HomeMy WebLinkAboutResolution - 2023-R0263 - MOU with DSHS Contract HHS001329900030 - 340 Drug Pricing ProgramResolution No. 2023-RO263
Item No. 5.25
May 23, 2023
RESOLUTION
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:
THAT the Mayor of the City of Lubbock is hereby authorized and directed to
execute for and on behalf of the City of Lubbock a Memorandum of Understanding
("MOU") with the State of Texas' Department of State Health Services ("DSHS") DSHS
Contract HHS001329900030, regarding the U.S. Federal Government's 340B Drug
Pricing Program and providing medication to patients via DSHS's Pharmacy Unit
ordering platform. Said MOU is attached hereto and incorporated in this Resolution as if
fully set forth herein and shall be included in the minutes of the Council.
Passed by the City Council on May 23, 2023
APPROVED AS TO CONTENT:
APPROVED AS TO FORM:
Foster, A§sistaht City Attorney
RESNOU-COL and DSHS-340B Drug Pricing Program
4.27.23
Resolution No. 2023-RO263
MEMORANDUM OF UNDERSTANDING
DEPARTMENT OF STATE HEALTH SERVICES
AND
CITY OF LUBBOCK
FOR
CENTRAL DISTRIBUTION MODEL PARTICIPANTS
DSHS CONTRACT No. HHS001329900030
This Memorandum of Understanding ("MOU") is entered into between Department of State Health
Services ("DSHS") and City of Lubbock ("Clinic"), each referred to in this MOU as a "Party" and
collectively as the "Parties," to treat and control the spread of infectious disease across Texas through
the U.S. Federal Government's 340B Drug Pricing Program (the "Program").
I. Purpose
This MOU serves to establish roles and responsibilities concerning the Parties' compliance
with Program guidelines related to providing medication to patients via DSHS's Pharmacy
Unit ordering platform.
II. DSHS Requirements
Under this MOU, DSHS will:
A. Create, review, and update policies and procedures to ensure compliance with the
Program guidelines;
B. Purchase medications for the treatment of sexually transmitted diseases ("STDs") and
tuberculosis ("TB") with state and federal funds allocated for specific public health
purposes. The medications will be administered and dispensed in compliance with the
Program's regulations, as authorized by the Texas Health and Safety Code, Chapters 81,
85, and 1001;
C. Monitor Clinic's registration in the Office of Pharmacy Affairs Information System
("OPAIS") to confirm that such registration remains current by conducting regular online
searches of the OPAIS website;
D. Provide education concerning compliance with the Program's guidelines to Clinic
through initial and ongoing trainings and by providing information on how to sign-up for
the Apexus PVP Program, a Health Resources and Services Administration ("HRSA")
contractor, for further education;
DSHS Contract No. ((Contract Number» Page 1 of 11
E. Monitor and support Clinic as it relates to all compliance elements of the Program
addressed in the policies outlined by the DSHS HIV/STD Program, which can be
accessed at https://www.dshs.texas.gov/hivstd/policyl; and
F. Monitor and support Clinic as it relates to all compliance elements of the Program
addressed in the policies outlined by the DSHS Tuberculosis and Hansen's Disease
Branch in the Texas Tuberculosis Work Plan, which can be accessed at
https://www.dshs.texas.gov/idcu/disease/tb/policies/.
III. Clinic Requirements
Under this MOU, Clinic will:
A. Establish policies and procedures that align with DSHS's Program policies and
procedures;
B. Obtain medications from the DSHS Pharmacy Unit for outpatient treatment of STDs
or for TB services and medications;
C. Distribute medications at no charge to qualified uninsured patients;
D. Ensure that medications are used only for the treatment of STDs and TB;
E. Ensure that medications from the Program are not sold or exchanged to any unqualified
or insured individual or entity;
F. Ensure that TB medications are provided through local, pre -authorized health
departments and entities;
G. Maintain a Class D pharmacy license;
H. Designate a staff member who will oversee the ordering, provision, reconciliation, and
reporting of medications from the DSHS Pharmacy Unit. Clinic's designated staff
member will reconcile medications prior to the last day of each month;
I. Maintain a tangible or electronic tracking -log that documents the following information
for each medication distributed:
1. Record of the patient's information to ensure that the medication is administered or
dispensed to a qualified patient of clinical services in an outpatient setting;
