The URL can be used to link to this page

Home My WebLink AboutC2023-153 - 6/27/2023 - Approved DocuSign Envelope ID: E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 INTERLOCAL COOPERATION CONTRACT DEPARTMENT OF STATE HEALTH SERVICES CONTRACT No. HHSREV100002919 The DEPARTMENT OF STATE HEALTH SERVICES("DSHS"or"SYSTEM AGENCY") and CITY OF CORPUS-CHRISTI("LOCAL GOVERNMENT"or"CONTRACTOR"),each a"Party"and collectively the "Parties," enter into the following contract for Local Government access to the Texas Electronic Vital Events Registrar ("TxEVER") (the "Contract") pursuant to the provisions of the "Interlocal Cooperation Act," Tex. Gov't Code Chapter 791. I. CONTRACT REPRESENTATIVES The following will act as the representative authorized to administer activities under the Contract on behalf of its respective Party. DSHS Local Government Name: Department of State Health Services Name: City of Corpus-Christi Attn: Contract Management Section Attn: Vital Records 1100 W 49th Street,MC-1990 1201 Leopard Street Austin,TX 78776-2679756 Corpus Christi,Tx 78401 Contact Person: Gretchen Wells Contact Person: Tina Belock Telephone: (512)776-2679 Telephone: (361) 826-3244 E-Mail: Gretchen.wells(adshs.texas.gov E-Mail: Tinab@cctexas.com Agency Number: 537 II. STATEMENT OF SERVICES TO BE PROVIDED The Parties agree to cooperate to provide necessary and authorized services and resources in accordance with the terms of the Contract. Specific services provided are described in ATTACHMENT C,STATEMENT OF WORK. III. CONTRACT PERIOD AND RENEWAL The Contract is effective on the signature date of the latter of the Parties to sign the Contract and expires August 31, 2027, unless renewed, extended, or terminated pursuant to the terms and conditions of the Contract. DSHS, at its sole discretion, may renew the Contract for up to one(1) additional year for a maximum Contract term of 5 years. Notwithstanding the limitation in the preceding sentence, and with at least 30 calendar days' advance written notice to Local Government,at the end of the initial term or any renewal period,DSHS,at its sole discretion,may extend the Contract as necessary to ensure continuity of service, for purposes of transition, or as otherwise determined by DSHS to serve the best interest of the state of Texas for up to 12 months, in one-month intervals,at the then-current Contract rate or rates(if applicable)as modified during the term of the Contract. DSHS Contract No.HHSREV100002919 Page 1 of 7 SCANNED DocuSign Envelope ID:E9EDB34E-CORA-4AE5-B70C-AOFA8A1360E8 IV. AMENDMENT The Parties to the Contract may modify the Contract only through the execution of a written amendment signed by both Parties. V. FEES AND PAYMENT FOR SERVICES All payments made by Local Government to DSHS in connection with the Contract, including the manner in which payments to DSHS by Local Government will be rendered, are stated in ATTACHMENT C,STATEMENT OF WORK. VI. NOTICE REQUIREMENTS A. All notices given by Local Government shall be in writing,include the Contract number, comply with all terms and conditions of the Contract, and be delivered to DSHS's Contract Representative identified above. B. Local Government shall send legal notices to DSHS at the address below and provide a copy to DSHS's Contract Representative: Health and Human Services Commission Attn: Office of the Chief Counsel 4601 W Guadalupe St.MC-1100 Austin,Texas 78751 with copy to Department of State Health Services Attn: Office of General Counsel 1100 W.49th Street,MC-1919 Austin,TX 78756 C. DSHS shall send legal notices to Local Government at the address below: City of Corpus-Christi 1201 Leopard Street Corpus Christi,Texas 78401 (361) 826-3105 RebeccaH@cctexas.com D. Notices given by DSHS to Local Government may be emailed, mailed, or sent by common carrier. Email notices shall be deemed delivered when sent by DSHS. Notices sent by mail shall be deemed delivered when received by Local Government.Notices sent by common carrier shall be deemed delivered when deposited by DSHS with a common carrier,overnight,signature required. DSHS Contract No.HHSREV100002919 Page 2 of 7 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 E. Notices given by Local Government to DSHS shall be deemed delivered when received by DSHS. F. Either Party may change its Contract Representative or Legal Notice contact by providing written notice to the other Party. VII. CONTRACT DOCUMENTS The following documents are incorporated by reference and made a part of the Contract for all purposes. In the event of a conflict, ambiguity, or inconsistency between the terms and conditions set forth in the documents that comprise the Contract, the controlling document shall be this Signature Document, then the remaining documents in the following list in the order stated: ATTACHMENT A:HHS DATA USE AGREEMENT-GOVERNMENTAL ENTITY(VERSION 8.5). ATTACHMENT B: HHS CONTRACT AFFIRMATIONS(VERSION 2.2);and ATTACHMENT C: STATEMENT OF WORK. VIII. MISCELLANEOUS TERMS AND CONDITIONS A. Exchange of Personal Identifying Information.The Contract concerns the exchange of Confidential Information. Except as prohibited by applicable law or regulation, Local Government and DSHS may exchange such information in accordance with Tex. Health and Safety Code Chapter 191. B. Suspension of Services or Contract Termination.Use of services under the Contract by Local Government for purposes inconsistent with the Contract or applicable law or regulation may result in suspension of services or termination of the Contract for cause by DSHS. C. Governing Law and Venue. The Contract shall be governed by and construed in accordance with the laws of the State of Texas, without regard to the conflicts of law provisions. The venue of any suit arising under the Contract is fixed in any court of competent jurisdiction of Travis County,Texas, unless the specific venue is otherwise identified in a statute which directly names or otherwise identifies its applicability to DSHS. D. Confidentiality. Local Government shall maintain as confidential and shall not disclose to third parties without DSHS's prior written consent,any DSHS information including but not limited to DSHS Data,DSHS's business activities,practices,systems, conditions, and services. This section shall survive termination or expiration of the Contract. This requirement must be included in all subcontracts awarded by Local Government.The Parties shall comply with all applicable state and federal laws relating to the privacy and confidentiality of data and records provided under the Contract, including,but not limited to,Tex.Gov't Code Section 552.115. DSHS Contract No.HHSREV 100002919 Page 3 of 7 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 E. Record Maintenance and Retention 1. Local Government shall keep and maintain under GAAP or GASB, as applicable, full,true,and complete records necessary to fully disclose to DSHS,the Texas State Auditor's Office, the United States Government, and their authorized representatives sufficient information to determine compliance with the terms and conditions of the Contract and all state and federal rules, regulations, and statutes. 2. Local Government shall maintain and retain legible copies of the Contract and all records relating to the performance of the Contract, including supporting fiscal documents adequate to ensure that claims for Contract funds are in accordance with applicable state of Texas requirements. These records shall be maintained and retained by Local Government for a minimum of seven(7)years after the Contract expiration date or seven(7)years after the completion of all audits,claim,litigation, or dispute matters involving the Contract are resolved,whichever is later. F. Dispute Resolution. To the extent that Tex. Gov't Code Chapter 2260 is applicable to the Contract, the dispute resolution process provided for in Chapter 2260, and the related rules adopted by the Texas Attorney General pursuant to Chapter 2260,shall be used by DSHS and Local Government to attempt to resolve any claim for breach of contract made by Local Government that cannot be resolved in the ordinary course of business. G. Entire Agreement.The Contract contains all the terms and conditions between DSHS and Local Government relating to the matters set forth herein and no prior or contemporaneous agreement or understanding pertaining to the same shall be of any force or effect. H. Force Majeure. Neither Local Government nor DSHS shall be liable to the other for any delay in, or failure of performance of, any requirement included in the Contract caused by force majeure. The existence of such causes of delay or failure shall extend the period of performance until after the causes of delay or failure have been removed provided the non-performing Party exercises all reasonable due diligence to perform. Force majeure is defined as acts of God, war, fires, explosions, hurricanes, floods, failure of transportation,or other causes that are beyond the reasonable control of either Party and that by exercise of due foresight such Party could not reasonably have been expected to avoid, and which, by the exercise of all reasonable due diligence, such Party is unable to overcome. I. INDEMNIFICATION I. TO THE EXTENT ALLOWED BY THE CONSTITUTION AND LAWS OF THE STATE OF TEXAS, LOCAL GOVERNMENT SHALL DEFEND, INDEMNIFY AND HOLD HARMLESS THE STATE OF TEXAS, DSHS, AND HHSC, AND/OR THEIR OFFICERS, AGENTS, EMPLOYEES, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DSHS Contract No.HHSREV 100002919 Page 4 of 7 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS,AND ALL RELATED COSTS,ATTORNEY FEES, AND EXPENSES ARISING OUT OF OR RESULTING FROM ANY ACTS OR OMISSIONS OF LOCAL GOVERNMENT OR ITS AGENTS, EMPLOYEES, SUBCONTRACTORS, ORDER FULFILLERS, OR SUPPLIERS OF SUBCONTRACTORS IN THE EXECUTION OR PERFORMANCE OF THE CONTRACT AND ANY PURCHASE ORDERS ISSUED UNDER THE CONTRACT. 2. THIS PARAGRAPH IS NOT INTENDED TO AND WILL NOT BE CONSTRUED TO REQUIRE LOCAL GOVERNMENT TO INDEMNIFY OR HOLD HARMLESS THE STATE OF TEXAS, DSHS, OR HHSC FOR ANY CLAIMS OR LIABILITIES RESULTING FROM THE NEGLIGENT ACTS OR OMISSIONS OF THE STATE OF TEXAS,DSHS,OR HHSC OR ITS EMPLOYEES. 3. FOR THE AVOIDANCE OF DOUBT,NEITHER THE STATE OF TEXAS, DSHS, NOR HHSC SHALL INDEMNIFY LOCAL GOVERNMENT OR ANY OTHER ENTITY UNDER THE CONTRACT. J. No Waiver of Sovereign Immunity. Nothing in the Contract shall be construed as a waiver of DSHS's, HHSC's, or the state of Texas' sovereign immunity. Neither the Contract nor any action or inaction of DSHS shall constitute or be construed as a waiver of any of the privileges,rights,defenses,remedies,or immunities available to the State of Texas,DSHS,or HHSC. The failure to enforce,or any delay in the enforcement of, any privileges,rights,defenses,remedies,or immunities available to the State of Texas, DSHS, or HHSC under the Contract or under applicable law or regulation shall not constitute a waiver of such privileges, rights, defenses, remedies, or immunities or be considered as a basis for estoppel.Neither the State of Texas,DSHS,nor HHSC waives any privileges, rights, defenses, or immunities available to the State of Texas, DSHS, or HHSC by entering into the Contract or by its conduct prior to or subsequent to entering into the Contract.Notwithstanding the forgoing,if Local Government is a state of Texas agency or department, district, authority, county, municipality, or other political subdivision of the state of Texas,then nothing in the Contract will be construed to abrogate any rights or affirmative defenses available to Local Government under doctrines of sovereign and official immunity. K. Severability. If any provision of the Contract is construed to be illegal or invalid, the illegal or invalid provision shall be deemed stricken and deleted to the same extent and effect as if never incorporated,but all other provisions shall continue. L. Waiver.The failure of either Party to object to or to take affirmative action with respect to any conduct of either Party which is in violation or breach of the terms of the Contract shall not be construed as a waiver of the violation or breach,or of any future violation or breach. DSHS Contract No.HHSREV 100002919 Page 5 of 7 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 M. Termination 1. Convenience. Either Party may terminate the Contract without cause by giving 30 days' written notice of its intent to terminate to the non-terminating Party. The termination will be effective on the date specified in the terminating Party's notice of termination. 2. Cause Resulting from Material Breach. Except as otherwise provided by the U.S. Bankruptcy Code, or any successor law, either Party may terminate the Contract, in whole or in part, upon the following condition: i. Material Breach If a Party determines, in its sole discretion, the other Party has materially breached the Contract or has failed to adhere to any laws,ordinances, rules, regulations or orders of any public authority having jurisdiction and such violation prevents or substantially impairs performance of the other Party's duties under the Contract. 3. Cause Resulting from Failure to Maintain Financial Viability. DSHS may terminate the Contract if, in its sole discretion, DSHS has a good faith belief that Local Government no longer maintains the financial viability to fully perform its obligations under the Contract. IX. CERTIFICATIONS The undersigned contracting Parties certify that: A. The services specified above are necessary and essential for activities that are properly within the statutory functions and programs of each Party. B. Each Party executing the Contract on its behalf has full power and authority to enter into the Contract. C. The proposed arrangements serve the interest of efficient and economical administration of state and local government;and D. The services contracted for are not required by Section 21, Article XVI of the Constitution of Texas to be supplied under a contract awarded to the lowest responsible bidder. DSHS further certifies that it has statutory authority to contract for the services described in the Contract under Tex. Health and Safety Code Chapter 191 and Tex. Gov't Code Chapter 791. Local Government further certifies that it has statutory authority to contract for the services described in the Contract under Tex. Health and Safety Code Chapter 191 and Tex. Gov't Code Chapter 791. SIGNATURE PAGE FOLLOWS DSHS Contract No.HHSREV100002919 Page 6 of 7 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 SIGNATURE PAGE FOR DSHS CONTRACT No.HHSREV100002919 DEPARTMENT OF STATE HEALTH SERVICES CITY OF CORPUS-CHRISTI r—DoeuSlomd by: 'ignafure 164E2.. Sig ure Manda Hall. MD leper mars Printed Name Printed Name Associate Commissioner for Community Health C'6 IGY1dIer Improvement Title Title Date August 3, 2023 Date ATTEST: =� �, It A 1.4 REBECCA HUERTA CITY SECRETARY a5-43302.3 AUfHORIlIr► tY COUNCIL �� sternKirka" DSHS Contract No. HHSREV 100002919 • Page 7 of 7 DocuSign Envelope ID E9EDB34E-CORA-4AE5-670C-AOFA8A1360E8 HHS DATA USE AGREEMENT This Data Use Agreement("DUA"), effective as of the date the Base Contract into which it is incorporated is signed("Effective Date"), is entered into by and between a Texas Health and Human Services Enterprise agency("HHS"),and the Contractor identified in the Base Contract,a political subdivision of the State of Texas("CONTRACTOR"). ARTICLE 1. PURPOSE;APPLICABILITY;ORDER OF PRECEDENCE The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations with respect to the Confidential Information.45 CFR 164.504(e)(1)-(3).This DUA also describes HHS's remedies in the event of CONTRACTOR's noncompliance with its obligations under this DUA. This DUA applies to both Business Associates and contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients as described in the Base Contract. As of the Effective Date of this DUA, if any provision of the Base Contract,including any General Provisions or Uniform Terms and Conditions,conflicts with this DUA,this DUA controls. ARTICLE 2. DEFINITIONS For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following:Health Insurance Portability and Accountability Act of 1996,Public Law 104-191 (42 U.S.C. §1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments,regulations and guidance issued thereafter;The Social Security Act, including Section 1137 (42 U.S.C. §§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder;Internal Revenue Code,Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code§2054.1125.In addition,the following terms in this DUA are defined as follows: "Authorized Purpose"means the specific purpose or purposes described in the Statement of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance. "Authorized User"means a Person: (1) Who is authorized to create, receive, maintain, have access to, process, view, handle,examine, interpret,or analyze Confidential Information pursuant to this DUA; HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 1 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 (2) For whom CONTRACTOR warrants and represents has a demonstrable need to create,receive,maintain, use,disclose or have access to the Confidential Information; and (3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA. "Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR,or that CONTRACTOR may,for an Authorized Purpose,create,receive,maintain, use,disclose or have access to, that consists of or includes any or all of the following: (1) Client Information; (2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information(herein"PHI"); (3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521; (4) Federal Tax Information; (5) Individually Identifiable Health Information as related to HIPAA, Texas HIPAA and Personal Identifying Information under the Texas Identity Theft Enforcement and Protection Act; (6) Social Security Administration Data, including, without limitation, Medicaid information; (7) All privileged work product; (8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health& Safety Code and the Texas Public Information Act,Texas Government Code, Chapter 552. "Legally Authorized Representative"of the Individual,as defined by Texas law,including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6);Tex.H.