Common use of Constraints on Use of Data/Limited License Clause in Contracts

Constraints on Use of Data/Limited License. A. Subject to the Terms and Conditions of this Contract, HCA hereby grants Contractor a limited license for the access and Permissible Use of Data. This grant of access may not be deemed as providing Contractor with ownership rights to the Data. The Data being shared/accessed is owned and belongs to HCA. B. For Limited Data Sets, Contractor agrees to not attempt to re-identify individuals in the Data shared or attempt to contact said individuals. C. If Data shared under this Contract includes data protected by 42 C.F.R. Part 2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Contractor from making any further disclosure(s) of the Data that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal rules restrict any use of the SUD data to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 C.F.R. §§ 2.12(c)(5) and 2.65. D. This Contract does not constitute a release of the Data for the Contractor’s discretionary use. Contractor must use the Data received or accessed under this Contract only to carry out the purpose and justification of this Contract as set out in the Data Licensing Statement(s). Any analysis, use, or reporting that is not within the Purpose of this Contract is not permitted without HCA’s prior written consent. E. This Contract does not constitute a release for Contractor to share the Data with any third parties, including Subcontractors, even if for authorized use(s) under this Contract, without the third party release being approved in advance by HCA and identified in the Data Licensing Statement(s). F. Derivative Data Product Review and Release Process. i. All reports derived from Data shared under this Contract, produced by Contractor that are created with the intention of being published for or shared with external customers (Data Product(s)) must be sent to HCA for review of usability, data sensitivity, data accuracy, completeness, and consistency with HCA standards prior to disclosure. This review will be conducted, and response of suggestions, concerns, approval, or notification of additional review time needed provided to Receiving Party within 10 business days. HCA reserves the right to extend the review period as needed for approval or denial. ii. Small Numbers. Contractor will adhere to HCA Small Numbers Standards, Attachment C. HCA and Contractor may agree to individual Permissible Use exceptions to the Small Numbers Standards, in writing (email acceptable). G. Any disclosure of Data contrary to this Contract is unauthorized and is subject to penalties identified in law.

Constraints on Use of Data/Limited License. A. 4.1 Subject to the Terms and Conditions of this Contract, HCA hereby grants Contractor a limited license for the access and Permissible Use of Data. This grant of access may not be deemed as providing Contractor with ownership rights to the Data. The Data being shared/accessed is owned and belongs to HCA. B. 4.2 For Limited Data Sets, Contractor agrees to not attempt to re-identify individuals in the Data shared or attempt to contact said individuals. C. 4.3 If Data shared under this Contract includes data protected by 42 C.F.R. Part 2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Contractor from making any further disclosure(s) of the Data that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal rules restrict any use of the SUD data to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 C.F.R. §§ 2.12(c)(5) and 2.65. D. 4.4 This Contract does not constitute a release of the Data for the Contractor’s discretionary use. Contractor must use the Data received or accessed under this Contract only to carry out the purpose and justification of this Contract as set out in the Data Licensing Statement(s). Any analysis, use, or reporting that is not within the Purpose of this Contract is not permitted without HCA’s prior written consent. E. 4.5 This Contract does not constitute a release for Contractor to share the Data with any third parties, including Subcontractors, even if for authorized use(s) under this Contract, without the third party release being approved in advance by HCA and identified in the Data Licensing Statement(s). F. Derivative Data Product Review and Release Process. i. All reports derived from Data shared under this Contract, produced by Contractor that are created with the intention of being published for or shared with external customers (Data Product(s)) must be sent to HCA for review of usability, data sensitivity, data accuracy, completeness, and consistency with HCA standards prior to disclosure. This review will be conducted, and response of suggestions, concerns, approval, or notification of additional review time needed provided to Receiving Party within 10 business days. HCA reserves the right to extend the review period as needed for approval or denial. ii. Small Numbers. Contractor will adhere to HCA Small Numbers Standards, Attachment C. HCA and Contractor may agree to individual Permissible Use exceptions to the Small Numbers Standards, in writing (email acceptable). G. Any disclosure of Data contrary to this Contract is unauthorized and is subject to penalties identified in law.

Constraints on Use of Data/Limited License. A. 5.1 Subject to the Terms and Conditions of this Contract, HCA hereby grants Contractor a limited license for the access and Permissible Use of Data. This grant of access may not be deemed as providing Contractor with ownership rights to the Data. The Data being shared/accessed is owned and belongs to HCA. B. For 5.2 [Use for Limited Data Sets, ] Contractor agrees to not attempt to re-identify individuals in the Data shared or attempt to contact said individuals. C. 5.3 [Use for Part 2 (SUD/MH) Data] If Data shared under this Contract includes data protected by 42 C.F.R. Part 2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Contractor from making any further disclosure(s) of the Data that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal rules restrict any use of the SUD data to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 C.F.R. §§ 2.12(c)(5) and 2.65. D. 5.4 This Contract does not constitute a release of the Data for the Contractor’s discretionary use. Contractor must use the Data received or accessed under this Contract only to carry out the purpose and justification of this Contract as set out in the Data Licensing Statement(s). Any analysis, use, Use or reporting (including of artificial intelligence tools) that is not within the Purpose of this Contract DSA is not permitted without HCA’s prior written consent. E. 5.5 This Contract does not constitute a release for Contractor to share the Data with any third parties, including Subcontractors, even if for authorized use(s) under this Contract, without the third party release being approved in advance by HCA and identified in the Data Licensing Statement(s). F. Derivative Data Product Review and Release Process. i. All reports derived from Data shared under this Contract, produced by Contractor that are created with the intention of being published for or shared with external customers (Data Product(s)) must be sent to HCA for review of usability, data sensitivity, data accuracy, completeness, and consistency with HCA standards prior to disclosure. This review will be conducted, and response of suggestions, concerns, approval, or notification of additional review time needed provided to Receiving Party within 10 business days. HCA reserves the right to extend the review period as needed for approval or denial. ii. Small Numbers. Contractor will adhere to HCA Small Numbers Standards, Attachment C. HCA and Contractor may agree to individual Permissible Use exceptions to the Small Numbers Standards, in writing (email acceptable). G. Any disclosure of Data contrary to this Contract is unauthorized and is subject to penalties identified in law.

Constraints on Use of Data/Limited License. A. 4.1. Subject to the Terms and Conditions of this ContractDSA, HCA hereby grants Contractor Receiving Party a limited license for the access and Permissible Use of Data. This grant of access may not be deemed as providing Contractor Receiving Party with ownership rights to the Data. The Data being shared/accessed is owned and belongs to HCA. B. For Limited Data Sets, Contractor 4.2. Receiving Party agrees to not attempt to re-identify individuals in the Data shared shared, or attempt to contact said individuals. C. If 4.3. Data shared under this Contract DSA includes data protected by 42 C.F.R. Part 2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Contractor Receiving Party from making any further disclosure(s) of the Data that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent consnet of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal rules restrict any use of the SUD data to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 C.F.R. §§ 2.12(c)(5) and 2.65. D. 4.4. This Contract DSA does not constitute a release of the Data for the ContractorReceiving Party’s discretionary use. Contractor Receiving Party must use the Data received or accessed under this Contract DSA only to carry out the purpose and justification of this Contract DSA as set out in the Data Licensing Statement(s). Any analysis, use, or reporting that is not within the Purpose of this Contract DSA is not permitted without HCA’s prior written consent. E. 4.5. This Contract DSA does not constitute a release for Contractor Receiving Party to share the Data with any third parties, including Subcontractors, even if for authorized use(s) under this ContractDSA, without the third party release being approved in advance by HCA and identified in the Data Licensing Statement(s). F. 4.6. Derivative Data Product Review and Release Process. i. . All reports derived from Data shared under this ContractDSA, produced by Contractor Receiving Party that are created with the intention of being published for or shared with external customers (Data Product(s)) must be sent to HCA for review reivew of usability, data sensitivity, data accuracy, completeness, and consistency with HCA standards prior to disclosure. This review will be conducted, conducted and response of suggestions, concerns, approval, or notification of additional review time needed approval provided to Receiving Receving Party within 10 business days. HCA reserves the right to extend the review period as needed for approval or denial. ii. a. Small Numbers. Contractor Receiving Party will adhere to HCA Small Numbers Standards, Attachment C. Exhibit B. HCA and Contractor Receiving Party may agree to individual Permissible Use exceptions to the Small Numbers Standards, in writing (email acceptable). G. 4.7. Any disclosure of Data contrary to this Contract DSA is unauthorized and is subject to penalties identified in law.

