BREACH DISCOVERY AND NOTIFICATION 17 1. Following the discovery of a Breach of Unsecured PHI, CONTRACTOR shall notify 18 COUNTY of such Breach, however both parties agree to a delay in the notification if so advised by a 19 law enforcement official pursuant to 45 CFR § 164.412.
20 a. A Breach shall be treated as discovered by CONTRACTOR as of the first day on which 21 such Breach is known to CONTRACTOR or, by exercising reasonable diligence, would have been 22 known to CONTRACTOR.
23 b. CONTRACTOR shall be deemed to have knowledge of a Breach, if the Breach is 24 known, or by exercising reasonable diligence would have known, to any person who is an employee, 25 officer, or other agent of CONTRACTOR, as determined by federal common law of agency.
26 2. CONTRACTOR shall provide the notification of the Breach immediately to the COUNTY 27 Privacy Officer. CONTRACTOR’s notification may be oral, but shall be followed by written 28 notification within twenty four (24) hours of the oral notification.
29 3. CONTRACTOR’s notification shall include, to the extent possible:
30 a. The identification of each Individual whose Unsecured PHI has been, or is reasonably 31 believed by CONTRACTOR to have been, accessed, acquired, used, or disclosed during the Breach;
32 b. Any other information that COUNTY is required to include in the notification to 33 Individual under 45 CFR §164.404 (c) at the time CONTRACTOR is required to notify COUNTY or 34 promptly thereafter as this information becomes available, even after the regulatory sixty (60) day 35 period set forth in 45 CFR § 164.410 (b) has elapsed, including:
36 1) A brief description of what happened, including the date of the Breach and the date 37 of the discovery of the Breach, if known;
1 2) A description of the types of Unsecured PHI that were involved in the Breach (such 2 as whether full name, social security number, date of birth, home address, account number, diagnosis, 3 disability code, or other types of information were involved);
4 3) Any steps Individuals should take to protect themselves from potential harm 5 resulting from the Breach;
6 4) A brief description of what CONTRACTOR is doing to investigate the Breach, to 7 mitigate harm to Individuals, and to protect against any future Breaches; and
8 5) Contact procedures for Individuals to ask questions or learn additional information, 9 which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
10 4. COUNTY may require CONTRACTOR to provide notice to the Individual as required in 11 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the 12 COUNTY.
13 5. In the event that CONTRACTOR is responsible for a Breach of Unsecured PHI in violation 14 of the HIPAA Privacy Rule, CONTRACTOR shall have the burden of demonstrating that 15 CONTRACTOR made all notifications to COUNTY consistent with this Subparagraph F and as 16 required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or 17 disclosure of PHI did not constitute a Breach.
18 6. CONTRACTOR shall maintain documentation of all required notifications of a Breach or 19 its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur.
20 7. CONTRACTOR shall provide to COUNTY all specific and pertinent information about the 21 Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit 22 COUNTY to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as 23 practicable, but in no event later than fifteen (15) calendar days after CONTRACTOR’s initial report of 24 the Breach to COUNTY pursuant to Subparagraph F.2. above.
25 8. CONTRACTOR shall continue to provide all additional pertinent information about the
CERTIFICATION REGARDING DRUG-FREE WORKPLACE REQUIREMENTS 1. The Contractor certifies that it will provide a drug-free workplace by:
a. Publishing a statement notifying employees that the unlawful manufacture, distribution, dispensing, possession or use of a controlled substance is prohibited in the Contractor’s workplace and specifying the actions that will be taken against employees for violation of such prohibition;
Optional Xactimate Response Attachment (Part 2)
Fraud, Waste, and Abuse Contractor understands that HHS does not tolerate any type of fraud, waste, or abuse. Violations of law, agency policies, or standards of ethical conduct will be investigated, and appropriate actions will be taken. Pursuant to Texas Government Code, Section 321.022, if the administrative head of a department or entity that is subject to audit by the state auditor has reasonable cause to believe that money received from the state by the department or entity or by a client or contractor of the department or entity may have been lost, misappropriated, or misused, or that other fraudulent or unlawful conduct has occurred in relation to the operation of the department or entity, the administrative head shall report the reason and basis for the belief to the Texas State Auditor’s Office (SAO). All employees or contractors who have reasonable cause to believe that fraud, waste, or abuse has occurred (including misconduct by any HHS employee, Grantee officer, agent, employee, or subcontractor that would constitute fraud, waste, or abuse) are required to immediately report the questioned activity to the Health and Human Services Commission's Office of Inspector General. Contractor agrees to comply with all applicable laws, rules, regulations, and System Agency policies regarding fraud, waste, and abuse including, but not limited to, HHS Circular C-027. A report to the SAO must be made through one of the following avenues: ● SAO Toll Free Hotline: 1-800-TX-AUDIT ● SAO website: xxxx://xxx.xxxxx.xxxxx.xx.xx/ All reports made to the OIG must be made through one of the following avenues: ● OIG Toll Free Hotline 0-000-000-0000 ● OIG Website: XxxxxxXxxxxXxxxx.xxx ● Internal Affairs Email: XxxxxxxxXxxxxxxXxxxxxxx@xxxx.xxxxx.xx.xx ● OIG Hotline Email: XXXXxxxxXxxxxxx@xxxx.xxxxx.xx.xx. ● OIG Mailing Address: Office of Inspector General Attn: Fraud Hotline MC 1300 P.O. Box 85200 Austin, Texas 78708-5200
Substance Abuse Treatment Information Substance abuse treatment information shall be maintained in compliance with 42 C.F.R. Part 2 if the Party or subcontractor(s) are Part 2 covered programs, or if substance abuse treatment information is received from a Part 2 covered program by the Party or subcontractor(s).
