Resolution - 2021-R0227 - MOU for Central Distribution Model Participants 6.22.2021

Resolution No. 2021-R0227
Item No. 6.20
June 22, 2021

RESOLUTION

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:

THAT the Mayor of the City of Lubbock is hereby authorized and directed to execute for and on behalf of the City of Lubbock, a Memorandum of Understanding for Central Distribution Model Participants, Department of State Health Services Contract No. HHS001031800017 to treat and control the spread of infectious disease across Texas through the U.S. federal government 340B Drug Pricing Program, by and between the City of Lubbock and the State of Texas' Department of State Health Services, and all related documents. Said Memorandum of Understanding is attached hereto and incorporated in this resolution as if fully set forth herein and shall be included in the minutes of the City Council.

Passed by the City Council on June 22, 2021

DANIEL M. POPE, MAYOR

ATTEST: Rebe a Garza, City Secretary
APPROVED AS TO CONTENT:
APPROVED AS TO FORM: Ryan Bro e, Assistant City Attorney

RES.MOU Central Distribution Model Participants DSHS Contract No. HHS001031800017 6.4.21

MEMORANDUM OF UNDERSTANDING FOR CENTRAL DISTRIBUTION MODEL PARTICIPANTS
DSHS CONTRACT No. HHS001031800017

This Memorandum of Understanding (MOU), is between Department of State Health Services (DSHS) and City of Lubbock each a "Party" and collectively "Parties" to this MOU to treat and control the spread of infectious disease across Texas through the U.S. federal government 340B Drug Pricing Program (the "Program").

1. Purpose
Establish roles and responsibilities concerning Parties' compliance with the Program, while providing listed medications available through DSHS' Inventory Tracking Electronic Asset Management System (ITEAMS) platform.

2. Joint Responsibilities
2.1 Ensure policies and procedures align with Program guidelines and expectations of compliance;
2.2 Monitor and track medication from DSHS Pharmacy Branch to patient receipt; and
2.3 Ensure all policies and procedures are implemented and adhered to.

3. DSHS Responsibilities
3.1 Create, review and update policies and procedures to ensure compliance of Program;
3.2 Purchase medications for the treatment of sexually transmitted diseases (STDs) and tuberculosis (TB) with state and federal funds allocated for specific public health purposes that are administered and dispensed in compliance with Program regulations, as authorized by the Texas Health and Safety Code, Chapters 81, 85 and 1001;
3.3 Review, approve and monitor Clinic's registration in Office of Pharmacy Affairs Information System (OPAIS);
3.4 May review and approve the eligibility for each Clinic location to participate in Program;
3.5 Ensure TB medications provided are through local, pre-authorized health department and entities;
3.6 Provide education concerning Program compliance to Clinic through initial and ongoing trainings by submitting information on how to sign-up for the Apexus PVP Program, a Health Resources and Services Administration (HRSA) contractor for further education;
3.7 Monitor and support Clinic on all compliance elements of the Program addressed in the policies outlined by the DSHS HIV/STD Program, which can be accessed at: https://www.dshs.texas.gov/hivstd/policy/; and
3.8 Monitor and support Clinic on all compliance elements of the Program addressed in the policies outlined by the DSHS Tuberculosis and Hansen's Disease Branch in the Texas Tuberculosis Work Plan, which can be accessed at: https://www.dshs.texas.gov/idcu/disease/tb/policies/.

