The URL can be used to link to this page

Home My WebLink AboutResolution - 2025-R0316 - DSHS MOU Contract No. HHS001472800037, Electronic Public Health Data - 07/08/2025Resolution No. 2025-R0316 Item No. 6.24 July 8, 2025 RESOLUTION BE IT RESOLV�D BY TII� CI"I'Y COUNCII_ OF TIIE CITY OP LUBBOCK: THAT the Mayor of the City of Lubbock is hcreby authorizcd and directed to execute for and on behalf of the City of Lubbock, the Department of State Health Services (DSHS) Memorandum of Understanding (MOU), Contract No. HIIS001472800037, regarding access to electronic public health data for the purpose of providing essential public hcalth services, by and between the City of Lubbock and the State of Texas acting by and through DSHS, and all related documents. Said MOU is attached hereto and incorporated in this resolution as if fully set forth herein and shall be included in the minutes of the City Council. Passed by the City Council on _ July 8, 2025 �._-- MARK W. MCBI�IYE AYOR ATT�ST: Courtney Paz, City Sc tary APPROVED AS TO CONTLNT: � �� Bill H erton, Deputy C� nager APPROVED AS TO FORM: achael Foster, ssis nt City Attorney ccdocslllRES.DSHS MOU No. FIHSU01472800037 6.20.25 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 Resolution No. 2025-R0316 MEMORANDUM OF UNDERSTANDING BETWEEN DEPARTMENT OF STATE HEALTH SERVICES AND CITY OF LUBBOCK, ON BEHALF OF ITS HEALTH DEPARTMENT DSHS CONTRACT NO. HHS001472800037 This Memorandum of Understanding (MOU) is between the Department of State Health Services (DSHS) and City of Lubbock, on behalf of its Health Department (Local Public Health Entity or LHE). DSHS and LHE may be refened to individually as a"Party" and collectively as the "Parties." I. PURPOSE DSHS agrees to provide LHE certain public health data and information, which DSHS maintains, for the purpose of providing essential public health services. This MOU provides the Parties' roles and responsibilities regarding access and utilization of the data as outlined in each attachment of this MOU. II. LEGAL AUTHORITY This MOU is entered into pursuant to Chapter 12 and 1001 of the Texas Health and Safety Code. DSHS will provide public health data and information to LHE so that the LHE may provide "essential public health services" as defined in Section 121.002 of Texas Health and Safety Code, as follows: • Monitor the health status of individuals in the community to identify community health problems; • Diagnose and investigate community health problems and community health hazards; • Inform, educate, and empower the community with respect to health issues; • Mobilize community partnerships in identifying and solving community health problems; • Develop policies and plans that support individual and community efforts to improve health; • Enforce laws and rules that protect the public health and ensure safety in accordance with those laws and rules; • Link individuals who have a need for community and personal heaith services to appropriate community and private providers; • Ensure a competent workforce for the provision of essential public health services; • Research new insights and innovative solutions to community health problems; and � Evaluate the effectiveness, accessibility, and quality of personal and population-based health services in a community. DSHS Contract No. HHSOO 1472800037 Page 1 of I 1 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 Legal authority for data and information sharing is authorized by and in compliance with 45 CFR Parts 160 and 164. Additional legal authority for data and information sharing for the data sets authorized to be shared under the MOU is specifically identified in a corresponding attachment to this MOU. DSHS will not share data or information until and unless data sets and elements are identified and incorporated into the MOU. III. LHE JURISDICTION The jurisdiction of the LHE under this MOU is Lubbock, Lamb, Hale, Floyd, Hockley, Terry, Lynn, and Garza County. To receive certain public health data and information for the contiguous jurisdiction(s), if permitted by the Section 1001.089 of the Texas Health and Safety Code, LHE shall submit written request to DSHS for review and approval. If DSHS authorizes the LHE to receive public health data and information for its contiguous jurisdiction(s), then DSHS Contract Representative will send written notice to the LHE specifying the approved contiguous jurisdiction(s) and the data type(s) that DSHS will make available to the LHE. After any testing, as determined appropriate by DSHS, LHE will receive written notice specifying when the public health data and information of the contiguous jurisdiction(s) will be made available. IV. STATEMENT OF WORK A. LHE shall: 1. Comply with all DSHS policies and procedures regarding access and utilization of the data and information provided by DSHS. 2. Access and receive the data and information in a secure, confidential manner in compliance with all applicable federal and state laws governing the protection of confidential information. 3. Access, use and disclose the data and information for essential public health services only as set forth in this MOU. 4. Promptly provide written notice to DSHS of any access, use or disclosure of the data and information which violates the terms of this MOU or applicable law. 5. Submit a list of staff names, titles, and email addresses, and the intended uses of the data and information, to request and obtain access. The request must be submitted in writing to the DSHS Representatives identified in this MOU or through the agency's identity and access management system, based upon guidance provided by DSHS for each data set. 6. Complete the data checklist(s) identified as attachments to this MOU, as applicable. 7. Maintain a list of all authorized users with access to DSHS data and information, and upon written request by DSHS, provide the list of authorized users within fve (5) business days. 8. Notify the DSHS Representatives identified in this MOU or through the DSHS identity and access management system, based upon guidance provided by DSHS for each data set, of any changes in staff that require removal from the list of authorized users. Such notification must be made in writing or through the DSHS identity and access management system within five (5) business days of any staffing changes. 9. On an annual basis, and as additionally requested by DSHS, certify the list of authorized DSHS Contract No. HHS001472800037 Page 2 of l 1 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 users in writing to the DSHS Representatives identified in this MOU or through the DSHS identity and access management system, based upon guidance provided by DSHS for each data set. 10. Submit an application for amendment to the DSHS Representatives identified in this MOU to request changes or additional data set variables. 11. Participate in any required DSHS-sponsored training on the access and usage of the data and information. 12. Ensure the data and information provided to LHE under this MOU, including information residing on LHE's back-up systems, remains within the contiguous United States and such data and information shall not be accessed by individuals located outside of the contiguous United States. Furthermore, the data and information may not be received, stored, processed, or destroyed via information technology systems used by LHE that are located outside of the contiguous United States. B. DSHS will: 1. Review the LHE's written requests for access to specific data and information and provide approval or denial of the request in writing or through the DSHS identity and access management system. 2. Conduct data user testing as determined appropriate by DSHS. 3. Notify the LHE when the data set(s) are available or authorized to be shared with the LHE. 4. After completion of testing protocols (such as user testing) and approval of LHE's submission of the information required under this MOU, make available certain public health data and information via a secure data exchange. Data and information sharing is limited to the data sets identified and submitted by the LHE and approved by DSHS under the MOU. 5. Deliver data and information through use of a secure file transfer protocol site or other method of data transfer with at least that same level of security and/or encryption. 6. Provide each approved LHE user with access credentials including the secure site, username, and password, as appropriate. This information will be provided directly to LHE staff inembers authorized to access the data and information. 7. Remove user access to the DSHS data and information as requested by LHE within five (5) business days of receipt of the LHE's written notification. 8. At its sole discretion, sponsor trainings and provide technical assistance on accessing the limited data sets through the DSHS databases. C. The Parties will communicate as necessary to successfully manage this MOU and work in good faith together to fulfill the purpose of this MOU. V. CONFIDENTIALITY A. The Parties are required to comply with all applicable state and federal laws relating to the privacy, security, and confidentiality of the data and information. B. LHE shall comply with the HHSC Data Use Agreement ("DUA") which is attached to this MOU as Attachment A. DSHS Contract No. HHSOO 1472800037 Page 3 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 C. LHE shall maintain appropriate procedural, administrative, physical, and technical safeguards to prevent the release or disclosure of any data and information obtained under this MOU to anyone other than individuals who are authorized by law to receive such records or information and who will protect the data and information from re-disclosure as required by law. All data and information shall be maintained in a secure location and in compliance with the DUA. D. LHE shall use the data and information obtained under this MOU only for purposes described in this MOU and in accordance with the terms under the MOU. In addition, LHE shall comply with LHE's appropriate review policies. E. LHE shall not publish or disclose Confidential Data obtained or accessed under this MOU to a third pariy. F. No Personally Identifiable Information ("PII") and non-public data may be accessed or disclosed by LHE without specific statutory authority and DSHS prior written approval. G. Data and information no longer in use by LHE shall be destroyed using software that renders the data unrecoverable. LHE may not destroy data and information via information technology systems that are located outside the contiguous United States. Upon DSHS request, LHE shall provide written verification that the data and information has been destroyed. H. LHE shall not attempt to link nor permit others to attempt to link the records of patients or individuals in the data sets with personally identifiable records from any other source. I. LHE shall not release nor permit others to release any data or information that identifies individuals, directly or indirectly. LHE shall not permit others to copy, sell, rent, license, lease, loan, or otherwise grant access to the data and information covered by this MOU to any other person or entity, unless approved in writing by DSHS. K. LHE acknowledges that when releasing or disclosing the data set or any part to others in its organization it will retain full responsibility for the privacy and security of the data and information and will prohibit others from further release or disclosure of the data and information. VI. DESIGNATION OF REPRESENTATIVES The following will act as the representative authorized to administer activities under this MOU on behalf of its respective Party. DSHS Contract No. HHS001472800037 Page 4 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 llSHS Contract Management DSHS Program City of Lubbock, on behalf of its Section (CMS) Health Department Gretchen Wells, CTCM Jason Lucas iffany Torres, MPH, MLS Contract Manager Branch Manager Laboratory/Epidemiology Manager 1100 W 49`h Street, MC 1990 PO Box 149347 2015 50'h Street, Austin, Texas 78756 Mail Code 1898 Lubbock, TX 76413 (512) 776-2679 Austin, TX 78714-9347 (g06) 775-2990 Gretchen.Wells@dshs.texas.gov (512) 776-6439 ttorres@mylubbock.us HIRBrequests@dshs.texas.gov Either Party may change its designated representative by providing written notice to the other Party. VII. LEGAL NOTICES Legal notices under this MOU shall be in writing and deemed delivered on the date of delivery if delivered by United States mail, postage paid, certified, return receipt requested; common carrier, overnight, signature required; or hand delivery. Legal Notices must be sent to the appropriate address below: If to DSHS: Health and Human Services Commission Attention: Office of Chief Counsel 4601 W. Guadalupe, MC 1100 Austin, Texas 78751 If to Local Health Entitv City of Lubbock on behalf of its Health Department Attn: Tiffany Torres, MPH, MLS 2015 SO�h Street, Lubbock, TX 76413 Copy To: Department of State Health Services Attn: General Counsel 1100 W. 49`" Street, MC 1919 Austin, Texas 78756 Copy To: City of Lubbock Attn: General Counsel 2015 50`'' Street, Lubbock, TX 76413 Notice may be given in an alternate manner with written approval from the other Party. Alternate notice shall be deemed effective upon written confirmation of receipt by the Party receiving notice. Either Party may change its address for receiving legal notice by providing written notice to the other Pariy. DSHS Contract No. HHS001472800037 Page 5 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 VIII. GENERAL TERMS AND CONDITIONS A. Term of MOU This MOU is effective on the date of the last Party to sign. This MOU will remain in effect for two (2) years from the effective date, unless terminated sooner as provided herein. B. Terminallon of the MOU Termination without Cause. This MOU may be terminated by either Party by providing at least thirty (30) calendar days' advance written notice to the other Party. Breach and Termination for Cause. DSHS may terminate this MOU immediately, and without prior notice, upon LHE's breach of the terms of this MOU. Such breach may include, but is not limited to, improper disclosure of the data and information or other violation of the privacy, confidentiality and/or security requirements set forth in this MOU. Effect of Expiration or Termination. DSHS will cease data and information sharing immediately upon the expiration or termination of this MOU. Upon termination or expiration, LHE shall destroy all data and information using software that renders the data and information unrecoverable and provide documentation to DSHS that data and information was destroyed as directed by DSHS. LHE may not destroy data and information via information technology systems that are located outside the contiguous United States. C. No Cost This is a no cost agreement. Each Party shall pay the cost of its participation in this MOU without cost or reimbursement by the other Party. D. DSHS Suspension of Information Sharing under this MOU DSHS may temporarily suspend the sharing of data and information without advance notice and may restore access at a time, and in a manner, of its sole discretion. E. Amendment This MOU may be amended or modified by the consent of both Parties at any time during