RESOLUTION NO. 15-082

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF BEAUMONT:

THAT the City Manager be and he is hereby authorized to execute all documents necessary to enter into a Data Use Agreement between the City of Beaumont and Texas Department of Health and Human Services to provide, give access to, or transmittal of confidential information. The Data Use Agreement is substantially in the form attached hereto as Exhibit "A" and made a part hereof for all purposes.

PASSED BY THE CITY COUNCIL of the City of Beaumont this the 28th day of April, 2015.

HHS Contract No. 2014-044055-001

DATA USE AGREEMENT BETWEEN THE TEXAS HEALTH AND HUMAN SERVICES ENTERPRISE AND

This Data Use Agreement ("DUA"), effective as of the date signed below ("Effective Date"), is entered into by and between the Texas Health and Human Services Enterprise agency Department of State Health Services ("HHS") and B[,rei vfC)1TCl IY fit AE_1 # l iiEA '{:i E1,1 ("CONTRACTOR"), and incorporated into the terms of HHS Contract No. 2014-044055-001 in Travis County, Texas (the "Base Contract").

ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE

The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations with respect to the Confidential Information and the limited purposes for which the CONTRACTOR may create, receive, maintain, use, disclose or have access to Confidential Information. 45 CFR 164.504(e)(2)(i)(A) This DUA also describes HHS's remedies in the event of CONTRACTOR's noncompliance with its obligations under this DUA.
This DUA applies to both Business Associates and contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients as described in the Base Contract.

As of the Effective Date of this DUA, if any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls.

ARTICLE 2. DEFINITIONS

For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C. § 1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments, regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue Code, Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in this DUA are defined as follows:

"Authorized Purpose" means the specific purpose or purposes described in the Scope of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance.

"Authorized User" means a Person: (1) Who is authorized to create, receive, maintain, have access to, process, view, handle,
examine, interpret, or analyze Confidential Information pursuant to this DUA; (2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the Confidential Information; and (3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA.

HHS Data Use Agreement V.8.2 HIPAA Omnibus Compliant February 6, 2015 Page 1 of 11

EXHIBIT "A"

"Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of HHS that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.

"Legally Authorized Representative" of the Individual, as defined by Texas law, including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code § 166.164; Estates Code Ch. 752 and Texas Prob. Code :1.
ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION

Section 3.01 Obligations of CONTRACTOR

CONTRACTOR agrees that:

(A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in a manner that is not expressly an Authorized Purpose under this DUA or as Required by Law. 45 CFR 164.504(e)(2)(i)

(B) CONTRACTOR will not, without HHS's prior written consent, disclose or access to any portion of the Confidential Information to any Person or other entity, other than Authorized User's Workforce or Subcontractors of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management, to carry out the Authorized Purpose or as Required by Law. HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health & Safety Code §181.101

(C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request. 45 C.F.R. 164.308(a)(ii)(C), 164.530(e), 164.410(b)

(D) CONTRACTOR will not, without prior written approval of HHS, disclose or provide access to any Confidential Information on the basis that such act is Required by Law without notifying HHS so that HHS may have the opportunity to object to the disclosure or access and seek appropriate relief. If HHS objects to such disclosure or access,
CONTRACTOR will refrain from disclosing or providing access to the Confidential Information until HHS has exhausted all alternatives for relief. 45 CFR 164.504(a),(t)(e) and (f)

(E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information or De-identified Information, or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501, 164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002

(F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of CONTRACTOR without express written approval of HHS, in advance. HHS prior approval, at a minimum will require that Subcontractor and CONTRACTOR execute the Form Subcontractor Agreement, Attachment 1, which ensures the subcontract contains identical terms, conditions, safeguards and restrictions as contained in this DUA for PHI and any other relevant Confidential Information and which permits more strict limitations; and 45 CFR 164.504(e)(2)(ii)(A), (B), (D) and (e)(5)

(G) CONTRACTOR is directly responsible for compliance with, and enforcement of, all conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR 164.504(e)(5); 42 CFR 431.300, et seq.

