This Patient360 User License Agreement governs any usage or application of the Patient360 API, or related products or services.

Terms and Conditions

1. Description of Services

Customer acknowledges and agrees that, as part of the Services, Health Data of Customer and each of its End Users may be used and disclosed by Alliance through its Service Provider and disclosed to other Members’ Customers and End Users participating in the Services, solely as necessary to provide the Services, as further described below. Customer represents and warrants that it has all rights and authority necessary to agree to and comply with the previous sentence and all Health Data provided to Alliance or Service Provider or exchanged via the Services by Customer and its End Users is provided with the full authority and consent of the owner of such Health Data as set forth in Section 4 of this EULA.

Health Data in Health Gorilla may be used and disclosed by Alliance and Service Provider and their subcontractors solely as necessary to provide the Services, including on behalf of Customer or End Users to carry out the following related to the Services: (a) submit requests for Health Data relating to individual patients, (b) identify whether other participants utilizing the Services maintain Health Data relating to those patients, (c) request Health Data from the participants maintaining it, (d) transmit requested Health Data to the requesting participant, and in support of other uses approved by the Alliance. In addition, Alliance and Service Provider may de-identify PHI and store Health Data and de-identified PHI for the sole purposes of performance testing, troubleshooting and improving the Services within the scope of the MSA, and for no other purpose.

2. Licenses

Customer hereby receives a limited, nonexclusive, non-transferable, non-sublicensable license to access the Services as integrated with and accessible via a designated Customer healthcare information technology solution, solely for Customer’s internal purposes, and only for purposes approved by the Alliance.

3. Access to Services

The Services include the login features described in the Documentation. Each End User will be required to enter his or her login credentials (“Login Credentials”) in order to access the Services. Customer is fully responsible for all uses of Login Credentials issued to or created by its End Users. Customer is responsible for authentication and identity management of each End User that accesses the Services and to ensure such Login Credentials are unique to each End User and remain secure. Customer shall ensure that each End User accessing clinical data using the Services is properly identified, authenticated and authorized under applicable law to access such Health Data.

4. Authority and Consent

Customer agrees to use or disclose data received from other participants in the Services responsibly and in accordance with Applicable Laws, including but not limited to any and all required consents. Customer shall ensure, and train and obligate its Ends Users to ensure, that patient consents are: (i) made with full transparency and education; (ii) made only after the patient has had sufficient time to review educational material; (iii) commensurate with circumstances for why health information is exchanged; (iv) not used for discriminatory purposes or as a condition for receiving medical treatment; (v) consistent with patient expectations; and (vi) revocable at any time. Customer agrees, and shall cause and obligate each End User to agree, that it shall access and use Health Data only for purposes approved by Alliance.

5. Business Associate Agreements

Customer represents and warrants that it has and will maintain a business associate agreement in conformance with Applicable Laws with Member that is applicable to and covers the use and disclosure of Health Data for participation in the Services.

6. Suspension of Services

Alliance, Service Provider, and Member each retain the right to suspend the Services provided to Customer at any time in the event that Customer is not in material compliance with this EULA or to protect the performance, integrity and security of the Services.

7. PHI Accuracy and Completeness

Each Customer agrees and will require its End Users to agree to the following terms, or to terms substantially similar thereto:

7.1. Alliance through Service Provider provides the technology and services to allow Customer (and its respective Users) to request and disclose their PHI, and as such, Alliance and Service Provider give no representations or guarantees about the accuracy or completeness of the PHI disclosed through the Services;

7.2. PHI disclosed or received using the Services may not be a complete clinical record or history with respect to any individual, and it is the sole responsibility of any treating healthcare provider to confirm the accuracy and completeness of any PHI or clinical records used for treatment purposes and to obtain whatever information the provider deems necessary for the proper treatment of the patient;

7.3. Customer and each of its End Users is solely responsible for any decisions or actions taken involving patient care or patient care management, whether or not those decisions or actions were made or taken using information received through the Services; and

7.4. Alliance and Service Provider assume no responsibility or role in the care of any patient.

8. Compliance with EULA and Alliance Policies

Customer agrees (i) to utilize the Services in accordance with the terms and conditions of this EULA, and (ii) to comply with and to obligate its End Users to comply with all Alliance Policies, and (iii) to provide reasonable training to End Users regarding the use of the Services in accordance with the terms and conditions of this EULA, Alliance Policies, and Documentation.

9. Carequality Services

Services may include products and services to Customers which involve access to, use of, and re-disclosure of Information that the Alliance obtains by virtue of being an Carequality Implementer (“Carequality Services.”). If Customer has access to Carequality Services, Customer hereby agrees to comply with the Carequality Connection Terms. “Carequality Connection Terms” means the Carequality® terms and conditions, as updated from time to time available here: https://sequoiaproject.org/. For the purpose of this Section “Implementer” has the meaning provided in the Carequality Connection Terms.

10. Accuracy and Data Backup

Customer acknowledges and agrees that it is solely responsible for the accuracy of data it provides through the Services and that Alliance and Service Provider are not responsible for the accuracy or content of the data used or disclosed in providing the Services. Customer is responsible for establishing and operating its own back-up, and other procedures and controls appropriate to maintain the integrity and continuity of Customer’s operations, including the protection of its data and PHI or of its End Users.

11. Breach Detection and Notification

Customer shall comply with all applicable breach notification requirements pursuant to 45 CFR § 164.410. Customer shall make reasonable efforts to notify Member of any Breach of Confidentiality or Security within three (3) days from discovery.

12. Compliance with Laws

Customer is, and will remain, and will obligate End Users to be and remain, compliant with all Applicable Laws in their use of the Services, including laws that become effective during the use of the Services.

13. Proprietary Rights

Customer acknowledges and agrees, as between Customer, Alliance and Service Provider, Customer is only being granted a limited use right to the Services provided by Alliance or Service Provider. Alliance and Service Provider retain all rights title and interest in and to their own respective Intellectual Property rights. The Services and all additions or modifications to the Services provided by Alliance or Service Provider, and all Intellectual Property rights associated therewith, are the sole and exclusive property of Alliance, Service Provider, or their licensors.

14. LIMITATION OF LIABILITY.

IN NO EVENT WILL ALLIANCE OR SERVICE PROVIDER BE LIABLE TO CUSTOMER UNDER, IN CONNECTION WITH, OR RELATED TO THE SERVICES FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OF GOODWILL, WHETHER BASED ON BREACH OF CONTRACT, WARRANTY, TORT, PRODUCT LIABILITY, OR OTHERWISE, AND WHETHER OR NOT ALLIANCE OR SERVICE PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ALLIANCE AND SERVICE PROVIDER’S ENTIRE LIABILITY TO CUSTOMER FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF ACTION, RELATED TO CUSTOMER’S USE OF THE SERVICES, WILL BE LIMITED TO CUSTOMER’S ACTUAL DIRECT OUT-OF-POCKET EXPENSES WHICH ARE REASONABLY INCURRED BY CUSTOMER IN AN AMOUNT NOT TO EXCEED $25,000.00.

15. Exclusive Warranty and Disclaimer

ALLIANCE AND SERVICE PROVIDER MAKE NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, INCLUDING WITHOUT LIMITATION WITH REGARDS TO THE SERVICES.

16. Service Provider as Third Party Beneficiary

Alliance and Service Provider are third party beneficiaries of this EULA and are each entitled to enforce any rights herein that relate to its rights in the Services, including rights related to any Intellectual Property owned by each of them.

Definitions

In addition to terms defined elsewhere in this EULA, the following defined terms shall apply:

“Alliance Policies” means all policies approved by the Alliance relating to the Alliance or the Services, including but not limited to the Data, Security, and Privacy Policy available on Alliance’s website, as updated from time to time. (Please see:
http://www.commonwellalliance.org/data-and-security/)

“Applicable Laws” means all applicable federal, state, and local laws, including but not limited to privacy laws, HIPAA, and those concerning the use of PHI related to minors, personally identifiable information, and sensitive personal information.

“Breach” has the meaning provided for in 45 CFR 164.402 (Definitions, effective March 26, 2013; 78 Federal Register 5695) or its successor.

“Breach of Confidentiality or Security” means an incident that is reasonably likely to adversely affect: (a) the viability, security, or reputation of the Services, or (b) the legal liability of Alliance, Service Provider, or any Member.

“Customer” means a customer or user of a Member that receives the benefits of the Services.

“Documentation” means the user documentation containing the functional descriptions for the Services as may be reasonably modified from time to time by Alliance or Service Provider.

“End User” means a healthcare provider facility, practice group, or physician (including any individual or legal entity), permitted by an Adopter to access the Services or any enrollment user interface to utilize the Services.

“Health Data” means health information, including information and PHI that is received, transmitted, stored or maintained through the Services.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.

