Notice of Publication of Common Agreement for Nationwide Health Information Interoperability (Common Agreement) Version 2.1
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
This notice fulfills an obligation under the Public Health Service Act (PHSA). The act requires the National Coordinator for Health Information Technology to publish on the Office of the National Coordinator for Health Information Technology's public internet website, and in the Federal Register, the trusted exchange framework and common agreement developed under the PHSA. This notice is for publishing an updated version of the Common Agreement (Version 2.1).
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 228 (Tuesday, November 26, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 228 (Tuesday, November 26, 2024)]
[Notices]
[Pages 93309-93334]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-27554]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
Notice of Publication of Common Agreement for Nationwide Health
Information Interoperability (Common Agreement) Version 2.1
AGENCY: Assistant Secretary for Technology Policy/Office of the
National Coordinator for Health Information Technology, Department of
Health and Human Services.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice fulfills an obligation under the Public Health
Service Act (PHSA). The act requires the National Coordinator for
Health Information Technology to publish on the Office of the National
Coordinator for Health Information Technology's public internet
website, and in the Federal Register, the trusted exchange framework
and common agreement developed under the PHSA. This notice is for
publishing an updated version of the Common Agreement (Version 2.1).
ADDRESSES: Common Agreement Version 2.1 is also available on the Office
of the National Coordinator for Health Information Technology's public
internet website at <a href="http://www.HealthIT.gov/TEFCA">www.HealthIT.gov/TEFCA</a>.
FOR FURTHER INFORMATION CONTACT: Mark Knee, Office of the National
Coordinator for Health Information Technology, 202-664-2058.
SUPPLEMENTARY INFORMATION: This notice fulfills the obligation under
section 3001(c)(9)(C) of the Public Health Service Act (PHSA) to
publish the trusted exchange framework and common agreement, developed
under section 3001(c)(9)(B) of the PHSA (42 U.S.C. 300jj-11(c)(9)(B)),
in the Federal Register. This publication consists of the following
document:
[[Page 93310]]
Common Agreement for Nationwide Health Information Interoperability
Version 2.1
October 2024
This document was published by the U.S. Department of Health and
Human Services, Office of the National Coordinator for Health
Information Technology and was produced at U.S. taxpayer expense. This
document meets the requirement in section 3001(c)(9)(C) of the Public
Health Service Act for the National Coordinator for Health Information
Technology to publish on the Office of the National Coordinator for
Health Information Technology's public internet website, and in the
Federal Register, the common agreement (42 U.S.C. 300jj-11(c)(9)(C)).
The Common Agreement for Nationwide Health Information Interoperability
This Common Agreement for Nationwide Health Information
Interoperability (the ``Common Agreement'') is entered into as of the
CA Effective Date, by and between The Sequoia Project, Inc., a Virginia
non-stock corporation, acting as the current Recognized Coordinating
Entity® as defined below (the ``RCE™'') and _____, a
_____ (``Signatory''). RCE and Signatory may also be referred to herein
individually as a ``Party'' or collectively as the ``Parties.''
Recitals
Whereas, Section 4003 of the 21st Century Cures Act directed the
U.S. Department of Health and Human Services (``HHS'') National
Coordinator for Health Information Technology to, ``in collaboration
with the National Institute of Standards and Technology and other
relevant agencies within the Department of Health and Human Services,
for the purpose of ensuring full network-to-network exchange of health
information, convene public-private and public-public partnerships to
build consensus and develop or support a trusted exchange framework,
including a common agreement among health information networks
nationally'' (the ``Trusted Exchange Framework and Common
Agreement''℠ or TEFCA℠);
Whereas, this Common Agreement (including the documents
incorporated herein by reference) is the common agreement developed
pursuant to Section 4003 of the 21st Century Cures Act;
Whereas, The Sequoia Project has been selected by the Office of the
National Coordinator for Health Information Technology (``ONC'') to
serve as the RCE for purposes of implementing, maintaining, and
updating this Common Agreement, including the Qualified Health
Information Network™ (``QHIN™'') Technical Framework, as well as
managing the activities associated with the designation of interested
health information networks (``HINs'') as QHINs (as defined and set
forth in this Common Agreement);
Whereas, Signatory wishes to be Designated as a QHIN and has
completed the application and testing process toward such Designation;
Whereas, Signatory must, among other conditions set forth in this
Common Agreement, agree to be bound by the terms of this Common
Agreement before Signatory may be designated as a QHIN and, upon
signing this Common Agreement, Signatory agrees to be so bound as a
Signatory and as a QHIN, if so Designated, as the case may be;
Now, therefore, in consideration of the mutual promises set forth
herein and other good and valuable consideration, the receipt and
sufficiency of which is hereby acknowledged, the Parties, intending to
be legally bound, mutually agree as set forth below.
Agreement
1. Definitions and Relevant Terminology.
1.1 Defined Terms. Capitalized terms used in this Common Agreement
shall have the meaning set forth below. Where a definition includes one
or more citations to a statute, regulation, or standard, the definition
shall be interpreted to refer to such statute, regulation, or standard
as may be amended from time-to-time.
Applicable Law: all federal, State, local, or tribal laws and
regulations then in effect and applicable to the subject matter herein.
For the avoidance of doubt, federal agencies are only subject to
federal law.
Breach of Unencrypted Individually Identifiable Information: the
acquisition, access, or Disclosure of unencrypted Individually
Identifiable Information maintained by an IAS Provider that compromises
the security or privacy of the unencrypted Individually Identifiable
Information.
Business Associate: has the meaning assigned to such term at 45 CFR
160.103.
Business Associate Agreement (BAA): a contract, agreement, or other
arrangement that satisfies the implementation specifications described
within 45 CFR 164.314(a) and 164.504(e), as applicable.
Common Agreement: unless otherwise expressly indicated, the Common
Agreement for Nationwide Health Information Interoperability, the QHIN
Technical Framework (QTF), all Standard Operating Procedures (SOPs),
and all other attachments, exhibits, and artifacts incorporated therein
by reference.
Common Agreement (CA) Effective Date: if (i) Signatory was
Designated as a QHIN prior to the Implementation Date, then the
Implementation Date; or (ii) if Signatory was Designated as a QHIN
after the Implementation Date, then the date that the RCE executes the
Common Agreement to which Signatory is a Party.
Confidential Information: any information that is designated as
Confidential Information by a CI Discloser, or that a reasonable person
would understand to be of a confidential nature, and is disclosed to a
CI Recipient pursuant to or in connection with a Framework Agreement.
For the avoidance of doubt, ``Confidential Information'' does not
include electronic protected health information (ePHI), as defined in a
Framework Agreement, that is subject to a Business Associate Agreement
or other provisions of a Framework Agreement.
Notwithstanding any label to the contrary, ``Confidential
Information'' does not include any information that: (i) is or becomes
known publicly through no fault of the CI Recipient; or (ii) is learned
by the CI Recipient from a third party that the CI Recipient reasonably
believes is entitled to disclose it without restriction; or (iii) is
already known to the CI Recipient before receipt from the CI Discloser,
as shown by the CI Recipient's written records; or (iv) is
independently developed by the CI Recipient without the use of or
reference to the CI Discloser's Confidential Information, as shown by
the CI Recipient's written records, and was not subject to
confidentiality restrictions prior to receipt of such information from
the CI Discloser.
Confidential Information (CI) Discloser: a person or entity that
discloses Confidential Information.
Confidential Information (CI) Recipient: a person or entity that
receives Confidential Information.
Connectivity Services: the technical services provided by a QHIN,
Participant, or Subparticipant to its Participants and Subparticipants
that facilitate TEFCA Exchange and are consistent with the requirements
of the then-applicable QHIN Technical Framework.
[[Page 93311]]
Contract: the Contract by and between The Sequoia Project and HHS,
or, if applicable, a successor agreement between The Sequoia Project
and HHS or a successor agreement between a different RCE and HHS.
Covered Entity: has the meaning assigned to such term at 45 CFR
160.103.
Cybersecurity Council: the council established by the RCE to
enhance cybersecurity commensurate with the risks in TEFCA Exchange, as
more fully set forth in an SOP.
Designated Network: the Health Information Network that Signatory
uses to offer and provide the Designated Network Services.
Designated Network Governance Body: a representative and
participatory group or groups that approve the processes for fulfilling
the Governance Functions and participate in such Governance Functions
for Signatory's Designated Network.
Designated Network Services: the Connectivity Services or
Governance Services.
Designation (including its correlative meanings ``Designate,''
``Designated,'' and ``Designating''): the RCE's written confirmation to
ONC and Signatory that Signatory has satisfied all the requirements of
the Common Agreement, the QHIN Technical Framework, all applicable
SOPs, and is now a QHIN.
Directory Entry(ies): listing of each Node controlled by a QHIN,
Participant or Subparticipant, which includes the endpoint resource for
such Node(s) and any other organizational or technical information
required by the QTF or an applicable SOP.
Disclosure (including its correlative meanings ``Disclose,''
``Disclosed,'' and ``Disclosing''): the release, transfer, provision of
access to, or divulging in any manner of TEFCA Information (TI) outside
the entity holding the information.
Discover (including its correlative meanings ``Discovery'' and
``Discovering''): the first day on which something is known to the
QHIN, Participant, or Subparticipant, or by exercising reasonable
diligence would have been known, to the QHIN, Participant or
Subparticipant.
Discriminatory Manner: any act or omission that is inconsistently
taken or not taken with respect to any similarly situated QHIN,
Participant, Subparticipant, Individual, or group of them, whether it
is a competitor, or whether it is affiliated with or has a contractual
relationship with any other entity, or in response to an event.
Dispute: (i) a disagreement about any provision of this Common
Agreement, including any SOP, the QTF, and all other attachments,
exhibits, and artifacts incorporated by reference; or (ii) a concern or
complaint about the actions, or any failure to act, of Signatory, the
RCE, any other QHIN, or another QHIN's Participant(s) or
Subparticipant(s).
Dispute Resolution Process: the non-binding Dispute resolution
process set forth in an SOP.
Electronic Protected Health Information (ePHI): has the meaning
assigned to such term at 45 CFR 160.103.
Exchange Purpose(s) or XP(s): the reason, as authorized by a
Framework Agreement, including the applicable SOP(s), for a
transmission, Query, Use, Disclosure, or Response transacted through
TEFCA Exchange.
Framework Agreement(s): with respect to QHINs, the Common
Agreement; and with respect to a Participant or Subparticipant, the
Participant/Subparticipant Terms of Participation (ToP).
FHIR Endpoint: has the meaning assigned to such term in the Health
Level Seven International® (HL7®) Fast Healthcare
Interoperability Resources (FHIR®) Specification available at
<a href="https://hl7.org/fhir/r4/">https://hl7.org/fhir/r4/</a>, as such specification may be amended,
modified or replaced.
FTC Rule: the Health Breach Notification Rule promulgated by the
Federal Trade Commission set forth at 16 CFR part 318.
Governing Council: the permanent governing body for activities
conducted under the Framework Agreements, as more fully described in
the applicable SOP(s).
Government Benefits Determination: a determination made by any
agency, instrumentality, or other unit of the federal, State, local, or
tribal government as to whether an Individual qualifies for government
benefits for any purpose other than health care (e.g., Social Security
disability benefits) to the extent permitted by Applicable Law.
Disclosure of TI for this purpose may require an authorization that
complies with Applicable Law.
Government Health Care Entity: any agency, instrumentality, or
other unit of the federal, State, local, or tribal government to the
extent that it provides health care services (e.g., treatment) to
Individuals but only to the extent that it is not acting as a Covered
Entity.
Governance Functions: the functions, activities, and
responsibilities of the Designated Network Governance Body as set forth
in an applicable SOP.
Governance Services: the governance functions described in
applicable SOP(s), which are performed by a QHIN's Designated Network
Governance Body for its Participants and Subparticipants to facilitate
TEFCA Exchange in compliance with the then-applicable requirements of
the Framework Agreements.
Health Care Provider: meets the definition of such term in either
45 CFR 171.102 or in the HIPAA Rules at 45 CFR 160.103.
Health Information Network (HIN): has the meaning assigned to the
term ``Health Information Network or Health Information Exchange'' in
the information blocking regulations at 45 CFR 171.102.
HIPAA: the Health Insurance Portability and Accountability Act of
1996, Public Law 104-191, and the Health Information Technology for
Economic and Clinical Health Act of 2009, Public Law 111-5.
HIPAA Rules: the regulations set forth at 45 CFR parts 160, 162,
and 164.
HIPAA Privacy Rule: the regulations set forth at 45 CFR parts 160
and 164, Subparts A and E.
HIPAA Security Rule: the regulations set forth at 45 CFR part 160
and 164, Subpart C.
Implementation Date: the date sixty (60) calendar days after
publication of version 2 of the Common Agreement in the Federal
Register.
Individual: has the meaning assigned to such term at 45 CFR
171.202(a)(2).
Individual Access Services Incident (IAS Incident): a TEFCA
Security Incident or a Breach of Unencrypted Individually Identifiable
Information maintained by an IAS Provider.
Individual Access Services Provider (IAS Provider): each QHIN,
Participant, and Subparticipant that offers Individual Access Services
(IAS).
Individual Access Services (IAS): the services provided to an
Individual by a QHIN, Participant, or Subparticipant that has a direct
contractual relationship with such Individual in which the QHIN,
Participant, or Subparticipant, as applicable, agrees to satisfy that
Individual's ability to use TEFCA Exchange to access, inspect, obtain,
or transmit a copy of that Individual's Required Information.
IAS Consent: an IAS Provider's own supplied form for obtaining
express written consent from the Individual in connection with the IAS.
Individually Identifiable Information: information that identifies
an Individual or with respect to which there is a reasonable basis to
believe that the
[[Page 93312]]
information could be used to identify an Individual.
Initiating Node: a Node through which a QHIN, Participant, or
Subparticipant initiates transactions for TEFCA Exchange.
Node: a technical system that is controlled directly or indirectly
by a QHIN, Participant, or Subparticipant and that is listed in the RCE
Directory Service.
Non-HIPAA Entity (NHE): a QHIN, Participant, or Subparticipant that
is neither a Covered Entity nor a Business Associate as defined under
the HIPAA Rules with regard to activities under a Framework Agreement.
To the extent a QHIN, Participant, or Subparticipant is a Hybrid
entity, as defined in 45 CFR 164.103, such QHIN, Participant, or
Subparticipant shall be considered a Non-HIPAA Entity with respect to
TEFCA Exchange activities related to such QHIN, Participant, or
Subparticipant's non-covered components.
ONC: the U.S. Department of Health and Human Services Office of the
National Coordinator for Health Information Technology.
Participant: to the extent permitted by applicable SOP(s), a U.S.
Entity that has entered into the ToP in a legally binding contract with
a QHIN to use the QHIN's Designated Network Services to participate in
TEFCA Exchange in compliance with the ToP.
Participant/Subparticipant Caucus: a forum established pursuant to
an applicable SOP(s), the purpose of which is for the Participants and
Subparticipants to meet and discuss issues of interest directly related
to TEFCA Exchange and related activities under the Framework
Agreements.
Participant/Subparticipant Terms of Participation (ToP): the
requirements set forth in Exhibit 1 to the Common Agreement to which:
QHINs must contractually obligate their Participants to agree; to which
QHINs must contractually obligate their Participants to contractually
obligate their Subparticipants and Subparticipants of the
Subparticipants to agree, in order to participate in TEFCA Exchange
including the QHIN Technical Framework (QTF), all applicable Standard
Operating Procedures (SOPs), and all other attachments, exhibits, and
artifacts incorporated therein by reference.
Passthrough Node: a Node that is neither an Initiating nor
Responding Node and through which a QHIN, Participant, or
Subparticipant transmits transactions to and from Initiating and
Responding Nodes, including any other services it provides.
Privacy and Security Notice: an IAS Provider's own supplied written
privacy and security notice that contains the information required by
the applicable SOP(s).
Protected Health Information (PHI): has the meaning assigned to
such term at 45 CFR 160.103.
Public Health Authority: has the meaning assigned to such term at
45 CFR 164.501.
QHIN Technical Framework (QTF): the most recent effective version
of the document that contains the technical, functional, privacy, and
security requirements for TEFCA Exchange.
Qualified Health Information Network (QHIN): to the extent
permitted by applicable SOP(s), a Health Information Network that is a
U.S. Entity that has been Designated by the RCE and is a Party to the
Common Agreement countersigned by the RCE.
QHIN Caucus: a forum established pursuant to an applicable SOP(s),
the purpose of which is for the QHINs to meet and discuss issues of
interest directly related to TEFCA Exchange and related activities
under the Framework Agreements.
Query(ies) (including its correlative uses/tenses ``Queried'' and
``Querying''): the act of asking for information through TEFCA
Exchange.
RCE Directory Service: a technical service provided by the RCE that
enables QHINs to identify their Nodes to enable TEFCA Exchange. The
requirements for use of, inclusion in, and maintenance of the RCE
Directory Service are set forth in the Framework Agreements, QTF, and
applicable SOPs.
Recognized Coordinating Entity (RCE): the entity selected by ONC
that enters into the Common Agreement with QHINs in order to impose, at
a minimum, the requirements of the Common Agreement, including the SOPs
and the QTF, on the QHINs and administer such requirements on an
ongoing basis. The RCE is a Party to the Common Agreement.
Required Information: the Electronic Health Information, as defined
in 45 CFR 171.102, that is (i) maintained in a Responding Node by any
QHIN, Participant, or Subparticipant prior to or during the term of the
applicable Framework Agreement and (ii) relevant for a required XP
Code, as set forth in the QTF or an applicable SOP(s).
Responding Node: a Node through which the QHIN, Participant, or
Subparticipant Responds to a received transaction for TEFCA Exchange.
Response(s) (including its correlative uses/tenses ``Responds,''
``Responded'' and ``Responding''): the act of providing the information
that is the subject of a Query or otherwise transmitting a message in
response to a Query through TEFCA Exchange.
Security Posture: the security status of an entity's networks,
information, and systems based on information assurance resources
including, without limitation, people, hardware, software, and
policies, and capabilities in place to manage the defense of the
entity's networks, information, and systems and to react as the
situation changes (derived from NIST Definition 800-30r1).
Signatory: the entity that has satisfied Section 4.1 and is a Party
to the Common Agreement.
Standard Operating Procedure(s) or SOP(s): a written procedure or
other provision that is adopted pursuant to the Common Agreement and
incorporated by reference into a Framework Agreement to provide
detailed information or requirements related to TEFCA Exchange,
including all amendments thereto. Each SOP identifies the relevant
group(s) to which the SOP applies, including whether Participants or
Subparticipants are required to comply with a given SOP.
State: any of the several States, the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern
Mariana Islands.
Subparticipant: to the extent permitted by applicable SOP(s), a
U.S. Entity that has entered into the ToP in a legally binding contract
with a Participant or another Subparticipant to use the Participant's
or Subparticipant's Connectivity Services to participate in TEFCA
Exchange in compliance with the ToP.
TEFCA Exchange: the transaction of information between Nodes using
an XP Code.
