CM-2015-806 - 6/12/2015 DADS Contract No. 539-11-0008-00001
ATTACHMENT 1: SUBCONTRACTOR AGREEMENT FORM
DADS CONTRACT NUMBER
The DUA between HHS and CONTRACTOR establishes the permitted and required uses and disclosures of Confidential Information by CONTRACTOR.
CONTRACTOR has subcontracted with ______________________________
(SUBCONTRACTOR) for performance of duties on behalf of CONTRACTOR which are subject to the DUA. SUBCONTRACTOR acknowledges, understands and agrees to be bound by the identical terms and conditions applicable to CONTRACTOR under the DUA, incorporated by reference in this Agreement, with respect to HHS Confidential Information. CONTRACTOR and SUBCONTRACTOR agree that HHS is a third-party beneficiary to applicable provisions of the subcontract.
HHS has the right but not the obligation to review or approve the terms and conditions of the subcontract by virtue of this Subcontractor Agreement Form.
CONTRACTOR and SUBCONTRACTOR assure HHS that any Breach or Event as defined by the DUA that SUBCONTRACTOR Discovers will be reported to HHS by CONTRACTOR in the time, manner and content required by the DUA.
If CONTRACTOR knows or should have known in the exercise of reasonable diligence of a pattern of activity or practice by SUBCONTRACTOR that constitutes a material breach or violation of the DUA or the SUBCONTRACTOR's obligations, CONTRACTOR will:
1. Take reasonable steps to cure the violation or end the violation, as applicable;
2. If the steps are unsuccessful, terminate the contract or arrangement with SUBCONTRACTOR, if feasible;
3. Notify HHS immediately upon reasonable discovery of the pattern of activity or practice of SUBCONTRACTOR that constitutes a material breach or violation of the DUA and keep HHS reasonably and regularly informed about steps CONTRACTOR is taking to cure or end the violation or terminate SUBCONTRACTOR's contract or arrangement.
This Subcontractor Agreement Form is executed by the parties in their capacities indicated below.
CONTRACTOR                              SUBCONTRACTOR
BY:                                     BY:
NAME:                                   NAME:
TITLE:                                  TITLE:
DATE: ____________, 201_                DATE: ____________
HHS Data Use Agreement V.8.3 HIPAA Omnibus Compliant April 1, 2015
Attachment 1
State of Texas
Travis County
DADS Contract No. 539-11-0008-00001
Amendment No. 5 to the Contract for Older American Act Programs
(Capital Area Council of Governments)
The Department of Aging and Disability Services (DADS) and Capital Area Council of Governments (Contractor) agree to amend the contract between them for Older American Act Programs (the "Base Contract") in accordance with the terms and conditions set forth in this amendment. (DADS and Contractor, collectively, the "parties;" each a "party.")
The parties hereby agree as follows:
Purpose. This amendment will modify provisions of the Base Contract relating to the protection of confidential information.
1. Data Use Agreement. The Health and Human Services (HHS) Data Use Agreement (DUA), Attachment A, is hereby incorporated by reference and made, therefore, a part of the Base Contract. The DUA will, as of the effective date of this amendment, govern the handling of "Confidential Information," as that term is defined in the DUA, under the Base Contract.
2. Effective Date. This amendment is effective when signed by both parties.
3. Terms Remain in Effect. The parties agree the terms of the Base Contract shall remain in effect and continue to govern except to the extent modified in this amendment.
4. Amendment Execution. By signing this amendment, the parties expressly understand and agree this amendment is hereby made a part of the Base Contract as though it were set out word for word in the Base Contract. This amendment may be executed in counterparts, each of which will be deemed an original, and both of which taken together will constitute one and the same document. Electronically transmitted signatures will be deemed originals for all purposes relating to the Base Contract.
5. Entire Amendment. By signing below, the parties acknowledge they have read the amendment and agree to its terms, and the persons whose signatures appear below have the requisite authority to execute this amendment on behalf of the named party.
Capital Area Council of Governments                Department of Aging and Disability Services
Authorized By:
Name:
Authorized By:
Name: Elisa J. Garza
DADS Contract No. 539-11-0008-00001
ATTACHMENT "A"
DATA USE AGREEMENT
BETWEEN THE
TEXAS HEALTH AND HUMAN SERVICES ENTERPRISE
AND
CAPITAL AREA COUNCIL OF GOVERNMENTS
This Data Use Agreement ("DUA") entered into by and between the Texas Health and Human Services Enterprise ("HHS") agency, the Department of Aging and Disability Services (DADS) and Capital Area Council of Governments ("CONTRACTOR"), and incorporated into the terms of DADS Contract No. 539-11-0008-00001, in Travis County, Texas (the "Base Contract").
ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE
THE PURPOSE OF THIS DUA IS TO FACILITATE CREATION, RECEIPT, MAINTENANCE, USE, DISCLOSURE OR ACCESS TO CONFIDENTIAL INFORMATION WITH CONTRACTOR, AND DESCRIBE CONTRACTOR'S RIGHTS AND OBLIGATIONS WITH RESPECT TO THE CONFIDENTIAL INFORMATION AND THE LIMITED PURPOSES FOR WHICH THE CONTRACTOR MAY CREATE, RECEIVE, MAINTAIN, USE, DISCLOSE OR HAVE ACCESS TO CONFIDENTIAL INFORMATION. 45 CFR 164.504(E)(1)-(3) THIS DUA ALSO DESCRIBES HHS'S REMEDIES IN THE EVENT OF CONTRACTOR'S NONCOMPLIANCE WITH ITS OBLIGATIONS UNDER THIS DUA. THIS DUA APPLIES TO BOTH BUSINESS ASSOCIATES AND CONTRACTORS WHO ARE NOT BUSINESS ASSOCIATES WHO CREATE, RECEIVE, MAINTAIN, USE, DISCLOSE OR HAVE ACCESS TO CONFIDENTIAL INFORMATION ON BEHALF OF HHS, ITS PROGRAMS OR CLIENTS AS DESCRIBED IN THE BASE CONTRACT.
As of the Effective Date of this DUA, if any provision of the Base Contract, including any General Provisions or Standard Contract Terms and Conditions, conflicts with this DUA, this DUA controls.
ARTICLE 2. DEFINITIONS
For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C. §1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments, regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. §§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue Code, Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in this DUA are defined as follows:
"Authorized Purpose" means the specific purpose or purposes described in the Scope of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance.
"Authorized User" means a Person:
(1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze Confidential Information pursuant to this DUA;
(2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the Confidential Information; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA.
"Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of HHS that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.
"Legally Authorized Representative" of the Individual, as defined by Texas law, including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(3) (HIPAA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code § 166.164; Estates Code Ch. 152 and Texas Prob. Code § 3.
ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION
Section 3.01 Obligations of CONTRACTOR
CONTRACTOR agrees that:
(A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in a manner that is not expressly an Authorized Purpose under this DUA or as Required by Law. 45 CFR 164.502(b)(1); 45 CFR 164.514(d)
(B) CONTRACTOR will not, without HHS's prior written consent, disclose or allow access to any portion of the Confidential Information to any Person or other entity, other than Authorized Users, Workforce or Subcontractors of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management, to carry out the Authorized Purpose or as Required by Law. HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health & Safety Code §181.101
(C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or
applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request. 45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b); 164.530(b)(1)
(D) CONTRACTOR will not, without prior written approval of HHS, disclose or provide access to any Confidential Information on the basis that such act is Required by Law without notifying HHS so that HHS may have the opportunity to object to the disclosure or access and seek appropriate relief. If HHS objects to such disclosure or access, CONTRACTOR will refrain from disclosing or providing access to the Confidential Information until HHS has exhausted all alternatives for relief. 45 CFR 164.504(e)(2)(ii)(A)
(E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information or De-identified Information, or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501, 164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.003
(F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information on behalf of CONTRACTOR without requiring that Subcontractor first execute the Form Subcontractor Agreement, Attachment 1, which ensures that the Subcontractor will comply with the identical terms, conditions, safeguards and restrictions as contained in this DUA for PHI and any other relevant Confidential Information and which permits more strict limitations; and 45 CFR 164.502(e)(1)(ii); 164.504(e)(2)(i) and (2)
(G) CONTRACTOR is directly responsible for compliance with, and enforcement of, all conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR 164.504(e)(5); 42 CFR 431.300 et seq.