&S.Code §166.164; and Estates Code Ch. 752. ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION 3.01 Obligations of CONTRACTOR CONTRACTOR agrees that: (A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 2 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 a manner that is not expressly an Authorized Purpose under this DUA or as Required by Law. 45 CFR 164.502(b)(1);45 CFR 164.514(d) (B) Except as Required by Law,CONTRACTOR will not disclose or allow access to any portion of the Confidential Information to any Person or other entity, other than Authorized User's Workforce or Subcontractors (as defined in 45 C.F.R. 160.103) of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management,to carry out CONTRACTOR's obligations in connection with the Authorized Purpose. HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health &Safety Code§181.101 All of CONTRACTOR's Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources or offered under Texas Government Code Sec. 2054.519(f). (C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request.45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b);164.530(b)(1) (D) CONTRACTOR will not, except as otherwise permitted by this DUA, disclose or provide access to any Confidential Information on the basis that such act is Required by Law without notifying either HHS or CONTRACTOR's own legal counsel to determine whether CONTRACTOR should object to the disclosure or access and seek appropriate relief. CONTRACTOR will maintain an accounting of all such requests for disclosure and responses and provide such accounting to HHS within 48 hours of HHS' request.45 CFR 164.504(e)(2)(ii)(A) (E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information or De-identified Information,or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(1) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501, 164.508(a)(3) and(4); Texas Health &Safety Code Ch. 181.002 (F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information to carry out CONTRACTOR's obligations in connection with the Authorized Purpose on behalf of CONTRACTOR, unless Subcontractor agrees to comply HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23.2019 Page 3 of 15 DocuSign Envelope ID. E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 with all applicable laws, rules and regulations. 45 CFR 164.502(e)(1)(ii); 164.504(e)(1)(i) and(2). (G) CONTRACTOR is directly responsible for compliance with,and enforcement of, all conditions for creation,maintenance, use,disclosure,transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use.45 CFR 164.504(e)(S);42 CFR 431.300,et seq. (H) If CONTRACTOR maintains PHI in a Designated Record Set which is Confidential Information and subject to this Agreement, CONTRACTOR will make PHI available to HHS in a Designated Record Set upon request.CONTRACTOR will provide PHI to an Individual, or Legally Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacy Regulations. CONTRACTOR will release PHI in accordance with the HIPAA Privacy Regulations upon receipt of a valid written authorization. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. CONTRACTOR will maintain an accounting of all such disclosures and provide it to HHS within 48 hours of HHS'request.45 CFR 164.524and 164.504(e)(2)(ii)(E). (I) If PHI is subject to this Agreement, CONTRACTOR will make PHI as required by HIPAA available to HHS for review subsequent to CONTRACTOR's incorporation of any amendments requested pursuant to HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and(F). (J) If PHI is subject to this Agreement,CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Regulations.45 CFR 164.504(e)(2)(10(G)and 164.528. (K) If CONTRACTOR receives a request for access,amendment or accounting of PHI from an individual with a right of access to information subject to this DUA, it will respond to such request in compliance with the HIPAA Privacy Regulations. CONTRACTOR will maintain an accounting of all responses to requests for access to or amendment of PHI and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2). (L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information.45 CFR 164.308; 164.530(c); 1 TAC 202. (M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23. 2019 Page 4 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 legal responsibilities. Except as otherwise limited by this DUA,the Base Contract,or law applicable to the Confidential Information, CONTRACTOR may disclose PHI for the proper management and administration of CONTRACTOR, or to carry out CONTRACTOR's legal responsibilities, if: 45 CFR 164.504(e)(4)(A). (1) Disclosure is Required by Law,provided that CONTRACTOR complies with Section 3.01(D);or (2) CONTRACTOR obtains reasonable assurances from the person or entity to which the information is disclosed that the person or entity will: (a)Maintain the confidentiality of the Confidential Information in accordance with this DUA; (b) Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the Person;and (c)Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B). (N) Except as otherwise limited by this DUA, CONTRACTOR will, if required by law and requested by HHS,use commercially reasonable efforts to use PHI to provide data aggregation services to HHS,as that term is defined in the HIPAA,45 C.F.R. §164.501 and permitted by HIPAA.45 CFR 164.504(e)(2)(i)(B) (0) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, send to HHS or Destroy, at HHS's election and to the extent reasonably feasible and permissible by law,all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by or disclosed to CONTRACTOR, has been Destroyed or sent to HHS,and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, HHS acknowledges and agrees that CONTRACTOR is not obligated to send to HHSC and/or Destroy any Confidential Information if federal law, state law, the Texas State Library and Archives Commission records retention schedule, and/or a litigation hold notice prohibit such delivery or Destruction.If such delivery or Destruction is not reasonably feasible,or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such delivery or Destruction is not feasible,and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return delivery or Destruction of the Confidential Information not feasible for as long as CONTRACTOR maintains such Confidential Information.45 CFR 164.504(e)(2)(ii)(J) HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 5 of 15 DocuSign Envelope ID. E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses. 45 CFR 164.306;164.530(c) (Q) If CONTRACTOR accesses,transmits, stores,and/or maintains Confidential Information, CONTRACTOR will complete and return to HHS at infosecurity@hhsc.state.tx.us the HHS information security and privacy initial inquiry(SPI) at Attachment 1 . The SPI identifies basic privacy and security controls with which CONTRACTOR must comply to protect HHS Confidential Information. CONTRACTOR will comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. CONTRACTOR's security controls will be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. CONTRACTOR will update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and will provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements.45 CFR 164 306. (R) CONTRACTOR will establish, implement and maintain reasonable procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality,integrity,and availability of the Confidential Information,and with respect to PHI, as described in the HIPAA Privacy and Security Regulations,or other applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR 164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards); 164.530(c)(privacy safeguards). (S) CONTRACTOR will designate and identify, a Person or Persons,as Privacy Official 45 CFR 164.530(a)(1)and Information Security Official,each of whom is authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation of the privacy and security requirements in this DUA. CONTRACTOR will provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change.If such persons fail to develop and implement the requirements of the DUA, CONTRACTOR will replace them upon HHS request.45 CFR 164.308(a)(2). (T) CONTRACTOR represents and warrants that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract,and further,that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. 45 CFR 164.502;164.514(d). HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 6 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms of this DUA,at all times and supply it to HHS,as directed, upon request. (V) CONTRACTOR will implement, update as necessary, and document reasonable and appropriate policies and procedures for privacy, security and Breach of Confidential Information and an incident response plan for an Event or Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Statement of Work.45 CFR 164.308;164.316;164.514(d);164.530(1)(1). (W) CONTRACTOR will produce copies of its information security and privacy policies and procedures and records relating to the use or disclosure of Confidential Information received from,created by,or received,used or disclosed by CONTRACTOR for an Authorized Purpose for HHS's review and approval within 30 days of execution of this DUA and upon request by HHS the following business day or other agreed upon time frame. 45 CFR 164.308;164.514(d). (X) CONTRACTOR will make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to,or copies of,PHI in accordance with HIPAA and other applicable laws and regulations relating to Confidential Information. CONTRACTOR will provide such information in a time and manner reasonably agreed upon or as designated by the Secretary of the U.S. Department of Health and Human Services,or other federal or state law.45 CFR 164.504(e)(2)(i)(I). (Y) CONTRACTOR will only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form, in accordance with applicable rules, regulations and laws.A secure transmission of electronic Confidential Information in motion includes, but is not limited to, Secure File Transfer Protocol (SFTP) or Encryption at an appropriate level.If required by rule,regulation or law,HHS Confidential Information at rest requires Encryption unless there is other adequate administrative, technical, and physical security.All electronic data transfer and communications of Confidential Information will be through secure systems.Proof of system,media or device security and/or Encryption must be produced to HHS no later than 48 hours after HHS's written request in response to a compliance investigation,audit or the Discovery of an Event or Breach.Otherwise,requested production of such proof will be made as agreed upon by the parties.De-identification of HHS Confidential Information is a means of security. With respect to de-identification of PHI, "secure"means de-identified according to HIPAA Privacy standards and regulatory guidance. 45 CFR 164.312;164.530(d). (Z) For each type of Confidential Information CONTRACTOR creates,receives, maintains,uses,discloses,has access to or transmits in the performance of the Statement of Work, CONTRACTOR will comply with the following laws rules and regulations, only to the extent applicable and required by law: • Title 1,Part 10, Chapter 202, Subchapter B,Texas Administrative Code; HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 7 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 • The Privacy Act of 1974; • OMB Memorandum 07-16; • The Federal Information Security Management Act of 2002 (FISMA); • The Health Insurance Portability and Accountability Act of 1996(HIPAA) as defined in the DUA; • Internal Revenue Publication 1075 —Tax Information Security Guidelines for Federal, State and Local Agencies; • National Institute of Standards and Technology(NIST)Special Publication 800-66 Revision 1 —An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; • NIST Special Publications 800-53 and 800-53A—Recommended Security Controls for Federal Information Systems and Organizations, as currently revised; • NIST Special Publication 800-47 — Security Guide for Interconnecting Information Technology Systems; • NIST Special Publication 800-88,Guidelines for Media Sanitization; • NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI; and Any other State or Federal law,regulation,or administrative rule relating to the specific HHS program area that CONTRACTOR supports on behalf of HHS. (AA) Notwithstanding anything to the contrary herein, CONTRACTOR will treat any Personal Identifying Information it creates,receives,maintains,uses,transmits,destroys and/or discloses in accordance with Texas Business and Commerce Code, Chapter 521 and other applicable regulatory standards identified in Section 3.01(Z), and Individually Identifiable Health Information CONTRACTOR creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with HIPAA and other applicable regulatory standards identified in Section 3.01(Z). ARTICLE 4. BREACH NOTICE,REPORTING AND CORRECTION REQUIREMENTS 4.01 Breach or Event Notification to HHS.45 CFR 164.400-414. HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 8of15 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (A) CONTRACTOR will cooperate fully with HHS in investigating,mitigating to the extent practicable and issuing notifications directed by HHS, for any Event or Breach of Confidential Information to the extent and in the manner determined by HHS. (B) CONTRACTOR'S obligation begins at the Discovery of an Event or Breach and continues as long as related activity continues,until all effects of the Event are mitigated to HHS's reasonable satisfaction(the"incident response period").45 CFR 164.404. (C) Breach Notice: (1) Initial Notice. (a) For federal information, including without limitation,Federal Tax Information, Social Security Administration Data,and Medicaid Client Information, within the first, consecutive clock hour of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery,or in a timeframe otherwise approved by HHS in writing,initially report to HHS's Privacy and Security Officers via email at: privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA; and IRS Publication 1075; Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in HHSC-CMS Contracts for information exchange. (b) Report all information reasonably available to CONTRACTOR about the Event or Breach of the privacy or security of Confidential Information.45 CFR 164.410. (c) Name, and provide contact information to HHS for, CONTRACTOR's single point of contact who will communicate with HHS both on and off business hours during the incident response period. (2) Formal Notice.No later than two business days after the Initial Notice above, provide formal notification to privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA, including all reasonably available information about the Event or Breach, and CONTRACTOR's investigation, including without limitation and to the extent available:For(a)-(m)below:45 CFR 164.400-414. (a) The date the Event or Breach occurred; (b) The date of CONTRACTOR's and, if applicable, Subcontractor's Discovery; (c) A brief description of the Event or Breach; including how it occurred and who is responsible(or hypotheses, if not yet determined); HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23.2019 Page 9 of 15 DocuSign Envelope ID E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (d) A brief description of CONTRACTOR's investigation and the status of the investigation; (e) A description of the types and amount of Confidential Information involved; (f) Identification of and number of all Individuals reasonably believed to be affected,including first and last name of the Individual and if applicable the, Legally Authorized Representative, last known address, age,telephone number,and email address if it is a preferred contact method, to the extent known or can be reasonably determined by CONTRACTOR at that time; (g) CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHS approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply; (h) CONTRACTOR's recommendation for HHS's approval as to the steps Individuals and/or CONTRACTOR on behalf of Individuals, should take to protect the Individuals from potential harm,including without limitation CONTRACTOR's provision of notifications, credit protection, claims monitoring, and any specific protections for a Legally Authorized Representative to take on behalf of an Individual with special capacity or circumstances; (i) The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate); (j) The steps CONTRACTOR has taken, or will take,to prevent or reduce the likelihood of recurrence of a similar Event or Breach; (k) Identify, describe or estimate the Persons, Workforce, Subcontractors or Individuals and any law enforcement that may be involved in the Event or Breach; (1) A reasonable schedule for CONTRACTOR to provide regular updates during normal business hours to the foregoing in the future for response to the Event or Breach, but no less than every three (3)business days or as otherwise directed by HHS, including information about risk estimations,reporting,notification,if any,mitigation,corrective action,root cause analysis and when such activities are expected to be completed;and HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 10 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (m) Any reasonably available,pertinent information,documents or reports related to an Event or Breach that HHS requests following Discovery. 