API Access Agreement
BESHP D.B.A. MyAdvocate Medicare Advantage
This API Access Agreement (together with any amendments, the "Agreement") governs your access to and use of any BESHP’s APIs as defined herein. By accessing BESHP’s APIs, you agree to be bound by the terms of this Agreement. You represent and warrant that you are at least 18 years of age and that you possess the legal right and ability to agree to and comply with this Agreement. If you are using the BESHP APIs on behalf of an entity (i.e. an App company), you represent that you have full and proper authority to act on behalf of and bind the entity to this Agreement.
1) Developer Account.
You must establish a Developer Account prior to accessing any APIs. When you establish your Developer Account, BESHP may collect certain information such as contact information (e.g., name, address, telephone number and e-mail address), demographic information (e.g., zip code, organization and / or role), or billing information. You agree to keep all required information updated at all times. BESHP will use such information to provide you with relevant information about the BESHP APIs and contact you when necessary.
2) BESHP APIs.
Below is a description of the BESHP APIs currently available (which could change from time to time at BESHP’s discretion and without notice):
a) Public APIs. Upon establishment of a Developer Account, BESHP makes publicly available certain single patient, standards-based BESHP APIs, typically focused on direct-to¬ consumer and standalone provider facing applications ("Public APIs"). Public APIs include BESHP’s Patient Access API, Provider Directory API and Promoting Interoperability API.
b) Fees. BESHP makes Public APIs available to you free of charge upon your establishment of a Developer Account.
3) BESHP API Access.
a) Limited Right to Access. Subject to your compliance with the terms of this Agreement, BESHP hereby grants to you a limited, revocable, non-exclusive, non-transferable right to access and use the BESHP’s APIs solely as necessary to (i) interoperate with, enable and achieve the access , exchange, or use of electronic health information (ii) The availability of the BESHP’s APIs and specific BESHP API capabilities in locations outside of the United States will be determined in BESHP’s sole discretion and could change from time to time without notice to you.
b) Access Restrictions. The BESHP APIs are proprietary to BESHP and may contain trade secrets. The BESHP APIs are not sold to you. No right to use, print, copy, modify, create derivative works of, display, adapt, translate, distribute, disclose, decompile or reverse engineer the BESHP APIs is granted to you or any third party, except as expressly set forth in this Agreement. You shall not sell, pledge, assign, rent or lease, transfer, or commercialize the BESHP APIs or any derivative works thereof, in whole or in part, or take any action that would result in any third party obtaining any ownership of or other intellectual property rights in or to the BESHP APIs or any portion thereof. BESHP reserves all title and interest in and to the BESHP APIs and all rights not expressly granted hereunder. You may not allow, expose or provide a third-party access to the BESHP APIs without BESHP’s prior written consent in each instance, which may be withheld in BESHP’s sole discretion.
4) Developed Apps.
a) Responsibilities. You accept full responsibility and liability for your Developed App. Without limiting the foregoing, you are solely responsible for the demonstration, pricing, sales support (including product analyst support), licensing, configuration, installation, implement at ion, use, maintenance and technical support of your Developed App. You are solely responsible and liable for all representations, warranties, support and other obligations made by you to any third party related to your Developed App, including claims arising from product liability, breach of warranty, use or misuse of data, and intellectual property infringement.
b) Acknowledgements.
i) Each Developed App must be approved in writing and registered for use before BESHP will enable your Developed App.
ii) It is your sole responsibility to implement your Developed App.
iii) BESHP may use and disclose your performance and usage data relating to the BESHP APIs for any purpose permitted by law so long as the data does not contain protected health information (as defined under HIPAA).
iv) BESHP’s APIs are designed to support real time queries. BESHP may restrict the amount of data returned by certain queries to a specific page size and require you to implement logic to incrementally page through the data set as needed to support application workflow. BESHP’s APIs do support the ability to issue limited concurrent queries to assist you in data retrieval.
v) You will protect all secrets, including OAuth 2 identifiers, which have been assigned to your Developed App. If a secret is leaked, you will notify BESHP immediately so that we can reassign secrets or remove access temporarily while the issue is resolved.
c) Monitoring. BESHP may monitor and audit your use of the BESHP APIs and other activities related to your obligations under this Agreement. BESHP may, in its sole and reasonable discretion, suspend, throttle or otherwise limit your Developed App activity if BESHP reasonably believes (i) your Developed App poses a threat to the operation, stability or security of BESHP or its client's systems, infrastructure or services, or (ii) your Developed App may be compromised, contain viruses, material bugs or other errors.
d) Updates. If BESHP has an Update to a BESHP API, BESHP will issue a public notice of such Update. It is solely your responsibility to ensure that future versions of your Developed App are updated to interoperate with the then current version of the BESHP APIs.
5) Warranties; Disclaimers.
a) Compliance. You are solely responsible for your use of the BESHP APIs and agree to comply with all responsibilities and obligations as stated in this Agreement. You warrant that at all times you will comply with all applicable laws, rules and regulations relating to the use of the BESHP APIs, the BESHP websites and the development, distribution, commercialization, license and use of your Developed App. You warrant that at all times you will comply with the CARIN code of conduct attached hereto as Attachment 1. You further acknowledge and agree that, as it relates to the access and services under this Agreement, you are not a supplier to or downstream business associate (as defined under HIPAA) of BESHP.
b) Virus Warranty. You warrant that your Developed App will not contain or transmit any viruses or other malicious computer instructions, devices, or techniques that can or were designed to threaten, infect, damage, disable, or shut down the BESHP APIs, or any other technology, equipment or computer system.
c) Security. You warrant that you have implemented reasonable security measures, systems, and procedures to (i) ensure the confidentiality, integrity, and availability of all electronic health information your Developed App creates, receives, maintains or transmits, (ii) identify and protect against reasonably anticipated threats or hazards to the security or integrity of your Developed App or the electronic health information, and (iii) protect against reasonably anticipated, impermissible uses or disclosures of the electronic health information. You are responsible for all security obligations applicable to the licensing of your Developed App.
d) Support. You warrant that you will maintain industry standard levels of support for your Developed App, including without limitation, a support guide and process for handling user issues, communications on planned downtime and unplanned events that is readily accessible by users, a policy on operating system patching, adequate support staffing, electronic tracking of issue resolution accessible by users, and an issue escalation process with appropriate service level standards.
e) Functionality. You warrant that: (a) you will use best efforts to ensure that your Developed App does not regularly crash or produce unexpected errors; (b) information displayed by your Developed App does not modify or conflict with information displayed in the Sanford Health’s client's electronic medical record (EMR); (c) your Developed App does not include undocumented or hidden features inconsistent with the description of the Developed App; (d) your Developed App consumes FHIR resources relevant to the documented workflow, filters data effectively, and properly handles changes to the underlying dataset; and (e) your Developed App properly handles EMR-specific events, such as patient context changes and user context changes.
f) Content. You warrant that your Developed App will only include content that you developed or that you have a license or written consent to use in connection with your Developed App. You further warrant that the Developed App, any content or other materials used within the Developed App will not constitute an infringement, misappropriation or other violation of any patent, trademark, copyright, trade secret or other intellectual property right of a third party.
g) Disclaimers. EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS AGREEMENT, EACH PARTY DISCLAIMS ALL WARRANTIES, EXPRESS , IMPLIED, STATUTORY , AND OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPO SE, ANY WA RR ANTY ARISING FROM A COURSE OF DEA LING, USAGE OR TRADE PRACTICE AND ANY IMPLIED WARRANTY OF NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. BESHP DOES NOT WARRANT THAT THE BESHP APIS, SANFORD HEALTH SERVICES OR ANY DATA TRANSMITTED THROUGH USE OF SUCH SERVICES WILL BE ERROR-FREE , UNINTERRUPTED OR AVAILABLE IN ALL TERRITORIES, THAT ALL DEFECTS WILL BE CORRECTED, OR WILL MEET A THIRD PARTY'S REQUIREMENTS OR NEEDS. BESHP DOES NOT REVIEW OR PROVIDE ANY WARRANTY REGARDING THE ACCURACY OR COMPLETENESS OF ANY INFORMATION ENTERED INTO OR TRANSMITTED THROUGH BESHP’S SERVICES. BESHP DOES NOT WARRANT THAT ANY ALERTS OR OTHER INFORMATION PROVIDED THROUGH SANFORD HEATLH SERVICES HAVE THE ABILITY TO IMPROVE THE HEALTH STATUS OF A PATIENT OR SAVE PATIENT LIVES. THE BESHP APIS AND ALL RELATED SERVICES ARE PROVIDED ON AN AS-IS AND AS-AVAILABLE BASIS AND ARE SUBJECT TO TIME DELAYS.
