eHealth Ontario Mandate
eHealth Ontario is the provincial agency mandated to improve patient care and safety by harnessing innovation and technology. Its priorities are the creation of a Diabetes Registry, establishing an e-prescribing system and developing an ehealth portal. It will also oversee the development of a province-wide electronic health record system by 2015.
eHealth Ontario Obligations
eHealth Ontario agrees to provide network connectivity, including network interface equipment, to the client in fulfillment of its mandate. eHealth Ontario also agrees to provide a support structure to assist the client in resolving eHealth Ontario network-related issues. eHealth Ontario will bear the cost of providing and managing the network connectivity to the client.
Client Obligations
The client agrees to provide an appropriate and secure environment for eHealth Ontario to install the network and locate its network interface equipment, and reasonable access to the site to deliver, install, maintain, inspect, disconnect or remove its network interface equipment. The client will bear the local infrastructure cost of interfacing to and using the provided network services. Upon termination of the service, the client agrees to return all eHealth Ontario-provided equipment to eHealth Ontario.
Shared Obligations
Both eHealth Ontario and the client have an obligation to provide appropriate management, governance and oversight to protect the confidentiality and security of health-related information exchanged by health care providers.
Detailed Terms and Conditions and attached schedules, being the Acceptable Use Policy and Security Policy, have been provided.
Please refer to: Instructions for Completing ONE® Network Order Agreement and What You Need to Know before completing this form. Please complete the entire form; incomplete forms or incorrect information will result in processing delays.
eHealth Ontario USE ONLY Order Number:
Part A – Acknowledgement
1. The ONE Network Order Agreement or “Agreement” consists of this order form and the attached Terms and Conditions including any schedules thereto. By signing below, the client acknowledges that it has read, understands and agrees to be bound by the Agreement as of the __________/__________/__________ (the “Effective Date”) (yyyy-mm-dd).
Signature: Business Legal Name:
Printed Name:
Title:
Date:
2. Site Address
The street address of the site where the circuit will be installed (not the mailing address).
Refer to ONE Network - What You Need to Know for further information regarding the location of the circuit.
Number and Street Name
Suite/Unit/Floor
Building Name (for multi-building sites)
City/Town
Province: ON
Postal Code
Site Telephone No. (include extension)
Site Fax No.
Is this fax secure? * 0 Yes 0 No
*The fax machine must be located in a secure area where it can be used and monitored only by authorized personnel.
Site Name/Group Name
Circuit Location:
Floor
Room Number/Description
eHealth Ontario USE ONLY e-Health Initiative:
Unique Site Identifier:
3. Site Business Hours and Preferred Installation Hours
Business hours are the hours the site is staffed. Depending upon the type of circuit provided, it may be necessary to have one or more eHealth Ontario authorized installer(s) visit your site. To indicate preferred installation hours, list only the hours the site is open and able to withstand a possible interruption from an installer. Vendor installation hours are Monday to Friday, 8:00 am to 5:00 pm (excluding statutory holidays).
3a. Site Business Hours
3b. Preferred Installation Hours 0 Mon 0 Tue 0 Wed 0 Thurs 0 Fri
0 AM 0 PM
Same as Site Business Hours? 0 Yes 0 No
3c. Site Access Instructions
Site Access Instructions are forwarded to the subcontractor. Concisely and accurately indicate whom the subcontractor should contact to arrange installation. (For example, contact John Smith prior to visit to make security arrangements.)
Site access instructions 0 No instructions required
4. Shipping Information
Would you like the hardware shipped to the site address provided for the circuit location? 0 Yes 0 No If No, specify shipping information below
Ship To: Name of organization and/or staff member:
Shipping Address
City/Town
Province: ON
Postal Code
5. Client Contact Information (Provide only business-related information)
5a. Primary Contact (Name of the individual with the authority to make decisions regarding the installation. This individual can be either on or off-site.)
First Name
Last Name
On-site?
0 Yes 0 No
Business Telephone No. (Include extension)
Business Fax No.
Is this fax secure?*
0 Yes 0 No
*The fax machine must be located in a secure area where it can be used and monitored only by authorized personnel.
Business Pager/Cell Phone No.
Business E-mail
5b. Backup Contact (Name of the individual to contact in the event the Primary Contact cannot be reached. This individual can be either on or off-site.)
First Name
Last Name
On-site?
0 Yes 0 No
Business Telephone No. (Include extension)
Business Fax No.
Is this fax secure?*
0 Yes 0 No
*The fax machine must be located in a secure area where it can be used and monitored only by authorized personnel.
Business Pager/Cell Phone No.
Business E-mail
5c. Technical Contact (Name of the individual who provides local assistance at the site during the implementation of the hardware)
First Name
Last Name
On-site?
0 Yes 0 No
Company Name
Business Telephone No. (Include extension)
Business Fax No.
Is this fax secure?*
0 Yes 0 No
*The fax machine must be located in a secure area where it can be used and monitored only by authorized personnel.
Business Pager/Cell Phone No.
Business E-mail
PART B: Technical Information
It is recommended that you consult your technical support person to complete the remainder of this form.
6. LAN Information. If you have or will have a LAN at the time of circuit installation, respond to the questions below. Otherwise, proceed to section 7. Internet or Other Connection.
6a. Total number of workstations
6b. Number of workstations requiring Internet access
6c. Total number of IP addresses required (Allow room for growth over next 3-5 years)
6d. Number of addresses to reserve for static IP addresses (e.g. network printers, servers, wireless devices, routers, faxes)
6e. Type of LAN: 0 Ethernet 0 Token Ring
0 Other, specify
6f. Will you have Hubs or Switches at the time of circuit installation? 0 Yes 0 No
6g. Will you be sharing your LAN with any other organizations at the time of circuit installation?
0 Yes 0 No
If “Yes”, specify the organization(s) and their line(s) of business
6h. Do your users use Macintosh computers?
0 No
0 Yes, at work
0 Yes, from home or other remote locations
7. Internet or Other Connection
If you have an Internet or Other Connection, respond to the questions below and refer to Security Policy - Internet section.
If you DO NOT have an Internet or Other Connection, proceed to Uninterruptible Power Supply and Firewall.