(H) If CONTRACTOR maintains PHI in a Designated Record Set,
CONTRACTOR will make PHI available to HHS in a Designated Record Set, or, as directed by HHS, provide PHI to the Individual, or Legally Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacy Regulations. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. 45 CFR 164.524 and 164.504(e)(2)(ii)(F)

(I) CONTRACTOR will make PHI as required by HIPAA available to HHS for amendment and incorporate any amendments to this information that HHS directs or agrees to pursuant to the HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F)

(J) CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528

(K) If CONTRACTOR receives a request for access, amendment or accounting of PHI by any Individual subject to this DUA, it will promptly forward the request to HHS; however, if it would violate HIPAA to forward the request, CONTRACTOR will promptly notify HHS of the request and of CONTRACTOR's response. Unless CONTRACTOR is prohibited by law from forwarding a request, HHS will respond to all such requests. 45 CFR 164.504(e)(2)

(L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308; 164.530(c); 1 TAC 202

(M) Except as otherwise limited by this DUA,
the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use or disclose PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's legal responsibilities if: 45 CFR 164.04(e)(u10)(4)
(1) Disclosure is Required by Law, provided that CONTRACTOR complies with Section 3.01(D);
(2) CONTRACTOR obtains reasonable assurances from the Person to whom the information is disclosed that the Person will:
(a) Maintain the confidentiality of the Confidential Information in accordance with this DUA;
(b) Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the Person; and
(c) Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B)

(N) Except as otherwise limited by this DUA, CONTRACTOR will, if requested by HHS, use PHI to provide data aggregation services to HHS, as that term is defined in the HIPAA, 45 C.F.R. § 164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B)

(O) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, return to HHS or Destroy, at HHS's election, and to the extent reasonably feasible and permissible by law, all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by,
or disclosed to CONTRACTOR, has been Destroyed or returned to HHS, and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, CONTRACTOR acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or HHS record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such return or Destruction is not feasible, and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return of the Confidential Information not feasible for as long as CONTRACTOR maintains such Information. 45 CFR 164-04('9

(P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses. 45 CFR 164.306; 164.530(c)

(Q) If CONTRACTOR transmits, stores, and/or maintains Confidential Information on non-HHS systems or networks, CONTRACTOR completed the HHS initial security assessment at lr :l tilisrx.Iihsc.staCri xtrsJiectciefauit.slitmi to identify and mitigate identified risks prior to execution of this DUA. CONTRACTOR's initial security assessment will document security controls within CONTRACTOR's system that protect HHS Confidential Information. CONTRACTOR will comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk.
CONTRACTOR's security controls will be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. CONTRACTOR will update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and will provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements. 45 CFR 164.306

(R) CONTRACTOR will establish, implement and maintain any and all appropriate procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, and with respect to PHI, as described in the HIPAA Privacy and Security Regulations, or other applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR 164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards); 164.530(c) (privacy safeguards)

(S) CONTRACTOR will designate and identify, subject to HHS approval, a Person or Persons, as Privacy Official 45 CFR 164.530(a)(1) and Information Security Official, each of whom is authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation of the privacy and security requirements in this DUA.
45 CFR 164.308(a)(2)

(T) CONTRACTOR represents and warrants that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further, that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. 45 CFR 164.502; 164.514(d)

(U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms of this DUA, at all times and supply it to HHS, as directed, upon request.

(V) CONTRACTOR will implement, update as necessary, and document reasonable and appropriate policies and procedures for privacy, security and Breach of Confidential Information and an incident response plan for an Event or Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the DUA. 45 CFR 164.308; 164.514(d)

(W) CONTRACTOR will produce copies of its information security and privacy policies and procedures and records relating to the use or disclosure of Confidential Information received from, created by, or received, used or disclosed by CONTRACTOR on behalf of HHS for HHS's review and approval within 30 days of execution of this DUA and upon request by HHS the following business day or other agreed upon time frame. 45 CFR 164.308; 164.514(d)

