HomeMy WebLinkAboutRES 21-171RESOLUTION NO. 21-171
BE IT RESOLVED BY THE CITY COUNCIL
OF THE CITY OF BEAUMONT:
THAT the City Manager be and he is hereby authorized to execute all documents
necessary to enter into a Memorandum of Understanding with the Texas Department of
State Health Services (DSHS) to treat and control the spread of infectious disease
across Texas through the United States Federal Government 340B Drug Pricing
Program, Said Memorandum of Understanding is substantially in the form attached
hereto as Exhibit "A" and made a part hereof for all purposes.
The meeting at which this resolution was approved was in all things conducted in
strict compliance with the Texas Open Meetings Act, Texas Government Code, Chapter
551
PASSED BY THE CITY COUNCIL of the City of Beaumont this the 20th day of
July, 2021.
- Mayor Pro dwin Samuel -
TEXAS
v Texas Department of State Health Services
bV Health and Human
Services John Hellerstedt, M.D.
Commisslone,
Federal3408 Drug Discount Program Assurance Form
Beaumont Public Health Dept. (Participating Clinic's Full Legal Name
Including dba) makes the following assurances in support of its participation
In the Federal 340B Drug Discount Program (the "Program"):
1. Utilize Department of State Health Services' (DSHS) Central
Distribution Model for all Program medications, made available through
DSHS' Inventory Tracking Electronic Asset Management System
(ITEAMS) platform.
2. DSHS' Medications, Pharmacy Branch will order, receive and distribute
medications to authorized sub -grantees.
3. Signed a Memorandum of Understanding with DSHS to participate In
the Program, agreeing to all terms and conditions.
4. Comply with all Program requirements set by federal and state laws,
rules and regulations, the Health Resources and Service Administration
(HRSA) and DSHS.
By signing below, designee acknowledges they have the requisite authority
to execute this form on behalf of the named party.
Signature of Program Designee Date
or Printed Name
P.O. Boa 149347 • Austin, Texas 78714-9347 • Phone: 888-963-7111 • TTY: 800-735-2989 • dshs.texas.gm
EXHIBIT "A"
MEMORANDUM OF UNDERSTANDING
FOR CENTRAL DISTRIBUTION MODEL PARTICIPANTS
DSHSCONTKACr No. HHS001031800004
This Memorandum of Understanding (MOU), is between Department of State Health Services
(DSHS) and Beaumont Public Health Department (Clinic), each a "Party" and collectively "Parties"
to this MOU to treat and control the spread of infectious disease across Texas through the U.S. federal
government 340B Drug Pricing Program (the "Program").
1. Purpose
Establish roles and responsibilities concerning Parties' compliance with the Program, while
providing listed medications available through DSHS' Inventory Tracking Electronic Asset
Management System ([TEAMS) platform.
2. Joint Responsibilities
2.1 Ensure policies and procedures align with Program guidelines and expectations of
compliance;
2.2 Monitor and track medication from DSHS Pharmacy Branch to patient receipt; and
2.3 Ensure all policies and prmedums are implemented and adhered to.
3. DSHS Responsibilities
3.1 Create, review and update policies and procedures to ensure compliance of Program;
3.2 Purchase medications for the treatment of sexually transmitted diseases (STDs) and
tuberculosis (TB) with state and federal fonds allocated for specific public health purposes
that are administered and dispensed in compliance with Program regulations, as authorized
by the Texas Health and Safety Code, Chapters 81, 85 and 1001;
3.3 Review, approve and monitor Clinic's registration in Office of Pharmacy Affairs
Information System (OPAIS);
3.4 May review and approve the eligibility for each Clinic location to participate in Program;
3.5 Ensure TB medications provided are through local, pre -authorized health department and
entities;
3.6 Provide education concerning Program compliance to Clinic through initial and ongoing
trainings by submitting information on how to sign-up for the Apexus PVP Program, a
Health Resources and Services Administration (HRSA) contractor for further education;
3.7 Monitor and support Clinic on all compliance elements of the Program addressed in the
policies outlined by the DSHS HIV/STD Program, which can be accessed at.
littys�//Nvww.dstis.texas.gov/hivstd/i)oI icy/; and
3.8 Monitor and supportClinic on all compliance elements of the Program addressed in the policies
outlined by the DSHS Tuberculosis and Hansen's Disease Branch in the Texas Tuberculosis Work
Plan, which can be accessed at: https'Hwww.dshs.texas.gov/idcti/discase/(b/policic .
