The URL can be used to link to this page

Agenda 05/09/2023 Item #16E 1 (Confidentiality Agreement between Collier County and NCH Healthcare System, Inc.)16.E.1 05/09/2023 EXECUTIVE SUMMARY Recommendation to approve and authorize an Access and Confidentiality Agreement between Collier County and NCH Healthcare System, Inc., to allow EMS to obtain access to patient outcomes from Naples Community Hospital utilizing the EpicCare Link Software System. OBJECTIVE: To approve and authorize the County to sign the attached NCH Healthcare System, Inc., ("NCH") EpicCare Link User Agreement allowing for secure and confidential access to NCH's owned patient information on the date that patients are transported by Collier EMS, as well as to evaluate the patient's post transport care for accreditation and quality care purposes. CONSIDERATIONS: NCH recently changed its patient care reporting software to EpicCare Link Software System. As part of its Quality Assurance Program, Collier EMS obtains patient outcome information on patients that have been transported to NCH hospitals to assure patients are being treated properly and efficiently. This data is useful in providing feedback to Collier EMS and is utilized for training and system improvement. With the change in software, NCH is requiring Collier County to enter into the attached EpicCare Link User Agreement to obtain patient outcome information by Collier EMS. FISCAL IMPACT: None. GROWTH MANAGEMENT IMPACT: There is no impact to the Growth Management Plan from this action. LEGAL CONSIDERATIONS: This item is approved as to form and legality and requires majority vote for Board approval. -SRT RECOMMENDATION: For the Board to approve and sign the attached EpicCare Link User Agreement with the NCH Healthcare System, Inc. allowing Collier EMS to obtain patient information on patients that are transported to NCH hospitals by Collier EMS. PREPARED BY: Tabatha Butcher, Chief Collier County EMS ATTACHMENT(S) 1. EPIC Agrmt 04.21.23 Final (PDF) Packet Pg. 833 16. E.1 05/09/2023 COLLIER COUNTY Board of County Commissioners Item Number: 16.E.1 Doe ID: 25264 Item Summary: Recommendation to approve and authorize an Access and Confidentiality Agreement between Collier County and NCH Healthcare System, Inc., to allow EMS to obtain access to patient outcomes from Naples Community Hospital utilizing the EpicCare Link Software System. Meeting Date: 05/09/2023 Prepared by: Title: — Emergency Medical Services Name: Cherie DuBock 04/17/2023 1:19 PM Submitted by: Title: Division Director - EMS Operations — Emergency Medical Services Name: Tabatha Butcher 04/17/2023 1:19 PM Approved By: Review: Emergency Medical Services Office of Management and Budget Office of Management and Budget County Attorney's Office County Attorney's Office County Manager's Office Board of County Commissioners Tabatha Butcher Director Review Debra Windsor Level 3 OMB Gatekeeper Review Christopher Johnson Additional Reviewer Scott Teach Level 3 County Attorney's Office Review Scott Teach Additional Reviewer Dan Rodriguez Level 4 County Manager Review Geoffrey Willig Meeting Pending Completed 04/18/2023 8:28 AM Completed 04/18/2023 9:03 AM Completed 04/18/2023 1:17 PM Completed 04/21/2023 1:19 PM Completed 04/21/2023 1:43 PM Completed 05/02/2023 8:22 AM 05/09/2023 9:00 AM Packet Pg. 834 16.E.1.a Healthcare System NCH Healthcare System EpicCare Link User Agreement This NCH Healthcare System, Inc. EpicCare Link User Agreement ("Agreement") is made and entered into as of this day of May, 2023, by Collier EMS, Collier County Florida, a subdivision of the State of Florida, an emergency medical service providing care to mutually shared patients ("CCEMS") and the NCH Healthcare System, Inc. ("NCH") who renders care to patients at two hospitals and two free standing emergency rooms. WITNESSETH: WHEREAS, CCEMS provides care to the patient on the date of transport; WHEREAS, the parties wish to state the terms and conditions under which CCEMS will be given access to a secure electronic database of NCH owned patient information by which CCEMS may obtain information for those patients CCEMS rendered care to on a specific date the patient was transported, to evaluate the patient's post transport care for their accreditation and quality of care purposes. NOW, THEREFORE, in consideration of the mutual promises herein contained, NCH and CCEMS agree as follows: ARTICLE I Section 1.1. The Electronic Health