Supplemental Terms Governing
Agreements for Services Performed for
Ethicon, Inc., Ethicon, LLC, Ethicon US, LLC, Ethicon Endo-Surgery, Inc.,
Ethicon Endo-Surgery, LLC, Obtech Medical Sàrl or Sterilmed, Inc.
Effective Date: April 1, 2014
Except to the extent explicitly agreed otherwise in your agreement with Ethicon, Inc., Ethicon, LLC, Ethicon US, LLC, Ethicon Endo-Surgery, Inc., Ethicon Endo-Surgery, LLC, Obtech Medical Sàrl or Sterilmed, Inc. (each the “Company”), the following terms and conditions shall govern your performance of services for the Company under Service Provider’s agreement with Company (the “Agreement”), but only to the extent that you or any subcontractors you utilize to perform the services, and/or the services to be provided under your agreement with Company meet the below criteria. Hereinafter, you shall be referred to as “Service Provider”.
a. If Service Provider will travel at the request of Company in furtherance of any service to be performed under the Agreement, Service Provider will comply with the provisions of Part A of the Supplemental Terms.
b. If the services to be provided under the Agreement involve the use or disclosure of Protected Health Information (as defined under the U.S. HIPAA Privacy Requirements), Service Provider will comply with the provisions of Part B of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
c. If Service Provider is, or in connection with any service to be performed under the Agreement will engage, any health care professional, a medical school, a medical institution that employs or grants privileges to health care professionals, a medical society, a medical trade association or a government agency that buys health care products and/or services, Service Provider will comply with the provisions of Part C of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
d. If Service Provider or its subcontractors either (i) own or operate facilities in the European Union or (ii) have/has employees located in the European Union that will provide services or transfer any information that can be used to identify a person (“Personal Information”) in connection with services performed under the Agreement, or (iii) Service Provider or its subcontractors will collect, receive or use Personal Information in connection with services performed under the Agreement, Service Provider will comply with the provisions of Part D of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
e. If Service Provider or its subcontractors employ persons who will provide services under the Agreement, Service Provider and its subcontractors will abide by the provisions of Part E of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
f. If the services to be provided under the Agreement involve the creation of records which demonstrate regulatory, legal and/or other compliance, Service Provider will comply with the provisions of Part F of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
g. If the services to be provided by Service Provider under the Agreement involve the provision of general reimbursement-related information and support to health care providers, office managers, patients and/or third party payors, Service Provider will comply with the provisions of Part G of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
h. If the services to be provided by Service Provider under the Agreement involve the disclosure of prescribing information, Service Provider will comply with the provisions of Part H of the Supplemental Terms, and Service Provider agrees to include such provisions in its contracts with any subcontractors it engages to perform the services.
i. If Service Provider will have access to Company’s IT network in connection with performing services under the Agreement or if in furtherance of such services and/or if Company provides Service Provider any computing assets or devices, including without limitation, a smart phone, virtual private network token or laptop computer, Service Provider shall comply with the provisions of Part I of the Supplemental Terms.
Part A - Travel Policy
Company shall cover the cost of travel and living expenses related to Service Provider’s work, provided that such costs and expenses abide by this travel policy and have been approved in advance by Company. Company will neither reimburse personal expenses incurred by the Service Provider nor expenses incurred by anyone other than the Service Provider.
I. Travel Reservations: All reservations for air travel, lodging, and ground transportation should be made through the J&J Travel Department. Reservations can be made by contacting J&J Travel at (888) 565-8728 between the hours of 8:30 a.m. and 4:30 p.m. Eastern Standard Time.
II. Airfare: J&J has an established airfare policy. Under the terms of this policy, the J&J Travel Department will select the lowest fare alternative within the time frame of the Service Provider’s request without significantly inconveniencing the Service Provider. A change in departure or arrival time of approximately one hour is not considered an undue inconvenience.
a. Corporate discount fares have been negotiated with several preferred airline carriers. Where it is beneficial to Company and the Service Provider will not be unduly inconvenienced, Service Providers are encouraged to book reservations on the preferred carriers.
b. Class of Service shall be determined by the length of elapsed flight time. All flights with less than six hours elapsed flight time will be booked in Coach Class. Flights of six or more hours will be booked in Business Class. Company will not pay for First Class travel.
c. Airfare should be charged using either an authorized Company BTA (“Business Travel Account”) or Service Provider’s personal credit card. In the event Service Provider’s personal credit card is used, Service Provider must obtain approval from Company prior to final booking of their airfare. Once travel has occurred, Service Provider must submit original receipts with other travel expenses for reimbursement. Company shall reimburse Service Provider within 7 working days of receipt of travel expenses. Company cannot reimburse in advance of the travel occurrence.