7a. How do you currently connect to the Internet?
0 Dial-up 0 Cable
0 ADSL 0 Other (specify)
7b. If you already have an ADSL line, please specify:
The phone number used for ADSL:
The supplier’s name:
7c. Name of Internet Service Provider
7d. Name of e-mail Service Provider
7e. Bandwidth of your current connection (upstream)
7f. Bandwidth of your current connection (downstream)
7g. If you use the Internet for anything other than browsing, name the applications you are using (refer to the instructions for completing this form)
7h. Other connections? 0 Yes 0 No If Yes, specify:
8. Uninterruptible Power Supply (UPS) and Firewall
eHealth Ontario strongly recommends installation of a UPS of adequate size, prior to eHealth Ontario circuit installation.
Do not use an additional firewall beyond the eHealth Ontario firewall.
8a. Check (x) ONE ONLY
0 Site currently has a UPS that can accommodate an eHealth Ontario modem and an eHealth Ontario SOFA (firewall)
0 Site will install a UPS of adequate capacity prior to eHealth Ontario circuit installation
9. Telephone connection
eHealth Ontario needs to know if there is a PBX, and/or other characteristics of your existing phone system, in order to avoid any service disruption.
9a. Do you have a PBX system?
0 Yes 0 No
9b. Name of carrier for your local telephone lines
9c. If you have a PBX, is the fax line that you listed in section 2 connected through the PBX?
0 Yes 0 No
9d. Is the fax line used for anything else besides sending/receiving faxes?
0 Yes 0 No
If Yes, please specify other uses:
9e. List any other existing ADSL eligible analog line(s) on which eHealth Ontario may be able to provision ADSL. (Please consult with your phone provider; refer to the eligibility table below)
Line No. Is this a fax no.? 0 Yes 0 No
Line No. Is this a fax no.? 0 Yes 0 No
Line No. Is this a fax no.? 0 Yes 0 No
ADSL can be installed on: ADSL cannot be installed on:
Bell Canada Analog Business Lines
Analog Centrex Lines
Dial Inward Dial (DID) telephone numbers
A standard line used for phone, fax, or credit card terminal
Bell Canada lines that terminate at a PBX or other private telephony equipment (for example, need to dial ‘9’ or any other code to get outside line)
Bell Canada Business Trunk (Central Office Trunk, or “CO” trunk) lines
Bell Canada ISDN (BRI or PRI) lines
Lines that have an AML (Add a Main Line) box installed (the phone accepts two different phone numbers or distinct ring or Ident-a-Call service)
Lines on which security alarm systems are installed
Telephone lines from suppliers other than Bell Canada
Lines which have a modem installed
10. Active Directory/Domain Name System (AD/DNS) Please answer “Yes” if your network will be using the following services at the time of circuit installation.
10a. An Active Directory server? 0 Yes 0 No
10b. Your own domain name? 0 Yes 0 No If Yes, specify the domain name:
10c. A registered domain name? 0 Yes 0 No
10d. DHCP services? 0 Yes 0 No
11. Virtual Private Network (VPN)
11a. Will your network be using a VPN solution at the time of circuit installation?
0 Yes 0 No
11b. If “Yes”, what VPN client is/will be deployed on the workstation?
11c. Will your network be hosting any servers for external access at the time of circuit installation?
0 Yes 0 No
12. Comments
12a. Please enter any comments/questions/notes below. (Refer to the instructions for completing this form, for things you may wish to include.)
13. Clinical Management System (CMS) Vendor – For organizations installing a CMS
13a. Are you installing a CMS?
0 Yes 0 No
13b. Specify the CMS vendor
13c. Is this a new CMS for your Office?
0 Yes 0 No
13d. Specify the product name
13e. How many physicians work at this site?
14. Clinical Management System (CMS) Configuration – For organizations installing a CMS
14a. For eHealth Ontario to order and install the most suitable circuit, check (x) the configuration that best describes your location environment.
0 CMS Local Configuration 1: Stand alone local location.
0 CMS Local Configuration 2: Hub and Spoke location(s); connects several physician offices (remote locations) at different locations to a server within one physician’s office (hub).
0 CMS Local Configuration 3: Remote location(s); connects several physician offices (remote locations) at different locations to a server within a hospital.
0 CMS ASP: Your site will be using the CMS ASP offering. (Note: A CMS ASP Addendum for the ONE Network Order Agreement is required).
0 Desktop Only: Your site is not implementing a CMS at this time.
The installation period for a CMS Local Configuration 2 is 20 to 120 business days (approx. 1-6 months). The installation period for all other configurations is 20 to 45 business days. The first business day begins on the date that the order is placed by eHealth Ontario.
14b. How many CMS users at this location?
Applicable to CMS Local Configurations 2 and 3 Only
14c. Is your site the hub location? 0 Yes 0 No
If “No”, specify hub location Address:
14d. Hub Location Primary Contact (First and Last Name)
ONE® Network
Order Agreement Terms and Conditions
ARTICLE 1 BACKGROUND
1.1 Purpose. This Agreement sets out the terms and conditions under which eHealth Ontario will provide the Services to Client.
1.2 Representatives. “Representatives” means, in the case of eHealth Ontario or Client, any directors, officers, employees, agents, consultants or subcontractors, as well as the directors, officers, employees or agents of any subcontractor, of each such party.
ARTICLE 2 TERM AND TERMINATION
2.1 Term. This Agreement shall be effective as of the Effective Date and shall continue until terminated in accordance with the terms and conditions set out in this Article 2.
2.2 Material Breach. In the event of a breach of this Agreement, the non-breaching party may terminate this Agreement upon written notice to the other party provided that the non-defaulting party has given the breaching party prior written notice of the breach which describes the nature of the breach and the breaching party has failed to cure the breach within thirty (30) days of the prior written notice.
2.3 For Convenience. At any time more than six (6) months after the Effective Date, Client or eHealth Ontario may terminate this Agreement upon ninety (90) days written notice to the other party.
