89 FR 228 pgs. 93309-93334 - Notice of Publication of Common Agreement for Nationwide Health Information Interoperability (Common Agreement) Version 2.1
Type: NOTICE
Volume: 89
Number: 228
Pages: 93309 - 93334
FR document: [FR Doc. 2024-27554 Filed 11-22-24; 8:45 am]
Agency: Health and Human Services Department
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
Notice of Publication of Common Agreement for Nationwide Health Information Interoperability (Common Agreement) Version 2.1
AGENCY:
Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology, Department of Health and Human Services.
ACTION:
Notice.
SUMMARY:
This notice fulfills an obligation under the Public Health Service Act (PHSA). The act requires the National Coordinator for Health Information Technology to publish on the Office of the National Coordinator for Health Information Technology's public internet website, and in the Federal Register, the trusted exchange framework and common agreement developed under the PHSA. This notice is for publishing an updated version of the Common Agreement (Version 2.1).
ADDRESSES:
Common Agreement Version 2.1 is also available on the Office of the National Coordinator for Health Information Technology's public internet website at www.HealthIT.gov/TEFCA.
FOR FURTHER INFORMATION CONTACT:
Mark Knee, Office of the National Coordinator for Health Information Technology, 202-664-2058.
SUPPLEMENTARY INFORMATION:
This notice fulfills the obligation under section 3001(c)(9)(C) of the Public Health Service Act (PHSA) to publish the trusted exchange framework and common agreement, developed under section 3001(c)(9)(B) of the PHSA (42 U.S.C. 300jj-11(c)(9)(B)), in the Federal Register. This publication consists of the following document:
Common Agreement for Nationwide Health Information Interoperability
Version 2.1
October 2024
This document was published by the U.S. Department of Health and Human Services, Office of the National Coordinator for Health Information Technology and was produced at U.S. taxpayer expense. This document meets the requirement in section 3001(c)(9)(C) of the Public Health Service Act for the National Coordinator for Health Information Technology to publish on the Office of the National Coordinator for Health Information Technology's public internet website, and in the Federal Register, the common agreement (42 U.S.C. 300jj-11(c)(9)(C)).
The Common Agreement for Nationwide Health Information Interoperability
This Common Agreement for Nationwide Health Information Interoperability (the "Common Agreement") is entered into as of the CA Effective Date, by and between The Sequoia Project, Inc., a Virginia non-stock corporation, acting as the current Recognized Coordinating Entity® as defined below (the "RCE™") and _____, a _____ ("Signatory"). RCE and Signatory may also be referred to herein individually as a "Party" or collectively as the "Parties."
Recitals
Whereas, Section 4003 of the 21st Century Cures Act directed the U.S. Department of Health and Human Services ("HHS") National Coordinator for Health Information Technology to, "in collaboration with the National Institute of Standards and Technology and other relevant agencies within the Department of Health and Human Services, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally" (the "Trusted Exchange Framework and Common Agreement"℠ or TEFCA℠);
Whereas, this Common Agreement (including the documents incorporated herein by reference) is the common agreement developed pursuant to Section 4003 of the 21st Century Cures Act;
Whereas, The Sequoia Project has been selected by the Office of the National Coordinator for Health Information Technology ("ONC") to serve as the RCE for purposes of implementing, maintaining, and updating this Common Agreement, including the Qualified Health Information Network™ ("QHIN™") Technical Framework, as well as managing the activities associated with the designation of interested health information networks ("HINs") as QHINs (as defined and set forth in this Common Agreement);
Whereas, Signatory wishes to be Designated as a QHIN and has completed the application and testing process toward such Designation;
Whereas, Signatory must, among other conditions set forth in this Common Agreement, agree to be bound by the terms of this Common Agreement before Signatory may be designated as a QHIN and, upon signing this Common Agreement, Signatory agrees to be so bound as a Signatory and as a QHIN, if so Designated, as the case may be;
Now, therefore, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties, intending to be legally bound, mutually agree as set forth below.
Agreement
1. Definitions and Relevant Terminology.
1.1 Defined Terms. Capitalized terms used in this Common Agreement shall have the meaning set forth below. Where a definition includes one or more citations to a statute, regulation, or standard, the definition shall be interpreted to refer to such statute, regulation, or standard as may be amended from time-to-time.
Applicable Law: all federal, State, local, or tribal laws and regulations then in effect and applicable to the subject matter herein. For the avoidance of doubt, federal agencies are only subject to federal law.
Breach of Unencrypted Individually Identifiable Information: the acquisition, access, or Disclosure of unencrypted Individually Identifiable Information maintained by an IAS Provider that compromises the security or privacy of the unencrypted Individually Identifiable Information.
Business Associate: has the meaning assigned to such term at 45 CFR 160.103.
Business Associate Agreement (BAA): a contract, agreement, or other arrangement that satisfies the implementation specifications described within 45 CFR 164.314(a) and 164.504(e), as applicable.
Common Agreement: unless otherwise expressly indicated, the Common Agreement for Nationwide Health Information Interoperability, the QHIN Technical Framework (QTF), all Standard Operating Procedures (SOPs), and all other attachments, exhibits, and artifacts incorporated therein by reference.
Common Agreement (CA) Effective Date: if (i) Signatory was Designated as a QHIN prior to the Implementation Date, then the Implementation Date; or (ii) if Signatory was Designated as a QHIN after the Implementation Date, then the date that the RCE executes the Common Agreement to which Signatory is a Party.
Confidential Information: any information that is designated as Confidential Information by a CI Discloser, or that a reasonable person would understand to be of a confidential nature, and is disclosed to a CI Recipient pursuant to or in connection with a Framework Agreement. For the avoidance of doubt, "Confidential Information" does not include electronic protected health information (ePHI), as defined in a Framework Agreement, that is subject to a Business Associate Agreement or other provisions of a Framework Agreement.
Notwithstanding any label to the contrary, "Confidential Information" does not include any information that: (i) is or becomes known publicly through no fault of the CI Recipient; or (ii) is learned by the CI Recipient from a third party that the CI Recipient reasonably believes is entitled to disclose it without restriction; or (iii) is already known to the CI Recipient before receipt from the CI Discloser, as shown by the CI Recipient's written records; or (iv) is independently developed by the CI Recipient without the use of or reference to the CI Discloser's Confidential Information, as shown by the CI Recipient's written records, and was not subject to confidentiality restrictions prior to receipt of such information from the CI Discloser.
Confidential Information (CI) Discloser: a person or entity that discloses Confidential Information.
Confidential Information (CI) Recipient: a person or entity that receives Confidential Information.
Connectivity Services: the technical services provided by a QHIN, Participant, or Subparticipant to its Participants and Subparticipants that facilitate TEFCA Exchange and are consistent with the requirements of the then-applicable QHIN Technical Framework.
Contract: the Contract by and between The Sequoia Project and HHS, or, if applicable, a successor agreement between The Sequoia Project and HHS or a successor agreement between a different RCE and HHS.
Covered Entity: has the meaning assigned to such term at 45 CFR 160.103.
Cybersecurity Council: the council established by the RCE to enhance cybersecurity commensurate with the risks in TEFCA Exchange, as more fully set forth in an SOP.
Designated Network: the Health Information Network that Signatory uses to offer and provide the Designated Network Services.
Designated Network Governance Body: a representative and participatory group or groups that approve the processes for fulfilling the Governance Functions and participate in such Governance Functions for Signatory's Designated Network.
Designated Network Services: the Connectivity Services or Governance Services.
Designation (including its correlative meanings "Designate," "Designated," and "Designating"): the RCE's written confirmation to ONC and Signatory that Signatory has satisfied all the requirements of the Common Agreement, the QHIN Technical Framework, all applicable SOPs, and is now a QHIN.
Directory Entry(ies): listing of each Node controlled by a QHIN, Participant or Subparticipant, which includes the endpoint resource for such Node(s) and any other organizational or technical information required by the QTF or an applicable SOP.
Disclosure (including its correlative meanings "Disclose," "Disclosed," and "Disclosing"): the release, transfer, provision of access to, or divulging in any manner of TEFCA Information (TI) outside the entity holding the information.
Discover (including its correlative meanings "Discovery" and "Discovering"): the first day on which something is known to the QHIN, Participant, or Subparticipant, or by exercising reasonable diligence would have been known, to the QHIN, Participant or Subparticipant.
Discriminatory Manner: any act or omission that is inconsistently taken or not taken with respect to any similarly situated QHIN, Participant, Subparticipant, Individual, or group of them, whether it is a competitor, or whether it is affiliated with or has a contractual relationship with any other entity, or in response to an event.
Dispute: (i) a disagreement about any provision of this Common Agreement, including any SOP, the QTF, and all other attachments, exhibits, and artifacts incorporated by reference; or (ii) a concern or complaint about the actions, or any failure to act, of Signatory, the RCE, any other QHIN, or another QHIN's Participant(s) or Subparticipant(s).
Dispute Resolution Process: the non-binding Dispute resolution process set forth in an SOP.
Electronic Protected Health Information (ePHI): has the meaning assigned to such term at 45 CFR 160.103.
Exchange Purpose(s) or XP(s): the reason, as authorized by a Framework Agreement, including the applicable SOP(s), for a transmission, Query, Use, Disclosure, or Response transacted through TEFCA Exchange.
Framework Agreement(s): with respect to QHINs, the Common Agreement; and with respect to a Participant or Subparticipant, the Participant/Subparticipant Terms of Participation (ToP).
FHIR Endpoint: has the meaning assigned to such term in the Health Level Seven International® (HL7®) Fast Healthcare Interoperability Resources (FHIR®) Specification available at https://hl7.org/fhir/r4/, as such specification may be amended, modified or replaced.
FTC Rule: the Health Breach Notification Rule promulgated by the Federal Trade Commission set forth at 16 CFR part 318.
Governing Council: the permanent governing body for activities conducted under the Framework Agreements, as more fully described in the applicable SOP(s).
Government Benefits Determination: a determination made by any agency, instrumentality, or other unit of the federal, State, local, or tribal government as to whether an Individual qualifies for government benefits for any purpose other than health care (e.g., Social Security disability benefits) to the extent permitted by Applicable Law. Disclosure of TI for this purpose may require an authorization that complies with Applicable Law.
Government Health Care Entity: any agency, instrumentality, or other unit of the federal, State, local, or tribal government to the extent that it provides health care services (e.g., treatment) to Individuals but only to the extent that it is not acting as a Covered Entity.
Governance Functions: the functions, activities, and responsibilities of the Designated Network Governance Body as set forth in an applicable SOP.
Governance Services: the governance functions described in applicable SOP(s), which are performed by a QHIN's Designated Network Governance Body for its Participants and Subparticipants to facilitate TEFCA Exchange in compliance with the then-applicable requirements of the Framework Agreements.
Health Care Provider: meets the definition of such term in either 45 CFR 171.102 or in the HIPAA Rules at 45 CFR 160.103.
Health Information Network (HIN): has the meaning assigned to the term "Health Information Network or Health Information Exchange" in the information blocking regulations at 45 CFR 171.102.
HIPAA: the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-5.
HIPAA Rules: the regulations set forth at 45 CFR parts 160, 162, and 164.
HIPAA Privacy Rule: the regulations set forth at 45 CFR parts 160 and 164, Subparts A and E.
HIPAA Security Rule: the regulations set forth at 45 CFR part 160 and 164, Subpart C.
Implementation Date: the date sixty (60) calendar days after publication of version 2 of the Common Agreement in the Federal Register.
Individual: has the meaning assigned to such term at 45 CFR 171.202(a)(2).
Individual Access Services Incident (IAS Incident): a TEFCA Security Incident or a Breach of Unencrypted Individually Identifiable Information maintained by an IAS Provider.
Individual Access Services Provider (IAS Provider): each QHIN, Participant, and Subparticipant that offers Individual Access Services (IAS).
Individual Access Services (IAS): the services provided to an Individual by a QHIN, Participant, or Subparticipant that has a direct contractual relationship with such Individual in which the QHIN, Participant, or Subparticipant, as applicable, agrees to satisfy that Individual's ability to use TEFCA Exchange to access, inspect, obtain, or transmit a copy of that Individual's Required Information.
IAS Consent: an IAS Provider's own supplied form for obtaining express written consent from the Individual in connection with the IAS.
Individually Identifiable Information: information that identifies an Individual or with respect to which there is a reasonable basis to believe that the
Initiating Node: a Node through which a QHIN, Participant, or Subparticipant initiates transactions for TEFCA Exchange.
Node: a technical system that is controlled directly or indirectly by a QHIN, Participant, or Subparticipant and that is listed in the RCE Directory Service.
Non-HIPAA Entity (NHE): a QHIN, Participant, or Subparticipant that is neither a Covered Entity nor a Business Associate as defined under the HIPAA Rules with regard to activities under a Framework Agreement. To the extent a QHIN, Participant, or Subparticipant is a Hybrid entity, as defined in 45 CFR 164.103, such QHIN, Participant, or Subparticipant shall be considered a Non-HIPAA Entity with respect to TEFCA Exchange activities related to such QHIN, Participant, or Subparticipant's non-covered components.
ONC: the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology.
Participant: to the extent permitted by applicable SOP(s), a U.S. Entity that has entered into the ToP in a legally binding contract with a QHIN to use the QHIN's Designated Network Services to participate in TEFCA Exchange in compliance with the ToP.
Participant/Subparticipant Caucus: a forum established pursuant to an applicable SOP(s), the purpose of which is for the Participants and Subparticipants to meet and discuss issues of interest directly related to TEFCA Exchange and related activities under the Framework Agreements.
Participant/Subparticipant Terms of Participation (ToP): the requirements set forth in Exhibit 1 to the Common Agreement to which: QHINs must contractually obligate their Participants to agree; to which QHINs must contractually obligate their Participants to contractually obligate their Subparticipants and Subparticipants of the Subparticipants to agree, in order to participate in TEFCA Exchange including the QHIN Technical Framework (QTF), all applicable Standard Operating Procedures (SOPs), and all other attachments, exhibits, and artifacts incorporated therein by reference.
Passthrough Node: a Node that is neither an Initiating nor Responding Node and through which a QHIN, Participant, or Subparticipant transmits transactions to and from Initiating and Responding Nodes, including any other services it provides.
Privacy and Security Notice: an IAS Provider's own supplied written privacy and security notice that contains the information required by the applicable SOP(s).
Protected Health Information (PHI): has the meaning assigned to such term at 45 CFR 160.103.
Public Health Authority: has the meaning assigned to such term at 45 CFR 164.501.
QHIN Technical Framework (QTF): the most recent effective version of the document that contains the technical, functional, privacy, and security requirements for TEFCA Exchange.
Qualified Health Information Network (QHIN): to the extent permitted by applicable SOP(s), a Health Information Network that is a U.S. Entity that has been Designated by the RCE and is a Party to the Common Agreement countersigned by the RCE.
QHIN Caucus: a forum established pursuant to an applicable SOP(s), the purpose of which is for the QHINs to meet and discuss issues of interest directly related to TEFCA Exchange and related activities under the Framework Agreements.
Query(ies) (including its correlative uses/tenses "Queried" and "Querying"): the act of asking for information through TEFCA Exchange.
RCE Directory Service: a technical service provided by the RCE that enables QHINs to identify their Nodes to enable TEFCA Exchange. The requirements for use of, inclusion in, and maintenance of the RCE Directory Service are set forth in the Framework Agreements, QTF, and applicable SOPs.
Recognized Coordinating Entity (RCE): the entity selected by ONC that enters into the Common Agreement with QHINs in order to impose, at a minimum, the requirements of the Common Agreement, including the SOPs and the QTF, on the QHINs and administer such requirements on an ongoing basis. The RCE is a Party to the Common Agreement.
Required Information: the Electronic Health Information, as defined in 45 CFR 171.102, that is (i) maintained in a Responding Node by any QHIN, Participant, or Subparticipant prior to or during the term of the applicable Framework Agreement and (ii) relevant for a required XP Code, as set forth in the QTF or an applicable SOP(s).
Responding Node: a Node through which the QHIN, Participant, or Subparticipant Responds to a received transaction for TEFCA Exchange.
Response(s) (including its correlative uses/tenses "Responds," "Responded" and "Responding"): the act of providing the information that is the subject of a Query or otherwise transmitting a message in response to a Query through TEFCA Exchange.
Security Posture: the security status of an entity's networks, information, and systems based on information assurance resources including, without limitation, people, hardware, software, and policies, and capabilities in place to manage the defense of the entity's networks, information, and systems and to react as the situation changes (derived from NIST Definition 800-30r1).
Signatory: the entity that has satisfied Section 4.1 and is a Party to the Common Agreement.
Standard Operating Procedure(s) or SOP(s): a written procedure or other provision that is adopted pursuant to the Common Agreement and incorporated by reference into a Framework Agreement to provide detailed information or requirements related to TEFCA Exchange, including all amendments thereto. Each SOP identifies the relevant group(s) to which the SOP applies, including whether Participants or Subparticipants are required to comply with a given SOP.
State: any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
Subparticipant: to the extent permitted by applicable SOP(s), a U.S. Entity that has entered into the ToP in a legally binding contract with a Participant or another Subparticipant to use the Participant's or Subparticipant's Connectivity Services to participate in TEFCA Exchange in compliance with the ToP.
TEFCA Exchange: the transaction of information between Nodes using an XP Code.
TEFCA Information (TI): any information that is transacted through TEFCA Exchange except to the extent that such information is received by a QHIN, Participant, or Subparticipant that is a Covered Entity, Business Associate, or NHE that is exempt from compliance with the Privacy section of the applicable Framework Agreement and is incorporated into such recipient's system of record, at which point the information is no longer TI with respect to such recipient and is governed by the HIPAA Rules and other Applicable Law.
TEFCA Security Incident(s):
(i) An unauthorized acquisition, access, Disclosure, or Use of unencrypted TI using TEFCA Exchange, but NOT including any of the following:
(a) Any unintentional acquisition, access, Use, or Disclosure of TI by a Workforce Member or person acting under the authority of a QHIN,
(b) A Disclosure of TI where a QHIN, Participant, or Subparticipant has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.
(c) A Disclosure of TI that has been de-identified in accordance with the standard at 45 CFR 164.514(b).
(ii) Other security events (e.g., ransomware attacks), as set forth in an SOP, that adversely affect a QHIN's, Participant's, or Subparticipant's participation in TEFCA Exchange.
Threat Condition: (i) a breach of a material provision of a Framework Agreement that has not been cured within fifteen (15) days of receiving notice of the material breach (or such other period of time to which the Parties have agreed), which notice shall include such specific information about the breach that the RCE has available at the time of the notice; or (ii) a TEFCA Security Incident; or (iii) an event that RCE, a QHIN, its Participant, or their Subparticipant has reason to believe will disrupt normal TEFCA Exchange, either due to actual compromise of or the need to mitigate demonstrated vulnerabilities in systems or data of the QHIN, Participant, or Subparticipant, as applicable, or could be replicated in the systems, networks, applications, or data of another QHIN, Participant, or Subparticipant; or (iv) any event that could pose a risk to the interests of national security as directed by an agency of the United States government.
Transitional Council: the interim governing body for activities conducted under Framework Agreements, as more fully described in the applicable SOP(s).
United States: the fifty (50) States, the District of Columbia, and the territories and possessions of the United States including, without limitation, all military bases or other military installations, embassies, and consulates operated by the United States government.
U.S. Entity/Entities: any corporation, limited liability company, partnership, or other legal entity that meets all of the following requirements:
(i) The entity is organized under the laws of a State or commonwealth of the United States or the federal law of the United States and is subject to the jurisdiction of the United States and the State or commonwealth under which it was formed;
(ii) The entity's principal place of business, as determined under federal common law, is in the United States; and
(iii) None of the entity's directors, officers, or executives, and none of the owners with a five percent (5%) or greater interest in the entity, are listed on the Specially Designated Nationals and Blocked Persons List published by the United States Department of the Treasury's Office of Foreign Asset Control or on the United States Department of Health and Human Services, Office of Inspector General's List of Excluded Individuals/Entities.
Use(s) (including correlative uses/tenses, such as "Uses," "Used," and "Using"): with respect to TI, means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
U.S. Qualified Person means those individuals who are U.S. nationals and citizens at birth as defined in 8 U.S.C. 1401, U.S. nationals but not citizens of the United States at birth as defined in 8 U.S.C. 1408, lawful permanent residents of the United States as defined in the Immigration and Nationality Act, and non-immigrant aliens who are hired by a U.S. Entity as an employee in a specialty occupation pursuant to an H-1B Visa.
Workforce Member(s): any employees, volunteers, trainees, and other persons whose conduct, in the performance of work for an entity, is under the direct control of such entity, whether or not they are paid by the entity.
XP Code: the code used to identify the XP in any given transaction, as set forth in the applicable SOP(s).
1.2 Common Agreement Terminology.
1.2.1 References to Signatory and QHINs. As set forth in its definition and in the introductory paragraph of this Common Agreement, the term "Signatory" is used to refer to the specific entity that is a Party to this Common Agreement with the RCE. Any and all rights and obligations of a QHIN stated herein are binding upon Signatory as of the CA Effective Date and are also binding upon all other QHINs. References herein to "other QHINs," "another QHIN," and similar such terms are used to refer to any and all other organizations that have signed the Common Agreement with the RCE.
1.2.2 Intentionally Omitted.
1.2.3 General Rule of Construction. For the avoidance of doubt, a reference to a specific section of the Common Agreement in a particular section does not mean that other sections of this Common Agreement that expressly apply to a QHIN are inapplicable. A reference in this Common Agreement to any law, any regulation, or to Applicable Law includes any amendment, modification or replacement to such law, regulation, or Applicable Law.
1.2.4 Terms of Participation. Signatory shall contractually obligate its Participants to comply with the ToP. Notwithstanding the foregoing, for any entity that became a Participant of Signatory prior to the Implementation Date, Signatory shall (i) contractually obligate such entity to comply with the ToP within one-hundred eighty (180) days of the Implementation Date, provided that such Participant is and remains a party to the Participant-QHIN Agreement, as defined in and required by Common Agreement Version 1.1, during such period; or (ii) terminate such Participant's ability to engage in TEFCA Exchange upon the earlier of the date of termination of the existing Participant-QHIN Agreement or one-hundred eighty (180) days after the Implementation Date.
2. Incorporation of Recitals. The Recitals set forth above are incorporated into this Common Agreement in their entirety and shall be given full force and effect as if set forth in the body of this Common Agreement.
3. Governing Approach.
3.1 Role of the RCE and ONC. ONC was directed by Congress in the 21st Century Cures Act to, "in collaboration with the National Institute of Standards and Technology and other relevant agencies within the Department of Health and Human Services, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally." ONC entered into the Contract with the RCE to implement, maintain, and update the Common Agreement.
Under the Contract, the RCE is responsible for matters related to the development and operation of the exchange of TI and related activities.
ONC provides oversight of the RCE's work under the Contract. Under the Contract, ONC has the right to review the RCE's conduct, including Designation, corrective action, and termination decisions regarding QHINs,
3.2 Participation in Governance. QHINs, Participants, and Subparticipants shall have the opportunity to engage in governance under the Common Agreement. The RCE shall establish a Transitional Council and then a Governing Council which will be responsible for serving as a resource to the RCE and a forum for orderly and civil discussion of any issues affecting TEFCA Exchange or other issues that may arise under the Common Agreement. The formation, composition, responsibilities, and duration of the Transitional Council and Governing Council shall be set forth in an SOP(s).
3.3 Advisory Groups. The RCE, in consultation with the Transitional or Governing Council (as applicable) and ONC, may establish Advisory Groups for purposes of seeking input from distinct groups of stakeholders that are parties to or affected by TEFCA Exchange activities to better inform the governance process, provide input on certain topics, and promote inclusivity. The process for establishing Advisory Groups and selecting members is set forth in the applicable SOP.
4. QHIN Designation.
4.1 Eligibility to be Designated. Signatory affirms and warrants that as of the CA Effective Date and throughout the term of this Common Agreement, it meets and will continue to meet the eligibility criteria listed below and any additional requirements set forth in the applicable SOP(s).
(i) Signatory is a U.S. Entity and is not controlled by any person or entity that is not a U.S. Qualified Person(s) or U.S. Entity(ies). The specific, required means to demonstrate this are set forth in an SOP.
(ii) Signatory is a Health Information Network.
(iii) Signatory has the ability to perform all of the Designated Network Services and other required functions of a QHIN in the manner required by this Common Agreement, the SOPs, the QTF, and all other applicable guidance from the RCE. The specific, required means to demonstrate this are set forth in an SOP(s).
(iv) Signatory has in place the organizational infrastructure and legal authority to comply with the obligations of the Common Agreement and to provide Governance Services for its Designated Network. In addition, Signatory has the resources and infrastructure to support a reliable and trusted network. The specific, required means to demonstrate this are set forth in an SOP(s).
If, at any time during the term of this Common Agreement, Signatory Discovers that it fails to meet the foregoing eligibility criteria or any additional requirements set forth in the applicable SOP(s), Signatory shall immediately notify the RCE.
4.2 Affirmation of Application. Signatory represents and warrants that the information in its application for Designation was at the time of the application submission, and continues to be as of the CA Effective Date, accurate and complete, to the best of its knowledge. Signatory acknowledges that the RCE relied upon the information in its application to evaluate whether Signatory meets the criteria to be Designated and that violation of this representation and warranty is a material breach of this Common Agreement. If the RCE determines that information in the application that was material to the RCE's decision to Designate Signatory is or was not accurate or complete, the RCE may terminate Signatory's Designation and this Common Agreement and will provide notice of such termination to Signatory.
5. Change Management.
5.1 Change Management Framework. The RCE shall coordinate all changes to the Common Agreement, the QTF, and the SOPs in conjunction with ONC. In addition to the activities described below, ONC shall be available in a consultative role throughout the change management process to review any proposed amendments to the Common Agreement, the QTF, and the SOPs as well as the adoption of any new SOP and the repeal of any existing SOP. The RCE will work with ONC, the Governing Council, and the QHIN and Participant/Subparticipant Caucuses, as outlined below, to consider amendments to the Common Agreement, the QTF, or the SOPs and the adoption of any new SOP or the repeal of any existing SOP. Provided, however, that the actions described in Sections 5.1 through 5.3 of this Common Agreement by or with respect to the Governing Council, the QHIN Caucus, and the Participant/Subparticipant Caucus, as applicable, shall not be required until the respective body has been established as described in Section 3 and the applicable SOP(s). Signatory acknowledges that it and the RCE do not have the sole legal authority to agree to changes to this Common Agreement, the QTF, or the SOPs. ONC must approve all changes, additions, and deletions. The Common Agreement must be the same for all QHINs.
5.2.1 Amending the Common Agreement or the QTF. The RCE is tasked, under its Contract with ONC, with updating the Common Agreement and QTF. Proposed amendments to the Common Agreement or QTF may originate from multiple sources, including, but not limited to, ONC, the RCE, the Governing Council, the QHIN Caucus, or the Participant/Subparticipant Caucus. The RCE may consult with the Governing Council, the QHIN Caucus, or the Participant/Subparticipant Caucus prior to submitting the proposed amendment(s) to ONC for consideration. The RCE shall collect all proposed amendments and submit them to ONC, who shall determine whether further action on a proposed amendment is warranted. If ONC determines that a proposed amendment warrants further consideration, then the RCE will present the proposed amendment to the Governing Council for its feedback. The Governing Council will evaluate the proposed amendment and determine whether it will seek feedback from the QHIN Caucus, the Participant/Subparticipant Caucus, or both, as deemed necessary and appropriate. The Governing Council will provide the RCE with written feedback on the proposed amendment in a timely manner, which will include feedback from the QHIN and Participant/Subparticipant Caucuses as applicable and appropriate.
5.2.2 The RCE shall consult with ONC about the Governing Council feedback. ONC shall, after considering the feedback, determine whether the proposed amendment should proceed after making any changes to the amendment. If ONC decides to proceed with the amendment, it will advance the proposed amendment to the QHIN Caucus for approval by a written vote. An amendment will be approved if at least two-thirds (2⁄3) of the votes cast by the QHIN Caucus members within the timeframe established by ONC for the voting period are in favor of the proposed amendment. The requirement to consult with the Governing Council in this provision shall be satisfied by ONC's approval of the proposed amendment if, at the time of such approval, the Governing Council and the QHIN Caucus have not yet been established.
5.2.3 The time period for ONC to decide whether to proceed or not with a proposed amendment to the Common Agreement pursuant to Section 5.2.2 above shall initially be three (3) months after ONC receives from the RCE feedback from the Governing Council pursuant to Section 5.2.2 above; provided, however, that ONC may, in its discretion, extend this time for an unlimited number of additional three- (3-) month time periods.
5.2.4 The time period for ONC to decide whether to proceed or not with a proposed amendment to the QTF pursuant to Section 5.2.2 above shall initially be three (3) months after ONC receives from the RCE feedback from the Governing Council pursuant to Section 5.2.2 above; provided, however, that ONC may, in its discretion, extend this time for one (1) additional three- (3-) month time period. If an amendment to the Common Agreement or QTF is approved as described above, the amendment shall become effective on the effective date identified by ONC as part of the amendment process and shall be binding on Signatory without any further action by Signatory or the RCE. If Signatory is not willing or able to comply with the amendment, then Signatory shall, within fifteen (15) business days of being notified by the RCE that the amendment has been approved, provide the RCE written notice of termination of this Common Agreement effective no later than the expiration of thirty (30) days from approval of the amendment.
5.2.5 Notwithstanding the foregoing, if the RCE determines that an amendment to the Common Agreement or QTF is required in order for the RCE to remain in compliance with Applicable Law, the RCE is not required to provide QHINs with an opportunity to vote on the amendment. However, the RCE shall still be required to provide sixty (60) days' advance written notice of the amendment and legal analysis of the need to use this expedited process, unless the RCE would be materially harmed by being out of compliance with Applicable Law if it provided the sixty (60) days' written notice, in which case it will provide as much notice as practicable under the circumstances. Any such amendment to this Common Agreement or the QTF shall be subject to ONC review and modification prior to the RCE providing advance written notice of the amendment to Signatory. Only those amendments that are approved by ONC will be enacted.
5.2 Amending, Adopting, or Repealing an SOP. The RCE is tasked, under its Contract with ONC, with developing an initial set of SOPs that were considered adopted when initially made publicly available prior to the initial QHIN application period (i.e., prior to anyone signing the Common Agreement). The amendment process set forth below shall also apply to amending the initial set of SOPs through adopting one or more new SOPs, repealing an SOP in its entirety, or amending one of the initial SOPs.
5.3.1 Proposed amendments to the SOPs may originate from multiple sources including, but not limited to, ONC, the RCE, the Governing Council, the QHIN Caucus, or the Participant/Subparticipant Caucus. The RCE may consult with the Governing Council, the QHIN Caucus, or the Participant/Subparticipant Caucus prior to submitting the proposed amendment(s) to ONC for consideration. The RCE shall collect all proposed amendments and submit them to ONC, who shall determine whether further action on a proposed amendment is warranted.
If ONC determines that a proposed amendment warrants further consideration, then the RCE will present the proposed amendment to the Governing Council for its feedback. The Governing Council will evaluate the proposed amendment and determine whether it will seek feedback from the QHIN Caucus, the Participant/Subparticipant Caucus, or both, as deemed necessary and appropriate. The Governing Council will evaluate proposed amendments in a timely manner and provide the RCE with written feedback on the proposed amendment.
5.3.2 The RCE shall consult with ONC about the Governing Council feedback. ONC shall, after considering the feedback, determine whether the proposed amendment should proceed after making any changes to the amendment. If ONC decides to proceed with the amendment, it will advance the proposed amendment to the QHIN Caucus and the Participant/Subparticipant Caucus for approval by a written vote. An amendment will be approved if at least two-thirds (2⁄3) of the votes cast by the QHIN Caucus and at least two-thirds (2⁄3) of the votes cast by the Participant/Subparticipant Caucus within the timeframe established by ONC for the voting period are in favor of the proposed amendment. The requirement to consult with the Governing Council in this provision shall be satisfied by ONC's approval of the proposed amendment if, at the time of such approval, the QHIN Caucus and the Participant/Subparticipant Caucus have not yet been established.
5.3.3 The time period for ONC to decide whether to proceed or not with a proposed amendment to an SOP pursuant to Section 5.3.3 above shall initially be three (3) months after ONC receives from the RCE feedback from the Governing Council; provided, however, that: (a) ONC may, in its discretion, extend this time for one (1) additional three- (3-) month time period; and (b) if ONC, in addition, determines in its reasonable discretion that the amendment affects or may be contrary to an ONC policy or another policy of the Department of Health and Human Services or any Applicable Law, ONC may extend this time for an unlimited number of additional three- (3-) month time periods.
5.3.4 Notwithstanding the requirement for a Participant/Subparticipant vote set forth in Section 5.3.3, if the proposed amendment will not have a material impact on any Participants or Subparticipants, ONC may advance the proposed amendment to the QHIN Caucus only, whereby the amendment will be approved if at least two-thirds (2⁄3) of the votes cast by the QHIN Caucus within the timeframe established by ONC for the voting period are in favor of the proposed amendment. The requirement to consult with the QHIN Caucus in this provision shall be satisfied by ONC's approval of the proposed amendment if, at the time of such approval, the QHIN Caucus has not yet been established. The RCE will determine an effective date for the approved amendment subject to approval of ONC.
5.3.5 Notwithstanding the foregoing, if the RCE determines that an amendment to an SOP is required in order for the RCE to remain in compliance with Applicable Law, the RCE is not required to provide the QHIN Caucus or the Participant/Subparticipant Caucus with an opportunity to vote on the amendment. However, the RCE shall still be required to provide sixty (60) days' advance written notice of the amendment and the legal analysis of the need to use this expedited process, unless the RCE would be materially harmed by being out of compliance with Applicable Law if it provided the sixty (60) days' written notice, in which case the RCE will provide as much notice as practicable under the circumstances. Any such amendment to an SOP shall be subject to ONC review and modification prior to enactment. Only those amendments that are approved by ONC will be enacted.
5.3 Voting Method. For purposes of the voting process set forth in this Section 5, the phrase "written vote" includes any process by which there is a voting record, which may include voting by electronic means.
6. Cooperation and Non-Discrimination.
6.1 Cooperation. Signatory understands and acknowledges that numerous activities with respect to this Common Agreement will likely involve other QHINs and their respective Participants and Subparticipants, as well as employees, agents, third-party contractors, vendors, or consultants of each of them. Signatory shall reasonably cooperate with the RCE, ONC, other QHINs, and their respective Participants and Subparticipants in all matters related to TEFCA Exchange. Requirements for reasonable cooperation are set forth in an SOP. The costs of cooperation to Signatory shall be borne by Signatory and shall not be charged to the RCE or other QHINs. Nothing in this Section 6.1 shall modify or replace the TEFCA Security Incident notification obligations under Section 12.3 and, if applicable, the IAS Incident notification obligations under Section 10.5.2 of this Common Agreement.
6.2 Non-Discrimination.
6.2.1 Prohibition Against Exclusivity. Neither Signatory nor the RCE shall prohibit or attempt to prohibit any QHIN, Participant, or Subparticipant from joining, exchanging with, conducting other transactions with, or supporting any other networks or exchange frameworks that use services other than the Signatory's Designated Network Services, concurrently with the QHIN's, Participant's, or Subparticipant's participation in TEFCA Exchange.
6.2.2 No Discriminatory Limits on Exchange of TI. Signatory shall not engage in TEFCA Exchange, refrain from engaging in TEFCA Exchange, or limit TEFCA Exchange with any other QHIN, Participant, Subparticipant, or Individual, in a Discriminatory Manner. Notwithstanding the foregoing, if Signatory refrains from engaging in TEFCA Exchange or limits interoperability with any other QHIN, Participant, or Subparticipant under the following circumstances, Signatory's actions or inactions shall not be deemed discriminatory: (i) Signatory's Connectivity Services require load balancing of network traffic or similar activities provided such activities are implemented in a consistent and non-discriminatory manner for a period of time no longer than necessary to address the network traffic issue; (ii) Signatory has a reasonable and good-faith belief that the other QHIN, Participant, or Subparticipant has not satisfied or will not be able to satisfy the applicable terms hereof (including compliance with Applicable Law) in any material respect; or (iii) Signatory's actions or inactions are consistent with or permitted by an applicable SOP. One QHIN suspending its exchange activities with another QHIN, Participant, or Subparticipant in accordance with Section 17.4.2 shall not be deemed discriminatory.
6.2.3 Updates to Connectivity Services. In revising and updating its Connectivity Services from time to time, Signatory will use commercially reasonable efforts to do so in accordance with generally accepted industry practices and to implement any changes in a non-discriminatory manner; provided, however, this provision shall not apply to limit modifications or updates to the extent that such revisions or updates are required by Applicable Law or implemented to respond promptly to newly discovered privacy or security threats.
6.2.4 Notice of Updates to Connectivity Services. Signatory shall implement a reporting protocol to provide reasonable prior written notice of all modifications or updates of its Connectivity Services to all other QHINs if such revisions or updates are expected to adversely affect TEFCA Exchange between QHINs or require changes in the Connectivity Services of any other QHIN, regardless whether they are necessary due to Applicable Law or newly discovered privacy or security threats.
6.3 Non-Interference. Signatory shall not prevent a Participant or Subparticipant from changing the QHIN through which the Participant or Subparticipant engages in TEFCA Exchange. Notwithstanding the foregoing, this subsection does not preclude Signatory from including and enforcing reasonable term limits in its contracts with its Participants related to a Participant's use of Signatory's Designated Network Services.
7. Confidentiality and Accountability.
7.1 Confidential Information. Signatory and RCE each agree to use and disclose all Confidential Information received pursuant to this Common Agreement only as authorized in this Common Agreement and any applicable SOP(s) and solely for the purposes of performing its obligations under this Common Agreement or the proper exchange of information under the Common Agreement and for no other purpose. Each Party may act as a CI Discloser and a CI Recipient, accordingly. A CI Recipient may disclose the Confidential Information it receives only to its Workforce Members who require such knowledge and use in the ordinary course and scope of their employment or retention and are obligated to protect the confidentiality of the CI Discloser's Confidential Information in a manner substantially equivalent to the terms required herein for the treatment of Confidential Information. If a CI Recipient must disclose a CI Discloser's Confidential Information under operation of law, the CI Recipient may do so provided that, to the extent permitted by Applicable Law, the CI Recipient gives the CI Discloser reasonable notice to allow the CI Discloser to object to such redisclosure, and such redisclosure is made to the minimum extent necessary to comply with Applicable Law.
7.2 Disclosure of Confidential Information. Nothing herein shall be interpreted to prohibit the RCE from disclosing any Confidential Information to ONC. Signatory acknowledges that ONC, as a Federal government agency, is subject to the Freedom of Information Act. Any disclosure of Signatory's Confidential Information to ONC or any ONC contractor will be subject to Applicable Law, as well as the limitations, procedures, and other relevant provisions of any applicable SOP(s).
7.3 ONC's and the RCE's Approach when Requesting Confidential Information. As a matter of general policy, ONC will request only the limited set of Confidential Information that ONC believes is necessary to inform the specific facts and circumstances of a matter. The RCE will request only the limited set of Confidential Information that the RCE believes is necessary to inform the specific facts and circumstances of a matter.
7.4 QHIN Accountability.
7.4.1 Statement of General Principle. To the extent not prohibited by Applicable Law, Signatory shall be responsible for its acts and omissions, and the acts or omissions of its Participants and their Subparticipants, but not for the acts or omissions of any other QHINs or their Participants or Subparticipants. For the avoidance of doubt, a Signatory that is also a governmental agency or instrumentality shall not be liable to the extent that the Applicable Law that governs Signatory does not expressly waive Signatory's sovereign immunity. Notwithstanding any provision in this Common Agreement to the contrary, Signatory shall not be liable for any act or omission if a cause of action for such act or omission is otherwise prohibited by Applicable Law. This Section 7.4.1 shall not be construed as a hold-harmless or indemnification provision.
7.4.2 Harm to RCE. Subject to Sections 7.4 and 7.6 of this Common Agreement that exclude certain types of damages or limit overall damages,
7.4.3 Harm to Other QHINs. Subject to Section 7.6 of this Common Agreement, which excludes certain types of damages or limits overall damages, Signatory shall be responsible for harm suffered by another QHIN to the extent that the harm was caused by Signatory's breach of this Common Agreement, the QTF, or any applicable SOP.
7.5 RCE Accountability. Signatory will not hold the RCE, or anyone acting on its behalf, including but not limited to members of the Governing Council, Transitional Council, Caucuses, Cybersecurity Council, any Advisory Group, any work group, or any subcommittee, its contractors, employees, or agents liable for any damages, losses, liabilities, or injuries arising from or related to this Common Agreement, except to the extent that such damages, losses, liabilities, or injuries are the direct result of the RCE's breach of this Common Agreement. This Section 7.5 shall not be construed as a hold-harmless or indemnification provision.
7.6 LIMITATION ON LIABILITY. NOTWITHSTANDING ANYTHING IN THIS COMMON AGREEMENT TO THE CONTRARY, IN NO EVENT SHALL EITHER THE RCE'S OR SIGNATORY'S TOTAL LIABILITY TO EACH OTHER AND ALL OTHER QHINS ARISING FROM OR RELATING TO THIS COMMON AGREEMENT EXCEED AMOUNTS EQUAL TO TWO MILLION DOLLARS ($2,000,000) PER INCIDENT AND FIVE MILLION DOLLARS ($5,000,000) AGGREGATE PER ANNUM OR SUCH OTHER AMOUNTS AS STATED IN A THEN-IN-EFFECT SOP, IN ORDER TO ALLOW FOR THE PERIODIC ADJUSTMENT OF THIS LIABILITY LIMIT OVER TIME WITHOUT THE NEED TO AMEND THIS COMMON AGREEMENT. THIS AND ANY SUCH ADJUSTED LIMITATION ON LIABILITY SHALL APPLY REGARDLESS OF WHETHER A CLAIM FOR ANY SUCH LIABILITY OR DAMAGES IS PREMISED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER THEORIES OF LIABILITY, EVEN IF SUCH PARTY HAS BEEN APPRISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OCCURRING. IF SIGNATORY IS A GOVERNMENT AGENCY OR A GOVERNMENT INSTRUMENTALITY UNDER FEDERAL LAW, STATE LAW, LOCAL LAW, OR TRIBAL LAW AND IT IS PROHIBITED FROM LIMITING ITS RECOVERY OF DAMAGES FROM A THIRD PARTY UNDER APPLICABLE LAW, THEN THIS SECTION 7.6 SHALL NOT APPLY TO EITHER SIGNATORY OR THE RCE. NOTHING IN THIS SECTION 7.6 OF THIS COMMON AGREEMENT SHALL BE CONSTRUED TO CREATE LIABILITY FOR A GOVERNMENTAL AGENCY OR INSTRUMENTALITY OR OTHERWISE WAIVE SOVEREIGN IMMUNITY.
8. RCE Directory Service.
8.1 Access to and Use of the RCE Directory Service. During the term of this Common Agreement and provided that Signatory is not suspended, the RCE shall provide Signatory with access to the RCE Directory Service. The timeframes and requirements for access to, publishing Directory Entries in, and use of the RCE Directory Service are set out in the QTF and the applicable SOP(s).
8.2 Utilization of the RCE Directory Service. The RCE Directory Service and Directory Entries contained therein shall be used by Signatory solely as necessary to create and maintain operational connectivity under the Common Agreement to enable TEFCA Exchange. Signatory shall not use or disclose Directory Entries except to its Workforce Members, to the Workforce Members of its Participants or Subparticipants, or to the Workforce Members of health information technology vendors who are engaged in assisting Signatory, the Participant or Subparticipant with engaging in TEFCA Exchange. Further, Signatory shall not use another QHIN's Directory Entries or information derived therefrom for marketing or any form of promotion of its own products and services, unless otherwise permitted pursuant to an SOP. In no event shall Signatory use or disclose the information contained in the RCE Directory Service in a manner that should be reasonably expected to have a detrimental effect on ONC, the RCE, other QHINs or their Participants or Subparticipants, or any other individual or organization. For the avoidance of doubt, Directory Entries are Confidential Information of the Discloser except to the extent such information meets one of the exceptions to the definition of Confidential Information. Nothing herein shall be interpreted to prohibit a QHIN from publicly disclosing the identity of its Participants or Subparticipants.
8.3 QHIN Directory Entries. Signatory must have at least one Node listed in the RCE Directory Service. Signatory is responsible for entering its Participant and Subparticipant Nodes in the RCE Directory Service and maintaining the accuracy of such entries. Signatory shall immediately remove from the RCE Directory Service any Node(s) associated with a Participant or Subparticipant that is suspended from engaging in TEFCA Exchange or whose agreement to participate in TEFCA Exchange in connection with Signatory has expired or been terminated.
8.4 Framework Agreement Record.
8.4.1 QHINs must maintain a record of all ToPs into which Signatory enters with its Participants, regardless of whether such Participants are listed in the RCE Directory Service. Such record must be provided to the RCE within five (5) business days following the RCE's written request unless such other timeframe is agreed to by the RCE.
8.4.2 Records of all ToPs into which Signatory's Participants or Subparticipants enter with their respective Subparticipants must be maintained by Signatory's Participants and Subparticipants in accordance with their respective obligations pursuant to the ToP. Upon request from the RCE, Signatory must provide such record to the RCE within two (2) business days of receiving such record(s) from its Participant(s).
9. TEFCA Exchange Activities.
9.1 Utilization of TEFCA Exchange. Signatory may only utilize Designated Network Services for purposes of facilitating TEFCA Exchange. TEFCA Exchange may only be utilized for an XP. To the extent there are limitations on what types of Participants or Subparticipants may transact TEFCA Information for a specific XP, such limitations will be set forth in the applicable SOP(s). All TEFCA Exchange is governed by and must comply with the Framework Agreements governing the QHINs, Participants, and Subparticipants.
9.2 Uses. Signatory may Use TI in any manner that: (i) is not prohibited by Applicable Law; (ii) is consistent with Signatory's Privacy and Security Notice, if applicable; and (iii) is in accordance with Sections 11 and 12 of this Common Agreement, if applicable.
9.3 Disclosures. Signatory may Disclose TI provided such Disclosure: (i) is not prohibited by Applicable Law; (ii) is consistent with Signatory's Privacy and Security Notice, if applicable; and (iii) is in accordance with Sections 11 and 12 of this Common Agreement, if applicable.
9.4 Responses. Except as otherwise set forth in an applicable SOP, Responding Nodes must Respond to Queries for all XP Codes that are identified as "required" in the
9.5 Special Legal Requirements. If and to the extent Applicable Law requires that an Individual either consent to, approve, or provide an authorization for the Use or Disclosure of that Individual's information to Signatory, such as a more stringent federal or State law relating to sensitive health information, then Signatory shall refrain from the Use or Disclosure of such information in connection with this Common Agreement unless such Individual's consent, approval, or authorization has been obtained consistent with the requirements of Applicable Law and Section 11 of this Common Agreement including without limitation communicated pursuant to the access consent policy(ies) described in the QTF or applicable SOP(s). Copies of such consent, approval, or authorization shall be maintained and transmitted pursuant to the process described in the QTF by whichever party is required to obtain it under Applicable Law, and Signatory may make such copies of the consent, approval, or authorization available electronically to any QHIN, Participant, or Subparticipant in accordance with the QTF and to the extent permitted by Applicable Law. Signatory shall maintain written policies and procedures to allow an Individual to revoke such consent, approval, or authorization on a prospective basis. If Signatory is an IAS Provider, the foregoing shall not be interpreted to modify, replace, or diminish the requirements set forth in Section 10 of this Common Agreement and any applicable SOP(s) for obtaining an Individual's express written consent.
10. Individual Access Services.
10.1 Individual Access Services (IAS) Offering(s). Signatory may elect to be an IAS Provider by offering IAS to any Individual in accordance with the requirements of this Section 10 and in accordance with all other provisions of this Common Agreement. Nothing in this Section 10 shall modify, terminate, or in any way affect an Individual's right of access under the HIPAA Privacy Rule at 45 CFR 164.524 with respect to any QHIN, Participant, or Subparticipant that is a Covered Entity or a Business Associate. Nothing in this Section 10 of this Common Agreement shall be construed as modifying or taking precedence over any provision codified in 45 CFR part 171. An IAS Provider shall not prohibit or attempt to prohibit any Individual using the IAS of any other IAS Provider or from joining, exchanging with, conducting other transactions with any other networks or exchange frameworks, using services other than the IAS Providers' Designated Network Services, concurrently with the QHIN's, Participant's, or Subparticipant's participation in TEFCA Exchange.
10.2 Individual Consent. This Section 10.2 shall apply to Signatory if Signatory is an IAS Provider. The Individual requesting IAS shall be responsible for completing the IAS Consent. The IAS Consent shall include, at a minimum: (i) consent to use the Individual Access Service; (ii) the Individual's acknowledgement and agreement to the IAS Provider's Privacy and Security Notice; and (iii) a description of the Individual's rights to access, delete, and export such Individual's Individually Identifiable Information. An IAS Provider may implement secure electronic means (e.g., secure email, secure web portal) by which an Individual may submit the IAS Consent. An IAS Provider shall collect the IAS Consent prior to the Individual's first use of the IAS and prior to any subsequent use if there is any material change in the applicable IAS Consent, including the version of the Privacy and Security Notice referenced therein. Nothing in the IAS Consent may contradict or be inconsistent with any applicable provision of this Common Agreement or the SOP(s). If the IAS Provider is a Covered Entity and has a Notice of Privacy Practices that meets the requirements of 45 CFR 164.520, the IAS Provider is not required to have a Privacy and Security Notice that meets the requirements of the applicable SOP. Nothing in Section 10 reduces a Covered Entity's obligations under the HIPAA Rules.
10.3 Intentionally Omitted.
10.4 Intentionally Omitted.
10.5 Additional Security Requirements for IAS Providers. This Section 10.5 shall apply to Signatory if Signatory is an IAS Provider.
10.5.1 Scope of Security Requirements. An IAS Provider must meet the applicable security requirements set forth in Section 12 for all Individually Identifiable Information it maintains as an IAS Provider, regardless of whether such information is TI.
10.5.2 IAS Incident Notice to Affected Individuals. If an IAS Provider reasonably believes that an Individual has been affected by an IAS Incident, it must provide such Individual with notification without unreasonable delay and in no case later than sixty (60) days following Discovery of the IAS Incident. The notification required under this Section 10.5.2 must be written in plain language and shall include, to the extent possible, the information set forth in the applicable SOP(s). To the extent Signatory is already required by Applicable Law to notify an Individual of an incident that would also be an IAS Incident, this Section 10.5.2 does not require duplicative notification to that Individual.
10.6 Survival for IAS Providers. This Section 10.6 shall apply to Signatory if Signatory is an IAS Provider. As between Signatory as an IAS Provider and an Individual, the IAS Provider's obligations in the IAS Consent, including the IAS Provider's requirement to comply with the Privacy and Security Notice and provide Individuals with rights, shall survive for so long as the IAS Provider maintains such Individual's Individually Identifiable Information. If Signatory was an IAS Provider, the requirements of Section 10.5 shall survive termination of this Common Agreement for so long as Signatory maintains Individually Identifiable Information acquired during the term of this Common Agreement as an IAS Provider regardless of whether such information is or was TI.
11. Privacy.
11.1 Compliance with the HIPAA Privacy Rule. If Signatory is a NHE (but not to the extent that it is acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity or any other type of entity exempted from compliance with this Section 11.1 in an applicable SOP), then it shall comply with the provisions of the HIPAA Privacy Rule listed below with respect to all Individually Identifiable Information as if such information is Protected Health Information and Signatory is a Covered Entity.
11.1.1 From 45 CFR 164.502, General Rules:
• Subsection (a)(1)-Dealing with permitted Uses and Disclosures, but only to the extent Signatory is authorized to engage in the activities described in this subsection of the HIPAA Privacy Rule for the applicable XP
• Subsection (a)(2)(i)-Requiring Disclosures to Individuals
• Subsection (a)(5)-Dealing with prohibited Uses and Disclosures
• Subsection (b)-Dealing with the minimum necessary standard
• Subsection (c)-Dealing with agreed-upon restrictions
• Subsection (d)-Dealing with deidentification and re-identification of information
• Subsection (e)-Dealing with Business Associate contracts
• Subsection (f)-Dealing with deceased persons' information
• Subsection (g)-Dealing with personal representatives
• Subsection (h)-Dealing with confidential communications
• Subsection (i)-Dealing with Uses and Disclosures consistent with notice
• Subsection (j)-Dealing with Disclosures by whistleblowers
11.1.2 45 CFR 164.504(e), Organizational Requirements.
11.1.3 45 CFR 164.508, Authorization Required. Notwithstanding the foregoing, the provisions of Sections 10.2 shall control and this Section 11.1.3 shall not apply with respect to an IAS Provider that is a NHE.
11.1.4 45 CFR 164.510, Uses and Disclosures Requiring Opportunity to Agree or Object. Notwithstanding the foregoing, an IAS Provider that is a NHE but is not a Health Care Provider shall not have the right to make the permissive Disclosures described in § 164.510(a)(3)-Emergency circumstances; provided, however, that an IAS Provider is not prohibited from making such a Disclosure if the Individual has consented to the Disclosure pursuant to Section 10 of this Common Agreement.
11.1.5 45 CFR 164.512, Authorization or Opportunity to Object Not Required. Notwithstanding the foregoing, an IAS Provider that is a NHE but is not a Health Care Provider shall not have the right to make the permissive Disclosures described in § 164.512(c)-Standard: Disclosures about victims of abuse, neglect or domestic violence; § 164.512 Subsection (d)-Standard: Uses and Disclosures for health oversight activities; and § 164.512 Subsection (j)-Standard: Uses and Disclosures to avert a serious threat to health or safety; provided, however, that an IAS Provider is not prohibited from making such a Disclosure(s) if the Individual has consented to the Disclosure(s) pursuant to Section 10 of this Common Agreement.
11.1.6 From 45 CFR 164.514, Other Requirements Relating to Uses and Disclosures:
• Subsections (a)-(c)-Dealing with de-identification requirements that render information not Individually Identifiable Information for purposes of this Section 11 and TEFCA Security Incidents
• Subsection (d)-Dealing with minimum necessary requirements
• Subsection (e)-Dealing with Limited Data Sets
11.1.7 45 CFR 164.522, Rights to Request Privacy Protections.
11.1.8 45 CFR 164.524, Access of Individuals, except that an IAS Provider that is a NHE shall be subject to the requirements of Section 10 with respect to access by Individuals for purposes of IAS and not this Section 11.1.8.
11.1.9 45 CFR 164.528, Accounting of Disclosures.
11.1.10 From 45 CFR 164.530, Administrative Requirements:
• Subsection (a)-Dealing with personnel designations
• Subsection (b)-Dealing with training
• Subsection (c)-Dealing with safeguards
• Subsection (d)-Dealing with complaints
• Subsection (e)-Dealing with sanctions
• Subsection (f)-Dealing with mitigation
• Subsection (g)-Dealing with refraining from intimidating or retaliatory acts
• Subsection (h)-Dealing with waiver of rights
• Subsection (i)-Dealing with policies and procedures
• Subsection (j)-Dealing with documentation
11.2 Written Privacy Policy. Signatory must develop, implement, make publicly available, and act in accordance with a written privacy policy describing its privacy practices with respect to Individually Identifiable Information that is Used or Disclosed pursuant to this Common Agreement and any SOPs. Signatory can satisfy the written privacy policy requirement by including applicable content consistent with the HIPAA Rules in its existing privacy policy, except as otherwise stated herein with respect to IAS Providers. This written privacy policy requirement does not supplant the HIPAA Privacy Rule obligations of a QHIN, Participant, or a Subparticipant that is a Covered Entity to post and distribute a Notice of Privacy Practices that meets the requirements of 45 CFR 164.520. If Signatory is a Covered Entity, then this written privacy policy requirement can be satisfied by its Notice of Privacy Practices. If Signatory is an IAS Provider, then the written privacy policy requirement must be in the form of a Privacy and Security Notice that meets the requirements of Section 10.2 of this Common Agreement. Notwithstanding Section 11.1, to the extent the Signatory's written privacy policy is "more stringent" than the HIPAA Privacy Rule provisions listed below, the written privacy policy shall govern. "More stringent" shall have the meaning assigned to it in 45 CFR 160.202 except the written privacy policy shall be substituted for references to State law and the reference to "standards, requirements or implementation specifications adopted under subpart E of part 164 of this subchapter" shall be limited to those listed below.
12. Security.
12.1 General Security Requirements. Signatory shall comply with the HIPAA Security Rule as if the HIPAA Security Rule applied to Individually Identifiable Information that is TI regardless of whether Signatory is a Covered Entity or a Business Associate. Signatory shall also comply with the security requirements stated in Section 12 of this Common Agreement and specific additional requirements as described in the QTF and applicable SOPs. With the exception of Section 12.1.5, none of these requirements in Section 12.1 shall apply to any federal agency or any other type of entity exempted from compliance with this Section 12.1 in an applicable SOP.
12.1.1 Cybersecurity Coverage. In accordance with the applicable SOP(s), Signatory shall maintain, throughout the term of this Common Agreement: (i) a policy or policies of insurance or cyber risk and errors and omissions; (ii) internal financial reserves to self-insure against a cyber-incident; or (iii) some combination of (i) and (ii).
12.1.2 Cybersecurity Certification. Signatory shall achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls, as set forth in the applicable SOP.
12.1.3 Annual Security Assessments. Signatory must obtain a third-party security assessment and technical audit no less often than annually and as further described in the applicable SOP. Within thirty (30) days of completing such annual security assessment or technical audit, Signatory must provide evidence of completion and mitigation as specified in the applicable SOP.
12.1.4 Intentionally Omitted.
12.1.5 Security Resource Support to Participants. Signatory shall make available to its Participants: (i) security resources and guidance regarding the protection of TI applicable to the Participants' participation in the QHIN under the applicable Framework Agreement; and (ii) information and
12.1.6 Chief Information Security Officer.
i. The RCE shall designate a person to serve as the Chief Information Security Officer (CISO) for activities conducted under the Framework Agreements. This may be either an employee or independent contractor of the RCE. The RCE's CISO will be responsible for monitoring and maintaining the overall Security Posture of activities conducted under the Framework Agreements and making recommendations to all QHINs regarding changes to baseline security practices required to address changes to the threat landscape.
ii. Signatory agrees that it, and not the RCE, is ultimately responsible for the Security Posture related to Signatory's participation in TEFCA. Signatory shall also designate a person to serve as its CISO for purposes of Signatory's participation in TEFCA Exchange. Signatory's CISO shall have responsibility for Signatory's Security Posture with respect to its participation in TEFCA Exchange and as set forth in an SOP. The RCE shall establish a Cybersecurity Council to enhance cybersecurity commensurate with the risks of the activities conducted under the Framework Agreements as set forth in an SOP.
12.2 TI Outside the United States. Signatory shall only Use TI outside the United States or Disclose TI to any person or entity outside the United States to the extent such Use or Disclosure is permitted or required by Applicable Law and the Use or Disclosure is conducted in conformance with the HIPAA Security Rule, regardless of whether Signatory is a Covered Entity or Business Associate.
12.3 TEFCA Security Incident Reporting. Signatory shall report to the RCE and to all QHINs that are likely impacted, whether directly or by nature of one of the other QHIN's Participants or Subparticipants, any TEFCA Security Incident, as set forth in the applicable SOP(s). Such report must include sufficient information for the RCE and others affected to understand the nature and likely scope of the TEFCA Security Incident. Signatory shall supplement the information contained in the report as additional relevant information becomes available and cooperate with the RCE, and with other QHINs, Participants, and Subparticipants that are likely impacted by the TEFCA Security Incident.
12.3.1 Receiving TEFCA Security Incident Report. Signatory shall implement a reporting protocol by which other QHINs can provide Signatory with a report of a TEFCA Security Incident.
12.3.2 Vertical Reporting of TEFCA Security Incident(s). Signatory shall report a TEFCA Security Incident to its Participants and Subparticipants as required by an applicable SOP.
12.3.3 Compliance with Notification Under Applicable Law. Nothing in this Section 12.3 shall be deemed to modify or replace any breach notification requirements that Signatory may have under the HIPAA Rules, the FTC Rule, or other Applicable Law. To the extent Signatory is already required by Applicable Law to notify a Participant, Subparticipant, or another QHIN of an incident that would also be a TEFCA Security Incident, this Section 12.3 does not require duplicative notification.
12.4 Encryption. If Signatory is a NHE (but not to the extent that it is a federal agency or any other type of entity exempted from compliance with this Section 12.4 in an applicable SOP), Signatory must encrypt all Individually Identifiable Information it maintains, both in transit and at rest, regardless of whether such information is TI. Requirements for encryption may be set forth in an SOP.
13. General Obligations.
13.1 Compliance with Applicable Law and the Framework Agreements. Signatory shall comply with all Applicable Law and shall implement and act in accordance with any provision required by this Common Agreement, including all applicable SOPs and provisions of the QTF, when providing Designated Network Services or otherwise engaging in or facilitating TEFCA Exchange.
13.2 Compliance with Specific Obligations.
13.2.1 Responsibility of the RCE. To the extent required by the Contract, the RCE shall take reasonable steps to confirm that Signatory is abiding by the obligations under this Common Agreement, the QTF, and all applicable SOPs. In the event that the RCE becomes aware of a material non-compliance with any of the obligations stated in a Framework Agreement or any of the applicable SOPs by Signatory or its Participants or Subparticipants, then the RCE shall promptly notify Signatory in writing. Such notice shall notify Signatory that its failure to correct any such deficiencies within the timeframe established by the RCE shall constitute a material breach of this Common Agreement, which may result in termination of this Common Agreement in accordance with Section 17.3.2.
13.2.2 Responsibility of Signatory. Signatory shall be responsible for taking reasonable steps to confirm that all of its Participants and Subparticipants are abiding by the ToP, all applicable SOPs, and any decisions made pursuant to Section 16.3. In the event that Signatory becomes aware of a material non-compliance by one of its Participants or Subparticipants, which includes failure to comply with a decision made pursuant to Section 16.3, then Signatory shall promptly notify the Participant or Subparticipant in writing. Such notice shall inform the Participant or Subparticipant that its failure to correct any such deficiencies within the timeframe established by Signatory shall constitute a material breach of the ToP, which may result in suspension or termination of Participant's or Subparticipant's ability to engage in TEFCA Exchange. Except as set forth in Section 17.4.5, Signatory is responsible for determining when suspension or termination of its Participants' or Subparticipants' ability to engage in TEFCA Exchange is warranted. Nothing in this Section 13.2.2 shall be deemed to limit Signatory's responsibility for the acts or omissions of its Participants and Subparticipants as set forth in Section 7.4.
13.2.3 Responsibility for Third-Party Technology Vendors of Signatory. To the extent that Signatory uses a third-party technology vendor(s) that will have access to TEFCA Information in connection with Designated Network Services, it shall include in a written agreement with each such subcontractor or agent a requirement to comply with all applicable provisions of this Common Agreement and a prohibition on engaging in any act or omission that would cause Signatory to violate the terms of this Common Agreement if Signatory had engaged in such act or omission itself.
13.3 Intentionally Omitted.
13.4 Intentionally Omitted.
14. Specific QHIN Obligations.
14.1 Transparency-Access to Participant/Subparticipant Information. If either ONC or the RCE has a reasonable basis to believe that one or more of the following situations exist with respect to Signatory, then Signatory shall make available, upon written request, evidence of the applicable Participant/Subparticipant Terms of Participation and information relating to the exchange of TI and the circumstances giving rise to the basis for such request. The foregoing shall be subject to Signatory's right to restrict or condition its cooperation or disclosure
14.2 Compliance with Standard Operating Procedures. The RCE shall adopt Standard Operating Procedures (SOPs) to provide detailed guidance on specific aspects of the exchange activities under this Common Agreement that are binding on the RCE, Signatory and, as applicable, Participants and Subparticipants. The SOPs are incorporated by reference into this Common Agreement, and Signatory shall comply with all SOPs that are applicable to it. In the ToP, Participants and Subparticipants will agree to comply with all applicable SOPs. If Signatory or its Participants or Subparticipants fail to comply with any applicable SOP, the RCE may take corrective action to bring the organization into compliance with the SOP, which may include: (i) requiring Signatory to suspend the ability of a Participant or Subparticipant to exchange information under the Framework Agreement(s) until the non-compliance is corrected to the satisfaction of the RCE; (ii) requiring Signatory to terminate the ability of a Participant or Subparticipant to exchange information under the Framework Agreement(s); (iii) suspending Signatory's ability to exchange information under the Common Agreement; or (iv) terminating Signatory's ability to exchange information under the Common Agreement. RCE shall adopt an SOP that provides detailed information about sanctions for non-compliance with an SOP. Nothing in this Section 14.2 of this Common Agreement limits the RCE's rights to terminate this Common Agreement under Section 17.3.2 or 17.3.3 of this Common Agreement.
14.3 Intentionally Omitted.
14.4 Intentionally Omitted.
15. Dispute Resolution.
15.1 Acknowledgement and Consent to Dispute Resolution Process. Signatory acknowledges that it may be in its best interest to resolve Disputes related to the Common Agreement through a collaborative, collegial process rather than through civil litigation. Signatory has reached this conclusion based upon the fact that the legal and factual issues related to the exchange and related activities under the Common Agreement are unique, novel, and complex, and limited case law exists that addresses the legal issues that could arise in connection with this Common Agreement. Therefore, Signatory agrees to participate in the Dispute Resolution Process with respect to any Dispute. Notwithstanding, Signatory understands that the Dispute Resolution Process does not supersede or replace any oversight, investigatory, enforcement, or other administrative actions or processes that may be taken by the relevant authority, whether or not arising out of or related to the circumstances giving rise to the Dispute. RCE and Signatory are committed to promptly and fairly resolving Disputes.
To that end, Signatory shall use its best efforts to resolve Disputes that may arise with other QHINs, their respective Participants and Subparticipants, or the RCE through informal discussions before seeking to invoke the Dispute Resolution Process. Likewise, Signatory, on its own behalf and on behalf of its Participant(s) or Subparticipant(s), will seek to resolve Disputes involving the RCE through good-faith informal discussions with the RCE prior to invoking the Dispute Resolution Process. If the Dispute cannot be resolved through cooperation between Signatory and the other QHIN(s) or the RCE, then the RCE may, or Signatory may on its own behalf or on behalf of its Participant(s) or Subparticipant(s), choose to submit the Dispute to the Dispute Resolution Process.
Under no circumstances will the Dispute Resolution Process give the RCE any power to assess monetary damages against any party to the Dispute Resolution Process including, without limitation, Signatory or its Participants or Subparticipants or any other QHIN or its Participants or Subparticipants. Except in accordance with Section 15.2, if Signatory refuses to participate in the Dispute Resolution Process, such refusal shall constitute a material breach of this Common Agreement and may be grounds for suspension or termination of Signatory's participation in TEFCA Exchange.
15.2 Injunctive Relief.
15.2.1 Notwithstanding Section 15.1, Signatory shall be relieved of its obligation to participate in the Dispute Resolution Process if Signatory: (i) makes a good faith determination that is based upon available information or other evidence that another QHIN's or its Participants' or Subparticipants' acts or omissions will violate Section 7.1 or cause irreparable harm to Signatory or another organization or person (e.g., another QHIN or its Participant or an Individual); and (ii) pursues immediate injunctive relief against such QHIN or its Participant or Subparticipant in a court of competent jurisdiction in accordance with Section 19.3. Signatory must notify RCE of such action within two (2) business days of filing for the injunctive relief and of the result of the action within twenty-four (24) hours of a court of competent jurisdiction granting or denying injunctive relief.
15.2.2 If the injunctive relief sought in Section 15.2.1 is not granted and Signatory chooses to pursue the Dispute, the Dispute must be submitted to the Dispute Resolution Process in accordance with Section 15.1.
15.3 Activities during Dispute Resolution Process. The pendency of a Dispute under this Common Agreement has no effect on either Party's obligations herein, unless Signatory terminates its rights in accordance with Section 17.3.1 or is suspended in accordance with Section 17.4.2.
15.4 Implementation of Agreed Upon Resolution. If, at any point during the Dispute Resolution Process, Signatory and all other parties to the Dispute accept a proposed resolution of the Dispute, Signatory and RCE each agree to implement the terms of the resolution within the timeframe agreed to in the resolution of the Dispute, to the extent applicable to each of them.
15.5 Reservation of Rights. If, following the completion of the Dispute Resolution Process, in the opinion of either Party, the Dispute Resolution Process failed to adequately resolve the Dispute, a Party may pursue any remedies available to it in a court of competent jurisdiction in accordance with Section 19.3.
15.6 Escalation of Certain Disputes to ONC. Except for RCE suspension or termination decisions subject to Section 16 of this Common Agreement, if Signatory has reason to believe that: (i) the RCE is acting in a Discriminatory Manner or in violation of the RCE's conflict of interest policies; or (ii) the RCE has not acted in accordance with its obligations stated in this Common Agreement, then Signatory shall have the right, on its own behalf and on behalf of its Participants and Subparticipants, to make a complaint to ONC. The complaint shall identify the parties to the Dispute, a description of the Dispute, a summary of each party's position on the issues included in the Dispute, the final disposition of the
15.7 Reporting of Anonymized Dispute Information to ONC. As part of the RCE's communications with ONC, within fifteen (15) business days after the end of each calendar quarter, the RCE reports the following information relating to each Dispute that has been submitted through the Dispute Resolution Process in an anonymized format to ONC: (i) identification of whether the parties to the Dispute are QHIN(s) only, or whether the Dispute also involves Participant(s) or Subparticipant(s); (ii) a description of the Dispute with reasonable specificity; and (iii) the final disposition of the Dispute.
16. Appeals to ONC and ONC Decisions Regarding XP Usage.
16.1 Signatory may appeal the following decisions of the RCE to ONC:
16.1.1 Suspension of a Signatory or Suspension of a Signatory's Participant or Subparticipant; and
16.1.2 Termination of a Signatory's Common Agreement by the RCE.
16.2 ONC anticipates publishing regulations to address the appeals of any of the RCE's decisions listed in Section 16.1. ONC anticipates issuing sub-regulatory guidance to address those appeals while formulating regulations. Until ONC's regulations governing those appeals are finalized and effective, the sub-regulatory guidance ONC issues shall be binding under this Common Agreement.
16.3 Notwithstanding anything herein to the contrary, the Parties agree that ONC may decide whether a Query or a proposed Query meets or will meet the requirements for the XP Code asserted in the Query. Such requirements for XP Codes are set forth either in this Common Agreement or in an applicable SOP(s). ONC may make a decision (i) prior to an organization becoming, or once an organization has become, a QHIN, Participant, or Subparticipant if such decision is made pursuant to this Common Agreement or an applicable SOP(s); or (ii) in connection with the resolution of a Dispute if the Dispute involves a disagreement about whether a Query or proposed Query complied with the applicable requirements for the XP Code asserted in the Query or proposed Query. If ONC makes a decision pursuant to this Section 16.3 about any Query or proposed Query, Signatory agrees that ONC's decision will be binding for TEFCA Exchange and Signatory shall enforce such decision pursuant to its responsibilities under Section 13.2.2.
17. Term, Termination and Suspension.
17.1 Term. This Common Agreement shall commence on the CA Effective Date and shall remain in effect until it is terminated by either Party in accordance with the terms of this Common Agreement.
17.2 Intentionally Omitted.
17.3 Termination.
17.3.1 Termination by Signatory. Signatory may terminate this Common Agreement at any time without cause by providing ninety (90) days' prior written notice to RCE. Signatory may also terminate for cause if the RCE commits a material breach of the Common Agreement, and the RCE fails to cure its material breach within thirty (30) days of Signatory providing written notice to RCE of the material breach; provided, however, that if RCE is diligently working to cure its material breach at the end of this thirty (30) day period, then Signatory must provide the RCE with up to another thirty (30) days to complete its cure.
17.3.1 Termination by the RCE. RCE may not terminate this Common Agreement except as provided by Section 4.2, this Section 17.3.2, or Section 17.3.3 of this Common Agreement. RCE may terminate this Common Agreement with immediate effect by giving notice to Signatory if: (i) Signatory is in material breach of any of the terms and conditions of this Common Agreement and fails to remedy such breach within thirty (30) days after receiving notice of such breach; provided, however, that if Signatory is diligently working to cure its material breach at the end of this thirty- (30-) day period, then RCE must provide Signatory with up to another thirty (30) days to complete its cure; or (ii) Signatory breaches a material provision of this Common Agreement where such breach is not capable of remedy.
17.3.2 Termination by RCE if the RCE Ceases to be Funded. The Parties acknowledge that the RCE's activities under this Common Agreement are supported by ONC funding. If this funding ceases, there are no guarantees that the RCE will continue unless a financial sustainability model has been put in place. If federal funding ceases, or if the available funding is not sufficient to provide the necessary funding to support operation of the RCE and there is no successor RCE, then the RCE may terminate this Common Agreement by providing one hundred and eighty (180) days' prior written notice to Signatory.
17.3.3 Termination by Mutual Agreement. The Parties may terminate this Common Agreement at any time and for any reason by mutual, written agreement.
17.3.4 Effect of Termination of the Common Agreement.
(i) Upon termination of this Common Agreement for any reason, RCE shall promptly remove Signatory and its Participants and Subparticipants from the RCE Directory Service and any other lists of QHINs that RCE maintains. Signatory shall implement the technical mechanism(s) necessary to ensure that its Participants' and Subparticipants' ability to participate in TEFCA Exchange is terminated upon termination of this Common Agreement.
(ii) Upon termination of this Common Agreement for any reason, Signatory shall, without undue delay, (a) remove all references that identify it as a QHIN from all media, and (b) cease all use of any material, including but not limited to product manuals, marketing literature, and web content that identifies it as a QHIN. Within twenty (20) business days of termination of this Common Agreement, Signatory shall confirm to RCE, in writing, that it has complied with this Subsection 17.3.5(ii).
(iii) To the extent Signatory stores TI, such TI may not be distinguishable from other information maintained by Signatory. When the TI is not distinguishable from other information, it is not possible for Signatory to return or destroy TI it maintains upon termination or expiration of this Common Agreement. Upon termination or expiration of this Common Agreement, if Signatory is subject to Section 11 of this Common Agreement, such sections shall continue to apply so long as the information would be ePHI if maintained by a Covered Entity or Business Associate. The protections required under the HIPAA Security Rule shall also continue to apply to all TI that is ePHI, regardless of whether Signatory is a Covered Entity or Business Associate.
(iv) In no event shall Signatory be entitled to any refund of any fees that it has paid the RCE prior to termination.
(v) The provisions set forth in this Section 17.3.5 are in addition to those
17.4 Suspension.
17.4.1 Suspension by RCE. RCE may suspend Signatory's ability to engage in TEFCA Exchange if RCE determines, following completion of a preliminary investigation, that Signatory is responsible for a Threat Condition or in accordance with Section 17.4. RCE will make a reasonable effort to notify Signatory in advance of RCE's intent to suspend Signatory, including notice of the Threat Condition giving rise to such suspension. If advance notice is not reasonably practicable under the circumstances, the RCE will notify Signatory of the suspension, and the Threat Condition giving rise thereto, as soon as practicable following the suspension. Upon suspension of Signatory, RCE will work collaboratively with Signatory to resolve the issue leading to the suspension. RCE shall adopt an SOP to address specific requirements and timelines related to suspension.
17.4.2 Selective Suspension by Signatory. Signatory may, in good faith and to the extent permitted by Applicable Law, determine that it must suspend exchanging with another QHIN, Participant, or Subparticipant with which it is otherwise required to exchange in accordance with an SOP because of reasonable and legitimate concerns related to the privacy, security, accuracy, or quality of information that is exchanged. If Signatory makes this determination, it is required to promptly notify the RCE and the QHIN that Signatory is suspending of its decision and the reason(s) for making the decision. If Signatory makes the decision to suspend, it is required, within thirty (30) days, to initiate the Dispute Resolution Process in order to resolve whatever issues led to the decision to suspend, or end its suspension and resume exchanging with the other QHIN. Provided that Signatory selectively suspends exchanging with another QHIN in accordance with this Section 17.4.2 and in accordance with Applicable Law, such selective suspension shall not be deemed a violation of Sections 6.2.2 or 9.4.
17.4.3 Additional Suspension Rights of RCE. Notwithstanding anything to the contrary set forth herein, the RCE retains the right to suspend any TEFCA Exchange activity (i) upon ten (10) days' prior notice if the RCE determines that Signatory has created a situation in which the RCE may suffer material harm and suspension is the only reasonable step that the RCE can take to protect itself; or (ii) immediately if the RCE determines that the safety or security of any person or the privacy or security of TI or Confidential Information is threatened. In the case of an immediate suspension under this Section 17.4.3, the RCE will provide notice as soon as practicable following the suspension.
17.4.4 Effect of Suspension. The suspension of Signatory's ability to participate in TEFCA Exchange pursuant to this Section 17.4 has no effect on Signatory's other obligations hereunder, including, without limitation, obligations with respect to privacy and security. During any suspension pursuant to this Section 17.4, Signatory's inability to exchange information under this Common Agreement or comply with those terms of this Common Agreement that require information exchange shall not be deemed a breach of this Common Agreement. In the event of suspension of Signatory's ability to participate in TEFCA Exchange, Signatory shall communicate to its Participants, and require that they communicate to their Subparticipants, that all TEFCA Exchange by or on behalf of Signatory's Participants and Subparticipants will also be suspended during any period of Signatory's suspension. Signatory is responsible for having and implementing the technical mechanism(s) necessary to ensure that its Participants' and Subparticipants' ability to participate in TEFCA Exchange is suspended during the period of Signatory's suspension from TEFCA Exchange.
17.4.5 RCE Suspension of Participant or Subparticipants. To the extent that RCE determines that one of Signatory's Participants or Subparticipants has done something or failed to do something that results in a Threat Condition, RCE may suspend, or the RCE may direct that Signatory suspend, that Participant's or Subparticipant's ability to engage in TEFCA Exchange. In the event that the RCE directs Signatory to suspend a Participant or Subparticipant based on (a) the RCE's determination that suspension or termination is warranted based on (i) an alleged violation of such Framework Agreement or of Applicable Law by the party/parties; (ii) a cognizable threat to the security of TEFCA Exchange or the information that the RCE reasonably believes is TI; or (iii) such suspension is in the interests of national security as directed by an agency of the United States government, then Signatory must effectuate such suspension as soon as practicable and not longer than within twenty-four (24) hours of the RCE having directed the suspension, unless the RCE specifies a longer period of time is permitted to effectuate the suspension; and (b) any reason other than those in subsection (a), then Signatory must effectuate suspension as soon as practicable.
17.5 Successor RCE and Transition. Signatory agrees that ONC has the right to select any successor RCE or to act as an interim RCE until such successor RCE has been selected. Signatory further agrees to work cooperatively with the RCE and any interim or successor RCE selected by ONC. Additionally, Signatory shall continue to abide by the provisions of this Common Agreement during the transition to any interim or successor RCE.
18. Fees.
18.1 Fees Paid by QHINs to the RCE. Signatory shall pay the fees set forth on Schedule 1 attached hereto (the "QHIN Fees"). RCE shall invoice Signatory for all Fees in accordance with Schedule 1. Unless otherwise set forth in Schedule 1, invoices shall be due and payable by Signatory within sixty (60) days after receipt thereof unless Signatory notifies RCE in writing that it is contesting the accuracy of the invoice and identifies the specific inaccuracies that it asserts. QHIN Fees contested under this Section 18.1 shall be resolved between Signatory and RCE as stated in the applicable SOP. Other than with regard to invoiced amounts that are contested in good faith, any collection costs, attorneys' fees or other expenses reasonably incurred by RCE in collecting amounts due under this Common Agreement are the responsibility of Signatory. If Signatory fails to pay any undisputed QHIN Fees when due hereunder, RCE has the right to suspend or terminate Signatory's ability to participate in any exchange activity under this Common Agreement. Prior to taking any action against Signatory for non-payment, including suspension, RCE shall provide Signatory ten (10) days' prior written notice. If Signatory makes payment within ten (10) days of receiving written notice, RCE will not suspend Signatory's ability to participate in any exchange activity under this Common Agreement. If Signatory fails to make payment within ten (10) days of receiving notice, then the RCE may implement the suspension or may terminate Signatory's ability to participate in any exchange activity under this Common Agreement.
18.1.1 Changes to QHIN Fees. Schedule 1 may be updated by the RCE from time-to-time in relation to operational costs, availability of ONC funding, and other market factors in order to ensure the sustainability of the activities conducted under the Framework Agreements. In light of the
18.2 Fees Charged by QHINs to Other QHINs. Signatory is prohibited from charging fees to other QHINs for any exchange of information using the Designated Network Services.
18.3 Fees Charged by QHINs, Participants or Subparticipants. QHINs, Participants, and Subparticipants that operate a Responding Node may charge fees to an Initiating Node when Responding to Queries through TEFCA Exchange as defined in an applicable SOP. The foregoing shall not prohibit Signatory from charging its Participants or Subparticipants fees for use of its Designated Network Services.
19. Contract Administration.
19.1 Authority to Execute. Signatory warrants and represents that it has the full power and authority to execute this Common Agreement and that any representative of Signatory who executes this Common Agreement has full power and authority to do so on behalf of Signatory.
19.2 Notices. All notices to be made under this Common Agreement shall be given in writing to Signatory at the address for legal notice specified in its QHIN Application and to the RCE at The Sequoia Project 8300 Boone Blvd., Suite 500, Vienna, Virginia 22182 or rce@sequoiaproject.org, and shall be deemed given: (i) upon delivery, if personally delivered; (ii) upon delivery by overnight delivery service such as UPS or FEDEX or another recognized commercial carrier; (iii) upon the date indicated on the return receipt, when sent by the United States Postal Service Certified Mail, return receipt requested; or (iv) if by facsimile telecommunication or other form of electronic transmission, upon receipt when the sending facsimile machine or electronic mail address receives confirmation of receipt by the receiving facsimile machine or electronic mail address. Either Party may update its address for notice by providing notice to the other Party in accordance with this Section 19.2.
19.3 Governing Law, Forum, and Jurisdiction.
19.3.1 Conflicts of Law and Governing Law. In the event of a Dispute between Signatory and the RCE, the applicable federal and State conflicts of law provisions that govern the operations of the Parties shall determine governing law.
19.3.2 Jurisdiction and Venue. The RCE, currently a Virginia non-profit corporation, and Signatory each hereby submits to the exclusive jurisdiction of any State or federal court sitting in the Commonwealth of Virginia within twenty-five (25) miles of Alexandria, Virginia in any legal proceeding arising out of or relating to this Common Agreement unless otherwise required by Applicable Law. The RCE and Signatory each agrees that all claims and matters arising out of this Common Agreement may be heard and determined in such court, and each Party hereby waives any right to object to such filing on grounds of improper venue, forum non-conveniens, or other venue-related grounds.
19.3.3 Intentionally Omitted.
19.3.4 Sovereign Immunity. No provision within this Common Agreement in any way constitutes a waiver by the United States Department of Health and Human Services or any other part of the federal government of sovereign immunity or any other applicable immunity from suit or from liability that the United States Department of Health and Human Services or other part of the federal government may have by operation of law.
19.4 Assignment. None of this Common Agreement, including but not limited to any of the rights created by this Common Agreement, can be transferred by either Party, whether by assignment, merger, other operation of law, change of control of the Party or otherwise, without the prior written approval of the other Party. Notwithstanding the foregoing, if ONC selects another organization to serve as the RCE, then RCE shall assign this Common Agreement to the successor RCE or an interim RCE as directed by ONC and consent of Signatory to such assignment shall not be required. Signatory understands and agrees that no interim or successor RCE shall have any obligation or liability for any act or omission of The Sequoia Project in connection with this Common Agreement or any of the other Framework Agreements prior to the termination of The Sequoia Project's status as the RCE.
19.5 Force Majeure. Neither Party shall be responsible for any delays or failures in performance caused by the occurrence of events or other circumstances that are beyond its reasonable control after the exercise of commercially reasonable efforts to either prevent or mitigate the effect of any such occurrence or event.
19.6 Severability. If any provision of this Common Agreement shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be struck from the Common Agreement, and the remaining provisions of this Common Agreement shall remain in full force and effect and enforceable.
19.7 Counterparts. This Common Agreement may be executed in one or more counterparts, each of which shall be considered an original counterpart, and shall become a binding agreement when each Party shall have executed one counterpart.
19.8 Captions. Captions appearing in this Common Agreement are for convenience only and shall not be deemed to explain, limit, or amplify the provisions of this Common Agreement.
19.9 Independent Parties. Nothing contained in this Common Agreement shall be deemed or construed as creating a joint venture or partnership between Signatory and RCE.
19.10 Acts of Contractors and Agents. To the extent that the acts or omissions of a Party's agent(s) or contractor(s), or their subcontractor(s), result in that Party's breach of and liability under this Common Agreement, said breach shall be deemed to be a breach by that Party.
19.11 Entire Agreement; Waiver. This Common Agreement, together with the QTF, SOPs, and all other attachments, exhibits, and artifacts incorporated by reference, contains the entire understanding of the Parties with regard to the subject matter contained herein. The failure of either Party to enforce, at any time, any provision of this Common Agreement shall not be construed to be a waiver of such provision, nor shall it in any way affect the validity of this Common Agreement or any part hereof or the right of such Party thereafter to enforce each and every such provision. No waiver of any breach of this Common Agreement shall be held to constitute a waiver of any other or subsequent breach, nor shall any delay by either Party to exercise any right under this Common Agreement operate as a waiver of any such right.
19.12 Effect of Agreement. Except as provided in Sections 7.4 and Section 15, nothing in this Common Agreement shall be construed to restrict either Party's right to pursue all remedies available under law for damages or other relief arising from acts or omissions of the RCE or other QHINs or their Participants or Subparticipants related to the Common Agreement, or to limit any rights, immunities, or defenses to which Signatory may be entitled under Applicable Law.
19.13 Priority. In the event of any conflict or inconsistency between
19.14 QHIN Time Periods. Any of the time periods relating to the Parties hereto that are specified in this Common Agreement may be changed on a case-by-case basis pursuant to the mutual written consent of the Parties, provided that these changes are not undertaken to adversely affect another QHIN and provided that these changes would not unfairly benefit either Party to the detriment of others participating in activities under the Framework Agreements. Time periods that pertain to ONC may not be changed, except by ONC, including the time periods for ONC review of proposed changes to the Common Agreement, the QTF, or SOPs that are set forth in Section 5.
19.15 Remedies Cumulative. The rights and remedies of the Parties provided in this Common Agreement are cumulative and are in addition to any other rights and remedies provided by Applicable Law.
19.16 Survival of Rights and Obligations. The respective rights, obligations, and liabilities of the Parties with respect to acts or omissions that occur by either Party prior to the date of expiration or termination of this Common Agreement shall survive such expiration or termination. Following any expiration or termination of this Common Agreement, the Parties shall thereafter cooperate fully and work diligently in good faith to achieve an orderly resolution of all matters resulting from such expiration or termination.
19.16.1 The following sections shall survive expiration or termination of this Common Agreement as more specifically provided below:
(i) The following sections shall survive in perpetuity following the expiration or termination of this Common Agreement: Sections 7.6 Limitation of Liability; 19.2 Notices; 19.3 Governing Law, Forum, and Jurisdiction; 19.6 Severability; 19.9 Independent Parties; 19.10 Acts of Contractors and Agents; 19.11 Entire Agreement; Waiver; 19.12 Effect of Agreement; 19.13 Priority; and 19.15 Remedies Cumulative.
(ii) The following sections shall survive for a period of six (6) years following the expiration or termination of this Common Agreement: Sections 7.1 Confidential Information; 7.2 Disclosure of Confidential Information; 7.4.1 Statement of General Principle; 12.3 TEFCA Security Incident Notification; and 14.1 Transparency-Access to Participant/Subparticipant Information.
(iii) The following section shall survive for the period specifically stated in such section following the expiration or termination of this Common Agreement: Section 17.3.5 Effect of Termination of Common Agreement.
(iv) To the extent that Signatory is an IAS Provider, the provisions set forth in Section 10.6 shall survive following the termination or expiration of this Common Agreement for the respective periods set forth therein.
In witness whereof, the Parties hereto, intending legally to be bound hereby, have executed and delivered this Common Agreement as of the date first above written.
RCE: THE SEQUOIA PROJECT, INC.
Signature
By:
Title:
Date:
Signatory:
Signature
By:
Title:
Date:
Exhibit 1 to the Common Agreement for Nationwide Health Information Interoperability
Participant/Subparticipant Terms of Participation
Version 1.0
April 2024
Participant/Subparticipant Terms of Participation
Introduction
Section 4003 of the 21st Century Cures Act directed the U.S. Department of Health and Human Services ("HHS") National Coordinator for Health Information Technology to, "in collaboration with the National Institute of Standards and Technology and other relevant agencies within the Department of Health and Human Services, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally" (the "Trusted Exchange Framework and Common Agreement"℠ or TEFCA℠). The common agreement referenced in the foregoing sentence is the Common Agreement for Nationwide Health Information Interoperability entered into by each Qualified Health Information Network™ ("QHIN™") that has been Designated to participate in TEFCA. The Common Agreement requires that every QHIN contractually obligate their TEFCA Participants, who in turn are required to contractually obligate their Subparticipants to comply with the Participant/Subparticipant Terms of Participation ("ToP").
Upstream QHIN, Participant, or Subparticipant ("QPS"), as defined below, must ensure that these ToP are included, directly or by reference, in a legally enforceable contract in which the Upstream QPS binds its Participants and Subparticipants. These ToP must be presented and entered into WITHOUT modification, except that Upstream QPS should insert its name in the highlighted field(s) below and the name of the QHIN if Upstream QPS is not a QHIN and may, but is not required to, add signature lines to the end of these ToP. For the avoidance of doubt, the foregoing is not intended to prohibit Upstream QPS from imposing additional terms upon its Participants and/or Subparticipants, provided any such terms do not conflict with the ToP with respect to TEFCA Exchange.
Participant/Subparticipant Terms of Participation
[NAME OF UPSTREAM QPS] ("Upstream QPS") participates in TEFCA by providing technical and/or governance services to its Participants and/or Subparticipants to facilitate their ability to engage in TEFCA Exchange consistent with all applicable legal and contractual requirements. [Upstream QPS is a QHIN OR Upstream QPS is a Participant or Subparticipant of [QHIN].] Your organization ("You") wishes to become a Participant or Subparticipant, as applicable, of Upstream QPS so that You may participate in TEFCA Exchange.
As a Participant or Subparticipant, You agree to abide by these Participant/
1. Definitions and Relevant Terminology.
1.1 Defined Terms. Capitalized terms used in these ToP shall have the meaning set forth below. Where a definition includes one or more citations to a statute, regulation, or standard, the definition shall be interpreted to refer to such statute, regulation, or standard as may be amended from time-to-time.
Applicable Law: all federal, State, local, or tribal laws and regulations then in effect and applicable to the subject matter herein. For the avoidance of doubt, federal agencies are only subject to federal law.
Breach of Unencrypted Individually Identifiable Information: the acquisition, access, or Disclosure of unencrypted Individually Identifiable Information maintained by an IAS Provider that compromises the security or privacy of the unencrypted Individually Identifiable Information.
Business Associate: has the meaning assigned to such term at 45 CFR 160.103.
Business Associate Agreement (BAA): a contract, agreement, or other arrangement that satisfies the implementation specifications described within 45 CFR 164.314(a) and 164.504(e), as applicable.
Common Agreement: unless otherwise expressly indicated, the Common Agreement for Nationwide Health Information Interoperability, the QHIN Technical Framework (QTF), all Standard Operating Procedures (SOPs), and all other attachments, exhibits, and artifacts incorporated therein by reference.
Confidential Information: any information that is designated as Confidential Information by the CI Discloser, or that a reasonable person would understand to be of a confidential nature, and is disclosed to a CI Recipient pursuant to a Framework Agreement. For the avoidance of doubt, "Confidential Information" does not include electronic protected health information (ePHI), as defined herein, that is subject to a Business Associate Agreement and/or other provisions of a Framework Agreement.
Notwithstanding any label to the contrary, "Confidential Information" does not include any information that: (i) is or becomes known publicly through no fault of the CI Recipient; or (ii) is learned by the CI Recipient from a third party that the CI Recipient reasonably believes is entitled to disclose it without restriction; or (iii) is already known to the CI Recipient before receipt from the CI Discloser, as shown by the CI Recipient's written records; or (iv) is independently developed by CI Recipient without the use of or reference to the CI Discloser's Confidential Information, as shown by the CI Recipient's written records, and was not subject to confidentiality restrictions prior to receipt of such information from the CI Discloser.
Confidential Information (CI) Discloser: a person or entity that discloses Confidential Information.
Confidential Information (CI) Recipient: a person or entity that receives Confidential Information.
Connectivity Services: the technical services provided by a QHIN, Participant, or Subparticipant to its Participants and Subparticipants that facilitate TEFCA Exchange and are consistent with the requirements of the then-applicable QHIN Technical Framework.
Covered Entity: has the meaning assigned to such term at 45 CFR 160.103.
Designated Network: the Health Information Network that a QHIN uses to offer and provide the Designated Network Services.
Designated Network Governance Body: a representative and participatory group or groups that approve the processes for fulfilling the Governance Functions and participate in such Governance Functions for Signatory's Designated Network.
Designated Network Services: the Connectivity Services and/or Governance Services.
Directory Entry(ies): listing of each Node controlled by a QHIN, Participant or Subparticipant, which includes the endpoint resource for such Node(s) and any other organizational or technical information required by the QTF or an applicable SOP.
Disclosure (including its correlative meanings "Disclose," "Disclosed," and "Disclosing"): the release, transfer, provision of access to, or divulging in any manner of TEFCA Information (TI) outside the entity holding the information.
Discover (including its correlative meanings "Discovery" and "Discovering"): the first day on which something is known to the QHIN, Participant, or Subparticipant, or by exercising reasonable diligence would have been known, to the QHIN, Participant, Subparticipant.
Discriminatory Manner: an act or omission that is inconsistently taken or not taken with respect to any similarly situated QHIN, Participant, Subparticipant, Individual, or group of them, whether it is a competitor, or whether it is affiliated with or has a contractual relationship with any other entity, or in response to an event.
Electronic Protected Health Information (ePHI): has the meaning assigned to such term at 45 CFR 160.103.
Exchange Purpose or XP: means the reason, as authorized by a Framework Agreement, including the applicable SOP(s), for a transmission, Query, Use, Disclosure, or Response transacted through TEFCA Exchange.
Framework Agreement(s): with respect to QHINs, the Common Agreement; and with respect to a Participant or Subparticipant, the ToP.
FTC Rule: the Health Breach Notification Rule promulgated by the Federal Trade Commission set forth at 16 CFR part 318.
Government Benefits Determination: a determination made by any agency, instrumentality, or other unit of the federal, State, local, or tribal government as to whether an Individual qualifies for government benefits for any purpose other than health care (e.g., Social Security disability benefits) to the extent permitted by Applicable Law. Disclosure of TI for this purpose may require an authorization that complies with Applicable Law.
Government Health Care Entity: any agency, instrumentality, or other unit of the federal, State, local, or tribal government to the extent that it provides health care services (e.g., treatment) to Individuals but only to the extent that it is not acting as a Covered Entity.
Governance Functions: the functions, activities, and responsibilities of the Designated Network Governance Body as set forth in an applicable SOP.
Governance Services: the governance functions described in an applicable SOP, which are performed by a QHIN's Designated Network Governance Body for its Participants and Subparticipants to facilitate TEFCA Exchange in compliance with the then-applicable requirements of the Framework Agreements.
Health Care Provider: meets the definition of such term in either 45 CFR 171.102 or in the HIPAA Rules at 45 CFR 160.103.
Health Information Network (HIN): has the meaning assigned to the term "Health Information Network or Health Information Exchange" in the information blocking regulations at 45 CFR 171.102.
HIPAA: the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the Health Information Technology for
HIPAA Rules: the regulations set forth at 45 CFR parts 160, 162, and 164.
HIPAA Privacy Rule: the regulations set forth at 45 CFR parts 160 and 164, Subparts A and E.
HIPAA Security Rule: the regulations set forth at 45 CFR part 160 and 164, subpart C.
Implementation Date: the date sixty (60) calendar days after publication of version 2 of the Common Agreement in the Federal Register.
Individual: has the meaning assigned to such term at 45 CFR 171.202(a)(2).
Individual Access Services Incident (IAS Incident): a TEFCA Security Incident or a Breach of Unencrypted Individually Identifiable Information maintained by an IAS Provider.
Individual Access Service Consent (IAS Consent): an IAS Provider's own supplied form for obtaining express written consent from the Individual in connection with the IAS.
Individual Access Services Provider (IAS Provider): each QHIN, Participant, and Subparticipant that offers Individual Access Services (IAS).
Individual Access Services (IAS): the services provided to an Individual by a QHIN, Participant, or Subparticipant that has a direct contractual relationship with such Individual in which the QHIN, Participant, or Subparticipant, as applicable, agrees to satisfy that Individual's ability to use TEFCA Exchange to access, inspect, obtain, or transmit a copy of that Individual's Required Information.
Individually Identifiable Information: information that identifies an Individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an Individual.
Initiating Node: a Node through which a QHIN, Participant, or Subparticipant initiates transactions for TEFCA Exchange and, to the extent such transaction is a Query, receives a Response to such Query.
Node: a technical system that is controlled directly or indirectly by a QHIN, Participant, or Subparticipant and that is listed in the RCE Directory Service.
Non-HIPAA Entity (NHE): a QHIN, Participant, or Subparticipant that is neither a Covered Entity nor a Business Associate as defined under the HIPAA Rules with regard to activities under a Framework Agreement. To the extent a QHIN, Participant, or Subparticipant is a Hybrid entity, as defined in 45 CFR 164.103, such QHIN, Participant, or Subparticipant shall be considered a Non-HIPAA Entity with respect to TEFCA Exchange activities related to such QHIN, Participant, or Subparticipant's non-covered components.
ONC: the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology.
Participant: to the extent permitted by applicable SOP(s), a U.S. Entity that has entered into the ToP in a legally binding contract with a QHIN to use the QHIN's Designated Network Services to participate in TEFCA Exchange in compliance with the ToP.
Participant/Subparticipant Terms of Participation (ToP): the requirements set forth in Exhibit 1 to the Common Agreement, as reflected herein, to which: QHINs must contractually obligate their Participants to agree; to which QHINs must contractually obligate their Participants to contractually obligate their Subparticipants and Subparticipants of the Subparticipants to agree, in order to participate in TEFCA Exchange including the QHIN Technical Framework (QTF), all applicable Standard Operating Procedures (SOPs), and all other attachments, exhibits, and artifacts incorporated therein by reference.
Privacy and Security Notice: an IAS Provider's own supplied written privacy and security notice that contains the information required by the applicable SOP(s).
Protected Health Information (PHI): has the meaning assigned to such term at 45 CFR 160.103.
Public Health Authority: has the meaning assigned to such term at 45 CFR 164.501.
QHIN Technical Framework (QTF): the most recent effective version of the document that contains the technical, functional, privacy, and security requirements for TEFCA Exchange.
Qualified Health Information Network (QHIN): to the extent permitted by applicable SOP(s), a Health Information Network that is a U.S. Entity that has been Designated by the RCE and is a party to the Common Agreement countersigned by the RCE.
Query(ies) (including its correlative uses/tenses "Queried" and "Querying"): the act of asking for information through TEFCA Exchange.
RCE Directory Service: a technical service provided by the RCE that enables QHINs to identify their Nodes to enable TEFCA Exchange. The requirements for use of, inclusion in, and maintenance of the RCE Directory Service are set forth in the Framework Agreements, QTF, and applicable SOPs.
Recognized Coordinating Entity® (RCE™): the entity selected by ONC that enters into the Common Agreement with QHINs in order to impose, at a minimum, the requirements of the Common Agreement, including the SOPs and the QTF, on the QHINs and administer such requirements on an ongoing basis.
Required Information: the Electronic Health Information, as defined in 45 CFR 171.102, that is (i) maintained in a Responding Node by any QHIN, Participant, or Subparticipant prior to or during the term of the applicable Framework Agreement and (ii) relevant for a required XP Code, as set forth in the QTF or an applicable SOP(s).
Responding Node: a Node through which the QHIN, Participant, or Subparticipant Responds to a received transaction for TEFCA Exchange.
Response(s) (including its correlative uses/tenses "Responds," "Responded" and "Responding"): the act of providing the information that is the subject of a Query or otherwise transmitting a message in response to a Query through TEFCA Exchange.
Standard Operating Procedure(s) or SOP(s): a written procedure or other provision that is adopted pursuant to the Common Agreement and incorporated by reference into the Framework Agreements to provide detailed information or requirements related to TEFCA Exchange, including all amendments thereto. Each SOP identifies the relevant group(s) to which the SOP applies, including whether Participants or Subparticipants are required to comply with a given SOP.
State: any of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
Subparticipant: to the extent permitted by applicable SOP(s), a U.S. Entity that has entered into the ToP in a legally binding contract with a Participant or another Subparticipant to use the Participant's or Subparticipant's Connectivity Services to participate in TEFCA Exchange in compliance with the ToP.
TEFCA Exchange: the transaction of information between Nodes using an XP Code.
TEFCA Information (TI): any information that is transacted through TEFCA Exchange except to the extent that such information is received by a QHIN, Participant, or Subparticipant that is a Covered Entity, Business Associate, or NHE that is exempt from compliance with the Privacy section of the applicable Framework Agreement and is incorporated into such recipient's system of records, at which point the
TEFCA Security Incident(s):
(i) An unauthorized acquisition, access, Disclosure, or Use of unencrypted TI using TEFCA Exchange, but NOT including any of the following:
(a) Any unintentional acquisition, access, Use, or Disclosure of TI by a Workforce Member or person acting under the authority of a QHIN, Participant, or Subparticipant, if such acquisition, access, Use, or Disclosure (i) was made in good faith, (ii) was made by a person acting within their scope of authority, (iii) was made to another Workforce Member or person acting under the authority of any QHIN, Participant, or Subparticipant, and (iv) does not result in further acquisition, access, Use, or Disclosure in a manner not permitted under Applicable Law and the Framework Agreements.
(b) A Disclosure of TI where a QHIN, Participant, or Subparticipant has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.
(c) A Disclosure of TI that has been de-identified in accordance with the standard at 45 CFR 164.514(b).
(ii) Other security events (e.g., ransomware attacks), as set forth in an SOP, that adversely affect a QHIN's, Participant's, or Subparticipant's participation in TEFCA Exchange.
Threat Condition: (i) a breach of a material provision of a Framework Agreement that has not been cured within fifteen (15) days of receiving notice of the material breach (or such other period of time to which the Parties have agreed), which notice shall include such specific information about the breach that the RCE has available at the time of the notice; or (ii) a TEFCA Security Incident; or (iii) an event that RCE, a QHIN, its Participant, or their Subparticipant has reason to believe will disrupt normal TEFCA Exchange, either due to actual compromise of or the need to mitigate demonstrated vulnerabilities in systems or data of the QHIN, Participant, or Subparticipant, as applicable, or could be replicated in the systems, networks, applications, or data of another QHIN, Participant, or Subparticipant; or (iv) any event that could pose a risk to the interests of national security as directed by an agency of the United States government.
United States: the fifty (50) States, the District of Columbia, and the territories and possessions of the United States including, without limitation, all military bases or other military installations, embassies, and consulates operated by the United States government.
U.S. Entity/Entities: any corporation, limited liability company, partnership, or other legal entity that meets all of the following requirements:
(i) The entity is organized under the laws of a State or commonwealth of the United States or the federal law of the United States and is subject to the jurisdiction of the United States and the State or commonwealth under which it was formed;
(ii) The entity's principal place of business, as determined under federal common law, is in the United States; and
(iii) None of the entity's directors, officers, or executives, and none of the owners with a five percent (5%) or greater interest in the entity, are listed on the Specially Designated Nationals and Blocked Persons List published by the United States Department of the Treasury's Office of Foreign Asset Control or on the United States Department of Health and Human Services, Office of Inspector General's List of Excluded Individuals/Entities.
Use(s) (including correlative uses/tenses, such as "Uses," "Used," and "Using"): with respect to TI, means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Workforce Member(s): any employees, volunteers, trainees, and other persons whose conduct, in the performance of work for an entity, is under the direct control of such entity, whether or not they are paid by the entity.
XP Code: the code used to identify the XP in any given transaction, as set forth in the applicable SOP(s).
1.2 ToP Terminology.
1.2.1 References to You and QHINs, Participants, and Subparticipants. As set forth in its definition and in the introductory paragraph of these ToP, the term "You" is used to refer to the specific entity that is a party to these ToP with the Upstream QPS. (You and Upstream QPS may also be referred to herein individually as a "Party" or collectively as the "Parties.") Any and all rights and obligations of a QHIN, Participant or Subparticipant stated herein are binding upon all other QHINs, Participants, and Subparticipants that have entered into a Framework Agreement. References herein to "QHINs," "other Participants," "other Subparticipants," and similar such terms are used to refer to any and all other organizations that have signed a Framework Agreement.
1.2.2 General Rule of Construction. For the avoidance of doubt, a reference to a specific section of the ToP in a particular section does not mean that other sections of the ToP that expressly apply to You are inapplicable. A reference in these ToP to any law, any regulation, or to Applicable Law includes any amendment, modification or replacement to such law, regulation, or Applicable Law.
1.2.3 Terms of Participation for Subparticipants. You shall contractually obligate your Subparticipants, if any, to comply with the ToP. Notwithstanding the foregoing, for any entity that became Your Subparticipant prior to the Implementation Date, You shall (i) contractually obligate such entity to comply with the ToP within one-hundred eighty (180) days of the Implementation Date, provided that such Subparticipant is and remains a party to the Participant Subparticipant Agreement, as defined in and required by Common Agreement Version 1.1, during such period; or (ii) terminate such entity's ability to engage in TEFCA Exchange upon the earlier of the date of termination of the existing Participant-Subparticipant Agreement or one-hundred (180) days after the Implementation Date.
2. Cooperation and Non-Discrimination.
2.1 Cooperation. You understand and acknowledge that numerous activities with respect to the ToP will likely involve the RCE, QHINs, and their respective Participants and Subparticipants, as well as employees, agents, third-party contractors, vendors, or consultants of each of them. You shall reasonably cooperate with the RCE, ONC, QHINs and their respective Participants and Subparticipants in all matters related to TEFCA Exchange, including any dispute resolution activities in which You are involved. Expectations for reasonable cooperation are set forth in an SOP. The costs of cooperation to You shall be borne by You and shall not be charged to the RCE or other QHINs. Nothing in this Section 2.1 shall modify or replace the TEFCA Security Incident notification obligations under Section 8.3 and, if applicable, the IAS Incident notification obligations under Section 6.3.2 of the ToP.
2.2 Non-Discrimination.
2.2.1 Prohibition Against Exclusivity. Upstream QPS shall not prohibit or attempt to prohibit You, nor shall You or Upstream QPS prohibit or attempt to prohibit any of Your Subparticipants, if any, from joining, exchanging with, conducting other transactions with, or supporting any other networks or exchange frameworks that use services other than the
2.2.2 No Discriminatory Limits on Exchange of TI. Neither You nor Upstream QPS shall engage in TEFCA Exchange, refrain from engaging in TEFCA Exchange, or limit TEFCA Exchange with any QHIN, Participant, Subparticipant, or Individual in a Discriminatory Manner. Notwithstanding the foregoing, if You refrain from engaging in TEFCA Exchange or limit interoperability with any other QHIN, Participant, or Subparticipant under the following circumstances, Your actions or inactions shall not be deemed discriminatory: (i) Your Connectivity Services require load balancing of network traffic or similar activities provided such activities are implemented in a consistent and non-discriminatory manner for a period of time no longer than necessary to address the network traffic issue; (ii) You have a reasonable and good-faith belief that the other QHIN, Participant, or Subparticipant has not satisfied or will not be able to satisfy the applicable terms of a Framework Agreement (including compliance with Applicable Law) in any material respect; and/or (iii) Your actions or inactions are consistent with or permitted by an applicable SOP. One QHIN, Participant, or Subparticipant suspending its exchange activities with another QHIN, Participant, or Subparticipant in accordance with Section 17.4.2 of the Common Agreement or Section 10.4.5 of the ToP, as applicable, shall not be deemed discriminatory.
2.2.3 Updates to Connectivity Services. In revising and updating Connectivity Services from time to time, You will use commercially reasonable efforts to do so in accordance with generally accepted industry practices and to implement any changes in a non-discriminatory manner; provided, however, this provision shall not apply to limit modifications or updates to the extent that such revisions or updates are required by Applicable Law or implemented to respond promptly to newly discovered privacy or security threats.
2.2.4 Notice of Updates to Connectivity Services. You shall implement a reporting protocol to provide reasonable prior written notice of all modifications or updates of Your Connectivity Services to Upstream QPS and Your Subparticipants if such revisions or updates are expected to adversely affect Your ability to engage in TEFCA Exchange or require changes in the Connectivity Services of Upstream QPS or Your Subparticipants, regardless of whether they are necessary due to Applicable Law or newly discovered privacy or security threats.
3. Confidentiality and Accountability.
3.1 Confidential Information. You and Upstream QPS each agree to use and disclose all Confidential Information received pursuant to these ToP only as authorized in these ToP and any applicable SOP(s) and solely for the purposes of performing its obligations under a Framework Agreement or the proper exchange of information through TEFCA Exchange and for no other purpose. You and Upstream QPS may act as a CI Discloser and a CI Recipient, accordingly. A CI Recipient may disclose the Confidential Information it receives only to its Workforce Members who require such knowledge and use in the ordinary course and scope of their employment or retention and are obligated to protect the confidentiality of the CI Discloser's Confidential Information in a manner substantially equivalent to the terms required herein for the treatment of Confidential Information. If a CI Recipient must disclose the CI Discloser's Confidential Information under operation of law, it may do so provided that, to the extent permitted by Applicable Law, the CI Recipient gives the CI Discloser reasonable notice to allow the CI Discloser to object to such redisclosure, and such redisclosure is made to the minimum extent necessary to comply with Applicable Law.
3.2 Disclosure of Confidential Information. Nothing herein shall be interpreted to prohibit Upstream QPS or the RCE from disclosing any Confidential Information to ONC. You acknowledge that ONC, as a Federal government agency, is subject to the Freedom of Information Act. Any disclosure of Your Confidential Information to ONC or any ONC contractor will be subject to Applicable Law, as well as the limitations, procedures, and other relevant provisions of any applicable SOP(s).
3.3 ONC's and the RCE's Approach when Requesting Confidential Information. As a matter of general policy, ONC will request only the limited set of Confidential Information that ONC believes is necessary to inform the specific facts and circumstances of a matter. The RCE will request only the limited set of Confidential Information that the RCE believes is necessary to inform the specific facts and circumstances of a matter.
4. RCE Directory Service and Directory Entries.
4.1 Utilization of Directory Entries. The RCE Directory Service and Directory Entries contained therein shall be used by QHINs solely as necessary to create and maintain operational connectivity to enable TEFCA Exchange. Upstream QPS is providing You with access to, and the right to use, Directory Entries on the express condition that You only use and disclose Directory Entry information as necessary to advance the intended use of the Directory Entries or as required by Applicable Law. For example, You are permitted to disclose Directory Entry information to Your Workforce Members, Your Subparticipant's Workforce Members, and/or to the Workforce Members of health information technology vendors who are engaged in assisting You or Your Subparticipant with establishing and maintaining connectivity via the Framework Agreements. Further, You shall not use another QPS's Directory Entries or information derived therefrom for marketing or any form of promotion of Your own products and services, unless otherwise permitted pursuant to an SOP. In no event shall You use or disclose the information contained in the Directory Entries in a manner that should be reasonably expected to have a detrimental effect on ONC, the RCE, Upstream QPS, Your Subparticipants, other QHINs, other Participants, other Subparticipants, or any other individual or organization. For the avoidance of doubt, Directory Entries are Confidential Information of the CI Discloser except to the extent such information meets one of the exceptions to the definition of Confidential Information. Nothing herein shall be interpreted to prohibit a QHIN or Upstream QPS from publicly disclosing the identity of its own Participants or Subparticipants.
4.2 ToP Record. You must maintain a record of all ToPs into which You enter with Your Subparticipants, if any, regardless of whether such Subparticipants are listed in the RCE Directory Services. Such record must be provided to the RCE within four (4) business days following the RCE's or Upstream QPS's written request unless such other timeframe is agreed to by the RCE.
5. TEFCA Exchange Activities.
5.1 Utilization of TEFCA Exchange. You may only utilize Connectivity Services for purposes of facilitating TEFCA Exchange. You may only utilize
5.2 Uses. You may Use TI in any manner that: (i) is not prohibited by Applicable Law; (ii) is consistent with Your Privacy and Security Notice, if applicable; and (iii) is in accordance with Sections 7 and 8 of these ToP.
5.3 Disclosures. You may Disclose TI provided such Disclosure: (i) is not prohibited by Applicable Law; (ii) is consistent with Your Privacy and Security Notice, if applicable; and (iii) is in accordance with Sections 7 and 8 of these ToP.
5.4 Responses. Except as otherwise set forth in an applicable SOP, Your Responding Nodes must Respond to Queries for all XP Codes that are identified as "required." in the applicable SOP(s). Such Response must include all Required Information. Notwithstanding the foregoing, You may withhold some or all of the Required Information to the extent necessary to comply with Applicable Law.
5.5 Special Legal Requirements. If and to the extent Applicable Law requires that an Individual either consent to, approve, or provide an authorization for the Use or Disclosure of that Individual's information to You, such as a more stringent federal or State law relating to sensitive health information, then You shall refrain from the Use or Disclosure of such information in connection with these ToP unless such Individual's consent, approval, or authorization has been obtained consistent with the requirements of Applicable Law and Section 7 of these ToP, including, without limitation, communicated pursuant to the access consent policy(ies) described in the QTF or applicable SOP(s). Copies of such consent, approval, or authorization shall be maintained and transmitted pursuant to the process described in the QTF by whichever party is required to obtain it under Applicable Law, and You may make such copies of the consent, approval, or authorization available electronically to any QHIN, Participant, or Subparticipant in accordance with the QTF and to the extent permitted by Applicable Law. You shall maintain written policies and procedures to allow an Individual to revoke such consent, approval, or authorization on a prospective basis. If You are an IAS Provider, the foregoing shall not be interpreted to modify, replace, or diminish the requirements set forth in Section 6 of these ToP and any applicable SOP(s) for obtaining an Individual's express written consent.
6. Individual Access Services.
6.1 IAS Offering(s). You may elect to be an IAS Provider by offering IAS to any Individual in accordance with the requirements of this section and in accordance with all other provisions of these ToP and applicable SOP(s). Nothing in this Section 6 shall modify, terminate, or in any way affect an Individual's right of access under the HIPAA Privacy Rule at 45 CFR 164.524 if You are a Covered Entity or a Business Associate. Nothing in this Section 6 of these ToP shall be construed as modifying or taking precedence over any provision codified in 45 CFR part 171. An IAS Provider shall not prohibit or attempt to prohibit any Individual using the IAS of any other IAS Provider or from joining, exchanging with, conducting other transactions with any other networks or exchange frameworks, using services other than the IAS Providers' Designated Network Services, concurrently with the QHIN's, Participant's, or Subparticipant's participation in TEFCA Exchange.
6.2 Individual Consent. This Section 6.2 shall apply to You if You are an IAS Provider. The Individual requesting IAS shall be responsible for completing the IAS Consent. The IAS Consent shall include, at a minimum: (i) consent to use the IAS; (ii) the Individual's acknowledgement and agreement to Your Privacy and Security Notice; and (iii) a description of the Individual's rights to access, delete, and export such Individual's Individually Identifiable Information. You may implement secure electronic means (e.g., secure email, secure web portal) by which an Individual may submit the IAS Consent. You shall collect the IAS Consent prior to the Individual's first use of the IAS and prior to any subsequent use if there is any material change in the applicable IAS Consent, including the version of the Privacy and Security Notice referenced therein. Nothing in the IAS Consent may contradict or be inconsistent with any applicable provision of these ToP or the SOP(s). If You are a Covered Entity and have a Notice of Privacy Practices that meets the requirements of 45 CFR 164.520, You are not required to have a Privacy and Security Notice that meets the requirements of the applicable SOP. Nothing in Section 6 reduces a Covered Entity's obligations under the HIPAA Rules.
6.3 Additional Security Requirements for IAS Providers. In addition to meeting the applicable security requirements set forth in Section 8, if You are an IAS Provider, You must further satisfy the requirements of this subsection.
6.3.1 Scope of Security Requirements. You must meet the applicable security requirements set forth in Section 8 for all Individually Identifiable Information You maintain as an IAS Provider, regardless of whether such information is TI.
6.3.2 IAS Incident Notice to Affected Individuals. If You reasonably believe that an Individual has been affected by an IAS Incident, You must provide such Individual with notification without unreasonable delay and in no case later than sixty (60) days following Discovery of the IAS Incident. The notification required under this section must be written in plain language and shall include, to the extent possible, the information set forth in the applicable SOP(s). To the extent You are already required by Applicable Law to notify an Individual of an incident that would also be an IAS Incident, this section does not require duplicative notification to that Individual.
6.4 Survival for IAS Providers. This Section 6.4 shall apply to You if You are an IAS Provider. As between You as an IAS Provider and an Individual, the IAS Provider's obligations in the IAS Consent, including Your requirement to comply with the Privacy and Security Notice and provide Individuals with rights, shall survive for so long as You maintain such Individual's Individually Identifiable Information. If You were an IAS Provider, the requirements of Section 6.3 shall survive termination of these ToP for so long as You maintain Individually Identifiable Information acquired during the term of these ToP as an IAS Provider regardless of whether such information is or was TI.
7. Privacy.
7.1 Compliance with the HIPAA Privacy Rule. If You are a NHE (but not to the extent that You are acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health
7.1.1 From 45 CFR 164.502, General Rules:
• Subsection (a)(1)-Dealing with permitted Uses and Disclosures, but only to the extent You are authorized to engage in the activities described in this subsection of the HIPAA Privacy Rule for the applicable XP
• Subsection (a)(2)(i)-Requiring Disclosures to Individuals
• Subsection (a)(5)-Dealing with prohibited Uses and Disclosures
• Subsection (b)-Dealing with the minimum necessary standard
• Subsection (c)-Dealing with agreed-upon restrictions
• Subsection (d)-Dealing with de-identification and re-identification of information
• Subsection (e)-Dealing with Business Associate contracts
• Subsection (f)-Dealing with deceased persons' information
• Subsection (g)-Dealing with personal representatives
• Subsection (h)-Dealing with confidential communications
• Subsection (i)-Dealing with Uses and Disclosures consistent with notice
• Subsection (j)-Dealing with Disclosures by whistleblowers
7.1.2 45 CFR 164.504(e), Organizational Requirements.
7.1.3 45 CFR 164.508, Authorization Required. Notwithstanding the foregoing, the provisions of Sections 6.2 shall control and this Section 7.1.3 shall not apply with respect to You if You are an IAS Provider that is a NHE.
7.1.4 45 CFR 164.510, Uses and Disclosures Requiring Opportunity to Agree or Object. Notwithstanding the foregoing, an IAS Provider that is a NHE but is not a Health Care Provider shall not have the right to make the permissive Disclosures described in § 164.510(a)(3)-Emergency circumstances; provided, however, that an IAS Provider is not prohibited from making such a Disclosure if the Individual has consented to the Disclosure pursuant to Section 6 of these ToP.
7.1.5 45 CFR 164.512, Authorization or Opportunity to Object Not Required. Notwithstanding the foregoing, an IAS Provider that is a NHE but is not a Health Care Provider shall not have the right to make the permissive Disclosures described in § 164.512(c)-Standard: Disclosures about victims of abuse, neglect or domestic violence, § 164.512 Subsection (d)-Standard: Uses and Disclosures for health oversight activities, and § 164.512 Subsection (j)-Standard: Uses and Disclosures to avert a serious threat to health or safety; provided, however, that an IAS Provider is not prohibited from making such a Disclosure(s) if the Individual has consented to the Disclosure(s) pursuant to Section 6 of these ToP.
7.1.6 From 45 CFR 164.514, Other Requirements Relating to Uses and Disclosures:
• Subsections (a)-(c)-Dealing with de-identification requirements that render information not Individually Identifiable Information for purposes of this Section 7 and TEFCA Security Incidents
• Subsection (d)-Dealing with minimum necessary requirements
• Subsection (e)-Dealing with Limited Data Sets
7.1.7 45 CFR 164.522, Rights to Request Privacy Protections.
7.1.8 45 CFR 164.524, Access of Individuals, except that an IAS Provider that is a NHE shall be subject to the requirements of Section 6 with respect to access by Individuals for purposes of IAS and not this Section 7.1.8.
7.1.9 45 CFR 164.528, Accounting of Disclosures.
7.1.10 From 45 CFR 164.530, Administrative Requirements:
• Subsection (a)-Dealing with personnel designations
• Subsection (b)-Dealing with training
• Subsection (c)-Dealing with safeguards
• Subsection (d)-Dealing with complaints
• Subsection (e)-Dealing with sanctions
• Subsection (f)-Dealing with mitigation
• Subsection (g)-Dealing with refraining from intimidating or retaliatory acts
• Subsection (h)-Dealing with waiver of rights
• Subsection (i)-Dealing with policies and procedures
• Subsection (j)-Dealing with documentation
7.2 Written Privacy Policy. You must develop, implement, make publicly available, and act in accordance with a written privacy policy describing Your privacy practices with respect to Individually Identifiable Information that is Used or Disclosed pursuant to these ToP. You can satisfy the written privacy policy requirement by including applicable content consistent with the HIPAA Rules in Your existing privacy policy, except as otherwise stated herein with respect to IAS Providers. If You are a Covered Entity, this written privacy policy requirement does not supplant the HIPAA Privacy Rule obligations to post and distribute a Notice of Privacy Practices that meets the requirements of 45 CFR 164.520. If You are a Covered Entity, then this written privacy policy requirement can be satisfied by Your Notice of Privacy Practices. If You are an IAS Provider, then the written privacy practices requirement must be in the form of a Privacy and Security Notice that meets the requirements of Section 6.2 of these ToP. Notwithstanding Section 11.1, to the extent the Signatory's written privacy policy is "more stringent" than the HIPAA Privacy Rule provisions listed below, the written privacy policy shall govern. "More stringent" shall have the meaning assigned to it in 45 CFR 160.202 except the written privacy policy shall be substituted for references to State law and the reference to "standards, requirements or implementation specifications adopted under subpart E of part 164 of this subchapter" shall be limited to those listed below.
8. Security.
8.1 Security Controls. You shall implement and maintain appropriate security controls for Individually Identifiable Information that are commensurate with risks to the confidentiality, integrity, and/or availability of the Individually Identifiable Information. If You are a NHE, You shall comply with the HIPAA Security Rule provisions with respect to all Individually Identifiable Information as if such information were Protected Health Information and You were a Covered Entity or Business Associate. You shall comply with any additional security requirements that may be set forth in an SOP applicable to Participants and Subparticipants.
8.2 TEFCA Security Incident Reporting.
8.2.1 Reporting to Upstream QPS. You shall report to Upstream QPS any suspected TEFCA Security Incident, as set forth in the applicable SOP(s). Such report must include sufficient information for Upstream QPS and others affected to understand the nature and likely scope of the TEFCA Security Incident. You shall supplement the information contained in the report as additional relevant information becomes available and cooperate with Upstream QPS and, at the direction of Upstream QPS, with the RCE, and with other QHINs, Participants, and
8.2.2 Reporting to Subparticipants. You shall report any TEFCA Security Incident experienced by or reported to You to Your Subparticipants as required by an applicable SOP.
8.2.3 Compliance with Notification Under Applicable Law. Nothing in this Section 8.3 shall be deemed to modify or replace any breach notification requirements that You may have under the HIPAA Rules, the FTC Rule, or other Applicable Law. To the extent You are already required by Applicable Law to notify Upstream QPS or a Subparticipant of an incident that would also be a TEFCA Security Incident, this section does not require duplicative notification.
8.3 Security Resource Support to Subparticipants. You shall make available to Your Subparticipants (if any): (i) security resources and guidance regarding the protection of TI applicable to the Subparticipants' participation in TEFCA Exchange; and (ii) information and resources that the RCE or Cybersecurity Council makes available to You related to promotion and enhancement of the security of TI under the Framework Agreements.
8.4 TI Outside the United States. You shall only Use TI outside the United States or Disclose TI to any person or entity outside the United States to the extent such Use or Disclosure is permitted or required by Applicable Law and the Use or Disclosure is conducted in conformance with the HIPAA Security Rule, regardless of whether You are a Covered Entity or Business Associate and as set forth in an applicable SOP.
8.5 Encryption. If You are a NHE (but not to the extent that You are a federal agency or any other type of entity exempted from compliance with this Section in an applicable SOP), You must encrypt all Individually Identifiable Information You maintain, both in transit and at rest, regardless of whether such information is TI. Requirements for encryption may be set forth in an SOP.
9. General Obligations.
9.1 Compliance with Applicable Law and the ToP. You shall comply with all Applicable Law and shall implement and act in accordance with any provision required by the ToP, including all applicable SOPs and provisions of the QTF, when engaging in or facilitating TEFCA Exchange. While each SOP identifies the relevant group(s) to which it applies, not every requirement in an SOP or the QTF will necessarily be applicable to You. It is Your responsibility to determine, in consultation with Upstream QPS, which of the SOPs and QTF provisions are applicable to You.
9.2 Your Responsibility for Your Subparticipants. You shall be responsible for taking reasonable steps to confirm that all of Your Subparticipants (if any) are abiding by the ToP, specifically including all applicable SOPs and QTF provisions. In the event that You become aware of a material non-compliance by one of Your Subparticipants, then You shall promptly notify the Subparticipant in writing. Such notice shall inform the Subparticipant that its failure to correct any such deficiencies within thirty (30) days of receiving notice shall constitute a material breach of the ToP, which may result in early termination of these ToP.
9.3 Your Responsibility for Your Third-Party Technology Vendors. To the extent that You use a third-party technology vendor that will have access to TEFCA Information in connection with Connectivity Services or TEFCA Exchange, You shall include in a written agreement with each such subcontractor or agent a requirement to comply with all applicable provisions of these ToP and a prohibition on engaging in any act or omission that would cause You to violate the terms of these ToP if You had engaged in such act or omission Yourself.
9.4 Fees Charged by QHINs, Participants, or Subparticipants. You may charge fees to an Initiating Node when Responding to Queries through TEFCA Exchange as defined in an applicable SOP. The foregoing shall not prohibit You from charging Your Subparticipants fees for use of Your Connectivity Services.
10. Term, Termination, and Suspension.
10.1 Term. These ToP shall become effective upon agreement of both Parties and shall remain in effect until terminated by either Party. You may terminate these ToP by providing at least thirty (30) days' prior written notice of termination to Upstream QPS. Upstream QPS may terminate these ToP by providing at least ninety (90) days' prior written notice to You. Notwithstanding the foregoing, in the event that Upstream QPS's Framework Agreement is terminated, Your ToP shall be immediately terminated.
10.2 Termination for Cause. Either Party may terminate these ToP for cause if the other Party commits a material breach of a Framework Agreement, and fails to cure its material breach within thirty (30) days of receiving notice specifying the nature of such breach in reasonable detail from the non-breaching Party; provided, however, that if Upstream QPS is diligently working to cure its material breach at the end of this thirty (30) day period, then You must provide Upstream QPS with up to another thirty (30) days to complete its cure.
10.3 Effect of Termination. Upon termination of these ToP, You will no longer be able to engage in TEFCA Exchange facilitated by or through Upstream QPS. To the extent You store TI, such TI may not be distinguishable from other information maintained by You. When the TI is not distinguishable from other information, it is not possible for You to return or destroy TI You maintain upon termination or expiration of these ToP. Upon termination or expiration of these ToP, if You are subject to Section 7 of these ToP, such sections shall continue to apply so long as the information would be ePHI if maintained by a Covered Entity or Business Associate. The protections required under the HIPAA Security Rule shall also continue to apply to all TI that is ePHI, regardless of whether You are a Covered Entity or Business Associate. The provisions set forth in this Section 10.3 are in addition to those survival provisions set forth in Section 11.9.
10.4 Conflict with Other Agreements Between You and Upstream QPS. Notwithstanding anything herein to the contrary, in the event You and Upstream QPS are parties to an agreement that provides additional terms related to TEFCA Exchange and that agreement provides for a shorter notice period for termination, such shorter notice period shall control.
10.5 Rights to Suspend.
10.5.1 RCE's Right to Suspend Your Ability to Engage in TEFCA Exchange. You acknowledge and agree that the RCE has the authority to suspend, or direct the Upstream QPS to suspend, any QPS's ability to engage in TEFCA Exchange if: (i) there is an alleged violation of the respective Framework Agreement or of Applicable Law by the respective party/parties; (ii) there is a Threat Condition; (iii) the RCE determines that the safety or security of any person or the privacy or security of TI and/or Confidential Information is threatened; (iv) such suspension is in the interests of national security as directed by an agency of the United States government; or (v) there is a situation in which the RCE may suffer material harm and suspension is the only reasonable step that the RCE can take to protect itself. You acknowledge that upon receiving direction from the RCE, You will be suspended as soon as practicable provided, however, if the suspension is based on Subsections 10.5.1(i) or 10.5.1(iv) or a Threat
10.5.2 Upstream QPS's Right to Suspend Your Ability to Engage in TEFCA Exchange. You acknowledge and agree that Upstream QPS has the same authority as the RCE to suspend Your ability to engage in TEFCA Exchange, and Your Subparticipant's (if any) ability to engage in TEFCA Exchange, if any of the circumstances described in Subsections 10.5.1 (i)-(iii) above occur with respect to You or any of Your Subparticipants.
(i) Upstream QPS may exercise such right to suspend based on its own determination that any of the circumstances described in Subsections 10.5.1 (i)-(iii) above occurred with respect to You or any of Your Subparticipants.
(ii) Upstream QPS must exercise such right to suspend if directed to do so by the RCE or its Upstream QPS based on its determination that suspension is warranted based on any of the circumstances described in Subsections 10.5.1 (i)-(v) above with respect to You or any of Your Subparticipants.
(iii) You acknowledge that if Upstream QPS makes a determination that suspension is warranted or receives direction from its Upstream QPS to suspend Your ability to engage in TEFCA Exchange, You will be suspended as soon as practicable provided, however, if the suspension is based on the circumstances described in Subsections 10.5.1(i) or 10.5.1(iv) or a Threat Condition that results in a cognizable threat to the security of TEFCA Exchange or the information that the RCE reasonably believes is TI, then You will be suspended within twenty-four (24) hours of notice of Upstream QPS's determination or receipt of direction from its Upstream QPS, unless Upstream QPS specifies a longer period of time is permitted.
10.5.3 Upstream QPS Suspension. Notwithstanding the foregoing, in the event that Upstream QPS's ability to engage in TEFCA Exchange is suspended, Your and any of Your Subparticipants' ability to engage in TEFCA Exchange will be immediately suspended.
10.5.4 Suspension Rights Granted to You Related to Your Subparticipants. If You have Subparticipants, You acknowledge and agree that You have the same responsibility and authority to suspend Your Subparticipant's ability to engage in TEFCA Exchange if any of the circumstances described in Subsections 10.5.1 (i)-(iii) above occur with respect to any of Your Subparticipants. If You make a determination to suspend, You are required to promptly notify Upstream QPS of Your decision and the reason(s) for making the decision. If any of Your Subparticipants notify You of their decision to suspend exchange with their Subparticipant(s), You must notify Upstream QPS of such decision.
(i) You may exercise such right to suspend based on Your own determination that any of the circumstances described in Subsections 10.5.1 (i)-(iii) above occurred with respect to any of Your Subparticipants.
(ii) You must exercise such right to suspend if directed to do so, by the RCE or Upstream QPS based on the RCE's determination that suspension is warranted based on any of the circumstances described in Subsections 10.5.1 (i)-(v) above with respect to any of Your Subparticipants.
(iii) You must effectuate such suspension of Your Subparticipant as soon as practicable provided, however, if the suspension is based on the circumstances described in Subsections 10.5.1(i) or 10.5.1(iv) or a Threat Condition that results in a cognizable threat to the security of TEFCA Exchange or the information that the RCE reasonably believes is TI, then it must be effectuated within twenty-four (24) hours of the triggering event, unless a longer period of time is permitted. For purposes of this subsection, the triggering event is Your determination to suspend, Your receipt of direction from your Upstream QPS to suspend, or the RCE having directed Your QHIN to effectuate the suspension.
10.5.5 Selective Suspension. You may, in good faith and to the extent permitted by Applicable Law, determine that You must suspend exchanging with a QHIN, Participant, or Subparticipant with which You are otherwise required to exchange in accordance with an SOP because of reasonable and legitimate concerns related to the privacy, security, accuracy, or quality of information that is exchanged. If You make this determination, You are required to promptly notify Upstream QPS of Your decision and the reason(s) for making the decision. If any of Your Subparticipants notify You of their decision to suspend exchange with a QHIN, Participant, or Subparticipant, You must notify Upstream QPS of such decision. You acknowledge that You may be required to engage in a process facilitated by the RCE to resolve whatever issues led to the decision to suspend. Provided that You selectively suspend exchanging with another QHIN, Participant, or Subparticipant in accordance with this section and in accordance with Applicable Law, such selective suspension shall not be deemed a violation of Section 2.2 of these ToP.
11. Contract Administration.
11.1 Authority to Agree. You warrant and represent that You have the full power and authority to enter into these ToP.
11.2 Assignment. None of these ToP can be transferred by either Party, including whether by assignment, merger, other operation of law, change of control (i.e., sale of substantially all of the assets of the Party) of the Party or otherwise, without the prior written approval of the other Party.
11.3 Severability. If any provision of these ToP shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be struck from the ToP, and the remaining provisions of these ToP shall remain in full force and effect and enforceable.
11.4 Captions. Captions appearing in these ToP are for convenience only and shall not be deemed to explain, limit, or amplify the provisions of these ToP.
11.5 Independent Parties. Nothing contained in these ToP shall be deemed or construed as creating a joint venture or partnership between Upstream QPS and You.
11.6 Acts of Contractors and Agents. To the extent that the acts or omissions of a Party's agent(s) or contractor(s), or their subcontractor(s), result in that Party's breach of and liability under these ToP, said breach shall be deemed to be a breach by that Party.
11.7 Waiver. The failure of either Party to enforce, at any time, any provision of these ToP shall not be construed to be a waiver of such provision, nor shall it in any way affect the validity of these ToP or any part hereof or the right of such Party thereafter to enforce each and every such provision. No waiver of any breach of these ToP shall be held to constitute a waiver of any other or subsequent breach, nor shall any delay by either Party to exercise any right under these ToP operate as a waiver of any such right.
11.8 Priority. In the event of any conflict or inconsistency between any other agreement that You and Upstream QPS enter into with respect to TEFCA Exchange, Applicable Law, a provision of these ToP, the QTF, an SOP, and/or any implementation plans, guidance documents, or other materials or
11.9 Survival. The following sections of these ToP shall survive expiration or termination of these ToP as more specifically provided below:
(i) Section 3, Confidentiality and Accountability shall survive for a period of six (6) years following the expiration or termination of these ToP.
(ii) Section 6.4, Survival for IAS Providers, to the extent that You are an IAS Provider, shall survive following the expiration or termination of these ToP for the respective time periods set forth in Section 6.4.
(iii) Section 7, Privacy, to the extent that You are subject to Section 7, said Section shall survive the expiration or termination of these ToP so long as the information maintained by You would be ePHI if maintained by a Covered Entity or Business Associate.
(iv) Section 8.1 Security Controls, and Section 8.5, Encryption, to the extent that You are subject to Sections 8.1 and 8.5, said Section or Sections shall survive the expiration or termination of these ToP for so long as the information maintained by You would be ePHI if maintained by a Covered Entity or Business Associate regardless of whether You are a Covered Entity or Business Associate.
(v) The requirements of Section 8.2, TEFCA Security Incidents Reporting, shall survive for a period of six (6) years following the expiration or termination of these ToP.
Version 1.0 | January 2022
Version 1.1 | November 2023
Draft Version 2.0 | January 2024
Version 2.0 | April 2024
Common Agreement Version 2.1 is also available on the Office of the National Coordinator for Health Information Technology's public internet website at www.HealthIT.gov/TEFCA.
Authority: 42 U.S.C. 300jj-11.
Dated: November 20, 2024.
Suhas Tripathi,
Assistant Secretary for Technology Policy, National Coordinator for Health Information Technology.
[FR Doc. 2024-27554 Filed 11-22-24; 8:45 am]
BILLING CODE 4150-45-P