Resolution - 2012-R0088 - Amendment To Agreement - TX HHS Commission - Extend 18 Months - 02_23_2012
Resolution No. 2012-R0088
February 23, 2012
Item No. 1.1
RESOLUTION
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:
THAT the Mayor of the City of Lubbock is hereby authorized and directed to
execute for and on behalf of the City of Lubbock, an Amendment to the Medical
Transportation Services Agreement to extend the terms of the agreement for an additional
eighteen (18) months, by and between the City of Lubbock and Texas Health and Human
Services Commission, and related documents. Said Amendment is attached hereto and
incorporated in this resolution as if fully set forth herein and shall be included in the
minutes of the City Council.
Passed by the City Council on February 23, 2012
TOM MARTIN, MAYOR
Garza, City Secretary
APPROVED AS TO CONTENT:
ty Development
Citibus
APPROVED AS TO FORM:
Weaver, Assistant City Attorney
xs/RES.Citibus Amendment -Tx Health & HSC
26, 2010
STATE OF TEXAS § HHSC 529-08-0196-00016
COUNTY OF TRAVIS
HHSC AMENDMENT THREE
TO THE
MEDICAL TRANSPORTATION SERVICES AGREEMENT
BETWEEN THE
TEXAS HEALTH AND HUMAN SERVICES COMMISSION
AND
CITIBUS
Article 1. Background and Objectives
Section 1.01 Background
THIS HHSC AMENDMENT THREE ("Amendment") to HHSC contract 529-08-0196-00016
("Agreement") is entered into between the Texas Health and Human Services Commission
("HHSC"), an administrative agency within the executive department of the State of Texas, with
its principal place of business at 4900 North Lamar Boulevard, Austin, Texas, 78751 and Citibus
("CONTRACTOR"), 801 Texas Ave., Lubbock TX 79401, organized under the laws of Texas,
and having its principal offices at 801 Texas Ave., Lubbock TX 79401. HHSC and the
CONTRACTOR may be referred to in this Amendment individually as "Party" and collectively
as the "Parties."
The Texas Department of Transportation ("TxDOT") issued its solicitation entitled
"Request for Proposal ("RFP"), Medical Transportation Program, Statewide Transportation
Services," Solicitation No. B442006073000 October, 2005 with an initial term of 36 months of
performance beginning June 26, 2006 and ending June 25, 2009. TxDOT assigned the contract to
HHSC effective May 1, 2008, pursuant to S.B. 10, 80th Legislature, Regular Session, 2007.
HHSC assigned contract number 529-08-0196-00016 to the contract.
Section 1.02 Authority
This Amendment is executed under the authority granted in §531.02414 of the Tex. Gov
Code and the Human Resource Code, Section 22.002 and in compliance with Articles 7 and 11 of
the HHSC Uniform Contract Terms and Conditions (UTC) v. 1.4.
Section 1.03 Objectives
The objectives of this Amendment are to extend the term of the agreement to procure
continued services, provide for payment of costs for those continued services, incorporate
modifications therein, and provide performance standards and liquidated damages.
RECEIVED FEB 27 2012 MTP-Central Office
HHSC Contract No. 529-08-0196-00016 Page 1
Article II. Amendment to the Obligations of the Parties
Section 2.01 Modification of Term
The Agreement's current term expires on February 29, 2012. Under this Amendment
Three, the additional term will commence on March 1, 2012 and expire no later than August 31,
2013, unless extended to complete the intended purpose of the agreement or terminated earlier
pursuant to UTC 11.03.
Section 2.02 HHSC Uniform Contract Terms and Conditions, 1.4.1
The term "Agreement" means the contract awarded as a result of the TxDOT Solicitation
and includes all exhibits to the Solicitation. The following documents in order of priority are
incorporated into the agreement:
• the Contract document (s) and any Amendments;
• the TxDOT Solicitation all addenda, attachments and exhibits;
• modifications, addendum or amendments issued in conjunction with the TxDOT
Solicitation;
• HHSC's Uniform Contract Terms and Conditions (UTCs), Version 1.4.1 located at
http://www.hhsc.state.tx.us/about_hhsc/Contracting/rfp_attch/General TC.pdf; and
• the successful Respondent's proposal.
Section 2.03 Revisions to the contract
All data given to Contractors is deemed confidential and will be protected in accordance
with Exhibit A, Business Associate and Data Use Agreement, to this Amendment.
All references to MTP's automation system, TEJAS in previous contract documents are
replaced with "MTP automation system used to authorize nonemergency Medical Transportation
services."
All references to TxDOT in previous contract documents are replaced with Texas Health
and Human Services Commission (HHSC).
9.8. The Contractor shall report all service provider and recipient no-shows and any add-on
trips the following workday to HHSC is replaced with, "Contractor is responsible for adjusting
trips to accurately reflect the outcome of the services provided using the MTP automated system
on March 1, 2012 or as instructed by HHSC."
9.10. HHSC reviews and approves claim for payment is replaced with, "TSAP shall submit
claims to the designated claims processing systems upon notification from HHSC."
10.3.3.1, The Contractor shall notify HHSC the next business day of contact number(s) that are
disconnected, or incorrect as listed, is replaced with, "The Contractor shall enter the correct client
telephone numbers that are incorrect, enter a notation when telephone numbers are disconnected,
and correct addresses in the MTP automated system, when the system is available."
10.8.4. Notify HHSC of any additional trips (Add-on Trips) for prior authorized recipients made
under the following circumstances is replaced with, "The TSAP will enter any
additional trips (Add-on Trips) in the MTP automated system for prior authorized recipients,
when the system is available."
10.2.3, Print the final daily manifest at the end of each day to ensure that it captures authorized
services for the following day is replaced with, "Contractor is responsible for retrieving service
trip authorizations through the appropriate MTP automated system."
10.7.2, Provide records that contain all pertinent documentation, including operator's logs for
each service billed to MTP. The operator logs must include the recipient's and the
attendant's (if applicable) signatures, and the time that the recipient or their attendant were
picked up and dropped off for each segment of a trip is replaced with, "Provide records that
contain all pertinent documentation, including operator's logs for each service billed to MTP.
The operator logs must include the recipient's and the attendant's (if applicable) signatures, the
time that the recipient or their attendant were picked up and dropped off for each segment of a
trip and the name of the driver who provided the transportation."
10.9. INSURANCE REQUIREMENTS: Non-Governmental entities shall comply with following
insurance requirements after issuance of the purchase order and prior to beginning work.
10.9.1.1. Comprehensive General Liability Minimum Limits:
10.9.1.1.1. $500,000.00 Each Occurrence
10.9.1.1.2. $500,000.00 Personal & Adv Injury
10.9.1.1.3. $500,000.00 General Aggregate
10.9.1.1.4. $500,000.00 Products/Comp Op Agg
10.9.1.1.5. Waiver of Subrogation in favor of HHSC
10.9.1.1.6. Additional Insured Certificate in favor of HHSC
10.9.1.2. Business Auto Liability For Any Auto Minimum Limits
10.9.1.2.1. CSL (Combined Single Limit) $750,000.00
Bodily Injury Per Person
Bodily Injury Per Accident
Property Damage Per Accident
10.9.1.2.3. Waiver of Subrogation in favor of HHSC
10.9.1.2.4. Additional Insured Certificate in favor of HHSC
10.9.1.3. Workers Compensation & Employers Liability
10.9.1.3.1. Workers Compensation Statutory Limits
10.9.1.3.2. Employers Liability $100,000.00
10.9.1.3.3. Disease $100,000.00 Each Employee
10.9.1.3.4. Disease $500,000.00 Policy Limit
10.9.1.3.5. Waiver of Subrogation in favor of HHSC
10.9.1.8. The prime Contractor shall submit insurance renewals, changes, amendments or
modifications made to any insurance policy (ies) is replaced with, "The prime Contractor will
submit insurance renewals, changes, amendments or modifications made to any insurance
policy(ies) as instructed by HHSC."
10.9.5. The Contractor shall adhere to the following reporting requirements is replaced with,
"The Contractor will adhere to the following reporting requirements on March 1, 2012 or as
instructed by HHSC".
Occurrence | Reporting
Log of recipient and Contractor no-shows | Contractor will enter the current and correct information in the MTP automated system
Log of recipient add-on trips | Contractor will enter the current and correct information in the MTP automated system
Respond to recipient complaints received by HHSC | Contractor will respond to client complaints within 10 business days; Contractor will respond to Ombudsman complaints within 3 days and Contractor will respond to Legislative and urgent complaints within 48 hours
Report allegations of fraud or program, abuse, sexual harassment or physical or verbal abuse committed by recipient and/or attendants during trips authorized by HHSC | Entered on web portals as instructed by HHSC staff
10.11.4. Provide training for operators that includes, but is not limited to:
10.11.4.1. First-aid every 3 years.
10.11.4.2. Recognize when and how to call for emergency services annually.
10.11.4.3. Defensive driving every 2 years.
10.11.4.4. Passenger assistance annually
10.11.4.5. Recipient safety annually.
10.11.4.6. Wheelchair transfer and securing of wheelchair in transportation vehicle annually.
10.11.4.7. Any additional required TSAP training.
17. CLAIM FILING INSTRUCTIONS AND PAYMENT REQUIREMENTS: The claim
shall be completed with all required documentation and submitted to the address to be provided
by MTP upon issuance of the purchase order. Claims should not be sent to the invoice address
provided on the purchase order, instructions of where to send claims will be provided. Claims
will be filed electronically, when available in TEJAS, is replaced with, "The Contractor shall
possess and maintain a claims processing system that assures compliance with all technical
requirements to assure only claims for appropriate services provided by eligible and credentialed
drivers and enrolled subcontractors are paid. This system must have appropriate edits and audits
to monitor and detect duplicate services and guard against fraudulent billing. The Contractor
shall continue to file claims electronically for services authorized by HHSC using TEJAS."
