TRUSTED EXCHANGE TERMS AND CONDITIONS
Last Updated: August 29, 2024
These Trusted Exchange Terms and Conditions, available at http://www.credohealth.com/trusted-exchange-terms, including any URLs, documents, and policies referenced herein, are collectively referred to as these “Trusted Exchange Terms.” These Trusted Exchange Terms are an Attachment that is incorporated by reference into the Agreement and the Master Terms and Conditions by and between Credo Health Solutions Holdings, Inc., and all of its affiliated entities, including without limitation Credo Health Solutions Inc. and Medical Records Exchange LLC d/b/a Chartfast LLC (collectively, “Credo”) and the Customer identified in the Order Form (“Customer”). For clarity, these Trusted Exchange Terms are part of the Agreement and the Master Terms and Conditions, and they apply to all other Attachments and Order Forms between Credo and Customer (collectively, the “Agreement”). Credo and Customer are each referred to as a “party” and collectively the “parties.”
1. TRUSTED EXCHANGE CONNECTIONS GENERALLY
1.1 Relationship to Other Attachments; Order of Priority; Linked Documents; Changes. These Trusted Exchange Terms are part of the Agreement between the parties. These Trusted Exchange Terms govern the parties’ use of Trusted Exchanges in connection with the Credo Service. The parties each acknowledge and agree that in the event of a conflict between any term or condition set forth in these Trusted Exchange Terms and any term or condition set forth in the BAA, the BAA will govern with respect to the subject matter thereof; provided, however, that these Trusted Exchange Terms may expressly amend or modify the BAA. The parties further agree that in the event of conflict between these Trusted Exchange Terms and the Master Terms and Conditions (or any other Attachment other than the BAA), these Trusted Exchange Terms will govern with respect to the Trusted Exchanges. For the avoidance of doubt, the parties also each acknowledge and agree that the contractual documents linked in these Trusted Exchange Terms, and any amendments thereto, are incorporated into these Trusted Exchange Terms. Customer confirms that it has the ability to access, and has accessed, read, understands and agrees to, the linked documents in these Trusted Exchange Terms. Credo may update and revise these Trusted Exchange Terms if required or requested by a Trusted Exchange or HIN/HIE that provides Credo with a Trusted Exchange Connection. Credo will notify Customer of material changes to these Trusted Exchange Terms by email notification.
1.2 Definitions. Capitalized terms used without definition will have the meanings set forth in the Master Terms and Conditions or, if applicable, the BAA or HIPAA. For purposes of these Trusted Exchange Terms, the following capitalized terms have the following meanings:
“Authorized Exchange User” means a natural person (not a corporation, limited liability company, partnership, association, or other entity) who is either employed by, on the medical staff of, or otherwise a legal representative of Customer and who Customer identified and authorized as having permission to access or use a Trusted Exchange Connection. For clarity, a patient cannot be an Authorized Exchange User.
“Network Solution Provider” refers to a third-party vendor that integrates network connectivity for access to one or more Trusted Exchange Connections.
“Permitted Purpose” means the reasons, as authorized by these Trusted Exchange Terms, for requesting, sending, disclosing, and transmitting electronic health information through a Trusted Exchange, to the extent permitted under applicable law and the applicable Trusted Exchange Connection. DUE TO CURRENT LEGAL, TECHNICAL AND ADMINISTRATIVE LIMITATIONS, THE PERMITTED PURPOSES ARE LIMITED TO TREATMENT ONLY, UNLESS OTHERWISE AGREED TO IN WRITING BY CREDO AND CUSTOMER. It is not feasible for Credo to support additional Permitted Purposes at this time. For clarity, Health Plans, Business Associates of Health Plans, and Subcontractor Business Associates of Business Associates of Health Plans do not perform Treatment functions under HIPAA and are prohibited from participating in the Treatment Permitted Purpose.
