Obligations of Contractor. Contractor agrees that:
(A) With respect to PHI, Contractor shall:
(1) Make PHI available in a designated record set if requested by HHS, if Contractor maintains PHI in a designated record set, as defined in HIPAA.
(2) Provide to HHS data aggregation services related to the healthcare operations Contractor performs for HHS pursuant to the Base Contract, if requested by HHS, if Contractor provides data aggregation services as defined in HIPAA.
(3) Provide access to PHI to an individual who is requesting his or her own PHI, or such individual’s Legally Authorized Representative, in compliance with the requirements of HIPAA.
(4) Make PHI available to HHS for amendment, and incorporate any amendments to PHI that HHS directs, in compliance with HIPAA.
(5) Document and make available to HHS, an accounting of disclosures in compliance with the requirements of HIPAA.
(6) If Contractor receives a request for access, amendment or accounting of PHI by any individual, promptly forward the request to HHS or, if forwarding the request would violate HIPAA, promptly notify HHS of the request and of Contractor’s response. HHS will respond to all such requests, unless Contractor is Required by Law to respond or HHS has given prior written consent for Contractor to respond to and account for all such requests.
(B) With respect to ALL Confidential Information, Contractor shall:
(1) Exercise reasonable care and no less than the same degree of care Contractor uses to protect its own confidential, proprietary and trade secret information to prevent Confidential Information from being used in a manner that is not expressly an Authorized Purpose or as Required by Law. Contractor will access, create, maintain, receive, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses.
(2) Establish, implement and maintain appropriate procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, in accordance with applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as Contractor has such Confidential Information in its actual or constructive possession.
(3) Implement, update as necessary, and document privacy, security and Breach notice policies and procedures and an incident response plan to address a Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Base Contract. Contractor shall produce, within three business days of a request by HHS, copies of its policies and procedures and records relating to the use or disclosure of Confidential Information.
(4) Obtain HHS’s prior written consent to disclose or allow access to any portion of the Confidential Information to any person, other than Authorized Users, Workforce or Subcontractors of Contractor who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Breach to Contractor's management and as permitted in Section 3.01(A)(3), above. Contractor shall produce evidence of completed training to HHS upon request. HHS, at its election, may assist Contractor in training and education on specific or unique HHS processes, systems and/or requirements. All of Contractor’s Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources.
(5) Establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. Contractor shall maintain evidence of sanctions and produce it to HHS upon request.
(6) Obtain prior written approval of HHS, to disclose or provide access to any Confidential Information on the basis that such act is Required by Law, so that HHS may have the opportunity to object to the disclosure or access and seek appropriate relief. If HHS objects to such disclosure or access, Contractor shall refrain from disclosing or providing access to the Confidential Information until HHS has exhausted all alternatives for relief.
(7) Certify that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose and that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. Contractor and its Subcontractors shall maintain at all times an updated, complete, accurate list of Authorized Users and supply it to HHS upon request.
(8) Provide, and shall cause its Subcontractors and agents to provide, to HHS periodic written confirmation of compliance with controls and the terms and conditions of this DUA.
(9) Return to HHS or Destroy, at HHS’s election and at Contractor’s expense, all Confidential Information received from HHS or created or maintained by Contractor or any of Contractor’s agents or Subcontractors on HHS's behalf upon the termination or expiration of this DUA, if reasonably feasible and permitted by law. Contractor shall certify in writing to HHS that all such Confidential Information has been Destroyed or returned to HHS, and that Contractor and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, Contractor acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or HHS record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction is not reasonably feasible, or is impermissible by law, Contractor shall immediately notify HHS of the reasons such return or Destruction is not feasible and agree to extend the protections of this DUA to the Confidential Information for as long as Contractor maintains such Confidential Information.
