C2018-323 - 6/19/2018 - Approved
DocuSign Envelope ID: FFB5F111-2856-4D29-A2ED-00ABE5D8A22B
Contract Number: HHSREV100000815
DEPARTMENT OF STATE HEALTH SERVICES
Contract number HHSREV100000815 (the "Contract"), is entered into by Department of State
Health Services ("DSHS") Vital Statistics Section and Corpus Christi-Nueces County Public
Health District (City) ("Contractor"). DSHS and Contractor are collectively referred to herein as
the "Parties."
I. Purpose of the Contract. DSHS agrees to provide access to the DSHS Vital Event
Electronic Registration System for the purpose of issuing individual birth certificates.
II. Term of the Contract. This Contract will begin on September 1, 2018 and end on August
31, 2023.
III. Authority. The Parties enter into this Contract under the authority of Texas Health and
Safety Code Chapter 191 and Texas Government Code Chapter 791.
IV. Statement of Work.
A. DSHS agrees to provide on-line computer services in support of Contractor from 7:00
a.m. to 6:00 p.m. (CST) Monday through Friday, except holidays. In the event of an
emergency or computer application error, DSHS may temporarily suspend services
without advance notice.
B. Contractor may search DSHS databases, locate data, and issue Certifications of Birth to
authorized individuals requesting such data. The certifications will be in a format
formally approved by DSHS. Contractor will take reasonable efforts to ensure use of the
DSHS Vital Event Electronic Registration System is not abused by its staff. Abuse of
the access to confidential information in the DSHS Vital Event Electronic Registration
System may be cause for termination of this Contract in accordance with Section IX.K.
C. Contractor will acquire the necessary data processing equipment, communications,
hardware or software, and purchase "bank note" paper, as specified by DSHS. DSHS
will assist in connection of the equipment, furnish software program and provide
technical assistance, if necessary.
D. Contractor will complete the DSHS Vital Event Electronic Registration System
registration forms as specified by DSHS. Contractor will remain in compliance with any
requirements specified by DSHS for accessing the DSHS Vital Event Electronic
Registration System. Contractor will not be required to pay an additional fee pursuant to
this Subsection.
VSS Remote Birth Access
Page 1
2018-323
6/19/18
M2018-096
TX Dept of State Health Services
INDEXED
E. Contractor acknowledges that records may not be located in the searching process
instituted by Contractor, or records which are located may have errors due to:
1. Normal key-entry errors in spellings;
2. Accidental failure on the part of the DSHS to update a file for an amendment
or paternity determination; and
3. The event year does not exist on the system.
F. Contractor will notify DSHS in writing, at least monthly, of errors or suspected errors that
exist on the database information.
G. Contractor is to maintain an inventory control and account for each document produced
on "bank note" paper, including voided documents.
H. Contractor will issue Certificates of Birth utilizing remote access to the DSHS system in
conformance with Health and Safety Code Chapters 191, 192 and 195, as well as 25 Tex.
Admin. Code Chapter 181.
I. The Parties are required to comply with all applicable state and federal laws relating to
the privacy and confidentiality of this data and records, which includes Texas
Government Code Section 552.115.
J. The Parties will use confidential records and information obtained under this Contract
only for purposes as described in this Contract and as otherwise allowed by law.
V. Fees.
Contractor agrees to pay DSHS ONE DOLLAR AND EIGHTY-THREE CENTS ($1.83) for each
Certification of Vital Record printed as a result of searches of the database. Contractor
agrees to charge the same base search fee for a birth certificate as DSHS. Additional fees
may only be charged as authorized by Texas Health and Safety Code Chapter 191 and 25
Tex. Admin. Code Chapter 181.
VI. Billing.
A. DSHS will send an itemized billing to Contractor on a monthly basis for each
Certification of Birth printed. This billing will be sent through the U.S. Postal
Service to the Contractor at:
Name: City of Corpus Christi
Address: P.O. Box 9727
Corpus Christi, TX 78469
B. Contractor will direct any billing inquiries either by phone to 512-776-7206 or email
to vsubusinessservices@dshs.texas.gov.
VII. Payment Method.
A. Contractor will remit payment to DSHS within thirty days after a billing is received
by them. Payment by the Contractor will be considered made on the date
postmarked.
B. Contractor will send payments to DSHS at:
Texas Department of State Health Services
Cash Receipts Branch MC 2096
P.O. Box 149347
Austin, TX 78714-9347
C. Contractor will make payment to DSHS out of its current revenues.
VIII. Representatives. The following will act as the Representative authorized to administer
activities under this Contract on behalf of their respective Party.