DSHS Conlrect No. HHS001031800D04 Page 1 or9
4. Clinic Responsibilities
4.1 Determine eligibility of participation in the Program for each Clinic location;
4.2 Obtain medications through ITEAMS platform for outpatient treatment of STDs or for TB
services and medications;
4.3 Distribute medications at no charge to uninsured, eligible patients;
4.4 Ensure medications are used only for the treatment of STDs and TB;
4.5 Ensure medications from the Program are not sold or exchanged to any individual or entity;
4.6 Maintain a Class D pharmacy license; Clinics without a Class D Pharmacy license are only
permitted to order medications under a physician's license for direct administration to
patients onsite and for patient -delivered partner therapy using single -dose oral medications
for chlamydis and gonorrhea. i.e. azithromycin and cefixime.
4.7 Designate a staff member who oversees the ordering, provision, reconciliation and
reporting of medications obtained through the ITEAMS platform, with reconciliation of
the medications occurring prior to the last day of each month;
4.8 Maintain a tangible or electronic tracking -log documenting the following information for
each medication distributed:
4.8.1 Link to the patient to ensure that it is administered or dispensed to an eligible patient
of clinical services in an outpatient setting;
4.8.2 The National Drug Code (NDC);
4.8.3 Total quantity of medication dispended or administered; and
4.8.4 Reconciled medication inventory.
4.9 Maintain records of Program information establishing appropriate use of each Program
medication -- as records may be requested and audited by DSHS or for an internal review
at any time to ensure compliance. Records include, but are not limited to: billing records,
medication tracking logs, and relevant patient records;
4.10 Ensure all Program medications for treatment of STDs comply with current policies and
procedures outlined by the DSHS HIV/STD Program, which can be accessed at:
haos //www.dshs.texas.gov/liivstd/policy ;
4.11 Ensure all Program medications for T 3 services comply with current policies and
procedures outlined by the DSHS Tuberculosis and Hansen's Disease Branch in the Texas
Tuberculosis Work Plan, which can be accessed at:
hllps'Hwww dshs texas eov/idcu/discase/lb/policies/;
4.12 Develop and implement policies and procedures for Program medication tracking and
distribution that are accessible to DSHS. Clinic may adopt guidance from DSHS or create
their own so long as they follow Program guidelines and do not contradict DSHS' Program
policies and procedures; and
4.13 Register as a covered entity in OPAIS database, maintaining registration each year this
contract is enforceable, using the DSHS Program grant number for each program for which
Clinic receives funding or in -kind contributions from DSHS. The OPAIS database can be
accessed at: htlos'//340boyais.hrsa.gov/.
DSHS CON� No. HHS001031800004 Page 2 of 9
5. Duration and Termination
This MOU will commence on September I, 2021 or on the last date of signature by the Parties
to sign this MOU, whichever is later, and terminates on August 31, 2023, with the option to
renew, by written agreement, in one-year increments, not exceeding a total of five years.
Either Party may terminate this MOU upon providing 30 calendar days' advance written notice
to the other Party.
6. Additional Terms and Conditions
6.1 Confidentiality.
6.1.1 Clinic will comply with the Privacy, Security and Breach Notification incorporated
into this MOU as Attachment B.
6.1.2 Clinic will maintain confidentiality and not disclose to third parties without DSHS'
prior written consent, and any DSHS information including but not limited to DSHS
Data, business activities, practices, systems, conditions and services. This section
will survive termination or expiration of this MOU. The obligations of Clinic under
this section will survive termination or expiration of this MOU.
6.1.3 All confidential information requirements must be included in all subcontract
awarded by Clinic.
6.2 DSHS Data.
6.2.1 As between the Parties, all data and information acquired, accessed, or made
available to Clinic by, through, or on behalf of DSHS or DSHS contractors,
including all electronic data generated, processed, transmitted, or stored by Clinic
in the course of providing data processing services in connection with Clinic's
performance hereunder (the "DSHS Data"), is owned solely by DSHS
6.2.2 Clinic has no righthas no right or licenseto use,analyze, aggregate, transmit, create
derivatives of, copy, disclose, or process the DSHS Data except as required for
Clinic to fulfill its obligations under the Contract or as authorized in advance in
writing by DSHS
6.2.3 For the avoidance of doubt, Clinic is expressly prohibited from using, and from
permitting any third party to use, DSHS Data for marketing, research, or other non-
governmental or commercial purposes, without the prior written consent of DSHS
6.2.4 Clinic shall make DSHS Data available to DSHS, including to DSHS' designated
vendors, as directed in writing by DSHS. The foregoing shall be at no cost to DSHS.
