The URL can be used to link to this page

Home My WebLink AboutResolution - 2021-R0470 - MOU HHS001112200001 with Department of State Health Services 12.7.21Resolution No. 2021-RO470 Item No. 7.11 December 7, 2021 RESOLUTION BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK: THAT the acts of the Mayor of the City of Lubbock in executing, on behalf of the City o Lubbock, to the Department of State Health Services (DSHS) Memorandum of Understanding (MOU), MOU HHS001112200001, regarding accessing electronic health data through the TxS: system for the purpose of supporting public health syndromic surveillance to protect the health o the citizens of Texas, by and between the City of Lubbock and the State of Texas acting by an( through DSHS, and related documents are hereby ratified in full. Said MOU is attached hereto and incorporated in this resolution as if fully set forth herein and shall be included in the minute; of the City Council. Passed by the City Council on December 7, 2021 DANIEL M. POPE, MAYOR ATTEST: A AtA" w Re Coca Garza, City Secretary APPROVED AS TO CONTENT: Bill Ho4Deputy Ci ager APPROVED AS TO FORM: - ZXI"-7 -- R n oke, Assistant City Attorney RGS.DSHS MOU No. HFIS001112200001 Ratification 11.5.21 DocuSign Envelope ID: E1 DA78D2-0887-4BEF-A614-2881281 FF7D3 Resolution No. 2021-R0470 MOU HHS001112200001 DEPARTMENT OF STATE HEALTH SERVICES MEMORANDUM OF UNDERSTANDING This Memorandum of Understanding (MOU) is entered into by and between the Texas Department of State Health Services (DSHS) and City of Lubbock (LHD), who are collectively referred to herein as the "Parties." DSHS has authority to operate the statewide syndromic surveillance system, Texas Syndromic Surveillance (TxS2), under Chapter 81 of the Health and Safety Code. This MOU provides the Parties' roles and responsibilities regarding accessing electronic health data (referred to herein as Limited Data Set) through the TxS2 system for the purpose of supporting public health syndromic surveillance to protect the health of the citizens of Texas. The Limited Data Set will, at a minimum, meet requirements for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs for the meaningful use of certified EHR technology to improve patient care. More information on the Limited Data Set can be found at httD://www.dshs.state.tx.us/txs2. LHD intends to access the Limited Data Set, as set forth in this MOU, to support the ongoing analysis of data to search for combinations of signs and symptoms of disease in a population, which is expected to be useful in: identifying and responding to naturally occurring diseases such as influenza and food -borne illness, detecting and mitigating the effects of terrorist incidents, and serving other public health uses consistent with applicable law. Any other uses of the Limited Data Set are prohibited. Definitions of the Limited Data Set are below. "Aggregate data" means a view of the data with no details of the cases that make up the daily totals. Graphs and tables can be made, and queries can be created to see the overall counts of the health issue a user is looking for, but specifics about individuals cannot be seen. Users can choose a geography or demographic characteristic to see at this aggregate level. "Record -level data" means a view of the data that includes all of the aggregate data abilities and the ability to see information on individuals. TxS2 data is de -identified though, so names, addresses, and SSNs, as well as any other universal identifiers are not present in the data. DocuSign Envelope ID: ElDA7BD2-0867-4BEF-A614-2881281FF7D3 MOU HHS001112200001 Type of Data DSHS/HHSC staff have LHDs with an Hospitals have access to: access to: appropriate MOU have access to: ER data (from electronic Record -level statewide Record -level Public Health Record -level for their health records) Region (PHR)-wide and entire hospital system aggregate statewide Poison Data Aggregate statewide Aggregate statewide Not available (except for TxS2 staff who have access to Record - Level data for administrative work, including ensuring the data is correct and flowing into the database) EMS Data Record -level for county Record -level for county Not available and adjacent counties and and adjacent counties and aggregate statewide aggregate statewide Death Record Data Record -level statewide Record -level for county Not available and adjacent counties, not available statewide I. Roles and Responsibilities of Parties. The Parties will: A. Access and receive the Limited Data Set in a secure, confidential manner in compliance with all applicable federal and state laws governing the protection of health -related information, including Attachment A, Data Use Agreement. B. Use industry best practices to secure, protect, and manage the Limited Data Set. If LHD exports data from the system, LHD assumes responsibility for the security and privacy of the exported data. C. Use and share data for public health purposes only or as otherwise permitted by law or this MOU. D. Not attempt to determine the identity of, nor contact any person whose information is contained in the Limited Data Set unless such actions are necessary as part of a public health investigation or otherwise fall within the authority of the Party, as provided by Texas or federal law. E. Promptly provide written notice to the other Party of any use or disclosure of the Limited Data Set which violates the terms of this MOU or applicable law. -2- DocuSign Envelope ID: ElDA7BD2-08f37-4BEF-A614-2881281FF7D3 MOU HHS001112200001 II. Roles and Responsibilities of DSHS. DSHS will: A. Develop and maintain the TxS2 system to receive the Limited Data Set from Data Providers. B. Receive and store data in one or more servers located in a secure data environment maintained by DSHS. C. Provide policies and procedures for requesting access and using TxS2. Policies and procedures will be posted at http://www.dshs.state.tx.us/txs2. D. Provide the following authorized users with access, as specified, to view and analyze data: 1. LHDs participating in TxS2 will have access to the Limited Data Set for all of the counties within the Health Service Region (HSR) that the LHD resides and to the jurisdiction contiguous to the LHDs when applicable, pursuant to Health and Safety Code Section 1001.089(b)(1). 