(X) CONTRACTOR will make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, PHI in accordance with HIPAA and other applicable laws and regulations relating to Confidential Information.
CONTRACTOR will provide such information in a time and manner reasonably agreed upon or as designated by the Secretary, or other federal or state law. 45 C.F.R. 164.504(P,)(I)N

(Y) CONTRACTOR will only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion includes secure File Transfer Protocol (SFTP) or Encryption at an appropriate level or otherwise protected as required by rule, regulation or law. HHS Confidential Information at rest requires Encryption unless there is adequate administrative, technical, and physical security, or as otherwise protected as required by rule, regulation or law. All electronic data transfer and communications of Confidential Information will be through secure systems. Proof of system, media or device security and/or Encryption must be produced to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit or the Discovery of an Event or Breach. Otherwise, requested production of such proof will be made as agreed upon by the parties. De-identification of HHS Confidential Information is a means of security. With respect to de-identification of PHI, "secure" means de-identified according to HIPAA Privacy standards and regulatory guidance. 45 CFR 164.312; 164.530(d)

(Z) CONTRACTOR will comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 07-16;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the DUA;
• Internal Revenue Publication 1075 - Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) 800-66 Revision 1 - An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A - Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special P

c. Name, and provide contact information to HHS for, CONTRACTOR's single point of contact who will communicate with HHS both on and off business hours during the incident response period.

2. 48-Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a time within which Discovery reasonably should have been made by CONTRACTOR of an Event or Breach of Confidential Information, provide formal notification to the State, including all reasonably available information about the Event or Breach, and CONTRACTOR's investigation, including without limitation and to the extent available: For (a) - (m) below: 45 CFR 164.400-414
a. The date the Event or Breach occurred;
b. The date of CONTRACTOR's and
Discovery;
c. A brief description of the Event or Breach, including how it occurred and who is responsible (or hypotheses, if not yet determined);
d. A brief description of CONTRACTOR's investigation and the status of the investigation;
e. ii qtjoL involved;
f. Identification of and number of all Individuals reasonably believed to be affected, including first and last name of the Individual and if applicable the Legally Authorized Representative, last known address, age, telephone number, and email address if it is a preferred contact method, to the extent known or can be reasonably determined by CONTRACTOR at that time;
g. CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHS approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply;
h. CONTRACTOR's recommendation for HHS's approval as to the steps Individuals and/or CONTRACTOR on behalf of Individuals, should take to protect the Individuals from potential harm, including without limitation CONTRACTOR's provision of notifications, credit protection, claims monitoring, and any specific protections for a Legally Authorized Representative to take on behalf of an Individual with special capacity or circumstances;
i. The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate);
j. The steps CONTRACTOR has taken, or will take, to prevent or reduce the likelihood of recurrence of a similar Event or Breach;
k. Identify, describe or estimate of the Persons, Workforce, Subcontractor, or Individuals and any law enforcement that may be involved in the Event or Breach;
l.
A reasonable schedule for CONTRACTOR to provide regular updates to the foregoing in the future for response to the Event or Breach, but no less than every three (3) business days or as otherwise directed by HHS, including information about risk estimations, reporting, notification, if any, mitigation, corrective action, root cause analysis and when such activities are expected to be completed; and
m. Any reasonably available, pertinent information, documents or reports related to an Event or Breach that HHS requests following Discovery.

Section 4.02 Investigation, Response and Mitigation. For A-F below: 45 CFR 164.308, 310 and 312

(A) CONTRACTOR will immediately conduct a full and complete investigation, respond to the Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond, and report as required to and by HHS for incident response purposes and for purposes of HHS's compliance with report and notification requirements, to the satisfaction of HHS.

(B) CONTRACTOR will complete or participate in a risk assessment as directed by HHS following an Event or Breach, and provide the final assessment, corrective actions and mitigations to HHS for review and approval.

(C) CONTRACTOR will fully cooperate with HHS to respond to inquiries and/or proceedings by state and federal authorities, Persons and/or Individuals about the Event or Breach.