(10) Complete and return with the Base Contract to HHS, attached as Attachment 2 to this DUA, the HHS Security and Privacy Initial Inquiry (SPI) at xxxxx://xxx.xxxxx.xxx/laws-regulations/forms/miscellaneous/hhs-information-security-privacy-initial-inquiry-spi. The SPI identifies basic privacy and security controls with which Contractor must comply to protect Confidential Information. Contractor shall comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information Contractor creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. Contractor's security controls shall be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. Contractor shall update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and shall provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements.
(11) Comply with the HHS Acceptable Use Policy (AUP) and require each Subcontractor and Workforce member who has direct access to HHS Information Resources, as defined in the AUP, to execute an HHS Acceptable Use Agreement.
(12) Only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion includes secure File Transfer Protocol (SFTP) or encryption at an appropriate level as required by rule, regulation or law. Confidential Information at rest requires encryption unless there is adequate administrative, technical, and physical security as required by rule, regulation or law. All electronic data transfer and communications of Confidential Information shall be through secure systems. Contractor shall provide proof of system, media or device security and/or encryption to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit, or the Discovery of a Breach. HHS may also request production of proof of security at other times as necessary to satisfy state and federal monitoring requirements. Deidentification of Confidential Information in accordance with HIPAA de-identification standards is deemed secure.
(13) Designate and identify a person or persons, as Privacy Official and Information Security Official, each of whom is authorized to act on behalf of Contractor and is responsible for the development and implementation of the privacy and security requirements in this DUA. Contractor shall provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. Upon written notice from HHS, Contractor shall promptly remove and replace such official(s) if such official(s) is not performing the required functions.
(14) Make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, Confidential Information in accordance with applicable laws, regulations or demands of a regulatory authority relating to Confidential Information. Contractor shall provide such information in a time and manner reasonably agreed upon or as designated by the applicable law or regulatory authority.
(15) Comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 17-12;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• Internal Revenue Publication 1075 – Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A – Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 – Security Guide for Interconnecting Information Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI;
• Family Educational Rights and Privacy Act;
• Texas Business and Commerce Code, Chapter 521;
• Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that Contractor supports on behalf of HHS.
(16) Be permitted to use or disclose Confidential Information for the proper management and administration of Contractor or to carry out Contractor’s legal responsibilities, except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, if:
(a) Disclosure is Required by Law;
(b) Contractor obtains reasonable assurances from the person to whom the information is disclosed that the person shall:
1. Maintain the confidentiality of the Confidential Information in accordance with this DUA;
2. Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the person; and
3. Notify Contractor in accordance with Section 4.01 of a Breach of Confidential Information that the person Discovers or should have Discovered with the exercise of reasonable diligence.
(C) With respect to ALL Confidential Information, Contractor shall NOT:
(1) Attempt to re-identify or further identify Confidential Information that has been deidentified, or attempt to contact any persons whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS.
(2) Engage in prohibited marketing or sale of Confidential Information.
(3) Permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of HHS without requiring that Subcontractor first execute either the Form Subcontractor Agreement, Attachment 1, or Contractor’s own Subcontractor agreement that ensures that the Subcontractor shall comply with the same safeguards and restrictions contained in this DUA for Confidential Information. Contractor is directly responsible for its Subcontractors’ compliance with, and enforcement of, this DUA.
(13) Designate and identify a person or persons, as Privacy Official and Information Security Official, each of whom is authorized to act on behalf of Contractor and is responsible for the development and implementation of the privacy and security requirements in this DUA. Contractor shall provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. Upon written notice from HHS, Contractor shall promptly remove and replace such official(s) if such official(s) is not performing the required functions.
(14) Make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, Confidential Information in accordance with applicable laws, regulations or demands of a regulatory authority relating to Confidential Information. Contractor shall provide such information in a time and manner reasonably agreed upon or as designated by the applicable law or regulatory authority.
(15) Comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 17-12;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• Internal Revenue Publication 1075 – Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A – Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 – Security Guide for Interconnecting Information Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI;
• Family Educational Rights and Privacy Act;
• Texas Business and Commerce Code, Chapter 521;
• Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that Contractor supports on behalf of HHS.