6) Limitation of Liability; Indemnification.
a) Limitation of Liability. IN NO CASE SHALL BESHP BE LIABLE TO YOU OR ANY THIRD PARTY (INCLUDING CLIENTS) FOR ANY SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES BASED UPON BREACH OF WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, STRICT TORT, OR ANY OTHER LEGAL THEORY EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF THE SAME. SUCH EXCLUDED DAMAGES INCLUDE, BUT ARE NOT LIMITED TO, LOSS OF PROFITS, LOSS OF SAVINGS OR REVENUE, LOSS OF USE OF THE BESHP APIS OR THE SYSTEM OF WHICH THEY ARE PART, OR ANY ASSOCIATED DOWNTIME, COST OF CAPITAL, OR THE COST OF ANY SUBSTITUTE PRODUCTS OR SERVICES. BESHP’S MAXIMUM AGGREGATE LIABILITY FOR ALL CLAIMS UNDER THIS AGREEMENT SHALL BE LIMITED TO $1,000.00.
7) Indemnification.
You agree to indemnify, defend and hold BESHP, its officers, directors, employees, agents, information providers and suppliers harmless from and against all third party claims, liabilities, losses, expenses, damages and costs, including reasonable attorney's fees, resulting from (i) any violation by you (or your employees or other agents) of this Agreement, (ii) your Developed App or any use thereof, (iii) any activity related to your access to or use of (A) the BESHP APIs (including infringement of third parties' worldwide intellectual property rights, misappropriation of trade secrets or other proprietary rights or negligent or wrongful conduct ), and (B) your developer account.
8) Trade Secrets.
BESHP does not anticipate exchanging confidential or trade secret information under this Agreement. However, in the event that it becomes necessary for BESHP to disclose trade secret information to you, BESHP will clearly identify such trade secret information in an amendment hereto. You agree to keep such trade secret information strictly confidential. You will (i) only use it for the limited purpose provided to you, (ii) secure and protect it using the same or greater level of care that you use to protect your own trade secret information, which in no event will be less than a reasonable degree of care, and (iii) require your respective employees, agents, attorneys, and independent contractors who have a need to access the trade secret information to be bound by confidentiality obligations sufficient to protect the trade secrets.
9) Miscellaneous Provisions.
a) Names and logos. You may not use or display BESHP’s trademarks, service marks or logos without BESHP’s express prior written permission. If BESHP elects to include your Developed App in BESHP list of approved Apps, and you consent to such inclusion, you grant to BESHP a nonexclusive and nontransferable license to use your logos and trademarks as provided to BESHP for such purpose.
b) Relationship. No joint venture, partnership, employment or agency relationship exists between you and BESHP as a result of this Agreement or use of the Sanford Heatlh Plan APIs. BESHP’s performance of this Agreement is subject to existing laws and legal process, and nothing contained in this Agreement is in derogation of BESHP’s right to comply with governmental, court and law enforcement requests or requirements relating to your use of the BESHP APIs or information provided to or gathered by BESHP with respect to such use.
c) Force Majeure. Neither party shall be liable to the other for failure or delay in the performance of a required obligation (excluding payment obligations) if such failure or delay is caused by strike, riot, fire, flood, natural disaster, epidemic, pandemic or other similar cause beyond such party's reasonable control, provided that such party gives prompt written notice of such condition and resumes its performance as soon as possible.
d) Severability. If any part of this Agreement is determined to be invalid or unenforceable pursuant to applicable law including, but not limited to, any obligations, warranty disclaimers and liability limitations set forth above, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of this Agreement shall continue in effect.