its term. Amendments to this MOU must be in writing and signed by authorized representatives of DSHS and LHE. No change in, addition to, or waiver of any term or condition of this MOU shall be binding on DSHS unless approved in writing by an authorized representative of DSHS. F. Change in Laws and Compliance with Laws The Parties shall comply with all applicable federal and state statutes, rules, and regulations. Any alterations, additions, or deletions to the terms of this MOU which are required by changes in federal or state law or regulations are automatically incorporated into the MOU without DSHS Contract No. HHSOO 1472800037 Page 6 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 written amendment hereto and shall become effective on the date designated by such law or by regulation. G. Permitting and Licensure LHE shall obtain and maintain for the duration of this MOU any state, county, city, or federal license, authorization, insurance, waiver, permit, qualifcation, or certification required by statute, ordinance, law, or regulation to assume the roles and responsibilities contained within this MOU. H. Assignment LHE shall not assign its rights under this MOU or delegate the performance of its duties under the MOU without prior written approval from DSHS. Any attempted assignment in violation of this provision is void and without effect. I. No Partnership or Joint Venture The Parties agree that nothing in this MOU shall be deemed to create an association, partnership, or joint venture between DSHS and LHE. J. No Waiver Failure of either Party to insist on strict compliance with any term or condition of this MOU or to exercise any right or privilege hereunder will not be deemed a waiver of such term, condition, right or privilege later. K. Severability If any provision of this MOU is illegal, invalid, void, or unenforceable, the other provisions of this MOU will not be affected. The Parties agree to amend any illegal, invalid, void, or unenforceable provision to the extent necessary to render it valid, legal, and enforceable while preserving the intent of the MOU. L. Disaster Recovery Plan Upon request of DSHS, LHE shall provide copies of its most recent business continuity and disaster recovery plans. M. Dispute Resolution The Parties agree to use good faith efforts to resolve all questions, difficulties, or disputes of any nature that may arise under or by this MOU. However, nothing in this paragraph shall preclude either Party from pursuing any remedies as may be available under Texas law. Notwithstanding this provision, the Parties acknowledge and agree to use the dispute resolution provisions required under Chapter 2260 of the Texas Government Code, to the extent DSHS Contract No. HHSOO 1472800037 Page 7 of 11 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 applicable. N. Indemnification LHE SHALL DEFEND, INDEMNIFY AND HOLD HARMLESS THE STATE OF TEXAS AND DSHS, AND/OR THEIR OFFICERS, AGENTS, EMPLOYEES, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, AND EXPENSES ARISING OUT OF OR RESULTING FROM ANY ACTS OR OMISSIONS OF LHE OR ITS AGENTS, EMPLOYEES, SUBCONTRACTORS, ORDER FULFILLERS, OR SUPPLIERS OF SUBCONTRACTORS IN THE EXECUTION OR PERFORMANCE OF THE MOU. THIS CLAUSE IS NOT INTENDED TO AND WILL NOT BE CONSTRUED TO REQUIRE LHE TO INDEMNIFY OR HOLD HARMLESS THE STATE OR DSHS FOR ANY CLAIMS OR LIABILITIES RESULTING FROM THE NEGLIGENT ACTS OR OMISSIONS OF DSHS OR ITS EMPLOYEES. FOR THE AVOIDANCE OF DOUBT, DSHS SHALL NOT INDENINIFY LHE OR ANY OTHER ENTITY UNDER THE MOU. O. Force Majeure Neither Party shall be liable to the other for any delay in, or failure of performance of, any requirement included in this MOU caused by force majeure. The existence of such causes of delay or failure shall extend the period of performance until after the causes of delay or failure have been removed provided the non-performing Party exercises all reasonable due diligence to perform. Force majeure is defined as acts of God, war, fires, explosions, hurricanes, floods, failure of transportation, or other causes that are beyond the reasonable control of either Party and that by exercise of due foresight such Party could not reasonably have been expected to avoid, and which, by the exercise of all reasonable due diligence, such Party is unable to overcome. P. Public Information Act Each Party is responsible for complying with Chapter 552 of the Texas Government Code ("Texas Public Information Act") as interpreted by judicial decisions and opinions of the Attorney General of Texas. Responses to requests for information and open records requests shall be handled in accordance with the provisions of the Texas Public Information Act. Q. Limitation on Authority LHE shall have no authority to act for or on behalf of DSHS or the State of Texas except as expressly provided for in this MOU; no other authority, power or use is granted or implied. LHE may not incur any debt, obligation, expense or liability of any kind on behalf of DSHS or the State of Texas. DSHS Contract No. HHS001472800037 Page 8 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 R. Survival Expiration or termination of this MOU for any reason does not release LHE from any liability or obligation set forth in this MOU that is expressly stated to survive any such expiration or termination, or that by its nature would be intended to be applicable following any such expiration or termination, or that is necessary to fulfill the essential purpose of the MOU, including without limitation the provisions regarding confidentiality and rights and remedies upon termination. S. Sovereign Immunity This MOU shall not constitute or be construed as a waiver of any of the privileges, rights, defenses, remedies, or immunities available to either Party as an agency of the State of Texas or otherwise available to the Party. The failure to enforce or any delay in the enforcement of any privileges, rights, defenses, remedies, or immunities available to a Party under this MOU or under applicable law shall not constitute a waiver of such privileges, rights, defenses, remedies, or immunities or be considered as a basis for estoppel. Neither Party waives any privileges, rights, defenses, or immunities available to it as an agency of the State of Texas, or otherwise available to it, by entering into this MOU or by its conduct prior to or subsequent to entering into this MOU. T. Agency's Right to Audit LHE shall make available at reasonable times and upon reasonable notice, and for reasonable periods, work papers, reports, books, records, and supporting documents kept current by LHE pertaining to the MOU for purposes of inspecting, monitoring, auditing, or evaluating by DSHS and the State of Texas. U. State Auditor's Right to Audit The state auditor may conduct an audit or investigation of any entity receiving funds from the state directly under the MOU or indirectly through a subcontract under the MOU. The acceptance of funds directly under the MOU or indirectly through a subcontract under the contract acts as acceptance of the authority of the state auditor, under the direction of the legislative audit committee, to conduct an audit or investigation in connection with those funds. Under the direction of the legislative audit committee, an entity that is the subject of an audit or investigation by the state auditor must provide the state auditor with access to any information the state auditor considers relevant to the investigation or audit. V. MOU Attachments The following documents are attached hereto, incorporated herein, and made a part of this MOU for all purposes: 1. Attachment A: HHS Data Use Agreement—TACCHO Version 2. Attachment B: Access to Public Health Dashboards 3. Attachment C: Access to Vital Event Data DSHS Contract No. HHS001472800037 Page 9 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 4. Attachment D: Access to Texas Health Care Information Collection Public Use Data File In the event of conflict, ambiguity, or inconsistency between or among any documents, all DSHS documents take precedence over LHE documents, and the HHS Data Use Agreement takes precedence over all other MOU documents. W. Governing Law and Venue This MOU shall be governed by and construed in accordance with the laws of the State of Texas, without regard to the conflicts of law provisions. The venue of any suit arising under the MOU is fixed in any court of competent jurisdiction of Travis County, Texas. X. Counterparts and Signatures The Parties may sign this MOU in counterparts, each of which will be deemed an original, but all of which will together constitute one document. Electronically transmitted signatures will be deemed originals for all purposes related to this MOU. Y. Entire Agreement This document constitutes the entire agreement of the Parties and is intended as a complete and exclusive statement of the promises, representations, negotiations, discussions, and other agreements that may have been made in connection with the subject matter hereo£ Any additional or conflicting terms in any future document incorporated into this agreement will be harmonized with this agreement to the extent possible. Z. Signature Authority By signing below, the Parties agree that they have read the MOU and agree to its terms, and that the persons whose signatures appear below have the authority to execute this MOU on behalf of their respective Party. SIGNATURE PAGE FOLLOWS DSHS Contract No. HHS001472800037 Page 10 of 11 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 SIGNATURE PAGE DSHS Contract No. HHS001472800037 Department of State Health Services Signature of Authorized Official Printed Name Title Date City of Lubbock, on behalf of its Health Department Signature of Authorized Official Printed Name Title Date DSHS Contract No. HHS001472800037 Page 11 of 11 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ATTACHMENT A HHS DATA USE AGREEMENT This Data Use Agreement ("DUA"), effective as of the date the Base Contract into which it is incorporated is signed ("Effective Date"), is entered into by and between a Texas Health and Human Services Enterprise agency ("HHS"), and the Contractor identified in the Base Contract, a political subdivision of the State of Texas ("CONTRACTOR. ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations with respect to the Confidential Information. 45 CFR 164.504(e)(1)-(3). This DUA also describes HHS's remedies in the event of CONTRACTOR's noncompliance with its obligations under this DUA. This DUA applies to both Business Associates and contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients as described in the Base Contract. As of the Effective Date of this DUA, if any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls. ARTICLE 2. DEFINITIONS For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C. § 1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments, regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. §§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; internal Revenue Code, Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in this DUA are defined as follows: "Authorized Purpose" means the specific purpose or purposes described in the Statement of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance. "Authorized User" means a Person: (1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze Confidential Information pursuant to this DUA; HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 1 of 15 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 (2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the Confidential Information; and (3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA. "Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR, or that CONTRACTOR may, for an Authorized Purpose, create, receive, maintain, use, disclose or have access to, that consists of or includes any or all of the following: (1) Client Information; (2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information (herein "PHI"); (3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521; (4) Federal Tax Information; (5) Individually Identifiable Health Information as related to HIPAA, Texas HIPAA and Personal Identi �in� Information under the Texas Identity Theft Enforcement and Protection Act; (6) Social Securitv Administration Data, including, without limitation, Medicaid information; (7) All privileged work product; (8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552. "Legally Authorized Representative" of the Individual, as defined by Texas law, including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HII'AA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code § 166.164; and Estates Code Ch. 752. ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION 3.01 Obligations of CONTRACTOR CONTRACTOR agrees that: (A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 2 of 15 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 a manner that is not expressly an Authorized Purpose under this DUA or as Required bv Law. 45 CFR 164.502(b)(1); 45 CFR 164.514(d) (B) Except as Required bv Law, CONTRACTOR will not disclose or allow access to any portion of the Confidential Information to any Person or other entity, other than Authorized User's Workforce or Subcontractors (as defined in 45 C.F.R. 160.103) of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management, to carry out CONTRACTOR's obligations in connection with the Authorized Purpose. HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(S)(i); Texas Health & Safety Code §181.101 All of CONTRACTOR's Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources. (C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request.45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b); 164.530(b)(1) (D) CONTRACTOR will not, except as otherwise permitted by this DUA, disclose or provide access to any Confidential Information on the basis that such act is Required b,� without notifying either HHS or CONTRACTOR's own legal counsel to determine whether CONTRACTOR should object to the disclosure or access and seek appropriate relief. CONTRACTOR will maintain an accounting of all such requests for disclosure and responses and provide such accounting to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2)(ii)(A) (E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information or De-identif ed Information, or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 95 CFR 164.501, 164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002 (F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information to carry out CONTRACTOR's obligations in connection with the Authorized Purpose on behalf of CONTRACTOR, unless Subcontractor agrees to comply with all applicable laws, rules and regulations. 45 CFR 164.502(e)(1)(ii); 164.504(e)(1)(i) and (2). HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 3 of I S Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 (G) CONTRACTOR is directly responsible for compliance with, and enforcement of, all conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR 164.504(e)(S); 42 CFR 431.300, et seq. (H) If CONTRACTOR maintains PHI in a Desi�nated Record Set which is Confidential Information and subject to this Agreement, CONTRACTOR will make PHI available to HHS in a Designated Record Set upon request. CONTRACTOR will provide PHI to an Individual, or Le a�llv Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacv Regulations. CONTRACTOR will release PHI in accordance with the HIPAA Privacv ReQulations upon receipt of a valid written authorization. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. CONTRACTOR will maintain an accounting of all such disclosures and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.524and 164.504(e)(2)(ii)(E). (n If PHI is subject to this Agreement, CONTRACTOR will make PHI as required by HIPAA available to HHS for review subsequent to CONTRACTOR's incorporation of any amendments requested pursuant to HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F). (� If PHI is subject to this Agreement, CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Re�ulations. 45 CF� 164.504(e)(2)(ii)(G) and 164.528. (K) If CONTRACTOR receives a request for access, amendment or accounting of PHI from an individual with a right of access to information subject to this DUA, it will respond to such request in compliance with the HIPAA Privacy Re�ulations. CONTRACTOR will maintain an accounting of all responses to requests for access to or amendment of PHI and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2). (L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308; 164.530(c); 1 TAC 202. (M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's legal responsibilities. Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may disclose PHI for the HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 4 of I S Docusign Envelope ID:4E394409-1F63-4C8E-A60D-E61AA9083AA6 proper management and administration of CONTRACTOR, or to carry out CONTR.ACTOR's legal responsibilities, if: 45 CFR 164.504(e)(4)(A). (1) Disclosure is Required by Law, provided that CONTRACTOR complies with Section 3.01(D); or (2) CONTRACTOR obtains reasonable assurances from the person or entity to which the information is disclosed that the person or entity will: (a)Maintain the confidentiality of the Confidential Information in accordance with this DUA; (b) Use or further disclose the information only as Required bv Law or for the Authorized Purpose for which it was disclosed to the Person; and (c)Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confdential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B). (N) Except as otherwise limited by this DUA, CONTRACTOR will, if required by law and requested by HIIS, use commercially reasonable efforts to use PHI to provide data aggregation services to HHS, as that term is defined in the HIPAA, 45 C.F.R. §164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B) (0) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, send to HHS or Destrov, at HHS's election and to the extent reasonably feasible and permissible by law, all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by or disclosed to CONTRACTOR, has been Destro.� or sent to HHS, and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof. Notwithstanding the foregoing, HHS acknowledges and agrees that CONTRACTOR is not obligated to send to HHSC and/or Destrov any Confidential Information if federal law, state law, the Texas State Library and Archives Commission records retention schedule, and/or a litigation hold notice prohibit such delivery or Destruction. If such delivery or Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such delivery or Destruction is not feasible, and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return delivery or Destruction of the Confidential Information not feasible for as long as CONTRACTOR maintains such Confidential Information. 45 CFR 164.504(e)(2)(ii)(J) (P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 5 of 15 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � � �. • . r � 1i • � \� � � • •' • • ' '• • ��• C ••' This section is about your electronic system. If your business DOES NOT store, access, or No Electronic transmit Texas HHS Confidential Information in electronic systems (e.g., laptop, personal Systems use computer, mobile device, database, server, etc.) select the box to the right, and ❑ "YES" will be entered for all questions in this section. For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related items is 30 calendar days, PII-related items is 90 calendar days. 1. Does the Applicant/Bidder ensure that services which access, create, disclose, receive, � Yes transmit, maintain, or store Texas HHS Confidential Information are maintained IN the � No United States (no offshoring) unless ALL of the following requirements are met? a. The data is encrypted with FIPS 140-2 validated encryption b. The offshore provider does not have access to the encryption keys c. The Applicant/Bidder maintains the encryption key within the United States d. The Application/Bidder has obtained the express prior written permission of the Texas HHS agency For more information regarding FIPS 140-2 encryption products, please refer to: htta:Ucsrc.nist. pov/publications/fiGs Action Plan for Compliance with a Timeline: Compliance Date: 2. Does Applicant/Bidder utilize an IT security-knowledgeable person or company to maintain O Yes or oversee the configurations of Applicant/Bidder's computing systems and devices? � No Action Plan for Compliance with a Timeline: Compliance Date: 3. Does Applicant/Bidder monitor and manage access to Texas HHS Confidential Information � Yes (e.g., a formal process exists for granting access and validating the need for users to access � No Texas HHS Confidential Information, and access is limited to Authorized Users)? Action Plan for Compliance with a Timeline: Compliance Date: 4. Does Applicant/Bidder a) have a system for changing default passwords, b) require user � Yes password changes at least every 90 calendar days, and c) prohibit the creation of weak � No passwords (e.g., require a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numerals, where possible) for all computer systems that access or store Texas HHS Confidential Information. If yes, upon request must provide evidence such as a screen shot or a system report. Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 8 of 18 SECURITYAND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1F83-4C8E-A60D-E61AA9083AA6 5. Does each member of Applicant/Bidder's Workforce who will use, disclose, create, receive, � Yes transmit or maintain Texas HHS Confidentia) Information have a unique user name � No (account) and private password? Action Plan for Compliance with a Timeline: Compliance Date: 6. Does Applicant/Bidder lock the password after a certain number of failed attempts and � Yes after 15 minutes of user inactivity in all computing devices that access or store Texas o No HHS Confidential Information? Action Plan for Compliance with a Timeline: Compliance Date: 7. Does Applicant/Bidder secure, manage and encrypt remote access (including wireless � Yes access) to computer systems containing Texas HHS Confidential Information? (e.g., a formal o No process exists for granting access and validating the need for users to remotely access Texas HHS Confidential Information, and remote access is limited to Authorized Users). Encryption is required for all Texas HHS Confidential lnformation. Additionally, FIP5140-2 validated encryption is required for Health Insurance Portability ond Accountability Act (HIPAAJ data, Criminal Justice Information Services (GISJ data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMSJ data. For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc. nis[.Qov/publica[ions/fips Action Plan for Compliance with a Timeline: Compliance Date: 8. Does Applicant/Bidder implement computer security configurations or settings for all Q Yes computers and systems that access or store Texas HHS Confidential Information? � No (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit exploitation opportunities for hackers or intruders, etc.) Action Plan for Compliance with a Timeline: Compliance Date: 9. Does Applicant/Bidder secure physical access to computer, paper, or other systems O Yes containing Texas HHS Confidential Information from unauthorized personnel and theft � No (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.)? Action Plan for Compliance with a Timeline: Compliance Date: SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 9 of 18 SECURITY AND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 10. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential Information that is transmitted over a public network (e.g., the Internet, WiFi, etc.)? tf yes, upon request must provide evidence such as a screen shot or a system report. Encryption is required for all HHS Confidential lnformation. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portobility and Accountability Act (HIPAA) data, Criminallustice Information Services (GIS) data, Internal Revenue Service Federal Tox Information (IRS FTIJ data, and Centers for Medicare & Medicoid Services (CMSJ data. For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc. nist.4ov/nubl ications/fips Action Plan for Compliance with a Timeline: 11. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential Information stored on end user devices (e.g., laptops, USBs, tablets, smartphones, external hard drives, desktops, etc.)? If yes, upon request must provide evidence such as a screen shot or a system report. Encryption is required for all Texas HHS Confidentiol Information. Additionally, FIPS 140-2 volidated encryption is required for Health Insurance Portability and Accountability Act (HIPAAJ data, Criminal Justice Information Services (GISJ data, Internal Revenue Service Federal Tax Information (IRS FTIJ dato, and Centers for Medicare & Medicaid Services (CMS) data. For more information regarding FIP5140-2 encryption products, please refer to: http://csrc. nist. vov/publications/�as Action Plan for Compliance with a Timeline: 12. Does Applicant/Bidder require Workforce members to formally acknowledge rules outlining their responsibilities for protecting Texas HHS Confidential Information and associated systems containing HHS Confidential Information before their access is provided? Action Plan for Compliance with a Timeline: 13. Is Applicant/Bidder willing to perform or submit to a criminal background check on Authorized Users? Action Plan for Compliance with a Timeline: 14. Does Applicant/Bidder prohibit the access, creation, disclosure, reception, transmission, maintenance, and storage of Texas HHS Confidential Information with a subcontractor (e.g., cloud services, social media, etc.) unless Texas HHS has approved the subcontractor agreement which must include compliance and liability clauses with the same requirements as the Applicant/Bidder? Action Plan for Compliance with a Timeline: SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: SECURITY AND PRIVACY INQUIRY (SPI) � Yes Q No Compliance Date: � Yes Q No Compliance Date: O Yes Q No Compliance Date: Q Yes � No Compliance Date: Q Yes Q No Compliance Date: Page 10 of 18 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 15. Does Applicant/Bidder keep current on security updates/patches (including firmware, software and applications) for computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information? Action Plan for Compliance with a Timeline: 16. Do Applicant/Bidder's computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti- malware and antivirus protection? Action Plan for Compliance with a Timeline: 17. Does the Applicant/Bidder review system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis? Action Plan for Compliance with a Timeline: 18. Notwithstanding records retention requirements, does Applicant/Bidder's disposal processes for Texas HHS Confidential Information ensure that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable? Action Plan for Compliance with a Timeline: 19. Does the Applicant/Bidder ensure that all public facing websites and mobile applications containing Texas HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516; including requirements for implementing vulnerability and penetration testing and addressing identified vulnerabilities? For more information regarding TGC, Section 2054.516 DATA SECURITY PLAN FOR ONLINE AND MOBILE APPL/CATIONS, please refer to: httas://leqiscan.com/7X/text/H88/2017 Action Plan for Compliance with a Timeline: SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: SECURITY AND PRIVACY INQUIRY (SPI) � Yes Q No Compliance Date: � Yes Q No Compliance Date: Q Yes � No Compliance Date: � Yes � No Compliance Date: Q Yes � No Compliance Date: Page 11 of 18 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 • � � � � • • • ' � � ' � • � � • � � ' Please sign the form digitally, if possible. If you can't, provide a handwritten signature. 1. I certify that all of the information provided in this form is truthful and correct to the best of my knowledge. If I learn that any such information was not correct, I agree to notify Texas HHS of this immediately. 2. Signature 3. Title . Date: �n_� � ( Financial Analyst � �,p 5/16/2024 To submit the completed, signed form: • Email the form as an attachment to the appropriate Texas HHS Contract Manager(s). . • • . -. . .. Agency(s): Re uestin De artment s: HHSC: � DFPS: � DSHS: ❑x Center for Health Statistics Legal Entity Tax Identification Number (TIN) (Last four Only): PO/Contract(s) #: H HS001472800037 Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Gretchen Wells gretchen.wells@dshs.texas.gov (512) 776-2679 Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: Contract Manager: Contract Manager Email Address: Contract Manager Telephone #: SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: page 12 of 18 SECURITYAND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ��v� i n��, i ��rv� rvn t,vrv�r�� i iivu THE SECURITY AND PRIVACY INQUIRY (SPI) eelow are instructions for Applicants, eidders and Contractors for Texas Health and Human Services requirinq the Attachment 2, Security and Privacy Inquiry (SPI) to the Data Use Agreement (DUA). Instruction item numbers below correspond to sections on the SPI form. If you are a bidder for a new procurement/contract, in order to participate in the bidding process, you must have corrected any "No" responses (except A9a) prior to the contract award date. If you are an applicant for an open enrollment, you must have corrected any "No" answers (except A9a and A11) prior to performing any work on behalf of any Texas HHS agency. For any questions answered "No" (except A9a and A11), an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed. SECTION A. APPLICANT /BIDDER INFORMATION Item #1. Only contractors that access, transmit, store, and/or maintain Texas HHS Confidential Information will complete and email fhis form as an attachment to ihe appropriate Texas HHS Contract Manager. Item #2. Entity orApplicant/eidder Legal Name. Provide the legal name of the business (the name used for legal purposes, like filing a federal orstate tax form on behalf of the business, and is not a trade or assumed named "dba"J, the legal tax identification number (last four numbers only) of the entity or applicant/bidder, the address of the corporate or main branch of the business, the telephone number where the business can be contacted regarding questions related to the informacion on ihis form and the website of the business, if a website exists. Item #3. Number of Employees, at all locations, in Applicant/eidder's workforce. Provide the total number of individuals, includinq volunteers, subcontractors, trainees, and other persons who work for the business. lf you are the only employee, please answer "1." Item #4. Number of Subcontractors. Provide the total number of subcontractors working for the business. If you have none, please answer "0" zero. Item �15. Number of unduplicated individuals for whom Applicant/eidder reasonably expects to handle HHS Confidential Information during one year. Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Texas HHS Confidential lnformation during a year. Only count clients/consumers once, no matter how many direct services ihe client receives during a year. Item #5. Name of /nformation Technology Security Official and Name of Privacy Official for Applicant/Bidder. As with all other fields on the SPI, this is a required field. This may be the same person and the owner of the business if such person has the security and privacy knowledge that is required to implement the requirements of the DUA and respond to questions related to the SPI. ln 4.A. provide ihe name, address, telephone number, and email address of the person whom you have designated to answer any security questions found in Section C and in 4.8. provide this information for the person whom you have designated as the person to answer any privacy questions found in Section e. The business may contract out for this expertise; however, designated individual(s) must have knowledqe of the business's devices, systems and methods for use, disclosure, creation, receipt, transmission and maintenance of Texas HHS Confidential lnformation and be willing to be the point of contact for privacy and security quesiions. Item #6. Type(s) of HHS Confidenfial Information the Entity or Applicant/Bidder Will Create, Receive, Maintain, Use, Disclose or Have Atcess to: Provide a complete listing of all Texas HHS Confidential lnformation that the Contractor will create, receive, maintain, use, disclose or have access to. The DUA section Artide 2, Definitions, defines Texas HHS Confidential Information as: "Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of Texas HHS that consists of or includes any or all of the following: (1J Client Information; (2J Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information; (3J Sensitive Personal lnformation defined by Texas Business and Commerce Code Ch. 521; SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: page 13 of 18 SECURITY AND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 �4/ reaerai i ax inlormat►on; (5J Personally Identifiable Information; (6J Social5ecurityAdministration Data, including, without limitation, Medicaid information; (7) All privileged work produci; (8J All information designaied as confidential under ihe constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552. Definitions for the followinq types of confidential information can be found ihe following sites: • Health Insurance Portability and AccountabilityAct (H/PA,4J - http://www.hhs.qov/hipaa/index.html • Criminal Justice Information Services (UISJ - https://www.fbi.pov/services/ciis/ciis-security-policy-resource-center • Internal Revenue Service Federal Tax Information (IRS FTI) - https://www.irs.4ov/pub/irs-pdf/p1075.pdf • Centers for Medicare & Medicaid Services (CMS) - https://www.cros.qov/Re9ulations-and-Guidance/Regulations-and- Guidance.html • Social SecurityAdministration (SSA) - https://www.ssa.qov/requlations/ • Personally Identifiable Information (Pll) - http://csrc.nist.qov/publications/nistpubs/800-122/sp800-122.pdf Item #7. Number of Storage devices for Texas HHS Confidential lnformation. The total number of devices is automatically calculated by exiting the fields in lines a- d. Use the <Tab> key when exiiing the field io prompt calculation, if it doesn't otherwise sum correctly. • liem 7a. Devices. Provide the number of personal user computers, devices, and drives (including mobile devices, laptops, U58 drives, and external drives) on which your business stores or will siore Texas HHS Confidential Information. • Item 7b. Servers. Provide the number of servers not housed in a data center or "in the cloud," on which Texas HHS Confidential Information is stored or will be stored. A server is a dedicated computer that provides data or services to other computers. It may provide services or data to systems on a local area network (LANJ or a wide area network (WANJ over the Internet. If none, answer "0" (zero). • Item 7c. Cloud Services. Provide che number of cloud services to which Texas HHS Confidential lnformation is stored. Cloud Services involve using a network of remote servers hosted on the Internet to store, manage, and process data, rather than on a local server or a personal computer. If none, answer "0" (zero.) • Item 7d. Data Centers. Provide the number of data centers in which you store Texas HHS Confidential lnformation. A Data Center is a centralized repository, either physical or virtual, for the storage, management, and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business. If none, answer "0" (zero). Item #8. Number of unduplicated individuals for whom the Applicant/eidder reasonably expecis to handle Texas HHS Confidential lnformation during one year. Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Confidential lnformation during a year. Only couni clients/consumers once, no matter how many direct services the client receives during a year. Item �19. HIPAA Business Associate Agreemeni. • Item ll9a. Answer "Yes" if your business will use, disclose, create, receive, transmit, or store information relating to a client/consumer's healthcare on behalf of the Department of State Health Services, the Department of Disability and Aging Services, or the Health and Human Services Commission for treatment, payment, or operation of Medicaid or Medicaid clients. If your contract does not include HIPAA covered information, respond "no. " If "no, " a compliance plan is not required. • Item #9b. Answer "Ves" if your business has a notice of privacy practices (a document that explains how you protect and use a client/consumer's healthcare information) displayed either on a website (if one exists for your business) or in your place of business (if that location is open to clients/consumers or the public). If your contract does not include HIPAA covered information, respond "N/A." Item J�10. Subcontractors. If your business responded "0" to question 4(number of subcontractors), Answer "N/A" to Items 10a and 10b to indicate noi applicable. • Item #IOa. Answer "Yes" if your business requires that all subcontractors sign Attachment 1 of the DUA. • Item #IOb. Answer "Ves" if your business obtains Texas HHS approval before permitting subcontractors to handle Texas HHS Confidential Information on your business's behalf. Item 1111. Optional Insurance. Answer "yes" if applicant has optional insurance in place co provide coveraqe for a Breach or any SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: page 14 of 18 SECURITYAND PRIVACY INQUIRY (SPI) Docusign Envelope ID 4E394409-1F63-4C8E-A60D-E61AA9083AA6 otner s►tuarions ��srev ►n tnis quesr►on. �l you are not required to have this optional coverage, answer "N/A"A compliance plan is not required. SECTION B. PRIVACY RISK ANALYSIS AND ASSESSMENT Reasonable and appropriate written Privacy and Security policies and procedures are required, even for sole proprietors who are the only employee, to demonstrate how your business will safeguard Texas HHS Confidential Information and respond in the event of a Breach of Texas HHS Confidential Information. To ensure that your business is prepared, all of the items below must be addressed in your written Privacy and Security policies and procedures. Item #1. Answer "Yes" if you have written policies in place for each of the areas (a-o). • Item #la. Answer "yes" if your business has written policies and procedures that identify everyone, including subcontractors, who are authorized to use Texas HHS Confidential Information. The policies and procedures should also identify the reason why these Authorized Users need to access the Texas HHS Confidential Information and this reason must align with the Authorized Purpose described in the Scope of Work or description of services in the Base Contract with the Texas HHS agency. • Item #ib. Answer "Yes" if your business has written policies and procedures that require your employees (including yourself), your volunteers, your trainees, and any other persons whose work you direct, to comply with the requirements of HIPAA, if applicable, and other confidentiality laws as they relate to your handling of Texas HHS Confidential Information. Refer to the laws and rules that apply, including those referenced in the DUA and Scope of Work or description of services in the Base Contract. • Item #ic. Answer "Yes" if your business has written policies and procedures that limit the Texas HHS Confidential Information you disclose to the minimum necessary for your workforce and subcontractors (if applicable) to perform the obligations described in the Scope of Work or service description in the Base Contract. (e.g., if a client/consumer's Social Security Number is not required for a workforce member to perform the obligations described in the Scope of Work or service description in the Base Contract, then the Social Security Number will not be given to them.) If you are the only employee for your business, policies and procedures must not include a request for, or use of, Texas HHS Confidential Information that is not required for performance of the services. . Item #id. Answer "Yes" if your business has written policies and procedures that explain how your business would respond to an actual or suspected breach of Texas HHS Confidential Information. The written policies and procedures, at a minimum, must include the three items below. If any response to the three items below are no, answer "no." o Item #1di. Answer "Yes" if your business has written policies and procedures that require your business to immediately notify Texas HHS, the Texas HHS Agency, regulatory authorities, or other required Individuals or Authorities of a Breach as described in Article 4, Section 4 of the DUA. Refer to Article 4, Section 4.01: Iniiial Notice of ereach must be provided in accordance with Texas HHS and DUA requirements with as much information as possible about the Event/ereach and a name and contact who will serve as the single point of contact with HHS both on and off business hours. Time frames related to Initial Notice include: • within one hour of Discovery of an Event or ereach of Federal Tax Information, Social5ecurity Administration Data, or Medicaid Client Information • within 24 hours of all other types of Texas HHS Confidential lnformation 48-hour Formal Notice must be provided no later than 48 hours after Discovery for protected health information, sensitive personal information or other non-public information and must include applicable information as referenced in Section 4.01 (C) 2. of the DUA. o Item #idii. Answer "Yes" if your business has written policies and procedures require you to have and follow a written breach response plan as described in Article 4 Section 4.02 of the DUA. O Item #ldiii. Answer "Yes" if your business has written policies and procedures require you to notify Reporting Authorities and Individuals whose Texas HHS Confidential Information has been breached as described in Article 4 Section 4.03 of the DUA. • Item #1e. Answer "Yes" if your business has written policies and procedures requiring annual training of your entire workforce on matters related to confidentiality, privacy, and security, stressing the importance of promptly reporting any Event or Breach, outlines the process that you will use to require attendance and track completion for employees who failed to complete annual training. SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: page 15 of 18 SECURITYAND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 • Item #lf. Answer "Yes" if your business has written policies and procedures requiring you to allow individuals (clients/consumers) to access their individual record of Texas HHS Confidential Information, and allow them to amend or correct that information, if applicable. • Item #ig. Answer "Yes" if your business has written policies and procedures restricting access to Texas HHS Confidential Information to only persons who have been authorized and trained on how to handle Texas HHS Confidential Information • Item #1h. Answer "Yes" if your business has written policies and procedures requiring sanctioning of any subcontractor, employee, trainee, volunteer, or anyone whose work you direct when they have accessed Texas HHS Confidential Information but are not authorized to do so, and that you have a method of proving that you have sanctioned such an individuals. If you are the only employee, you must demonstrate how you will document the noncompliance, update policies and procedures if needed, and seek additional training or education to prevent future occurrences. • Item #li. Answer "Yes" if your business has written policies and procedures requiring you to update your policies within 60 days after you have made changes to how you use or disclose Texas HHS Confidential Information. • Item #1j. Answer "Yes" if your business has written policies and procedures requiring you to restrict attempts to take de-identified data and re-identify it or restrict any subcontractor, employee, trainee, volunteer, or anyone whose work you direct, from contacting any individuals for whom you have Texas HHS Confidential Information except to perform obligations under the contract, or with written permission from Texas HHS. • Item #1k. Answer "Yes" if your business has written policies and procedures prohibiting you from using, disclosing, creating, maintaining, storing or transmitting Texas HHS Confidential Information outside of the United States. • Item #11. Answer "Yes" if your business has written policies and procedures requiring your business to cooperate with HHS agencies or federal regulatory entities for inspections, audits, or investigations related to compliance with the DUA or applicable law. • Item #im. Answer "Yes" if your business has written policies and procedures requiring your business to use appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information. Policies and procedures should comply with Texas HHS requirements for retention of records and methods of disposal. • Item #in. Answer "Yes" if your business has written policies and procedures prohibiting the publication of the work you created or performed on behalf of Texas HHS pursuant to the DUA, or other Texas HHS Confidential Information, without express prior written approval of the HHS agency. Item #2. Answer "Yes" if your business has a current training program that meets the requirements specified in the SPI for you, your employees, your subcontractors, your volunteers, your trainees, and any other persons under you direct supervision. Item #3. Answer "Yes" if your business has privacy safeguards to protect Texas HHS Confidential Information