City of Corpus Christi:
City of Corpus Christi
Public Health Services
Attn: Annette Rodriguez
P.O. Box 9727
Corpus Christi, TX 78469
Phone: (361) 826-7205
Email: annetter@cctexas.com

DSHS:
Texas Department of State Health Services
Contract Management Section
Attn: Tina Walker
Mail Code 1990
P.O. Box 149347
Austin, TX 78714-9347
Phone: (512) 776-2732
Email: tina.walker@dshs.texas.gov
IX. General Terms and Conditions.
A. Governing Law. Regarding all issues related to this Contract's formation, performance,
interpretation, and any issues that may arise in any dispute between the parties, the
Contract will be governed by and construed in accordance with the laws of the State of
Texas.
B. Amendment. This Contract may be modified by written amendment signed by the
Parties.
C. Confidentiality.
The Parties are required to comply with all applicable state and federal laws relating to
the privacy and confidentiality of records that contain Personal Identifying Information
(PII) or Personally Sensitive Information (PSI) or other information or records made
confidential by law, including Tex. Bus. & Comm. Code Section 521.002. The attached
Data Use Agreement (Attachment A) applies to this Contract.
D. Exchange of Personal Identifying Information. This Contract concerns personal
identifying information. Except as prohibited by other law, Contractor and DSHS may
exchange PII without consent, in accordance with Chapter 191 of the Health and Safety
Code.
E. Records Retention. DSHS will retain records in accordance with DSHS State of Texas
Records Retention Schedule at http://www.dshs.texas.gov/records/schedules.shtm,
Department Rules and other applicable state and federal statutes and regulations
governing medical, mental health, and substance abuse information.
F. Severability. If any provision of this Contract is construed to be illegal or invalid, the
illegal or invalid provision will be deemed stricken and deleted to the same extent and
effect as if never incorporated, but all other provisions will continue.
G. Notice. Any notice required or permitted to be given under this Contract will be in
writing and sent to the respective Party's Representative in Section VIII. Notice will be
deemed to have been received by a Party on the third business day after the date on which
it was mailed to the Party at the address specified in writing by the Party to the other
Party, or, if sent by certified mail, on the date of receipt.
H. Waiver. Acceptance by either Party of partial performance or failure to complain of any
action, non-action or default under this Contract will not constitute a waiver of either
Party's rights under the Contract.
I. Assignment. Neither DSHS nor Contractor will transfer, assign, or sell its interest, in
whole or in part, in this Contract without prior written consent by both Parties.
J. Suspension of Services Under This Contract. In the event of an emergency or
information technology system failure, DSHS may temporarily suspend services without
advance notice. Use of services for purposes inconsistent with applicable law may also
result in a suspension of services.
K. Termination.
1. Convenience. This Contract may be terminated by mutual agreement of the Parties.
Either Party may terminate this Contract without cause by giving 30 days written
notice of its intent to terminate to the non-terminating Party.
2. Cause. This Contract may be terminated for cause by either Party for breach or
failure to perform an essential requirement of the Contract. Use of services for
purposes inconsistent with applicable law may be cause for Contract termination.
3. Notice of Termination. Written notice may be sent by any method that provides
verification of receipt, which will be calculated from the date of receipt by the
non-terminating Party's Representative provided in Section VIII.
4. Equitable Settlement. At the end of the Term of this Contract or termination as
provided for in this Section, the Parties will equitably settle their respective accrued
interests or obligations incurred prior to termination.
By signing below, the Parties agree that this Contract constitutes the entire legal and binding
agreement between them. The Parties acknowledge that they have read the Contract and agree to
its terms, and that the persons whose signatures appear below have the authority to execute this
Contract on behalf of their respective Party.
DEPARTMENT OF STATE HEALTH SERVICES CORPUS CHRISTI-NUECES COUNTY PUBLIC
HEALTH DISTRICT (CITY)
DocuSigned by:
Mane• Hall,M.D. Annette Rodriguez
Associate Commissioner Director of Public Health
Department of State Health Services Corpus Christi-Nueces County Public
Health District(City)
1/i 1 I 6/22/2018
Date Date
THE FOLLOWING ATTACHMENTS ARE ATTACHED AND INCORPORATED AS PART OF THE
CONTRACT HHSREV100000815:
ATTACHMENT A - DATA USE AGREEMENT
ATTEST:
REBECCA HUERTA
CITY SECRETARY
Approved as to form:
rel A, Kedr ,.x Z
Assistant City Attorney
For City Attorney
ATTACHMENT A—DATA USE AGREEMENT
DATA USE AGREEMENT
BETWEEN THE
TEXAS HEALTH AND HUMAN SERVICES ENTERPRISE
AND
CORPUS CHRISTI-NUECES COUNTY PUBLIC HEALTH DISTRICT("CONTRACTOR")
This Data Use Agreement ("DUA") is incorporated into System Agency Contract No.