“Intellectual Property” means all forms of legal rights and protections in any country of the world regarding intellectual property rights, including all right, title and interest arising under common and statutory law to all: patents, trademarks, copyrights, trade secrets, and other industrial property rights and other rights to inventions or designs, and all applications, registrations, issuances, divisions, continuations, continuations-in-part, renewals, reissuances and extensions of the foregoing.

“Login Credentials” means unique user identification and password combination, as well as any other applicable security measures that are required by Service Provider to allow Member, a Customer or a User to gain access to the Services.

“Member” means legal entity, approved by the Alliance, and which is a party to a valid Alliance Membership Agreement.

“Protected Health Information” or “PHI” has the meaning set forth in 45 C.F.R. 160.103, as applied to the information created, received, transmitted or maintained through the Services.

“Services” means the services approved and offered by or on behalf of the Alliance, including but not limited to those related to patient registration, enrollment, linking, and retrieval of electronic healthcare records. Services may include products and services, which involve access to, use of, and re-disclosure of information that the Alliance obtains by virtue of being a Carequality Implementer.

“Service Provider” means a service provider that provides services relating to the Services on behalf of Alliance.

Carequality Connection Terms

1. Definitions.

As used herein, the following terms have the following meanings:

1.1. Adverse Security Event: The unauthorized acquisition, access, disclosure, or use of individually identifiable health information (as defined in the HIPAA Regulations) while such information is being transmitted between Implementers or Carequality Connections as specified by a Carequality Implementation Guide and pursuant to a valid CCA or Carequality Connection Terms, as applicable, but shall not include (i) any unauthorized acquisition, access, disclosure or use of encrypted data; (ii) any unintentional acquisition, access, disclosure, or use of health information if (I) such acquisition, access, disclosure, or use was made in good faith and within the course and scope of the employment, or other professional relationship if not an employee, of an End User; and (II) such health information is not further acquired, accessed, disclosed or used by the End User; or (iii) any acquisition, access, disclosure or use of information that was not directly related to use of the Carequality Elements.

1.2. Applicable Law: (i) If Organization is not a Federal agency, all applicable statutes and regulations of the State(s) or jurisdiction(s) in which Organization operates, as well as all applicable Federal statutes, and regulations; or (ii) if Organization is a Federal agency, all applicable Federal statutes, regulations, standards and policy requirements.

1.3. Business Associate: An organization that is defined as a “business associate” in 45 C.F.R.

§ 160.103 of the HIPAA Regulations.

1.4. Business Day(s): Monday through Friday excluding federal or state holidays.

1.5. Carequality Connection: An organization that is properly listed in the Carequality Directory in accordance with the requirements of Section 15 of the CCA.

1.6. Carequality Directory: A set of information that includes entries for all organizations who have been accepted as Carequality Implementers, along with those organizations’ Carequality Connections, which serves as the definitive reference for identifying those organizations who are valid participants in exchange activities through the Carequality Elements, and for obtaining the information needed to establish technical connectivity with such organizations.

1.7. Carequality Elements: Those elements that have been adopted by Carequality to support widespread interoperability among Implementers including, but not limited to, the Carequality Connected Agreement, the Carequality Connection Terms, the Carequality Directory, Implementation Guides, and the Carequality Policies.

1.8. Carequality Policies: Those policies and procedures adopted by Carequality which are binding on Carequality, Implementers, Carequality Connections or all of them.

1.9. Carequality Use Case: A combination of a set of functional needs and a particular technical architecture for addressing those needs, for which the Carequality Steering Committee (“Steering Committee”) has adopted an Implementation Guide.

1.10. Confidential Information: Proprietary or confidential materials or information of a Discloser in any medium or format that a Discloser labels as such upon disclosure or given the nature of the information or the circumstances surrounding its disclosure, reasonably should be considered confidential. With respect to Carequality, Confidential Information also includes those components of the Carequality Elements that the Carequality Steering Committee determines should be labeled Confidential. Notwithstanding any label to the contrary, Confidential Information does not include any Contribution (even if included in a Carequality Element); any information which is or becomes known publicly through no fault of a Recipient; is learned of by a Recipient from a third party entitled to disclose it; is already known to a Recipient before receipt from a Discloser as documented by the Recipient’s written records; or, is independently developed by Recipient without reference to, reliance on, or use of, Discloser’s Confidential Information.

1.11. Contribution: Any submission by a Discloser to Carequality intended by the Discloser to be considered for inclusion in any of the Carequality Elements, including comments submitted on any media, oral discussions at meetings of any work group, committee or sub-committee or other types of submissions.

