursuant to the terms and conditions of the applicable Data Exchange Participation Agreement shall not infringe the patent rights, copyrights or other intellectual property rights of any third party. 11.2 Disclaimers of Warranties. EXCEPT FOR THE WARRANTIES SET FORTH IN SECTION 11.1, OCPRHIO, INC. PROVIDES ACCESS TO THE OCUNITES HIE, PATIENT INFORMATION AND USE OF DOCUMENTATION TO THE PARTICIPANT "AS IS" AND WITHOUT ANY WARRANTY OF ANY KIND TO PARTICIPANTS, WHETHER EXPRESS, IMPLIED OR STATUTORY. OCPRHIO, INC. DOES NOT WARRANT THAT THE PERFORMANCE OF THE OCUNITES HIE WILL BE UNINTERRUPTED OR ERROR -FREE, OR THAT ALL ERRORS IN THE OCUNITES HIE OR PATIENT INFORMATION WILL BE CORRECTED; PROVIDED THAT THE FOREGOING SHALL NOT RELIEVE OCPRHIO, INC. FROM ANY OF ITS EXPRESS OBLIGATIONS SET FORTH IN THIS AGREEMENT. OCPRHIO, INC. HEREBY DISCLAIMS ALL IMPLIED AND EXPRESS WARRANTIES, CONDITIONS AND OTHER TERMS, WHETHER STATUTORY, ARISING FROM COURSE OF DEALING, OR OTHERWISE, INCLUDING WITHOUT LIMITATION TERMS AS TO QUALITY, MERCHANTABILITY, FITNESS FOR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL OCPRHIO, INC. OR THE PARTICIPANT BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, PUNITIVE, OR SPECIAL DAMAGES SUFFERED BY THE OTHER OR ANY OTHER THIRD PARTY, HOWEVER CAUSED AND REGARDLESS OF LEGAL THEORY OR FORESEEABILITY, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTIONS OR OTHER ECONOMIC LOSS, DIRECTLY OR INDIRECTLY ARISING OUT OF THIS AGREEMENT, THE PARTICIPANT'S USE OF THE OCUNITES HIE OR ANY COMPONENT THEREOF, OR ANY PATIENT INFORMATION. OCPRHIO, INC. SHALL NOT BE LIABLE FOR ANY DAMAGES ARISING OUT OF OR RELATED TO (i) THE ACCURACY OR COMPLETENESS OR INPUTTING OF PATIENT INFORMATION; OR (ii) THE ACTS OR OMISSIONS OF THE PARTICIPANT, WHETHER SUFFERED BY OCPRHIO OR ANY THIRD PARTY. OCPRHIO'S TOTAL AGGREGATE LIABILITY FOR ANY DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED $30,000; EXCEPT FOR OCPRHIO, INC.'S BREACH OF PRIVACY, SECURITY OR CONFIDENTIALITY OBLIGATIONS. OCPRHIO, INC.'S TOTAL AGGREGATE LIABILITY FOR ANY DAMAGES ARISING FROM OCPRHIO, INC.'S BREACH OF PRIVACY, SECURITY OR CONFIDENTIALITY OBLIGATIONS WILL NOT EXCEED $1,000,000. THE EXISTENCE OF ONE OR MORE CLAIMS SHALL NOT ENLARGE THESE LIMITS. EACH PARTY ACKNOWLEDGES THAT THE ALLOCATION OF RISK AND THE LIMITATION OF LIABILITY SPECIFIED IN THIS SECTION WILL APPLY REGARDLESS OF WHETHER ANY LIMITED OR EXCLUSIVE REMEDY SPECIFIED IN THIS AGREEMENT FAILS OF ITS ESSENTIAL PURPOSE. 11.3 Disclaimer of Responsibility. OCPRHIO, Inc. accepts no responsibility for (a) the performance of the Prerequisite Systems or any other systems of the Participant, (b) the transmission of the Patient Information to or from the OCUnites HIE, (c) all Use by the Participant and its employees, contractors or other agents of the OCUnites HIE, (d) the accuracy, completeness or appropriateness of Patient Information and any health care decision made in reliance, either in whole or in part, thereon; and (e) all Use by the Participant of information obtained through the OCUnites HIE including, without limitation, Patient Information; provided however the foregoing shall not limit OCPRHIO, Inc.'s responsibility for its obligations expressly set forth in this Agreement. The Participant and its employees, contractors and other agents shall be solely responsible for all decisions involving patient care, utilization management and quality management for its patients. Without limiting the generality of the foregoing, the Data User shall have sole responsibility for the Use of Patient Information obtained through the OCUnites HIE, including without limitation all clinical decision-making based thereon or influenced thereby. THE OCUNITES HIE SHOULD BE USED AS A SUPPLEMENTTO, AND NOT IN PLACE OF, OTHER DATATHAT IS AVAILABLE TO THE DATA USER AND/OR THE TREATING HEALTH CARE PROVIDER IN PERFORMING THE ABOVE FUNCTIONS. The Participant shall have no recourse against OCPRHIO, , Inc. for any loss, damage, claim, or cost relating to or resulting from the Use or mis-Use of the OCUnites HIE by the Participant or data Accessed through the OCUnites One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 14 HIE by the Participant; provided however the foregoing shall not limit OCPRHIO, Inc.'s responsibility for its obligations expressly set forth in this Agreement. 11.4 Non -Liability. Without limiting any other provision of this Agreement, OCPRHIO, Inc. shall not be responsible for the act or omission of any Participant with respect to the Use of the OCUnites HIE and Patient Information by Participants. 