(16) Be permitted to use or disclose Confidential Information for the proper management and administration of Contractor or to carry out Contractor’s legal responsibilities, except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, if:
(a) Disclosure is Required by Law;
(b) Contractor obtains reasonable assurances from the person to whom the information is disclosed that the person shall:
1. Maintain the confidentiality of the Confidential Information in accordance with this DUA;
2. Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the person; and
3. Notify Contractor in accordance with Section 4.01 of a Breach of Confidential Information that the person Discovers or should have Discovered with the exercise of reasonable diligence.
(C) With respect to ALL Confidential Information, Contractor shall NOT:
(1) Attempt to re-identify or further identify Confidential Information that has been deidentified, or attempt to contact any persons whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS.
(2) Engage in prohibited marketing or sale of Confidential Information.
(3) Permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of HHS without requiring that Subcontractor first execute either the Form Subcontractor Agreement, Attachment 1, or Contractor’s own Subcontractor agreement that ensures that the Subcontractor shall comply with the same safeguards and restrictions contained in this DUA for Confidential Information. Contractor is directly responsible for its Subcontractors’ compliance with, and enforcement of, this DUA.
Appears in 3 contracts
Samples: Data Use Agreement, Data Use Agreement, Data Use Agreement
Obligations of Contractor. Contractor agrees that:
(A) With respect to PHI, Contractor shall:
(1) Make PHI available in a designated record set if requested by HHS, if Contractor maintains PHI in a designated record set, as defined in HIPAA.
(2) Provide to HHS data aggregation services related to the healthcare operations Contractor performs for HHS pursuant to the Base Contract, if requested by HHS, if Contractor provides data aggregation services as defined in HIPAA.
(3) Provide access to PHI to an individual who is requesting his or her own PHI, or such individual’s Legally Authorized Representative, in compliance with the requirements of HIPAA.
(4) Make PHI available to HHS for amendment, and incorporate any amendments to PHI that HHS directs, in compliance with HIPAA.
(5) Document and make available to HHS, an accounting of disclosures in compliance with the requirements of HIPAA.
(6) If Contractor receives a request for access, amendment or accounting of PHI by any individual, promptly forward the request to HHS or, if forwarding the request would violate HIPAA, promptly notify HHS of the request and of Contractor’s response. HHS will respond to all such requests, unless Contractor is Required by Law to respond or HHS has given prior written consent for Contractor to respond to and account for all such requests.
(B) With respect to ALL Confidential Information, Contractor shall:
(1) Exercise reasonable care and no less than the same degree of care Contractor uses to protect its own confidential, proprietary and trade secret information to prevent Confidential Information from being used in a manner that is not expressly an Authorized Purpose or as Required by Law. Contractor will access, create, maintain, receive, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses.
(2) Establish, implement and maintain appropriate procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, in accordance with applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as Contractor has such Confidential Information in its actual or constructive possession.
(3) Implement, update as necessary, and document privacy, security and Breach notice policies and procedures and an incident response plan to address a Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Base Contract. Contractor shall produce, within three business days of a request by HHS, copies of its policies and procedures and records relating to the use or disclosure of Confidential Information.
(4) Obtain HHS’s prior written consent to disclose or allow access to any portion of the Confidential Information to any person, other than Authorized Users, Workforce or Subcontractors of Contractor who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Breach to Contractor's management and as permitted in Section 3.01(A)(3), above. Contractor shall produce evidence of completed training to HHS upon request. HHS, at its election, may assist Contractor in training and education on specific or unique HHS processes, systems and/or requirements. All of Contractor’s Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources.
(5) Establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. Contractor shall maintain evidence of sanctions and produce it to HHS upon request.
(6) Obtain prior written approval of HHS, to disclose or provide access to any Confidential Information on the basis that such act is Required by Law, so that HHS may have the opportunity to object to the disclosure or access and seek appropriate relief. If HHS objects to such disclosure or access, Contractor shall refrain from disclosing or providing access to the Confidential Information until HHS has exhausted all alternatives for relief.