2. The National Drug Code (NDC);
3. Total quantity of the medication dispended or administered; and
DSHS Contract No. «Contract Number» Page 2 of 1 1
4. Reconciled medication inventory.
J. Maintain records that establish appropriate use of each Program medication, as records
may be requested and audited by DSHS or for an internal review at any time to ensure
compliance. Records include, but are not limited to, billing records, medication
tracking logs, and relevant patient records;
K. Ensure that all Program medications for treatment of STDs comply with current
policies and procedures outlined by the DSHS HIV/STD Program, which can be
accessed at https://www.dshs.texas.gov/hivstd/polio;
L. Ensure all Program medications for TB services comply with current policies and
procedures outlined by the DSHS Tuberculosis and Hansen's Disease Branch in the
Texas Tuberculosis Work Plan, which can be accessed at
https://www.dshs.texas.gov/idcu/disease/tb/policies/;
M. Develop and implement policies and procedures for Program medication tracking and
distribution that are accessible to DSHS. Clinic may adopt guidance from DSHS or
create its own policies and procedures provided it follows the Program's guidelines and
does not contradict DSHS's Program policies and procedures;
N. Register with OPAIS and obtain its approval as a covered entity in the OPAIS database
using the DSHS Program grant number, maintain such registration during the entire
term of this MOU (See SECTION 5, herein), and identify the program area that Clinic
receives funding or in -kind contributions from DSHS. The OPAIS database can be
accessed at https://340bopais.hrsa.gov/; and
O. Complete ATTACHMENT A, LOCATION LIST OF CLINIC'S PARTICIPATING CLINICS,
prior to or upon MOU's execution, by identifying the name, location, and phone
number of each participating clinic.
IV. Term of MOU
This MOU is effective on September 1, 2023, and terminates on August 31, 2028, unless
sooner terminated pursuant to the terms and conditions of the MOU. This MOU does not
include any renewal options.
V. Termination
Either Party may terminate this MOU without cause upon providing thirty (30) calendar days'
advance written notice of its intent to terminate to the non -terminating Party's MOU
Representative(s).
DSHS Contract No. «Contract Number» Page 3 of I 1
VI. Additional Terms and Conditions
A.
DSHS Data
1. As between the Parties, all data and information acquired, accessed, or made
available to Clinic by, through, or on behalf of DSHS or DSHS contractors,
including all electronic data generated, processed, transmitted, or stored by Clinic
in the course of providing data processing services in connection with Clinic's
performance hereunder (the "DSHS Data"), is owned solely by DSHS.
2. Clinic has no right or license to use, analyze, aggregate, transmit, create derivatives
of, copy, disclose, or process the DSHS Data except as required for Clinic to fulfill
its obligations under the MOU or as authorized in advance in r."Titing by DSHS.
3. Clinic is expressly prohibited from using, and from permitting any third party to
use, DSHS Data for marketing, research, or other non -governmental or commercial
purposes, without the prior written consent of DSHS.
4. Clinic shall make DSHS Data available to DSHS, including to DSHS's designated
vendors, as directed in writing by DSHS. The foregoing shall be at no cost to DSHS.
5. The proprietary nature of Clinic's systems that process, store, collect, and/or
transmit the DSHS Data shall not excuse Clinic's performance of its obligations
hereunder.
Confidentiality
1. Clinic will comply with ATTACHMENT B, PRIVACY, SECURITY AND BREACH
NOTIFICATION, which is incorporated by reference and made a part of this MOU
for all purposes.
