Availability of HIE System and CRISP Services. 1.01 CRISP will make available to Participant during the term of this Agreement, the HIE System, CRISP Services, and the related operational, administrative and support staff functions and technical infrastructure, for the provision and consumption of Data among Participants, based on Push, Query- Retrieve, and Publish-Subscribe exchange of Messages in a secure manner, all as described in this Agreement, including the following directly or through an Exchange Technology Provider: x. XXXXX will provide, maintain and make available all Data hosting and the software and related services necessary for operation and maintenance of the Central Data Service. x. XXXXX will provide for all appropriate and necessary software, maintenance and hardware necessary for the HIE System and to allow Participant and Participant’s Participant Users to access and use the HIE via Internet connections. x. XXXXX also is responsible for ensuring that the HIE System shall be available as set forth in the Policies and Procedures. d. As to Data that is subject to protections and restrictions under Applicable Law, CRISP shall provide access to the HIE System via a secured methodology, consistent with industry standards, which shall incorporate end user authentication by Participant Users for access where applicable. CRISP is responsible to ensure HIE System security and shall operate the HIE System in a manner that protects the confidentiality, integrity, availability or security of Data. CRISP will ensure encryption of Data through the use of generally accepted industry standards and methods, in no case less than is required under the Business Associate Agreement (Exhibit F) and under other Applicable Laws. CRISP shall be responsible for the security of Participant’s Data that it receives while under the control ofCRISP or Crisp’s Exchange Technology Providers. In furtherance of the foregoing, CRISP shall limit thenumber of CRISP personnel, subcontractors and agents who will have Access to Participant’s Data to that which is necessary and appropriate to the work function of individual personnel, subcontractors and agents. Additionally, CRISP shall take all reasonable steps necessary to prevent CRISP personnel subcontractors and agents from accessing the HIE System after having their access privileges revoked or suspended. CRISP shall be responsible for ensuring the performance of routine and frequent backups of Participant’s Data stored on the HIE System. e. As to Data that is not subject to protections and restrictions under Applicable Law, and as to Confidential Information of Participant, CRISP shall provide protections for the security and confidentiality of such information, in no event less than reasonable, industry accepted protections, and shall limit the number of CRISP personnel, subcontractors and agents who will have access to such information to that which is necessary and appropriate to the work function of individual personnel, subcontractors and agents. Additionally, CRISP shall take all reasonable steps necessary to prevent CRISP personnel subcontractors and agents from accessing such information after having their access privileges revoked or suspended. f. To the extent that CRISP staff has access to information, including Data and/or Confidential Information of Participant, such information will be used only as specified in Section 5.03. 1.02 CRISP will (unless Participant and CRISP agree otherwise in writing), during the term of this Agreement, provide at its sole expense, Central Data Service for Participant’s use exclusively in connection with the HIE. The Service may be hosted by CRISP or by an Exchange Technology Provider under an agreement with CRISP. a. For the purposes of this Agreement, CRISP will be responsible for the provision of the Central Data Service and its compliance with the confidentiality and security of Data held on the Central Data Service and corresponding repositories in accordance with the same standards and requirements that are applicable to the HIE under this Agreement. CRISP will have authority to do so as a Business Associate of Participant as set forth in the Business Associate Agreement (Exhibit C). x. XXXXX agrees that in the event that Participant so requests in writing, in its sole discretion and with or without cause, CRISP will immediately instruct the Exchange Technology Provider to or CRISP itself will (i) terminate drawing further Data from Participant’s System into HIE; and
Appears in 3 contracts
Samples: Payer Participation Agreement, Payer Participation Agreement, Payer Participation Agreement
Availability of HIE System and CRISP Services. 1.01 CRISP will make available to Participant during the term of this Agreement, the HIE System, and CRISP Services, and the related operational, administrative and support staff functions and technical infrastructure, for the provision and consumption of Data among Participants, based on the Push, Query- Retrieve, Query-Retrieve and Publish-Subscribe exchange of Messages in a secure manner, all as described in this Agreement, including the following following, directly or through an Exchange Technology Provider:
x. XXXXX will provide, maintain and make available all Data hosting and the software and related services necessary for operation and maintenance of the Central Data Service.
x. XXXXX will provide for all appropriate and necessary software, maintenance and hardware necessary for the HIE System and to allow Participant and Participant’s Participant Users to access and use the HIE via Internet connections.
x. XXXXX also is responsible for ensuring that the HIE System shall be available as set forth in the Policies and Procedures.