1.3 Participation in Trusted Exchange Connections; Customer Authorization for Use of Trusted Exchange Connections. The Credo Services may include, but are not limited to, access to or use of one or more Trusted Exchange Connections. The Trusted Exchange Connections may include without limitation and for illustration purposes only, the DURSA, Carequality, CommonWell, and TEFCA; provided, however, Credo shall have no obligation to participate in any specific Trusted Exchange Connection or to use a certain technology vendor or HIN/HIE for access to one or more Trusted Exchange Connections. Customer hereby authorizes Credo on behalf of Customer to connect, request, query, receive, send, disclose, push and transmit (collectively, “Exchange”) electronic health information and any other related information regarding Customer’s (including without limitation Affiliates’) patient through a HIN/HIE’s Trusted Exchange Connection for a Permitted Purpose. Customer acknowledges and agrees that the Exchange through an HIN/HIE’s Trusted Exchange Connection does not in any way inherit a patient’s consent, government approval, institutional review board or privacy board approval, regulatory clearance of any kind, or HIPAA compliance, solely by receiving electronic health information from the Credo Service. Customer further acknowledges and agrees that these Trusted Exchange Terms (and any other relevant portions of the Agreement) may be made available by Credo to its Network Solution Provider or any HIN/HIE(s) or governance body for a Trusted Exchange Connection, and that execution of the Agreement (including without limitation these Trusted Exchange Terms) does not guarantee that Customer will be approved for participation in the Trusted Exchange.
1.4 Customer Responsibilities; Additional Representations, Warranties and Covenants.
(a) Consent. Customer shall not direct Credo to Exchange information on a patient unless Customer has the requisite authority and consent from such patient to engage in the Exchange and the Exchange complies with these Trusted Exchange Terms and Conditions (collectively, “Patient Consent”). Customer is solely responsible for obtaining Patient Consent to Exchange patient electronic health information through an HIN/HIE’s Trusted Exchange Connection for the Permitted Purposes. Customer will provide Credo with copies of such Patient Consent upon request and at no cost to Credo. Nothing in this Section shall be construed to prevent, preclude or prohibit Credo, in its sole discretion, from obtaining the Credo ROI directly from patients.
(b) Entity Type and Permitted Purpose. Customer represents, warrants and covenants that its statements regarding its entity type (e.g., Covered Entity, Health Care Provider, etc.), its asserted Permitted Purpose for each and any Exchange under the applicable Trusted Exchange Connection, and any other information provided by Customer prior to or during the Term regarding Customer is true and accurate, and meets all requirements for entity type, Permitted Purpose, and any other requirements under the applicable Trusted Exchange Connection.
(c) Patient Relationship; Treatment Purpose; Verification. Customer represents and warrants that at all relevant times: (i) Customer has a relationship with the patient; and (ii), unless Credo has given its prior express, written permission to Customer to Exchange for a non-Treatment Permitted Purpose, Customer is requesting Credo to provide the Services for Customer’s Treatment of the patient. Upon request, Customer shall provide an attestation or other written documentation or material to verify or validate the existence of a patient relationship and Treatment purpose (or other Permitted Purpose, if applicable).
(d) HIE Laws. Customer is responsible for complying with any and all applicable laws in connection with the Credo Services, including but not limited to Trusted Exchange Connections. Specifically, Customer is solely responsible for complying with any and all applicable laws requiring or permitting patients to opt in or opt out of HIN/HIE participation or any HIN/HIE notice requirements. Customer must not request that Credo Exchange patient electronic health information through a HIN/HIE for any patient who (i) has not expressly consented to HIN/HIE participation; or (ii) has revoked consent.
(e) Technical Requirements. Customer will comply with any of the Network Service Provider’s or Trusted Exchange Connection’s technical requirements, specifications or configurations for connecting or accessing a Trusted Exchange, including without limitation any object identifier (OID) configurations for facilitating Exchange for a Permitted Purpose.
(f) Bi-Directional (Reciprocal) Exchange.
i. As part of the Credo Services, Customer must provide minimum demographic information on patients for Credo to enable patient matching in connection with the Credo Services and use of the Trusted Exchange Connections. The Trusted Exchanges also have bi-directional (reciprocal) data sharing requirements. As a condition of using a Trusted Exchange Connection, Customer agrees to comply fully with any bi-directional data sharing obligation required or requested by a Trusted Exchange Connection or the HIN/HIE that provides Credo’s Trusted Exchange Connection, including without limitation by responding to Treatment requests with unique, clinically relevant information about a given patient, generated by Customer (collectively, “Clinical Data”); provided, however, that Customer may work with Credo to apply for an exception from the bi-directional data sharing requirement with the relevant Trusted Exchange, if Credo determines that Customer might qualify for such an exception. Customer acknowledges and agrees that Credo may require Customer to refresh the Clinical Data at a minimum every thirty (30) calendar days. Customer further acknowledges and understands that failure to provide sufficient Clinical Data may result in: (1) Customer being suspended or terminated from a Trusted Exchange or the HIN/HIE that provides Credo’s Trusted Exchange Connection; and/or (2) other participants in a Trusted Exchange declining to respond to Customer’s queries.
