Data Sharing Agreement
Data Sharing Agreement
Last modified: January 10, 2019
1. Purpose of the Agreement
THE DATA SHARING AGREEMENT, which follows, governs the relationship between you (the "User") and Acclaim Consulting Inc. ("Acclaim", "we", or "Party"), having a place of business in Richmond, British Columbia, (the "Parties"). By registering with us and using our software applications distributed under the names "Claim Manager Online" and "Claim Manager Desktop" (the "Services") you agree that this Data Sharing Agreement is legally binding upon you.
Please read this Agreement in its entirety as well our Privacy Policy, the Services Terms of Use, our Website Terms of Use and any additional applicable policies, guidelines, restrictions or rules (collectively the "TERMS") that may be posted on our Website from time to time.
2. DEFINITIONS
- THE SERVICES mean web application developed by Acclaim Consulting Inc. for medical and health care practitioners in BC, available under the name Claim Manager Online and hosted on Web site secure.claimmanger.ca, together with certain documentation, media, manuals and other technical information. The SERVICES combine contact management with private billing and electronic claim submissions to Teleplan and might include additional features that facilitate business tasks of medical practices such as scheduling, reporting, group emails, etc. However, the SERVICES are not an Electronic Medical Records (EMRs) system and should not be used as an alternative to the traditional paper based patient record system.
- SERVICES PLAN describes the amount of the Services you use and your consideration and terms of payment. A plan is chosen when an ACCOUNT OWNER requests a licence to use the SERVICES.
- The SERVICES PROVIDER means Acclaim Consulting Inc.
- A HEALTH CARE PRACTICE is a health-care business or medical clinic run by a Solo Practitioner, a Group of Practitioners or an Organization.
- YOU, USER, LICENSEE or PARTY includes such users of the SERVICES as
- a sole supplementary benefit practitioner such as an optometrist, acupuncturist, chiropractor, massage therapist, naturopath, physiotherapist or podiatrist (a "Sole Practitioner");
- a sole physician (a "Sole Practitioner"),
- an unincorporated group of physicians or practitioners (a "Group"),
- a practitioner or physician organization, which may be a corporation or a partnership ("an ORGANIZATION"), and
- a service bureau,
- A REPRESENTATIVE means an employee, contractor, or an agent of a USER.
- THE MEDICAL SERVICES PLAN (MSP) OF BRITISH COLUMBIA insures medically required services provided by physicians and supplementary health care practitioners, laboratory services and diagnostic procedures. More information about MSP can be found at http://www.health.gov.bc.ca/msp.
- TELEPLAN WEB VERSION 4.0 (TELEPLAN or MSP TELEPLAN) is a web-based telecommunications system used by practitioners to securely submit claims, notes and eligibility requests to MSP, and receive payment statements, rejected claims and patient eligibility data from MSP through an encrypted Internet connection.
- COMPUTER means a virtual or physical computer device (hardware) including a portable device such as a tablet or a mobile phone that accepts information in digital or similar form and manipulates it for a specific result based on a sequence of instructions.
- REFERENCE DATA means any built-in dictionaries used with the SERVICES, such as diagnostic codes (ICD9), MSP Fee Item codes, MSP services location codes, WorkSafeBC's part of body codes, nature of injury codes, etc.
- OUTBOUND DATA means an output file(s) that you create with the SERVICES to be submitted to Medical MSP Teleplan.
- INBOUND DATA means an input file(s) that you receive using the SERVICES.
- USER CREATED DATA or DATABASE means data entered by you, or imported on your request, in the SERVICES, such as patients', clinic's or practitioners' information.
- USER CONTENT means INBOUND DATA, OUTBOUND DATA AND USER CREATED DATA collectively.
