Resolution - 2024-R0190 - TTUHSC MOU HHS001437900001, DSHS, Accessing Electronic Health Data - 04/09/2024
Resolution No. 2024-R0190
Item No. 6.32
April 9, 2024

RESOLUTION

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:

THAT the Mayor of the City of Lubbock is hereby authorized and directed to execute for and on behalf of the City of Lubbock, the Department of State Health Services (DSHS) Memorandum of Understanding (MOU), MOU HHS001437900001, regarding accessing electronic health data for the purpose of providing essential public health services, by and between the City of Lubbock and the State of Texas acting by and through DSHS, and all related documents. Said MOU is attached hereto and incorporated in this resolution as if fully set forth herein and shall be included in the minutes of the City Council.

Passed by the City Council on April 9, 2024

ATTEST: Courtney Paz, City Secretary
APPROVED AS TO CONTENT: Bill Howerton, Deputy City Manager
APPROVED AS TO FORM: Rachael Foster, Assistant City Attorney

RES.DSHS MOU No. HHS001437900001 3.6.24

DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539
Resolution No. 2024-R0190
HHS Contract No. HHS001437900001
Page 1 of 69

MEMORANDUM OF UNDERSTANDING BETWEEN DEPARTMENT OF STATE HEALTH SERVICES AND City of Lubbock
DSHS CONTRACT NO. HHS001437900001

This Memorandum of Understanding (MOU) is between the Department of State Health Services (DSHS) and City of Lubbock (Local Public Health Entity or LHE). DSHS and LHE may be referred to individually as a "Party" and collectively as the "Parties."

I. PURPOSE

DSHS agrees to provide LHE certain confidential public health data, which DSHS maintains, for the LHE's jurisdiction and any jurisdiction contiguous to their jurisdiction, as defined in each attachment to this MOU, for the purpose of providing essential public health services as authorized by Texas Health and Safety Code § 1001.089. This MOU provides the Parties' roles and responsibilities regarding access and utilization of the data as outlined in each attachment of this MOU.

II. LEGAL AUTHORITY

This MOU is authorized by and in compliance with the provisions of the following: Texas Health and Safety Code, Section 1001.089; and Texas Health and Safety Code, Section 121.002.

LHE is eligible to receive the confidential public health data through provision of essential public health services as those services are defined in Texas Health and Safety Code, Section 121.002, as follows:
• Monitor the health status of individuals in the community to identify community health problems;
• Diagnose and investigate community health problems and community health hazards;
• Inform, educate, and empower the community with respect to health issues;
• Develop policies and plans that support individual and community efforts to improve health;
• Research new insights and innovative solutions to community health problems; and
• Evaluate the effectiveness, accessibility, and quality of personal and population-based health services in a community.

Legal authority for each data set will be specifically identified in a corresponding attachment to this MOU.

III. ROLES AND RESPONSIBILITIES OF LHE

The LHE will:
A. Comply with all DSHS policies and procedures regarding access and utilization of the data provided by DSHS.
B. Access and receive the data sets in a secure, confidential manner in compliance with all applicable federal and state laws governing the protection of confidential information.
C. Use industry best practices to secure, protect, and manage the data sets. If LHE exports data from the DSHS system, LHE assumes responsibility for the security and privacy of the exported data.
D. Use and share data for public health purposes only or as otherwise permitted by law or this MOU.
E. Promptly provide written notice to DSHS of any use or disclosure of the data which violates the terms of this MOU or applicable law.
F. Submit a list of staff, titles, and email addresses, and the intended uses of the data, to request and obtain access to the limited data set(s) or data visualization. The request must be submitted to the DSHS Representatives identified in this MOU.
G. Complete the data checklist(s) identified in attachments to this MOU, as applicable.
H. Maintain a list of all authorized users with access to DSHS data, and upon written request by DSHS, provide the list of authorized users within five (5) business days.
I. Notify the DSHS Representatives identified in this MOU of any changes in staff that require removal from the list of authorized users. Such notification must be made in writing and within five (5) business days of any staffing changes.
J. Submit an application for amendment to the DSHS Representatives identified in this MOU to request changes or additional data set variables.
K. Participate in any required DSHS-sponsored training on data access and usage.

IV. ROLES AND RESPONSIBILITIES OF DSHS

DSHS will:
A. Receive the LHE's written requests for access to specific data sets and provide a written approval or denial of the request.
B. Make available confidential public health data, via a secure data exchange, according to the variables submitted by the LHE on the appropriate data checklist. Data sharing will be limited to the variables requested and the approved data fields identified in the attachment.
C. Deliver the confidential data through use of a secure file transfer protocol site or other method of data transfer with at least that same level of security and/or encryption.
D. Provide the LHE with access credentials, including the secure site, with an account number, and Passwords, as appropriate and in the appropriate quantity. This information will be provided directly to LHE staff members authorized to access the data.
E. Remove user access to the DSHS data as requested by LHE within five (5) business days of receipt of the LHE's written request.
F. Sponsor trainings and provide technical assistance on accessing the limited data sets through the DSHS database.

V. MUTUAL RESPONSIBILITIES

The Parties will communicate as necessary to successfully manage this MOU and work in good faith together to fulfill the purpose of this MOU.

VI. CONFIDENTIALITY

1. The Parties are required to comply with all applicable state and federal laws relating to the privacy and confidentiality of confidential data and records.
2. LHE will comply with the HHSC Data Use Agreement ("DUA") which is attached to this MOU as Attachment A.
3. LHE will maintain sufficient safeguards to prevent release or disclosure of any confidential records or information obtained under this MOU to anyone other than individuals who are authorized by law to receive such records or information and who will protect the records or information from re-disclosure as required by law. Data will be housed in a secure location and in compliance with the DUA. The foregoing shall not apply to information that:
(i) is not disclosed in writing by DSHS or reduced to writing and marked confidential within 30 days after disclosure; or
(ii) is already in LHE's possession at the time of disclosure as evidenced by written records in the possession of LHE prior to such time; or
(iii) is or later becomes part of the public domain through no fault of LHE; or
(iv) is received from a third party having no obligations of confidentiality to DSHS; or
(v) is independently developed by LHE or by its personnel having no access to the Confidential Data.
4. LHE will use confidential data obtained under this MOU only for purposes as described in this MOU and as otherwise allowed by law.
5. No Personally Identifiable Information ("PII") and non-public data may be shared or released by LHE without specific statutory authority or as provided under this MOU.
6. Data no longer in use will be destroyed using software that renders the data unrecoverable.

VII. DESIGNATION OF REPRESENTATIVES

The following will act as the representative authorized to administer activities under this MOU on behalf of its respective Party.

DSHS Contract Management Section (CMS)
Gretchen Wells, Contract Manager
1100 W 49th Street, MC 1990
Austin, Texas 78756
(512) 776-2679
Gretchen.wells@dshs.texas.gov

DSHS Program
Jason Lucas, Branch Manager
PO Box 149347, Mail Code 1898
Austin, TX 78714-9347
(512) 776-6439
HIRBrequests@dshs.texas.gov

City of Lubbock
Tiffany Torres, MPH, MLS(ASCP)cm, Laboratory/Epidemiology Manager
806 18th Street
Lubbock, TX 79401
(806) 775-2990
tiorres@mylubbock.us

Either Party may change its designated representative by providing written notice to the other Party.

VIII. LEGAL NOTICES

Legal notices under this MOU shall be in writing and deemed delivered on the date of delivery if delivered by United States mail, postage paid, certified, return receipt requested; common carrier, overnight, signature required; or hand delivery. Legal Notices must be sent to the appropriate address below:

If to DSHS:
Department of State Health Services
Attn: General Counsel
1100 W. 49th Street, MC 1919
Austin, Texas 78756

Copy To:
Health and Human Services Commission
Attention: Office of Chief Counsel
4601 W. Guadalupe, MC 1100
Austin, Texas 78751

If to Local Health Entity:
City of Lubbock
Attn: Tiffany Torres, MPH, MLS
806 18th Street
Lubbock, TX 79401

Copy To:
City of Lubbock
Attn: General Counsel
806 18th Street
Lubbock, TX 79401

Notice may be given in an alternate manner with written approval from the other Party. Alternate notice shall be deemed effective upon written confirmation of receipt by the Party receiving notice. Either Party may change its address for receiving legal notice by providing written notice to the other Party.

IX. GENERAL TERMS AND CONDITIONS

A. Term of MOU
This MOU is effective on the signature date of the latter of the Parties to sign this MOU. This MOU will remain in effect for five (5) years from the effective date, unless terminated sooner. The Parties may extend this MOU for one additional four-year term subject to mutually agreeable terms. DSHS will cease data sharing immediately upon the expiration or termination of this MOU.

B. Termination of the MOU
Termination without Cause: This MOU may be terminated by either Party by providing at least thirty (30) days written notice to the other Party.
Notice of Breach and Termination for Cause: DSHS may terminate this MOU immediately, and without prior notice, if LHE improperly discloses confidential information, or breaches confidentiality and/or security requirements set forth in this MOU.

C. No Cost
This is a no cost agreement. LHE shall not be obligated to make any payments, of any amount, to DSHS for access to the public health data outlined in this MOU.

D. DSHS Suspension of Data Sharing under this MOU
In the event an information technology system issue or failure, DSHS may temporarily suspend the sharing of data without advance notice and may restore access at a time, and in a manner, of its sole discretion.

E. Amendment
This MOU may be amended or modified by the consent of both Parties at any time during its term. Amendments to this MOU must be in writing and signed by DSHS and LHE. No change in, addition to, or waiver of any term or condition of this MOU shall be binding on DSHS unless approved in writing by an authorized representative of DSHS.

F. Change in Laws and Compliance with Laws
The Parties shall comply with all applicable federal and state statutes, rules, and regulations.
Any alterations, additions, or deletions to the terms of this MOU which are required by changes in federal or state law or regulations are automatically incorporated into the MOU without written amendment hereto, and shall become effective on the date designated by such law or by regulation.

G. Permitting and Licensure
LHE shall obtain and maintain for the duration of this MOU any state, county, city, or federal license, authorization, insurance, waiver, permit, qualification, or certification required by statute, ordinance, law, or regulation to assume the roles and responsibilities contained within this MOU.

H. Assignment
LHE shall not assign its rights under this MOU or delegate the performance of its duties under the agreement without prior written approval from DSHS. Any attempted assignment in violation of this provision is void and without effect.

I. No Partnership or Joint Venture
The Parties agree that nothing in this MOU shall be deemed to create an association, partnership, or joint venture between DSHS and LHE, but is intended solely to guide the relationship between the Parties. Each Party shall pay the cost of its participation in this MOU without cost or reimbursement by the other Party.

J. Waiver
Failure of either Party to insist on strict compliance with any term or condition of this MOU or to exercise any right or privilege hereunder will not be deemed a waiver of such term, condition, right or privilege later.

K. Severability
If any provision of this MOU is illegal, invalid, void, or unenforceable, the other provisions of this MOU will not be affected. The Parties agree to amend any illegal, invalid, void, or unenforceable provision to the extent necessary to render it valid, legal, and enforceable while preserving the intent of the MOU.

L. Disaster Recovery Plan
Upon request of DSHS, LHE shall provide copies of its most recent business continuity and disaster recovery plans.

M. Dispute Resolution
The Parties agree to use good faith efforts to resolve all questions, difficulties, or disputes of any nature that may arise under or by this MOU; provided however, nothing in this paragraph shall preclude either Party from pursuing any remedies as may be available under Texas law. Notwithstanding this provision, the Parties acknowledge and agree to use the dispute resolution provisions required under Texas Government Code, Chapter 2260.

N. Force Majeure
Neither Party shall be liable to the other for any delay in, or failure of performance of, any requirement included in this MOU caused by force majeure. The existence of such causes of delay or failure shall extend the period of performance until after the causes of delay or failure have been removed provided the non-performing Party exercises all reasonable due diligence to perform. Force majeure is defined as acts of God, war, fires, explosions, hurricanes, floods, failure of transportation, or other causes that are beyond the reasonable control of either Party and that by exercise of due foresight such Party could not reasonably have been expected to avoid, and which, by the exercise of all reasonable due diligence, such Party is unable to overcome.

O. Public Information Act
Each Party is responsible for complying with the provisions of Chapter 552 of the Texas Government Code ("Texas Public Information Act"), 25 Tex. Admin. Code, Chapter 181, and relevant Attorney General Opinions. Responses to requests for information and open records requests shall be handled in accordance with the provisions of the Texas Public Information Act.

P. Limitation on Authority
LHE shall have no authority to act for or on behalf of DSHS or the State of Texas except as expressly provided for in this MOU; no other authority, power or use is granted or implied.
LHE may not incur any debt, obligation, expense or liability of any kind on behalf of DSHS or the State of Texas.

Q. Survival
Expiration or termination of this MOU for any reason does not release LHE from any liability or obligation set forth in this MOU that is expressly stated to survive any such expiration or termination, or that by its nature would be intended to be applicable following any such expiration or termination, or that is necessary to fulfill the essential purpose of the MOU, including without limitation the provisions regarding confidentiality and rights and remedies upon termination.

R. Sovereign Immunity
This MOU shall not constitute or be construed as a waiver of any of the privileges, rights, defenses, remedies, or immunities available to either Party as an agency of the State of Texas or otherwise available to the Party. The failure to enforce or any delay in the enforcement of any privileges, rights, defenses, remedies, or immunities available to a Party under this MOU or under applicable law shall not constitute a waiver of such privileges, rights, defenses, remedies, or immunities or be considered as a basis for estoppel. Neither Party waives any privileges, rights, defenses, or immunities available to it as an agency of the State of Texas, or otherwise available to it, by entering into this MOU or by its conduct prior to or subsequent to entering into this MOU.

S. Right to Audit
LHE shall make available at reasonable times and upon reasonable notice, and for reasonable periods, reports, records, supporting documents or materials kept current by LHE pertaining to this MOU for purposes of inspecting, monitoring, auditing or evaluating by DSHS, DSHS's contracted examiners, the State Auditor's Office, the Texas Attorney General's Office and any successor agencies each of which may be a duly authorized authority.
In addition to any right of access arising by operation of law, LHE shall permit DSHS, as well as duly authorized federal, state or local authorities, unrestricted access to and the right to examine any site where business is conducted or services are performed and all records related to this MOU.

T. Attachments
Attachments listed following the signature block at the end of this MOU are incorporated in their entirety as terms and conditions of this MOU.

U. Governing Law and Venue
This MOU made, performed, and governed by the laws of the State of Texas. The venue of any suit arising under the MOU is fixed in any court of competent jurisdiction of Travis County, Texas, unless the specific venue is otherwise identified in a statute which directly names or otherwise identifies its applicability to DSHS.

V. Counterparts and Signatures
The Parties may sign this MOU in counterparts, each of which will be deemed an original, but all of which will together constitute one document. Electronically transmitted signatures will be deemed originals for all purposes related to this MOU.

W. Entire Agreement
This document constitutes the entire agreement of the Parties and is intended as a complete and exclusive statement of the promises, representations, negotiations, discussions, and other agreements that may have been made in connection with the subject matter hereof. Any additional or conflicting terms in any future document incorporated into this agreement will be harmonized with this agreement to the extent possible.

SIGNATURE PAGE FOLLOWS

SIGNATURE PAGE
DSHS Contract No. HHS001437900001

By signing below, the Parties agree that they have read the MOU and agree to its terms, and that the persons whose signatures appear below have the authority to execute this MOU on behalf of their respective Party.

