No preview available
HomeMy WebLinkAboutC24-345 Chestnut Health Systems Non-Covered Entity Data Use Agreement Chestnut Institute Data Use Agreement (CHS CE, Site Non-CE) APPROVED FOR USE IN CALENDAR YEAR 2024 ONLY Page 1 of 6 This DATA USE AGREEMENT (this “Agreement”) is made this ___________ day of _____________________, 20_____, (the “Effective Date”), by and between CHESTNUT HEALTH SYSTEMS, INC., an Illinois not-for-profit corporation (“Chestnut”), and __________________________________ (“Site”). Chestnut and Site are sometimes each referred to herein as a “Party” and collectively as the “Parties”. WHEREAS, Site wishes to have access to Chestnut’s products and services, including training, certification, instruments, manuals, computer applications, technical assistance, quality assurance feedback, and/or analytic datasets concerning the following: Global Appraisal of Individual Needs Assessment Building System (“GAIN ABS”) Adolescent – Community Reinforcement Approach (“A-CRA”) Assertive Continuing Care (“ACC”) Recovery Management Checkups (“RMC”) Other _____________________________ WHEREAS, Site does NOT operate a behavioral health (mental health, drug, or alcohol treatment) program or other health/wellness program and does NOT need to comply with the Federal Confidentiality of Alcohol and Drug Abuse Patient Records law and regulations, 42 U.S.C. §290dd-2 and 42 C.F.R. Part 2 (“42 C.F.R. Part 2”); WHEREAS, Chestnut is a Covered Entity within the meaning of the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and the Privacy Rule and Security Rule, 45 C.F.R. Parts 160-164 (collectively, the “Privacy and Security Rules”); WHEREAS, Chestnut receives from Site certain data related to the products and services indicated above; WHEREAS, the Parties wish to enter into this Agreement that will permit the sharing of data between them , as well as to comply with the requirements of 42 C.F.R. Part 2, the HITECH Act, and the Privacy and Security Rules. NOW, THEREFORE, in consideration of the mutual covenants and promises set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereto agree as follows: 1.DEFINITIONS. 1.1 “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual , and (a) that identifies the individual, or (b) with respect to which there is rea sonable basis to believe the information can be used to identify the individual. 1.2 “Limited Data Set” means a data set that has had the following identifiers for an individual and for his/her relatives, employers and household members removed: •Names •Street or postal address information (other than town or city, state and zip code) •Telephone numbers •Facsimile numbers •E-mail addresses •Social Security numbers •Medical record numbers •Health plan beneficiary numbers •Account numbers 12th August 24 Eagle County Sheriffs Office X Docusign Envelope ID: DBC3D979-0FA9-4656-BA1B-F7139EA605E0 Chestnut Health Systems, Inc. Data Use Agreement (CHS CE, Site Non-CE) APPROVED FOR USE IN CALENDAR YEAR 2024 ONLY Page 2 of 6 •Certificate/license numbers •Vehicle identifiers and serial numbers, including license plate numbers •Device identifiers and serial numbers •Internet Universal Resource Locators (URLs) •Internet Protocol (IP) address numbers •Biometric identifiers, including finger and voice prints •Full face photographic images and any comparable images A Limited Data Set may include the following identifying information: •The zip code of the individual •Dates, including dates of behaviors or services converted to days before or after intake and the federal fiscal year of intake •Age (in years) at intake •A unique identifying number, characteristic or code A Limited Data Set may also include non-identifying information, including the type of treatment or service received or randomly assigned and the amount of services received, as well as the facility location. A Limited Data Set will require two linkage files (one at Chestnut and one at Site) to connect it back to Protected Health Information (as defined in Section 1.4 hereof). 1.3 “Protected Health Information” or “PHI” means Individually Identifiable Health Information that is (1) transmitted by electronic media, (2) maintained or transmitted in any medium described in the definition of electronic media at Section 160.103 of the Privacy Rule, or (3) transmitted or maintained in any other form or medium. PHI does not include Individually Identifiable Health Information (4) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, (5) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv), (6) in employment rec ords held by a covered entity in its role as employer, and (6) regarding a person who has been deceased for more than fifty (50) years. 