TEFCA Information (TI): any information that is transacted through
TEFCA Exchange except to the extent that such information is received
by a QHIN, Participant, or Subparticipant that is a Covered Entity,
Business Associate, or NHE that is exempt from compliance with the
Privacy section of the applicable Framework Agreement and is
incorporated into such recipient's system of record, at which point the
information is no longer TI with respect to such recipient and is
governed by the HIPAA Rules and other Applicable Law.
TEFCA Security Incident(s):
(i) An unauthorized acquisition, access, Disclosure, or Use of
unencrypted TI using TEFCA Exchange, but NOT including any of the
following:
(a) Any unintentional acquisition, access, Use, or Disclosure of TI
by a Workforce Member or person acting under the authority of a QHIN,
[[Page 93313]]
Participant, or Subparticipant, if such acquisition, access, Use, or
Disclosure (i) was made in good faith, (ii) was made by a person acting
within their scope of authority, (iii) was made to another Workforce
Member or person acting under the authority of any QHIN, Participant,
or Subparticipant, and (iv) does not result in further acquisition,
access, Use, or Disclosure in a manner not permitted under Applicable
Law and the Framework Agreements.
(b) A Disclosure of TI where a QHIN, Participant, or Subparticipant
has a good faith belief that an unauthorized person to whom the
Disclosure was made would not reasonably have been able to retain such
information.
(c) A Disclosure of TI that has been de-identified in accordance
with the standard at 45 CFR 164.514(b).
(ii) Other security events (e.g., ransomware attacks), as set forth
in an SOP, that adversely affect a QHIN's, Participant's, or
Subparticipant's participation in TEFCA Exchange.
Threat Condition: (i) a breach of a material provision of a
Framework Agreement that has not been cured within fifteen (15) days of
receiving notice of the material breach (or such other period of time
to which the Parties have agreed), which notice shall include such
specific information about the breach that the RCE has available at the
time of the notice; or (ii) a TEFCA Security Incident; or (iii) an
event that RCE, a QHIN, its Participant, or their Subparticipant has
reason to believe will disrupt normal TEFCA Exchange, either due to
actual compromise of or the need to mitigate demonstrated
vulnerabilities in systems or data of the QHIN, Participant, or
Subparticipant, as applicable, or could be replicated in the systems,
networks, applications, or data of another QHIN, Participant, or
Subparticipant; or (iv) any event that could pose a risk to the
interests of national security as directed by an agency of the United
States government.
Transitional Council: the interim governing body for activities
conducted under Framework Agreements, as more fully described in the
applicable SOP(s).
United States: the fifty (50) States, the District of Columbia, and
the territories and possessions of the United States including, without
limitation, all military bases or other military installations,
embassies, and consulates operated by the United States government.
U.S. Entity/Entities: any corporation, limited liability company,
partnership, or other legal entity that meets all of the following
requirements:
(i) The entity is organized under the laws of a State or
commonwealth of the United States or the federal law of the United
States and is subject to the jurisdiction of the United States and the
State or commonwealth under which it was formed;
(ii) The entity's principal place of business, as determined under
federal common law, is in the United States; and
(iii) None of the entity's directors, officers, or executives, and
none of the owners with a five percent (5%) or greater interest in the
entity, are listed on the Specially Designated Nationals and Blocked
Persons List published by the United States Department of the
Treasury's Office of Foreign Asset Control or on the United States
Department of Health and Human Services, Office of Inspector General's
List of Excluded Individuals/Entities.
Use(s) (including correlative uses/tenses, such as ``Uses,''
``Used,'' and ``Using''): with respect to TI, means the sharing,
employment, application, utilization, examination, or analysis of such
information within an entity that maintains such information.
U.S. Qualified Person means those individuals who are U.S.
nationals and citizens at birth as defined in 8 U.S.C. 1401, U.S.
nationals but not citizens of the United States at birth as defined in
8 U.S.C. 1408, lawful permanent residents of the United States as
defined in the Immigration and Nationality Act, and non-immigrant
aliens who are hired by a U.S. Entity as an employee in a specialty
occupation pursuant to an H-1B Visa.
Workforce Member(s): any employees, volunteers, trainees, and other
persons whose conduct, in the performance of work for an entity, is
under the direct control of such entity, whether or not they are paid
by the entity.
XP Code: the code used to identify the XP in any given transaction,
as set forth in the applicable SOP(s).
1.2 Common Agreement Terminology.
1.2.1 References to Signatory and QHINs. As set forth in its
definition and in the introductory paragraph of this Common Agreement,
the term ``Signatory'' is used to refer to the specific entity that is
a Party to this Common Agreement with the RCE. Any and all rights and
obligations of a QHIN stated herein are binding upon Signatory as of
the CA Effective Date and are also binding upon all other QHINs.
References herein to ``other QHINs,'' ``another QHIN,'' and similar
such terms are used to refer to any and all other organizations that
have signed the Common Agreement with the RCE.
1.2.2 Intentionally Omitted.
1.2.3 General Rule of Construction. For the avoidance of doubt, a
reference to a specific section of the Common Agreement in a particular
section does not mean that other sections of this Common Agreement that
expressly apply to a QHIN are inapplicable. A reference in this Common
Agreement to any law, any regulation, or to Applicable Law includes any
amendment, modification or replacement to such law, regulation, or
Applicable Law.
1.2.4 Terms of Participation. Signatory shall contractually
obligate its Participants to comply with the ToP. Notwithstanding the
foregoing, for any entity that became a Participant of Signatory prior
to the Implementation Date, Signatory shall (i) contractually obligate
such entity to comply with the ToP within one-hundred eighty (180) days
of the Implementation Date, provided that such Participant is and
remains a party to the Participant-QHIN Agreement, as defined in and
required by Common Agreement Version 1.1, during such period; or (ii)
terminate such Participant's ability to engage in TEFCA Exchange upon
the earlier of the date of termination of the existing Participant-QHIN
Agreement or one-hundred eighty (180) days after the Implementation
Date.
2. Incorporation of Recitals. The Recitals set forth above are
incorporated into this Common Agreement in their entirety and shall be
given full force and effect as if set forth in the body of this Common
Agreement.
3. Governing Approach.
3.1 Role of the RCE and ONC. ONC was directed by Congress in the
21st Century Cures Act to, ``in collaboration with the National
Institute of Standards and Technology and other relevant agencies
within the Department of Health and Human Services, for the purpose of
ensuring full network-to-network exchange of health information,
convene public-private and public-public partnerships to build
consensus and develop or support a trusted exchange framework,
including a common agreement among health information networks
nationally.'' ONC entered into the Contract with the RCE to implement,
maintain, and update the Common Agreement.
Under the Contract, the RCE is responsible for matters related to
the development and operation of the exchange of TI and related
activities.
ONC provides oversight of the RCE's work under the Contract. Under
the Contract, ONC has the right to review the RCE's conduct, including
Designation, corrective action, and termination decisions regarding
QHINs,
[[Page 93314]]
the proper execution of nondiscrimination and conflict of interest
policies that demonstrate a commitment to transparent, fair, and
nondiscriminatory treatment by the RCE of QHINs, and whether the RCE
has adhered to the requirements imposed upon it by this Common
Agreement. ONC may also address complaints made by a QHIN against the
RCE as set forth in Section 15.6. QHINs have the right to appeal RCE
decisions as set forth in Section 16 of this Common Agreement.
3.2 Participation in Governance. QHINs, Participants, and
Subparticipants shall have the opportunity to engage in governance
under the Common Agreement. The RCE shall establish a Transitional
Council and then a Governing Council which will be responsible for
serving as a resource to the RCE and a forum for orderly and civil
discussion of any issues affecting TEFCA Exchange or other issues that
may arise under the Common Agreement. The formation, composition,
responsibilities, and duration of the Transitional Council and
Governing Council shall be set forth in an SOP(s).
3.3 Advisory Groups. The RCE, in consultation with the Transitional
or Governing Council (as applicable) and ONC, may establish Advisory
Groups for purposes of seeking input from distinct groups of
stakeholders that are parties to or affected by TEFCA Exchange
activities to better inform the governance process, provide input on
certain topics, and promote inclusivity. The process for establishing
Advisory Groups and selecting members is set forth in the applicable
SOP.
4. QHIN Designation.
4.1 Eligibility to be Designated. Signatory affirms and warrants
that as of the CA Effective Date and throughout the term of this Common
Agreement, it meets and will continue to meet the eligibility criteria
listed below and any additional requirements set forth in the
applicable SOP(s).
(i) Signatory is a U.S. Entity and is not controlled by any person
or entity that is not a U.S. Qualified Person(s) or U.S. Entity(ies).
The specific, required means to demonstrate this are set forth in an
SOP.
(ii) Signatory is a Health Information Network.
(iii) Signatory has the ability to perform all of the Designated
Network Services and other required functions of a QHIN in the manner
required by this Common Agreement, the SOPs, the QTF, and all other
applicable guidance from the RCE. The specific, required means to
demonstrate this are set forth in an SOP(s).
(iv) Signatory has in place the organizational infrastructure and
legal authority to comply with the obligations of the Common Agreement
and to provide Governance Services for its Designated Network. In
addition, Signatory has the resources and infrastructure to support a
reliable and trusted network. The specific, required means to
demonstrate this are set forth in an SOP(s).
If, at any time during the term of this Common Agreement, Signatory
Discovers that it fails to meet the foregoing eligibility criteria or
any additional requirements set forth in the applicable SOP(s),
Signatory shall immediately notify the RCE.
4.2 Affirmation of Application. Signatory represents and warrants
that the information in its application for Designation was at the time
of the application submission, and continues to be as of the CA
Effective Date, accurate and complete, to the best of its knowledge.
Signatory acknowledges that the RCE relied upon the information in its
application to evaluate whether Signatory meets the criteria to be
Designated and that violation of this representation and warranty is a
material breach of this Common Agreement. If the RCE determines that
information in the application that was material to the RCE's decision
to Designate Signatory is or was not accurate or complete, the RCE may
terminate Signatory's Designation and this Common Agreement and will
provide notice of such termination to Signatory.
5. Change Management.
5.1 Change Management Framework. The RCE shall coordinate all
changes to the Common Agreement, the QTF, and the SOPs in conjunction
with ONC. In addition to the activities described below, ONC shall be
available in a consultative role throughout the change management
process to review any proposed amendments to the Common Agreement, the
QTF, and the SOPs as well as the adoption of any new SOP and the repeal
of any existing SOP. The RCE will work with ONC, the Governing Council,
and the QHIN and Participant/Subparticipant Caucuses, as outlined
below, to consider amendments to the Common Agreement, the QTF, or the
SOPs and the adoption of any new SOP or the repeal of any existing SOP.
Provided, however, that the actions described in Sections 5.1 through
5.3 of this Common Agreement by or with respect to the Governing
Council, the QHIN Caucus, and the Participant/Subparticipant Caucus, as
applicable, shall not be required until the respective body has been
established as described in Section 3 and the applicable SOP(s).
Signatory acknowledges that it and the RCE do not have the sole legal
authority to agree to changes to this Common Agreement, the QTF, or the
SOPs. ONC must approve all changes, additions, and deletions. The
Common Agreement must be the same for all QHINs.
5.2.1 Amending the Common Agreement or the QTF. The RCE is tasked,
under its Contract with ONC, with updating the Common Agreement and
QTF. Proposed amendments to the Common Agreement or QTF may originate
from multiple sources, including, but not limited to, ONC, the RCE, the
Governing Council, the QHIN Caucus, or the Participant/Subparticipant
Caucus. The RCE may consult with the Governing Council, the QHIN
Caucus, or the Participant/Subparticipant Caucus prior to submitting
the proposed amendment(s) to ONC for consideration. The RCE shall
collect all proposed amendments and submit them to ONC, who shall
determine whether further action on a proposed amendment is warranted.
If ONC determines that a proposed amendment warrants further
consideration, then the RCE will present the proposed amendment to the
Governing Council for its feedback. The Governing Council will evaluate
the proposed amendment and determine whether it will seek feedback from
the QHIN Caucus, the Participant/Subparticipant Caucus, or both, as
deemed necessary and appropriate. The Governing Council will provide
the RCE with written feedback on the proposed amendment in a timely
manner, which will include feedback from the QHIN and Participant/
Subparticipant Caucuses as applicable and appropriate.
5.2.2 The RCE shall consult with ONC about the Governing Council
feedback. ONC shall, after considering the feedback, determine whether
the proposed amendment should proceed after making any changes to the
amendment. If ONC decides to proceed with the amendment, it will
advance the proposed amendment to the QHIN Caucus for approval by a
written vote. An amendment will be approved if at least two-thirds
(2/3) of the votes cast by the QHIN Caucus members within the timeframe
established by ONC for the voting period are in favor of the proposed
amendment. The requirement to consult with the Governing Council in
this provision shall be satisfied by ONC's approval of the proposed
amendment if, at the time of such approval, the Governing Council and
the QHIN Caucus have not yet been established.
5.2.3 The time period for ONC to decide whether to proceed or not
with a proposed amendment to the Common Agreement pursuant to Section
5.2.2 above shall initially be three (3) months after ONC receives from
the RCE feedback from the Governing Council pursuant to Section 5.2.2
above; provided, however, that ONC may, in its discretion, extend this
time for an unlimited number of additional three- (3-) month time
periods.
5.2.4 The time period for ONC to decide whether to proceed or not
with a proposed amendment to the QTF pursuant to Section 5.2.2 above
shall initially be three (3) months after ONC receives from the RCE
feedback from the Governing Council pursuant to Section 5.2.2 above;
provided, however, that ONC may, in its discretion, extend this time
for one (1) additional three- (3-) month time period. If an amendment
to the Common Agreement or QTF is approved as described above, the
amendment shall become effective on the effective date identified by
ONC as part of the amendment process and shall be binding on Signatory
without any further action by Signatory or the RCE. If Signatory is not
willing or able to comply with the amendment, then Signatory shall,
within fifteen (15) business days of being notified by the RCE that the
amendment has been approved, provide the RCE written notice of
termination of this Common Agreement effective no later than the
expiration of thirty (30) days from approval of the amendment.
5.2.5 Notwithstanding the foregoing, if the RCE determines that an
amendment to the Common Agreement or QTF is required in order for the
RCE to remain in compliance with Applicable Law, the RCE is not
required to provide QHINs with an opportunity to vote on the amendment.
However, the RCE shall still be required to provide sixty (60) days'
advance written notice of the amendment and legal analysis of the need
to use this expedited process, unless the RCE would be materially
harmed by being out of compliance with Applicable Law if it provided
the sixty (60) days' written notice, in which case it will provide as
much notice as practicable under the circumstances. Any such amendment
to this Common Agreement or the QTF shall be subject to ONC review and
modification prior to the RCE providing advance written notice of the
amendment to Signatory. Only those amendments that are approved by ONC
will be enacted.
5.2 Amending, Adopting, or Repealing an SOP. The RCE is tasked,
under its Contract with ONC, with developing an initial set of SOPs
that were considered adopted when initially made publicly available
prior to the initial QHIN application period (i.e., prior to anyone
signing the Common Agreement). The amendment process set forth below
shall also apply to amending the initial set of SOPs through adopting
one or more new SOPs, repealing an SOP in its entirety, or amending one
of the initial SOPs.
5.3.1 Proposed amendments to the SOPs may originate from multiple
sources including, but not limited to, ONC, the RCE, the Governing
Council, the QHIN Caucus, or the Participant/Subparticipant Caucus. The
RCE may consult with the Governing Council, the QHIN Caucus, or the
Participant/Subparticipant Caucus prior to submitting the proposed
amendment(s) to ONC for consideration. The RCE shall collect all
proposed amendments and submit them to ONC, who shall determine whether
further action on a proposed amendment is warranted.
If ONC determines that a proposed amendment warrants further
consideration, then the RCE will present the proposed amendment to the
Governing Council for its feedback. The Governing Council will evaluate
the proposed amendment and determine whether it will seek feedback from
the QHIN Caucus, the Participant/Subparticipant Caucus, or both, as
deemed necessary and appropriate. The Governing Council will evaluate
proposed amendments in a timely manner and provide the RCE with written
feedback on the proposed amendment.
5.3.2 The RCE shall consult with ONC about the Governing Council
feedback. ONC shall, after considering the feedback, determine whether
the proposed amendment should proceed after making any changes to the
amendment. If ONC decides to proceed with the amendment, it will
advance the proposed amendment to the QHIN Caucus and the Participant/
Subparticipant Caucus for approval by a written vote. An amendment will
be approved if at least two-thirds (2/3) of the votes cast by the
QHIN Caucus and at least two-thirds (2/3) of the votes cast by the
Participant/Subparticipant Caucus within the timeframe established by
ONC for the voting period are in favor of the proposed amendment. The
requirement to consult with the Governing Council in this provision
shall be satisfied by ONC's approval of the proposed amendment if, at
the time of such approval, the QHIN Caucus and the Participant/
Subparticipant Caucus have not yet been established.
5.3.3 The time period for ONC to decide whether to proceed or not
with a proposed amendment to an SOP pursuant to Section 5.3.3 above
shall initially be three (3) months after ONC receives from the RCE
feedback from the Governing Council; provided, however, that: (a) ONC
may, in its discretion, extend this time for one (1) additional three-
(3-) month time period; and (b) if ONC, in addition, determines in its
reasonable discretion that the amendment affects or may be contrary to
an ONC policy or another policy of the Department of Health and Human
Services or any Applicable Law, ONC may extend this time for an
unlimited number of additional three- (3-) month time periods.
5.3.4 Notwithstanding the requirement for a Participant/
Subparticipant vote set forth in Section 5.3.3, if the proposed
amendment will not have a material impact on any Participants or
Subparticipants, ONC may advance the proposed amendment to the QHIN
Caucus only, whereby the amendment will be approved if at least
two-thirds (2/3) of the votes cast by the QHIN Caucus within the
timeframe established by ONC for the voting period are in favor of the
proposed amendment. The requirement to consult with the QHIN Caucus in
this provision shall be satisfied by ONC's approval of the proposed
amendment if, at the time of such approval, the QHIN Caucus has not yet
been established. The RCE will determine an effective date for the
approved amendment subject to approval of ONC.
5.3.5 Notwithstanding the foregoing, if the RCE determines that an
amendment to an SOP is required in order for the RCE to remain in
compliance with Applicable Law, the RCE is not required to provide the
QHIN Caucus or the Participant/Subparticipant Caucus with an
opportunity to vote on the amendment. However, the RCE shall still be
required to provide sixty (60) days' advance written notice of the
amendment and the legal analysis of the need to use this expedited
process, unless the RCE would be materially harmed by being out of
compliance with Applicable Law if it provided the sixty (60) days'
written notice, in which case the RCE will provide as much notice as
practicable under the circumstances. Any such amendment to an SOP shall
be subject to ONC review and modification prior to enactment. Only
those amendments that are approved by ONC will be enacted.
5.3 Voting Method. For purposes of the voting process set forth in
this Section 5, the phrase "written vote" includes any process by
which there is a voting record, which may include voting by electronic
means.