1.12. Covered Entity: An organization that is defined as a “covered entity” in 45 C.F.R. § 160.03 of the HIPAA Regulations.

1.13. Discloser: The entity that discloses Confidential Information to a Recipient.

1.14. Dispute: Any controversy, dispute, or disagreement arising out of or relating to the interpretation or implementation of the Carequality Elements.

1.15. End User: An individual or program generating a request for information, responding to a request for information, publishing information to a list of recipients or receiving published information through the Carequality Elements.

1.16. Exchange Activity: Any use of the capability provided or supported by the Carequality Elements to exchange information among Implementers or their Carequality Connection.

1.17. Governmental Entity: A local, state or Federal agency.

1.18. HIPAA Regulations: The Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164) promulgated by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as in effect on the effective date of the Enforcing Agreement and as may be amended, modified, or renumbered.

1.19. Implementation Guide: A guide adopted by Carequality that sets forth the technical specifications and additional business rules that apply to Implementers and Carequality Connections who declare support for a specific Carequality Use Case. Additional business rules will include, but not be limited to, permitted purposes for the Carequality Use Case, roles associated with the Carequality Use Case and specifications on compliance with Section 8 of these Carequality Connection Terms (“Non-Discrimination”).

1.20. Implementer: An organization that has signed the Carequality Connected Agreement and been accepted as such by Carequality.

1.21. Organization Business Rule: A data sharing restriction that Organization has adopted for itself and its End Users. An Organization Business Rule may only be based on a policy decision that Organization has made with respect to the handling of patient data identified as clinically or legally sensitive, or to the consent or authorization that is required to share data with other Implementers and Carequality Connections. It is not necessary that the Organization Business Rule be required by Applicable Law or be based on Applicable Law.

1.22. Organization: The Carequality Connection on which these Carequality Connection Terms are binding.

1.23. Recipient: The entity that receives Confidential Information from a Discloser.

1.24. Sponsoring Implementer: The entity that is a party to the Carequality Connected Agreement and is ensuring that these Carequality Connection Terms are legally binding on Organization, either directly through contract or some other appropriate relationship with Organization, or by relying on one or more intermediaries. This term is used to distinguish this specific entity from other Implementers, and applies to that entity both during the period in which it is seeking to attain Implementer status, and after it is accepted as an Implementer.

2. Recognition as a Carequality Connection

2.1. Organization. Upon Sponsoring Implementer determining to its satisfaction that Organization has met the requirements to be a Carequality Connection, and Sponsoring Implementer’s inclusion of Organization in the Carequality Directory, Organization shall be recognized as a Carequality Connection, subject to all obligations, terms and conditions contained herein and entitled to all rights and benefits conferred upon Carequality Connections including, but not limited to, inclusion in the Carequality Directory.

2.2. Sub-Organization Entities. Sponsoring Implementer may delegate to Organization the authority to identify to Carequality those of Organization’s subsidiary and related entities that Organization wishes to be listed in the Carequality directory as Carequality Connections of Sponsoring Implementer (“Sub-Organization Entities”). Such entities include, but are not limited to, separately branded business divisions, individual hospitals, individual clinics or medical offices, and otherwise-unaffiliated entities who contract with Organization for use of Organization’s electronic health record system. For all Sub-Organization Entities that Organization identifies, it shall ensure that each Sub-Organization Entity is legally required to comply with these CC Terms. In addition, Organization shall work cooperatively with Sponsoring Implementer to assure that its Sub-Organization Entities are not already listed in the Carequality Directory by another Carequality Implementer.

3. Suspension and Termination

3.1. Suspension. Sponsoring Implementer or Carequality may suspend Organization’s ability to participate in any exchange activity under the Carequality Connection Terms in the event that Sponsoring Implementer or Carequality determines, following completion of a preliminary investigation, that (i) Organization has breached a material provision of these Carequality Connection Terms and failed to cure such breach within fifteen (15) days or such other period of time that the Parties have agreed to, of receiving notice of same; or (ii) there is a substantial likelihood that Organization’s acts or omissions create an immediate threat or will cause irreparable harm to Carequality, Sponsoring Implementer, another Implementer, Carequality Connection, End User or individual (collectively, a “Threat Condition”). Organization may provide notice to Sponsoring Implementer that it wishes to temporarily remove itself from the Carequality Directory in the event that Organization or any of Organization’s End Users cannot comply with these Carequality Connection Terms.