1.4 All other capitalized terms not defined herein shall have the same meaning given to them in the Privacy Rule and/or the Security Rule. 2.SERVICES TO BE PROVIDED. 2.1 Chestnut will provide the following services to Site, as requested by Site (collectively, the “Services”): (a) training and technical assistance for Site’s staff for Chestnut’s evidence-based products listed above including administration training and certification, quality assurance review and feedback, and data collection techniques, (b) technical assistance on Chestnut’s data collection websites and systems, (c) a Limited Datasets, (d) analytic and publication as sistance. In the performance of the Services, Chestnut may have varying degrees of access to PHI, a Limited Data Set, or De-identified Information. 2.2 Chestnut hereby designates the following individual to oversee Chestnut’s receipt and disclosure of data pursuant to this Agreement: Name: Barbara Estrada, Director, GAIN Coordinating Center E-mail Address:bestrada@chestnut.org Telephone Number:(309) 451-7891 2.3 Site hereby designates the following individual as its point of contact for purposes of this Agreement: Name: E-mail Address: Telephone Number: __Sarah Kennedy______________________________ __sarah.kennedy@eaglecounty.us_________________ __970-328-8541_______________________________ 3.BUSINESS ASSOCIATE PROVISIONS. To the extent Chestnut uses, accesses, creates, maintains, transmits, receives and/or discloses PHI in the course of providing the Services, Chestnut will be considered a Business Associate of Site and the terms and provisions of this Section 3 shall apply. All PHI that is created or received by Chestnut and disclosed or made available in any form, Docusign Envelope ID: DBC3D979-0FA9-4656-BA1B-F7139EA605E0 Chestnut Health Systems, Inc. Data Use Agreement (CHS CE, Site Non-CE) APPROVED FOR USE IN CALENDAR YEAR 2024 ONLY Page 3 of 6 including paper records, oral communications, audio recordings, and electronic displays, by Site or any of its operating unit s to Chestnut or received by Chestnut on behalf of Site, will be subject to this Section 3. 3.1 Permitted Uses and Disclosures. 3.1.1 Chestnut may use, access, create, maintain, transmit, receive or disclose PHI on behalf of Site only in order to perform any of the Services. Except as otherwise limited by this Agreement, Chestnut may also use PHI (a) for the proper management and administration of Chestnut, and (b) to carry out the legal responsibilities of Chestnut (i.e., audits). 3.1.2 Chestnut may not use or disclose PHI if such use or disclosure would be a violation of the Privacy Rule if done by Site. 3.1.3 Chestnut agrees that it will not use or further disclose PHI other than as permitted or required by this Agreement or as required by law. 3.2 Safeguards. Chestnut agrees to use appropriate physical, administrative and technical safeguards to prevent use or disclosure of PHI other than as permitted by this Agreement or by HIPAA. 3.3 Mitigation. Chestnut agrees to mitigate, to the extent practicable, any harmful effect that is known to Chestnut of a use or disclosure of PHI by Chestnut that violates the requirements of this Agreement. 3.4 Reporting. Chestnut agrees to report to Site, in writing, any use or disclosure of the PHI not permitted by this Agreement of which it becomes aware within ten (10) days of Chestnut’s discovery of such unauthorized use and/or disclosure. If Chestnut becomes aware of a Breach of any Unsecured PHI in Chestnut’s possession (i.e., PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals), Chestnut shall work with Site to investigate, mitigate, assess and notify affected individuals as required and shall comply with the notification requirements to the Secretary of the United States Department of Health and Human Services. Chestnut shall notify Site of any breach of Unsecured PHI as soon as possible, but in no event later than sixty (60) calendar days after discovery. 3.5 Subcontractors. In the event Chestnut is permitted by law to provide PHI to an agent, Chestnut agrees to ensure that all such agents, including subcontractors, that create, receive, maintain, use, disclose, access or transmit PHI on behalf of Chestnut agree to the same restrictions, conditions, and requirements that apply to Chestnut with respect to such information. Chestnut agrees to satisfy this requirement by implementing a written agreement with each subcontractor setting forth the terms and cond itions required under this Agreement. 