PDMP-EHR Integration Toolkit: Memorandum of Understanding Guidance
Advancing PDMP-EHR Integration Project
This document was developed by Accenture Federal Services as the contractor leading the Advancing
Prescription Drug Monitoring Programs - Electronic Health Record (PDMP-EHR) Integration
Project under contract #GS-35F-540GA order # HHSP233201800327G. The project team from
Accenture Federal Services served as a contractor to the Office of the National Coordinator for
Health Information Technology (ONC). ONC served as the implementer partner to the Centers for
Disease Control and Prevention (CDC). Funding for this contract award was provided by the CDC.
The PDMP-EHR Integration Toolkit was developed based on lessons learned by the Accenture team
through collaborations with PDMP-EHR integration technical demonstration sites and Clinical
Decision Support Proofs-of-Concept sites that participated in the Advancing PDMP-EHR Integration
Project from 2018 - 2021. The PDMP-EHR Integration Toolkit is supplemented by the Integration
Framework.
The findings and conclusions in this document are those of the authors and do not necessarily
represent the official position of the Centers for Disease Control and Prevention/the Agency for Toxic
Substances and Disease Registry, the Office of the National Coordinator for Health Information
Technology, or the other organizations involved, nor does the mention of trade names, commercial
products, or organizations imply endorsement by the U.S. Government.
Table of Contents
Purpose
Background
Sample MOU Areas of Consideration
Appendix
Purpose
This document translates lessons learned from the Office
of the National Coordinator for Health Information
Technology/Centers for Disease Control and Prevention
(ONC/CDC) Advancing Prescription Drug Monitoring
Program Electronic Health Record (PDMP-EHR)
Integration Project into general Memorandum of
Understanding (MOU) guidance. The MOU Guidance is
one of several documents within the PDMP-EHR
Integration Toolkit and provides key topics and points
for consideration in developing PDMP-EHR data
integration and sharing agreements. The intended
audience for this document is State PDMP
Administrators, to assist them in developing their
PDMP-EHR Integration MOU document for review with
health care systems in their state. This guidance is
designed to be used alongside the MOU template found
in the Appendix of this document.
Background
This document lists key topics often found in MOUs that require careful articulation to support
streamlined data sharing between PDMPs and health care systems, institutions, or vendors. These
topics are collected from conversations and work with State PDMP Administrators pursuing
integration initiatives. Enhanced clarity in MOU language is often necessary because counsel for
health care systems may be unfamiliar with the nuanced application of PDMP data access, use, and
disclosure provisions.
Sample MOU Areas of Consideration
Automatic versus Practitioner Initiated Queries. Some states require each query to be for an
individual patient and to be practitioner initiated. Some states allow health care systems to generate
automated queries to pull PDMP data for patients with appointments the following day.
Storage and Format of the PDMP data. Some states allow storage of the PDMP data in the
patient's medical record within the EHR but may require the health care facility to meet state
requirements regarding how and where data are stored. The permitted format of the stored PDMP
data varies among states. At least one state only allows the storage of PDMP data in the medical record
as a PDF attachment. Other states permit discrete PDMP data elements to be stored in the medical
record, as approved by the State PDMP Administrator. Other states only allow a view of the PDMP
data from within the EHR and prohibit actual storage within the EHR system.
Access/Disclosure of Stored PDMP Data. States should specify which disclosure laws and
policies govern the stored PDMP data. Some states allow the access and disclosure rules that govern
other data in the medical record to also govern the stored PDMP data. These states often deem the
stored PDMP data to be a medical record or medical or health information. The stored PDMP data are
subject to the state and federal privacy and confidentiality policies that govern other such records or
information. It is also advisable for a state to clarify any PDMP disclosure restrictions that it wishes to
retain for the stored PDMP data. For example, proper retrieval of the information contained within a
legal health record requires subpoenas or court orders for use in civil suits or other legal proceedings.
Some states prohibit the State PDMP Administrator from disclosing PDMP data for use in certain civil
proceedings. If a state wants to subject health care systems to a comparable disclosure restriction, the
state should outline the circumstances in which disclosure is prohibited. Additionally, states should
specify which login credentials clinicians may use to request PDMP data. Some states require clinicians
to use their PDMP credentials, while others permit the use of EHR credentials.
