Common use of DATA SECURITY AND SAFEGUARDS Clause in Contracts

DATA SECURITY AND SAFEGUARDS. The Data Applicant and Data Recipient agree to establish, comply with, and update appropriate administrative, technical, and physical safeguards to protect the confidentiality of MHDO Data and to prevent unauthorized use, access to, or disclosure of the MHDO Data other than as provided for by this Agreement. MHDO Data shall be stored and accessed only in areas that are physically safe from access by unauthorized persons at all times. The MHDO Data shall be protected electronically to prevent unauthorized access by computer, remote access, or any other means. The Data Applicant and Data Recipient agree that all MHDO Data and work product derived therefrom that has not been approved by MHDO for publication will be encrypted at rest and in transit. Block level encryption of all media is required where MHDO data are stored. The strength of data encryption must be a certified algorithm which is 256 bit or higher. Any encryption keys protecting the storage or transmission of MHDO Data, including the MHDO encryption key, shall only be used by individual persons specified on this MHDO DUA. Such keys shall be stored and transmitted separately from the information they protect. The Data Applicant and Data Recipient expressly agree that MHDO Data will not be accessed, tested, maintained, backed-up, transmitted, or stored outside of the United States. The Data Applicant and Data Recipient may not sell, re-package or in any way make MHDO Data available at the individual element level, unless the ultimate viewers of that data have applied to MHDO for this data, been approved for such access and signed an MHDO DUA. The Data Applicant and Data Recipient shall immediately inform the MHDO of any legal process by which third parties try to obtain access to MHDO data held by the Data Applicant or Data Recipient or any subcontractor and shall not turn over any data except as permitted by MHDO. 
REPORTING AND INVESTIGATIONS The Data Applicant and Data Recipient agree to report to the MHDO: all security incidents including attempted or successful unauthorized access, use, disclosure, modification or destruction of MHDO Data; interference with system operation in an information system that contains MHDO Data; and specifically, any potential or actual breach of Protected Health Information (PHI) from the MHDO Data. Data Applicant and Data Recipient shall report any such actual or suspected security incident to the MHDO Executive Director within 24 hours after it is discovered. The Data Applicant and Data Recipient agrees to cooperate fully with MHDO in determining the significance of the security incident, and to provide all internal documents, practices and specific information required by MHDO to assess and resolve security incidents. The Data Applicant and Data Recipient shall make, at its expense, all reasonable efforts to mitigate any harmful effect known to the Data Applicant and Data Recipient arising from its use or disclosure of MHDO Data in violation of this Agreement. The Executive Director of MHDO will determine whether there was any breach, if any PHI was compromised, and if so, whether any notification to individuals should be made. An impermissible use or disclosure of PHI is presumed to be a breach unless the Data Applicant and Data Recipient demonstrates and MHDO concludes that there is a low probability that the PHI has been compromised based on a risk assessment including the following factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; the extent to which the risk to the PHI has been mitigated, and whether and how the data was secured, including encryption. 
If the Executive Director of MHDO determines that the data were secure data or that there was a low probability of compromise to any PHI involved or that one of the exceptions or safe harbors to the definition of breach exists (such as unintentional or inadvertent disclosures to employees held to same security and privacy standards and not further disclosed or good faith reason to believe unauthorized person to whom a disclosure was made could not reasonably retain the PHI), the Executive Director will determine that no individual notification need be made. If the Executive Director of MHDO determines that there is a breach of non-secure PHI data such as would require notice to affected individuals if the breach occurred at a HIPAA covered entity, MHDO will provide individual notification similar to notification required by HIPAA. HOLD HARMLESS Data Applicant and Data Recipient shall be jointly and severally liable and shall indemnify and hold harmless MHDO and its Directors and employees for any damages, liabilities, and costs, including individual notification, resulting from a Data Applicant’s or Data Recipient’s breach or other violation of law or of this Agreement. Furthermore, if MHDO determines that notification to affected individual persons of the breach and/or other remedies are required, the Data Applicant and Data Recipient agree to carry out these remedies without cost to MHDO. To the extent legal action based on a Data Applicant and or Data Recipient’s breach or other violation of law is taken against an entity that submits data to MHDO, Data Applicant and/or Data Recipient shall indemnify and hold harmless that data provider.