(H) If CONTRACTOR maintains PHI in a Designated Record Set, CONTRACTOR will make PHI available to HHS in a Designated Record Set or, as directed by HHS, provide PHI to the Individual, or Legally Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacy Regulations. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. 45 CFR 164.524 and 164.504(e)(2)(ii)(E)
(I) CONTRACTOR will make PHI as required by HIPAA available to HHS for amendment and incorporate any amendments to this information that HHS directs or agrees to pursuant to the HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F)
(J) CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528
(K) If CONTRACTOR receives a request for access, amendment or accounting of PHI by any Individual subject to this DUA, it will promptly forward the request to HHS; however, if it would violate HIPAA to forward the request, CONTRACTOR will promptly notify HHS of the request and of CONTRACTOR's response. Unless CONTRACTOR is prohibited by law from forwarding a request, HHS will respond to all such requests, unless HHS has given prior written consent for CONTRACTOR to respond to and account for all such requests. 45 CFR 164.504(e)(2)
(L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information
privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308; 164.530(e); 1 TAC 202
(M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use or disclose PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's legal responsibilities if: 45 CFR 164.504(e)(4)(i) and (ii)(A)
(1) Disclosure is Required by Law, provided that CONTRACTOR complies with Section 3.01(D);
(2) CONTRACTOR obtains reasonable assurances from the Person to whom the information is disclosed that the Person will:
(a) Maintain the confidentiality of the Confidential Information in accordance with this DUA;
(b) Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the Person; and
(c) Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B)
(N) Except as otherwise limited by this DUA, CONTRACTOR will, if requested by HHS, use PHI to provide data aggregation services to HHS, as that term is defined in the HIPAA, 45 C.F.R. § 164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B)
(O) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, return to HHS or Destroy, at HHS's election, and to the extent reasonably feasible and permissible by law, all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by or disclosed to CONTRACTOR, has been Destroyed or returned to HHS, and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, CONTRACTOR acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or HHS record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such return or Destruction is not feasible, and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return of the Confidential Information not feasible for as long as CONTRACTOR maintains such Confidential Information. 45 CFR 164.504(e)(2)(ii)(J)
(P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses. 45 CFR 164.306; 164.530(e)
(Q) If CONTRACTOR accesses, transmits, stores, and/or maintains Confidential Information, CONTRACTOR will complete and return to HHS at infosecurity@hhsc.state.tx.us the HHS information security and privacy initial inquiry (SPI) at Attachment 2. The SPI identifies basic privacy and security controls with which CONTRACTOR must comply to protect HHS Confidential Information. CONTRACTOR will comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. CONTRACTOR's security controls will be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. CONTRACTOR will update its security controls assessment
whenever there are significant changes in security controls for HHS Confidential Information and will provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements. 45 CFR 164.306
(R) CONTRACTOR will establish, implement and maintain any and all appropriate procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, and with respect to PHI, as described in the HIPAA Privacy and Security Regulations, or other applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR 164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards); 164.530(c) (privacy safeguards)
(S) CONTRACTOR will designate and identify, subject to HHS approval, a Person or Persons, as Privacy Official 45 CFR 164.530(a)(1) and Information Security Official, each of whom is authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation of the privacy and security requirements in this DUA. CONTRACTOR will provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. 45 CFR 164.308(a)(2)
(T) CONTRACTOR represents and warrants that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further, that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. 45 CFR 164.502; 164.514(d)
(U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms of this DUA, at all times and supply it to HHS, as directed, upon request.