- A DATA CENTRE NUMBER (DCN) is an identifying number assigned by BC Medical Services Plan’s TELEPLAN support to a practitioner or a group of practitioners. A DATA CENTRE NUMBER might be thought of as a unique identifier of a USER CONTENT'S database for the purposes of connecting to TELEPLAN. A USER has to belong to a DATA CENTRE to be able to use the SERVICES to connect to TELEPLAN. A USER does not have to belong to a DATA CENTRE to use the SERVICES to perform private billing.
- THE WEB SITE means set of web pages served under domain name secure.claimmanager.ca, hosted on Company's server(s).
- AN ACCOUNT OWNER is the first SOLE PRACTITIONER, GROUP, or ORGANIZATION who signed up for the SERVICES on behalf of a DATA CENTRE or a HEALTH CARE PRACTICE. In a solo practice, the practitioner is a de facto ACCOUNT OWNER. A REPRESENTATIVE cannot be an ACCOUNT OWNER.
- AN ACCOUNT MEMBER means a REPRESENTATIVE, SOLE PRACTITIONER, GROUP, or ORGANIZATION whom an ACCOUNT OWNER added as a USER to the SERVICES for the purposes of this Agreement.
- SUSPENDED ACCOUNT means an account in a read-only mode. Suspended USERS can login to view or export their USER CONTENT, but not to use the SERVICES.
- TERMINATED OR CANCELLED ACCOUNT means a closed account. USERS on a terminated account cannot login to view their USER CONTENT.
- PERSONAL HEALTH INFORMATION ("PHI") includes any patient information that is entered into the Services by Users or imported there on their requests. It might include patients' demographics data, diagnostic codes, fee items, visit history, users' notes and any other data that is required for MSP Teleplan and private billing and for other tasks of a medical office
- A SERVER is a system that includes hardware and software that responds to requests across computer network and performs computation, data processing and data storage on behalf of the Users. THE SERVERS mean servers that are owned or leased by Acclaim to host its Website and Web Applications including Claim Manager Online.
3. Ownership of Personal Health Information/Data Stewardship
3.1. The Parties acknowledge that for the purposes of applicable privacy legislation, all PHI collected by the User remains in the custody and under control of the User.
3.2. We acknowledge and agree that we shall not acquire any ownership of any PHI.
4. Claim Manager Online: data storage, password and access
4.1. Users of Claim Manager Online collect and store PHI on Acclaim's Server(s).
4.2. Users access their accounts, the Services and User Content with single login name and password.
4.3. Users must keep their passwords in a private and secure place. They should change their passwords at least once a month.
4.4. Users may not share their login name and passwords with anyone including other Users - even if they belong to the same Health Care Practice or Data Centre – to avoid tampering with the access logs.
4.5. Account Members must change temporary passwords that were assigned to them by an Account Owner.
4.6. Users' active session in the Services expires after thirty (30) minutes of inactivity.
4.7. We can monitor the history of User's passwords and access the Services using Users' login name and password for the purposes of quality assurance, customers support and troubleshooting. Such an access will be recorded in the access log file for Users to monitor.
4.8. If a User forgets login name or passwords, we will restore it. Users should change their restored passwords.
5. Claim Manager Desktop: data storage, passwords and access
5.1. Users of Claim Manager Desktop collect and store patients' PHI in their private databases located on their personal computers. They may have installed only one instance of Claim Manager Desktop at one time; therefore, they may maintain only one current version of their database at any time.
5.2. Claim Manager Desktop databases are encrypted appropriately to sensitivity of the information and protected with a password of Users' choice.
5.3. Users must keep their passwords in a private and secure place. They should change their passwords at least once a month.
5.4. Users may not share their login name and passwords with anyone including other Users - even if they belong to the same Health Care Practice or Data Centre Number – to avoid tampering with the audit logs.
5.5. User's login name and password to Claim Manager Desktop can be different from User's login name and password to his or her account on our Web site.
