Resolution - 2020-R0272 - Contract HHS 000812700012, DSHS COVID-19 Grant Program
Resolution No. 2020-RO272
Item No. 7.1.1
August 25, 2020

RESOLUTION

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:

THAT the acts of the Mayor of the City of Lubbock in executing, on behalf of the City of Lubbock, a Department of State Health Services (DSHS) Contract No. HHS000812700012 under the COVID-19 Grant Program, to provide funding for COVID-19 activities, by and between the City of Lubbock and the State of Texas acting by and through DSHS, and related documents are hereby ratified in full. Said Contract is attached hereto and incorporated in this resolution as if fully set forth herein and shall be included in the minutes of the City Council.

Passed by the City Council on August 25, 2020

DANIEL M. POPE, MAYOR

ATTEST: [signature illegible]
APPROVED AS TO CONTENT: [signature illegible]
APPROVED AS TO FORM: [name illegible], Assistant City Attorney

RES.DSHS Contract No. HHS000812700012 Ratification 7.31.20

DocuSign Envelope ID: 025C3ADA-7A4D-46C9-9128-AF03957BA1EB

SIGNATURE DOCUMENT FOR DEPARTMENT OF STATE HEALTH SERVICES CONTRACT No. HHS000812700012 UNDER THE COVID-19 GRANT PROGRAM

I. PURPOSE

The DEPARTMENT OF STATE HEALTH SERVICES ("SYSTEM AGENCY" OR "DSHS"), a pass-through entity, and CITY OF LUBBOCK ("GRANTEE") (each a "Party" and collectively the "Parties") enter into the following grant contract to provide funding for COVID-19 activities (the "Contract").

II. LEGAL AUTHORITY

This Contract is authorized by and in compliance with the provisions of Texas Government Code Chapter 791, and Chapters 12 and 121 of the Texas Health and Safety Code.

III. DURATION

The Contract is effective on August 1, 2020 or the signature date of the latter of the Parties to sign this agreement, if executed later than August 1, 2020. The contract terminates on April 30, 2022, unless renewed, extended, or terminated pursuant to the terms and conditions of the Contract.
System Agency, at its sole discretion, may extend this Contract for any period(s) of time, provided the Contract term, including all extensions or renewals, does not exceed five years. Notwithstanding the limitation in the preceding sentence, System Agency, at its sole discretion, also may extend the Contract beyond five years as necessary to ensure continuity of service, for purposes of transition, or as otherwise determined by System Agency to serve the best interest of the State.

IV. BUDGET

The total amount of this Contract will not exceed $154,908.00. Grantee is not required to provide matching funds. All expenditures under the Contract will be in accordance with ATTACHMENT B, BUDGET.

V. REPORTING REQUIREMENTS

This Contract contains reporting requirements as stated in Attachment A, Statement of Work.

VI. CONTRACT REPRESENTATIVES

The following will act as the representative authorized to administer activities under this Contract on behalf of their respective Party.

System Agency
Department of State Health Services
P.O. Box 149347 — Mail Code 1990
Austin, Texas 78714-9347
Attention: Caeli Paradise

Grantee
City of Lubbock
P.O. Box 2000
Lubbock, Texas 79457
Attention: Katherine Wells

VII. LEGAL NOTICES

Any legal notice required under this Contract shall be deemed delivered when deposited by the System Agency either in the United States mail, postage paid, certified, return receipt requested; or with a common carrier, overnight, signature required, to the appropriate address below:

System Agency
Department of State Health Services
P.O. Box 149347 — Mail Code 1990
Austin, Texas 78714-9347
Attention: General Counsel

Grantee
City of Lubbock
P.O. Box 2000
Lubbock, Texas 79457
Attention: D. Blu Kostelich

VIII. NOTICE REQUIREMENTS

Notice given by Grantee will be deemed effective when received by the System Agency.
Either Party may change its address for notices by providing written notice to the other Party. All notices submitted to System Agency must:
A. include the Contract number;
B. be sent to the person(s) identified in the Contract; and,
C. comply with all terms and conditions of the Contract.

IX. ADDITIONAL GRANT INFORMATION

Grantee Data Universal Numbering System (DUNS) Number: 807391511
Federal Award Identification Number (FAIN): NU50CK000501
Catalog of Federal Domestic Assistance (CFDA) Name and Number (list all that apply): Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) — 93.323
Federal Award Date: April 23, 2020
Name of Federal Awarding Agency: Centers for Disease Control and Prevention
Awarding Official Contact Information:
Brownie Anderson-Rana, Grants Management Officer
2939 Flowers Road — Mailstop TV2
Atlanta, GA 30341-5509
Phone: 770-488-2771

SIGNATURE PAGE FOLLOWS

SIGNATURE PAGE FOR SYSTEM AGENCY CONTRACT No. HHS000812700012

SYSTEM AGENCY
Signature:
Printed Name:
Title:
Date of Execution:

GRANTEE
DocuSigned by: [signature illegible]
Printed Name: Daniel Pope
Title: Mayor
Date of Execution: July 17, 2020

THE FOLLOWING ATTACHMENTS TO SYSTEM AGENCY CONTRACT No. HHS000812700012 ARE INCORPORATED BY REFERENCE:

ATTACHMENT A - STATEMENT OF WORK
ATTACHMENT B - BUDGET
ATTACHMENT C - UNIFORM TERMS AND CONDITIONS - GRANT
ATTACHMENT D - SUPPLEMENTAL AND SPECIAL CONDITIONS
ATTACHMENT E - FEDERAL ASSURANCES NON-CONSTRUCTION
ATTACHMENT F - CERTIFICATION REGARDING LOBBYING
ATTACHMENT G - FFATA
ATTACHMENT H - HHS DATA USE AGREEMENT
ATTACHMENT I - SECURITY AND PRIVACY INQUIRY (SPI)

ATTACHMENTS FOLLOW
ATTACHMENT A
STATEMENT OF WORK

I. GRANTEE RESPONSIBILITIES

Grantee will:

A. Establish or enhance ability to aggressively identify cases of COVID-19, conduct contact tracing and follow up activities, as well as implement recommended containment measures. Enhanced contact tracing including contact elicitation/identification, contact notification, and contact follow-up. Activities could include traditional contact tracing methods as well as healthcare-specific methods. Other proximity/location-based methods using individuals' cellphone tower data are not allowed to be used for the purposes of contact tracing. Information on contacts must be entered into the Texas Health Trace system in accordance with DSHS's published guidance.

B. Improve morbidity and mortality surveillance, including:
   1. Establish or enhance community-based surveillance - Surveillance of populations and individuals includes but not limited to; those without severe illness, those with travel to high-risk locations, or those who are contacts to known cases.
   2. Monitor and report daily COVID-19 probable and confirmed COVID cases (including deaths) to DSHS.
   3. Track and send Emergency Department and outpatient visits for coronavirus (COVID)-like illness, as well as other illnesses, to Centers for Disease Control and Prevention (CDC).
   4. Send copies of all admission, discharge, and transfer (ADT) messages to CDC National Syndromic Surveillance Program (NSSP).
   5. Monitor and utilize available data in the CDC's National Healthcare Safety Network (NHSN) for confirmed 2019 novel coronavirus (COVID-19) infection or for COVID-like illness.
      a. Long-term care: https://www.cdc.gov/nhsn/ltc/covid19/index.html
      b. Acute care: https://www.cdc.gov/nhsn/acute-care-hospital/covid19/index.html
   6. Work with long-term care facilities to enroll the facility in the NHSN Long-term Care Facility (LTCF) COVID-19 Module.
   7. Provide requested information on COVID-19 associated deaths to DSHS within three business days.

C. Enhance laboratory testing and reporting capacity:
   1. Establish or expand capacity to test all symptomatic individuals, and secondarily expand capacity to achieve community-based surveillance. This capacity would entail increasing testing capabilities above the current number of specimens that can be tested at the jurisdiction's public health laboratory or by establishing new testing capabilities at the jurisdiction's laboratory.
   2. Screen for past infection (e.g., serology) for health care workers, employees of high-risk facilities, critical infrastructure workforce, and childcare providers.
   3. Obtain all jurisdictional laboratory test data electronically, including from new, non-traditional testing settings, and using alternative file formats (e.g., .csv or .xls) to help automate. In addition to other reportable results, this should include all COVID-19-related testing data, including all tests to detect severe acute respiratory syndrome coronavirus 2 (SAR-CoV-2) and serology testing.
   4. Report all COVID-19-related line level testing data (negatives, positives, indeterminants, serology) daily to DSHS. Data must meet new federal Coronavirus AID, Relief, and Economic Security (CARES) Act laboratory guidance. All public health data must be reported electronically to DSHS in compliance with the Texas Administrative Code and within appropriate reporting timeframes.

D. Prevent and control COVID-19 in healthcare settings and protect other vulnerable or high-risk populations:
   1. Assess and monitor COVID-19 infections in healthcare workers across the healthcare spectrum.
   2. Perform infection control assessments using preparedness tools approved by DSHS to ensure interventions are in place to protect high-risk populations.
   3. Monitor and help implement mitigation strategies for COVID-19 in all high-risk healthcare facilities (e.g., hospitals, dialysis clinics, cancer clinics, nursing homes, and other long-term care facilities, etc.).
   4. Monitor and help implement mitigation strategies for other high-risk employment settings (e.g., meat processing facilities), and congregate living settings (e.g., prisons, youth homes, shelters).
      a. This includes coordinating with the Texas Department of Criminal Justice when individuals are released from serving their prison term and will be returning to the jurisdiction. These individuals may have been exposed to COVID-19 while in prison and/or may be COVID-positive and require additional public health follow-up.

E. Monitor and mitigate COVID-19 introductions from connected jurisdictions (i.e., neighboring cities, states; including air travel).

F. Work with healthcare system to manage and monitor system capacity.
   1. Assess and monitor the number and availability of critical care staff, necessary PPE and potentially life-saving medical equipment, as well as access to testing services.
   2. Leverage NHSN data to monitor healthcare worker staffing, Patient Impact, Hospital Capacity, and healthcare (PPE, PAPRs, ventilators, etc.) supplies. Grantee will request access to the NHSN database within 30 days of the execution of this contract or 30 days of hire for the position completing the data entry. Upon access approval, Grantee will review available NHSN data (at least monthly) to assess gaps in the healthcare system.

G. Improve understanding of jurisdictional communities with respect to COVID-19 risk. Grantee must build an understanding of population density and high-risk population density (i.e. population of >65 yrs., proportion of population with underlying conditions, households with limited English fluency, healthcare seeking behavior, populations without insurance and those below poverty level).

H. Submit a monthly report on the report template to be provided by the DSHS. Monthly reports are due on or before the 15th of each month. Each report must contain a summary of activities that occurred during the preceding month for each activity listed above in Section I, A through G. Submit monthly reports by electronic mail to COVID.Contracts@dshs.texas.gov. The email "Subject Line" and the name of the attached file for all reports should be clearly identified with the Grantees Name, Contract Number, IDCU/COVID and the month the report covers.

I. May use funds to pay pre-award costs which date back to January 20, 2020, that are directly related to the COVID-19 outbreak response. All pre-award costs must be approved in writing by DSHS.

J. Not use funds for research, clinical care, fund raising activities, construction or major renovations, to supplant existing state or federal funds for activities, or funding an award to another party or provider who is ineligible. Other than normal and recognized executive-legislative relationships, no funds may be used for:
   1. Publicity or propaganda purposes, for the preparation, distribution, or use of any material designed to support or defeat the enactment of legislation before any legislative body;
   2. The salary or expenses of any grant or contract recipient, or agent acting for such recipient, related to any activity designed to influence the enactment of legislation, appropriations, regulation, administrative act or Executive order proposed or pending before any legislative body.

II.
PERFORMANCE MEASURES

The System Agency will monitor the Grantee's performance of the requirements in Attachment A and compliance with the Contract's terms and conditions.

III. INVOICE AND PAYMENT

A. Grantee will request payments using the State of Texas Purchase Voucher (Form B-13) at http://www.dshs.state.tx.us/grants/forms.shtm. Voucher and any supporting documentation will be mailed or submitted by fax or electronic mail to all addresses/number below.

   Department of State Health Services
   Claims Processing Unit, MC 1940
   1100 West 49th Street
   P.O. Box 149347
   Austin, TX 78714-9347
   FAX: (512) 458-7442
   EMAIL: invoices@dshs.state.tx.us and
   EMAIL: CMSInvoices@dshs.texas.gov and
   EMAIL: COVID.Contracts@dshs.texas.gov

B. Grantee will be paid on a cost reimbursement basis and in accordance with the Budget in Attachment B of this Contract.

C. Grantee will submit requests for reimbursement (Form B-13) and financial expenditure template monthly by the last business day of the month following the month in which expenses were incurred or services provided. Grantee shall maintain all documentation that substantiate invoices and make the documentation available to the DSHS upon request. In the event a cost reimbursed under the Contract is later determined to be unallowable then the Grantee will reimburse DSHS for that cost.

D. Grantee will submit quarterly Financial Status Reports (FSRs) to DSHS by the last business day of the month following the end of each quarter of the Contract for DSHS review and financial assessment.

E. Grantee will submit request for reimbursement (B-13) as a final close-out invoice not later than forty-five (45) calendar days following the end of the term of the Contract. Reimbursement requests received in the DSHS office more than forty-five (45) calendar days following the termination of the Contract may not be paid.

F. Grantee will submit a final FSR as a final close-out FSR not later than forty-five (45) calendar days following the end of the term of the Contract.

ATTACHMENT B
BUDGET

City of Lubbock
Contract No. HHS000812700012
Categorical Budget
Upon Execution to April 30, 2022

PERSONNEL               $0.00
FRINGE BENEFITS         $0.00
TRAVEL                  $0.00
EQUIPMENT               $0.00
SUPPLIES                $0.00
CONTRACTUAL             $154,908.00
OTHER                   $0.00
TOTAL DIRECT CHARGES    $154,908.00
INDIRECT CHARGES        $0.00
TOTAL                   $154,908.00

TEXAS Health and Human Services
Health and Human Services Commission
HHSC Uniform Terms and Conditions - Grant
Version 2.16
Published and Effective: March 26, 2019
Responsible Office: Chief Counsel

TABLE OF CONTENTS

ARTICLE I. DEFINITIONS AND INTERPRETIVE PROVISIONS
   1.1 Definitions
   1.2 Interpretive Provisions
ARTICLE II. PAYMENT METHODS AND RESTRICTIONS
   2.1 Payment Methods
   2.2 Final Billing Submission
   2.3 Financial Status Reports (FSRs)
   2.4 Use of Funds
   2.5 Use for Match Prohibited
   2.6 Program Income
   2.7 Nonsupplanting
   2.8 Allowable Costs
   2.9 Indirect Cost Rates
ARTICLE III. STATE AND FEDERAL FUNDING
   3.1 Funding
   3.2 No Debt Against the State
   3.3 Debt and Delinquencies
   3.4 Recapture of Funds
ARTICLE IV. ALLOWABLE COSTS AND AUDIT REQUIREMENTS
   4.1 Allowable Costs
   4.2 Audits and Financial Statements
   4.3 Submission of Audits and Financial Statements
ARTICLE V. AFFIRMATIONS, ASSURANCES AND CERTIFICATIONS
   5.1 General Affirmations
   5.2 Federal Assurances
   5.3 Federal Certifications
ARTICLE VI. INTELLECTUAL PROPERTY
   6.1 Ownership of Work Product
   6.2 Grantee's Pre-existing Works
   6.3 Agreements with Employees and Subcontractors
   6.4 Delivery Upon Termination or Expiration
   6.5 Survival
ARTICLE VII. [heading not legible in source]
   7.1 Books and Records
   7.2 Access to Records, Books, and Documents
   7.3 Response/Compliance with Audit or Inspection Findings
   7.4 SAO Audit
   7.5 Confidentiality
ARTICLE VIII. CONTRACT MANAGEMENT AND EARLY TERMINATION
   8.1 Contract Remedies
   8.2 Termination for Convenience
   8.3 Termination for Cause
ARTICLE IX. MISCELLANEOUS PROVISIONS
   9.1 Amendment
   9.2 Insurance
   9.3 Legal [remainder illegible]
   9.4 Permitting and Licensure
   9.5 Indemnity
   9.6 Assignments
   9.7 Independent Contractor
   9.8 Technical Guidance Letters
   9.9 Dispute Resolution
   9.10 Governing Law and Venue
   9.11 Severability
   9.12 Survivability
   9.13 Force [remainder illegible]
   9.14 No Waiver of Provisions
   9.15 Publicity
   9.16 Prohibition on Restrictions
   9.17 No Waiver of Sovereign Immunity
   9.18 Entire Contract and Modification
   9.19 Counterparts
   9.20 Proper Authority
   9.21 [illegible]
   9.22 Civil Rights

HHSC Grantee Uniform Terms and Conditions Page 2 of 21 v. 2.16.1 Effective 03/26/2019

ARTICLE I. DEFINITIONS AND INTERPRETIVE PROVISIONS

1.1 DEFINITIONS

As used in this Contract, unless the context clearly indicates otherwise, the following terms and conditions have the meanings assigned below:

"Amendment" means a written agreement, signed by the Parties, which documents changes to the Contract other than those permitted by Work Orders or Technical Guidance Letters.

"Attachment" means documents, terms, conditions, or information added to this Contract following the Signature Document or included by reference, and made a part of this Contract.

"Contract" means the Signature Document, these Uniform Terms and Conditions, along with any Attachments, and any Amendments, or Technical Guidance Letters that may be issued by the System Agency, to be incorporated by reference for all purposes.

"Deliverable" means the work product(s), including all reports and project documentation, required to be submitted by Grantee to the System Agency.

"Effective Date" means the date agreed to by the Parties as the date on which the Contract takes effect.
"Federal Fiscal Year" means the period beginning October 1 and ending September 30 each year, which is the annual accounting period for the United States government. "GAAP" means Generally Accepted Accounting Principles. "GASB" means the Governmental Accounting Standards Board. "Grantee" means the Party receiving funds under this Contract. May also be referred to as "Contractor" in certain attachments. "Health and. Human Services Commission" or "HHSC" means the administrative agency established under Chapter 531, Texas Government Code, or its designee. "HUB" means Historically Underutilized Business, as defined by Chapter 2161 of the Texas Government Code. "Intellectual Property Ri is ' means the worldwide proprietary rights or interests, including patent, copyright, trade secret, and trademark rights, as such right may be evidenced by or embodied in: i. any idea, design, concept, personality right, method, process, technique, apparatus, invention, discovery, or improvement; ii. any work of authorship, including any compilation, computer code, website or web page design, literary work, pictorial work, or graphic work; iii. any trademark, service mark, trade dress, trade name, branding, or other indicia of source or origin; iv. domain name registrations; and v. any other proprietary or similar rights. The Intellectual Property Rights of a Party include all worldwide proprietary rights or interests that the Party may have acquired by assignment, by exclusive license, or by license with the right to grant sublicenses. IIIISC Grantee Uniform Tzrms and Conditions Page 4 of 21 v. 2.16.1 EffCCtwC 03?26+2019 DocuSign Envelope ID: 025C3ADA-7A4D46C9-9128-AF039576A1ED "Mentor Prot6gV means the Comptroller of Public Accounts' leadership program found at: http://www.window.state.tx.us/procurement/prog/hub/mentorprotegei. "Parties" means the System Agency and Grantee, collectively. "Party" means either the System Agency or Grantee, individually. 
"Program" means the statutorily authorized activities of the System Agency under which this Contract has been awarded. "Project" means specific activities of the Grantee that are supported by funds provided under this Contract. "Public Information Act" or "PIA" means Chapter 552 of the Texas Government Code. "Signature Document" means the document executed by both Parties that specifically sets forth all of the documents that constitute the Contract. "Solicitation" or "Request for Applications WA)" means the document (including all amendments and attachments) issued by the System Agency under which applications for Program funds were requested, which is incorporated by reference for all purposes in its entirety. "Solicitation Response" or "Application" means Grantee's full and complete response (including any attachments and addenda) to the Solicitation, which is incorporated by reference for all purposes in its entirety. "State Fiscal Year" means the period beginning September 1 and ending August 31 each year, which is the annual accounting period for the State of Texas. "State of Texas Textravel" means Texas Administrative Code, Title 34, Part 1, Chapter 5, Subchapter C, Section 5.22, relative to travel reimbursements under this Contract, if any. "Statement of Work" means the description of activities performed in completing the Project, as specified in the Contract and as may be amended. "System Agency' means HHSC or any of the agencies of the State of Texas that are overseen by HHSC under authority granted under State law and the officers, employees, authorized representatives and designees of those agencies. These agencies include: HHSC and the Department of State Health Services. "Technical Guidance Letter" or "TGL" means an instruction, clarification, or interpretation of the requirements of the Contract, issued by the System Agency to the Grantee. 
"Work Product" means any and all works, including work papers, notes, materials, approaches, designs, specifications, systems, innovations, improvements, inventions, software, programs, source code, documentation, training materials, audio or audiovisual recordings, methodologies, concepts, studies, reports, whether finished or unfinished, and whether or not included in the deliverables, that are developed, produced, generated or provided by Grantee in connection with Grantee's performance of its duties under the Contract or through use of any funding provided under this Contract. "Uniform Grant Management Standards" or "UGMS" means uniform grant and contract administration procedures, developed under the authority of Chapter 783 of the Texas III ISC Grantee Unifonn Tkmns and Conditions Pagc 5 oi'31 v. 2.16.1 Effective ON26r2019 DocuSign Envelope ID: 025C3ADA-7A4DA6C9-9128-AF03957BA1EB Government Code, to promote the efficient use of public funds in local government and in programs requiring cooperation among local, state, and federal agencies. 1.2 INTERPRETIVE PROVISIONS A. The meanings of defined terms include the singular and plural forms. B. The words "hereof," "herein," "hereunder," and similar words refer to this Contract as a whole and not to any particular provision, section, Attachment, or schedule of this Contract unless otherwise specified. C. 
The term "including" is not limiting and means "including without limitation" and, unless otherwise expressly provided in this Contract, (i) references to contracts (including this Contract) and other contractual instruments shall be deemed to include all subsequent Amendments and other modifications, but only to the extent that such Amendments and other modifications are not prohibited by the terms of this Contract, and (ii) references to any statute or regulation are to be construed as including all statutory and regulatory provisions consolidating, amending, replacing, supplementing, or interpreting the statute or regulation. D. Any references to "sections," "appendices," or "attachments" are references to sections, appendices, or attachments of the Contract. E. Any references to agreements, contracts, statutes, or administrative rules or regulations in the Contract are references to these documents as amended, modified, or supplemented from time to time during the term of the Contract. F. The captions and headings of this Contract are for convenience of reference only and do not affect the interpretation of this Contract. G. All Attachments, including those incorporated by reference, and any Amendments are considered part of the terms of this Contract. H. This Contract may use several different limitations, regulations, or policies to regulate the same or similar matters. All such limitations, regulations, and policies are cumulative and each will be performed in accordance with its terms. I. Unless otherwise expressly provided, reference to any action of the System Agency or by the System Agency by way of consent, approval, or waiver will be deemed modified by the phrase "in its sole discretion." J. Time is of the essence in this Contract. ARTICLE II. PAYMENT METHODS AND RESTRICTIONS 2.1 PAYMENT METHODS A. Except as otherwise provided by this Contract, the payment method will be one or more of the following: i. Cost Reimbursement. 
This payment method is based on an approved budget and submission of a request for reimbursement of expenses Grantee has incurred at the time of the request; ii. Unit rate/fee-for-service. This payment method is based on a fixed price or a specified rate(s) or fee(s) for delivery of a specified unit(s) of service and acceptable submission of all required documentation, forms and/or reports; or iii. Advance payment. This payment method is based on disbursal of the minimum necessary funds to carry out the Program or Project where the Grantee has implemented appropriate safeguards. This payment method will only be utilized in accordance with governing law, state and federal regulations, and at the sole discretion of the System Agency. B. Grantee shall bill the System Agency in accordance with the Contract. Unless otherwise specified in the Contract, Grantee shall submit requests for reimbursement or payment monthly by the last business day of the month following the month in which expenses were incurred or services provided. Grantee shall maintain all documentation that substantiates invoices and make the documentation available to the System Agency upon request. 2.2 FINAL BILLING SUBMISSION Unless otherwise provided by the System Agency, Grantee shall submit a reimbursement or payment request as a final close-out invoice not later than forty-five (45) calendar days following the end of the term of the Contract. Reimbursement or payment requests received after the deadline may not be paid. 2.3 FINANCIAL STATUS REPORTS (FSRs) Except as otherwise provided, for contracts with categorical budgets, Grantee shall submit quarterly FSRs to System Agency by the last business day of the month following the end of each quarter for System Agency review and financial assessment. 
Grantee shall submit the final FSR no later than forty-five (45) calendar days following the end of the applicable term. 2.4 USE OF FUNDS Grantee shall expend funds under this Contract only for approved services and for reasonable and allowable expenses directly related to those services. 2.5 USE FOR MATCH PROHIBITED Grantee shall not use funds provided under this Contract for matching purposes in securing other funding without the written approval of the System Agency. 2.6 PROGRAM INCOME Income directly generated from funds provided under this Contract or earned only as a result of such funds is Program Income. Unless otherwise required under the Program, Grantee shall use Program Income, as provided in UGMS Section III, Subpart C, .25(g)(2), to further the Program, and Grantee shall spend the Program Income on the Project. Grantee shall identify and report Program Income in accordance with the Contract, applicable law, and any programmatic guidance. Grantee shall expend Program Income during the Contract term, when earned, and may not carry Program Income forward to any succeeding term. Grantee shall refund Program Income to the System Agency if the Program Income is not expended in the term in which it is earned. The System Agency may base future funding levels, in part, upon Grantee's proficiency in identifying, billing, collecting, and reporting Program Income, and in using Program Income for the purposes and under the conditions specified in this Contract. 2.7 NONSUPPLANTING Grant funds may be used to supplement existing, new or corresponding programming and related activities. Grant funds may not be used to supplant (replace) existing funds in place to support current programs and related activities. 
2.8 ALLOWABLE COSTS Allowable Costs are restricted to costs that comply with the Texas Uniform Grant Management Standards (UGMS) and applicable state and federal rules and law. The Parties agree that all the requirements of the UGMS apply to this Contract, including the criteria for Allowable Costs. Additional federal requirements apply if this Contract is funded, in whole or in part, with federal funds. 2.9 INDIRECT COST RATES The System Agency may acknowledge an indirect cost rate for Grantees that is utilized for all applicable contracts. Grantee will provide the necessary financial documents to determine the indirect cost rate in accordance with the Uniform Grant Guidance (UGG) and Uniform Grant Management Standards (UGMS). ARTICLE III. STATE AND FEDERAL FUNDING 3.1 FUNDING This Contract is subject to termination or cancellation, without penalty to System Agency, either in whole or in part, subject to the availability of state funds. System Agency is a state agency whose authority and appropriations are subject to actions of the Texas Legislature. If System Agency becomes subject to a legislative change, revocation of statutory authority, or lack of appropriated funds that would render either System Agency's or Grantee's delivery or performance under the Contract impossible or unnecessary, the Contract will be terminated or cancelled and be deemed null and void. In the event of a termination or cancellation under this Section, System Agency will not be liable to Grantee for any damages, that are caused or associated with such termination, or cancellation, and System Agency will not be required to give prior notice. 3.2 NO DEBT AGAINST THE STATE This Contract will not be construed as creating any debt by or on behalf of the State of Texas. 
3.3 DEBT AND DELINQUENCIES Grantee agrees that any payments due under the Contract shall be directly applied towards eliminating any debt or delinquency it has to the State of Texas including, but not limited to, delinquent taxes, delinquent student loan payments, and delinquent child support. 3.4 RECAPTURE OF FUNDS A. At its sole discretion, the System Agency may i) withhold all or part of any payments to Grantee to offset overpayments, unallowable or ineligible costs made to the Grantee, or if any required financial status report(s) is not submitted by the due date(s), or ii) require Grantee to promptly refund or credit - within thirty (30) calendar days of written notice - any funds erroneously paid by System Agency which are not expressly authorized under the Contract. B. "Overpayments" as used in this Section include payments (i) made by the System Agency that exceed the maximum allowable rates; (ii) that are not allowed under applicable laws, rules, or regulations; or (iii) that are otherwise inconsistent with this Contract, including any unapproved expenditures. Grantee understands and agrees that it will be liable to the System Agency for any costs disallowed pursuant to financial and compliance audit(s) of funds received under this Contract. Grantee further understands and agrees that reimbursement of such disallowed costs shall be paid by Grantee from funds which were not provided or otherwise made available to Grantee under this Contract. ARTICLE IV. ALLOWABLE COSTS AND AUDIT REQUIREMENTS 4.1 ALLOWABLE COSTS A. System Agency will reimburse the allowable costs incurred in performing the Project that are sufficiently documented. Grantee must have incurred a cost prior to claiming reimbursement and within the applicable term to be eligible for reimbursement under this Contract. 
At its sole discretion, the System Agency will determine whether costs submitted by Grantee are allowable and eligible for reimbursement. The System Agency may take repayment (recoup) from funds available under this Contract in amounts necessary to fulfill Grantee's repayment obligations. Applicable cost principles, audit requirements, and administrative requirements include, but are not limited to:
Applicable Entity | Applicable Cost Principles | Audit Requirements | Administrative Requirements
State, Local, and Tribal Governments | 2 CFR Part 200 and UGMS | 2 CFR Part 200, Subpart F and UGMS | 2 CFR Part 200 and UGMS
Educational Institutions | 2 CFR Part 200 and UGMS | 2 CFR Part 200, Subpart F and UGMS | 2 CFR Part 200 and UGMS
Non-Profit Organizations | 2 CFR Part 200 and UGMS | 2 CFR Part 200, Subpart F and UGMS | 2 CFR Part 200 and UGMS
For-profit Organization other than a hospital and an organization named in OMB Circular A-122 (2 CFR Part, 230) as not subject to that circular. | 48 CFR Part 31, Contract Cost Principles and Procedures, or Uniform cost accounting standards that comply with cost principles acceptable to the federal or state awarding agency | 2 CFR Part 200, Subpart F and UGMS | 2 CFR Part 200 and UGMS
B. OMB Circulars will be applied with the modifications prescribed by UGMS with effect given to whichever provision imposes the more stringent requirement in the event of a conflict. 4.2 AUDITS AND FINANCIAL STATEMENTS A. Audits i. HHS Single Audit Unit will notify Grantee to complete the Single Audit Determination Form. If Grantee fails to complete the form within thirty (30) calendar days after receipt of notice, Grantee will be subject to the sanctions and remedies for non-compliance with this Contract. ii. 
If Grantee, within Grantee's fiscal year, expends at least SEVEN HUNDRED FIFTY THOUSAND DOLLARS ($750,000) in federal funds awarded, Grantee shall have a single audit or program-specific audit in accordance with 2 CFR 200. The federal threshold amount includes federal funds passed through by way of state agency awards. iii. If Grantee, within Grantee's fiscal year, expends at least SEVEN HUNDRED FIFTY THOUSAND DOLLARS ($750,000) in state funds awarded, Grantee shall have a single audit or program-specific audit in accordance with UGMS, State of Texas Single Audit Circular. The audit must be conducted by an independent certified public accountant and in accordance with 2 CFR 200, Government Auditing Standards, and UGMS. iv. For-profit Grantees whose expenditures meet or exceed the federal or state expenditure thresholds stated above shall follow the guidelines in 2 CFR 200 or UGMS, as applicable, for their program-specific audits. v. Each Grantee that is required to obtain a single audit must competitively re-procure single audit services once every six years. Grantee shall procure audit services in compliance with this section, state procurement procedures, as well as with the provisions of UGMS. B. Financial Statements Each Grantee that does not meet the expenditure threshold for a single audit or program-specific audit, must provide financial statements. 4.3 SUBMISSION OF AUDITS AND FINANCIAL STATEMENTS A. Audits Due the earlier of 30 days after receipt of the independent certified public accountant's report or nine months after the end of the fiscal year, