[QUERY HEALTH PARTICIPANT – DATA SOURCE] MODEL LANGUAGE AS FOUNDATION FOR A DATA USE AGREEMENT Notes: This DUA is designed to be between a Data Source and Query Source This DUA is meant to guide the development of a contract, but is not itself a final or complete contract This DUA is not meant to be a substitute for an agreement between a Covered Entity and a Business Associate required under HIPAA This DUA is not meant to be a substitute for the DURSA This DUA is meant to be a template, customized by the parties and finalized by the parties’ legal departments *** The [Query Source] (Entity making queries) (“Query Source”), and [Data Source] enter into this Data Use Agreement (the “Agreement”) effective ________ (“Effective Date”). This agreement will remain effective for _______ or __________, whichever is earlier. [Data Source] and [Query Source] shall be referred to individually as a “Party,” or collectively as the “Parties.” This Agreement establishes a formal data access and data use relationship between [Data Source] and [Query Source]. This Agreement covers “Covered Data”. Covered Data is defined as data currently in possession of the Data Source that [is/will be] [deidentified/in a limited data set as defined by the HIPAA Privacy Rule (42 C.F.R. § 164.514(b)-(e))] and then provided to [Query Source], specifically those Covered Data listed in Exhibit A. [Note that in some cases, Covered Data may include the minimum necessary amount of protected health information for certain public health purposes explicitly authorized by law, which will be disclosed in a manner consistent with applicable law. In such case, the Agreement will be worded to reflect this.] Exhibit A represents the complete set of data items that [Query Source] will have access to as a result of this Agreement. Both Parties shall abide by all applicable Federal and State laws, rules and regulations including, without limitation, all applicable patient confidentiality and medical record requirements. [Query Source] USES OF COVERED DATA [Query Source] agrees to use and disclose the Covered Data for the purposes expressly listed in Exhibit B and those purposes only. All other purposes are strictly prohibited, except to the extent they are expressly required by law. Note that the permissible uses set forth in Exhibit B should be commensurate with the potential privacy risks posed by the particular data and its identifiability. For example, the Data Use Agreement [ORGANIZATION] Rev. xxxx 2012 Page 1 of 1 permissible uses of “line-level” data shall be more limited than those of de-identified data provided in summarized form. Both Parties agree that access to Covered Data provided under the terms of the Agreement will be limited solely to those who are explicitly authorized to use Covered Data from Exhibit A, and only for the purposes set forth in Exhibit B. Both the Data Source and the Query Source may only grant access to Covered Data from Exhibit A to other parties when required by law or in accordance with Clauses D and/or E of this agreement. DATA PROTECTIONS [Query Source] acknowledges that it will be the custodian of Covered Data stored in its data files and, as such, will be responsible for establishing and maintaining appropriate administrative, technical and physical safeguards, as described in the HIPAA Security Rule, to prevent unauthorized access to, use or disclosure of these files unless required by law. Any entity that receives data under this DUA that is not a covered entity or Business Associate must be held to the same standards as a covered entity or Business Associate as it relates to securing covered data [Query Source] specifically agrees that, unless required by State and federal law, it will not release Covered Data requested under open records laws; to media; or for litigation purposes. Covered Data is not intended to be or to become part of an individual’s legal Electronic Health Record. POLICY REQUIREMENTS [Query Source] and [Data Source] shall abide by the set of Query Health policy requirements set forth and available at [xxxxxxxxxxx], as they may change from time to time. TERMS AND CONDITIONS The Parties Agree to the following: A. [Query Source] certifies that the statements made in this Agreement (above) regarding the planned use and disclosure of the Covered Data are complete and accurate. B. The Parties agree that whether or not to run a particular query, and whether or not to release any results, will be under the control of the disclosing entity/data holder ([Data source]). C. [Query Source] understands all Covered Data will be provided [on a de-identified basis/in a limited data set/minimum-necessary basis in the case of PHI]. [Query Source] agrees that it will: Data Use Agreement [ORGANIZATION] Rev. xxxx 2012 Page 2 of 2 1. Not make any attempt to re-identify the data; 2. Not make any attempt to contact any individuals whose personal information is contained in the Covered Data; and 3. Notify the [Data Source] immediately if the identity of any individual is inadvertently discovered. D. [Data Source] and [Query Source] shall be permitted to hire and use third-party intermediaries. 1. For the purposes of this Agreement, “intermediary” is defined as a party either affiliated or unaffiliated with [Data Source] or [Query Source] who provides services to [Data Source] or [Query Source] to assist it in sending, receiving, deidentifying and/or aggregating Covered Data. 2. As part of this agreement, [Data Source] and [Query Source] agree that they will not disclose Covered Data to an intermediary unless the intermediary agrees to the same standards, terms and conditions applicable to the [Data Source] or [Query Source] under this agreement. The agreement between the [Data Source] or [Query Source] and any intermediary must be documented and shall be subject to review. 3. [Data Source] or [Query Source] may, through an assigned intermediary of the opposite party, send or respond to queries, provided that an agreement as outlined above is in place between the intermediary and the party that has assigned it to send or receive queries. E. [Query Source] will not disclose the Covered Data to anyone (unless explicitly permitted or required by law or this Agreement), outside [Query Source] without appropriate agreements in place, all of which shall be subject to review by the [Data Source]. All outside entities that may, through subsequent agreements, have access to Covered Data, shall be held to the same standards, terms and conditions contained within this Agreement. [Query Source] will only disclose the Covered Data to those individuals or groups at [Query Source] specifically authorized to receive it, unless otherwise required by law. Within the [Query Source], access to the Covered Data shall be limited to the minimum number of individuals necessary to achieve the purpose stated in the Agreement. F. No findings or information derived from the Covered Data may be released if such findings contain any combination of data elements that may reasonably allow for identification or the deduction of an individual’s identity. G. [Query Source] agrees to subject any findings or manuscripts proposed for public release (e.g., abstracts, presentations, publications) to a stringent review to maintain the confidentiality of data and to prevent individuals from being identified. H. [Query Source] will maintain policies and procedures related to data confidentiality and associated reviews and audits. Data Use Agreement [ORGANIZATION] Rev. xxxx 2012 Page 3 of 3 I. [Data Source] will make reasonable efforts to main data quality and/or integrity and to address related issues that arise under this Agreement. J. [Query Source] understands that data is provided on an “as is” basis, without any express or implied warranties, including but not limited to fitness for a particular purpose. K. [Query Source] will report immediately to the [Data Source] any use or disclosure of the Covered Data other than as permitted by this Agreement, and will take all reasonable and necessary steps to mitigate the effects of such improper use or disclosure, cooperating with all reasonable requests by the [Data Source] toward that end. L. Either the [Data Source] or the [Query Source] may terminate this Agreement, in writing, upon thirty days written notice, at: [address] M. In the event that the [Data Source] determines or has a reasonable belief that [Query Source] has violated any terms of this Agreement, the [Data Source] may take any of the following actions: 1. Revoke the existing Agreement. 2. Deny [Query Source] future access to data from the [Data Source]. 3. Report the violation to [Query Source] (if applicable) for action pursuant to [Query Source] policies. 4. The [Data Source] may seek an injunction or damages against [Query Source] in a court of competent jurisdiction. N. [Query Source] agrees that upon termination of this Agreement for any reason, the Query Source shall erase, destroy or render unrecoverable any data that relates to a single patient, even if that data has been deidentified in accordance with 45 C.F.R. § 164.514(b) or consists of a limited data set described by 45 C.F.R. § 164.514(e). For data that does not relate to a single patient, [Query Source] agrees that upon termination the Query Source shall remain restricted to using the data for the purposes listed in Exhibit B. O. If using an intermediary, [Query Source] and [Data Source] must have the intermediary destroy and render unrecoverable all Covered Data in accordance with the same requirements listed for the [Query Source] in Clause N upon termination of this Agreement. P. This Agreement contains the entire agreement with the [Data Source] concerning the subject matter hereof. No modifications of this Agreement or waiver of the terms and conditions hereof will be binding upon, unless approved in writing by both Parties. The [Query Source] may not assign this Agreement without the [Data Data Use Agreement [ORGANIZATION] Rev. xxxx 2012 Page 4 of 4 Source’s] written consent. If any provision of this Agreement shall, for any reason, be adjudged by any court of competent jurisdiction to be invalid or unenforceable, such judgment shall not affect, impair or invalidate the remainder of this Agreement but shall be confined in its operation to the provision of this Agreement directly involved in the controversy in which such judgment shall have been rendered. The undersigned individuals hereby attest that they authorized to legally bind the [Data/Query Source] to the terms of this Agreement and agree to all the terms specified herein. Signature of [Data Source] Designated Official Signature Date Name of Official from [Data Source] [Data Source] Telephone No. E-mail Address Signature of [Query Source] Designated Official: Signature Date Name of Designated Recipient (printed or typed) [Query Source] Data Use Agreement [ORGANIZATION] Rev. xxxx 2012 Page 5 of 5