Use of the Stored PDMP Data. Health care systems may be
unaware of the numerous differences in data governance
between PDMP laws and policies and other health care laws and
policies. These entities sometimes assume that they and their
clinicians can use PDMP data stored in the medical record as
they would other information in the record. For example, Chief
Medical Officers and Medical Directors sometimes ask if their
institutions can include PDMP data with other patient data
maintained within their EHR systems to conduct analyses of
patient use and prescribing behaviors. Whether such data use is
permitted varies by state. States sometimes prevent the
manipulation of the PDMP data. Other states may authorize the
State PDMP Administrator to permit the use of discrete PDMP
data elements for clinical decision support or patient care
purposes on an individual case basis.
Data Interpretations/Summaries. States generally allow health care clinicians to review and use
interpretations or summaries of PDMP data, such as risk scores. At least one state permits storage in
the medical record of an interpretation or summary with, but not in lieu of, PDMP data. However,
some states have policies or legal opinions that a clinician's review of such an interpretation or
summary does not by itself comply with a state's mandate to review a patient's PDMP data. A state
should clarify whether a clinician's review of a PDMP data interpretation or summary satisfies the
state's mandated PDMP use provision.
Log of PDMP Data Requests. States generally specify the type of information that health care
systems must maintain regarding who has requested PDMP data and when each request was made.
The entities often have to provide the information upon request by the State PDMP Administrator.
Sometimes states also require reporting to the State PDMP Administrator regularly, such as monthly
or quarterly.
Notification of Breaches. States often outline a process by which health care systems have to notify
the State PDMP Administrator of breaches that may impact the receipt and/or storage of PDMP data
in the EHR system. This process usually details notification procedures and the state's authority to
suspend access by an individual clinician or the EHR system's connection to the PDMP pending query.
In addition, the process usually indicates that the state, if necessary, will terminate the clinician's
access or the EHR system's connection.
Required Education and Monitoring. States often require health care institutions to educate
their clinicians about the proper access, disclosure, and use of the PDMP data. Additionally, states
require institutions to properly monitor their clinicians to ensure the clinicians' compliance with all
relevant laws, regulations, and policies. States should require institutions to document that their
clinicians have received the proper instruction so that documentation is readily available to the State
PDMP Administrator upon request.
Required State View of Integrated PDMP Data Display. States need to confirm that the
integrated PDMP data display complies with state statutes, regulations, and implementation
requirements. If states have the authority to view the integration display or expect to take other
reasonable compliance monitoring measures during the integration testing and approval phases, the
state should include those requirements in the MOU. States should also include the authority to take
reasonable measures to investigate complaints or information received regarding the EHR system’s
possible noncompliance.
Appendix
Sample MOU Template
Disclaimer
A sample MOU template is provided below. Readers should consider consulting with an attorney
employed by or contracted by their department or agency for assistance in crafting MOUs or other
agreements to permit integration between PDMPs and health IT systems while complying with
relevant legal and regulatory requirements. This sample MOU is a working draft that does not reflect
any specific state or approved MOU. The sample template is a composite of multiple MOUs from
different states and incorporates common themes that may be helpful to consider when drafting
state and health IT integration agreements.
Template
This data sharing agreement is entered into on _______________ (Effective Date) by and between
the [insert name of appropriate state agency] (Agency) and _______________________,
a company organized under the laws of or authorized to do business in the State of [insert name of
state] (Participant).
SECTION 1. PURPOSE.
This agreement is intended to provide a secure and efficient method by which health care professionals
may access and use PDMP data through Participant’s electronic health record system (EHR).
SECTION 2. DEFINITIONS.
For the purposes of this Agreement, the following words and phrases shall have the meanings given
them in this Section.
(a) “Applicable laws and standards” means all applicable state and federal laws, statutes, acts,
regulations, rules, standards, policies, guidelines, conditions and judicial or administrative rulings,
orders, or opinions. Such laws and standards include, but are not limited to: [insert citations to
appropriate state statutes]; the Health Insurance Portability and Accountability Act of 1996
(HIPAA), Pub. L. No. 104-191 (Aug. 21, 1996), 45 C.F.R. parts 160 and 164 (HIPAA Privacy and Security
Rules); the federal confidentiality law and regulations, 42 U.S.C. § 290dd-2, 42 C.F.R. Part 2;
standards of the Centers for Medicare and Medicaid Services Conditions of Participation; and
standards of accrediting agencies such as the Joint Commission on Accreditation of Health care
Organizations.