2. Clinic will maintain confidentiality and not disclose any DSHS information to third
parties without DSHS's prior written consent, including but not limited to, DSHS
Data, business activities, practices, systems, conditions, and services. This section
will survive termination or expiration of this MOU. The obligations of Clinic under
this section will survive termination or expiration of this MOU.
3. All confidential information requirements must be included in all subcontracts
awarded by Clinic.
C. No Cost
This is a "no cost" agreement. DSHS shall not be obligated to make any payments of
any amounts to Clinic as a result of this MOU. Any costs and expenses incurred under
the terms of this MOU will be paid by the Party incurring the cost or expense. No funds
appropriated to either Party will be exchanged under this MOU.
D. Assignment
Clinic will not assign all or any portion of its rights under or interests in this MOU or
delegate any of its duties without prior written consent of DSHS. Any written request
DSHS Contract No. (<Contract_Number)) Page 4 of i l
for assignment or delegation must be accompanied by written acceptance of the
assignment or delegation by the assignee or delegation by the delegate. Except where
otherwise agreed in writing by DSHS, any assignment or delegation will not release
Clinic from its obligations under this MOU.
E. No Implied Waiver of Provisions
The failure of the DSHS to object to or to take affirmative action with respect to any
conduct of Clinic that is in violation or breach of the terms of the MOU shall not be
construed as a waiver of the violation or breach, or of any future violation or breach.
F. Public Information Act
Clinic understands that DSHS will comply with the Texas Public Information Act
(Chapter 552 of the Texas Government Code) as interpreted by judicial rulings and
opinions of the Attorney General of the State of Texas.
G. Record Maintenance and Retention
I. Clinic shall keep and maintain under Generally Accepted Accounting Principles
("GAAP") or Governmental Accounting Standards Board ("GASB"), as
applicable, full, true, and complete records necessary to fully disclose to DSHS, the
Texas State Auditor's Office, the United States Government, and their authorized
representatives' sufficient information to determine compliance with the terms and
conditions of this MOU and all state and federal rules, regulations, and statutes.
2. Clinic shall maintain and retain legible copies of this MOU and all records relating
to the performance of the MOU. These records shall be maintained and retained by
Clinic for a minimum of seven (7) years after the MOU's expiration date or seven
(7) years after the completion of all audits, claim, litigation, or dispute matters
involving the MOU are resolved, whichever is later.
H. DSHS's Right to Audit
I. Clinic shall make available at reasonable times, upon reasonable notice, and for
reasonable periods, work papers, reports, books, records, and supporting documents
kept current by Clinic pertaining to the MOU for purposes of inspecting,
monitoring, auditing, or evaluating by DSHS and the State ofTexas.
2. In addition to any right of access arising by operation of law, Clinic, any of Clinic's
affiliate or subsidiary organizations, or subcontractors, shall permit DSHS or any
of its duly authorized representatives, as well as duly authorized federal, state, or
local authorities, unrestricted access to and the right to examine any site where
business is conducted or services are performed, and all records (including but not
limited to financial, client and patient records, books, papers or documents) related
to this MOU. In addition, agencies of the State of Texas that shall have a right of
access to records as described in this section include: DSHS, HHSC, HHSC's
DSHS Contract No. «Contract._ Number» Page 5 of 11
contracted examiners, the State Auditor's Office, the Texas Attorney General's
Office, and any successor agencies. Each of these entities may be a duly authorized
authority.
3. If deemed necessary by DSHS or any duly authorized authority, for the purpose of
investigation or hearing, Clinic shall produce original documents related to this
MOU.
4. DSHS and any duly authorized authority shall have the right to audit billings, both
before and after payment, and all documentation that substantiates the billings.
5. Clinic shall include this SUBSECTION VI.H, herein, concerning the right of access
to, and examination of, sites and information related to this MOU in any subcontract
it awards.