e) Nonexclusive Relationship. The parties acknowledge and agree that this relationship is nonexclusive. Nothing in this Agreement will impair BESHP’s right to develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions or contain the same or similar user interfaces or features as, or otherwise compete with, any Developed App, products, software or technologies that you may develop, produce, market, or distribute. In the absence of a separate written agreement to the contrary, BESHP is free to use any information, suggestions or recommendations provided to BESHP in connection with your use of the BESHP APIs for any purpose, subject to any applicable patents, copyrights or trademarks. BESHP may freely use residuals from information provided by you to BESHP, provided, however, that the right to use residuals does not represent a license under any of your patents, copyrights or trademarks. As used herein, "residuals" means any information in non-tangible form retained in the unaided memories of BESHP employees who have had access to your information pursuant to your use of the BESHP APIs, including ideas, know-how, or techniques contained therein. BESHP shall have no obligation to pay any royalties to you for any resulting work from BESHP’s use of any residuals.
f) Changes. BESHP may add, delete or change its services, including without limitation, the BESHP APIs, at any time without notice to you.
g) Terms and Termination. This Agreement is effective upon your initial use of any BESHP API and shall continue until terminated in accordance with the terms of this Agreement. BESHP may terminate this Agreement upon written notice to you if you breach any material provision of this Agreement and fail within 30 days after receipt of notice of default to correct such. Upon termination of this Agreement for any reason, you shall immediately cease all use of the BESHP APIs.
h) Dispute Resolution. You and BESHP will work cooperatively to resolve any dispute arising out of or relating to this Agreement ("Dispute") amicably at appropriate management levels. If a Dispute remains unresolved and a party wishes to escalate to a formal dispute resolution forum, the party will submit the Dispute to binding arbitration at a site in Nebraska under the Federal Arbitration Act ("FAA") and under the current Commercial Arbitration Rules of the American Arbitration Association, Inc. ("AAA "). The arbitrators will follow the Federal Rules of Evidence. The provisions of this Agreement will control over both the rules and procedures of the FAA, AAA, and Federal Rules of Evidence. No arbitration proceeding will include class action arbitration. The parties will share equally in the fees and expenses of the arbitrators and the cost of the facilities used for the arbitration hearing, but will otherwise bear their respective fees, expenses, and costs incurred in connection with the arbitration. Judgment on any arbitration award, including damages, may be entered and enforced in any U.S. court having jurisdiction. Each party acknowledges that any breach of its obligations with respect to the other party's intellectual property rights will result in an irreparable injury for which money damages will not be an adequate remedy and that the non-breaching party is entitled to injunctive relief in addition to any other relief a court may deem proper.
i) Governing Law. This Agreement is governed by, subject to, and interpreted in accordance with the laws of the State of Nebraska, without regard to its conflicts of laws principles. Use of the BESHP APIs is unauthorized in any jurisdiction that does not give effect to all provisions of this Agreement, including without limitation this paragraph.
j) Miscellaneous. Any cause of action or claim you may have with respect to BESHP must be commenced within one (1) year after the claim or cause of action arises. BESHP’s failure to insist upon or enforce strict performance of any provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the course of conduct between the parties nor trade practice shall act to modify any provision of this Agreement. You may not assign or otherwise transfer this Agreement, or any of your rights or duties hereunder, without the prior written consent of BESHP. BESHP may assign its rights and duties under this Agreement to any party at any time without notice to you. Any attempt to assign this Agreement in violation of this section is null and void.
k) Entire Agreement. This Agreement constitutes the complete and exclusive statement of the terms and conditions between the parties, which supersedes all prior proposals, understandings and all other agreements, oral and written, between the parties relating to the subject matter of this Agreement. This Agreement may not be modified or altered except by a written instrument duly executed by BESHP.
10) Definitions.
a) BESHP APIs means all works of authorship and any other embodiments of Intellectual Property Rights in the set of Application Program Interfaces (APIs) and related underlying technologies, and related BESHP documentation, developed, licensed or acquired by BESHP to define how applications are launched, authorized, authenticated, registered, context is shared, data service endpoints are discovered through use of applicable proprietary and / or FHIR service endpoints, and how Substitutable Medical Applications and Reusable Technologies (SMART) are implemented.
b) Developed App means a software application (including any new versions, upgrades, updates, enhancements, derivative works or other modifications thereto) developed by you which utilizes the BESHP APIs.
c) Developer Account means the account with BESHP that provides you with access to the Public APIs, as more fully set forth in Section 3 of this Agreement.
d) HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended.
e) Updates mean those updates, enhancements and new releases to the BESHP APIs to enhance the security or operation of the BESHP APIs that BESHP makes generally commercially available.