4.02 Investigation,Response and Mitigation.45 CFR 164.308,310 and 312; 164.530 (A) CONTRACTOR will immediately conduct a full and complete investigation, respond to the Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond, and report as required to and by HHS for incident response purposes and for purposes of HHS's compliance with report and notification requirements, to the reasonable satisfaction of HHS. (B) CONTRACTOR will complete or participate in a risk assessment as directed by HHS following an Event or Breach, and provide the final assessment, corrective actions and mitigations to HHS for review and approval. (C) CONTRACTOR will fully cooperate with HHS to respond to inquiries and/or proceedings by state and federal authorities, Persons and/or Individuals about the Event or Breach. (D) CONTRACTOR will fully cooperate with HHS's efforts to seek appropriate injunctive relief or otherwise prevent or curtail such Event or Breach,or to recover or protect any Confidential Information, including complying with reasonable corrective action or measures,as specified by HHS in a Corrective Action Plan if directed by HHS under the Base Contract. 4.03 Breach Notification to Individuals and Reporting to Authorities. Tex. Bus. & Comm. Code §521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities) (A) HHS may direct CONTRACTOR to provide Breach notification to Individuals,regulators or third-parties,as specified by HHS following a Breach. (B) CONTRACTOR shall give HHS an opportunity to review and provide feedback to CONTRACTOR and to confirm that CONTRACTOR's notice meets all regulatory requirements regarding the time, manner and content of any notification to Individuals, regulators or third-parties, or any notice required by other state or federal authorities, including without limitation, notifications required by Texas Business and Commerce Code,Chapter 521.053(b)and HIPAA. HHS shall have ten(10)business days to provide said feedback to CONTRACTOR.Notice letters will be in CONTRACTOR's name and on CONTRACTOR's letterhead, unless otherwise directed by HHS, and will contain contact information, including the name and title of CONTRACTOR's representative, an email address and a toll-free telephone number, if required by applicable law, rule, or regulation,for the Individual to obtain additional information. (C) CONTRACTOR will provide HHS with copies of distributed and approved communications. HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23.2019 Page 11 of 15 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-A0FA8A1360E8 (D) CONTRACTOR will have the burden of demonstrating to the reasonable satisfaction of HHS that any notification required by HHS was timely made.If there are delays outside of CONTRACTOR's control,CONTRACTOR will provide written documentation of the reasons for the delay. (E) If HHS delegates notice requirements to CONTRACTOR,HI-IS shall, in the time and manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's information requests in order to make such notifications and reports. ARTICLE 5. STATEMENT OF WORK "Statement of Work" means the services and deliverables to be performed or provided by CONTRACTOR,or on behalf of CONTRACTOR by its Subcontractors or agents for HHS that are described in detail in the Base Contract. The Statement of Work, including any future amendments thereto,is incorporated by reference in this DUA as if set out word-for-word herein. ARTICLE 6. GENERAL PROVISIONS 6.01 Oversight of Confidential Information CONTRACTOR acknowledges and agrees that HHS is entitled to oversee and monitor CONTRACTOR's access to and creation,receipt,maintenance,use,disclosure of the Confidential Information to confirm that CONTRACTOR is in compliance with this DUA. 6.02 HHS Commitment and Obligations HHS will not request CONTRACTOR to create,maintain,transmit,use or disclose PHI in any manner that would not be permissible under applicable law if done by HHS. 6.03 HHS Right to Inspection At any time upon reasonable notice to CONTRACTOR, or if HHS determines that CONTRACTOR has violated this DUA, HHS, directly or through its agent, will have the right to inspect the facilities,systems,books and records of CONTRACTOR to monitor compliance with this DUA.For purposes of this subsection,HHS's agent(s)include,without limitation,the HHS Office of the Inspector General or the Office of the Attorney General of Texas, outside consultants or legal counsel or other designee. 6.04 Term; Termination of DUA; Survival This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended or amended, this DUA shall be extended or amended concurrent with such extension or amendment. HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 12 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (A) HHS may immediately terminate this DUA and Base Contract upon a material violation of this DUA. (B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the Confidential Information until such time as determined by HHS. (C) If HHS determines that CONTRACTOR has violated a material term of this DUA;HHS may in its sole discretion: (1) Exercise any of its rights including but not limited to reports, access and inspection under this DUA and/or the Base Contract;or (2) Require CONTRACTOR to submit to a Corrective Action Plan, including a plan for monitoring and plan for reporting, as HHS may determine necessary to maintain compliance with this DUA;or (3) Provide CONTRACTOR with a reasonable period to cure the violation as determined by HHS;or (4) Terminate the DUA and Base Contract immediately,and seek relief in a court of competent jurisdiction in Texas. Before exercising any of these options, HHS will provide written notice to CONTRACTOR describing the violation,the requested corrective action CONTRACTOR may take to cure the alleged violation, and the action HHS intends to take if the alleged violated is not timely cured by CONTRACTOR. (D) If neither termination nor cure is feasible,HHS shall report the violation to the Secretary of the U.S.Department of Health and Human Services. (E) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration or termination of this DUA until all the Confidential Information is Destroyed or returned to HHS,as required by this DUA. 6.05 Governing Law,Venue and Litigation (A) The validity,construction and performance of this DUA and the legal relations among the Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas. (B) The Parties agree that the courts of Texas,will be the exclusive venue for any litigation,special proceeding or other proceeding as between the parties that may be brought, or arise out of,or in connection with,or by reason of this DUA. 6.06 I n j u nctive Relief HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 13 of 15 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 (A) CONTRACTOR acknowledges and agrees that HHS may suffer irreparable injury if CONTRACTOR or its Subcontractor fails to comply with any of the terms of this DUA with respect to the Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential Information. (B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate HHS for CONTRACTOR's or its Subcontractor's failure to comply.Accordingly, CONTRACTOR agrees that HHS will,in addition to any other remedies available to it at law or in equity, be entitled to seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages,to enforce the terms of this DUA. 6.07 Responsibility. To the extent permitted by the Texas Constitution, laws and rules, and without waiving any immunities or defenses available to CONTRACTOR as a governmental entity, CONTRACTOR shall be solely responsible for its own acts and omissions and the acts and omissions of its employees,directors,officers,Subcontractors and agents. HHS shall be solely responsible for its own acts and omissions. 6.08 Insurance (A) As a governmental entity,and in accordance with the limits of the Texas Tort Claims Act, Chapter 101 of the Texas Civil Practice and Remedies Code, CONTRACTOR either maintains commercial insurance or self-insures with policy limits in an amount sufficient to cover CONTRACTOR's liability arising under this DUA. CONTRACTOR will request that HHS be named as an additional insured. HHSC reserves the right to consider alternative means for CONTRACTOR to satisfy CONTRACTOR's financial responsibility under this DUA.Nothing herein shall relieve CONTRACTOR of its financial obligations set forth in this DUA if CONTRACTOR fails to maintain insurance. (B) CONTRACTOR will provide HHS with written proof that required insurance coverage is in effect,at the request of HHS. 6.08 Fees and Costs Except as otherwise specified in this DUA or the Base Contract, if any legal action or other proceeding is brought for the enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default,misrepresentation, or injunctive action, in connection with any of the provisions of this DUA,each party will bear their own legal expenses and the other cost incurred in that action or proceeding. 6.09 Entirety of the Contract This DUA is incorporated by reference into the Base Contract as an amendment thereto and, together with the Base Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of obligations arising under those documents will be valid unless in writing and executed by the party against whom such change,waiver,or discharge is sought to be HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23,2019 Page 14 of 15 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 enforced. If any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions,conflicts with this DUA,this DUA controls. 6.10 Automatic Amendment and Interpretation If there is (i) a change in any law, regulation or rule, state or federal, applicable to HIPPA and/or Confidential Information,or(ii)any change in the judicial or administrative interpretation of any such law,regulation or rule„upon the effective date of such change,this DUA shall be deemed to have been automatically amended, interpreted and read so that the obligations imposed on HHS and/or CONTRACTOR remain in compliance with such changes.Any ambiguity in this DUA will be resolved in favor of a meaning that permits HHS and CONTRACTOR to comply with HIPAA or any other law applicable to Confidential Information. HHS Data Use Agreement TACCHO VERSION(Local City and County Entities)October 23. 2019 Page 15 of 15 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 Texas HHS System - Data Use Agreement-Attachment 2 As A.Human SECURITY AND PRIVACY INQUIRY(SPI) Services If you are a bidder for a new procurement/contract, in order to participate in the bidding process,you must have corrected any"No" responses(except A9a)prior to the contract award date. If you are an applicant for an open enrollment,you must have corrected any"No"answers(except A9a and All)prior to performing any work on behalf of any Texas HHS agency. For any questions answered"No"(except A9a and All),an Action Plan for Compliance with a Timeline must be documented in the designated area below the question.The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed. SECTION A:APPLICANT/BIDDER INFORMATION (To be completed by Applicant/Bidder) 1. Does the applicant/bidder access, create, disclose, receive, transmit, maintain, or store Texas el Yes HHS Confidential Information in electronic systems(e.g., laptop, personal use computer, 0 No mobile device, database, server,etc.)? IF NO,STOP. THE SPI FORM IS NOT REQUIRED. 2. Entity or Applicant/Bidder Legal Name Legal Name: City of Corpus Christi-City Secretary's Office Legal Entity Tax Identification Number (TIN) (Last Four Numbers Only): 5741 Procurement/Contract#: HHSREV100002919 • Address: 1201 Leopard Street City: Corpus Christi State:TX ZIP: 78401 Telephone#: (361)826-3244 Email Address: tinab@cctexas.com 3. Number of Employees, at all locations, in Total Employees: 4 Applicant/Bidder's Workforce "Workforce"means all employees,volunteers,trainees,and other Persons whose conduct is under the direct control of Applicant/Bidder,whether or not they are paid by Applicant/ Bidder.If Applicant/Bidder is a sole proprietor,the workforce may be only one employee. 4. Number of Subcontractors Total Subcontractors: 0 (if Applicant/Bidder will not use subcontractors,enter"0") 5. Name of Information Technology Security Official A. Security Official: and Name of Privacy Official for Applicant/Bidder Legal Name: Jesus Hernandez (Privacy and Security Official may be the same person.) Address: 1201 Leopard Street City: Corpus Christi State: TX ZIP: 78401 Telephone #: (361)826-3748 Email Address: jesush6@cctexas.com B. Privacy Official: Legal Name: Jesus Hernandez Address: 1201 Leopard Street City: Corpus Christi State: TX ZIP: 78401 Telephone #: (361)826-3748 Email Address: jesush6@cctexas.com SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 1 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 6. Type(s)of Texas HHS Confidential Information the HIPAA CJIS IRS FTI CMS SSA PII Applicant/Bidder will create, receive, maintain, use, E✓ ❑ El ❑ c✓ disclose or have access to:(Check all that apply) Other(Please List) •Health Insurance Portability and Accountability Act(HIPAA)data •Criminal Justice Information Services(CJIS)data •Internal Revenue Service Federal Tax Information(IRS FTI)data •Centers for Medicare&Medicaid Services(CMS) •Social Security Administration(SSA) •Personally Identifiable Information(PII) 7. Number of Storage Devices for Texas HHS Confidential Information (as defined in the Total# Texas HHS System Data Use Agreement (DUA)) (Sum a-d) Cloud Services involve using a network of remote servers hosted on the Internet to store, 5 manage, and process data, rather than a local server or a personal computer. A Data Center is a centralized repository, either physical or virtual,for the storage, management,and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business. a. Devices. Number of personal user computers, devices or drives, including mobile 4 devices and mobile drives. b.Servers. Number of Servers that are not in a data center or using Cloud Services. 1 c. Cloud Services. Number of Cloud Services in use. 0 d. Data Centers. Number of Data Centers in use. 0 8. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to Select Option handle Texas HHS Confidential Information during one year: (a-d) a. 499 individuals or less 0 a. b. 500 to 999 individuals 0 b. c. 1,000 to 99,999 individuals 0 c. d. 100,000 individuals or more 0 d. 9. HIPAA Business Associate Agreement a. Will Applicant/Bidder use, disclose, create, receive, transmit or maintain protected 0 Yes health information on behalf of a HIPAA-covered Texas HHS agency for a HIPAA- 0 No covered function? b. Does Applicant/Bidder have a Privacy Notice prominently displayed on a Webpage or a 0 Yes Public Office of Applicant/Bidder's business open to or that serves the public? (This is a 0 No HIPAA requirement. Answer "N/A" if not applicable, such as for agencies not covered 0 N/A by HIPAA.) Action Plan for Compliance with a Timeline: Compliance Date: 10. Subcontractors. If the Applicant/Bidder responded "0" to Question 4 (indicating no subcontractors), check"N/A" for both 'a.' and 'b.' a. Does Applicant/Bidder require subcontractors to execute the DUA Attachment 1 0 Yes Subcontractor Agreement Form? 0 No 0 N/A Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HI-IS System-Data Use Agreement-Attachment 2: Page 2 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 b. Will Applicant/Bidder agree to require subcontractors who will access Confidential 0 Yes Information to comply with the terms of the DUA, not disclose any Confidential 0 No Information to them until they have agreed in writing to the same safeguards and to Q N/A discontinue their access to the Confidential Information if they fail to comply? Action Plan for Compliance with a Timeline: Compliance Date: 11. Does Applicant/Bidder have any Optional Insurance currently in place? Optional Insurance provides coverage for:(1)Network Security and Privacy;(2)Data Breach;(3)Cyber 0 Yes Liability(lost data,lost use or delay/suspension in business,denial of service with e-business,the Internet, 0 No networks and informational assets,such as privacy,intellectual property,virus transmission,extortion, 0 N/A sabotage or web activities);(4)Electronic Media Liability;(5)Crime/Theft;(6)Advertising Injury and Personal Injury Liability;and(7)Crisis Management and Notification Expense Coverage. SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 3 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 SECTION B: PRIVACY RISK ANALYSIS AND ASSESSMENT (To be completed by Applicant/Bidder) For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed. 1. Written Policies & Procedures. Does Applicant/Bidder have current written privacy and Yes or No security policies and procedures that, at a minimum: a. Does Applicant/Bidder have current written privacy and security policies and 0 Yes procedures that identify Authorized Users and Authorized Purposes(as defined in the © No DUA) relating to creation, receipt, maintenance, use, disclosure, access or transmission of Texas HHS Confidential Information? Action Plan for Compliance with a Timeline: Compliance Date: b. Does Applicant/Bidder have current written privacy and security policies and I�Yes procedures that require Applicant/Bidder and its Workforce to comply with the applicable provisions of HIPAA and other laws referenced in the DUA, relating No to creation, receipt, maintenance, use, disclosure, access or transmission of Texas HHS Confidential Information on behalf of a Texas HHS agency? Action Plan for Compliance with a Timeline: Compliance Date: c. Does Applicant/Bidder have current written privacy and security policies and procedures I®Yes that limit use or disclosure of Texas HHS Confidential Information to the minimum that is Q No necessary to fulfill the Authorized Purposes? Action Plan for Compliance with a Timeline: Compliance Date: d. Does Applicant/Bidder have current written privacy and security policies and procedures O Yes that respond to an actual or suspected breach of Texas HHS Confidential Information, to include at a minimum (if any responses are "No" check "No"for all three): 0 No i. Immediate breach notification to the Texas HHS agency, regulatory authorities, and other required Individuals or Authorities, in accordance with Article 4 of the DUA; ii. Following a documented breach response plan, in accordance with the DUA and applicable law; & iii. Notifying Individuals and Reporting Authorities whose Texas HHS Confidential Information has been breached, as directed by the Texas HHS agency? SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 4 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 Action Plan for Compliance with a Timeline: Compliance Date: e. Does Applicant/Bidder have current written privacy and security policies and procedures 0 Yes that conduct annual workforce training and monitoring for and correction of any training delinquencies? 0 No Action Plan for Compliance with a Timeline: Compliance Date: f. Does Applicant/Bidder have current written privacy and security policies and ® Yes procedures that permit or deny individual rights of access, and amendment or correction, when appropriate? 0 No Action Plan for Compliance with a Timeline: Compliance Date: g. Does Applicant/Bidder have current written privacy and security policies and procedures 0 Yes that permit only Authorized Users with up-to-date privacy and security training, and © No with a reasonable and demonstrable need to use, disclose, create, receive, maintain, access or transmit the Texas HHS Confidential Information, to carry out an obligation under the DUA for an Authorized Purpose, unless otherwise approved in writing by a Texas HHS agency? Action Plan for Compliance with a Timeline: Compliance Date: h. Does Applicant/Bidder have current written privacy and security policies and procedures 0 Yes that establish, implement and maintain proof of appropriate sanctions against any © No Workforce or Subcontractors who fail to comply with an Authorized Purpose or who is not an Authorized User, and used or disclosed Texas HHS Confidential Information in violation of the DUA, the Base Contract or applicable law? Action Plan for Compliance with a Timeline: Compliance Date: i. Does Applicant/Bidder have current written privacy and security policies and 0 Yes procedures that require updates to policies, procedures and plans following major ® No changes with use or disclosure of Texas HHS Confidential Information within 60 days of identification of a need for update? Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 5 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 j. Does Applicant/Bidder have current written privacy and security policies and 0 Yes procedures that restrict permissions or attempts to re-identify or further identify 0 No de-identified Texas HHS Confidential Information, or attempt to contact any Individuals whose records are contained in the Texas HHS Confidential Information, except for an Authorized Purpose, without express written authorization from a Texas HHS agency or as expressly permitted by the Base Contract? Action Plan for Compliance with a Timeline: Compliance Date: k. If Applicant/Bidder intends to use, disclose, create, maintain, store or transmit Texas HHS 0 Yes Confidential Information outside of the United States, will Applicant/Bidder obtain the No express prior written permission from the Texas HHS agency and comply with the Texas HHS agency conditions for safeguarding offshore Texas HHS Confidential Information? Action Plan for Compliance with a Timeline: Compliance Date: I. Does Applicant/Bidder have current written privacy and security policies and procedures 0 Yes that require cooperation with Texas HHS agencies' or federal regulatory inspections, ® No audits or investigations related to compliance with the DUA or applicable law? Action Plan for Compliance with a Timeline: Compliance Date: m. Does Applicant/Bidder have current written privacy and security policies and ®Yes procedures that require appropriate standards and methods to destroy or dispose of o No Texas HHS Confidential Information? Action Plan for Compliance with a Timeline: Compliance Date: n. Does Applicant/Bidder have current written privacy and security policies and procedures 0 Yes that prohibit disclosure of Applicant/Bidder's work product done on behalf of Texas HHS © No pursuant to the DUA, or to publish Texas HHS Confidential Information without express prior approval of the Texas HHS agency? Action Plan for Compliance with a Timeline: Compliance Date: 2. Does Applicant/Bidder have a current Workforce training program? 0 Yes Training of Workforce must occur at least once every year,and within 30 days of date of hiring a new O No Workforce member who will handle Texas HHS Confidential Information.Training must include:(1)privacy and security policies,procedures,plans and applicable requirements for handling Texas HHS Confidential Information,(2)a requirement to complete training before access is given to Texas HHS Confidential Information,and(3)written proof of training and a procedure for monitoring timely completion of training. SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 6 of 18 SECURITY AND PRIVACY INQUIRY(SPI) • DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 Action Plan for Compliance with a Timeline: Compliance Date: 3. Does Applicant/Bidder have Privacy Safeguards to protect Texas HHS Confidential ®Yes Information in oral, paper and/or electronic form? 0 No "Privacy Safeguards" means protection of Texas HHS Confidential Information by establishing,implementing and maintaining required Administrative, Physical and Technical policies,procedures,processes and controls, required by the DUA,HIPAA(45 CFR 164.530),Social Security Administration, Medicaid and laws,rules or regulations,as applicable.Administrative safeguards include administrative protections,policies and procedures for matters such as training,provision of access,termination,and review of safeguards,incident management,disaster recovery plans,and contract provisions.Technical safeguards include technical protections,policies and procedures,such as passwords, logging,emergencies,how paper is faxed or mailed, and electronic protections such as encryption of data. Physical safeguards include physical protections, policies and procedures,such as locks,keys,physical access,physical storage and trash. Action Plan for Compliance with a Timeline: Compliance Date: 4. Does Applicant/Bidder and all subcontractors (if applicable) maintain a current list of 0 Yes Authorized Users who have access to Texas HHS Confidential Information, whether oral, ©No written or electronic? Action Plan for Compliance with a Timeline: Compliance Date: 5. Does Applicant/Bidder and all subcontractors (if applicable) monitor for and remove °Yes terminated employees or those no longer authorized to handle Texas HHS 0 No Confidential Information from the list of Authorized Users? Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 7 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 • ` g • ' • ` ' . ` o , V T(to be completed by Applicant/Bidder+ This section is about your electronic system. If your business DOES NOT store, access, or No Electronic transmit Texas HHS Confidential Information in electronic systems(e.g., laptop, personal Systems use computer, mobile device, database, server, etc.) select the box to the right, and "YES" will be entered for all questions in this section. For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related items is 30 calendar days, PH-related items is 90 calendar days. 1. Does the Applicant/Bidder ensure that services which access, create, disclose, receive, 0 Yes transmit, maintain, or store Texas HHS Confidential Information are maintained IN the 0 No United States (no offshoring) unless ALL of the following requirements are met? a. The data is encrypted with FIPS 140-2 validated encryption b. The offshore provider does not have access to the encryption keys c. The Applicant/Bidder maintains the encryption key within the United States d. The Application/Bidder has obtained the express prior written permission of the Texas HHS agency For more information regarding F/PS 140-2 encryption products,please refer to: http://csrc.nlst.aov/p!Ib/1cations/flys Action Plan for Compliance with a Timeline: Compliance Date: 2. Does Applicant/Bidder utilize an IT security-knowledgeable person or company to maintain 0 Yes or oversee the configurations of Applicant/Bidder's computing systems and devices? 0 No Action Plan for Compliance with a Timeline: Compliance Date: 3. Does Applicant/Bidder monitor and manage access to Texas HHS Confidential Information ®Yes (e.g., a formal process exists for granting access and validating the need for users to access O No Texas HHS Confidential Information, and access is limited to Authorized Users)? Action Plan for Compliance with a Timeline: Compliance Date: 4. Does Applicant/Bidder a) have a system for changing default passwords, b) require user eyes password changes at least every 90 calendar days, and c) prohibit the creation of weak 0 No passwords (e.g., require a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numerals, where possible) for all computer systems that access or store Texas HHS Confidential Information. If yes, upon request must provide evidence such as a screen shot or a system report. Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 8 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-A0FA8A1360E8 5. Does each member of Applicant/Bidder's Workforce who will use, disclose, create, receive, 0 Yes transmit or maintain Texas HHS Confidential Information have a unique user name ©No (account) and private password? Action Plan for Compliance with a Timeline: Compliance Date: 6. Does Applicant/Bidder lock the password after a certain number of failed attempts and ()Yes after 15 minutes of user inactivity in all computing devices that access or store Texas ©No HHS Confidential Information? Action Plan for Compliance with a Timeline: Compliance Date: 7. Does Applicant/Bidder secure, manage and encrypt remote access (including wireless ®Yes access)to computer systems containing Texas HHS Confidential Information? (e.g., a formal 0 No process exists for granting access and validating the need for users to remotely access Texas HHS Confidential Information, and remote access is limited to Authorized Users). Encryption is required for all Texas HHS Confidential Information. Additionally,FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act(HIPAA)data,Criminal Justice Information Services(GIS)data, Internal Revenue Service Federal Tax Information(IRS FTI)data,and Centers for Medicare&Medicaid Services(CMS)data. For more information regarding FIPS 140-2 encryption products,please refer to: http://csrc.nlst.aov/publications/fips Action Plan for Compliance with a Timeline: Compliance Date: 8. Does Applicant/Bidder implement computer security configurations or settings for all 0 Yes computers and systems that access or store Texas HHS Confidential Information? ©No (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit exploitation opportunities for hackers or intruders, etc.) Action Plan for Compliance with a Timeline: Compliance Date: 9. Does Applicant/Bidder secure physical access to computer, paper, or other systems O Yes containing Texas HHS Confidential Information from unauthorized personnel and theft 0 No (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.)? Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 9 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-CORA-4AE5-B70C-AOFA8A1360E8 10. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential 0 Yes Information that is transmitted over a public network(e.g., the Internet,WiFi, etc.)? ®No If yes, upon request must provide evidence such as a screen shot or a system report. Encryption is required fcr all HHS Confidential Information. Additionally,FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act(HIPAA)data,Criminal Justice Information Services PIS)data,Internal Revenue Service Federal Tax Information(IRS FTI)data,and Centers for Medicare&Medicaid Services(CMS)data. For more information regarding FIPS 140-2 encryption products,please refer to: htty://csrc.nlst.aov/vubllcotlons/flus Action Plan for Compliance with a Timeline: Compliance Date: 11. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential ®Yes Information stored on end user devices(e.g., laptops, USBs,tablets, smartphones, external a No hard drives, desktops, etc.)? If yes, upon request must provide evidence such as a screen shot or a system report. Encryption is required for all Texas HHS Confidential Information. Additionally,FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act(HIPAA)data,Criminal Justice Information Services(CPS)data, Internal Revenue Service Federal Tax Information(IRS FTI)data,and Centers for Medicare&Medicaid Services(CMS)data. For more information regarding FIPS 140-2 encryption products,please refer to: h ttv://csrc,nist.aov/publico kions/fivs Action Plan for Compliance with a Timeline: Compliance Date: 12.Does Applicant/Bidder require Workforce members to formally acknowledge rules outlining 0 Yes their responsibilities for protecting Texas HHS Confidential Information and associated 0 No systems containing HHS Confidential Information before their access is provided? Action Plan for Compliance with a Timeline: Compliance Date: 13. Is Applicant/Bidder willing to perform or submit to a criminal background check on ®Yes Authorized Users? 