I. Compliance with Audit or Inspection Findings
1. Clinic must act to ensure its compliance and its subcontractors' compliance with all
corrections necessary to address any finding of noncompliance with any law,
regulation, audit requirement, or generally accepted accounting principle, or any
other deficiency identified in any audit, review, or inspection of the MOU and the
services provided. Any such correction will be at Clinic's sole expense or its
subcontractor's sole expense. Whether Clinic's action corrects the noncompliance
shall be solely DSHS's decision.
2. Upon DSHS's request, Clinic must provide DSHS a copy of those portions of
Clinic's internal audit reports and its subcontractors' internal audit reports relating
to the services provided to the State of Texas under this MOU.
J. State Auditor's Right to Audit
1. The state auditor may conduct an audit or investigation of any entity receiving funds
from the state directly under the MOU or indirectly through a subcontract under the
MOU. The acceptance of funds directly under the MOU or indirectly through a
subcontract under the MOU acts as acceptance of the authority of the state auditor,
under the direction of the legislative audit committee, to conduct an audit or
investigation in connection with those funds. Under the direction of the legislative
audit committee, an entity that is the subject of an audit or investigation by the state
auditor must provide the state auditor with access to any information the state
auditor considers relevant to the investigation or audit.
2. The Clinic shall comply with any rules and procedures of the state auditor in the
implementation and enforcement of Section 2262.154 of the Texas Government
Code.
K. Amendment
This MOU may only be modified by written amendment signed by the Parties.
DSHS Contract No. «Contract Number» Page 6 of 11
L. Change in Law and Compliance with Laws
Clinic shall comply with all laws, regulations, requirements, and guidelines applicable
to a vendor providing services required by this MOU to an agency of the State of Texas,
as these laws, regulations, requirements, and guidelines currently exist and as amended
throughout the term of the MOU. DSHS reserves the right, in its sole discretion, to
unilaterally amend the MOU to incorporate any modifications necessary for DSHS's
compliance, as an agency of the State of Texas, with all applicable state and federal
laws, regulations, requirements, and guidelines.
M. Governing Law and Venue
This MOU shall be governed by and construed in accordance with the laws of the State
of Texas, without regard to the conflicts of law provisions. The venue of any suit arising
under this MOU is fixed in any court of competent jurisdiction of Travis County, Texas,
unless the specific venue is otherwise identified in a statute which directly names or
otherwise identifies its applicability to DSHS.
N. Dispute Resolution
1. The dispute resolution process provided for in Chapter 2260 of the Texas
Government Code must be used to attempt to resolve any dispute arising under the
MOU. If the Clinic's claim for breach of contract cannot be resolved informally
with DSHS, the claim shall be submitted to the negotiation process provided in
Chapter 2260. To initiate the process, the Clinic shall submit written notice, as
required by Chapter 2260, to the individual identified in the MOU for receipt of
notices. Any informal resolution efforts shall in no way modify the requirements or
toll the timing of the formal written notice of a claim for breach of contract required
under Section 2260.051 of the Texas Government Code. Compliance by the Clinic
with Chapter 2260 is a condition precedent to the filing of a contested case
proceeding under Chapter 2260.
2. The contested case process provided in Chapter 2260 is the Clinic's sole and
exclusive process for seeking a remedy for an alleged breach of contract by DSHS
if the Parties are unable to resolve their disputes as described above.
3. Notwithstanding any other provision of the MOU to the contrary, unless otherwise
requested or approved in writing by the DSHS, the Clinic shall continue
performance and shall not be excused from performance during the period of any
breach of contract claim or while the dispute is pending.
O. Limitation on Authority
1. Any authority granted to Clinic by DSHS is limited to the terms of this MOU.
2. Clinic shall not have any authority to act for or on behalf of the DSHS or the State
of Texas except as expressly provided for in the MOU; no other authority, power,
DSHS Contract No. aContract_Numbem Page 7 of 1 I
or use is granted or implied. Clinic may not incur any debt, obligation, expense, or
liability of any kind on behalf of DSHS or the State of Texas.