3.2. Termination. Sponsoring Implementer may terminate Organization’s status as a Carequality Connection with immediate effect by giving notice to Organization if: (i) Organization is in material breach of any of these Carequality Connection Terms and fails to remedy such breach within 30 days after receiving notice of such breach; or (ii) Organization breaches a material provision of these Carequality Connection Terms where such breach is not capable of remedy. Subject to the terms of any agreement between Organization and Sponsoring Implementer, Organization may voluntarily terminate its status as a Carequality Connection at any time by providing written notice to Sponsoring Implementer and to Carequality at least 60 prior to the effective date of the termination. The notice shall indicate the reason(s) for Organization deciding to terminate its status as a Carequality Connection.

4. Legal Requirements

Organization shall, at all times, fully comply with all Applicable Law relating to these Carequality Connection Terms and the use of the Carequality Elements. To further support the privacy, confidentiality, and security of health information exchanged pursuant to the-se Carequality Connection Terms, Organization agrees that when acting as a Carequality Connection, it will comply with the provisions of the HIPAA Regulations that are applicable to Business Associates as a minimum contractual standard of conduct even if Organization is not a Covered Entity, a Business Associate, or a Governmental Entity.

5. Compliance with the Implementation Guides and Carequality Policies

Organization shall implement and maintain support of at least one Carequality Use Case and shall indicate to Sponsoring Implementer the Organization’s role in such Carequality Use Case (“Carequality Use Case Role”). For all Carequality Use Cases supported by Organization, Organization shall comply with all components (unless such components are designated as optional) set forth in the applicable Implementation Guide that apply to (i) the Organization’s Carequality Use Case Role or (ii) all Carequality Connections. Organization is encouraged, but not required, to comply with all optional components of the applicable Implementation Guide(s). Organization also agrees that, if it is not in compliance with all applicable components of the Implementation Guide(s) and all Carequality Policies applicable to Carequality Connections, Sponsoring Implementer may exercise its right to suspend Organization in accordance with Section 3.1.

6. Non-Discrimination

With respect to Implementers and Implementers’ Carequality Connections that have implemented the same Carequality Use Case as Organization and Organization’s End Users, neither Organization nor its End Users shall unfairly or unreasonably limit exchange or interoperability with such Implementers or their Carequality Connections. Each Carequality Use Case’s Implementation Guide will provide specific requirements for compliance with this requirement in the context of that Carequality Use Case.

7. Organization Autonomy

To the extent that Organization has adopted Organization Business Rules, Organization is permitted to continue acting in accordance with such Organization Business Rules, even if they restrict Organization’s ability to support exchange of information with other Implementers or Carequality Connections or to meet the requirements of Section 6 above, provided that Organization applies such Organization Business Rules consistently with respect to other Implementers and Carequality Connections and the Organization Business Rules do not impose conditions that would unfairly or unreasonably limit interoperability.

8. Accountability

8.1. Organization Accountability. Organization shall be responsible for any harm to Carequality, its Sponsoring Implementer, other Carequality Connections of its Sponsoring Implementer, other Implementers and their Carequality Connections which harm is caused by Organization’s, or its End Users, acts and omissions. Organization shall not be responsible for the acts or omissions of any Implementer or other Carequality Connection. Notwithstanding any provision in these Carequality Connection Terms to the contrary, Organization shall not be liable for any act or omission if a cause of action for such act or omission is otherwise prohibited by Applicable Law. This section shall not be construed as a hold harmless or indemnification provision.

8.2. Carequality Accountability. Organization will not hold Carequality, or anyone acting on its behalf, including but not limited to members of the Steering Committee, Advisory Council, Dispute Resolution Panel or any work group, or subcommittee, of any of these or Carequality’s contractors, employees or agents liable for any damages, losses, liabilities or injuries arising from or related to these Carequality Connection Terms. This section shall not be construed as an indemnification provision.

8.3. Limitation on Liability. Notwithstanding anything in these Carequality Connection Terms to the contrary, in no event shall Carequality’s, Sponsoring Implementer’s or Organization’s total liability to each other and all third party beneficiaries arising from or relating to these Carequality Connection Terms exceed an aggregate amount equal to three million dollars ($3,000,000), whether a claim for any such liability or damages is premised upon breach of contract, breach of warranty, negligence, strict liability, or any other theories of liability, even if the entity whose conduct creates the liability has been apprised of the possibility or likelihood of such damages occurring.

