Obligations of Contractor. a. Contractor may use Electronic PHI and PHI (collectively, “PHI”) solely to perform its duties and responsibilities under this Contract and only as provided in this Contract. Contractor acknowledges and agrees that PHI is confidential and shall not be used or disclosed, in whole or in part, except as provided in this Contract or as Required by Law. Specifically, Contractor agrees it will and will require its employees, agents, vendors, and subcontractor to:
i. Use or further disclose PHI only as permitted in this Contract or as Required by Law, including, but not limited to HIPAA.
ii. Ensure that SoonerCare member information is confidential and is not to be released pursuant to 42 U.S.C §1396a(a)(7), 42 C.F.R. §§ 431.300-431.306 and 63 O.S. § 5018. Contractor agrees not to release the information governed by these SoonerCare member requirements to any other person or entity without the approval of OHCA, or as required by law or court order.
iii. Ensure that SoonerCare member and provider information cannot be re-marketed, summarized, distributed, or sold to any other organization without the express written approval of OHCA.
iv. Implement and document appropriate technical, physical, and administrative safeguards and comply with 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Contract, and to protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits for or on behalf of OHCA in accordance with HIPAA including but not limited to training all employees, agents, and subcontractors in HIPAA to protect OHCA’s PHI and prevent, detect, contain, and correct Security violations in accordance with HIPAA; applying security patches and performing vulnerability assessments on a regular basis, and using encryption for all electronic transmission of PHI including forced TLS connections for email.
v. Not use or disclose or otherwise make available OHCA’s PHI to any entity or individual who is not subject to the laws of the United States.
vi. Not receive remuneration from a third party in exchange for disclosing PHI received from or on behalf of OHCA.
vii. Report to OHCA any use or disclosure of PHI that is not permitted under this Contract as soon as reasonably practicable upon discovery but not later than five (5) calendar days from discovery, and mitigate, to the extent practicable and in cooperation with OHCA, any harmful effects known to him/her/it in connection with a use or disclosure made in violation of this Contract.
viii. Report potential known violations of 21 O.S. § 1953 to OHCA Legal Division without delay and in no event later than five (5) calendar days after discovery of an unauthorized act. In general, this criminal statute makes it a crime to willfully and without authorization gain access to, alter, modify, disrupt, or threaten a computer system.
ix. Report to OHCA any security incident upon discovery within five (5) calendar days of knowledge of the incident, as defined in the Security Rule, with respect to electronic PHI, as well as any breaches of unsecured PHI as required by 45 C.F.R. § 164.400 et seq. A Security Incident shall include, but is not limited to, unwanted disruption or denial of service, unauthorized use of a system for processing or storing ePHI, or changes to system hardware, firmware, or software without Contractor’s consent. Reports shall include successful Security Incidents.
x. With the exception of law enforcement delays that satisfy the requirements of 45 C.F.R. § 164.412, notify OHCA promptly, in writing and without unreasonable delay and in no case later than five (5) calendar days, upon the discovery of a breach of unsecured PHI as reasonable in the HITECH Act or accompanying regulations, pursuant to the terms of 45 C.F.R. § 164.410. Such notice shall include, to the extent possible, the name of each individual whose unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, or disclosed during such breach. Contractor shall also, to the extent possible, furnish OHCA with any other available information that OHCA is required to include in any notification to individuals under 45 C.F.R. § 164.404(c) at the time of Contractor’s notification to OHCA or promptly thereafter as such information becomes available. Contractor shall cooperate in OHCA’s breach analysis procedures, including risk assessment, if requested.
xi. Mitigate, to the extent practicable, any harmful effect that is known to Contractor in connection with a use or disclosure of PHI by Contractor in violation of the requirements of this Contract.
xii. Provide encrypted e-mail communication when PHI is transmitted to OHCA. No direct connection or Virtual Private Network (VPN) to OHCA will be used for this purpose nor will OHCA use individual e-mail certificates for its staff. Such encrypted e-mail will require a X.509 certificate that can be collected by the existing OHCA e-mail encryption system, so that e-mails can be decrypted automatically by OHCA. OHCA shall provide no additional hardware/software to Contractor for this purpose nor accept any Contractor provided hardware/software.