HHSREV100000815 (the "Base Contract") between the Texas Department of State Health Services
("System Agency") and Corpus Christi-Nueces County Public Health District ("Contractor").
ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE
ATTACHMENT 1. The purpose of this DUA is to facilitate creation, receipt, maintenance,
use, disclosure or access to Confidential Information with Contractor, and describe
Contractor's rights and obligations with respect to the Confidential Information and
the limited purposes for which the Contractor may create, receive, maintain, use, disclose or
have access to Confidential Information. 45 CFR 164.504(e)(1)-(3). This DUA also
describes System Agency's remedies in the event of Contractor's noncompliance with
its obligations under this DUA. This DUA applies to both Business Associates and contractors who
are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential
Information on behalf of System Agency, its programs or clients as described in the Base Contract.
As of the Effective Date of the Contract, if any provision of the Base Contract, including any General
Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls.
ARTICLE 2. DEFINITIONS
For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the
following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C.
§1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments,
regulations and guidance issued thereafter; The Social Security Act, including Section 1131 (42 U.S.C.
§§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and
Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue
Code, Title 26 of the United States Code and regulations and publications adopted under that code, including
IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas
Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in
this DUA are defined as follows:
"Authorized Purpose" means the specific purpose or purposes described in the Scope of Work of
the Base Contract for Contractor to fulfill its obligations under the Base Contract, or any other purpose
expressly authorized by System Agency in writing in advance.
"Authorized User" means a Person:
(1) Who is authorized to create, receive, maintain, have access to, process, view, handle,
examine, interpret, or analyze Confidential Information, pursuant to this DUA;
(2) For whom Contractor warrants and represents has a demonstrable need to create, receive,
maintain, use, disclose or have access to the Confidential Information; and
System Agency Data Use Agreement V.8.3 HIPAA Omnibus Compliant April 1, 2015
GOVERNMENTAL ENTITY VERSION
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to
the Confidential Information as required by this DUA.
"Confidential Information" means any communication or record (whether oral, written,
electronically stored or transmitted, or in any other form) provided to or made available to Contractor or that
Contractor may create, receive, maintain, use, disclose or have access to on behalf of System Agency that
consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic
Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid
information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of
Texas and of the United States, including the Texas Health & Safety Code and the Texas Public
Information Act, Texas Government Code, Chapter 552.
"Legally Authorized Representative" of the Individual as defined by Texas law, including as
provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6);
Tex. H. & S. Code § 166.164; Estates Code Ch. 752 and Texas Prob. Code § 3
ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION
Section 3.01 Obligations of Contractor
Contractor agrees that:
(A) Contractor will exercise reasonable care and no less than the same degree of care
Contractor uses to protect its own confidential, proprietary and trade secret information to prevent any
portion of the Confidential Information from being used in a manner that is not expressly an Authorized
Purpose under this DUA or as Required by Law. 45 CFR 164.502(b)(1); 45 CFR 164.514(d)
(B) Contractor will not, without System Agency's prior written consent, disclose or allow
access to any portion of the Confidential Information to any Person or other entity, other than Authorized
User's Workforce or Subcontractors of Contractor who have completed training in confidentiality,
privacy, security and the importance of promptly reporting any Event or Breach to Contractor's
management, to carry out the Authorized Purpose or as Required by Law.
System Agency, at its election, may assist Contractor in training and education on specific or
unique System Agency processes, systems or requirements. Contractor will produce evidence of
completed training to System Agency upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health & Safety
Code §181.101
(C) Contractor will establish, implement and maintain appropriate sanctions against any
member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or
applicable law. Contractor will maintain evidence of sanctions and produce it to System Agency upon
request. 45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b); 164.530(b)(1)
(D) Contractor will not, without prior written approval of System Agency, disclose or provide
access to any Confidential Information on the basis that such act is Required by Law without notifying
System Agency so that System Agency may have the opportunity to object to the disclosure or access and
seek appropriate relief. If System Agency objects to such disclosure or access, Contractor will refrain
from disclosing or providing access to the Confidential Information until System Agency has exhausted
all alternatives for relief. 45 CFR 164.504(e)(2)(ii)(A)
(E) Contractor will not attempt to re-identify or further identify flan or
De-identified Information, or attempt to contact any Individuals whose records are contained in the
Confidential Information, except for an Authorized Purpose, without express written authorization from
System Agency or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii)
Contractor will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501,
164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002
(F) Contractor will not permit, or enter into any agreement with a Subcontractor to, create,
receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of
Contractor without requiring that Subcontractor first execute the Form Subcontractor Agreement,
Attachment 1, which ensures that the Subcontractor will comply with the identical terms, conditions,
safeguards and restrictions as contained in this DUA for PHI and any other relevant Confidential
Information and which permits more strict limitations;and 45 CFR 164.502(e)(1)(1)60; 164.504(e)(1)0)
and(2)
(G) Contractor is directly responsible for compliance with, and enforcement of, all conditions for
creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts
or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR
164.504(e)(5); 42 CFR 431.300, et seq.