2. Hospitals that participate in TxS2 will have access to all data within their facility and aggregate statewide data. 3. The Applied Physics Laboratory at Johns Hopkins University will have access to data as needed for system maintenance. 4. The Centers for Disease Control and Prevention (CDC), to whom DSHS sends syndromic surveillance data in support of the National Syndromic Surveillance Program. 5. All other government agencies with whom DSHS, by law, must share data. E. Sponsor trainings and provide technical assistance on TxS2 usage and capabilities. F. Remove user access to TxS2 as requested by the LHD within five business days of receipt of the LHD's written request. G. Maintain a list of all authorized users of TxS2 and upon written request by the LHD, provide the list of authorized users within that LHD's HSR to the requesting LHD within five business days. H. Acknowledge LHD's written requests for access to the Limited Data Set to anyone not authorized to view data as provided in this MOU within 10 business days. III. Roles and Responsibilities of LHD. LHD will: A. Comply with all DSHS policies and procedures for requesting access and using TxS2. Policies and procedures will be posted at httc://www.dshsstate.tx.us/txs2. B. Provide a list of designated personnel authorized to access TxS2, following the DSHS policies and procedures for requesting access to TxS2. C. Participate in DSHS-sponsored training on TxS2 usage and capabilities. D. Notify DSHS of designated personnel that no longer have authorization to view TxS2 within five days. E. Maintain a list of all authorized users of TxS2 and upon written request by DSHS, provide the list of authorized users to DSHS within five days. F. Use the Limited Data Set for enhanced surveillance of public health conditions or threats, early event detection, situational awareness, retrospective analysis, and other public health uses. G. Not use or disclose the Limited Data Set other than as provided by this MOU or as otherwise provided by law. -3- DocuSign Envelope ID: E1 DA7BD2-0867-46EF-A614-2881281 FF7D3 MOU HHS001112200001 H. Submit a written request to DSHS and obtain written permission from DSHS prior to providing access to the Limited Data Set to anyone not authorized to view data as provided in this MOU. I. Ensure that any authorized agents, including a subcontractor, to whom it provides the Limited Data Set agree to the same restrictions and conditions to the Parties in this MOU and in compliance with applicable federal and state law. J. Not assign this MOU without the prior written consent of DSHS. IV. Term of the MOU. The MOU is effective on the date of the latter signature of the Parties and terminates on the fifth anniversary of the effective date, unless renewed or terminated pursuant to the terms and conditions of this MOU. The Parties may extend this MOU for one additional one-year term, subject to terms and conditions mutually agreeable to the Parties. The Parties agree to review this MOU on an annual basis and provide written notice to the other party if one party determines that a material change to the MOU is needed. If the Parties agree that the MOU needs to be amended then the Parties will execute a written amendment as provided for in Section V. V. Amendments. Amendments to this MOU shall be in writing and signed by the Parties. VI. Termination of MOU. Either DSHS or LHD may terminate by providing written notice to the other Party at least 30 days prior to the date of termination and sending the written notice by certified mail, return receipt requested to the Party's Primary Contact as set forth below. The effective date of termination is the date the nonterminating party receives the notice. VII. Primary Contacts. All communications between the Parties shall be made through the primary contacts or their designees to the maximum extent possible. The primary contacts are: For DSHS: Linc Allen Syndromic Surveillance Team DSHS P.O. Box 149347, Mail Code 1926 Austin, TX 78714-9347 (512) 776-7770 (Office) (512) 776-7509 (Fax) syndromic.surveillanceQdshs.state.tx.us .4.. For LHD: Rachel Dolan, PHEP Coordinator City of Lubbock P.O. Box 2000 Lubbock, TX 79457 (806) 775-2917 rdolan@mylubbock.us DocuSign Envelope ID: E1 DA7BD2-08B7-46EF-A614-2881281 FF7D3 MOU HHS001112200001 By signing below, the Parties acknowledge that they have read the MOU and agree to its terms, and that the persons whose signatures appear below have the requisite authority to execute this MOU on behalf of the named party. DSHS cDocuSigned by, By; 8113AOB1CFEC4CE.. Signature of Authorized Official October 27, 2021 Date of Signature David Gruber Printed Name and Title LHD oocusigned by: IVavt,it,(, kept, By: 3F037883155540F Signature of Authorized Official October 26, 2021 Date of Signature Associate Commissioner for M1 Pope Mayor Printed Name and Title THE FOLLOWING DOCUMENT IS ATTACHED TO THIS CONTRACT AND ITS TERMS ARE HEREBY INCORPORATED BY REFERENCE: ATTACHMENT A - HHS DATA USE AGREEMENT TACCHO VERSION, OCTOBER 23, 2019 -5- DocuSlgn Envelope ID: E1 DA7BD2-0867-4BEF-A614-2881281 FF7D3 ATTACHMENT A HHS DATA USE AGREEMENT This Data Use Agreement ("DUA"), effective as of the date the Base Contract into which it is incorporated is signed ("Effective Date"), is entered into by and between a Texas Health and Human Services Enterprise agency ("HHS"), and the Contractor identified in the Base Contract, a political subdivision of the State of Texas ("CONTRACTOR"). ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations with respect to the Confidential Information. 