0 No Action Plan for Compliance with a Timeline: Compliance Date: 14. Does Applicant/Bidder prohibit the access, creation, disclosure, reception, transmission, ®Yes maintenance, and storage of Texas HHS Confidential Information with a subcontractor 0 No (e.g., cloud services, social media, etc.) unless Texas HHS has approved the subcontractor agreement which must include compliance and liability clauses with the same requirements as the Applicant/Bidder? Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 10 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-CORA-4AE5-B70C-AOFA8A1360E8 15. Does Applicant/Bidder keep current on security updates/patches(including firmware, 0 Yes software and applications) for computing systems that use, disclose, access, create, O No transmit, maintain or store Texas HHS Confidential Information? Action Plan for Compliance with a Timeline: Compliance Date: 16. Do Applicant/Bidder's computing systems that use, disclose, access, create, transmit, 0 Yes maintain or store Texas HHS Confidential Information contain up-to-date anti- 0 No malware and antivirus protection? Action Plan for Compliance with a Timeline: Compliance Date: 17. Does the Applicant/Bidder review system security logs on computing systems that access 0 Yes or store Texas HHS Confidential Information for abnormal activity or security concerns on 0 No a regular basis? Action Plan for Compliance with a Timeline: Compliance Date: 18. Notwithstanding records retention requirements, does Applicant/Bidder's disposal 0 Yes processes for Texas HHS Confidential Information ensure that Texas HHS Confidential 0 No Information is destroyed so that it is unreadable or undecipherable? Action Plan for Compliance with a Timeline: Compliance Date: 19. Does the Applicant/Bidder ensure that all public facing websites and mobile 0 Yes applications containing Texas HHS Confidential Information meet security testing O No standards set forth within the Texas Government Code (TGC), Section 2054.516; including requirements for implementing vulnerability and penetration testing and addressing identified vulnerabilities? For more information regarding TGC,Section 2054.516 DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS,please refer to: httos://leaiscan.com/TX/text/HB8/2017 Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 11 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-CORA-4AE5-B70C-AOFA8A1360E8 SECTION D: SIGNATURE AND SUBMISSION (to be completed by Applicant/Bidder) Please sign the form digitally, if possible. If you can't, provide a handwritten signature. 1. I certify that all of the information provided in this form is truthful and correct to the best of my knowledge. If I learn that any such information was not correct, I agree to notify Texas HHS of this immediately. 2.Signature 3.Title . Date: Tina Be I oc k octet.:ll2023.0y signed4.26by T13:0ina Belock 5:16 05'00' Deputy Registrar To submit the completed,signed form: • Email the form as an attachment to the appropriate Texas HHS Contract Manager(s). Section E: To Be Completed by Texas HHS Agency Staff: Agency(s): Requesting Department(s): HHSC:❑ DFPS: ❑ DSHS:❑ Legal Entity Tax Identification Number(TIN) (Last four Only): PO/Contract(s)#: I'll Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: Contract Manager: Contract Manager Email Address: Contract Manager Telephone it Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: • Contract Manager: Contract Manager Email Address: Contract Manager Telephone#: SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 12 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 1111 31 rwL I ILMIJ run wrvirLt i nvv THE SECURITY AND PRIVACY INQUIRY(SPI) Below are instructions for Applicants, Bidders and Contractors for Texas Health and Human Services requiring the Attachment 2, Security and Privacy Inquiry (SPI) to the Data Use Agreement (DUA). Instruction item numbers below correspond to sections on the SPI form. If you are a bidder for a new procurement/contract, in order to participate in the bidding process,you must have corrected any"No" responses(except A9a)prior to the contract award date. If you are an applicant for an open enrollment,you must have corrected any"No"answers(except A9a and All)prior to performing any work on behalf of any Texas HHS agency. For any questions answered "No" (except A9a and All),an Action Plan for Compliance with a Timeline must be documented in the designated area below the question.The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed. SECTION A. APPLICANT/BIDDER INFORMATION Item#1. Only contractors that access, transmit,store, and/or maintain Texas HHS Confidential Information will complete and email this form as an attachment to the appropriate Texas HHS Contract Manager. Item#2. Entity or Applicant/Bidder Legal Name. Provide the legal name of the business(the name used for legal purposes, like filing a federal or state tax form on behalf of the business,and is not a trade or assumed named "dba"), the legal tax identification number(last four numbers only)of the entity or applicant/bidder, the address of the corporate or main branch of the business, the telephone number where the business can be contacted regarding questions related to the information on this form and the website of the business, if a website exists. Item#3.Number of Employees,at all locations,in Applicant/Bidder's workforce. Provide the total number of individuals,including volunteers,subcontractors, trainees, and other persons who work for the business. If you are the only employee,please answer"1." Item#4.Number of Subcontractors. Provide the total number of subcontractors working for the business. If you have none,please answer"0"zero. Item#5. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to handle HHS Confidential Information during one year. Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Texas HHS Confidential Information during a year. Only count clients/consumers once, no matter how many direct services the client receives during a year. item#5.Name of Information Technology Security Official and Name of Privacy Official for Applicant/Bidder. As with all other fields on the SPi, this is a required field. This may be the same person and the owner of the business if such person has the security and privacy knowledge that is required to implement the requirements of the DUA and respond to questions related to the SPI. In 4.A. provide the name, address, telephone number, and email address of the person whom you have designated to answer any security questions found in Section C and in 4.8.provide this information for the person whom you have designated as the person to answer any privacy questions found in Section B. The business may contract out for this expertise;however,designated individual(s)must have knowledge of the business's devices,systems and methods for use, disclosure,creation, receipt, transmission and maintenance of Texas HHS Confidential Information and be willing to be the point of contact for privacy and security questions. Item#6. Type(s)of HHS Confidential Information the Entity or Applicant/Bidder Will Create,Receive,Maintain, Use, Disclose or Have Access to: Provide a complete listing of all Texas HHS Confidential Information that the Contractor will create, receive, maintain, use, disclose or have access to. The DUA section Article 2, Definitions, defines Texas HHS Confidential Information as: "Confidential Information"means any communication or record(whether oral, written, electronically stored or transmitted, or in any other form)provided to or made available to CONTRACTOR or that CONTRACTOR may create,receive, maintain, use, disclose or have access to on behalf of Texas HHS that consists of or includes any or all of the following: (1)Client Information; (2)Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information; (3)Sensitive Personal Information defined by Texas Business and Commerce Code Ch.521; SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 13 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID: E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 (4)l-eaerai lax information; (5)Personally Identifiable Information; (6)Social Security Administration Data, including, without limitation, Medicaid information; (7)All privileged work product; (8)All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health&Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552. Definitions for the following types of confidential information can be found the following sites: • Health Insurance Portability and Accountability Act(HIPAA)-http://www.hhs.ciov/hipaa/index.html • Criminal Justice Information Services(CJIS)-https://www.fbi.aov/services/clis/c11s-security-pollcv-resource-center • Internal Revenue Service Federal Tax Information(IRS FTI)-httas://www.irs.aov/pub/irs-pdf/p1075.pdf • Centers for Medicare& Medicaid Services(CMS)-https://www.cros.aov/Reaulatlons-and-Guldance/Reaulatlons-and- Guidance.html •Social Security Administration(SSA)-https://www.ssa.aov/regulations/ • Personally Identifiable Information (PII)-http://csrc.nist.aov/publications/nistpubs/800-122/sp800-122.0df Item#7.Number of Storage devices for Texas HHS Confidential Information. The total number of devices is automatically calculated by exiting the fields in lines a-d. Use the<Tab>key when exiting the field to prompt calculation, if it doesn't otherwise sum correctly. • Item 7a.Devices. Provide the number of personal user computers, devices, and drives(including mobile devices,laptops, USB drives,and external drives)on which your business stores or will store Texas HHS Confidential Information. • Item 7b.Servers. Provide the number of servers not housed in a data center or"in the cloud,"on which Texas HHS Confidential Information is stored or will be stored.A server is a dedicated computer that provides data or services to other computers. It may provide services or data to systems on a local area network(LAN)or a wide area network(WAN)over the Internet. If none,answer"0"(zero). • Item 7c. Cloud Services. Provide the number of cloud services to which Texas HHS Confidential Information is stored. Cloud Services involve using a network of remote servers hosted on the Internet to store, manage,and process data,rather than on a local server or a personal computer. If none,answer"0"(zero.) • Item 7d. Data Centers. Provide the number of data centers in which you store Texas HHS Confidential Information.A Data Center is a centralized repository,either physical or virtual,for the storage,management,and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business. If none,answer"0"(zero). Item#8. Number of unduplicated individuals for whom the Applicant/Bidder reasonably expects to handle Texas HHS Confidential Information during one year.Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Confidential Information during a year. Only count clients/consumers once, no matter how many direct services the client receives during a year. Item#9. HIPAA Business Associate Agreement. • Item#9a.Answer"Yes"if your business will use, disclose, create,receive, transmit, or store information relating to a client/consumer's healthcare on behalf of the Department of State Health Services, the Department of Disability and Aging Services, or the Health and Human Services Commission for treatment, payment, or operation of Medicaid or Medicaid clients. If your contract does not include HIPAA covered information, respond "no."If"no,"a compliance plan is not required. • Item#9b. Answer"Yes"if your business has a notice of privacy practices(a document that explains how you protect and use a client/consumer's healthcare information)displayed either on a website(if one exists for your business)or in your place of business(if that location is open to clients/consumers or the public). if your contract does not include HIPAA covered information, respond "N/A." item#10.Subcontractors. If your business responded "0"to question 4 (number of subcontractors),Answer"N/A"to Items 10a and 10b to indicate not applicable. • Item#10a.Answer"Yes"if your business requires that all subcontractors sign Attachment 1 of the DUA. • Item#10b.Answer"Yes"if your business obtains Texas HHS approval before permitting subcontractors to handle Texas HHS Confidential Information on your business's behalf. Item#11. Optional Insurance.Answer"yes"if applicant has optional insurance in place to provide coverage for a Breach or any SPI Version 2.1 (0612018) Texas HHS System-Data Use Agreement-Attachment 2: Page 14 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 otner situations listed in tnis question. if you are not required to have this optional coverage, answer"N/A"A compliance plan is not required. SECTION B. PRIVACY RISK ANALYSIS AND ASSESSMENT Reasonable and appropriate written Privacy and Security policies and procedures are required,even for sole proprietors who are the only employee,to demonstrate how your business will safeguard Texas HHS Confidential Information and respond in the event of a Breach of Texas HHS Confidential Information.To ensure that your business is prepared, all of the items below must be addressed in your written Privacy and Security policies and procedures. Item#1.Answer"Yes" if you have written policies in place for each of the areas (a-o). • Item#1a.Answer"yes" if your business has written policies and procedures that identify everyone, including subcontractors,who are authorized to use Texas HHS Confidential Information.The policies and procedures should also identify the reason why these Authorized Users need to access the Texas HHS Confidential Information and this reason must align with the Authorized Purpose described in the Scope of Work or description of services in the Base Contract with the Texas HHS agency. • Item#1b.Answer"Yes" if your business has written policies and procedures that require your employees(including yourself),your volunteers,your trainees, and any other persons whose work you direct,to comply with the requirements of HIPAA, if applicable,and other confidentiality laws as they relate to your handling of Texas HHS Confidential Information. Refer to the laws and rules that apply, including those referenced in the DUA and Scope of Work or description of services in the Base Contract. • Item#1c.Answer"Yes" if your business has written policies and procedures that limit the Texas HHS Confidential Information you disclose to the minimum necessary for your workforce and subcontractors (if applicable)to perform the obligations described in the Scope of Work or service description in the Base Contract. (e.g., if a client/consumer's Social Security Number is not required for a workforce member to perform the obligations described in the Scope of Work or service description in the Base Contract,then the Social Security Number will not be given to them.) If you are the only employee for your business, policies and procedures must not include a request for, or use of, Texas HHS Confidential Information that is not required for performance of the services. • Item #1d. Answer "Yes" if your business has written policies and procedures that explain how your business would respond to an actual or suspected breach of Texas HHS Confidential Information. The written policies and procedures, at a minimum, must include the three items below. If any response to the three items below are no, answer"no." O Item#1di.Answer"Yes" if your business has written policies and procedures that require your business to immediately notify Texas HHS,the Texas HHS Agency, regulatory authorities,or other required Individuals or Authorities of a Breach as described in Article 4,Section 4 of the DUA. Refer to Article 4,Section 4.01: Initial Notice of Breach must be provided in accordance with Texas HHS and DUA requirements with as much information as possible about the Event/Breach and a name and contact who will serve as the single point of contact with HHS both on and off business hours. Time frames related to Initial Notice include: • within one hour of Discovery of an Event or Breach of Federal Tax Information,Social Security Administration Data, or Medicaid Client Information • within 24 hours of all other types of Texas HHS Confidential Information 48-hour Formal Notice must be provided no later than 48 hours after Discovery for protected health information,sensitive personal information or other non-public information and must include applicable information as referenced in Section 4.01 (C)2. of the DUA. O Item#1dii.Answer"Yes" if your business has written policies and procedures require you to have and follow a written breach response plan as described in Article 4 Section 4.02 of the DUA. O Item#ldiii.Answer"Yes" if your business has written policies and procedures require you to notify Reporting Authorities and Individuals whose Texas HHS Confidential Information has been breached as described in Article 4 Section 4.03 of the DUA. • Item#1e. Answer "Yes" if your business has written policies and procedures requiring annual training of your entire workforce on matters related to confidentiality, privacy,and