(H) If Contractor maintains PHI in a Designated Record Set, Contractor will make PHI
available to System Agency in a Designated Record Set or, as directed by System Agency, provide PHI
to the Individual or Legally Authorized Representative of the Individual who is requesting PHI in
compliance with the requirements of the HIPAA Privacy Regulations. Contractor will make other
Confidential Information in Contractor's possession available pursuant to the requirements of HIPAA or
other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. 45 CFR
164.524 and 164.504(e)(2)(i)(E)
(I) Contractor will make PHI as required by HIPAA available to System Agency for
amendment and incorporate any amendments to this information that System Agency directs or agrees to
pursuant to the HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F)
(J) Contractor will document and make available to System Agency the PHI required to
provide access, an accounting of disclosures or amendment in compliance with the requirements of the
HIPAA Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528
(K) If Contractor receives a request for access, amendment or accounting of PHI by any
Individual subject to this DUA, it will promptly forward the request to System Agency; however, if it
would violate HIPAA to forward the request, Contractor will promptly notify of the request and of
Contractor's response. Unless Contractor is prohibited by law from forwarding a request, System Agency
will respond to all such requests, unless System Agency has given prior written consent for Contractor to
respond to and account for all such requests. 45 CFR 164.504(e)(2)
(L) Contractor will provide, and will cause its Subcontractors and agents to provide, to
System Agency periodic written certifications of compliance with controls and provisions relating to
information privacy, security and breach notification, including without limitation information related to
data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308; 164.530(c); 1
TAC 202
(M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the
Confidential Information, Contractor may use or disclose PHI for the proper management and administration
of Contractor or to carry out Contractor's legal responsibilities if 45 CFR 164.501(eWOO(A)
(1) Disclosure is Required by Law, provided that Contractor complies with Section 3.01(D);
(2) Contractor obtains reasonable assurances from the Person to whom the information is
disclosed that the Person will:
(a) Maintain the confidentiality of the Confidential Information in accordance with this DUA;
(b) Use or further disclose the information only as Required by Law or for the Authorized
Purpose for which it was disclosed to the Person; and
(c) Notify Contractor in accordance with Section 4.01 of any Event or Breach of Confidential
Information of which the Person discovers or should have discovered with the exercise of
reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B)
(N) Except as otherwise limited by this DUA, Contractor will, if requested by System
Agency, use PHI to provide data aggregation services to System Agency, as that term is defined in the
HIPAA, 45 C.F.R. §164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B)
(O) Contractor will, on the termination or expiration of this DUA or the Base Contract, at its
expense, return to System Agency or Destroy, at System Agency's election, and to the extent reasonably
feasible and permissible by law, all Confidential Information received from System Agency or created or
maintained by Contractor or any of Contractor's agents or Subcontractors on System Agency's behalf if
that data contains Confidential Information. Contractor will certify in writing to System Agency that all
the Confidential Information that has been created, received, maintained, used by or disclosed to
Contractor, has been Destroyed or returned to System Agency, and that Contractor and its agents and
Subcontractors have retained no copies thereof. Notwithstanding the foregoing, Contractor acknowledges
and agrees that it may not Destroy any Confidential Information if federal or state law, or System Agency
record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction
is not reasonably feasible, or is impermissible by law, Contractor will immediately notify System Agency
of the reasons such return or Destruction is not feasible, and agree to extend indefinitely the protections of
this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that
make the return of the Confidential Information not feasible for as long as Contractor maintains such
Confidential Information. 45 CFR 164.504(e)(2)(ii)(J)
(P) Contractor will create, maintain, use, disclose, transmit or Destroy Confidential
Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the
security or integrity of such information or unauthorized uses. 45 CFR 164.306; 164.530(c)
(Q) If Contractor accesses, transmits, stores, or maintains Confidential Information,
Contractor will complete and return to System Agency at infosecurity@hhsc.state.tx.us the System
Agency information security and privacy initial inquiry (SPI) at Attachment 2. The SPI identifies basic
privacy and security controls with which Contractor must comply to protect System Agency Confidential
Information. Contractor will comply with periodic security controls compliance assessment and
monitoring by System Agency as required by state and federal law, based on the type of Confidential
Information Contractor creates, receives, maintains, uses, discloses or has access to and the Authorized
Purpose and level of risk. Contractor's security controls will be based on the National Institute of
Standards and Technology (NIST) Special Publication 800-57. Contractor will update its security
controls assessment whenever there are significant changes in security controls for System Agency
