Skip to main content

Data Usage Agreement for Integrated Medical Claims Processing and Enrollment Analytics.

DATA ACCESS AGREEMENT

This Data Access Agreement ("Agreement") is effective upon last date of execution ("Effective Date") and is entered into by and between CareQuest Institute for Oral Health, Inc., a Massachusetts not-for-profit corporation on behalf of itself and its subsidiaries ("CareQuest Institute") and ____________________ ("Data Recipient").

CareQuest Institute desires to make available certain de-identified data to Data Recipient solely for the advancement of oral health care, medical care, and social research, evaluation, and advocacy, including dissemination of analytics to improve the oral health care system (the "Purpose").

A. Definitions

1. De-Identified Data. Information that does not identify an individual and with respect to which there is no reasonable basis to believe the information can be used to identify an individual, as determined in accordance with 45 C.F.R. § 164.514(a)--(c). For clarity, De-Identified Data is not Protected Health Information ("PHI*"*).

2. Aggregated Outputs. Analyses, statistics, visualizations, tables, or reports generated from De-Identified Data that do not include row-level records and that meet the disclosure controls in this Agreement.

3. Derivative Materials. Models, algorithms, parameters, and other materials derived from or trained on De-Identified Data that do not contain the underlying De-Identified Data and cannot be used to re-identify individuals.

4. Authorized Users. The Data Recipient personnel identified in Exhibit A (and any subsequently approved personnel) who are authorized to access and use the De-Identified Data solely for the Purpose.

B. Provision of De-Identified Data; Ownership

Subject to this Agreement, CareQuest Institute may provide Data Recipient with access to De-Identified Data reasonably necessary for the Purpose.

1. Access. CareQuest Institute grants Data Recipient a limited, non-exclusive, non-transferable, revocable right to access and use the De-Identified Data solely for the Purpose and solely by Authorized Users.

2. Ownership. CareQuest Institute retains all right, title, and interest in and to the De-Identified Data and any CareQuest Institute Confidential Information. No ownership is transferred by this Agreement.

C. Permitted Uses

  • Use the De-Identified Data solely for the Purpose described in the preamble above;

  • Create Aggregated Outputs and Derivative Materials in accordance with Section D;

  • Share Aggregated Outputs and Derivative Materials with Authorized Users on a need-to-know basis for the Purpose.

D. Publication; Disclosure Controls; Derivative Materials

1. Pre-Publication Review. If Data Recipient intends to publish, present, or publicly disclose any Aggregated Outputs or Derivative Materials that reference CareQuest Institute or the De-Identified Data (a "Proposed Publication"), Data Recipient shall provide CareQuest Institute a complete draft at least sixty (60) days prior to submission or disclosure.

CareQuest Institute shall have the right to review, approve, or reject any Proposed Publication in its sole discretion for any reason, including the right to review the Proposed Publication to:
(a) confirm compliance with this Agreement;
(b) remove CareQuest Institute or third-party Confidential Information; or
(c) request reasonable modifications.

CareQuest Institute shall provide its written approval, rejection, or requested revisions within the 60‑day review period.

2. Publication. Data Recipient must represent and describe De-Identified Data accurately and include in any publication an acknowledgement of the use of De-Identified Data and a disclaimer on behalf of Institute substantially equivalent to the following: "Research for this article is based upon data compiled and maintained by CareQuest Institute for Oral Health, Inc. [Author Name(s) is/are] solely responsible for the research and conclusions reflected in this article. CareQuest Institute is not responsible for the conduct of the research or for any of the opinions expressed in this article." Any publication is subject to CareQuest Institute's Authorship and Publishing Guidelines, which will be provided to Data Recipient by CareQuest upon receipt of access to the De-Identified Data.

3. Disclosure Controls. All public disclosures must meet the following minimum standards: (a) no row-level records or sample records; (b) no small cells---counts fewer than eleven (11) must be suppressed or combined; (c) avoid complementary suppression; (d) apply rounding or noise where appropriate to reduce re-identification risk; and (e) do not include indirect identifiers that could reasonably enable re-identification.

4. No Re-Identification. Aggregated Outputs and Derivative Materials shall not be used, alone or in combination with other data, to identify or attempt to identify any individual.

5. Attribution. Publications will acknowledge CareQuest Institute as a data source if agreed upon by CareQuest Institute in writing and subject to CareQuest Institute's branding guidelines.

6. Derivative Materials. Data Recipient may create and use Derivative Materials for the Purpose. Derivative Materials may not be used to create products or services for commercialization or for use with third parties without CareQuest Institute's prior written consent and may not be used to train or fine-tune artificial intelligence models without such consent.

E. Prohibited Uses and Restrictions

1. Re-identification. Attempting to identify any individual represented in the De-Identified Data or contacting any such individual.

2. Onward Disclosure. Selling, licensing, disclosing, or otherwise making available the De-Identified Data to any third party, except as permitted in Section G.