security,stressing the importance of promptly reporting any Event or Breach, outlines the process that you will use to require attendance and track completion for employees who failed to complete annual training. SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 15 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 • Item#1f.Answer"Yes" if your business has written policies and procedures requiring you to allow individuals (clients/consumers)to access their individual record of Texas HHS Confidential Information,and allow them to amend or correct that information, if applicable. • Item#1g.Answer"Yes" if your business has written policies and procedures restricting access to Texas HHS Confidential Information to only persons who have been authorized and trained on how to handle Texas HHS Confidential Information • Item#1h.Answer"Yes" if your business has written policies and procedures requiring sanctioning of any subcontractor, employee,trainee,volunteer,or anyone whose work you direct when they have accessed Texas HHS Confidential Information but are not authorized to do so, and that you have a method of proving that you have sanctioned such an individuals. If you are the only employee,you must demonstrate how you will document the noncompliance, update policies and procedures if needed, and seek additional training or education to prevent future occurrences. • Item#1i. Answer"Yes" if your business has written policies and procedures requiring you to update your policies within 60 days after you have made changes to how you use or disclose Texas HHS Confidential Information. • Item#1j.Answer"Yes" if your business has written policies and procedures requiring you to restrict attempts to take de-identified data and re-identify it or restrict any subcontractor, employee,trainee,volunteer,or anyone whose work you direct,from contacting any individuals for whom you have Texas HHS Confidential Information except to perform obligations under the contract, or with written permission from Texas HHS. • Item#1k.Answer"Yes" if your business has written policies and procedures prohibiting you from using, disclosing, creating, maintaining, storing or transmitting Texas HHS Confidential Information outside of the United States. • Item#11.Answer"Yes" if your business has written policies and procedures requiring your business to cooperate with HHS agencies or federal regulatory entities for inspections, audits, or investigations related to compliance with the DUA or applicable law. • Item#1m. Answer"Yes" if your business has written policies and procedures requiring your business to use appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information. Policies and procedures should comply with Texas HHS requirements for retention of records and methods of disposal. • Item#1n.Answer"Yes" if your business has written policies and procedures prohibiting the publication of the work you created or performed on behalf of Texas HHS pursuant to the DUA, or other Texas HHS Confidential Information,without express prior written approval of the HHS agency. Item#2.Answer"Yes" if your business has a current training program that meets the requirements specified in the SPI for you,your employees,your subcontractors,your volunteers,your trainees,and any other persons under you direct supervision. Item#3.Answer"Yes" if your business has privacy safeguards to protect Texas HHS Confidential Information as described in the SPI. Item#4.Answer"Yes" if your business maintains current lists of persons in your workforce, including subcontractors (if applicable),who are authorized to access Texas HHS Confidential Information. If you are the only person with access to Texas HHS Confidential Information, please answer"yes." Item#5.Answer"Yes" if your business and subcontractors(if applicable) monitor for and remove from the list of Authorized Users, members of the workforce who are terminated or are no longer authorized to handle Texas HHS Confidential Information. If you are the only one with access to Texas HHS Confidential Information, please answer"Yes." SECTION C. SECURITY RISK ANALYSIS AND ASSESSMENT This section is about your electronic systems. If you DO NOT store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal computer, mobile device,database,server, etc.),select the "No Electronic Systems" box and respond "Yes"for all questions in this section. Item#1.Answer"Yes" if your business does not"offshore" or use,disclose, create, receive,transmit or maintain Texas HHS Confidential Information outside of the United States. If you are not certain, contact your provider of technology services (application, cloud,data center, network,etc.)and request confirmation that they do not off- shore their data. SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 16 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-1370C-AOFA8A1360E8 item Z.Answer Yes it your business uses a person or company who is knowledgeable in IT security to maintain or oversee the configurations of your business's computing systems and devices.You may be that person,or you may hire someone who can provide that service for you. Item#3.Answer"Yes" if your business monitors and manages access to Texas HHS Confidential Information (i.e., reviews systems to ensure that access is limited to Authorized Users; has formal processes for granting,validating,and reviews the need for remote access to Authorized Users to Texas HHS Confidential Information, etc.). If you are the only employee, answer"Yes" if you have implemented a process to periodically evaluate the need for accessing Texas HHS Confidential Information to fulfill your Authorized Purposes. Item#4.Answer "Yes" if your business has implemented a system for changing the password a system initially assigns to the user(also known as the default password),and requires users to change their passwords at least every 90 days,and prohibits the creation of weak passwords for all computer systems that access or store Texas HHS Confidential Information (e.g., a strong password has a minimum of 8 characters with a combination of uppercase, lowercase,special characters,and numbers,where possible). If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this,see example: h ttps://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy Item#5.Answer"Yes" if your business assigns a unique user name and private password to each of your employees, your subcontractors,your volunteers,your trainees and any other persons under your direct control who will use, disclose,create, receive,transmit or maintain Texas HHS Confidential Information. Item#6.Answer "Yes" if your business locks the access after a certain number of failed attempts to login and after 15 minutes of user inactivity on all computing devices that access or store Texas H H S Confidential Information. If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: h ttps://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy Item#7.Answer"Yes" if your business secures, manages,and encrypts remote access,such as: using Virtual Private Network(VPN) software on your home computer to access Texas HHS Confidential Information that resides on a computer system at a business location or, if you use wireless,ensuring that the wireless is secured using a password code. If you do not access systems remotely or over wireless,answer"Yes." Item#8.Answer"Yes" if your business updates the computer security settings for all your computers and electronic systems that access or store Texas HHS Confidential Information to prevent hacking or breaches (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit opportunities for hackers or intruders to access your system). For example, Microsoft's Windows security checklist: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings Item#9.Answer"Yes" if your business secures physical access to computer, paper,or other systems containing Texas HHS Confidential Information from unauthorized personnel and theft(e.g., door locks,cable locks, laptops are stored in the trunk of the car instead of the passenger area,etc.). If you are the only employee and use these practices for your business, answer"Yes." Item#10.Answer"Yes" if your business uses encryption products to protect Texas HHS Confidential Information that is transmitted over a public network(e.g.,the Internet,WIFI,etc.)or that is stored on a computer system that is physically or electronically accessible to the public(FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act(HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare& Medicaid Services (CMS)data.) For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips). Item#11.Answer"Yes" if your business stores Texas HHS Confidential Information on encrypted end-user electronic devices (e.g., laptops, USBs,tablets,smartphones, external hard drives,desktops,etc.)and can produce evidence of the encryption, such as, a screen shot or a system report(FIPS 140-2 encryption is required for Health Insurance Portability and Accountability Act (HIPAA)data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare &Medicaid Services (CMS) data). For more information regarding FIPS 140-2 validated encryption products, please refer to: http://csrc.nist.gov/publications/fips). If you do not utilize end-user electronic devices for storing Texas HHS Confidential Information,answer"Yes." SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 17 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-CORA-4AE5-B70C-AOFA8A1360E8 Item#12.Answer"Yes" if your business requires employees,volunteers,trainees and other workforce members to sign a document that clearly outlines their responsibilities for protecting Texas HHS Confidential Information and associated systems containing Texas HHS Confidential Information before they can obtain access. If you are the only employee answer "Yes" if you have signed or are willing to sign the DUA,acknowledging your adherence to requirements and responsibilities. Item#13. Answer "Yes" if your business is willing to perform a criminal background check on employees, subcontractors, volunteers, or trainees who access Texas HHS Confidential Information. If you are the only employee, answer"Yes" if you are willing to submit to a background check. Item#14.Answer"Yes" if your business prohibits the access,creation, disclosure, reception,transmission, maintenance, and storage of Texas HHS Confidential Information on Cloud Services or social media sites if you use such services or sites, and there is a Texas HHS approved subcontractor agreement that includes compliance and liability clauses with the same requirements as the Applicant/Bidder. If you do not utilize Cloud Services or media sites for storing Texas HHS Confidential Information,answer"Yes." Item#15.Answer"Yes" if your business keeps current on security updates/patches (including firmware,software and applications)for computing systems that use, disclose, access, create,transmit, maintain or store Texas HHS Confidential Information. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating,see example: https://portal.msrc.microsoft.com/en-us/ Item#16.Answer"Yes" if your business's computing systems that use,disclose, access,create,transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti-malware and antivirus protection. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating,see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/ Item #17. Answer "Yes" if your business reviews system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis. If you use a Microsoft Windows system, refer to the Microsoft website for ensuring your system is logging security events,see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-security-audit-policies Item#18.Answer"Yes" if your business disposal processes for Texas HHS Confidential Information ensures that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable. Simply deleting data or formatting the hard drive is not enough; ensure you use products that perform a secure disk wipe. Please see NIST SP 800-88 R1, Guidelines for Media Sanitization and the applicable laws and regulations for the information type for further guidance. Item#19.Answer"Yes" if your business ensures that all public facing websites and mobile applications containing HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC),Section 2054.516 SECTION D. SIGNATURE AND SUBMISSION Click on the signature area to digitally sign the document. Email the form as an attachment to the appropriate Texas HHS Contract Manager. SPI Version 2.1 (06/2018) Texas HHS System-Data Use Agreement-Attachment 2: Page 18 of 18 SECURITY AND PRIVACY INQUIRY(SPI) DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 HEALTH AND HUMAN SERVICES Contract Number HHSREV100002919 Attachment B CONTRACT AFFIRMATIONS For purposes of these Contract Affirmations,HHS includes both the Health and Human Services Commission (HHSC)and the Department of State Health Services(DSHS). System Agency refers to HHSC,DSHS,or both,that will be a party to this Contract.These Contract Affirmations apply to all Contractors and Grantees (referred to as"Contractor")regardless of their business form(e.g., individual,partnership,corporation). By entering into this Contract, Contractor affirms,without exception,understands,and agrees to comply with the following items through the life of the Contract: 1. Contractor represents and warrants that these Contract Affirmations apply to Contractor and all of Contractor's principals,officers, directors, shareholders,partners,owners, agents,employees, subcontractors, independent contractors,and any other representatives who may provide services under,who have a financial interest in,or otherwise are interested in this Contract and any related Solicitation. 2. Complete and Accurate Information Contractor represents and warrants that all statements and information provided to HHS are current, complete,and accurate.This includes all statements and information in this Contract and any related Solicitation Response. 3. Public Information Act Contractor understands that HHS will comply with the Texas Public Information Act (Chapter 552 of the Texas Government Code)as interpreted by judicial rulings and opinions of the Attorney General of the State of Texas. Information,documentation, and other material prepared and submitted in connection with this Contract or any related Solicitation may be subject to public disclosure pursuant to the Texas Public Information Act. In accordance with Section 2252.907 of the Texas Government Code,Contractor is required to make any information created or exchanged with the State pursuant to the Contract,and not otherwise excepted from disclosure under the Texas Public Information Act,available in a format that is accessible by the public at no additional charge to the State. 4. Contracting Information Requirements Contractor represents and warrants that it will comply with the requirements of Section 552.372(a)of the Texas Government Code. Except as provided by Section 552.374(c)of the Texas Government Code,the requirements of Subchapter J(Additional Provisions Related to Contracting Information), Chapter 552 of the Government Code, may apply to the Contract and the Contractor agrees that the Contract can be terminated if the Contractor knowingly or intentionally fails to comply with a requirement of that subchapter. Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 1 of 13 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 5. Assignment A. Contractor shall not assign its rights under the Contract or delegate the performance of its duties under the Contract without prior written approval from System Agency. Any attempted assignment in violation of this provision is void and without effect. B. Contractor understands and agrees the System Agency may in one or more transactions assign,pledge,or transfer the Contract.Upon receipt of System Agency's notice of assignment,pledge,or transfer,Contractor shall cooperate with System Agency in giving effect to such assignment,pledge,or transfer,at no cost to System Agency or to the recipient entity. 6. Terms and Conditions Contractor accepts the Solicitation terms and conditions unless specifically noted by exceptions advanced in the form and manner directed in the Solicitation, if any,under which this Contract was awarded. Contractor agrees that all exceptions to the Solicitation, as well as terms and conditions advanced by Contractor that differ in any manner from HHS' terms and conditions, if any,are rejected unless expressly accepted by System Agency in writing. 7. HHS Right to Use Contractor agrees that HHS has the right to use,produce,and distribute copies of and to disclose to HHS employees,agents,and contractors and other governmental entities all or part of this Contract or any related Solicitation Response as HHS deems necessary to complete the procurement process or comply with state or federal laws. 8. Release from Liability Contractor generally releases from liability and waives all claims against any party providing information about the Contractor at the request of System Agency. 