Record. NCH maintains a secure electronic database of confidential patient information owned by NCH, including but not limited to clinical and hospital treatment records, physician notes, laboratory and imaging records, patient demographic information, insurance and third -party payor information and other information regarding NCH patients and proprietary information. This aforementioned information and the EpicCare Link software shall be collectively referred to as the "EHR". NCH reserves the right to modify or discontinue the EHR or CCEMS' access to the EHR, or terminate this Agreement at any time for any reason. Section 1.2. Grant of limited Use. CCEMS is granted the right to access the EHR for the following sole and limited purpose: CCEMS may obtain health information about the subsequent hospital care and treatment of CCEMS patients for the CCEMS accreditation and quality of care purposes. CCEMS will only access the patient encounter for the services rendered related to a transport. No prior or subsequent hospital or other patient encounters may be accessed. All other use of the EHR is strictly prohibited. The EHR information may not be used for clinical trials or any other research purpose. Any other patient information sought by CCEMS shall be obtained upon the patient's written authorization utilizing NCH's standard patient information release form, and complies with 1 Packet Pg. 835 16.E.1.a Florida law. This authorization form will be provided to the NCH Privacy Officer, who will coordinate the release of information. CCEMS' access to the EHR is subject to audit and review at any time by NCH. Section 1.3 Designation of Access Administrator. CCEMS shall designate an Access Administrator ("Administrator") who will be responsible for managing the Users of CCEMS. The Administrator assures NCH that the User for which the CCEMS is requesting access for is a bona fide employee of CCEMS and that the User has a legitimate need for access to the NCH EHR. The Administrator is responsible for promptly notifying NCH to remove access when a User has left the CCEMS or has changed roles and no longer needs access. if the Administrator leaves the employment of CCEMS, CCEMS will notify NCH within 5 days. Access Administrator Name: Access Administrator Email: Access Administrator direct line or cell #; Section 1.4. No Maintenance or Support to EHR. No technical or administrative support shall be provided to CCEMS relative to its use of the EHR. However, NCH will assist in directing CCEMS to EPIC training if appropriate. ARTICLE If Section 2.1. CCEMS Access. EHR access is managed by the NCH IT Department and the NCH Privacy Officer. CCEMS shall identify users whom it shall authorize to access the EHR on its behalf ("User") under this Agreement and the Access Administrator shall submit to NCH. A confidential User ID and temporary password shall then be assigned to each User, by which such User may access the EHR for the limited purposes stated in Section 1.2 herein. Section 2.2. Sharing of Passwords Prohibited. CCEMS shall protect the confidentiality of User IDs and passwords consistent with the requirements detailed In the NCH EpicCare Link terms and conditions, Florida law, the Health Insurance Portability and Accountability Act as amended (HIPAA HITECH Act) and shall not divulge such confidential IDs and/or passwords to any other persons. CCEMS shall be responsible for use of the password issued to its designated Users. If any inappropriate access occurs, the access will be suspended for a minimum of 30 days and reactivation will be determined by the Privacy Officer. Section 2.3. Notification of Compromised Password. In the event that a password assigned to a User is compromised or disclosed to a person other than the User, CCEMS shall upon learning of the compromised password, immediately notify the NCH IT Help Desk (as set forth in Article VI, Section 6.2) so actions can be taken to limit access by that password and to issue a new password to the CCEMS User. Section 2.4. CCEMS Notification of Termination of Employment and Other Events Ending an Employee's Need toAccess the EHR. CCEMS shall immediately notify the NCH IT Service Center (as set forth FN Packet Pg. 836 16.E.1.a in Article VI, Section 6.2) in the event any CCEMS User ceases to be employed by or associated with the CCEMS, experiences a change in job function no longer requiring access to the EHR, or for any other