III. Lodging: J&J Travel has several preferred hotels (i.e., Embassy Suites, Marriott, DoubleTree, etc.). Where these hotels are available, Service Provider shall stay at preferred hotels unless this would cause significant business inconvenience. Hotel room charges cannot exceed policy limits of $275.00 per night. Luxury hotels and resorts/spas are prohibited, unless there is written permission from the Company Corporate Compliance Officer.
a. For Cincinnati based events: In most instances, an authorized BTA has been established with the preferred hotel. Company will be responsible for room charge, tax, phone calls (business-related), and meals (if not provided through event agenda). These charges will be billed to the authorized BTA. Dollar limits for meals must not exceed policy limits of $25.00 per person for breakfast, $50.00 per person for lunch, and $125.00 per person for dinner (evening meal). All other charges (i.e., movies, dry-cleaning (if event is less than 5 days), mini bar, etc.) are the sole responsibility of the Service Provider.
b. For remote location events: Service Provider will be responsible for using Service Provider’s personal credit card for charges. Authorized expenses should be submitted to Company for reimbursement. As in Cincinnati based events, Company will be responsible for room charge, tax, phone calls (business-related), and meals (if not provided through event agenda). Dollar limits for meals at remote location events are the same as for Cincinnati based events (see above). All other charges (i.e., movies, dry-cleaning (if event is less than 5 days), mini bar, etc.) are the sole responsibility of the Service Provider.
IV. Ground Transportation/Car Rental: The use of cost efficient local transportation is encouraged. Service Provider may choose either local ground transportation based on availability, or the rental of a mid-size car. When possible, transportation expenses will be charged to an authorized Company BTA. If for some reason a BTA cannot be utilized, Service Provider may charge expenses to Service Provider’s personal credit card, and submit original receipts for reimbursement. All original receipts for expenses such as fuel, tolls, parking, etc. must be submitted for reimbursement. If the Service Provider is within driving distance of their scheduled event and chooses to use their personal car, Company will reimburse Service Provider the cost of mileage per the terms of the J&J eXRS Car Mileage Rate.
Part B - Use of Protected Health Information
With respect to the services provided pursuant to Service Provider’s agreement with Company, Service Provider shall ensure that the provision of the Services complies with any HIPAA Privacy Requirements that apply to such Protected Health Information. The “HIPAA Privacy Requirements” refer collectively to the applicable provisions of the Administrative Simplification section of HIPAA - the Health Insurance Portability and Accountability Act of 1996 (as codified at 42 U.S.C. § 1320d - d-8) and any regulations promulgated thereunder, including without limitation, the federal privacy regulations (45 CFR Parts 160 and 164) and the federal security standards (45 CFR Part 142). Without limiting the foregoing, Service Provider will use a HIPAA-compliant Patient Authorization whenever the HIPAA Privacy Requirements so require. When the Services provided under the Agreement involve direct interactions with patients, consumers or caregivers, the Service Provider shall obtain written consent from any such person allowing Company to use and disclose the personal information collected from such persons.
Part C - Health Care Compliance
The parties acknowledge and agree that the compensation set forth in their agreement for services represents the fair market value of the services provided, negotiated in an arms-length transaction and has not been determined in a manner which takes into account the volume or value of any referrals or business otherwise generated between Company and Service Provider. Nothing contained in Service Provider’s agreement with Company shall be construed in any manner as an obligation or inducement for the Service Provider to recommend that patients purchase Company products or those of any organizations affiliated with Company. The parties further agree that Service Provider’s agreement with Company does not involve the counseling or promotion of a business arrangement that violates state or federal law.