ii. If Customer chooses to apply for an exception to the bi-directional data sharing requirement, Customer acknowledges and understands that: (1) the relevant Trusted Exchange or HIN/HIE that provides Credo with a Trusted Exchange Connection may deny Customer’s request for an exception from the bi-directional data sharing requirement, and Customer agrees that Credo is not responsible or liable for such a denial; and (2) if Customer is approved for an exception, Customer’s queries may be coded to reflect that Customer is excused from the bi-directional data sharing requirement and that this may affect whether other participants in a Trusted Exchange return data in response to Customer’s queries. For clarity, Customer must satisfy the bi-directional data sharing requirement unless Customer is granted an exception from that requirement in accordance with this Section 1.4(d) (Bi-Directional (Reciprocal) Exchange) and the relevant Trusted Exchange policies.
(g) Revocation. Customer must immediately notify Credo in writing if a patient revokes the Patient Consent, or otherwise exercises the patient’s right to opt out of HIN/HIE participation.
(h) Liability. Customer is solely responsible and liable for its (including without limitation its Authorized Exchange Users’) actions and omissions in connection with a Trusted Exchange.
(i) Indemnification. In addition to any other indemnification obligations in the Agreement, Customer will indemnify, defend and hold harmless Credo Parties for any Claims, and shall pay all losses, damages, liabilities, settlements, judgments, awards, interest, civil penalties, and reasonable expenses (collectively, “Losses,” and including, but not limited to, reasonable attorneys’ fees, expert witness fees and court costs), arising out of or related to Customer’s (including without limitation its Authorized Exchange Users’) actions or omissions in connection with these Trusted Exchange Terms.
(h) Cooperation. Customer shall reasonably cooperate with Credo, any Network Solution Provider, or HIN/HIE or data governor of a Trusted Exchange Connection in any audit or investigation regarding Customer’s use of the Credo Service in connection with a Trusted Exchange.
1.5 Additional Customer Permissions; BAA Amendment.
(a) Additional Customer Permissions Necessary for the Trusted Exchange Connections. Customer acknowledges and agrees that by authorizing Credo to participate in Trusted Exchange on Customer’s behalf, Customer expressly authorizes Credo, in connection with the Credo Services, and Credo’s subcontractors and services providers, and technology vendors and HIN/HIEs that operate the Trusted Exchange Connection(s) to: (i) use and disclose Customer Data, including without limitation Protected Health Information, as permitted or required by applicable law; (ii) to use Customer Data, including without limitation Protected Health Information, for Data Aggregation services related to Health Care Operations as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B); (iii) to de-identify Customer Data, including without limitation Protected Health Information, in accordance with 45 C.F.R. § 164.514; (iv) to use and disclose Customer Data, including without limitation Protected Health Information, subject to the requirements and limitations of 45 C.F.R. § 164.504(e)(4) for their proper management and administration, including without limitation operation of a master patient index, record locator or other identity resolution solutions; and (v) to respond directly to and perform any requests received directly from an individual to make available the individual’s Protected Health Information at the Individual’s directions. Customer further acknowledges and agrees that Credo, Credo’s subcontractors and service providers, and the technology vendors and HIN/HIEs that operate the Trusted Exchange Connection(s), including without limitation the Network Solution Provider, each: (y) have ownership over the de-identified data in their possession; and (z) may use and disclose de-identified data for any purposes permitted by applicable law, even after termination of the BAA and/or Agreement.
(b) BAA Amendment. Customer acknowledges and agrees that to the extent the foregoing additional permissions require a change to the BAA between Customer and Credo, these Trusted Exchange Terms and Conditions shall operate as a signed, written amendment to the BAA to expressly grant these additional permissions.
