Contractors Duties Regarding Confidential Information. Section 3.01
Contractors Duties Regarding Confidential Information.
3.1. With respect to PHI, Contractor shall:
3.1.1. Make PHI available if requested by DHHS, if Contractor maintains PHI, as defined in HIPAA.
3.1.2. Provide to DHHS data aggregation services related to the healthcare operations Contractor performs for DHHS pursuant to the Contract, if requested by DHHS, if Contractor provides data aggregation services as defined in HIPAA.
3.1.3. Provide access to PHI to an individual who is requesting his or her own PHI, or such individual’s Legally Authorized Representative, in compliance with the requirements of HIPAA.
3.1.4. Make PHI available to DHHS for amendment, and incorporate any amendments to PHI that DHHS directs, in compliance with HIPAA.
3.1.5. Document and make available to DHHS, an accounting of use and disclosures in compliance with the requirements of HIPAA.
3.1.6. If Contractor receives a request for access, amendment or accounting of PHI by any individual, promptly forward the request to DHHS or, if forwarding the request would violate HIPAA, promptly notify DHHS of the request and of Contractor’s response. DHHS will respond to all such requests, unless Contractor is Required by Law to respond or DHHS has given prior written consent for Contractor to respond to and account for all such requests.
3.2. With respect to ALL Confidential Information, Contractor shall:
3.2.1. Exercise reasonable care and no less than the same degree of care Contractor uses to protect its own confidential, proprietary and trade secret information to prevent Confidential Information from being used in a manner that is not expressly an Authorized Purpose or as Required by Law. Contractor must access, create, maintain, receive, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses.
3.2.2. Establish, implement and maintain appropriate procedural, administrative, physical and technical safeguards (for the purpose of this paragraph, “Safeguards”) to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, in accordance with applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as Contractor has such Confidential Information in its actual or constructive possession. DHHS must review and approve said Safeguards before actual or const...
Contractors Duties Regarding Confidential Information.
Contractor must:
Limit access to CI to only Authorized Users for an Authorized Purpose (the services that HHS has hired the contractor to perform)
Train its Workforce on privacy and security
Sanction its Workforce who violate the DUA
Not re-identify de-identified CI
Be responsible for its subcontractors and have them sign the Subcontractor Attachment to the DUA
Return or Destroy CI upon termination of DUA at HHS’ election
Safeguard CI
Provide an Initial Security Inquiry or System Security Plan to HHS that documents contractor’s security controls and identifies security risks
Establish and implement administrative, procedural, technical and physical safeguards that protect HHS CI
Identify a Privacy Official and an Information Security Official to be responsible for the implementation of the DUA and contact with HHS
Maintain a list of Authorized Users
Respond to HHS requests for information and cooperate with investigations and audits
Securely transmit CI (may include encryption)
Comply with applicable laws, regulations, security controls and policies