With respect to the services provided pursuant to Service Provider’s agreement with Company, Service Provider shall:
I. Ensure that the services are provided in compliance with all applicable laws and regulations, including but not limited to: laws and regulations pertaining to the promotion of products regulated by the FDA (21 U.S.C. §§ 201, et seq. and its implementing regulations); laws, regulations and guidance pertaining to state and federal anti-kickback statutes (42 U.S.C. §§ 1320a-7b(b), et seq. and their implementing regulations) and submission of false claims to governmental or private health care payors (31 U.S.C. §§ 3729, et seq. and its implementing regulations); state and federal laws and regulations relating to the protection of individual and patient privacy (42 U.S.C. §§ 1320d, et seq. and their implementing regulations); and any other laws and regulations applicable to the provision of the Services.
II. Ensure that the Service Provider is:
a. not excluded from a federal health care program as outlined in Sections 1128 and 1156 of the Social Security Act (see the Office of Inspector General of the Department of Health and Human Services List of Excluded Individuals/Entities at http://www.oig.hhs.gov/FRAUD/exclusions/listofexcluded.html).
b. not debarred by the FDA under 21 U.S.C. 335a (see the FDA Office of Regulatory Affairs Debarment List at http://www.fda.gov/ora/compliance_ref/debar/).
c. otherwise not excluded from contracting with the federal government (see the Excluded Parties Listing System at http://epls.arnet.gov).
d. if required, duly licensed and in good standing in accordance with applicable state laws to provide the services.
The Service Provider shall report to Company any violations of the compliance obligations applicable to the services provided under the Agreement. The Service Provider agrees that Company and its designated representatives shall have the right, upon reasonable notice, to audit all applicable records of the Service Provider for the purpose of determining compliance with the compliance obligations, and any Company Policies applicable to the services provided under the Agreement and the terms of the Agreement. This right to audit shall extend throughout the term of the Agreement and for the later of a period of 2 years after termination of Service Provider’s agreement with Company or resolution of any disputes between Company and the Service Provider hereunder.
Documentation of Services Performed
For each separate project under a statement of work, proposal, work order or similar document entered into pursuant to the Agreement, Service Provider shall, within 30 days of the conclusion of a project or meeting, provide documentation as set forth in greater detail in the applicable work order, including, at a minimum:
a. Copies of written agreements including compensation terms, with each health care professional providing services.
b. Copies of reports indicating that each health care professional providing services is not excluded or debarred and, for any healthcare practitioner, duly licensed under state law. Service Provider shall obtain such reports prior to engaging such health care professionals to provide services for Company’s benefit.
c. Documentation of the services provided by such health care professional, e.g., a written report, comments collected at a meeting, etc.;
d. Electronic report of overall expenses paid to or on behalf of each health care professional in connection with the statement of work, proposal, work order or similar document.
e. Electronic copies of all original receipts documenting such expenses.
f. Copy of any required ethics or other authorizations allowing health care professionals employed by federal, state or local government agencies to provide services for Company’s benefit in connection with the Agreement.
Disclosure of Funding
The parties acknowledge that the Physician Payments Transparency Requirements of the Patient Protection and Affordable Care Act of 2010 (codified at 42 U.S.C. 1320a-7h) and implementing regulations, require Company to annually report to the Centers for Medicare and Medicaid Services (CMS) certain information about payments and transfers of value provided directly or indirectly to U.S. physicians and teaching hospitals. As required by law, Company will report to CMS information about payments or transfers of value Company provides to Service Provider under the Agreement, which CMS will make publicly available. Such reported information will include the identity and business address of Service Provider, the value and purpose of any payments or transfers of value that are made in connection with this Agreement, and any other information as may be required by law. The Company may also report information about compensation, payments and transfers of value provided to Service Provider as necessary to meet any other legal requirements, and the Company reserves the right to post on a website accessible to the public, information regarding such compensation made to Service Provider, whether or not required by law.
Disclosure of Relationship
If Service Provider participates on any committee or board that establishes formulary or other clinical standards, Service Provider will disclose to such committee or board the nature of the Agreement and Service Provider’s relationship with Company.