(D) CONTRACTOR will fully cooperate with HHS's efforts to seek appropriate injunctive relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any Confidential Information, including complying with reasonable corrective action or measures, as specified by HHS in a Corrective Action Plan if directed by HHS under the Base Contract.
Section 4.03 Breach Notification to Individuals and Reporting to Authorities. Tex. Bus. & Comm. Code §521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities)

(A) HHS may direct CONTRACTOR to provide Breach notification to Individuals, regulators or third-parties, as specified by HHS following a Breach.

(B) CONTRACTOR must obtain HHS's prior written approval of the time, manner and content of any notification to Individuals, regulators or third-parties, or any notice required by other state or federal authorities. Notice letters will be in CONTRACTOR's name and on CONTRACTOR's letterhead, unless otherwise directed by HHS, and will contain contact information, including the name and title of CONTRACTOR's representative, an email address and a toll-free telephone number, for the Individual to obtain additional information.

(C) CONTRACTOR will provide HHS with copies of distributed and approved communications.

(D) CONTRACTOR will have the burden of demonstrating to the satisfaction of HHS that any notification required by HHS was timely made. If there are delays outside of CONTRACTOR's control, CONTRACTOR will provide written documentation of the reasons for the delay.

(E) If HHS delegates notice requirements to CONTRACTOR, HHS shall, in the time and manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's information requests in order to make such notifications and reports.

ARTICLE 5. SCOPE OF WORK

Scope of Work means the services and deliverables to be performed or provided by CONTRACTOR, or on behalf of CONTRACTOR by its Subcontractors or agents for HHS that are described in detail in the Base Contract. The Scope of Work, including any future amendments thereto, is incorporated by reference in this DUA as if set out word-for-word herein.
ARTICLE 6. GENERAL PROVISIONS

Section 6.01 Ownership of Confidential Information

CONTRACTOR acknowledges and agrees that the Confidential Information is and will remain the property of HHS. CONTRACTOR agrees it acquires no title or rights to the Confidential Information.

Section 6.02 HHS Commitment and Obligations

HHS will not request CONTRACTOR to create, maintain, transmit, use or disclose PHI in any manner that would not be permissible under HIPAA if done by HHS.

Section 6.03 HHS Right to Inspection

At any time upon reasonable notice to CONTRACTOR, or if HHS determines that CONTRACTOR has violated this DUA, HHS, directly or through its agent, will have the right to inspect the facilities, systems, books and records of CONTRACTOR to monitor compliance with this DUA. For purposes of this subsection, HHS's agent(s) include, without limitation, the HHS Office of the Inspector General or the Office of the Attorney General of Texas, outside consultants or legal counsel or other designee.

Section 6.04 Term; Termination of DUA; Survival

This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended or amended, this DUA is updated automatically concurrent with such extension or amendment.

(A) HHS may immediately terminate this DUA and Base Contract upon a material violation of this DUA.

(B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the Confidential Information until such time as determined by HHS.

(D) If HHS determines that CONTRACTOR has violated a material term of this DUA,
HHS may in its sole discretion:
1. Exercise any of its rights including but not limited to reports, access and inspection under this DUA and/or the Base Contract; or
2. Require CONTRACTOR to submit to a corrective action plan, including a plan for monitoring and plan for reporting, as HHS may determine necessary to maintain compliance with this DUA; or
3. Provide CONTRACTOR with a reasonable period to cure the violation as determined by HHS; or
4. Terminate the DUA and Base Contract immediately, and seek relief in a court of competent jurisdiction in Travis County, Texas.
Before exercising any of these options, HHS will provide written notice to CONTRACTOR describing the violation and the action it intends to take.

(E) If neither termination nor cure is feasible, HHS shall report the violation to the Secretary.

(F) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration or termination of this DUA until all the Confidential Information is Destroyed or returned to HHS, as required by this DUA.

Section 6.05 Governing Law, Venue and Litigation

(A) The validity, construction and performance of this DUA and the legal relations among the Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas.