Department of State Health Services
Signature of Authorized Official: (DocuSigned)
Printed Name: Varun Shetty
Title: Chief State Epidemiologist
Date: April 29, 2024

City of Lubbock
Signature of Authorized Official
Printed Name
Title: Mayor
Date: April 9, 2024

THE FOLLOWING DOCUMENTS ARE HEREBY ATTACHED AND INCORPORATED INTO THE MOU:
ATTACHMENT A - HHS DATA USE AGREEMENT
ATTACHMENT B - SECURITY AND PRIVACY INQUIRY (SPI)
ATTACHMENT C - ACCESS TO PUBLIC HEALTH DASHBOARDS
ATTACHMENT D - ACCESS TO VITAL EVENT DATA
EXHIBIT D-1 - CHECKLIST BIRTH DATA
EXHIBIT D-2 - CHECKLIST FOR DEATH DATA
EXHIBIT D-3 - CHECKLIST FOR FETAL DEATH DATA
ATTACHMENT E - ACCESS TO TEXAS PUBLIC USE HEALTH CARE DATA

Internal Note - Additional attachments may only be added through a formal written amendment to this MOU for each data set LHE is approved to access.

ATTACHMENT A
HHS DATA USE AGREEMENT

This Data Use Agreement ("DUA"), effective as of the date the Base Contract into which it is incorporated is signed ("Effective Date"), is entered into by and between a Texas Health and Human Services Enterprise agency ("HHS"), and the Contractor identified in the Base Contract, a political subdivision of the State of Texas ("CONTRACTOR").

ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE

The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations with respect to the Confidential Information. 45 CFR 164.504(e)(1)-(3). This DUA also describes HHS's remedies in the event of CONTRACTOR's noncompliance with its obligations under this DUA.
This DUA applies to both Business Associates and contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients as described in the Base Contract.

As of the Effective Date of this DUA, if any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls.

ARTICLE 2. DEFINITIONS

For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C. §1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments, regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. §§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue Code, Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in this DUA are defined as follows:

"Authorized Purpose" means the specific purpose or purposes described in the Statement of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance.

"Authorized User" means a Person:
(1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze Confidential Information pursuant to this DUA;
(2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the Confidential Information; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA.

"Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR, or that CONTRACTOR may, for an Authorized Purpose, create, receive, maintain, use, disclose or have access to, that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information (herein "PHI");
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Individually Identifiable Health Information as related to HIPAA, Texas HIPAA and Personal Identifying Information under the Texas Identity Theft Enforcement and Protection Act;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.

"Legally Authorized Representative" of the Individual, as defined by Texas law, including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code §166.164; and Estates Code Ch. 752.

ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION

3.01 Obligations of CONTRACTOR

CONTRACTOR agrees that:

(A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in a manner that is not expressly an Authorized Purpose under this DUA or as Required by Law. 45 CFR 164.502(b)(1); 45 CFR 164.514(d)

(B) Except as Required by Law, CONTRACTOR will not disclose or allow access to any portion of the Confidential Information to any Person or other entity, other than Authorized User's Workforce or Subcontractors (as defined in 45 C.F.R. 160.103) of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management, to carry out CONTRACTOR's obligations in connection with the Authorized Purpose.

HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health & Safety Code §181.101

All of CONTRACTOR's Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources.

(C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request. 45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b); 164.530(h)(1)

(D) CONTRACTOR will not, except as otherwise permitted by this DUA, disclose or provide access to any Confidential Information on the basis that such act is Required by Law without notifying either HHS or CONTRACTOR's own legal counsel to determine whether CONTRACTOR should object to the disclosure or access and seek appropriate relief. CONTRACTOR will maintain an accounting of all such requests for disclosure and responses and provide such accounting to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2)(ii)(A)

(E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information or De-identified Information, or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501, 164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002

(F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information to carry out CONTRACTOR's obligations in connection with the Authorized Purpose on behalf of CONTRACTOR, unless Subcontractor agrees to comply with all applicable laws, rules and regulations. 45 CFR 164.502(e)(1)(ii); 164.504(e)(1)(i) and (2).

(G) CONTRACTOR is directly responsible for compliance with, and enforcement of, all conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR 164.504(e)(5); 42 CFR 431.300, et seq.

(H) If CONTRACTOR maintains PHI in a Designated Record Set which is Confidential Information and subject to this Agreement, CONTRACTOR will make PHI available to HHS in a Designated Record Set upon request. CONTRACTOR will provide PHI to an Individual, or Legally Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacy Regulations. CONTRACTOR will release PHI in accordance with the HIPAA Privacy Regulations upon receipt of a valid written authorization. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. CONTRACTOR will maintain an accounting of all such disclosures and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.524 and 164.504(e)(2)(ii)(E).

(I) If PHI is subject to this Agreement, CONTRACTOR will make PHI as required by HIPAA available to HHS for review subsequent to CONTRACTOR's incorporation of any amendments requested pursuant to HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F).

(J) If PHI is subject to this Agreement, CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528.
(K) If CONTRACTOR receives a request for access, amendment or accounting of PHI from an individual with a right of access to information subject to this DUA, it will respond to such request in compliance with the HIPAA Privacy Regulations. CONTRACTOR will maintain an accounting of all responses to requests for access to or amendment of PHI and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2). (L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308, 164.530(c); I TA 202. (M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's legal responsibilities. Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may disclose PHI for the DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 13 of 69 proper management and administration of CONTRACTOR, or to carry out CONTRACTOR's legal responsibilities, if: 45 CFR 164.504(e)(4)(A). 
(1) Disclosure is Required by Law, provided that CONTRACTOR complies with Section 3.01(D); or

(2) CONTRACTOR obtains reasonable assurances from the person or entity to which the information is disclosed that the person or entity will:

(a) Maintain the confidentiality of the Confidential Information in accordance with this DUA;

(b) Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the Person; and

(c) Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B).

(N) Except as otherwise limited by this DUA, CONTRACTOR will, if required by law and requested by HHS, use commercially reasonable efforts to use PHI to provide data aggregation services to HHS, as that term is defined in the HIPAA, 45 C.F.R. § 164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B)

(O) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, send to HHS or Destroy, at HHS's election and to the extent reasonably feasible and permissible by law, all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by or disclosed to CONTRACTOR, has been Destroyed or sent to HHS, and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof.
Notwithstanding the foregoing, HHS acknowledges and agrees that CONTRACTOR is not obligated to send to HHSC and/or Destroy any Confidential Information if federal law, state law, the Texas State Library and Archives Commission records retention schedule, and/or a litigation hold notice prohibit such delivery or Destruction. If such delivery or Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such delivery or Destruction is not feasible, and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return delivery or Destruction of the Confidential Information not feasible for as long as CONTRACTOR maintains such Confidential Information. 45 CFR 164.504(e)(2)(ii)(J)

(P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses. 45 CFR 164.306; 164.530(c)

(Q) If CONTRACTOR accesses, transmits, stores, and/or maintains Confidential Information, CONTRACTOR will complete and return to HHS at infosecurity@hhsc.state.tx.us the HHS information security and privacy initial inquiry (SPI) at Attachment I. The SPI identifies basic privacy and security controls with which CONTRACTOR must comply to protect HHS Confidential Information. CONTRACTOR will comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk.
CONTRACTOR's security controls will be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. CONTRACTOR will update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and will provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements. 45 CFR 164.306.

(R) CONTRACTOR will establish, implement and maintain reasonable procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, and with respect to PHI, as described in the HIPAA Privacy and Security Regulations, or other applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR 164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards); 164.530(c) (privacy safeguards).

(S) CONTRACTOR will designate and identify, a Person or Persons, as Privacy Official 45 CFR 164.530(a)(1) and Information Security Official, each of whom is authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation of the privacy and security requirements in this DUA. CONTRACTOR will provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. If such persons fail to develop and implement the requirements of the DUA, CONTRACTOR will replace them upon HHS request. 45 CFR 164.308(a)(2).
(T) CONTRACTOR represents and warrants that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further, that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. 45 CFR 164.502, 164.514(d).

(U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms of this DUA, at all times and supply it to HHS, as directed, upon request.

(V) CONTRACTOR will implement, update as necessary, and document reasonable and appropriate policies and procedures for privacy, security and Breach of Confidential Information and an incident response plan for an Event or Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Statement of Work. 45 CFR 164.308, 164.316, 164.514(d); 164.530(e)(1).

(W) CONTRACTOR will produce copies of its information security and privacy policies and procedures and records relating to the use or disclosure of Confidential Information received from, created by, or received, used or disclosed by CONTRACTOR for an Authorized Purpose for HHS's review and approval within 30 days of execution of this DUA and upon request by HHS the following business day or other agreed upon time frame. 45 CFR 164.308, 164.514(d).

(X) CONTRACTOR will make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, PHI in accordance with HIPAA and other applicable laws and regulations relating to Confidential Information.
CONTRACTOR will provide such information in a time and manner reasonably agreed upon or as designated by the Secretary of the U.S. Department of Health and Human Services, or other federal or state law. 45 CFR 164.504(e)(2)(i)(I).

(Y) CONTRACTOR will only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form, in accordance with applicable rules, regulations and laws. A secure transmission of electronic Confidential Information in motion includes, but is not limited to, Secure File Transfer Protocol (SFTP) or Encryption at an appropriate level. If required by rule, regulation or law, HHS Confidential Information at rest requires Encryption unless there is other adequate administrative, technical, and physical security. All electronic data transfer and communications of Confidential Information will be through secure systems. Proof of system, media or device security and/or Encryption must be produced to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit or the Discovery of an Event or Breach. Otherwise, requested production of such proof will be made as agreed upon by the parties. De-identification of HHS Confidential Information is a means of security. With respect to de-identification of PHI, "secure" means de-identified according to HIPAA Privacy standards and regulatory guidance. 45 CFR 164.312; 164.530(d).
(Z) For each type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses, has access to or transmits in the performance of the Statement of Work, CONTRACTOR will comply with the following laws, rules and regulations, only to the extent applicable and required by law:

• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 07-16;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the DUA;
• Internal Revenue Publication 1075 — Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 — An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A — Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 — Security Guide for Interconnecting Information Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI; and
• Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that CONTRACTOR supports on behalf of HHS.

(AA) Notwithstanding anything to the contrary herein, CONTRACTOR will treat any Personal Identifying Information it creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with Texas Business and
Commerce Code, Chapter 521 and other applicable regulatory standards identified in Section 3.01(Z), and Individually Identifiable Health Information CONTRACTOR creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with HIPAA and other applicable regulatory standards identified in Section 3.01(Z).

ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS

4.01 Breach or Event Notification to HHS. 45 CFR 164.400-414.

(A) CONTRACTOR will cooperate fully with HHS in investigating, mitigating to the extent practicable and issuing notifications directed by HHS, for any Event or Breach of Confidential Information to the extent and in the manner determined by HHS.

(B) CONTRACTOR'S obligation begins at the Discovery of an Event or Breach and continues as long as related activity continues, until all effects of the Event are mitigated to HHS's reasonable satisfaction (the "incident response period"). 45 CFR 164.404.

(C) Breach Notice:

(1) Initial Notice.

(a) For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information, within the first, consecutive clock hour of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery, or in a timeframe otherwise approved by HHS in writing, initially report to HHS's Privacy and Security Officers via email at: privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA; and IRS Publication 1075; Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in HHSC-CMS Contracts for information exchange.

(b) Report all information reasonably available to CONTRACTOR about the Event or Breach of the privacy or security of Confidential Information. 45 CFR 164.410.
(c) Name, and provide contact information to HHS for, CONTRACTOR's single point of contact who will communicate with HHS both on and off business hours during the incident response period.

(2) Formal Notice. No later than two business days after the Initial Notice above, provide formal notification to privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA, including all reasonably available information about the Event or Breach, and CONTRACTOR's investigation, including without limitation and to the extent available: For (a) - (m) below: 45 CFR 164.400-414.

(a) The date the Event or Breach occurred;

(b) The date of CONTRACTOR's and, if applicable, Subcontractor's Discovery;

(c) A brief description of the Event or Breach; including how it occurred and who is responsible (or hypotheses, if not yet determined);

(d) A brief description of CONTRACTOR's investigation and the status of the investigation;

(e) A description of the types and amount of Confidential Information involved;

(f) Identification of and number of all Individuals reasonably believed to be affected, including first and last name of the Individual and, if applicable, the Legally Authorized Representative, last known address, age, telephone number, and email address if it is a preferred contact method, to the extent known or can be reasonably determined by CONTRACTOR at that time;

(g) CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHS approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply;

(h) CONTRACTOR's recommendation for HHS's approval as to the steps Individuals and/or CONTRACTOR on behalf of Individuals, should take to protect the Individuals from potential
harm, including without limitation CONTRACTOR's provision of notifications, credit protection, claims monitoring, and any specific protections for a Legally Authorized Representative to take on behalf of an Individual with special capacity or circumstances;

(i) The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate);

(j) The steps CONTRACTOR has taken, or will take, to prevent or reduce the likelihood of recurrence of a similar Event or Breach;

(k) Identify, describe or estimate the Persons, Workforce, Subcontractor, or Individuals and any law enforcement that may be involved in the Event or Breach;

(l) A reasonable schedule for CONTRACTOR to provide regular updates during normal business hours to the foregoing in the future for response to the Event or Breach, but no less than every three (3) business days or as otherwise directed by HHS, including information about risk estimations, reporting, notification, if any, mitigation, corrective action, root cause analysis and when such activities are expected to be completed; and

(m) Any reasonably available, pertinent information, documents or reports related to an Event or Breach that HHS requests following Discovery.

4.02 Investigation, Response and Mitigation. 45 CFR 164.308, 310 and 312; 164.530

(A) CONTRACTOR will immediately conduct a full and complete investigation, respond to the Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond, and report as required to and by HHS for incident response purposes and for purposes of HHS's compliance with report and notification requirements, to the reasonable satisfaction of HHS.
(B) CONTRACTOR will complete or participate in a risk assessment as directed by HHS following an Event or Breach, and provide the final assessment, corrective actions and mitigations to HHS for review and approval.

(C) CONTRACTOR will fully cooperate with HHS to respond to inquiries and/or proceedings by state and federal authorities, Persons and/or Individuals about the Event or Breach.

(D) CONTRACTOR will fully cooperate with HHS's efforts to seek appropriate injunctive relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any Confidential Information, including complying with reasonable corrective action or measures, as specified by HHS in a Corrective Action Plan if directed by HHS under the Base Contract.

4.03 Breach Notification to Individuals and Reporting to Authorities. Tex. Bus. & Comm. Code §521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities)

(A) HHS may direct CONTRACTOR to provide Breach notification to Individuals, regulators or third-parties, as specified by HHS following a Breach.

(B) CONTRACTOR shall give HHS an opportunity to review and provide feedback to CONTRACTOR and to confirm that CONTRACTOR's notice meets all regulatory requirements regarding the time, manner and content of any notification to Individuals, regulators or third-parties, or any notice required by other state or federal authorities, including without limitation, notifications required by Texas Business and Commerce Code, Chapter 521.053(b) and HIPAA. HHS shall have ten (10) business days to provide said feedback to CONTRACTOR. Notice letters will be in CONTRACTOR's name and on CONTRACTOR's letterhead, unless otherwise directed by HHS, and will contain contact information, including the name and title of CONTRACTOR's representative, an email address and a toll-free telephone number, if required by applicable law, rule, or regulation, for the Individual to obtain additional information.
(C) CONTRACTOR will provide HHS with copies of distributed and approved communications.

(D) CONTRACTOR will have the burden of demonstrating to the reasonable satisfaction of HHS that any notification required by HHS was timely made. If there are delays outside of CONTRACTOR's control, CONTRACTOR will provide written documentation of the reasons for the delay.

(E) If HHS delegates notice requirements to CONTRACTOR, HHS shall, in the time and manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's information requests in order to make such notifications and reports.