(7) Certify that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose and that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. Contractor and its Subcontractors shall maintain at all times an updated, complete, accurate list of Authorized Users and supply it to HHS upon request.
(8) Provide, and shall cause its Subcontractors and agents to provide, to HHS periodic HHSperiodic written confirmation of compliance with controls and the terms and conditions of this DUA.
(9) Return to HHS or Destroy, at HHS’s election and at Contractor’s expense, all Confidential Information received from HHS or created or maintained by Contractor or any of Contractor’s agents or Subcontractors on HHS's behalf upon the termination or expiration of this DUA, if reasonably feasible and permitted by law. Contractor shall certify in writing to HHS that all such Confidential Information has been Destroyed or returned to HHS, and that Contractor and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, Contractor acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or HHS record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction is not reasonably feasible, or is impermissible by law, Contractor shall immediately notify HHS of the reasons such return or Destruction is not feasible and agree to extend the protections of this DUA to the Confidential Information for as long as Contractor maintains such Confidential Information.
(10) Complete and return with the Base Contract to HHS, attached as Attachment 2 to this DUA, the HHS Security and Privacy Initial Inquiry (SPI) at xxxxx://xxx.xxxxx.xxx/laws- regulations/forms/miscellaneous/hhs-information-security-privacy-initial-inquiry-spi. The SPI identifies basic privacy and security controls with which Contractor must comply to protect Confidential Information. Contractor shall comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information Contractor creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. Contractor's security controls shall be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. Contractor shall update its security controls securitycontrols assessment whenever there are significant changes in security controls for HHS Confidential Information and shall provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements.
(11) Comply with the HHS Acceptable Use Policy (AUP) and require each Subcontractor and Workforce member who has direct access to HHS Information Resources, as defined in the AUP, to execute an HHS Acceptable Use Agreement.
(12) Only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion includes secure File Transfer Protocol (SFTP) or encryption at an appropriate level as required by rule, regulation or law. Confidential Information at rest requires encryption unless there is adequate administrative, technical, and physical security as required by rule, regulation or law. All electronic data transfer and communications of Confidential Information shall be through secure systems. Contractor shall provide proof of system, media or device security and/or encryption to HHS no later than 48 hours after HHS's written request in response inresponse to a compliance investigation, audit, or the Discovery of a Breach. HHS may also request production of proof of security at other times as necessary to satisfy state and federal monitoring requirements. Deidentification of Confidential Information in accordance with HIPAA de-identification standards is deemed secure.
(13) Designate and identify a person or persons, as Privacy Official and Information Security Official, each of whom is authorized to act on behalf of Contractor and is responsible for the development and implementation of the privacy and security requirements in this DUA. Contractor shall provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. Upon written notice from HHS, Contractor shall promptly remove and replace such official(s) if such official(s) is not performing the required functions.
(14) Make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, Confidential Information in accordance with applicable laws, regulations or demands of a regulatory authority relating to Confidential Information. Contractor shall provide such information in a time and manner reasonably agreed upon or as designated by the applicable law or regulatory authority.
(15) Comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose: • Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code; • The Privacy Act of 1974; • OMB Memorandum 17-12; • The Federal Information Security Management Act of 2002 (FISMA); • The Health Insurance Portability and Accountability Act of 1996 (HIPAA); • Internal Revenue Publication 1075 – Tax Information Security Guidelines for Federal, State and Local Agencies; • National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 Revision1 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; • NIST Special Publications 800-53 and 800-53A – Recommended Security Controls for Federal Information Systems and Organizations, as currently revised; • NIST Special Publication 800-47 – Security Guide for Interconnecting Information Technology Systems; • NIST Special Publication 800-88, Guidelines for Media Sanitization; • NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI; • Family Educational Rights and Privacy Act • Texas Business and Commerce Code, Chapter 521; • Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that Contractor supports on behalf of HHS.