6. Cooperation and Non-Discrimination.
6.1 Cooperation. Signatory understands and acknowledges that
numerous activities with respect to this Common Agreement will likely
involve other QHINs and their respective Participants and
Subparticipants, as well as employees, agents, third-party contractors,
vendors, or consultants of each of them. Signatory shall reasonably
cooperate with the RCE, ONC, other QHINs, and their respective
Participants and Subparticipants in all matters related to TEFCA
Exchange. Requirements for reasonable cooperation are set forth in an
SOP. The costs of cooperation to Signatory shall be borne by Signatory
and shall not be charged to the RCE or other QHINs. Nothing in this
Section 6.1 shall modify or replace the TEFCA Security Incident
notification obligations under Section 12.3 and, if applicable, the IAS
Incident notification obligations under Section 10.5.2 of this Common
Agreement.
6.2 Non-Discrimination.
6.2.1 Prohibition Against Exclusivity. Neither Signatory nor the
RCE shall prohibit or attempt to prohibit any QHIN, Participant, or
Subparticipant from joining, exchanging with, conducting other
transactions with, or supporting any other networks or exchange
frameworks that use services other than the Signatory's Designated
Network Services, concurrently with the QHIN's, Participant's, or
Subparticipant's participation in TEFCA Exchange.
6.2.2 No Discriminatory Limits on Exchange of TI. Signatory shall
not engage in TEFCA Exchange, refrain from engaging in TEFCA Exchange,
or limit TEFCA Exchange with any other QHIN, Participant,
Subparticipant, or Individual, in a Discriminatory Manner.
Notwithstanding the foregoing, if Signatory refrains from engaging in
TEFCA Exchange or limits interoperability with any other QHIN,
Participant, or Subparticipant under the following circumstances,
Signatory's actions or inactions shall not be deemed discriminatory:
(i) Signatory's Connectivity Services require load balancing of network
traffic or similar activities provided such activities are implemented
in a consistent and non-discriminatory manner for a period of time no
longer than necessary to address the network traffic issue; (ii)
Signatory has a reasonable and good-faith belief that the other QHIN,
Participant, or Subparticipant has not satisfied or will not be able to
satisfy the applicable terms hereof (including compliance with
Applicable Law) in any material respect; or (iii) Signatory's actions
or inactions are consistent with or permitted by an applicable SOP. One
QHIN suspending its exchange activities with another QHIN, Participant,
or Subparticipant in accordance with Section 17.4.2 shall not be deemed
discriminatory.
6.2.3 Updates to Connectivity Services. In revising and updating
its Connectivity Services from time to time, Signatory will use
commercially reasonable efforts to do so in accordance with generally
accepted industry practices and to implement any changes in a non-
discriminatory manner; provided, however, this provision shall not
apply to limit modifications or updates to the extent that such
revisions or updates are required by Applicable Law or implemented to
respond promptly to newly discovered privacy or security threats.
6.2.4 Notice of Updates to Connectivity Services. Signatory shall
implement a reporting protocol to provide reasonable prior written
notice of all modifications or updates of its Connectivity Services to
all other QHINs if such revisions or updates are expected to adversely
affect TEFCA Exchange between QHINs or require changes in the
Connectivity Services of any other QHIN, regardless of whether they are
necessary due to Applicable Law or newly discovered privacy or security
threats.
6.3 Non-Interference. Signatory shall not prevent a Participant or
Subparticipant from changing the QHIN through which the Participant or
Subparticipant engages in TEFCA Exchange. Notwithstanding the
foregoing, this subsection does not preclude Signatory from including
and enforcing reasonable term limits in its contracts with its
Participants related to a Participant's use of Signatory's Designated
Network Services.
7. Confidentiality and Accountability.
7.1 Confidential Information. Signatory and RCE each agree to use
and disclose all Confidential Information received pursuant to this
Common Agreement only as authorized in this Common Agreement and any
applicable SOP(s) and solely for the purposes of performing its
obligations under this Common Agreement or the proper exchange of
information under the Common Agreement and for no other purpose. Each
Party may act as a CI Discloser and a CI Recipient, accordingly. A CI
Recipient may disclose the Confidential Information it receives only to
its Workforce Members who require such knowledge and use in the
ordinary course and scope of their employment or retention and are
obligated to protect the confidentiality of the CI Discloser's
Confidential Information in a manner substantially equivalent to the
terms required herein for the treatment of Confidential Information. If
a CI Recipient must disclose a CI Discloser's Confidential Information
under operation of law, the CI Recipient may do so provided that, to
the extent permitted by Applicable Law, the CI Recipient gives the CI
Discloser reasonable notice to allow the CI Discloser to object to such
redisclosure, and such redisclosure is made to the minimum extent
necessary to comply with Applicable Law.
7.2 Disclosure of Confidential Information. Nothing herein shall be
interpreted to prohibit the RCE from disclosing any Confidential
Information to ONC. Signatory acknowledges that ONC, as a Federal
government agency, is subject to the Freedom of Information Act. Any
disclosure of Signatory's Confidential Information to ONC or any ONC
contractor will be subject to Applicable Law, as well as the
limitations, procedures, and other relevant provisions of any
applicable SOP(s).
7.3 ONC's and the RCE's Approach when Requesting Confidential
Information. As a matter of general policy, ONC will request only the
limited set of Confidential Information that ONC believes is necessary
to inform the specific facts and circumstances of a matter. The RCE
will request only the limited set of Confidential Information that the
RCE believes is necessary to inform the specific facts and
circumstances of a matter.
7.4 QHIN Accountability.
7.4.1 Statement of General Principle. To the extent not prohibited
by Applicable Law, Signatory shall be responsible for its acts and
omissions, and the acts or omissions of its Participants and their
Subparticipants, but not for the acts or omissions of any other QHINs
or their Participants or Subparticipants. For the avoidance of doubt, a
Signatory that is also a governmental agency or instrumentality shall
not be liable to the extent that the Applicable Law that governs
Signatory does not expressly waive Signatory's sovereign immunity.
Notwithstanding any provision in this Common Agreement to the contrary,
Signatory shall not be liable for any act or omission if a cause of
action for such act or omission is otherwise prohibited by Applicable
Law. This Section 7.4.1 shall not be construed as a hold-harmless or
indemnification provision.
7.4.2 Harm to RCE. Subject to Sections 7.4 and 7.6 of this Common
Agreement that exclude certain types of damages or limit overall
damages,
Signatory shall be responsible for harm suffered by the RCE to the
extent that the harm was caused by Signatory's breach of this Common
Agreement, the QTF, or any applicable SOP.
7.4.3 Harm to Other QHINs. Subject to Section 7.6 of this Common
Agreement, which excludes certain types of damages or limits overall
damages, Signatory shall be responsible for harm suffered by another
QHIN to the extent that the harm was caused by Signatory's breach of
this Common Agreement, the QTF, or any applicable SOP.
7.5 RCE Accountability. Signatory will not hold the RCE, or anyone
acting on its behalf, including but not limited to members of the
Governing Council, Transitional Council, Caucuses, Cybersecurity
Council, any Advisory Group, any work group, or any subcommittee, its
contractors, employees, or agents liable for any damages, losses,
liabilities, or injuries arising from or related to this Common
Agreement, except to the extent that such damages, losses, liabilities,
or injuries are the direct result of the RCE's breach of this Common
Agreement. This Section 7.5 shall not be construed as a hold-harmless
or indemnification provision.
7.6 LIMITATION ON LIABILITY. NOTWITHSTANDING ANYTHING IN THIS
COMMON AGREEMENT TO THE CONTRARY, IN NO EVENT SHALL EITHER THE RCE'S OR
SIGNATORY'S TOTAL LIABILITY TO EACH OTHER AND ALL OTHER QHINS ARISING
FROM OR RELATING TO THIS COMMON AGREEMENT EXCEED AMOUNTS EQUAL TO TWO
MILLION DOLLARS ($2,000,000) PER INCIDENT AND FIVE MILLION DOLLARS
($5,000,000) AGGREGATE PER ANNUM OR SUCH OTHER AMOUNTS AS STATED IN A
THEN-IN-EFFECT SOP, IN ORDER TO ALLOW FOR THE PERIODIC ADJUSTMENT OF
THIS LIABILITY LIMIT OVER TIME WITHOUT THE NEED TO AMEND THIS COMMON
AGREEMENT. THIS AND ANY SUCH ADJUSTED LIMITATION ON LIABILITY SHALL
APPLY REGARDLESS OF WHETHER A CLAIM FOR ANY SUCH LIABILITY OR DAMAGES
IS PREMISED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE,
STRICT LIABILITY, OR ANY OTHER THEORIES OF LIABILITY, EVEN IF SUCH
PARTY HAS BEEN APPRISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH
DAMAGES OCCURRING. IF SIGNATORY IS A GOVERNMENT AGENCY OR A GOVERNMENT
INSTRUMENTALITY UNDER FEDERAL LAW, STATE LAW, LOCAL LAW, OR TRIBAL LAW
AND IT IS PROHIBITED FROM LIMITING ITS RECOVERY OF DAMAGES FROM A THIRD
PARTY UNDER APPLICABLE LAW, THEN THIS SECTION 7.6 SHALL NOT APPLY TO
EITHER SIGNATORY OR THE RCE. NOTHING IN THIS SECTION 7.6 OF THIS COMMON
AGREEMENT SHALL BE CONSTRUED TO CREATE LIABILITY FOR A GOVERNMENTAL
AGENCY OR INSTRUMENTALITY OR OTHERWISE WAIVE SOVEREIGN IMMUNITY.
8. RCE Directory Service.
8.1 Access to and Use of the RCE Directory Service. During the term
of this Common Agreement and provided that Signatory is not suspended,
the RCE shall provide Signatory with access to the RCE Directory
Service. The timeframes and requirements for access to, publishing
Directory Entries in, and use of the RCE Directory Service are set out
in the QTF and the applicable SOP(s).
8.2 Utilization of the RCE Directory Service. The RCE Directory
Service and Directory Entries contained therein shall be used by
Signatory solely as necessary to create and maintain operational
connectivity under the Common Agreement to enable TEFCA Exchange.
Signatory shall not use or disclose Directory Entries except to its
Workforce Members, to the Workforce Members of its Participants or
Subparticipants, or to the Workforce Members of health information
technology vendors who are engaged in assisting Signatory, the
Participant or Subparticipant with engaging in TEFCA Exchange. Further,
Signatory shall not use another QHIN's Directory Entries or information
derived therefrom for marketing or any form of promotion of its own
products and services, unless otherwise permitted pursuant to an SOP.
In no event shall Signatory use or disclose the information contained
in the RCE Directory Service in a manner that should be reasonably
expected to have a detrimental effect on ONC, the RCE, other QHINs or
their Participants or Subparticipants, or any other individual or
organization. For the avoidance of doubt, Directory Entries are
Confidential Information of the Discloser except to the extent such
information meets one of the exceptions to the definition of
Confidential Information. Nothing herein shall be interpreted to
prohibit a QHIN from publicly disclosing the identity of its
Participants or Subparticipants.
8.3 QHIN Directory Entries. Signatory must have at least one Node
listed in the RCE Directory Service. Signatory is responsible for
entering its Participant and Subparticipant Nodes in the RCE Directory
Service and maintaining the accuracy of such entries. Signatory shall
immediately remove from the RCE Directory Service any Node(s)
associated with a Participant or Subparticipant that is suspended from
engaging in TEFCA Exchange or whose agreement to participate in TEFCA
Exchange in connection with Signatory has expired or been terminated.
8.4 Framework Agreement Record.
8.4.1 QHINs must maintain a record of all ToPs into which Signatory
enters with its Participants, regardless of whether such Participants
are listed in the RCE Directory Service. Such record must be provided
to the RCE within five (5) business days following the RCE's written
request unless such other timeframe is agreed to by the RCE.
8.4.2 Records of all ToPs into which Signatory's Participants or
Subparticipants enter with their respective Subparticipants must be
maintained by Signatory's Participants and Subparticipants in
accordance with their respective obligations pursuant to the ToP. Upon
request from the RCE, Signatory must provide such record to the RCE
within two (2) business days of receiving such record(s) from its
Participant(s).
9. TEFCA Exchange Activities.
9.1 Utilization of TEFCA Exchange. Signatory may only utilize
Designated Network Services for purposes of facilitating TEFCA
Exchange. TEFCA Exchange may only be utilized for an XP. To the extent
there are limitations on what types of Participants or Subparticipants
may transact TEFCA Information for a specific XP, such limitations will
be set forth in the applicable SOP(s). All TEFCA Exchange is governed
by and must comply with the Framework Agreements governing the QHINs,
Participants, and Subparticipants.
9.2 Uses. Signatory may Use TI in any manner that: (i) is not
prohibited by Applicable Law; (ii) is consistent with Signatory's
Privacy and Security Notice, if applicable; and (iii) is in accordance
with Sections 11 and 12 of this Common Agreement, if applicable.
9.3 Disclosures. Signatory may Disclose TI provided such
Disclosure: (i) is not prohibited by Applicable Law; (ii) is consistent
with Signatory's Privacy and Security Notice, if applicable; and (iii)
is in accordance with Sections 11 and 12 of this Common Agreement, if
applicable.
9.4 Responses. Except as otherwise set forth in an applicable SOP,
Responding Nodes must Respond to Queries for all XP Codes that are
identified as "required" in the
applicable SOP(s). Such Response must include all Required Information.
Notwithstanding the foregoing, Signatory may withhold some or all of
the Required Information to the extent necessary to comply with
Applicable Law.
9.5 Special Legal Requirements. If and to the extent Applicable Law
requires that an Individual either consent to, approve, or provide an
authorization for the Use or Disclosure of that Individual's
information to Signatory, such as a more stringent federal or State law
relating to sensitive health information, then Signatory shall refrain
from the Use or Disclosure of such information in connection with this
Common Agreement unless such Individual's consent, approval, or
authorization has been obtained consistent with the requirements of
Applicable Law and Section 11 of this Common Agreement including
without limitation communicated pursuant to the access consent
policy(ies) described in the QTF or applicable SOP(s). Copies of such
consent, approval, or authorization shall be maintained and transmitted
pursuant to the process described in the QTF by whichever party is
required to obtain it under Applicable Law, and Signatory may make such
copies of the consent, approval, or authorization available
electronically to any QHIN, Participant, or Subparticipant in
accordance with the QTF and to the extent permitted by Applicable Law.
Signatory shall maintain written policies and procedures to allow an
Individual to revoke such consent, approval, or authorization on a
prospective basis. If Signatory is an IAS Provider, the foregoing shall
not be interpreted to modify, replace, or diminish the requirements set
forth in Section 10 of this Common Agreement and any applicable SOP(s)
for obtaining an Individual's express written consent.
10. Individual Access Services.
10.1 Individual Access Services (IAS) Offering(s). Signatory may
elect to be an IAS Provider by offering IAS to any Individual in
accordance with the requirements of this Section 10 and in accordance
with all other provisions of this Common Agreement. Nothing in this
Section 10 shall modify, terminate, or in any way affect an
Individual's right of access under the HIPAA Privacy Rule at 45 CFR
164.524 with respect to any QHIN, Participant, or Subparticipant that
is a Covered Entity or a Business Associate. Nothing in this Section 10
of this Common Agreement shall be construed as modifying or taking
precedence over any provision codified in 45 CFR part 171. An IAS
Provider shall not prohibit or attempt to prohibit any Individual from
using the IAS of any other IAS Provider or from joining, exchanging with,
conducting other transactions with any other networks or exchange
frameworks, using services other than the IAS Providers' Designated
Network Services, concurrently with the QHIN's, Participant's, or
Subparticipant's participation in TEFCA Exchange.
10.2 Individual Consent. This Section 10.2 shall apply to Signatory
if Signatory is an IAS Provider. The Individual requesting IAS shall be
responsible for completing the IAS Consent. The IAS Consent shall
include, at a minimum: (i) consent to use the Individual Access
Service; (ii) the Individual's acknowledgement and agreement to the IAS
Provider's Privacy and Security Notice; and (iii) a description of the
Individual's rights to access, delete, and export such Individual's
Individually Identifiable Information. An IAS Provider may implement
secure electronic means (e.g., secure email, secure web portal) by
which an Individual may submit the IAS Consent. An IAS Provider shall
collect the IAS Consent prior to the Individual's first use of the IAS
and prior to any subsequent use if there is any material change in the
applicable IAS Consent, including the version of the Privacy and
Security Notice referenced therein. Nothing in the IAS Consent may
contradict or be inconsistent with any applicable provision of this
Common Agreement or the SOP(s). If the IAS Provider is a Covered Entity
and has a Notice of Privacy Practices that meets the requirements of 45
CFR 164.520, the IAS Provider is not required to have a Privacy and
Security Notice that meets the requirements of the applicable SOP.
Nothing in Section 10 reduces a Covered Entity's obligations under the
HIPAA Rules.
10.3 Intentionally Omitted.
10.4 Intentionally Omitted.
10.5 Additional Security Requirements for IAS Providers. This
Section 10.5 shall apply to Signatory if Signatory is an IAS Provider.
10.5.1 Scope of Security Requirements. An IAS Provider must meet
the applicable security requirements set forth in Section 12 for all
Individually Identifiable Information it maintains as an IAS Provider,
regardless of whether such information is TI.
10.5.2 IAS Incident Notice to Affected Individuals. If an IAS
Provider reasonably believes that an Individual has been affected by an
IAS Incident, it must provide such Individual with notification without
unreasonable delay and in no case later than sixty (60) days following
Discovery of the IAS Incident. The notification required under this
Section 10.5.2 must be written in plain language and shall include, to
the extent possible, the information set forth in the applicable
SOP(s). To the extent Signatory is already required by Applicable Law
to notify an Individual of an incident that would also be an IAS
Incident, this Section 10.5.2 does not require duplicative notification
to that Individual.
10.6 Survival for IAS Providers. This Section 10.6 shall apply to
Signatory if Signatory is an IAS Provider. As between Signatory as an
IAS Provider and an Individual, the IAS Provider's obligations in the
IAS Consent, including the IAS Provider's requirement to comply with
the Privacy and Security Notice and provide Individuals with rights,
shall survive for so long as the IAS Provider maintains such
Individual's Individually Identifiable Information. If Signatory was an
IAS Provider, the requirements of Section 10.5 shall survive
termination of this Common Agreement for so long as Signatory maintains
Individually Identifiable Information acquired during the term of this
Common Agreement as an IAS Provider regardless of whether such
information is or was TI.
11. Privacy.
11.1 Compliance with the HIPAA Privacy Rule. If Signatory is a NHE
(but not to the extent that it is acting as an entity entitled to make
a Government Benefits Determination under Applicable Law, a Public
Health Authority, or a Government Health Care Entity or any other type
of entity exempted from compliance with this Section 11.1 in an
applicable SOP), then it shall comply with the provisions of the HIPAA
Privacy Rule listed below with respect to all Individually Identifiable
Information as if such information is Protected Health Information and
Signatory is a Covered Entity.