3. Clinic may not rely on implied authority and is not granted authority under the
MOU to:
a. Make public policy on behalf of DSHS.
b. Promulgate, amend, or disregard administrative regulations of program policy
decisions made by state and federal agencies responsible for administration of
a DSHS program; or
c. Unilaterally communicate or negotiate with any federal or state agency or Texas
Legislature on behalf of DSHS regarding DSHS programs or this MOU.
P. Severability
If any provision of the MOU is held to be illegal, invalid, or unenforceable by a court
of law or equity, such construction will not affect the legality, validity, or enforceability
of any other provision or provisions of this MOU. It is the intent and agreement of the
Parties that this MOU shall be deemed amended by modifying such provision to the
extent necessary to render it valid, legal, and enforceable while preserving its intent or,
if such modification is not possible, by substituting another provision that is valid,
legal, and enforceable and that achieves the same objective. All other provisions of this
MOU will continue in full force and effect.
Q. Force Majeure
Neither Party shall be liable to the other for any delay in, or failure of performance of,
any requirement included in the MOU caused by force majeure. The existence of such
causes of delay or failure shall extend the period of performance until after the causes
of delay or failure have been removed provided the non -performing party exercises all
reasonable due diligence to perform. Force majeure is defined as acts of God, war, fires,
explosions, hurricanes, floods, failure of transportation, or other causes that are beyond
the reasonable control of either Party and that by exercise of due foresight such Party
could not reasonably have been expected to avoid, and which, by the exercise of all
reasonable due diligence, such Party is unable to overcome.
R. Sovereign Immunity
Nothing in the MOU shall be construed as a waiver of the DSHS's or the State of
Texas's sovereign immunity. This MOU shall not constitute or be construed as a waiver
of any of the privileges, rights, defenses, remedies, or immunities available to DSHS
or the State of Texas. The failure to enforce, or any delay in the enforcement of, any
privileges, rights, defenses, remedies, or immunities available to DSHS or the State of
Texas under the MOU or under applicable law shall not constitute a waiver of such
privileges, rights, defenses, remedies, or immunities or be considered as a basis for
estoppel. DSHS does not waive any privileges, rights, defenses, or immunities available
DSHS Contract No. «Contract_Number>) Page 8 of 11
to DSHS by entering into the MOU or by its conduct prior to or subsequent to entering
into the MOU.
S. Entire MOU and Modification
This MOU constitutes the entire agreement of the Parties and is intended as a complete
and exclusive statement of the promises, representations, negotiations, discussions, and
other agreements that may have been made in connection with the subject matter
hereof. Any additional or conflicting terms in any future document incorporated into
the MOU will be harmonized with this MOU to the extentpossible.
VII. Authorized Representatives
The following will act as the designated representative ("MOU Representative") authorized to
administer activities including, but not limited to, notices, consents, approvals, or other general
communications to the maximum extent possible. The designated Party MOU Representatives
are as follows:
DSHS
Melissa Tafoya-Cortez
DSHS Contract Management Section
P.O. Box149347
Austin, Texas 78714-9347
(512) 776-2643
Melissa.Cortez@dshs.texas.gov
VIII. Notice Requirements
Clinic
Norma Pope, RN
City of Lubbock
806 18th Stret
Lubbock, Texas, and 79401
(806) 775-2915
NPope@mylubbock.us
A. All notices given by Clinic shall be in writing, include the DSHS contract number, comply
with all terms and conditions of the MOU, and be delivered to DSHS's MOU
Representative identified above.
B. Clinic shall send legal notices to DSHS at the address below and provide a copy to
DSHS's MOU Representative:
Health and Human Services Commission
Attn: Office of Chief Counsel
4601 W. Guadalupe, Mail Code 1100
Austin, Texas 78751
With copy to:
Department of State Health Services
Attn: Office of General Counsel
DSHS Contract No. «Contract Number» Page 9 of 11
IX.
