Common use of Privacy and Use of Information Clause in Contracts

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are being furnished by the CMS Contractor and the Trading Partner for use in the coordination of health insurance benefits between the Medicare Program and the COBA Trading Partner, as defined in Article I.C. The CMS individually identifiable information is confidential and subject to the provisions of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health Information) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosed. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this Agreement. The Trading Partner agrees to the following conditions: 1. When it provides information for an individual, that individual is covered by the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after Medicare. 2. It will utilize the information solely for the purpose of determining liability following Medicare’s payment or determination. 3. It will safeguard the confidentiality of and prevent unauthorized access to the Medicare data. 4. CMS retains all ownership rights to the Claims File. 5. It does not obtain any right, title, or interest in any of the data furnished by CMS. The CMS Contractor agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), it shall maintain the confidential nature of all nonpublic personal information obtained from the Trading Partner on behalf of its customers—namely, Medicare beneficiaries. This provision extends to all coverage data provided by the COBA Trading Partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMS, and the CMS Contractor shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/), which sets forth guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. Store and process the Claims File in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. The Trading Partner agrees that in the event CMS determines or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information that is not authorized by this Agreement or other written CMS authorization, CMS, in its sole discretion, may require the Trading Partner to: (a) promptly investigate and report to CMS the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly resolve any problems identified by the investigation; (c) submit a formal written response to an allegation of unauthorized disclosure; (d) submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; and/or (e) return data files to CMS. The Trading Partner understands that as a result of CMS’ determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. The Trading Partner will obtain satisfactory assurance and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure that the Trading Partner Contractor (identified in Section V of the Attachment) will appropriately safeguard the protected health information/individually identifiable health information covered by this Agreement.

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are being furnished by the CMS Contractor and the Trading Partner for use in the coordination of health insurance benefits between the Medicare Program and the COBA Trading Partner, as defined in Article I.C. The CMS individually identifiable information is confidential and subject to the provisions of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health Information) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosed. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this Agreement. The Trading Partner agrees to the following conditions: 1. When it provides information for an individual, that individual is covered by the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after Medicare. 2. It will utilize the information solely for the purpose of determining liability following Medicare’s payment or determination. 3. It will safeguard the confidentiality of and prevent unauthorized access to the Medicare data. 4. CMS retains all ownership rights to the Claims File. 5. It does not obtain any right, title, or interest in any of the data furnished by CMS. The CMS Contractor agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), it shall maintain the confidential nature of all nonpublic personal information obtained from the Trading Partner on behalf of its customers—namely, Medicare beneficiaries. This provision extends to all coverage data provided by the COBA Trading Partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMS, and the CMS Contractor shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/xxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/ a130/a130.html), which sets forth guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. Store and process the Claims File in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. The Trading Partner agrees that in the event CMS determines or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information that is not authorized by this Agreement or other written CMS authorization, CMS, in its sole discretion, may require the Trading Partner to: (a) promptly investigate and report to CMS the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly resolve any problems identified by the investigation; (c) submit a formal written response to an allegation of unauthorized disclosure; (d) submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; and/or (e) return data files to CMS. The Trading Partner understands that as a result of CMS’ determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. The Trading Partner will obtain satisfactory assurance and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure that the Trading Partner Contractor (identified in Section V of the Attachment) will appropriately safeguard the protected health information/individually identifiable health information covered by this Agreement.

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are Agreement is being furnished by the CMS Contractor and the Trading Partner and Medicaid for use in the coordination electronic submission and adjudication of health insurance benefits between claims for programs administered by the Medicare Program and the COBA Trading Partner, as defined in Article I.C. Division of Medical Services. The CMS individually identifiable Medicaid recipient-specific information is confidential and subject to the provisions provision of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, Furthermore the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health Information) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor Division of Medical Services and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosed. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this the Agreement. The Trading Partner agrees to the following conditions: 1. When it That each individual on whom the information is being provided is one for whom the State provides information for an individualmedical assistance benefits, that with the exception of eligibility inquiries or instances in which the Submitter has reason to believe the individual is covered by the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after Medicare.Medicaid eligible; 2. It will utilize the information solely for the purpose of determining liability following Medicare’s payment or determination. 3. It That it will safeguard the confidentiality of and prevent unauthorized access to the Medicare Medicaid data.; and 43. CMS That Medicaid retains all ownership rights to the Claims File. 5. It data, and that the Trading Partner does not obtain any right, title, or interest in any of the data furnished by CMSMedicaid. The CMS Contractor Medicaid agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), that it shall maintain the confidential nature of all nonpublic non-public personal information obtained from the Trading Partner on behalf of its customers—namely, Medicare beneficiariesthe Medicaid recipients. This provision extends to all coverage data provided by the COBA Trading Partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMSCMS (Centers for Medicare and Medicaid Services), and the CMS Contractor Division of Medical Services shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/)Systems, which sets forth the guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. : - Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. ; - Store and process the Claims File data in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. ; and - Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. . The Trading Partner agrees that in the event the Division of Medical Services or CMS determines determine or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information Medicaid data that is not authorized by this Agreement or other written CMS or Division of Medical Services authorization, CMSthe Division of Medical Services may, in at its sole discretion, may require the Trading Partner to: (a) promptly - Promptly investigate and report to CMS the DIVISION OF MEDICAL SERVICES the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly , and - Promptly resolve any problems identified by the investigation; (c) , submit a formal written response to an allegation of unauthorized disclosure; (d) , and submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; , and/or (e) return data files to CMSDIVISION OF MEDICAL SERVICES. The Trading Partner understands that as a result of CMSDIVISION OF MEDICAL SERVICES’ determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor DIVISION OF MEDICAL SERVICES may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. . If the Trading Partner wishes to use the data provided by DIVISION OF MEDICAL SERVICES under this Agreement for any purposes other than those outlined in this Agreement, the Trading Partner shall make a written request to THE DIVISION OF MEDICAL SERVICES, in Pierre, outlining the additional purpose for which it seeks to use the data. If the Division of Medical Services determines that the Trading Partner’s request to use the data provided hereunder is acceptable, the Division of Medical Services will provide written approval to the Trading Partner for the additional proposed use of the data. The Trading Partner will obtain satisfactory assurance hereby acknowledges that criminal penalties under 1106 of the Social Security Act (42 USC 1306 (a) may apply to disclosures of information that are covered by 1106 and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom are not authorized by regulation. The Trading Partner acknowledges that criminal penalties under the Privacy Act (5 USC 552a (I) (3) may apply if it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure is determined that the Trading Partner, or any individual employed or affiliated therewith, knowingly and willfully obtained the individually identifiable data under false pretenses. The Trading Partner Contractor acknowledges that criminal penalties may be imposed under 18 USC 641 if it is determined that the Trading Partner, or any individual employed or affiliated therewith, has taken or converted to its own use data files, or received the files knowing that they were stolen or converted. The Trading Partner acknowledges that civil and criminal penalties under HIPAA (identified in Section V of the AttachmentPublic Law 104-191) will appropriately safeguard the protected health information/may apply if it is determined that a person wrongfully disclosed individually identifiable health information covered by this Agreementinformation.

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are being furnished by the CMS Contractor and the Trading Partner for use in the coordination of health insurance benefits between the Medicare Program and the COBA Trading Partnertrading partner, as defined in Article I.C. The CMS individually identifiable information is confidential and subject to the provisions of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health Information) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in covered electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosedAgreement. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this Agreement. The Trading Partner agrees to the following conditions: 1. When it provides information for to the CMS Contractor about an individual, that individual is covered by entitled to benefits under Title XIX of the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after MedicareSocial Security Act. 2. It will safeguard the confidentiality of and prevent unauthorized access to the data received from Medicare under this Agreement. 3. Its use of the data received from Medicare under this Agreement shall comply with all applicable laws. 4. It may generally utilize the information data received from Medicare under this Agreement solely for the purpose of determining liability following Medicare’s payment or determination. 