INFORMATION SHARING AND DATA USE AGREEMENT

This INFORMATION SHARING AND DATA USE AGREEMENT (this “Agreement”) is entered into as of_________, (the “Effective Date”), by and between the Association of State and Territorial Health Officials, located at 2231 Crystal Drive, Suite 450, Arlington, VA 22202 (“ASTHO”), and [Data Source Name- DATA SOURCE SHALL BE A LOCAL OR STATE HEALTH JURISDICTION OPERATING UNDER EITHER STATUTORY OR REGULATORY AUTHORITY] located at ______________ (the “Data Source”), concerning the provision by the Data Source of a Data Set to ASTHO to be used as part of the BioSense program (the “BioSense Program”) pursuant to the terms of this Agreement.

WHEREAS, ASTHO has been funded through a cooperative agreement with the Centers for Disease Control and Prevention, US Department of Health and Human Services ("CDC") to assist with the coordination of governance of BioSense 2.0, and

WHEREAS, ASTHO is providing the BioSense Program with an Internet application to facilitate the sharing of certain health-related data for public health and surveillance designed to assist in the possible detection, confirmation, situation awareness, monitoring of, and response to public health threats,

WHEREAS, Data Source intends to use and share with the BioSense Program certain health-related data for public health and surveillance purposes as described herein, subject to the terms and conditions of the Agreement, and

WHEREAS, within BioSense 2.0 Data Source will have access to: (1) a secure space where it will be the only party able to view and analyze Data Source’s patient-level data and PHI or IIHI; and (2) a shared space wherein Data Source will have the ability and discretion to determine whether, how, with whom, and at what level to share Data Source’s aggregate data, views and maps with other data sources, the CDC or other agencies.

NOW THEREFORE, in consideration of the mutual promises set forth herein and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereto agree as follows:

1.Background

As of November 2011, the BioSense Program has developed a distributed computing environment and tools with state and local control (“BioSense 2.0”). Governance is facilitated by ASTHO, in coordination with the CDC, Council of State and Territorial Epidemiologists (“CSTE”), National Association of County and City Health Officials (“NACCHO”), and International Society for Disease Surveillance (“ISDS”) (collectively, the “Governance Group"). ASTHO has contracted with a vendor to act as a data storage company (“Vendor”) for BioSense 2.0 that is certified as described in Section 8 of this Agreement. Through the Vendor, ASTHO will offer BioSense 2.0 for receiving and managing public health and surveillance information. BioSense 2.0 will provide the Data Source with the ability to contribute and access data that will support existing and potential expansion of its public health and surveillance systems.

BioSense 2.0 shall provide two spaces for the submission of Data. The first space shall be a secure space in which Data Source shall have exclusive access and control over any Data it submits to the extent permitted by applicable law. Data Source will also have the ability to permit data providers within its jurisdiction to send public health-related data (“Public Health Data Providers” or “PHDPs”) directly to its secure space within BioSense 2.0. This secure space shall provide the Data Source with an environment capable of receiving all Data forms and formats (including HL7) and converting them to any format the Data Source desires.

The second space within BioSense 2.0 shall be a shared space in which Data Source and others providing Data to BioSense 2.0 shall provide and share access to views of aggregated Data.

2.Definitions

For purposes of this Agreement, the following definitions shall apply:

“BioSense 2.0” means the cloud-enabled, web-based platform and tools used to store, maintain, process, display, receive, analyze, and destroy Data received for the advancement of the BioSense Program as described in Section 1 of this Agreement.

“BioSense Program” means the program run by the CDC that tracks health problems as they evolve and provides public health officials with data, information and tools they need to better prepare for and coordinate responses to safeguard and improve the health of American people.

“Data” means the public health-related information gathered by or contributed to the Data Source or gathered by an individual User on behalf of the Data Source that becomes part of the Data Set submitted to BioSense 2.0.

“Data Set” means the Data provided or contributed to BioSense 2.0 by the Data Source, any Users, and any PHDPs within the jurisdiction of the Data Source that have entered into an agreement that complies with Section 4 herein.