Conflict of Interests for Service Providers who are Individuals
Where the provision of services by Service Provider (and/or his, her, or its subcontractor) is subject to professional and/or employment rules (such as conflicts of interest or ethics policies) established by the Service Provider’s (and/or his, her or its subcontractor’s) employer or a professional organization or institution with which the Service Provider (and/or his, her or its subcontractor) is affiliated, Service Provider (and/or his, her or its subcontractor) warrants that he/ she/it shall comply fully with such rules, including, as applicable, obtaining any required approval(s) prior to delivering the services and making any required reports. Service Provider (and/or his, her or its subcontractor) shall acknowledge this obligation by executing a Certification in the form of the following and returning the same to Company:
Conflict of Interest Certification
Dear Healthcare Professional:
In assuming contractual obligations to Company the undersigned Healthcare Professional agrees that financial ties between healthcare professionals and industry may create Conflicts of Interest, both real and perceived, which must be identified and resolved to preserve the public’s trust by ensuring the independence of professional judgment and the integrity of educational and research endeavors. It is the policy of Company to verify that healthcare professionals who receive funding from or provide services to the company abide with any applicable institutional Conflict of Interest policies.
Accordingly, please complete the information below, sign, and return to our attention at your first opportunity.
* * *
I have assessed whether any institutional Conflict of Interest policies apply to me by virtue of my employment or professional affiliation with regard to the above referenced arrangement with [Company]. Further, with respect to such Conflict of Interest policies I certify the following:
[ ] No Conflict of Interest policies apply
[ ] I have complied and will continue to comply fully with all applicable Conflicts of Interest requirements (e.g., approval, disclosure or reporting requirements, compensation or other limits on outside research, or reporting of compensation) imposed by all Institutions whose internal rules and policies apply to me.
Part D – Data Protection
I. For the purposes of this Part D, the following terms shall have the meanings given below:
“Individual” shall mean any person about whom Personal Data may be Processed in the performance of the Agreement;
“Company Standards” shall mean Company’s human resources, employment, and other standards, plans, programs, policies, practices, processes, procedures, and controls, and associated technologies, architectures, products, and systems, including, but not limited to, the J&J Worldwide Information Asset Protection Policies;
“Personal Data” shall mean data that identifies or can be used to identify an Individual;
“Process” or “Processing” shall mean the collection, use, disclosure, transfer, storage, deletion, combination, access, or other use of Personal Data as contemplated by applicable privacy and data protection laws;
“Public Authority” shall mean a public agency or authority of any country, state, territory, or political subdivision of a country, state, or territory, or a person or entity acting under a grant of authority from or under contract with such public agency or authority, that is authorized by law to enforce individual rights with respect to Personal Data, or to oversee or monitor compliance with privacy and data protection laws, rules, and regulations;
“Special Personal Data” shall include any of the following types of Personal Data: (i) social security number, taxpayer identification number, passport number, driver’s license number or other government-issued identification number; or (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account; or (iii) information on race, religion, ethnicity, sexual orientation, union membership, medical or health information, background check information, judicial data such as criminal records or information on other judicial or administrative proceedings.
II. Service Provider will:
a. Ensure that all Personal Data collected by Service Provider are processed only as instructed by Company, and only to perform obligations under the Agreement and as specifically permitted by the Agreement or as otherwise instructed in writing from time to time by Company. Service Provider may not use such Personal Data for any purpose other than providing Services under the Agreement, including without limitation for its own commercial benefit, unless agreed to in writing by Company;
b. Ensure that Personal Data are not disclosed or transferred to or allow access by any third party (including affiliates and subcontractors) without the prior written permission of Company, except (i) as specifically stated in the Agreement, or (ii) where such disclosure or transfer is required by any applicable law, regulation, or Public Authority;
i. If Company consents to Service Provider’s disclosure of Personal Data to a third party, such third party shall, prior to any such disclosure, have entered into an Agreement at least as restrictive as the Agreement. Service Provider shall remain accountable and responsible for all actions by such third parties with respect to the disclosed Personal Data;
ii. If Service Provider is required to make a disclosure or transfer of Personal Data, Service Provider shall, wherever possible, notify Company promptly (and in any event within five days of receipt of such a request) in writing. Prior to complying with any such request for disclosure or transfer, Service Provider shall comply with all reasonable directions of Company with respect to such disclosure or transfer;
c. Ensure that all Personal Data created by Service Provider on behalf of Company are accurate and, where necessary, kept updated, and ensure that any Personal Data which are inaccurate or incomplete are erased or rectified in accordance with Company’s instructions or applicable J&J Standards;
d. Hold Personal Data in strict confidence and ensure that all Personal Data received from or on behalf of Company and its affiliates are maintained in a secure manner; and develop, implement, maintain, and monitor a comprehensive, written information security program that contains administrative, technical and physical safeguards to protect against anticipated threats or hazards to the confidentiality, integrity and security of, the unauthorized or accidental destruction, loss, alteration or use of, and the unauthorized access to, Personal Data with measures that meet or exceed the requirements of the J&J Standards, prevailing industry standards, as well as mandatory security requirements applicable to the Service Provider;
e. Conduct a risk assessment to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality and integrity of electronic, paper and other records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks.