6.2.5 Furthermore, the proprietary nature of Clinic's systems that process, store, collect,
and/or transmit the DSHS Data shall not excuse Clinic's performance of its
obligations hereunder.
6.3 No Cost. This is a "no cost" agreement; the Comptroller shall not be obligated to make any
payments of any amounts to Clinic or other parties as a result of this MOU. Any costs and
DSHS COMMd No. HHS001031a00004 Page 3 .179
expenses incurred under the terms of this MOU will be paid by the Party incurring the cost
or expense. No funds appropriated to either Party will be exchanged under this MOU.
6.4 Public Information Act. Information, documentation and other material related to this
MOU may be subject to public disclosure pursuant to Chapter 552 of the Tex. Gov't Code
(the "Public Information Act' or "PIA'. In accordance with Tex. Gov't Code section
2252.907, Local Government is required to make any information created or exchanged
with DSHS pursuant to this MOU, and not otherwise excepted from disclosure under the
PIA, available in a format that is accessible by the public at no additional charge to DSHS.
6.5 Record Maintenance and Retention.
6.5.1 Clinic shall keep and maintain under GAAP or GASB, as applicable, full, true, and
complete records necessary to fully disclose to the DSHS, the Texas State Auditor's
Office, the United States Government, and their authorized representatives'
sufficient information to determine compliance with the terms and conditions of
this Contract and all state and federal rules, regulations, and statutes.
6.52 Clinic shall maintain and retain legible copies of this Contract and all records
relating to the performance of the Contract including supporting fiscal documents
adequate to ensure that claims for contract funds are in accordance with applicable
State of Texas requirements. These records shall be maintained and retained by
Clinic fora minimum of seven (7) years after the Contract expiration date or seven
(7) years after the completion of all audit, claim, litigation, or dispute matters
involving the Contract are resolved, whichever is later.
6.6 DSHS' Right to Audit.
6.6.1 Clinic shall make available at reasonable times and upon reasonable notice, and for
reasonable periods, work papers, reports, books, records, supporting documents
kept current by Clinic pertaining to the Contract for purposes of inspecting,
monitoring, auditing, or evaluating by DSHS and the State offexas
6.6.2 In addition to any right of access arising by operation of law, Clinic and any of
Clinic's affiliate or subsidiary organizations, or Subcontractors shall permit the
DSHS or any of its duly authorized representatives, as well as duly authorized
federal, state or local authorities, unrestricted access to and the right to examine
any site where business is conducted or Services are performed, and all records,
which includes but is not limited to financial, client and patient records, books,
papers or documents related to this Contract. If the Contract includes federal funds,
federal agencies that shall have a right of access to records as described in this
section include: the federal agency providing the funds, the Comptroller General of
the United States, the General Accounting Office, the Office of the Inspector
General, and any of their authorized representatives. In addition, agencies of the
State ofTexas that shall have a right of access to records as described in this section
include: the DSHS, HHSC, HHSC's contracted examiners, the State Auditor's
Office, the Texas Attorney General's Office, and any successor agencies. Each of
these entities may be a duly authorized authority
DSHS Contract No. HHS001031900004 Page 4 of 9
6.6.3 If deemed necessary by the DSHS or any duly authorized authority, for the purpose
of investigation or hearing, Clinic shall produce original documents related to this
Contract
6.6.4 DSHS and any duly authorized authority shall have the right to audit billings both
before and after payment, and all documentation that substantiates the billings
6.6.5 Clinic shall include this provision conceming the right of access to, and
examination of, sites and information related to this Contract in any Subcontract it