(V) CONTRACTOR will implement, update as necessary, and document reasonable and appropriate policies and procedures for privacy, security and Breach of Confidential Information and an incident response plan for an Event or Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the DUA. 45 CFR 164.308; 164.316; 164.514(d); 164.530(i)(2)
(W) CONTRACTOR will produce copies of its information security and privacy policies and procedures and records relating to the use or disclosure of Confidential Information received from, created by, or received, used or disclosed by CONTRACTOR on behalf of HHS for HHS's review and approval within 30 days of execution of this DUA and upon request by HHS the following business day or other agreed upon time frame. 45 CFR 164.308; 164.514(d)
(X) CONTRACTOR will make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, PHI in accordance with HIPAA and other applicable laws and regulations relating to Confidential Information. CONTRACTOR will provide such information in a time and manner reasonably agreed upon or as designated by the Secretary, or other federal or state law. 45 CFR 164.504(e)(2)(ii)(I)
(Y) CONTRACTOR will only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion includes secure File Transfer Protocol (SFTP) or Encryption at an appropriate level or otherwise protected as required by rule, regulation or law. HHS Confidential Information at rest requires Encryption unless there is adequate administrative, technical, and physical security, or as otherwise protected as required by rule, regulation or law. All electronic data transfer and communications of Confidential
Information will be through secure systems. Proof of system, media or device security and/or Encryption must be produced to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit or the Discovery of an Event or Breach. Otherwise, requested production of such proof will be made as agreed upon by the parties. De-identification of HHS Confidential Information is a means of security. With respect to de-identification of PHI, "secure" means de-identified according to HIPAA Privacy standards and regulatory guidance. 45 CFR 164.312; 164.530(d)
(Z) CONTRACTOR will comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 07-16;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the DUA;
• Internal Revenue Publication 1075 — Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 — An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publication 800-53 and 800-53A — Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 — Security Guide for Interconnecting Information Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices containing PHI; and
• Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that CONTRACTOR supports on behalf of HHS.
ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS
Section 4.01. Breach or Event Notification to HHS. 45 CFR 164.400-414
(A) CONTRACTOR will cooperate fully with HHS in investigating, mitigating to the extent practicable and issuing notifications directed by HHS, for any Event or Breach of Confidential Information to the extent and in the manner determined by HHS.
(B) CONTRACTOR's obligation begins at the Discovery of an Event or Breach and continues as long as related activity continues, until all effects of the Event are mitigated to HHS's satisfaction (the "incident response period"). 45 CFR 164.404
(C) Breach Notice:
1. Initial Notice
a. For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information, within the first, consecutive clock hour
of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery, or in a timeframe otherwise approved by HHS in writing, initially report to HHS's Privacy and Security Officers via email at [email address illegible in source] and the HHS division responsible for this DUA; and IRS Publication 1075; Privacy Act of 1974 as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in HHSC-CMS Contracts for information exchange.
b. Report all information reasonably available to CONTRACTOR about the Event or Breach of the privacy or security of Confidential Information. 45 CFR 164.410
c. Name, and provide contact information to HHS for, CONTRACTOR's single point of contact who will communicate with HHS both on and off business hours during the incident response period.
2. 48-Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a time within which Discovery reasonably should have been made by CONTRACTOR of an Event or Breach of Confidential Information, provide formal notification to the State, including all reasonably available information about the Event or Breach, and CONTRACTOR's investigation, including without limitation and to the extent available: For (a) - (m) below: 45 CFR 164.400-414
a. The date the Event or Breach occurred;
b. The date of CONTRACTOR's and, if applicable, Subcontractor's Discovery;
c. A brief description of the Event or Breach, including how it occurred and who is responsible (or hypotheses, if not yet determined);
d. A brief description of CONTRACTOR's investigation and the status of the investigation;
e. A description of the types and amount of Confidential Information involved;
f. Identification of and number of all Individuals reasonably believed to be affected, including first and last name of the individual and if applicable the Legally Authorized Representative, last known address, age, telephone number, and email address if it is a preferred contact method, to the extent known or can be reasonably determined by CONTRACTOR at that time;
g. CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHS approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply;
h. CONTRACTOR's recommendation for HHS's approval as to the steps Individuals and/or CONTRACTOR on behalf of Individuals, should take to protect the Individuals from potential harm, including without limitation CONTRACTOR's provision of notifications, credit protection, claims monitoring, and any specific protections for a Legally Authorized Representative to take on behalf of an Individual with special capacity or circumstances;
i. The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate);
j. The steps CONTRACTOR has taken, or will take, to prevent or reduce the likelihood of recurrence of a similar Event or Breach;
k. Identify, describe or estimate of the Persons, Workforce, Subcontractor, or Individuals and any law enforcement that may be involved in the Event or Breach;
l. A reasonable schedule for CONTRACTOR to provide regular updates to the foregoing in the future for response to the Event or Breach, but no less than every three (3) business days or as
otherwise directed by HHS, including information above riaR ea<imn<io.+:+, .eport..,g, .,otificaGoq
i£ any, mitigation, corrective action, root cause analysis and when such activities are expected to
be_compl e2e_d:�nd _ _ _ _
m. Any reasonably availab]e, pertinent informatioq documents or reports related to an Event or
Breach that HHS requests following Discovery.