(16) Be permitted to use or disclose Confidential Information for the proper management and administration of Contractor or to carry out Contractor’s legal responsibilities, except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, if:
(a) Disclosure is Required by Law;
(b) Contractor obtains reasonable assurances from the person to whom the information is disclosed that the person shall:
1. Maintain the confidentiality of the Confidential Information in accordance with this DUA;
2. Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the person; and
3. Notify Contractor in accordance with Section 4.01 of a Breach of Confidential Information that the person Discovers or should have Discovered with the exercise of reasonable diligence.
(C) With respect to ALL Confidential Information, Contractor shall NOT:
(1) Attempt to re-identify or further identify Confidential Information that has been deidentified, or attempt to contact any persons whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS.
(2) Engage in prohibited marketing or sale of Confidential Information.
(3) Permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of HHS without requiring that Subcontractor first execute either the Form Subcontractor Agreement, Attachment 1, or Contractor’s own Subcontractor agreement that ensures that the Subcontractor shall comply with the same safeguards and restrictions contained in this DUA for Confidential Information. Contractor is directly responsible for its Subcontractors’ compliance with, and enforcement of, this DUA.
Appears in 2 contracts
Samples: Data Use Agreement, Data Use Agreement
Obligations of Contractor. Contractor agrees that:
(A) With respect to PHI, Contractor shall:
(1) Make PHI available in a designated record set if requested by HHS, if Contractor maintains PHI in a designated record set, as defined in HIPAA.
(2) Provide to HHS data aggregation services related to the healthcare operations Contractor performs for HHS pursuant to the Base Contract, if requested by HHS, if Contractor provides data aggregation services as defined in HIPAA.
(3) Provide access to PHI to an individual who is requesting his or her own PHI, or such individual’s Legally Authorized Representative, in compliance with the requirements of HIPAA.
(4) Make PHI available to HHS for amendment, and incorporate any amendments to PHI that HHS directs, in compliance with HIPAA.
(5) Document and make available to HHS, an accounting of disclosures in compliance with the requirements of HIPAA.
(6) If Contractor receives a request for access, amendment or accounting of PHI by any individual, promptly forward the request to HHS or, if forwarding the request would violate HIPAA, promptly notify HHS of the request and of Contractor’s response. HHS will respond to all such requests, unless Contractor is Required by Law to respond or HHS has given prior written consent for Contractor to respond to and account for all such requests.
(B) With respect to ALL Confidential Information, Contractor shall:
(1) Exercise reasonable care and no less than the same degree of care Contractor uses to protect its own confidential, proprietary and trade secret information to prevent Confidential Information from being used in a manner that is not expressly an Authorized Purpose or as Required by Law. Contractor will access, create, maintain, receive, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses.
(2) Establish, implement and maintain appropriate procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, in accordance with applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as Contractor has such Confidential Information in its actual or constructive possession.
(3) Implement, update as necessary, and document privacy, security and Breach notice policies and procedures and an incident response plan to address a Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Base Contract. Contractor shall produce, within three business days of a request by HHS, copies of its policies and procedures and records relating to the use or disclosure of Confidential Information.
(4) Obtain HHS’s prior written consent to disclose or allow access to any portion of the Confidential Information to any person, other than Authorized Users, Workforce or Subcontractors of Contractor who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Breach to Contractor's management and as permitted in Section 3.01(A)(3), above. Contractor shall produce evidence of completed training to HHS upon request. HHS, at its election, may assist Contractor in training and education on specific or unique HHS processes, systems and/or requirements. All of Contractor’s C Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources.
(5) Establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. Contractor shall maintain evidence of sanctions and produce it to HHS upon request.
(6) Obtain prior written approval of HHS, to disclose or provide access to any Confidential Information on the basis that such act is Required by Law, so that HHS may have the opportunity to object to the disclosure or access and seek appropriate relief. If HHS objects to such disclosure or access, Contractor shall refrain from disclosing or providing access to the Confidential Information until HHS has exhausted all alternatives for relief.
(7) Certify that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose and that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. Contractor and its Subcontractors shall maintain at all times an updated, complete, accurate list of Authorized Users and supply it to HHS upon request.