2.4 Change to Policies. “eHealth Ontario Policies” means eHealth Ontario’s Acceptable Use Policy attached as Schedule One and eHealth Ontario’s Security Policy attached as Schedule Two. Each is an “eHealth Ontario Policy”. For a period of ten (10) Business Days following any date on which eHealth Ontario issues a notice of any change to the eHealth Ontario Policies to Client, if that change is unacceptable to Client, Client may terminate this Agreement upon thirty (30) days written notice to eHealth Ontario.
2.5 Survival. Those sections which by their nature should survive the termination or expiration of this Agreement, including but not limited to sections 2.5, 3.5(e), 3.5(f), 3.7 and 3.8 and Articles 5, 6, 7 and 8 will remain in full force and effect following the expiration or termination of this Agreement.
ARTICLE 3 SERVICES
3.1 (a) Services. Subject to the other provisions of this Agreement, eHealth Ontario agrees to provide to Client, a network circuit connected to eHealth Ontario’s technology infrastructure and any related services described in the following provisions of this Article 3 (the “Services”).
(b) Plain Language Descriptions. Client acknowledges receiving from eHealth Ontario the plain language descriptions of the Services, including a description of the safeguards pertaining to the Services, attached hereto as Schedule Three (the “Plain Language Descriptions”). eHealth Ontario may amend the Plain Language Descriptions from time to time. A current copy of the Plain Language Descriptions is available at the eHealth Ontario website (www.www.ehealthontario.on.ca).
3.2 Service Level Commitment. eHealth Ontario will use commercially reasonable efforts to provide the Services, but eHealth Ontario makes no service level commitments in this Agreement.
3.3 Authorization Letter. In order to perform certain activities related to the Services, eHealth Ontario or its subcontractors may require letter(s) of authorization from Client. If such a letter is required, eHealth Ontario shall be relieved of any obligation to provide the affected Services until Client provides that letter to eHealth Ontario or its subcontractor (as applicable).
3.4 End Users. Client shall cause any individual who is an employee, agent, consultant or other representative of Client and who is authorized by Client to use all or part of the Services that are intended for individual use (its “End Users”) to comply with this Agreement and is responsible for the acts and omissions of its End Users as if such acts and omissions were the acts and omissions of Client.
3.5 Service Equipment. The provision of Services may include the provision of Service Equipment. “Service Equipment” means any equipment or software selected by and provided by eHealth Ontario (or any Representative of eHealth Ontario) to Client in conjunction with any Services including without limitation servers, routers, modems, cables, fibre optic cable, panels or switching equipment but not including any equipment that has been purchased by Client. With respect to any Service Equipment:
(a) Provision. Client acknowledges that the provision of any item of Service Equipment is in eHealth Ontario’s sole discretion.
(b) Access. Client shall ensure that eHealth Ontario or its Representatives may access any site where the circuit provided under this Agreement terminates (“Authorized Site”) to deliver, install, maintain, inspect, disconnect or remove any Service Equipment located or to be located at such site.
(c) Service Equipment. Client will ensure that any Service Equipment is installed, used, stored and maintained in a manner and in an environment which conforms to the relevant manufacturer’s specifications, any specifications provided by eHealth Ontario and this Agreement. Client will be responsible for the loss of and risk or damage to the Service Equipment, except where caused by the negligence or wilful misconduct of eHealth Ontario.
(d) Modifications. eHealth Ontario in its sole discretion may replace or modify any item of Service Equipment, so long as doing so does not have a material adverse impact on the Services in connection with which that item of Service Equipment was originally provided.
(e) Ownership. Service Equipment remains the property of eHealth Ontario or its suppliers, and Client shall not acquire any interest in, nor file or permit any liens or other encumbrances upon the Service Equipment.
(f) Return. Upon the termination of any Service in connection with which any Service Equipment was provided, Client is responsible for ensuring the return of that Service Equipment to a location in the Province of Ontario designated by eHealth Ontario.
(g) Equipment. Except for Service Equipment, Client is responsible for providing any equipment, software or services required by Client to access and use all or part of the Services.
3.6 Support. eHealth Ontario will provide Client with technical support and assistance relating to the Services through a help desk available by telephone. eHealth Ontario may change the applicable telephone number from time to time. eHealth Ontario does not guarantee that it will be able to verify or resolve all problems presented by Client to the help desk. Client acknowledges that Client and not eHealth Ontario is responsible for resolving any problems with Client’s own technology infrastructure.
3.7 Intellectual Property. No intellectual property rights are transferred by eHealth Ontario to Client by this Agreement. Client will not remove any confidentiality, copyright or other proprietary rights notices from any materials provided by eHealth Ontario or its Representatives.
3.8 IP Addresses. Client acknowledges that Client has no right, title or interest in or to any IP addresses assigned to Client by eHealth Ontario or its Representatives in connection with any Services. If a fixed IP address is assigned to Client, eHealth Ontario or its Representatives may change any such address upon notice to Client.
3.9 Additional Services. Any additional services related to the Services that are requested by Client and that eHealth Ontario in its sole discretion provides are deemed to be Services provided pursuant to the terms and conditions of this Agreement.
ARTICLE 4 SECURITY AND ACCEPTABLE USE
4.1 Compliance. Client acknowledges that it has read the eHealth Ontario Policies and agrees to comply with the eHealth Ontario Policies. Client will cause its End Users to read and to comply with the eHealth Ontario Policies. Any violation of any eHealth Ontario Policy or any laws by Client (or by any End User) is a material breach of this Agreement by Client and eHealth Ontario may, in its sole discretion, restrict, suspend or terminate the Services, upon written notice, without an opportunity to cure notwithstanding section 2.2. When exercising its rights under this section, eHealth Ontario will respond in a manner proportional to the severity of the violation.
4.2 Revisions to eHealth Ontario Policies. eHealth Ontario may revise any of the eHealth Ontario Policies, from time to time, in its sole discretion, and Client agrees to abide by the eHealth Ontario Policies as amended from time to time. eHealth Ontario will give Client notice of any such changes to the eHealth Ontario Policies. CLIENT’S CONTINUED USE OF THE SERVICES CONSTITUTES ACCEPTANCE OF SUCH CHANGES.