xiii. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors, vendors, and agents to whom it provides PHI or who create, receive, use, disclose, maintain, transmit, or have access to OHCA’s PHI agree to the same restrictions, conditions, and requirements that apply to Contractor under this Contract, including but not limited to implementing reasonable and appropriate safeguards to protect PHI. Contractor shall obtain satisfactory written assurance of this from the subcontractor, and make this assurance available to OHCA upon request.
xiv. Contractor will make available PHI in a designated record set to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.524.
xv. Contractor will make any amendment(s) to PHI in a designated record set as directed or agreed to by OHCA pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.526.
xvi. Any disclosure of OHCA data shall be approved in advance by OHCA and then only to individuals expressly authorized to review such information under applicable Federal or State laws. If Contractor, employees, or subcontractors disclose(s) or attempt(s) to disclose OHCA data, an injunction may be sought to prevent that disclosure as well as any other remedies of law that may be available. Participants shall provide written notice to OHCA of any use or disclosure of OHCA data not provided for by this Contract of which Contractor becomes aware within five (5) calendar days of its discovery.
xvii. Notwithstanding anything to the contrary herein, Contractor shall promptly provide written notice to OHCA upon receipt of a subpoena or other legal process that seeks disclosure of OHCA data, so that OHCA may have the opportunity to seek a protective order, on their own behalf, with respect to such data. Contractor will, to the extent allowed by law, fully cooperate with any attempt by OHCA to seek such a protective order, including but not limited to withholding from production any data before OHCA has had a reasonable opportunity to seek such an order or to seek review of the denial of such an order or the issuance of an order that OHCA deems insufficiently protective.
xviii. Contractor will maintain and make available the information required to provide an accounting of disclosures to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.528.
xix. To the extent Contractor is to carry out one or more of OHCA's obligation(s) under 45 C.F.R. Part 164, Subpart E comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).
xx. Contractor will make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
xxi. To the extent allowed by law, Contractor shall indemnify and hold OHCA harmless from all claims, liabilities, costs, and damages arising out of or in any manner related to the unauthorized use or disclosure by Contractor, its employees, subcontractors, vendors, and agents of any PHI or related to the Breach by Contractor, its employees, subcontractors, vendors, and agents of any obligation related to PHI.
xxii. Provide access in a timely manner to PHI maintained by Contractor in a designated record set to OHCA, or if directed by XXXX, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524. In the event that any Individual requests access to PHI directly from Contractor, Contractor shall promptly forward such request to OHCA. Any denials of access to the PHI requested shall be the responsibility of OHCA.
xxiii. Make PHI available in a timely manner to OHCA for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
xxiv. Document disclosure of PHI and information related to such disclosure as would be required for OHCA to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528, and within five (5) calendar days of receiving a request from OHCA, make such disclosure documentation and information available to OHCA. In the event the request for an accounting is delivered directly to Contractor, Contractor shall promptly forward such request to OHCA.
xxv. Make its internal policies, procedures, practices, books, and records related to the use and disclosure of PHI received from or created or received by Contractor on behalf of OHCA available to the Secretary of HHS, authorized governmental officials, and OHCA for the purpose of determining Contractor’s compliance with HIPAA. Contractor shall give OHCA advance written notice of requests from DHHS or government officials and provide OHCA with a copy of all documents it makes available.
xxvi. Respond to OHCA’s request for confirmation and certification of Contractor’s ongoing compliance with HIPAA, including but not limited to conducting regular security audits and assessments as necessary to evaluate its Security and Privacy practices.