9. Dispute Resolution

9.1. Organization acknowledges that it may be in its best interest to resolve Disputes between or among Organization, or its End Users, and Carequality, other Implementers or their Carequality Connections through a collaborative, collegial process rather than through civil litigation. Organization has reached this conclusion based upon the fact that the legal and factual issues involved in these Carequality Connection Terms are unique, novel, and complex and limited case law exists which addresses the legal issues that could arise from these Carequality Connection Terms or the Enforcing Agreement. Organization acknowledges that Carequality has adopted a Dispute Resolution Process which Organization agrees to follow. Further, Organization agrees to use its best efforts to resolve Disputes with Carequality, other Carequality Connections and their Implementers or with another Implementer directly if the Dispute does not involve another Implementers’ Carequality Connections, through discussions with those involved in such Dispute before even submitting the Dispute to its Implementer pursuant to the Dispute Resolution Process. If Organization requires assistance in identifying contact information for another Carequality Connection, or an Implementer, it shall seek that assistance from Sponsoring Implementer.

9.2. If, despite using its best efforts, Organization cannot resolve any Dispute through discussions with the other parties involved, then Organization will notify the Sponsoring Implementer of the Dispute and request that the Implementer initiate the Dispute Resolution Process. Organization is required to undertake these efforts in the event of a Dispute before seeking any other recourse.

9.3. Notwithstanding the above, Organization may be relieved of its obligation to participate in the Dispute Resolution Process if Organization (i) believes that another Implementer’s or Carequality Connection’s act or omission will cause irreparable harm to Organization or another organization or individual (e.g. Implementer, Carequality Connection, End User or consumer) and (ii) pursues immediate injunctive relief against such Implementer or Carequality Connection in a court of competent jurisdiction. Organization must inform its Sponsoring Implementer of such action within two business days of filing for the injunctive relief and of the result of the action within 24 hours of learning of same. If the injunctive relief sought is not granted and Organization chooses to pursue the Dispute, the Dispute must be submitted to the Organizations’s Sponsoring Implementer in accordance with the Dispute Resolution Process so that the Sponsoring Implementer can determine next steps.

10. Cooperation

Organization understands and acknowledges that numerous activities with respect to Carequality shall likely involve its Sponsoring Implementer, other Implementers and their Carequality Connections, employees, agents, and third party contractors, vendors, or consultants. To the extent not legally prohibited, Organization shall: (a) respond in a timely manner to inquiries from Carequality, its Sponsoring Implementer, other Implementers or their Carequality Connections about possible issues related to the Carequality Use Case(s) in which Organization is involved; (b) collaboratively participate in discussions coordinated by Carequality to address differing interpretations of requirements set forth in an applicable Implementation Guide(s) prior to pursuing the Dispute Resolution Process; (c) make reasonable efforts to notify its Sponsoring Implementer when persistent and widespread connectivity failures are occurring with its Sponsoring Implementer or with other Implementers or their Carequality Connections, so that all those affected can investigate the problems and identify the root cause(s) of the connectivity failures; (d) work cooperatively, including without limitation facilitating contact with other Implementers or their Carequality Connections, to address the root cause(s) of persistent and widespread connectivity failures; (e) subject to Organization’s right to restrict or condition its cooperation or disclosure of information in the interest of preserving privileges in any foreseeable dispute or litigation or protecting Organization’s confidential information, provide reasonable information to others in support of collaborative efforts to resolve issues or Disputes; (f) provide information and other relevant assistance to Sponsoring Implementer in connection with this Section 10; and (g) subject to Organization’s right to restrict or condition its cooperation or disclosure of information in the interest of preserving privileges in any foreseeable litigation or protecting Organization’s Confidential Information, provide reasonable information to aid the efforts of Organization’s Sponsoring Implementer, other Implementers or their Carequality Connections to understand, contain, and mitigate an Adverse Security Event, at the request of such Implementer or Carequality Connection. In no case shall Organization be required to disclose individually identifiable health information in violation of Applicable Law. In seeking another’s cooperation, Organization shall make all reasonable efforts to accommodate the other’s schedules and reasonable operational concerns.

11. Adverse Security Event Reporting

11.1. As soon as reasonably practicable, but no later than five (5) business days after determining that an Adverse Security Event has occurred and is likely to have an adverse impact on an Implementer(s) or Carequality Connection(s), Organization shall provide Sponsoring Implementer with notification of the Event through the notification protocol specified by Sponsoring Implementer. The notification should include sufficient information for Sponsoring Implementer to understand the nature of the Adverse Security Event and identify other Implementers or Carequality Connections that may be impacted by the Adverse Security Event. Notwithstanding the foregoing, Organization agrees that (a) within one (1) hour of learning that an Adverse Security Event occurred and that such Event may involve an Implementer or Carequality Connection that is a Federal agency, it shall alert the Federal agency in accordance with the procedures and contacts provided by such Federal agency, and (b) that within twenty-four (24) hours after determining that an Adverse Security Event has occurred and is likely to have an adverse impact on an Implementer(s) or Carequality Connection(s) that is a Federal agency, Organization shall provide a notification to the Federal agency in accordance with the procedures and contacts provided by such Federal agency, and Organization shall copy Sponsoring Implementer and Carequality on any such notification.