11.1.1 From 45 CFR 164.502, General Rules:
* Subsection (a)(1)--Dealing with permitted Uses and
  Disclosures, but only to the extent Signatory is authorized to engage
  in the activities described in this subsection of the HIPAA Privacy
  Rule for the applicable XP
* Subsection (a)(2)(i)--Requiring Disclosures to Individuals
* Subsection (a)(5)--Dealing with prohibited Uses and
  Disclosures
* Subsection (b)--Dealing with the minimum necessary standard
* Subsection (c)--Dealing with agreed-upon restrictions
* Subsection (d)--Dealing with deidentification and
  re-identification of information
* Subsection (e)--Dealing with Business Associate contracts
* Subsection (f)--Dealing with deceased persons' information
* Subsection (g)--Dealing with personal representatives
* Subsection (h)--Dealing with confidential communications
* Subsection (i)--Dealing with Uses and Disclosures consistent
  with notice
* Subsection (j)--Dealing with Disclosures by whistleblowers
11.1.2 45 CFR 164.504(e), Organizational Requirements.
11.1.3 45 CFR 164.508, Authorization Required. Notwithstanding the
foregoing, the provisions of Section 10.2 shall control and this
Section 11.1.3 shall not apply with respect to an IAS Provider that is
a NHE.
11.1.4 45 CFR 164.510, Uses and Disclosures Requiring Opportunity
to Agree or Object. Notwithstanding the foregoing, an IAS Provider that
is a NHE but is not a Health Care Provider shall not have the right to
make the permissive Disclosures described in Sec. 164.510(a)(3)--
Emergency circumstances; provided, however, that an IAS Provider is not
prohibited from making such a Disclosure if the Individual has
consented to the Disclosure pursuant to Section 10 of this Common
Agreement.
11.1.5 45 CFR 164.512, Authorization or Opportunity to Object Not
Required. Notwithstanding the foregoing, an IAS Provider that is a NHE
but is not a Health Care Provider shall not have the right to make the
permissive Disclosures described in Sec. 164.512(c)--Standard:
Disclosures about victims of abuse, neglect or domestic violence; Sec.
164.512 Subsection (d)--Standard: Uses and Disclosures for health
oversight activities; and Sec. 164.512 Subsection (j)--Standard: Uses
and Disclosures to avert a serious threat to health or safety;
provided, however, that an IAS Provider is not prohibited from making
such a Disclosure(s) if the Individual has consented to the
Disclosure(s) pursuant to Section 10 of this Common Agreement.
11.1.6 From 45 CFR 164.514, Other Requirements Relating to Uses and
Disclosures:
* Subsections (a)-(c)--Dealing with de-identification
  requirements that render information not Individually Identifiable
  Information for purposes of this Section 11 and TEFCA Security
  Incidents
* Subsection (d)--Dealing with minimum necessary requirements
* Subsection (e)--Dealing with Limited Data Sets
11.1.7 45 CFR 164.522, Rights to Request Privacy Protections.
11.1.8 45 CFR 164.524, Access of Individuals, except that an IAS
Provider that is a NHE shall be subject to the requirements of Section
10 with respect to access by Individuals for purposes of IAS and not
this Section 11.1.8.
11.1.9 45 CFR 164.528, Accounting of Disclosures.
11.1.10 From 45 CFR 164.530, Administrative Requirements:
* Subsection (a)--Dealing with personnel designations
* Subsection (b)--Dealing with training
* Subsection (c)--Dealing with safeguards
* Subsection (d)--Dealing with complaints
* Subsection (e)--Dealing with sanctions
* Subsection (f)--Dealing with mitigation
* Subsection (g)--Dealing with refraining from intimidating or
  retaliatory acts
* Subsection (h)--Dealing with waiver of rights
* Subsection (i)--Dealing with policies and procedures
* Subsection (j)--Dealing with documentation
11.2 Written Privacy Policy. Signatory must develop, implement,
make publicly available, and act in accordance with a written privacy
policy describing its privacy practices with respect to Individually
Identifiable Information that is Used or Disclosed pursuant to this
Common Agreement and any SOPs. Signatory can satisfy the written
privacy policy requirement by including applicable content consistent
with the HIPAA Rules in its existing privacy policy, except as
otherwise stated herein with respect to IAS Providers. This written
privacy policy requirement does not supplant the HIPAA Privacy Rule
obligations of a QHIN, Participant, or a Subparticipant that is a
Covered Entity to post and distribute a Notice of Privacy Practices
that meets the requirements of 45 CFR 164.520. If Signatory is a
Covered Entity, then this written privacy policy requirement can be
satisfied by its Notice of Privacy Practices. If Signatory is an IAS
Provider, then the written privacy policy requirement must be in the
form of a Privacy and Security Notice that meets the requirements of
Section 10.2 of this Common Agreement. Notwithstanding Section 11.1, to
the extent the Signatory's written privacy policy is ``more stringent''
than the HIPAA Privacy Rule provisions listed below, the written
privacy policy shall govern. ``More stringent'' shall have the meaning
assigned to it in 45 CFR 160.202 except the written privacy policy
shall be substituted for references to State law and the reference to
``standards, requirements or implementation specifications adopted
under subpart E of part 164 of this subchapter'' shall be limited to
those listed below.
12. Security.
12.1 General Security Requirements. Signatory shall comply with the
HIPAA Security Rule as if the HIPAA Security Rule applied to
Individually Identifiable Information that is TI regardless of whether
Signatory is a Covered Entity or a Business Associate. Signatory shall
also comply with the security requirements stated in Section 12 of this
Common Agreement and specific additional requirements as described in
the QTF and applicable SOPs. With the exception of Section 12.1.5, none
of these requirements in Section 12.1 shall apply to any federal agency
or any other type of entity exempted from compliance with this Section
12.1 in an applicable SOP.
12.1.1 Cybersecurity Coverage. In accordance with the applicable
SOP(s), Signatory shall maintain, throughout the term of this Common
Agreement: (i) a policy or policies of insurance or cyber risk and
errors and omissions; (ii) internal financial reserves to self-insure
against a cyber-incident; or (iii) some combination of (i) and (ii).
12.1.2 Cybersecurity Certification. Signatory shall achieve and
maintain third-party certification to an industry-recognized
cybersecurity framework demonstrating compliance with all relevant
security controls, as set forth in the applicable SOP.
12.1.3 Annual Security Assessments. Signatory must obtain a third-
party security assessment and technical audit no less often than
annually and as further described in the applicable SOP. Within thirty
(30) days of completing such annual security assessment or technical
audit, Signatory must provide evidence of completion and mitigation as
specified in the applicable SOP.
12.1.4 Intentionally Omitted.
12.1.5 Security Resource Support to Participants. Signatory shall
make available to its Participants: (i) security resources and guidance
regarding the protection of TI applicable to the Participants'
participation in the QHIN under the applicable Framework Agreement; and
(ii) information and
resources that the RCE or Cybersecurity Council makes available to
Signatory related to promotion and enhancement of the security of TI
under the Framework Agreements.
12.1.6 Chief Information Security Officer.
i. The RCE shall designate a person to serve as the Chief
Information Security Officer (CISO) for activities conducted under the
Framework Agreements. This may be either an employee or independent
contractor of the RCE. The RCE's CISO will be responsible for
monitoring and maintaining the overall Security Posture of activities
conducted under the Framework Agreements and making recommendations to
all QHINs regarding changes to baseline security practices required to
address changes to the threat landscape.
ii. Signatory agrees that it, and not the RCE, is ultimately
responsible for the Security Posture related to Signatory's
participation in TEFCA. Signatory shall also designate a person to
serve as its CISO for purposes of Signatory's participation in TEFCA
Exchange. Signatory's CISO shall have responsibility for Signatory's
Security Posture with respect to its participation in TEFCA Exchange
and as set forth in an SOP. The RCE shall establish a Cybersecurity
Council to enhance cybersecurity commensurate with the risks of the
activities conducted under the Framework Agreements as set forth in an
SOP.
12.2 TI Outside the United States. Signatory shall only Use TI
outside the United States or Disclose TI to any person or entity
outside the United States to the extent such Use or Disclosure is
permitted or required by Applicable Law and the Use or Disclosure is
conducted in conformance with the HIPAA Security Rule, regardless of
whether Signatory is a Covered Entity or Business Associate.
12.3 TEFCA Security Incident Reporting. Signatory shall report to
the RCE and to all QHINs that are likely impacted, whether directly or
by nature of one of the other QHIN's Participants or Subparticipants,
any TEFCA Security Incident, as set forth in the applicable SOP(s).
Such report must include sufficient information for the RCE and others
affected to understand the nature and likely scope of the TEFCA
Security Incident. Signatory shall supplement the information contained
in the report as additional relevant information becomes available and
cooperate with the RCE, and with other QHINs, Participants, and
Subparticipants that are likely impacted by the TEFCA Security
Incident.
12.3.1 Receiving TEFCA Security Incident Report. Signatory shall
implement a reporting protocol by which other QHINs can provide
Signatory with a report of a TEFCA Security Incident.
12.3.2 Vertical Reporting of TEFCA Security Incident(s). Signatory
shall report a TEFCA Security Incident to its Participants and
Subparticipants as required by an applicable SOP.
12.3.3 Compliance with Notification Under Applicable Law. Nothing
in this Section 12.3 shall be deemed to modify or replace any breach
notification requirements that Signatory may have under the HIPAA
Rules, the FTC Rule, or other Applicable Law. To the extent Signatory
is already required by Applicable Law to notify a Participant,
Subparticipant, or another QHIN of an incident that would also be a
TEFCA Security Incident, this Section 12.3 does not require duplicative
notification.
12.4 Encryption. If Signatory is a NHE (but not to the extent that
it is a federal agency or any other type of entity exempted from
compliance with this Section 12.4 in an applicable SOP), Signatory must
encrypt all Individually Identifiable Information it maintains, both in
transit and at rest, regardless of whether such information is TI.
Requirements for encryption may be set forth in an SOP.
13. General Obligations.
13.1 Compliance with Applicable Law and the Framework Agreements.
Signatory shall comply with all Applicable Law and shall implement and
act in accordance with any provision required by this Common Agreement,
including all applicable SOPs and provisions of the QTF, when providing
Designated Network Services or otherwise engaging in or facilitating
TEFCA Exchange.
13.2 Compliance with Specific Obligations.
13.2.1 Responsibility of the RCE. To the extent required by the
Contract, the RCE shall take reasonable steps to confirm that Signatory
is abiding by the obligations under this Common Agreement, the QTF, and
all applicable SOPs. In the event that the RCE becomes aware of a
material non-compliance with any of the obligations stated in a
Framework Agreement or any of the applicable SOPs by Signatory or its
Participants or Subparticipants, then the RCE shall promptly notify
Signatory in writing. Such notice shall notify Signatory that its
failure to correct any such deficiencies within the timeframe
established by the RCE shall constitute a material breach of this
Common Agreement, which may result in termination of this Common
Agreement in accordance with Section 17.3.2.
13.2.2 Responsibility of Signatory. Signatory shall be responsible
for taking reasonable steps to confirm that all of its Participants and
Subparticipants are abiding by the ToP, all applicable SOPs, and any
decisions made pursuant to Section 16.3. In the event that Signatory
becomes aware of a material non-compliance by one of its Participants
or Subparticipants, which includes failure to comply with a decision
made pursuant to Section 16.3, then Signatory shall promptly notify the
Participant or Subparticipant in writing. Such notice shall inform the
Participant or Subparticipant that its failure to correct any such
deficiencies within the timeframe established by Signatory shall
constitute a material breach of the ToP, which may result in suspension
or termination of Participant's or Subparticipant's ability to engage
in TEFCA Exchange. Except as set forth in Section 17.4.5, Signatory is
responsible for determining when suspension or termination of its
Participants' or Subparticipants' ability to engage in TEFCA Exchange
is warranted. Nothing in this Section 13.2.2 shall be deemed to limit
Signatory's responsibility for the acts or omissions of its
Participants and Subparticipants as set forth in Section 7.4.
13.2.3 Responsibility for Third-Party Technology Vendors of
Signatory. To the extent that Signatory uses a third-party technology
vendor(s) that will have access to TEFCA Information in connection with
Designated Network Services, it shall include in a written agreement
with each such subcontractor or agent a requirement to comply with all
applicable provisions of this Common Agreement and a prohibition on
engaging in any act or omission that would cause Signatory to violate
the terms of this Common Agreement if Signatory had engaged in such act
or omission itself.
13.3 Intentionally Omitted.
13.4 Intentionally Omitted.
14. Specific QHIN Obligations.
14.1 Transparency--Access to Participant/Subparticipant
Information. If either ONC or the RCE has a reasonable basis to believe
that one or more of the following situations exist with respect to
Signatory, then Signatory shall make available, upon written request,
evidence of the applicable Participant/Subparticipant Terms of
Participation and information relating to the exchange of TI and the
circumstances giving rise to the basis for such request. The foregoing
shall be subject to Signatory's right to restrict or condition its
cooperation or disclosure
of information in the interest of preserving privileges but only to the
extent that such information is material to the defense of a
substantiated claim asserted by a third party. Such situations include:
(i) an alleged violation of this Common Agreement or Applicable Law; or
(ii) a threat to the security of TEFCA Exchange or information that the
RCE or ONC reasonably believes is TI. The right of Signatory to
restrict or condition its cooperation or disclosure of information
pursuant to this Section 14.1 in the interest of preserving privileges
shall not apply to a disclosure that is requested in the interest of
national security.
14.2 Compliance with Standard Operating Procedures. The RCE shall
adopt Standard Operating Procedures (SOPs) to provide detailed guidance
on specific aspects of the exchange activities under this Common
Agreement that are binding on the RCE, Signatory and, as applicable,
Participants and Subparticipants. The SOPs are incorporated by
reference into this Common Agreement, and Signatory shall comply with
all SOPs that are applicable to it. In the ToP, Participants and
Subparticipants will agree to comply with all applicable SOPs. If
Signatory or its Participants or Subparticipants fail to comply with
any applicable SOP, the RCE may take corrective action to bring the
organization into compliance with the SOP, which may include: (i)
requiring Signatory to suspend the ability of a Participant or
Subparticipant to exchange information under the Framework Agreement(s)
until the non-compliance is corrected to the satisfaction of the RCE;
(ii) requiring Signatory to terminate the ability of a Participant or
Subparticipant to exchange information under the Framework
Agreement(s); (iii) suspending Signatory's ability to exchange
information under the Common Agreement; or (iv) terminating Signatory's
ability to exchange information under the Common Agreement. RCE shall
adopt an SOP that provides detailed information about sanctions for
non-compliance with an SOP. Nothing in this Section 14.2 of this Common
Agreement limits the RCE's rights to terminate this Common Agreement
under Section 17.3.2 or 17.3.3 of this Common Agreement.
14.3 Intentionally Omitted.
14.4 Intentionally Omitted.
15. Dispute Resolution.
15.1 Acknowledgement and Consent to Dispute Resolution Process.
Signatory acknowledges that it may be in its best interest to resolve
Disputes related to the Common Agreement through a collaborative,
collegial process rather than through civil litigation. Signatory has
reached this conclusion based upon the fact that the legal and factual
issues related to the exchange and related activities under the Common
Agreement are unique, novel, and complex, and limited case law exists
that addresses the legal issues that could arise in connection with
this Common Agreement. Therefore, Signatory agrees to participate in
the Dispute Resolution Process with respect to any Dispute.
Notwithstanding, Signatory understands that the Dispute Resolution
Process does not supersede or replace any oversight, investigatory,
enforcement, or other administrative actions or processes that may be
taken by the relevant authority, whether or not arising out of or
related to the circumstances giving rise to the Dispute. RCE and
Signatory are committed to promptly and fairly resolving Disputes.
To that end, Signatory shall use its best efforts to resolve
Disputes that may arise with other QHINs, their respective Participants
and Subparticipants, or the RCE through informal discussions before
seeking to invoke the Dispute Resolution Process. Likewise, Signatory,
on its own behalf and on behalf of its Participant(s) or
Subparticipant(s), will seek to resolve Disputes involving the RCE
through good-faith informal discussions with the RCE prior to invoking
the Dispute Resolution Process. If the Dispute cannot be resolved
through cooperation between Signatory and the other QHIN(s) or the RCE,
then the RCE may, or Signatory may on its own behalf or on behalf of
its Participant(s) or Subparticipant(s), choose to submit the Dispute
to the Dispute Resolution Process.
Under no circumstances will the Dispute Resolution Process give the
RCE any power to assess monetary damages against any party to the
Dispute Resolution Process including, without limitation, Signatory or
its Participants or Subparticipants or any other QHIN or its
Participants or Subparticipants. Except in accordance with Section
15.2, if Signatory refuses to participate in the Dispute Resolution
Process, such refusal shall constitute a material breach of this Common
Agreement and may be grounds for suspension or termination of
Signatory's participation in TEFCA Exchange.
15.2 Injunctive Relief.
15.2.1 Notwithstanding Section 15.1, Signatory shall be relieved of
its obligation to participate in the Dispute Resolution Process if
Signatory: (i) makes a good faith determination that is based upon
available information or other evidence that another QHIN's or its
Participants' or Subparticipants' acts or omissions will violate
Section 7.1 or cause irreparable harm to Signatory or another
organization or person (e.g., another QHIN or its Participant or an
Individual); and (ii) pursues immediate injunctive relief against such
QHIN or its Participant or Subparticipant in a court of competent
jurisdiction in accordance with Section 19.3. Signatory must notify RCE
of such action within two (2) business days of filing for the
injunctive relief and of the result of the action within twenty-four
(24) hours of a court of competent jurisdiction granting or denying
injunctive relief.
15.2.2 If the injunctive relief sought in Section 15.2.1 is not
granted and Signatory chooses to pursue the Dispute, the Dispute must
be submitted to the Dispute Resolution Process in accordance with
Section 15.1.
15.3 Activities during Dispute Resolution Process. The pendency of
a Dispute under this Common Agreement has no effect on either Party's
obligations herein, unless Signatory terminates its rights in
accordance with Section 17.3.1 or is suspended in accordance with
Section 17.4.2.
15.4 Implementation of Agreed Upon Resolution. If, at any point
during the Dispute Resolution Process, Signatory and all other parties
to the Dispute accept a proposed resolution of the Dispute, Signatory
and RCE each agree to implement the terms of the resolution within the
timeframe agreed to in the resolution of the Dispute, to the extent
applicable to each of them.
15.5 Reservation of Rights. If, following the completion of the
Dispute Resolution Process, in the opinion of either Party, the Dispute
Resolution Process failed to adequately resolve the Dispute, a Party
may pursue any remedies available to it in a court of competent
jurisdiction in accordance with Section 19.3.
15.6 Escalation of Certain Disputes to ONC. Except for RCE
suspension or termination decisions subject to Section 16 of this
Common Agreement, if Signatory has reason to believe that: (i) the RCE
is acting in a Discriminatory Manner or in violation of the RCE's
conflict of interest policies; or (ii) the RCE has not acted in
accordance with its obligations stated in this Common Agreement, then
Signatory shall have the right, on its own behalf and on behalf of its
Participants and Subparticipants, to make a complaint to ONC. The
complaint shall identify the parties to the Dispute, a description of
the Dispute, a summary of each party's position on the issues included
in the Dispute, the final disposition of the
Dispute, and the basis for the RCE's alleged misconduct. The RCE and
Signatory shall each also promptly provide such additional information
as may be reasonably requested by ONC in order to consider and resolve
the issues raised for review. Since this complaint may include PHI and
may include Confidential Information, the RCE will work with ONC to
develop mechanisms to protect the confidentiality of this information.