Section 4.02 In vestignifaq Response and Mtttgattan. For A -F betorv: 45 CFR 164.308, 370
and 322; I64.53D
(A) CONTRACTOR will immediately conduct a full and complete investigation, respond to
the ve or Breach_ commit necessary and appropriate staff and resources to expeditiously
respond, and report as required to and by HHS for incident response purposes and For purposes of
HHS's compliance with report and notiRcaHon requirements, to th¢ satisfaction o{HHS.
(B) CONTRACTOR will complete or participate in a risk assessment as directed by HHS
following an Event or Breach, and provide the final assessment, corrective actions and
mitigations to HHS for review and approvai-
(C) CONTRACTOR will fully cooperate with HHS to respond to inquiries and/or
proceedings by state and federal authorities, Persons and/or Individuals about the Event or
Breach.
(D) CONTRACTOR will £idly cooperate with HHS's efforts to seek appropriate injunctive
relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any
Con£dential Information, including complying with reasonable corrective action or measures, as
specified by HHS in a Corrective Action Plan if directed by HHS under the Base Contract -
Section 4.03 Breach Nat{fcatiors to Individ'uats and Repor[tng to Authorities Tex. Bus. 8.
Comm. Code §52L033; 45 CFR 264.404 (Indtviduats), 164.406 (Media); 764.408 (Authorities)
(A) HHS may direct CONTRACTOR to provide Breach notification to Individuals,
regulators or third parties, as specified by HHS following a Breach.
(B) CONTRACTOR must obtain HHS's prior written approval of the time, manner and
content of any notification to Individuals, regulators or third parties, or any notice required by
other state or federal authorities. Notice letters will be in CONTRACTOR's name and on
CONTRACTOR's letterhead, unless otherwise directed by HHS, and will contain contact
information, including the name and title of CONTRACTOR's representative, an email address
and a toll-free telephone number, for the Individual to obtain additional information.
(C) CONTRACTOR will provide HHS with copies of distributed and approved
communications.
(D) CONTRACTOR will have the burden of demonstrating to the satisfaction of HHS that
any notification required by HHS was timely made. If there are delays outside of
CONTRACTOR's control, CONTRACTOR will provide written documentation of the reasons
for the delay.
(E) If HHS delegates notice requirements to CONTRACTOR, HHS shall, in the time and
manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's
information requests in order to make such notifications and reports.
ARTICLE 5. SCOPE OF WORK
HHS Data Use Agreement V.8.3 HIPAA Omnibus Compliant April 1, 2015
Attachment 1
DADS Contract No. 539-11-0008-00001
Scope of Work means the services and deliverables to be performed or provided by
or on behalf of CONTRACTOR by its Subcontractors or agents for HHS that are described
in the Base Contract. The Scope of Work, including any future amendments thereto, is incorporated
into this DUA as if set out word-for-word herein.
ARTICLE 6. GENERAL PROVISIONS
Section 6.01 Ownership of Confidential Information
CONTRACTOR acknowledges and agrees that the Confidential Information is and will remain the
property of HHS. CONTRACTOR agrees it acquires no title or rights to the Confidential Information.
Section 6.02 HHS Commitment and Obligations
HHS will not request CONTRACTOR to create, maintain, transmit, use or disclose PHI in any manner
that would not be permissible under applicable law if done by HHS.
Section 6.03 HHS Right to Inspection
At any time upon reasonable notice to CONTRACTOR, or if HHS determines that CONTRACTOR
has violated this DUA, HHS, directly or through its agent, will have the right to inspect the facilities, systems,
books and records of CONTRACTOR to monitor compliance with this DUA. For purposes of this
subsection, HHS's agent(s) include, without limitation, the HHS Office of the Inspector General or the Office
of the Attorney General of Texas, outside consultants or legal counsel or other designee.