45 CFR 164.504(e)(1)-(3). This DUA also describes HHS's remedies in the event of CONTRACTOR's noncompliance with its obligations under this DUA. This DUA applies to both Business Associates and contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients as described in the Base Contract. As of the Effective Date of this DUA, if any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls. ARTICLE 2. DEFINITIONS For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C. § 1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments, regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. §§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue Code, Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in this DUA are defined as follows: "Authorized Purpose" means the specific purpose or purposes described in the Statement of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance. "Authorized User" means a Person: (1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze Confidential Information pursuant to this DUA; HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page I of 15 DocuSign Envelope ID: E1DA7BD2-08B74BEF-A614-2881281FF7D3 (2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the Confidential Information; and (3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA. "Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR, or that CONTRACTOR may, for an Authorized Purpose, create, receive, maintain, use, disclose or have access to, that consists of or includes any or all of the following: (1) Client Information; (2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information (herein "PHI"); (3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521; (4) Federal Tax Information; (5) Individually Identifiable Health Information as related to HIPAA, Texas HIPAA and Personal Identifying Information under the Texas Identity Theft Enforcement and Protection Act; (6) Social Security Administration Data, including, without limitation, Medicaid information; (7) All privileged work product; (8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552. "Legally Authorized Representative" of the Individual, as defined by Texas law, including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code § 166.164; and Estates Code Ch. 752. ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION 3.01 Obligations of CONTRACTOR CONTRACTOR agrees that: (A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 2 of 15 DocuSign Envelope ID: E1DA7BD2-08B7-4BEF-A614-2881281FF7D3 a manner that is not expressly an Authorized Purpose under this DUA or as Required by Law. 45 CFR 164.502(b) (1); 45 CFR 164.514(d) (B) Except as Required by Law, CONTRACTOR will not disclose or allow access to any portion of the Confidential Information to any Person or other entity, other than Authorized User's Workforce or Subcontractors (as defined in 45 C.F.R. 160.103) of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management, to carry out CONTRACTOR's obligations in connection with the Authorized Purpose. HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health & Safety Code §181.101 All of CONTRACTOR's Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources or offered under Texas Government Code Sec. 2054.519(f). (C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request.45 C.F.R. 164.308(a)(1)(li)(C); 164.530(e); 164.410(b); 164.530(b)(1) (D) CONTRACTOR will not, except as otherwise permitted by this DUA, disclose or provide access to any Confidential Information on the basis that such act is Required by Law without notifying either HHS or CONTRACTOR's own legal counsel to determine whether CONTRACTOR should object to the disclosure or access and seek appropriate relief. CONTRACTOR will maintain an accounting of all such requests for disclosure and responses and provide such accounting to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2)(ii)(A) (E) CONTRACTOR will not attempt to re -identify or further identify Confidential Information or De -identified Information, or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Pun2ose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501, 164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002 (F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information to carry out CONTRACTOR's obligations in connection with the Authorized Purpose on behalf of CONTRACTOR, unless Subcontractor agrees to comply HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 3 of 15 DocuSign Envelope ID: E1 DA78D2-08B7-4BEF-A614-2881281 FF7133 with all applicable laws, rules and regulations. 45 CFR 164.502(e)(1)(ii); 164.504(e)(1)(i) and (2). (G) CONTRACTOR is directly responsible for compliance with, and enforcement of, all conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR 164.504(e)(5); 42 CFR 431.300, et seq. (H) If CONTRACTOR maintains PHI in a Designated Record Set which is Confidential Information and subject to this Agreement, CONTRACTOR will make PHI available to HHS in a Designated Record Set upon request. CONTRACTOR will provide PHI to an Individual, or Legally. Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacy Regulations. CONTRACTOR will release PHI in accordance with the HIPAA Privacy Regulations upon receipt of a valid written authorization. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. CONTRACTOR will maintain an accounting of all such disclosures and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.524and 164.504(e)(2)(ii)(E). (I) If PHI is subject to this Agreement, CONTRACTOR will make PHI as required by HIPAA available to HHS for review subsequent to CONTRACTOR's incorporation of any amendments requested pursuant to HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F). (J) If PHI is subject to this Agreement, CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528. (K) If CONTRACTOR receives a request for access, amendment or accounting of PHI from an individual with a right of access to information subject to this DUA, it will respond to such request in compliance with the HIPAA Privacy Regulations. CONTRACTOR will maintain an accounting of all responses to requests for access to or amendment of PHI and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2). (L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308, 164.530(c); 1 TA 202. (1) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 4 of 15 DocuSign Envelope ID: ElDA7BD2-0867-46EF-A614-2881281FF7D3 legal responsibilities. Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may disclose PHI for the proper management and administration of CONTRACTOR, or to carry out CONTRACTOR's legal responsibilities, if: 45 CFR 164.504(e)(4)(A). (1) Disclosure is Required by L provided that CONTRACTOR complies with Section 3.01(D); or (2) CONTRACTOR obtains reasonable assurances from the person or entity to which the information is disclosed that the person or entity will: (a)Maintain the confidentiality of the Confidential Information in accordance with this DUA; (b) Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the Person; and (c)Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B). (N) Except as otherwise limited by this DUA, CONTRACTOR will, if required by law and requested by HHS, use commercially reasonable efforts to use PHI to provide data aggregation services to HHS, as that term is defined in the HIPAA, 45 C.F.R. § 164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B) (0) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, send to HHS or Destroy, at HHS's election and to the extent reasonably feasible and permissible by law, all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by or disclosed to CONTRACTOR, has been Destroyed or sent to HHS, and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, HHS acknowledges and agrees that CONTRACTOR is not obligated to send to HHSC and/or Destroy any Confidential Information if federal law, state law, the Texas State Library and Archives Commission records retention schedule, and/or a litigation hold notice prohibit such delivery or Destruction. If such delivery or Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such delivery or Destruction is not feasible, and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return delivery or Destruction of the Confidential Information not feasible for as long as CONTRACTOR maintains such Confidential Information. 45 CFR 164.504(e)(2)(ii)(J) HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 5 of 15 DocuSign Envelope ID: E1 DAM2-0887-48EF-A614-2881281 FF7D3 (P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses. 45 CFR 164.306; 164.530(c) (Q) If CONTRACTOR accesses, transmits, stores, and/or maintains Confidential Information, CONTRACTOR will complete and return to HHS at infosecurity@hhsc.state.tx.us the HHS information security and privacy initial inquiry (SPI) at Attachment 1 . The SPI identifies basic privacy and security controls with which CONTRACTOR must comply to protect HHS Confidential Information. CONTRACTOR will comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. CONTRACTOR's security controls will be based on the National Institute of Standards and Technology (MIST) Special Publication 500-53. CONTRACTOR will update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and will provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements. 45 CFR 164.306. (R) CONTRACTOR will establish, implement and maintain reasonable procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, and with respect to PHI, as described in the HIPAA Privacy and Security Regulations, or other applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR 164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards); 164.530(c)(privacy safeguards). (S) CONTRACTOR will designate and identify, a Person or Persons, as Privacy Official 45 CFR 164.530(a)(1) and Information Security Official, each of whom is authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation of the privacy and security requirements in this DUA. CONTRACTOR will provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. If such persons fail to develop and implement the requirements of the DUA, CONTRACTOR will replace them upon HHS request. 45 CFR 164.308(a)(2). (T) CONTRACTOR represents and warrants that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further, that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. 45 CFR 164.502, 164.514(d). HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 6 of 15 DocuSign Envelope ID: ElDA7BD2-0867-46EF-A614-2881281FF7D3 (U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms of this DUA, at all times and supply it to HHS, as directed, upon request. (V) CONTRACTOR will implement, update as necessary, and document reasonable and appropriate policies and procedures for privacy, security and Breach of Confidential Information and an incident response plan for an Event or Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Statement of Work. 45 CFR 164.308, 164.316, 164.514(d); 164.530(i)(1). (W) CONTRACTOR will produce copies of its information security and privacy policies and procedures and records relating to the use or disclosure of Confidential Information received from, created by, or received, used or disclosed by CONTRACTOR for an Authorized Purpose for HHS's review and approval within 30 days of execution of this DUA and upon request by HHS the following business day or other agreed upon time frame. 45 CFR 164.308, 164.514(d). (X) CONTRACTOR will make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, PHI in accordance with HIPAA and other applicable laws and regulations relating to Confidential Information. CONTRACTOR will provide such information in a time and manner reasonably agreed upon or as designated by the Secretary of the U.S. Department of Health and Human Services, or other federal or state law. 45 CFR 164.504(e)(2)(i)(I). (Y) CONTRACTOR will only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form, in accordance with applicable rules, regulations and laws. A secure transmission of electronic Confidential Information in motion includes, but is not limited to, Secure File Transfer Protocol (SFTP) or Encryption at an appropriate level. If required by rule, regulation or law, HHS Confidential Information at rest requires Encryption unless there is other adequate administrative, technical, and physical security. All electronic data transfer and communications of Confidential Information will be through secure systems. Proof of system, media or device security and/or Encryption must be produced to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit or the Discovery of an Event or Breach. Otherwise, requested production of such proof will be made as agreed upon by the parties. De -identification of HHS Confidential Information is a means of security. With respect to de -identification of PHI, "secure" means de -identified according to HIPAA Privacy standards and regulatory guidance. 