"The Contractor shall possess and maintain a claims processing and payment system that
processes HIPAA 837 electronic claims or CMS 1500 claim forms for use when HHSC
implements the Texas Medical Transportation System (TMTS) and transitions medical
transportation claims processing to the state's Medicaid fiscal agent. Absent the HIPAA 837
electronic claims and CMS 1500, the Contractor shall submit eligible transportation claims via
the Medicaid fiscal agent's browser-based application to file claims electronically."
Section 2.04 Performance Remedies — Damages
CONTRACTOR is expected to meet or exceed the objectives and standards set forth in
this Agreement. All areas of responsibility and all requirements listed in the Agreement will be
subject to performance evaluation by HHSC in accordance with the HHSC's Uniform Contract
Terms and Conditions. Performance reviews may be conducted at HHSC's discretion, at any
time, and may relate to any responsibility and/or requirement. Any and all responsibilities and
requirements not fulfilled may be subject to the remedies set forth in Article 11 of HHSC's
Uniform Contract Terms. HHSC reserves the right to provide services by contracting with
a transportation provider when the Contractor fails to provide reliable, timely, or safe
transportation services.
Section 2.05 Effective date
The modifications to the Agreement provided in this Amendment Three will take effect
upon execution and will terminate on the Expiration Date of the Agreement unless extended or
terminated sooner by HHSC in accordance with the Agreement.
ARTICLE III. REPRESENTATIONS AND AGREEMENTS OF THE PARTIES.
Section 3.01 Continuing effect of the Agreement
The Parties contract and agree that the terms of the Agreement shall remain in effect and
continue to govern except to the extent modified in this Amendment.
Section 3.02 Incorporation of the terms of the Amendment
By signing this Amendment, the Parties expressly understand and agree that this
Amendment is hereby made a part of the Agreement as though it were set out word for word in
the Agreement.
IN WITNESS HEREOF, HHSC AND CONTRACTOR have each caused this Amendment to
be signed and delivered by its duly authorized representative.
Health & Human Services Commission
By:
Thomas M. Suehs
Executive Commissioner
Date:
CITIBUS
By:
Print Name: TOM MARTIN
Job Title: Mayor
Date: February 23, 2012
Print Name: JOHN WILSON
Job Title: General Manager
Citibus
ATTEST:
Rebecca Garza, City Secretary
APPROVED AS TO CONTENT:
Bill Howerton, CD/Citibus Liaison
APPROVED AS TO FORM:
Chad Weaver, Assistant City Attorney
HHSC Contract No. 529-08-0196-00016 Exhibit "A"
DATA USE AND BUSINESS ASSOCIATE AGREEMENT
BETWEEN HEALTH AND HUMAN SERVICES COMMISSION
AND CITIBUS ("CONTRACTOR")
ARTICLE 1. PURPOSE
ARTICLE 2. DEFINITIONS
    Section 2.01 Definition of Confidential Information
    Section 2.02 Other Definitions
ARTICLE 3. Data Use Terms and Conditions
ARTICLE 4. Authority To Execute
ATTACHMENT 1. Access, Use, Disclosure of Confidential Information
    Section A1.01 Ownership of Confidential Information
    Section A1.02 General Obligations of CONTRACTOR
    Section A1.03 Specific Duties and Obligations of CONTRACTOR
    Section A1.04 Other Permissible Uses and Disclosures of PHI by CONTRACTOR
    Section A1.05 Security Requirements for Confidential Information
    Section A1.06 Breach Notification, Report and Mitigation Requirements
ATTACHMENT 2. Scope of Work
ATTACHMENT 3. Other Obligations of CONTRACTOR
    Section A3.01 Location of Confidential Information; Custodial Responsibility
    Section A3.02 PHI in Designated Record Set
    Section A3.03 CONTRACTOR Recordkeeping, Accounting and Disclosure Tracking
ATTACHMENT 4. Disposition of Confidential Information
    Section A4.01 CONTRACTOR's Duty in General
    Section A4.02 Return or Destruction of Confidential Information
ATTACHMENT 5. General Provisions
    Section A5.01 HHSC commitment and obligations
    Section A5.02 HHSC Right to Inspection
    Section A5.03 Access to PHI
    Section A5.04 Term of Agreement
    Section A5.05 Termination
    Section A5.06 Publication
    Section A5.07 Governing Law, Venue and Litigation
    Section A5.08 Injunctive Relief
    Section A5.09 Indemnification
    Section A5.10 Insurance
    Section A5.11 Fees and Costs
    Section A5.12 Entirety of the Agreement
    Section A5.13 Automatic Amendment and Interpretation
ATTACHMENT 6. Confidential Information
ATTACHMENT 7. Security Guidelines and Procedures
ATTACHMENT 8. List of Authorized Users
HHSC Data Use and Business Associate Agreement V.1
Page 1 of 8
HHSC Contract No. 529-08-0196-00016
STATE OF TEXAS
COUNTY OF TRAVIS
DATA USE AND BUSINESS ASSOCIATE AGREEMENT
BETWEEN HEALTH AND HUMAN SERVICES COMMISSION
AND West Texas Opportunities, Inc. ("CONTRACTOR")
This Data Use And Business Associate Agreement (the "Agreement") is entered into by and
between Health and Human Services Commission ("HHSC") and Citibus ("CONTRACTOR"),
and incorporated into the terms of the "Base Contract" entered into by these parties, HHSC
Contract No. 529-08-0196-00016.
ARTICLE /.PURPOSE
CONTRACTOR requires access to information about HHSC programs and/or its clients for HHSC
program benefits and services described in the Base Contract. This information is deemed confidential under
state and federal law. CONTRACTOR acknowledges the sensitive and confidential nature of this
information and agrees that it will take all necessary and reasonable measures to preserve and protect the
confidentiality, privacy, security, integrity, availability and appropriate use of the HHSC information.
The purpose of this Agreement is to facilitate the sharing of Confidential Information with
CONTRACTOR, and clarify CONTRACTOR's obligations with respect to its access to and use and
disclosure of the information. This Agreement expressly describes the limited purposes for which the
CONTRACTOR may access, use or disclose the information, and establishes CONTRACTOR's rights and
responsibilities concerning the information. This Agreement also describes HHSC's remedies in the event of
CONTRACTOR's noncompliance with its obligations under this Agreement.
ARTICLE 2. DEFINITIONS
For the purposes of this Agreement, the following terms below have the meanings set forth below.
Section 2.01 Definition of Confidential Information
For the purposes of this Agreement, the term "Confidential Information" has the meaning set forth
below. Capitalized terms included in this definition have the meanings set forth in Section 2.02 below.
"Confidential Information" means any communication or record (whether oral, written, electronically
stored or transmitted, or in any other form) that consists of or includes any or all of the following:
(1)
(2) Electronic Protected Health Information;
(3) Federal Tax Information;
(4) Personally Identifiable Information;
(5) Protected Health Information;
(6) Social Security Administration Data;
(7) Unsecured Protected Health Information;
(8) All non-public budget, expense, payment and other financial information;
(9) All privileged work product;
(10) All information designated as confidential under the laws of the State of Texas and of the
United States;
(11) To the extent permitted under the laws and constitution of the State of Texas, all
information designated by HHSC or any other State agency as confidential, including but
not limited to all information designated as confidential under the Texas Public Information
Act, Texas Government Code, Chapter 552;
(12) Information that is utilized, developed, received, or maintained by HHSC, the
CONTRACTOR, or participating State agencies for the purpose of fulfilling a duty or
obligation under this Agreement and that has not been publicly disclosed;
(13) Information identified in Attachment 6 attached to this Agreement and to which
CONTRACTOR specifically seeks to obtain access for an Authorized Purpose.
Section 2.02 Other Definitions
For the purposes of this Agreement, the following terms have the meanings set forth below.
"Authorized Purpose" means the purpose or purposes described in the Scope of Work attached to this
Agreement as Attachment 2, or any other purpose expressly authorized by HHSC in writing in advance.
"Authorized User" means a Person:
(1) Who is authorized to view, handle, examine, interpret, or analyze Confidential Information
pursuant to this Agreement;
(2) For whom CONTRACTOR warrants and represents has a demonstrable need to know and
have access to the Confidential Information; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to
the Confidential Information as required by this Agreement, such agreement evidenced by
each Authorized User's signature on the form attached to this Agreement as Attachment 8.
"Breach" means:
(1) Breach of PHI. With respect to Protected Health Information ("PHI") pursuant to HIPAA
and the HITECH Act including without limitation Electronic Protected Health Information
and/or Unsecured Protected Health Information, the acquisition, access, use, or disclosure
of PHI in a manner not permitted under the Agreement and/or HIPAA Privacy
Regulations or HIPAA Security Regulations, which compromises the security or privacy of
the PHI.
With respect to PHI, "compromises the security or privacy of the PHI" means poses a
significant risk of financial, reputational, or other harm to the individual. A use or
disclosure of De-Identified Information, date of birth, and zip code does not compromise
the security or privacy of the PHI.
With respect to PHI, "Breach" pursuant to HIPAA excludes:
(A) Any unintentional acquisition, access or use of PHI by a workforce member or
person acting under the authority of HHSC or CONTRACTOR if such acquisition,
access, or use was made in good faith and within the scope of authority and does not
result in further use or disclosure in a manner not permitted under the HIPAA
Privacy Regulations.
(B) Any inadvertent disclosure by a person who is authorized to access PHI at HHSC or
CONTRACTOR to another person authorized to access PHI at the same HHSC or
CONTRACTOR location, or organized health care arrangement, as defined by
HIPAA Privacy Regulations and HIPAA Security Regulations, in which HHSC
participates, and the information received as a result of such disclosure is not further
used or disclosed in a manner not permitted under the HIPAA Privacy Regulations.