Such protective mechanisms and the process for escalating a complaint
to ONC are set forth in an SOP.
15.7 Reporting of Anonymized Dispute Information to ONC. As part of
the RCE's communications with ONC, within fifteen (15) business days
after the end of each calendar quarter, the RCE reports the following
information relating to each Dispute that has been submitted through
the Dispute Resolution Process in an anonymized format to ONC: (i)
identification of whether the parties to the Dispute are QHIN(s) only,
or whether the Dispute also involves Participant(s) or
Subparticipant(s); (ii) a description of the Dispute with reasonable
specificity; and (iii) the final disposition of the Dispute.
16. Appeals to ONC and ONC Decisions Regarding XP Usage.
16.1 Signatory may appeal the following decisions of the RCE to
ONC:
16.1.1 Suspension of a Signatory or Suspension of a Signatory's
Participant or Subparticipant; and
16.1.2 Termination of a Signatory's Common Agreement by the RCE.
16.2 ONC anticipates publishing regulations to address the appeals
of any of the RCE's decisions listed in Section 16.1. ONC anticipates
issuing sub-regulatory guidance to address those appeals while
formulating regulations. Until ONC's regulations governing those
appeals are finalized and effective, the sub-regulatory guidance ONC
issues shall be binding under this Common Agreement.
16.3 Notwithstanding anything herein to the contrary, the Parties
agree that ONC may decide whether a Query or a proposed Query meets or
will meet the requirements for the XP Code asserted in the Query. Such
requirements for XP Codes are set forth either in this Common Agreement
or in an applicable SOP(s). ONC may make a decision (i) prior to an
organization becoming, or once an organization has become, a QHIN,
Participant, or Subparticipant if such decision is made pursuant to
this Common Agreement or an applicable SOP(s); or (ii) in connection
with the resolution of a Dispute if the Dispute involves a disagreement
about whether a Query or proposed Query complied with the applicable
requirements for the XP Code asserted in the Query or proposed Query.
If ONC makes a decision pursuant to this Section 16.3 about any Query
or proposed Query, Signatory agrees that ONC's decision will be binding
for TEFCA Exchange and Signatory shall enforce such decision pursuant
to its responsibilities under Section 13.2.2.
17. Term, Termination and Suspension.
17.1 Term. This Common Agreement shall commence on the CA Effective
Date and shall remain in effect until it is terminated by either Party
in accordance with the terms of this Common Agreement.
17.2 Intentionally Omitted.
17.3 Termination.
17.3.1 Termination by Signatory. Signatory may terminate this
Common Agreement at any time without cause by providing ninety (90)
days' prior written notice to RCE. Signatory may also terminate for
cause if the RCE commits a material breach of the Common Agreement, and
the RCE fails to cure its material breach within thirty (30) days of
Signatory providing written notice to RCE of the material breach;
provided, however, that if RCE is diligently working to cure its
material breach at the end of this thirty (30) day period, then
Signatory must provide the RCE with up to another thirty (30) days to
complete its cure.
17.3.1 Termination by the RCE. RCE may not terminate this Common
Agreement except as provided by Section 4.2, this Section 17.3.2, or
Section 17.3.3 of this Common Agreement. RCE may terminate this Common
Agreement with immediate effect by giving notice to Signatory if: (i)
Signatory is in material breach of any of the terms and conditions of
this Common Agreement and fails to remedy such breach within thirty
(30) days after receiving notice of such breach; provided, however,
that if Signatory is diligently working to cure its material breach at
the end of this thirty- (30-) day period, then RCE must provide
Signatory with up to another thirty (30) days to complete its cure; or
(ii) Signatory breaches a material provision of this Common Agreement
where such breach is not capable of remedy.
17.3.2 Termination by RCE if the RCE Ceases to be Funded. The
Parties acknowledge that the RCE's activities under this Common
Agreement are supported by ONC funding. If this funding ceases, there
are no guarantees that the RCE will continue unless a financial
sustainability model has been put in place. If federal funding ceases,
or if the available funding is not sufficient to provide the necessary
funding to support operation of the RCE and there is no successor RCE,
then the RCE may terminate this Common Agreement by providing one
hundred and eighty (180) days' prior written notice to Signatory.
17.3.3 Termination by Mutual Agreement. The Parties may terminate
this Common Agreement at any time and for any reason by mutual, written
agreement.
17.3.4 Effect of Termination of the Common Agreement.
(i) Upon termination of this Common Agreement for any reason, RCE
shall promptly remove Signatory and its Participants and
Subparticipants from the RCE Directory Service and any other lists of
QHINs that RCE maintains. Signatory shall implement the technical
mechanism(s) necessary to ensure that its Participants' and
Subparticipants' ability to participate in TEFCA Exchange is terminated
upon termination of this Common Agreement.
(ii) Upon termination of this Common Agreement for any reason,
Signatory shall, without undue delay, (a) remove all references that
identify it as a QHIN from all media, and (b) cease all use of any
material, including but not limited to product manuals, marketing
literature, and web content that identifies it as a QHIN. Within twenty
(20) business days of termination of this Common Agreement, Signatory
shall confirm to RCE, in writing, that it has complied with this
Subsection 17.3.5(ii).
(iii) To the extent Signatory stores TI, such TI may not be
distinguishable from other information maintained by Signatory. When
the TI is not distinguishable from other information, it is not
possible for Signatory to return or destroy TI it maintains upon
termination or expiration of this Common Agreement. Upon termination or
expiration of this Common Agreement, if Signatory is subject to Section
11 of this Common Agreement, such sections shall continue to apply so
long as the information would be ePHI if maintained by a Covered Entity
or Business Associate. The protections required under the HIPAA
Security Rule shall also continue to apply to all TI that is ePHI,
regardless of whether Signatory is a Covered Entity or Business
Associate.
(iv) In no event shall Signatory be entitled to any refund of any
fees that it has paid the RCE prior to termination.
(v) The provisions set forth in this Section 17.3.5 are in addition
to those
survival provisions set forth in Section 19.16.
17.4 Suspension.
17.4.1 Suspension by RCE. RCE may suspend Signatory's ability to
engage in TEFCA Exchange if RCE determines, following completion of a
preliminary investigation, that Signatory is responsible for a Threat
Condition or in accordance with Section 17.4. RCE will make a
reasonable effort to notify Signatory in advance of RCE's intent to
suspend Signatory, including notice of the Threat Condition giving rise
to such suspension. If advance notice is not reasonably practicable
under the circumstances, the RCE will notify Signatory of the
suspension, and the Threat Condition giving rise thereto, as soon as
practicable following the suspension. Upon suspension of Signatory, RCE
will work collaboratively with Signatory to resolve the issue leading
to the suspension. RCE shall adopt an SOP to address specific
requirements and timelines related to suspension.
17.4.2 Selective Suspension by Signatory. Signatory may, in good
faith and to the extent permitted by Applicable Law, determine that it
must suspend exchanging with another QHIN, Participant, or
Subparticipant with which it is otherwise required to exchange in
accordance with an SOP because of reasonable and legitimate concerns
related to the privacy, security, accuracy, or quality of information
that is exchanged. If Signatory makes this determination, it is
required to promptly notify the RCE and the QHIN that Signatory is
suspending of its decision and the reason(s) for making the decision.
If Signatory makes the decision to suspend, it is required, within
thirty (30) days, to initiate the Dispute Resolution Process in order
to resolve whatever issues led to the decision to suspend, or end its
suspension and resume exchanging with the other QHIN. Provided that
Signatory selectively suspends exchanging with another QHIN in
accordance with this Section 17.4.2 and in accordance with Applicable
Law, such selective suspension shall not be deemed a violation of
Sections 6.2.2 or 9.4.
17.4.3 Additional Suspension Rights of RCE. Notwithstanding
anything to the contrary set forth herein, the RCE retains the right to
suspend any TEFCA Exchange activity (i) upon ten (10) days' prior
notice if the RCE determines that Signatory has created a situation in
which the RCE may suffer material harm and suspension is the only
reasonable step that the RCE can take to protect itself; or (ii)
immediately if the RCE determines that the safety or security of any
person or the privacy or security of TI or Confidential Information is
threatened. In the case of an immediate suspension under this Section
17.4.3, the RCE will provide notice as soon as practicable following
the suspension.
17.4.4 Effect of Suspension. The suspension of Signatory's ability
to participate in TEFCA Exchange pursuant to this Section 17.4 has no
effect on Signatory's other obligations hereunder, including, without
limitation, obligations with respect to privacy and security. During
any suspension pursuant to this Section 17.4, Signatory's inability to
exchange information under this Common Agreement or comply with those
terms of this Common Agreement that require information exchange shall
not be deemed a breach of this Common Agreement. In the event of
suspension of Signatory's ability to participate in TEFCA Exchange,
Signatory shall communicate to its Participants, and require that they
communicate to their Subparticipants, that all TEFCA Exchange by or on
behalf of Signatory's Participants and Subparticipants will also be
suspended during any period of Signatory's suspension. Signatory is
responsible for having and implementing the technical mechanism(s)
necessary to ensure that its Participants' and Subparticipants' ability
to participate in TEFCA Exchange is suspended during the period of
Signatory's suspension from TEFCA Exchange.
17.4.5 RCE Suspension of Participant or Subparticipants. To the
extent that RCE determines that one of Signatory's Participants or
Subparticipants has done something or failed to do something that
results in a Threat Condition, RCE may suspend, or the RCE may direct
that Signatory suspend, that Participant's or Subparticipant's ability
to engage in TEFCA Exchange. In the event that the RCE directs
Signatory to suspend a Participant or Subparticipant based on (a) the
RCE's determination that suspension or termination is warranted based
on (i) an alleged violation of such Framework Agreement or of
Applicable Law by the party/parties; (ii) a cognizable threat to the
security of TEFCA Exchange or the information that the RCE reasonably
believes is TI; or (iii) such suspension is in the interests of
national security as directed by an agency of the United States
government, then Signatory must effectuate such suspension as soon as
practicable and not longer than within twenty-four (24) hours of the
RCE having directed the suspension, unless the RCE specifies a longer
period of time is permitted to effectuate the suspension; and (b) any
reason other than those in subsection (a), then Signatory must
effectuate suspension as soon as practicable.
17.5 Successor RCE and Transition. Signatory agrees that ONC has
the right to select any successor RCE or to act as an interim RCE until
such successor RCE has been selected. Signatory further agrees to work
cooperatively with the RCE and any interim or successor RCE selected by
ONC. Additionally, Signatory shall continue to abide by the provisions
of this Common Agreement during the transition to any interim or
successor RCE.
18. Fees.
18.1 Fees Paid by QHINs to the RCE. Signatory shall pay the fees
set forth on Schedule 1 attached hereto (the ``QHIN Fees''). RCE shall
invoice Signatory for all Fees in accordance with Schedule 1. Unless
otherwise set forth in Schedule 1, invoices shall be due and payable by
Signatory within sixty (60) days after receipt thereof unless Signatory
notifies RCE in writing that it is contesting the accuracy of the
invoice and identifies the specific inaccuracies that it asserts. QHIN
Fees contested under this Section 18.1 shall be resolved between
Signatory and RCE as stated in the applicable SOP. Other than with
regard to invoiced amounts that are contested in good faith, any
collection costs, attorneys' fees or other expenses reasonably incurred
by RCE in collecting amounts due under this Common Agreement are the
responsibility of Signatory. If Signatory fails to pay any undisputed
QHIN Fees when due hereunder, RCE has the right to suspend or terminate
Signatory's ability to participate in any exchange activity under this
Common Agreement. Prior to taking any action against Signatory for non-
payment, including suspension, RCE shall provide Signatory ten (10)
days' prior written notice. If Signatory makes payment within ten (10)
days of receiving written notice, RCE will not suspend Signatory's
ability to participate in any exchange activity under this Common
Agreement. If Signatory fails to make payment within ten (10) days of
receiving notice, then the RCE may implement the suspension or may
terminate Signatory's ability to participate in any exchange activity
under this Common Agreement.
18.1.1 Changes to QHIN Fees. Schedule 1 may be updated by the RCE
from time-to-time in relation to operational costs, availability of ONC
funding, and other market factors in order to ensure the sustainability
of the activities conducted under the Framework Agreements. In light of
the
foregoing, changes to Schedule 1 are not subject to the change
management process set forth in Section 5. The RCE shall provide
Signatory not less than ninety (90) days' advance written notice of any
adjustments to the QHIN Fees set forth in Schedule 1.
18.2 Fees Charged by QHINs to Other QHINs. Signatory is prohibited
from charging fees to other QHINs for any exchange of information using
the Designated Network Services.
18.3 Fees Charged by QHINs, Participants or Subparticipants. QHINs,
Participants, and Subparticipants that operate a Responding Node may
charge fees to an Initiating Node when Responding to Queries through
TEFCA Exchange as defined in an applicable SOP. The foregoing shall not
prohibit Signatory from charging its Participants or Subparticipants
fees for use of its Designated Network Services.
19. Contract Administration.
19.1 Authority to Execute. Signatory warrants and represents that
it has the full power and authority to execute this Common Agreement
and that any representative of Signatory who executes this Common
Agreement has full power and authority to do so on behalf of Signatory.
19.2 Notices. All notices to be made under this Common Agreement
shall be given in writing to Signatory at the address for legal notice
specified in its QHIN Application and to the RCE at The Sequoia Project
8300 Boone Blvd., Suite 500, Vienna, Virginia 22182 or
rce@sequoiaproject.org, and shall be deemed given: (i) upon delivery,
if personally delivered; (ii) upon delivery by overnight delivery
service such as UPS or FEDEX or another recognized commercial carrier;
(iii) upon the date indicated on the return receipt, when sent by the
United States Postal Service Certified Mail, return receipt requested;
or (iv) if by facsimile telecommunication or other form of electronic
transmission, upon receipt when the sending facsimile machine or
electronic mail address receives confirmation of receipt by the
receiving facsimile machine or electronic mail address. Either Party
may update its address for notice by providing notice to the other
Party in accordance with this Section 19.2.
19.3 Governing Law, Forum, and Jurisdiction.
19.3.1 Conflicts of Law and Governing Law. In the event of a
Dispute between Signatory and the RCE, the applicable federal and State
conflicts of law provisions that govern the operations of the Parties
shall determine governing law.
19.3.2 Jurisdiction and Venue. The RCE, currently a Virginia non-
profit corporation, and Signatory each hereby submits to the exclusive
jurisdiction of any State or federal court sitting in the Commonwealth
of Virginia within twenty-five (25) miles of Alexandria, Virginia in
any legal proceeding arising out of or relating to this Common
Agreement unless otherwise required by Applicable Law. The RCE and
Signatory each agrees that all claims and matters arising out of this
Common Agreement may be heard and determined in such court, and each
Party hereby waives any right to object to such filing on grounds of
improper venue, forum non-conveniens, or other venue-related grounds.
19.3.3 Intentionally Omitted.
19.3.4 Sovereign Immunity. No provision within this Common
Agreement in any way constitutes a waiver by the United States
Department of Health and Human Services or any other part of the
federal government of sovereign immunity or any other applicable
immunity from suit or from liability that the United States Department
of Health and Human Services or other part of the federal government
may have by operation of law.
19.4 Assignment. None of this Common Agreement, including but not
limited to any of the rights created by this Common Agreement, can be
transferred by either Party, whether by assignment, merger, other
operation of law, change of control of the Party or otherwise, without
the prior written approval of the other Party. Notwithstanding the
foregoing, if ONC selects another organization to serve as the RCE,
then RCE shall assign this Common Agreement to the successor RCE or an
interim RCE as directed by ONC and consent of Signatory to such
assignment shall not be required. Signatory understands and agrees that
no interim or successor RCE shall have any obligation or liability for
any act or omission of The Sequoia Project in connection with this
Common Agreement or any of the other Framework Agreements prior to the
termination of The Sequoia Project's status as the RCE.
19.5 Force Majeure. Neither Party shall be responsible for any
delays or failures in performance caused by the occurrence of events or
other circumstances that are beyond its reasonable control after the
exercise of commercially reasonable efforts to either prevent or
mitigate the effect of any such occurrence or event.
19.6 Severability. If any provision of this Common Agreement shall
be adjudged by any court of competent jurisdiction to be unenforceable
or invalid, that provision shall be struck from the Common Agreement,
and the remaining provisions of this Common Agreement shall remain in
full force and effect and enforceable.
19.7 Counterparts. This Common Agreement may be executed in one or
more counterparts, each of which shall be considered an original
counterpart, and shall become a binding agreement when each Party shall
have executed one counterpart.
19.8 Captions. Captions appearing in this Common Agreement are for
convenience only and shall not be deemed to explain, limit, or amplify
the provisions of this Common Agreement.
19.9 Independent Parties. Nothing contained in this Common
Agreement shall be deemed or construed as creating a joint venture or
partnership between Signatory and RCE.
19.10 Acts of Contractors and Agents. To the extent that the acts
or omissions of a Party's agent(s) or contractor(s), or their
subcontractor(s), result in that Party's breach of and liability under
this Common Agreement, said breach shall be deemed to be a breach by
that Party.
19.11 Entire Agreement; Waiver. This Common Agreement, together
with the QTF, SOPs, and all other attachments, exhibits, and artifacts
incorporated by reference, contains the entire understanding of the
Parties with regard to the subject matter contained herein. The failure
of either Party to enforce, at any time, any provision of this Common
Agreement shall not be construed to be a waiver of such provision, nor
shall it in any way affect the validity of this Common Agreement or any
part hereof or the right of such Party thereafter to enforce each and
every such provision. No waiver of any breach of this Common Agreement
shall be held to constitute a waiver of any other or subsequent breach,
nor shall any delay by either Party to exercise any right under this
Common Agreement operate as a waiver of any such right.
19.12 Effect of Agreement. Except as provided in Sections 7.4 and
Section 15, nothing in this Common Agreement shall be construed to
restrict either Party's right to pursue all remedies available under
law for damages or other relief arising from acts or omissions of the
RCE or other QHINs or their Participants or Subparticipants related to
the Common Agreement, or to limit any rights, immunities, or defenses
to which Signatory may be entitled under Applicable Law.
19.13 Priority. In the event of any conflict or inconsistency
between
Applicable Law, a provision of this Common Agreement, the QTF, an SOP,
or any implementation plans, guidance documents, or other materials or
documentation the RCE makes available to QHINs, Participants, or
Subparticipants regarding the operations or activities conducted under
the Framework Agreements, the following shall be the order of
precedence for this Common Agreement to the extent of such conflict or
inconsistency: (i) Applicable Law; (ii) the Common Agreement; (iii) the
ToP; (iv) the QTF; (v) the Dispute Resolution Process, as set forth
herein and further detailed in an SOP; (vi) all other SOPs; (vii) all
other attachments, exhibits, and artifacts incorporated herein by
reference; and (viii) other RCE plans, documents, or materials made
available regarding activities conducted under the Framework
Agreements.
