Skip to main content

General Data Usage Agreement

DATA ACCESS AGREEMENT

This Data Access Agreement ("Agreement") is effective upon the last date of execution ("Effective Date") and is entered into by and between CareQuest Institute for Oral Health, Inc., a Massachusetts not-for-profit corporation on behalf of itself and its subsidiaries ("CareQuest Institute") and ____________________ ("Data Recipient").

CareQuest Institute desires to make available certain de-identified data to Data Recipient solely for the advancement of oral health care, medical care, and social research, evaluation, and advocacy, including dissemination of analytics to improve the oral health care system (the "Purpose").

A. Definitions

1. De-Identified Data. Information that does not identify an individual and with respect to which there is no reasonable basis to believe the information can be used to identify an individual, as determined in accordance with 45 C.F.R. § 164.514(a)--(c). For clarity, De-Identified Data is not Protected Health Information ("PHI*"*).

2. Aggregated Outputs. Analyses, statistics, visualizations, tables, or reports generated from De-Identified Data that do not include row-level records and that meet the disclosure controls in this Agreement.

3. Derivative Materials. Models, algorithms, parameters, and other materials derived from or trained on De-Identified Data that do not contain the underlying De-Identified Data and cannot be used to re-identify individuals.

4. Authorized Users. The Data Recipient personnel identified in Exhibit A (and any subsequently approved personnel) who are authorized to access and use the De-Identified Data solely for the Purpose.

B. Provision of De-Identified Data Ownership

Subject to this Agreement, CareQuest Institute may provide Data Recipient with access to De-Identified Data reasonably necessary for the Purpose.

1. Access. CareQuest Institute grants Data Recipient a limited, non-exclusive, non-transferable, revocable right to access and use the De-Identified Data solely for the Purpose and solely by Authorized Users.

2. Ownership. CareQuest Institute retains all right, title, and interest in and to the De-Identified Data and any CareQuest Institute Confidential Information. No ownership is transferred by this Agreement.

C. Permitted Uses

  • Use the De-Identified Data solely for the Purpose described in the preamble above;

  • Create Aggregated Outputs and Derivative Materials in accordance with Section D;

  • Share Aggregated Outputs and Derivative Materials with Authorized Users on a need-to-know basis for the Purpose.

D. Publication; Disclosure Controls; Derivative Materials

1. Pre-Publication Review. If Data Recipient intends to publish, present, or publicly disclose any Aggregated Outputs or Derivative Materials that reference CareQuest Institute or the De-Identified Data (a "Proposed Publication"), Data Recipient shall provide CareQuest Institute a complete draft at least sixty (60) days prior to submission or disclosure.

CareQuest Institute shall have the right to review, approve, or reject any Proposed Publication in its sole discretion for any reason, including the right to review the Proposed Publication to:
(a) confirm compliance with this Agreement;
(b) remove CareQuest Institute or third-party Confidential Information; or
(c) request reasonable modifications.

CareQuest Institute shall provide its written approval, rejection, or requested revisions within the 60‑day review period.

2. Publication. Data Recipient must represent and describe De-Identified Data accurately and include in any publication an acknowledgement of the use of De-Identified Data and a disclaimer on behalf of Institute substantially equivalent to the following: "Research for this article is based upon data compiled and maintained by CareQuest Institute for Oral Health, Inc. [Author Name(s) is/are] solely responsible for the research and conclusions reflected in this article. CareQuest Institute is not responsible for the conduct of the research or for any of the opinions expressed in this article." Any publication is subject to CareQuest Institute's Authorship and Publishing Guidelines, which will be provided to Data Recipient by CareQuest upon receipt of access to the De-Identified Data.

3. Disclosure Controls. All public disclosures must meet the following minimum standards: (a) no row-level records or sample records; (b) no small cells---counts fewer than eleven (11) must be suppressed or combined; (c) avoid complementary suppression; (d) apply rounding or noise where appropriate to reduce re-identification risk; and (e) do not include indirect identifiers that could reasonably enable re-identification.

4. No Re-Identification. Aggregated Outputs and Derivative Materials shall not be used, alone or in combination with other data, to identify or attempt to identify any individual.

5. Attribution. Publications will acknowledge CareQuest Institute as a data source if agreed upon by CareQuest Institute in writing and subject to CareQuest Institute's branding guidelines.

6. Derivative Materials. Data Recipient may create and use Derivative Materials for the Purpose. Derivative Materials may not be used to create products or services for commercialization or for use with third parties without CareQuest Institute's prior written consent and may not be used to train or fine-tune artificial intelligence models without such consent.

E. Prohibited Uses and Restrictions

1. Re-identification. Attempting to identify any individual represented in the De-Identified Data or contacting any such individual.

2. Onward Disclosure. Selling, licensing, disclosing, or otherwise making available the De-Identified Data to any third party, except as permitted in Section G.

3. Linkage. Combining the De-Identified Data with other datasets for the purpose of re-identification.

4. High-Risk Modeling. Using the De-Identified Data to develop models intended to infer sensitive attributes about identifiable individuals.