Appears in 3 contracts
Samples: Consulting Services Agreement, Tribal Agency Partner Contract, Tribal Agency Partner Contract
Obligations of Contractor. a. Contractor may Contractor’s use Electronic of PHI and PHI (collectively, “PHI”) solely is limited to perform the performance of its duties and responsibilities under this Contract and only as provided in this Contractthis. Contractor acknowledges and agrees that PHI is confidential and shall not be used or disclosed, in whole or in part, except as provided in this Contract or as Required by Law. Specifically, Contractor agrees it will and will require its employees, agents, vendors, and subcontractor to:
i. Use or further disclose PHI only as permitted in this Contract or as Required by Law, including, but not limited to HIPAA.
ii. Ensure that SoonerCare member information is confidential and is not to be released pursuant to 42 U.S.C §1396a(a)(7), 42 C.F.R. §§ 431.300-431.306 and 63 O.S. § 5018. Contractor agrees not to release the information governed by these SoonerCare member requirements to any other person or entity without the approval of OHCA, or as required by law or court order.
iii. Ensure that SoonerCare member and provider information cannot be re-marketed, summarized, distributed, or sold to any other organization without the express written approval of OHCA.
iv. Implement and document appropriate technical, physical, and administrative safeguards and comply with 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Contract, and to protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits for or on behalf of OHCA in accordance with HIPAA including but not limited to training all employees, agents, and subcontractors in HIPAA to protect OHCA’s PHI and prevent, detect, contain, and correct Security violations in accordance with HIPAA; applying security patches and performing vulnerability assessments on a regular basis, and using encryption for all electronic transmission of PHI including forced TLS connections for email.
v. Not use or disclose or otherwise make PHI available to any entity or individual who is not subject to the laws of the United States.
vi. Not receive remuneration from a third party in exchange for disclosing PHI received from or on behalf of OHCA.
vii. Report to OHCA any use or disclosure of PHI that is not permitted under this Contract as soon as reasonably practicable upon discovery but not later than five (5) calendar days from discovery, and mitigate, to the extent practicable and in cooperation with OHCA, any harmful effects known to him/her/it in connection with a use or disclosure made in violation of this Contract.
viii. Report potential known violations of 21 O.S. § 1953 to OHCA Legal Division without delay and in no event later than five (5) calendar days after discovery of an unauthorized act. In general, this criminal statute makes it a crime to willfully and without authorization gain access to, alter, modify, disrupt, or threaten a computer system.
ix. Report to OHCA any security incident upon discovery within five (5) calendar days of knowledge of the incident, as defined in the Security Rule, with respect to electronic PHI, as well as any breaches of unsecured PHI as required by 45 C.F.R. § 164.400 et seq. A Security Incident shall include, but is not limited to, unwanted disruption or denial of service, unauthorized use of a system for processing or storing ePHI, or changes to system hardware, firmware, or software without Contractor’s consent. Reports shall include successful Security Incidents.
x. With the exception of law enforcement delays that satisfy the requirements of 45 C.F.R. § 164.412, notify OHCA promptly, in writing and without unreasonable delay and in no case later than five (5) calendar days, upon the discovery of a breach of unsecured PHI as reasonable in the HITECH Act or accompanying regulations, pursuant to the terms of 45 C.F.R. § 164.410. Such notice shall include, to the extent possible, the name of each individual whose unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, or disclosed during such breach. Contractor shall also, to the extent possible, furnish OHCA with any other available information that OHCA is required to include in any notification to individuals under 45 C.F.R. § 164.404(c) at the time of Contractor’s notification to OHCA or promptly thereafter as such information becomes available. Contractor shall cooperate in OHCA’s breach analysis procedures, including risk assessment, if requested.
xi. Mitigate, to the extent practicable, any harmful effect that is known to Contractor in connection with a use or disclosure of PHI by Contractor in violation of the requirements of this Contract.
xii. Provide encrypted e-mail communication when PHI is transmitted to OHCA. No direct connection or Virtual Private Network (VPN) to OHCA will be used for this purpose nor will OHCA use individual e-mail certificates for its staff. Such encrypted e-mail will require a X.509 certificate that can be collected by the existing OHCA e-mail encryption system, so that e-mails can be decrypted automatically by OHCA. OHCA shall provide no additional hardware/software to Contractor for this purpose nor accept any Contractor provided hardware/software.