ARTICLE 5 PRIVACY AND CONFIDENTIALITY
5.1 “Confidential Information” means any and all information and materials, which: (i) are designated in writing, as confidential at the time of disclosure, or (ii) if disclosed orally or visually, are designated in writing, as confidential, within thirty (30) days of disclosure, or (iii) a reasonable person, having regard to the circumstances and the information, would regard as confidential.
5.2 “Personal Information” means any personal information including personal health information which is required to be protected pursuant to the Personal Health Information Protection Act, 2004 (“PHIPA”) or the Freedom of Information and Protection of Privacy Act (“FIPPA”) (each as amended from time to time) or any other laws, regulations or judicial decisions applicable in the Province of Ontario pertaining to the protection of personal information as are in effect at this time or may be in effect during the term of this Agreement (“Privacy Laws”). Personal Information is a subset of Confidential Information.
5.3 Confidential Information. Both parties recognize that the protection of Confidential Information by the receiving party (the “Recipient”) is of vital importance to the party disclosing that information (the “Disclosing Party”). As between the Disclosing Party and the Recipient, the Disclosing Party is the owner of its Confidential Information, and except to the extent set out in this Agreement, no interest, license or other right in or to that Confidential Information is granted to the Recipient or implied simply by the disclosure of that Confidential Information.
5.4 Unless it is also Personal Information, Confidential Information does not include information which:
(a) is or at any time becomes in the public domain other than by a breach of this Agreement or breach of any agreement between the Disclosing Party and a third party;
(b) is known to the Recipient (as substantiated by cogent and reliable written evidence in the Recipient’s possession) free of any restrictions at the time of disclosure;
(c) is independently developed by the Recipient through individuals who have not had either direct or indirect access to the Disclosing Party’s Confidential Information; or
(d) is disclosed to the Recipient by a third party who had a right to make such disclosure.
5.5 As Is. ALL CONFIDENTIAL INFORMATION PROVIDED BY A DISCLOSING PARTY IS PROVIDED ON AN “AS IS” BASIS, WITHOUT ANY WARRANTY, REPRESENTATION OR CONDITION OF ANY KIND.
5.6 Obligations. The Recipient will:
(a) use the Disclosing Party's Confidential Information only in accordance with this Agreement and only for the purpose of fulfilling its obligations and exercising its rights under this Agreement, and will not use, manipulate or exploit the Disclosing Party's Confidential Information for any other purpose;
(b) use the same degree of care to protect the Disclosing Party's Confidential Information as the Recipient would protect its own confidential information of a like nature and in any event using a standard no less than a reasonable degree of care;
(c) disclose the Disclosing Party's Confidential Information only to the Recipient's employees, subcontractors or agents who have a need to know and are bound by a written contract to keep the Confidential Information of third parties confidential at least to the same extent as set forth in this Agreement; and
(d) notify the Disclosing Party immediately upon becoming aware of any unauthorized use, access of or disclosure of the Disclosing Party’s Confidential Information.
5.7 Termination. Upon the termination of this Agreement, the Recipient will: (i) return all Confidential Information disclosed to it by the Disclosing Party and all copies thereof, regardless of form; or (ii) securely destroy any such Confidential Information that cannot be returned. Notwithstanding the foregoing in this section 5.7:
(a) eHealth Ontario may retain any back-up tapes or disks produced in conjunction with the Services until such time as they are scheduled to be destroyed in accordance with eHealth Ontario’s policies and procedures with respect to the retention of back-ups.
(b) Either party may retain any Confidential Information of the other party that it is required to keep pursuant to any law applicable in the Province of Ontario for so long as it is required to do so.
5.8 By Law. Neither party shall be liable for disclosure of Confidential Information if disclosure is required by the laws of the Province of Ontario, provided that the Recipient, to the extent permitted by law, notifies the Disclosing Party of any such requirement as soon as legally permissible, so that the Disclosing Party may seek a protective order or other relief.
5.9 Injunctions. The Recipient agrees that the unauthorized access, use or disclosure of the Disclosing Party’s Confidential Information will cause irreparable injury to the Disclosing Party, and the Disclosing Party is entitled to seek injunctive and other equitable relief, as a matter of right.
5.10 Privacy. Each party agrees to comply with all Privacy Laws to which it is subject. PHIPA applies to eHealth Ontario. For clarification, eHealth Ontario provides services in the capacity of a “health information network provider” under this Agreement. As a health information network provider, eHealth Ontario will comply with section 6(3) of Ontario Regulation 329/04, made under PHIPA as amended from time to time (the “PHIPA Regulation”). The obligations of the PHIPA Regulation are satisfied by the provisions of this Agreement.
5.11 Authorization. By Ontario Regulation 43/02 (amended to Ontario Regulation 54/05) (as amended from time to time), eHealth Ontario is authorized to collect Personal Information for purposes connected with the registration and authentication of its clients and as otherwise necessary for the administration of eHealth Ontario’s authorized activities.
5.12 Unauthorized Access or Disclosure. eHealth Ontario shall notify Client at the first reasonable opportunity if: a) eHealth Ontario accessed, used, disclosed, or disposed of personal health information other than in accordance with PHIPA; or b) an unauthorized person accessed personal health information. In the event that eHealth Ontario is obliged to notify the Client pursuant to this section, eHealth Ontario shall provide notice in accordance with the following procedures:
(1) eHealth Ontario shall notify the Authorized Representative as soon as reasonably practicable;
(2) The contents of the notice will include: (a) the date and time of the unauthorized access, use, disclosure or disposal; (b) a description in reasonable detail of the personal health information subject to the unauthorized access, use, disclosure or disposal; (c) the circumstances surrounding the incident, including who accessed, used, disclosed, or disposed of the personal health information; and (d) the actions taken to contain and to prevent similar unauthorized access, use, disclosure or disposal; and
(3) eHealth Ontario shall, to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to the Client, on the written request of the Client, an electronic record of: a) all accesses to all or part of the personal health information associated with Client being held in equipment controlled by eHealth Ontario, which record shall identify the person who accessed the information and the date and time of the access; and b) all transfers of all or part of the personal health information associated with Client by means of equipment controlled by eHealth Ontario, which record shall identify the person who transferred the information and the person or address to whom it was sent and the time it was sent.