Confidential Information and will provide the updated document to System Agency. System Agency also
reserves the right to request updates as needed to satisfy state and federal monitoring requirements. 45
CFR 164.306
(R) Contractor will establish, implement and maintain any and all appropriate procedural,
administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity,
and availability of the Confidential Information, and with respect to PHI, as described in the HIPAA
Privacy and Security Regulation, or other applicable laws or regulations relating to Confidential
Information to prevent any unauthorized use or disclosure of Confidential Information as long as
Contractor has such Confidential Information in its actual or constructive possession. 45 CFR 164.308
(administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards);
164.530(c) (privacy safeguards)
(S) Contractor will designate and identify, subject to System Agency approval, a Person or
Persons, as Privacy Official 45 CFR 164.530(a)(1) and Information Security Official, each of whom is
authorized to act on behalf of Contractor and is responsible for the development and implementation of
the privacy and security requirements in this DUA. Contractor will provide name and current address,
phone number and e-mail address for such designated officials to System Agency upon execution of this
DUA and prior to any change. 45 CFR 164.308(a)(1)
(T) Contractor represents and warrants that its Authorized Users each have a demonstrated
need to know and have access to Confidential Information solely to the minimum extent necessary to
accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further, that each
has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential
Information contained in this DUA. 45 CFR 164.502; 164.514(d)
(U) Contractor and its Subcontractors will maintain an updated, complete, accurate and
numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the
terms of this DUA at all times and supply it to System Agency, as directed, upon request.
(V) Contractor will implement, update as necessary, and document reasonable and
appropriate policies and procedures for privacy, security and Breach of Confidential Information and an
incident response plan for an Event or Breach, to comply with the privacy, security and breach notice
requirements of this DUA prior to conducting work under the DUA. 45 CFR 164.308; 164.316;
164.514(d); 164.530(i)(1)
(W) Contractor will produce copies of its information security and privacy policies and
procedures and records relating to the use or disclosure of Confidential Information received from,
created by, or received, used or disclosed by Contractor on behalf of System Agency for System
Agency's review and approval within 30 days of execution of the DUA and upon request by System
Agency the following business day or other agreed upon time frame. 45 CFR 164.308; 164.514(d)
(X) Contractor will make available to System Agency any information System Agency requires
to fulfill System Agency's obligations to provide access to, or copies of, PHI in accordance with HIPAA and
other applicable laws and regulations relating to Confidential Information. Contractor will provide such
information in a time and manner reasonably agreed upon or as designated by the Secretary, or other federal
or state law. 45 CFR 164.504/)(1)0)(1)
(Y) Contractor will only conduct secure transmissions of Confidential Information whether in
paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion
includes secure File Transfer Protocol (SFTP) or Encryption at an appropriate level or otherwise protected
as required by rule, regulation or law. System Agency Confidential Information at rest requires
Encryption, unless there is adequate administrative, technical, and physical security, or as otherwise
protected as required by rule, regulation or law. All electronic data transfer and communications of
Confidential Information will be through secure systems. Proof of system, media or device security or
Encryption must be produced to System Agency no later than 48 hours after System Agency's written
request in response to a compliance investigation, audit or the Discovery of an Event or Breach.
Otherwise, requested production of such proof will be made as agreed upon by the parties.
De-identification of System Agency Confidential Information is a means of security. With respect to
de-identification of PHI, "secure" means de-identified according to HIPAA Privacy standards and regulatory
guidance. 45 CFR 164.312; 164.530(1)
(Z) Contractor will comply with the following laws and standards if applicable to the type of
Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 07-16;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the
DUA;
• Internal Revenue Publication 1075 Tax Information Security Guidelines for Federal, State
and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision
1 An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A Recommended Security Controls for
Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 Security Guide for Interconnecting Information
Technology Systems;
• NIST Special Publication 800-88 Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End
User Devices containing PHI; and
• Any other State or Federal law, regulation, or administrative rule relating to the specific System
Agency program area that Contractor supports on behalf of System Agency.
ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS
Section 4.01. Breach or Event Notification to System Agency. 45 CFR 164.400-414
(A) Contractor will cooperate fully with System Agency in investigating, mitigating to the
extent practicable and issuing notifications directed by System Agency, for any Event or Breach
of Confidential Information to the extent and in the manner determined by System Agency.