12. Indemnification. OCPRHIO, Inc. shall indemnify, defend, and hold the Participant and its employees, agents, subcontractors and licensors harmless from and against all liability to third parties (including reasonable attorneys' fees), injury or damage that arises from an act or omission of OCPRHIO, Inc., including, without limitation, OCPRHIO, Inc.'s breach of any obligation, representation, or warranty of OCPRHIO set forth herein. The Participant shall indemnify, defend, and hold OCPRHIO, Inc. and other Participants, and their respective employees, agents, subcontractors, and licensors harmless from and against any and all liability to third parties (including reasonable attorney's fees), injury, or damage that arises from an act or omission of the Participant, including, without limitation, the Participant's breach of any obligation, representation, or warranty of the Participant set forth herein. A party's indemnification obligations under this section are conditioned upon the party seeking to be indemnified: (a) giving prompt notice of the claim to the indemnifying party; (b) granting sole control of the defense or settlement of the claim or action to the indemnifying party; and (c) providing reasonable cooperation to the indemnifying party and, at the indemnifying party's request and expense, assistance in the defense or settlement of the claim; provided however, the indemnifying party shall be relieved of its indemnification obligations only to the extent failure to comply with any of the foregoing prejudices its ability to provide indemnification required hereunder. An indemnifying party may not settle any claim against the other without that other party's consent, which consent shall not be unreasonably withheld. 13. Force Majeure. If the performance of any material obligation under this Agreement is prevented or interfered with by a Force Majeure (any act or condition whatsoever beyond the reasonable control of and not occasioned by the fault or negligence of the affected party, including but not limited to internet brown -outs, terrorism, natural disasters, acts of God, acts of government, wars, riots, strikes and other labor disputes, fires, and floods) the party so affected shall be excused from such performance to the extent of such prevention or interference. 14. Dispute Resolution. Any unresolved disputes between the parties relating to or arising from this Agreement shall be settled by arbitration in accordance with the then current rules of JAMS (the "JAMS Rules") before a single neutral and competent arbitrator selected in accordance with the JAMS Rules. Such arbitration shall be conducted in the English language and shall be held in Orange, California. The cost and expense of arbitration shall be shared equally by the parties to the arbitration, regardless of which party or parties prevail. The arbitration shall be conducted in accordance with the following time schedule unless otherwise mutually agreed to in writing by the parties: (i) no later than thirty (30) days after the appointment of the arbitrator, the arbitrator shall schedule a hearing on the dispute and (ii) within thirty (30) business days after the date of the hearing referenced in clause (i), the arbitrator shall render a decision. The decision or award of the arbitrator shall be final and binding upon the parties, and to the same extent and to the same degree as if the matter had been adjudicated by a court of competent jurisdiction and shall be enforceable under the Federal Arbitration Act. However, the parties agree that any breach of a party's privacy, security or confidentiality obligations and the license grant and restrictions set forth in this Agreement may result in irreparable injury to the other party for which there is no adequate remedy One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 15 at law, and in such an event an aggrieved party may seek prompt equitable relief in addition to its other available legal remedies without submitting such matter to arbitration. Fallowing any court's ruling on temporary or preliminary equitable relief, and with the consent of the court, the cause in its entirety shall then be subject to the mandatory arbitration provisions of this section. As an exception to the mandatory arbitration of this section, the parties need not arbitrate any dispute in which a third party is joined, whether indispensable or not, which third party is not contractually bound to arbitrate in the place and before the arbitral authority set forth in this agreement. The parties consent to the personal jurisdiction of the state courts in Santa Ana, California and the federal courts in sitting in the Ninth Circuit in Southern California. 15. Participants' Insurance. 15.1 Required Insurance Policies. The Participant shall procure and maintain in effect during the term of this Agreement commercial general liability insurance, and professional liability insurance that will cover the Participant's liability with limits of not less than One Million Dollars ($1,000,000) per occurrence and Five Million Dollars ($5,000,000) in the aggregate for the policy year. 15.2 Carriers. All insurance required under this Section 15 (Participants' Insurance) shall be carried by companies with a rating not lower than "A, X" by A.M. Best Company. 15.3 Self Insurance. Upon demonstration to OCPRHIO, Inc. that Participant maintains a sufficiently funded program of self-insurance to cover the risks of liability described in Section 15.1, Required Insurance Policies OCPRHIO shall issue to the Participant notice confirming that the Participant satisfies the requirements of Section 15.1, Required Insurance Policies through such self-insurance. 