xiii. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors, vendors, and agents to whom it provides PHI or who create, receive, use, disclose, maintain, transmit, or have access to OHCA’s PHI agree to the same restrictions, conditions, and requirements that apply to Contractor under this Contract, including but not limited to implementing reasonable and appropriate safeguards to protect PHI. Contractor shall obtain satisfactory written assurance of this from the subcontractor, and make this assurance available to OHCA upon request.
xiv. Contractor will make available PHI in a designated record set to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.524.
xv. Contractor will make any amendment(s) to PHI in a designated record set as directed or agreed to by OHCA pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.526.
xvi. Ensure that disclosure of OHCA data, including, but not limited to a designated record set, be approved in advance by OHCA and then disclosed only to individuals expressly authorized to review such information under applicable Federal or State laws. If Contractor, employees, or subcontractors disclose(s) or attempt(s) to disclose OHCA data without the requisite prior approval, OHCA may take any available remedy to prevent that disclosure or mitigate any further disclosure. Contractor shall provide written notice to OHCA of any use or disclosure of OHCA data not provided for by this Contract of which Contractor becomes aware within five (5) calendar days of its discovery.
xvii. Notwithstanding anything to the contrary herein, Contractor shall promptly provide written notice to OHCA upon receipt of a subpoena or other legal process that seeks disclosure of OHCA data, so that OHCA may have the opportunity to seek a protective order or other means of limiting or preventing such disclosure. Contractor shall withhold from production, to the extent allowed by law, any data before OHCA has had an opportunity to seek such an order and/or respond further.
xviii. Maintain and make available the information required to provide an accounting of disclosures to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.528.
xix. To the extent Contractor is to carry out one or more of OHCA's obligation(s) under 45 C.F.R. Part 164, Subpart E comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).
xx. Contractor will make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
xxi. To the extent allowed by law, Contractor shall indemnify and hold OHCA harmless from all claims, liabilities, costs, and damages arising out of or in any manner related to the unauthorized use or disclosure by Contractor, its employees, subcontractors, vendors, and agents of any PHI or related to the Breach by Contractor, its employees, subcontractors, vendors, and agents of any obligation related to PHI.
xxii. Provide access in a timely manner to PHI maintained by Contractor in a designated record set to OHCA, or if directed by XXXX, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524. In the event that any Individual requests access to PHI directly from Contractor, Contractor shall promptly forward such request to OHCA. Any denials of access to the PHI requested shall be the responsibility of OHCA.
xxiii. Make PHI available in a timely manner to OHCA for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
xxiv. Document disclosure of PHI and information related to such disclosure as would be required for OHCA to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528, and within five (5) calendar days of receiving a request from OHCA, make such disclosure documentation and information available to OHCA. In the event the request for an accounting is delivered directly to Contractor, Contractor shall promptly forward such request to OHCA.
xxv. Make its internal policies, procedures, practices, books, and records related to the use and disclosure of PHI received from or created or received by Contractor on behalf of OHCA available to the Secretary of HHS, authorized governmental officials, and OHCA for the purpose of determining Contractor’s compliance with HIPAA. Contractor shall give OHCA advance written notice of requests from DHHS or government officials and provide OHCA with a copy of all documents it makes available.
xxvi. Respond to OHCA’s request for confirmation and certification of Contractor’s ongoing compliance with HIPAA, including but not limited to conducting regular security audits and assessments as necessary to evaluate its Security and Privacy practices.