as described in the SPI. Item #4. Answer "Yes" if your business maintains current lists of persons in your workforce, including subcontractors (if applicable), who are authorized to access Texas HHS Confidential Information. If you are the only person with access to Texas HHS Confidential Information, please answer "yes." Item #5. Answer "Yes" if your business and subcontractors (if applicable) monitor for and remove from the list of Authorized Users, members of the workforce who are terminated or are no longer authorized to handle Texas HHS Confidential Information. If you are the only one with access to Texas HHS Confidential Information, please answer "Yes." SECTION C. SECURITY RISK ANALYSIS AND ASSESSMENT This section is about your electronic systems. If you DO NOT store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal computer, mobile device, database, server, etc.), select the "No Electronic Systems" box and respond "Yes" for all questions in this section. Item #1. Answer "Yes" if your business does not "offshore" or use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information outside of the United States. If you are not certain, contact your provider of technology services (application, cloud, data center, network, etc.) and request confirmation that they do not off- shore their data. SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 16 of 18 SECURIN AND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 item �t. answer "ves" it your nusiness uses a person or company who is knowledgeable in IT security to maintain or oversee the configurations of your business's computing systems and devices. You may be that person, or you may hire someone who can provide that service for you. Item #3. Answer "Yes" if your business monitors and manages access to Texas HHS Confidential Information (i.e., reviews systems to ensure that access is limited to Authorized Users; has formal processes for granting, validating, and reviews the need for remote access to Authorized Users to Texas HHS Confidential Information, etc.). If you are the only employee, answer "Yes" if you have implemented a process to periodically evaluate the need for accessing Texas HHS Confidential Information to fulfill your Authorized Purposes. Item #4. Answer "Yes" if your business has implemented a system for changing the password a system initially assigns to the user (also known as the default password), and requires users to change their passwords at least every 90 days, and prohibits the creation of weak passwords for all computer systems that access or store Texas HHS Confidential Information (e.g., a strong password has a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numbers, where possible). If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: https://docs. microsoft.com/en-us/windows/security/threat-protection/security-policy-settinqs/password-policy Item #5. Answer "Yes" if your business assigns a unique user name and private password to each of your employees, your subcontractors, your volunteers, your trainees and any other persons under your direct control who will use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information. Item #6. Answer "Yes" if your business locks the access after a certain number of failed attempts to login and after 15 minutes of user inactivity on all computing devices that access or store Texas H H S Confidential Information. If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: https://docs. microsoft.com/en-us/windows/security/threat-protection/security-policy-settinqs/account-lockout-policy Item #7. Answer "Yes" if your business secures, manages, and encrypts remote access, such as: using Virtual Private Network (VPN) software on your home computer to access Texas HHS Confidential Information that resides on a computer system at a business location or, if you use wireless, ensuring that the wireless is secured using a password code. If you do not access systems remotely or over wireless, answer "Yes." Item #8. Answer "Yes" if your business updates the computer security settings for all your computers and electronic systems that access or store Texas HHS Confidential Information to prevent hacking or breaches (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit opportunities for hackers or intruders to access your system). For example, Microsoft's Windows security checklist: https://docs. microsoft. com/en-us/windows/securiry/threat-protection/securitv-policy-settinqs/how-to-confiQure-security-policy-settinqs Item #9. Answer "Yes" if your business secures physical access to computer, paper, or other systems containing Texas HHS Confidential Information from unauthorized personnel and theft (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.). If you are the only employee and use these practices for your business, answer "Yes." Item #10. Answer "Yes" if your business uses encryption products to protect Texas HHS Confidential Information that is transmitted over a public network (e.g., the Internet, WIFI, etc.) or that is stored on a computer system that is physically or electronically accessible to the public (FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (GIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.) For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.qov/publications/fips). Item #11. Answer "Yes" if your business stores Texas HHS Confidential Information on encrypted end-user electronic devices (e.g., laptops, USBs, tablets, smartphones, external hard drives, desktops, etc.) and can produce evidence of the encryption, such as, a screen shot or a system report (FIPS 140-2 encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (UIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data). For more information regarding FIPS 140-2 validated encryption products, please refer to: http://csrc.nist.qov/publications/fips). If you do not utilize end-user electronic devices for storing Texas HHS Confidential Information, answer "Yes." SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 17 of 18 SECURITYAND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 Item #12. Answer "Yes" if your business requires employees, volunteers, trainees and other workforce members to sign a document that clearly outlines their responsibilities for protecting Texas HHS Confidential Information and associated systems containing Texas HHS Confidential Information before they can obtain access. If you are the only employee answer "Yes" if you have signed or are willing to sign the DUA, acknowledging your adherence to requirements and responsibilities. Item #13. Answer "Yes" if your business is willing to perform a criminal background check on employees, subcontractors, volunteers, or trainees who access Texas HHS Confidential Information. If you are the only employee, answer "Yes" if you are willing to submit to a background check. Item #14. Answer "Yes" if your business prohibits the access, creation, disclosure, reception, transmission, maintenance, and storage of Texas HHS Confidential Information on Cloud Services or social media sites if you use such services or sites, and there is a Texas HHS approved subcontractor agreement that includes compliance and liability clauses with the same requirements as the Applicant/Bidder. If you do not utilize Cloud Services or media sites for storing Texas HHS Confidential Information, answer "Yes." Item #15. Answer "Yes" if your business keeps current on security updates/patches (including firmware, software and applications) for computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating, see example: https://portal. msrc. microsoft. com/en-us/ Item #16. Answer "Yes" if your business's computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti-malware and antivirus protection. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating, see example: https://docs. microsoft. com/en-us/windows/security/threat-protection/ Item #17. Answer "Yes" if your business reviews system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis. If you use a Microsoft Windows system, refer to the Microsoft website for ensuring your system is logging security events, see example: htrps://docs. microsoft. com/en-us/windows/security/threat-protection/auditinq/basic-security-audit-policies Item #18. Answer "Yes" if your business disposal processes for Texas HHS Confidential Information ensures that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable. Simply deleting data or formatting the hard drive is not enough; ensure you use products that perform a secure disk wipe. Please see NIST SP 800-88 R1, Guidelines for Media Sanitization and the applicable laws and regulations for the information type for further guidance. Item #19. Answer "Yes" if your business ensures that all public facing websites and mobile applications containing HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516 SECTION D. SIGNATURE AND SUBMISSION Click on the signature area to digitally sign the document. Email the form as an attachment to the appropriate Texas HHS Contract Manager. SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: page 18 of 18 SECURITYAND PRIVACY INQUIRY (SPI) Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ATTACHMENT B ACCESS TO PUBLIC HEALTH DASHBOARDS I. PURPOSE DSHS will provide LHE access to public health dashboards and data visualizations created by DSHS for certain data sets maintained by DSHS. LHE may access de-identified data on these dashboards for LHE's jurisdiction for the purpose of providing essential public health services even if it does not have an agreement with DSHS to access identified data; and, upon DSHS approval, statewide views may also be made available on public health dashboards. II. SPECIAL CONSIDERATIONS FOR THE USE OF PUBLIC HEALTH DASHBOARDS a) Dashboards and other data visualizations, including exports of information from these dashboards and data visualizations, created by DSHS and shared with LHE, may contain potentially identifiable public health data. b) To receive potentially identifiable public health data sets from the dashboard(s) and/or data visualizations, an agreement under the MOU for the sharing of said data sets is required prior to the sharing of potentially identifiable public health data. c) Only individuals having access credentials provided by DSHS are authorized to access these dashboards and/or data visualizations. d) At its sole discretion, DSHS may or may not suppress data on public health dashboards or other data visualizations shared with LHE. e) LHE shall not make any attempt to use the data on the dashboard or data visualizations to identify a person represented on the dashboard. III. LIST OF INDIVIDUALS ACCESSING PUBLIC HEALTH DASHBOARD LHE shall comply with Section N(A) of the MOU regarding authorized users, including submission of information and notification of change in authorized users, having access to the public health dashboards under this document. IV. REPRESENTATIVES FOR PUBLIC HEALTH DASHBOARDS The representatives authorized to administer activities for public health dashboards under this document on behalf of their respective Party are listed under Article VI, Desi�nation of Representatives, of the MOU. DSHS Contract No.HHS001472800037 Page 1 of 1 Attachment B Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ATTACHMENT C ACCESS TO VITAL EVENT DATA I. PURPOSE DSHS agrees to provide LHE access to certain confidential data and information extracted from designated birth, death, fetal death and/or linked birth-infant death ("BID") records maintained by DSHS. LHE may access the vital event data that occurred in Texas for all residents of LHE's jurisdiction and contiguous jurisdictions as approved by DSHS (see Article III, LHE Jurisdiction, of the Contract) for the purpose set forth in Section IV herein. II. LEGAL AUTHORITY In addition to Chapter 121 of the Texas Health and Safety Code, DSHS has legal authority under the following statutes and administrative rules to share the data described herein: a) Section 191.051 of the Texas Health and Safety Code; b) Rule 181.1(21) in Title 25 of the Texas Administrative Code; and c) Section 1001.089(b) of the Texas Health and Safety Code. III. DESCRIPTION OF VITAL EVENT DATA TO BE PROVIDED DSHS will provide LHE with provisional and statistically locked data iiles via secure data exchange, according to the variables outlined in Exhibit l, Exhibit 2, and Exhibit 3, which is/are attached hereto, incorporated herein, and made part of the MOU for all purposes. In BID files, variables provided include only those death certificate items identified in the birth and death checklists in the Exhibit(s) attached and are completed for death certificates. If provisional files are available, then variables provided include only those items identiiied in the Exhibit(s) that are available for provisional data. A. DSHS will provide residence data compiled by the usual place of residence without regard to the demographic place where the event occurred within Texas. For births and fetal deaths, the mother's usual residence is used as the place of residence. B. DSHS will provide access to vital event data and information according to the following schedule and conditions: 1. Access to data files will be provided approximately thirty (30) calendar days after the effective date of this MOU, or if access to certain data is approved through an amendment, then (thirty) 30 calendar days from effective date of the respective amendment. These data files will consist of: • Birth: data for years 2005 through the latest year of available data, as defined in Exhibit 1; • Death: data for years 2006 through the latest year of available data, as defined in Exhibit 2; • Fetal Death: data for years 2006 through the latest year of available data, as defined in Exhibit 3; and • BID: data for years 2006 through the latest year of available data, as defined in the applicable exhibits. 2. The standard data sets for birth, death, and fetal death will be provided to each LHE as defined in Exhibit 1, Exhibit 2, and Exhibit 3, respectively. The standard data sets may be updated at DSHS' sole discretion to add, delete, or modify data elements. DSHS DSHS Contract No.HHS001472800037 Page 1 of 3 Attachment C Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 may periodically add descriptive or calculated variables based on these data elements. 3. Data will be automatically updated when the new data files are available. 