Appears in 3 contracts

Samples: Use Agreement, Use Agreement, Use Agreement


DATA SECURITY AND SAFEGUARDS. The Data Applicant and Data Recipient agree to establish, comply with, and update appropriate administrative, technical, and physical safeguards to protect the confidentiality of MHDO Data and to prevent unauthorized use, access to, or disclosure of the MHDO Data other than as provided for by this Agreement. MHDO Data shall be stored and accessed only in areas that are always physically safe from access by unauthorized persons. The MHDO Data shall be protected electronically to prevent unauthorized access by computer, remote access, or any other means. The Data Applicant and Data Recipient agree that all MHDO Data and work product derived therefrom that has not been approved by MHDO for publication will be encrypted at rest and in transit. Block level encryption of all media is required where MHDO data are stored. The strength of data encryption must be a certified algorithm which is 256 bit or higher. Any encryption keys protecting the storage or transmission of MHDO Data, including the MHDO encryption key, shall only be used by individual persons specified on this MHDO DUA. Such keys shall be stored and transmitted separately from the information they protect. The Data Applicant and Data Recipient expressly agree that MHDO Data will not be accessed, tested, maintained, backed-up, transmitted, or stored outside of the United States. The Data Applicant and Data Recipient may not sell, re-package or in any way make MHDO Data available at the individual element level, unless the ultimate viewers of that data have applied to MHDO for this data, been approved for such access and signed an MHDO DUA. The Data Applicant and Data Recipient shall immediately inform the MHDO of any legal process by which third parties try to obtain access to MHDO data held by the Data Applicant or Data Recipient or any subcontractor and shall not turn over any data except as permitted by MHDO.
REPORTING AND INVESTIGATIONS The Data Applicant and Data Recipient agree to report to the MHDO: all security incidents including attempted or successful unauthorized access, use, disclosure, modification, or destruction of MHDO Data; interference with system operation in an information system that contains MHDO Data; and specifically, any potential or actual breach of Protected Health Information (PHI) from the MHDO Data. Data Applicant and Data Recipient shall report any such actual or suspected security incident to the MHDO Executive Director within 24 hours after it is discovered. The Data Applicant and Data Recipient agrees to cooperate fully with MHDO in determining the significance of the security incident, and to provide all internal documents, practices and specific information required by MHDO to assess and resolve security incidents. The Data Applicant and Data Recipient shall make, at its expense, all reasonable efforts to mitigate any harmful effect known to the Data Applicant and Data Recipient arising from its use or disclosure of MHDO Data in violation of this Agreement. The Executive Director of MHDO will determine whether there was any breach, if any PHI was compromised, and if so, whether any notification to individuals should be made. An impermissible use or disclosure of PHI is presumed to be a breach unless the Data Applicant and Data Recipient demonstrate and MHDO concludes that there is a low probability that the PHI has been compromised based on a risk assessment including the following factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; the extent to which the risk to the PHI has been mitigated, and whether and how the data was secured, including encryption.
If the Executive Director of MHDO determines that the data were secure data or that there was a low probability of compromise to any PHI involved or that one of the exceptions or safe harbors to the definition of breach exists (such as unintentional or inadvertent disclosures to employees held to same security and privacy standards and not further disclosed or good faith reason to believe unauthorized person to whom a disclosure was made could not reasonably retain the PHI), the Executive Director will determine that no individual notification need be made. If the Executive Director of MHDO determines that there is a breach of non-secure PHI data such as would require notice to affected individuals if the breach occurred at a HIPAA covered entity, MHDO will provide individual notification similar to notification required by HIPAA. HOLD HARMLESS Data Applicant and Data Recipient shall be jointly and severally liable and shall indemnify and hold harmless MHDO and its Directors and employees for any damages, liabilities, and costs, including individual notification, resulting from a Data Applicant’s or Data Recipient’s breach or other violation of law or of this Agreement. Furthermore, if MHDO determines that notification to affected individual persons of the breach and/or other remedies are required, the Data Applicant and Data Recipient agree to carry out these remedies without cost to MHDO. To the extent legal action based on a Data Applicant and or Data Recipient’s breach or other violation of law is taken against an entity that submits data to MHDO, Data Applicant and/or Data Recipient shall indemnify and hold harmless that data provider.

Appears in 1 contract

Samples: Use Agreement