(b) “Health care” means health care as defined in [insert citation to §160.103 of HIPAA or
applicable state definition].
(c) “Health care professional” means an individual licensed by the State of [insert name of state]
to provide health care who is employed by or under contract with Participant to provide such care on
behalf of Participant.
(d) “Health record” means [OPTION 1: the record of health care provided to a patient by all
health care professionals involved in the patient’s care that is designed to be accessed
by all such professionals and the patient.] [OPTION 2: insert citation to applicable state
definition.]
(e) “Patient” means an individual who (1) has received or is receiving health care from a health care
professional or (2) who seeks health care from a health care professional and for whom the
professional affirmatively acts to provide such care, or agrees to do so.
(f) “PDMP” means the prescription drug monitoring program established and operated pursuant to
[insert citation to state PDMP statute and regulations].
(g) “PDMP data” means data that are collected, maintained, managed and disclosed by the PDMP.
SECTION 3. GRANT OF RIGHT TO ACCESS THE PDMP.
(a) The Agency grants to Participant a nonexclusive, nontransferable, nonassignable, nonsublicensable,
and limited right to access the PDMP and make PDMP data available through Participant’s
EHR. Participant shall maintain a secure environment in compliance with this Agreement and
applicable laws and standards to connect to the PDMP and to permit access, use and disclosure of
PDMP data through Participant’s EHR.
(b) Participant shall be responsible for all costs associated with the installation, modification and
maintenance of hardware and software necessary to maintain a secure environment. The Agency shall
not levy any service fees or charges for access, use and disclosure of PDMP data pursuant to this
Agreement.
SECTION 4. ACCESS, USE, AND DISCLOSURE OF PDMP DATA IN EHR.
(a) Participant shall only make PDMP data available to its designated non-health care employees,
contractors or agents and health care professionals.
(b) Designated non-health care employees, contractors, or agents:
(i) May access, use, and disclose PDMP data only as necessary to facilitate Participant’s
compliance with this Agreement and applicable laws and standards and
(ii) Shall comply with the terms and conditions of this Agreement and applicable laws and
standards, to the same extent Participant is required to comply.
(c) Health care professionals [OPTION 1: may use EHR credentials provided by Participant to request
PDMP data.][OPTION 2: shall use credentials provided by the PDMP to request PDMP data.] Health
care professionals shall only request PDMP data as required or allowed by applicable laws and
standards and shall submit such requests by one of the following methods:
(i) A health care practitioner may initiate a PDMP request for a single patient or
(ii) Participant may submit a single, automated request for the PDMP data of patients with
appointments at Participant’s location the next business day.
(d) Participant may store the PDMP data in a patient’s health record in a format authorized by the
Agency. PDMP data in a health record may be stored for the same duration as other patient
information stored in that record. At no time during storage shall Participant alter, edit, or modify the
PDMP data. As authorized by the Agency, Participant may copy or incorporate the PDMP data into a
searchable computer program or database for clinical decision support or health care operations as
defined by [insert citation to §164.501 of HIPAA or appropriate state definition of “health
care operations”]. Summaries or interpretations of the PDMP data may be stored with but not in
lieu of the PDMP data. Except as authorized by the Agency, health care professionals shall not use
summaries or interpretations in lieu of PDMP data to comply with applicable laws and standards.
(e) PDMP data stored in a patient’s health record shall be disclosed on the same terms and conditions
as other patient information stored in that record. [Insert any state requirements or
restrictions on how or to whom Participant may disclose the PDMP data.]
SECTION 5. MANAGEMENT AND MONITORING OF PDMP DATA IN EHR.
(a) Participant shall maintain, and provide to the Agency upon its request, a written policy for the
management of PDMP data access, use, and disclosure. The policy shall contain a description of
Participant’s internal procedures for:
(i) Educating designated non-health care employees, contractors or agents and health care
professionals on access, use, and disclosure of PDMP data in compliance with this Agreement
and applicable laws and standards;
(ii) Imposing discipline or sanctions for non-compliant access, use or disclosure of PDMP data;
(iii) Auditing the access, use or disclosure of PDMP data by designated non-health care
employees, contractors or agents and health care professionals and
(iv) Detecting access, use or disclosure by unauthorized individuals or entities.
(b) Participant shall make all reasonable changes to the policy deemed necessary by the Agency for
Participant to maintain a secure environment in compliance with Section 3.