awards
6.7 Comoliance with Audit or Inspection Findings.
6.7.1 Clinic mustact to ensure its and its Subcontractors' compliance with all corrections
necessary to address any finding of noncompliance with any law, regulation, audit
requirement, or generally accepted accounting principle, or any other deficiency
identified in any audit, review, or inspection of the Contract and the Services and
Deliverables provided. Any such correction will be at Clinic's or its Subcontractor's
sole expense. Whether Clinic's action corrects the noncompliance shall be solely
the decision ofthe DSHS
6.7.2 As part of the Responsibilities, Clinic must provide to DSHS upon request a copy
of those portions of Clinic's and its Subcontractors' internal audit reports relating to
the Services and Deliverables provided to the State under the MOU
6.8 State Auditor's Riaht to Audit. The Parties acknowledge the Slate Auditor's authority to
conduct audits of state agencies under Chapter 321 of the Texas Government Code. Clinic
shall comply with any rules and procedures of the state auditor in the implementation and
enforcement of Section 2262.154 of the Texas Government Code.
6.9 Amendment, This MOU may be modified by written amendment signed by the Parties.
6.10 Change in Law and Compliance with Laws. Clinic shall comply with all laws, regulations,
requirements and guidelines applicable to a vendor providing services and products
required by this MOU to the Stale of Texas, as these laws, regulations, requirements and
guidelines currently exist and as amended throughout the term of the MOU. DSHS reserves
the right, in its sole discretion, to unilaterally amend the MOU to incorporate any
modifications necessary for DSHS' compliance, as an agency of the State of Texas, with
all applicable state and federal laws, regulations, requirements and guidelines
6.11 Governing Law and Venue. This MOU shall be governed by and construed in accordance
with the laws of the Stale of Texas, without regard to the conflicts of law provisions. The
venue of any suit arising under the Contract is fixed in any court of competent jurisdiction
of Travis County, Texas, unless the specific venue is otherwise identified in a statute which
directly names or otherwise identifies its applicability to the DSHS.
6.12 Dispute Resolution.
6.12.1 The dispute resolution process provided for in Chapter 2260 of the Texas
Government Code must be used to attempt to resolve any dispute arising under the
Contract. If the Clinic's claim for breach of contract cannot be resolved informally
with the DSHS, the claim shall be submitted to the negotiation process provided in
DSHS CoN t No. HHS001031800001 Page 5 of 9
Chapter 2260. To initiate the process, the Clinic shall submit written notice, as
required by Chapter 2260, to the individual identified in the Contract for receipt of
notices. Any informal resolution efforts shall in no way modify the requirements or
toll the timing of the formal written notice of a claim for breach of contract required
under §2260.051 of the Texas Government Code. Compliance by the Clinic with
Chapter 2260 is a condition precedent to the filing of a contested case proceeding
under Chapter 2260.
6.12.2 The contested case process provided in Chapter 2260 is the Clinic's sole and
exclusive process for seeking a remedy for an alleged breach of contract by the
DSHS ifthe Parties are unable to resolve their disputes as described above.
6.12.3 Notwithstanding any other provision of the Contract to the contrary, unless
otherwise requested or approved in writing by the DSHS, the Clinic shall continue
performance and shall not be excused from performance during the period of any
breach of contract claim or while the dispute is pending. However, the Clinic may
suspend performance during the pendency of such claim or dispute if the Clinic has
complied with all provisions of Section 2251.051, Texas Government Code, and
such suspension of performance is expressly applicable and authorized under that
law
6.13 Limitation on Authority.
6.13.1 Any authority granted to Clinic by the DSHS is limited to the tennsof this MOU.
6.13.2 Clinic shall not have any authority to act for or on behalf of the DSHS or the State
of Texas except as expressly provided for in the Contract; no other authority, power,
or use is granted or implied. Clinic may not incur any debt, obligation, expense, or
liability of any kind on behalf of DSHS or the State of Texas
6.13.3 Clinic may not rely on implied authority and is not granted authority under the
MOU to:
6.13.3.1 Make public policy on behalf of DSHS;
6.13.3.2 Promulgate, amend, or disregard administrative regulations of
program policy decisions made by State and federal agencies
responsible for administration of a DSHS program; or
6.13.3.3 Unilaterally communicate or negotiate with any federal or state
agency or Texas Legislature on behalf of DSHS regarding DSHS
programs or this MOU.
6.14 Severability. If any provision of the Contract is held to be illegal, invalid or unenforceable
by a court of law or equity, such construction will not affect the legality, validity or
enforceability of any other provision or provisions of this Contract. It is the intent and
agreement of the Parties this Contract shall be deemed amended by modifying such
provision to the extent necessary to render it valid, legal and enforceable while preserving
its intent or, if such modification is not possible, by substituting another provision that is
valid, legal and enforceable and that achieves the same objective. All other provisions of
this Contract will continue in full force and effect.
