Electronic Health Record Access Agreement (Virginia Mason Medical Center)
This is an Agreement ("EHR Access Agreement") between Virginia Mason Medical Center ("Virginia Mason") and the undersigned
("Company"), to which Virginia Mason has agreed to provide access to its electronic health record ("EHR Data"), subject to
the terms of this EHR Access Agreement and Virginia Mason policy. The Effective Date of this Agreement shall be the date upon which access
provisioning is approved for Company, pursuant to Virginia Mason policy.
Company understands and agrees to all the following terms and conditions, as a condition of such EHR Data access:
Authorized Users; Access. Access shall be limited to Company workforce users who have applied for and been granted access to Virginia
Mason EHR Data ("Authorized Users"). Authorized User access shall be contingent on existence of an unexpired EHR Access Agreement
covering user's access, and user's continued compliance with the EHR Access Agreement terms and Virginia Mason policies and procedures.
Company expressly acknowledges and accepts responsibility for each user granted access to the EHR Data. Access will be provided via
TLS-secured HTTPS. As technology evolves, Virginia Mason may alter the method for access.
EHR Data access is provided for the following purpose: treatment (the "Purpose"). Access shall be "read-only". Access to
Virginia Mason's EHR Data is a privilege that Virginia Mason may revoke at any time. Virginia Mason reserves the right to revoke access without
notification, in response to an actual or suspected Breach (defined below) of this EHR Access Agreement. Should the Company fail to comply with
Virginia Mason security policies and procedures, revocation of access privileges will satisfy the HIPAA sanction requirement found at
45 CFR § 164.308(a)(1)(ii)(C).
Privacy and Confidentiality. Company and its Authorized Users shall access EHR Data only for the specific Purpose described above. Company
and Authorized Users shall at all times treat EHR Data as strictly confidential and shall not disclose EHR Data, or otherwise make EHR Data
available to any other person or entity, except with the prior written consent of Virginia Mason, or as may be required by law. Company agrees
to specifically protect, and require Authorized Users to specifically protect, the confidentiality of the personally identifiable health and
other proprietary information that is part of the EHR Data. Company, and its Authorized Users, shall comply with applicable Virginia Mason
policies and procedures regarding privacy and confidentiality and cooperate with Virginia Mason in complying with regulatory requirements
related to access, including patient restrictions and accounting of disclosures.
This EHR Access Agreement is not intended to, and shall not grant, to Company, or any Authorized User, a right to access any other records
besides the EHR Data, nor access any records for any other Purpose. Company shall ensure that its Authorized Users do not access information
on family members, friends, or co-workers unless such access is a required part of job functions and consistent with the Purpose. Company shall
further prohibit its Authorized Users from in any way divulging, copying, screen printing, releasing, selling, altering, posting online,
destroying or forwarding EHR Data.
The foregoing privacy and confidentiality requirements continue to apply, even after Company or its Authorized Users no longer have access to
the EHR Data, or this EHR Access Agreement has been terminated.
If Company has entered into a Business Associate Agreement ("BAA") with Virginia Mason, then in the event of any conflict between the
BAA and this EHR Access Agreement, the terms of the BAA shall apply.
Breach. Company shall report to Virginia Mason any use or disclosure not authorized by this EHR Access Agreement of patient information
or other confidential or proprietary information ("Breach"), without unreasonable delay but not later than ten (10) calendar days
following discovery of such Breach; and cooperate with Virginia Mason's investigation and requests for information. As applicable, the report
shall include the identification of each patient whose confidential health or other information has been or is reasonably believed to have been
compromised and other information as requested by Virginia Mason.
Security. Company agrees that any individual passcode issued to its Authorized User must be used ONLY by that Authorized User and may
not be shared with anyone else, because it uniquely identifies the Authorized User and the Authorized User's usage activity. The passcode may
periodically expire. Company acknowledges that Virginia Mason may periodically audit the Authorized User's access to the EHR Data and that Company
agrees to provide information reasonably required for such audits within five (5) business days of the request. Virginia Mason may periodically
require the Authorized User to provide information to verify his/her identity.
Authorized Users shall have received annual HIPAA Compliance Training.
If any Authorized User is terminated from or leaves the employment of Company, or no longer requires access to Virginia Mason's EHR, Company shall
immediately report such change to Virginia Mason's Help Desk at (206) 583-6402. Company's failure to so notify Virginia Mason constitutes a Breach
of this EHR Access Agreement, including for purposes of section 6 below.
Unauthorized Use. Company agrees that failure to comply with these confidentiality, privacy and security requirements or using the EHR
Data in an unauthorized manner will be treated as a Breach of this EHR Access Agreement. If Company suspects a violation of privacy or security,
it shall immediately report the incident to Virginia Mason's Privacy Officer at (206) 223-7505.
Indemnification. Company indemnifies and holds Virginia Mason harmless from any claims, liabilities, losses, damages, fines, penalties
or costs and expenses (including reasonable attorneys' fees) arising out of, or related to: (i) a Breach of this EHR Access Agreement, or (ii)
the acts or omissions of Company, an Authorized User, or other directors, officers, employees or agents of Company under this EHR Access Agreement.
This indemnification shall survive termination or expiration of this EHR Access Agreement, and shall be in addition to any indemnification set forth
in a BAA.
Ownership of EHR Data. Virginia Mason shall be the sole owner of the EHR Data, including any adaptations or copies of the EHR Data, and
ownership of the EHR Data shall include any associated intellectual property rights.
Governing Law. This EHR Access Agreement shall be construed and interpreted in accordance with the laws of the State of Washington. In
the event of a dispute, such dispute shall be first referred to nonbinding mediation with a mediator mutually agreeable to both parties. If the
parties are unable to resolve the dispute through mediation, the forum for any additional proceedings shall be King County, Washington.
Notices. In the event of a Breach, Company shall provide written notice to Virginia Mason Medical Center, Attn: Privacy Officer, 1100 Ninth
Ave, Mail Stop M7-IS, P.O. Box 900, Seattle, WA 98111.
Compliance with Law. The parties hereto shall comply with applicable laws and regulations governing their relationship, including, as
applicable, the Health Insurance Portability and Accountability Act ("HIPAA") codified at 45 C.F.R. parts 160 through 164, and its implementing
regulations, the Washington Uniform Healthcare Information Act (RCW 70.02), and any other federal or state laws or regulations governing the
arrangements described in this EHR Access Agreement.
Term; Termination. This EHR Access Agreement shall commence as of the Effective Date and shall continue only through the date of the next required
Virginia Mason EHR Access Agreement re-attestation (as determined by Virginia Mason). The terms, conditions and instructions regarding confidentiality,
privacy and security of the EHR Data shall survive the expiration or termination of this EHR Access Agreement. Either party may terminate this EHR
Access Agreement at any time for any reason upon thirty (30) days prior written notice. Notwithstanding the foregoing, Virginia Mason reserves the
right to suspend or terminate EHR Data access for the Company and/or any of its Authorized Users, in the event Virginia Mason has reasonable cause
based on privacy or security concerns, as determined in its sole discretion.
Miscellaneous. This EHR Access Agreement is not assignable in whole or in part by Company without the prior written consent of Virginia Mason.
This EHR Access Agreement sets forth the parties' entire agreement and supersedes all prior oral and written agreements relating to the subject matter.
Neither Company, nor any Authorized User or other workforce member of Company, shall be considered an employee of Virginia Mason.