(8) Provide, and shall cause its Subcontractors and agents to provide, to HHS periodic written confirmation of compliance with controls and the terms and conditions of this DUA.
(9) . Return to HHS or Destroy, at HHS’s election and at Contractor’s expense, all Confidential Information received from HHS or created or maintained by Contractor or any of Contractor’s agents or Subcontractors on HHS's behalf upon the termination or expiration of this DUA, if reasonably feasible and permitted by law. Contractor shall certify in writing to HHS that all such Confidential Information has been Destroyed or returned to HHS, and that Contractor and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, Contractor acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or HHS record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction is not reasonably feasible, or is impermissible by law, Contractor shall immediately notify HHS of the reasons such return or Destruction is not feasible and agree to extend the protections of this DUA to the Confidential Information for as long as Contractor maintains such Confidential
(9) Information.
(10) Complete and return with the Base Contract to HHS, attached as Attachment 2 to this DUA, the HHS Security and Privacy Initial Inquiry (SPI) at xxxxx://xxx.xxxxx.xxx/laws- regulations/forms/miscellaneous/hhs-information-security-privacy-initial-inquiry-spi. The SPI identifies basic privacy and security controls with which Contractor must comply to protect Confidential Information. Contractor shall comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information Contractor creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. Contractor's security controls shall be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. Contractor shall update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and shall provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements.
(11) Comply with the HHS Acceptable Use Policy (AUP) and require each Subcontractor and Workforce member who has direct access to HHS Information Resources, as defined in the AUP, to execute an HHS Acceptable Use Agreement.
(12) Only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion includes secure File Transfer Protocol (SFTP) or encryption at an appropriate level as required by rule, regulation or law. Confidential Information at rest requires encryption unless there is adequate administrative, technical, and physical security as required by rule, regulation or law. All electronic data transfer and communications of Confidential Information shall be through secure systems. Contractor shall provide proof of system, media or device security and/or encryption to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit, or the Discovery of a Breach. HHS may also request production of proof of security at other times as necessary to satisfy state and federal monitoring requirements. Deidentification of Confidential Information in accordance with HIPAA de-identification standards is deemed secure.
(13) Designate and identify a person or persons, as Privacy Official and Information Security Official, each of whom is authorized to act on behalf of Contractor and is responsible for the development and implementation of the privacy and security requirements in this DUA. Contractor shall provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. Upon written notice from HHS, Contractor shall promptly remove and replace such official(s) if such official(s) is not performing the required functions.
(14) Make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, Confidential Information in accordance with applicable laws, regulations or demands of a regulatory authority relating to Confidential Information. Contractor shall provide such information in a time and manner reasonably agreed upon or as designated by the applicable law or regulatory authority.
(15) Comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose: • Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code; • The Privacy Act of 1974; • OMB Memorandum 17-12; • The Federal Information Security Management Act of 2002 (FISMA); • The Health Insurance Portability and Accountability Act of 1996 (HIPAA); • Internal Revenue Publication 1075 – Tax Information Security Guidelines for Federal, State and Local Agencies; • National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; • NIST Special Publications 800-53 and 800-53A – Recommended Security Controls for Federal Information Systems and Organizations, as currently revised; • NIST Special Publication 800-47 – Security Guide for Interconnecting Information Technology Systems; • NIST Special Publication 800-88, Guidelines for Media Sanitization; • NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI; • Family Educational Rights and Privacy Act • Texas Business and Commerce Code, Chapter 521; • Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that Contractor supports on behalf of HHS.
(16) Be permitted to use or disclose Confidential Information for the proper management and administration of Contractor or to carry out Contractor’s legal responsibilities, except as otherwise Cont limited by this DUA, the Base Contract, or law applicable to the Confidential Information, if:
(a) Disclosure is Required by Law;
(b) Contractor obtains reasonable assurances from the person to whom the information is disclosed that the person shall:
1. Maintain the confidentiality of the Confidential Information in accordance with this DUA;
2. Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the person; and
3. Notify Contractor in accordance with Section 4.01 of a Breach of Confidential Information that the person Discovers or should have Discovered with the exercise of reasonable diligence.