(B) The Parties agree that the courts of Travis County, Texas, will be the exclusive venue for any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise out of, or in connection with, or by reason of this DUA.
Section 6.06 Injunctive Relief

(A) CONTRACTOR acknowledges and agrees that HHS may suffer irreparable injury if CONTRACTOR or its Subcontractor fails to comply with any of the terms of this DUA with respect to the Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential Information.

(B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate HHS for CONTRACTOR's or its Subcontractor's failure to comply. Accordingly, CONTRACTOR agrees that HHS will, in addition to any other remedies available to it at law or in equity, be entitled to seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages, to enforce the terms of this DUA.

Section 6.07 Indemnification

C'ONTRAM R N% indemnify, dot t f and hold harmless\uas nd its respectiv Executive lsr' Commissioner, cmplo)ecs, :' thcor}tr:icttx::. asset 1 (including other stcies acting ort behal W1 u IS) 0 other members of its W'ttrk: rce_(eachof the cgoinsthereinaftI to as "Indemnified ern•"`) t all actual and direct iosst , LffCvvcd by the Inc unified Partyia ' ity tea third parties are. " ff'rtun « fn cunt[ critter with any br !t ofthis IitA car many actssicrn, refattd to this DL'AOR or its ettt}loyces, dt •ctors, officers. Sub ntrac[pents or uhcr members of its V+'orknif'. cirlG cl and }told hanntes\'ion u' nt' the fury to insure attclcontinues to to ly even in the es•cnt insura •e cutcrage axituntthe DUA o, 43.se Contract is denied, or cover, e. rights are rc served 6v t) insurance cademand. {'O' I ,iC`T"{)R tiill r n:burse 1III5 far y and :tri ttsssc:s, tiabilittes, otic profits. fies. costs or expens ; {including rest table attottteys' !i t°hiclt Wray for an}' reasc. be impos) . 2d:trnificd Parte h eason of any st 't. claim, action, pros ding or demand by any ird parttent used 'by and whit results from tlt C:ONTRAC OIR-s turc, to meet any of its bligations under thisk;'A.
CONTRACTOR's obligation to defend, indemnify and hold harmless any Indemnified Party will survive the expiration or termination of this DUA.

Section 6.08 Insurance

(A) In addition to any insurance required in the Base Contract, at HHS's option, HHS may require CONTRACTOR to maintain, at its expense, the special and/or custom first- and third-party insurance coverages, including without limitation data breach, cyber liability, crime theft, and notification expense coverages, with policy limits sufficient to cover any liability arising under this DUA, naming the State of Texas, acting through HHS, as an additional named insured and loss payee, with primary and non-contributory status, with required insurance coverage, by the Effective Date, or as required by HHS.

(B) CONTRACTOR will provide HHS with written proof that required insurance coverage is in effect, at the request of HHS.

Section 6.09 Fees and Costs

Except as otherwise specified in this DUA or the Base Contract, including but not limited to requirements to insure and/or indemnify HHS, if any legal action or other proceeding is brought for the enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default, misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each Party will bear their own legal expenses and the other cost incurred in that action or proceeding.

Section 6.10 Entirety of the Contract

This Data Use Agreement is incorporated by reference into the Base Contract and, together with the Base Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of obligations arising under those documents will be valid unless in writing and executed by the party against whom such change, waiver, or discharge is sought to be enforced.
Section 6.11 Automatic Amendment and Interpretation

Upon the effective date of any amendment or issuance of additional regulations to HIPAA, or any other law applicable to Confidential Information, this DUA will automatically be amended so that the obligations imposed on HHS and/or CONTRACTOR remain in compliance with such requirements. Any ambiguity in this DUA will be resolved in favor of a meaning that permits HHS and CONTRACTOR to comply with HIPAA or any other law applicable to Confidential Information.

ARTICLE 7. AUTHORITY TO EXECUTE

The Parties have executed this DUA in their capacities as stated below with authority to bind their organizations on the dates set forth by their signatures.

IN WITNESS HEREOF, HHS and CONTRACTOR have each caused this DUA to be signed and delivered by its duly authorized representative:

TEXAS HEALTH AND HUMAN SERVICES

CONTRACTOR