Attachment 1
The CARIN Alliance Code of Conduct
Background: The CARIN Alliance code of conduct represents the consensus view of a group of multi-sector stakeholders that include leading providers, payers, health IT companies, EHR companies, consumer platform companies, consumers, caregivers and others focused on advancing consumer-directed exchange across the U.S. The Code is based on internationally recognized standards including the Code of Fair Information Practices (FIP) (See NCVHS report, “Health Information Privacy Around HIPAA: A 2018 Environmental Scan of Major Trends and Challenges, p.19) and numerous other information sharing accepted principles and practices. The Alliance is working collaboratively with other stakeholders and leaders in government to overcome the policy, cultural, and technological barriers to advancing consumer-directed exchange. The CARIN Alliance envisions a future where any consumer can choose any application or service to retrieve both their complete health record and their complete claims information from any provider or health plan in the U.S. and have that information used, managed, and stored by a third-party application based on the individual’s consent and personal preferences.
Application: The CARIN code of conduct is meant to apply to all consumer-facing applications (defined as technology enabled platforms, services, and tools) that collect personal data and are offered to and used by consumers in the United States, regardless of whether or not they are covered by HIPAA.
Definitions:
- Personal Data: Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data (or Information): Any information relating to a natural person (includes personal data and de-identified and pseudonymized information). • De-identified information: Personal data that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
- Pseudonymized information: “Pseudonymize” or “Pseudonymization” means the processing of personal data in a manner that renders the personal data no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable consumer.
- Use: Use means, with respect to personal data, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
- Disclosure: Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
- Consent: Agreement or permission to do something from someone who has been given full information about the possible effects or results.
The CARIN Alliance Code of Conduct
The CARIN Alliance code of conduct is meant to provide consumers with transparency into how their information is being used and disclosed by their chosen consumer-facing application. As a company or organization that collects information on behalf of consumers, and facilitates the further use and disclosure of that information as authorized by the consumer, we commit to the following:
I. Transparency
We will:
a) Have a privacy policy that is based on industry best practices and is prominent, publicly accessible, and easy to read (i.e., written in lay language) and that addresses all of the issues addressed in this Framework.
b) Ensure our privacy policy specifies our Company’s data collection, consent, use, disclosure, access, security, and retention/deletion practices, including the use and disclosure of personal data as well as of de-identified, or pseudonymized information.
c) Address in our policy when personal data disclosure could have an impact on others (such as the impact of disclosing genetic or family history information on relatives). d) Proactively provide clear updates to users when privacy policies or practices have changed.
e) Use the ONC’s Model Privacy Notice (MPN) and the CARIN questionnaire as a resource when developing the privacy policies of the application
f) Be clear with users regarding whether personal data is collected, or it is disclosed to third parties, on a one-time basis or persistently collected (and if so, for what duration) and allow the user rights to change those options consistent with our consent policies.
g) Be clear with users regarding their rights (or lack thereof) to change or annotate personal data or to disclose portions of their personal data and whether any such changes, annotations, or notices of lack of completeness are communicated to any downstream recipients authorized by the user.
h) Explain what will happen to the user’s personal data after they withdraw their consent if the user does not exercise his or her right to have the personal data securely disposed of
i) Specify in the privacy policy what will happen to a user’s personal data in the event of a transfer of ownership or in the case of a company ending or selling its business, and provide the user with at least one of the following options: (i) securely dispose of, transmit, or download their personal data, (ii) ensure the successor entity commitments are consistent with the organization’s then-existing privacy policy, or (iii) allow the user the option to close their account.
j) Be clear with users regarding our policies regarding dormant or closed accounts.