(C) With respect to ALL Confidential Information, Contractor shall NOT:
(1) Attempt to re-identify or further identify Confidential Information that has been deidentified, or attempt to contact any persons whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS.
(2) Engage in prohibited marketing or sale of Confidential Information.
(3) Permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of HHS without requiring that Subcontractor first execute either the Form Subcontractor Agreement, Attachment 1, or Contractor’s own Subcontractor agreement that ensures that the Subcontractor shall comply with the same safeguards and restrictions contained in this DUA for Confidential Information. Contractor is directly responsible for its Subcontractors’ compliance with, and enforcement of, this DUA.
Appears in 1 contract
Samples: Grant Agreement
Obligations of Contractor. Contractor agrees that:
(A) With respect to PHI, Contractor shall:
(1) Make PHI available in a designated record set if requested by HHS, if Contractor maintains PHI in a designated record set, as defined in HIPAA.
(2) Provide to HHS data aggregation services related to the healthcare operations Contractor performs for HHS pursuant to the Base Contract, if requested by HHS, if Contractor provides data aggregation services as defined in HIPAA.
(3) Provide access to PHI to an individual who is requesting his or her own PHI, or such individual’s Legally Authorized Representative, in compliance with the requirements of HIPAA.
(4) Make PHI available to HHS for amendment, and incorporate any amendments to PHI that HHS directs, in compliance with HIPAA.
(5) Document and make available to HHS, an accounting of disclosures in compliance with the requirements of HIPAA.
(6) If Contractor receives a request for access, amendment or accounting of PHI by any individual, promptly forward the request to HHS or, if forwarding the request would violate HIPAA, promptly notify HHS of the request and of Contractor’s response. HHS will respond to all such requests, unless Contractor is Required by Law to respond or HHS has given prior written consent for Contractor to respond to and account for all such requests.
(B) With respect to ALL Confidential Information, Contractor shall:
(1) Exercise reasonable care and no less than the same degree of care Contractor uses to protect its own confidential, proprietary and trade secret information to prevent Confidential Information from being used in a manner that is not expressly an Authorized Purpose or as Required by Law. Contractor will access, create, maintain, receive, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses.
(2) Establish, implement and maintain appropriate procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, in accordance with applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as Contractor has such Confidential Information in its actual or constructive possession.
(3) Implement, update as necessary, and document privacy, security and Breach notice policies and procedures and an incident response plan to address a Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Base Contract. Contractor shall produce, within three business days of a request by HHS, copies of its policies and procedures and records relating to the use or disclosure of Confidential Information.
(4) Obtain HHS’s prior written consent to disclose or allow access to any portion of the Confidential Information to any person, other than Authorized Users, Workforce or Subcontractors of Contractor who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Breach to Contractor's management and as permitted in Section 3.01(A)(3), above. Contractor shall produce evidence of completed training to HHS upon request. HHS, at its election, may assist Contractor in training and education on specific or unique HHS processes, systems and/or requirements. All of Contractor’s C Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources.
(5) Establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. Contractor shall maintain evidence of sanctions and produce it to HHS upon request.
(6) Obtain prior written approval of HHS, to disclose or provide access to any Confidential Information on the basis that such act is Required by Law, so that HHS may have the opportunity to object to the disclosure or access and seek appropriate relief. If HHS objects to such disclosure or access, Contractor shall refrain from disclosing or providing access to the Confidential Information until HHS has exhausted all alternatives for relief.
(7) Certify that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose and that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. Contractor and its Subcontractors shall maintain at all times an updated, complete, accurate list of Authorized Users and supply it to HHS upon request.
(8) Provide, and shall cause its Subcontractors and agents to provide, to HHS periodic written confirmation of compliance with controls and the terms and conditions of this DUA.