4. Once DSHS has granted an LHE authorized user access, that individual shall have log in access to the data twenty-four hours a day, seven days a week. 5. Annual statistically locked data fles will replace that year's provisional data. IV. INTENDED USE OF VITAL EVENT DATA To monitor and analyze incidences of diseases to improve public health in the community. V. SPECIAL CONSIDERATIONS FOR THE USE OF VITAL EVENT DATA Under no circumstances shall LHE utilize the data and information to identify, disclose, or discover information concerning the specific adoptions, paternity determinations, or the identity of the parents of children who are the subjects of adoption placements. Any accidental identification of this information related to a child or parents of that child shall not be disclosed. VI. LIST OF INDIVIDUALS ACCESSING DATA In accordance with Section N(A) of the MOU, LHE shall submit a list of staff names, titles, and email addresses in writing to the DSHS Representative identiiied in Section VII herein or through the DSHS identity and access management system, based upon guidance provided by DSHS. LHE shall notify DSHS Representatives of any changes in staff that require removal from the list of authorized users. Such notification must be made in writing or through DSHS' identity and access management system within five (5) business days of any staffing changes. On an annual basis and as additionally requested by DSHS, LHE shall certify the list of authorized users in writing to the DSHS Representatives identified in this MOU or through DSHS' identity and access management system, based upon guidance provided by DSHS. VII. VITAL EVENT DATA ATTACHMENTS The following e�chibits are attached to this vital event data document and islare incorporated into this document for all purposes. • Exhibit 1: Checklist for Birth Certificate Data 2005 and beyond • Exhibit 2: Checklist for Death Certifcate Data 2006 and beyond • Exhibit 3: Checklist for Fetal Death Certificate Data 2006 and beyond VIII. VITAL EVENT DATA REPRESENTATIVES The following will act as the representatives authorized to administer activities for vital event data under this document on behalf of their respective Party. DSHS Contract No.HHS001472800037 Page 2 of 3 Attachment C Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 DSHS Contract Management DSHS Center for Health City of Lubbock, on behalf of its Section (CMS) Statistics (CHS) Health Department Gretchen Wells Jason Lucas iffany Torres, MPH, MLS Contract Manager Branch Manager Laboratory/Epidemiology Manager 1100 W 49`h Street, MC 1990 PO Box 149347, MC 1898 2015 50`h Street, Austin, Texas 78756 Austin, Texas 78714-9347 Lubbock, TX 76413 (512) 776-2679 (512) 776-6439 (806) 775-2990 Gretchen.Wells@dshs.texas.gov HIItBRequests@dshs.texas.gov ttorres@mylubbock.us DSHS Contract No.HHS001472800037 Page 3 of 3 Attachment C Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ATTACHMENT C ACCESS TO VITAL EVENT DATA EXHIBIT 1 Checklist for Birth Certificate Data 2005 and beyond Instructions: 1. Since these data are confidential, all requested certificate items need to have brief justifications according to LHE project aims. 2. If a certificate item is used for linkage, then state how and whether it will be removed from the resulting linked analysis file. If the certificate item will be retained in the linked analysis file, please also provide a brief justification according to LHE project aims. 3. For certain sensitive data elements, such as certificate number or residence address, consider alternative means of accomplishing LHE project aims while using less sensitive data. Examples include creating a LHE unique identifier instead of requesting the certificate number and requesting geocoded census tracts instead of residence address. I. Birth Certificate Items Available Electronically Item `� Number Item Descri tor Justification HE is a properly qualified applicant. Health nd Safety Code § 191.051 and 25 Texas a Random Uniaue ID (unrelated to certificate number) dministrative Code & 181.1(21). irth Number (Certificate Num :hild's Birth State :hild's Name First Middle Last Su�x iate of Birth (mm� lace of Birth — Cou ity or Town ime of Birth uralitv - Sinqle, Twin, Triplet, etc. b. If Plural Birth, Born, 1st, 2nd, 3rd, etc. a. Place of Birth: Clinic/Doctor's Office Licensed Birthing Center Hospital Home Birth (Planned to deliver at home? Yes/No) Other: Other (Specify) - includes residential addresses for home Other of Hospital or Birthing Center (street address for not nt Type: MD, DO, CNM, Midwife, Other 10. IMother's Name Prior to First is a properly qualified applicant. Health Safety Code § 191.051 and 25 Texas inistrative Code § 181.1(21). DSHS Contract No. HHSOO 1472800037 Page 1 of 9 Attachment C, Exhibit I Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 1 2 3a. 3b. 3c. 3d. 3e. 3f. 4. ✓ I Item 5 � � First Middle Last Su�x iate of Birth (mm/d idence State or toreiqn co ;ity, Town or Location >treet Address or Rural Location Jlother's residence apartment number '_ip Code nside City Limits (Yes/No) Jlother's Mailing Address Jlother's Mailing Apartment Number Jlother's Mailing City Jlother's Mailing State Item Descriptor Jlother's Mailing Zip Code >ame as Residence, or: =ather Name First Middle Last Suffix �ate of Birth (mm/dd/vvvv) ✓ Item Number Item Descri 19. Mother's Current Leaal Name 12SI First � Middle � Last � 22. Mother Married Yes/No � 26 Father's Mailing Address � Father's Mailing Apartment Numbe � Father's Mailing City � Father's Mailing State � Father's Mailing Zip Code � Same as Mother � 27. Mother's Education 8th Grade or Less 9th - 12th Grade, No Di loma Hi h School Graduate or GED Some Colle e Credit, but No De Associate De ree e. ., AA, AS Bachelor's De ree e. ., BA, AB, DSHS Contract No. HHS001472800037 Attachment C, Exhibit 1 ree rthpiace (state, territory or toreign country) � Items 19 through 65 are Confidential Information for medical and public health use. Texas Hea/th and Safety Code, Sec.192.002(b) BS is a properly qualified applicant. Health Safety Code § 191.051 and 25 Texas iinistrative Code § 181.1(21). Justification 'rovision of essential public health services er Health and Safety Code 1001.089 and 21.002, and as approved by program. Page 2 of 9 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 ✓ I Item Master's Degree (e.g. MA, MS, MEng, Med, MSW, MBA; Doctorate (e.g., PhD. EdD) or Professional Degree (e.g., 9D, DDS, DVM, LLB, JD) �other of Hispanic Origin? No, Not Spanish, Hispanic/Latina Yes. Mexican. Mexican American, Chicana Yes, Puerto F Yes, Cuban Yes, Other S� Yes, Other S� Mother of His �other's Race White nish, Hispanic/Latina nish, Hispanic/Latina mic Oriqin: Unknown or African American Item Descriptor American Indian or Alaska Native American Indian or Alaska Native (Name of the enrolled or �rincipal tribe) Asian Indian Chinese Filipino 12SI Korean � Vietnamese � Other Asian � Other Asian S eci � Native Hawaiian � Guamanian or Chamorro � Samoan � Other Pacific Islander � Other Pacific Islander S eci � Other � Other S eci � Mother's Race: Unknown � 30. Father's Education 8th Grade or Less 9th - 12th Grade, No Di loma Hi h School Graduate or GED Some Colle e Credit, but No De ree Associates De ree e. ., AA, AS Bachelor's De ree e. ., BA, AB, BS Master's De ree e. ., MA, MS, MEn , Med, MSW, MBA Doctorate (e.g., PhD. EdD) or Professional Degree (e.g., MD, DDS, DVM, LLB, JD 31. Father of His anic Ori in? � No, not S anish, His anic/Latino � Yes, Mexican, Mexican American, Chicana � Yes, Puerto Rican � Yes, Cuban � Yes, Other S anish, His anic/Latino DSHS Contract No. HHSOOl472800037 Attachment C, Exhibit 1 'rovision of essential public health services er Health and Safety Code 1001.089 and 21.002, and as approved by program. Page 3 of 9 Docusign Envelope ID:4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ✓ IItem Number Yes, Other Spanish, Hispanic/Latino Father of Hispanic Origin: Unknown ather's Race White Black or African American American Indian or Alaska Native American Indian or Alaska Native (Name of the enrolled or Asian Indian Chinese ,lapanese Korean Item Vietnamese Other Asian Other Asian (Specify) Native Hawaiian Guamanian or Chamorro Samoan Other Pacific Islander Other Pacific Islander (SqE Other (Specify) Father's Race: Unknown �other Isual Occupation ather Isual Occupation �other 'ype of Business/Industry 'ather �ype of Business/Industry 'regnancy History 'REVIOUS LIVE BIRTHS not include this chi Number None � 37b. Now Dead Number None � 37c. Date of Last Live Birth mm/ � 37d. OTHER PREGNANCY OUTCOMES Number None � 37e. Date Last Other Pre nanc Ended mm/ 38. SOURCE OF PRENATAL CARE check all that � Hos ital Clinic � Public Health Clinic DSHS Contract No. HHS001472800037 Attachment C, Exhibit 1 'rovision of essential public health services �er Health and Safety Code1001.089 and 21.002, and as approved by program. Page 4 of 9 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 Private Physician Midwife None Unknown Other Other (Specifv) �I 39. Mother's Medicaid Number � 0. Mother's Pre re nanc We � 1. Mother's Wei ht at Delive ✓ Item Item Descriptor Mother's Hei ht feeUinches Date Last Normal Menses Be an [mm/dd/yyyy} PRENATALCARE No Prenatal Care Date of First Visit (mm/dd/yyyy) Date of Last Visit (mm/dd/yyyy) Number of Prenatal Visits Cigarette Smoking Before and During Pregnancy Average Number of Cigarettes or Packs of Cigarettes Smoked vee Months Before Preg� # of Cigarettes # of Packs rst Three Months of Preg # of Cigarettes # of Packs econd Three Months of P # of Cigarettes # of Packs hird Trimester of PregnancY # of Cigarettes # of Packs �rincipal Source of Payment for this Del Private Insurance Medicaid Other S eci Did Mother get WIC Food for Herself During this Pregnancy? 7. Yes/No 8. Mother Transferred for Maternal Medical or Fetus Indications or this Delivery? (Yes/No) If Yes, Enter the Name of Facilit Mother Transferred From: 9. Risk Factors in this Preqnancv [check all that anRlv? Prepregnancy (diagnosis prior to this Gestational (diagnosis in this pregnai Prepregnancy (chron Gestational (PIH preE Eclampsia DSHS Contract No. HHS001472800037 Attachment C, Exhibit 1 �rovision of essential public health services er Health and Safety Code 1001.089 and 21.002, and as approved by program. Page 5 of 9 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 us Preterm Birth Previous Poor Pregnancy Outcome (includes perinatal small-for-gestational age/intrauterine growth restricted ✓ IItem Numb� a. 'rL% �regnancy Resulted from Infertility Treatment Fertility-enhancing Drugs, Artificial Insemination, or ntrauterine Insemination Assisted Reproductive Technology (e.g., IVF, GIFT) Jlother had Previous Cesarean Delivery f ves, how manv Item Descriptor �ntiretrovirals Administered During Pregnancy or at Delivery Variables which provide or imply HIV or STD infection �tatus cannot be provided to agencies outside of DSHS) Jone of the Above nfections Present and/or Treated During this Pregnancy Variables which provide or imply HIV or STD infection >tatus cannot be provided to agencies outside of DSHS) Gonorrhea Syphilis Chlamydia Hepatitis B Hepatitis C None of the Above -IIV Test Done Prenatally (Yes/No) - available for 2011 First Trimester Second Trimester Third Trimester Unknown None �IV Test Done at Delivery (Yes/No) nfant Tested for HIV at Birth (Yes/No) - available for 2011 Premature Rupture of the Membranes (prolonged >_ 12 hrs. Precipitous Labor (< 3 hrs.) Prolonged Labor (>_ 20 hrs.) None of the Above ;haracteristics of Labor and Delivery Induction of Labor Augmentation of Labor Non-Vertex of Labor Steroids (glucocorticoids) for Fetal Lung Maturation teceived bv the Mother Prior to Delivery )bstetric Procedures Cervical Cerclage Tocolysis External Cephalic Version: Successful Failed None of the Above )nset of Labor �rovision of essential public health services er Health and Safety Code 1001.089 and 21.002, and as approved by program. DSHS Contract No. HHS001472800037 Page 6 of 9 Attachment C, Exhibit 1 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ✓ I Item Antibiotics Received by the Mother During Labor Chorioamnionitis or Maternal Temperature >_38°C (100.4°I Moderate/Heavy Meconium Staining of the Amniotic Fluid Fetal Intolerance of Labor Such That One or More of the 'ollowing Actions was Taken: In-Utero Resuscitative �easures, Further Fetal Assessment or Operative Delivery Epidural or Spinal Anesthesia During Labor None of the Above �ethod of Delivery Was Delivery with Forceps Attempted but Unsuccessful? Item Descriptor Was Delivery with Vacuum Extraction Attempted but Insuccessful? (Yes/No) Fetal Presentation at Birth Cephalic Breech Other Final Route and Method of Delivery (check one) Vaqinal/Spontaneous Vaginal/Vacuum Cesarean If Cesarean, was a Trial of Labor Attempted: (Yes/No) aternal Morbidity - Complications Associated with Labor and :livery (Check All That Applv) Third- or Fourth-De4ree Perineal Laceration Ruptured Uterus Unplanned Hysterectomy Admission to Intensive Care Unit Unplanned Operating Room Procedure Following Del None of the Above ewborn Information lepatitis B Immunization Given? �irthweight (G or LB. OZ.) G LB OZ �bstetric Estimate of Gestation (completed weeks) �pgar Score at 5 Minutes f 5 Minute Score is Less Than 6, A ar Score at 10 Minutes 1. Is the Infant Livin at the Time of the Re ort? Yes/I 2. Is the Infant Bein Breastfed at the Time of Dischar� Yes No Infant Transferred, Status Unknown 3. bnormal Conditions of the Newborn (check all that DSHS Contract No. HHS001472800037 Attachment C, Exhibit l 'rovision of essential public health services er Health and Safety Code 1001.089 and 21.002, and as approved by program. Page 7 of 9 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Assisted Ventilation Required Immediately Following Delive � Assisted Ventilation Re uired for More Than 6 Hours rovision of essential public health services � NICU Admission er Health and Safety Code 1001.089 and � Newborn Given Surfactant Re lacement Thera 121.002, and as approved by program. � Antibiotics Received by the Newborn for Suspected Neonatal Se sis � Seizure or Serious Neurolo ic D sfunction � Significant Birth Injury (Skeletal Fracture(s), Peripheral Nerve Injury, and/or Soft Tissue/Solid Organ Hemorrhage Which Re uires Intervention ✓ Item Number Item Descri tor � None of the Above 64. Con enital Anomalies of the Newborn check all that a I � Anence hal � Menin om elocele/S ina Bifida � C anotic Con enital Heart Disease � Con enital Dia hra matic Hernia � Om halocele � Gastroschisis � Limb Reduction Defect (excluding congenital amputation and dwa�n s ndromes � Cleft Li with or Without Cleft Palate � Cleft Palate Alone � Down S ndrome � Ka ot e Confirmed � Ka ot e Pendin � Sus ected Chromosomal Disorder � Ka ot e Confirmed � Ka ot e Pendin � H os adias � None of the Anomalies Listed Above � 65. Was Infant Transferred Within 24 Hours of Delivery? (Yes/No) � If Yes, Name of Facilit Infant Transferred to: II. Variables Calculated Based on the Certificate Information ✓ Item Number Item Descri tor Justification � Father's Age rovision of essential public health services � Mother's Age er Health and Safety Code 1001.089 and � Mother's Combined Race / Ethnicity 121.002, and as approved by program. � Mother's Bridged Race Code (determined by NCHS) � Father's Bridged Race Code (determined by NCHS) � Birth Wei ht Grou � Birth Weight Calculated in Grams � Birth Weight Priority (2005-2017) � Calculated Gestation or Length of Pregnancy � Month Prenatal Care Began � Number of Live Births at this Delivery (2005-2018) � Lon itude based on mother's street address � Latitude based on mother's street address DSHS Contract No. HHS001472800037 Page 8 of 9 Attachment C, Exhibit 1 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 S Match Code S Location Code :oding Accuracy Mother's Residence County Name (from 2014 data on) Mother's Residence County FIPS Code (from 2014 data ip Code Tabulation Area 990 Census Tract (basec 2013 data on on mother's street DO Census Tract (based on mother's street address) 10 Census Tract (based on mother's street