II. Consent
We will:
a) Avoid default personal data sharing by obtaining informed, proactive consent from users in advance of personal data disclosure with such consent clearly describing how user personal data will be collected, used and disclosed.
b) Obtain separate, informed, proactive opt-in consent to use or disclose personal data from any individual or other individual identified in the personal data for marketing purposes. (For example, Individual A’s consent does not extend to Individual B who may be referenced in Individual A’s personal data.)
c) Comply with the Children’s Online Privacy Protection Act that is defined by applicable law.
d) Provide users with advance notice of our privacy policy changes and allow the user to affirm their consent to the updated privacy policy changes in order to continue to use and disclose their personal data with the application or give user the option to withdraw consent or close the account.
e) Provide users with an easy process for how to withdraw their consent with the application used to access personal data and clearly communicate those processes.
f) Allow the user to always indicate the destination for disclosing their personal data.
III. Use & Disclosure
We will:
a) Contractually bind third-party vendors and contractors to our commitments to users regarding use or disclosure of user data (pursuant to Section 1b of the Code) and prohibit uses or disclosures of user data for any purposes not consistent with those commitments without informed, proactive consent from the user.
b) Except for the contracted third-party vendors identified above, or as required by law, prohibit the use or disclosure of user personal data without user consent.
c) Limit the collection of personal data to only what the user has expressly consented that the application can collect.
d) Collect, use, and disclose personal data in ways that are consistent with reasonable user expectations given the context in which the users provided (or authorized the provision of) the health information.
IV. Individual Access
We will:
a) Provide the ability for users to access all personal data about the user collected by the application and a clear, easy process for requesting corrections to any inaccurate data.
b) Establish and clearly communicate to users clear policies for how the application will handle personal data it collects that may not be timely, accurate, relevant, or complete.
c) Upon user request, securely dispose of the user’s personal data completely and indefinitely to allow the user the “right to be forgotten” with respect to any future uses or disclosures of user’s personal data.
V. Security
We will:
a) Follow safeguards consistent with the responsible stewardship associated with protection of a user’s personal data against risks such as loss or unauthorized access, use, alteration, destruction, unauthorized annotation, or disclosure.
b) Store and retain personal data in a manner consistent with the best practices associated with the protection of personal data.
c) Protect personal data through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements and contractual obligations, and accountability measures (e.g., access controls and logs and independent audits) that could be made available to the user.
d) Comply with applicable breach notification laws and provide meaningful remedies to address security breaches, privacy, or other violations incurred because of misuse of the user’s personal data.
e) On behalf of our users, request a copy of their health data from the HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by 1) relying on a health care provider or health plan portal identity credential using SMART or accept a digital identity credential for the user that is at least NIST Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2) and 2) clearly indicating the destination for sending the personal data.
f) Adopt internal policies and secure contractual commitments with third parties to prohibit the re- identification of de-identified or anonymized data.
g) Establish and implement a policy for how to handle dormant user accounts.
VI. Provenance
We will:
a) Where possible, as data is changed, continue to maintain the provenance of the data to provide users, their caregivers, and authorized recipients information about who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.
VII. Accountability
We will:
a) Comply with all applicable federal and state laws.
b) Designate a responsible executive officer within the company who is committed to these data principles and ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.
c) Establish and clearly communicate a process for collecting and responding to user complaints.
d) Train our staff on these principles and ensure compliance by regularly evaluating our performance internally.
e) Notify the public when we have received any certification or accreditation from any independent certifying organizations (and indicate the timing/duration of such certifications). In addition to the above commitments that give meaning to the Code of Fair Information Practices, we agree to support the vision of the CARIN Alliance as follows:
VIII. Education
We will:
a) Inform users about their personal data disclosure choices and the consequences of those choices including the risks, benefits, and limitations of data disclosure by providing educational materials ourselves or pointing to appropriate third-party resources.
BESHP, Inc. (D.B.A. MyAdvocate Medicare Advantage), is an HMO-POS plan with a Medicare contract. Enrollment in BESHP, Inc. depends on contract renewal. BESHP, Inc. complies with applicable federal civil rights laws and does not discriminate, exclude or treat people differently on the basis of race, color, national origin, religion, pregnancy and related conditions, sex (including sexual orientation, gender identity, sex stereotypes, sex characteristics and intersex traits), age, disability, health status, marital status, arrest or conviction record or military participation in the administration of the plan, including enrollment and benefit determinations.
CMS ID Number: H0816_MyAMAWebsite_07-25_NE_M
2025 MyAdvocate Medicare Advantage (BESHP, Inc.). All rights reserved.
Last Updated On: 12.9.2025 at 10:00 AM