I am requesting external read-only access to The Corvallis Clinic's Athena EHR.

Professional Address

The Corvallis Clinic, P.C.
AUTHORIZED PARTICIPANT USER ACCESS REQUEST
(Attachment A)
This WRITTEN REQUEST must be completed and signed by each non-Corvallis Clinic “Participant User” requesting access to Corvallis Clinic’s Electronic Health Record Exchange. This “Authorized Participant User Access Request” and the “Authorized Participant User Access and Confidentiality Agreement” must be completed, signed, and returned to the Corvallis Clinic HIPAA Security Officer, 444 N.W. Elks Drive, Corvallis, Oregon before access can be considered.

Name of Practitioner Requesting Access

I am requesting access to the Corvallis Clinic, P.C. Electronic Health Record exchange, have completed, signed, submitted, and agree to the terms within the “AUTHORIZED PARTICIPANT USER ACCESS AGREEMENT”. Further:

  • I understand if granted access it shall be “Read-Only” and therefore, I will not be able to contribute to, amend, or delete data.

  • I acknowledge that The Corvallis Clinic EHR is the property of The Corvallis Clinic, P.C. I agree to use The Corvallis Clinic EHR solely for patient care purposes. I will not use The Corvallis Clinic EHR for other uses such as personal use, outside business ventures, campaigns, and political or religious reasons.

  • I understand that all EHR available through The Corvallis Clinic EHR system is confidential and is to be treated as such.

  • I understand that should I violate any provision of this document, the “Access Participant User and Confidentiality Agreement” or HIPAA, The Corvallis Clinic shall immediately terminate my access to its EHR system. Additionally, The Corvallis Clinic may take legal action against me, including seeking monetary damages for inappropriate use and/or disclosure of Protected Health Information. I understand that The Corvallis Clinic may be obligated to report my unauthorized access and use of Protected Health Information to federal authorities, including the federal Office for Civil Rights, and local and federal law enforcement officials.

  • I agree to indemnify, defend, and hold harmless The Corvallis Clinic, its members, affiliates, employees, trustees, providers, officers, directors, counsel, and its agents from and against any claim, cause of action, liability, damage, fine, penalty, cost, or expense, including, without limitation, reasonable attorneys’ fees and costs arising out of or in connection with any unauthorized or prohibited Use or Disclosure of The Corvallis Clinic EHR, protected health information, or any other breach of this Agreement.

  • I agree to immediately notify The Corvallis Clinic of any conflict with or violation of the above conditions or those in the “Access Participant User and Confidentiality Agreement.”

The Corvallis Clinic (TCC) facilitates the electronic availability of protected health information (Data) through an Electronic Health Record (EHR Exchange) to individuals and organizations contracting with the TCC in order to assist in patient care coordination and to assist Healthcare Providers, like Participant, in providing optimal treatment to Patients. Participant (defined below) has entered into a Participation Agreement with TCC in order to facilitate this exchange of Data for these purposes.
You have been identified by Participant as an Authorized User of Data through TCC because you are a Covered Entity, as those terms are defined under the federal privacy laws. TCC will agree to provide access to Data to you through its EHR Exchange, only if you agree to the terms and conditions of this Agreement.

This agreement shall extend from the requested effective date until terminated by either party. The parties to this agreement are TCC and the participant.

1. Compliance with Agreement. 

THIS IS A BINDING AGREEMENT. By signing below, you agree to comply with all terms and conditions for access to Data under this Agreement, the Participant’s Participation Agreement, and all TCC policies and procedures. Failure to comply with these terms and conditions may be grounds for discipline, including without limitation, denial of your privileges to access Data through TCC and termination of your relationship with TCC.

2. Permitted Use and Restrictions on Use.
     2.1 User Participant is a Healthcare Provider who provides Treatment to Patients, as defined by the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E. As a Participant, you may access the EHR Exchange only to obtain Data to provide Treatment for Participant’s Patients. You may not use the Exchange, or any hardware or software relating to use of the Exchange, for purposes that are outside the scope of your duties as Participant.
     2.2 This Consent grants you a nonexclusive, nontransferable right to use the TCC EHR Exchange. This right is subject to the following restrictions:
          a. This right is specific to you. You may not share, sell or sublicense this right with anyone else.
          b. You may not change, reverse engineer, disassemble or otherwise try to learn the source code, structure or ideas underlying the Exchange’s software or introduce a virus to the Exchange. You may not connect or install unauthorized or uncertified equipment, hardware or software or improperly use the hardware or software relating to use of the Exchange.
          c. You agree you are in full compliance with Subpart C of 45 CFR Part 164 with respect to electronic safeguards that are designed to prevent the unauthorized access or use of the PHI contained within the EMR Exchange.