address) - from 10 data 20 Census Tract (based on mother's street address) — from 20 data Last updated: December 7, 2023 DSHS Contract No. HHS001472800037 Attachment C, Exhibit 1 rovision of essential public health services er Health and Safety Code 1001.089 and 21.002, and as approved by program. Page 9 of 9 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 ATTACHMENT C ACCESS TO VITAL EVENT DATA EXHIBIT 2 Checklist for Death Certificate Data 2006 and beyond Instructions: 1. Since these data are confidential, all requested certificate items need to have brief justifications according to LHE project aims. 2. If a certificate item is used for linkage, then state how and whether it will be removed from the resulting linked analysis file. If the certificate item will be retained in the linked analysis file, please also provide a brief justification according to LHE project aims. 3. For certain sensitive data elements, such as certificate number or residence address, consider alternative means of accomplishing LHE project aims while using less sensitive data. Examples include creating a LHE unique identifier instead of requesting the certificate number and requesting geocoded census tracts instead of residence address. I. Death Certificate Items � Item Item Descriptor Justification Number LHE is a properly qualified applicant. Health and afety Code § 191.051 and 25 Texas Administrative � Random Uni ue ID unrelated to certificate number ode 181.1 21 . ❑ n/a State File Number Certificate Number � n/a State of Death LHE is a properly qualified applicant. Health and � 1. Legal Name of Deceased: afety Code § 191.051 and 25 Texas Administrative � First Code § 181.1(21). � Middle � Last � Maiden � Suffix � 1. Deceased AKA's if any: � First � Middle � Last � Suffix � 2. Date of Death � Date of Death Type (Actual, Presumed, Estimated, Found � 3. Sex � . Date of Birth � 5. e - Last Birthda � ge — kind of units (years, months, weeks, days, hours, minutes � 6. Birthplace -City � State or Forei n Count � 8. Marital Status at Time of Death ❑ 9. Surviving Spouse (If wife, give name prior to first ❑ marriage): ❑ First ❑ Middle ❑ Last Suffix � 10a. Residence Street Address LHE is a properly qualified applicant. Health and � 10b. t No afety Code § 191.051 and 25 Texas Administrative DSHS Contract No. HHSOO 1472800037 Page 1 of 5 Attachment C, Exhibit 2 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � 10c. Cit or Town of Residence ode § 181.1(21). � 10d. Count of Residence � 10e. State of Residence � 10f. Zip Code � Zi Code Extension � 10 . Inside Cit Limits? ❑ 11. Father's Name: ❑ First ❑ Middle ❑ Last ❑ Suffix ❑ 12. Mother's Name Prior to First Marriage: ❑ First ❑ Middle ❑ Last ❑ Suffix � 13. Place of Death: LHE is a properly qualified applicant. Health and If Death Occurred in a Hospital: Inpatient afety Code § 191.051 and 25 Texas Administrative If Death Occurred in a Hospital: ER/Outpatient Code § 181.1(21). If Death Occurred in a Hospital: DOA If Death Occurred Somewhere Other Than a hospital: Hospice Facility If Death Occurred Somewhere Other Than a hospital: Nursing Home (Includes LTC) If Death Occurred Somewhere Other Than a hospital: DecedenYs Home � Other Other S eci � 14. Count of Death � 15. Citylfown of Death (If outside city limits give precinct � no) � Street Address � Zip Code Zi Code Extension � 16. Facilit Name If not institution ive street address ❑ 17. Informant's Name & ❑ Relationshi to Deceased 18. Mailing Address of Informant: ❑ Street ❑ Number ❑ C ity ❑ State ❑ Zip Code ❑ Zi Code Extension � 19. Method of Disposition: LHE is a properly qualified applicant. Health and Burial afety Code § 191.051 and 25 Texas Administrative Cremation ode § 181.1(21). Donation Entombment Removal From State Other � Other S eci ❑ 20. License Number of Funeral Director or Person Acting s Such ❑ 21. Section ❑ Block ❑ Lot DSHS Contract No. HHSOO 1472800037 Page 2 of 5 Attachment C, Exhibit 2 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number ❑ Space ❑ Unknown ❑ Place of Disposition (Name of cemetery, crematory, 22. other lace ❑ 23. Location of Disposition: ❑ City, Town ❑ State ❑ 24. Name of Funeral Facilit 25. Complete Address of Funeral Facility: ❑ Street ❑ Number ❑ City ❑ State ❑ Zip Code ❑ Zi Code Extension � 26. Certifier: LHE is a properly qualified applicant. Health and Certifying Physician afety Code § 191.051 and 25 Texas Administrative Medical Examiner ode § 181.1(21). Justice of the Peace � 28. Date Certified Mo/Da /Yr ❑ 29. Certifier `s License Number � 30. Time of Death LHE is a properly qualified applicant. Health and � Time of Death Type (Actual, Presumed, Estimated, afety Code § 191.051 and 25 Texas Administrative Found Code § 181.1(21). � 31. Certifier's Name: ❑ Certifier's Address: ❑ Street and Number ❑ City ❑ State ❑ Zip Code Zi Code Extension � 32. Title of Certifier 33. Chain of Events —Diseases, Injuries or Complications — That Directly Caused the Death: ��r you wanr ro order ic�-�o codes, check with the Section 11 of this checklist : � 33. Part Cause of Death A(Immediate Cause) — certifier's text � 1a. roximate Interval: Onset to death � 33. Part Cause of Death B- certifier's text � 1b. roximate Interval: Onset to death � 33. Part Cause of Death C- certifier's text � 1c. roximate Interval: Onset to death � 33. Part Cause of Death D- certifier's text � 1d. roximate Interval: Onset to death � 33. Part Other Significant Conditions Contributing to Death but 2. not Resultin in the Underl in Cause Given in Part 1. � 34. Was an Auto s Performed? � 35. Were Autopsy Findings Available to Complete the Cause of Death? � 36. Manner of Death � 37. Did Tobacco Contribute to Death? � 38. If Female: Not pregnant within past year Pregnant at time of death Not pregnant, but pregnant within 42 days of death Not pregnant, but pregnant 43 days to 1 year before death DSHS Contract No. HHS001472800037 Page 3 of 5 Attachment C, Exhibit 2 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number Unknown if re nant within the ast ear � 39. If Transportation Injury, Specify: Driver/Operator Passenger Pedestrian Other � Other S eci � 40a. Date of In�u Mo/Da /Yr � 40b. Time of In�u LHE is a properly qualified applicant. Health and � 40c. In�u at Work? afety Code § 191.051 and 25 Texas Administrative � Od. Place of Injury (e.g., DecedenYs home; construction Code § 181.1(21). site, restaurant, wooded area 40e. Location: � Street � Number � City � State � Zi Code � 40f. Count of In�u � 1. Describe How In'u Occurred � 3. DecedenYs Education � 4. Decedent of His anic Ori in? � No, Not S anish, His anic/Latino � Yes, Mexican, Mexican American, Chicano � Yes, Puerto Rican � Yes, Cuban � Yes, Other S anish/His anic/Latino � S eci � 45. Decedent's Race (2006 revision allows informants to select one or more races to indicate what the decedent considered himself or herself to be : � White � Black or African American � merican Indian or Alaska Native � Name of the enrolled or rinci al tribe � sian Indian � Chinese � Fili ino � Ja anese � Korean � ietnamese � Other Asian � Other Asian S eci � Native Hawaiian � Guamanian or Chamorro � Samoan � Other Pacific Islander � Other Pacific Islander S eci � Other � Other S eci � 46. Ever in U.S. Armed Forces? � 7. Ever a Peace Officer in This State? � 48. DecedenYs Usual Occupation (Indicate type of work done durin most of workin life . DSHS Contract No. HHS001472800037 Page 4 of 5 Attachment C, Exhibit 2 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � 9. DecedenYs T e of Business/Indust n/a If Deceased Served in U.S. Armed Forces, Fill Out the ❑ Following: ❑ Is the deceased reported to have been in such ❑ service? ❑ Name of organization in which service was rendered? ❑ Serial number of discharge papers or adjusted service certificate? Name of next of kin or of next friend? Post Office Address? II.Other Variables Calculated Based on the Death Certificate Items � Item Item Descriptor Justification Number � Record Type (Identified, Un-indentified, Out of State, Catastro hic ge Group LHE is a properly qualified applicant. Health and � afety Code § 191.051 and 25 Texas Administrative ode 181.1 21 . ❑ dditional Funeral Home � Causes of Death (multiple, including underlying) — ICD- 10 codes � Underl in Cause of Death — ICD-10 codes LHE is a properly qualified applicant. Health and � CDC 113 Selected Causes of Death ICD-10 afety Code § 191.051 and 25 Texas Administrative � CDC 130 Selected Causes of Infant Death ICD-10 Code § 181.1(21). � CDC 52 Rankable Causes of Death ICD-10 � as Death a Result of an In�u ? � DecedenYs Brid ed Race Code determined b NCHS � DecedenYs Race/Ethnicity (based on the TSDC method � DecedenYs S anish/His anic/Latino Ori in Unknown � DecedenYs Race: Unknown � Lon itude based on decedenYs street address � Latitude based on decedent's street address � GIS Match code � GIS Location code � Geocodin accurac � 1990 census tract (based on decedent's street address � 2000 census tract (based on decedenYs street address � 2010 census tract (based on decedenYs street address � 2020 census tract (based on decedent's street address - 2020 forward � Zi code tabulation areas ZCTAs - from 2013 data � GIS Residence Count Name - from 2014 data � GIS Residence Count FIPS - from 2014 data � NIOSH Indust Code — 2020 forward � NIOSH Occu ation Code — 2020 forward � Covid-19 Fla — 2020 forward DSHS Contract No. HHSOO 1472800037 Page 5 of 5 Attachment C, Exhibit 2 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 ATTACHMENT C ACCESS TO VITAL EVENT DATA EXHIBIT 3 Checklist for Fetal Death Certificate Data 2006 and beyond Instructions: 1. Since these data are confidential, all requested certificate items need to have brief justifications according to LHE project aims. 2. If a certificate item is used for linkage, then state how and whether it will be removed from the resulting linked analysis file. If the certificate item will be retained in the linked analysis file, please also provide a brief justification according to LHE project aims. 3. For certain sensitive data elements, such as certificate number or residence address, consider alternative means of accomplishing LHE project aims while using less sensitive data. Examples include creating a LHE unique identifier instead of requesting the certificate number and requesting geocoded census tracts instead of residence address. I. Fetal Death Certificate Items � Item Item Descriptor Justification Number LHE is a properly qualified applicant. Health nd Safety Code § 191.051 and 25 Texas � Random Uni ue ID unrelated to certificate number dministrative Code 181.1 21 . ❑ TATE FILE NUMBER (Certificate Number) � 1. etus Name: First HE is a properly qualified applicant. Health � Fetus Name: Middle nd Safety Code § 191.051 and 25 Texas � Fetus Name: Last dministrative Code § 181.1(21). � Fetus Name: Suffix � Date of Delivery � ime of Delivery — 2012 forward � ex � lace of Delivery - County � a. Place of Delivery- City or Town � a. Plurality - Single, Twin, etc. � b. If Plural Birth, Born, 1st, 2nd, 3rd, etc. � a. Place of Delivery - Clinic/Doctor's Office � Licensed Birthing Center � Hospital � Home � ther (Yes/No) � ther (Specify): � b. Name of Hospital or Birthing Center � Mother's Current Legal Name: First � Mother's Current Legal Name: Middle � Mother's Current Legal Name: Last � other's Current Legal Name: Suffix - 2019 forward � 10. Date of Birth (of mother) � 11. Mother's Name Prior to First Marriage: Last (i.e., maiden name � 12. Mother's Birthplace (State or Foreign Country) � 13a. Mother's Residence State DSHS Contract No.HHS001472800037 Page 1 of 8 Attachment C, Exhibit 3 Docusign Envelope ID� 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � 13b. Mother's Residence County � 13c. Mother's Residence City or Town � 13d. Mother's Residence Street Address or Rural Location � 13e. Mother's Residence apartment number � 13f. other's Residence Zip Code LHE is a properly qualified applicant. Health � 13g. Inside City Limits (mother's residence) nd Safety Code § 191.051 and 25 Texas � 14. ather Name: First dministrative Code § 181.1(21). � ather Name: Middle � Father Name: Last � Father Name: Suffix � 15. Date of Birth (of father) � 16. Father's Birthplace (State or Foreign Country) 17b. ttendant Type � MD � DO � NM � idwife � ther (Yes/No) � ther (Specify): 18b. ertifier � ertifying Physician � edical Examiner /Justice of the Peace 19. Method of Disposition � urial � remation � Removal from state � Donation � Entombment � ther (Yes/No) � ther (Specify): � 6a. Initiating Cause/Condition Contributing to Fetal Death � Rupture of Membranes � bruptio Placenta � Placental Insufficiency � Prolapsed Cord � horioamnionitis � ther (Yes/No) � ther (Specify): � ther Obstetrical or Pregnancy Complications (Specify) � Fetal Anomaly (Specify) � Fetal Injury (Specify) � Fetal Infection (Specify) � ther Fetal Conditions/Disorders (Specify) � Unknown � 6b. ther Significant Causes or Conditions Contributing to Fetal Death � Rupture of Membranes � bruptio Placenta � lacental Insufficiency DSHS Contract No.HHS001472800037 Page 2 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � Prolapsed Cord � horioamnionitis � ther (Yes/No) � ther (Specify): � ther Obstetrical or Pregnancy Complications (Specify) LHE is a properly qualified applicant. Health � etal Anomaly (Specify) nd Safety Code § 191.051 and 25 Texas � etal Injury (Specify) dministrative Code § 181.1(21). � etal Infection (Specify) � ther Fetal Conditions/Disorders (Specify) � Unknown 7. eight of Fetus � rams � B � Z � 8. bstetric Estimate of Gestation (Weeks) 9. stimated Time of Fetal Death � Dead at Time of First Assessment, No Labor Ongoing � Dead at Time of First Assessment, Labor Ongoing � Died During Labor, After First Assessment � Unknown Time of Fetal Death 0. as an Autopsy Performed? � es � o � lanned 1. as a Histological Placental Examination PerFormed? � es � o � Planned 2 ere Autopsy or Histological Placental Examination esults Used in Determinin the Cause of Death? � es � o Items 34 through 53 are confidential information for medical and public health use. 4. other's Education � th Grade or Less � th - 12th Grade, No Di loma � Hi h School Graduate or GED � ome Colle e Credit, but No De ree � ssociate De ree e. ., AA, AS � Bachelor's De ree e. ., BA, AB, BS � Master's De ree e. ., MA, MS, MEn , Med, MSW, MBA � Doctorate (e.g., PhD. EdD) or Professional Degree (e.g., MD, DDS, DVM, LLB, JD 5. other of His anic Ori in? � o, Not S anish, His anic/Latina � es, Mexican, Mexican American, Chicana � es, Puerto Rican DSHS Contract No.HHS001472800037 Page 3 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1F63-4CSE-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � es, Cuban � es, Other S anish, His anic/Latina � es, Other S anish, His anic/Latina S eci 6. Mother's Race � ite LHE is a properly qualified applicant. Health � Black or African American nd Safety Code § 191.051 and 25 Texas � merican Indian orAlaska Native dministrative Code § 181.1(21). � merican Indian or Alaska Native (Name of the enrolled or rinci al tribe � sian Indian � hinese � Fili ino � apanese � orean � ietnamese � ther Asian � ther Asian S eci � Native Hawaiian � uamanian or Chamorro � amoan � ther Pacific Islander � ther Pacific Islander (Specify) REVIOUS LIVE BIRTHS 7a. ow Livin � umber � None 7b. Now