(c) Participant shall provide to the Agency all information and reports that the Agency deems necessary
to monitor and investigate compliance with this Agreement and applicable laws and standards.
Participant shall provide the information and reports as requested by, or on a frequency established
by, the Agency.
(d) Each designated non-health care employee, contractor or agent and health care professional shall
sign a statement acknowledging the responsibility of the employee, contractor, agent or professional
to access, use, and disclose PDMP data in compliance with this Agreement and applicable laws and
standards. Participant shall provide to the Agency upon its request a copy of the signed statement of a
specified employee, contractor, agent or professional.
(e) Participant shall notify the Agency in writing if it detects any access, use or disclosure of PDMP
data by a designated non-health care employee, contractor or agent or health care professional that it
has reason to believe is seriously non-compliant with this Agreement or applicable laws and standards.
Serious non-compliance means access, use or disclosure of PDMP data that:
(i) compromises the confidentiality of the PDMP data,
(ii) adversely affects the operation of the PDMP or
(iii) adversely affects the legal liability of the Agency.
The notice shall be without unreasonable delay and in no case later than [insert X days] following
detection of the possibly serious non-compliance. The notice shall include:
(i) A brief description of the possibly serious non-compliance,
(ii) A description of the PDMP data elements involved in the possibly serious non-compliance
and
(iii) Steps Participant is taking to investigate the possibly serious non-compliance.
Participant shall provide to the Agency investigative findings that:
(i) Indicate whether serious non-compliant access, use or disclosure occurred,
(ii) Outline steps Participant is taking to mitigate any harm, and
(iii) Identify measures being implemented to prevent further instances of serious non-compliance.
(f) Upon receipt of notice pursuant to subsection (e), the Agency shall temporarily suspend the access
to PDMP data of a designated non-health care employee, contractor or agent or health care
professional under investigation by Participant for possibly serious non-compliance. Upon receipt of
findings pursuant to subsection (e), the Agency shall terminate the access to PDMP data of the
employee, contractor, or agent or professional found to be in serious non-compliance. Participant shall
take all reasonable steps to prevent access, use or disclosure of PDMP data by the employee,
contractor, agent or professional whose access has been temporarily suspended or terminated.
(g) If the Agency discovers, other than by Participant’s notice, serious non-compliant access, use or
disclosure by a designated non-health care employee, contractor or agent or health care professional,
the Agency shall terminate the access to PDMP data of that employee, contractor, agent or
professional. The Agency shall notify Participant in writing of its discovery of the serious non-compliance
and the termination of access to PDMP data. The notice shall be without unreasonable
delay and in no case later than [insert X days] following the discovery of the serious non-compliance.
(h) Participant shall notify the Agency in writing if it detects access, use or disclosure by unauthorized
individuals or entities. The notice shall be without unreasonable delay and in no case later than
[insert X days] following detection of the unauthorized access, use or disclosure.
(i) Participant shall notify the Agency in writing if Participant discovers that it has failed to maintain
a secure environment as required by Section 3. The notice shall be without unreasonable delay and in
no case later than [insert X days] following discovery of the failure. Upon receipt of notice, the
Agency shall temporarily suspend Participant’s access to the PDMP. If the Agency discovers, other
than by Participant’s notice, Participant’s failure to maintain a secure environment as required by
Section 3, the Agency shall temporarily suspend Participant’s access to the PDMP. The Agency shall
notify Participant in writing of the Agency’s discovery of the failure and the temporary suspension of
access. Participant shall take, at Participant’s expense, all reasonable steps identified by the Agency to
cure the failure. Participant’s inability to restore a secure environment within [insert X days] after
sending the Agency notice or receiving notice from the Agency pursuant to this subsection may result
in the Agency’s termination of this Agreement pursuant to Section 7.
SECTION 6. TERM OF AGREEMENT.
This Agreement will commence on the Effective Date and will remain in effect for an initial term of
[insert X years]. Thereafter, this Agreement shall automatically renew for successive terms of one
(1) year, unless either the Agency or Participant provides the other with written notice of non-renewal
not less than [insert X days] prior to the expiration date of the then-current term.
SECTION 7. TERMINATION OF AGREEMENT AND EFFECT.
(a) Either the Agency or Participant shall have the right to immediately terminate this Agreement to
comply with any change in applicable laws or standards, or interpretations thereof.