Notwithstanding the foregoing, in general eHealth Ontario does not store any personal health information on any equipment that is part of the eHealth Ontario network. With respect to accesses, eHealth Ontario firewalls and routers only maintain the following information: firewall rules, firewall routing tables, and firewall address translation tables. This information consists of source IP addresses, destination IP addresses, and the port number specific to the application being used. With respect to transfers, eHealth Ontario is only able to track the IP addresses of the source, destination and application port. eHealth Ontario is only able to identify the client organization.
5.13 Client Obligations to Notify and Co-operate. Client will immediately report to eHealth Ontario all security or privacy incidents of which they are aware involving the Services. When reporting any such incident, Client will provide all information that it is reasonably able to provide with respect to the incident. Further, Client will provide reasonable assistance and co-operation to eHealth Ontario to investigate, verify and resolve the incident.
5.14 Security and Privacy Assessments. eHealth Ontario shall provide to Client the results of any assessments of the Services done by or at the direction of eHealth Ontario with respect to: a) threats, vulnerabilities and risks to the security of Personal Information; and b) how the Services affect the privacy of individuals who are the subject of that information. eHealth Ontario shall provide a copy of the foregoing summaries within a reasonable period of time after the summary is completed by eHealth Ontario. Such reports shall set out the scope, limitations, and associated risks of the assessments. The Client is responsible for assessing and managing any privacy and security risks associated with the use of the Services.
5.15 FOI Requests. With respect to requests for access to information under FIPPA:
(a) Client acknowledges that all records that are in the custody or under the control of eHealth Ontario are subject to the access provisions of FIPPA and that eHealth Ontario cannot guarantee that the confidentiality of any such records will be preserved if a request for access to it is made under FIPPA.
(b) To the extent permitted under FIPPA, eHealth Ontario will inform Client of any request made of eHealth Ontario under FIPPA for any records related to this Agreement that may reveal a trade secret or scientific, technical, commercial, financial or labour relations information supplied in confidence by Client to eHealth Ontario so that Client may make representations to eHealth Ontario with respect to the proposed disclosure.
ARTICLE 6 PRICING, PAYMENT, AND COST ALLOCATION
6.1 eHealth Ontario. eHealth Ontario will bear the cost of delivering the Services.
6.2 Client. Client will bear the cost and responsibility of engaging and using the Services, including but not limited to acquiring, installing and maintaining any equipment (other than Service Equipment) and telecommunications facilities required by Client to obtain the Services and interconnect with eHealth Ontario’s technology infrastructure.
ARTICLE 7 WARRANTIES AND LIMITATION OF LIABILITY
7.1 Warranty. EHEALTH ONTARIO WILL PROVIDE THE SERVICES IN A PROFESSIONAL AND WORKMAN-LIKE MANNER.
7.2 Disclaimer. CLIENT ACKNOWLEDGES THAT THE SERVICES MAY NOT ALWAYS BE AVAILABLE, AND WITH THE EXCEPTION OF ANY EXPRESS WARRANTIES CONTAINED IN THIS AGREEMENT, eHealth Ontario EXPRESSLY DISCLAIMS ANY OTHER REPRESENTATIONS, WARRANTIES, OR CONDITIONS WITH RESPECT TO THE SERVICES OR OTHERWISE ARISING FROM THIS AGREEMENT WHETHER EXPRESS OR IMPLIED, PAST OR PRESENT, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY THAT THE SERVICES WILL BE UNINTERRUPTED, SECURE OR ERROR FREE.
7.3 Limit. IN NO EVENT SHALL THE TOTAL CUMULATIVE LIABILITY OF eHealth Ontario (INCLUDING ITS REPRESENTATIVES AND SUPPLIERS) TO CLIENT, ITS END USERS OR ITS PATIENTS, FOR ANY CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT, EXCEED AN AMOUNT EQUAL TO THE SERVICE FEES PAID OR TO BE PAID BY eHealth Ontario TO ITS SUPPLIER(S) FOR THE AFFECTED CIRCUIT(S) DURING THE SIX (6) MONTH PERIOD PRECEDING THE DATE OF THE FIRST CLAIM MADE BY CLIENT.
7.4 Indirect Damages. eHealth Ontario (INCLUDING ITS REPRESENTATIVES) SHALL NOT BE LIABLE TO CLIENT, ITS END USERS OR ITS PATIENTS IN ANY WAY WHATSOEVER, FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, REVENUE OR PROFIT RESULTING FROM OR ARISING IN CONNECTION WITH THIS AGREEMENT OR THE PROVISION OR USE OF THE SERVICES OR THE PROVISION OR USE OF ANY SERVICE EQUIPMENT. THIS LIMITATION SHALL APPLY WHETHER OR NOT SUCH DAMAGES ARE FORESEEABLE, OR WHETHER THE DEFAULTING PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7.5 Exclusions. THE LIMITATIONS OF LIABILITY SET OUT IN THIS ARTICLE 7 DO NOT APPLY TO ANY CLAIM ARISING FROM WILFUL MISCONDUCT OF eHealth Ontario OR CLIENT. OTHERWISE, THE FOREGOING PROVISIONS LIMITING THE LIABILITY SHALL APPLY REGARDLESS OF THE FORM OR CAUSE OF ACTION, WHETHER IN CONTRACT OR TORT (INCLUDING NEGLIGENCE), OR A BREACH OF A FUNDAMENTAL TERM OR CONDITION OR A FAILURE OF ESSENTIAL PURPOSE.
ARTICLE 8 MISCELLANEOUS
8.1 Governing Law. This Agreement will be governed by the laws of the Province of Ontario and the laws of Canada applicable therein, without reference to the conflict of laws provisions. The parties consent to the jurisdiction of the courts of Ontario.
8.2 Force Majeure. Neither party will be liable for any failure or delay in its performance under this Agreement due to any cause beyond its reasonable control that could not have been avoided by the exercise of reasonable foresight provided that such party gives the other party prompt notice of such cause, and uses its reasonable commercial efforts to promptly correct such failure or delay in performance. If eHealth Ontario is unable to provide Services for a period of thirty (30) consecutive days as a result of a continuing force majeure event, either party may terminate this Agreement upon written notice to the other party without any further liability or obligation of either party hereunder.