Section 6.04 Term; Termination of DUA; Survival
This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will
terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended or
amended, this DUA is updated automatically concurrent with such extension or amendment.
(A) HHS may immediately terminate this DUA and Base Contract upon a material violation
of this DUA.
(B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation
to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the
Confidential Information until such time as determined by HHS.
(D) If HHS determines that CONTRACTOR has violated a material term of this DUA, HHS
may in its sole discretion:
1. Exercise any of its rights including but not limited to reports, access and inspection under
this DUA and/or the Base Contract; or
2. Require CONTRACTOR to submit to a corrective action plan, including a plan for
monitoring and plan for reporting, as HHS may determine necessary to maintain compliance with
this DUA; or
3. Provide CONTRACTOR with a reasonable period to cure the violation as determined
by HHS; or
4. Terminate the DUA and Base Contract immediately, and seek relief in a court of
competent jurisdiction in Travis County, Texas.
Before exercising any of these options, HHS will provide written notice to CONTRACTOR
describing the violation and the action it intends to take.
(E) If neither termination nor cure is feasible, HHS shall report the violation to the Secretary.
(F) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration or
termination of this DUA until all the Confidential Information is Destroyed or returned to HHS, as
required by this DUA.
Section 6.05 Governing Law, Venue and Litigation
(A) The validity, construction and performance of this DUA and the legal relations among the
Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas.
(B) The Parties agree that the courts of Travis County, Texas, will be the exclusive venue for
any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise
out of, or in connection with, or by reason of this DUA.
Section 6.06 Injunctive Relief
(A) CONTRACTOR acknowledges and agrees that HHS may suffer irreparable injury if
CONTRACTOR or its Subcontractor fails to comply with any of the terms of this DUA with respect to
the Confidential Information or a provision of HIPAA or other laws or regulations applicable to
Confidential Information.
(B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate
HHS for CONTRACTOR's or its Subcontractor's failure to comply. Accordingly, CONTRACTOR
agrees that HHS will, in addition to any other remedies available to it at law or in equity, be entitled to
seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages,
to enforce the terms of this DUA.
Section 6.07 Indemnification
To the extent permitted by law, CONTRACTOR will indemnify, defend and hold harmless HHS and its
respective Executive Commissioner, employees, Subcontractors, agents (including other state agencies acting
on behalf of HHS) or other members of its Workforce (each of the foregoing hereinafter referred to as
"Indemnified Party") against all actual and direct losses suffered by the Indemnified Party and all liability to
third parties arising from or in connection with any breach of this DUA or from any acts or omissions related
to this DUA by CONTRACTOR or its employees, directors, officers, Subcontractors, or agents or other
members of its Workforce. The duty to indemnify, defend and hold harmless is independent of the duty to
insure and continues to apply even in the event insurance coverage required, if any, in the DUA or Base
Contract is denied, or coverage rights are reserved by any insurance carrier. Upon demand, CONTRACTOR
will reimburse HHS for any and all losses, liabilities, lost profits, fines, penalties, costs or expenses (including
reasonable attorneys' fees) which may for any reason be imposed upon any Indemnified Party by reason of
any suit, claim, action, proceeding or demand by any third party to the extent caused by and which results
from the CONTRACTOR's failure to meet any of its obligations under this DUA. To the extent permitted by
law, CONTRACTOR's obligation to defend, indemnify and hold harmless any Indemnified Party will
survive the expiration or termination of this DUA.
Section 6.08 Insurance
(A) CONTRACTOR represents and warrants that it maintains either self-insurance or
commercial insurance with policy limits sufficient to cover any liability arising from any acts or omissions
by CONTRACTOR or its employees, directors, officers, Subcontractors, or agents or other members of its
Workforce under this DUA. CONTRACTOR warrants that HHS will be a loss payee and beneficiary for any
such claims.
(B) CONTRACTOR will provide HHS with written proof that required insurance coverage is
in effect, at the request of HHS.