15.4 Certificates of Insurance. On request of OCPRHIO, Inc., the Participant promptly provide OCPRHIO, Inc. with a certificate of insurance evidencing the aforementioned coverage, and shall notify OCPRHIO, Inc. immediately upon any cancellation, termination or restriction of any such coverage. 16. OCP R H I O. Inc. Insurance. 16.1 Required Policies. OCPRHIO, Inc. shall procure and maintain in effect during the term of this Agreement commercial liability insurance that will cover OCPRHIO, Inc.'s liability with limits of not less than One Million Dollars ($1,000,000) per occurrence and Five Million Dollars ($5,000,000) in the aggregate for the policy year. 16.2 Carriers. All insurance required under this Section 16 shall be carried by companies with a rating not lower than "A, X" by A.M. Best Company. 16.3 Certificates of Insurance. On request of the Participant, OCPRHIO, Inc. shall promptly provide the Participant with a certificate of insurance evidencing the aforementioned coverage, and shall notify the Participant immediately upon any cancellation, termination or restriction of any such coverage. 17. Third Party Beneficiaries Except as expressly provided with respect to other Participants, there shall be no third party beneficiaries of this Agreement. 18. General Terms. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 16 Each Data Exchange Participation Agreement and Business Associate Agreement set forth the entire agreement between the parties and supersede any and all prior agreements or representations, written or oral, of the parties with respect to the subject matter of such Agreement. All exhibits referred to in a Data Exchange Participation Agreement are incorporated herein by reference. If a party wishes to assign or otherwise transfer a Data Exchange Participation Agreement to anyone, such parry must obtain the other's prior written consent, which shall not be unreasonably withheld. Any attempted transfer or assignment in violation of the foregoing shall be void and of no effect. Each Data Exchange Participation Agreement shall be binding on the parties, their successors, and permitted assigns. For any breach or threatened breach of obligations identified hereunder as subjecting a nonbreaching party to irreparable harm, the nonbreaching party shall be entitled to seek equitable relief in addition to its other available legal remedies in a court of competent jurisdiction. Data Exchange Participation Agreements shall be construed under the laws of the State of California, without regard to its conflicts of law principles. The parties hereby disclaim the application of the 1980 U.N. Convention on Contracts for the International Sale of Goods. If any provision of a Data Exchange Participation Agreement is found invalid or unenforceable by an arbitrator or a court of competent jurisdiction, the remaining portions shall remain in full force and effect. A Data Exchange Participation Agreement may be executed in one or more counterparts, each of which shall be deemed to be an original and all of which together shall constitute one and the same Agreement. A facsimile signature shall be considered true and genuine. The relationship of the parties to each Data Exchange Participation Agreement is one of independent contractors and shall not be deemed to be that of employer and employee, master and servant, principal and agent or any other relationship except that of independent contractors contracting for the purposes of that Agreement. 19. Medicare/Medicaid Participation. Each party hereto hereby represents and warrants to the other that neither the party nor its principals (if applicable) are presently debarred, suspended, proposed for debarment, declared ineligible, or excluded from participation in any federally funded health care program, including Medicare and Medicaid. Each party shall immediately notify the other of any threatened, proposed, or actual debarment, suspension or exclusion from any federally funded health care program, including Medicare and Medicaid. In the event that a party is debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in any federally funded health care program during the term of this Agreement, or if at any time after the effective date of this Agreement it is determined that a party is in breach of this Section 19, this Agreement shall, as of the effective date of such action or breach, automatically terminate. Each party further understands that the other party may periodically check contracted individuals and entities against the Office of Inspector General (OIG) and General Service Administration (GSA) databases of Excluded Individuals and Entities and will notify the other party if it discovers a match. Each parry will take reasonable measures to verify that the match is the same individual or entity before taking any action to terminate any underlying agreement(s). 