11.2. This Section 11 shall not be deemed to supersede Organization’s obligations (if any) under relevant security incident, breach notification or confidentiality provisions of Applicable Law. Compliance with this Section 11 shall not relieve Organization of any other security incident or breach reporting requirements under Applicable Law including, but not limited to, those related to consumers.

12. Acceptable Use

Carequality has adopted permitted purposes for the use of the Carequality Elements that are specifically set out in the Implementation Guide for each Carequality Use Case. Organization shall only engage in exchange activities through the Carequality Elements for permitted purposes as defined in the Implementation Guides. If Organization does not comply with these permitted purposes or other applicable provisions in the Implementation Guide, Carequality may exercise its right to suspend Organization in accordance with Section 3 of these Carequality Connection Terms. If Organization is not a Covered Entity or Governmental entity, then (i) Organization may only use the interoperability available through Carequality to transmit or receive information on behalf of its End Users and not on its own behalf; and (ii) Organization will not re-use, re-disclose, aggregate, de-identify or sell any information transacted by its End Users for its own benefit unless its respective Carequality Connections or End Users have given Organization the explicit written authority to do so.

13. Confidentiality

13.1. Organization agrees to use any Confidential Information that it obtains solely for the purpose of performing its obligations under the Carequality Connection Terms, and for no other purpose. Organization will disclose the Confidential Information it receives only to its employees and agents who require such knowledge and use in the ordinary course and scope of their employment or retention, and are obligated to protect the confidentiality of such Confidential Information. In the event Organization has any question about whether information and/or materials it receives is Confidential Information, it shall treat the same as if it were Confidential Information. For the avoidance of doubt, the Carequality Elements that are not labeled as Confidential Information by the Carequality Steering Committee are not confidential and are not covered by the provisions of this section.

13.2. Organization may be given access to all or a portion of the Carequality Directory by Sponsoring Implementer. The Carequality Directory is intended to be used by Implementers, Carequality Connections, and End Users to create and maintain operational connectivity under the Carequality Elements, including the development and maintenance of effective user interfaces for relevant systems. Organization agrees that it will only use and disclose information contained in the Carequality Directory as necessary to advance the intended use of the Carequality Directory. For example, Organization is permitted to disclose information contained in the Carequality Directory to the personnel of its EHR vendor who are engaged in assisting Organization with establishing and maintaining connectivity via the Carequality Elements. Further, Organization shall not use the information contained in the Carequality Directory for marketing or any form of promotion of its own products and services, unless this use and disclosure is part of an effort by Organization to expand, or otherwise improve, connectivity via the Carequality Elements, and any promotion of Organization’s own products or services is only incidental to the primary purpose. In no event shall Organization use the information contained in the Carequality Directory in a manner that should be reasonably expected to have a detrimental effect on another Implementer, Carequality Connection, End User, or other individual or organization.

14. Contributions; IP Rights; Ownership of Materials; License

Organization acknowledges that any copyrights, patent rights, trade secrets, trademarks, service marks, trade dress, and other intellectual property in or related to Carequality including, but not limited to, these Carequality Connection Terms, Implementation Guides, Carequality Elements, Carequality Policies, related materials, information, reports, processes (the “Carequality IP”), are protected under applicable United States law. Recognizing that the Carequality IP is the work product of the membership of Carequality, and that Carequality is the collective representative of all Implementers’ interests, these intellectual property rights are asserted and held by

Carequality in its capacity as the representative of its total membership and licensed to Organization hereunder. This does not apply to Carequality trademarks, service marks or trade dress rights, which are discussed separately below. Organization is encouraged to provide Contributions to Carequality and understands that Carequality must obtain certain rights in such Contributions in order to include the Contribution in Carequality IP.

14.1. With respect to each Contribution, Organization represents that: (a) no information in the Contribution is confidential; (b) Carequality may freely disclose the information in the Contribution; and

(c) to the best of its knowledge, such Contribution is free of encumbrance as it relates to the intellectual property rights of others.