DSHS Conlrecl No. HHSOO1031800a0I Page 6 of 9
6.15 Force Maieure. Neither Party shall be liable to the other for any delay in, or failure of
performance of, any requirement included in the Contract caused by force majeure. The
existence of such causes of delay or failure shall extend the period of performance until
after the causes of delay or failure have been removed provided the non-perfonning party
exercises all reasonable due diligence to perform. Force majeure is defined as acts of God,
war, fires, explosions, hurricanes, floods, failure of transportation, or other causes that are
beyond the reasonable control of either parry and that by exercise of due foresight such
party could not reasonably have been expected to avoid, and which, by the exercise of all
reasonable due diligence, such party is unable to overcome
6.16 No Waiver. Nothing in the Contract shall be construed as a waiver of the DSHS' or the
State's sovereign immunity. This Contract shall not constitute or be construed as a waiver
of any of the privileges, rights, defenses, remedies, or immunities available to the DSHS
or the State of Texas. The failure to enforce, or any delay in the enforcement of, any
privileges, rights, defenses, remedies, or immunities available to the DSHS or the State of
Texas under the Contract or under applicable law shall not constitute a waiver of such
privileges, rights, defenses, remedies, or immunities or be considered as a basis for
estoppel. DSHS does not waive any privileges, rights, defenses, or immunities available to
DSHS by entering into the Contract or by its conduct prior to or subsequent to entering into
the Contract.
6.17 Entire Contract and Modification. This Contract constitutes the entire agreement of the
Parties and is intended as a complete and exclusive statement of the promises,
representations, negotiations, discussions, and other agreements that may have been made
in connection with the subject matter hereof. Any additional or conflicting terms in any
future document incorporated into the Contract will be harmonized with this Contract to
the extentpossible.
7. Authorized Representatives
The following will act as the designated Representative authorized to administer activities
including, but not limited to, notices, consents, approvals or other general communications to
the maximum extent possible. The designated Party Representatives are:
DSHS
Melissa D. Tafnya-Cortez. CTCM
DSHS Contract Management
P.O. Box 149347
Austin, Texas 78714-9347
Phone:(512) 776-2643
Melissa.Cortez@dshs.texw.gov
Clinic
<Full Name> Mary Alexander
Beaumont Public Health Department
3040 College Street
Beaumont, Texas 77701
Phone: <Phone Number> 409-654Je25
<Email> mary.elexender@beaummtta e.gov
DSHS C.Wre No. RHS001031800004 Page 7 of 9
Either Party may change its designated Representative by providing written notice to the other
Party at least ten calendar days prior to the change.
8. Authorized Signatures
By signing, Parties acknowledge that they have read the MOU in its entirety, agreeing to its terms.
The persons whose signatures appear below have the requisite authority to execute this MOU on
behalf of the named party.
Signature Page foflmvs
USHS CoMmi No. HHS001031800004 Page 8 of9
DSHS
A
SIGNATURE PAGE FOR
MEMORANDUM OF UNDERSTANDING
DSHS CONTRACT NO. HHS001031800004
CLINIC
0
Printed Name: Printed Name:
Date of Signature: Date of Signature:
THE FOLLOWING ATTACHMENTS ARE ATTACHED AND INCORPORATED AS PART OF THE
CONTRACT:
ATTACHMENT A —CLINIC'S PARTICIPATING LOCATIONS
ATTACHMENT B--PRIVACY, SECURITY, AND BREACH NOTIFICATION
ATTACHMENTS FOLLOW
Page 9 of9
DSHS Coned No. HHS001031800001
ATTACHMENT A
CLINICS PARTICIPATING LOCATIONS
DSHS CONTRACT No. HHS001031800004
Clinic Name
Address
City
Zip
Phone
Number
Beaumont Public Health Dept
3040 College St
Beaumont
77701
40M54-3503
ATTACHMENTB
PRIVACY, SECURITY, AND BREACH NOTIFICATION
DSHS CONTRACT NO. HHS001031800004
1.0 Deflnitions
"Breach" means the acquisition, access, use, or disclosure of Confidential Information in an
unauthorized manner which compromises the security or privacy of the Confidential Information.