reason that the CCEMS choses to no longer provide such person access to the EHR on its behalf. Unless and until the NCH IT Service Center receives such notification, CCEMS shall remain responsible for such User's actions in accessing the EHR and using the information obtained thereunder. Section 2.5. CCEMS Training Requirement. CCEMS shall provide annual training to its Users on issues related to information security and patient confidentiality. CCEMS shall maintain written records evidencing such annual training and provide copies upon request to NCH. ARTICLE III Section 3.1. Ownership. No rights to the EHR or patient information contained therein are transferred to the CCEMS under this Agreement. Section 3.2. Accessing, Using, and Disclosing PHI. a. If CCEMS has need to print EHR documents, CCEMS may only do so of medical records which are necessary and essential for the sole purpose of the CCEMS' quality of care. Such documents shall be maintained, protected and destroyed in the same manner as the CCEMS maintains, protects and destroys the medical records of CCEMS' patients. b. CCEMS shall not use or disclose or release any medical records obtained from the EHR for any purpose other than otherwise permitted in this Agreement and as set forth in Article IV, Section 4.1 of this Agreement. Information contained in the EHR may not be used for clinical trials or any other research purpose. o. CCEMS may not make electronic copies of medical records or other documents contained in the EHR. d. CCEMS shall not rewrite or otherwise alter, destroy, circumvent or sabotage the EHR or the electronic medical records and documents stored and maintained in the EHR. e. CCEMS shall not access, use or disclose any information contained in the EHR for any purpose with the intent to negatively impact the competitive advantage of NCH in the marketplace. ARTICLE IV Section 4.1. Medical Records Confidentiality. The parties recognize that the medical records maintained in the EHR are subject to various state and federal privacy laws and regulations including but not limited to HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) and that NCH and CCEMS are under an obligation to maintain the confidentiality of such records. CCEMS shall not disclose information from such records except for: a) CCEMS accreditation purposes Section 4.2. Indemnification. To the extent permitted by law, CCEMS shall indemnify and defend and CAO Packet Pg. 837 16.E.1.a hold NCH harmless from and against all claims, demands, suits, judgments, costs and expenses (including reasonable attornev`s fees and court costs), if any, that may be made or taken against NCH incurred by it as a result of any unauthorized access, use or disclosure of any EHR information (which Includes protected patient health information as defined in HIPAA ("PHI")) undertaken on behalf of the CCEMS by its designated Users or utilized through passwords issued to their Users. The foregoing indemnification by the CCEMS shall not constitute a waiver of sovereign immunity beyond the limits set forth in Florida Statues, Section 768.28. Section 4.3. Unauthorized Access, Use or Disclosure. if the CCEMS discovers an unauthorized access, use ordisclosure of PHI by CCEMS, any CCEMS User or as a result of a compromised ID & password issued to a User, CCEMS shall as soon as possible but not later than two (2) calendar days following the discovery of such unauthorized acquisition, access, use or disclosure of PHI notify NCH by telephone and in writing at the telephone numbers and addresses set forth in Article V1, Section 6.2. CCEMS shall be considered to have discovered such unauthorized activity as of the first day on which the unauthorized activity is known or, by exercising reasonable diligence, would have been known to the CCEMS. Such notice shall include identification of each individual whose unsecured PHI has been or is reasonably believed by the CCEMS to have been accessed, acquired, or disclosed during such unauthorized activity. If NCH determines the unauthorized activity by CCEMS or its agent or employee qualifies as a Breach (hereinafter defined) that triggers the HITECH breach notification requirements, then CCEMS will reimburse NCH, respectively, for all costs incurred by each related to notifying individuals affected by such Breach, subject to the indemnification limitation stated In Article IV, Section 4.2 NCH, at their sole discretion, shall