Appears in 2 contracts
Samples: Tribal Medicaid Administrative Match Contract, Tribal Medicaid Administrative Match Contract
Obligations of Contractor. a. Contractor may use Electronic PHI and PHI (collectively, “PHI”) solely to perform its duties and responsibilities under this Agreement/Contract and only as provided in this Contract. Contractor acknowledges and agrees that PHI is confidential and shall not be used or disclosed, in whole or in part, except as provided in this Contract or as Required by Law. Specifically, Contractor agrees it will and will require its employees, agents, vendors, and subcontractor to:
i. a. Use or further disclose PHI only as permitted in this Agreement/Contract or as Required by Law, including, but not limited to HIPAA.;
ii. b. Ensure that SoonerCare member information is confidential and is not to be released to pursuant to 42 U.S.C U.S.C. §1396a(a)(7), 42 C.F.R. §§ §431.300-431.306 and 63 O.S. § §5018. Contractor Contractor(s) agrees not to release the information governed by these SoonerCare member requirements to any other person or entity without the approval of OHCA, or as required by law or court order.
iii. c. Ensure that SoonerCare member and provider information cannot be re- re-marketed, summarized, distributed, or sold to any other organization without the express written approval of OHCA.
iv. d. Implement and document appropriate technical, physical, and administrative safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Contract, and to protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits for or on behalf of OHCA in accordance with HIPAA including but not limited to training all employees, agents, and subcontractors in HIPAA to protect OHCA’s PHI and prevent, detect, contain, and correct Security violations in accordance with HIPAA; applying security patches and performing vulnerability assessments on a regular basis, and using encryption for all electronic transmission of PHI including forced TLS connections for email.;
v. e. Not use or disclose or otherwise make available OHCA’s PHI to any entity or individual who is not subject to the laws of the United States.;
vi. f. Not receive remuneration from a third party in exchange for disclosing PHI received from or on behalf of OHCA.;
vii. g. Report to the OHCA any use or disclosure of PHI that is not permitted under this Agreement/Contract as soon as reasonably practicable upon discovery it but not later than five (5) calendar days from discovery, and mitigate, to the extent practicable and in cooperation with OHCA, any harmful effects known to him/her/it in connection with this Contract of a use or disclosure made in violation of this Contract.;
viii. h. Report potential known violations of 21 O.S. § §1953 to OHCA Legal Division without delay and in no event later than five (5) calendar days after discovery of an unauthorized a prohibited act. In general, this criminal statute makes it a crime to willfully and without authorization gain access to, alter, modify, disrupt, or threaten a computer system.
ix. i. Report to the OHCA any security incident upon discovery within five (5) calendar days of knowledge of the incident, as defined in the Security Rule, with respect to electronic PHI, as well as any breaches of unsecured PHI as required by 45 C.F.R. § 164.400 et seq§164. A Security Incident shall include, but is not limited to, unwanted disruption or denial of service, unauthorized use of a system for processing or storing ePHI, or changes to system hardware, firmware, or software without Contractor’s consent. Reports shall include both attempted or successful Security Incidents.;
x. j. With the exception of law enforcement delays that satisfy the requirements of 45 C.F.R. § 164.412, notify the OHCA promptly, in writing and without unreasonable delay and in no case later than five (5) calendar days, upon the discovery of a breach Breach of unsecured Unsecured PHI as reasonable in the HITECH Act or accompanying regulations, pursuant to the terms of 45 C.F.R. § §164.410. Such notice shall include, to the extent possible, the name of each individual whose unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, or disclosed during such breachBreach. Contractor shall also, to the extent possible, furnish the OHCA with any other available information that the OHCA is required to include in any notification to individuals under 45 C.F.R. § 164.404(c) at the time of Contractor’s notification to the OHCA or promptly thereafter as such information becomes available. Contractor shall cooperate in OHCA’s breach analysis procedures, including risk assessment, if requested.
xi. k. Mitigate, to the extent practicable, any harmful effect that is known to Contractor in connection with of a use or disclosure of PHI by Contractor in violation of the requirements of this Contract.