3a. Absent prior written approval, it shall not use the data received from Medicare under this Agreement for conducting quality improvement activities that are permissible under paragraphs (1) and (2) of the definition of health care operations in the HIPAA Privacy Rule. It will safeguard the confidentiality of and prevent unauthorized access Inquiries about obtaining prior written approval should be directed to the Medicare dataXxxxxxxxXxxxxxx@xxx.xxx.xxx. 4b. Absent prior written approval, it shall not re-release the data received from Medicare under this Agreement. CMS retains all ownership rights Inquiries about obtaining prior written approval should be directed to the Claims FileXxxxxxxxXxxxxxx@xxx.xxx.xxx. 5. It does not obtain any right, title, or interest in any c. All other uses and disclosures of the data furnished by CMSreceived from Medicare under this Agreement and any data derived from that data are prohibited. The CMS Contractor agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), it shall maintain the confidential nature of all nonpublic personal information obtained from the Trading Partner on behalf of its customers—namelyentitled recipients, who are also Medicare beneficiaries. This provision extends to all coverage data provided by the COBA Trading Partner trading partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMS, and the CMS Contractor shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/xxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/ a130/a130.html), which sets forth guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. Store and process the Claims File in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. The Trading Partner agrees that in the event CMS determines or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information that is not authorized by this Agreement or other written CMS authorization, CMS, in its sole discretion, may require the Trading Partner to: (a) promptly investigate and report to CMS the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly resolve any problems identified by the investigation; (c) submit a formal written response to an allegation of unauthorized disclosure; (d) submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; and/or (e) return data files to CMS. The Trading Partner understands that as a result of CMS’ determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. The Trading Partner will obtain satisfactory assurance and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure that the Trading Partner Contractor (identified in Section V of the Attachment) will appropriately safeguard the protected health information/individually identifiable health information covered by this Agreement.

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are Agreement is being furnished by the CMS Contractor and the Trading Partner and Medicaid for use in the coordination electronic submission and adjudication of health insurance benefits between claims for programs administered by the Medicare Program and the COBA Trading Partner, as defined in Article I.C. Division of Medical Services. The CMS individually identifiable Medicaid recipient-specific information is confidential and subject to the provisions provision of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, Furthermore the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health Information) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor Division of Medical Services and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosed. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this the Agreement. The Trading Partner agrees to the following conditions: 1. When it That each individual on whom the information is being provided is one for whom the State provides information for an individualmedical assistance benefits, that with the exception of eligibility inquiries or instances in which the Submitter has reason to believe the individual is covered by the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after Medicare.Medicaid eligible; 2. It will utilize the information solely for the purpose of determining liability following Medicare’s payment or determination. 3. It That it will safeguard the confidentiality of and prevent unauthorized access to the Medicare Medicaid data.; and 43. CMS That Medicaid retains all ownership rights to the Claims File. 5. It data, and that the Trading Partner does not obtain any right, title, or interest in any of the data furnished by CMSMedicaid. The CMS Contractor Medicaid agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), that it shall maintain the confidential nature of all nonpublic non-public personal information obtained from the Trading Partner on behalf of its customers—namely, Medicare beneficiariesthe Medicaid recipients. This provision extends to all coverage data provided by the COBA Trading Partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMSCMS (Centers for Medicare and Medicaid Services), and the CMS Contractor Division of Medical Services shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/)Systems, which sets forth the guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. : - Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. ; - Store and process the Claims File data in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. ; and - Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. . The Trading Partner agrees that in the event the Division of Medical Services or CMS determines determine or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information Medicaid data that is not authorized by this Agreement or other written CMS or Division of Medical Services authorization, CMSthe Division of Medical Services may, in at its sole discretion, may require the Trading Partner to: (a) promptly - Promptly investigate and report to CMS the Division Of Medical Services the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly , and - Promptly resolve any problems identified by the investigation; (c) , submit a formal written response to an allegation of unauthorized disclosure; (d) , and submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; , and/or (e) return data files to CMSDivision of Medical Services. The Trading Partner understands that as a result of CMS’ Division of Medical Services determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor Division of Medical Services may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. . If the Trading Partner wishes to use the data provided by Division of Medical Services under this Agreement for any purposes other than those outlined in this Agreement, the Trading Partner shall make a written request to the Division of Medical Services, in Pierre, outlining the additional purpose for which it seeks to use the data. If the Division of Medical Services determines that the Trading Partner’s request to use the data provided hereunder is acceptable, the Division of Medical Services will provide written approval to the Trading Partner for the additional proposed use of the data. The Trading Partner will obtain satisfactory assurance hereby acknowledges that criminal penalties under 1106 of the Social Security Act (42 USC 1306 (a) may apply to disclosures of information that are covered by 1106 and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom are not authorized by regulation. The Trading Partner acknowledges that criminal penalties under the Privacy Act (5 USC 552a (I) (3) may apply if it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure is determined that the Trading Partner, or any individual employed or affiliated therewith, knowingly and willfully obtained the individually identifiable data under false pretenses. The Trading Partner Contractor acknowledges that criminal penalties may be imposed under 18 USC 641 if it is determined that the Trading Partner, or any individual employed or affiliated therewith, has taken or converted to its own use data files, or received the files knowing that they were stolen or converted. The Trading Partner acknowledges that civil and criminal penalties under HIPAA (identified in Section V of the AttachmentPublic Law 104-191) will appropriately safeguard the protected health information/may apply if it is determined that a person wrongfully disclosed individually identifiable health information covered by this Agreementinformation.

