Convicted, Discriminatory, Antitrust Violator, and Suspended Vendor Lists In accordance with sections 287.133, 287.134, and 287.137, F.S., the Contractor is hereby informed of the provisions of sections 287.133(2)(a), 287.134(2)(a), and 287.137(2)(a), F.S. For purposes of this Contract, a person or affiliate who is on the Convicted Vendor List, the Discriminatory Vendor List, or the Antitrust Violator Vendor List may not perform work as a contractor, supplier, subcontractor, or consultant under the Contract. The Contractor must notify the Department if it or any of its suppliers, subcontractors, or consultants have been placed on the Convicted Vendor List, the Discriminatory Vendor List, or the Antitrust Violator Vendor List during the term of the Contract. In accordance with section 287.1351, F.S., a vendor placed on the Suspended Vendor List may not enter into or renew a contract to provide any goods or services to an agency after its placement on the Suspended Vendor List. A firm or individual placed on the Suspended Vendor List pursuant to section 287.1351, F.S., the Convicted Vendor List pursuant to section 287.133, F.S., the Antitrust Violator Vendor List pursuant to section 287.137, F.S., or the Discriminatory Vendor List pursuant to section 287.134, F.S., is immediately disqualified from Contract eligibility.
Handling Sensitive Personal Information and Breach Notification A. As part of its contract with HHSC Contractor may receive or create sensitive personal information, as section 521.002 of the Business and Commerce Code defines that phrase. Contractor must use appropriate safeguards to protect this sensitive personal information. These safeguards must include maintaining the sensitive personal information in a form that is unusable, unreadable, or indecipherable to unauthorized persons. Contractor may consult the “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” issued by the U.S. Department of Health and Human Services to determine ways to meet this standard.
B. Contractor must notify HHSC of any confirmed or suspected unauthorized acquisition, access, use or disclosure of sensitive personal information related to this Contract, including any breach of system security, as section 521.053 of the Business and Commerce Code defines that phrase. Contractor must submit a written report to HHSC as soon as possible but no later than 10 business days after discovering the unauthorized acquisition, access, use or disclosure. The written report must identify everyone whose sensitive personal information has been or is reasonably believed to have been compromised.
C. Contractor must either disclose the unauthorized acquisition, access, use or disclosure to everyone whose sensitive personal information has been or is reasonably believed to have been compromised or pay the expenses associated with HHSC doing the disclosure if:
1. Contractor experiences a breach of system security involving information owned by HHSC for which disclosure or notification is required under section 521.053 of the Business and Commerce Code; or
2. Contractor experiences a breach of unsecured protected health information, as 45 C.F.R. §164.402 defines that phrase, and HHSC becomes responsible for doing the notification required by 45 C.F.R. §164.404. HHSC may, at its discretion, waive Contractor's payment of expenses associated with HHSC doing the disclosure.