(C) A disclosure of PHI where HHSC or CONTRACTOR has a good faith belief that an
unauthorized person to whom the disclosure was made would not reasonably have
been able to retain such information, pursuant to HITECH and the HIPAA Security
Regulations.
(2) "Breach of System Security," as defined by the Texas Breach Law. For purpose of the
Texas Breach Law, the currently undefined phrase, "compromises the security,
confidentiality, or integrity of sensitive personal information," will be interpreted in
HHSC's sole discretion, including without limitation, any reasonable likelihood of harm
or loss to an individual taking into consideration relevant fact-specific information about
the breach, including without limitation, any legal requirements the unauthorized person is
subject to regarding Confidential Information to protect and further safeguard the data from
unauthorized use or disclosure, and/or the receipt of satisfactory assurance from the person
that the person agrees to further protect and safeguard, return and/or destroy the data
subject to the Texas Breach Law to the satisfaction of HHSC; and/or
(3) Any unauthorized use or disclosure as defined by any other law and any regulations
adopted there under, regarding Confidential Information.
"Business Associate" means a person or organization, other than a member of HHSC's workforce, that
performs certain functions or activities on behalf of, or provides certain services to, HHSC that involve the
use or disclosure of individually identifiable health information. The meaning of Business Associate is more
fully described in the HIPAA Privacy Regulations and HIPAA Security Regulations. CONTRACTOR is a
Business Associate of HHSC for purposes of this Agreement.
"Client Information" means Personally Identifiable Information about or concerning recipients of
benefits under one or more public assistance programs administered by HHSC.
"De-Identified Information" means health information, as defined in the HIPAA Privacy Regulations
as not PHI, regarding which there is no reasonable basis to believe that the information can be used to
identify an individual. HHSC has determined that health information is not individually identifiable and there
is no reasonable basis to believe that the information can be used to identify an individual only if:
(1) The following identifiers of the individual or of relatives, employers, or household
members of the individual, are removed from the information:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city,
county, precinct, zip code, and their equivalent geocodes, except for the initial three
digits of a zip code if, according to the current publicly available data from the
Bureau of the Census:
(i) The geographic unit formed by combining all zip codes with the same three
initial digits contains more than 20,000 people; and
(ii) The initial three digits of a zip code for all such geographic units containing
20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual,
including birth date, admission date, discharge date, date of death; and all ages over
89 and all elements of dates (including year) indicative of such age, except that such
ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers (including without limitation, Medicaid Identification
Number);
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by
paragraph (C) of this section; and
(2) Neither HHSC nor CONTRACTOR has actual knowledge that the information could be
used alone or in combination with other information to identify an individual who is a
subject of the information.
"Designated Record Set" means a group of records maintained by or for a covered entity that is: (i) the
medical records and billing records about individuals maintained by or for a covered health care provider; (ii)
the enrollment, payment, claims adjudication, and case or medical management record systems maintained
by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about
individuals. For purposes of this definition, "record" means any item, collection, or grouping of information
that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
"Destroy" means, as specified in the HIPAA Security Rule Regulations:
(1) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI
cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as
a means of data destruction.
(2) Electronic media have been cleared, purged, or destroyed as specified in the HIPAA
Security Rule Regulations, such that the PHI cannot be retrieved.
"Discovery" means the first day on which an incident is known to CONTRACTOR, or, by exercising
reasonable diligence would have been known to CONTRACTOR, and includes incidents discovered by or
reported to CONTRACTOR by its officers, directors, employees, agents, work force members,
subcontractors or third-parties (such as legal authorities and/or individuals).
"Electronic Health Record" means an electronic record of health-related information on an individual
that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
"Electronic Protected Health Information" ("EPHI") means any PHI which is maintained or
transmitted by Electronic Media, as further described in the HIPAA Privacy Regulations and the HIPAA
Security Regulations.
"Encrypted Electronic Protected Health Information" means, as specified in the HIPAA Security
Regulations, the use of an algorithmic process to transform data into a form in which there is a low
probability of assigning meaning without the use of a confidential process or key and such confidential
process or key that might enable decryption has not been Breached. To avoid a Breach of the confidential
process or key, these decryption tools will be stored on a device or at a location separate from the data they
are used to encrypt or decrypt.
"Federal Tax Information" has the meaning assigned in the Internal Revenue Code, Title 26 of the
United States Code and regulations adopted under that code.
"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d, et
seq., and regulations adopted under that act.
"HIPAA Privacy Regulations" means the HIPAA Privacy Regulations codified at 45 C.F.R. Part 160
and 45 C.F.R. Part 164, Subpart A, Subpart D and Subpart E.
"HIPAA Security Regulations" means the HIPAA Security Regulations codified at 45 C.F.R. Part 160
and 45 C.F.R. Part 164 Subpart A and Subpart C, and Subpart D.
"HITECH Act" means the Health Information Technology for Economic and Clinical Health Act (P.L.
111-105), and regulations adopted under that act.
"Incident" means a potential or attempted unauthorized access, use, disclosure, modification, loss or
destruction of Confidential Information, which has the potential for jeopardizing the confidentiality, integrity
or availability of the Confidential Information. An Incident becomes a Breach when the incident involves the
suspected or actual unauthorized access, use, disclosure, modification, loss or destruction of Confidential
Information, which has the potential for jeopardizing the confidentiality, integrity or availability of the
Confidential Information.
"Individual" means the subject of the Confidential Information including, without limitation PHI, and
will include the subject's legally authorized representative who qualifies under the HIPAA Privacy
Regulations as a legally authorized representative of the Individual, as defined by Texas law, for example,
without limitation as provided in Tex. Occ. Code § 151.002(6); Tex. H. & S. Code § 166.164; and Tex.
Prob. Code § 3:
(1) a parent or legal guardian if the individual is a minor;
(2) a legal guardian if the patient has been adjudicated incompetent to manage the individual's
personal affairs;
(3) an agent of the individual authorized under a durable power of attorney for health care;
(4) an attorney ad litem appointed for the individual;
(5) a guardian ad litem appointed for the individual;
(6) a personal representative or statutory beneficiary if the individual is deceased;
(7) an attorney retained by the individual or by another person listed herein; or
(8) If an individual is deceased, their personal representative must be the executor,
independent executor, administrator, independent administrator, or temporary
administrator of the estate.
"Information Security Guidelines and Procedures" means the information security guidelines,
procedures, protocols, and other documents or information identified in Attachment 7 to this Agreement.
"Limited Data Set" means PHI that excludes the following direct identifiers of the individual or of
relatives, employees, or household members of the individual:
(1) names;
(2) postal address information, other than town or city, State, and zip code;
(3) telephone numbers;
(4) fax numbers;
(5) electronic mail addresses;
(6) Social Security numbers;
(7) medical record numbers;
(8) health plan beneficiary numbers;
(9) account numbers;
(10) certificate/license numbers;
(11) vehicle identifiers and serial numbers, including license plate numbers;
(12) device identifiers and serial numbers;
(13) web universal resource locators (URLs);
(14) internet protocol (IP) address numbers;
(15) biometric identifiers, including finger and voice prints; and
(16) full face photographic images and any comparable images.
"Person" means without limitation, an employee, agent, representative, firm, corporation, subcontractor,
a member of the general public, and/or a consumer.
"Personally Identifiable Information" or "PII" means information that can be used to uniquely
identify, contact, or locate a single individual or can be used with other sources to uniquely identify a single
individual.
"Protected Health Information" or "PHI" means individually identifiable patient health information in
any form that is created or received by a healthcare provider, and relates to the patient's healthcare condition,
provision of healthcare, or payment for the provision of healthcare, as further described and defined in the
HIPAA Privacy Regulations. PHI includes demographic information unless such information is
De-identified, as defined above. PHI includes without limitation, "Electronic Protected Health Information" as
above.
"Scope of Work" means the services and deliverables to be performed or provided by CONTRACTOR,
or on behalf of CONTRACTOR by its subcontractors or agents for HHSC that are described in Attachment 2
attached to this Agreement. If the Scope of Work includes or consists of a written proposal by the
CONTRACTOR, any conflict between such proposal and the other terms of the Base Contract or this
Agreement will be resolved, in HHSC's sole discretion, by giving effect to the other term of the Base
Contract or this Agreement.
"Social Security Administration Data" means disclosures of records, information, or data made by the
Social Security Administration to HHSC for its administration of federally funded benefit programs under
various provisions of the Social Security Act, such as Section 1137 (42 U.S.C. §§ 1320b-7), including the
state-funded state supplementary payment programs under Title XVI of the Act, in accordance with the
requirements of the Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act
of 1988, 5 U.S.C. § 552a.
"Texas Breach Law" means the Texas Identity Theft Enforcement and Protection Act, Texas Business
& Commerce Code Ch. 521 and Texas Government Code §2054.1125.
"Unsecured Protected Health Information" means Protected Health Information that is not rendered
unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or
methodology specified by the Secretary of Health and Human Services under the HITECH Act and HIPAA
Security Regulations. Unsecured Protected Health Information does not include:
(1) Encrypted Electronic Protected Health Information or
(2) Destruction of the media on which the PHI is stored.
All terms used in this Agreement that are not otherwise defined in this Agreement have the same
meaning as those terms in HIPAA Privacy Regulations, HIPAA Security Regulations, the HITECH Act, or
other applicable law relating to Confidential Information.
ARTICLE 3. DATA USE TERMS AND CONDITIONS
The Data Use Terms and Conditions are described in attachments to this Agreement. Requirements for
Access, Use, Disclosure of Confidential Information are described in Attachment 1. The Scope of Work is
described in Attachment 2. Other Obligations of CONTRACTOR are described in Attachment 3.
CONTRACTOR obligations regarding disposition of Confidential Information are described in Attachment
4. General provisions related to this Agreement are described in Attachment 5. A description of Confidential
Information related to this Agreement is provided in Attachment 6. Information Security Guidelines and
Procedures are described in Attachment 7. The List of CONTRACTOR's Authorized Users under this
Agreement is provided in Attachment 8.
ARTICLE 4. AUTHORITY TO EXECUTE
The Parties have executed this contract in their capacities as stated below with authority to bind their
organizations on the dates set forth by their signatures.
IN WITNESS HEREOF, HHSC and CONTRACTOR have each caused this Agreement to be
signed and delivered by its duly authorized representative:
HEALTH AND HUMAN SERVICES COMMISSION
BY:
NAME: Thomas M. Suehs
TITLE: Executive Commissioner
CITIBUS
BY:
NAME:
TITLE:
Exhibit A
ATTACHMENT 1. ACCESS, USE, DISCLOSURE OF CONFIDENTIAL INFORMATION
Section A1.01 Ownership of Confidential Information
CONTRACTOR acknowledges and agrees that the Confidential Information is and will remain the
property of HHSC. CONTRACTOR agrees it acquires no title or rights to the Confidential Information,
including without limitation, PHI, Limited Data Sets and/or De-identified information, as a result of this
Agreement.
Section A1.02 General Obligations of CONTRACTOR
CONTRACTOR acknowledges and agrees that it may access and use Confidential Information only for
an Authorized Purpose, and that it may not disclose any Confidential Information to a third party except as
may be expressly authorized under this Agreement. HHSC will allow CONTRACTOR to access the
Confidential Information and use and disclose such information for an Authorized Purpose, provided
CONTRACTOR complies in all respects with the terms and conditions of this Agreement.
Section A1.03 Specific Duties and Obligations of CONTRACTOR
(1) CONTRACTOR agrees, in consideration of HHSC's allowing access to Confidential
Information, that:
(A) CONTRACTOR will hold the Confidential Information in trust and in strictest
confidence;
(B) CONTRACTOR will take all measures necessary to prevent any portion of the
Confidential Information from:
(i) Being used in a manner that is not expressly an Authorized Purpose under
this Agreement;
(ii) Falling into the public domain; or
(iii) Falling into the possession of persons not bound to maintain the
confidentiality of the Confidential Information.
(C) The measures taken by CONTRACTOR pursuant to this Section include the
exercise of reasonable care and at least the same degree of care as CONTRACTOR
protects its own confidential, proprietary and trade secret information.
(D) CONTRACTOR will not, without HHSC's prior written consent, disclose or allow
access to any portion of the Confidential Information to any Person or other entity,
other than Authorized User employees or agents of CONTRACTOR.
(E) CONTRACTOR will comply with all applicable requirements of the
HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH
Act to the extent the Confidential Information contains information that is subject to
HIPAA, or other applicable law relating to Confidential Information.
(2) CONTRACTOR will have the limited right to access, use and disclose the Confidential
Information solely and exclusively for an Authorized Purpose, provided that such use or
disclosure would not violate HIPAA, the HIPAA Privacy Regulations, the HIPAA Security
Regulations, the HITECH Act or other applicable law relating to Confidential Information
if such use or disclosure had been made by HHSC.
(3) CONTRACTOR will allow access to or disclose Confidential Information only to those
persons who are Authorized Users trained in privacy and data security and who have a
reasonable and demonstrable need to access the Confidential Information to carry out
CONTRACTOR's obligations in connection with the Authorized Purpose.
(4) CONTRACTOR will establish, implement and maintain appropriate sanctions against any
employee, agent or subcontractor who uses or discloses Authorized Purpose in violation of
this Agreement, the Base Contract or applicable law.
(5) CONTRACTOR will not, without prior written approval of HHSC, disclose any
Confidential Information on the basis that such disclosure is required by law without
notifying HHSC so that HHSC may have the opportunity to object to the disclosure and
seek appropriate relief. If HHSC objects to such disclosure, CONTRACTOR will refrain
from disclosing the Confidential Information until HHSC has exhausted all alternatives for
relief. Such disclosures of PHI are also addressed in Section 3.04(3), below.
(6) CONTRACTOR will limit any use or disclosure to the minimum necessary to accomplish
an Authorized Purpose.
(7) CONTRACTOR agrees that to the extent that it has access to, receives from HHSC, or
creates or receives PHI on behalf of HHSC CONTRACTOR will fully comply with the
requirements of HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations
and the HITECH Act with respect to such PHI. To the extent that CONTRACTOR has
access to Limited Data Set information, CONTRACTOR agrees to comply with the
requirements of HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations
and the HITECH Act with respect to such Limited Data Set information;
(8) CONTRACTOR will not attempt to re-identify the Confidential Information De-identified,
further identify the Confidential Information, or attempt to contact any individuals whose
records are contained in the Confidential Information, without express written
authorization from HHSC or as expressly permitted by the Base Contract.
(9) CONTRACTOR will not enter into a subcontract for use or disclosure of Confidential
Information by any sub-Contractor or agent of CONTRACTOR, without express written
approval of HHSC, in advance. HHSC prior approval, at a minimum will require that:
(A) The subcontract contains identical terms, conditions, safeguards and restrictions on
the use and disclosure of PHI and any other relevant Confidential Information as
contained in this Agreement;
(B) The subcontractor is approved by HHSC;
(C) HHSC will be a third party beneficiary to any agreement between the
CONTRACTOR and a third party related to the Confidential information, and
HHSC will have the right but not the obligation to enforce the terms of any such
agreement directly against the third party.
(10) The obligations of CONTRACTOR under this section are in addition to the duties of
CONTRACTOR with respect to Confidential Information described elsewhere in the
Agreement or the Base Contract.
Section A1.04 Other Permissible Uses and Disclosures of PHI by CONTRACTOR
Except as otherwise limited by this Agreement or the Base Contract, CONTRACTOR may:
(1) Use or disclose PHI to perform the Services and Deliverables of the Base Contract, as
permitted by this Agreement, provided that:
(A) Such use or disclosure would not violate the HIPAA Privacy Regulations or HIPAA
Security Regulations if the use or disclosure were made by HHSC; and
(B) Such use or disclosure is limited to the minimum necessary to accomplish the
purposes of the use or disclosure.
(2) Use PHI for the proper management and administration of CONTRACTOR or to carry out
CONTRACTOR's legal responsibilities.
(3) Disclose PHI for the proper management and administration of CONTRACTOR or to
carry out CONTRACTOR's legal responsibilities if:
(A) Disclosure is required by law, provided CONTRACTOR will not, without prior
written approval of HHSC, disclose any PHI on the basis that such disclosure is
required by law without notifying HHSC so that HHSC may have the opportunity to
object to the disclosure and seek appropriate relief. If HHSC objects to such
disclosure, CONTRACTOR will refrain from disclosing PHI until HHSC has
exhausted all alternatives for relief; or
(B) CONTRACTOR obtains reasonable assurances from the person to whom the
information is disclosed that the person will:
(i) Maintain the confidentiality of the PHI;
(ii) Use or further disclose the information only as required by law or for the
purpose for which it was disclosed to the person; and
(iii) Notify CONTRACTOR of any breaches of PHI of which the person is
aware, as described in Section A1.06.
(4) Use PHI to provide data aggregation services to HHSC, as that term is defined in the
HIPAA Privacy Regulations, 45 C.F.R. § 164.501 and permitted by 45 C.F.R.
§ 164.504(e)(2)(i)(B).
Section A1.05 Security Requirements for Confidential Information
(1) Secure access, use and/or disclosure. CONTRACTOR will access, maintain, retain,
modify, record, store, destroy, or otherwise hold, use, or disclose the Confidential
Information in a secure fashion. For purposes of this Agreement, a secure fashion means
that the Confidential Information is rendered unusable, unreadable, or indecipherable to
unauthorized persons by either encryption or destruction such that the Confidential
Information cannot be read or otherwise reconstructed.
(2) Safeguards. CONTRACTOR will establish, implement and maintain any and all
appropriate procedural, physical and technical safeguards to preserve and maintain the
confidentiality, integrity, and availability of the Confidential Information, as described in
the HIPAA Privacy Regulations, HIPAA Security Regulations, the HITECH Act, or other
applicable laws or regulations relating to Confidential Information, to prevent any
unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has
such Confidential Information in its actual or constructive possession.
(3) Security Program. CONTRACTOR will establish, implement and maintain an ongoing
security program addressing:
(A) Administrative, physical, and technical safeguards that reasonably and appropriately
protect the confidentiality, integrity, and availability of the Confidential
Information, including without limitation, PHI that it creates, receives, maintains, or
transmits on behalf of HHSC as specified in the HIPAA Security Rule.
(B) A system of sanctions for any CONTRACTOR Director, Officer, workforce
member, employee, subcontractor, or agent who violates the requirements regarding
Confidential Information in this Agreement, the Base Contract, the HIPAA Privacy
Regulations, HIPAA Security Regulations, the HITECH Act, and/or law and
regulations applicable to the Confidential Information.
(C) A System in place for mitigating, to the maximum extent practicable, any harmful
effect of a use or disclosure of Confidential Information, including without
limitation, PHI that is contrary to this Agreement or applicable law.
(4) Security Policies and Procedures. CONTRACTOR will produce copies of its information
security policies and procedures for HHSC's review and approval upon request by HHSC.
(5) Method of Confidential Information Access or Transfer. All transmissions of
Confidential Information and by CONTRACTOR will be conducted via either a secure
File Transfer Protocol site or optical media (e.g., recordable CD or DVD) to be delivered
in accordance with HIPAA requirements and HHSC Confidentiality and Security
Protocols. All data transfer and communications involving potentially identifying
Confidential Information will be through secure systems.
(6) Information Security Guidelines and Procedures. CONTRACTOR will comply with the
requirements and guidelines identified in Attachment 7 of this Agreement to ensure the
security and confidentiality of the Confidential Information.
Section A1.06 Breach Notification, Report and Mitigation Requirements
(1) Breach Notification to HHSC.
(A) CONTRACTOR will immediately, within the first consecutive clock hour, report to
HHSC, Discovery of an Incident or a Breach of privacy or security of Confidential
Information, including without limitation PHI, Unsecured PHI, EPHI, HIPAA
and/or the HITECH Act which is not in compliance with the terms of the
Agreement, the Base Contract or other laws applicable to any Confidential
Information.
(B) CONTRACTOR will cooperate fully with HHSC in addressing any such
unauthorized acquisition, access, use or disclosure, or suspected or potential
unauthorized acquisition, access, use or disclosure of Confidential Information
including without limitation Unsecured PHI, to the extent and in the manner
determined by HHSC.
(C) CONTRACTOR'S obligation begins at the Discovery of an Incident or Breach and
continues as long as related activity continues, until all effects of the incident are
mitigated, to HHSC's satisfaction.
(D) No later than 48 consecutive clock hours after CONTRACTOR discovers or
reasonably should have discovered any Incident or Breach of unauthorized
acquisition, access, use, or disclosure of Confidential Information, including without
limitation Unsecured PHI, provide formal notification to the State. Such notice will
include all information to which CONTRACTOR has access, including but not
limited to the following information:
1) The date the incident or Breach of unauthorized acquisition, access, use, or
disclosure occurred;
2) The date of Discovery;
3) A brief description of the incident or Breach of Confidential Information,
including without limitation Unsecured PHI, acquired, accessed, used, or
disclosed without an Authorized Purpose;
4) A description of the types of Confidential Information involved;
5) Identification and number of all individuals reasonably believed to be
affected, including first and last name of the individual, legally authorized
representative, last known address, age, telephone number, email address if
preferred contact method, to the extent known or can be reasonably
determined by CONTRACTOR;
6) CONTRACTOR's initial assessment of potential harm to the individual or
compromise to the information required by the HIPAA Security Regulations
or other applicable law (such as the Texas Breach Law), for HHSC approval;
7) Recommendation for HHSC's approval as to the steps individuals and/or
CONTRACTOR on behalf of individuals, should take to protect the
individuals from potential harm, including without limitation
CONTRACTOR's provision of credit protection, claims monitoring, and any
specific protections for a legally authorized representative to take on behalf
of an individual with special capacity or circumstances;
8) Contact procedures for individuals to ask questions or learn additional
information, including the name and title of a CONTRACTOR representative
and a toll free telephone number, an e-mail address, website or postal
address;
9) The status of CONTRACTOR's investigation;
10) The steps CONTRACTOR has taken to mitigate the harm or potential harm
caused (including without limitation the provision of sufficient resources to
mitigate);
11) The steps CONTRACTOR has taken, or will take, to prevent another
Incident or Breach;
12) A description of how the Incident or Breach occurred and/or estimations
thereof;
13) A description or estimation of the entities and/or individuals which may be
involved in the Incident or Breach (such as CONTRACTOR, subcontractor,
rogue employee, suspected criminal activity and/or law enforcement
involvement);
14) A single point of contact and a back-up for CONTRACTOR, with applicable
full contact information for both on and off business hours;
15) A reasonable schedule for CONTRACTOR to provide regular updates to the
foregoing, as directed by and approved by HHSC for response to the Incident
or Breach, but no less than every three (3) business days or as otherwise
directed by HHSC, including estimation date investigation, reporting, if any,
notification, if any, mitigation and root cause analysis is expected to be
completed; and
16) Any pertinent information, documents or reports HHSC requests following
discovery.
(2) Investigation, Response and Mitigation.
(A) CONTRACTOR will immediately conduct an investigation and respond to the
Incident or Breach, and will commit necessary and appropriate staff and resources to
expeditiously respond and report to HHSC to ensure HHSC's compliance with
report and notification timelines, to the satisfaction of HHSC.
(B) CONTRACTOR will have procedures and processes to respond to an Incident or
Breach, in place prior to the delivery of any Confidential Information, including
investigation, incident response, root cause analysis, notification, reporting and
mitigation (to the maximum extent practicable, any harmful effect of a use or
disclosure of Confidential Information, including without limitation Unsecured PHI,
that is contrary to this Agreement, the Base Contract, HIPAA, HITECH or other
laws applicable to any Confidential Information).
(C) CONTRACTOR will update as necessary, procedures to investigate the Incident or
Breach, mitigate losses, and protect against any future Incident or Breach, and to
provide a description of these procedures and the specific findings of the
investigation to HHSC in the time and manner reasonably requested by HHSC.
(D) CONTRACTOR will complete or participate in a risk assessment following an
Incident or Breach, as specified by HHSC.
(E) CONTRACTOR will cooperate with HHSC to respond to inquiries and/or
proceedings by state and federal authorities and/or individuals.
(F) CONTRACTOR will cooperate with HHSC's efforts to seek appropriate injunctive
relief or otherwise prevent or curtail such threatened or actual Incident or Breach or
to recover or protect any Confidential Information, including complying with
reasonable corrective action or measures, as specified by HHSC and a Corrective
Action Plan if directed by HHSC under Article 14 of the Base Contract.
(3) Breach Notification to Individuals and Reporting to Authorities.
(A) At HHSC's option, CONTRACTOR may be delegated all or part of the
requirements to timely notify and report any breach, as specified by HHSC.
(B) CONTRACTOR must obtain HHSC's prior written approval of the time, manner
and content of any notification to individuals, the media, and/or report as directed by
HHSC to state or federal authorities (regardless of whether or not legally required),
and provide HHSC with copies of distributed and approved communications.
(C) CONTRACTOR will have the burden of demonstrating to the satisfaction of HHSC
that all delegated notifications or reports were made as required; including any
evidence demonstrating any delay outside of the control of CONTRACTOR beyond
required timelines.
(4) Training and Education. CONTRACTOR will ensure its officers, directors, employees,
agents, subcontractors and workforce are adequately trained and educated and periodically
retrained on the importance of promptly reporting privacy and security any Incident or
Breach and of the consequences of failing to do so, including without limitation, sanctions
or enforcement actions for legal noncompliance, potential loss of Federal Financial
Participation, and risks to third-party agreements. HHSC, at its election, may assist
CONTRACTOR in training and education on specific or unique HHSC processes, systems
and/or requirements.
ATTACHMENT 2. SCOPE OF WORK
The Scope of Work is set forth in detail in the Texas Department of Transportation Specification
No. TxDOT 952-94 Dated October 2005, of the Base Contract, HHSC Contract No. 529-08-0196-00016,
as amended, between HHSC and CONTRACTOR and is incorporated by reference as if set out word-for-
word in this document.
ATTACHMENT 3. OTHER OBLIGATIONS OF CONTRACTOR
Section A3.01 Location of Confidential Information; Custodial Responsibility
CONTRACTOR is designated as the custodian of the records to which it may be entrusted and that
contain Confidential Information, and is responsible for compliance with and enforcement of all conditions
for use, establishment, and maintenance of confidentiality, privacy and security agreements as specified in
this Agreement or as may be reasonably necessary to prevent unauthorized use. CONTRACTOR will store
all Confidential Information in a secure area and, subject to the terms of this Agreement, will destroy any
paper material in a secure manner in accordance with the requirements of the Information Security Guidelines
and Procedures in Attachment 7 and Disposition of Confidential Information in Attachment 4.
Section A3.02 PHI in Designated Record Set
(1) CONTRACTOR will make PHI in a Designated Record Set available to HHSC or, as
directed by HHSC, provide PHI to the individual, or legally authorized representative of
the individual, in compliance with the requirements of the HIPAA Privacy Regulations,
and make other information in CONTRACTOR's possession available pursuant to the
requirements of the HITECH Act in case of a need for notification by HHSC upon a
determination of a Breach of Unsecured PHI as defined in the HITECH Act.
(2) CONTRACTOR will make PHI in a Designated Record Set available to HHSC for
amendment and incorporate any amendments to this information that HHSC directs or
agrees to pursuant to the HIPAA Privacy Regulations and HIPAA Security Regulations.
Section A3.03 CONTRACTOR Recordkeeping, Accounting and Disclosure Tracking
(1) Accounting, Access or Amendment. Document and make available to HHSC the PHI
required to provide access, an accounting of disclosures or amendment in compliance with
the requirements of the HIPAA Privacy Regulations.
(2) If CONTRACTOR receives a request for access, amendment or accounting of PHI by any
Person, it will promptly forward the request to HHSC; however, if it would violate HIPAA,
the HIPAA Privacy Regulations or HITECH to forward the request, CONTRACTOR will
promptly notify HHSC of the request and of CONTRACTOR's response. Unless
CONTRACTOR is prohibited by law from forwarding a request, HHSC will respond to all
such requests.
(3) DHHS Inspection. Make internal practices, books, and records relating to the use or
disclosure of PHI received from, or created or received by the CONTRACTOR on behalf
of HHSC, available to the Secretary of the U.S. Department of Health and Human Services
or the Secretary's designee for purposes of determining compliance with the HIPAA
Privacy Regulations and HIPAA Security Regulations.
(4) Compliance Certification. CONTRACTOR will provide, and will cause its
subcontractors and agents to provide, to HHSC periodic written certifications of
compliance with controls and provisions relating to information security, including but not
limited, those related to data transfers and the handling and disposal of Confidential
Information, including without limitation, PHI, EPHI, Unsecured PHI and FIT. Written
evidence of compliance must be acceptable to HHSC in its sole discretion. Such evidence
may include but is not necessarily limited to the following:
(A) Statement on Auditing Standards No. 70, Service Organizations (SAS-70) Report, or
a Service Organizations Report issued in accordance with the Statement on
Standards for Attestation Engagements (SSAE) No. 16;
(B) General security controls audit conducted in accordance with generally-accepted
industry standards by a qualified and independent auditor that is acceptable to
HHSC;
(C) Application controls audit conducted in accordance with generally-accepted industry
standards by a qualified and independent auditor that is acceptable to HHSC;
(D) Vulnerability assessment conducted in accordance with generally-accepted industry
standards by a qualified and independent expert in telecommunications and
information security that is acceptable to HHSC; and
(E) Network/systems penetration test conducted in accordance with generally-accepted
industry standards by a qualified and independent expert in telecommunications and
information security that is acceptable to HHSC.