20. Notices. All notices required under a Data Exchange Participation Agreement shall be in writing. Notices shall be deemed to have been duly made and received (i) when personally served, (ii) when delivered by commercially established courier service, (iii) ten (10) days after deposit in mail via certified mail, return receipt requested, or (iv) on delivery, when delivered by Federal Express, charges prepaid or charged to the sender's account, if delivery is confirmed by Federal Express. Notices must be delivered to the addresses specified in the applicable Data Exchange Participation Agreement, or to such other address as a party shall designate in writing from time to time. Any correctly addressed Notice that is refused, unclaimed, or undeliverable because of an act or omission of the party to be notified shall be deemed effective as of the first date that the notice was refused, unclaimed, or deemed undeliverable by the postal authorities, messenger, or overnight delivery service. Any party may change contact information by giving the other party written notice. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 17 ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION DATA EXCHANGE PARTICIPATION AGREEMENT Exhibit B Participation The Participant shall participate in the following Program (s): 1. OCUnites Health Information Exchange (all Phases) OCUnites is a community collaborative health information exchange which includes health care providers whose mission is to facilitate health information exchange in California. OCUnites is designed in such a way to provide maximum flexibility by allowing participation onto the HIE in various ways. For participants who decide to provide data into the HIE the option to provide the data is a) via an edge server or, b) through direct data feeds into the OCUnites data warehouse, thus providing maximum flexibility to include participants at various levels of capabilities. Accessing the data can also be accomplished through a multitude of ways including: a) Interfaces developed to provide data from OCUnites directly into the participants electronic health record system , or b) by connecting via an internet connection into the OCUnites portal. Available data from OCUnites includes - but is not limited to: ADT, Discharge summaries, progress notes, medication, lab results, imaging reports, etc through a variety of data types. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 18 ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION DATA EXCHANGE PARTICIPATION AGREEMENT Exhibit C Technical and Functional Specifications Technical Specifications: Participants who participate as Data Users need a computer with Internet Explorer or Mozilla Firefox in order to access the web -based portal. Functional Specifications: The Clinical Portal shall aggregate discrete patient data from multiple data sources into a "virtual patient record" for the Data User to view through a web browser. Additional functional specifications will be provided as part of the Training Module provided to the Data User. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 19 ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION DATA EXCHANGE PARTICIPATION AGREEMENT Exhibit D Participation Fees 1. Service Fees. Unless the Participation Agreement provides otherwise, each Participant shall pay a Service Fee to OCPRHIO, in accordance with the then -current Fee Schedule (please see attached). 2. Changes to Fee Schedule. OCPRHIO reserves the right to change its Fee Schedule at any time after the second (2nd) Anniversary of its Effective Date upon sixty (60) -days prior written notice to the Participant. 3. Miscellaneous Charges. Unless the Participant's Participation Agreement provides otherwise, the Participant shall also pay OCPRHIO's charges for all goods and services that OCPRHIO provides at the Participant's request that are not specified in the then -current Fee Schedule. The Participant shall pay for all costs incurred by the Participant for participating with OCPRHIO in the exchanging of data on the HIE. This includes Participant's costs for: Personnel, interface development, license fees related to the Participant's software for accessing the HIE, connectivity and other related items. 4. Payment The Participant shall pay all Service Fees and Miscellaneous Charges within thirty (30) days following the date of invoice from OCPRHIO sent to the Participant's address as shown in this Agreement or to other previously agreed to address, or emailed in accordance with the Participation Agreement S. Late Charges Service Fees and Miscellaneous Charges not paid to OCPRHIO within thirty (30) days following the due date on the invoice from OCPRHIO are subject to a late charge of five (5) percent of the amount owing and interest thereafter at the rate of one and one-half (1.5) percent per month on the outstanding balance, or the highest amount permitted by law, whichever is lower. 6. Suspension of Services Failure to pay Service Fees and Miscellaneous Charges within sixty (60) days following the due date on the invoice from OCPRHIO may result in termination of Participant's access to the Services on ten (10) days prior notice. A connection fee equal to three (3) percent of the outstanding balance shall be assessed to reestablish connection after the termination due to non-payment. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 20 Taxes All Service Fees and Miscellaneous Charges shall be exclusive of all federal, state, municipal, or other government excise, sales, use, occupational, or like taxes now in force or enacted in the future, and the Participant shall pay any tax (excluding taxes on OCPRHIO's net income) that OCPRHIO may be required to collect or pay now or at any time in the future and that are imposed upon the sale or delivery of items and services provided pursuant to the Terms and Conditions. 8. Other Charges and Expenses The Participant shall be solely responsible for any other charges or expenses the Participant may incur to access the HIE and use the Services, including without limitation, telephone and equipment charges, and fees charged by third -party vendors for products and services. REMAINDER OF THIS PAGE LEFT INTENTIONALLY BLANK One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 21 ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION DATA EXCHANGE PARTICIPATION AGREEMENT Exhibit E Business Associate Agreement This Exhibit E sets forth an agreement between Participant ("we" "our" or "us") and Orange County Partnership Regional Health Information Organization, Inc. ("you" or "your") concerning your use and disclosure of protected health information that you receive from us in the course of providing services to us, Orin the course of providing services to our clients on our behalf. When countersigned by you below, this Exhibit E will constitute a binding agreement between us. We are required to obtain this agreement from you by the terms of our agreements with our clients who are covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy Rule (45 CFR Parts 160 and 164). Our agreements with our clients are called "business associate agreements" For purposes of this agreement, "protected health information" means any information that you receive from us or from a third party (including our clients) in the course of providing services to us, or in the course of providing services to our clients on our behalf, and which contains health information relating to an individual. "Health information" includes any information concerning an individual's health condition, treatment for a health condition, or payment for such treatment. This agreement is to be interpreted consistently with the HIPAA Privacy Rule. Undefined terms used in this agreement have the meanings given them in the HIPAA Privacy Rule. 1. Use and Disclosure of Protected Health Information (a) Subject to the provisions of this agreement, you may use protected health information to assist us in health information exchange as described in the Orange County Partnership Regional Health Information Organization, Inc. Data Participation Exchange Agreement, within the scope of your engagement or contract with us. You may not use or disclose protected health information for any other purpose, except as required by law or expressly permitted by us in writing. Under no circumstances will you use protected health information for any purpose for which our clients would not be permitted to use it under the Privacy Rule. (b) You may disclose protected health information only for the purposes described in subsection (a) above, or if you are required bylaw to make the disclosure. If the disclosure is for the purposes described in subsection (a) above, it may only be made -- (i) to your employees who need the information in order to perform their duties; or (ii) to your agents and subcontractors to assist you in providing services to us or our clients, but only after obtaining from them the agreement described in subsection (e) below, and furnishing us with a copy of the agreement. If you are required bylaw to make a disclosure, you must give us as much advance notice as you reasonably can under the circumstances, so that we can notify our clients of the impending disclosure. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 22 You must maintain a record of all disclosures of protected health information to third parties for six (6) years, and furnish it to us or to our client from time to time on request. This requirement does not apply to disclosures contemplated by our agreements with you and made for our clients' operational purposes. This requirement will survive the termination of our agreements with you. (c) You will implement reasonable administrative, physical, and technical safeguards to protect the confidentiality, integrity and availability of protected health information that you create, receive, maintain or transmit on our behalf or on behalf of our client, and to prevent use or disclosure of protected health information otherwise than as provided for by this Agreement. (d) You will immediately report to us any use or disclosure of protected health information not provided for by this Agreement of which you become aware, including any security incident or breach of confidentiality of the information. (e) You will ensure that any agent, including a subcontractor, to whom you provide protected health information agrees in writing to the same safeguards, restrictions and conditions that apply to you with respect to such information. (f) You will make your internal practices, books, and records relating to the use and disclosure of protected health information available to us, to our client, and to the Secretary of the Department of Health and Human Services for purposes of determining your compliance with this agreement and our clients' compliance with the Privacy Rule. (g) You will comply with any additional restrictions required by our client concerning the use or disclosure of its protected health information, if we notify you in writing of the restrictions (which we may do by providing you with a copy of our agreement with the client). (h) You will comply with any additional requirements imposed by applicable laws or regulations, including without limitation the privacy and security requirements set forth in Sections 13401 and 13404 of Title XIII of the American Recovery and Reinvestment Act of 2009. 