ARTICLE 5. STATEMENT OF WORK

"Statement of Work" means the services and deliverables to be performed or provided by CONTRACTOR, or on behalf of CONTRACTOR by its Subcontractors or agents for HHS that are described in detail in the Base Contract. The Statement of Work, including any future amendments thereto, is incorporated by reference in this DUA as if set out word-for-word herein.

ARTICLE 6. GENERAL PROVISIONS

6.01 Oversight of Confidential Information

CONTRACTOR acknowledges and agrees that HHS is entitled to oversee and monitor CONTRACTOR's access to and creation, receipt, maintenance, use, disclosure of the Confidential Information to confirm that CONTRACTOR is in compliance with this DUA.

6.02 HHS Commitment and Obligations

HHS will not request CONTRACTOR to create, maintain, transmit, use or disclose PHI in any manner that would not be permissible under applicable law if done by HHS.

6.03 HHS Right to Inspection

At any time upon reasonable notice to CONTRACTOR, or if HHS determines that CONTRACTOR has violated this DUA, HHS, directly or through its agent, will have the right to inspect the facilities, systems, books and records of CONTRACTOR to monitor compliance with this DUA.
For purposes of this subsection, HHS's agent(s) include, without limitation, the HHS Office of the Inspector General or the Office of the Attorney General of Texas, outside consultants or legal counsel or other designee.

6.04 Term; Termination of DUA; Survival

This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended or amended, this DUA shall be extended or amended concurrent with such extension or amendment.

(A) HHS may immediately terminate this DUA and Base Contract upon a material violation of this DUA.

(B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the Confidential Information until such time as determined by HHS.

(C) If HHS determines that CONTRACTOR has violated a material term of this DUA, HHS may in its sole discretion:

(1) Exercise any of its rights including but not limited to reports, access and inspection under this DUA and/or the Base Contract; or

(2) Require CONTRACTOR to submit to a Corrective Action Plan, including a plan for monitoring and plan for reporting, as HHS may determine necessary to maintain compliance with this DUA; or

(3) Provide CONTRACTOR with a reasonable period to cure the violation as determined by HHS; or

(4) Terminate the DUA and Base Contract immediately, and seek relief in a court of competent jurisdiction in Texas.

Before exercising any of these options, HHS will provide written notice to CONTRACTOR describing the violation, the requested corrective action CONTRACTOR may take to cure the alleged violation, and the action HHS intends to take if the alleged violation is not timely cured by CONTRACTOR.
(D) If neither termination nor cure is feasible, HHS shall report the violation to the Secretary of the U.S. Department of Health and Human Services.

(E) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration or termination of this DUA until all the Confidential Information is Destroyed or returned to HHS, as required by this DUA.

6.05 Governing Law, Venue and Litigation

(A) The validity, construction and performance of this DUA and the legal relations among the Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas.

(B) The Parties agree that the courts of Texas will be the exclusive venue for any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise out of, or in connection with, or by reason of this DUA.

6.06 Injunctive Relief

(A) CONTRACTOR acknowledges and agrees that HHS may suffer irreparable injury if CONTRACTOR or its Subcontractor fails to comply with any of the terms of this DUA with respect to the Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential Information.

(B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate HHS for CONTRACTOR's or its Subcontractor's failure to comply. Accordingly, CONTRACTOR agrees that HHS will, in addition to any other remedies available to it at law or in equity, be entitled to seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages, to enforce the terms of this DUA.

6.07 Responsibility.
To the extent permitted by the Texas Constitution, laws and rules, and without waiving any immunities or defenses available to CONTRACTOR as a governmental entity, CONTRACTOR shall be solely responsible for its own acts and omissions and the acts and omissions of its employees, directors, officers, Subcontractors and agents. HHS shall be solely responsible for its own acts and omissions.

6.08 Insurance

(A) As a governmental entity, and in accordance with the limits of the Texas Tort Claims Act, Chapter 101 of the Texas Civil Practice and Remedies Code, CONTRACTOR either maintains commercial insurance or self-insures with policy limits in an amount sufficient to cover CONTRACTOR's liability arising under this DUA. CONTRACTOR will request that HHS be named as an additional insured. HHSC reserves the right to consider alternative means for CONTRACTOR to satisfy CONTRACTOR's financial responsibility under this DUA. Nothing herein shall relieve CONTRACTOR of its financial obligations set forth in this DUA if CONTRACTOR fails to maintain insurance.

(B) CONTRACTOR will provide HHS with written proof that required insurance coverage is in effect, at the request of HHS.

6.08 Fees and Costs

Except as otherwise specified in this DUA or the Base Contract, if any legal action or other proceeding is brought for the enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default, misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each party will bear their own legal expenses and the other cost incurred in that action or proceeding.

6.09 Entirety of the Contract

This DUA is incorporated by reference into the Base Contract as an amendment thereto and, together with the Base Contract, constitutes the entire agreement between the parties.
No change, waiver, or discharge of obligations arising under those documents will be valid unless in writing and executed by the party against whom such change, waiver, or discharge is sought to be enforced. If any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls.

6.10 Automatic Amendment and Interpretation

If there is (i) a change in any law, regulation or rule, state or federal, applicable to HIPAA and/or Confidential Information, or (ii) any change in the judicial or administrative interpretation of any such law, regulation or rule, upon the effective date of such change, this DUA shall be deemed to have been automatically amended, interpreted and read so that the obligations imposed on HHS and/or CONTRACTOR remain in compliance with such changes. Any ambiguity in this DUA will be resolved in favor of a meaning that permits HHS and CONTRACTOR to comply with HIPAA or any other law applicable to Confidential Information.

Texas Health and Human Services

Texas HHS System - Data Use Agreement - Attachment B
SECURITY AND PRIVACY INQUIRY (SPI)

If you are a bidder for a new procurement/contract, in order to participate in the bidding process, you must have corrected any "No" responses (except A9a) prior to the contract award date. If you are an applicant for an open enrollment, you must have corrected any "No" answers (except A9a and A11) prior to performing any work on behalf of any Texas HHS agency.

For any questions answered "No" (except A9a and A11), an Action Plan for Compliance with a Timeline must be documented in the designated area below the question.
The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.

SECTION A: APPLICANT/BIDDER INFORMATION (To be completed by Applicant/Bidder)

1. Does the applicant/bidder access, create, disclose, receive, transmit, maintain, or store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal use computer, mobile device, database, server, etc.)? Yes / No
IF NO, STOP. THE SPI FORM IS NOT REQUIRED.

2. Entity or Applicant/Bidder Legal Name
Legal Name: City of Lubbock
Legal Entity Tax Identification Number (TIN) (Last Four Numbers Only):
Procurement/Contract #: HHS001437900001
Address: PO Box 2000
City: Lubbock State: TX ZIP: 79457
Telephone #: (806) 775-2941
Email Address: kwells@mylubbock.us

3. Number of Employees, at all locations, in Applicant/Bidder's Workforce
"Workforce" means all employees, volunteers, trainees, and other Persons whose conduct is under the direct control of Applicant/Bidder, whether or not they are paid by Applicant/Bidder. If Applicant/Bidder is a sole proprietor, the workforce may be only one employee.
Total Employees:

4. Number of Subcontractors (if Applicant/Bidder will not use subcontractors, enter "0")
Total Subcontractors:

5. Name of Information Technology Security Official and Name of Privacy Official for Applicant/Bidder (Privacy and Security Official may be the same person.)
A. Security Official:
Legal Name: Address: City: State: ZIP: Telephone #: Email Address:
B.
Privacy Official:
Legal Name: Address: City: State: ZIP: Telephone #: Email Address:

SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 1 of 18 SECURITY AND PRIVACY INQUIRY (SPI)

6. Type(s) of Texas HHS Confidential Information the Applicant/Bidder will create, receive, maintain, use, disclose or have access to: (Check all that apply)
Options: HIPAA; CJIS; IRS FTI; CMS; SSA; PII; Other (Please List)
• Health Insurance Portability and Accountability Act (HIPAA) data
• Criminal Justice Information Services (CJIS) data
• Internal Revenue Service Federal Tax Information (IRS FTI) data
• Centers for Medicare & Medicaid Services (CMS)
• Social Security Administration (SSA)
• Personally Identifiable Information (PII)

7. Number of Storage Devices for Texas HHS Confidential Information (as defined in the Texas HHS System Data Use Agreement (DUA))
Total # (Sum a-d):
Cloud Services involve using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
A Data Center is a centralized repository, either physical or virtual, for the storage, management, and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business.
a. Devices. Number of personal user computers, devices or drives, including mobile devices and mobile drives.
b. Servers. Number of Servers that are not in a data center or using Cloud Services.
c. Cloud Services. Number of Cloud Services in use.
d. Data Centers. Number of Data Centers in use.

8. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to handle Texas HHS Confidential Information during one year: Select Option (a-d)
a. 499 individuals or less
b. 500 to 999 individuals
c. 1,000 to 99,999 individuals
d. 100,000 individuals or more

9.
HIPAA Business Associate Agreement

a. Will Applicant/Bidder use, disclose, create, receive, transmit or maintain protected health information on behalf of a HIPAA-covered Texas HHS agency for a HIPAA-covered function? Yes / No

b. Does Applicant/Bidder have a Privacy Notice prominently displayed on a Webpage or a Public Office of Applicant/Bidder's business open to or that serves the public? (This is a HIPAA requirement. Answer "N/A" if not applicable, such as for agencies not covered by HIPAA.) Yes / No / N/A
Action Plan for Compliance with a Timeline: Compliance Date:

10. Subcontractors. If the Applicant/Bidder responded "0" to Question 4 (indicating no subcontractors), check "N/A" for both 'a.' and 'b.'

a. Does Applicant/Bidder require subcontractors to execute the DUA Attachment 1 Subcontractor Agreement Form? Yes / No / N/A
Action Plan for Compliance with a Timeline: Compliance Date:

b. Will Applicant/Bidder agree to require subcontractors who will access Confidential Information to comply with the terms of the DUA, not disclose any Confidential Information to them until they have agreed in writing to the same safeguards and to discontinue their access to the Confidential Information if they fail to comply? Yes / No / N/A
Action Plan for Compliance with a Timeline: Compliance Date:

11. Does Applicant/Bidder have any Optional Insurance currently in place?
(Yes / No / N/A)
Optional Insurance provides coverage for: (1) Network Security and Privacy; (2) Data Breach; (3) Cyber Liability (lost data, lost use or delay/suspension in business, denial of service with e-business, the Internet, networks and informational assets, such as privacy, intellectual property, virus transmission, extortion, sabotage or web activities); (4) Electronic Media Liability; (5) Crime/Theft; (6) Advertising Injury and Personal Injury Liability; and (7) Crisis Management and Notification Expense Coverage.
SECTION B: PRIVACY (To be completed by Applicant/Bidder)
For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.
1. Written Policies & Procedures. Does Applicant/Bidder have current written privacy and security policies and procedures that, at a minimum: (Yes or No)
a. Does Applicant/Bidder have current written privacy and security policies and procedures that identify Authorized Users and Authorized Purposes (as defined in the DUA) relating to creation, receipt, maintenance, use, disclosure, access or transmission of Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
b.
Does Applicant/Bidder have current written privacy and security policies and procedures that require Applicant/Bidder and its Workforce to comply with the applicable provisions of HIPAA and other laws referenced in the DUA, relating to creation, receipt, maintenance, use, disclosure, access or transmission of Texas HHS Confidential Information on behalf of a Texas HHS agency? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
c. Does Applicant/Bidder have current written privacy and security policies and procedures that limit use or disclosure of Texas HHS Confidential Information to the minimum that is necessary to fulfill the Authorized Purposes? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
d. Does Applicant/Bidder have current written privacy and security policies and procedures that respond to an actual or suspected breach of Texas HHS Confidential Information, to include at a minimum (if any responses are "No" check "No" for all three): (Yes / No)
i. Immediate breach notification to the Texas HHS agency, regulatory authorities, and other required Individuals or Authorities, in accordance with Article 4 of the DUA;
ii. Following a documented breach response plan, in accordance with the DUA and applicable law; &
iii. Notifying Individuals and Reporting Authorities whose Texas HHS Confidential Information has been breached, as directed by the Texas HHS agency?
Action Plan for Compliance with a Timeline: Compliance Date:
e. Does Applicant/Bidder have current written privacy and security policies and procedures that conduct annual workforce training and monitoring for and correction of any training delinquencies? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
f.
Does Applicant/Bidder have current written privacy and security policies and procedures that permit or deny individual rights of access, and amendment or correction, when appropriate? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
g. Does Applicant/Bidder have current written privacy and security policies and procedures that permit only Authorized Users with up-to-date privacy and security training, and with a reasonable and demonstrable need to use, disclose, create, receive, maintain, access or transmit the Texas HHS Confidential Information, to carry out an obligation under the DUA for an Authorized Purpose, unless otherwise approved in writing by a Texas HHS agency? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
h. Does Applicant/Bidder have current written privacy and security policies and procedures that establish, implement and maintain proof of appropriate sanctions against any Workforce or Subcontractors who fail to comply with an Authorized Purpose or who is not an Authorized User, and used or disclosed Texas HHS Confidential Information in violation of the DUA, the Base Contract or applicable law? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
i. Does Applicant/Bidder have current written privacy and security policies and procedures that require updates to policies, procedures and plans following major changes with use or disclosure of Texas HHS Confidential Information within 60 days of identification of a need for update? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
j.
Does Applicant/Bidder have current written privacy and security policies and procedures that restrict permissions or attempts to re-identify or further identify de-identified Texas HHS Confidential Information, or attempt to contact any Individuals whose records are contained in the Texas HHS Confidential Information, except for an Authorized Purpose, without express written authorization from a Texas HHS agency or as expressly permitted by the Base Contract? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
k. If Applicant/Bidder intends to use, disclose, create, maintain, store or transmit Texas HHS Confidential Information outside of the United States, will Applicant/Bidder obtain the express prior written permission from the Texas HHS agency and comply with the Texas HHS agency conditions for safeguarding offshore Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
l. Does Applicant/Bidder have current written privacy and security policies and procedures that require cooperation with Texas HHS agencies' or federal regulatory inspections, audits or investigations related to compliance with the DUA or applicable law? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
m. Does Applicant/Bidder have current written privacy and security policies and procedures that require appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
n. Does Applicant/Bidder have current written privacy and security policies and procedures that prohibit disclosure of Applicant/Bidder's work product done on behalf of Texas HHS pursuant to the DUA, or to publish Texas HHS Confidential Information without express prior approval of the Texas HHS agency? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
2.
Does Applicant/Bidder have a current Workforce training program? (Yes / No)
Training of Workforce must occur at least once every year, and within 30 days of date of hiring a new Workforce member who will handle Texas HHS Confidential Information. Training must include: (1) privacy and security policies, procedures, plans and applicable requirements for handling Texas HHS Confidential Information, (2) a requirement to complete training before access is given to Texas HHS Confidential Information, and (3) written proof of training and a procedure for monitoring timely completion of training.
Action Plan for Compliance with a Timeline: Compliance Date:
3. Does Applicant/Bidder have Privacy Safeguards to protect Texas HHS Confidential Information in oral, paper and/or electronic form? (Yes / No)
"Privacy Safeguards" means protection of Texas HHS Confidential Information by establishing, implementing and maintaining required Administrative, Physical and Technical policies, procedures, processes and controls, required by the DUA, HIPAA (45 CFR 164.530), Social Security Administration, Medicaid and laws, rules or regulations, as applicable. Administrative safeguards include administrative protections, policies and procedures for matters such as training, provision of access, termination, and review of safeguards, incident management, disaster recovery plans, and contract provisions. Technical safeguards include technical protections, policies and procedures, such as passwords, logging, emergencies, how paper is faxed or mailed, and electronic protections such as encryption of data. Physical safeguards include physical protections, policies and procedures, such as locks, keys, physical access, physical storage and trash.
Action Plan for Compliance with a Timeline: Compliance Date:
4. Does Applicant/Bidder and all subcontractors (if applicable) maintain a current list of Authorized Users who have access to Texas HHS Confidential Information, whether oral, written or electronic? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
5. Does Applicant/Bidder and all subcontractors (if applicable) monitor for and remove terminated employees or those no longer authorized to handle Texas HHS Confidential Information from the list of Authorized Users? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
This section is about your electronic system. If your business DOES NOT store, access, or transmit Texas HHS Confidential Information in electronic systems (e.g., laptop, personal computer, mobile device, database, server, etc.) select the box to the right (No Electronic Systems), and "YES" will be entered for all questions in this section.
For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related items is 30 calendar days, PII-related items is 90 calendar days.
1. Does the Applicant/Bidder ensure that services which access, create, disclose, receive, transmit, maintain, or store Texas HHS Confidential Information are maintained IN the United States (no offshoring) unless ALL of the following requirements are met? (Yes / No)
a. The data is encrypted with FIPS 140-2 validated encryption
b. The offshore provider does not have access to the encryption keys
c. The Applicant/Bidder maintains the encryption key within the United States
d.
The Applicant/Bidder has obtained the express prior written permission of the Texas HHS agency
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
2. Does Applicant/Bidder utilize an IT security-knowledgeable person or company to maintain or oversee the configurations of Applicant/Bidder's computing systems and devices? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
3. Does Applicant/Bidder monitor and manage access to Texas HHS Confidential Information (e.g., a formal process exists for granting access and validating the need for users to access Texas HHS Confidential Information, and access is limited to Authorized Users)? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
4. Does Applicant/Bidder a) have a system for changing default passwords, b) require user password changes at least every 90 calendar days, and c) prohibit the creation of weak passwords (e.g., require a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numerals, where possible) for all computer systems that access or store Texas HHS Confidential Information? (Yes / No)
If yes, upon request must provide evidence such as a screen shot or a system report.
Action Plan for Compliance with a Timeline: Compliance Date:
5. Does each member of Applicant/Bidder's Workforce who will use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information have a unique user name (account) and private password? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
6.
Does Applicant/Bidder lock the password after a certain number of failed attempts and after 15 minutes of user inactivity in all computing devices that access or store Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
7. Does Applicant/Bidder secure, manage and encrypt remote access (including wireless access) to computer systems containing Texas HHS Confidential Information? (e.g., a formal process exists for granting access and validating the need for users to remotely access Texas HHS Confidential Information, and remote access is limited to Authorized Users). (Yes / No)
Encryption is required for all Texas HHS Confidential Information. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
8. Does Applicant/Bidder implement computer security configurations or settings for all computers and systems that access or store Texas HHS Confidential Information? (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit exploitation opportunities for hackers or intruders, etc.) (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
9. Does Applicant/Bidder secure physical access to computer, paper, or other systems containing Texas HHS Confidential Information from unauthorized personnel and theft (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.)? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
10. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential Information that is transmitted over a public network (e.g., the Internet, WiFi, etc.)? (Yes / No)
If yes, upon request must provide evidence such as a screen shot or a system report.
Encryption is required for all HHS Confidential Information. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
11. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential Information stored on end user devices (e.g., laptops, USBs, tablets, smartphones, external hard drives, desktops, etc.)? (Yes / No)
If yes, upon request must provide evidence such as a screen shot or a system report.
Encryption is required for all Texas HHS Confidential Information. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
12.
Does Applicant/Bidder require Workforce members to formally acknowledge rules outlining their responsibilities for protecting Texas HHS Confidential Information and associated systems containing HHS Confidential Information before their access is provided? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
13. Is Applicant/Bidder willing to perform or submit to a criminal background check on Authorized Users? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
14. Does Applicant/Bidder prohibit the access, creation, disclosure, reception, transmission, maintenance, and storage of Texas HHS Confidential Information with a subcontractor (e.g., cloud services, social media, etc.) unless Texas HHS has approved the subcontractor agreement which must include compliance and liability clauses with the same requirements as the Applicant/Bidder? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
15. Does Applicant/Bidder keep current on security updates/patches (including firmware, software and applications) for computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
16. Do Applicant/Bidder's computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti-malware and antivirus protection? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
17. Does the Applicant/Bidder review system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
18. Notwithstanding records retention requirements, does Applicant/Bidder's disposal processes for Texas HHS Confidential Information ensure that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
19. Does the Applicant/Bidder ensure that all public facing websites and mobile applications containing Texas HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516; including requirements for implementing vulnerability and penetration testing and addressing identified vulnerabilities? (Yes / No)
For more information regarding TGC, Section 2054.516 DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS, please refer to: https://legiscan.com/TX/text/HB8/2017
Action Plan for Compliance with a Timeline: Compliance Date:
SECTION D (To be completed by Applicant/Bidder)
Please sign the form digitally, if possible. If you can't, provide a handwritten signature.
1. I certify that all of the information provided in this form is truthful and correct to the best of my knowledge. If I learn that any such information was not correct, I agree to notify Texas HHS of this immediately.
2. Signature: [illegible] 3. Title: Mayor 4. Date: June 16, 2023
To submit the completed, signed form:
• Email the form as an attachment to the appropriate Texas HHS Contract Manager(s).
Section To Be Completed by Agency(s):
Requesting Department(s): HHSC / DFPS / DSHS: Center for Health Statistics
Legal Entity Tax Identification Number (TIN) (Last four Only):
PO/Contract(s) #: HHS001441300001
Contract Manager: Gretchen Wells. Contract Manager Email Address: gretchen.wells@dshs.texas.gov. Contract Manager Telephone #: (512) 776-2679
COMPLETING THE SECURITY AND PRIVACY INQUIRY (SPI)
Below are instructions for Applicants, Bidders and Contractors for Texas Health and Human Services requiring the Attachment 2, Security and Privacy Inquiry (SPI) to the Data Use Agreement (DUA). Instruction item numbers below correspond to sections on the SPI form. If you are a bidder for a new procurement/contract, in order to participate in the bidding process, you must have corrected any "No" responses (except A9a) prior to the contract award date. If you are an applicant for an open enrollment, you must have corrected any "No" answers (except A9a and A11) prior to performing any work on behalf of any Texas HHS agency.
For any questions answered "No" (except A9a and A11), an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.
SECTION A. APPLICANT/BIDDER INFORMATION
Item #1. Only contractors that access, transmit, store, and/or maintain Texas HHS Confidential Information will complete and email this form as an attachment to the appropriate Texas HHS Contract Manager.
Item #2. Entity or Applicant/Bidder Legal Name. Provide the legal name of the business (the name used for legal purposes, like filing a federal or state tax form on behalf of the business, and is not a trade or assumed name "dba"), the legal tax identification number (last four numbers only) of the entity or applicant/bidder, the address of the corporate or main branch of the business, the telephone number where the business can be contacted regarding questions related to the information on this form and the website of the business, if a website exists.
Item #3. Number of Employees, at all locations, in Applicant/Bidder's workforce. Provide the total number of individuals, including volunteers, subcontractors, trainees, and other persons who work for the business. If you are the only employee, please answer "1."
Item #4. Number of Subcontractors. Provide the total number of subcontractors working for the business. If you have none, please answer "0" (zero).
Item #5. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to handle HHS Confidential Information during one year. Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Texas HHS Confidential Information during a year.
Only count clients/consumers once, no matter how many direct services the client receives during a year.
Item #5. Name of Information Technology Security Official and Name of Privacy Official for Applicant/Bidder. As with all other fields on the SPI, this is a required field. This may be the same person and the owner of the business if such person has the security and privacy knowledge that is required to implement the requirements of the DUA and respond to questions related to the SPI. In 4.A, provide the name, address, telephone number, and email address of the person whom you have designated to answer any security questions found in Section C and in 4.B. provide this information for the person whom you have designated as the person to answer any privacy questions found in Section B. The business may contract out for this expertise; however, designated individual(s) must have knowledge of the business's devices, systems and methods for use, disclosure, creation, receipt, transmission and maintenance of Texas HHS Confidential Information and be willing to be the point of contact for privacy and security questions.
Item #6. Type(s) of HHS Confidential Information the Entity or Applicant/Bidder Will Create, Receive, Maintain, Use, Disclose or Have Access to: Provide a complete listing of all Texas HHS Confidential Information that the Contractor will create, receive, maintain, use, disclose or have access to. The DUA section Article 2 Definitions, defines Texas HHS Confidential Information as:
"Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of Texas HHS that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.
Definitions for the following types of confidential information can be found at the following sites:
• Health Insurance Portability and Accountability Act (HIPAA) - http://www.hhs.gov/hipaa/index.html
• Criminal Justice Information Services (CJIS) - https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
• Internal Revenue Service Federal Tax Information (IRS FTI) - https://www.irs.gov/pub/irs-pdf/p1075.pdf
• Centers for Medicare & Medicaid Services (CMS) - https://www.cms.gov/Regulations-and-Guidance/Regulations-and-Guidance.html
• Social Security Administration (SSA) - https://www.ssa.gov/regulations/
• Personally Identifiable Information (PII) - http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
Item #7. Number of Storage devices for Texas HHS Confidential Information. The total number of devices is automatically calculated by exiting the fields in lines a - d. Use the <Tab> key when exiting the field to prompt calculation, if it doesn't otherwise sum correctly.
• Item 7a. Devices. Provide the number of personal user computers, devices, and drives (including mobile devices, laptops, USB drives, and external drives) on which your business stores or will store Texas HHS Confidential Information.
• Item 7b. Servers. Provide the number of servers not housed in a data center or "in the cloud," on which Texas HHS Confidential Information is stored or will be stored. A server is a dedicated computer that provides data or services to other computers. It may provide services or data to systems on a local area network (LAN) or a wide area network (WAN) over the Internet. If none, answer "0" (zero).
• Item 7c. Cloud Services. Provide the number of cloud services to which Texas HHS Confidential Information is stored. Cloud Services involve using a network of remote servers hosted on the Internet to store, manage, and process data, rather than on a local server or personal computer. If none, answer "0" (zero).
• Item 7d. Data Centers. Provide the number of data centers in which you store Texas HHS Confidential Information. A Data Center is a centralized repository, either physical or virtual, for the storage, management and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business. If none, answer "0" (zero).
Item #8. Number of unduplicated individuals for whom the Applicant/Bidder reasonably expects to handle Texas HHS Confidential Information during one year.
Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Confidential Information during a year. Only count clients/consumers once, no matter how many direct services the client receives during a year.
Item #9. HIPAA Business Associate Agreement.
• Item #9a. Answer "Yes" if your business will use, disclose, create, receive, transmit or store information relating to a client/consumer's healthcare on behalf of the Department of State Health Services, the Department of Disability and Aging Services, or the Health and Human Services Commission for treatment, payment, or operation of Medicaid or Medicaid clients. If your contract does not include HIPAA covered information, respond "no." If "no," a compliance plan is not required.
• Item #9b. Answer "Yes" if your business has a notice of privacy practices (a document that explains how you protect and use a client/consumer's healthcare information) displayed either on a website (if one exists for your business) or in your place of business (if that location is open to clients/consumers or the public). If your contract does not include HIPAA covered information, respond "N/A."
Item #10. Subcontractors. If your business responded "0" to question 4 (number of subcontractors), answer "N/A" to items 10a and 10b to indicate not applicable.
• Item #10a. Answer "Yes" if your business requires that all subcontractors sign Attachment 1 of the DUA.
• Item #10b. Answer "Yes" if your business obtains Texas HHS approval before permitting subcontractors to handle Texas HHS Confidential Information on your business's behalf.
Item #11. Optional Insurance.
Answer "yes" if applicant has optional insurance in place to provide coverage for a Breach or any other situations listed in this question. If you are not required to have this optional coverage, answer "N/A." A compliance plan is not required.
SECTION B. PRIVACY RISK ANALYSIS AND ASSESSMENT
Reasonable and appropriate written Privacy and Security policies and procedures are required, even for sole proprietors who are the only employee, to demonstrate how your business will safeguard Texas HHS Confidential Information and respond in the event of a Breach of Texas HHS Confidential Information. To ensure that your business is prepared, all of the items below must be addressed in your written Privacy and Security policies and procedures.
Item #1. Answer "Yes" if you have written policies in place for each of the areas (a-o).
• Item #1a. Answer "yes" if your business has written policies and procedures that identify everyone, including subcontractors, who are authorized to use Texas HHS Confidential Information. The policies and procedures should also identify the reason why these Authorized Users need to access the Texas HHS Confidential Information and this reason must align with the Authorized Purpose described in the Scope of Work or description of services in the Base Contract with the Texas HHS agency.
• Item #1b. Answer "Yes" if your business has written policies and procedures that require your employees (including yourself), your volunteers, your trainees, and any other persons whose work you direct, to comply with the requirements of HIPAA, if applicable, and other confidentiality laws as they relate to your handling of Texas HHS Confidential Information.
Refer to the laws and rules that apply, including those referenced in the DUA and Scope of Work or description of services in the Base Contract.
• Item #1c. Answer "Yes" if your business has written policies and procedures that limit the Texas HHS Confidential Information you disclose to the minimum necessary for your workforce and subcontractors (if applicable) to perform the obligations described in the Scope of Work or service description in the Base Contract. (e.g., if a client/consumer's Social Security Number is not required for a workforce member to perform the obligations described in the Scope of Work or service description in the Base Contract, then the Social Security Number will not be given to them.) If you are the only employee for your business, policies and procedures must not include a request for, or use of, Texas HHS Confidential Information that is not required for performance of the services.
• Item #1d. Answer "Yes" if your business has written policies and procedures that explain how your business would respond to an actual or suspected breach of Texas HHS Confidential Information. The written policies and procedures, at a minimum, must include the three items below. If any response to the three items below are no, answer "no."
  o Item #1di. Answer "Yes" if your business has written policies and procedures that require your business to immediately notify Texas HHS, the Texas HHS Agency, regulatory authorities, or other required Individuals or Authorities of a Breach as described in Article 4, Section 4 of the DUA. Refer to Article 4, Section 4.01: Initial Notice of Breach must be provided in accordance with Texas HHS and DUA requirements with as much information as possible about the Event/Breach and a name and contact who will serve as the single point of contact with HHS both on and off business hours.
Time frames related to Initial Notice include:
    • within one hour of Discovery of an Event or Breach of Federal Tax Information, Social Security Administration Data, or Medicaid Client Information
    • within 24 hours of all other types of Texas HHS Confidential Information
48-hour Formal Notice must be provided no later than 48 hours after Discovery for protected health information, sensitive personal information or other non-public information and must include applicable information as referenced in Section 4.01 (C) 2. of the DUA.
  o Item #1dii. Answer "Yes" if your business has written policies and procedures that require you to have and follow a written breach response plan as described in Article 4 Section 4.02 of the DUA.
  o Item #1diii. Answer "Yes" if your business has written policies and procedures that require you to notify Reporting Authorities and Individuals whose Texas HHS Confidential Information has been breached as described in Article 4 Section 4.03 of the DUA.
• Item #1e. Answer "Yes" if your business has written policies and procedures that require annual training of your entire workforce on matters related to confidentiality, privacy, and security, stress the importance of promptly reporting any Event or Breach, and outline the process that you will use to require attendance and track completion for employees who failed to complete annual training.
• Item #1f. Answer "Yes" if your business has written policies and procedures requiring you to allow individuals (clients/consumers) to access their individual record of Texas HHS Confidential Information, and allow them to amend or correct that information, if applicable.
• Item #1g.
Answer "Yes" if your business has written policies and procedures restricting access to Texas HHS Confidential Information to only persons who have been authorized and trained on how to handle Texas HHS Confidential Information.
• Item #1h. Answer "Yes" if your business has written policies and procedures requiring sanctioning of any subcontractor, employee, trainee, volunteer, or anyone whose work you direct when they have accessed Texas HHS Confidential Information but are not authorized to do so, and that you have a method of proving that you have sanctioned such individuals. If you are the only employee, you must demonstrate how you will document the noncompliance, update policies and procedures if needed, and seek additional training or education to prevent future occurrences.
• Item #1i. Answer "Yes" if your business has written policies and procedures requiring you to update your policies within 60 days after you have made changes to how you use or disclose Texas HHS Confidential Information.
• Item #1j. Answer "Yes" if your business has written policies and procedures requiring you to restrict attempts to take de-identified data and re-identify it or restrict any subcontractor, employee, trainee, volunteer, or anyone whose work you direct, from contacting any individuals for whom you have Texas HHS Confidential Information except to perform obligations under the contract, or with written permission from Texas HHS.
• Item #1k. Answer "Yes" if your business has written policies and procedures prohibiting you from using, disclosing, creating, maintaining, storing or transmitting Texas HHS Confidential Information outside of the United States.
• Item #1l. Answer "Yes" if your business has written policies and procedures requiring your business to cooperate with HHS agencies or federal regulatory entities for inspections, audits, or investigations related to compliance with the DUA or applicable law.
• Item #1m.
Answer "Yes" if your business has written policies and procedures requiring your business to use appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information. Policies and procedures should comply with Texas HHS requirements for retention of records and methods of disposal.
• Item #1n. Answer "Yes" if your business has written policies and procedures prohibiting the publication of the work you created or performed on behalf of Texas HHS pursuant to the DUA, or other Texas HHS Confidential Information, without express prior written approval of the HHS agency.