3.6 Right of Access. The Parties agree that Chestnut will not be creating or receiving any PHI on behalf of Site that is not already contained within Site’s records. Therefore, any requests for access to PHI by Site’s patients or their legal representatives shall be the sole responsibility of Site. 3.7 Right of Amendment. Chestnut agrees to incorporate any amendments to PHI as directed or agreed to by Site in accordance with the amendment of PHI provisions of the Privacy Rule set forth at 45 C.F.R. §164.526 in the time and manner that are mutually agreeable to the Parties. 3.8 Right to Accounting of Disclosures. Chestnut will maintain and make available to Site, within ten (10) days following Site’s request, the information required to provide an accounting of disclosures in accordance with the Privacy Rule. 3.9 Books and Records. Chestnut agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for purposes of determining Chestnut’s and the Site’s compliance with this Section 3, the Security Rule, and/or the Privacy Rule. 3.10 Return or Destruction of PHI. Upon termination of this Agreement for any reason, Chestnut shall, as directed by Site, return or destroy all PHI received from or created or received by Chestnut on behalf of Site that Chestnut still maintains in any form and retain no copies of PHI. This provision shall apply to PHI that is in the possession of Chestnut, its subcontractors, or agents. If return or destruction is not feasible, Chestnut shall provide to Site notification of the conditions that make return or destruction infeasible. If Site is in agreement that return or destruction is not feasible, then Chestnut will agree to extend the protections of this Docusign Envelope ID: DBC3D979-0FA9-4656-BA1B-F7139EA605E0 Chestnut Health Systems, Inc. Data Use Agreement (CHS CE, Site Non-CE) APPROVED FOR USE IN CALENDAR YEAR 2024 ONLY Page 4 of 6 Agreement to the information and to limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible, for as long as Chestnut maintains such PHI. 3.11 Security Provisions. Chestnut will take the following security measures: (a) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of the Site as required by the Security Rule in accordance with 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316; (b) ensure that any agent, including a subcontractor, to whom it provides such information enters into a written agreement to implement reasonable and appropriate safeguards to protect the electronic PHI; (c) develop and enforce appropriate policies, procedures and documentation standards, including de signation of a Security Official; and (d) in accordance with this Section 3.11, report to Site any Security Incident (as defined in 45 C.F.R. § 164.304) of which it becomes aware, as well as any breach of Unsecured PHI. The Parties agree that the breach notification requirements of Section 3.4 hereof satisfy any notice requirements of Chestnut to Site of the ongoing existence and occurrence of attempted but unsuccessful Security Incidents, for which no additional notice to Site shall be required. 4.QUALIFIED SERVICE ORGANIZATION PROVISIONS. To the extent Chestnut has access to substance abuse treatment information in the course of providing the Services, Chestnut will be considered a Qualified Service Organization o f Site (as defined in 42 C.F.R. § 2.11) and the terms and provisions of this Section 4 shall apply. 4.1 In receiving, storing, processing or otherwise dealing with any protected substance abuse information from Site, Chestnut is fully bound by the provisions of 42 C.F.R. Part 2. 4.2 If necessary, Chestnut will resist in judicial proceedings any efforts to obtain access to protected substance abuse information unless access is expressly permitted under 42 C.F.R. Part 2. 4.3 Chestnut acknowledges that any unauthorized disclosure of information under this Section 4 is a federal criminal offense. 5.DE-IDENTIFIED INFORMATION. 5.1 Data will be de-identified in accordance with §§ 164.514 (a) and (b) of the Privacy Rule. Chestnut shall be permitted to use or disclose De-identified Information without restriction, including using De-identified Information to test software applications, new or modified functionality, reports, and products. 