The DURSA is a comprehensive, multi-party trust agreement that is entered into voluntarily by public and private organizations (eHealth Exchange participants) that desire to engage in electronic health information exchange with each other as part of the eHealth Exchange.
The DURSA builds upon the various legal requirements that participants are already subject to and describes the mutual responsibilities, obligations and expectations of all participants under the Agreement. All of these responsibilities, obligations and expectations created a framework for safe and secure health information exchange, and are designed to promote trust among participants and protect the privacy, confidentiality and security of the health data that is shared.
The DURSA is based upon the existing body of law (federal, state, local) applicable to the privacy and security of health information and is supportive of the current policy framework for health information exchange. The DURSA is intended to be a legally enforceable contract that represents a framework for broad-based information exchange among a set of trusted entities. The Agreement reflects consensus among the state-level, federal and private entities who were involved in the development of the DURSA regarding the following issues:
- Multi-Party Agreement
- Participants Actively Engaged in Health Information Exchange
- Privacy and Security Obligations
- Requests for Information Based on a Permitted Purpose
- Duty to Respond
- Future Use of Data Received from Another Participant
- Respective Duties of Submitting and Receiving Participants
- Autonomy Principle for Access
- Use of Authorizations to Support Requests for Data
- Participant Breach Notification
- Mandatory Non-Binding Dispute Resolution
- Allocation of Liability Risk
Approved & Amended eHealth Exchange DURSA
- DURSA Amendment Executable
- Effective 2/1/2020
- Existing Participants should:
- Sign page 35 of 50: Sign the right-side of the page, listing your organization as the “Participant Name.”
- Populate page 38 of 50: List the individuals who should receive any official notifications.
- Do not populate pages 43 & 44 of 50: Please leave Attachment 7 (Joinder Agreement) as-is since this section would be for a brand-new Participant joining the eHealth Exchange.
- Do no populate page 50 of 50: Please leave Attachment 8 (Business Associate Agreement) as-is since this is simply an optional BAA template your organization probably will never use. Your organization might use it some day in the unlikely event you and another Participant determine the DURSA doesn’t address PHI disclosures due to some very unusual circumstance and you needed a bare-bones BAA template that didn’t include often-seen BAA terms not required by HIPAA.
- Email the signed and scanned agreement before 1/31/2020 to firstname.lastname@example.org and await a countersigned agreement.
- DURSA Amendment Redlined– Effective 2/1/2020; This document identifies items that have changed since the last version your organization signed the DURSA.
- DURSA Reference Packet
- DURSA Policy Assumptions
Amendment History & Process Schedule:
- On 8/13/2019, the Coordinating Committee recommended Participants approve the following amended DURSA
- September 2019: Participants were educated regarding then-proposed DURSA changes via meetings and other mediums.
- October 1, 2019 through November 30, 2019: Participants voted to amend the DURSA.
- December 1, 2019 through January 31, 2020: Every Participant must sign the amendment to the DURSA prior to the effective date of the amendment or have their network participation automatically terminated (required by the DURSA and Operating Policy and Procedure #3).
- February 1, 2020: New DURSA version effective date.