ATTACHMENT 4. DISPOSITION OF CONFIDENTIAL INFORMATION
Section A4.01 CONTRACTOR's Duty in General
CONTRACTOR will return, destroy, or continue to maintain appropriate safeguards for Confidential
Information, including without limitation all PHI received from HHSC or created or received on behalf of
HHSC, as directed by HHSC, upon termination of the Agreement or Base Contract.
Section A4.02 Return or Destruction of Confidential Information
(1) CONTRACTOR agrees that on the termination or expiration of this Agreement,
CONTRACTOR will, at its expense, return to HHSC or destroy, at HHSC's election, all
Confidential Information received from HHSC, and any data created by CONTRACTOR
or any of CONTRACTOR'S agents or subcontractors if that data contains Confidential
Information. CONTRACTOR will certify in writing to HHSC that all the Confidential
Information that has been disclosed to CONTRACTOR, and any created PHI, has been
destroyed or returned to HHSC, and that CONTRACTOR and its agents and
subcontractors have retained no copies thereof. Notwithstanding the foregoing,
CONTRACTOR acknowledges and agrees that it may not destroy any Confidential
Information if federal or state law prohibits such destruction.
(2) If such return or destruction is not feasible, or is impermissible by law, immediately notify
HHSC of the reasons such return or destruction is not feasible, and agree to extend
indefinitely the protections of this Agreement to the Confidential Information and limit its
further uses and disclosures to the purposes that make the return of the Confidential
Information not feasible.
ATTACHMENT 5. GENERAL PROVISIONS
Section A5.01 HHSC commitment and obligations
HHSC will not request CONTRACTOR to use or disclose PHI in any manner that would not be
permissible under HIPAA or HITECH, if done by HHSC.
Section A5.02 HHSC Right to Inspection
At any time upon reasonable notice to CONTRACTOR, or if HHSC determines that CONTRACTOR
has breached this Agreement, HHSC or its agent will have the right to inspect the facilities, systems, books
and records of CONTRACTOR to monitor compliance with this Agreement. For purposes of this subsection,
HHSC's agents include, without limitation, the Office of the Inspector General or the Office of the Attorney
General of Texas. HHSC's or its agent's inspection, failure to inspect or failure to detect any noncompliance
with the Agreement does not relieve CONTRACTOR of its responsibility to comply with this Agreement.
Section A5.03 Access to PHI
CONTRACTOR will make available to HHSC any information HHSC requires to fulfill HHSC's
obligations to provide access to, and copies of, PHI in accordance with HIPAA, HIPAA Privacy Regulations,
HITECH and other applicable laws and regulations of Confidential Information.
Section A5.04 Term of Agreement
This Agreement will be effective on the date on which the latter of the two parties signed the Agreement,
and will expire on the date specified in the Scope of Work.
Section A5.05 Termination
(1) Either party may terminate this Agreement at any time upon 30 days written notice to the
other party.
(2) HHSC may immediately terminate this Agreement on:
(A) A material breach of this Agreement. "Material" means:
(i) any violation by CONTRACTOR of a material term of this Agreement will
be considered a breach of contract if the CONTRACTOR knew of or
reasonably should have known of the violation and failed to immediately
take reasonable steps to cure it and notify HHSC, as required by the
Agreement;
(ii) CONTRACTOR fails to report a reportable event, or take corrective action
required;
(iii) CONTRACTOR's repeated or flagrant violation of the obligations under the
Agreement;
(iv) CONTRACTOR's failure to respond to a demand letter concerning penalties
under the agreement;
(v) CONTRACTOR being named as a defendant in a criminal proceeding for a
violation of HIPAA, HIPAA Privacy Regulations, HIPAA Security
Regulations, HITECH, or other applicable laws and regulations of
Confidential Information; and/or
(vi) a finding or stipulation that CONTRACTOR has violated any standard or
requirement of HIPAA, HIPAA Privacy Regulations, HIPAA Security
Regulations, HITECH, other applicable laws and regulations of Confidential
Information; or other security or privacy laws is made in any administrative
or civil proceeding which CONTRACTOR has been joined.
(3) Termination of this Agreement will not relieve CONTRACTOR of its duties with regards
to the return or disposition of the Confidential Information as set forth in the Agreement.
(4) Termination Options. If HHSC determines that CONTRACTOR has violated a material
term of this Agreement, HHSC may in its sole discretion:
(A) Exercise any of its rights including but not limited to reports, access and inspection
under this Agreement and/or the Base Contract; and/or
(B) Require CONTRACTOR to submit to a corrective action plan of the Base Contract,
plan for monitoring and plan for reporting, as HHSC may determine necessary to
maintain compliance with this Agreement; and/or
(i) Provide CONTRACTOR with a period to cure the breach as determined by
HHSC; or
(ii) Terminate the Agreement and Base Contract immediately, and seek relief in
a court of competent jurisdiction in Travis County, Texas; and
(iii) Before exercising any of these options, HHSC will provide written notice to
CONTRACTOR describing the violation and the action it intends to take.
Section A5.06 Publication
CONTRACTOR may not publish or otherwise disclose to a third party any results of work under the
Agreement or Base Contract unless HHSC expressly approved in writing of such disclosure in advance of
such publication.
Section A5.07 Governing Law, Venue and Litigation
(1) The validity, construction and performance of this Agreement and the legal relations
among the Parties to this Agreement will be governed by and construed in accordance with
the laws of the State of Texas.
(2) The Parties agree that the courts of Travis County, Texas, will be the exclusive venue for
any litigation, special proceeding or other proceeding as between the parties that may be
brought, or arise out of, or in connection with, or by reason of this Agreement.
Section A5.08 Injunctive Relief
(1) CONTRACTOR understands and agrees that HHSC will suffer irreparable injury if
CONTRACTOR fails to comply with any of the terms of this Agreement with respect to
the Confidential Information or a provision of HIPAA, HIPAA Privacy Regulations,
HIPAA Security Regulations, HITECH or other laws or regulations applicable to
Confidential Information.
(2) CONTRACTOR further agrees that monetary damages may be inadequate to compensate
HHSC for such failure to comply. Accordingly, CONTRACTOR agrees that HHSC will,
in addition to any other remedies available to it at law or in equity, be entitled to injunctive
relief, without posting a bond and without the necessity of demonstrating actual damages,
to enforce the terms of this Agreement.
(3) The duties of CONTRACTOR under this Agreement survive the expiration of this
Agreement until all the Confidential Information is destroyed or returned to HHSC, as
required by this Agreement.
Section A5.09 Indemnification
CONTRACTOR will indemnify, defend and hold harmless HHSC and its respective Executive
Commissioner, employees, subcontractors, agents (including other state agencies acting on behalf of HHSC)
or other members of its workforce (each of the foregoing hereinafter referred to as "Indemnified Party")
against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising
from or in connection with any breach of this Agreement or from any acts or omissions related to this
Agreement by CONTRACTOR or its employees, directors, officers, subcontractors, agents or other members
of its workforce. The duty to indemnify, defend and hold harmless is independent of the duty to insure, and
continues to apply even in the event insurance coverage required, if any, in the Agreement or Base Contract
is denied, or coverage rights reserved by any insurance carrier. Upon demand, CONTRACTOR will
reimburse HHSC for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or
expenses (including reasonable attorneys' fees) which may for any reason be imposed upon any Indemnified
Party by reason of any suit, claim, action, proceeding or demand by any third party which results from the
CONTRACTOR's failure to meet any of its obligations under this Agreement. CONTRACTOR's obligation
to defend, indemnify and hold harmless any Indemnified Party will survive the expiration or termination of
this Agreement.
Section A5.10 Insurance
(1) In addition to any insurance required in the Base Contract, at HHSC's option and as
directed, HHSC may require CONTRACTOR to maintain, at its expense, the following
special and/or custom first- and third-party insurance coverages, naming the State of Texas,
acting through HHSC, as an additional named insured and loss payee, with primary and
non-contributory status, with required coverage, by the Effective Date of the request, or as
required by HHSC:
(A) Network Security and Privacy;
(B) Data Breach;
(C) Cyber Liability (lost data, lost use or delay/suspension in business, denial of service
with e-business, the Internet, networks and informational assets, such as privacy,
intellectual property, virus transmission, extortion, sabotage or web activities);
(D) Electronic Media Liability;
(E) Crime/Theft;
(F) Advertising injury and Personal Injury Liability; and
(G) Crisis Management and Notification Expense Coverage.
(2) CONTRACTOR will provide HHSC with proof of policy part (as opposed to merely a
certificate of coverage or binder), at the request of HHSC.
Section A5.11 Fees and Costs
Except as otherwise specified in this Agreement or the Base Contract, including but not limited to
requirements to insure and/or indemnify HHSC, if any legal action or other proceeding is brought for the
enforcement of this Agreement, or because of an alleged dispute, breach, default, misrepresentation, or
injunctive action, in connection with any of the provisions of this Agreement, each party will bear their own
legal expenses and the other cost incurred in that action or proceeding.
Section A5.12 Entirety of the Agreement
The Agreement contract consists of this Business Associate Agreement and the Base Contract and
constitutes the entire agreement between the parties. There are no understandings or agreements relating to
this Agreement or the Base Contract that are not fully expressed therein and no change, waiver, or discharge
of obligations arising under those documents will be valid unless in writing and executed by the party against
whom such change, waiver, or discharge is sought to be enforced. To the extent of any conflicts between this
Business Associate Agreement and the Base Contract, this Business Associate Agreement controls.