Item #2. Answer "Yes" if your business has a current training program that meets the requirements specified in the SPI for you, your employees, your subcontractors, your volunteers, your trainees, and any other persons under your direct supervision.

Item #3. Answer "Yes" if your business has privacy safeguards to protect Texas HHS Confidential Information as described in the SPI.

Item #4. Answer "Yes" if your business maintains current lists of persons in your workforce, including subcontractors (if applicable), who are authorized to access Texas HHS Confidential Information. If you are the only person with access to Texas HHS Confidential Information, please answer "Yes."

Item #5. Answer "Yes" if your business and subcontractors (if applicable) monitor for and remove from the list of Authorized Users, members of the workforce who are terminated or are no longer authorized to handle Texas HHS Confidential Information. If you are the only one with access to Texas HHS Confidential Information, please answer "Yes."

SECTION C. SECURITY RISK ANALYSIS AND ASSESSMENT

This section is about your electronic systems. If you DO NOT store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal computer, mobile device, database, server, etc.), select the "No Electronic Systems" box and respond "Yes" for all questions in this section.

Item #1.
Answer "Yes" if your business does not "offshore" or use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information outside of the United States. If you are not certain, contact your provider of technology services (application, cloud, data center, network, etc.) and request confirmation that they do not offshore their data.

Item #2. Answer "Yes" if your business uses a person or company who is knowledgeable in IT security to maintain or oversee the configurations of your business's computing systems and devices. You may be that person, or you may hire someone who can provide that service for you.

Item #3. Answer "Yes" if your business monitors and manages access to Texas HHS Confidential Information (i.e., reviews systems to ensure that access is limited to Authorized Users; has formal processes for granting, validating, and reviewing the need for remote access for Authorized Users to Texas HHS Confidential Information, etc.). If you are the only employee, answer "Yes" if you have implemented a process to periodically evaluate the need for accessing Texas HHS Confidential Information to fulfill your Authorized Purposes.

Item #4.
Answer "Yes" if your business has implemented a system for changing the password a system initially assigns to the user (also known as the default password), and requires users to change their passwords at least every 90 days, and prohibits the creation of weak passwords for all computer systems that access or store Texas HHS Confidential Information (e.g., a strong password has a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numbers, where possible). If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

Item #5. Answer "Yes" if your business assigns a unique user name and private password to each of your employees, your subcontractors, your volunteers, your trainees and any other persons under your direct control who will use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information.

Item #6. Answer "Yes" if your business locks the access after a certain number of failed attempts to login and after 15 minutes of user inactivity on all computing devices that access or store Texas HHS Confidential Information. If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy

Item #7. Answer "Yes" if your business secures, manages, and encrypts remote access, such as: using Virtual Private Network (VPN) software on your home computer to access Texas HHS Confidential Information that resides on a computer system at a business location or, if you use wireless, ensuring that the wireless is secured using a password code. If you do not access systems remotely or over wireless, answer "Yes."

Item #8.
Answer "Yes" if your business updates the computer security settings for all your computers and electronic systems that access or store Texas HHS Confidential Information to prevent hacking or breaches (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit opportunities for hackers or intruders to access your system). For example, Microsoft's Windows security checklist: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings

Item #9. Answer "Yes" if your business secures physical access to computer, paper, or other systems containing Texas HHS Confidential Information from unauthorized personnel and theft (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.). If you are the only employee and use these practices for your business, answer "Yes."

Item #10. Answer "Yes" if your business uses encryption products to protect Texas HHS Confidential Information that is transmitted over a public network (e.g., the Internet, WIFI, etc.) or that is stored on a computer system that is physically or electronically accessible to the public (FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data). For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips

Item #11. Answer "Yes" if your business stores Texas HHS Confidential Information on encrypted end-user electronic devices (e.g., laptops, USBs, tablets, smartphones, external hard drives, desktops, etc.)
and can produce evidence of the encryption, such as, a screen shot or a system report (FIPS 140-2 encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data). For more information regarding FIPS 140-2 validated encryption products, please refer to: http://csrc.nist.gov/publications/fips. If you do not utilize end-user electronic devices for storing Texas HHS Confidential Information, answer "Yes."

Item #12. Answer "Yes" if your business requires employees, volunteers, trainees and other workforce members to sign a document that clearly outlines their responsibilities for protecting Texas HHS Confidential Information and associated systems containing Texas HHS Confidential Information before they can obtain access. If you are the only employee answer "Yes" if you have signed or are willing to sign the DUA, acknowledging your adherence to requirements and responsibilities.

Item #13. Answer "Yes" if your business is willing to perform a criminal background check on employees, subcontractors, volunteers, or trainees who access Texas HHS Confidential Information. If you are the only employee, answer "Yes" if you are willing to submit to a background check.

Item #14.
Answer "Yes" if your business prohibits the access, creation, disclosure, reception, transmission, maintenance, and storage of Texas HHS Confidential Information on Cloud Services or social media sites if you use such services or sites, and there is a Texas HHS approved subcontractor agreement that includes compliance and liability clauses with the same requirements as the Applicant/Bidder. If you do not utilize Cloud Services or media sites for storing Texas HHS Confidential Information, answer "Yes."

Item #15. Answer "Yes" if your business keeps current on security updates and patches (including firmware, software and applications) for computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating, see example: https://portal.msrc.microsoft.com/en-us/

Item #16. Answer "Yes" if your business's computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti-malware and antivirus protection. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating, see example: https://docs.microsoft.com/en-us/windows/security/threat-protectio

Item #17. Answer "Yes" if your business reviews system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis. If you use a Microsoft Windows system, refer to the Microsoft website for ensuring your system is logging security events, see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-security-audit-policies

Item #18.
Answer "Yes" if your business's disposal processes for Texas HHS Confidential Information ensure that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable. Simply deleting data or formatting the hard drive is not enough; ensure you use products that perform a secure disk wipe. Please see NIST SP 800-88 R1, Guidelines for Media Sanitization and the applicable laws and regulations for the information type for further guidance.

Item #19. Answer "Yes" if your business ensures that all public facing websites and mobile applications containing HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516.

SECTION D. SIGNATURE AND SUBMISSION

Click on the signature area to digitally sign the document. Email the form as an attachment to the appropriate Texas HHS Contract Manager.

ATTACHMENT C
ACCESS TO PUBLIC HEALTH DASHBOARDS THROUGH DSHS CONTRACT NO. HHS001437900001

Subject to the terms and conditions set forth in the Memorandum of Understanding between the parties, this Attachment C provides Local Public Health Entity (LHE) with authorization to access public health dashboards created by DSHS.

I. PURPOSE

DSHS agrees to provide LHE access to public health dashboards and data visualizations created by DSHS for a variety of data sets maintained by DSHS. LHE may access aggregate data on these dashboards (even if they do not have an agreement to access identified data) for LHE's jurisdiction and any jurisdiction contiguous to their jurisdiction for the purpose of providing essential public health services. Statewide views may also be available on public health dashboards.

II. LEGAL AUTHORITY

DSHS has legal authority under Texas Health and Safety Code, Section 1001.089 to share the data described in this Attachment.

III. SPECIAL CONSIDERATIONS FOR THE USE OF PUBLIC HEALTH DASHBOARDS

a) Dashboards and other data visualizations created by DSHS and shared with LHE may contain potentially identifiable public health data.
b) DSHS will provide access credentials for staff designated by LHE and authorized by DSHS to access these secure dashboards and other data visualizations.
c) At its sole discretion, DSHS may or may not suppress data on public health dashboards or other data visualizations shared with LHE.
d) LHE shall not make any attempt to use the data on the dashboard or data visualizations to identify a person represented on the dashboard.
e) LHE shall ensure dashboards and other data visualizations, including exports of information from these dashboards and data visualizations that contain potentially identifiable health information, are not shared with the public or other non-authorized audiences.

ATTACHMENT D
ACCESS TO VITAL EVENT DATA THROUGH DSHS CONTRACT NO. HHS001437900001

Subject to the terms and conditions set forth in the Memorandum of Agreement between the Parties, this Attachment D provides Local Public Health Entity (LHE) with authorization to access public health data maintained by DSHS.

I. PURPOSE

DSHS agrees to provide LHE access to certain confidential data extracted from designated birth, death, fetal death, and/or birth-infant death linked (BID) records maintained by DSHS. LHE may access the vital event data for LHE's jurisdiction and any jurisdiction contiguous to their jurisdiction for the purpose of providing essential public health services. This data will include all residents of the Local Health Entity's jurisdiction regardless of where the event occurred.
Section IV of this Attachment outlines the intended use of the data by LHE. No personally identifiable information and non-public data may be shared or released by LHE without specific statutory authority and the prior written consent of DSHS.

II. LEGAL AUTHORITY

DSHS has legal authority under the following statutes to share the data described in this Attachment:
a) Texas Government Code, Section 552.115;
b) Texas Health and Safety Code, Section 191.051; and
c) 25 Texas Administrative Code, Section 181.1(21).

III. DESCRIPTION OF VITAL EVENT DATA TO BE PROVIDED

DSHS will provide LHE with provisional and finalized birth, death, fetal death, and/or BID data files via secure data exchange, according to the variables outlined in Section VI of this Attachment. In BID files, variables provided include only those death certificate items requested by the LHE in the birth and death checklists outlined in Section VI of this Attachment and are completed for death certificates. In provisional birth, death, and fetal death files, variables provided include only those items requested by the LHE in the checklists outlined in Section VI of this Attachment that are available for provisional data.

A. DSHS will provide data for vital events that occurred 2023 through the current year of available data. The selection criteria are events among all residents of Lubbock County.
B. DSHS will provide access to vital events data according to the following schedule and conditions:
1. Access to finalized statistically-locked data files will be provided approximately one month after the effective date of this MOU, for years 2023 through current. These files will consist of birth, death, fetal death and/or BID data files.
2. Once DSHS has granted an LHE staff member access in accordance with Section IV (D) of the MOU, that individual shall have log in access to the data twenty-four hours a day, seven days a week.
3. Annual statistically locked birth, death, fetal death and/or BID data files will replace that year's provisional data.
C. LHE will use the confidential data obtained under this Attachment only for the purposes described in this Attachment or as otherwise approved by DSHS in writing, and shall be in accordance with LHE's appropriate review policies.

IV. INTENDED USE OF VITAL EVENT DATA

The use of vital event data is to assist Lubbock Public Health Department address the gaps in community health. Understanding fetal death and vital records will allow the health department to search for a root cause of morbidities and mortalities of the citizens of the Lubbock community and develop policies and procedures to prevent further health disparities. Understanding the demographics pulled from the requested data can allow us to target affected populations. The reviewed data can allow us to analyze what our community lacks and what we can do as a public health service to ensure health equity and equality for our citizens.

V. SPECIAL CONSIDERATIONS FOR THE USE OF VITAL EVENT DATA

Under no circumstances shall LHE utilize the data to identify, disclose, or discover information concerning the specific adoptions, paternity determinations, or the identity of the parents of children who are the subjects of adoption placements. Any accidental identification of this information related to a child or parents of that child shall not be disclosed.

VI. CHECKLISTS FOR VITAL EVENT DATA

Checklists will be attached as Exhibits of Attachment D, as provided in LHE's data request for birth, death, and/or fetal death, and may be amended to add, delete or modify data elements.
• Exhibit D-1 - Birth Certificate Data
• Exhibit D-2 - Death Certificate Data
• Exhibit D-3 - Fetal Death Certificate Data

VII.
LIST OF INDIVIDUALS ACCESSING DATA

In accordance with Section III of the MOU, LHE shall submit a list of staff, titles, and email addresses; and the intended use of the data, to request access to the limited data set(s) or data visualization. The request must be submitted to the DSHS Representatives identified directly below. LHE shall notify DSHS Representatives of any changes in staff that require removal from the list of authorized users. Such notification must be made in writing and within five (5) business days of any staffing changes.

VIII. VITAL EVENT DATA REPRESENTATIVES

The following will act as the representatives authorized to administer activities under this Attachment for vital event data on behalf of their respective Party.

DSHS Contract Management Section (CMS): Gretchen Wells, Contract Manager, 1100 W 49th Street, MC 1990, Austin, Texas 78756, (512) 776-2679, Gretchen.wells@dshs.texas.gov

DSHS Center for Health Statistics: Jason Lucas, Branch Manager, PO Box 149347, Mail Code 1898, Austin, TX 78714-9347, (512) 776-6439, HIRBrequests@dshs.texas.gov dshs.texas.gov

City of Lubbock: Tiffany Torres, MPH, MLS(ASCP)II, Laboratory/Epidemiology Manager, 806 18th Street, Lubbock, TX 79401, (orrc 77mylub, ttorres@mylubbock.us

Exhibit D-1
Checklist for Birth Certificate Data 2005 and beyond

Instructions:
1. Since these data are confidential, all requested certificate items need to have brief justifications according to your project aims.
2. If a certificate item is used for linkage, then state how and whether it will be removed from the resulting linked analysis file. If the certificate item will be retained in the linked analysis file, please also provide a brief justification according to your project aims.
3.
For certain sensitive data elements, such as certificate number or residence address, consider alternative means of accomplishing your project aims while using less sensitive data. Examples include creating your own unique identifier instead of requesting the certificate number, and requesting geocoded census tracts instead of residence address.

