42 CFR Part 2 Qualified Service Organization Agreement
This Qualified Service Organization Agreement (“QSOA” or “Agreement”) forms part of the agreement between the customer (“Customer,” “you”) and Automate Admits, Inc. (“Automate Admits,” “we”) for the use of the Automate Admits platform (the “Service”). It applies where the Customer operates a program subject to the federal confidentiality regulations at 42 CFR Part 2. You accept this Agreement when you create an account. Capitalized terms not defined here have the meaning given in our Terms of Service.
This QSOA governs Part 2–protected substance use disorder records. It is not a HIPAA Business Associate Agreement (“BAA”); a BAA is entered separately. Where both apply, each governs its own subject matter.
1. Definitions
- “Part 2” means the regulations at 42 CFR Part 2, “Confidentiality of Substance Use Disorder Patient Records,” as amended (including the 2024 Final Rule), and any successor regulation.
- “Part 2 Program” means a federally-assisted program (as defined in 42 CFR §2.11 and §2.12) that holds itself out as providing, and provides, substance use disorder (“SUD”) diagnosis, treatment, or referral for treatment. The Customer represents whether it is a Part 2 Program.
- “Patient Records” or “Records” means records of the identity, diagnosis, prognosis, or treatment of any patient that are maintained in connection with a Part 2 Program and that identify a patient as having or having had an SUD, whether directly or by reference, as protected under Part 2.
- “Patient Identifying Information” has the meaning given in 42 CFR §2.11.
- “Qualified Service Organization” (“QSO”) has the meaning given in 42 CFR §2.11.
2. Designation as a Qualified Service Organization
The Customer designates Automate Admits as a Qualified Service Organization to the Customer’s Part 2 Program. Automate Admits provides communication, messaging, scheduling, storage, data-processing, and related workflow services (including an optional AI agent) to the Customer and, in doing so, may receive, store, process, or otherwise handle Patient Records. This Agreement is the written agreement contemplated by 42 CFR §2.11 for a Qualified Service Organization.
3. Automate Admits acknowledges it is bound by Part 2
Automate Admits acknowledges that in receiving, storing, processing, or otherwise dealing with any Patient Records from the Customer’s Part 2 Program, it is fully bound by the regulations in 42 CFR Part 2. Automate Admits will use and disclose Patient Records only as permitted by Part 2 and only as necessary to provide the Service to the Customer, and it will not redisclose Patient Records except as permitted by Part 2 and this Agreement.
4. Resisting compelled disclosure
If necessary, Automate Admits will resist in judicial proceedings any efforts to obtain access to Patient Identifying Information related to substance use disorder diagnosis, treatment, or referral for treatment, except as expressly permitted by 42 CFR Part 2. Automate Admits will not disclose Patient Records in response to a subpoena, warrant, or other legal process unless disclosure is permitted by Part 2 (including a court order that meets the requirements of Part 2, Subpart E), and will promptly notify the Customer of any such request where lawful.
5. Prohibition on use against the patient
Consistent with 42 CFR §2.12(d) and §2.13, Patient Records and the information they contain may not be used to initiate or substantiate any criminal charges against a patient, or to conduct any criminal investigation of a patient, except as expressly authorized by a court order under Part 2, Subpart E. Automate Admits will not use Patient Records for any purpose other than providing the Service.
6. Permitted uses and disclosures
- Automate Admits uses Patient Records solely to provide, operate, secure, and support the Service for the Customer.
- Automate Admits may disclose Patient Records to its own personnel and subprocessors only as needed to provide the Service, and only where each is bound by confidentiality obligations and by Part 2 to the same extent as Automate Admits.
- Any disclosure that would require patient consent under 42 CFR §2.31, or that relies on an exception in Part 2, is the responsibility of the Customer to authorize and direct; Automate Admits acts only on the Customer’s documented instructions and as permitted by law.
7. Customer responsibilities as the Part 2 Program
- Consent. You are responsible for obtaining and maintaining any patient consent required under 42 CFR §2.31 before entering Patient Identifying Information into the Service, and for ensuring the scope of any disclosure through the Service is within that consent or an applicable Part 2 exception.
- Notice to patients. You are responsible for providing patients the notice of Part 2’s confidentiality requirements and the prohibition on redisclosure (42 CFR §2.32), and your Notice of Privacy Practices as applicable.
- Lawful configuration and use. You are responsible for configuring and using the Service (including messages sent or drafted by the AI agent) in a manner that complies with Part 2, HIPAA, the TCPA, and applicable state law, and for all clinical and admissions decisions.
- Accuracy of status. You are responsible for accurately representing whether you operate a Part 2 Program and for updating us if that changes.
8. Redisclosure prohibition
Patient Records disclosed under this Agreement are protected by Part 2. Recipients are prohibited from redisclosing them except as expressly permitted by the prior written consent of the patient, or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is not sufficient for this purpose.
9. Security and safeguards
Automate Admits maintains technical and organizational measures designed to protect Patient Records, including encryption in transit and at rest, access controls and least-privilege access, salted hashing of passwords, optional two-factor authentication, session timeouts, an access/audit log, signature verification of incoming platform webhooks, and logical isolation of each Customer’s data in our multi-tenant environment. Further detail is on our Security page and in our Data Processing Addendum.
10. Breach and incident notification
Automate Admits will notify the Customer without undue delay after becoming aware of any unauthorized use or disclosure of, or unauthorized access to, Patient Records, and will provide information reasonably available to help the Customer meet its obligations under Part 2, HIPAA, and applicable law.
11. Subprocessors
The Customer authorizes Automate Admits to engage subprocessors to provide the Service, as listed in our Data Processing Addendum. Automate Admits imposes on each subprocessor confidentiality and Part 2 obligations consistent with this Agreement and remains responsible for their performance. We will give notice of intended changes to subprocessors that handle Patient Records.
12. Term, termination & return or destruction
This Agreement takes effect when you create an account and continues while you use the Service. On termination, and at the Customer’s choice, Automate Admits will delete or make available for return the Patient Records in its possession and delete existing copies, unless retention is required by law. Sections 3, 4, 5, and 8 survive termination as to any Patient Records that remain.
13. No agency or care relationship
Automate Admits is a service provider only. It is not a healthcare provider, is not part of the Customer’s care team, and does not provide medical, clinical, or treatment advice. Nothing in this Agreement makes Automate Admits the Part 2 Program or shifts the Customer’s obligations under Part 2 to Automate Admits.
14. Order of precedence & general
If there is a conflict between this Agreement and the Terms regarding Patient Records subject to Part 2, this Agreement controls as to that subject matter. Where a separate BAA applies, each agreement governs its own subject matter. This Agreement is governed by the same law as the Terms.
To request a countersigned copy of this QSOA, or for any Part 2 question, contact privacy@automateadmits.com.