5.2 Chestnut’s De-identified Information data set shall contain a randomly assigned identification number, which will be linked only to the identification number assigned by the Site. Site will not have access to this link. Similarly, Chestnut will not have access to the link between the Site’s identification number and personal identifiers. 6.TERM AND TERMINATION. 6.1 Term. This Agreement shall become effective on the Effective Date and shall terminate when data is no longer being provided to, created by, used by, disclosed to, maintained by, transmitted to or received by Chestnut on behalf of Site. Chestnut agrees that all identifying information not previously returned or destroyed in accordance with Section 3.1 0 hereof will be destroyed within five (5) years of the termination of this Agreement, unless continuation funding and/or an updated consent is/are obtained or as otherwise required by law. 6.2 Termination. Either Party may terminate this Agreement immediately in the event of a material breach of this Agreement by the other Party that remains uncured for fifteen (15) days after notification of said breach by the non -breaching party. If termination is not feasible, the non -terminating party, if a Covered Entity, shall have the responsibility to report any problems to the Secretary of the U.S. Department of Health and Human Services. Upon termination, any PHI in possession of Chestnut shall be returned to Site or destroyed in accordance with Section 3.10 hereof. 7.MISCELLANEOUS. 7.1 Compliance with Law. Each Party agrees to perform its responsibilities hereunder in accordance with all applicable laws. Docusign Envelope ID: DBC3D979-0FA9-4656-BA1B-F7139EA605E0 Chestnut Health Systems, Inc. Data Use Agreement (CHS CE, Site Non-CE) APPROVED FOR USE IN CALENDAR YEAR 2024 ONLY Page 5 of 6 7.2 Notices. Any and all notices, demands, requests, and other communications required or permitted hereunder shall be in writing and shall be given in person or by registered mail, return receipt requested, or by facsimile or electronic transm ission, addressed as follows. Any notice shall be deemed to have been given at the time of actual receipt. If to Chestnut: If to Site: Chestnut Health Systems, Inc. Name: Attention: Puneet Leekha, General Counsel Address: 1003 Martin Luther King Drive Address: Bloomington, Illinois 61701 Telephone: Email: pleekha@chestnut.org Email: _Eagle County Detention Facility_________ _885 E. Chambers Ave. _______________ _Eagle, Co 81631_____________________ _970-328-8564_______________________ _Elizabeth.Sanchez@eaglecounty.us______ 7.3 Amendments. This Agreement may only be amended or modified in writing as mutually agreed upon by the Parties. 7.4 Assignment. The Parties expressly agree that neither Party may assign any of its rights or responsibilities under this Agreement to any individual or entity without the prior written consent of the other Party. Notwithstanding the foregoing, Site acknowledges that Chestnut may assign any or all its rights or responsibilities under this Agreement to any of its wholly owned subsidiaries, affiliates, or related entities, without the consent of Site. 7.5 Severability. If any provision of this Agreement shall for any reason be held to be invalid or unenforceable, such invalidity or unenforceability shall not affect any other provision hereof, and this Agreement shall be construed as if such invalid or unenforceable provisions were omitted. 7.6 Waiver. The waiver by either Party of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provisions hereof. 7.7 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Colorado. 7.8 Entire Agreement. This Agreement, including any exhibits hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof. There are no representations, agreements, arrangements, restrictions, limitations, or understandings, oral or written, between the Parties relating to the subject matter of this Agreement that are not fully expr essed herein. 7.9 No Third-Party Beneficiaries. No person or entity that is not a party to this Agreement will be a third-party beneficiary of any rights or obligations hereunder or be entitled to enforce any of said rights or obligations. 7.10 Headings. Section headings have been inserted into this Agreement as a matter of convenience of reference only, and it is agreed that such section headings are not part of this Agreement and shall not be used in the interpretation of any pro visions of this Agreement. 