f. Review and, as appropriate, revise its information security program: (a) at least annually or whenever there is a material change in Service Provider’s business practices that may reasonably implicate the security or integrity of Personal Data; (b) in accordance with prevailing industry practices; and (c) as reasonably requested by Company. If Service Provider modifies its information security program following such a review, Service Provider shall promptly notify Company of such modifications and shall provide such modifications to Company in writing upon Company’s request. Service Provider may not alter or modify its information security program in such a way that will weaken or compromise the confidentiality and security of Personal Data.
g. Maintain appropriate access controls, including, but not limited to, limiting access to Personal Data to the minimum number of Service Provider employees and personnel who require such access in order to provide the goods and/or services to Company under Service Provider’s agreement with Company;
h. Require its employees and personnel who will be provided access to, or otherwise come into contact with, Personal Data (including during the term of their employment or retention and thereafter) to protect all Personal Data in accordance with the requirements of the Agreement; and provide such employees and personnel with appropriate training regarding information security and the protection of personal information.
i. Ensure that its information security program covers all networks, systems, servers, computers, notebooks, laptops, PDAs, mobile phones, and other devices that process or handle Personal Data or allow access to Company networks, systems or information. Moreover, Service Provider shall ensure that its information security program includes industry standard password protections, firewalls and anti-virus and malware protections to protect Personal Data stored on computer systems.
j. Encrypt, using industry standard encryption tools, all records and files containing Special Personal Data that Service Provider: (a) transmits or sends wirelessly or across public networks; (b) stores on laptops or storage media; and (c) where technically feasible, stores on portable devices. Service Provider shall safeguard the security and confidentiality of all encryption keys associated with encrypted Special Personal Data.
k. Regularly dispose of Personal Data that Company notifies Service Provider in writing is no longer necessary to provide the services to Company. If Service Provider disposes of any paper, electronic or other record containing Personal Data, Service Provider shall do so by taking all reasonable steps to destroy the information by: (a) shredding; (b) permanently erasing and deleting; (c) degaussing; or (d) otherwise modifying the Personal Data in such records to make it unreadable, unreconstructable and indecipherable.
l. Notify Company in writing immediately (and in any event within 24 hours) whenever Service Provider reasonably believes that there has been any unauthorized access, acquisition, use, disclosure or destruction of Personal Data (“Security Breach”), and provide detailed information regarding the nature and scope of the Security Breach, the actual or potential cause of the breach, and the measures being taken by Service Provider to investigate the breach, correct or mitigate the breach, and prevent future breaches. Service Provider agrees that any decision to notify Data Subjects or Public Authorities of the Security Breach shall be at Company’s sole discretion and any notice shall be approved in advance by Company;
m. Notify Company promptly in writing (and in any event within five days of receipt) of any communication received from an Individual relating to such Individual’s request to access, modify, or correct his or her Personal Data and comply with all reasonable instructions of Company before responding to such communications.
III. Service Provider shall take any other steps reasonably requested by Company to assist Company in complying with any notification or other obligations applicable to Company or its affiliates under applicable laws, rules, and regulations with respect to such party’s Processing of Personal Data under the Agreement. In the event that the Agreement, or any actions to be taken or contemplated to be taken in performance of the Agreement, do not or would not satisfy either party’s obligations under such laws, the parties shall negotiate in good faith upon an appropriate amendment to the Agreement.
IV. At any time during the term of the Agreement, upon prior request and in a reasonable time and manner, Service Provider agrees to make its internal policies and procedures, practices, books, and records relating to the privacy and security of Personal Data and the Processing of Personal Data available to Company and/or its affiliates for assessment.
V. Service Provider shall provide Company, its authorized representatives, and any such independent inspection body or public authority as Company may appoint, on reasonable notice, with (i) access to Service Provider’s premises and records; (ii) reasonable assistance and cooperation of Service Provider’s relevant staff; and (iii) reasonable facilities at Service Provider’s premises for the purpose of auditing Service Provider’s compliance with its obligations under the Agreement. Upon request, and within a reasonable period of time, Service Provider shall be obliged to provide Company with all information necessary to carry out a comprehensive review of the Processing. Service Provider shall, upon request from Company, inform Company of the measures it has taken to ensure the implementation of appropriate technical and organizational measures.
VI. Upon Company’s request, Service Provider shall enter into appropriate data transfer agreements with Company and Company Affiliates as needed to satisfy cross-border transfer obligations relating to Personal Data, such as the Standard Contractual Clauses issued by the European Commission, a Safe Harbor Onward Transfer Agreement or other similar agreements.
VII. Upon termination or expiration of the Agreement for whatever reason, or upon request by Company, Service Provider shall immediately cease to Process the Personal Data and shall promptly return to Company all such Personal Data, or destroy the same, in accordance with instructions given by Company at that time.
VIII. Service Provider shall notify Company of its designated primary security manager. The security manager shall be responsible for managing and coordinating the performance of Service Provider's obligations set forth in this Section/Agreement [modify based on whether this is stand alone or part of a larger agreement].
IX. Notwithstanding anything to the contrary in Service Provider’s agreement with Company, Service Provider agrees to indemnify, keep indemnified, hold harmless, and, upon Company’s request, defend Company and its directors, officers, employees, shareholders, and agents from and against any and all damages, liabilities, expenses, claims, fines, and losses of any type, including without limitation, reasonable legal fees, in connection with, arising out of, or relating to, in whole or in part, a) Service Provider’s failure (or the failure of any employee, contractor, or agent of Service Provider) to comply with the obligations under the Agreement; b) any Security Breach; c) any negligence or willful misconduct by Service Provider, its personnel or agents or any third party to whom Service Provider provides access to Personal Data.
X. The respective rights and obligations of Service Provider under this Part D, shall survive the termination, expiration, or other conclusion of the Agreement.
Part E - Employees
All employees providing material portions of the services shall have adequately performed similar duties for other companies and possess not only the appropriate education and technical skills, but also the ability to communicate clearly to Company and to follow directions. Service Provider will ensure that its personnel are adequately trained on Health Care Compliance, Privacy and all other requirements necessary to perform the services. Service Provider will maintain documentation of training materials and personnel training records.
Employment of Young Persons
This policy applies to the employment by Service Provider of persons under the age of 18 (“Young Persons”) in the manufacture of any product, or any component of any product, or any services provided to Johnson & Johnson or any of its affiliates worldwide.
Age, Health & Safety
No person under the age of 16 shall be employed. No person between the ages of 16 and 18 shall be employed unless such employment is in compliance with the health, safety and moral provisions of the International Labour Organization Convention 138 Concerning Minimum Age (“ILO Convention 138”), a summary of which appears below.
No young person shall be required to work more than 48 hours of regularly scheduled time and 12 hours of overtime per week, nor more than six days per week.
Laws & Regulations
No young person shall be employed unless such employment is in compliance with all applicable laws and regulations concerning age, hours, compensation, health and safety.
No manufacturer shall be engaged to manufacture any product, or any component of a product, for Johnson & Johnson or any of its affiliates worldwide unless such manufacturer has entered into an enforceable written agreement to comply with this policy, submit to periodic compliance inspections, maintain the records necessary to demonstrate compliance and provide annual certifications of compliance. If any such manufacturer shall be found to be in breach of such agreement, the manufacturer’s engagement shall be terminated.