DSHS Contract No. HHS001031800017 Page 1 of 9

4. Clinic Responsibilities
4.1 Determine eligibility of participation in the Program for each Clinic location;
4.2 Obtain medications through ITEAMS platform for outpatient treatment of STDs or for TB services and medications;
4.3 Distribute medications at no charge to uninsured, eligible patients;
4.4 Ensure medications are used only for the treatment of STDs and TB;
4.5 Ensure medications from the Program are not sold or exchanged to any individual or entity;
4.6 Maintain a Class D pharmacy license; Clinics without a Class D Pharmacy license are only permitted to order medications under a physician's license for direct administration to patients onsite and for patient-delivered partner therapy using single-dose oral medications for chlamydia and gonorrhea. i.e. azithromycin and cefixime.
4.7 Designate a staff member who oversees the ordering, provision, reconciliation and reporting of medications obtained through the ITEAMS platform, with reconciliation of the medications occurring prior to the last day of each month;
4.8 Maintain a tangible or electronic tracking-log documenting the following information for each medication distributed:
4.8.1 Link to the patient to ensure that it is administered or dispensed to all eligible patient of clinical services in an outpatient setting;
4.8.2 The National Drug Code (NDC);
4.8.3 Total quantity of medication dispensed or administered; and
4.8.4 Reconciled medication inventory.
4.9 Maintain records of Program information establishing appropriate use of each Program medication -- as records may be requested and audited by DSHS or for an internal review at any time to ensure compliance.
Records include, but are not limited to: billing records, medication tracking logs, and relevant patient records;
4.10 Ensure all Program medications for treatment of STDs comply with current policies and procedures outlined by the DSHS HIV/STD Program, which can be accessed at: https://www.dshs.texas.gov/hivstd/policy/;
4.11 Ensure all Program medications for TB services comply with current policies and procedures outlined by the DSHS Tuberculosis and Hansen's Disease Branch in the Texas Tuberculosis Work Plan, which can be accessed at: https://www.dshs.texas.gov/idcu/disease/tb/policies/;
4.12 Develop and implement policies and procedures for Program medication tracking and distribution that are accessible to DSHS. Clinic may adopt guidance from DSHS or create their own so long as they follow Program guidelines and do not contradict DSHS' Program policies and procedures; and
4.13 Register as a covered entity in OPAIS database, maintaining registration each year this contract is enforceable, using the DSHS Program grant number for each program for which Clinic receives funding or in-kind contributions from DSHS. The OPAIS database can be accessed at: https://340bopais.hrsa.gov.

5. Duration and Termination
This MOU will commence on September 1, 2021 or on the last date of signature by the Parties to sign this MOU, whichever is later, and terminates on August 31, 2023, with the option to renew, by written agreement, in one-year increments, not exceeding a total of five years. Either Party may terminate this MOU upon providing 30 calendar days' advance written notice to the other Party.