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are Agreement is being furnished by the CMS Contractor and the Trading Partner and Medicaid for use in the coordination electronic submission and adjudication of health insurance benefits between claims for programs administered by the Medicare Program and the COBA Trading Partner, as defined in Article I.C. OMS. The CMS individually identifiable Medicaid recipient-specific information is confidential and subject to the provisions provision of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, Furthermore the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health InformationInformation ) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor OMS and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosed. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this the Agreement. The Trading Partner agrees to the following conditions: 1. When it That each individual on whom the information is being provided is one for whom the State provides information for an individualmedical assistance benefits, that with the exception of eligibility inquiries or instances in which the Submitter has reason to believe the individual is covered by the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after Medicare.Medicaid eligible; 2. It will utilize the information solely for the purpose of determining liability following Medicare’s payment or determination. 3. It That it will safeguard the confidentiality of and prevent unauthorized access to the Medicare Medicaid data.; and 43. CMS That Medicaid retains all ownership rights to the Claims File. 5. It data, and that the Trading Partner does not obtain any right, title, or interest in any of the data furnished by CMSMedicaid. The CMS Contractor Medicaid agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), that it shall maintain the confidential nature of all nonpublic non-public personal information obtained from the Trading Partner on behalf of its customers—namely, Medicare beneficiariesthe Medicaid recipients. This provision extends to all coverage data provided by the COBA Trading Partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMSCMS (Centers for Medicare and Medicaid Services), and the CMS Contractor OMS shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/)Systems, which sets forth the guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. : - Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. ; - Store and process the Claims File data in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. ; and - Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. . The Trading Partner agrees that in the event the OMS or CMS determines determine or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information Medicaid data that is not authorized by this Agreement or other written CMS or OMS authorization, CMSthe OMS may, in at its sole discretion, may require the Trading Partner to: (a) promptly - Promptly investigate and report to CMS the OMS the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly , and - Promptly resolve any problems identified by the investigation; (c) , submit a formal written response to an allegation of unauthorized disclosure; (d) , and submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; , and/or (e) return data files to CMSOMS. The Trading Partner understands that as a result of CMS’ OMS’s determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor OMS may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. . If the Trading Partner wishes to use the data provided by OMS under this Agreement for any purposes other than those outlined in this Agreement, the Trading Partner shall make a written request to OMS, in Pierre, outlining the additional purpose for which it seeks to use the data. If OMS determines that the Trading Partner’s request to use the data provided hereunder is acceptable, OMS will provide written approval to the Trading Partner for the additional proposed use of the data. The OMS contact information for this purpose or other inquiry is provided in Attachment III to this document. The Trading Partner will obtain satisfactory assurance hereby acknowledges that criminal penalties under 1106 of the Social Security Act (42 USC 1306 (a) may apply to disclosures of information that are covered by 1106 and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom are not authorized by regulation. The Trading Partner ackowledges that criminal penalties under the Privacy Act (5 USC 552a (I) (3) may apply if it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure is determined that the Trading Partner, or any individual employed or affiliated therewith, knowingly and willfully obtained the individually identifiable data under false pretenses. The Trading Partner Contractor acknowledges that criminal penalties may be imposed under 18 USC 641 if it is determined that the Trading Partner, or any individual employed or affiliated therewith, has taken or converted to its own use data files, or received the files knowing that they were stolen or converted. The Trading Partner acknowledges that civil and criminal penalties under HIPAA (identified in Section V of the AttachmentPublic Law 104-191) will appropriately safeguard the protected health information/may apply if it is determined that a person wrongfully disclosed individually identifiable health information covered by this Agreementinformation.