8.3 Notice. Notices sent to eHealth Ontario shall be sent to eHealth Ontario’s head office and to the attention of the Vice President of Client Services. Notices sent to Client will be sent to the Authorized Site to the attention of the Primary Contact identified on the order form at the start of this Agreement.
8.4 Entire Agreement. The Agreement constitutes the complete agreement between eHealth Ontario and Client with respect to the subject matter hereof and supersedes and replaces all prior or contemporaneous discussions and agreements regarding such subject matter.
8.5 No waiver of any part of this Agreement will be deemed to be a waiver of any other provision. No term of this Agreement will be deemed to be waived by reason of any previous failure to enforce it. No term of this Agreement may be waived except in a writing signed by the party waiving enforcement.
8.6 Assignment. Client may not assign this Agreement, either in whole or in part, without the prior written consent of eHealth Ontario which will not be unreasonably withheld.
SCHEDULE ONE - ACCEPTABLE USE POLICY
1. SUMMARY. This policy establishes the acceptable use requirements for eHealth Ontario products, services and the technology infrastructure used by eHealth Ontario to provide them. eHealth Ontario may revise this policy from time to time in its sole discretion. Revised versions of this policy will be posted at www.www.ehealthontario.on.ca, and notice of the revision will be given to you in accordance with the agreement pursuant to which eHealth Ontario provides products or services to you.
2. Scope and Application. This policy applies to all users. Any person who accesses or uses the technology infrastructure or uses a product or service provided by eHealth Ontario is a “user”. A “person” includes any individual, person, estate, trust, firm, partnership or corporation, government or any agency or ministry of any government, and includes any successor to any of the foregoing.
3. Accountability. Each client organization is responsible for any access or use of the technology infrastructure or any product or service provided by eHealth Ontario made by any user who is an individual and who obtained his or her user ID and password to access the technology infrastructure and any product or service provided by eHealth Ontario from that client organization or at the direction of that client organization.
4. Acceptable Use. Users are permitted to use eHealth Ontario’s products, services and technology infrastructure for health care-related business activities. Unacceptable use refers to any illegal use or any inappropriate use as defined in this policy. Users must not use the products, services or technology infrastructure in any manner that constitutes an unacceptable use.
5. Inappropriate and Illegal Use.
5.1 Illegal use is the creation, collection, transmission, storage or exchange of any material in violation of any applicable law or regulation. Illegal use includes but is not limited to:
(a) defaming other persons (e.g., spreading false allegations or rumours about others);
(b) unlawfully accessing, destroying, encrypting or altering information;
(c) making, possessing or distributing computer programs that are designed to assist in obtaining unlawful access to computer systems unless authorized by eHealth Ontario;
(d) wilfully promoting hatred against any identifiable group or individual by communicating such statements outside of private conversations;
(e) harassing other persons electronically (e.g., making threats to a person’s safety or property);
(f) possessing, viewing, downloading, transmitting, or storing any child pornography or any involvement whatsoever with the traffic of such material;
(g) using another user’s password, secure token, digital certificates, or any other identifier to engage in any illegal activity; and
(h) breaching copyright, trade secret, or other intellectual property rights (e.g., breaching software licences, pirating recorded music or movies or stealing trade secrets).
5.2 Inappropriate use includes, but is not limited to, any of the following behaviours or any other behaviour that may jeopardize eHealth Ontario’s products, services, technology infrastructure or ability to operate or expose eHealth Ontario to civil liability:
(a) wilfully bypassing or subverting eHealth Ontario physical, logical or procedural safeguards such as firewalls, web-filtering software or other access controls;
(b) vandalism, which is defined as any malicious attempt to harm or destroy the information of another user, the Internet or other networks;
(c) harassment, including but not limited to persistent non-work related contact with another user when such contact is unwelcome or creating a poisoned work environment by accessing, displaying, storing, downloading or transmitting any content which is offensive;
(d) the sending of unwanted e-mail or unsolicited commercial or advertising material to any other person;
(e) deliberate unauthorized access to information, facilities or services accessible through the eHealth Ontario infrastructure;
(f) unauthorized use, destruction, encryption, alteration or disclosure of personal information, business trade secrets, or sensitive eHealth Ontario information;
(g) sending anonymous messages or impersonating any other person;
(h) selling, sharing or otherwise redistributing eHealth Ontario products or services without written authorization from eHealth Ontario; or
(i) electronic gambling over the Internet.
6. Security. Users must ensure that passwords, secure tokens, digital certificates and any other identifiers used by the user to directly or indirectly gain access to the products, services or technology infrastructure are safeguarded.
7. Breaches of This Policy.
7.1 Users and client organizations must report all breaches of this policy of which they are aware to eHealth Ontario. Users must do so through the help desk from which they receive technical support, and client organizations must contact eHealth Ontario directly.
7.2 eHealth Ontario reserves the right to investigate suspected breaches of this policy, and users and client organizations will cooperate when asked to assist in any such investigation.
7.3 eHealth Ontario may, in its sole discretion, suspend or revoke a user’s access to eHealth Ontario’s products, services, or technology infrastructure should such user breach this policy.
7.4 Client organizations will co-operate with eHealth Ontario on the management of breaches of this policy. This responsibility includes, but is not limited to, assisting with the development and distribution of communications regarding breaches or incidents.
7.5 Breaches of this policy may result in criminal prosecution or civil liability.
7.6 Although eHealth Ontario is not obligated to monitor content and assumes no responsibility for any information or material that is transmitted by users of the products, services, technology infrastructure or Internet, eHealth Ontario reserves the right, subject to all applicable laws relating to the protection of personal information, to investigate content posted to or transmitted over eHealth Ontario’s technology infrastructure and may block access to, refuse to post, or remove any information or material that it deems to be in breach of this policy.
7.7 eHealth Ontario may report breaches of this policy committed by a user to the client organization responsible for that user’s actions.
7.8 eHealth Ontario assumes no liability for enforcing or not enforcing this policy, and any failure by eHealth Ontario to enforce any part of this policy shall not constitute waiver by eHealth Ontario of any right to do so at any time.