Section 6.09 Fees and Costs
Except as otherwise specified in this DUA or the Base Contract, including but not limited to
requirements to insure and/or indemnify HHS, if any legal action or other proceeding is brought for the
enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default,
misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each party will
bear their own legal expenses and the other costs incurred in that action or proceeding.
Section 6.10 Entirety of the Contract
This Data Use Agreement is incorporated by reference into the Base Contract and, together with the
Base Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of
obligations arising under those documents will be valid unless in writing and executed by the party against
whom such change, waiver, or discharge is sought to be enforced.
Section 6.11 Automatic Amendment and Interpretation
Upon the effective date of any amendment or issuance of additional regulations to HIPAA, or any
other law applicable to Confidential Information, this DUA will automatically be amended so that the
obligations imposed on HHS and/or CONTRACTOR remain in compliance with such requirements. Any
ambiguity in this DUA will be resolved in favor of a meaning that permits HHS and CONTRACTOR to
comply with HIPAA or any other law applicable to Confidential Information.
Section 6.12 Effective Date
The effective date of this Data Use Agreement is as stated in the contract amendment which
incorporates the DUA into the Base Contract.
State of Texas
Travis County
Title:
Date Signed:
Title: Assistant Commissioner, Access and Intake
Date Signed:
City of Round Rock
Agenda Item Summary
Agenda Number:
Title: Consider executing "Attachment 1. Subcontractor Agreement Form" of the
"Data Use Agreement between the Texas Health and Human Services
Enterprise and CAPCOG," said Data Use Agreement being added as
Attachment "A" to the base contract between Texas Health and Human
Services Enterprise and CAPCOG for Older American Act Programs
through Amendment No. 5 to the base contract for the purpose of better
protecting confidential information.
Type: City Manager Item
Governing Body: City Manager Approval
Agenda Date: 6/12/2015
Dept Director: Gary Hudder
Cost:
Indexes:
Attachments: Attachment 1 to Data Use Agreement (AAA & DADS).pdf
Department: Transportation Department
Text of Legislative File CM-2015-806
LEGAL DEPARTMENT APPROVAL FOR CITY COUNCIL/CITY MANAGER ACTION
Required For Submission of ALL City Council and City Manager Items
Department Name:
Project Mgr/Resource:
Council Action:
ORDINANCE
xx City Manager Approval
Attorney
Project Name: Subcontractor Agreement Form - Data Use Agreement
Facility/Vendor: Texas Health and Human Services Enterprise/CAPCOG
RESOLUTION
LMA Wording
Consider executing "Attachment 1. Subcontractor Agreement Form" of the "Data Use Agreement between the Texas Health and
Human Services Enterprise and CAPCOG," said Data Use Agreement being added as Attachment "A" to the Base Contract
between Texas Health and Human Services Enterprise and CAPCOG for Older American Act Programs through Amendment No.
5 to the Base Contract for the purpose of better protecting confidential information.
June 16, 2015
Texas Health and Human Services Enterprise/CAPCOG
Attn: Michelle Davis
6800 Burleson Rd., Bldg. 310, Suite 165
Austin, Texas 78744
To Whom It May Concern:
On June 12, 2015, City Manager Laurie Hadley executed an "Attachment 1. Subcontractor
Agreement Form" between the Texas Health and Human Services Enterprise and CAPCOG.
Enclosed are two executed originals for your signature. A self-addressed envelope is also
enclosed for your convenience. Please keep one original for your files and return the other
to the following address:
City of Round Rock
Attn: Monique Adams
221 East Main Street
Round Rock, TX 78664
Please feel free to contact me if you have any questions at 512-218-3234.
Sincerely,
Monique Adams
Assistant to the City Manager
Enclosure
File CM-2015-806
CITY of ROUND ROCK 221 East Main Street, Round Rock, Texas 78664
(P) 512.218.5410 - (F) 512.218.7097 - roundrocktexas.gov
Mayor: Alan McGraw
Mayor Pro-Tem: John Moman
Councilmembers: Craig Morgan, Frank Leffingwell, Will Peckham, George White, Kris Whitfield
City Manager: Laurie Hadley
City Attorney: Stephan L. Sheets
Administration Department