45 CFR 164.312, 164.530(d). (Z) For each type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses, has access to or transmits in the performance of the Statement of Work, CONTRACTOR will comply with the following laws rules and regulations, only to the extent applicable and required by law: Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code; HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 7 of 15 DocuSign Envelope ID: ElDA76D2-0867-4BEF-A614-2881281FF7D3 • The Privacy Act of 1974; • OMB Memorandum 07-16; • The Federal Information Security Management Act of 2002 (FISMA); • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the DUA; • Internal Revenue Publication 1075 — Tax Information Security Guidelines for Federal, State and Local Agencies; • National Institute of Standards and Technology (MIST) Special Publication 800-66 Revision 1— An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; • NIST Special Publications 800-53 and 800-53A — Recommended Security Controls for Federal Information Systems and Organizations, as currently revised; • NIST Special Publication 800-47 — Security Guide for Interconnecting Information Technology Systems; • NIST Special Publication 800-88, Guidelines for Media Sanitization; • NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI; and Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that CONTRACTOR supports on behalf of HHS. (AA) Notwithstanding anything to the contrary herein, CONTRACTOR will treat any Personal Identifying Information it creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with Texas Business and Commerce Code, Chapter 521 and other applicable regulatory standards identified in Section 3.01(Z), and Individually Identifiable Health Information CONTRACTOR creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with HIPAA and other applicable regulatory standards identified in Section 3.01(Z). ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS 4.01 Breach or Event Notification to HHS. 45 CFR 164.400-414. HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 8 of 15 DocuSlgn Envelope ID: E1 DA7BD2-08B7-46EF-A614-2881281 FF7D3 (A) CONTRACTOR will cooperate fully with HHS in investigating, mitigating to the extent practicable and issuing notifications directed by HHS, for any Event or Breach of Confidential Information to the extent and in the manner determined by HHS. (B) CONTRACTOR'S obligation begins at the Discovery of an Event or Breach and continues as long as related activity continues, until all effects of the Event are mitigated to HHS's reasonable satisfaction (the "incident response period"). 45 CFR 164.404. (C) Breach Notice: (1) Initial Notice. (a) For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information, within the first, consecutive clock hour of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery, or in a timeframe otherwise approved by HHS in writing, initially report to HHS's Privacy and Security Officers via email at: privacy(dj.HHSC.state.tx.us and to the HHS division responsible for this DUA; and IRS Publication 1075; Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in HHSC-CMS Contracts for information exchange. (b) Report all information reasonably available to CONTRACTOR about the Event or Breach of the privacy or security of Confidential Information. 45 CFR 164.410. (c) Name, and provide contact information to HHS for, CONTRACTOR's single point of contact who will communicate with HHS both on and off business hours during the incident response period. (2) Formal Notice. No later than two business days after the Initial Notice above, provide formal notification to privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA, including all reasonably available information about the Event or Breach, and CONTRACTOR's investigation, including without limitation and to the extent available: For (a) - (m) below: 45 CFR 164.400-414. (a) The date the Event or Breach occurred; (b) The date of CONTRACTOR's and, if applicable, Subcontractor's Discovery; (c) A brief description of the Event or Breach; including how it occurred and who is responsible (or hypotheses, if not yet determined); HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 9 of 15 DocuSign Envelope ID: E1 DA7BD2-08B7-4BEF-A614-2881281 FF7D3 (d) A brief description of CONTRACTOR's investigation and the status of the investigation; (e) A description of the types and amount of Confidential Information involved; (f) Identification of and number of all Individuals reasonably believed to be affected, including first and last name of the Individual and if applicable the, Legally Authorized Representative, last known address, age, telephone number, and email address if it is a preferred contact method, to the extent known or can be reasonably determined by CONTRACTOR at that time; (g) CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHS approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply; (h) CONTRACTOR's recommendation for HHS's approval as to the steps Individuals and/or CONTRACTOR on behalf of Individuals, should take to protect the Individuals from potential harm, including without limitation CONTRACTOR's provision of notifications, credit protection, claims monitoring, and any specific protections for a Legally Authorized Representative to take on behalf of an Individual with special capacity or circumstances; (i) The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate); 0) The steps CONTRACTOR has taken, or will take, to prevent or reduce the likelihood of recurrence of a similar Event or Breach, (k) Identify, describe or estimate the Persons, Workforce, Subcontractor, or Individuals and any law enforcement that may be involved in the Event or Breach, (1) A reasonable schedule for CONTRACTOR to provide regular updates during normal business hours to the foregoing in the future for response to the Event or Breach, but no less than every three (3) business days or as otherwise directed by HHS, including information about risk estimations, reporting, notification, if any, mitigation, corrective action, root cause analysis and when such activities are expected to be completed; and HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 10 of 15 DocuSign Envelope ID. E1 DA7i3D2-0867-46EF-A614-2881281 FF7D3 (m) Any reasonably available, pertinent information, documents or reports related to an Event or Breach that HHS requests following Discovery. 