d. As to Data that is subject to protections and restrictions under Applicable Law, CRISP shall provide access to the HIE System via a secured methodology, consistent with industry standards, which shall incorporate end user authentication by Participant Users for access where applicableaccess. CRISP is responsible to ensure HIE System security and shall operate the HIE System in a manner that protects the confidentiality, integrity, availability or security of Data. CRISP will ensure encryption of Data through the use of generally accepted industry standards and methods, in no case less than is required under the Business Associate Agreement (Exhibit FC) and under other Applicable Laws. CRISP shall be responsible for the security of Participant’s Data that it receives while under the control ofCRISP of CRISP or CrispCRISP’s Exchange Technology Providers. In furtherance of the foregoing, CRISP shall limit thenumber the number of CRISP personnel, subcontractors and agents who will have Access to Participant’s Data to that which is necessary and appropriate to the work function of individual personnel, subcontractors and agents. Additionally, CRISP shall take all reasonable steps necessary to prevent CRISP personnel personnel, subcontractors and agents from accessing the HIE System after having their access privileges revoked or suspended. CRISP shall be responsible for ensuring the performance of routine and frequent backups of Participant’s Data stored on the HIE System.
e. As to Data that is not subject to protections and restrictions under Applicable Law, and as to Confidential Information of Participant, CRISP shall provide protections for the security and confidentiality of such information, in no event less than reasonable, industry accepted protections, and shall limit the number of CRISP personnel, subcontractors and agents who will have access to such information to that which is necessary and appropriate to the work function of individual personnel, subcontractors and agents. Additionally, CRISP shall take all reasonable steps necessary to prevent CRISP personnel personnel, subcontractors and agents from accessing such information after having their access privileges revoked or suspended.
f. To the extent that CRISP staff has access to information, including Data and/or Confidential Information of Participant, such information will be used only as specified in Section 5.03.
1.02 CRISP will (unless Participant and CRISP agree otherwise in writing), during the term of this Agreement, provide at its sole expense, the Central Data Service for Participant’s use exclusively in connection with the HIE. The Central Data Service may be hosted by CRISP or by an Exchange Technology Provider Provider, under an agreement with CRISP.
a. For the purposes of this Agreement, CRISP will be responsible for the provision of the Central Data Service and its compliance with the confidentiality and security of Data held on the Central Data Service and corresponding repositories in accordance with the same standards and requirements that are applicable to the HIE under this Agreement. CRISP will have authority to do so as a Business Associate of Participant as set forth in the Business Associate Agreement (Exhibit C).
x. XXXXX agrees that that, in the event that Participant so requests in writing, in its sole discretion and with or without cause, CRISP will immediately instruct the Exchange Technology Provider to or CRISP itself will (i) terminate drawing further Data from Participant’s System into the HIE; andand (ii) terminate providing such Data for transmission through the HIE, on a prospective basis. The foregoing termination may be temporary or permanent, and in either case, CRISP will ensure that the Exchange Technology Provider or CRISP itself causes such termination to occur promptly upon receipt of CRISP’s instruction. The Central Data Service and Participant’s Data stored in the Central Data Service may, if determined necessary by CRISP continue to be held by the Exchange Technology Provider or CRISP, and such Data will be available to CRISP for documentation of Messages sent or received by Participant prior to the termination of the data provision via the Central Data Service and for other purposes related to the management of the HIE as specified in Section 5.03, so long as such purposes do not involve further transmission of Participant’s Data to other Participants. Each party acknowledges that a temporary suspension (other than one issued in accordance with Section 20.04 so long as the investigation is proceeding under Section 20.04(e) may be grounds for termination of this Agreement by either party, after discussion with the other party, and a permanent suspension will be treated as grounds for termination of this Agreement by either party.
x. XXXXX shall (i) establish and maintain safeguards against the destruction, loss or alteration of Participant’s Data; (ii) establish and maintain safeguards against the unauthorized access to such Participant’s Data; and (iii) establish and maintain network and internet security procedures, protocols, security gateways and firewalls with respect to such Participant’s Data, all in accordance with industry standard practices. Without limiting the foregoing, and in addition to its obligations under the Business Associate Agreement set forth in Exhibit C, CRISP shall implement and/or agree to: (1) maintain network security to include appropriate use of firewalls, intrusion detection/prevention, anti-malware (including anti- virus), secure (or encrypted) transmission of data, secure remote access to Participant’s systems, and related network, management and maintenance applications and tools as well as appropriate fraud prevention and detection technologies; (2) store all Participant backup data as part of its designated backup and recovery process in encrypted form, using a commercially supported encryption solution; any and all Data stored on any portable computing device or portable storage medium by CRISP, including but not limited to end user devices, shall be encrypted using industry standard encryption solutions; (3) comply with industry standard software development guidelines to protect against security related vulnerabilities and continue to enhance/modify development guidelines incorporating the newest applicable industry standards; and (4) maintain a secure processing environment including but not limited to the timely application of patches, fixes and updates to operating systems, infrastructure components and applications as provided by CRISP.
d. Without limiting the generality of the foregoing, CRISP’s information security policies shall provide for (i) periodic assessment and re-assessment of the risks to the security of Participant’s Data and CRISP’s network(s), including but not limited to (1) assessment and identification of internal and external threats that could result in unauthorized disclosure, alteration or destruction of Participant’s Data and such systems, (2) review of the sufficiency of policies, procedures, and CRISP’s network(s) to control risks; and (ii) implement appropriate protection against such risks. CRISP shall monitor and enforce security procedures and resolve exception report issues.
x. XXXXX shall perform, and where relevant require performance by its contractors, security audits of its systems and facilities at least annually to ensure the security of Participant’s Data in accordance with industry standard practices and the Agreement, which shall include, at a minimum, yearly penetration tests to test the security of CRISP-hosted systems processing Participant’s Data. If, and to the extent relevant and available for a specific CRISP-hosted service, CRISP will provide to Participant, upon Participant’s reasonable request no more frequently than once per calendar year, and for no additional charge, an ISO certification, HITRUST certification, or a SOC-1 or SOC-2 third-party auditor's letter of attestation or audit report, or successor certifications or audit reports, or business specific security guidelines for the CRISP-hosted service to be provided under the Agreement. Any such certifications, audit reports or security guidelines provided to Participant are to be treated and marked as “Confidential Information” to be protected in accordance with the terms of the Agreement. XXXXX agrees to comply with those data privacy laws applicable to CRISP’s role as a data processor under this Agreement.
f. Where required, CRISP shall perform audits in a remote setting and shall provide such audit logs to Participant as reasonably requested.
Appears in 3 contracts
Samples: Hie Participation Agreement, Hie Participation Agreement, Hie Participation Agreement
Availability of HIE System and CRISP Services. 1.01 CRISP will make available to Participant during the term of this Agreement, the HIE System, and CRISP Services, and the related operational, administrative and support staff functions and technical infrastructure, for the provision and consumption of Data among Participants, based on the Push, Query- Retrieve, Query-Retrieve and Publish-Subscribe exchange of Messages in a secure manner, all as described in this Agreement, including the following following, directly or through an Exchange Technology Provider:
x. XXXXX will provide, maintain and make available all Data hosting and the software and related services necessary for operation and maintenance of the Central Data Service.
x. XXXXX will provide for all appropriate and necessary software, maintenance and hardware necessary for the HIE System and to allow Participant and Participant’s Participant Users to access and use the HIE via Internet connections.
x. XXXXX also is responsible for ensuring that the HIE System shall be available as set forth in the Policies and Procedures.
d. As to Data that is subject to protections and restrictions under Applicable Law, CRISP shall provide access to the HIE System via a secured methodology, consistent with industry standards, which shall incorporate end user authentication by Participant Users for access where applicableaccess. CRISP is responsible to ensure HIE System security and shall operate the HIE System in a manner that protects the confidentiality, integrity, availability or security of Data. CRISP will ensure encryption of Data through the use of generally accepted industry standards and methods, in no case less than is required under the Business Associate Agreement (Exhibit FC) and under other Applicable Laws. CRISP shall be responsible for the security of Participant’s Data that it receives while under the control ofCRISP of CRISP or CrispCRISP’s Exchange Technology Providers. In furtherance of the foregoing, CRISP shall limit thenumber the number of CRISP personnel, subcontractors and agents who will have Access to Participant’s Data to that which is necessary and appropriate to the work function of individual personnel, subcontractors and agents. Additionally, CRISP shall take all reasonable steps necessary to prevent CRISP personnel personnel, subcontractors and agents from accessing the HIE System after having their access privileges revoked or suspended. CRISP shall be responsible for ensuring the performance of routine and frequent backups of Participant’s Data stored on the HIE System.
e. As to Data that is not subject to protections and restrictions under Applicable Law, and as to Confidential Information of Participant, CRISP shall provide protections for the security and confidentiality of such information, in no event less than reasonable, industry accepted protections, and shall limit the number of CRISP personnel, subcontractors and agents who will have access to such information to that which is necessary and appropriate to the work function of individual personnel, subcontractors and agents. Additionally, CRISP shall take all reasonable steps necessary to prevent CRISP personnel personnel, subcontractors and agents from accessing such information after having their access privileges revoked or suspended.
f. To the extent that CRISP staff has access to information, including Data and/or Confidential Information of Participant, such information will be used only as specified in Section 5.03.