(b) Either the Agency or Participant, upon giving written notice to the other, may terminate this
Agreement if the other breaches any material provision of this Agreement and fails to cure such breach,
or fails to commence and continuously maintain substantial efforts to cure, within [insert X days]
after receipt of written notice from the other.
(c) Either the Agency or Participant, upon [insert X days] prior written notice to the other, may
terminate this Agreement without cause.
(d) Upon termination, Participant’s right to access the PDMP under Section 3 shall immediately cease.
All PDMP data accessed by Participant pursuant to Section 3 shall continue to be stored, accessed,
used, and disclosed pursuant to the terms and conditions of this Agreement.
SECTION 8. INDEMNIFICATION.
Participant shall defend, indemnify and hold harmless the Agency from and against any liability, claim,
action, loss, damage, or expenses, including court costs and reasonable attorneys’ fees, based on any
third-party claims arising out of, or relating to, Participant’s access, storage, use or disclosure of PDMP
data in violation of this Agreement.
SECTION 9. WARRANTIES AND LIMITATION OF LIABILITY.
(a) The Agency makes no warranty that access to the PDMP pursuant to Section 3 will be error-free or
uninterrupted or that all errors will be corrected. No advice or information, whether oral or written,
obtained from the Agency or elsewhere will create any warranty not expressly stated in this Agreement.
(b) The Agency makes no warranty and assumes no liability related to the accuracy, currency, or
completeness of the PDMP data that Participant accesses pursuant to Section 3.
(c) Participant warrants to the best of its knowledge that neither it, nor any of its designated non-health care
employees, contractors or agents or health care professionals, have been convicted of or
otherwise legally found in violation of applicable laws and standards. Participant shall inform the
Agency if at any point during the term of this Agreement such a conviction or legal ruling occurs.
(d) Neither the Agency nor Participant shall be liable to the other or to any third party for any
incidental, indirect, special, punitive, exemplary, or consequential damages arising out of or in
connection with this Agreement.
SECTION 10. GENERAL.
(a) This Agreement shall be binding on the Agency and Participant, their successors and permitted
assigns. Neither the Agency nor Participant shall assign or transfer this Agreement, or any part thereof,
without the prior written consent of the other.
(b) This Agreement does not create in any natural person, corporation, partnership, or organization
any benefits or rights and this Agreement will be effective only as to the Agency and Participant, and
their successors and assigns.
(c) The Agency and Participant are independent contractors. This Agreement shall not establish a
partnership, joint venture, agency or any other relationship between the Agency and Participant.
(d) This Agreement shall be governed by and construed in accordance with the laws of the State of
[insert name of state] without reference to or application of conflict of laws rules or principles.
(e) This Agreement sets forth the entire and only Agreement between the Agency and Participant
related to the subject matter herein. Any representation, promise or condition, whether oral or written,
not incorporated herein shall not be binding upon the Agency or Participant.
(f) This Agreement may be modified, altered, or amended only by express written consent of the
Agency and Participant.
(g) Notice required by this Agreement shall be delivered by (1) certified mail, return receipt requested;
(2) first-class mail, postage prepaid; (3) email transmission; (4) facsimile transmission or (5) express
or overnight carrier. Notice shall be deemed effective when the sender receives delivery confirmation
of the certified mail, email or fax transmission or carrier or [insert X days] after the postmark of any
notice placed into the U.S. mail.
(h) Neither the Agency nor Participant shall be liable for any failure or delay in performing its
obligations under this Agreement beyond its reasonable control, including war, terrorism, riot, acts of
God or governmental action.
(i) Nothing in this Agreement shall be construed to restrict the right of the Agency or Participant to
pursue all remedies available under law for damages or other relief arising from acts or omissions of
the other related to this Agreement, or to limit any rights, immunities, or defenses to which the Agency
or Participant may be entitled under applicable laws and standards. No failure or delay by the Agency
or Participant in exercising its rights under this Agreement shall operate as a waiver of such rights and
no waiver of any right shall constitute a waiver of any prior, concurrent, or subsequent right.
(j) This Agreement may be executed in counterparts, each of which will be deemed an original, but all
of which together will constitute one and the same instrument.
(k) The headings in this Agreement are for the convenience of reference only and have no legal effect.
(l) If for any reason a court of competent jurisdiction finds any provision of this Agreement invalid or
unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible,
and the other provisions of this Agreement will remain in full force and effect.