5.6. We do not have an access to patients' PHI in Claim Manager Desktop, but we collect copies of submitted claims and received remittances in proprietary Teleplan format for customer support, quality assurance and billing purposes. These files may contain patients' PHI. They are stored on the Servers in a backup state. They are treated with the same care as PHI collected through Claim Manager Online.
5.7. Only a User knows his or her login name and password to Claim Manager Desktop. If a User forgets them, we can restore this information by retrieving it from the User's database after that database is made available to us. Users should change their restored passwords.
6. Access Rights
6.1. PHI collected by Users from a Health Care Practice or a Data Centre is accessible to all Users that belong to that practice or centre, subject to restrictions by the ACCOUNT OWNER where applicable. It is the Account Owner's responsibility to ensure that any User that is invited to use the Services have permission to view the information stored in the Services.
7. Confidentiality and Privacy
7.1. In collecting, using or disclosing PHI, the Parties shall comply with all applicable laws and regulations relating to privacy and the processing of personal information.
7.2. The collection, use and disclosure of PHI will be undertaken in accordance with applicable privacy legislation on a "least information necessary to achieve the purpose" principle, with the highest degree of anonymity that is practical in the circumstances. Collection and use of PHI will be on a "need to know" basis.
7.3. Users must obtain consent to the collection, use and disclosure of patients' PHI for the purposes of using the Services, including but not limited to
a) submitting claims, notes and eligibility requests to Medical Services Plan and receiving payment statements, rejected claims, patient eligibility data, messages and remittances from Medical Services Plan (MSP), using MSP Web-based telecommunications system Teleplan,
b) creating and printing private invoices for their patients,
c) maintaining and managing a database of their patients' demographics,
d) preparing, printing or saving electronic reports of their billing history,
e) scheduling appointments.
7.4. Users may not use the Services as an Electronic Medical Records system for their medical practice.
7.5. Users may provide their patients with access to their own PHI in accordance with applicable law.
7.6. We can collect, use, correct and disclose PHI of Users' patients to
a) fulfill Users' Services requests;
f) conduct the Services testing, quality assurance, maintenance and customer support,
g) investigate errors and/or data inconsistency that happen during the use of the Services,
h) investigate rejected claims or unsuccessful transactions,
i) make inquiries to Teleplan support regarding Users' Teleplan communication and billing issues;
j) identify areas of improvement and Users' needs in new design, features or products,
k) conduct periodic and/or random audits of access to the Services and use or disclosure of PHI including assessments of levels of access, the identity of individuals or entities accessing, using or disclosing PHI, and the purposes of access, use or disclosure.
7.7. We will assume that the purpose is clearly identified and that we have your implied consent when we collect, use, correct or disclose PHI for the purposes listed in paragraph 7.6. We will not use nor make available for use any of this information for any other purposes without your explicit consent.
7.8. We restrict internal access to PHI to select members of our staff. We do not use this personal information to market third-parties products or services.
7.9. A Party may disclose PHI in response to a subpoena, warrant, order, demand or request by a Canadian court or other competent authority with jurisdiction to compel the disclosure, or as otherwise required or permitted by Canadian law. A Party shall promptly notify the other Party if it receives any such order so that the Parties can jointly determine whether to seek a protective order or other appropriate remedy. The Parties shall cooperate with each other as appropriate to help obtain a protective order. If a Party does not obtain a protective order, the Party subject to the subpoena, warrant, order or demand shall
a) furnish only that portion of the PHI which is legally required;
b) exercise reasonable efforts to obtain reliable assurance that the PHI will be accorded confidential treatment; and
c) promptly provide to the other Party, copies of the PHI that was disclosed, as well as the request made for the PHI.
8. Security and Access to the Services
8.1. We shall implement and maintain safeguards for the security and protection of the PHI consistent applicable law and any provincial/territorial regulatory authority policies, and shall protect the PHI against risks such as unauthorized use, disclosure, destruction and alteration.
8.2. We will utilize technological practices and standards, such as encryption technology, that incorporate reasonable security measures, to protect confidentiality.