6. Additional Terms and Conditions
6.1 Confidentiality.
6.1.1 Clinic will comply with the Privacy, Security and Breach Notification incorporated into this MOU as Attachment B.
6.1.2 Clinic will maintain confidentiality and not disclose to third parties without DSHS' prior written consent, and any DSHS information including but not limited to DSHS Data, business activities, practices, systems, conditions and services. This section will survive termination or expiration of this MOU. The obligations of Clinic under this section will survive termination or expiration of this MOU.
6.1.3 All confidential information requirements must be included in all subcontract awarded by Clinic.
6.2 DSHS Data.
6.2.1 As between the Parties, all data and information acquired, accessed, or made available to Clinic by, through, or on behalf of DSHS or DSHS contractors, including all electronic data generated, processed, transmitted, or stored by Clinic in the course of providing data processing services in connection with Clinic's performance hereunder (the "DSHS Data"), is owned solely by DSHS.
6.2.2 Clinic has no right or license to use, analyze, aggregate, transmit, create derivatives of, copy, disclose, or process the DSHS Data except as required for Clinic to fulfill its obligations under the Contract or as authorized in advance in writing by DSHS.
6.2.3 For the avoidance of doubt, Clinic is expressly prohibited from using, and from permitting any third party to use, DSHS Data for marketing, research, or other non-governmental or commercial purposes, without the prior written consent of DSHS.
6.2.4 Clinic shall make DSHS Data available to DSHS, including to DSHS' designated vendors, as directed in writing by DSHS. The foregoing shall be at no cost to DSHS.
6.2.5 Furthermore, the proprietary nature of Clinic's systems that process, store, collect, and/or transmit the DSHS Data shall not excuse Clinic's performance of its obligations hereunder.
6.3 No Cost. This is a "no cost" agreement; the Comptroller shall not be obligated to make any payments of any amounts to Clinic or other parties as a result of this MOU. Any costs and expenses incurred under the terms of this MOU will be paid by the Party incurring the cost or expense. No funds appropriated to either Party will be exchanged under this MOU.
6.4 Public Information Act. Information, documentation and other material related to this MOU may be subject to public disclosure pursuant to Chapter 552 of the Tex. Gov't Code (the "Public Information Act" or "PIA"). In accordance with Tex. Gov't Code section 2252.907, Local Government is required to make any information created or exchanged with DSHS pursuant to this MOU, and not otherwise excepted from disclosure under the PIA, available in a format that is accessible by the public at no additional charge to DSHS.
6.5 Record Maintenance and Retention.
6.5.1 Clinic shall keep and maintain under GAAP or GASB, as applicable, full, true, and complete records necessary to fully disclose to the DSHS, the Texas State Auditor's Office, the United States Government, and their authorized representatives' sufficient information to determine compliance with the terms and conditions of this Contract and all state and federal rules, regulations, and statutes.
6.5.2 Clinic shall maintain and retain legible copies of this Contract and all records relating to the performance of the Contract including supporting fiscal documents adequate to ensure that claims for contract funds are in accordance with applicable State of Texas requirements. These records shall be maintained and retained by Clinic for a minimum of seven (7) years after the Contract expiration date or seven (7) years after the completion of all audit, claim, litigation, or dispute matters involving the Contract are resolved, whichever is later.
6.6 DSHS' Right to Audit.
6.6.1 Clinic shall make available at reasonable times and upon reasonable notice, and for reasonable periods, work papers, reports, books, records, supporting documents kept current by Clinic pertaining to the Contract for purposes of inspecting, monitoring, auditing, or evaluating by DSHS and the State of Texas.
6.6.2 In addition to any right of access arising by operation of law, Clinic and any of Clinic's affiliate or subsidiary organizations, or Subcontractors shall permit the DSHS or any of its duly authorized representatives, as well as duly authorized federal, state or local authorities, unrestricted access to and the right to examine any site where business is conducted or Services are performed, and all records, which includes but is not limited to financial, client and patient records, books, papers or documents related to this Contract. If the Contract includes federal funds, federal agencies that shall have a right of access to records as described in this section include: the federal agency providing the funds, the Comptroller General of the United States, the General Accounting Office, the Office of the Inspector General, and any of their authorized representatives. In addition, agencies of the State of Texas that shall have a right of access to records as described in this section include: the DSHS, HHSC, HHSC's contracted examiners, the State Auditor's Office, the Texas Attorney General's Office, and any successor agencies. Each of these entities may be a duly authorized authority.
6.6.3 If deemed necessary by the DSHS or any duly authorized authority, for the purpose of investigation or hearing, Clinic shall produce original documents related to this Contract.
6.6.4 DSHS and any duly authorized authority shall have the right to audit billings both before and after payment, and all documentation that substantiates the billings.
6.6.5 Clinic shall include this provision concerning the right of access to, and examination of, sites and information related to this Contract in any Subcontract it awards.
6.7 Compliance with Audit or Inspection Findings.
6.7.1 Clinic must act to ensure its and its Subcontractors' compliance with all corrections necessary to address any finding of noncompliance with any law, regulation, audit requirement, or generally accepted accounting principle, or any other deficiency identified in any audit, review, or inspection of the Contract and the Services and Deliverables provided. Any such correction will be at Clinic's or its Subcontractor's sole expense. Whether Clinic's action corrects the noncompliance shall be solely the decision of the DSHS.
6.7.2 As part of the Responsibilities, Clinic must provide to DSHS upon request a copy of those portions of Clinic's and its Subcontractors' internal audit reports relating to the Services and Deliverables provided to the State under the MOU.