14.2. To the extent that a Contribution or any portion thereof is protected by copyright or other rights of authorship, Organization grants a perpetual, irrevocable, non-exclusive, royalty-free, world-wide, sublicensable right and license to Carequality under all such copyrights and other rights in the Contribution to copy, modify, publish, display and distribute the Contribution (in whole or part) and to prepare derivative works based on or that incorporate all or part of such Contribution, in each case, for the purpose of incorporating such Contributions into the Carequality IP. Organization also grants Carequality the right:

(a) to register copyright in Carequality’s name any Carequality IP even though it may include Contributions; and (b) to permit others, at Carequality’s sole discretion, to reproduce in whole or in part the resulting
Carequality IP.

14.3. Organization shall identify to Carequality, through the issuance of a letter of assurance, any patents or patent applications which Organization believes may be applicable to any Carequality Element specifically including, but not limited to, any Implementation Guide. This assurance shall be provided without coercion and shall take the form of a general disclaimer to the effect that the patent holder will not enforce any of its present or future patent(s) that would be required to implement or use the Carequality Element relevant to any person or entity using the patent(s) to comply with such Carequality Element.

14.4. Sponsoring Implementer grants to Organization a perpetual, irrevocable, non-exclusive, royalty-free, world-wide, right and license to use, the Carequality IP for the purpose of enhancing interoperability (including through the modification of its products and services to implement the Carequality Use Cases and conform to the Implementation Guides) Organization and its End Users have and will continue to possess the usage rights to the Carequality IP as authorized by Sponsoring Implementer’s Carequality Connected Agreement and these Carequality Connection Terms. Organization retains ownership of any Contribution it provides, granting only the licenses described in this Section. Nothing shall prevent Organization from (i) changing Organization’s technology, services or any Contribution in any way, including to conform to the requirements of an Implementation Guide or (ii) making any change available to any other person or entity. Notwithstanding anything to the contrary in the Carequality Connection Terms, all right, title, and interest in any change to Organization’s technology, services or any Contribution will accrue to the benefit of, and be owned exclusively by, Organization.

14.5. The trademarks, services marks, trade dress, business names, company names, and logos owned by Carequality, including without limitation CAREQUALITY and all Carequality logos, (collectively, the “Carequality Marks”) are an important part of maintaining the strength and reputation of Carequality and its efforts to enable the interoperable exchange of healthcare information. Organization may not use the Carequality Marks to brand any of Organization’s products or services and may not incorporate any Carequality Marks in any of Organization’s domain names except as provided in Carequality’s published guidelines on use of trademarks. Organization shall not apply for registration of any trademark, service mark, trade dress, business name or company name, or logo that incorporates any Carequality Mark or any element confusingly similar to any Carequality Mark. In connection with any non-trademark, descriptive use of Carequality Marks, Organization will use the registration symbol ® or the trademark or service mark symbols, TM or SM, as more fully set out in the Carequality guidelines on use of trademarks, and indicate in the text that the Carequality Mark used “is the registered trademark of Carequality,” “is the trademark of Carequality,” or “is the service mark of Carequality,” respectively.

15. Disclaimers

Organization acknowledges that Implementers and Carequality Connections may be added to or removed from the Carequality Directory at any time; therefore, Organization may not rely upon the inclusion in the Carequality Directory of a particular Implementer or Carequality Connection. IT IS EXPRESSLY AGREED THAT IN NO EVENT SHALL CAREQUALITY OR ORGANIZATION BE LIABLE TO EACH OTHER OR ANY THIRD PARTY BENEFICIARY FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUES, LOSS OF USE, OR LOSS OF INFORMATION OR DATA, WHETHER A CLAIM FOR ANY SUCH LIABILITY OR DAMAGES IS PREMISED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER THEORIES OF LIABILITY, EVEN IF THE ENTITY WHOSE CONDUCT CREATES THE LIABILITY HAS BEEN APPRISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OCCURRING.

16. Miscellaneous / General

16.1. Amendment. These Carequality Connection Terms may be amended by Carequality from time to time, subject to the requirements of Section 21.4 of the CCA. Sponsoring Implementer will inform Organization of such amendments along with their effective date, which shall be at least thirty (30) days after the date on which Sponsoring Implementer informs Organization of such amendments.

16.2. Third Party Beneficiary. Carequality, other Carequality Connections of the Sponsoring Implementer, other Implementers and their Carequality Connections shall be deemed third party beneficiaries of these Carequality Connection Terms for purposes of enforcing Organization’s compliance with these Carequality Connection Terms.