19.14 QHIN Time Periods. Any of the time periods relating to the
Parties hereto that are specified in this Common Agreement may be
changed on a case-by-case basis pursuant to the mutual written consent
of the Parties, provided that these changes are not undertaken to
adversely affect another QHIN and provided that these changes would not
unfairly benefit either Party to the detriment of others participating
in activities under the Framework Agreements. Time periods that pertain
to ONC may not be changed, except by ONC, including the time periods
for ONC review of proposed changes to the Common Agreement, the QTF, or
SOPs that are set forth in Section 5.
19.15 Remedies Cumulative. The rights and remedies of the Parties
provided in this Common Agreement are cumulative and are in addition to
any other rights and remedies provided by Applicable Law.
19.16 Survival of Rights and Obligations. The respective rights,
obligations, and liabilities of the Parties with respect to acts or
omissions that occur by either Party prior to the date of expiration or
termination of this Common Agreement shall survive such expiration or
termination. Following any expiration or termination of this Common
Agreement, the Parties shall thereafter cooperate fully and work
diligently in good faith to achieve an orderly resolution of all
matters resulting from such expiration or termination.
19.16.1 The following sections shall survive expiration or
termination of this Common Agreement as more specifically provided
below:
(i) The following sections shall survive in perpetuity following
the expiration or termination of this Common Agreement: Sections 7.6
Limitation of Liability; 19.2 Notices; 19.3 Governing Law, Forum, and
Jurisdiction; 19.6 Severability; 19.9 Independent Parties; 19.10 Acts
of Contractors and Agents; 19.11 Entire Agreement; Waiver; 19.12 Effect
of Agreement; 19.13 Priority; and 19.15 Remedies Cumulative.
(ii) The following sections shall survive for a period of six (6)
years following the expiration or termination of this Common Agreement:
Sections 7.1 Confidential Information; 7.2 Disclosure of Confidential
Information; 7.4.1 Statement of General Principle; 12.3 TEFCA Security
Incident Notification; and 14.1 Transparency--Access to Participant/
Subparticipant Information.
(iii) The following section shall survive for the period
specifically stated in such section following the expiration or
termination of this Common Agreement: Section 17.3.5 Effect of
Termination of Common Agreement.
(iv) To the extent that Signatory is an IAS Provider, the
provisions set forth in Section 10.6 shall survive following the
termination or expiration of this Common Agreement for the respective
periods set forth therein.
In witness whereof, the Parties hereto, intending legally to be
bound hereby, have executed and delivered this Common Agreement as of
the date first above written.
RCE: THE SEQUOIA PROJECT, INC.
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Signature
By:--------------------------------------------------------------------
Title:-----------------------------------------------------------------
Date:------------------------------------------------------------------
Signatory:
-----------------------------------------------------------------------
Signature
By:--------------------------------------------------------------------
Title:-----------------------------------------------------------------
Date:------------------------------------------------------------------
Exhibit 1 to the Common Agreement for Nationwide Health Information
Interoperability
Participant/Subparticipant Terms of Participation
Version 1.0
April 2024
Participant/Subparticipant Terms of Participation
Introduction
Section 4003 of the 21st Century Cures Act directed the U.S.
Department of Health and Human Services (``HHS'') National Coordinator
for Health Information Technology to, ``in collaboration with the
National Institute of Standards and Technology and other relevant
agencies within the Department of Health and Human Services, for the
purpose of ensuring full network-to-network exchange of health
information, convene public-private and public-public partnerships to
build consensus and develop or support a trusted exchange framework,
including a common agreement among health information networks
nationally'' (the ``Trusted Exchange Framework and Common
Agreement''℠ or TEFCA℠). The common agreement referenced in the
foregoing sentence is the Common Agreement for Nationwide Health
Information Interoperability entered into by each Qualified Health
Information Network™ (``QHIN™'') that has been Designated to
participate in TEFCA. The Common Agreement requires that every QHIN
contractually obligate their TEFCA Participants, who in turn are
required to contractually obligate their Subparticipants to comply with
the Participant/Subparticipant Terms of Participation (``ToP'').
Upstream QHIN, Participant, or Subparticipant (``QPS''), as defined
below, must ensure that these ToP are included, directly or by
reference, in a legally enforceable contract in which the Upstream QPS
binds its Participants and Subparticipants. These ToP must be presented
and entered into WITHOUT modification, except that Upstream QPS should
insert its name in the highlighted field(s) below and the name of the
QHIN if Upstream QPS is not a QHIN and may, but is not required to, add
signature lines to the end of these ToP. For the avoidance of doubt,
the foregoing is not intended to prohibit Upstream QPS from imposing
additional terms upon its Participants and/or Subparticipants, provided
any such terms do not conflict with the ToP with respect to TEFCA
Exchange.
Participant/Subparticipant Terms of Participation
[NAME OF UPSTREAM QPS] (``Upstream QPS'') participates in TEFCA by
providing technical and/or governance services to its Participants and/
or Subparticipants to facilitate their ability to engage in TEFCA
Exchange consistent with all applicable legal and contractual
requirements. [Upstream QPS is a QHIN OR Upstream QPS is a Participant
or Subparticipant of [QHIN].] Your organization (``You'') wishes to
become a Participant or Subparticipant, as applicable, of Upstream QPS
so that You may participate in TEFCA Exchange.
As a Participant or Subparticipant, You agree to abide by these
Participant/
Subparticipant Terms of Participation (``ToP'').
1. Definitions and Relevant Terminology.
1.1 Defined Terms. Capitalized terms used in these ToP shall have
the meaning set forth below. Where a definition includes one or more
citations to a statute, regulation, or standard, the definition shall
be interpreted to refer to such statute, regulation, or standard as may
be amended from time-to-time.
Applicable Law: all federal, State, local, or tribal laws and
regulations then in effect and applicable to the subject matter herein.
For the avoidance of doubt, federal agencies are only subject to
federal law.
Breach of Unencrypted Individually Identifiable Information: the
acquisition, access, or Disclosure of unencrypted Individually
Identifiable Information maintained by an IAS Provider that compromises
the security or privacy of the unencrypted Individually Identifiable
Information.
Business Associate: has the meaning assigned to such term at 45 CFR
160.103.
Business Associate Agreement (BAA): a contract, agreement, or other
arrangement that satisfies the implementation specifications described
within 45 CFR 164.314(a) and 164.504(e), as applicable.
Common Agreement: unless otherwise expressly indicated, the Common
Agreement for Nationwide Health Information Interoperability, the QHIN
Technical Framework (QTF), all Standard Operating Procedures (SOPs),
and all other attachments, exhibits, and artifacts incorporated therein
by reference.
Confidential Information: any information that is designated as
Confidential Information by the CI Discloser, or that a reasonable
person would understand to be of a confidential nature, and is
disclosed to a CI Recipient pursuant to a Framework Agreement. For the
avoidance of doubt, ``Confidential Information'' does not include
electronic protected health information (ePHI), as defined herein, that
is subject to a Business Associate Agreement and/or other provisions of
a Framework Agreement.
Notwithstanding any label to the contrary, ``Confidential
Information'' does not include any information that: (i) is or becomes
known publicly through no fault of the CI Recipient; or (ii) is learned
by the CI Recipient from a third party that the CI Recipient reasonably
believes is entitled to disclose it without restriction; or (iii) is
already known to the CI Recipient before receipt from the CI Discloser,
as shown by the CI Recipient's written records; or (iv) is
independently developed by CI Recipient without the use of or reference
to the CI Discloser's Confidential Information, as shown by the CI
Recipient's written records, and was not subject to confidentiality
restrictions prior to receipt of such information from the CI
Discloser.
Confidential Information (CI) Discloser: a person or entity that
discloses Confidential Information.
Confidential Information (CI) Recipient: a person or entity that
receives Confidential Information.
Connectivity Services: the technical services provided by a QHIN,
Participant, or Subparticipant to its Participants and Subparticipants
that facilitate TEFCA Exchange and are consistent with the requirements
of the then-applicable QHIN Technical Framework.
Covered Entity: has the meaning assigned to such term at 45 CFR
160.103.
Designated Network: the Health Information Network that a QHIN uses
to offer and provide the Designated Network Services.
Designated Network Governance Body: a representative and
participatory group or groups that approve the processes for fulfilling
the Governance Functions and participate in such Governance Functions
for Signatory's Designated Network.
Designated Network Services: the Connectivity Services and/or
Governance Services.
Directory Entry(ies): listing of each Node controlled by a QHIN,
Participant or Subparticipant, which includes the endpoint resource for
such Node(s) and any other organizational or technical information
required by the QTF or an applicable SOP.
Disclosure (including its correlative meanings ``Disclose,''
``Disclosed,'' and ``Disclosing''): the release, transfer, provision of
access to, or divulging in any manner of TEFCA Information (TI) outside
the entity holding the information.
Discover (including its correlative meanings ``Discovery'' and
``Discovering''): the first day on which something is known to the
QHIN, Participant, or Subparticipant, or by exercising reasonable
diligence would have been known, to the QHIN, Participant,
Subparticipant.
Discriminatory Manner: an act or omission that is inconsistently
taken or not taken with respect to any similarly situated QHIN,
Participant, Subparticipant, Individual, or group of them, whether it
is a competitor, or whether it is affiliated with or has a contractual
relationship with any other entity, or in response to an event.
Electronic Protected Health Information (ePHI): has the meaning
assigned to such term at 45 CFR 160.103.
Exchange Purpose or XP: means the reason, as authorized by a
Framework Agreement, including the applicable SOP(s), for a
transmission, Query, Use, Disclosure, or Response transacted through
TEFCA Exchange.
Framework Agreement(s): with respect to QHINs, the Common
Agreement; and with respect to a Participant or Subparticipant, the
ToP.
FTC Rule: the Health Breach Notification Rule promulgated by the
Federal Trade Commission set forth at 16 CFR part 318.
Government Benefits Determination: a determination made by any
agency, instrumentality, or other unit of the federal, State, local, or
tribal government as to whether an Individual qualifies for government
benefits for any purpose other than health care (e.g., Social Security
disability benefits) to the extent permitted by Applicable Law.
Disclosure of TI for this purpose may require an authorization that
complies with Applicable Law.
Government Health Care Entity: any agency, instrumentality, or
other unit of the federal, State, local, or tribal government to the
extent that it provides health care services (e.g., treatment) to
Individuals but only to the extent that it is not acting as a Covered
Entity.
Governance Functions: the functions, activities, and
responsibilities of the Designated Network Governance Body as set forth
in an applicable SOP.
Governance Services: the governance functions described in an
applicable SOP, which are performed by a QHIN's Designated Network
Governance Body for its Participants and Subparticipants to facilitate
TEFCA Exchange in compliance with the then-applicable requirements of
the Framework Agreements.
Health Care Provider: meets the definition of such term in either
45 CFR 171.102 or in the HIPAA Rules at 45 CFR 160.103.
Health Information Network (HIN): has the meaning assigned to the
term ``Health Information Network or Health Information Exchange'' in
the information blocking regulations at 45 CFR 171.102.
HIPAA: the Health Insurance Portability and Accountability Act of
1996, Public Law 104-191 and the Health Information Technology for
Economic and Clinical Health Act of 2009, Public Law 111-5.
HIPAA Rules: the regulations set forth at 45 CFR parts 160, 162,
and 164.
HIPAA Privacy Rule: the regulations set forth at 45 CFR parts 160
and 164, Subparts A and E.
HIPAA Security Rule: the regulations set forth at 45 CFR part 160
and 164, subpart C.
Implementation Date: the date sixty (60) calendar days after
publication of version 2 of the Common Agreement in the Federal
Register.
Individual: has the meaning assigned to such term at 45 CFR
171.202(a)(2).
Individual Access Services Incident (IAS Incident): a TEFCA
Security Incident or a Breach of Unencrypted Individually Identifiable
Information maintained by an IAS Provider.
Individual Access Service Consent (IAS Consent): an IAS Provider's
own supplied form for obtaining express written consent from the
Individual in connection with the IAS.
Individual Access Services Provider (IAS Provider): each QHIN,
Participant, and Subparticipant that offers Individual Access Services
(IAS).
Individual Access Services (IAS): the services provided to an
Individual by a QHIN, Participant, or Subparticipant that has a direct
contractual relationship with such Individual in which the QHIN,
Participant, or Subparticipant, as applicable, agrees to satisfy that
Individual's ability to use TEFCA Exchange to access, inspect, obtain,
or transmit a copy of that Individual's Required Information.
Individually Identifiable Information: information that identifies
an Individual or with respect to which there is a reasonable basis to
believe that the information could be used to identify an Individual.
Initiating Node: a Node through which a QHIN, Participant, or
Subparticipant initiates transactions for TEFCA Exchange and, to the
extent such transaction is a Query, receives a Response to such Query.
Node: a technical system that is controlled directly or indirectly
by a QHIN, Participant, or Subparticipant and that is listed in the RCE
Directory Service.
Non-HIPAA Entity (NHE): a QHIN, Participant, or Subparticipant that
is neither a Covered Entity nor a Business Associate as defined under
the HIPAA Rules with regard to activities under a Framework Agreement.
To the extent a QHIN, Participant, or Subparticipant is a Hybrid
entity, as defined in 45 CFR 164.103, such QHIN, Participant, or
Subparticipant shall be considered a Non-HIPAA Entity with respect to
TEFCA Exchange activities related to such QHIN, Participant, or
Subparticipant's non-covered components.
ONC: the U.S. Department of Health and Human Services Office of the
National Coordinator for Health Information Technology.
Participant: to the extent permitted by applicable SOP(s), a U.S.
Entity that has entered into the ToP in a legally binding contract with
a QHIN to use the QHIN's Designated Network Services to participate in
TEFCA Exchange in compliance with the ToP.
Participant/Subparticipant Terms of Participation (ToP): the
requirements set forth in Exhibit 1 to the Common Agreement, as
reflected herein, to which: QHINs must contractually obligate their
Participants to agree; to which QHINs must contractually obligate their
Participants to contractually obligate their Subparticipants and
Subparticipants of the Subparticipants to agree, in order to
participate in TEFCA Exchange including the QHIN Technical Framework
(QTF), all applicable Standard Operating Procedures (SOPs), and all
other attachments, exhibits, and artifacts incorporated therein by
reference.
Privacy and Security Notice: an IAS Provider's own supplied written
privacy and security notice that contains the information required by
the applicable SOP(s).
Protected Health Information (PHI): has the meaning assigned to
such term at 45 CFR 160.103.
Public Health Authority: has the meaning assigned to such term at
45 CFR 164.501.
QHIN Technical Framework (QTF): the most recent effective version
of the document that contains the technical, functional, privacy, and
security requirements for TEFCA Exchange.
Qualified Health Information Network (QHIN): to the extent
permitted by applicable SOP(s), a Health Information Network that is a
U.S. Entity that has been Designated by the RCE and is a party to the
Common Agreement countersigned by the RCE.
Query(ies) (including its correlative uses/tenses ``Queried'' and
``Querying''): the act of asking for information through TEFCA
Exchange.
RCE Directory Service: a technical service provided by the RCE that
enables QHINs to identify their Nodes to enable TEFCA Exchange. The
requirements for use of, inclusion in, and maintenance of the RCE
Directory Service are set forth in the Framework Agreements, QTF, and
applicable SOPs.
Recognized Coordinating Entity® (RCE™): the entity
selected by ONC that enters into the Common Agreement with QHINs in
order to impose, at a minimum, the requirements of the Common
Agreement, including the SOPs and the QTF, on the QHINs and administer
such requirements on an ongoing basis.
Required Information: the Electronic Health Information, as defined
in 45 CFR 171.102, that is (i) maintained in a Responding Node by any
QHIN, Participant, or Subparticipant prior to or during the term of the
applicable Framework Agreement and (ii) relevant for a required XP
Code, as set forth in the QTF or an applicable SOP(s).
Responding Node: a Node through which the QHIN, Participant, or
Subparticipant Responds to a received transaction for TEFCA Exchange.
Response(s) (including its correlative uses/tenses ``Responds,''
``Responded'' and ``Responding''): the act of providing the information
that is the subject of a Query or otherwise transmitting a message in
response to a Query through TEFCA Exchange.
Standard Operating Procedure(s) or SOP(s): a written procedure or
other provision that is adopted pursuant to the Common Agreement and
incorporated by reference into the Framework Agreements to provide
detailed information or requirements related to TEFCA Exchange,
including all amendments thereto. Each SOP identifies the relevant
group(s) to which the SOP applies, including whether Participants or
Subparticipants are required to comply with a given SOP.
State: any of the several States, the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern
Mariana Islands.
Subparticipant: to the extent permitted by applicable SOP(s), a
U.S. Entity that has entered into the ToP in a legally binding contract
with a Participant or another Subparticipant to use the Participant's
or Subparticipant's Connectivity Services to participate in TEFCA
Exchange in compliance with the ToP.
TEFCA Exchange: the transaction of information between Nodes using
an XP Code.
TEFCA Information (TI): any information that is transacted through
TEFCA Exchange except to the extent that such information is received
by a QHIN, Participant, or Subparticipant that is a Covered Entity,
Business Associate, or NHE that is exempt from compliance with the
Privacy section of the applicable Framework Agreement and is
incorporated into such recipient's system of records, at which point
the
information is no longer TI with respect to such recipient and is
governed by the HIPAA Rules and other Applicable Law.
TEFCA Security Incident(s):
(i) An unauthorized acquisition, access, Disclosure, or Use of
unencrypted TI using TEFCA Exchange, but NOT including any of the
following:
(a) Any unintentional acquisition, access, Use, or Disclosure of TI
by a Workforce Member or person acting under the authority of a QHIN,
Participant, or Subparticipant, if such acquisition, access, Use, or
Disclosure (i) was made in good faith, (ii) was made by a person acting
within their scope of authority, (iii) was made to another Workforce
Member or person acting under the authority of any QHIN, Participant,
or Subparticipant, and (iv) does not result in further acquisition,
access, Use, or Disclosure in a manner not permitted under Applicable
Law and the Framework Agreements.
(b) A Disclosure of TI where a QHIN, Participant, or Subparticipant
has a good faith belief that an unauthorized person to whom the
Disclosure was made would not reasonably have been able to retain such
information.
(c) A Disclosure of TI that has been de-identified in accordance
with the standard at 45 CFR 164.514(b).
(ii) Other security events (e.g., ransomware attacks), as set forth
in an SOP, that adversely affect a QHIN's, Participant's, or
Subparticipant's participation in TEFCA Exchange.
Threat Condition: (i) a breach of a material provision of a
Framework Agreement that has not been cured within fifteen (15) days of
receiving notice of the material breach (or such other period of time
to which the Parties have agreed), which notice shall include such
specific information about the breach that the RCE has available at the
time of the notice; or (ii) a TEFCA Security Incident; or (iii) an
event that RCE, a QHIN, its Participant, or their Subparticipant has
reason to believe will disrupt normal TEFCA Exchange, either due to
actual compromise of or the need to mitigate demonstrated
vulnerabilities in systems or data of the QHIN, Participant, or
Subparticipant, as applicable, or could be replicated in the systems,
networks, applications, or data of another QHIN, Participant, or
Subparticipant; or (iv) any event that could pose a risk to the
interests of national security as directed by an agency of the United
States government.