“Individually Identifiable Health Information” or “IIHI” shall have the same definition as provided by the Health Insurance Portability and Accountability Act (“HIPAA”) and corresponding regulations.

“Meaningful Use regulations” currently means the regulations as defined by Centers for Medicare & Medicaid Services (42 CFR Parts 412, 413, 422 et al.) Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rules (published on July 28, 2010 in the Federal Register) and the Office of the National Coordinator for Health Information Technology (45 CFR Part 170) Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule (published on July 28, 2010 in the Federal Register).

“Party” means Data Source or ASTHO; “Parties” means Data Source and ASTHO.

“Protected Health Information” or “PHI” shall have the same definition as is contained in HIPAA and corresponding regulations.

“User” means any authorized user of Data available through BioSense 2.0. All Users must be affiliated with a Data Source, except as otherwise provided herein.

3. Data Sharing. BioSense 2.0 is designed to promote the contribution of public health data by all Users and the appropriate sharing of aggregated Data in the shared space. While Data Source and other Users are not required to share Data, they are encouraged to do so. The Governance Group may consider and make recommendations for data sharing in the shared space. These could include recommendations for types of data (e.g., minimum data sets), seasonal data collections, and similar contributions that would enhance the value of BioSense 2.0 to all Users.

4.Data Set Access and Use.

Data Source agrees to participate in the BioSense Program by submitting data and utilizing BioSense 2.0 in accordance with the terms and conditions herein.  Prior to allowing any PHDP to submit data to BioSense 2.0 (either directly or through Data Source), Data Source will require the PHDP to agree, by means of an electronic (click-thru) or any other reasonable form of agreement, to certain terms and conditions, including but not limited to: a) PHDP shall not take any actions that are inconsistent with this Agreement; b) PHDP shall not submit Data to BioSense 2.0 that it is not authorized to submit; and c) PHDP submission of Data will comply with applicable federal, state, and local laws.  The exact nature and form of such agreement shall be mutually agreed upon by the Parties.  Any violation of the aforementioned terms and conditions by a PHDP may result in suspension or termination of the PHDP’s access to and/or use of BioSense 2.0. 

a. The Data Source acknowledges and agrees that as part of BioSense 2.0, the Data Set may be used and/or disclosed for the following purposes:

(i) Sole Use by Data Source in Secure Space. For use by Data Source for posting of Data, and continued maintenance and control of its Data, in BioSense 2.0. For use by Data Source to process new feeds and manage its own Data and information for internal uses only. To the extent that Data Source does not wish to share its Data Set or have access to other Data Sources’ Data Sets, Data Source may still access BioSense 2.0 for purposes of accessing the information technology tools and infrastructure available in BioSense 2.0;

(ii) Shared Space. To facilitate the sharing of views of Data, which shall not contain PHI or IIHI, for public health and surveillance purposes. Data Source can share, at minimum, aggregate views of their Data at a level determined by the Data Source. The Data Source acknowledges such use, access and publication shall be between jurisdictions, provided, however, that such use, access and sharing of its Data shall be determined solely by Data Source. Selected aggregate Data in the shared space will also be available for public use and publication, but only with Data Source’s knowledge of such use and publication. To the extent that Data Source does not wish to share its Data Set or have access to other Data Sources’ Data Sets, Data Source may still access BioSense 2.0 for purposes of accessing the information technology tools and infrastructure available in BioSense 2.0;

(iii) Other health agency uses. To provide access to the Data Set or analyses thereof to local, state and federal governmental health agencies (including, but not limited to, CDC) or other agencies and entities in connection with the conducting of their respective public health responsibilities consistent with applicable state and/or federal law for the following purposes: (1) To facilitate the interchange of information that can be used to coordinate responses and monitor events routinely and during a potential health event; (2) For early detection and characterization of events (or health-related threats) by building on state and local health departments systems and programs; (3) To provide health-related information for: (a) public health situation awareness, (b) routine public health practice, and (c) improved health outcomes and public health; and (4) To improve the ability to detect emergency health threats by supporting the enhancement of systems to signal alerts for potential problems in collaboration with federal, state and local health jurisdictions and other potential stakeholders; and