4.02 Investigation, Response and Mitigation. 45 CFR 164.308, 310 and 312; 164.530 (A) CONTRACTOR will immediately conduct a full and complete investigation, respond to the Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond, and report as required to and by HHS for incident response purposes and for purposes of HHS's compliance with report and notification requirements, to the reasonable satisfaction of HHS. (B) CONTRACTOR will complete or participate in a risk assessment as directed by HHS following an Event or Breach, and provide the final assessment, corrective actions and mitigations to HHS for review and approval. (C) CONTRACTOR will fully cooperate with HHS to respond to inquiries and/or proceedings by state and federal authorities, Persons and/or Individuals about the Event or Breach. (D) CONTRACTOR will fully cooperate with HHS's efforts to seek appropriate injunctive relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any Confidential Information, including complying with reasonable corrective action or measures, as specified by HHS in a Convective Action Plan if directed by HHS under the Base Contract. 4.03 Breach Notification to Individuals and Reporting to Authorities. Tex. Bus. & Comm. Code §521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities) (A) HHS may direct CONTRACTOR to provide Breach notification to Individuals, regulators or third -parties, as specified by HHS following a Breach. (B) CONTRACTOR shall give HHS an opportunity to review and provide feedback to CONTRACTOR and to confirm that CONTRACTOR's notice meets all regulatory requirements regarding the time, manner and content of any notification to Individuals, regulators or third -parties, or any notice required by other state or federal authorities, including without limitation, notifications required by Texas Business and Commerce Code, Chapter 521.053(b) and H11'AA. HHS shall have ten (10) business days to provide said feedback to CONTRACTOR. Notice letters will be in CONTRACTOR's name and on CONTRACTOR's letterhead, unless otherwise directed by HHS, and will contain contact information, including the name and title of CONTRACTOR's representative, an email address and a toll -free telephone number, if required by applicable law, rule, or regulation, for the Individual to obtain additional information. (C) CONTRACTOR will provide 1111S with copies of distributed and approved communications. HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 11 of 15 DocuSign Envelope ID: ElDA7BD2-08B7-46EF-A61M2881281FF7D3 (D) CONTRACTOR will have the burden of demonstrating to the reasonable satisfaction of HHS that any notification required by HHS was timely made. If there are delays outside of CONTRACTOR's control, CONTRACTOR will provide written documentation of the reasons for the delay. (E) If HHS delegates notice requirements to CONTRACTOR, HHS shall, in the time and manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's information requests in order to make such notifications and reports. ARTICLE 5. STATEMENT OF WORK "Statement of Work" means the services and deliverables to be performed or provided by CONTRACTOR, or on behalf of CONTRACTOR by its Subcontractors or agents for HHS that are described in detail in the Base Contract. The Statement of Work, including any future amendments thereto, is incorporated by reference in this DUA as if set out word-for-word herein. ARTICLE 6. GENERAL PROVISIONS 6.01 Oversight of Confidential Information CONTRACTOR acknowledges and agrees that HHS is entitled to oversee and monitor CONTRACTOR's access to and creation, receipt, maintenance, use, disclosure of the Confidential Information to confirm that CONTRACTOR is in compliance with this DUA. 6.02 HHS Commitment and Obligations HHS will not request CONTRACTOR to create, maintain, transmit, use or disclose PHI in any manner that would not be permissible under applicable law if done by HHS. 6.03 HHS Right to Inspection At any time upon reasonable notice to CONTRACTOR, or if HHS determines that CONTRACTOR has violated this DUA, HHS, directly or through its agent, will have the right to inspect the facilities, systems, books and records of CONTRACTOR to monitor compliance with this DUA. For purposes of this subsection, HHS's agent(s) include, without limitation, the HHS Office of the Inspector General or the Office of the Attorney General of Texas, outside consultants or legal counsel or other designee. 6.04 Term; Termination of DUA; Survival This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended or amended, this DUA shall be extended or amended concurrent with such extension or amendment. HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 12 of 15 DocuSign Envelope ID ElDA76D2-08B7-4BEF-A614-2881281FF7D3 (A) HHS may immediately terminate this DUA and Base Contract upon a material violation of this DUA. (B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the Confidential Information until such time as determined by HHS. (C) If HHS determines that CONTRACTOR has violated a material term of this DUA; HHS may in its sole discretion: (1) Exercise any of its rights including but not limited to reports, access and inspection under this DUA and/or the Base Contract; or (2) Require CONTRACTOR to submit to a Corrective Action Plan, including a plan for monitoring and plan for reporting, as HHS may determine necessary to maintain compliance with this DUA; or (3) Provide CONTRACTOR with a reasonable period to cure the violation as determined by 1-1HS; or (4) Terminate the DUA and Base Contract immediately, and seek relief in a court of competent jurisdiction in Texas. Before exercising any of these options, HHS will provide written notice to CONTRACTOR describing the violation, the requested corrective action CONTRACTOR may take to cure the alleged violation, and the action HHS intends to take if the alleged violated is not timely cured by CONTRACTOR. (D) If neither termination nor cure is feasible, HHS shall report the violation to the Secretary of the