United States: the fifty (50) States, the District of Columbia, and
the territories and possessions of the United States including, without
limitation, all military bases or other military installations,
embassies, and consulates operated by the United States government.
U.S. Entity/Entities: any corporation, limited liability company,
partnership, or other legal entity that meets all of the following
requirements:
(i) The entity is organized under the laws of a State or
commonwealth of the United States or the federal law of the United
States and is subject to the jurisdiction of the United States and the
State or commonwealth under which it was formed;
(ii) The entity's principal place of business, as determined under
federal common law, is in the United States; and
(iii) None of the entity's directors, officers, or executives, and
none of the owners with a five percent (5%) or greater interest in the
entity, are listed on the Specially Designated Nationals and Blocked
Persons List published by the United States Department of the
Treasury's Office of Foreign Asset Control or on the United States
Department of Health and Human Services, Office of Inspector General's
List of Excluded Individuals/Entities.
Use(s) (including correlative uses/tenses, such as ``Uses,''
``Used,'' and ``Using''): with respect to TI, means the sharing,
employment, application, utilization, examination, or analysis of such
information within an entity that maintains such information.
Workforce Member(s): any employees, volunteers, trainees, and other
persons whose conduct, in the performance of work for an entity, is
under the direct control of such entity, whether or not they are paid
by the entity.
XP Code: the code used to identify the XP in any given transaction,
as set forth in the applicable SOP(s).
1.2 ToP Terminology.
1.2.1 References to You and QHINs, Participants, and
Subparticipants. As set forth in its definition and in the introductory
paragraph of these ToP, the term ``You'' is used to refer to the
specific entity that is a party to these ToP with the Upstream QPS.
(You and Upstream QPS may also be referred to herein individually as a
``Party'' or collectively as the ``Parties.'') Any and all rights and
obligations of a QHIN, Participant or Subparticipant stated herein are
binding upon all other QHINs, Participants, and Subparticipants that
have entered into a Framework Agreement. References herein to
``QHINs,'' ``other Participants,'' ``other Subparticipants,'' and
similar such terms are used to refer to any and all other organizations
that have signed a Framework Agreement.
1.2.2 General Rule of Construction. For the avoidance of doubt, a
reference to a specific section of the ToP in a particular section does
not mean that other sections of the ToP that expressly apply to You are
inapplicable. A reference in these ToP to any law, any regulation, or
to Applicable Law includes any amendment, modification or replacement
to such law, regulation, or Applicable Law.
1.2.3 Terms of Participation for Subparticipants. You shall
contractually obligate your Subparticipants, if any, to comply with the
ToP. Notwithstanding the foregoing, for any entity that became Your
Subparticipant prior to the Implementation Date, You shall (i)
contractually obligate such entity to comply with the ToP within one-
hundred eighty (180) days of the Implementation Date, provided that
such Subparticipant is and remains a party to the Participant
Subparticipant Agreement, as defined in and required by Common
Agreement Version 1.1, during such period; or (ii) terminate such
entity's ability to engage in TEFCA Exchange upon the earlier of the
date of termination of the existing Participant-Subparticipant
Agreement or one-hundred eighty (180) days after the Implementation Date.
2. Cooperation and Non-Discrimination.
2.1 Cooperation. You understand and acknowledge that numerous
activities with respect to the ToP will likely involve the RCE, QHINs,
and their respective Participants and Subparticipants, as well as
employees, agents, third-party contractors, vendors, or consultants of
each of them. You shall reasonably cooperate with the RCE, ONC, QHINs
and their respective Participants and Subparticipants in all matters
related to TEFCA Exchange, including any dispute resolution activities
in which You are involved. Expectations for reasonable cooperation are
set forth in an SOP. The costs of cooperation to You shall be borne by
You and shall not be charged to the RCE or other QHINs. Nothing in this
Section 2.1 shall modify or replace the TEFCA Security Incident
notification obligations under Section 8.3 and, if applicable, the IAS
Incident notification obligations under Section 6.3.2 of the ToP.
2.2 Non-Discrimination.
2.2.1 Prohibition Against Exclusivity. Upstream QPS shall not
prohibit or attempt to prohibit You, nor shall You or Upstream QPS
prohibit or attempt to prohibit any of Your Subparticipants, if any,
from joining, exchanging with, conducting other transactions with, or
supporting any other networks or exchange frameworks that use services
other than the
Upstream QPS's Designated Network Services or Your Connectivity
Services, concurrently with Your or Your Subparticipants' participation
in TEFCA Exchange. Notwithstanding the foregoing, this subsection does
not preclude You from including and enforcing reasonable term limits in
the contracts with Your Subparticipants related to Your
Subparticipants' use of Your Connectivity Services.
2.2.2 No Discriminatory Limits on Exchange of TI. Neither You nor
Upstream QPS shall engage in TEFCA Exchange, refrain from engaging in
TEFCA Exchange, or limit TEFCA Exchange with any QHIN, Participant,
Subparticipant, or Individual in a Discriminatory Manner.
Notwithstanding the foregoing, if You refrain from engaging in TEFCA
Exchange or limit interoperability with any other QHIN, Participant, or
Subparticipant under the following circumstances, Your actions or
inactions shall not be deemed discriminatory: (i) Your Connectivity
Services require load balancing of network traffic or similar
activities provided such activities are implemented in a consistent and
non-discriminatory manner for a period of time no longer than necessary
to address the network traffic issue; (ii) You have a reasonable and
good-faith belief that the other QHIN, Participant, or Subparticipant
has not satisfied or will not be able to satisfy the applicable terms
of a Framework Agreement (including compliance with Applicable Law) in
any material respect; and/or (iii) Your actions or inactions are
consistent with or permitted by an applicable SOP. One QHIN,
Participant, or Subparticipant suspending its exchange activities with
another QHIN, Participant, or Subparticipant in accordance with Section
17.4.2 of the Common Agreement or Section 10.4.5 of the ToP, as
applicable, shall not be deemed discriminatory.
2.2.3 Updates to Connectivity Services. In revising and updating
Connectivity Services from time to time, You will use commercially
reasonable efforts to do so in accordance with generally accepted
industry practices and to implement any changes in a non-discriminatory
manner; provided, however, this provision shall not apply to limit
modifications or updates to the extent that such revisions or updates
are required by Applicable Law or implemented to respond promptly to
newly discovered privacy or security threats.
2.2.4 Notice of Updates to Connectivity Services. You shall
implement a reporting protocol to provide reasonable prior written
notice of all modifications or updates of Your Connectivity Services to
Upstream QPS and Your Subparticipants if such revisions or updates are
expected to adversely affect Your ability to engage in TEFCA Exchange
or require changes in the Connectivity Services of Upstream QPS or Your
Subparticipants, regardless of whether they are necessary due to
Applicable Law or newly discovered privacy or security threats.
3. Confidentiality and Accountability.
3.1 Confidential Information. You and Upstream QPS each agree to
use and disclose all Confidential Information received pursuant to
these ToP only as authorized in these ToP and any applicable SOP(s) and
solely for the purposes of performing its obligations under a Framework
Agreement or the proper exchange of information through TEFCA Exchange
and for no other purpose. You and Upstream QPS may act as a CI
Discloser and a CI Recipient, accordingly. A CI Recipient may disclose
the Confidential Information it receives only to its Workforce Members
who require such knowledge and use in the ordinary course and scope of
their employment or retention and are obligated to protect the
confidentiality of the CI Discloser's Confidential Information in a
manner substantially equivalent to the terms required herein for the
treatment of Confidential Information. If a CI Recipient must disclose
the CI Discloser's Confidential Information under operation of law, it
may do so provided that, to the extent permitted by Applicable Law, the
CI Recipient gives the CI Discloser reasonable notice to allow the CI
Discloser to object to such redisclosure, and such redisclosure is made
to the minimum extent necessary to comply with Applicable Law.
3.2 Disclosure of Confidential Information. Nothing herein shall be
interpreted to prohibit Upstream QPS or the RCE from disclosing any
Confidential Information to ONC. You acknowledge that ONC, as a Federal
government agency, is subject to the Freedom of Information Act. Any
disclosure of Your Confidential Information to ONC or any ONC
contractor will be subject to Applicable Law, as well as the
limitations, procedures, and other relevant provisions of any
applicable SOP(s).
3.3 ONC's and the RCE's Approach when Requesting Confidential
Information. As a matter of general policy, ONC will request only the
limited set of Confidential Information that ONC believes is necessary
to inform the specific facts and circumstances of a matter. The RCE
will request only the limited set of Confidential Information that the
RCE believes is necessary to inform the specific facts and
circumstances of a matter.
4. RCE Directory Service and Directory Entries.
4.1 Utilization of Directory Entries. The RCE Directory Service and
Directory Entries contained therein shall be used by QHINs solely as
necessary to create and maintain operational connectivity to enable
TEFCA Exchange. Upstream QPS is providing You with access to, and the
right to use, Directory Entries on the express condition that You only
use and disclose Directory Entry information as necessary to advance
the intended use of the Directory Entries or as required by Applicable
Law. For example, You are permitted to disclose Directory Entry
information to Your Workforce Members, Your Subparticipant's Workforce
Members, and/or to the Workforce Members of health information
technology vendors who are engaged in assisting You or Your
Subparticipant with establishing and maintaining connectivity via the
Framework Agreements. Further, You shall not use another QPS's
Directory Entries or information derived therefrom for marketing or any
form of promotion of Your own products and services, unless otherwise
permitted pursuant to an SOP. In no event shall You use or disclose the
information contained in the Directory Entries in a manner that should
be reasonably expected to have a detrimental effect on ONC, the RCE,
Upstream QPS, Your Subparticipants, other QHINs, other Participants,
other Subparticipants, or any other individual or organization. For the
avoidance of doubt, Directory Entries are Confidential Information of
the CI Discloser except to the extent such information meets one of the
exceptions to the definition of Confidential Information. Nothing
herein shall be interpreted to prohibit a QHIN or Upstream QPS from
publicly disclosing the identity of its own Participants or
Subparticipants.
4.2 ToP Record. You must maintain a record of all ToPs into which
You enter with Your Subparticipants, if any, regardless of whether such
Subparticipants are listed in the RCE Directory Services. Such record
must be provided to the RCE within four (4) business days following the
RCE's or Upstream QPS's written request unless such other timeframe is
agreed to by the RCE.
5. TEFCA Exchange Activities.
5.1 Utilization of TEFCA Exchange. You may only utilize
Connectivity Services for purposes of facilitating TEFCA Exchange. You
may only utilize
TEFCA Exchange for an XP. To the extent there are limitations on what
types of Participants or Subparticipants may transact TEFCA Information
for a specific XP, such limitations will be set forth in the applicable
SOP(s). All TEFCA Exchange is governed by and must comply with the
Framework Agreements governing the QHINs, Participants, and
Subparticipants engaging in the TEFCA Exchange. To the extent that
Upstream QPS provides you with access to other health information
exchange networks, these ToP do not affect these other activities or
the reasons for which You may request and exchange information within
these other networks. Such activities are not in any way limited by the
Framework Agreements provided the transactions are not TEFCA Exchange.
5.2 Uses. You may Use TI in any manner that: (i) is not prohibited
by Applicable Law; (ii) is consistent with Your Privacy and Security
Notice, if applicable; and (iii) is in accordance with Sections 7 and 8
of these ToP.
5.3 Disclosures. You may Disclose TI provided such Disclosure: (i)
is not prohibited by Applicable Law; (ii) is consistent with Your
Privacy and Security Notice, if applicable; and (iii) is in accordance
with Sections 7 and 8 of these ToP.
5.4 Responses. Except as otherwise set forth in an applicable SOP,
Your Responding Nodes must Respond to Queries for all XP Codes that are
identified as ``required'' in the applicable SOP(s). Such Response
must include all Required Information. Notwithstanding the foregoing,
You may withhold some or all of the Required Information to the extent
necessary to comply with Applicable Law.
5.5 Special Legal Requirements. If and to the extent Applicable Law
requires that an Individual either consent to, approve, or provide an
authorization for the Use or Disclosure of that Individual's
information to You, such as a more stringent federal or State law
relating to sensitive health information, then You shall refrain from
the Use or Disclosure of such information in connection with these ToP
unless such Individual's consent, approval, or authorization has been
obtained consistent with the requirements of Applicable Law and Section
7 of these ToP, including, without limitation, communicated pursuant to
the access consent policy(ies) described in the QTF or applicable
SOP(s). Copies of such consent, approval, or authorization shall be
maintained and transmitted pursuant to the process described in the QTF
by whichever party is required to obtain it under Applicable Law, and
You may make such copies of the consent, approval, or authorization
available electronically to any QHIN, Participant, or Subparticipant in
accordance with the QTF and to the extent permitted by Applicable Law.
You shall maintain written policies and procedures to allow an
Individual to revoke such consent, approval, or authorization on a
prospective basis. If You are an IAS Provider, the foregoing shall not
be interpreted to modify, replace, or diminish the requirements set
forth in Section 6 of these ToP and any applicable SOP(s) for obtaining
an Individual's express written consent.
6. Individual Access Services.
6.1 IAS Offering(s). You may elect to be an IAS Provider by
offering IAS to any Individual in accordance with the requirements of
this section and in accordance with all other provisions of these ToP
and applicable SOP(s). Nothing in this Section 6 shall modify,
terminate, or in any way affect an Individual's right of access under
the HIPAA Privacy Rule at 45 CFR 164.524 if You are a Covered Entity or
a Business Associate. Nothing in this Section 6 of these ToP shall be
construed as modifying or taking precedence over any provision codified
in 45 CFR part 171. An IAS Provider shall not prohibit or attempt to
prohibit any Individual using the IAS of any other IAS Provider or from
joining, exchanging with, conducting other transactions with any other
networks or exchange frameworks, using services other than the IAS
Providers' Designated Network Services, concurrently with the QHIN's,
Participant's, or Subparticipant's participation in TEFCA Exchange.
6.2 Individual Consent. This Section 6.2 shall apply to You if You
are an IAS Provider. The Individual requesting IAS shall be responsible
for completing the IAS Consent. The IAS Consent shall include, at a
minimum: (i) consent to use the IAS; (ii) the Individual's
acknowledgement and agreement to Your Privacy and Security Notice; and
(iii) a description of the Individual's rights to access, delete, and
export such Individual's Individually Identifiable Information. You may
implement secure electronic means (e.g., secure email, secure web
portal) by which an Individual may submit the IAS Consent. You shall
collect the IAS Consent prior to the Individual's first use of the IAS
and prior to any subsequent use if there is any material change in the
applicable IAS Consent, including the version of the Privacy and
Security Notice referenced therein. Nothing in the IAS Consent may
contradict or be inconsistent with any applicable provision of these
ToP or the SOP(s). If You are a Covered Entity and have a Notice of
Privacy Practices that meets the requirements of 45 CFR 164.520, You
are not required to have a Privacy and Security Notice that meets the
requirements of the applicable SOP. Nothing in Section 6 reduces a
Covered Entity's obligations under the HIPAA Rules.
6.3 Additional Security Requirements for IAS Providers. In addition
to meeting the applicable security requirements set forth in Section 8,
if You are an IAS Provider, You must further satisfy the requirements
of this subsection.
6.3.1 Scope of Security Requirements. You must meet the applicable
security requirements set forth in Section 8 for all Individually
Identifiable Information You maintain as an IAS Provider, regardless of
whether such information is TI.
6.3.2 IAS Incident Notice to Affected Individuals. If You
reasonably believe that an Individual has been affected by an IAS
Incident, You must provide such Individual with notification without
unreasonable delay and in no case later than sixty (60) days following
Discovery of the IAS Incident. The notification required under this
section must be written in plain language and shall include, to the
extent possible, the information set forth in the applicable SOP(s). To
the extent You are already required by Applicable Law to notify an
Individual of an incident that would also be an IAS Incident, this
section does not require duplicative notification to that Individual.
6.4 Survival for IAS Providers. This Section 6.4 shall apply to You
if You are an IAS Provider. As between You as an IAS Provider and an
Individual, the IAS Provider's obligations in the IAS Consent,
including Your requirement to comply with the Privacy and Security
Notice and provide Individuals with rights, shall survive for so long
as You maintain such Individual's Individually Identifiable
Information. If You were an IAS Provider, the requirements of Section
6.3 shall survive termination of these ToP for so long as You maintain
Individually Identifiable Information acquired during the term of these
ToP as an IAS Provider regardless of whether such information is or was
TI.
7. Privacy.
7.1 Compliance with the HIPAA Privacy Rule. If You are a NHE (but
not to the extent that You are acting as an entity entitled to make a
Government Benefits Determination under Applicable Law, a Public Health
Authority, or a Government Health Care Entity or any other type of
entity exempted from compliance with this Section in an applicable
SOP), then You shall comply with the provisions of the HIPAA Privacy
Rule listed below with respect to all Individually Identifiable
information as if such information is Protected Health Information and
You are a Covered Entity.
7.1.1 From 45 CFR 164.502, General Rules:
• Subsection (a)(1)--Dealing with permitted Uses and
Disclosures, but only to the extent You are authorized to engage in the
activities described in this subsection of the HIPAA Privacy Rule for
the applicable XP
• Subsection (a)(2)(i)--Requiring Disclosures to Individuals
• Subsection (a)(5)--Dealing with prohibited Uses and
Disclosures
• Subsection (b)--Dealing with the minimum necessary standard
• Subsection (c)--Dealing with agreed-upon restrictions
• Subsection (d)--Dealing with de-identification and re-
identification of information
• Subsection (e)--Dealing with Business Associate contracts
• Subsection (f)--Dealing with deceased persons' information
• Subsection (g)--Dealing with personal representatives
• Subsection (h)--Dealing with confidential communications
• Subsection (i)--Dealing with Uses and Disclosures consistent
with notice
• Subsection (j)--Dealing with Disclosures by whistleblowers
7.1.2 45 CFR 164.504(e), Organizational Requirements.
7.1.3 45 CFR 164.508, Authorization Required. Notwithstanding the
foregoing, the provisions of Section 6.2 shall control and this
Section 7.1.3 shall not apply with respect to You if You are an IAS
Provider that is a NHE.
7.1.4 45 CFR 164.510, Uses and Disclosures Requiring Opportunity to
Agree or Object. Notwithstanding the foregoing, an IAS Provider that is
a NHE but is not a Health Care Provider shall not have the right to
make the permissive Disclosures described in Sec. 164.510(a)(3)--
Emergency circumstances; provided, however, that an IAS Provider is not
prohibited from making such a Disclosure if the Individual has
consented to the Disclosure pursuant to Section 6 of these ToP.
7.1.5 45 CFR 164.512, Authorization or Opportunity to Object Not
Required. Notwithstanding the foregoing, an IAS Provider that is a NHE
but is not a Health Care Provider shall not have the right to make the
permissive Disclosures described in Sec. 164.512(c)--Standard:
Disclosures about victims of abuse, neglect or domestic violence, Sec.