7.9 If any provision of this policy is found to be invalid or unenforceable, then that provision will be enforced to the extent permissible, and all other provisions will remain in full force and effect.
SCHEDULE TWO – SECURITY POLICY
1. Additional Definitions. In addition to those definitions set out elsewhere in this Agreement, the following definitions apply to this Schedule:
(a) “Client Equipment” means any equipment or software in the possession or control of Client that Client uses in conjunction with the Services that is not Service Equipment.
(b) “Client Network” means any network(s) operated or controlled by Client up to the demarcation point where such network(s) interconnect with eHealth Ontario’s technology infrastructure.
(c) “ONE Network Remote” means the remote virtual private network.
(d) “ONE Network” means the managed private network operated by eHealth Ontario.
2. eHealth Ontario Safeguards. eHealth Ontario has designed and implemented the ONE Network as a secure private network to be used by health care professionals when communicating with each other. For further information on the types of safeguards that eHealth Ontario uses, please contact eHealth Ontario.
3. Client Data. Client is responsible for any materials that Client transmits over the ONE Network and determining whether such materials can appropriately be transmitted over the ONE Network without encryption or other safeguards (given the nature and sensitivity of the materials being transmitted). If Client determines that any safeguard is required when transmitting such materials, Client will implement such safeguard. As well, Client is responsible for verifying the accuracy of any data that it receives over the ONE Network.
4. Equipment. Client is responsible for the security of the Service Equipment and Client’s own tangible assets, including but not limited to Client Equipment, premises and utilities. This obligation includes maintenance of an inventory of Client’s assets forming part of the Client Network, identification of possible risks and implementation of administrative, physical and technical means to secure such assets.
5. Safeguards. Client is responsible for managing the security of Client Equipment to reasonably limit the risk that Client Equipment will be accessed and used to attack the eHealth Ontario ONE Network or systems connected to it. This obligation includes but is not limited to establishing security policies and implementing appropriate physical, procedural and technical controls to prevent, detect and respond to security violations.
6. No Changes. Client will not connect to, modify, reconfigure, or alter the Service Equipment in any manner without the prior written approval of eHealth Ontario.
7. Infrastructure and Environment. Client will provide the infrastructure and environment necessary for the safe operation of the Service Equipment such as locating the Service Equipment in a dry, clean, well ventilated, and temperature controlled location and providing an appropriate uninterrupted power supply. All Service Equipment must be placed on a rack or appropriate shelf and positioned to provide ample working space in and around it.
8. Compatibility. From time to time, eHealth Ontario may provide to Client certain guidelines with respect to Client Equipment. Client acknowledges that it may not be able to receive and use the Services (because of compatibility issues) should its Client Equipment not conform to such guidelines.
9. Client Network Security. Client is responsible for the security and operation of Client Network, and Client will use organizational, administrative, physical and technical means to limit physical and virtual access to any computer terminal or other device interconnected with the ONE Network. Client will:
(a) implement and regularly update reasonable anti-virus and anti-spam software on the Client Network;
(b) regularly monitor the Client Network for security breaches;
(c) implement such controls as are reasonably necessary to prevent security breaches relating to the Client Network and, in any event, use commercially reasonable efforts to minimize the impact of any security breaches on the Client Network; and
(d) regularly monitor the Client Network and applications used on the Client Network in a manner consistent with good network administration practices.
10. Access Control. Client will use organizational, administrative, physical and technical means to protect any user identifications, passwords, secure tokens or other authentication credentials assigned to Client or Client’s End Users that enable them to connect to the ONE Network or obtain services over the ONE Network.
11. Passwords. Should Client determine that a password or any other user authentication credential has been or may have been compromised, Client’s Primary Contact (as set out in the order form at the start of this Agreement) will report that incident or concern to the help desk from which Client receives technical support.
12. Program. Client will establish its own security program that includes an incident response approach and risk management process. At a minimum, Client will, and shall cause its End Users to, immediately report all actual or potential security incidents affecting the ONE Network or any network connected to the ONE Network of which they are aware to Client’s Primary Contact who will immediately report them to the help desk from which Client receives technical support. When reporting any such incident, Client will provide all information that it is reasonably able to provide with respect to that security incident and reasonable assistance to enable eHealth Ontario to verify and resolve that security incident. eHealth Ontario will use commercially reasonable efforts to resolve each such security incident.
13. Third-Party Networks. Client is responsible for: (i) putting in place safeguards (such as security gateways and firewalls) to prevent any network traffic originating in a third party network from being routed through the Client Network directly to the ONE Network; and (ii) maintaining appropriate configuration and security controls over the Client Network to reasonably ensure that no person who has accessed the Client Network from a third party network may use any computing device forming part of the Client Network to gain unauthorized access to the ONE Network. If eHealth Ontario acting reasonably (after having given Client an opportunity to improve its security safeguards) determines that Client is unable to secure the Client Network as described in this section 13, Client agrees to relinquish such connections between the Client Network and any network other than the ONE Network as are needed to secure the Client Network in such a manner.
14. Remote Access. Client will not connect remotely (other than from Authorized Site) to eHealth Ontario’s technology infrastructure other than through the ONE Network Remote or other technological means approved by eHealth Ontario. Client will not, and will ensure that its End Users do not, modify or change any configurations or topologies of any ONE Network Remote or means of remote access approved by eHealth Ontario other than with the prior written approval of eHealth Ontario. Client’s Primary Contact is responsible for managing which End Users are allowed to access eHealth Ontario’s technology infrastructure remotely.
15. IP Forwarding. Client will not enable IP forwarding on any server or workstation deployed within the Client Network.
16. DNS or DHCP. Client will not run alternative domain name service (“DNS”) or dynamic host control protocol (“DHCP”) in connection with any circuits forming part of the ONE Network.
17. Additional Firewall. eHealth Ontario does not recommend that Client deploy any firewall between any small office firewall appliance provided by eHealth Ontario (if applicable) and Client Network. However, should Client wish to provide its own additional firewall service, Client will:
(a) be responsible for creating and administering its own remote virtual private network solution;
(b) be responsible for managing its own local area network address space including the potential use of a DHCP service and use of DNS;
(c) be responsible for ensuring that its additional firewall service performs network address translation (NAT) and stateful inspection; and
(d) not enable IP forwarding on any server or workstation deployed within the Client Network.
18. Tools. Client will not run network contouring, vulnerability assessment, hacking tools, or configuration tools against any Service Equipment or any network circuits provided pursuant to this Agreement.
19. Client Contact. Client’s Primary Contact is responsible for coordinating all matters relating to End User access (including password changes and the addition, modification or removal of End Users with eHealth Ontario) and shall be the sole representative of Client who is authorized to communicate any related requests to eHealth Ontario.
20. Compliance. Upon the request of eHealth Ontario acting reasonably, Client will provide to eHealth Ontario evidence of its compliance with all or part of this Security Policy.
SCHEDULE THREE – PLAIN LANGUAGE DESCRIPTIONS
1. Network Services. ONE Network allows health care providers to confidently share information over a high-speed network built for health care. When eHealth Ontario provides Network Services to Client, eHealth Ontario is providing one or more telecommunications circuits to Client which will result in one or more networks under the control of Client being interconnected with eHealth Ontario’s technology infrastructure. A circuit may be based on any one of a number of technologies such as a digital subscriber line, cable or satellite. Where circumstances warrant, fibre optic connectivity may also be used.
2. Security and Privacy Safeguards.
2.1 All eHealth Ontario Products and Services. eHealth Ontario’s security program is based on two standards from the International Organization for Standardization (ISO), as recommended by the Government of Canada:
• ISO/IEC 17799:2005 – Code of Practice for Information Security Management, and
• ISO/IEC 27001:2005 – Information Security Management Systems – Requirements,
and is in compliance with the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act. Security of information and protection of privacy within, and by use of, eHealth Ontario’s products and services is achieved by collaboration of all parties who are partners in providing or using these services. For its part, eHealth Ontario has implemented the following safeguards:
(i) Administrative Safeguards
• eHealth Ontario regularly reviews and enhances its security policies and is in the process of developing supporting governance documentation (e.g. Information Security Operating Directives). Staff and contractors read the relevant policies and sign that they have read and understood them.
• eHealth Ontario has mandatory security staff awareness and training programs.
• eHealth Ontario Staff and contractors generally have no ability or permission to access personal health information. If access to personal health information is required in the course of providing eHealth Ontario services, individuals are prohibited from using or disclosing such information.
• All staff and contractors must sign confidentiality agreements and undergo criminal background checks prior to joining eHealth Ontario. eHealth Ontario has a security screening policy that requires staff to have an appropriate level of clearance for the sensitivity of the information they may access.
• Client obligations, for their part in maintaining security, are detailed in individual contracts and Service Level Agreements (SLAs).
• eHealth Ontario ensures, through formal contracts/SLAs, that any third party it retains to assist in providing services to health information custodians will comply with the restrictions and conditions necessary for eHealth Ontario to fulfil its legal responsibilities.
• eHealth Ontario staff, consultants, suppliers and clients must promptly report any security breaches to eHealth Ontario for investigation.
• Security risk assessments are conducted as part of both product/service development and client deployments. Mitigation activities are well established and tracked as part of each assessment.
• eHealth Ontario provides a written copy of the results of a security risk assessment to the affected health information custodians.
• eHealth Ontario has established a formal risk management program, including an enterprise risk management policy and guidelines.
• eHealth Ontario conducts regular independent vulnerability assessments of technical configurations and operational security practices.
(ii) Technology Safeguards
• For access to sensitive systems, strong passwords, secure tokens, and other authenticators are required.
• Administrative access to all IT equipment is controlled via strong, two-factor authentication, and is recorded.
• eHealth Ontario monitors and manages network traffic using security mechanisms such as routers, switches, network firewalls, intrusion detection systems, and anti-virus programs.
• eHealth Ontario encrypts all data stored on staff computers.
(iii) Physical Safeguards
• The eHealth Ontario datacentres are purpose-built facilities, physically secured against unauthorized access, and are staffed and monitored continuously by security personnel.
• Datacentre physical security controls have been validated by an independent third party in accordance with federal government standards.
• eHealth Ontario requires escorted access at all times for third party vendors and maintenance personnel who require access to the datacentre.
2.2 ONE Network Safeguards. In addition to the generic safeguards which apply to all eHealth Ontario products and services, the following security safeguards are in place for ONE Network:
(i) Core Network Safeguards
• ONE Network Enterprise is segregated from the Internet, and is protected by a defence-in-depth approach against threats originating from external networks.
• Clients are expected to take appropriate measures to segregate their own internal network(s) from untrusted networks.
• ONE Network Enterprise equipment is deployed for exclusive use by eHealth Ontario to provide the ONE Network service, and is operated in accordance with eHealth Ontario practices and policies.
• ONE Network Enterprise is implemented province-wide via dedicated optical fibre links, where possible, providing a high level of protection against interception or modification of network traffic. Where fibre is not available, eHealth Ontario makes use of carrier networks and employs IPSec tunnels.
• All Clients sign agreements that they will ensure ONE Network Enterprise equipment on their premises will be located in physically secure environments that will be controlled and monitored.
• eHealth Ontario is developing and implementing network monitoring capabilities and a full enterprise security and privacy incident management program.
• All changes to the network are controlled by eHealth Ontario and subject to formal eHealth Ontario change management practices.
• Administrative personnel have no access to the e-Health data flowing through the ONE network.
(ii) ONE Network Access Safeguards
Because ONE Network Access is provisioned via 3rd-party network service providers, eHealth Ontario does not have the same degree of control over these networks as it does for the core network. To maintain the security of e-Health communications flowing through the access networks, eHealth Ontario implements additional security safeguards:
• All communications to and from eHealth Ontario-hosted e-Health applications are automatically encrypted when traversing the access networks.
• Every network point of access has controls for protecting the network from security threats, whether malicious or unintentional.
• eHealth Ontario optionally provides clients with a secure means of accessing their office network from a remote location (via the ONE Network Remote service).
• eHealth Ontario optionally provides encrypted private communications between client sites (e.g. for geographically separated offices belonging to the same organization).