(B) Contractor's obligation begins at the Discovery of an Event or Breach and continues as
long as related activity continues, until all effects of the Event are mitigated to System Agency's
satisfaction (the "incident response period"). 45 CFR 164.404
(C) Breach Notice:
1. Initial Notice.
System Agency Data Use Agreement V.8.3 HIPAA Omnibus Compliant April 1, 2015
a. For federal information, including without limitation, Federal Tax Information, Social Security
Administration Data and Medicaid Client Information within the first, consecutive clock hour
of Discovery and for all other types of Confidential Information not more than 24 hours after
Discovery or in a timeframe otherwise approved by System Agency in writing, initially report to
System Agency's Privacy and Security Officers via email at: privacy@System
AgencyC.state.tx.us and to the System Agency division responsible for this DUA; and IRS
Publication 1075; Privacy Act of 1974, as amended by the Computer Matching and Privacy
Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in System
AgencyC-CMS Contracts for information exchange.
b. Report all information reasonably available to Contractor about the Event or Breach of the
privacy or security of Confidential Information. 45 CFR 164.410
c. Name, and provide contact information to System Agency for, Contractor's single point of
contact who will communicate with System Agency both on and off business hours during the
incident response period.
2. 48-Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a
time within which Discovery reasonably should have been made by Contractor of an Event or
Breach of Confidential Information, provide formal notification to the State, including all
reasonably available information about the Event or Breach, and Contractor's investigation,
including without limitation and to the extent available: For (a) - (m) below: 45 CFR 164.400-414
a. The date the Event or Breach occurred;
b. The date of Contractor's and, if applicable, Subcontractor's Discovery;
c. A brief description of the Event or Breach; including how it occurred and who is responsible
(or hypotheses, if not yet determined);
d. A brief description of Contractor's investigation and the status of the investigation;
e. A description of the types and amount of Confidential Information involved;
f. Identification of and number of all Individuals reasonably believed to be affected, including
first and last name of the individual and if applicable the Legally Authorized Representative, last
known address, age, telephone number, and email address if it is a preferred contact method, to
the extent known or can be reasonably determined by Contractor at that time;
g. Contractor's initial risk assessment of the Event or Breach demonstrating whether individual
or other notices are required by applicable law or this DUA for System Agency approval,
including an analysis of whether there is a low probability of compromise of the Confidential
Information or whether any legal exceptions to notification apply;
h. Contractor's recommendation for System Agency's approval as to the steps Individuals or
Contractor on behalf of Individuals, should take to protect the Individuals from potential harm,
including without limitation Contractor's provision of notifications, credit protection, claims
monitoring, and any specific protections for a Legally Authorized Representative to take on
behalf of an Individual with special capacity or circumstances;
i. The steps Contractor has taken to mitigate the harm or potential harm caused (including without
limitation the provision of sufficient resources to mitigate);
j. The steps Contractor has taken, or will take, to prevent or reduce the likelihood of recurrence of
a similar Event or Breach;
k. Identify, describe or estimate of the Persons, Workforce, Subcontractor or Individuals and any
law enforcement that may be involved in the Event or Breach;
l. A reasonable schedule for Contractor to provide regular updates to the foregoing in the future
for response to the Event or Breach, but no less than every three (3) business days or as otherwise
directed by System Agency, including information about risk estimations, reporting, notification,
if any, mitigation, corrective action, root cause analysis and when such activities are expected to
be completed; and
m. Any reasonably available, pertinent information, documents or reports related to an Event or
Breach that System Agency requests following Discovery.
Section 4.02 Investigation, Response and Mitigation. For A-F below: 45 CFR 164.308, 310
and 312; 164.530
(A) Contractor will immediately conduct a full and complete investigation, respond to the
Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond,
and report as required to and by System Agency for incident response purposes and for purposes
of System Agency's compliance with report and notification requirements, to the satisfaction of
System Agency.
(B) Contractor will complete or participate in a risk assessment as directed by System
Agency following an Event or Breach, and provide the final assessment, corrective actions and
mitigations to System Agency for review and approval.
(C) Contractor will fully cooperate with System Agency to respond to inquiries and
proceedings by state and federal authorities, Persons and Individuals about the Event or Breach.
(D) Contractor will fully cooperate with System Agency's efforts to seek appropriate
injunctive relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any
Confidential Information including complying with reasonable corrective action or measures, as
specified by System Agency in a Corrective Action Plan if directed by System Agency under the
Base Contract.
Section 4.03 Breach Notification to Individuals and Reporting to Authorities. Tex. Bus. &
Comm. Code § 521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities)
(A) System Agency may direct Contractor to provide Breach notification to Individuals,
regulators or third-parties, as specified by System Agency following a Breach.