3. Linkage. Combining the De-Identified Data with other datasets for the purpose of re-identification.

4. High-Risk Modeling. Using the De-Identified Data to develop models intended to infer sensitive attributes about identifiable individuals.

F. Information Security Safeguards

Data Recipient shall implement reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the De-Identified Data, including access controls, encryption in transit and at rest where feasible, and secure disposal. Data Recipient shall restrict access to Authorized Users and maintain least-privilege access.

G. Additional Personnel Access

Only after Data Recipient has received written authorization from CareQuest Institute may Data Recipient permit additional personnel who are not Authorized Users to access the De-Identified Data. Such access would be solely to support the Purpose, provided that (i) such access is limited to the minimum necessary; (ii) the personnel is bound by a written agreement with obligations at least as protective as this Agreement (including prohibitions on re-identification and onward disclosure); and (iii) Data Recipient remains responsible for the acts and omissions of its personnel.

H. Unauthorized Use or Security Incident

Data Recipient shall promptly (and in any event within three (3) business days) notify CareQuest Institute of any actual or suspected unauthorized use or disclosure of the De-Identified Data or security incident involving the De-Identified Data. Data Recipient shall cooperate with CareQuest Institute to investigate, mitigate, and remediate any such incident in compliance with applicable law.

I. Platform; Terms of Use and Privacy Policy

1. Access Via Platform. CareQuest Institute may make De-Identified Data available through its Data Exchange Platform (the "Platform"). Data Recipient and its Authorized Users shall comply with the Platform Terms of Use and Privacy Policy, each as updated from time to time. CareQuest Institute may suspend Data Recipient access for violations to protect the security or integrity of the Platform or the De-Identified Data.

2. Precedence. In the event of a conflict between this Agreement and the Platform Terms of Use or Privacy Policy with respect to rights to use the De-Identified Data, this Agreement controls; with respect to Platform conduct and technical requirements, the Platform Terms of Use control. The more privacy-protective provision will prevail in case of doubt.

J. Term and Termination

This Agreement begins on the Effective Date and continues for one (1) year unless earlier terminated. CareQuest Institute may terminate this Agreement without cause at any time upon ten (10) business days written notice to Data Recipient. Either party may terminate upon material breach that remains uncured after written notice and a reasonable cure period specified by the non-breaching party (not less than ten (10) business days). CareQuest Institute may terminate immediately in the event of re-identification or unauthorized disclosure.

Upon termination, Data Recipient shall cease all use of the De-Identified Data and, at CareQuest Institute's option, return or destroy all copies, except as required by law. Any retained copies remain subject to this Agreement until destroyed.

K. Confidentiality

Non-public information disclosed by CareQuest Institute that is marked or reasonably understood to be confidential ("Confidential Information") shall be protected by Data Recipient using at least the same degree of care as it uses to protect its own similar information, but no less than reasonable care. De-Identified Data shall be treated as Confidential Information. Exclusions apply for information that is or becomes public through no fault of Data Recipient, was already known, independently developed, or rightfully received from a third party without duty of confidentiality.

L. Miscellaneous

1. Conflicts. The terms and conditions of this Agreement override and control any conflicting term or condition of any other agreement between the parties relating to De-Identified Data.

2. Amendment. This Agreement (including its Exhibits) may be modified only by a written amendment signed by both parties.

3. Ambiguity. Any ambiguity regarding the use of De-Identified Data shall be resolved in favor of a meaning that furthers privacy and security.

4. Severability. If any provision is held invalid, the remaining provisions remain in full force and effect.

5. Governing Law. This Agreement is governed by the laws of the Commonwealth of Massachusetts, without regard to conflicts-of-law rules.

M. Notices

All notices required or permitted under this Agreement must be in writing and delivered: (a) in person; (b) by electronic mail with confirmation by registered or certified mail placed in the mail reasonably thereafter; (c) by registered or certified mail, return receipt requested; or (d) by an overnight delivery service requiring a receipt of delivery, to the addresses below (or to such other address as a party may designate by notice):

To CareQuest Institute: CareQuest Institute for Oral Health, Inc.

465 Medford Street, Suite #500

Boston, Massachusetts 02129

Attn: Chief Legal Officer

Email: contracts@carequest.org

To Data Recipient: [Insert Party Name]

[Street Address]

[City, State ZIP]

Attn: [Insert Contact/Title]

Email: [Insert Email]

**N. Indemnification **

Data Recipient shall defend, indemnify, and to hold harmless CareQuest Institute, its employees, directors, officers, agents, contractors, advisors, consultants, or any CareQuest Institute affiliate or subsidiary, either directly or indirectly, from any and all liabilities, penalties, claims, causes of action, and demands brought by third parties (including the costs, expenses and legal fees on account thereof) arising, resulting from or relating to: 

1. Data Recipient's breach of this Agreement;

2. Data Recipient's infringement of intellectual property rights of a third party; and

3. Data Recipient's failure to comply with applicable law.

Data Recipient's agreement to defend, to indemnify, and to hold CareQuest Institute harmless applies whether a claim against CareQuest Institute arises out of contract or tort (including strict liability), and regardless of the form of action. 