1.02 CRISP will (unless Participant and CRISP agree otherwise in writing), during the term of this Agreement, provide at its sole expense, the Central Data Service for Participant’s use exclusively in connection with the HIE. The Central Data Service may be hosted by CRISP or by an Exchange Technology Provider Provider, under an agreement with CRISP.
a. For the purposes of this Agreement, CRISP will be responsible for the provision of the Central Data Service and its compliance with the confidentiality and security of Data held on the Central Data Service and corresponding repositories in accordance with the same standards and requirements that are applicable to the HIE under this Agreement. CRISP will have authority to do so as a Business Associate of Participant as set forth in the Business Associate Agreement (Exhibit C).
x. XXXXX agrees that that, in the event that Participant so requests in writing, in its sole discretion and with or without cause, CRISP will immediately instruct the Exchange Technology Provider to or CRISP itself will (i) terminate drawing further Data from Participant’s System into the HIE; andand (ii) terminate providing such Data for transmission through the HIE, on a prospective basis. The foregoing termination may be temporary or permanent, and in either case, CRISP will ensure that the Exchange Technology Provider or CRISP itself causes such termination to occur promptly upon receipt of CRISP’s instruction. The Central Data Service and Participant’s Data stored in the Central Data Service may, if determined necessary by CRISP continue to be held by the Exchange Technology Provider or CRISP, and such Data will be available to CRISP for documentation of Messages sent or received by Participant prior to the termination of the data provision via the Central Data Service and for other purposes related to the management of the HIE as specified in Section 5.03, so long as such purposes do not involve further transmission of Participant’s Data to other Participants. Each party acknowledges that a temporary suspension (other than one issued in accordance with Section 20.04 so long as the investigation is proceeding under Section 20.04(e) may be grounds for termination of this Agreement by either party, after discussion with the other party, and a permanent suspension will be treated as grounds for termination of this Agreement by either party.
x. XXXXX shall (i) establish and maintain safeguards against the destruction, loss or alteration of Participant’s Data; (ii) establish and maintain safeguards against the unauthorized access to such Participant’s Data; and (iii) establish and maintain network and internet security procedures, protocols, security gateways and firewalls with respect to such Participant’s Data, all in accordance with industry standard practices. Without limiting the foregoing, and in addition to its obligations under the Business Associate Agreement set forth in Exhibit C, CRISP shall implement and/or agree to: (1) maintain network security to include appropriate use of firewalls, intrusion detection/prevention, anti-malware (including anti- virus), secure (or encrypted) transmission of data, secure remote access to Participant’s systems, and related network, management and maintenance applications and tools as well as appropriate fraud prevention and detection technologies; (2) store all Participant backup data as part of its designated backup and recovery process in encrypted form, using a commercially supported encryption solution; any and all Data stored on any portable computing device or portable storage medium by CRISP, including but not limited to end user devices, shall be encrypted using industry standard encryption solutions; (3) comply with industry standard software development guidelines to protect against security related vulnerabilities and continue to enhance/modify development guidelines incorporating the newest applicable industry standards; and (4) maintain a secure processing environment including but not limited to the timely application of patches, fixes and updates to operating systems, infrastructure components and applications as provided by CRISP.
d. Without limiting the generality of the foregoing, CRISP’s information security policies shall provide for (i) periodic assessment and re-assessment of the risks to the security of Participant’s Data and CRISP’s network(s), including but not limited to (1) assessment and identification of internal and external threats that could result in unauthorized disclosure, alteration or destruction of Participant’s Data and such systems, (2) review of the sufficiency of policies, procedures, and CRISP’s network(s) to control risks; and (ii) implement appropriate protection against such risks. CRISP shall monitor and enforce security procedures and resolve exception report issues.
x. XXXXX shall perform, and where relevant require performance by its contractors, security audits of its systems and facilities at least annually to ensure the security of Participant’s Data in accordance with industry standard practices and the Agreement, which shall include, at a minimum, yearly penetration tests to test the security of CRISP-hosted systems processing Participant’s Data. If, and to the extent relevant and available for a specific CRISP-hosted service, CRISP will provide to Participant, upon Participant’s reasonable request no more frequently than once per calendar year, and for no additional charge, an ISO certification, HITRUST certification, or a SOC-1 or SOC-2 third-party auditor's letter of attestation or audit report, or successor certifications or audit reports, or business specific security guidelines for the CRISP-hosted service to be provided under the Agreement. Any such certifications, audit reports or security guidelines provided to Participant are to be treated and marked as “Confidential Information” to be protected in accordance with the terms of the Agreement. CRISP agrees to comply with those data privacy laws applicable to CRISP’s role as a data processor under this Agreement.
f. Where required, CRISP shall perform audits in a remote setting and shall provide such audit logs to Participant as reasonably requested.
Appears in 1 contract
Samples: Hie Participation Agreement