Constraints on Use of Data/Limited License. A. Subject to the Terms and Conditions of this Contract, HCA hereby grants Contractor a limited license for the access and Permissible Use of Data. This grant of access may not be deemed as providing Contractor with ownership rights to the Data. The Data being shared/accessed is owned and belongs to HCA. B. For . [Use for Limited Data Sets, ] Contractor agrees to not attempt to re-identify individuals in the Data shared shared, or attempt to contact said individuals. C. If . [Use for Part 2 (SUD/MH) Data] Data shared under this Contract includes data protected by 42 C.F.R. Part 2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Contractor from making any further disclosure(s) of the Data that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal rules restrict any use of the SUD data to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 C.F.R. §§ 2.12(c)(5) and 2.65. D. . This Contract does not constitute a release of the Data for the Contractor’s discretionary use. Contractor must use the Data received or accessed under this Contract only to carry out the purpose and justification of this Contract as set out in the Data Licensing Statement(s). Any analysis, use, or reporting that is not within the Purpose of this Contract is not permitted without HCA’s prior written consent. E. . This Contract does not constitute a release for Contractor to share the Data with any third parties, including Subcontractors, even if for authorized use(s) under this Contract, without the third party release being approved in advance by HCA and identified in the Data Licensing Statement(s). F. . Derivative Data Product Review and Release Process. i. . All reports derived from Data shared under this Contract, produced by Contractor that are created with the intention of being published for or shared with external customers (Data Product(s)) must be sent to HCA for review of usability, data sensitivity, data accuracy, completeness, and consistency with HCA standards prior to disclosure. This review will be conducted, conducted and response of suggestions, concerns, approval, or notification of additional review time needed approval provided to Receiving Party within 10 business days. HCA reserves the right to extend the review period as needed for approval or denial. ii. Small Numbers. Contractor will adhere to HCA Small Numbers Standards, Attachment C. 2. HCA and Contractor may agree to individual Permissible Use exceptions to the Small Numbers Standards, in writing (email acceptable). G. . Any disclosure of Data contrary to this Contract is unauthorized and is subject to penalties identified in law. Any modification to the Purpose, Justification, Description of Data to be Shared/Data Licensing Statement(s), and Permissible Use, is required to be approved through HCA’s Data Request Process. Contractor must notify HCA’s Contract Manager of any requested changes to the Data elements, Use, records linking needs, research needs, and any other changes from this Contract, immediately to start the review process. Approved changes will be documented in an Amendment to the Contract. Data Protection The Contractor must protect and maintain all Confidential Information gained by reason of this Contract against unauthorized use, access, disclosure, modification or loss. This duty requires the Contractor to employ reasonable security measures, which include restricting access to the Confidential Information by: Allowing access only to staff that have an authorized business requirement to view the Confidential Information. Physically securing any computers, documents, or other media containing the Confidential Information. Data Security Standards Contractor must comply with the Data Security Requirements set out in Attachment 1 and the Washington OCIO Security Standard, 141.10 (xxxxx://xxxx.xx.xxx/policies/141-securing-information-technology-assets/14110-securing-information-technology-assets.) The Security Standard 141.10 is hereby incorporated by reference into this Contract. Data Disposition and Retention Contractor will dispose of HCA Data in accordance with this section. Upon request by HCA, or at the end of the Contract term, or when no longer needed, Confidential Information/Data must be disposed of as set out in Attachment 1, Section 5. Data Disposition, except as required to be maintained for compliance or accounting purposes. Contractor will provide written certification to HCA of disposition using Attachment 4, Certification of Destruction/Disposition of Confidential Information. [Medicaid Claims Data] For the purpose of this section, “fiscal year” means the 12-month period of July 1 to June 30. Claims Data will not be kept or maintained beyond 10 years after the end of the fiscal year in which the claim is dated. Client Data, not including Claims Data, will not be kept or maintained beyond 10 years from the date received from HCA. Any other Data will not be kept or maintained beyond 10 years from the date received from HCA. At that time Data and derivative Data Products must be disposed of in accordance with subsection B.. Data Confidentiality. The Contractor will not use, publish, transfer, sell, or otherwise disclose any Confidential Information gained by reason of this Contract for any purpose that is not directly connected with the purpose, justification, and Permissible Use of this Contract, as set out in the attached Data Licensing Statement(s), except: (a) as provided by law; or (b) with the prior written consent of the person or personal representative of the person who is the subject of the Data. Non-Disclosure of Data The Contractor must ensure that all employees or Subcontractors who will have access to the Data described in this Contract (including both employees who will use the Data and IT support staff) are instructed and made aware of the use restrictions and protection requirements of this Contract before gaining access to the Data identified herein. The Contractor will also instruct and make any new employee aware of the use restrictions and protection requirements of this Contract before they gain access to the Data. The Contractor will ensure that each employee or Subcontractor who will access the Data signs the User Agreement on Non-Disclosure of Confidential Information, Attachment 3 hereto. The Contractor will retain the signed copy of the User Agreement on Non-Disclosure of Confidential Information in each employee’s personnel file for a minimum of six years from the date the employee’s access to the Data ends. The documentation must be available to HCA upon request. Penalties for Unauthorized Disclosure of Data State laws (including RCW 74.04.060 and RCW 70.02.020) and federal regulations (including HIPAA Privacy and Security Rules, 45 C.F.R. Part 160 and Part 164; Confidentiality of Alcohol and Drug Abuse Patient Records, 42 C.F.R., Part 2; and Safeguarding Information on Applicants and Beneficiaries, 42 C.F.R. Part 431, Subpart F) prohibit unauthorized access, use, or disclosure of Confidential Information. Violation of these laws may result in criminal or civil penalties or fines. The Contractor accepts full responsibility and liability for any noncompliance by itself, its employees, and its Subcontractors with these laws and any violations of the Contract. The Contractor will not enter into any Subcontract without the express, written permission of HCA, which will approve or deny the proposed subcontract in its sole discretion. If Data access is to be provided to a Subcontractor under this Contract it will only be for the Permissible Use authorized by HCA and the Contractor must include all of the Data security terms, conditions and requirements set forth in this Contract in any such Subcontract. In no event will the existence of the Subcontract operate to release or reduce the liability of the Contractor to HCA for any breach in the performance of the Contractor’s responsibilities. At HCA’s request or in accordance with OCIO 141.10, Contractor shall obtain audits covering Data Security and Permissible Use. Contractor may cover both the Permissible Use and the Data Security Requirements under the same audit, or under separate audits. The term, “independent third-party” as referenced in this section means an outside auditor that is an independent auditing firm. Data Security audits must demonstrate compliance with Data Security standards adopted by the Washington State Office of the Chief Information Officer (OCIO), and as set forth in Attachment 1, Data Security Requirements. At a minimum, audit(s) must determine whether Data Security policies, procedures, and controls are in place to ensure compliance with all Data Security Requirements set forth herein and as required by state and federal law. Permissible Use Audits must demonstrate compliance with Permissible Use standards as set forth in this Contract and each Attachment A. Audit(s) must determine whether Permissible Use policies, procedures, and controls are in place to ensure compliance with all Permissible Use requirements in this Contract. HCA may monitor, investigate, and audit the use of Personal Information received by Contractor through this Contract. The monitoring and investigating may include the act of introducing data containing unique but false information (commonly referred to as “salting” or “seeding”) that can be used later to identify inappropriate use or disclosure of Data. During the term of this Contract and for six (6) years following termination or expiration of this Contract, HCA will have the right at reasonable times and upon no less than five (5) business days prior written notice to access the Contractor’s records and place of business for the purpose of auditing, and evaluating the Contractor’s compliance with this Contract and applicable laws and regulations.

Constraints on Use of Data/Limited License. A. 5.1 Subject to the Terms and Conditions of this Contract, HCA hereby grants Contractor a limited license for the access and Permissible Use of Data. This grant of access may not be deemed as providing Contractor with ownership rights to the Data. The Data being shared/accessed is owned and belongs to HCA. B. For Limited Data Sets, 5.2 Contractor agrees to not attempt to re-identify individuals individals in the Data shared shared, or attempt to contact said individuals. C. If 5.3 Data shared under this Contract includes data protected by 42 C.F.R. Part 2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Contractor from making any further disclosure(s) of the Data that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 C.F.R. Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal rules restrict any use of the SUD data to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 C.F.R. §§ 2.12(c)(5) and 2.65. D. 5.4 This Contract does not constitute a release of the Data for the Contractor’s discretionary use. Contractor must use the Data received or accessed under this Contract only to carry out the purpose and justification of this Contract as set out in the Data Licensing Statement(s). Any analysis, use, or reporting that is not within the Purpose of this Contract is not permitted without HCA’s prior written consent. E. 5.5 This Contract does not constitute a release for Contractor to share the Data with any third parties, including Subcontractors, even if for authorized use(s) under this Contract, without the third party release being approved in advance by HCA and identified in the Data Licensing Statement(s). F. 5.6 Derivative Data Product Review and Release Process. i. . All reports derived from Data shared under this Contract, produced by Contractor that are created with the intention of being published for or shared with external customers (Data Product(s)) must be sent to HCA for review of usability, data sensitivity, data accuracy, completeness, and consistency with HCA standards prior to disclosure. This review will be conducted, conducted and response of suggestions, concerns, approval, or notification of additional review time needed approval provided to Receiving Receving Party within 10 business days. HCA reserves the right to extend the review period as needed for approval or denial. ii. a. Small Numbers. Contractor will adhere to HCA Small Numbers Standards, Attachment C. 2. HCA and Contractor may agree to individual Permissible Use exceptions to the Small Numbers Standards, in writing (email acceptable). G. 5.7 Any disclosure of Data contrary to this Contract is unauthorized and is subject to penalties identified in law.