xii. l. Provide encrypted e-mail communication when PHI is transmitted to OHCA. No direct connection or Virtual Private Network (VPN) to OHCA will be used for this purpose nor will OHCA use individual e-mail certificates for its staff. Such encrypted e-mail will require a X.509 certificate that can be collected by the existing OHCA e-mail encryption system, so that e-mails can be decrypted automatically by OHCA. OHCA shall provide no additional hardware/software to the Contractor for this purpose nor accept any Contractor provided hardware/software.
xiii. m. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors, vendors, and agents to whom it provides PHI or who create, receive, use, disclose, maintain, transmit, or have access to OHCA’s PHI agree to the same restrictions, conditions, and requirements that apply to the Contractor under this Agreement/Contract, including but not limited to implementing reasonable and appropriate safeguards to protect PHI. Contractor shall must obtain satisfactory written assurance of this from the subcontractor, and make this assurance available to OHCA upon request.;
xiv. n. Contractor will make available PHI in a designated record set to the OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.524.;
xv. o. Contractor will make any amendment(s) to PHI in a designated record set as directed or agreed to by OHCA pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.526.;
xvi. p. Any disclosure of OHCA data shall must be approved in advance by OHCA and then only to individuals expressly authorized to review such information under applicable Federal federal or State state laws. If Contractor, employees, or subcontractors disclose(s) or attempt(s) to disclose OHCA data, an injunction may be sought to prevent that disclosure as well as any other remedies of law that may be available. Participants shall provide written notice to OHCA of any use or disclosure of OHCA data not provided for by this Contract of which Contractor becomes aware within five (5) calendar days of its discovery.
xvii. q. Notwithstanding anything to the contrary herein, Contractor shall promptly provide written notice to OHCA upon receipt of a subpoena or other legal process that seeks disclosure of OHCA data, so that OHCA may have the opportunity option to seek a protective order, on their own behalf, with respect to such data. Contractor will, to the extent allowed by law, fully cooperate with any attempt by OHCA to seek such a protective order, including but not limited to withholding from production any data before OHCA has had a reasonable opportunity to seek such an order or to seek review of the denial of such an order or the issuance of an order that OHCA deems insufficiently protective.
xviii. r. Contractor will maintain and make available the information required to provide an accounting of disclosures to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.528.;
xix. s. To the extent the Contractor is to carry out one or more of OHCA's obligation(s) under Subpart E of 45 C.F.R. Part 164, Subpart E comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).;
xx. t. Contractor will make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
xxi. u. To the extent allowed by law, Contractor shall indemnify and hold OHCA harmless from all claims, liabilities, costs, and damages arising out of or in any manner related to the unauthorized use or disclosure by Contractor, its employees, subcontractors, vendors, and agents of any PHI or related to the Breach by Contractor, its employees, subcontractors, vendors, and agents of any obligation related to PHI.;
xxii. v. Provide access in a timely manner to PHI maintained by Contractor in a designated record set Designated Record Set to the OHCA, or if directed by XXXXthe OHCA, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524. In the event that any Individual requests access to PHI directly from Contractor, Contractor shall promptly forward such request to OHCA. Any denials of access to the PHI requested shall be the responsibility of OHCA164.
xxiii. Make PHI available in a timely manner to OHCA for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
xxiv. Document disclosure of PHI and information related to such disclosure as would be required for OHCA to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528, and within five (5) calendar days of receiving a request from OHCA, make such disclosure documentation and information available to OHCA. In the event the request for an accounting is delivered directly to Contractor, Contractor shall promptly forward such request to OHCA.
xxv. Make its internal policies, procedures, practices, books, and records related to the use and disclosure of PHI received from or created or received by Contractor on behalf of OHCA available to the Secretary of HHS, authorized governmental officials, and OHCA for the purpose of determining Contractor’s compliance with HIPAA. Contractor shall give OHCA advance written notice of requests from DHHS or government officials and provide OHCA with a copy of all documents it makes available.
xxvi. Respond to OHCA’s request for confirmation and certification of Contractor’s ongoing compliance with HIPAA, including but not limited to conducting regular security audits and assessments as necessary to evaluate its Security and Privacy practices.