(B) Contractor must obtain System Agency's prior written approval of the time, manner and
content of any notification to Individuals, regulators or third-parties, or any notice required by
other state or federal authorities. Notice letters will be in Contractor's name and on Contractor's
letterhead, unless otherwise directed by System Agency, and will contain contact information,
including the name and title of Contractor's representative, an email address and a toll-free
telephone number, for the Individual to obtain additional information.
(C) Contractor will provide System Agency with copies of distributed and approved
communications.
(D) Contractor will have the burden of demonstrating to the satisfaction of System Agency
that any notification required by System Agency was timely made. If there are delays outside of
Contractor's control, Contractor will provide written documentation of the reasons for the delay.
(E) If System Agency delegates notice requirements to Contractor, System Agency shall, in the
time and manner reasonably requested by Contractor, cooperate and assist with Contractor's
information requests in order to make such notifications and reports.
ARTICLE 5. SCOPE OF WORK
Scope of Work means the services and deliverables to be performed or provided by Contractor, or on
behalf of Contractor by its Subcontractors or agents for System Agency that are described in detail in the
Base Contract. The Scope of Work, including any future amendments thereto, is incorporated by reference in
this DUA as if set out word-for-word herein.
ARTICLE 6. GENERAL PROVISIONS
Section 6.01 Ownership of Confidential Information
Contractor acknowledges and agrees that the Confidential Information is and will remain the
property of System Agency. Contractor agrees it acquires no title or rights to the Confidential Information.
Section 6.02 System Agency Commitment and Obligations
System Agency will not request that Contractor create, maintain, transmit, use or disclose PHI in any
manner that would not be permissible under applicable law if done by System Agency.
Section 6.03 System Agency Right to Inspection
At any time upon reasonable notice to Contractor, or if System Agency determines that Contractor
has violated this DUA, System Agency, directly or through its agent, will have the right to inspect the
facilities, systems, books and records of Contractor to monitor compliance with this DUA. For purposes of
this subsection, System Agency's agent(s) include, without limitation, the System Agency Office of the
Inspector General or the Office of the Attorney General of Texas, outside consultants or legal counsel or
other designee.
Section 6.04 Term; Termination of DUA; Survival
This DUA will take effect with the Base Contract, and will terminate upon termination of the Base
Contract and as set forth herein. If the Base Contract is extended or amended, this DUA is updated
automatically concurrent with such extension or amendment.
(A) System Agency may immediately terminate this DUA and Base Contract upon a material
violation of this DUA.
(B) Termination or Expiration of this DUA will not relieve Contractor of its obligation to
return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the
Confidential Information until such time as determined by System Agency.
(D) If System Agency determines that Contractor has violated a material term of this DUA,
System Agency may in its sole discretion:
1. Exercise any of its rights including but not limited to reports, access and inspection under
this DUA or the Base Contract; or
2. Require Contractor to submit to a corrective action plan, including a plan for monitoring
and plan for reporting, as System Agency may determine necessary to maintain compliance with
this DUA; or
3. Provide Contractor with a reasonable period to cure the violation as determined by
System Agency; or
4. Terminate the DUA and Base Contract immediately, and seek relief in a court of
competent jurisdiction in Travis County, Texas.
Before exercising any of these options, System Agency will provide written notice to Contractor
describing the violation and the action it intends to take.
(E) If neither termination nor cure is feasible, System Agency shall report the violation to the
Secretary.
(F) The duties of Contractor or its Subcontractor under this DUA survive the expiration or
termination of this DUA until all the Confidential Information is Destroyed or returned to System
Agency, as required by this DUA.
Section 6.05 Governing Law, Venue and Litigation
(A) The validity, construction and performance of this DUA and the legal relations among the
Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas.
(B) The Parties agree that the courts of Travis County, Texas, will be the exclusive venue for
any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise
out of, or in connection with, or by reason of this DUA.
Section 6.06 Injunctive Relief
(A) Contractor acknowledges and agrees that System Agency may suffer irreparable injury if
Contractor or its Subcontractor fails to comply with any of the terms of this DUA with respect to the
Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential
Information.
(B) Contractor further agrees that monetary damages may be inadequate to compensate
System Agency for Contractor's or its Subcontractor's failure to comply. Accordingly, Contractor agrees
that System Agency will, in addition to any other remedies available to it at law or in equity, be entitled to
seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages,
to enforce the terms of this DUA.