1.6 Prohibited Uses; Third Party Terms. In addition to the use limitations set forth in Section 1.6 of the Master Terms and Conditions, Customer agrees to not: (a) submit false, misleading or otherwise inaccurate information to Credo; (b) otherwise seek to interfere with or gain unauthorized access to the Credo Service, the Trusted Exchanges and/or data from the foregoing; (c) under any circumstances, repackage or in any way resell direct or indirect access to or use of the Credo Services, including without limitation use of Credo’s connections to the Trusted Exchanges, in whole or in part, without Credo’s specific written permission; and (d) permit any third party to do any of the foregoing. Customer (and not Credo) is responsible for ensuring the use of the Trusted Exchange Connections and subsequent use and disclosure of the electronic health information received from the Trusted Exchange Connections complies with applicable law and the terms and conditions of the applicable Trusted Exchange. Customer agrees to comply with the terms and conditions, policies, acceptable use requirements and other restrictions of the Trusted Exchanges and/or technology vendors or HIN/HIEs that support the connection to those Trusted Exchanges, including without limitation the Network Solution Provider Minimum Terms set forth below in Section 2 (Network Solution Provider Minimum Terms). Customer further acknowledges and agrees that from time to time, Credo may connect the Credo Service with additional third parties who support Exchange. Customer acknowledges and agrees that such third party may require additional terms and conditions, and Credo reserves the right to deny Customer’s access to or use of such third party data sources until Customer agrees to comply with such terms and conditions.
1.7 Suspension. Credo may immediately suspend Customer access to one or more Trusted Exchange Connections (in whole or in part), with or without terminating these Trusted Exchange Terms, if Credo in its sole discretion determines any of the following: (a) unauthorized access or use of the Credo Services; (b) any violation of these Trusted Exchange Terms or the Agreement by Customer; (c) Customer uses or attempts to use the Credo Services for any fraudulent or illegal purpose, including without limitation if Customer or an Authorized Exchange User has engaged in suspicious activity or Credo determines that Customer’s continued use of the Credo Services would cause Credo to violate any applicable law or place Credo at material risk of suffering any sanction, penalty or liability; or (d) Customer or its Authorized Exchange Users’ actions or omissions create an immediate threat or may cause material harm to any person or organization.
1.8 Survival. The parties’ respective obligations in these Trusted Exchange Terms, which expressly or by their nature would continue beyond the expiration or termination of the Agreement, will survive the Agreement, including without limitation each party’s indemnity-related obligations.
2. NETWORK SOLUTION PROVIDER MINIMUM TERMS
2.1 General. A Network Solution Provider requires Customer’s agreement to these additional terms and conditions set forth in this Section 2 (Network Solution Provider Minimum Terms). For clarity, the requirements, obligations and limitations set forth herein are in addition to, and do not limit, the other terms and conditions set forth in the Agreement or other sections of these Trusted Exchange Terms.
2.2 Prohibited Uses; Confidentiality; Intellectual Property; Third Party Beneficiary Rights. Customer is prohibited from engaging (either directly or indirectly) in any of the following: (a) the reverse engineering, decompiling, disassembly or modification of the Network Solution Provider’s software, including without limitation any attempt to discover the source code, object code or underlying structure, ideas or algorithms of the software; (b) use of the software to infringe intellectual property rights or other proprietary rights, or rights of publicity or privacy, of any third party; (c) removal of any proprietary notices from the Network Solution Provider software or related documentation; and (d) any use of the Network Solution Provider software in violation of any applicable law (including without limitation any export control laws and regulations). Customer and its end users must maintain the confidentiality of the Network Solution Provider (and related information). Customer further acknowledges and agrees that: (i) the Network Solution Provider will retain all intellectual property rights relating to their product; and (ii) the Network Solution Provider is an express third-party beneficiary of these Trusted Exchange Terms with respect to this Section 2 (Network Solution Provider Minimum Terms), Section 4 (the Carequality Interoperability Framework), and Section 6 (the Trusted Exchange Framework and Common Agreement).