1�
XI.
1100 W. 491' Street, Mail Code 1919
Austin, Texas 78756
C. Notices given by DSHS to Clinic may be emailed, mailed, or sent by common carrier.
Email notices shall be deemed delivered when sent by DSHS. Notices sent by mail shall
be deemed delivered when deposited by DSHS in the United States mail, postage paid,
certified, return receipt requested. Notices sent by common carrier shall be deemed
delivered when deposited by DSHS with a common carrier, overnight, signature required.
D. Notices given by Clinic to DSHS shall be deemed delivered when received by DSHS.
E. Either Party may change its MOU Representative or Legal Notice contact by providing
written notice to the other Party at least ten (10) calendar days prior to the change.
Legal Authority
DSHS enters into this MOU under the authority of Texas Health and Safety Code Chapters 12,
81, 85, and 1001.
Contract Documents
The following documents are incorporated by reference and made a part of this MOU for all
purposes.
ATTACHMENT A - LOCATION LIST OF CLINIC'S PARTICIPATING CLINICS
ATTACHMENT B - PRIVACY, SECURITY, AND BREACH NOTIFICATION
Authorized Signatures
By signing, Parties acknowledge that they have read the MOU in its entirety and agree to its
terms. The individuals whose signatures appear below have the requisite authority to execute
this MOU on behalf of the named Party.
DSHS Contract No. «Contract Number» Page 10 of 11
Attachment A — Location List of Clinic's Participating Clinics
DSHS Contract No. «Contract Number»
SIGNATURE PAGE FOR
MEMORANDUM OF UNDERSTANDING
DSHS CONTRACT No. HHS001329900030
DEPARTMENT OF STATE HEALTH SERVICES
By:
Printed Name:
Title:
Date of Signature:
CITY OF LUBBOCK
ATTES
By:
C urtney Paz, City Vicretary
APPRO D TO CONTENT:
By: A- � kv),b--
Katherine Wells, Director of Public Health
APPROVED AS TO FORM:
By:
Vdkd ANA WVA:��
Rachae-T Foster. Assista t Clity Attorney
CITY OF LUBBOCK
Title: Mayor
Date of Signature: May 23, 2023
Page 1 of 1
Attachment A — Location List of Clinic's Participating Clinics
DSHS Contract No. «Contract—Numbem
ATTACHMENT A
LOCATION LIST OF CLINIC'S PARTICIPATING CLINICS
DSHS CONTRACT No. HHS001329900030
Clinic Name Address City Zip Phone Number
Page 2 of 1
Attachment B -- Privacy, Security, and Breach Notification
DSHS Contract No. «Contract Number»
ATTACHMENT B
PRIVACY, SECURITY, AND BREACH NOTIFICATION
DSHS CONTRACT No. HHS001329900030
1.0 Definitions
"Breach" means the acquisition, access, use, or disclosure of Confidential Information in an
unauthorized manner which compromises the security or privacy of the Confidential Information.
"DSHS Confidential Information" means any communication or record (whether oral, written,
electronically stored or transmitted, or in any other form) provided to or made available to Clinic
electronically or through any other means that consists of or includes any or all of the following:
(a) Protected Health Information in any form including without limitation, Electronic
Protected Health Information or Unsecured Protected Health Information (as these terms
are defined in 45 C.F.R. §160.103);
(b) Sensitive Personal Information defined by Texas Business and Commerce Code Chapter
521;
(c) Federal Tax Information (as defined in Internal Revenue Service Publication 1075);
(d) Personal Identifying Information (as defined in Texas Business and Commerce Code
Chapter 521);
(e) Social Security Administration Data (defined as information received from a Social
Security Administration federal agency system of records), including, without limitation,
Medicare or Medicaid information (defined as information relating to an applicant or
recipient of Medicare or Medicaid benefits); and
(f) All information designated as confidential under the constitution and laws of the State of
Texas and of the United States, including the Texas Health & Safety Code and the Texas
Public Information Act, Texas Government Code, Chapter 552.