2. Term and Termination (a) This Agreement will be effective as of the date on which you first receive protected health information from us, and will terminate when you have returned or destroyed all protected health information. (b) If at any time if we determine that you have violated a material term of this agreement, we may terminate any agreement or arrangement between us under which you have access to protected health information (any provision to the contrary in any such agreement notwithstanding). (c) Upon termination for any reason of the agreement or arrangement between us under which you have access to protected health information, you will return or destroy all protected health information, and you will retain no copies of it. However, if we determine that returning or destroying protected health information is not feasible, you need not return or destroy it, but you must extend the protections of this Agreement to the protected health information and limit further uses and disclosures of the protected health information to those purposes that make return or destruction infeasible. 3. Miscellaneous. This Agreement constitutes the entire agreement between us with respect to the confidentiality of protected health information, except that it does not relieve you of any professional obligation that otherwise exists. It may be amended only by writing, signed by the party to be bound. It has no third -party beneficiaries. It is to be governed by the internal law of the State of California. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 23 PARTICIPANT's NAME Signed: tet' Name: L/� ;� Jyy\ w Title: -V-l.fe Cv��C'�r Effective Date: I 1- 1 jl l PROVED AS TO FORM: k �YATfORNI=E ato; y: Aaron C. Harp, City Attorney Orange County Partnership Regional Health Information Organization, Inc. (OCPRHIO, Inc) dba One California Partnership Regional Health Information Organization Signed: 0, 00f ,i Name ► AVEVE - Title: Date: O�lg�'LOQ'� AT, alta It. 'wln, It erk Date: % 74.17 REMAINDER OF THIS PAGE LEFT INTENTIONALLY BLANK One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4 24 C_% S o ONE CALIFORNIA PARTNERSHIP REGIONAL HEALTH INFORMATION ORGANIZATION, INC. DATA EXCHANGE PARTICIPATION AGREEMENT Fee Schedule (Effective Date: 12/21/2016) City of Newport Beach, Fire Department (Newport Fire) Startup Annual Fee (only Maintenance Total Year Facility Model year 1) Fee 1 City of Newport Beach, Fire Department EMS 1 (EMS Transport) Transport $ 0.00 $ 0.00 $ 0.00 $ 0.00 $ 0.00 $ 0.00 Total Year 1 costs above for participation on OCPRHIO are due as follows: a) Startup Fee due 30 -days after agreement to participate on the HIE, and b) Annual Maintenance Fee invoiced with the Startup Fee and due within 60 -days of invoice date. Total Year 2 costs below for participation on OCPRHIO as per the Data Exchange Participation Agreement (DEPA) are due on the 1 -year anniversary date of the interface Go -Live as described in the DEPA and, annually, thereafter. Total Year Facility Model 2 1 City of Newport Beach, Fire Department EMS (EMS Transport) Transport $ 0.00 $ 0.00 Information in this Fee Schedule and all associated costs, discounts and offers expire within (45) days of the Effective Date printed above OCPRHIO reserves the right to change its Fee Schedule at any time after the second (2ND) anniversary of the Effective Date of this Agreement, upon SIXTY (60) days prior written notice to the Participant Notes lone -time Onboa rding Startup Fee — for Year 1 only, waived. z Annual Maintenance Fee — Waived as an initial participant on the EMS Integration Proof of Concept project in Orange County, CA, 3 Other Certain fees not charged by OCPRHIO, however, may be the responsibility of the Participant. These may include but are not limited to any fees charged by the respective Participant's IT solutions vendor(s) or other Participant's vendors for any system fees, upgrades, or any additional servers required and are the sole responsibility of the Participant. Access to the OCPRHIO HIE is granted to EMS Transport and employees employed by the above entities performing any functions related to patient EMS transport. Access to the OCPRHIO HIE and its services by non -employed entities of the HIE Participant are charged at the rate of $35.00/month/employee and will be negotiated pending further Discovery, if needed. One California Partnership Regional Health Information Organization Data Exchange Participation Agreement Version 5.4