2.3 Indemnification. Customer shall indemnify, defend and hold Credo and Network Solution Provider, its affiliates, and their respective officers, directors, employees, and agents, as well as Carequality, any Carequality Implementer, Qualified Health Information Network (QHIN) and any QHIN Participant/Subparticipant each as defined in Section 4 (The Carequality Interoperability Framework) and Section 6 (the Trusted Exchange Framework and Common Agreement (TEFCA)), respectively, harmless from and against any third party claim, demand, allegation, cost, dispute or liability including, without limitation, reasonable attorneys’ fees arising out of or relating to: (a) any electronic records Customer creates, transmits, or displays in connection with improper or errant use, or misuse of the Credo Services integrated with the Network Solution Provider; (b) any breach of this Section 2 (Network Solution Provider Minimum Terms), Section 4 (The Carequality Interoperability Framework), and Section 6 (the Trusted Exchange Framework and Common Agreement); (c) any unlicensed or unlawful use of the Credo Services integrated with the Network Solution Provider; (d) the gross negligence, fraud or willful misconduct of Customer, its end users or its representatives; (e) any act or omission that, if true, would constitute a breach by Customer, its end users or its representatives, of its representations, warranties or covenants as a Carequality Connection or Organization as set forth in the Carequality Connection Terms, or otherwise in relation to the Carequality Interoperability Framework (each as defined below in Section 4 (the Carequality Interoperability Framework)); and (f) any act or omission that, if true, would constitute a breach by Customer, its end users or its representatives, of its representations, warranties or covenants set forth in the Participant/Subparticipant Terms of Participation (as defined below in Section 6 (The Trusted Exchange Framework and Common Agreement (TEFCA))). Customer acknowledges that the Network Solution Provider reserves the right to assume the exclusive defense and control of any such matter, and Customer will cooperate with any reasonable requests to assist with Network Solution Provider’s defense of such matter. Customer may not settle or compromise any such matter without Network Solution Provider’s written consent.
2.4 Breach. Customer agrees any misuse, unauthorized use, or violation of this Section 2 (Network Solution Provider Minimum Terms), the Carequality Connection Terms (see Section 4 (The Carequality Interoperability Framework)), or the Participant/Subparticipant Terms of Participation (see Section 6 (The Trusted Exchange Framework and Common Agreement (TEFCA))) by Customer, its end users or representatives will constitute a material breach. In the event of such a breach, Network Solution Provider reserves the right to pursue all available legal remedies, including but not limited to, seeking damages, injunctive relief, and require the termination of the services provisioned through the Credo Services.
2.5 Carequality and TEFCA. In addition to and without limiting Section 4 (The Carequality Interoperability Framework) and Section 6 (The Trusted Exchange Framework and Common Agreement (TEFCA)), the Network Solution Provider requires Customer to do one of the following: (a) execute a click-through acceptance process (with an electronic audit trail of such acknowledgement); (b) execute a written confirmation (electronic signature acceptable) of acceptance; or (c) acknowledge acceptance language in these Trusted Exchange Terms with Credo stating that Customer is bound by the Carequality Connection Terms (as defined in Section 4) and the Participant/Subparticipant Terms of Participation (as defined in Section 6 (The Trusted Exchange Framework and Common Agreement)) by continued use which constitutes acceptance of the Carequality Connection Terms and Participant/Subparticipant Terms of Participation, each as may be updated from time to time. Customer’s agreement to these Trusted Exchange Terms hereby constitutes Customer’s acknowledgment of acceptance that Customer is bound by the Carequality Connection Terms and Participant/Subparticipant Terms of Participation. Customer further acknowledges and agrees that as Credo provides updated or amended Carequality Connection Terms or Participant/Subparticipant Terms of Participation made by the Network Solution Provider, Carequality, or the Recognized Coordinating Entity (RCE), respectively, to Customer, Customer is required to comply with the acceptance criteria set forth herein.