(iv) ASTHO use. ASTHO shall use information provided by Data Source only as allowed under the terms of this Agreement and shall at all times comply with applicable federal and state laws. Except as otherwise provided in this Agreement, Data Source acknowledges and understands that ASTHO requires all Users of BioSense 2.0 to agree to terms and conditions which specify and require acknowledgement of the uses of BioSense 2.0; however, ASTHO shall not be responsible for the acts or omissions of any Users.

b. Data Source may use and share Data contributed to BioSense 2.0 for the purpose of monitoring and assessing public health activity within its jurisdiction.

c. As part of access to the shared space in BioSense 2.0 and in accordance with this Agreement, Data Source understands and agrees to provide CDC with, at minimum, aggregate level data (city or county or state) for Data Source's jurisdiction. Data Source also understands and agrees that CDC may access and review Data contributed to the shared space for use as described in Section 4a(iii) above; provided however, that such access and review shall be as determined by Data Source to the extent permitted by applicable law. CDC may prepare associated reports and analyses related to public health surveillance. Further, Data Source acknowledges that CDC will work with the Data Source and/or PHDP(s) within the Data Source’s jurisdiction in the development of analytic methods for identification and investigation of public health concerns. Such analysis and development may be shared by the CDC with other governmental agencies as necessary and appropriate; provided, however, that the Data Source shall, to the extent permitted by applicable law, have the ability to control the distribution of its Data Set and may deny the sharing of the Data Set, and any related analyses, with any governmental agency.

d. It is anticipated that the shared space may also have a second component in which the general public would be provided with certain general aggregated access to information as established by each Data Source.

5. Data Set Content Restrictions and Requirements. Data Set information shall be provided in compliance with the published Data Set requirements of BioSense 2.0, including but not limited to then-current requirements of the Meaningful Use regulations. Such Data Set information requirements shall be published on the BioSense 2.0 website and may be changed from time to time. The Governance Group may make recommendations regarding the types of data to be submitted to the shared space. However, this shall not be construed to require any particular Data element to be included in the Data Set. Data Source warrants that it will comply with all applicable laws and government regulations affecting its use of BioSense 2.0, and ASTHO shall not have any responsibility relating to Data Source therefor, including, without limitation, any responsibility to advise Data Source of Data Source’s responsibility in complying with any laws or governmental regulations affecting its use of BioSense 2.0. Data Source warrants that all PHDPs authorized to participate in BioSense 2.0 by Data Source will do so under an agreement consistent with Section 4.

6. Confidentiality and De-Identification/Encryption of Data

a. Neither PHI nor IIHI will be submitted to BioSense 2.0 by Data Source or PHDPs unless transmitted to Data Source’s secure space in BioSense 2.0; neither ASTHO, the CDC, the Vendor nor any other Data Source (other than Data Source’s authorized PHDPs) shall have access to such Data in the secure space.

b. Other than Data provided to the secure space, Data Source is responsible for de-identifying and/or encrypting all PHI and IIHI prior to submission to BioSense 2.0 and is responsible for maintaining the security of any encryption techniques used. De-identification and encryptions will be done in compliance with federal and state law, including HIPAA and corresponding regulations. ASTHO shall have no responsibility for the encryption of PHI or IIHI. ASTHO will work with the Governance Group to facilitate the development of data sharing concepts and principles to which Data Source must adhere in BioSense 2.0. ASTHO shall have no obligation to ensure Data Source maintains compliance with these concepts and principles. Data Source agrees and acknowledges that the Data captured by BioSense 2.0 may include certain health information technology facilities. Data Source agrees that it is Data Source’s responsibility to obtain any permissions required in order to submit such Data to BioSense 2.0, and to the extent permitted by applicable law and practice specifically agrees to indemnify, save and hold harmless ASTHO from and against all claims and liabilities associated therewith.