O. MARKETSCAN DATA

If provided access to certain data provided to CareQuest Institute by Merative US L.P. ("the MarketScan Data"), Data Recipient agrees to comply with the Merative MarketScan Terms and Conditions under Exhibit B.

SIGNATURES

IN WITNESS WHEREOF, the parties have executed this Agreement as of the dates set forth below.

CAREQUEST INSTITUTE: CareQuest Institute for Oral Health, Inc.

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: ________________________________

DATA RECIPIENT: _______________________________

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: ________________________________

Exhibit A

Authorized Users (name, title, affiliation):

Exhibit B

Merative MarketScan Data

a. General Terms

Data Recipient will not:

• use the MarketScan Data or programs, databases, or other information relating to the Data ("MarketScan Documentation") except in connection with the Purpose;

• use the MarketScan Data for any of Data Recipient's own business or educational purposes, except in connection with the Purpose;

• combine, merge, or append the MarketScan Data to data from other parties in any manner;

• duplicate, create, or recreate the MarketScan Data, or permit others to do the same, without Merative's prior written consent;

• duplicate, create, or recreate related materials, or any information contained therein, enhancements, corrections or modifications to the MarketScan Data ("MarketScan Materials"), or permit others to do the same, without Merative's prior written consent;

• host the Data in an environment outside of the CareQuest Institute Platform;

• re-identify, attempt to re-identify, or allow re-identification of any individual (whether a patient, beneficiary, provider, or other person) contained within the MarketScan Data;

• re-identify, attempt to re-identify, or allow the re-identification of, any relative(s), family, or household member(s) of such individual(s), unless required by law;

• re-identify, attempt to re-identify, or allow any re-identification of the entities that are the sources of information that is included within the MarketScan Data;

• aggregate or otherwise combine the MarketScan Data with any other individual patient level, provider level, and/or payer level data or attempt to import into or otherwise link any data or data elements with or into the MarketScan Data subset; or

• use the MarketScan Data or (allow use or access to the MarketScan Data) in a manner that would result in the ingestion within, or training of, generative artificial intelligence or any other artificial intelligence technology; and

• use the MarketScan Data for any other purpose outside of the Purpose.

If the identity of any person, establishment, or organization is discovered inadvertently, then: (a) no use will be made of this knowledge; (b) the information that would identify any person, establishment, or organization will be safeguarded or destroyed; and (c) no one else (other than Data Recipient or CareQuest Institute notifying Merative) will be informed of the discovered identity.

b. Security

Data Recipient will only access the MarketScan Data at or from the CareQuest Institute Platform. Data Recipient may not download the MarketScan Data to their own or any other environment, copy or screenshot the MarketScan Data. Data Recipient agrees to use appropriate safeguards and take all reasonable steps to protect the data from any use, reproduction, publication, or disclosure that is not specifically authorized under CareQuest Institute's agreement with Merative (the "CareQuest MarketScan Agreement") and will report to Merative or CareQuest Institute any known misuse of the MarketScan Data within ten (10) calendar days of discovery.

c. Intellectual Property

Data Recipient agrees the MarketScan Data, MarketScan Materials, MarketScan Documentation, and any modifications to such materials, used, developed, or provided by Merative, are proprietary to Merative and that all applicable rights therein, including all rights to patents, copyrights, and trademarks and other intellectual property rights, are and will remain the sole and exclusive property of Merative, and that title thereto will remain in Merative.

Data Recipient will not; (i) reverse compile/assemble, decrypt, or reverse engineer any MarketScan Materials, (ii) publish any MarketScan Materials, (iii) create any derivative works of MarketScan Materials, or (iv) transfer possession of MarketScan Materials, including any partial copies, to any other party.

d. Confidential Information

Data Recipient will keep the MarketScan Data, MarketScan Documentation, and MarketScan Materials (collectively "Confidential Information") confidential and will instruct all Authorized Users to maintain the same level of confidentiality with respect to the Confidential Information as Data Recipient uses with its own confidential information.

e. Liability and Indemnification

Merative will not be liable for any reason, whatsoever, arising out of the MarketScan Data or Data Recipient's use thereof. Merative's liability herein, from any and all causes, will be solely to CareQuest Institute as provided in the CareQuest MarketScan Agreement.

Information is provided "AS IS" and Merative makes no representations or warranties, either express or implied, with respect to information, including the warranties of merchantability and fitness for a particular purpose. Merative will not be liable for special, incidental, exemplary, indirect, or economic consequential damages, or lost profits, business, value, revenue, goodwill, or anticipated savings. These limitations apply collectively to Merative, its affiliates, contractors, subprocessors, and suppliers.

f. Termination

Data Recipient's right to use the MarketScan Data will terminate upon termination or expiration of the CareQuest MarketScan Agreement. Upon such termination, Data Recipient will destroy the MarketScan Data and any MarketScan Materials and MarketScan Documentation and provide Merative with certification of such destruction.