make the determination of whether the definition of "Breach" as set forth in the HITECH Act, 45 CFR §164.402, has been met. In addition, it shall be incumbent upon CCEMS to institute appropriate disciplinary actions against the agent(s) and or employee(s) responsible for the Breach. Upon request from NCH, CCEMS shall provide evidence to NCH of any disciplinary actions taken. In addition to disciplinary actions taken by CCEMS, NCH may, at its sole discretion, and without prejudice to any of its rights against CCEMS as a result thereof, terminate this Agreement and terminate the access of CCEMS. CCEMS agrees to cooperate with NCH promptly and fully in any investigation of suspected breach of patient confidentiality. Section 4.4. Additional Legal Remedies for Prohibited Acts. Should CCEMS or any contractor, agent, employee or CCEMS User access, use or disclose any data, patient information or other information stored or maintained in the EHR for any purpose not authorized in this Agreement, NCH may unilaterally and immediately terminate the access to the EHR by CCEMS and seek such legal and/or equitable relief as each party deems appropriate. ARTICLE V Disclaimer of Warranties. NCH MAKES NO REPRESENTATION, WARRANTY OR GUARANTY, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR PARTICULAR PURPOSE WITH REGARD TO THE EHR SUPPLIED TO CCEMS PURSUANT TO THIS AGREEMENT. SHOULD THE EHR FAIL OR BE INACCURATE, UNDER NO CIRCUMSTANCES SHALL NCH BE LIABLE FOR ANY LOSS 4 Packet Pg. 838 16.E.1.a OF PROFITS TO CCEMS OR FOR SPECIAL, CONSEQUENTIAL, EXEMPLARY OR ANY OTHER DAMAGES (ALL OF WHICH ARE HEREBY EXPRESSLY WAIVED BY CCEMS AS PART OR THE CONSIDERATION FOR THIS AGREEMENT), EVEN IF NCH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ARTICLE VI Section 6.1. No Assignment. CCEMS may not assign this Agreement. Section 6.2. Notice Notice referenced under this agreement shall be as follows: To report a User or others may have breached a patient's privacy, was unauthorized to access, or accessed the EHR inappropriately: Call the NCH Privacy Office — (239) 624-9375 or (239) 624-4017 After hours or weekends call the IT Service Center — (239) 624-2200 To terminate a User's access as they left your employment, or are now in a role where they do not need access to the EHR: Call the IT Service Center — (239) 624-2200 Section 6.3. Termination. All privacy and confidentiality obligations established under this Agreement shall survive termination of this Agreement or access permitted under it. Either party may terminate this agreement for convenience upon thirty (30) days written notice to the other party, In the event of a breach by CCEMS, a HIPAA violation such as accessing the medical record of a patient not transported by CCEMS, or a HIPAA security concern such as the sharing of Usernames and Passwords, NCH reserves the right to immediately terminate this agreement. Section 6.4. Entire Agreement, Governing Law, Jurisdiction, and Venue. This Agreement constitutes the complete understanding among the parties and incorporates all prior understandings among the parties on the subject of access to the EHR. There are no promises or agreements, either oral or written, among the parties on this subject other than as set forth herein. No modification of this Agreement shall be binding unless the same is in writing and signed by the respective parties hereto. This Agreement shall be governed by and construed in accordance with the laws of the State of Florida, without regard to conflict of law principles. Each party consents to submit to the exclusive jurisdiction and venue of the federal and state courts within the State of Florida, in and for Collier County, Florida and each party hereby consents to personal jurisdiction in such forum, for any action, suits or proceedings arising out of or relating to this Agreement. 5 rAQ Packet Pg. 839 16.E.1.a NCH EpicCare Link User Agreement CCEMS: By — - Signature/Authorized Representative Printed Name and Title: Rick Lo Castro. Chairman Date: Attest: Crystal K. Kinzel, Clerk of Courts & Comptroller By: Signature/Authorized Representative Printed Name and Title: Date: NCH Healthcare System, Inc. By Signature/Authorized Representative Printed Name and Title: Nathan Oliver, Compliance and Privacy Officer Date: I a () d� : ' Approved as to form and legality Scott R. Teach, Deputy County Attorney c U- M N N le O E L Q U d uJ C d E M v N r r Q �V ACC Packet Pg. 840