42 CFR Part 2 Qualified Service Organization Agreement

Last updated: July 11, 2026

This Qualified Service Organization Agreement (“QSOA” or “Agreement”) forms part of the agreement between the customer (“Customer,” “you”) and Automate Admits, Inc. (“Automate Admits,” “we”) for the use of the Automate Admits platform (the “Service”). It applies where the Customer operates a program subject to the federal confidentiality regulations at 42 CFR Part 2. You accept this Agreement when you create an account. Capitalized terms not defined here have the meaning given in our Terms of Service.

This QSOA governs Part 2–protected substance use disorder records. It is not a HIPAA Business Associate Agreement (“BAA”); a BAA is entered separately. Where both apply, each governs its own subject matter.

1. Definitions

2. Designation as a Qualified Service Organization

The Customer designates Automate Admits as a Qualified Service Organization to the Customer’s Part 2 Program. Automate Admits provides communication, messaging, scheduling, storage, data-processing, and related workflow services (including an optional AI agent) to the Customer and, in doing so, may receive, store, process, or otherwise handle Patient Records. This Agreement is the written agreement contemplated by 42 CFR §2.11 for a Qualified Service Organization.

3. Automate Admits acknowledges it is bound by Part 2

Automate Admits acknowledges that in receiving, storing, processing, or otherwise dealing with any Patient Records from the Customer’s Part 2 Program, it is fully bound by the regulations in 42 CFR Part 2. Automate Admits will use and disclose Patient Records only as permitted by Part 2 and only as necessary to provide the Service to the Customer, and it will not redisclose Patient Records except as permitted by Part 2 and this Agreement.

4. Resisting compelled disclosure

If necessary, Automate Admits will resist in judicial proceedings any efforts to obtain access to Patient Identifying Information related to substance use disorder diagnosis, treatment, or referral for treatment, except as expressly permitted by 42 CFR Part 2. Automate Admits will not disclose Patient Records in response to a subpoena, warrant, or other legal process unless disclosure is permitted by Part 2 (including a court order that meets the requirements of Part 2, Subpart E), and will promptly notify the Customer of any such request where lawful.

5. Prohibition on use against the patient

Consistent with 42 CFR §2.12(d) and §2.13, Patient Records and the information they contain may not be used to initiate or substantiate any criminal charges against a patient, or to conduct any criminal investigation of a patient, except as expressly authorized by a court order under Part 2, Subpart E. Automate Admits will not use Patient Records for any purpose other than providing the Service.

6. Permitted uses and disclosures

7. Customer responsibilities as the Part 2 Program

8. Redisclosure prohibition

Patient Records disclosed under this Agreement are protected by Part 2. Recipients are prohibited from redisclosing them except as expressly permitted by the prior written consent of the patient, or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is not sufficient for this purpose.

9. Security and safeguards

Automate Admits maintains technical and organizational measures designed to protect Patient Records, including encryption in transit and at rest, access controls and least-privilege access, salted hashing of passwords, optional two-factor authentication, session timeouts, an access/audit log, signature verification of incoming platform webhooks, and logical isolation of each Customer’s data in our multi-tenant environment. Further detail is on our Security page and in our Data Processing Addendum.

10. Breach and incident notification

Automate Admits will notify the Customer without undue delay after becoming aware of any unauthorized use or disclosure of, or unauthorized access to, Patient Records, and will provide information reasonably available to help the Customer meet its obligations under Part 2, HIPAA, and applicable law.

11. Subprocessors

The Customer authorizes Automate Admits to engage subprocessors to provide the Service, as listed in our Data Processing Addendum. Automate Admits imposes on each subprocessor confidentiality and Part 2 obligations consistent with this Agreement and remains responsible for their performance. We will give notice of intended changes to subprocessors that handle Patient Records.

12. Term, termination & return or destruction

This Agreement takes effect when you create an account and continues while you use the Service. On termination, and at the Customer’s choice, Automate Admits will delete or make available for return the Patient Records in its possession and delete existing copies, unless retention is required by law. Sections 3, 4, 5, and 8 survive termination as to any Patient Records that remain.

13. No agency or care relationship

Automate Admits is a service provider only. It is not a healthcare provider, is not part of the Customer’s care team, and does not provide medical, clinical, or treatment advice. Nothing in this Agreement makes Automate Admits the Part 2 Program or shifts the Customer’s obligations under Part 2 to Automate Admits.

14. Order of precedence & general

If there is a conflict between this Agreement and the Terms regarding Patient Records subject to Part 2, this Agreement controls as to that subject matter. Where a separate BAA applies, each agreement governs its own subject matter. This Agreement is governed by the same law as the Terms.

To request a countersigned copy of this QSOA, or for any Part 2 question, contact privacy@automateadmits.com.