(9) Return to HHS or Destroy, at HHS’s election and at Contractor’s expense, all Confidential Information received from HHS or created or maintained by Contractor or any of Contractor’s agents or Subcontractors on HHS's behalf upon the termination or expiration of this DUA, if reasonably feasible and permitted by law. Contractor shall certify in writing to HHS that all such Confidential Information has been Destroyed or returned to HHS, and that Contractor and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, Contractor acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or HHS record retention policy or a litigation hold notice prohibits such Destruction. If such return or Destruction is not reasonably feasible, or is impermissible by law, Contractor shall immediately notify HHS of the reasons such return or Destruction is not feasible and agree to extend the protections of this DUA to the Confidential Information for as long as Contractor maintains such Confidential Information.
(10) Complete and return with the Base Contract to HHS, attached as Attachment 2 to this DUA, the HHS Security and Privacy Initial Inquiry (SPI) at xxxxx://xxx.xxxxx.xxx/laws-regulations/forms/miscellaneous/hhs-information-security-privacy-initial-inquiry-spi. The SPI identifies basic privacy and security controls with which Contractor must comply to protect Confidential Information. Contractor shall comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information Contractor creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. Contractor's security controls shall be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. Contractor shall update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and shall provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements.
(11) Comply with the HHS Acceptable Use Policy (AUP) and require each Subcontractor and Workforce member who has direct access to HHS Information Resources, as defined in the AUP, to execute an HHS Acceptable Use Agreement.
(12) Only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in motion includes secure File Transfer Protocol (SFTP) or encryption at an appropriate level as required by rule, regulation or law. Confidential Information at rest requires encryption unless there is adequate administrative, technical, and physical security as required by rule, regulation or law. All electronic data transfer and communications of Confidential Information shall be through secure systems. Contractor shall provide proof of system, media or device security and/or encryption to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit, or the Discovery of a Breach. HHS may also request production of proof of security at other times as necessary to satisfy state and federal monitoring requirements. Deidentification of Confidential Information in accordance with HIPAA de-identification standards is deemed secure.
(13) Designate and identify a person or persons, as Privacy Official and Information Security Official, each of whom is authorized to act on behalf of Contractor and is responsible for the development and implementation of the privacy and security requirements in this DUA. Contractor shall provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. Upon written notice from HHS, Contractor shall promptly remove and replace such official(s) if such official(s) is not performing the required functions.
(14) Make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, Confidential Information in accordance with applicable laws, regulations or demands of a regulatory authority relating to Confidential Information. Contractor shall provide such information in a time and manner reasonably agreed upon or as designated by the applicable law or regulatory authority.
(15) Comply with the following laws and standards if applicable to the type of Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 17-12;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• Internal Revenue Publication 1075 – Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A – Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 – Security Guide for Interconnecting Information Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI;
• Family Educational Rights and Privacy Act;
• Texas Business and Commerce Code, Chapter 521;
• Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that Contractor supports on behalf of HHS.
(16) Be permitted to use or disclose Confidential Information for the proper management and administration of Contractor or to carry out Contractor’s legal responsibilities, except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, if:
(a) Disclosure is Required by Law;
(b) Contractor obtains reasonable assurances from the person to whom the information is disclosed that the person shall:
1. Maintain the confidentiality of the Confidential Information in accordance with this DUA;
2. Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the person; and
3. Notify Contractor in accordance with Section 4.01 of a Breach of Confidential Information that the person Discovers or should have Discovered with the exercise of reasonable diligence.
(C) With respect to ALL Confidential Information, Contractor shall NOT:
(1) Attempt to re-identify or further identify Confidential Information that has been deidentified, or attempt to contact any persons whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS.
(2) Engage in prohibited marketing or sale of Confidential Information.
(3) Permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of HHS without requiring that Subcontractor first execute either the Form Subcontractor Agreement, Attachment 1, or Contractor’s own Subcontractor agreement that ensures that the Subcontractor shall comply with the same safeguards and restrictions contained in this DUA for Confidential Information. Contractor is directly responsible for its Subcontractors’ compliance with, and enforcement of, this DUA.
Appears in 1 contract
Samples: Interagency Cooperation Contract