6.8 State Auditor's Right to Audit. The Parties acknowledge the State Auditor's authority to conduct audits of state agencies under Chapter 321 of the Texas Government Code. Clinic shall comply with any rules and procedures of the state auditor in the implementation and enforcement of Section 2262.154 of the Texas Government Code.
6.9 Amendment. This MOU may be modified by written amendment signed by the Parties.
6.10 Change in Law and Compliance with Laws.
Clinic shall comply with all laws, regulations, requirements and guidelines applicable to a vendor providing services and products required by this MOU to the State of Texas, as these laws, regulations, requirements and guidelines currently exist and as amended throughout the term of the MOU. DSHS reserves the right, in its sole discretion, to unilaterally amend the MOU to incorporate any modifications necessary for DSHS' compliance, as an agency of the State of Texas, with all applicable state and federal laws, regulations, requirements and guidelines.
6.11 Governing Law and Venue. This MOU shall be governed by and construed in accordance with the laws of the State of Texas, without regard to the conflicts of law provisions. The venue of any suit arising under the Contract is fixed in any court of competent jurisdiction of Travis County, Texas, unless the specific venue is otherwise identified in a statute which directly names or otherwise identifies its applicability to the DSHS.
6.12 Dispute Resolution.
6.12.1 The dispute resolution process provided for in Chapter 2260 of the Texas Government Code must be used to attempt to resolve any dispute arising under the Contract. If the Clinic's claim for breach of contract cannot be resolved informally with the DSHS, the claim shall be submitted to the negotiation process provided in Chapter 2260. To initiate the process, the Clinic shall submit written notice, as required by Chapter 2260, to the individual identified in the Contract for receipt of notices. Any informal resolution efforts shall in no way modify the requirements or toll the timing of the formal written notice of a claim for breach of contract required under §2260.051 of the Texas Government Code. Compliance by the Clinic with Chapter 2260 is a condition precedent to the filing of a contested case proceeding under Chapter 2260.
6.12.2 The contested case process provided in Chapter 2260 is the Clinic's sole and exclusive process for seeking a remedy for an alleged breach of contract by the DSHS if the Parties are unable to resolve their disputes as described above.
6.12.3 Notwithstanding any other provision of the Contract to the contrary, unless otherwise requested or approved in writing by the DSHS, the Clinic shall continue performance and shall not be excused from performance during the period of any breach of contract claim or while the dispute is pending. However, the Clinic may suspend performance during the pendency of such claim or dispute if the Clinic has complied with all provisions of Section 2251.051, Texas Government Code, and such suspension of performance is expressly applicable and authorized under that law.
6.13 Limitation on Authority.
6.13.1 Any authority granted to Clinic by the DSHS is limited to the terms of this MOU.
6.13.2 Clinic shall not have any authority to act for or on behalf of the DSHS or the State of Texas except as expressly provided for in the Contract; no other authority, power, or use is granted or implied. Clinic may not incur any debt, obligation, expense, or liability of any kind on behalf of DSHS or the State of Texas.
6.13.3 Clinic may not rely on implied authority and is not granted authority under the MOU to:
6.13.3.1 Make public policy on behalf of DSHS;
6.13.3.2 Promulgate, amend, or disregard administrative regulations of program policy decisions made by State and federal agencies responsible for administration of a DSHS program; or
6.13.3.3 Unilaterally communicate or negotiate with any federal or state agency or Texas Legislature on behalf of DSHS regarding DSHS programs or this MOU.
6.14 Severability. If any provision of the Contract is held to be illegal, invalid or unenforceable by a court of law or equity, such construction will not affect the legality, validity or enforceability of any other provision or provisions of this Contract.
It is the intent and agreement of the Parties this Contract shall be deemed amended by modifying such provision to the extent necessary to render it valid, legal and enforceable while preserving its intent or, if such modification is not possible, by substituting another provision that is valid, legal and enforceable and that achieves the same objective. All other provisions of this Contract will continue in full force and effect.
6.15 Force Majeure. Neither Party shall be liable to the other for any delay in, or failure of performance of, any requirement included in the Contract caused by force majeure. The existence of such causes of delay or failure shall extend the period of performance until after the causes of delay or failure have been removed provided the non-performing party exercises all reasonable due diligence to perform. Force majeure is defined as acts of God, war, fires, explosions, hurricanes, floods, failure of transportation, or other causes that are beyond the reasonable control of either party and that by exercise of due foresight such party could not reasonably have been expected to avoid, and which, by the exercise of all reasonable due diligence, such party is unable to overcome.
6.16 No Waiver. Nothing in the Contract shall be construed as a waiver of the DSHS' or the State's sovereign immunity. This Contract shall not constitute or be construed as a waiver of any of the privileges, rights, defenses, remedies, or immunities available to the DSHS or the State of Texas. The failure to enforce, or any delay in the enforcement of, any privileges, rights, defenses, remedies, or immunities available to the DSHS or the State of Texas under the Contract or under applicable law shall not constitute a waiver of such privileges, rights, defenses, remedies, or immunities or be considered as a basis for estoppel.
DSHS does not waive any privileges, rights, defenses, or immunities available to DSHS by entering into the Contract or by its conduct prior to or subsequent to entering into the Contract.
6.17 Entire Contract and Modification. This Contract constitutes the entire agreement of the Parties and is intended as a complete and exclusive statement of the promises, representations, negotiations, discussions, and other agreements that may have been made in connection with the subject matter hereof. Any additional or conflicting terms in any future document incorporated into the Contract will be harmonized with this Contract to the extent possible.