U.S. Department of Health and Human Services. (E) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration or termination of this DUA until all the Confidential Information is Destroyed or returned to HHS, as required by this DUA. 6.05 Governing Law, Venue and Litigation (A) The validity, construction and performance of this DUA and the legal relations among the Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas. (B) The Parties agree that the courts of Texas, will be the exclusive venue for any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise out of, or in connection with, or by reason of this DUA. 6.06 Injunctive Relief HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 13 of 15 DocuSlgn Envelope ID: ElDA76D2-08B7-4BEF-A614-2881281FF7D3 (A) CONTRACTOR acknowledges and agrees that HHS may suffer irreparable injury if CONTRACTOR or its Subcontractor fails to comply with any of the terms of this DUA with respect to the Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential Information. (B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate HHS for CONTRACTOR's or its Subcontractor's failure to comply. Accordingly, CONTRACTOR agrees that HHS will, in addition to any other remedies available to it at law or in equity, be entitled to seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages, to enforce the terms of this DUA. 6.07 Responsibility. To the extent permitted by the Texas Constitution, laws and rules, and without waiving any immunities or defenses available to CONTRACTOR as a governmental entity, CONTRACTOR shall be solely responsible for its own acts and omissions and the acts and omissions of its employees, directors, officers, Subcontractors and agents. HHS shall be solely responsible for its own acts and omissions. 6.08 Insurance (A) As a governmental entity, and in accordance with the limits of the Texas Tort Claims Act, Chapter 101 of the Texas Civil Practice and Remedies Code, CONTRACTOR either maintains commercial insurance or self -insures with policy limits in an amount sufficient to cover CONTRACTOR's liability arising under this DUA. CONTRACTOR will request that HHS be named as an additional insured. HHSC reserves the right to consider alternative means for CONTRACTOR to satisfy CONTRACTOR's financial responsibility under this DUA. Nothing herein shall relieve CONTRACTOR of its financial obligations set forth in this DUA if CONTRACTOR fails to maintain insurance. (B) CONTRACTOR will provide HHS with written proof that required insurance coverage is in effect, at the request of HHS. 6.08 Fees and Costs Except as otherwise specified in this DUA or the Base Contract, if any legal action or other proceeding is brought for the enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default, misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each party will bear their own legal expenses and the other cost incurred in that action or proceeding. 6.09 Entirety of the Contract This DUA is incorporated by reference into the Base Contract as an amendment thereto and, together with the Base Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of obligations arising under those documents will be valid unless in writing and executed by the party against whom such change, waiver, or discharge is sought to be HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 14 of 15 DocuSign Envelope ID: ElDA7BD2-08B7-46EF-A614-2881281FF7D3 enforced. If any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls. 6.10 Automatic Amendment and Interpretation If there is (i) a change in any law, regulation or rule, state or federal, applicable to HIPPA and/or Confidential Information, or (ii) any change in the judicial or administrative interpretation of any such law, regulation or rule„ upon the effective date of such change, this DUA shall be deemed to have been automatically amended, interpreted and read so that the obligations imposed on HHS and/or CONTRACTOR remain in compliance with such changes. Any ambiguity in this DUA will be resolved in favor of a meaning that permits HHS and CONTRACTOR to comply with HIPAA or any other law applicable to Confidential Information. HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 15 of 15 Certificate Of Completion Envelope Id: E1DA7BD208B74BEFA6142881281FF7D3 Subject: HHS001112200001 City of Lubbock Base MOU Source Envelope: Document Pages: 20 Signatures: 2 Certificate Pages: 5 Initials: 0 AutoNav: Enabled Envelopeld Stamping: Enabled Time Zone: (UTC-06:00) Central Time (US & Canada) Record Tracking Status: Original 10/25/2021 7:19:43 PM Signer Events Daniel Pope dpope@mylubbock.us Mayor City of Lubbock Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Accepted: 10/26/2021 4:40:22 PM ID:dc279bcb-d2f2-484f-8e07-34e82c953975 Jonah Wilczynski jonah.wiiczynski@dshs.texas.gov Unit Director Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Accepted: 10/26/2021 7:13:21 PM ID: 5e6f3fa8-7ebe-40f5-b7a0-fcd2e76dcf5d Patty Melchior Patty. Melchior@dshs.texas.gov Director, DSHS CMS Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Accepted: 10/27/2021 6:33:03 AM ID:7e4cb9c5-3f52-429a-9190-e23320ad53da David Gruber david.gruber@dshs.texas.gov Associate Commissioner for RLHS Texas Health and Human Services Commission Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Accepted: 1/3/2021 4:48:45 PM ID:bd2f4497-b4dc-4c51-9974-71b86780cff4 Holder: CMS Internal Routing Mailbox CMS.InternalRouting@dshs.texas.gov Signature E000uBlpnW by: za Pbrt- 3FO37B53155MF Signature Adoption: Pre -selected Style Using IP Address: 208.84.91.41 Completed Using IP Address: 160.42.85.12 Completed Using IP Address: 167.137.1.9 COw Sign dby- BI CFE CE A /� Signature Adoption: Drawn on Device Using IP Address: 160.42.85.12 Docu ftrr Status: Completed Envelope Originator: CMS Internal Routing Mailbox 11493 Sunset Hills Road #100 Reston, VA 20190 CMS.IntemalRouting@dshs.texas.gov IP Address: 167.137.1.8 Location: DocuSign Timestamp Sent: 10/25/2021 7:33:36 PM Viewed: 10/26/2021 4:40:22 PM Signed: 10/26/2021 5:26:09 PM Sent: 10/26/2021 5:26:11 PM Viewed: 10/26/2021 7:13:21 PM Signed: 10/26/2021 7:13:30 PM Sent: 10/26/2021 7:13:32 PM Viewed: 10/27/2021 6:33:03 AM Signed: 10/27/2021 6:33:11 AM Sent: 10/27/2021 6:33:13 AM Viewed: 10/27/2021 11:47:33 AM Signed: 10/27/2021 11:47:43 AM In Person Signer Events Signature Timestamp Editor Delivery Events Status Timestamp Agent Delivery Events Status Timestamp Intermediary Delivery Events Status Timestamp Certified Delivery Events Status Timestamp Carbon Copy Events Status Timestamp Rachel Dolan Sent: 10/25/2021 7:33:36 PM rdolan@mylubbock.us COPIED Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign CMS Internal Routing Sent: 10/27/2021 11:47:45 AM cros-internalrouting@dshs.texas.gov COPIED Resent: 10/27/2021 11:47:48 AM DSHS Contract Management Section Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign David Acosta Sent: 10/27/2021 11:47:45 AM david.acosta@dshs.texas.gov COPIED Viewed. 