2.6 Arbitration; Governing Law. To the extent any dispute, controversy or claim arising out of this Section 2 (Network Solution Provider Minimum Terms), or the breach, termination or invalidity thereof, involves the Network Solution Provider, and cannot be resolved by the parties and the Network Solution Provider through consultation, Customer agrees that it shall be settled by binding arbitration in accordance with the American Arbitration Association (“AAA”) rules, and decided by a panel of three (3) arbitrators. The Network Solution Provider shall be entitled to select one (1) arbitrator, and the two selected arbitrators shall select the third arbitrator. The place of the arbitration shall be Wilmington, Delaware for all arbitrations. Each party and the Network Solution Provider will bear its own costs of arbitration and, with respect to the arbitrators’ costs, Customer shall not be required to contribute more than 25% of the costs of the arbitrators. Notwithstanding the foregoing, Customer acknowledges and agrees that Credo and the Network Solution Provider have the right, in addition to their other rights and remedies, to seek and obtain injunctive relief for any violation of their respective ownership rights or non-disclosure provisions set forth in this Section, and Customer hereby expressly waives any objection, in any such equitable action, that Credo or the Network Solution Provider may have an adequate remedy at law. Additionally, to the extent the Network Solution Provider is involved and the dispute is not subject to AAA rules, this Section 2 (Network Solution Provider Minimum Terms) will be governed by the laws of the State of Delaware, exclusive of its rules governing choice of law and conflict of laws. Customer acknowledges that the rights and remedies of the Network Solution Provider set forth in this Section are cumulative and concurrent and may be pursued separately, successively, or together.
3. THE DATA USE AND RECIPROCAL SUPPORT AGREEMENT (DURSA) FRAMEWORK
3.1 General. Credo participates in the eHealth Exchange Network of Networks (the “eHealth Exchange Network”) that is active in all fifty (50) States, connecting federal agencies and non-federal healthcare organizations so that electronic health information can be exchanged nationwide to improve patient care and public health. As a condition of participation, Credo has signed the DURSA and is required to obtain its Customer’s agreement to comply with certain provisions in the DURSA, to the extent those provisions are applicable to Customer’s use of the Credo Services. Customer agrees to comply with the following additional provisions in this Section when Exchanging Messages (as defined below) under the DURSA.
3.2 DURSA Definitions. For purposes of this Section 2, the following capitalized terms shall have the following meanings:
“DURSA Adverse Security Event” means the unauthorized acquisition, access, disclosure, or use of unencrypted Message Content while in the process of being Transacted in a manner permitted by the DURSA by anyone who is not a DURSA participant or DURSA participant user or by a DURSA participant or participant user in any manner that is not a permitted purpose under the DURSA. For the avoidance of doubt, a DURSA Adverse Security Event does not include the following: (i) any unintentional acquisition, access, disclosure, or use of Message Content by an employee or individual acting under the authority of a DURSA participant or DURSA participant user if—(I) such acquisition, access, disclosure, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the DURSA participant or participant user; and (II) such unencrypted Message Content is not further acquired, accessed, disclosed or used by such employee or individual; or (ii) any acquisition, access, disclosure or use of information contained in or available through the DURSA participant’s system where such acquisition, access, disclosure or use was not directly related to Transacting Message Content.
“Message Content” shall mean that information contained within a Message or accompanying a Message using the Specifications. This information includes, but is not limited to, Protected Health Information (PHI), de-identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), individually identifiable information, pseudonymized data, metadata, digital credentials, and schema.
“Message” shall mean an electronic transmission of Message Content Transacted between DURSA participants using the Specifications. Messages are intended to include all types of electronic transactions as specified in the Performance and Service Specifications, including the data or records transmitted with those transactions.
“Performance and Service Specifications” shall mean the validation plan and the Specifications, as well as any implementation guidance, migration plans and other technical materials and resources approved by the DURSA Coordinating Committee.
“Specifications” shall mean the specifications adopted by the DURSA Coordinating Committee to prescribe the data content, technical, and security requirements to enable DURSA participants to Transact Message Content. Specifications may include, but are not limited to, specific network standards, services and policies.
“Transact” shall mean to send, request, receive, assert, respond to, submit, route, subscribe to, or publish Message Content using the Performance and Service Specifications.
3.3 Cooperation. Customer will reasonably cooperate with Credo on any issues related to the DURSA, including: (a) safeguarding the confidentiality, privacy and security of Messages and Message Content; (b) allowing periodic audits and/or monitoring of the Credo Services by Credo to ensure compliance with the DURSA; and (c) gathering and providing information and documentation related to Customer’s use of the Credo Services to Exchange Messages through the eHealth Exchange Network, including reporting and responding to DURSA Adverse Security Events.