Privacy and Use of Information. A. The protected health information/individually identifiable health information and individually identifiable information described in this agreement are being furnished by the CMS Contractor and the Trading Partner for use in the coordination of health insurance benefits between the Medicare Program and the COBA Trading Partner, as defined in Article I.C. The CMS individually identifiable information is confidential and subject to the provisions of 5 USC §552a (i) (3) under the Privacy Act of 1974. Furthermore, the privacy rule under HIPAA (Standards for Privacy of Individually Identifiable Health Information) applies to all health plans, health care clearinghouses, and health care providers that transmit protected health information/individually identifiable health information in covered electronic transactions. To assure that no records held confidential under the Privacy Act of 1974 and/or the HIPAA privacy rule are improperly used or disclosed, the CMS Contractor and the Trading Partner agree that any information furnished by the other party will be used only as authorized under the terms and conditions of this Agreement and may not be further disclosedAgreement. No party shall be permitted to disclose or use information that is of a proprietary nature, except as permitted by the terms of this Agreement. The Trading Partner agrees to the following conditions: 1. When it provides information for an individual, that individual is covered by the Trading Partner in its role as an insurer, an entity working under contract with a self-insured employer plan or an insurer to adjudicate claims and perform other insurance functions, or benefit program that pays after Medicare. 2. It will utilize the information solely for the purpose of determining liability following Medicare’s payment or determination. 3. It will safeguard the confidentiality of and prevent unauthorized access to the Medicare data. 4. CMS retains all ownership rights to the Claims File. 5. It does not obtain any right, title, or interest in any of the data furnished by CMS. The CMS Contractor agrees that, pursuant to the Privacy Act of 1974, the HIPAA privacy rule, and the Xxxxx-Xxxxx-Xxxxxx Financial Services Modernization Act of 1999 (Public Law 106-102, codified at 15 U.S.C. 6801), it shall maintain the confidential nature of all nonpublic personal information obtained from the Trading Partner on behalf of its customers—namelyentitled recipients, who are also Medicare beneficiaries. This provision extends to all coverage data provided by the COBA Trading Partner on its eligibility file for the purpose of coordination of benefits for Medicare beneficiaries. B. The Trading Partner, CMS, and the CMS Contractor shall establish appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to the data. The safeguards should provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III – Security of Federal Automated Information Systems (xxxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/xxxx://xxx.xxxxxxxxxx.xxx/omb/circulars/ a130/a130.html), which sets forth guidelines for security plans for automated information systems in Federal agencies. The Trading Partner agrees to the establishment of the following procedures: 1. Limit access to the data to only those employees, agents, and officials who need it to perform their duties in connection with the authorized use. 2. Store and process the Claims File in such a manner that unauthorized persons cannot retrieve information by any means, including computers, remote terminals, or other means. 3. Instruct all personnel and agents who will have access to the data regarding the confidential nature of the information, the safeguards required, and the criminal sanctions. Web-based training and other non-classroom alternatives are acceptable means for providing this instruction. C. The Trading Partner agrees that in the event CMS determines or has a reasonable belief that the Trading Partner has made or may have made disclosure of the Claims File information that is not authorized by this Agreement or other written CMS authorization, CMS, in its sole discretion, may require the Trading Partner to: (a) promptly investigate and report to CMS the Trading Partner’s determinations regarding any alleged or actual unauthorized disclosure; (b) promptly resolve any problems identified by the investigation; (c) submit a formal written response to an allegation of unauthorized disclosure; (d) submit a corrective action plan with steps designed to prevent any future unauthorized disclosures; and/or (e) return data files to CMS. The Trading Partner understands that as a result of CMS’ determination or reasonable belief that unauthorized disclosure(s) has or have taken place, the CMS Contractor may refuse to release further CMS data to the Trading Partner, report the unauthorized disclosure(s) to the proper government authority, and terminate this Agreement. D. The Trading Partner will obtain satisfactory assurance and documentation of that assurance, as required in 45 CFR §164.502(e), from any entity with whom it contracts (e.g., clearinghouse, billing service, data transmission service, or network service vendor) to ensure that the Trading Partner Contractor (identified in Section V of the Attachment) will appropriately safeguard the protected health information/individually identifiable health information covered by this Agreement.