10/27/2021 2:59:37 PM CSIV Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via DocuSign Witness Events Signature Timestamp Notary Events Signature Timestamp Envelope Summary Events Status Timestamps Envelope Sent Hashed/Encrypted 10/25/2021 7:33:36 PM Certified Delivered Security Checked 10/27/2021 11:47:33 AM Signing Complete Security Checked 10/27/2021 11 :47:43 AM Completed Security Checked 10/27/2021 11:47:45 AM Payment Events Status Timestamps Electronic Record and Signature Disclosure Electronic Record and Signature Disclosure created on: 9/14/2020 7:10:18 PM Parties agreed to: Daniel Pope, Jonah Wilczynski, Patty Melchior, David Gruber ELECTRONIC RECORD AND SIGNATURE DISCLOSURE From time to time, DSHS Contract Management Section (we, us or Company) may be required by law to provide to you certain written notices or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please confirm your agreement by selecting the check -box next to `I agree to use electronic records and signatures' before clicking `CONTINUE' within the DocuSign system. Getting paper copies At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a $0.00 per -page fee. You may request delivery of such paper copies from us by following the procedure described below. Withdrawing your consent If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future notices and disclosure in paper format and withdraw your consent to receive notices and disclosures electronically is described below. Consequences of changing your mind If you elect to receive required notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures. Further, you will no longer be able to use the DocuSign system to receive required notices and consents electronically from us or to sign electronically documents from us. All notices and disclosures will be sent to you electronically Unless you tell us otherwise in accordance with the procedures described herein, we will provide electronically to you through the DocuSign system all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you by the same method and to the same address that you have given us. Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process, please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us. How to contact DSHS Contract Management Section: You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows: To contact us by email send messages to: alison joffrion(c hhsc.state.tx.us To advise DSHS Contract Management Section of your new email address To let us know of a change in your email address where we should send notices and disclosures electronically to you, you must send an email message to us at alison.joffrion@hhsc.state.tx.us and in the body of such request you must state: your previous email address, your new email address. We do not require any other information from you to change your email address. If you created a DocuSign account, you may update it with your new email address through your account preferences. To request paper copies from DSHS Contract Management Section To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, you must send us an email to alison.joffrion@hhsc.state.tx.us and in the body of such request you must state your email address, full name, mailing address, and telephone number. We will bill you for any fees at that time, if any. To withdraw your consent with DSHS Contract Management Section To inform us that you no longer wish to receive future notices and disclosures in electronic format you may: i. decline to sign a document from within your signing session, and on the subsequent page, select the check -box indicating you wish to withdraw your consent, or you may; ii. send us an email to alison.joffrion@hhsc.state.tx.us and in the body of such request you must state your email, full name, mailing address, and telephone number. We do not need any other information from you to withdraw consent.. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.. Required hardware and software The minimum system requirements for using the DocuSign system may change over time. The current system requirements are found here: httl2s:Hsupport.docusi ng_com/guides/si ner- uig_de-_ si ng_ing-system-requirements. Acknowledging your access and consent to receive and sign documents electronically To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosures that we will provide to you, please confirm that you have read this ERSD, and (i) that you are able to print on paper or electronically save this ERSD for your future reference and access; or (ii) that you are able to email this ERSD to an email address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format as described herein, then select the check -box next to `I agree to use electronic records and signatures' before clicking `CONTINUE' within the DocuSign system. By selecting the check -box next to `I agree to use electronic records and signatures', you confirm that: You can access and read this Electronic Record and Signature Disclosure; and You can print on paper this Electronic Record and Signature Disclosure, or save or send this Electronic Record and Disclosure to a location where you can print it, for future reference and access; and Until or unless you notify DSHS Contract Management Section as described above, you consent to receive exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you by DSHS Contract Management Section during the course of your relationship with DSHS Contract Management Section.