3.4 Use of eHealth Exchange Network. When Customer (or Credo on behalf of Customer) Exchanges Message Content through the eHealth Exchange Network, such Exchange will be done in accordance with this Section of these Trusted Exchange Terms and for one of the purposes permitted by the DURSA (but only if it is also a Permitted Purpose under these Trusted Exchange Terms), see https://ehealthexchange.org/dursa/ (all subsequent amendments are incorporated herein by this reference). Customer will comply with all applicable terms and conditions of the DURSA, including the following to the extent that they are applicable to Customer’s use of the Credo Services:
(a) Customer shall not disclose any passwords, digital security certificates, tokens, or other security measures issued by Credo or the eHealth Exchange Network to enable connectivity to the eHealth Exchange Network;
(b) Customer shall comply with any applicable DURSA Performance and Service Specifications;
(c) Customer shall report all suspected and confirmed DURSA Adverse Security Events to Credo within one (1) hour of discovery in order for Credo to fulfill its obligations in meeting Adverse Security Event notification requirements under the DURSA; and
(d) Customer may retain, use and redisclose Message Content received from the eHealth Exchange Network in accordance with applicable law and Customer’s own data retention policies and procedures.
3.5 Termination. If Credo’s participation in Exchange under the DURSA is terminated for any reason, Customer will no longer have any right to Exchange Messages on the eHealth Exchange Network utilizing Credo’s connection.
4. THE CAREQUALITY INTEROPERABILITY FRAMEWORK
4.1 General. Credo may participate in the Carequality Interoperability Framework (the “Carequality”), which facilitates electronic health information exchange across the country, see https://carequality.org/resources/. As a condition of participation, Credo has agreed to comply with the Carequality Connection Terms (the “CC Terms”) and is required to obtain Customer’s agreement to comply with certain provisions of the CC Terms. Capitalized terms in this Section 4 (the Carequality Interoperability Framework) that are not specifically defined in this Section are as defined in the CC Terms and Carequality Policies. Customer agrees to comply with the following additional provisions in this Section when Exchanging electronic health information under Carequality. Customer further acknowledges that: (a) Credo has applied to become a Carequality Implementer and is currently a Carequality Candidate Implementer; and (b) in the event Credo is approved to become an Implementer, Credo may execute the Carequality Connected Agreement as may be amended from time to time (available at Carequality Connected Agreement) and related documents (collectively, the “CCA”), which may cause Credo to update these Trusted Exchange Terms.
4.2 CC Terms. By opting into Exchange with Carequality, Customer agrees to comply with all applicable provisions of the CC Terms, as may be amended from time to time (available at https://carequality.org/resources/), including without limitation Section 1 (Definitions), Section 3 (Suspension and Termination), Section 4 (Legal Requirements), Section 5 (Compliance with the Implementation Guides and Carequality Policies) and the Carequality Policies and Implementation Guides as may be amended from time to time (available at https://carequality.org/resources/), Section 6 (Non-Discrimination), Section 8 (Accountability), Section 9 (Dispute Resolution) and the Carequality Dispute Resolution Process as may be amended from time to time (available at Carequality Dispute Resolution Process), Section 10 (Organization), Section 11 (Adverse Security Event Reporting), Section 12 (Acceptable Use), Section 13 (Confidentiality), Section 14 (Contributions; IP Rights; Ownership of Materials; License), Section 15 (Disclaimers), and Section 16 (Miscellaneous/General) of the CC Terms. Customer acknowledges and agrees that: (a) the CC Terms (as may be amended as described in Section 16 of the CC Terms) are incorporated by reference into this Section 4 (the Carequality Interoperability Framework) of the Trusted Exchange Terms; and (b) for purposes of interpreting application of the CC Terms to Customer, Customer agrees to give the same representations, warranties and covenants required of an Organization and to comply with the CC Terms as if Customer were the Organization as defined in Section 11 of the CC Terms.
4.3 Carequality Passthrough Exchange Fees. Carequality, other Carequality Implementers and other Carequality Connections may impose additional fees, costs or charges in connection with the Exchange activities under Carequality, including without limitation Carequality Implementer Fees pursuant to the Carequality Implementer Fee Schedule, available at https://carequality.org/implementer-fee-schedule/, which may be amended by Carequality from time to time (collectively, “Carequality Passthrough Fees”). Customer is solely responsible for the payment of such Carequality Passthrough Fees. To the extent practicable, Credo will use commercially reasonable efforts to inform Customer of any material Carequality Passthrough Fees in advance. Customer agrees to pay invoices for such Carequality Passthrough Fees according to the terms of the Agreement. If applicable to Customer’s use of the Carequality connection, Customer shall further provide Credo with the annual revenue that Customer derives from its services or products connected to Carequality so that Carequality may assess the appropriate Carequality Implementer Fee or other relevant fees imposed by Carequality. Customer will certify to this revenue, if requested by Credo, the Network Solution Provider, or Carequality.