8.3. We will allow for creation of a unique personal system account and profile for, and enable use of the system by each participating User.
8.4. We will manage, in a secure manner, any devices, codes or other security measures we create for enabling User access to the Services.
8.5. We will develop, implement, operate and manage a mechanism, which may include processes and technology, to detect and monitor unauthorized access to the Services, and unauthorized use or disclosure of PHI.
8.6. We will develop, implement, operate and manage an incident response process to deal with breaches or suspected breaches of the Services or PHI access security.
8.7. We will immediately investigate any suspected breach of the Services or PHI security where:
a) the suspected breach is identified by us, or
b) such investigation is requested by a participant in its own investigation of a suspected breach.
8.8. Where we determine that a breach of the Services or PHI security has occurred, we will immediately inform the User impacted by or likely to be impacted by the breach.
8.9. With respect to any breach of the System or PHI security, we will immediately act to:
a) remedy the breach;
b) manage and mitigate effects of the breach; and
c) develop a strategy for the prevention of a future breach under a similar circumstance.
8.10. The Parties will not allow any person to use PHI in the Services unless that person has been authorized as a designated User by an Account Owner and the Services Provider.
8.11. The Parties will use all reasonable efforts to protect the Services and the PHI against any unauthorized access, use, disclosure or modification. This obligation shall survive termination of the Agreement.
8.12. We shall provide Users with audit logs of the Users', its agents' and our activity in the Services upon Users' request, and cooperate with Users' investigations of inappropriate use of the Services by User's agents.
8.13. The Parties shall only permit use of PHI if it is necessary to carry out a collection, use or disclosure contemplated under this Agreement. Except as otherwise required in the Agreement, wherever possible the parties shall de-identify PHI before using or disclosing.
8.14. The Parties agree that every User of the Services shall use and disclose the minimum PHI that is essential to enable the User to carry out one or more of the purposes authorized by the Agreement. The Parties agree that PHI shall only be collected, stored, used and disclosed as contemplated by this Agreement.
8.15. We may use outside companies, called third parties, to help us provide the Services. Regardless of the location of these third parties, we require these third parties to comply with Canadian privacy legislation and our Privacy Policy. Certain third parties may be located in the United States and therefore may also be subject to US legislation.
8.16. The User covenants and agrees that it will: (a) comply with all applicable laws, including laws relating to maintenance of privacy, security, and confidentiality of patient and other health information; (b) ensure that any use of the Services (including making health information available through the Services) complies with applicable law, including all laws relating to maintenance of privacy, security, and confidentiality of patient and other health information; (c) implement and maintain appropriate administrative, physical and technical safeguards to protect information within the Services from unauthorized access, use or alteration; (d) be responsible for the use of the Services by the User and those for whom the User is responsible, in law; (e) immediately notify us of any breach or suspected breach of the security of the Services of which the User becomes aware, to take such action to mitigate the breach or suspected breach as we may direct, and to cooperate with us in investigating and mitigating the breach;
9. Accuracy and PHI Quality
9.1. Corrections or amendments can be made to PHI by the User as required, including in response to a request from a patient for a correction to his/her PHI.
9.2. Corrections or amendments can be made to PHI by us as required, including in response to a request from a User or in accordance with MSP Teleplan records.
9.3. We shall notify the User if the User has accessed any erroneous or outdated information.
9.4. The Parties shall ensure that the PHI that is collected, used or disclosed is accurate and not altered, modified or enhanced except in accordance with this Agreement.
10. Record Maintenance Requirements
10.1. A User may access the Services and use PHI on the System for conducting practice self audits as follows:
- determine whether the requirements of an applicable professional regulatory body are being maintained and its guidelines adhered to;
- to determine whether the requirements of any other governing or overseeing body are being maintained;
- to determine whether the practice's claims submissions are accurate and their claims practices compliant with applicable requirements;
- to determine whether the practice's own written standards and procedures are being effectively and efficiently executed; and
- for any other purpose essential to the practice's effective operation in the provision of health services to individuals.