Obligations of Contractor. a. Contractor may use Electronic PHI and PHI (collectively, “PHI”) solely to perform its duties and responsibilities under this Contract and only as provided in this Contract. Contractor acknowledges and agrees that PHI is confidential and shall not be used or disclosed, in whole or in part, except as provided in this Contract or as Required by Law. Specifically, Contractor agrees it will and will require its employees, agents, vendors, and subcontractor to:
i. Use or further disclose PHI only as permitted in this Contract or as Required by Law, including, but not limited to HIPAA.
ii. Ensure that SoonerCare member information is confidential and is not to be released pursuant to 42 U.S.C §1396a(a)(7), 42 C.F.R. §§ 431.300-431.306 and 63 O.S. § 5018. Contractor agrees not to release the information governed by these SoonerCare member requirements to any other person or entity without the approval of OHCA, or as required by law or court order.
iii. Ensure that SoonerCare member and provider information cannot be re-marketed, summarized, distributed, or sold to any other organization without the express written approval of OHCA.
iv. Implement and document appropriate technical, physical, and administrative safeguards and comply with 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of PHI other than as provided for by this Contract, and to protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains, or transmits for or on behalf of OHCA in accordance with HIPAA including but not limited to training all employees, agents, and subcontractors in HIPAA to protect OHCA’s PHI and prevent, detect, contain, and correct Security violations in accordance with HIPAA; applying security patches and performing vulnerability assessments on a regular basis, and using encryption for all electronic transmission of PHI including forced TLS connections for email.
v. Not use or disclose or otherwise make available OHCA’s PHI to any entity or individual who is not subject to the laws of the United States.
vi. Not receive remuneration from a third party in exchange for disclosing PHI received from or on behalf of OHCA.
vii. Report to OHCA any use or disclosure of PHI that is not permitted under this Contract as soon as reasonably practicable upon discovery but not later than five (5) calendar days from discovery, and mitigate, to the extent practicable and in cooperation with OHCA, any harmful effects known to him/her/it in connection with a use or disclosure made in violation of this Contract.
viii. Report potential known violations of 21 O.S. § 1953 to OHCA Legal Division without delay and in no event later than five (5) calendar days after discovery of an unauthorized act. In general, this criminal statute makes it a crime to willfully and without authorization gain access to, alter, modify, disrupt, or threaten a computer system.
ix. Report to OHCA any security incident upon discovery within five (5) calendar days of knowledge of the incident, as defined in the Security Rule, with respect to electronic PHI, as well as any breaches of unsecured PHI as required by 45 C.F.R. § 164.400 et seq. A Security Incident shall include, but is not limited to, unwanted disruption or denial of service, unauthorized use of a system for processing or storing ePHI, or changes to system hardware, firmware, or software without Contractor’s consent. Reports shall include successful Security Incidents.
x. With the exception of law enforcement delays that satisfy the requirements of 45 C.F.R. § 164.412, notify OHCA promptly, in writing and without unreasonable delay and in no case later than five (5) calendar days, upon the discovery of a breach of unsecured PHI as reasonable in the HITECH Act or accompanying regulations, pursuant to the terms of 45 C.F.R. § 164.410. Such notice shall include, to the extent possible, the name of each individual whose unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, or disclosed during such breach. Contractor shall also, to the extent possible, furnish OHCA with any other available information that OHCA is required to include in any notification to individuals under 45 C.F.R. § 164.404(c) at the time of Contractor’s notification to OHCA or promptly thereafter as such information becomes available. Contractor shall cooperate in OHCA’s breach analysis procedures, including risk assessment, if requested.
xi. Mitigate, to the extent practicable, any harmful effect that is known to Contractor in connection with a use or disclosure of PHI by Contractor in violation of the requirements of this Contract.