7. Authorized Representatives
The following will act as the designated Representative authorized to administer activities including, but not limited to, notices, consents, approvals or other general communications to the maximum extent possible. The designated Party Representatives are:

DSHS
Melissa D. Tafoya-Cortez, CTCM
DSHS Contract Management
P.O. Box 149347
Austin, Texas 78714-9347
Phone: (512) 776-2643
Melissa.Cortez@dshs.texas.gov

Clinic
Kim Swacina
City of Lubbock
806 18th Street
Lubbock, Texas 79401
Phone: (806) 775-2908
kswacina@mylubbock.us

Either Party may change its designated Representative by providing written notice to the other Party at least ten calendar days prior to the change.

8. Authorized Signatures
By signing, Parties acknowledge that they have read the MOU in its entirety, agreeing to its terms. The persons whose signatures appear below have the requisite authority to execute this MOU on behalf of the named party.

Signature Page follows

DocuSign Envelope ID: 8DA678FC-B68D-4BE8-8390-6E1ABC9B1EE3

SIGNATURE PAGE FOR MEMORANDUM OF UNDERSTANDING
DSHS CONTRACT No. HHS001031800017

DSHS
Printed Name: Imelda Garcia
Date of Signature: July 6, 2021

CLINIC
Printed Name: Daniel M. Pope, Mayor
Date of Signature: 6/22/2021

THE FOLLOWING ATTACHMENTS ARE ATTACHED AND INCORPORATED AS PART OF THE CONTRACT:
ATTACHMENT A -- CLINIC'S PARTICIPATING LOCATIONS
ATTACHMENT B -- PRIVACY, SECURITY, AND BREACH NOTIFICATION