Exceptions & Interpretations
Upon good cause shown in a specific situation, an exception to the Age and Hours (but not Health & Safety) provisions of this policy may be granted by the responsible Executive Committee Member with the concurrence of the Vice President, Administration, if such exception is consistent with ILO Convention 138 and all applicable laws and regulations. (See attached summary of ILO Convention 138.) Requests for definitive interpretations of this policy should be directed to the General Counsel.
(NOTE. The Age provision of the Johnson & Johnson Policy on the Employment of Young Persons is more restrictive than ILO Convention 138. The following summary is provided only as an explanatory supplement to the Health & Safety and Exceptions provisions of the Johnson & Johnson policy. For guidance on specific situations, please contact the Johnson & Johnson Law Department.)
Summary of ILO Convention No. 138 Concerning Minimum Age
For work likely to jeopardize the health, safety or morals of the worker, the minimum age is 18; if there is adequate protection and training of the worker, then the minimum age for such work is 16. (No exception to this provision is available under the Johnson & Johnson policy.)
For work which is not likely to jeopardize the health, safety or morals of the worker, the minimum age is 14. (Requires an exception under the Johnson & Johnson policy.)
Part F - Record Keeping
All paper or electronic records, files, documents, work papers and other information in any form, whether marked “confidential” or not (the “Files and Work Papers”), provided by Company, its employees, agents or affiliates or generated pursuant to the Agreement shall remain the exclusive property of Company. Service Provider (and its subcontractors and agents) shall use Company Files and Work Papers only as permitted by the Johnson & Johnson Guideline for Management of Records in Third Party Relationships (the “Guideline”) set forth below. Service Provider shall permit representatives of Company to enter Service Provider’s premises unannounced at any reasonable time for a site visit, and Service Provider shall ensure that representatives of Company shall be permitted to enter the premises of any subcontractor or agent of Service Provider, unannounced at any reasonable time, in order to assess Service Provider’s (or its subcontractors’ or agents’) compliance with the Guideline. Service Provider (and its subcontractors and agents) shall maintain the records necessary to demonstrate compliance with the Guideline and shall provide to Company a written certification upon request of Company. Service Provider’s failure to comply with this Section shall be considered a material breach of the Agreement and Company shall have the right to terminate the Agreement forthwith, effective upon 10 days’ prior written notice, and without payment of any penalty or termination fee.
Johnson & Johnson Guideline for Management of Records in Third Party Relationships
Company Files and Work Papers must not be used by Service Provider, its employees, agents, affiliates, or others for their own gain.
Company Files and Work Papers related to Service Provider’s agreement with Company must be generated, maintained and managed separately from files generated, managed or maintained by Service Provider under agreements with other companies. In addition, those employees or agents of Service Provider working on projects for Company cannot work on projects for competitors of Company at the same time where a conflict of interest might occur.
Company Files and Work Papers that are created or modified by Service Provider in electronic format must be submitted to Company in electronic format or as otherwise directed by Company.
Company Files and Work Papers must not be stored within Service Provider’s or its employees’ or agents’ homes.
Files and Work Papers of Company must be destroyed on a timely basis as follows:
1. Files and Work Papers provided to Service Provider by or on behalf of Company or generated by Service Provider pursuant to Service Provider’s agreement with Company shall be kept in Service Provider’s possession only so long as it serves a necessary business purpose, the project is ongoing and, in no case, longer than the time specified in Service Provider’s agreement with Company without the express written permission of Company.
2. Only final Work Papers (i.e. work products) may be retained after the completion of a project, but in no case beyond termination of Service Provider’s agreement with Company, without the express written permission of Company.
3. Upon termination of Service Provider’s agreement with Company for any reason and/or upon Company’s written request, all Files and Work Papers prepared by Service Provider in connection with services rendered under Service Provider’s agreement with Company shall be returned to Company or destroyed as directed by Company. No copies are to be made or retained by Service Provider.
4. Notwithstanding the above requirements, Service Provider must maintain records to the extent required by state and federal statutes and regulations, as applicable.
5. Service Provider must promptly notify Company prior to destruction of any Company Files and Work Papers so that it can be verified that records are not pertinent to any litigation or government inquiry or otherwise required to be maintained before their destruction.
6. Service Provider must promptly notify Company prior to the production of subpoenaed Company Files and Work Papers so that Company may seek a protective order or other appropriate protection for Company Files and Work Papers.