4.4 Termination. If Credo’s participation in Exchange under Carequality is terminated for any reason, Customer will no longer have any right to Exchange through the Carequality network utilizing Credo’s connection.
5. COMMONWELL
5.1 General. Credo may participate in the CommonWell Health Alliance Network (“CommonWell”), which enables electronic health information exchange across its network of connected sites, see https://www.commonwellalliance.org/. As a condition of connection, Credo has agreed to comply with the CommonWell End User Licensing Agreement (“EULA”) and is required to obtain Customer’s agreement to comply with the EULA. Customer agrees to comply with the following additional provisions in this Section when Exchanging electronic health information with CommonWell.
5.2 CommonWell EULA. By opting into Exchange with CommonWell, Customer agrees to comply with all provisions of the EULA, as may be amended from time to time (available at https://www.commonwellalliance.org/wp-content/uploads/2019/05/CommonWell-EULA-Version-13Jan2021-1.pdf). Capitalized terms in this Section 5 (CommonWell) that are not specifically defined in this Section are as defined in the EULA. Customer agrees that the EULA (as may be amended from time to time by CommonWell) is incorporated by reference into this Section of the Trusted Exchange Terms.
5.3 Termination. If Credo’s participation in Exchange under the EULA is terminated for any reason, Customer will no longer have any right to Exchange through CommonWell utilizing Credo’s connection.
6. THE TRUSTED EXCHANGE FRAMEWORK AND COMMON AGREEMENT (TEFCA)
6.1 General. Credo may participate in the Trusted Exchange Framework and Common Agreement, which facilitates electronic health information exchange across the country. As a condition of participation, Credo has agreed to comply with the Participant/Subparticipant Terms of Participation set forth in Exhibit 1 to the then-current Common Agreement for Nationwide Health Information Interoperability, available at https://rce.sequoiaproject.org/tefca-and-rce-resources/, https://rce.sequoiaproject.org/wp-content/uploads/2024/11/Common-Agreement-2.1_ASTP-508.pdf, and as may be published in the Federal Register, including without limitation any subsequent amendments thereto (collectively, the “ToP”) and to obtain Customer’s agreement to the ToP.
6.2 TEFCA ToPs and SOPs. By opting into Exchange under TEFCA, Customer agrees to comply with: (a) the ToP (also available at https://rce.sequoiaproject.org/wp-content/uploads/2024/05/Common-Agreement-v2.0-Exhibit-1_508.pdf), as may be amended from time to time; and (b) all the Standard Operating Procedures applicable to Subparticipants, available at https://rce.sequoiaproject.org/tefca-and-rce-resources/, including without limitation any subsequent amendments or additions thereto (collectively, “SOPs”). Capitalized terms in this Section 6 (The Trusted Exchange Framework and Common Agreement (TEFCA)) that are not specifically defined in this Section are as defined in ToP and the SOPs. Customer agrees that the ToP (as may be amended from time to time by the RCE) is incorporated by reference into this Section of the Trusted Exchange Terms.
6.3 TEFCA Passthrough Exchange Fees. The RCE, other QHINs, and other Participants/Subparticipants in TEFCA may impose additional fees, costs or charges in connection with the Exchange activities under TEFCA (collectively, “TEFCA Passthrough Fees”). Customer is solely responsible for the payment of such TEFCA Passthrough Exchange Fees. To the extent practicable, Credo will use commercially reasonable efforts to inform Customer of any material TEFCA Passthrough Fees in advance. Customer agrees to pay invoices for such TEFCA Passthrough Fees according to the terms of the Agreement.
6.4 Termination. If Credo’s participation in Exchange under TEFCA is terminated for any reason, Customer will no longer have any right to Exchange under TEFCA utilizing Credo’s connection.
[End of agreement]