ATTACHMENTS FOLLOW

ATTACHMENT A
CLINIC'S PARTICIPATING LOCATIONS
DSHS CONTRACT NO. HHS001031800017

ATTACHMENT B
PRIVACY, SECURITY, AND BREACH NOTIFICATION
DSHS CONTRACT NO. HHS001031800017

1.0 Definitions
"Breach" means the acquisition, access, use, or disclosure of Confidential Information in an unauthorized manner which compromises the security or privacy of the Confidential Information.
"DSHS Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to the CLINIC electronically or through any other means that consists of or includes any or all of the following:
(a) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information (as these terms are defined in 45 C.F.R. §160.103);
(b) Sensitive Personal Information defined by Texas Business and Commerce Code Chapter 521;
(c) Federal Tax Information (as defined in Internal Revenue Service Publication 1075);
(d) Personal Identifying Information (as defined in Texas Business and Commerce Code Chapter 521);
(e) Social Security Administration Data (defined as information received from a Social Security Administration federal agency system of records), including, without limitation, Medicare or Medicaid information (defined as information relating to an applicant or recipient of Medicare or Medicaid benefits);
(f) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.
1.1 DSHS Confidential Information
Any DSHS Confidential Information received by the CLINIC under this Contract may be disclosed only in accordance with applicable law. By signing this Contract, the CLINIC certifies that the CLINIC is, and intends to remain for the term of this Contract, in compliance with all applicable state and federal laws and regulations with respect to privacy, security, and breach notification, including without limitation the following:
(a) Title 5 United States Code (USC) Part I, Chapter 5, Subchapter II, Section 552a, Records Maintained on Individuals, The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988;
(b) Title 26 USC, Internal Revenue Code;
(c) Title 42 USC Chapter 7, Subchapter XI, Part C, Administrative Simplification, the relevant portions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
(d) Title 42 USC Chapter 7, the relevant portions of the Social Security Act;
(e) Title 42 USC Chapter I, Subchapter A, Part 2, Confidentiality of Substance Use Disorder Patient Records;
(f) Title 45 Code of Federal Regulations (CFR) Chapter A, Subchapter C, Part 160, General Administrative Requirements;
(g) Title 45 CFR Chapter A Subchapter C, Part 164, Security and Privacy;
(h) Internal Revenue Service Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return Information;
(i) Office of Management and Budget Memorandum 17-12, Preparing for and Responding to a Breach of Personally Identifiable Information;
(j) Texas Business and Commerce Code Title 11, Subtitle B, Chapter 521 Unauthorized Use of Identifying Information;
(k) Texas Government Code, Title 5, Subtitle A, Chapter 552, Public Information, as applicable;
(l) Texas Health and Safety Code, Title 2, Subtitle D, Chapter 81, Section 81.006, Funds;
(m) Texas Health and Safety Code Title 2, Subtitle I, Chapter 181, Medical Records Privacy;
(n) Texas Health and Safety Code Title 7, Subtitle E, Chapter 611, Mental Health Records;
(o) Texas Human Resources Code, Title 2, Subtitle A, Chapter 12, Section 12.003, Disclosure of Information Prohibited;
(p) Texas Occupations Code, Title 3, Health Professions, as applicable;
(q) Constitutional and common law privacy; and
(r) Any other applicable law controlling the release of information created or obtained in the course of providing the services described in this Contract.
The CLINIC further certifies that the CLINIC will comply with all amendments, regulations, and guidance relating to those laws, to the extent applicable.

1.2 Cybersecurity Training
All of CLINIC's authorized users, workforce and subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code, Title 10, Subtitle B, Chapter 2054, Section 2054.5192, Cybersecurity Training Required: Certain State Contractors, by the Texas Department of Information Resources.

1.3 Business Associate Agreement
CLINIC will ensure that any subcontractor of CLINIC who has access to DSHS Confidential Information will sign a HIPAA-compliant Business Associate Agreement with CLINIC, and CLINIC will submit a copy of that Business Associate Agreement to DSHS upon request.

1.4 CLINIC's Incident Notice, Reporting and Mitigation
The CLINIC's obligation begins at discovery of any unauthorized disclosure of Confidential Information or any privacy or security incident that may compromise Confidential Information. "Incident" is defined as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. The CLINIC's obligation continues until all effects of the Incident are resolved to DSHS's satisfaction, hereafter referred to as the "Incident Response Period".