Part G - Reimbursement
Service Provider has read the terms of the Johnson & Johnson Guidance Document on Reimbursement Issues, including its review process provisions, and agrees to comply with the terms thereof.
Part H - Disclosure of Prescribing Information
Before disclosing to Company any information concerning the prescribing practices of a health care professional, Service Provider and its subcontractors will first obtain consent from such health care professional to disclose this information and Service Provider will immediately communicate to Company any restrictions placed upon the disclosure by such health care professional.
Part I - Data Safeguards
I. Service Providers who possess Company information that is not publicly available, have access to Company information or computing resources using Service Provider’s computing and network resources over a network-to-network connection, or host any Company information on a Service Provider-hosted, Internet-facing website or web application, shall have in place and maintain an information security program that encompasses administrative, technical, and physical safeguards that meet or exceed the requirements specified in the current SISR (as defined in Section VI of this Part I) and applicable industry standards to protect against threats both to the unauthorized or accidental destruction, loss, alteration, or use of, and the unauthorized disclosure or access to such Company information. Service Providers that collect, disclose, transfer, store, delete, combine or otherwise use Personal Information (as defined in Part D of these Supplemental Terms) for or on behalf of Company, shall also comply with the requirements set forth in Part D.
II. If Service Provider uses a Service Provider computing resource to access the Internet in order to view or input Company information that is not publicly available, provided that Service Provider does not electronically or physically retain any Company non-public information subsequent to such access, Service Provider’s obligation with respect thereto is limited to meeting or exceeding the Internet Access Only Requirements specified in the current SISR and any applicable industry standards reasonably intended to protect against threats both to the unauthorized or accidental destruction, loss, alteration, or use of, and the unauthorized disclosure or access to non-public information.
III. Service Provider personnel (employees, contractors and other individuals) who operate, manage or maintain Company computing and networking resources shall provide those services in compliance with the current IAPP (as defined in Section VI of this Part I), including the deliverables produced under the Agreement (or a statement of work, work order or similar document executed thereunder).
IV. Service Provider personnel who are provided access to Company facilities and/or network and computing resources shall abide by all applicable IAPP Acceptable Use policies and complete the information security training approved by Company. For such personnel, Service Provider shall conduct background checks and/or other investigations deemed necessary, as appropriate and permitted by applicable law. Service Provider personnel with direct, unrestricted access to the Johnson & Johnson Network (“JJNET”) shall complete Company IAPP awareness training upon initial access to JJNET and annually thereafter. Service Provider access or connectivity may be terminated at any time upon violation of policies and/or misuse or abuse of privileges.
V. If Service Provider discovers or is notified of a breach or potential breach of security relating to Company information that is not intended for public release, Service Provider shall (a) notify Company within 24 hours of such breach or potential breach and (b) if the applicable Company information was in the possession of Service Provider at the time of such breach or potential breach, Service Provider shall (i) investigate and remediate the effects of the breach or potential breach and (ii) provide Company with satisfactory assurance that such breach or potential breach will not reoccur. If such breach or potential breach of security relating to Company information concerns “Personal Information” (as defined in Part D of these Supplemental Terms), Service Provider shall also comply with the requirements of Part D relating to notifications to Company and individuals, and other requirements, in the event of a “Security Breach”.
VI. No Company information shall be sold, assigned, leased or otherwise disposed of to a third party by or for Service Provider or commercially exploited by or on behalf of Service Provider or its personnel.
"IAPP" means the Johnson & Johnson Worldwide Policies on Information Asset Protection in effect as of the Effective Date and as revised from time to time by Company and provided to Service Provider. “SISR” means the Johnson & Johnson Service Provider Information Security Requirements in effect as of the Effective Date of the Agreement and as revised from time to time by Company and provided to Service Provider. Service Provider shall have 30 days after receipt of an IAPP or SISR revision from Company to reject any new requirements contained therein. If Service Provider rejects the revised IAPP or SISR, Company shall have the right to terminate the Agreement. If Service Provider intends to implement a change to its systems, policies or procedures that would reduce the level of safeguards already in place, Service Provider shall notify Company and, upon Company's approval, implement such change.