"DSHS Confidential Information" means any communication or record (whether oral, written,
electronically stored or transmitted, or in any other form) provided to or made available to the
CLINIC electronically or through any other means that consists of or includes any or all of the
following:
(a) Protected Health Information in any form including without limitation, Electronic
Protected Health Information or Unsecured Protected Health Information (as these
terms are defined in 45 C.F.R. §160.103);
(b) Sensitive Personal Information defined by Texas Business and Commerce Code
Chapter 521;
(c) Federal Tax Information (as defined in Internal Revenue Service Publication 1075);
(d) Personal Identifying Information (as defined In Texas Business and Commerce Code
Chapter 521);
(a) Social Security Administration Data (defined as information received from a Social
Security Administration federal agency system of records), including, without
limitation, Medicare or Medicaid information (defined as information relating to an
applicant or recipient of Medicare or Medicaid benefits);
(f) All information designated as confidential under the constitution and laws of the State
of Texas and of the United States, Including the Texas Health & Safety Code and the
Texas Public Information Act, Texas Government Code, Chapter 552.
1.1 DSHS Confidential Information
Any DSHS Confidential Information received by the CLINIC under this Contract may be
disclosed only in accordance with applicable law. By signing this Contract, the CLINIC
certifies that the CLINIC is, and intends to remain forthe term of this Contract, in compliance
with all applicable state and federal laws and regulations with respect to privacy, security,
and breach notification, including without limitation the following:
(a) Title 5 United Stales Code (USC) Part I, Chapter 5, Subchapter II, Section552a,
Records Maintained on Individuals, The Privacy Act of 1974, as amended by the
Computer Matching and Privacy Protection Act of 1988;
(b). Title 26 USC, Internal Revenue Code,
(c). Title 42 USC Chapter 7, Subchapter XI, Part C, Administrative Simplification, the
relevant portions of the Health Insurance Portability and Accountability Act of 1996
(HIPAA);
(d) Title 42 USC Chapter 7, the relevant portions of the Social Security Act;
(a) Title 42 USC Chapter I, Subchapter A, Part 2, Confidentiality of Substance Use
Disorder Patient Records
(f) Title 45 Code of Federal Regulations (CFR) Chapter A, Subchapter C, Part 160,
General Administrative Requirements
(g) Title 45 CFR Chapter A Subchapter C, Part 164, Security and Privacy;
(h) Internal Revenue Service Publication 1075, Tax Information Security Guidelines for
Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns
and Return Information;
(i) Office of Management and Budget Memorandum 17-12, Preparing for and
Responding to a Breach of Personally Identifiable Information;
(j) Texas Business and Commerce Code Title 11, Subtitle B, Chapter 521 Unauthorized
Use of Identifying Information;
(k) Texas Government Code, Title, 5, Subtitle A, Chapter 552, Public Information, as
applicable,
(1) Texas Health and Safety Code, Title 2, Subtitle D, Chapter 81, Section 61.006, Funds
(m) Texas Health and Safety Code Title 2, Subtitle I, Chapter 181, Medical Records
Privacy;
(n) Texas Health and Safely Code Title 7, Subtitle E, Chapter 611, Mental Health
Records;
(o) Texas Human Resources Code, Title 2, Subtitle A, Chapter 12, Section 12.003,
Disclosure of Information Prohibited;
(p) Texas Occupations Code, Title 3, Health Professions, as applicable;
(q) Constitutional and common law privacy; and
(r) Any other applicable law controlling the release of information created or obtained in
the course of providing the services described in this Contract.
The CLINIC further certifies that the CLINIC will comply with all amendments, regulations, and
guidance relating to those laws, to the extent applicable.
1.2 Cybersecurlty Training
All of CLINIC's authorized users, workforce and subcontractors with access to a state
computer system or database will complete a cybersecurity training program certified under
Texas Government Code, Title 10, Subtitle B, Chapter 2054, Section 2054.5192,
Cybersecurily Training Required: Certain State Contractors, by the Texas Department of
Information Resources.
1.3 Business Associate Agreement
CLINIC will ensure that any subcontractor of CLINIC who has access to DSHS Confidential
Information will sign a HIPAA-compliant Business Associate Agreement with CLINIC, and
CLINIC will submit a copy of that Business Associate Agreement to DSHS upon request.