xii. Provide encrypted e-mail communication when PHI is transmitted to OHCA. No direct connection or Virtual Private Network (VPN) to OHCA will be used for this purpose nor will OHCA use individual e-mail certificates for its staff. Such encrypted e-mail will require a X.509 certificate that can be collected by the existing OHCA e-mail encryption system, so that e-mails can be decrypted automatically by OHCA. OHCA shall provide no additional hardware/software to Contractor for this purpose nor accept any Contractor provided hardware/software.
xiii. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors, vendors, and agents to whom it provides PHI or who create, receive, use, disclose, maintain, transmit, or have access to OHCA’s PHI agree to the same restrictions, conditions, and requirements that apply to Contractor under this Contract, including but not limited to implementing reasonable and appropriate safeguards to protect PHI. Contractor shall obtain satisfactory written assurance of this from the subcontractor, and make this assurance available to OHCA upon request.
xiv. Contractor will make available PHI in a designated record set to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.524.
xv. Contractor will make any amendment(s) to PHI in a designated record set as directed or agreed to by OHCA pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.526.
xvi. Any disclosure of OHCA data shall be approved in advance by OHCA and then only to individuals expressly authorized to review such information under applicable Federal or State laws. If Contractor, employees, or subcontractors disclose(s) or attempt(s) to disclose OHCA data, an injunction may be sought to prevent that disclosure as well as any other remedies of law that may be available. Participants shall provide written notice to OHCA of any use or disclosure of OHCA data not provided for by this Contract of which Contractor becomes aware within five (5) calendar days of its discovery.
xvii. Notwithstanding anything to the contrary herein, Contractor shall promptly provide written notice to OHCA upon receipt of a subpoena or other legal process that seeks disclosure of OHCA data, so that OHCA may have the opportunity to seek a protective order, on their own behalf, with respect to such data. Contractor will, to the extent allowed by law, fully cooperate with any attempt by OHCA to seek such a protective order, including but not limited to withholding from production any data before OHCA has had a reasonable opportunity to seek such an order or to seek review of the denial of such an order or the issuance of an order that OHCA deems insufficiently protective.
xviii. Contractor will maintain and make available the information required to provide an accounting of disclosures to OHCA as necessary to satisfy OHCA’s obligations under 45 C.F.R. § 164.528.
xix. To the extent Contractor is to carry out one or more of OHCA's obligation(s) under 45 C.F.R. Part 164, Subpart E, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).
xx. Contractor will make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
xxi. To the extent allowed by law, Contractor shall indemnify and hold OHCA harmless from all claims, liabilities, costs, and damages arising out of or in any manner related to the unauthorized use or disclosure by Contractor, its employees, subcontractors, vendors, and agents of any PHI or related to the Breach by Contractor, its employees, subcontractors, vendors, and agents of any obligation related to PHI.
xxii. Provide access in a timely manner to PHI maintained by Contractor in a designated record set to OHCA, or if directed by XXXX, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524. In the event that any Individual requests access to PHI directly from Contractor, Contractor shall promptly forward such request to OHCA. Any denials of access to the PHI requested shall be the responsibility of OHCA.
xxiii. Make PHI available in a timely manner to OHCA for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
xxiv. Document disclosure of PHI and information related to such disclosure as would be required for OHCA to respond to a request by an Individual for an accounting of disclosures of PHI, in accordance with 45 C.F.R. § 164.528, and within five (5) calendar days of receiving a request from OHCA, make such disclosure documentation and information available to OHCA. In the event the request for an accounting is delivered directly to Contractor, Contractor shall promptly forward such request to OHCA.
xxv. Make its internal policies, procedures, practices, books, and records related to the use and disclosure of PHI received from or created or received by Contractor on behalf of OHCA available to the Secretary of HHS, authorized governmental officials, and OHCA for the purpose of determining Contractor’s compliance with HIPAA. Contractor shall give OHCA advance written notice of requests from DHHS or government officials and provide OHCA with a copy of all documents it makes available.
xxvi. Respond to OHCA’s request for confirmation and certification of Contractor’s ongoing compliance with HIPAA, including but not limited to conducting regular security audits and assessments as necessary to evaluate its Security and Privacy practices.