I. Birth Certificate Items Available Electronically

Item Number Item Descriptor Justification
® Unique ID — Created by CHS Unique identifier, if needing to de-identify ❑ Birth Number Certificate Number ❑ ® 1 Child's Birth State Patient identifier for records Child's Name ® First Patient identifier for records ® Middle Patient identifier for records Last Suffix Patient identifier for records 2 Date of Birth (mm/dd/yyyy) Patient identifier for records ® 3. Sex Data aggregation studies ❑ ® ® ® 4a. 4b. Place of Birth — Count City or Town Demographic studies Condition studies 5. Time of Birth AM/PM ® ® 6a. Plurality - Single, Twin, Triplet, etc. 6b. If Plural Birth, Born, 1st, 2nd, 3rd, etc. 7a. Place of Birth: Clinic/Doctor's Office Licensed Birthing Center Hospital Home Birth (Planned to deliver at home? Yes/No) Other: Other (Specify) - includes residential addresses for home births Name of Hospital or Birthing Center (street address for not 7b. institution Condition studies Condition studies ® ® Provider education as needed Demographic studies ® 8b. 10. Attendant Type: MD, DO, CNM, Midwife, Other Other (Specify): Mother's Name Prior to First Marriage Provide education, as needed Link patient to conditions ® First Link patient to conditions ® Middle Link patient to conditions ® Last Link patient to conditions 11 Date of Birth (mm/dd/yyyy) Link patient to records 12 Birthplace (state, territory, or foreign country) Demographic studies ® ® 13a. 13b 13c.
Residence State County City, Town or Location Street Address or Rural Location Mother's residence apartment number Zip Code Demographic studies Demographic studies Demographic studies ® ❑ 13d. Demographic studies Demographic studies 13e. 13f. Inside City Limits (Yes/No) Demographic studies Demographic studies ® 14. Mother's Mailing Address ® Mother's Mailing Apartment Number Demographic studies ® Mother's Mailing City Demographic studies ® Mother's Mailing State Demographic studies Mother's Mailing Zip Code ❑ Same as Residence, or: 15. Father Name Patient identifier for records ® First Patient identifier for records ® Middle Patient identifier for records ® Last Patient identifier for records ❑ Suffix ® 16. Date of Birth (mm/dd/yyyy) Patient identifier for records ❑ 17. Birthplace (state, territory or foreign country)

Items 19 through 65 are confidential information for medical and public health use. Tex. Health and Safety Code, Sec. 192.002(b)

Item Number Item Descriptor Justification
19. Mother's Current Legal Name ® First Demographic studies ® Middle Demographic studies ® Last Demographic studies ❑ 22. Mother Married Yes/No ❑ ❑ ❑ ❑ 6 Father's Mailing Address Father's Mailing Apartment Number Father's Mailing City Father's Mailing State Father's Mailing Zip Code Same as Mother ® 27. Mother's Education Determinants of health studies 8th Grade or Less 9th - 12th Grade, No Diploma High School Graduate or GED Some College Credit, but No Degree Associate Degree (e.g., AA, AS) Bachelor's Degree (e.g., BA, AB, BS) Master's Degree (e.g., MA, MS, MEng, MEd, MSW, MBA) Doctorate (e.g., PhD, EdD) or Professional Degree (e.g., MD, DDS, DVM, LLB, JD) 28. Mother of Hispanic Origin?
No, Not Spanish, Hispanic/Latina Demographic Studies
Yes, Mexican, Mexican American, Chicana Demographic Studies
Yes, Puerto Rican Demographic Studies
® Yes, Cuban Demographic Studies
® Yes, Other Spanish, Hispanic/Latina Demographic Studies
Yes, Other Spanish, Hispanic/Latina (Specify) Demographic Studies
Mother of Hispanic Origin: Unknown Demographic Studies
29. Mother's Race Demographic Studies
® White Demographic Studies
Black or African American
® American Indian or Alaska Native Demographic Studies
® American Indian or Alaska Native (Name of the enrolled or principal tribe) Demographic Studies
Asian Indian Demographic Studies
Chinese Demographic Studies
® Filipino Demographic Studies
Japanese Demographic Studies
® Korean Demographic Studies
® Vietnamese Demographic Studies
® Other Asian Demographic Studies
® Other Asian (Specify) Demographic Studies
® Native Hawaiian Demographic Studies
® Guamanian or Chamorro Demographic Studies
® Samoan Demographic Studies
® Other Pacific Islander Demographic Studies
® Other Pacific Islander (Specify) Demographic Studies
® Other Demographic Studies
Other (Specify) Demographic Studies
Mother's Race: Unknown Demographic Studies
30. Father's Education Determinants of health studies 8th Grade or Less 9th - 12th Grade, No Diploma High School Graduate or GED Some College Credit, but No Degree Associate Degree (e.g., AA, AS) Bachelor's Degree (e.g., BA, AB, BS) Master's Degree (e.g., MA, MS, MEng, MEd, MSW, MBA) Doctorate (e.g., PhD, EdD) or Professional Degree (e.g., MD, DDS, DVM, LLB, JD)
31. Father of Hispanic Origin?
® No, not Spanish, Hispanic/Latino Demographic Studies
® Yes, Mexican, Mexican American, Chicana Demographic Studies
® Yes, Puerto Rican Demographic Studies
® Yes, Cuban Demographic Studies
® Yes, Other Spanish, Hispanic/Latino Demographic Studies
® Yes, Other Spanish, Hispanic/Latino (Specify) Demographic Studies
Father of Hispanic Origin: Unknown Demographic Studies
32. Father's Race
White Demographic Studies
® Black or African American Demographic Studies
® American Indian or Alaska Native Demographic Studies
® American Indian or Alaska Native (Name of the enrolled or principal tribe) Demographic Studies
® Asian Indian Demographic Studies
® Chinese Demographic Studies
Filipino Demographic Studies
® Japanese Demographic Studies
® Korean Demographic Studies
® Vietnamese Demographic Studies
® Other Asian Demographic Studies
® Other Asian (Specify) Demographic Studies
Native Hawaiian Demographic Studies
® Guamanian or Chamorro Demographic Studies
Samoan Demographic Studies
® Other Pacific Islander Demographic Studies
® Other Pacific Islander (Specify) Demographic Studies
® Other Demographic Studies
® Other (Specify) Demographic Studies
Father's Race: Unknown Demographic Studies
33. Mother ❑ Usual Occupation
34. Father ❑ Usual Occupation
35. Mother Type of Business/Industry
36. Father ❑ Type of Business/Industry
Pregnancy History
PREVIOUS LIVE BIRTHS Do not include this child
❑ 37a. Now Living Number None
❑ 37b. Now Dead Number None
❑ 37c. Date of Last Live Birth mm/
❑ 37d. OTHER PREGNANCY OUTCOMES Number
❑ 37e. None Date Last Other Pregnancy Ended mm/
38.
SOURCE OF PRENATAL CARE check all that apply) ® Hos ital Clinic rovider education as needed Public Health Clinic 3rovider education as needed ® Private Physician rovider education as needed ® Midwife rovider education as needed None rovider education as needed Unknown Provider education as needed DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 50 of 69 Other ;Provider education as needed Other (Specify) _ rovider education as needed Mother's Medicaid Number ❑ 39. ® Q. Mother's Pre re nanc Weight(pounds) Provider education as needed ® 1- Mother's Weight at Delivery (pounds) Provider education as needed ,� Item Number Item Descriptor Justification 2. Mother's Height feet/inches-Determine risk of pregnancy, if any 3- Date Last Normal Menses Began mmfddl PRENATAL CARE ® No Prenatal Care Determine risk of pregnancy, if any .. ® 44a. -- — --- Date of First Visit mmlddlDetermine ---- risk of pregnancy, if any ® 44b. Date of Last Visit {rnm/dd/yyy Determine risk of pregnancy, if any ® 4c. Number of Prenatal Visits Determine risk of pregnancy, if any ® 5- Cigarette Smoking Before and During Pregnancy Average Number of Cigarettes or Packs of Cigarettes Smoked per Da etermine risk of pregnancy, if any v Three Months Before Pregnancy ❑ # of Cigarettes ❑ # of Packs First Three Months of Pregnancy ❑ -------- - -------------------- --- # of Cigarettes ❑ # of Packs Second Three Months of Pregnancy ❑ # of Cigarettes ❑ # of Packs Third Trimester of Pregnancy ❑ # of Ci arettes ❑ # of Packs ❑ 46. Principal Source of Payment for this Delivery Private Insurance ------------- Medicaid Self -pay ❑ Dther S eci ❑ ® ® 7. 48, Did Mother get WIC Food for Herself During this Pregnancy? Yes/Na Mother Transferred for Maternal Medical or Fetus Indications for this Delivery? (YeslNo) If Yes, Enter the Name of Facility Mother Transferred From. 
Determine risk of pregnancy, if any 9, Risk Factors in this Pregnancy check all that apply) Diabetes z Pre re fancy diagnosis prior to this pregnancy) Determine risk of pregnancy, if any ® Gestational (diagnosis in this pregnancy) Determine risk of pregnancy, if any Hypertension ® Pre re nanc chronicDetermine risk of pregnancy, if any Gestational PIH reeclam siaDetermine risk of pregnancy, if any ® Eclam sia Determine risk of pregnancy, if any ® Previous Preterm Birth Other Previous Poor Pregnancy Outcome (includes perinatal death, small -for -gestational age/intrauterine growth restricted growth) etermine risk of pregnancy, if any 0 Preqnancv Resulted from Infertility Treatment DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F2397lA539 HHS Conlract No: HHS001437900001 Page 51 of 69 ❑ Fertility -enhancing Drugs, Artificial Insemination, or Intrauterine Insemination ❑ Assisted Re reductive Tech nology___(e- . IVF, GIFT ❑ ❑ Mother had Previous Cesarean Delivery If yes, how man Item Number Item Descriptor Justification ® ------------------------_ ntlretrovirals Administered During Pregnancy or at Delivery (Variables which provide or imply HIV or STD infection status cannot be provided to agencies outside of DSHS Determine risk of pregnancy, if any ® 50. 
None of the Above Infections Present and/or Treated During this Pregnancy (Variables which provide or imply HIV or STD infection status cannot be provided to agencies outside of DSHS Determine risk of pregnancy, if any Determine risk of pregnancy, if any ® Gonorrhea Determine risk of pregnancy, if any ® S s Determine risk of pregnancy, if any ® Chlam diaDe-term ine risk of pregnancy, if any ® Hepatitis B Determine risk of pregnancy, if any ® Hepatitis C Determine risk of pregnancy, if any ® None of the Above Determine risk of pregnancy, if any ❑ 51 a- HIV Test Done Prenatally (Yes/No) - available for 2011 onwards Determine risk of pregnancy, if any ❑ First Trimester ❑ Second Trimester ❑ Third Trimester ❑ Unknown ❑ None Z 51 b. HIV Test Done at Delivery Yes/NaDetermine risk of pregnancy, if any ® Infant Tested for HIV at Birth (Yes/No) -available for 2011 onwards Determine risk of pregnancy, if any 52. Obstetric Procedures Determine risk of pregnancy, if any ® Cervical Cercla e Determine risk of pregnancy, if any Tocolysis Determine risk of pregnancy, if any External Cephalic Version: Determine risk of pregnancy, if any ® Successful Determine risk of pregnancy, if any ® Failed Determine risk of pregnancy, if any None of the Above Determine risk of pregnancy, if any 53. Onset of Labor Premature Rupture of the Membranes (prolonged ? 12 hrs.Determine risk of pregnancy, if any ® Precipitous Labor 3 hrs.Determine risk of pregnancy, if any Prolonged Labor 20 hrs-Determine risk of pregnancy, if any None of the Above Determine risk of pregnancy, if any 54. 
Characteristics of Labor and Delivery ® Induction of Labor Determine risk of pregnancy, if any ® of Labor Determine risk of pregnancy, if any ® --Augmentation Non -Vertex of Labor Determine risk of pregnancy, if any Steroids (glucocorticoids) for Fetal Lung Maturation Received by the Mother Prior to Delivery Determine risk of pregnancy, if any ® Antibiotics Received by the Mother During Labor Determine risk of pregnancy, if any ❑ Chorioamnionitis or Maternal Temperature 2:38°C 100.4'F ❑ Moderate/Heavy Meconium Staining of the Amniotic Fluid DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 52 of 69 Fetal Intolerance of Labor Such That One or More of the Following Actions was Taken: In-Utero Resuscitative Measures, Further Fetal Assessment or Operative Delivery Epidural or Spinal Anesthesia During Labor C1 None of the Above 55. Method of Delivery ❑ 55a. Was Delivery with Forceps Attempted but Unsuccessful? Yes/No V Item Number Item Descriptor Justification ® 55b. Was Delivery with Vacuum Extraction Attempted but Unsuccessful? Yes/No Determine risk of pregnancy, if any ® 55c. I Fetal Presentation at Birth Determine risk of pregnancy, if any Cephalic Breech Other ® 55d. Final Route and Method of Delivery check oneDetermine risk of pregnancy, if any Va inal/5 ontaneous Va inal/Forceps _ Va nal/Vacuum �J Cesarean If Cesarean, was a Trial of Labor Attempted: (Yes/No} Determine risk of pregnancy, if any 56. 
Maternal Morbidity - Complications Associated with Labor and elive Check All That Apply] Determine risk of pregnancy, if any ® Maternal Transfusion Determine risk of pregnancy, if any ® ® Third or Fourth Degree Perineal Laceration Ruptured Uterus Determine risk of pregnancy, if any _Determine risk of pregnancy, if any ® Unplanned H sterectom ________ Determine risk of pregnancy, if any ® Admission to Intensive Care Unit Determine risk of pregnancy, if any ® Unplanned Operating Room Procedure Following Delivery Determine risk of pregnancy, if any ® None of the Above Determine risk of pregnancy, if any 157. Newborn Information ® Hepatitis B Immunization Given?(Yes/No) Newborn assessment 58 Birthweight (G or LB. OZ.) G Newborn assessment ® LB Newborn assessment ® ® 59. ------------ OZ l omio Obstetric Estimate of Gestation (completed weeks S _._._._.p. } Newborn assessment ewbt orn assessmen ® 60a. Apgar Score at 5 Minutes ewborn assessment ® i® 60b. 61. _ If 5 Minute Score is Less Than 6, Apgar Score at 10 Minutes Is the Infant Living at the Time of the Report? YeslNo Newborn assessment _ .. _.._ ewborn assessment ® 62. Is the Infant Being Breastfed at the Time of Discharge? ewborn assessment Yes No Infant Transferred, Status Unknown 63. Abnormal Conditions of the Newborn check all that apply) Assisted Ventilation Required Immediately Following Delivery Newborn assessment ®� Assisted Ventilation Required for More Than 6 Hours ewborn assessment DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 53 of 59 NICU Admission ewborn assessment Newborn Given Surfactant Replacement Therapy Antibiotics Received by the Newborn for Suspected Neonatal ewborn assessment Seizure or Serious Neurologic Dysfunction ❑ Significant Birth Injury (Skeletal Fracture(s), Peripheral Nerve Injury, and/or Soft Tissue/Solid Organ Hemorrhage Which Re uire_sIntervention ✓ Item Number Item Descriptor Justification ❑ None of the Above 64. 
Gan enital Anomalies of the Newborn check all that apply) ❑ Anence hal ❑ Men in_gamyelocele/S ina Bifida ❑ Cyanotic Congenital Heart Disease ❑ Congenital Diaphragmatic Hernia ❑ Om halocele ❑ Gastroschisis Q Limb Reduction Defect (excluding congenital amputation and dwarfing syndromes) ❑ Cleft Lip With or Without Cleft Palate ❑ Cleft Palate Alone ❑ Down Syndrome ❑ Karyoty e Confirmed ❑ Karyotype Pending ❑ Suspected Chromosomal Disorder ❑ Karyotype Confirmed ❑ Karyotype Pending Q ❑ Hypospadias None of the Anomalies Listed Above ❑ ❑ 65. Was Infant Transferred Within 24 Hours of Delivery? (Yes/No) If Yes, Name of Facility Infant Transferred to I1. Variables Calculated Based on the Certificate Information ✓ Item Number Item Descriptor Justification Demographic studies Demographic studies ® Father's Age Mother's Age ❑ Mother's Combined Race 1 Ethnicity IMother's Bridged Race Code (determined by NCHS) Father's Bridged Race Code (determined by NCHS) Q ❑ Q Birth Welk ht Group Birth Weight Calculated in Grams ® ❑ Birth Weight Priority (2005-2017) Calculated Gestation or Length of Pregnancy Month Prenatal Care Began isk assessment ❑ lNumber of Live Births at this Delivery (2005-2018) ® Lon itude based on mother's street addressDemographic studies ® Latitude based on mother's street address) GIS Match Code Demographic studies ❑ ❑ GIS Location Code DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HH5001437900001 Page 54 of 69 ❑ I IGeocodingAccuracy ❑ GIS Mother's Residence County Name from 2014 data on ❑ GIS Mother's Residence County FIPS Cade (from 2014 data on ❑ Zip Code Tabulation Area ZCTA from 2013 data on ❑ 1990 Census Tract based on mother's street address ❑ 2000 Census Tract based on mother's street address ❑ 2010 Census Tract (based on mother's street address) - from 2010 data [] 2020 Census Tract (based on mother's street address) — from 2020 data Last updated: November 2, 2021 DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS 
Contract No: HHS001437900001 Page 55 of 69

Exhibit D-2
Checklist for Death Certificate Data - Draft 2006 and beyond

Instructions:
1. Since these data are confidential, all requested certificate items need to have brief justifications according to your project aims.
2. If a certificate item is used for linkage, then state how and whether it will be removed from the resulting linked analysis file. If the certificate item will be retained in the linked analysis file, please also provide a brief justification according to your project aims.
3. For certain sensitive data elements, such as certificate number or residence address, consider alternative means of accomplishing your project aims while using less sensitive data. Examples include creating your own unique identifier instead of requesting the certificate number, and requesting geocoded census tracts instead of residence address.