9. Dealings with Public Servants Contractor has not given,has not offered to give,and does not intend to give at any time hereafter any economic opportunity, future employment,gift, loan, gratuity,special discount,trip, favor,or service to a public servant in connection with this Contract or any related Solicitation,or related Solicitation Response. 10. Financial Participation Prohibited Under Section 2155.004,Texas Government Code(relating to financial participation in preparing solicitations), Contractor certifies that the individual or business entity named in this Contract and any related Solicitation Response is not ineligible to receive this Contract and acknowledges that this Contract may be terminated and payment withheld if this certification is inaccurate. 11. Prior Disaster Relief Contract Violation Under Sections 2155.006 and 2261.053 of the Texas Government Code(relating to convictions and penalties regarding Hurricane Rita,Hurricane Katrina,and other disasters),the Contractor certifies that the individual or business entity named in this Contract and any related Solicitation Response is not ineligible to receive this Contract Ilealth and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 2 of 13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-670C-AOFA8A1360E8 and acknowledges that this Contract may be terminated and payment withheld if this certification is inaccurate. 12. Child Support Obligation Under Section 231.006(d)of the Texas Family Code regarding child support,Contractor certifies that the individual or business entity named in this Contract and any related Solicitation Response is not ineligible to receive the specified payment and acknowledges that the Contract may be terminated and payment may be withheld if this certification is inaccurate. If the certification is shown to be false,Contractor may be liable for additional costs and damages set out in 231.006(f). 13. Suspension and Debarment Contractor certifies that it and its principals are not suspended or debarred from doing business with the state or federal government as listed on the State of Texas Debarred Vendor List maintained by the Texas Comptroller of Public Accounts and the System for Award Management(SAM)maintained by the General Services Administration. This certification is made pursuant to the regulations implementing Executive Order 12549 and Executive Order 12689,Debarment and Suspension,2 C.F.R. Part 376,and any relevant regulations promulgated by the Department or Agency funding this project.This provision shall be included in its entirety in Contractor's subcontracts,if any, if payment in whole or in part is from federal funds. 14. Excluded Parties Contractor certifies that it is not listed in the prohibited vendors list authorized by Executive Order 13224, "Blocking Property and Prohibiting Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism,"published by the United States Department of the Treasury, Office of Foreign Assets Control.' 15. Foreign Terrorist Organizations Contractor represents and warrants that it is not engaged in business with Iran, Sudan,or a foreign terrorist organization, as prohibited by Section 2252.152 of the Texas Government Code. 16. Executive Head of a State Agency In accordance with Section 669.003 of the Texas Government Code,relating to contracting with the executive head of a state agency,Contractor certifies that it is not(1) the executive head of an HHS agency, (2)a person who at any time during the four years before the date of this Contract was the executive head of an HHS agency,or(3)a person who employs a current or former executive head of an HHS agency. 17. Human Trafficking Prohibition Under Section 2155.0061 of the Texas Government Code,Contractor certifies that the individual or business entity named in this Contract is not ineligible to receive this Contract and acknowledges that this Contract may be terminated and payment withheld if this certification is inaccurate. Health and Unman Services Contract Affirmations v.2.2 Effective May 2022 Page 3 of 13 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 18. Franchise Tax Status Contractor represents and warrants that it is not currently delinquent in the payment of any franchise taxes owed the State of Texas under Chapter 171 of the Texas Tax Code. 19. Debts and Delinquencies Contractor agrees that any payments due under this Contract shall be applied towards any debt or delinquency that is owed to the State of Texas. 20. Lobbying Prohibition Contractor represents and warrants that payments to Contractor and Contractor's receipt of appropriated or other funds under this Contract or any related Solicitation are not prohibited by Sections 556.005, 556.0055,or 556.008 of the Texas Government Code (relating to use of appropriated money or state funds to employ or pay lobbyists, lobbying expenses,or influence legislation). 21. Buy Texas Contractor agrees to comply with Section 2155.4441 of the Texas Government Code, requiring the purchase of products and materials produced in the State of Texas in performing service contracts. 22. Disaster Recovery Plan Contractor agrees that upon request of System Agency, Contractor shall provide copies of its most recent business continuity and disaster recovery plans. 23. Computer Equipment Recycling Program If this Contract is for the purchase or lease of computer equipment,then Contractor certifies that it is in compliance with Subchapter Y,Chapter 361 of the Texas Health and Safety Code related to the Computer Equipment Recycling Program and the Texas Commission on Environmental Quality rules in 30 TAC Chapter 328. 24. Television Equipment Recycling Program If this Contract is for the purchase or lease of covered television equipment,then Contractor certifies that it is compliance with Subchapter Z,Chapter 361 of the Texas Health and Safety Code related to the Television Equipment Recycling Program. 25. Cybersecurity Training A. Contractor represents and warrants that it will comply with the requirements of Section 2054.5192 of the Texas Government Code relating to cybersecurity training and required verification of completion of the training program. B. Contractor represents and warrants that if Contractor or Subcontractors, officers,or employees of Contractor have access to any state computer system or database,the Contractor, Subcontractors,officers,and employees of Contractor shall complete cybersecurity training pursuant to and in accordance with Government Code, Section 2054.5192. Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Pagc4of13 DocuSign Envelope ID E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 26. Restricted Employment for Certain State Personnel Contractor acknowledges that,pursuant to Section 572.069 of the Texas Government Code,a former state officer or employee of a state agency who during the period of state service or employment participated on behalf of a state agency in a procurement or contract negotiation involving Contractor may not accept employment from Contractor before the second anniversary of the date the Contract is signed or the procurement is terminated or withdrawn. 27. No Conflicts of Interest A. Contractor represents and warrants that it has no actual or potential conflicts of interest in providing the requested goods or services to System Agency under this Contract or any related Solicitation and that Contractor's provision of the requested goods and/or services under this Contract and any related Solicitation will not constitute an actual or potential conflict of interest or reasonably create an appearance of impropriety. B. Contractor agrees that, if after execution of the Contract, Contractor discovers or is made aware of a Conflict of Interest, Contractor will immediately and fully disclose such interest in writing to System Agency. In addition,Contractor will promptly and fully disclose any relationship that might be perceived or represented as a conflict after its discovery by Contractor or by System Agency as a potential conflict. System Agency reserves the right to make a final determination regarding the existence of Conflicts of Interest,and Contractor agrees to abide by System Agency's decision. 28. Fraud,Waste,and Abuse Contractor understands that HHS does not tolerate any type of fraud, waste,or abuse. Violations of law,agency policies,or standards of ethical conduct will be investigated, and appropriate actions will be taken. Pursuant to Texas Government Code, Section 321.022, if the administrative head of a department or entity that is subject to audit by the state auditor has reasonable cause to believe that money received from the state by the department or entity or by a client or contractor of the department or entity may have been lost, misappropriated,or misused,or that other fraudulent or unlawful conduct has occurred in relation to the operation of the department or entity,the administrative head shall report the reason and basis for the belief to the Texas State Auditor's Office (SAO). All employees or contractors who have reasonable cause to believe that fraud,waste,or abuse has occurred(including misconduct by any HHS employee, Grantee officer, agent, employee,or subcontractor that would constitute fraud,waste,or abuse)are required to immediately report the questioned activity to the Health and Human Services Commission's Office of Inspector General. Contractor agrees to comply with all applicable laws, rules,regulations,and System Agency policies regarding fraud,waste, and abuse including, but not limited to, HHS Circular C-027. A report to the SAO must be made through one of the following avenues: • SAO Toll Free Hotline: 1-800-TX-AUDIT • SAO website: http://sao.fraud.state.tx.us/ All reports made to the OIG must be made through one of the following avenues: Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 5of13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 • OIG Toll Free Hotline 1-800-436-6184 • OIG Website: ReportTexasFraud.com • Internal Affairs Email: InternalAffairsReferral@hhsc.state.tx.us • OIG Hotline Email: OIGFraudHotline@hhsc.state.tx.us, • OIG Mailing Address: Office of Inspector General Attn: Fraud Hotline MC 1300 P.O. Box 85200 Austin,Texas 78708-5200 29. Antitrust The undersigned affirms under penalty of perjury of the laws of the State of Texas that: A. in connection with this Contract and any related Solicitation Response,neither I nor any representative of the Contractor has violated any provision of the Texas Free Enterprise and Antitrust Act,Tex. Bus. &Comm. Code Chapter 15; B. in connection with this Contract and any related Solicitation Response, neither I nor any representative of the Contractor has violated any federal antitrust law; and C. neither I nor any representative of the Contractor has directly or indirectly communicated any of the contents of this Contract and any related Solicitation Response to a competitor of the Contractor or any other company,corporation, firm, partnership or individual engaged in the same line of business as the Contractor. 30. Legal and Regulatory Actions Contractor represents and warrants that it is not aware of and has received no notice of any court or governmental agency proceeding, investigation,or other action pending or threatened against Contractor or any of the individuals or entities included in numbered paragraph 1 of these Contract Affirmations within the five(5)calendar years immediately preceding execution of this Contract or the submission of any related Solicitation Response that would or could impair Contractor's performance under this Contract,relate to the contracted or similar goods or services,or otherwise be relevant to System Agency's consideration of entering into this Contract. If Contractor is unable to make the preceding representation and warranty,then Contractor instead represents and warrants that it has provided to System Agency a complete,detailed disclosure of any such court or governmental agency proceeding, investigation, or other action that would or could impair Contractor's performance under this Contract,relate to the contracted or similar goods or services, or otherwise be relevant to System Agency's consideration of entering into this Contract. In addition,Contractor acknowledges this is a continuing disclosure requirement. Contractor represents and warrants that Contractor shall notify System Agency in writing within five(5)business days of any changes to the representations or warranties in this clause and understands that failure to so timely update System Agency shall constitute breach of contract and may result in immediate contract termination. Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 6 of 13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 31. No Felony Criminal Convictions Contractor represents that neither Contractor nor any of its employees,agents,or representatives, including any subcontractors and employees, agents,or representative of such subcontractors,have been convicted of a felony criminal offense or that if such a conviction has occurred Contractor has fully advised System Agency in writing of the facts and circumstances surrounding the convictions. 32. Unfair Business Practices Contractor represents and warrants that it has not been the subject of allegations of Deceptive Trade Practices violations under Chapter 17 of the Texas Business and Commerce Code,or allegations of any unfair business practice in any administrative hearing or court suit and that Contractor has not been found to be liable for such practices in such proceedings. Contractor certifies that it has no officers who have served as officers of other entities who have been the subject of allegations of Deceptive Trade Practices violations or allegations of any unfair business practices in an administrative hearing or court suit and that such officers have not been found to be liable for such practices in such proceedings. 33. Entities that Boycott Israel Contractor represents and warrants that(1) it does not, and shall not for the duration of the Contract,boycott Israel or(2)the verification required by Section 2271.002 of the Texas Government Code does not apply to the Contract. If circumstances relevant to this provision change during the course of the Contract, Contractor shall promptly notify System Agency. 34. E-Verify Contractor certifies that for contracts for services, Contractor shall utilize the U.S. Department of Homeland Security's E-Verify system during the term of this Contract to determine the eligibility of: 1. all persons employed by Contractor to perform duties within Texas; and 2. all persons, including subcontractors,assigned by Contractor to perform work pursuant to this Contract within the United States of America. 35. Former Agency Employees—Certain Contracts If this Contract is an employment contract, a professional services contract under Chapter 2254 of the Texas Government Code,or a consulting services contract under Chapter 2254 of the Texas Government Code, in accordance with Section 2252.901 of the Texas Government Code,Contractor represents and warrants that neither Contractor nor any of Contractor's employees including,but not limited to,those authorized to provide services under the Contract,were former employees of an HHS Agency during the twelve(12) month period immediately prior to the date of the execution of the Contract. Ilealth and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 7 of 13 DocuSign Envelope ID: E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 36. Disclosure of Prior State Employment—Consulting Services If this Contract is for consulting services, A. In accordance with Section 2254.033 of the Texas Government Code,a Contractor providing consulting services who has been employed by,or employs an individual who has been employed by, System Agency or another State of Texas agency at any time during the two years preceding the submission of Contractor's offer to provide services must disclose the following information in its offer to provide services. Contractor hereby certifies that this information was provided and remains true, correct,and complete: 1. Name of individual(s)(Contractor or employee(s)); 2. Status; 3. The nature of the previous employment with HHSC or the other State of Texas agency; 4. The date the employment was terminated and the reason for the termination;and 5. The annual rate of compensation for the employment at the time of its termination. B. If no information was provided in response to Section A above, Contractor certifies that neither Contractor nor any individual employed by Contractor was employed by System Agency or any other State of Texas agency at any time during the two years preceding the submission of Contractor's offer to provide services. 