1.4 CLINIC's Incident Notice, Reporting and Mitigation
The CLINIC's obligation begins at discovery of any unauthorized disclosure of Confidential
Information or any privacy or security incident that may compromise Confidential
Information. "Incident" is defined as an attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or Interference with system
operations in an information system. The CLINIC's obligation continues until all effects of
the Incident are resolved to DSHS's satisfaction, hereafter referred to as the "Incident
Response Period".
1.5 Notification to DSHS.
(a) The CLINIC must notify DSHS within the timeframes set forth in Section (c) below.
(b) The CLINIC must require that its Subcontractors and contractors take the
necessary steps to assure that the CLINIC can comply with all of the following
Incident notice requirements.
(c) Incident Notice:
1. Initial Notice.
Within twenty-four (24) hours of discovery, or in a timeframe otherwise approved by
DSHS in writing, the CLINIC must preliminarily report on the occurrence of an
Incident to the DSHS Privacy and Security Officers via email at:
privacv(c) HHSC.state.tx. us.
This initial notice must, at a minimum, contain:
(i) all information reasonably available to CLINIC about the Incident,
(ii) confirmation that the CLINIC has met any applicable federal Breach notification
requirements, and
(if) a single point of contact for the CLINIC for DSHS communications both during
and outside of business hours during the Incident Response Period.
2. Formal Notice.
No later than three (3) Business Days after discovery of an Incident, or when the
CLINIC should have reasonably discovered the Incident, the CLINIC must provide
written formal notification to DSHS using the Potential Privacy/Security Incident
Form which is available on the HHSC website at
hops'//hl s connection hhs teens pov/rights-mspons'li lities/office-chief-counscl/privacy.
The formal notification must include all available information about the Incident,
and the CLINIC's investigation of the Incident.
1.6 CLINIC Investigation, Response, and Mitigation.
The CLINIC must fully investigate and mitigate, to the extent practicable and as soon as
possible or as indicated below, any Incident. At a minimum, the CLINIC will:
(a) Immediately commence a full and complete investigation;
(b) Cooperate fully with DSHS in its response to the Incident;
(c) Complete or participate in an initial risk assessment;
(d) Provide a final risk assessment;
(a) Submit proposed corrective actions to DSHS for review and approval;
(0 Commit necessary and appropriate staff and resources to expeditiously respond;
(g) Report to DSHS as required by DSHS and all applicable federal and state laws for
Incident response purposes and for purposes of DSHS's compliance with report
and notification requirements, to the satisfaction of DSHS;
(h) Fully cooperate with DSHS to respond to inquiries and/or proceedings by federal
and state authorities about the Incident;
(I) Fully cooperate with DSHS's efforts to seek appropriate injunctive relief or to
otherwise prevent or curtail such Incidents;
(j) Recover, or assure destruction of, any Confidential Information impermissibly
disclosed during or as a result of the Incident; and
(k) Provide DSHS with a final report on the Incident explaining the Incident's resolution.
1.7 Breach Notification to Individuals and Reporting to Authorities.
(a) In addition to the notices required in this section, the CLINIC must comply with all
applicable legal and regulatory requirements in the time, manner, and content of any
notification to individuals, regulators, or third -parties, or any notice required by other
state or federal authorities, including without limitation, notifications required in Title 45
CFR Chapter A, Subchapter C Part 164, Subpart D Notification in the Case of Breach
of Unsecured Protected Health Information and Texas Business and Commerce Code,
Title 11, Subtitle B, Chapter 521, Section 521.053(b), Notification Required Following
Breach of Security of Computerized Data, or as specified by DSHS following an Incident.
(b) The CLINIC must assure that the time, manner, and content of any Breach notification
required by this section meets all federal and state regulatory requirements.
(c) Breach notice letters must be in the CLINIC's name and on the CLINIC's letterhead and
must contain contact Information to obtain additional Information, including the name and
title of the CLINIC's representative, an email address, and a toll -free telephone number.
(d) The CLINIC must provide DSHS with copies of all distributed communications related to
the Breach notification at the same time the CLINIC distributes the communications.
(a) The CLINIC must demonstrate to the satisfaction of DSHS that any Breach notification
required by applicable law was timely made. If there are delays outside of the CLINIC's
control, the CLINIC must provide written documentation to DSHS of the reasons for the
delay.