1.1 DSHS Confidential Information
Any DSHS Confidential Information received by Clinic under this MOU may be disclosed only in
accordance with applicable law. By signing this MOU, Clinic certifies that Clinic is, and intends to
remain for the term of this MOU, in compliance with all applicable state and federal laws and
regulations with respect to privacy, security, and breach notification, including without limitation
the following:
(a) Title 5 United States Code (USC) Part I, Chapter 5, Subchapter II, Section552a, Records
Maintained on Individuals, The Privacy Act of 1974, as amended by the Computer
Matching and Privacy Protection Act of 1988.
(b) Title 26 USC, Internal Revenue Code.
Page l of 4
Attachment B — Privacy, Security, and Breach Notification
DSHS Contract No. «Contract Number»
(c) Title 42 USC Chapter 7, Subchapter XI, Part C, Administrative Simplification, the
relevant portions of the Health Insurance Portability and Accountability Act of 1996
(HIPAA);
(d) Title 42 USC Chapter 7, the relevant portions of the Social Security Act;
(e) Title 42 USC Chapter I, Subchapter A, Part 2, Confidentiality of Substance Use Disorder
Patient Records;
(f) Title 45 Code of Federal Regulations (CFR) Chapter A, Subchapter C, Part 160, General
Administrative Requirements;
(g) Title 45 CFR Chapter A Subchapter C, Part 164, Security and Privacy;
(h) Internal Revenue Service Publication 1075, Tax Information Security Guidelines for
Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and
Return Information;
(i) Office of Management and Budget Memorandum 17-12, Preparing for and Responding to
a Breach of Personally Identifiable Information;
(j) Texas Business and Commerce Code Title 11, Subtitle B, Chapter 521 Unauthorized Use
of Identifying Information;
(k) Texas Government Code, Title, 5, Subtitle A, Chapter 552, Public Information, as
applicable;
(1) Texas Health and Safety Code, Title 2, Subtitle D, Chapter 81, Section 81.006, Funds;
(m) Texas Health and Safety Code Title 2, Subtitle I, Chapter 181, Medical Records Privacy;
(n) Texas Health and Safety Code Title 7, Subtitle E, Chapter 611, Mental Health Records;
(o) Texas Human Resources Code, Title 2, Subtitle A, Chapter 12, Section 12.003, Disclosure
of Information Prohibited;
(p) Texas Occupations Code, Title 3, Health Professions, as applicable;
(q) Constitutional and common law privacy; and
(r) Any other applicable law controlling the release of information created or obtained in the
course of providing the services described in this MOU.
Clinic further certifies that Clinic will comply with all amendments, regulations, and guidance
relating to those laws, to the extent applicable.
1.2 Cybersecurity Training
All of Clinic's authorized users, workforce and subcontractors with access to a state computer system
or database will complete a cybersecurity training program certified under Texas Government Code,
Title 10, Subtitle B, Chapter 2054, Section 2054.5192, Cybersecurity Training Required: Certain
State Contractors, by the Texas Department of Information Resources.
1.3 Business Associate Agreement
Clinic will ensure that any subcontractor of Clinic who has access to DSHS Confidential Information
will sign a HIPAA-compliant Business Associate Agreement with Clinic, and Clinic will submit a
copy of that Business Associate Agreement to DSHS upon request.
Page 2 of 4
Attachment B — Privacy, Security, and Breach Notification
DSHS Contract No. «Contract Number»
1.4 Clinic's Incident Notice, Reporting and Mitigation
Clinic's obligation begins at discovery of any unauthorized disclosure of Confidential Information
or any privacy or security incident that may compromise Confidential Information. "Incident" is
defined as an attempted or successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in an information system. Clinic's
obligation continues until all effects of the Incident are resolved to DSHS's satisfaction, hereafter
referred to as the "Incident Response Period."