I. Death Certificate Items
Item Number Item Descriptor | Justification
❑ n/a State File Number Certificate Number
® n/a State of Death | Review of death data
® 1 Legal Name of Deceased: | Patient identifier
® First
® Middle
® Last
Maiden
® Suffix
® 1. Deceased AKA's if any: | Comparison with current records
First
® Middle
® Last
® 2. Date of Death | Death review
® Date of Death Type (Actual, Presumed, Estimated, Found)
® 3. Sex | Demographic data
® 4. Date of Birth | Patient identifier
Z 5. Age - Last Birthday | Demographic data
® Age - kind of units (years, months, weeks, days, hours, minutes) | Demographic data
® 6. Birthplace - City | Demographic data
❑ State or Foreign Country
® 8. Marital Status at Time of Death | Demographic data
z 9. Surviving Spouse (If wife, give name prior to first marriage): | Record comparison
❑ First
® Middle
® Last
Suffix
14a. Residence Street Address | Demographic data
® 10b. Apt No | Demographic data
10c. City or Town of Residence | Demographic data
10d. County of Residence
z 10e. State of Residence
Zip Code | Demographic data
❑ Zip Code Extension
1Q Inside City Limits?
DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F2397lA539 HHS Contract No: HHS001437900001 Page 56 of 69 ./ Item Number Item Descriptor Justification D 11 Father's Name: ❑ First ❑ Middle ❑ Last ❑ Suffix ❑ 12 Mother's Name Prior to First Marriage: ❑ First ❑ Middle ❑ Last ❑ Suffix ® 13. Place of Death: Review of death data for department programs If Death Occurred in a Hospital. Inpatient If Death Occurred in a Hospital: ER/Outpatient If Death Occurred in a Hospital' DOA If Death Occurred Somewhere Other Than a Hospital: Hospice Facility If Death Occurred Somewhere Other Than a Hospital Nursing Home (Includes LTC) If Death Occurred Somewhere Other Than a Hospital: Decedent's Home ® Other Other (Specify) ® 14. County of Death Demographic review and comparison of data ❑ 15. City/Town of Death (If outside city limits give precinct Demographic review and comparison of data ❑ no) ❑ Street Address ® Zip Code Zip Code Extension ❑ 16. Facility Name If not institution give street address ❑ 17. Informant's Name & Relationship to Deceased 18. Mailing Address of Informant: ❑ Street ❑ Number ❑ City ❑ State ❑ Zip Code ❑ Zip Code Extension ® 19. 
Method of Disposition: Death data review Burial Cremation Donation Entombment Removal From State Other ❑ Other (Specify) ❑ 20 License Number of Funeral Director or Person Acting s Such ❑ 21 Section ❑ Block ❑ Lot ❑ Space ❑ Unknown ❑ Place of Disposition (Name of cemetery, crematory, Death data review 22 other lace ❑ 23 Location of Disposition.- 0 City, Town ❑ State DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 57 of fig ./ Item Number Item Descriptor Justification ❑ 24 Name of Funeral Facility 25 Complete Address of Funeral Facility: ❑ Street ❑ Number ❑ City ❑ State ❑ Zip Code Code Extension _❑ ® —Zip 26 Certifier: ME Point of Contact Certifying Physician Medical Examiner Justice of the Peace ❑ 28 Date Certified Mo/Da Nr ❑ 29 Certifier's License Number ® 30 Time of Death Death data review ❑ Time of Death Type (Actual, Presumed, Estimated, Found)T_ _ 31, Certifier's Address: ❑ Street and Number ❑ City State ❑ Zip Code ❑ Zip Code Extension ❑ 32. Title of Certifier 33. Chain of Events —Diseases, Injuries or Complications — That Directly Caused the Death: (if you want to orderICD-10 ------ -------------------- codes, check with the section It of this checklist): ----------- ---------------------------------------------------------------------------------------- ® 33. Part Cause of Death A (immediate Cause) — certifier's text Review of data for comparison with department ® la. Approximate Interval: Onset to death studies ® 33. Part ause of Death B - certifier's text Review of data for comparison with department Z 1b. �pproximateInterval Onset to death studies ® 33 Part Cause of Death C - certifier's text Review of data for comparison with department 1c. Approximate Interval: Onset to death studies 33. Part Cause of Death D - certifier's text Review of data for comparison with department ® 1d. 
pRrroximate Interval Onset to death studies ® _______ 33 Part Other Significant Conditions Contributing to Death but Review of data for comparison with department 2. not Resulting in the Underlying Cause Given in Part 1. studies ® Was an Autopsy Performed? Review of data for comparison with department 34 studies 35 Were Autopsy Findings Available to Complete the Review of data for comparison with department Cause of Death? studies Manner of Death Review of data for comparison with department 36 studies ® Did Tobacco Contribute to Death? Review of data for comparison with department 37 tudies z 38 If Female- Review of data for comparison with department Not pregnant within past year studies Pregnant at time of death Not pregnant, but pregnant within 42 days of death Not pregnant, but pregnant 43 days to 1 year before death Unknown if re Want within the ast ear 7139 If Transportation Injury, Specify: Review of data for comparison with department Driver/Operator studies Passenger Pedestrian Other DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F2397lA539 HEWS Contrad No. HFIS001437900001 Page 58 of fig ✓ Item Number Item Descriptor Justification r] Other (Specify) Z 40a. Date of Injury Mo/Da /Yr Death data review ® 40b. Time of Injury Death data review 40c. Injury at Work? Death data review ® 40d. Place of Injury (e.g. Decedent's home; construction site, restaurant, wooded area Death data review ® ® ® ® 0e. Location: Street Number City State Zip Code Death data review 40f. County of In'u ry Death data review ® 41 Describe How Injury Occurred Death data review ® 43 Decedent's Education Social determinants of health review 44. Decedent of Hispanic Origin? Death data review ® No, Not Spanish, Hispanic/Latino Yes, Mexican, Mexican American, Chicano Death data review Death data review es, Puerto Rican Death data review ® Yes, Cuban Death data review ® _ Yes, Other Span ish/H isaniclLatino Death data review _Specify 45. 
Decedent's Race (2006 revision allows informants to select one or more races to indicate what the decedent considered himself or herself to be Death data review White Death data review ® Black or African American Death data review ®American ® Indian or Alaska Native Name of the enrolled or principal tribe Death data review ®Asian Indian Death data review Chinese Death data review Filipino Death data review ® Japanese Death data review ® Korean Death data review Z Vietnamese Death data review ® Other Asian Death data review Other Asian (Specify) Death data review Native Hawaiian Death data review ® Guamanian or Chamorro Death data review Samoan Death data review Other Pacific Islander Death data review ® ether Pacific Islander 5 eci Death data review ® Other Death data review Other S eci Death data review Q 46. Ever in-U.S. Armed Forces? Q 47. __ Ever a Peace Officer in This State? ® 48. Decedent's Usual Occupation (Indicate type of work done during most of working life). Social determinant of health ❑ 149. Decedent's Type of Businessllndustry Q ® ❑ ❑ ❑ nfa If Deceased Served in U.S. Armed Forces, Fi1I Gut the Following. Is the deceased reported to have been in such service? Name of organization in which service was rendered? Serial number of dischar e a ers or adjusted service DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F2397lA539 HHS Contract. No: HHS001437900001 Page 59 of 69 Rem Item Descriptor Justification Number certificate? Name of next of kin or of next friend? Post Office Address? Ill. 
Other Variables Calculated Based on the Death Certificate Items
Item Number Item Descriptor
❑ Record Type (Identified, Un-identified, Out of State, Catastrophic)
❑ Age Group
❑ Additional Funeral Home
® Causes of Death (multiple, including underlying) - ICD-10 codes | Death data review
Underlying Cause of Death - ICD-10 codes | Death data review
® CDC 113 Selected Causes of Death ICD-10 | Death data review
® CDC 130 Selected Causes of Infant Death ICD-10 | Death data review
® Was Death a Result of an Injury? | Death data review
❑ Decedent's Bridged Race Code determined by NCHS
❑ Decedent's Race/Ethnicity (based on the TSDC method)
❑ Decedent's Spanish/Hispanic/Latino Origin Unknown
❑ Decedent's Race Unknown
❑ Longitude based on decedent's street address
❑ Latitude based on decedent's street address
GIS Match code
GIS Location code
Geocoding accuracy
❑ 1990 census tract (based on decedent's street address)
❑ 2000 census tract (based on decedent's street address)
2010 census tract (based on decedent's street address)
❑ 2020 census tract (based on decedent's street address) - 2020 forward
❑ Zip code tabulation areas ZCTAs - from 2013 data
❑ GIS Residence County Name - from 2014 data
❑ GIS Residence County FIPS - from 2014 data
❑ NIOSH Industry Code - 2020 forward
NIOSH Occupation Code - 2020 forward
Last updated: October 3, 2022

Exhibit D-3
Checklist for Fetal Death Certificate Data 2006 and beyond

Instructions:
1. Since these data are confidential, all requested certificate items need to have brief justifications according to your project aims.
2. If a certificate item is used for linkage, then state how and whether it will be removed from the resulting linked analysis file. If the certificate item will be retained in the linked analysis file, please also provide a brief justification according to your project aims.
3. For certain sensitive data elements, such as certificate number or residence address, consider alternative means of accomplishing your project aims while using less sensitive data. Examples include creating your own unique identifier instead of requesting the certificate number, and requesting geocoded census tracts instead of residence address.