DRUG-FREE WORKPLACE REQUIREMENTS Contractor will comply with the requirements of the Drug-Free Workplace Act of 1990 and will provide a drug-free workplace by taking the following actions:
a. Publish a statement notifying employees that unlawful manufacture, distribution, dispensation, possession or use of a controlled substance is prohibited and specifying actions to be taken against employees for violations.
b. Establish a Drug-Free Awareness Program to inform employees about:
1) the dangers of drug abuse in the workplace;
2) the person's or organization's policy of maintaining a drug-free workplace;
3) any available counseling, rehabilitation and employee assistance programs; and,
4) penalties that may be imposed upon employees for drug abuse violations.
c. Every employee who works on the proposed Agreement will:
1) receive a copy of the company's drug-free workplace policy statement; and,
2) agree to abide by the terms of the company's statement as a condition of employment on the Agreement. Failure to comply with these requirements may result in suspension of payments under the Agreement or termination of the Agreement or both and Contractor may be ineligible for award of any future State agreements if the department determines that any of the following has occurred: the Contractor has made false certification, or violated the certification by failing to carry out the requirements as noted above. (Gov. Code §8350 et seq.)
Determination of Responsiveness 28.1 The Procuring Entity's determination of a Tender's responsiveness is to be based on the contents of the Tender itself, as defined in ITT28.2.
Encryption Requirements DST will not locally store Fund Data on any laptops or mobile devices (e.g., Blackberries, PDAs) managed by DST.
Workplace Violence Prevention and Crisis Response (applicable to any Party and any subcontractors and sub-grantees whose employees or other service providers deliver social or mental health services directly to individual recipients of such services): Party shall establish a written workplace violence prevention and crisis response policy meeting the requirements of Act 109 (2016), 33 VSA §8201(b), for the benefit of employees delivering direct social or mental health services. Party shall, in preparing its policy, consult with the guidelines promulgated by the U.S. Occupational Safety and Health Administration for Preventing Workplace Violence for Healthcare and Social Services Workers, as those guidelines may from time to time be amended. Party, through its violence protection and crisis response committee, shall evaluate the efficacy of its policy, and update the policy as appropriate, at least annually. The policy and any written evaluations thereof shall be provided to employees delivering direct social or mental health services. Party will ensure that any subcontractor and sub-grantee who hires employees (or contracts with service providers) who deliver social or mental health services directly to individual recipients of such services, complies with all requirements of this Section.
Transparency and Freedom of Information 15.1 The Contractor acknowledges that the Authority is subject to the requirements of FOISA and the Environmental Information Regulations. The Contractor shall:
(a) provide all necessary assistance and cooperation as the Authority may reasonably request to enable the Authority to comply with its obligations under FOISA and Environmental Information Regulations;
(b) transfer to the Authority all Requests for Information relating to this Agreement that the Contractor receives as soon as practicable and in any event within 2 Working Days of receipt;
(c) provide the Authority with a copy of all information held on behalf of the Authority which is requested in a Request For Information and which is in the Contractor’s possession or control. The information must be provided within 5 Working Days (or such other period as the Authority may reasonably specify) in the form that the Authority requires.
(d) not respond directly to a Request For Information addressed to the Authority unless authorised in writing to do so by the Authority.
15.2 If the Request for Information appears to be directed to information held by the Authority, the Contractor must promptly inform the applicant in writing that the Request for Information can be directed to the Authority.
15.3 If the Authority receives a Request for Information concerning the Framework Agreement, the Authority is responsible for determining at its absolute discretion whether the information requested is to be disclosed to the applicant or whether the information requested is exempt from disclosure in accordance with FOISA or the Environmental Information Regulations.
15.4 The Contractor acknowledges that the Authority may, acting in accordance with the Authority’s Code of Practice on the Discharge of Functions of Public Authorities issued under section 60(5) of FOISA (as may be issued and revised from time to time), be obliged under FOISA or the Environmental Information Regulations to disclose information requested concerning the Contractor or the Framework Agreement:
15.4.1 in certain circumstances without consulting the Contractor, or
15.4.2 following consultation with the Contractor and having taken its views into account.