3. Protection of Data.
     3.1 Scope of Access. As an Authorized User, you may have access to Data that includes protected health information that is subject to confidentiality, privacy and security requirements under state and federal law and regulations. You agree that you will only access Data consistent with your access privileges, and pursuant to all requirements under this Agreement, the Participant’s Participation Agreement, TCC policies and procedures, and applicable laws and regulations including but not limited to the “Minimum Necessary” requirement as defined under HIPAA.
     3.2 Protection of Data. As an Authorized User, you have an obligation to maintain the confidentiality, privacy and security of the Data.
          a. You will not disclose Data except as required for your job as Participant and subject to all terms of this Agreement.
          b. You will not access or view any information other than what is required for you to do your job.
          c. You will not make any unauthorized copies of Data. You will not save Confidential Information to portable media devices (Floppies, ZIP disks, CDs, PDAs, and other devices).
          d. You will not email any Data to another email account.
          e. You will not release your authentication code or device or password to any other person, including any employee or person acting on your behalf. You will not allow anyone else to access the EMR Exchange under your authentication code or device or password. You agree not to use or release anyone else’s authentication code or device or password. You agree to notify TCC immediately if you become aware or suspect that another person has access to your authentication code or device or password.
          f. You agree not to allow your family, friends or other persons to see the Data on your computer screen while you are accessing the Exchange. You agree to log out of the EHR Exchange before leaving your workstation to prevent others from accessing the Exchange.
          g. You agree never to access Data for “curiosity viewing.” This includes viewing Data of your children, other family members, friends, or coworkers, unless access is necessary to provide services to a Patient with whom you or the physician(s) with whom you work have a treatment relationship.
          h. You will protect the accuracy of the Data submitted or received through the EMR Exchange and will not insert information that you know is not accurate.

4. Audit and Review.
TCC and Participant have the right at all times and without notice to access the EHR Exchange and any hardware or software relating to the Exchange to review and audit your use of the EMR Exchange and compliance with the terms of this Agreement. This includes any hardware or software located at your office, your home, or any other site from which you access the EMR Exchange.

5. Sanctions.
You understand that failure to comply with the terms of this Agreement may result in disciplinary action against you, which may include loss of access to the Exchange as an Authorized User or termination of your employment or contract with Participant. TCC maintains the right to immediately terminate this agreement at any time for any reason. Access to the EMR Exchange is a privilege for the benefit of mutual patients only.

6. Duration.
This Agreement will be in effect from the time it is signed until TCC or Participant terminates your status as an Authorized User or until you violate the terms of this Agreement. Any terms of this Agreement necessary to protect the Exchange and Data will survive the termination of this Agreement.

7. Scope of Agreement.
This agreement is intended to be consistent with all state and federal privacy laws specifically including, but not limited to, ORS 192.558 and 45 CFR 164.506 and represents a sharing of PHI from one covered entity to another for purposes of coordination of health care and treatment. For that reason, it is not anticipated that separate prior patient authorization will be required. However, to the extent such is deemed required, it shall be the responsibility of the Participating Provider to obtain that authorization and maintain a copy in the patient’s health record.

8. Indemnity.
In the event TCC is subject to any action, complaint, investigation, charge, or inquiry of any kind by a state or federal agency or governmental body as a consequence or result of Participant’s access to or use of the EHR Exchange, Participant shall be responsible for reimbursing the reasonable attorneys’ fees incurred by TCC in defending against such governmental activity, including administrative costs incurred by TCC in complying with discovery requests sent by such agencies to TCC. To the extent fines are imposed by such agencies as a result of Participant’s conduct or its participation in this Agreement, those fines shall be paid directly by Participant, and TCC can look to Participant for payment of same.

9. Participant Security Requirements.
In addition to any obligations set forth in the Agreement and TCC Policies and Standards, Participant will observe the following requirements. TCC may amend or supplement these requirements on written notice to Participant.

  1. Each of Participant’s servers connecting to the TCC gateway will comply with TCC’s authentication requirements, implementing Secure Sockets Layer (SSL) encryption and using certificates approved by TCC.

  2. Participant will authenticate each Authorized User at the point of access and will implement password policies, both based on applicable laws and regulations and TCC Policies and Standards. Participant may elect to implement stronger authentication mechanisms at its discretion. Participant will review and update its list of Authorized Users as required under TCC Policies and Standards.

  3. Participant will limit access of each Authorized User to a Permitted Use and according to Role Based Access principles. Participant will impose appropriate sanctions for its employees or agents who violate applicable security Policies and Standards or the Authorized User Terms of Consent or make improper use of the Exchange, including revocation of an Authorized User’s authorization to access the Exchange as may be appropriate under the circumstances.

  4. Participant will maintain access logs that capture end user identification information.

  5. Participant will implement message-level security using WS-Security or other security technology acceptable to TCC.

  6. Participant will implement firewalls and intrusion detection per TCC Policies and Standards.

  7. Participant will implement other safeguards to protect servers based on information security best practices, such as the SANS Institute (www.sans.org) recommendations.

  8. Participant will perform periodic automated and random manual review and verification of audit logs for both operational monitoring and system security as required by TCC Policies and Standards.

Agreed to by:

I have been provided all Corvallis Clinic Information Technology policies (Attachment A and B) and agree to adhere to these policies.