Common use of Standard: Standard Operating Procedures Clause in Contracts

Standard: Standard Operating Procedures. The Non-Exchange Entity shall incorporate privacy and security standards and implementation specifications, where appropriate, in its standard operating procedures that are associated with functions involving the creation, collection, disclosure, access, maintenance, storage, or use of PII. i. Implementation Specifications: 1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non- Exchange Entity’s Workforce members, or sub-contractors, whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII. 2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses or disclosures. 3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce, or sub-contractor, comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance.

Standard: Standard Operating Procedures. The Non-Exchange Entity shall incorporate privacy and security standards and implementation specifications, where appropriate, in 1 Available at xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/InformationSecurity/Downloads/RMH_VIII_7-1_Incident_Handling_Standard.pdf its standard operating procedures that are associated with functions involving the creation, collection, disclosure, access, maintenance, storage, or use of PII. i. Implementation Specifications: 1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non- Exchange Entity’s Workforce members, or sub-contractors, whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII. 2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses or disclosures. 3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce, or sub-contractor, comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance.

Standard: Standard Operating Procedures. The Non-Exchange Entity shall incorporate privacy and security standards and implementation specifications, where appropriate, in its standard operating procedures that are associated with functions involving the creation, collection, disclosure, access, maintenance, storage, or use of PII. i. Implementation Specifications: 1. The privacy and security standards and implementation specifications shall be written in plain language and shall be available to all of the Non- Non-Exchange Entity’s Workforce members, or sub-contractors, whose responsibilities entail the creation, collection, maintenance, storage, access, or use of PII. 2. The procedures shall ensure the Non-Exchange Entity’s cooperation with CMS in resolving any Incident or Breach, including (if requested by CMS) the return or destruction of any PII files it received under the Agreement; the provision of a formal response to an allegation of unauthorized PII use, reuse or disclosure; and/or the submission of a corrective action plan with steps designed to prevent any future unauthorized uses, reuses or disclosures. 3. The standard operating procedures must be designed and implemented to ensure the Non-Exchange Entity and its Workforce, or sub-contractor, comply with the standards and implementation specifications contained herein, and must be reasonably designed, taking into account the size and the type of activities that relate to PII undertaken by the Non-Exchange Entity, to ensure such compliance.