164.512 Subsection (d)--Standard: Uses and Disclosures for health
oversight activities, and Sec. 164.512 Subsection (j)--Standard: Uses
and Disclosures to avert a serious threat to health or safety;
provided, however, that an IAS Provider is not prohibited from making
such a Disclosure(s) if the Individual has consented to the
Disclosure(s) pursuant to Section 6 of these ToP.
7.1.6 From 45 CFR 164.514, Other Requirements Relating to Uses and
Disclosures:
• Subsections (a)-(c)--Dealing with de-identification
requirements that render information not Individually Identifiable
Information for purposes of this Section 7 and TEFCA Security Incidents
• Subsection (d)--Dealing with minimum necessary requirements
• Subsection (e)--Dealing with Limited Data Sets
7.1.7 45 CFR 164.522, Rights to Request Privacy Protections.
7.1.8 45 CFR 164.524, Access of Individuals, except that an IAS
Provider that is a NHE shall be subject to the requirements of Section
6 with respect to access by Individuals for purposes of IAS and not
this Section 7.1.8.
7.1.9 45 CFR 164.528, Accounting of Disclosures.
7.1.10 From 45 CFR 164.530, Administrative Requirements:
• Subsection (a)--Dealing with personnel designations
• Subsection (b)--Dealing with training
• Subsection (c)--Dealing with safeguards
• Subsection (d)--Dealing with complaints
• Subsection (e)--Dealing with sanctions
• Subsection (f)--Dealing with mitigation
• Subsection (g)--Dealing with refraining from intimidating or
retaliatory acts
• Subsection (h)--Dealing with waiver of rights
• Subsection (i)--Dealing with policies and procedures
• Subsection (j)--Dealing with documentation
7.2 Written Privacy Policy. You must develop, implement, make
publicly available, and act in accordance with a written privacy policy
describing Your privacy practices with respect to Individually
Identifiable Information that is Used or Disclosed pursuant to these
ToP. You can satisfy the written privacy policy requirement by
including applicable content consistent with the HIPAA Rules in Your
existing privacy policy, except as otherwise stated herein with respect
to IAS Providers. If You are a Covered Entity, this written privacy
policy requirement does not supplant the HIPAA Privacy Rule obligations
to post and distribute a Notice of Privacy Practices that meets the
requirements of 45 CFR 164.520. If You are a Covered Entity, then this
written privacy policy requirement can be satisfied by Your Notice of
Privacy Practices. If You are an IAS Provider, then the written privacy
practices requirement must be in the form of a Privacy and Security
Notice that meets the requirements of Section 6.2 of these ToP.
Notwithstanding Section 11.1, to the extent the Signatory's written
privacy policy is ``more stringent'' than the HIPAA Privacy Rule
provisions listed below, the written privacy policy shall govern.
``More stringent'' shall have the meaning assigned to it in 45 CFR
160.202 except the written privacy policy shall be substituted for
references to State law and the reference to ``standards, requirements
or implementation specifications adopted under subpart E of part 164 of
this subchapter'' shall be limited to those listed below.
8. Security.
8.1 Security Controls. You shall implement and maintain appropriate
security controls for Individually Identifiable Information that are
commensurate with risks to the confidentiality, integrity, and/or
availability of the Individually Identifiable Information. If You are a
NHE, You shall comply with the HIPAA Security Rule provisions with
respect to all Individually Identifiable Information as if such
information were Protected Health Information and You were a Covered
Entity or Business Associate. You shall comply with any additional
security requirements that may be set forth in an SOP applicable to
Participants and Subparticipants.
8.2 TEFCA Security Incident Reporting.
8.2.1 Reporting to Upstream QPS. You shall report to Upstream QPS
any suspected TEFCA Security Incident, as set forth in the applicable
SOP(s). Such report must include sufficient information for Upstream
QPS and others affected to understand the nature and likely scope of
the TEFCA Security Incident. You shall supplement the information
contained in the report as additional relevant information becomes
available and cooperate with Upstream QPS and, at the direction of
Upstream QPS, with the RCE, and with other QHINs, Participants, and
Subparticipants that are likely impacted by the TEFCA Security
Incident.
8.2.2 Reporting to Subparticipants. You shall report any TEFCA
Security Incident experienced by or reported to You to Your
Subparticipants as required by an applicable SOP.
8.2.3 Compliance with Notification Under Applicable Law. Nothing in
this Section 8.3 shall be deemed to modify or replace any breach
notification requirements that You may have under the HIPAA Rules, the
FTC Rule, or other Applicable Law. To the extent You are already
required by Applicable Law to notify Upstream QPS or a Subparticipant
of an incident that would also be a TEFCA Security Incident, this
section does not require duplicative notification.
8.3 Security Resource Support to Subparticipants. You shall make
available to Your Subparticipants (if any): (i) security resources and
guidance regarding the protection of TI applicable to the
Subparticipants' participation in TEFCA Exchange; and (ii) information
and resources that the RCE or Cybersecurity Council makes available to
You related to promotion and enhancement of the security of TI under
the Framework Agreements.
8.4 TI Outside the United States. You shall only Use TI outside the
United States or Disclose TI to any person or entity outside the United
States to the extent such Use or Disclosure is permitted or required by
Applicable Law and the Use or Disclosure is conducted in conformance
with the HIPAA Security Rule, regardless of whether You are a Covered
Entity or Business Associate and as set forth in an applicable SOP.
8.5 Encryption. If You are a NHE (but not to the extent that You
are a federal agency or any other type of entity exempted from
compliance with this Section in an applicable SOP), You must encrypt
all Individually Identifiable Information You maintain, both in transit
and at rest, regardless of whether such information is TI. Requirements
for encryption may be set forth in an SOP.
9. General Obligations.
9.1 Compliance with Applicable Law and the ToP. You shall comply
with all Applicable Law and shall implement and act in accordance with
any provision required by the ToP, including all applicable SOPs and
provisions of the QTF, when engaging in or facilitating TEFCA Exchange.
While each SOP identifies the relevant group(s) to which it applies,
not every requirement in an SOP or the QTF will necessarily be
applicable to You. It is Your responsibility to determine, in
consultation with Upstream QPS, which of the SOPs and QTF provisions
are applicable to You.
9.2 Your Responsibility for Your Subparticipants. You shall be
responsible for taking reasonable steps to confirm that all of Your
Subparticipants (if any) are abiding by the ToP, specifically including
all applicable SOPs and QTF provisions. In the event that You become
aware of a material non-compliance by one of Your Subparticipants, then
You shall promptly notify the Subparticipant in writing. Such notice
shall inform the Subparticipant that its failure to correct any such
deficiencies within thirty (30) days of receiving notice shall
constitute a material breach of the ToP, which may result in early
termination of these ToP.
9.3 Your Responsibility for Your Third-Party Technology Vendors. To
the extent that You use a third-party technology vendor that will have
access to TEFCA Information in connection with Connectivity Services or
TEFCA Exchange, You shall include in a written agreement with each such
subcontractor or agent a requirement to comply with all applicable
provisions of these ToP and a prohibition on engaging in any act or
omission that would cause You to violate the terms of these ToP if You
had engaged in such act or omission Yourself.
9.4 Fees Charged by QHINs, Participants, or Subparticipants. You
may charge fees to an Initiating Node when Responding to Queries
through TEFCA Exchange as defined in an applicable SOP. The foregoing
shall not prohibit You from charging Your Subparticipants fees for use
of Your Connectivity Services.
10. Term, Termination, and Suspension.
10.1 Term. These ToP shall become effective upon agreement of both
Parties and shall remain in effect until terminated by either Party.
You may terminate these ToP by providing at least thirty (30) days'
prior written notice of termination to Upstream QPS. Upstream QPS may
terminate these ToP by providing at least ninety (90) days' prior
written notice to You. Notwithstanding the foregoing, in the event that
Upstream QPS's Framework Agreement is terminated, Your ToP shall be
immediately terminated.
10.2 Termination for Cause. Either Party may terminate these ToP
for cause if the other Party commits a material breach of a Framework
Agreement, and fails to cure its material breach within thirty (30)
days of receiving notice specifying the nature of such breach in
reasonable detail from the non-breaching Party; provided, however, that
if Upstream QPS is diligently working to cure its material breach at
the end of this thirty (30) day period, then You must provide Upstream
QPS with up to another thirty (30) days to complete its cure.
10.3 Effect of Termination. Upon termination of these ToP, You will
no longer be able to engage in TEFCA Exchange facilitated by or through
Upstream QPS. To the extent You store TI, such TI may not be
distinguishable from other information maintained by You. When the TI
is not distinguishable from other information, it is not possible for
You to return or destroy TI You maintain upon termination or expiration
of these ToP. Upon termination or expiration of these ToP, if You are
subject to Section 7 of these ToP, such sections shall continue to
apply so long as the information would be ePHI if maintained by a
Covered Entity or Business Associate. The protections required under
the HIPAA Security Rule shall also continue to apply to all TI that is
ePHI, regardless of whether You are a Covered Entity or Business
Associate. The provisions set forth in this Section 10.3 are in
addition to those survival provisions set forth in Section 11.9.
10.4 Conflict with Other Agreements Between You and Upstream QPS.
Notwithstanding anything herein to the contrary, in the event You and
Upstream QPS are parties to an agreement that provides additional terms
related to TEFCA Exchange and that agreement provides for a shorter
notice period for termination, such shorter notice period shall
control.
10.5 Rights to Suspend.
10.5.1 RCE's Right to Suspend Your Ability to Engage in TEFCA
Exchange. You acknowledge and agree that the RCE has the authority to
suspend, or direct the Upstream QPS to suspend, any QPS's ability to
engage in TEFCA Exchange if: (i) there is an alleged violation of the
respective Framework Agreement or of Applicable Law by the respective
party/parties; (ii) there is a Threat Condition; (iii) the RCE
determines that the safety or security of any person or the privacy or
security of TI and/or Confidential Information is threatened; (iv) such
suspension is in the interests of national security as directed by an
agency of the United States government; or (v) there is a situation in
which the RCE may suffer material harm and suspension is the only
reasonable step that the RCE can take to protect itself. You
acknowledge that upon receiving direction from the RCE, You will be
suspended as soon as practicable provided, however, if the suspension
is based on Subsections 10.5.1(i) or 10.5.1(iv) or a Threat
Condition that results in a cognizable threat to the security of TEFCA
Exchange or the information that the RCE reasonably believes is TI,
then You will be suspended within twenty-four (24) hours of the RCE
having directed Your QHIN to effectuate the suspension, unless the RCE
specifies a longer period of time is permitted.
10.5.2 Upstream QPS's Right to Suspend Your Ability to Engage in
TEFCA Exchange. You acknowledge and agree that Upstream QPS has the
same authority as the RCE to suspend Your ability to engage in TEFCA
Exchange, and Your Subparticipant's (if any) ability to engage in TEFCA
Exchange, if any of the circumstances described in Subsections 10.5.1
(i)-(iii) above occur with respect to You or any of Your
Subparticipants.
(i) Upstream QPS may exercise such right to suspend based on its
own determination that any of the circumstances described in
Subsections 10.5.1 (i)-(iii) above occurred with respect to You or any
of Your Subparticipants.
(ii) Upstream QPS must exercise such right to suspend if directed
to do so by the RCE or its Upstream QPS based on its determination that
suspension is warranted based on any of the circumstances described in
Subsections 10.5.1 (i)-(v) above with respect to You or any of Your
Subparticipants.
(iii) You acknowledge that if Upstream QPS makes a determination
that suspension is warranted or receives direction from its Upstream
QPS to suspend Your ability to engage in TEFCA Exchange, You will be
suspended as soon as practicable provided, however, if the suspension
is based on the circumstances described in Subsections 10.5.1(i) or
10.5.1(iv) or a Threat Condition that results in a cognizable threat to
the security of TEFCA Exchange or the information that the RCE
reasonably believes is TI, then You will be suspended within
twenty-four (24) hours of notice of Upstream QPS's determination or receipt of
direction from its Upstream QPS, unless Upstream QPS specifies a longer
period of time is permitted.
10.5.3 Upstream QPS Suspension. Notwithstanding the foregoing, in
the event that Upstream QPS's ability to engage in TEFCA Exchange is
suspended, Your and any of Your Subparticipants' ability to engage in
TEFCA Exchange will be immediately suspended.
10.5.4 Suspension Rights Granted to You Related to Your
Subparticipants. If You have Subparticipants, You acknowledge and agree
that You have the same responsibility and authority to suspend Your
Subparticipant's ability to engage in TEFCA Exchange if any of the
circumstances described in Subsections 10.5.1 (i)-(iii) above occur
with respect to any of Your Subparticipants. If You make a
determination to suspend, You are required to promptly notify Upstream
QPS of Your decision and the reason(s) for making the decision. If any
of Your Subparticipants notify You of their decision to suspend
exchange with their Subparticipant(s), You must notify Upstream QPS of
such decision.
(i) You may exercise such right to suspend based on Your own
determination that any of the circumstances described in Subsections
10.5.1 (i)-(iii) above occurred with respect to any of Your
Subparticipants.
(ii) You must exercise such right to suspend if directed to do so,
by the RCE or Upstream QPS based on the RCE's determination that
suspension is warranted based on any of the circumstances described in
Subsections 10.5.1 (i)-(v) above with respect to any of Your
Subparticipants.
(iii) You must effectuate such suspension of Your Subparticipant as
soon as practicable provided, however, if the suspension is based on
the circumstances described in Subsections 10.5.1(i) or 10.5.1(iv) or a
Threat Condition that results in a cognizable threat to the security of
TEFCA Exchange or the information that the RCE reasonably believes is
TI, then it must be effectuated within twenty-four (24) hours of the
triggering event, unless a longer period of time is permitted. For
purposes of this subsection, the triggering event is Your determination
to suspend, Your receipt of direction from your Upstream QPS to
suspend, or the RCE having directed Your QHIN to effectuate the
suspension.
10.5.5 Selective Suspension. You may, in good faith and to the
extent permitted by Applicable Law, determine that You must suspend
exchanging with a QHIN, Participant, or Subparticipant with which You
are otherwise required to exchange in accordance with an SOP because of
reasonable and legitimate concerns related to the privacy, security,
accuracy, or quality of information that is exchanged. If You make this
determination, You are required to promptly notify Upstream QPS of Your
decision and the reason(s) for making the decision. If any of Your
Subparticipants notify You of their decision to suspend exchange with a
QHIN, Participant, or Subparticipant, You must notify Upstream QPS of
such decision. You acknowledge that You may be required to engage in a
process facilitated by the RCE to resolve whatever issues led to the
decision to suspend. Provided that You selectively suspend exchanging
with another QHIN, Participant, or Subparticipant in accordance with
this section and in accordance with Applicable Law, such selective
suspension shall not be deemed a violation of Section 2.2 of these ToP.
11. Contract Administration.
11.1 Authority to Agree. You warrant and represent that You have
the full power and authority to enter into these ToP.
11.2 Assignment. None of these ToP can be transferred by either
Party, including whether by assignment, merger, other operation of law,
change of control (i.e., sale of substantially all of the assets of the
Party) of the Party or otherwise, without the prior written approval of
the other Party.
11.3 Severability. If any provision of these ToP shall be adjudged
by any court of competent jurisdiction to be unenforceable or invalid,
that provision shall be struck from the ToP, and the remaining
provisions of these ToP shall remain in full force and effect and
enforceable.
11.4 Captions. Captions appearing in these ToP are for convenience
only and shall not be deemed to explain, limit, or amplify the
provisions of these ToP.
11.5 Independent Parties. Nothing contained in these ToP shall be
deemed or construed as creating a joint venture or partnership between
Upstream QPS and You.
11.6 Acts of Contractors and Agents. To the extent that the acts or
omissions of a Party's agent(s) or contractor(s), or their
subcontractor(s), result in that Party's breach of and liability under
these ToP, said breach shall be deemed to be a breach by that Party.
11.7 Waiver. The failure of either Party to enforce, at any time,
any provision of these ToP shall not be construed to be a waiver of
such provision, nor shall it in any way affect the validity of these
ToP or any part hereof or the right of such Party thereafter to enforce
each and every such provision. No waiver of any breach of these ToP
shall be held to constitute a waiver of any other or subsequent breach,
nor shall any delay by either Party to exercise any right under these
ToP operate as a waiver of any such right.
11.8 Priority. In the event of any conflict or inconsistency
between any other agreement that You and Upstream QPS enter into with
respect to TEFCA Exchange, Applicable Law, a provision of these ToP,
the QTF, an SOP, and/or any implementation plans, guidance documents,
or other materials or
documentation the RCE makes available to QHINs, Participants, and/or
Subparticipants regarding the operations or activities conducted under
the Framework Agreements, the following shall be the order of
precedence for these ToP to the extent of such conflict or
inconsistency: (1) Applicable Law; (2) these ToP; (3) the QTF; (4) the
SOPs; (5) all other attachments, exhibits, and artifacts incorporated
herein by reference; (6) other RCE plans, documents, or materials made
available regarding activities conducted under the Framework
Agreements; and (7) any other agreement that You and Upstream QPS enter
into with respect to TEFCA Exchange.
11.9 Survival. The following sections of these ToP shall survive
expiration or termination of these ToP as more specifically provided
below:
(i) Section 3, Confidentiality and Accountability shall survive for
a period of six (6) years following the expiration or termination of
these ToP.
(ii) Section 6.4, Survival for IAS Providers, to the extent that
You are an IAS Provider, shall survive following the expiration or
termination of these ToP for the respective time periods set forth in
Section 6.4.
(iii) Section 7, Privacy, to the extent that You are subject to
Section 7, said Section shall survive the expiration or termination of
these ToP so long as the information maintained by You would be ePHI if
maintained by a Covered Entity or Business Associate.
(iv) Section 8.1 Security Controls, and Section 8.5, Encryption, to
the extent that You are subject to Sections 8.1 and 8.5, said Section
or Sections shall survive the expiration or termination of these ToP
for so long as the information maintained by You would be ePHI if
maintained by a Covered Entity or Business Associate regardless of
whether You are a Covered Entity or Business Associate.
(v) The requirements of Section 8.2, TEFCA Security Incidents
Reporting, shall survive for a period of six (6) years following the
expiration or termination of these ToP.
Common Agreement Version Control Table
------------------------------------------------------------------------
------------------------------------------------------------------------
Version 1.0............................... January 2022.
Version 1.1............................... November 2023.
Draft Version 2.0......................... January 2024.
Version 2.0............................... April 2024.
------------------------------------------------------------------------
Common Agreement Version 2.1 is also available on the Office of the
National Coordinator for Health Information Technology's public
internet website at <a href="http://www.HealthIT.gov/TEFCA">www.HealthIT.gov/TEFCA</a>.
Authority: 42 U.S.C. 300jj-11.
Dated: November 20, 2024.
Suhas Tripathi,
Assistant Secretary for Technology Policy, National Coordinator for
Health Information Technology.
[FR Doc. 2024-27554 Filed 11-22-24; 8:45 am]
BILLING CODE 4150-45-P
</pre></body>
</html>