1.5 Notification to DSHS.
(a) The CLINIC must notify DSHS within the timeframes set forth in Section (c) below.
(b) The CLINIC must require that its Subcontractors and contractors take the necessary steps to assure that the CLINIC can comply with all of the following Incident notice requirements.
(c) Incident Notice:
1. Initial Notice. Within twenty-four (24) hours of discovery, or in a timeframe otherwise approved by DSHS in writing, the CLINIC must preliminarily report on the occurrence of an Incident to the DSHS Privacy and Security Officers via email at: privacy@HHSC.state.tx.us. This initial notice must, at a minimum, contain: (i) all information reasonably available to CLINIC about the Incident, (ii) confirmation that the CLINIC has met any applicable federal Breach notification requirements, and (iii) a single point of contact for the CLINIC for DSHS communications both during and outside of business hours during the Incident Response Period.
2. Formal Notice. No later than three (3) Business Days after discovery of an Incident, or when the CLINIC should have reasonably discovered the Incident, the CLINIC must provide written formal notification to DSHS using the Potential Privacy/Security Incident Form which is available on the HHSC website at https://hhsconnection.hhs.texas.gov/rights-responsibilities/office-chief-counsel/privacy. The formal notification must include all available information about the Incident, and the CLINIC's investigation of the Incident.

1.6 CLINIC Investigation, Response, and Mitigation.
The CLINIC must fully investigate and mitigate, to the extent practicable and as soon as possible or as indicated below, any Incident.
At a minimum, the CLINIC will:
(a) Immediately commence a full and complete investigation;
(b) Cooperate fully with DSHS in its response to the Incident;
(c) Complete or participate in an initial risk assessment;
(d) Provide a final risk assessment;
(e) Submit proposed corrective actions to DSHS for review and approval;
(f) Commit necessary and appropriate staff and resources to expeditiously respond;
(g) Report to DSHS as required by DSHS and all applicable federal and state laws for Incident response purposes and for purposes of DSHS's compliance with report and notification requirements, to the satisfaction of DSHS;
(h) Fully cooperate with DSHS to respond to inquiries and/or proceedings by federal and state authorities about the Incident;
(i) Fully cooperate with DSHS's efforts to seek appropriate injunctive relief or to otherwise prevent or curtail such Incidents;
(j) Recover, or assure destruction of, any Confidential Information impermissibly disclosed during or as a result of the Incident; and
(k) Provide DSHS with a final report on the Incident explaining the Incident's resolution.

1.7 Breach Notification to Individuals and Reporting to Authorities.
(a) In addition to the notices required in this section, the CLINIC must comply with all applicable legal and regulatory requirements in the time, manner, and content of any notification to individuals, regulators, or third-parties, or any notice required by other state or federal authorities, including without limitation, notifications required in Title 45 CFR Chapter A, Subchapter C Part 164, Subpart D Notification in the Case of Breach of Unsecured Protected Health Information and Texas Business and Commerce Code, Title 11, Subtitle B, Chapter 521, Section 521.053(b), Notification Required Following Breach of Security of Computerized Data, or as specified by DSHS following an Incident.
(b) The CLINIC must assure that the time, manner, and content of any Breach notification required by this section meets all federal and state regulatory requirements.
(c) Breach notice letters must be in the CLINIC's name and on the CLINIC's letterhead and must contain contact information to obtain additional information, including the name and title of the CLINIC's representative, an email address, and a toll-free telephone number.
(d) The CLINIC must provide DSHS with copies of all distributed communications related to the Breach notification at the same time the CLINIC distributes the communications.
(e) The CLINIC must demonstrate to the satisfaction of DSHS that any Breach notification required by applicable law was timely made. If there are delays outside of the CLINIC's control, the CLINIC must provide written documentation to DSHS of the reasons for the delay.