7.11 Singular, Plural, and Gender. Throughout this Agreement and whenever required by context, the use of the singular shall be construed to include the plural, and the use of plural the singular, and the use of any gender shall include all gen ders. 7.12 Remedies Cumulative. No remedy set forth in this Agreement or otherwise conferred upon or reserved to either party shall be considered exclusive of any other remedy. 7.13 Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be considered an original and all of which shall together constitute one and the same document. Delivery of an executed counterpart of this Agreement by electronic or facsimile transmission shall be equally as effective as delivery of an original executed counterpart. Any Party delivering an executed counterpart of this Agreement by electronic or facsimile transmission shall also deliver an original executed counterpart, but failure to deliver an original executed counterpart shall not affect the validity, enforceability, or binding effect of this Agreement. 7.14 Drafting. Chestnut, or Chestnut’ legal counsel, has drafted this Agreement solely as a matter of convenience for the Parties hereto. Each Party has carefully reviewed and negotiated the terms of this Agreement and, accordingly, any drafting errors, ambiguities or inconsistencies will not be interpreted against Chestnut. Docusign Envelope ID: DBC3D979-0FA9-4656-BA1B-F7139EA605E0 Chestnut Health Systems, Inc. Data Use Agreement (CHS CE, Site Non-CE) APPROVED FOR USE IN CALENDAR YEAR 2024 ONLY Page 6 of 6 7.15 Expenses. Each Party will pay its own fees and expenses and those of its agents, advisors, attorneys, and accountants, with respect to the preparation and negotiation of this Agreement. 7.16 Accessibility Requirements. a. Contractor hereby represents and warrants that the Services either comply, or Contractor is making a good faith effort to bring the Services into compliance with all applicable state and federal disability laws and regulations, including but not limited to, the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, The Americans with Disabilities Act, C.R.S. § 24 -85-101, C.R.S. § 24- 85-102, and C.R.S. § 24-85-103 as those laws may be amended and implemented through regulation. b. Contractor hereby represents and warrants that the Services either conform, or Contractor is making a good faith effort to bring the Services into conformance with, the accessibility standards for individuals with a disability set forth in WCAG 2.1 A and AA, or the most current standards published by the World Wide Web Consortium and all other accessibility standards established by the Colorado Governor’s Office of Information Technology, and as may be amended (collectively, the “Accessibility Standards”). c. Contractor shall produce accessibility testing results and written documentation regarding accessibility in an Accessibility Conformance Report (“ACR”) in a “Voluntary Product Accessibility Template” (“VPAT”), provided by the Information Technology Industry Council, compliant with the current version of the Web Content Accessibility Guidelines (“WCAG”) and 8 CCR 1501 -11, or other format specified by County. An ACR consistent with the requirements set forth in this Section 15 is attached hereto as Exhibit C. Contractor shall maintain and retain, subject to review by County, full documentation of the measures taken to ensure the Services are in compliance with the Accessibility Standards, including records of any automated, manual and user testing or simulations conducted. d. Contractor acknowledges and agrees that if the Services do not meet the Accessibility Standards as determined by County in its reasonable discretion, then County may be required to terminate this Agreement. e. In addition to Contractor’s indemnification obligations set forth in Section 7 above, Contractor shall indemnify, defend and hold County harmless from any losses, claims, damages or liabilities arising out of its failure to comply with the Accessibility Standards, including but not limited to, the damages, fines, liabilities and penalties set forth in C.R.S.§ 24 -34-802, as may be amended. IN WITNESS WHEREOF, the Parties have executed this DATA USE AGREEMENT as of the date first set forth above. CHESTNUT: SITE: CHESTNUT HEALTH SYSTEMS, INC. __________________________________________ Signature: Signature: ______________________________ Name: Puneet Leekha Name: ______________________________ Title: COO and General Counsel Title: ______________________________ PL PL Docusign Envelope ID: DBC3D979-0FA9-4656-BA1B-F7139EA605E0 Jeff Shroll County Manager Eagle County Detention Facility