1.5 Notification to DSHS.
(a) Clinic must notify DSHS within the timeframes set forth in Section (c) below.
(b) Clinic must require that its subcontractors and contractors take the necessary steps to
assure that Clinic can comply with all of the following Incident notice requirements.
(c) Incident Notice:
1. Initial Notice.
Within twenty-four (24) hours of discovery, or in a timeframe otherwise approved by
DSHS in writing, Clinic must preliminarily report on the occurrence of an Incident to the
DSHS Privacy and Security Officers via email at: privacy&HHSC.state.tx.us.
This initial notice must, at a minimum, contain:
(i) all information reasonably available to Clinic about the Incident, (ii) confirmation that
the Clinic has met any applicable federal Breach notification requirements, and
(iii) a single point of contact for the Clinic for DSHS communications both during and
outside of business hours during the Incident Response Period.
2. Formal Notice.
No later than three (3) Business Days after discovery of an Incident, or when Clinic should
have reasonably discovered the Incident, Clinic must provide written formal notification
to DSHS using the Potential Privacy/Security Incident Form which is available on the
HHSC website at https•//hhsconnection.hhs.texas.gov/ri hg ts-responsibilities/office-chief-
counsel/privacy. The formal notification must include all available information about the
Incident, and Clinic's investigation of the Incident.
1.6 Clinic Investigation, Response, and Mitigation.
Clinic must fully investigate and mitigate, to the extent practicable and as soon as possible or as
indicated below, any Incident. At a minimum, Clinic will:
(a) Immediately commence a full and complete investigation.
(b) Cooperate fully with DSHS in its response to the Incident.
(c) Complete or participate in an initial risk assessment.
Page 3 of 4
Attachment B — Privacy, Security, and Breach Notification
DSHS Contract No. «Contract Number»
(d) Provide a final risk assessment.
(e) Submit proposed corrective actions to DSHS for review and approval.
(f) Commit necessary and appropriate staff and resources to expeditiously respond.
(g) Report to DSHS as required by DSHS and all applicable federal and state laws for Incident
response purposes and for purposes of DSHS's compliance with report and notification
requirements, to the satisfaction of DSHS.
(h) Fully cooperate with DSHS to respond to inquiries and/or proceedings by federal and state
authorities about the Incident.
(i) Fully cooperate with DSHS's efforts to seek appropriate injunctive relief or to otherwise
prevent or curtail such Incidents.
(j) Recover, or assure destruction of, any Confidential Information impermissibly disclosed
during or as a result of the Incident; and
(k) Provide DSHS with a final report on the Incident explaining the Incident's resolution.
1.7 Breach Notification to Individuals and Reporting to Authorities.
(a) In addition to the notices required in this section, Clinic must comply with all applicable
legal and regulatory requirements in the time, manner, and content of any notification to
individuals, regulators, or third -parties, or any notice required by other state or federal
authorities, including without limitation, notifications required in Title 45 CFR Chapter
A, Subchapter C Part 164, Subpart D Notification in the Case of Breach of Unsecured
Protected Health Information and Texas Business and Commerce Code, Title 11, Subtitle
B, Chapter 521, Section 521.053(b), Notification Required Following Breach of Security
of Computerized Data, or as specified by DSHS following an Incident.
(b) The Clinic must assure that the time, manner, and content of any Breach notification
required by this section meets all federal and state regulatory requirements.
(c) Breach notice letters must be in Clinic's name and on Clinic's letterhead and must contain
contact information to obtain additional information, including the name and title of
Clinic's representative, an email address, and a toll -free telephone number.
(d) Clinic must provide DSHS with copies of all distributed communications related to the
Breach notification at the same time Clinic distributes the communications.
(e) Clinic must demonstrate to the satisfaction of DSHS that any Breach notification required
by applicable law was timely made. If there are delays outside of Clinic's control, Clinic
must provide written documentation to DSHS of the reasons for the delay.
Page 4 of 4