10.2. We shall conduct periodic and/or random audits of access to the System and use or disclosure of PHI including assessments of levels of access; the identity of individuals or entities accessing, using or disclosing PHI; and the purposes of access, use or disclosure.
10.3. We shall ensure that the Services provide for an audit trail to supply a record of collection, use, access, disclosure and corrections made to the PHI.
10.4. When, in accordance with applicable law and any provincial/territorial regulatory authority (College) policies, PHI is required to be destroyed, we shall ensure that the PHI has been destroyed in an appropriate manner consistent with applicable law and any provincial/territorial regulatory authority (College) policies.
11. Data Availability
11.1. We shall provide scheduled maintenance ("Scheduled Maintenance") for the purpose of general maintenance and upkeep of the Services, including, without limitation, general adjustments to the System, the installation of bug fixes and patches, and the implementation of updates, upgrades, revisions and new versions of software and hardware. During these periods User Content may be unavailable.
11.2. We shall also provide remedial maintenance ("Remedial Maintenance"), including responding to problems encountered by the Users when the User reports problems to us. During remedial maintenance User Content may be unavailable.
11.3. We destroy PHI or make the information anonymous as soon as it is reasonable to assume the following:
- the purpose for which the personal information was collected is no longer being served by keeping the personal information, and
- it is no longer necessary to keep the personal information for legal or business purposes.
12. Backups
12.1. Users of Claim Manager Desktop are responsible to perform regular backup of their User Content. They shall back up their files either by creating a copy of their C:/ClaimManager folder or by using backup functionality built in the application. Users shall treat backup files with the same care and responsibility as any other PHI information of their patients.
12.2. The Account Owner of Claim Manager Online is responsible for regular back up of Data Centre's or Health Care Practice's User Content by downloading a complete database of User Content in a format of *.csv file. This feature is available in the Services. The Account Owner shall keep the backup file in safe places in multiple copies. This file is archived for effective storage and encrypted with a password. This file can also be used to transfer User Content to a different billing software.
12.3. We shall perform backup of User Content stored on the Servers that involves nightly incremental and periodic full backups of the Claim Manager Online data.
13. Termination and Suspension of the Services
13.1. After suspension of the Services or expiration of the License, Users will continue to have access to USER CONTENT, but not the use of the Services, within three (3) months or until the Services are available, whatever is less. The access to the Services will be in a read-only mode so that Users can export files with User Content in the forms of available reports.
13.2. After termination of the Services, Users will not be able to access their accounts and USER CONTENT; however, we will make all reasonable efforts to keep their data for twelve months after the termination of the Services and to provide Users on their request with an export file containing the information about their patients in format approved by Medical Software Vendor Association of BC.
a) An export file will include information only about the patients who received health services from a User. It will not include information about the patients who received health services exclusively from other practitioners in a Health Care clinic.
b) An export file will not be provided to a practitioner's employees or agents without a written consent from the practitioner.
c) We will charge fee for fulfilling such requests according to our then current Fee Schedule.
d) It might take us up to 30 working days to fulfill such requests.
13.3. If termination of the Services was caused by us going out of business, users might not have access to User Content after the suspension or termination of the Services.
13.4. Services Provider has the right to refuse providing Users with the export file with their USERS CONTENT if the Services were terminated for default (paragraph 16 of Terms of Services), for non-payment, due Force Majeure, or if the Services Provider cannot establish the identity of USERS requiring an export file.
14. Indemnification
14.1. Users agrees to be liable to and to indemnify and hold Acclaim Consulting Inc., its employees, subcontractors, agents and suppliers harmless from any and all claims, demands, suits, actions, causes of action or liability of any kind whatsoever for damages, losses, costs or expenses (including legal fees and disbursements) or other amounts that may arise, directly or indirectly as a result of:
14.1.1. any breach of applicable law;
14.1.2. any breach of the Agreement;
14.1.3. any unauthorized collection, use, or disclosure or alteration of PHI;
14.1.4. any unauthorized exchange of PHI;
14.1.5. any unauthorized access to the System;
14.1.6. any breach of the security or privacy of PHI the Physician has entered or has provided access to through the System; or
14.1.7. any unauthorized alteration (including, without limitation, unauthorized access) of the PHI the User has contributed to the System, or caused by the Services Provider, its employees, agents or others for whom the User is legally responsible.
14.2. INDEMNIFICATION PROCESS: The indemnifying party will defend and settle, at the indemnifying party's own expense, all such claims and will pay all awards, damages, costs and other amounts awarded to the claimant or agreed to in a settlement, including the indemnified party's reasonable legal fees and expenses prior to the indemnifying party assuming control of the defence to such claims and the reasonable and necessary expenses relating to cooperation requested by the Indemnifying Party.
14.3. INDEMNIFICATION CONDITIONS: The indemnified party shall notify the indemnifying party of such claim without undue delay. The indemnifying party shall have control over the defence, final award or settlement of such claim, provided that the indemnifying party shall not compromise or settle a claim in the name of the indemnified party without the indemnified party's prior consent. The indemnified party shall cooperate with the indemnifying party in such defence and settlement.
14.4. Users agree to provide us with full co-operation and assistance in relation to any complaint, notice or communication which relates directly or indirectly to the processing of personal data or other information or to the Users' compliance with any applicable local and national laws. The Users agree to promptly comply with any request from Acclaim requiring them to amend, transfer and/or delete any information recorded by them on the Services.
15. Limitation of Liability
15.1. In no event shall any provision of this Agreement limit or exclude the Users' liability for any unauthorized or unlawful collection, access, use or disclosure of PHI.
16. Representations and Warranties
16.1. Users represent and warrant to the Services Provider that: (a) they have the full power and authority to enter into and perform its obligations under this Agreement; (b) there are no outstanding contracts, commitments, covenants or agreements to which Users are a party which conflict with this Agreement or which may limit, restrict or impair the rights of the ability of Users to perform its obligations hereunder; (g) Users will comply with all applicable law and any provincial/territorial regulatory authority (College) policies in the performance of its obligations hereunder.
17. Governing Law/Forum
17.1. GOVERNING LAW/FORUM: The Parties hereby agree that their relationship and the resolution of any and all disputes arising therefrom, including any issues related to this Agreement, shall be governed by and construed in accordance with the laws of the Province of British Columbia and the laws of Canada applicable therein.
17.2. JURISDICTION: The Parties hereby acknowledge that the Services will be provided in Richmond in the Province of British Columbia and that the Courts of the Province of Richmond, British Columbia shall have exclusive and preferential jurisdiction to entertain any complaint, demand, claim or cause of action whatsoever arising out of this Agreement. The parties hereby agree that if either of them commences any such legal proceedings they will only be commenced in Richmond, British Columbia and hereby irrevocably submit to the exclusive jurisdiction of the Courts of Richmond, British Columbia.
18. Changes to this Agreement
18.1. Any changes or modifications to this Agreement will be posted thirty (30) days before they take effect. We will not make retroactive changes to the practices associated with your personal information without your consent.
18.2. If you do not agree to the changes implemented by us your sole and exclusive remedy is to terminate your relationship with us as a customer of the SERVICES. Unless explicitly stated otherwise, any new features or products that change, augment or enhance THE SERVICES will be subject to this Agreement.
19. Severability
If a provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect.
Our postal address is
145-12100 Riverside Way
RICHMOND BC V6W 1K5
Phone: +1 (604) 626-9903
Fax: +1 (866) 863-6217
Email: info@tripletee.com