Section A5.13 Automatic Amendment and Interpretation
Upon the effective date of any amendment to HIPAA, HIPAA Privacy Regulations, HIPAA Security
Regulations, HITECH, or any other law applicable to Confidential Information, this Agreement will
automatically amend so that the obligations imposed on HHSC and/or CONTRACTOR remain in
compliance with such requirements. Any ambiguity in this Agreement will be resolved in favor of a meaning
that permits HHSC and CONTRACTOR to comply with HIPAA Privacy Regulations, HIPAA Security
Regulations, HITECH, or any other law applicable to Confidential Information.
ATTACHMENT 6. 529-CONFIDENTIAL INFORMATION
Any information under the terms of the Base Contract, HHSC Contract No. 529-08-0196-00016
between HHSC and CONTRACTOR, as amended, that HHSC may provide or make available to
CONTRACTOR, or that CONTRACTOR may create, receive or have access to on behalf of HHSC that
is deemed Confidential.
ATTACHMENT 7. SECURITY GUIDELINES AND PROCEDURES
CONTRACTOR and all subcontractors, consultants, or agents under the Agreement (collectively
"CONTRACTOR") must comply with the following Information Security Guidelines and Procedures:
• HHS Circular C-021, Health and Human Services Enterprise Information Security Standards
and Guidelines; and
• Title 1, Sections 202.1 and 202.3, and Subchapter B, Texas Administrative Code.
CONTRACTOR must comply with the following, as applicable:
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HIPAA
Privacy Regulations and HIPAA Security Regulations;
• The Health Information Technology for Economic and Clinical Health Act (HITECH Act);
• Publication 1075 — Tax Information Security Guidelines for Federal, State and Local
Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision
1 — An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule;
• NIST Special Publication 800-53 Revision 3 — Recommended Security Controls for Federal
Information Systems and Organizations; and
• NIST Special Publication 800-47 — Security Guide for Interconnecting Information
Technology Systems.
In addition to the requirements expressly stated in this Section, CONTRACTOR must comply with any
other State or Federal law, regulation, or administrative rule relating to the specific HHSC program area that
CONTRACTOR supports.
ATTACHMENT 8. LIST OF AUTHORIZED USERS
CONTRACTOR represents and warrants that each of those identified below have a demonstrated need to
know and have access to Confidential Information pursuant to this Agreement and the Base Contract, and
further, that each agree to be bound by the disclosure and use limitations pertaining to the Confidential
Information contained in the Agreement. CONTRACTOR must maintain an updated, complete, accurate and
numbered list of Authorized Users at all times and supply it to HHSC, as directed, to the extent those
identified below change:
1. Signature:
Name:
Title:
Date:
2. Signature:
Name:
Title:
Date:
3. Signature:
Name:
Title:
Date:
4. Signature:
Name:
Title:
Date:
5. Signature:
Name:
Title:
Date:
6. Signature:
Name:
Title:
Date:
7. Signature:
Name:
Title:
Date:
8. Signature:
Name:
Title:
Date:
9. Signature:
Name:
Title:
Date:
10. Signature:
Name:
Title:
Date:
11. Signature:
Name:
Title:
Date:
12. Signature:
Name:
Title:
Date:
13. Signature:
Name:
Title:
Date:
14. Signature:
Name:
Title:
Date:
15. Signature:
Name:
Title:
Date:
16. Signature:
Name:
Title:
Date:
17. Signature:
Name:
Title:
Date:
18. Signature:
Name:
Title:
Date:
19. Signature:
Name:
Title:
Date:
20. Signature:
Name:
Title:
Date:
21. Signature:
Name:
Title:
Date:
22. Signature:
Name:
Title:
Date:
23. Signature:
Name:
Title:
Date:
24. Signature:
Name:
Title:
Date:
25. Signature:
Name:
Title:
Date:
26. Signature:
Name:
Title:
Date:
27. Signature:
Name:
Title:
Date:
28. Signature:
Name:
Title:
Date:
29. Signature:
Name:
Title:
Date:
30. Signature:
Name:
Title:
Date:
31. Signature:
Name:
Title:
Date:
32. Signature:
Name:
Title:
Date:
Exhibit B
MTP TSAP LIQUIDATED DAMAGES
Performance measures are applicable at all times and may be monitored accordingly. Accelerated monitoring may occur as needed.
Performance standard will be applied to regular monitoring visits or any other follow up or occurrence as deemed necessary by
HHSC.
Definitions
"Performance Standard" refers to the specific, desired or required outcome or result of the FRB's performance
"Performance Measure" refers to the specific number, amount, percentage or duration of the activity or deliverable described in the
Performance Standard
"Monitoring Period" refers to the specific period of time during which the FRB's performance will be monitored for compliance
with the Performance Standard and subject to potential remedies under the contract
"Cure Period" refers to the time specified as a grace period in this document for each Performance Measure during which the FRB
may perform the required service or supply the required deliverable
"Base Liquidated Damage Value" is the dollar amount HHSC will apply to each unit or instance of noncompliance with a
Performance Measure
Reference Number: TSAP 1
Contract Requirement: 10.9.5
Performance Standard: Service Complaints. The TSAP will respond to service delivery complaints within up to 10 business days, Ombudsman complaints within up to 3 days, Legislator's office complaints within up to 24 hours
Performance Measure: 98% of all complaints in a calendar month will receive a response from the TSAP within the performance standard timeframe
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $100 each percentage point below 98%.
Reference Number: TSAP 2
Contract Requirement: 10.3, Scheduling and Dispatching Requirements
Performance Standard: On-time Service Delivery. The TSAP will ensure transportation is provided to all clients in such a manner that clients arrive to appointments on time, but no more than one hour prior to the scheduled appointment time and are picked up no more than one hour from receipt of request for a return trip
Performance Measure: 98% of all trips will be provided according to the performance standard.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $300 per occurrence for each percent partial percent below the performance standard.
Reference Number: TSAP 3
Contract Requirement: Section 10.5 Vehicle Requirements
Performance Standard: Demand Response Services. The TSAP must ensure that a reliable fleet of vehicles, including ADA compliant vehicles that meet federal, state and local ordinances, including insurance requirements are used to transport clients safely. Non compliant vehicles may not be used to provide transportation to Medicaid clients. Payment may be recouped for each trip provided with a non compliant vehicle in addition to the assessment of the liquidated damage.
Performance Measure: 100% of vehicles providing services must meet performance standard requirements.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $500 per vehicle per day when it does not meet the performance standard requirements.
Reference Number: TSAP 4
Contract Requirement: Throughout the contract
Performance Standard: Documentation Retention. The TSAP must maintain and retain all contract required documentation.
Performance Measure: 100% of all contract required documentation must be maintained at the headquarter office. These records must be readily obtainable for review by HHSC.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 2 calendar days
Base Liquidated Damage Value: $354 per calendar day for failure to maintain documentation or have it readily attainable during HHSC monitoring visits
Reference Number: TSAP 5
Contract Requirement: Section 10.4. Operator Driving History
Performance Standard: Driver Qualifications. The TSAP must ensure that every operator who provides transportation:
• does not possess more than two moving violations either on or off the job for the previous 12 months
• does not have any findings by a law enforcement authority of driving while intoxicated (DWI/DUI) or under the influence of any substance that may impair the driver's ability to safely operate a motor vehicle
Payment will be recouped for each trip provided by a non-compliant driver in addition to the assessment of the liquidated damage.
Performance Measure: 100% of drivers providing services must adhere to performance standard requirements
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 2 calendar days
Base Liquidated Damage Value: $1000 for each operator who is not compliant with the standards 0.4.5 and i transporting clients HHSC.
Reference Number: TSAP 6
Contract Requirement: Section 10.4.6 Criminal Background Checks
Performance Standard: Criminal Background Checks. The TSAP must ensure that the criminal background checks are completed prior to the driver providing service to a program client and annually thereafter. Payment will be recouped for each trip provided by a non-compliant driver in addition to the assessment of the liquidated damage.
Performance Measure: 100% of the drivers must be eligible to transport clients by meeting the contract required criminal background checks. Documentation must be on file and stored at the Texas headquarter office available for inspection.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $300 for each driver per day that does not meet the contract requirements for criminal background checks.
Reference Number: TSAP 7
Contract Requirement: Section 10.8.5
Performance Standard: Accidents and Incident Reporting. The TSAP must report all accidents, and or incidents involving a client or attendant immediately either by phone, fax, e-mail or in person within 24 hours. Police reports must be submitted within 2 weeks from the date of the vehicle accident when a client sustained injury(ies)
Performance Measure: 100% of all accident and incident reports will be filed and submitted in accordance with the performance standard.
Monitoring Period: As necessary
Cure Period: 0 calendar days
Base Liquidated Damage Value: $250 per incident that required an immediate report and was not submitted timely or the required documentation was not submitted to HHSC.
Reference Number: TSAP 8
Contract Requirement: Section 10.9 Insurance Requirements
Performance Standard: Insurance Requirements. The TSAP must maintain insurance in contract-required amounts. Documentation must be submitted according to HHSC instruction. All vehicles must meet the contract required insurance coverage.
Performance Measure: 100% of vehicles providing services must have insurance coverage per contract requirements.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 2 calendar days
Base Liquidated Damage Value: $60 for each vehicle per day that did not meet the contract-required insurance amounts.
Reference Number: TSAP 9
Contract Requirement: Sections 10.2.4, 10.7.2.2, 10.3.3.2
Performance Standard: Operator Logs. The TSAP must maintain operator logs that contain the following:
• recipient's and attendant's signature (when applicable) or documentation to show that there was an inability to obtain these signatures
• the time that the recipient or their attendant were picked up and dropped off for each leg of the trip
• the name of the driver that provided each leg of the transportation service
• a note of the time a calling card was left at the pick up location if a recipient or attendant failed to appear at the scheduled pick up location
• TSAP must be able to provide documentation of trip assignments for review by HHSC staff
Performance Measure: 100% of operator logs must meet performance standard requirements.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 1 calendar day
Base Liquidated Damage Value: $150 per each leg of the trip when the required documentation was not maintained.