7. Open Records Laws. Data Source acknowledges and understands that the Data it submits, including Data accessed by other Data Sources and Users, including CDC, may be subject to state and federal (e.g., the Freedom of Information Act) open records laws. To the extent a Data Set provided to BioSense 2.0 may be subject to the applicable open records laws for the state of origin for the Data Source submitting the applicable Data Set, Data Source is responsible for reviewing and complying with the applicable open records laws when determining the Data to be provided in the Data Set.

8. Data Retention/ Data Security

a. Data Source acknowledges and understands that Data provided as a part of the Data Set shall be archived, stored, maintained, protected, and disposed of in compliance with federal law and the applicable state law for the Data Source, to the extent state law is not superseded by federal law. The Data Set shall be maintained in a distributed computing environment and any and all policies and procedures applicable to the use of a such an environment for BioSense 2.0 shall be in compliance with the Federal Information Security Management Act (“FISMA”).

b. Data Source is responsible for creating and protecting User passwords and other secure measures used for accessing and using BioSense 2.0 and for establishing its own security protocols and procedures in the use of the passwords and administration of the Data Set supplied for its jurisdiction and any Data Set viewed through BioSense 2.0. Data Source is further responsible for ensuring that PHI and IIHI is submitted to BioSense 2.0 only as permitted in Sections 4 and 6 of this Agreement, and will ensure that its PHDPs do the same. Data Source will adhere to the data sharing concepts and principles that are developed for BioSense 2.0. Data Source shall maintain written policies and procedures for the transmission of the Data Set and any other information to BioSense 2.0. The Data Source shall be responsible and liable for any misuse or abuse of its passwords and other measures and any resulting misuse or abuse of BioSense 2.0.

c. The Parties agree to immediately alert the other Party if there is a potential or actual breach of the security of BioSense 2.0 or the Data Set contained within BioSense 2.0, or any actual or potential misappropriation or misuse of a Data Set or any Data available through BioSense 2.0. The Parties further agree to work cooperatively to investigate and comply with any federal and state laws should a breach occur.

9. Term and Termination

a. The initial term of this Agreement (the “Initial Term”) shall commence on the Effective Date and shall continue for five (5) years. Unless this Agreement is earlier terminated as set forth herein, this Agreement shall be automatically and successively renewed without further action by either Party for an indefinite number of successive one-year terms (each such additional term a “Renewal Term” and together with the Initial Term, the “Term”).

b. Either Party may terminate this Agreement upon 30 days prior written notice to the other Party. If this Agreement is so terminated, the Parties shall be liable only for performance rendered in accordance with the terms of this Agreement prior to the effective date of termination. Further, either party may terminate this Agreement immediately in the event the other Party materially breaches its obligations under the Agreement.

c. Promptly upon termination of this Agreement (i) the Data Source shall have the right to cease providing any additional Data Sets and/or any updates to previously submitted Data Sets and (ii) ASTHO may retain the Data Sets that have been previously contributed to BioSense 2.0 unless otherwise restricted by law. Data Source may request that any previously submitted Data Sets be removed from BioSense 2.0 and that ASTHO’s and any other Data Source’s or User’s (including the CDC’s) access to that specific Data Set be terminated; however, such removal shall be subject to whether the specific Data Set was accessed or used, feasibility of removal, and whether the Data Set is subject to related laws, including any outlined as a part of Section 7 herein.

10. Ownership of Data. The Data Source shall at all times retain all rights to alter or revise the level of sharing permissions for the Data Set, as it deems necessary or as required by law. The Data Source retains ownership of any Data Sets it contributes to BioSense 2.0; but, as indicated in Sections 7 and 9 herein, any Data provided outside the secure area may be subject to continued legal requirements, including but not limited to retention and open records laws. As described in Section 9, the Data Source may request that previously submitted Data be removed; however, the Data Source has no right to return or destruction of any Data contributed to BioSense 2.0, except for Data submitted to the secure area of BioSense 2.0. The Data Source acknowledges that contribution of Data Sets to BioSense 2.0 does not in any way grant the Data Source any rights, beyond those provided under this Agreement, to any Data Sets that it may access through BioSense 2.0 or to BioSense 2.0 itself. Further, ASTHO acknowledges that the Data Source’s contribution of a Data Set to BioSense 2.0 does not grant ASTHO any rights, beyond those provided under this Agreement, to any Data Sets the Data Source chooses not to submit to BioSense 2.0.