F. Information Security Safeguards

Data Recipient shall implement reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the De-Identified Data, including access controls, encryption in transit and at rest where feasible, and secure disposal. Data Recipient shall restrict access to Authorized Users and maintain least-privilege access.

G. Additional Personnel Access

Only after Data Recipient has received written authorization from CareQuest Institute may Data Recipient permit additional personnel who are not Authorized Users to access the De-Identified Data. Such access would be solely to support the Purpose, provided that (i) such access is limited to the minimum necessary; (ii) the personnel is bound by a written agreement with obligations at least as protective as this Agreement (including prohibitions on re-identification and onward disclosure); and (iii) Data Recipient remains responsible for the acts and omissions of its personnel.

H. Unauthorized Use or Security Incident

Data Recipient shall promptly (and in any event within three (3) business days) notify CareQuest Institute of any actual or suspected unauthorized use or disclosure of the De-Identified Data or security incident involving the De-Identified Data. Data Recipient shall cooperate with CareQuest Institute to investigate, mitigate, and remediate any such incident in compliance with applicable law.

I. Platform; Terms of Use and Privacy Policy

1. Access Via Platform. CareQuest Institute may make De-Identified Data available through its Data Exchange Platform (the "Platform"). Data Recipient and its Authorized Users shall comply with the Platform Terms of Use and Privacy Policy, each as updated from time to time. CareQuest Institute may suspend Data Recipient access for violations to protect the security or integrity of the Platform or the De-Identified Data.

2. Precedence. In the event of a conflict between this Agreement and the Platform Terms of Use or Privacy Policy with respect to rights to use the De-Identified Data, this Agreement controls; with respect to Platform conduct and technical requirements, the Platform Terms of Use control. The more privacy-protective provision will prevail in case of doubt.

J. Term and Termination

This Agreement begins on the Effective Date and continues for one (1) year unless earlier terminated. CareQuest Institute may terminate this Agreement without cause at any time upon ten (10) business days written notice to Data Recipient. Either party may terminate upon material breach that remains uncured after written notice and a reasonable cure period specified by the non-breaching party (not less than ten (10) business days). CareQuest Institute may terminate immediately in the event of re-identification or unauthorized disclosure.

Upon termination, Data Recipient shall cease all use of the De-Identified Data and, at CareQuest Institute's option, return or destroy all copies, except as required by law. Any retained copies remain subject to this Agreement until destroyed.

K. Confidentiality

Non-public information disclosed by CareQuest Institute that is marked or reasonably understood to be confidential ("Confidential Information") shall be protected by Data Recipient using at least the same degree of care as it uses to protect its own similar information, but no less than reasonable care. De-Identified Data shall be treated as Confidential Information. Exclusions apply for information that is or becomes public through no fault of Data Recipient, was already known, independently developed, or rightfully received from a third party without duty of confidentiality.

L. Miscellaneous

1. Conflicts. The terms and conditions of this Agreement override and control any conflicting term or condition of any other agreement between the parties relating to De-Identified Data.

2. Amendment. This Agreement (including its Exhibits) may be modified only by a written amendment signed by both parties.

3. Ambiguity. Any ambiguity regarding the use of De-Identified Data shall be resolved in favor of a meaning that furthers privacy and security.

4. Severability. If any provision is held invalid, the remaining provisions remain in full force and effect.

5. Governing Law. This Agreement is governed by the laws of the Commonwealth of Massachusetts, without regard to conflicts-of-law rules.

M. Notices

All notices required or permitted under this Agreement must be in writing and delivered: (a) in person; (b) by electronic mail with confirmation by registered or certified mail placed in the mail reasonably thereafter; (c) by registered or certified mail, return receipt requested; or (d) by an overnight delivery service requiring a receipt of delivery, to the addresses below (or to such other address as a party may designate by notice):

To CareQuest Institute: CareQuest Institute for Oral Health, Inc.

465 Medford Street, Suite #500

Boston, Massachusetts 02129

Attn: Chief Legal Officer

Email: contracts@carequest.org

To Data Recipient: [Insert Party Name]

[Street Address]

[City, State ZIP]

Attn: [Insert Contact/Title]

Email: [Insert Email]

**N. Indemnification **

Data Recipient shall defend, indemnify, and to hold harmless CareQuest Institute, its employees, directors, officers, agents, contractors, advisors, consultants, or any CareQuest Institute affiliate or subsidiary, either directly or indirectly, from any and all liabilities, penalties, claims, causes of action, and demands brought by third parties (including the costs, expenses and legal fees on account thereof) arising, resulting from or relating to: 

1. Data Recipient's breach of this Agreement;

2. Data Recipient's infringement of intellectual property rights of a third party; and

3. Data Recipient's failure to comply with applicable law.

Data Recipient's agreement to defend, to indemnify, and to hold CareQuest Institute harmless applies whether a claim against CareQuest Institute arises out of contract or tort (including strict liability), and regardless of the form of action. 

SIGNATURES

IN WITNESS WHEREOF, the parties have executed this Agreement as of the dates set forth below.

CAREQUEST INSTITUTE: CareQuest Institute for Oral Health, Inc.

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: ________________________________

DATA RECIPIENT: _______________________________

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: ________________________________

Exhibit A

Authorized Users (name, title, affiliation):