37. Abortion Funding Limitation Contractor understands, acknowledges,and agrees that,pursuant to Article IX of the General Appropriations Act(the Act),to the extent allowed by federal and state law, money appropriated by the Texas Legislature may not be distributed to any individual or entity that,during the period for which funds are appropriated under the Act: 1. performs an abortion procedure that is not reimbursable under the state's Medicaid program; 2. is commonly owned,managed,or controlled by an entity that performs an abortion procedure that is not reimbursable under the state's Medicaid program; or 3. is a franchise or affiliate of an entity that performs an abortion procedure that is not reimbursable under the state's Medicaid program. The provision does not apply to a hospital licensed under Chapter 241,Health and Safety Code, or an office exempt under Section 245.004(2),Health and Safety Code. Contractor represents and warrants that it is not ineligible,nor will it be ineligible during the term of this Contract,to receive appropriated funding pursuant to Article IX. 38. Funding Eligibility Contractor understands, acknowledges, and agrees that,pursuant to Chapter 2272 (eff. Sept. 1, 2021,Ch. 2273)of the Texas Government Code,except as exempted under that Chapter,HHSC cannot contract with an abortion provider or an affiliate of an abortion provider. Contractor certifies that it is not ineligible to contract with HHSC under the terms of Chapter 2272(eff. Sept. 1,2021, Ch. 2273)of the Texas Government Code. Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 8 of 13 DocuSign Envelope ID. E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 39. Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment(2 CFR 200.216) Contractor certifies that the individual or business entity named in this Response or Contract is not ineligible to receive the specified Contract or funding pursuant to 2 CFR 200.216. 40. COVID-19 Vaccine Passports Pursuant to Texas Health and Safety Code, Section 161.0085(c), Contractor certifies that it does not require its customers to provide any documentation certifying the customer's COVID-19 vaccination or post-transmission recovery on entry to,to gain access to,or to receive service from the Contractor's business. Contractor acknowledges that such a vaccine or recovery requirement would make Contractor ineligible for a state-funded contract. 41. Entities that Boycott Energy Companies In accordance with Senate Bill 13,Acts 2021, 87th Leg.,R.S.,pursuant to Section 2274.002 of the Texas Government Code(relating to prohibition on contracts with companies boycotting certain energy companies), Contractor represents and warrants that: (1) it does not, and will not for the duration of the Contract,boycott energy companies or(2)the verification required by Section 2274.002 of the Texas Government Code does not apply to the Contract. If circumstances relevant to this provision change during the course of the Contract, Contractor shall promptly notify System Agency. 42. Entities that Discriminate Against Firearm and Ammunition Industries In accordance with Senate Bill 19,Acts 2021, 87th Leg.,R.S.,pursuant to Section 2274.002 of the Texas Government Code(relating to prohibition on contracts with companies that discriminate against firearm and ammunition industries),Contractor verifies that: (1)it does not,and will not for the duration of the Contract, have a practice, policy,guidance,or directive that discriminates against a firearm entity or firearm trade association or(2)the verification required by Section 2274.002 of the Texas Government Code does not apply to the Contract. If circumstances relevant to this provision change during the course of the Contract,Contractor shall promptly notify System Agency. 43. Security Controls for State Agency Data In accordance with Senate Bill 475,Acts 2021, 87th Leg.,R.S.,pursuant to Texas Government Code, Section 2054.138, Contractor understands,acknowledges,and agrees that if,pursuant to this Contract, Contractor is or will be authorized to access,transmit, use, or store data for System Agency, Contractor is required to meet the security controls the System Agency determines are proportionate with System Agency's risk under the Contract based on the sensitivity of System Agency's data and that Contractor must periodically provide to System Agency evidence that Contractor meets the security controls required under the Contract. health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 9of13 DocuSign Envelope ID. E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 44. Cloud Computing State Risk and Authorization Management Program (TX-RAMP) In accordance with Senate Bill 475,Acts 2021, 87th Leg., R.S.,pursuant to Texas Government Code, Section 2054.0593, Contractor acknowledges and agrees that, if providing cloud computing services for System Agency, Contractor must comply with the requirements of the state risk and authorization management program and that System Agency may not enter or renew a contract with Contractor to purchase cloud computing services for the agency that are subject to the state risk and authorization management program unless Contractor demonstrates compliance with program requirements. If providing cloud computing services for System Agency that are subject to the state risk and authorization management program,Contractor certifies it will maintain program compliance and certification throughout the term of the Contract. 45. Office of Inspector General Investigative Findings Expert Review In accordance with Senate Bill 799,Acts 2021, 87th Leg.,R.S., if Texas Government Code, Section 531.102(m-1)(2) is applicable to this Contract, Contractor affirms that it possesses the necessary occupational licenses and experience. 46. Contract for Professional Services of Physicians,Optometrists, and Registered Nurses In accordance with Senate Bill 799,Acts 2021, 87th Leg., R.S., if Texas Government Code, Section 2254.008(a)(2) is applicable to this Contract, Contractor affirms that it possesses the necessary occupational licenses and experience. 47. Foreign-Owned Companies in Connection with Critical Infrastructure If Texas Government Code, Section 2274.0102(a)(1)(relating to prohibition on contracts with certain foreign-owned companies in connection with critical infrastructure) is applicable to this Contract,pursuant to Government Code Section 2274.0102,Contractor certifies that neither it nor its parent company,nor any affiliate of Contractor or its parent company, is: (1)majority owned or controlled by citizens or governmental entities of China, Iran,North Korea,Russia,or any other country designated by the Governor under Government Code Section 2274.0103,or(2)headquartered in any of those countries. 48. Critical Infrastructure Subcontracts For purposes of this Paragraph,the designated countries are China, Iran,North Korea, Russia,and any countries lawfully designated by the Governor as a threat to critical infrastructure. Pursuant to Section 113.002 of the Business and Commerce Code, Contractor shall not enter into a subcontract that will provide direct or remote access to or control of critical infrastructure,as defined by Section 113.001 of the Texas Business and Commerce Code, in this state,other than access specifically allowed for product warranty and support purposes to any subcontractor unless (i)neither the subcontractor nor its parent company,nor any affiliate of the subcontractor or its parent company, is majority owned or controlled by citizens or governmental entities of a designated country; and(ii) neither the subcontractor nor its parent company,nor any affiliate of the subcontractor or its parent company, is headquartered in a designated country. Contractor will notify the System Agency before entering into any subcontract that will provide direct or remote Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page l0 of 13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 access to or control of critical infrastructure,as defined by Section 113.001 of the Texas Business&Commerce Code, in this state. 49. Enforcement of Certain Federal Firearms Laws Prohibited In accordance with House Bill 957,Acts 2021, 87th Leg.,R.S., if Texas Government Code, Section 2.101 is applicable to Contractor, Contractor certifies that it is not ineligible to receive state grant funds pursuant to Texas Government Code, Section 2.103. 50. Prohibition on Abortions Contractor understands, acknowledges,and agrees that,pursuant to Article II of the General Appropriations Act,(1)no funds shall be used to pay the direct or indirect costs (including marketing,overhead, rent,phones, and utilities)of abortion procedures provided by contractors of HHSC;and(2)no funds appropriated for Medicaid Family Planning,Healthy Texas Women Program,or the Family Planning Program shall be distributed to individuals or entities that perform elective abortion procedures or that contract with or provide funds to individuals or entities for the performance of elective abortion procedures. Contractor represents and warrants that it is not ineligible,nor will it be ineligible during the term of this Contract,to receive appropriated funding pursuant to Article II. 51. False Representation Contractor understands, acknowledges,and agrees that any false representation or any failure to comply with a representation,warranty, or certification made by Contractor is subject to all civil and criminal consequences provided at law or in equity including,but not limited to, immediate termination of this Contract. 52. False Statements Contractor represents and warrants that all statements and information prepared and submitted by Contractor in this Contract and any related Solicitation Response are current,complete,true, and accurate. Contractor acknowledges any false statement or material misrepresentation made by Contractor during the performance of this Contract or any related Solicitation is a material breach of contract and may void this Contract. Further, Contractor understands,acknowledges,and agrees that any false representation or any failure to comply with a representation,warranty,or certification made by Contractor is subject to all civil and criminal consequences provided at law or in equity including,but not limited to, immediate termination of this Contract. 53. Permits and License Contractor represents and warrants that it will comply with all applicable laws and maintain all permits and licenses required by applicable city,county, state,and federal rules,regulations, statutes, codes,and other laws that pertain to this Contract. 54. Equal Employment Opportunity Contractor represents and warrants its compliance with all applicable duly enacted state and federal laws governing equal employment opportunities. Health and human Services Contract Affirmations v.2.2 Effective May 2022 Page 11 of 13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 55. Federal Occupational Safety and Health Law Contractor represents and warrants that all articles and services shall meet or exceed the safety standards established and promulgated under the Federal Occupational Safety and Health Act of 1970,as amended(29 U.S.C. Chapter 15). 56. Signature Authority Contractor represents and warrants that the individual signing this Contract Affirmations document is authorized to sign on behalf of Contractor and to bind the Contractor. Signature Page Follows Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 12 of 13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 Authorized representative on behalf of Contractor must complete and sign the following: Tina Belock Legal Name of Contractor City of Corpus Christi Assumed Business Name of Contractor,if applicable(d/b/a or`doing business as') Texas County(s) for Assumed Business Name(d/b/a or`doing business as') Attach Assumed Name Certificate(s)filed with the Texas Secretary of State and Assumed Name Certificate(s), if any, for each Texas County Where Assumed Name Certificate(s)has been filed. /eot.. - gelt,c 07/31/2023 Signature of Authorized Representative Date Signed Tina M.Belock Deputy Registrar Printed Name of Authorized Representative Title of Authorized Representative First, Middle Name or Initial,and Last Name 1201 Leopard St. Corpus Christi,TX 78401 Physical Street Address City,State,Zip Code PO Box 9277 Corpus Christi,TX 78469-9277 Mailing Address, if different City,State,Zip Code (361)826-3244 (361)826-1342 Phone Number Fax Number tinab@cctexas.com 069457786 Email Address DUNS Number 746000574 17460005741 Federal Employer Identification Number Texas Identification Number(TIN) Texas Franchise Tax Number Texas Secretary of State Filing Number XETBTPKCL895 SAM.gov Unique Entity Identifier(UEI) Health and Human Services Contract Affirmations v.2.2 Effective May 2022 Page 13 of 13 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 ATTACHMENT C STATEMENT OF WORK I. Responsibilities of the Parties A. Local Government shall use the Texas Electronic Registration Remote System ("TxEVER") to search DSHS databases, locate data, and issue Certifications of Birth ("Birth Certificates") only to authorized individuals or entities requesting such data. The Birth Certificates shall be provided to authorized individuals or entities in a format formally approved by DSHS.Local Government shall implement appropriate measures to ensure its use of TxEVER is not abused or misused by its personnel. B. DSHS will allow Local Government to access TxEVER during the hours of 7:00 a.m. to 6:00 p.m. Central Time, Monday through Friday, except national holidays as identified in Tex. Gov't Code Section 662.003(a).In the event of an emergency or computer application error, DSHS may temporarily suspend TxEVER access without advance notice. C. Local Government shall acquire and retain at its own expense, the necessary data processing equipment, communications, hardware or software, and paper products in accordance with the requirements set out in Tex.Admin. Code Title 25,Section 181.28 and as specified by DSHS. If necessary, DSHS will provide technical assistance to Local Government to enable Local Government's computer equipment to connect to TxEVER. D. Local Government acknowledges that TxEVER records may not be located or contain errors resulting from the following unintentional occurrences: 1. Key-entry errors in spelling. 2. Failure on the part of DSHS to update a file for an amendment or paternity determination; or 3. The event year does not exist in TxEVER. E. Local Government shall provide DSHS with monthly written notification of errors or suspected errors discovered by Local Government in TxEVER. F. Local Government shall use TxEVER in conformance with Tex. Health and Safety Code Chapters 191, 192,and 195,as well as Tex.Admin. Code Title 25,Part 1,Chapter 181,and in the format formally approved by DSHS. II. Fees,Invoicing,and Payment A. Fees. Local Government shall pay DSHS $1.83 for each birth certificate issued to Local Government from TxEVER. Local Government agrees to charge the same base search fee for a birth certificate as DSHS charges to Local Government.Additional fees may only be charged as authorized by Tex. Health and Safety Code Chapter 191 and Tex.Admin. Code Title 25, Part 1, Chapter 181. DSHS acknowledges that Local Government's payment obligations to DSHS are payable only from funds appropriated for the then current Local Government's fiscal year and available for the purpose of the Contract. Local Government shall provide DSHS with prompt notice of failure of Local Government to receive adequate appropriations or otherwise sufficient revenue to satisfy its obligations under the Contract. Page 1 of 2 V. 11.2022 DocuSign Envelope ID:E9EDB34E-COAA-4AE5-B70C-AOFA8A1360E8 ATTACHMENT C STATEMENT OF WORK B. Invoicing. DSHS will send itemized invoices to Local Government on the 1st of every month for all birth certificates provided to Local Government by DSHS in the prior month. Invoicing will be sent through the U.S.Postal Service to Local Government at: Name: Tina Belock City of Corpus-Christi 1201 Leopard Street Corpus Christi,Texas 78401 Local Government shall direct any invoicing inquiries to DSHS either by phone at 512- 776-2953 or email to vssbusinessservicesfedshs.texas gov C. Payment. Local Government shall remit payment in full to DSHS within thirty (30)days of its receipt of a DSHS invoice. Payment shall be remitted via mail or electronic fund transfer. Payment by Local Government shall be considered complete on the date received by DSHS. Local Government shall send payments to DSHS at: Texas Department of State Health Services Cash Receipts Branch MC-2096 P.O. Box 149347 Austin, TX 78714-9347 or JPMorgan Chase Bank Acct#0135371118 Bank Rt#021409169 TIN#320113643 Page 2 of 2 v. 11.2022