Common use of Participant’s Users and System Access Policies Clause in Contracts

Participant’s Users and System Access Policies. Each Participant shall have written policies and procedures in place that govern its Participant Users’ ability to access information on or through the Participant’s System and through the Network (“Participant Access Policies”). Each Participant acknowledges that Participant Access Policies will differ among them as a result of differing Applicable Law and business practices. At a minimum, each Participant shall ensure that it has a valid and enforceable written agreement with each of its Participant Users, and/or policies and procedures that Participant Users are required to comply with, that ensure that any Health Data accessed by its Participant Users is: (i) for a Permitted Purpose; (ii) supported by appropriate legal authority for obtaining the Health Data; (iii) requested and viewed by a Participant User with the legal authority to have such access, and (iv) as soon as reasonably practicable after determining that a Breach occurred, report such Breach to the Participant. Further, each Participant shall employ a process for identity proofing that meets or exceeds National Institutes of Standards and Technology (NIST) Level 3 requirements in effect as of the date of execution of this Agreement by which the Participant, or its designee, validates sufficient information to uniquely identify each person seeking to become a Participant User prior to issuing credentials that would grant the person access to the Participant’s System. Participant is solely responsible for authenticating Participant’s own Participant Users for that access. Each Participant represents that it shall have the ability to monitor and audit all access to and use of its System related to this Agreement, for system administration, security, and other legitimate purposes. Each Participant agrees to enforce the provisions of this Agreement including but not limited to any provisions regarding limitations on Permitted Purposes for access to the Health Data and any confidentiality provisions of this Agreement by appropriately training all Participant Users, and disciplining individuals within each Participant’s organization who violate such provisions pursuant to each Participant’s respective Participant Access Policies. Participant shall also require that its Participant Users keep on file any signed patient authorization or consent forms that may be required for documentation regarding access to Health Data from the Network, as well as any documentation of emergency accesses of Health Data from the Network (pursuant to any applicable Network Operating Policies and Technical Requirements).

Participant’s Users and System Access Policies. Each Participant shall have written policies and procedures in place that govern its Participant Users’ ability to access information on or through the Participant’s System and through the Network (“Participant Access Policies”). Each Participant acknowledges that Participant Access Policies will differ among them as a result of differing Applicable Law and business practices. At a minimum, each Participant shall ensure that it has a valid and enforceable written agreement with each of its Participant Users, and/or policies and procedures that Participant Users are required to comply with, that ensure that any Health Data accessed by its Participant Users is: (i) for a Permitted Purpose; (ii) supported by appropriate legal authority for obtaining the Health Data; (iii) requested and viewed by a Participant User with the legal authority to have such access, and (iv) as soon as reasonably practicable after determining that a Breach occurred, report such Breach to the Participant. Further, each Participant shall employ a process for identity proofing that meets or exceeds National Institutes of Standards and Technology (NIST) Level 3 requirements in effect as of the date of execution of this Agreement by which the Participant, or its designee, validates sufficient information to uniquely identify each person seeking to become a Participant User prior to issuing credentials that would grant the person access to the Participant’s System. Participant is solely responsible for authenticating Participant’s own Participant Users for that access. Each Participant represents that it shall have the ability to monitor and audit all access to and use of its System related to this Agreement, for system administration, security, and other legitimate purposes. Each Participant agrees to enforce the provisions of this Agreement including but not limited to any provisions regarding limitations on Permitted Purposes for access to the Health Data and any confidentiality provisions of this Agreement by appropriately training all Participant Users, and disciplining individuals within each Participant’s organization who violate such provisions pursuant to each Participant’s respective Participant Access Policies. Participant shall also (and if appropriate, require that its Participant Users Users) keep on file any signed patient authorization or consent forms that may be required for documentation regarding access to Health Data from the Network, as well as any documentation of emergency accesses of Health Data from the Network (pursuant to any applicable Network Operating Policies and Technical Requirements).