Dead � umber � None � 7c. Date of Last Live Birth mm/ 7d. THER PREGNANCY OUTCOMES � Number � None � 7e. Date Last Other Pre nanc Ended mm/ 8. i arette Smokin Before and Durin Pre nanc verage Number of Cigarettes or Packs of Cigarettes moked er Da hree Months Before Pre nanc � # of Ci arettes � # of Packs First Three Months of Pre nanc � # of Ci arettes � # of Packs econd Three Months of Pre nanc � # of Ci arettes � # of Packs hird Trimester of Pre nanc DSHS Contract No.HHS001472800037 Page 4 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � # of Ci arettes � # of Packs 9. OURCE OF PRENATAL CARE check all that a I � Hos ital Clinic � ublic Health Clinic LHE is a properly qualified applicant. Health � Private Ph sician nd Safety Code § 191.051 and 25 Texas � Midwife dministrative Code § 181.1(21). � None � nknown � ther Yes/No � ther S eci � 0. Mother's Hei ht feeUinches � 1. Mother's Pre re nanc Wei ht ounds � 2. Mother's Wei ht at Delive ounds RENATALCARE � No Prenatal Care � 3a. Date of First Visit mm/dd/ � 3b. Date of Last Visit mm/dd/ � 3c. Number of Prenatal Visits � 4. Date Last Normal Menses Be an mm/dd/ Did Mother get WIC Food for Herself During this 5. re nanc ? � es � No 6. Mother Married? � es � No Mother Transferred for Maternal Medical or Fetus 7. Indications for this Delive ? � es � No � If Yes, Enter the Name of Facility Mother Transferred From: 8. Risk Factors in this Pre nanc check all that a I Diabetes � Pre re nanc Dia nosis rior to this re nanc � Gestational Dia nosis in this re nanc H ertension � Pre re nanc Chronic � Gestational PIH reeclam sia � Eclam sia � Previous Preterm Birth � ther Previous Poor Pregnancy Outcome (includes erinatal death, small-for-gestational age/intrauterine rowth restricted rowth � Pregnancy Resulted from Infertility Treatment (if yes, heck all that a I � Fertility-enhancing Drugs, Artificial Insemination, or Intrauterine Insemination � Assisted re roductive technolo e. ., IVF, GIFT DSHS Contract No.HHS001472800037 Page 5 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1F63-4CSE-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number � Mother had Previous Cesarean Delive . � If es, how man � ntiretrovirals Administered During Pregnancy or at Delivery (Variables which provide or imply HIV or STD 'nfection status cannot be provided to agencies outside of SHS. These data elements should normally be /eft nchecked � one of the Above HE is a properly qualified applicant. Health Infections Present and/or Treated During this Pregnancy nd Safety Code § 191.051 and 25 Texas (check all that apply) (Variables which provide or imply dministrative Code § 181.1(21). HIV or STD infection status cannot be provided to gencies outside of DSHS. These data elements should 9. normall be left unchecked � onorrhea � hilis � hlam dia � Listeria � rou B Stre tococcus � tome alovirus � arvovirus � oxo lasmosis � None of the above � ther Yes/No � ther S eci Oa. HIV Test Done Prenatall � es � No Ob. HIV Test Done at Delive � es � No 1. Method of Delive 1A. as Delive with Force s Attem ted but Unsuccessful? � es � o as Delivery with Vacuum Extraction Attempted but 1 B. nsuccessful? � es � o 1 C. etal Presentation at Birth � e halic � Breech � ther � 1 D. Final Route and Method of Delive Check One a inal/S ontaneous a inal/Force s a inalNacuum esarean � If cesarean, was a trial of labor attem ted: Yes DSHS Contract No.HHS001472800037 Page 6 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number No 1 E. H sterotom /H sterectom � Yes � No Maternal Morbidity - Complications Associated with Labor LHE is a properly qualified applicant. Health 2. nd Delive Check All That A I nd Safety Code § 191.051 and 25 Texas � Maternal Transfusion dministrative Code § 181.1(21). � hird- or Fourth-De ree Perineal Laceration � u tured Uterus � Un lanned H sterectom � dmission to Intensive Care Unit � Un lanned O eratin Room Procedure Followin Delive � None of the Above ongenital Anomalies of the Newborn (check all that 3. I � nence hal � Menin om elocele/S ina Bifida � anotic Con enital Heart Disease � on enital Dia hra matic Hernia � m halocele � astroschisis � imb Reduction Defect (excluding congenital amputation nd dwarFin s ndromes � left Li Wth or Without Cleft Palate � left Palate Alone � Down S ndrome � Ka ot e Confirmed � Ka ot e Pendin � us ected Chromosomal Disorder � Ka ot e Confirmed � Ka ot e Pendin � H os adias � None of the Anomalies Listed Above II. Other Commonly Used Variables (Not on the Fetal Death Certificate) Available for selected years � Item Item Descriptor Justification Number � Underlying Cause of Death (ICD codes) LHE is a properly qualified applicant. Health � auses of Death (multiple, including underlying) — ICD-10 nd Safety Code § 191.051 and 25 Texas odes dministrative Code § 181.1(21). � DC 124 Selected Causes of Fetal Death (ICD-10) � DC 45 Rankable Causes of Fetal Death (ICD-10) � other's Combined Race / Ethnicity Field � alculated Weeks of Gestation � eight of Fetus Calculated in Grams � Mother's Age � Father's Age � Lon itude - Decimal De rees based on mother's street DSHS Contract No.HHS001472800037 Page 7 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 � Item Item Descriptor Justification Number ddress � atitude - Decimal Degrees (based on mother's street ddress � IS Match Code (not available prior to 2004) � IS Location Code (not available prior to 2004) LHE is a properly qualified applicant. Health � eocoding Accuracy nd Safety Code § 191.051 and 25 Texas � 1990 Census Tract (based on mother's street address) dministrative Code § 181.1(21). � 000 Census Tract (based on mother's street address) � 010 Census Tract (based on mother's street address) � 020 Census Tract (based on mother's street address) — 020 forward Last updated: December 7, 2023 DSHS Contract No.HHS001472800037 Page 8 of 8 Attachment C, Exhibit 3 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 ATTACHMENT E ACCESS TO TEXAS PUBLIC USE HEALTH CARE DATA COLLECTED UNDER HEALTH AND SAFETY CODE CHAPTER 108 THROUGH DSHS CONTRACT NO. HHS001437900001 Subject to the terms and conditions set forth in the Memorandum of Agreement between the Parties, this Attachment F provides Local Public Health Entity (LHE) with authorization to access public health data maintained by DSHS. I. PURPOSE DSHS agrees to provide Texas LHE access to the public use data files (PUDF) from hospital inpatient, outpatient or emergency department discharge data collected by DSHS under Chapter 108 of the Texas Health and Safety Code. Section IV of this Attachment outlines the intended use of the data by LHE. No personally identifiable information and non-public data may be shared or released by LHE without specific statutory authority and the prior written consent of DSHS. II. LEGAL AUTHORITY DSHS has legal authority under the following statutes to share the data described in this Attachment under Texas Health and Safety Code, Section 108.011. III. DESCRIPTION OF PUBLIC USE HOSPITAL DISCHARGE DATA TO BE PROVIDED DSHS will provide LHE with one or more PUDFs described above via secure data exchange, according to request outlined in Section VI of this Attachment. LHE must identify which PUDF fles they are requesting: inpatient, outpatient or emergency department. A. DSHS will provide access to each requested PUDF according to the following schedule and conditions: 1. Access to finalized, quarterly data files will be provided electronically to qualified requestors approximately 24-48 hours after the request form and MOU are submitted and approved. DSHS is statutorily required to track and publicly post all data requests. Texas Health and Safety Code, 108.0131. 2. Once DSHS has granted an LHE staff inember access in accordance with Section IV (D) of the MOU, that individual shall have log in access to the data twenty-four hours a day, seven days a week. IV. LIST OF INDIVIDUALS ACCESSING DATA In accordance with Section III of the MOU, for direct access, LHE shall submit a list of staff, titles, and email addresses; and the intended use of the data, to request access to the limited data set(s) or data visualization. The request must be submitted to the DSHS Representatives identifed directly below. LHE shall notify DSHS Representatives of any changes in staff that require removal from the list of authorized users. Such notification must be made in writing and within five (5) business days of any staffng changes. Page 1 of 3 Docusign Envelope ID: 4E394409-1FB3-4C8E-A60D-E61AA9083AA6 V. SPECIAL CONSIDERATIONS FOR THE USE OF PUDF Sections 108.013(c)(1) and (2) and 108.013 (g) of the Texas Health and Safety Code (THSC) prohibit the Texas Department of State Health Services (DSHS) from releasing, and a person or entity from gaining access to, any data that could reveal the identity of a patient or the identity of a physician unless specially authorized under Chapter 108 of THSC. Any effort to determine the identity of any person or to use the information for any purpose other than for analysis and aggregate statistical reporting violates the THSC and this data use agreement. By virtue of this agreement, the undersigned agrees that the data will not be used to identify an individual patient or physician. Any questions about the data must be referred to the DSHS manager in charge of implementing Chapter 108 of the THSC. Product support is not provided by DSHS. The data are protected by United States copyright laws and international treaty provisions. Sharing of the data between two organizations, regardless of affiliation, is only allowed with the written approval of DSHS. LHE (also referred to as "licensee") is required to comply with all federal and state confidentiality laws. The licensee agrees to the foregoing restrictions and acknowledges that the knowing or negligent release of data in violation of Chapter 108, Health and Safety Code, is punishable by a civil penalty of up to $10,000 under section 108.014 and is a state jail felony under section 108.0141 and any other remedies available under the law to DSHS. The licensee acknowledges the data is limited to the organization's physical location (specified below) unless purchasing a multiple organizational license; The licensee will not release nor permit others to release the individual patient records or any part of them to any person who is not a staff member of the organization (specified below), except with the written approval of DSHS; The licensee will not attempt to link nor permit others to attempt to link the inpatient records of patients in this data set with personally identifiable records from any other source; The licensee will not release nor permit others to release any information that identifies persons, directly or indirectly; The licensee will not attempt to use nor permit others to use the data to learn the identity of any physician; The licensee will not nor permit others to copy, sell, rent, license, lease, loan, or otherwise grant access to the data covered by this Agreement to any other person or entity, unless approved in writing by DSHS; The licensee acknowledges that when releasing or disclosing the data set or any part to others in their organization they will retain full responsibility for the privacy and security of the data and will prohibit others from further release or disclosure of the data; The licensee agrees to read the User Manual and understand the limitations of the data (User Manual located at: www.dshs.texas. ov thcic ; The licensee will periodically check the DSHS/CHS/THCIC website for any technical updates to the data (www.dshs.texas. ov thcic); The licensee will use the following citation in any publication of information from this file as: Texas Hospital Inpatient Discharge Public Use Data File, [quarter and year of data]. Texas Department of State Health Services, Austin, Texas. [date of ublication]; The licensee will indemnify, defend and hold the DSHS, its members, employees, and its contract vendors harmless from any and all claims and losses accruing to any person as a result of violation of this agreement; and The licensee will make no statement nor permit others to make statements indicating or suggesting that interpretations drawn from these data are those of DSHS. • Page 2 of 3 Docusign Envelope ID: 4E394409-1F63-4C8E-A60D-E61AA9083AA6 VI. PUBLIC USE HOSPITAL DISCHARGE DATA REPRESENTATIVES The following will act as the representatives authorized to administer activities under this Attachment for public use hospital discharge data on behalf of their respective Party. DSHS Contract Management Texas Health Care City of Lubbock, on behalf of its Section (CMS) Information Collection Health Department (LHE) Gretchen Wells, CTCM Tarik Brown iffany Torres, MPH, MLS(ASCP)cM Contract Manager Director Laboratory/Epidemiology Manager 1100 W 49`h Street, MC 1990 1100 W 49`'' Street, MC 2015 50�" Street, Austin, Texas 78756 1898 Lubbock, TX 76413 (512) 776-2679 Austin, Texas 78756 (806) 775-2990 Gretchen.wells@dshs.texas.gov (512) 438-4844 ttorres@mylubbock.us Tarik. brown@dshs. texas. gov Page 3 of 3 a docusign. Certificate Of Completion Envelope Id:4E394409-1F63-4C8E-A60D-E61AA9083AA6 Subject: HHS001472800037_City of Lubbock_MOU_CHS/DSHS Source Envelope: Document Pages: 73 Signatures: 0 Certificate Pages: 2 Initials: 0 AutoNav: Enabled Envelopeld Stamping: Enabled Time Zone: (UTC-06:00) Central Time (US & Canada) Record Tracking Status: Original 6/11/2025 4:56:44 PM Holder: CMS Internal Routing Mailbox CMS.InternalRouting@dshs.texas.gov Signer Events Mark McBrayer mmcbrayer@mylubbock. us Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Helen Whittington helen.whittington@dshs.texas.gov Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Susana Garcia Susana.Garcia@dshs.texas.gov Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Patty Melchior Patty. Melchior@dshs.texas.gov Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Imelda Garcia Imelda M. Garcia@dshs.texas.gov Security Level: Email, Account Authentication (None) Electronic Record and Signature Disciosure: Not Offered via Docusign In Person Signer Events Editor Delivery Events Agent Delivery Events Intermediary Delivery Events Signature Signature Status Status Status Status: Sent Envelope Originator: CMS Internal Routing Mailbox 11493 Sunset Hills Road #100 Reston, VA 20190 CMS.Internal Routing@dshs. texas.gov IP Address: 167.137.1.7 Location: DocuSign Timestamp Sent: 6/11/2025 5:06:58 PM Timestamp Timestamp Timestamp Timestamp Certifed Delivery Events Status Timestamp Carbon Copy Events Gloria Diaz gdiaz@mylubbock.us Financial Analyst Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Status COPIED Timestamp Sent: 6/11/2025 5:06:59 PM Viewed: 6/12/2025 8:22:13 AM Katherine Wells CO PI E D kweils@mylubbock.us Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign CMS Internal Routing Mailbox CMS.I nternalRouting@dshs.texas.gov Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Gretchen Wells gretchen.wel Is@dshs.texas.gov Security Level: Email, Account Authentication (None) Electronic Record and Signature Disclosure: Not Offered via Docusign Witness Events Notary Events Envelope Summary Events Envelope Sent Payment Events Signature Signature Status Hashed/Encrypted Status Sent: 6/11/2025 5:06:59 PM Timestamp Timestamp Timestamps 6/11/2025 5:06:59 PM Timestamps