I. Fetal Death Certificate Items
Item Number Item Descriptor | Justification
❑ STATE FILE NUMBER (Certificate Number)
1. Fetus Name: First | Patient identification
® Fetus Name: Middle | Patient identification
z Fetus Name: Last | Patient identification
❑ Fetus Name: Suffix
® Date of Delivery | Data aggregation studies
® Sex | Demographic studies
Place of Delivery - County | Demographic studies
® 6a. Place of Delivery - City or Town | Demographic studies
® 7a. Plurality - Single, Twin, etc. | Data aggregation studies
® b. If Plural Birth, Born, 1st, 2nd, 3rd, etc. | Data aggregation studies
® a. Place of Delivery - Clinic/Doctor's Office | Provider education, as needed
® Licensed Birthing Center | Collect facility information
® Hospital | Collect facility information
® Home | Collect facility information
® Other (Yes/No) | Collect facility information
® Other (Specify): | Collect facility information
® b. Name of Hospital or Birthing Center | Collect facility information
® 9. Mother's Current Legal Name: First | Patient identifier for records
z Mother's Current Legal Name: Middle | Patient identifier for records
® Mother's Current Legal Name: Last | Patient identifier for records
® 10. Date of Birth (of mother) | Patient identifier for records
® 11 Mother's Name Prior to First Marriage - Last (i.e., maiden name) | Demographic studies
® 12. Mother's Birthplace (State or Foreign Country) | Demographic studies
® 13a. Mother's Residence State | Demographic studies
® 13b. Mother's Residence County | Demographic studies
® 13c. Mother's Residence City or Town | Demographic studies
13d. Mother's Residence Street Address or Rural Location | Demographic studies
13e.
Mother's Residence apartment number Demographic studies ® 13f. Mother's Residence Zip Code Demographic studies ® 13g. Inside City Limits (mother's residence) Demographic studies ® 14. lFather Name: First Patient identifier for records DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Conlracl No: HHS001437900001 Page 61 of 69 ✓ Item Number Item descriptor Justification Father Name: Middle Patient identifier for records Father Name: Last Patient identifier for records ❑ Father Name: Suffix E 15. Date of Birth (of father) Patient identifier for records ❑ 16.Father's Birthplace (State or Foreign Country) 17b- Attendant Type ® MD Provider education DO Provider education ® ----------- NM Provider education ® Midwife Provider education ® Other (Yes/No) Provider education ®Other 18b- (Specify): Certifier Provider education ❑ Certifying Physician ❑ Medical Examiner /Justice of the Peace 19. Method of Disposition ® Burial Data aggregation studies Cremation Data aggregation studies Removal from state Data aggregation studies Donation Data aggregation studies Entombment Data aggregation studies Cher (Yes/No) Data aggregation studies Other (Specify): ® 6a- Initiating Cause/Condition Contributing to Fetal Death Fetal death review ® Rupture of Membranes Fetal death review ® bruptio Placenta Fetal death review ® Placental Insufficiency Fetal death review Prolapsed Cord Fetal death review ® Choricamnionitis Fetal death review Other (YeslNo) Fetal death review Other (Specify): Fetal death review Other Obstetrical or Pregnancy Complications (Specify) Fetal death review ® Fetal Anomaly (Specify) Fetal death review ® Fetal Injury (Specify) Fetal death review Fetal Infection (Specify) Fetal death review Other Fetal Conditions/Disorders (Specify) Fetal death review Unknown Fetal death review ® fibOther Significant Causes or Conditions Contributing to Fetal Death Fetal death review ® Rupture of Membranes Fetal death review ® bruptio Placenta Fetal death review ® lacental 
Insufficiency Fetal death review ®11rolapsed Cord Fetal death review ® horioamnionitis Fetal death review ® ther (Yes/No) Fetal death review ® ther (Specify): Fetal death review Other Obstetrical or Pregnancy Complications (Spec' ) Fetal death review ® etal Anomaly (Specify) Fetal death review ® etal Injury (Specify) Fetal death review DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 62 of 69 J Item Number Item Descriptor Justification ® Fetal Infection (Specify) Fetal death review ®Other Fetal Conditions/Disorders (Specify) Fetal death review ® Unknown Fetal death review ® 7, Weight of Fetus --- ------ ------ ------------.._ Grams Patient status ® LB ® Oz ® 8. 9 bstetric Estimate of Gestation (Weeks) Estimated Time of Fetal Death Patient status ® Dead at Time of First Assessment, No Labor Ongoing Fetal death review ® Dead at Time of First Assessment, Labor Ongoing Fetal death review ® Died During Labor, After First Assessment Fetal death review ® Unknown Time of Fetal Death Fetal death review Q. Was an Autopsy Performed? ® Yes Fetal pathology review ® No Fetal pathology review ® Planned Fetal pathology review 31. Was a Histological Placental Examination Performed? ® Yes Fetal pathology review ® No Fetal pathology review ® Planned Were Autopsy or Histological Placental Examination Results Used in Determining the Cause of Death? Fetal pathology review ® Yes Fetal pathology review ® No Fetal pathology review Items 34 through 53 are confidential information for medical and public health use. 4. Mother's Education ® 8th Grade or Less Social determinants of health ® 9th - 12th Grade, No Diploma Social determinants of health ® School Graduate or GED Social determinants of health ®Some —High College Credit, but No Degree Social determinants of health ® ssociate Degree (e.g., AA, ASSocial determinants of health ® Bachelor's Degree e. 
., BA, AB, BSSocial determinants of health ® Master's Degree (e.g- MA, MS, MEn , Med, MSW, MBASocial determinants of health ® Doctorate (e.g., PhD. EdD) or Professional Degree (e.g., MD, DDS, DVM, LLB, JD Social determinants of health 5. Mother of Hispanic Origin? ® No, Not Spanish, Hispanic/Latina Demographic studies Yes, Mexican, Mexican American, Chicana. Demographic studies ® Yes. Puerto Rican Demographic studies N Yes.Cuban Demographic studies ® Yes. Other Spanish, Hispanic/Latina Demographic studies ® Yes. Other S anish, Hispanic/Latina (Specify) Demographic studies fi. Mother's Race Demographic studies ® White Demographic studies ® Black or African American Demographic studies American Indian or Alaska Native Demographic studies DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F23971A539 HHS Contract No: HHS001437900001 Page 63 of 69 ✓ Item Number Item Descriptor Justification W ® merican Indian or Alaska Native (Name of the enrolled or rinci al tribe Asian Indian Demographic studies Demographic studies Chinese Demographic studies Filipino Demographic studies ®Japanese Demographic studies ®Korean Demographic studies ® ietnamese Demographic studies ® _ ther Asian _ Demographic studies ther Asian (Specify) Demographic studies Native Hawaiian Demographic studies uamanian or Chamorro Demographic studies ®Samoan Demographic studies Other Pack Islander Demographic studies Other Pacific Islander (Specify) Demographic studies PREVIOUS LIVE BIRTHS 7a. Now Living ❑ Number ❑ one 7b. Now Dead ❑ umber ❑ one ❑ 37c. Date of Last Live Birth mml 37d. OTHER PREGNANCY OUTCOMES ® umber Maternal risk review ® one Maternal risk review 7e. Date Last Other Pregnancy Ended mm/ Maternal risk review 8. 
Cigarette Sm king Before and During Pregnancy Average Number of Cigarettes or Packs of Cigarettes Smoked per Da Maternal risk review Three Months Before Pregnancy # of Ci arettes # of Packs Maternal risk review ❑ ® First Three Months of Pregnancy # of Cigarettes # of Packs Second Three Months of Pregnancy Maternal risk review # of Cigarettes # of Packs Maternal risk review Third Trimester of Pregnancy # of Ci arettes El z # of Packs Maternal risk review 9. SOURCE OF PRENATAL CARE check all that apply) Clinic acility assessment —Hospital Public Health Clinic acility assessment ®—Private Physician acility assessment Midwife acility assessment DocuSign Envelope ID: 7653182C-464E-4BC8-947A-D4F2397lA539 HHS Contract No: HHS001437900001 Page 64 of 69 Item Number Item Descriptor Justification ® one Facility assessment Unknown Facility assessment Other Yes/NoFacility assessment Other (Specify). Facility assessment ❑ 0. other's Height feet/inches ❑ 41. other's Pre re nanc Weight(pounds) ❑ 42. Mother's Weight at Delivery (pounds) PRENATALCARE z No Prenatal Care -------------- Maternal risk assessment 3a. Date of First Visit mm/dd! Maternal risk assessment 3b. Date of Last Visit mmtdd! Maternal risk assessment 3c. Number of Prenatal Visits Maternal risk assessment ❑ 44, Date Last Normal Menses Began mm/ddl 5- Did Mother get WIC Food for Herself During this Pre nancy? ❑ Yes ❑ No 6. Mother Married? Yes U No 7. Mother Transferred for Maternal Medical or Fetus Indications for this Delivery? ❑ es ❑ No ❑ If Yes, Enter the Name of Facility Mother Transferred From: 8. 
Risk Factors in this Pregnancy (check all that apply)
Diabetes
  ☒ Prepregnancy (Diagnosis prior to this pregnancy) | Maternal risk review
  Gestational (Diagnosis in this pregnancy) | Maternal risk review
Hypertension | Maternal risk review
  ☒ Prepregnancy (Chronic) | Maternal risk review
  ☒ Gestational (PIH, preeclampsia) | Maternal risk review
  Eclampsia | Maternal risk review
❑ Previous Preterm Birth
Other Previous Poor Pregnancy Outcome (includes perinatal death, small-for-gestational age/intrauterine growth restricted growth) | Maternal risk review
❑ Pregnancy Resulted from Infertility Treatment (if yes, check all that apply)
  ❑ Fertility-enhancing Drugs, Artificial Insemination, or Intrauterine Insemination
  ❑ Assisted reproductive technology (e.g. IVF, GIFT)
❑ Mother had Previous Cesarean Delivery - ❑ If yes, how many
❑ Antiretrovirals Administered During Pregnancy or at Delivery (Variables which provide or imply HIV or STD infection status cannot be provided to agencies outside of DSHS. These data elements should normally be left unchecked)
❑ None of the Above

9. Infections Present and/or Treated During this Pregnancy (check all that apply) (Variables which provide or imply HIV or STD infection status cannot be provided to agencies outside of DSHS. These data elements should normally be left unchecked)
  Gonorrhea | Comparison with STD reportable conditions
  ☒ Syphilis | Comparison with STD reportable conditions
  Chlamydia | Comparison with STD reportable conditions
  ☒ Listeria | Comparison with infectious disease reportable
  Group B Streptococcus | Comparison with infectious disease reportable
  Cytomegalovirus | Comparison with health data
  Parvovirus | Comparison with health data
  ☒ Toxoplasmosis | Comparison with health data
  ☒ None of the above | Reportable disease comparison
  ☒ Other (Yes/No) | Reportable disease comparison
  ☒ Other (Specify): | Reportable disease comparison

aa. HIV Test Done Prenatally
  ☒ Yes | Reported HIV comparison
  ☒ No | Reported HIV comparison

Ob. HIV Test Done at Delivery
  ☒ Yes | Reported HIV comparison
  No | Reported HIV comparison

1. Method of Delivery
1A. Was Delivery with Forceps Attempted but Unsuccessful? ❑ Yes ❑ No
❑ 1B. Was Delivery with Vacuum Extraction Attempted but Unsuccessful? Yes ❑ No
1C. Fetal Presentation at Birth
  Cephalic | Fetal review
  Breech | Fetal review
  Other | Fetal review
1D. Final Route and Method of Delivery (Check one)
  Vaginal/Spontaneous
  Vaginal/Forceps
  Vaginal/Vacuum
  Cesarean
  ❑ If cesarean, was a trial of labor attempted: Yes No
1E. Hysterotomy/Hysterectomy ❑ Yes ❑ No

2. Maternal Morbidity - Complications Associated with Labor and Delivery (Check All That Apply)
  Maternal Transfusion | Maternal review
  ☒ Third or Fourth Degree Perineal Laceration | Maternal review
  ☒ Ruptured Uterus | Maternal review
  Unplanned Hysterectomy | Maternal review
  Admission to Intensive Care Unit | Maternal review
  ☒ Unplanned Operating Room Procedure Following Delivery | Maternal review
  ☒ None of the Above | Maternal review

3. Congenital Anomalies of the Newborn (check all that apply)
  Anencephaly | Fetal death review
  ☒ Meningomyelocele/Spina Bifida | Fetal death review
  ☒ Cyanotic Congenital Heart Disease | Fetal death review
  Congenital Diaphragmatic Hernia | Fetal death review
  Omphalocele | Fetal death review
  Gastroschisis | Fetal death review
  ❑ Limb Reduction Defect (excluding congenital amputation and dwarfing syndromes) | Fetal death review
  ☒ Cleft Lip With or Without Cleft Palate | Fetal death review
  ☒ Cleft Palate Alone | Fetal death review
  ☒ Down Syndrome | Fetal death review
    ☒ Karyotype Confirmed | Fetal death review
    ☒ Karyotype Pending | Fetal death review
  ☒ Suspected Chromosomal Disorder | Fetal death review
    ☒ Karyotype Confirmed | Fetal death review
    ☒ Karyotype Pending | Fetal death review
  ☒ Hypospadias | Fetal death review
  None of the Anomalies Listed Above | Fetal death review

II. Other Commonly Used Variables (Not on the Fetal Death Certificate)
Available for selected years

Item Number | Item Descriptor | Justification
  Underlying Cause of Death (ICD codes) | Fetal death review
  Mother's Combined Race / Ethnicity Field
  ❑ Calculated Weeks of Gestation
  ❑ Mother's Age
  Father's Age
  Longitude - Decimal Degrees (based on mother's street address) | GIS study
  ☒ ❑ Latitude - Decimal Degrees (based on mother's street address)
  GIS Match Code (not available prior to 2004)
  GIS Location Code (not available prior to 2004) | GIS study
  ❑ Geocoding Accuracy
  ❑ 1990 Census Tract (based on mother's street address)
  2000 Census Tract (based on mother's street address)
  ❑ 2010 Census Tract (based on mother's street address)

Last updated: March 20, 2018

ATTACHMENT E
ACCESS TO TEXAS PUBLIC USE HEALTH CARE DATA COLLECTED UNDER HEALTH AND SAFETY CODE CHAPTER 108 THROUGH DSHS CONTRACT NO.
HHS001437900001

Subject to the terms and conditions set forth in the Memorandum of Agreement between the Parties, this Attachment F provides Local Public Health Entity (LHE) with authorization to access public health data maintained by DSHS.

I. PURPOSE

DSHS agrees to provide Texas LHE access to the public use data files (PUDF) from hospital inpatient, outpatient or emergency department discharge data collected by DSHS under Chapter 108 of the Texas Health and Safety Code. Section IV of this Attachment outlines the intended use of the data by LHE. No personally identifiable information and non-public data may be shared or released by LHE without specific statutory authority and the prior written consent of DSHS.

II. LEGAL AUTHORITY

DSHS has legal authority under the following statutes to share the data described in this Attachment under Texas Health and Safety Code, Section 108.011.

III. DESCRIPTION OF PUBLIC USE HOSPITAL DISCHARGE DATA TO BE PROVIDED

DSHS will provide LHE with one or more PUDFs described above via secure data exchange, according to request outlined in Section VI of this Attachment. LHE must identify which PUDF files they are requesting: inpatient, outpatient or emergency department.

A. DSHS will provide access to each requested PUDF according to the following schedule and conditions:

1. Access to finalized, quarterly data files will be provided electronically to qualified requestors approximately 24-48 hours after the request form and MOU are submitted and approved. DSHS is statutorily required to track and publicly post all data requests. Texas Health and Safety Code, 108.0131.

2. Once DSHS has granted an LHE staff member access in accordance with Section IV (D) of the MOU, that individual shall have log in access to the data twenty-four hours a day, seven days a week.

IV. LIST OF INDIVIDUALS ACCESSING DATA

In accordance with Section III of the MOU, for direct access, LHE shall submit a list of staff, titles, and email addresses; and the intended use of the data, to request access to the limited data set(s) or data visualization. The request must be submitted to the DSHS Representatives identified directly below. LHE shall notify DSHS Representatives of any changes in staff that require removal from the list of authorized users. Such notification must be made in writing and within five (5) business days of any staffing changes.

V. SPECIAL CONSIDERATIONS FOR THE USE OF PUDF

Sections 108.013(c)(1) and (2) and 108.013(g) of the Texas Health and Safety Code (THSC) prohibit the Texas Department of State Health Services (DSHS) from releasing, and a person or entity from gaining access to, any data that could reveal the identity of a patient or the identity of a physician unless specially authorized under Chapter 108 of THSC. Any effort to determine the identity of any person or to use the information for any purpose other than for analysis and aggregate statistical reporting violates the THSC and this data use agreement. By virtue of this agreement, the undersigned agrees that the data will not be used to identify an individual patient or physician. Any questions about the data must be referred to the DSHS manager in charge of implementing Chapter 108 of the THSC. Product support is not provided by DSHS. The data are protected by United States copyright laws and international treaty provisions. Sharing of the data between two organizations, regardless of affiliation, is only allowed with the written approval of DSHS. LHE (also referred to as "licensee") is required to comply with all federal and state confidentiality laws.
The licensee agrees to the foregoing restrictions and acknowledges that the knowing or negligent release of data in violation of Chapter 108, Health and Safety Code, is punishable by a civil penalty of up to $10,000 under section 108.014 and is a state jail felony under section 108.0141 and any other remedies available under the law to DSHS.

The licensee acknowledges the data is limited to the organization's physical location (specified below) unless purchasing a multiple organizational license;

The licensee will not release nor permit others to release the individual patient records or any part of them to any person who is not a staff member of the organization (specified below), except with the written approval of DSHS;

The licensee will not attempt to link nor permit others to attempt to link the inpatient records of patients in this data set with personally identifiable records from any other source;

The licensee will not release nor permit others to release any information that identifies persons, directly or indirectly;

The licensee will not attempt to use nor permit others to use the data to learn the identity of any physician;

The licensee will not nor permit others to copy, sell, rent, license, lease, loan, or otherwise grant access to the data covered by this Agreement to any other person or entity, unless approved in writing by DSHS;

The licensee acknowledges that when releasing or disclosing the data set or any part to others in their organization they will retain full responsibility for the privacy and security of the data and will prohibit others from further release or disclosure of the data;

The licensee agrees to read the User Manual and understand the limitations of the data (User Manual located at: www.dshs.texas.gov/thcic);

The licensee will periodically check the DSHS/CHS/THCIC website for any technical updates to the data (www.dshs.texas.gov/thcic);

The licensee will use the following citation in any publication of information from this file as: Texas Hospital Inpatient Discharge Public Use Data File, (quarter and year of data). Texas Department of State Health Services, Austin, Texas. [date of publication];

The licensee will indemnify, defend and hold the DSHS, its members, employees, and its contract vendors harmless from any and all claims and losses accruing to any person as a result of violation of this agreement; and

The licensee will make no statement nor permit others to make statements indicating or suggesting that interpretations drawn from these data are those of DSHS.

VI. PUBLIC USE HOSPITAL DISCHARGE DATA REPRESENTATIVES

The following will act as the representatives authorized to administer activities under this Attachment for public use hospital discharge data on behalf of their respective Party.

DSHS Contract Management Section (CMS)
Gretchen Wells, CTCM
Contract Manager
1100 W 49th Street, MC 1990
Austin, Texas 78756
(512) 776-2679
Gretchen.wells@dshs.texas.gov

Texas Health Care Information Collection
Tarik Brown
Director
1100 W 49th Street, MC 1898
Austin, Texas 78756
(512) 438-4844
Tarik.brown@dshs.texas.gov

City of Lubbock
Tiffany Torres, MPH, MLS(ASCP)CM
Laboratory/Epidemiology Manager
806 18th Street
Lubbock, TX 79401
(806) 775-2990
ttorres@mylubbock.us