Section 6.07 Indemnification
To the extent permitted by law, Contractor will indemnify, defend and hold harmless System Agency and
its respective Executive Commissioner, employees, Subcontractors, agents (including other state agencies
acting on behalf of System Agency) or other members of its Workforce (each of the foregoing hereinafter
referred to as "Indemnified Party") against all actual and direct losses suffered by the Indemnified Party and
all liability to third parties arising from or in connection with any breach of this DUA or from any acts or
omissions related to this DUA by Contractor or its employees, directors, officers, Subcontractors or agents or
other members of its Workforce. The duty to indemnify, defend and hold harmless is independent of the duty
to insure and continues to apply even in the event insurance coverage required, if any, in the DUA or Base
Contract is denied, or coverage rights are reserved by any insurance carrier. Upon demand, Contractor will
reimburse System Agency for any and all losses, liabilities, lost profits, fines, penalties, costs or expenses
(including reasonable attorneys' fees) which may for any reason be imposed upon any Indemnified Party by
reason of any suit, claim, action, proceeding or demand by any third party to the extent caused by and which
results from the Contractor's failure to meet any of its obligations under this DUA. To the extent permitted
by law, Contractor's obligation to defend, indemnify and hold harmless any Indemnified Party will survive
the expiration or termination of this DUA.
Section 6.08 Insurance
(A) Contractor represents and warrants that it maintains either self-insurance or commercial
insurance with policy limits sufficient to cover any liability arising from any acts or omissions by
Contractor or its employees, directors, officers, Subcontractors, or agents or other members of its Workforce
under this DUA. Contractor warrants that System Agency will be a loss payee and beneficiary for any such
claims.
(B) Contractor will provide System Agency with written proof that required insurance
coverage is in effect, at the request of System Agency.
Section 6.09 Fees and Costs
Except as otherwise specified in this DUA or the Base Contract, including but not limited to
requirements to insure or indemnify System Agency, if any legal action or other proceeding is brought for the
enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default,
misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each party will
bear their own legal expenses and the other costs incurred in that action or proceeding.
Section 6.10 Entirety of the Contract
This Data Use Agreement is incorporated by reference into the Base Contract and, together with the
Base Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of
obligations arising under those documents will be valid unless in writing and executed by the party against
whom such change, waiver, or discharge is sought to be enforced.
Section 6.11 Automatic Amendment and Interpretation
Upon the effective date of any amendment or issuance of additional regulations to HIPAA, or any
other law applicable to Confidential Information, this DUA will automatically be amended so that the
obligations imposed on System Agency or Contractor remain in compliance with such requirements. Any
ambiguity in this DUA will be resolved in favor of a meaning that permits System Agency and Contractor to
comply with HIPAA or any other law applicable to Confidential Information.
ATTACHMENT 1. SUBCONTRACTOR AGREEMENT FORM
System Agency CONTRACT NUMBER HHSREV 100000815
The DUA between System Agency and Contractor establishes the permitted and required uses and
disclosures of Confidential Information by Contractor.
Contractor has subcontracted with NO (SUBContractor) for
performance of duties on behalf of CONTRACTOR which are subject to the DUA. SUBContractor
acknowledges, understands and agrees to be bound by the identical terms and conditions applicable to
Contractor under the DUA, incorporated by reference in this Agreement, with respect to System Agency
Confidential Information. Contractor and SUBContractor agree that System Agency is a third-party
beneficiary to applicable provisions of the subcontract.
System Agency has the right but not the obligation to review or approve the terms and conditions of the
subcontract by virtue of this Subcontractor Agreement Form.
Contractor and SUBContractor assure System Agency that any Breach or Event as defined by the DUA
that SUBContractor Discovers will be reported to System Agency by Contractor in the time, manner and
content required by the DUA.
If Contractor knows or should have known in the exercise of reasonable diligence of a pattern of activity
or practice by SUBContractor that constitutes a material breach or violation of the DUA or the
SUBContractor's obligations Contractor will:
1. Take reasonable steps to cure the violation or end the violation, as applicable;
2. If the steps are unsuccessful, terminate the contract or arrangement with SUBContractor, if
feasible;
3. Notify System Agency immediately upon reasonably discovery of the pattern of activity or
practice of SUBContractor that constitutes a material breach or violation of the DUA and keep
System Agency reasonably and regularly informed about steps Contractor is taking to cure or
end the violation or terminate SUBCONTRACTOR's contract or arrangement.
This Subcontractor Agreement Form is executed by the parties in their capacities indicated below.
CONTRACTOR
BY: (DocuSigned)
NAME: Annette Rodriguez
TITLE: Director of Public Health
DATE: 6/22/2018
SUBCONTRACTOR
BY:
NAME:
TITLE:
DATE:
Approved as to form
aka jazitez
Assistant City Attorney
For City Attorney