Reference Number: TSAP 10
Contract Requirement: Section 8
Performance Standard: Management. The TSAP will assure that key personnel staff who has authority to act on a request from the HHSC designated staff, a complaint, or any other matter relating to the performance of the services is available at minimum during TSAP Hours of Operation. TSAP key personnel staff will respond within 1 hour of the HHSC inquiry
Performance Measure: 100% of the TSAP's Hours of Operation will be staffed by key personnel to respond to HHSC inquiries within 1 hour.
Monitoring Period: Continuous Monitoring
Cure Period: 0 calendar days
Base Liquidated Damage Value: $150 for each hour that TSAP key personnel staff did not respond within 1 hour.
Reference Number: TSAP 11
Contract Requirement: Section 8
Performance Standard: Management. The TSAP will maintain the agreed upon staffing of qualified key personnel.
Performance Measure: 100% of the TSAP's key personnel be staffed as agreed upon by HHSC and the TSAP, key personnel must be replaced within 90 days after vacancy of position).
Monitoring Period: Continuous Monitoring
Cure Period: 0 calendar days
Base Liquidated Damage Value: $100 for each TSAP business day that the TSAP did not meet agreed upon qualified staffing requirement of key personnel or failed to receive HHSC's approval prior to hiring.
Reference Number: TSAP 12
Contract Requirement: Section 26
Performance Standard: Corrective Action Plans. The TSAP must submit corrective action plans by required timeframes.
Performance Measure: 100% of all corrective action plans are submitted to HHSC by mutually approved timeframes or with extensions approved by HHSC
Monitoring Period: Continuous Monitoring by HHSC
Cure Period: 3 calendar days
Base Liquidated Damage Value: $100 per occurrence when performance measure is not met. Occurrence means a corrective action plan that is not submitted on time.
Reference Number: TSAP 13
Contract Requirement: Section 26
Performance Standard: Corrective Action Plan. The TSAP must implement all items noted in the corrective action plan (CAP) by required timeframes
Performance Measure: 100% of all items noted in HHSC approved corrective action plan must be implemented by the approved and required timeframes
Monitoring Period: Continuous Monitoring by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $200 per day for each item noted in corrective action plan that the TSAP did not implement by timeframe required in CAP.
Reference Number: TSAP 14
Contract Requirement: Section 9.11
Performance Standard: Payment Administration. The TSAP will promptly pay valid, undisputed subcontractor invoices
Performance Measure: 98% of all undisputed subcontractor invoices are paid in accordance with Texas Government Code Chapter 2251 Section 2251.022.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $100 per percentage point below 98% of all undisputed subcontractor invoices in a calendar month when invoices are not paid in accordance with the Texas Government Code Chapter 2251 Section 2251.022. TSAP will provide the documentation to support timely payment of subcontractor.
Reference Number: TSAP 15
Contract Requirement: Section 10.9.5
Performance Standard: Reporting Requirements. The TSAP must submit all required reports within the HHSC deadlines. The reports must be complete and accurate.
Performance Measure: 100% of all reports will be submitted within the required reporting timeframes
Monitoring Period: Continuous Monitoring
Cure Period: 3 calendar days
Base Liquidated Damage Value: $100 per report for each business day the report is not submitted, or not complete or accurate after Cure Period.
Reference Number: TSAP 16
Contract Requirement: Section 10.2.8. and 10.10.4
Performance Standard: Client Communication. The TSAP will provide program services and information in the appropriate language and in adherence to the Limited English Proficiency (LEP) requirement
Performance Measure: 100% of clients will receive services and information per LEP contract requirement.
Monitoring Period: Quarterly
Cure Period: 0 calendar days
Base Liquidated Damage Value: $100 each time the TSAP failed to adhere to the LEP contract requirement
Reference Number: TSAP 17
Contract Requirement: Section 10.3.
Performance Standard: Service Delivery. The TSAP must arrange, coordinate, schedule, and provide transportation services to meet the needs of the client
Performance Measure: 98% of all services must be arranged, coordinated, scheduled and provided to meet the clients' needs
Monitoring Period: Quarterly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $350 each percentage point below 98% when the service is not delivered as required.
Reference Number: TSAP 18
Performance Standard: Records Management. The TSAP must comply with the approved HHSC recordkeeping and record retention policy.
Performance Measure: 100% compliance in meeting records management requirements. HHSC requests for documents must be received by the HHSC specified deadline.
Monitoring Period: Quarterly unless accelerated by HHSC
Cure Period: 3 calendar days
Base Liquidated Damage Value: $500 for each occurrence when the TSAP could not produce records by the HHSC specified deadline. Occurrence means each HHSC request.
Reference Number: TSAP 19
Contract Requirement: Section 10.4.4.
Performance Standard: Licensed Drivers. The TSAP must ensure that demand response drivers are legally licensed by the State of Texas to operate the vehicle to which they are assigned.
Performance Measure: 100% of the drivers must be legally licensed. The required driver documentation must be on site at the TSAP's headquarter office in Texas and available for inspection
Monitoring Period: Quarterly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $1000 per day per ineligible and unlicensed driver who provided MTP services
Reference Number: TSAP 20
Contract Requirement: Section 10.4.14
Performance Standard: Demand Response Services. The TSAP must ensure that all demand response drivers do not charge program clients for services authorized by the TSAP
Performance Measure: 100% of all subcontractor services will be provided at no charge to clients. Upon being informed that a subcontractor inappropriately charged a client, the TSAP shall reimburse the client the charged amount within twenty-four (24) hours of being notified of the event.
Monitoring Period: As necessary
Cure Period: 0 calendar days
Base Liquidated Damage Value: $100 per client for each time a subcontractor charges clients for a service
Reference Number: TSAP 21
Performance Standard: Driver Training. The TSAP must ensure that drivers are trained according to contract requirements
Performance Measure: 100% of all subcontractor demand response drivers will be trained
Monitoring Period: As necessary
Cure Period: 0 calendar days
Base Liquidated Damage Value: $300 per driver not meeting contract training requirement
Reference Number: TSAP 22
Performance Standard: Compliance with Rules and Regulations. The TSAP must comply with the requirements of the laws applicable to the performance of the contract which include certain:
a. state and federal regulations
b. state Medicaid rules and regulations
c. state regulations regarding transportation services
d. Texas Administrative Code
e. Uniform Terms and Conditions
f. Corrective Action Orders and the Consent Decree Frew v Suehs
Performance Measure: 100% compliance with Applicable Laws.
Monitoring Period: Continuous Monitoring by HHSC staff
Cure Period: 0 calendar days
Base Liquidated Damage Value: $500 a day when a TSAP continues non-compliant actions after notification by HHSC that it is out of compliance with applicable laws
Reference Number: TSAP 23
Performance Standard: Vehicle and Driver Roster. The TSAP must maintain a current vehicle and driver roster used to provide transportation to program clients.
Performance Measure: 100% of vehicles and drivers used in the service delivery to clients will be maintained on a vehicle and driver roster. This Performance Standard excludes drivers or vehicles that HHSC and the TSAP agree are not required to be included on the driver or vehicle roster, such as public transit.
Monitoring Period: Monthly unless accelerated by HHSC
Cure Period: 0 calendar days
Base Liquidated Damage Value: $200 per day for each vehicle or driver the TSAP used that was not included on a current roster.
Reference Number: TSAP 24
Performance Standard: The Parties agree that HHSC may assess a liquidated damage of up to $200 per calendar day for each instance of TSAP's breach or nonperformance of a duty that is not specified in the Performance Standards and Measures.
Performance Measure: TSAP must perform all duties required under the Contract.
Monitoring Period: Continuous Monitoring
Cure Period: 3 calendar days
Base Liquidated Damage Value: $200 per calendar day for each instance of TSAP's breach or nonperformance of a duty not specified in the Performance Standards and Measures, after HHSC has given notice to TSAP of such non-performance.
Form Number. CPP0430
Texas Health and Human Services Commission
Vendor Information Form (VIF)
Instructions: This form must be completed and submitted with each new contract, amendment, renewal, and/or extension.
(Please type or print information.)
SECTION 1: Contractor's General Information
Legal Contractors Name:
Legal Doing Business As (DBA) Name:
Physical Address:
Remit To (Payment) Address:
Enter one of the following:
❑ Texas Identification Number (TIN):
❑ Federal Employer Identification Number (FEIN):
❑ Social Security Number (SSN):
Select the Legal Status:
❑ For-profit Entity
❑ Non-profit Entity
Select the Business Structure:
❑ Corporation ❑ Joint Venture ❑ Partnership*
❑ Limited (Liability) Company ❑ Limited (Liability) Partnership ❑ Sole Proprietorship
❑ Governmental Entity (must specify):
❑ Other (must specify):
* If Partnership, must provide SSN or TIN for minimum of two partners
Partner Name:
TIN or SSN:
Partner Name:
TIN or SSN:
If applicable, enter appropriate information:
State of Incorporation:
Texas Charter Number:
Name of Parent Entity:
SECTION 2: Contractor's Contact Information
Person Who Will Sign the Contract
Name:
Title:
Mailing Address:
Telephone:
Fax:
E-mail:
Point of Contact for Contract
Name:
Title:
Mailing Address:
Telephone:
Fax:
E-mail:
SECTION 3: Contractor's Authorized Signature or HHSC Contract Manager
Printed Name Signature Date Phone Number
SECTION 4: Administrative Services Development (ASD) Office Use Only
Contractor to Receive Payment: ❑ No ❑ Yes
Contract Number:
Effective Date: June, 2006 Revision Date: February 23, 2011