11. Warranties

a. The Data Source represents and warrants it has the authority to enter into this Agreement and to provide the Data Set to ASTHO as contemplated by this Agreement for the Intended Uses as outlined in Section 4.

b. Data Source acknowledges and agrees to the following: (i) ASTHO is responsible for the oversight of BioSense 2.0 and sharing amongst Data Sources; (ii) Data Source shall not submit any Data that it is not permitted to disclose; (iii) by disclosing the information to ASTHO, Data Source has not breached, and will not breach, any confidential agreement or legal duty that Data Source has to any party and, further, no one else has breached a legal duty in providing the Data to the Data Source. Additionally, if Data Source breaches this section, then ASTHO shall have a right to terminate this Agreement.

12. Limitation of Liability. Data Source and not ASTHO, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of all Data Sets, and ASTHO shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any Data Sets. ASTHO makes no representations or warranties as to the accuracy or completeness of the Data and disclaims responsibility for any errors caused by inaccuracies or incompleteness of the Data. Data Source hereby waives, and covenants not to sue ASTHO for, any and all possible claims that it might have against ASTHO arising out of, or resulting from, the operation of the BioSense Program. IN NO EVENT SHALL ASTHO AND/OR ITS LICENSORS BE LIABLE TO DATA SOURCE FOR ANY INDIRECT, PUNITIVE, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES OF ANY TYPE OR KIND (INCLUDING LOSS OF DATA, REVENUE, PROFITS, USE OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THIS AGREEMENT, EVEN IF ASTHO OR ASTHO' LICENSORS HAVE BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

13. Amendment; Waiver. This Agreement, or any term or condition, may be modified only by a written amendment signed by the Data Source and ASTHO. Either party may propose an amendment. Failure or delay on the part of either party to exercise any right, power, privilege or remedy provided under this Agreement shall not constitute a waiver. No provision of this Agreement may be waived by either party except in writing signed by the Data Source or ASTHO.

14. Severability. If any term or condition of this Agreement is held invalid, such invalidity shall not affect the validity of the other terms or conditions of this Agreement, provided, however, that the remaining terms and conditions can still fairly be given effect.

15. Entire Agreement; No Assignment. This Agreement is the complete agreement between the Parties concerning the subject matter hereof, and supersedes any prior oral or written communications between the Parties. This Agreement may be executed in counterparts. This Agreement may only be modified or assigned by a written agreement executed by duly appointed officers of both Parties.

16. Governing Law. U.S. federal law shall govern the construction, interpretation, and performance of this Agreement; provided, however, the laws of the state of where the Data Set originated shall govern any disputes, claims or issues arising from, relating to or concerning a Data Set, or the contribution of the Data Set to BioSense 2.0, except to the extent such state law is limited, or superseded, in whole or in part by applicable U.S. federal law.

17. Notices. Any notice, demand or other communication required or permitted to be given under the Agreement shall be in writing and shall be deemed delivered to a Party: (i) when delivered by hand or nationally recognized overnight courier; or (ii) six (6) days after the date of mailing if mailed by United States certified mail, return receipt requested, postage prepaid, in each case to the address of such Party set forth below (or at such other address as the Party may from time to specify by notice delivered in the foregoing manner):

If to Data Source:	__________________________________ __________________________________ __________________________________ Attn:
If to ASTHO:	Association of State and Territorial Health Officials 2231 Crystal Drive, Suite 450 Arlington, VA 22202 Attn: Rose-Ella Slavin

18. Survival. The sections of this Agreement that by their nature are intended to continue in their effect following expiration or termination of this Agreement shall survive any expiration or termination of the Agreement.

IN WITNESS WHEREOF, the undersigned have caused this Agreement to be effective as of the Effective Date.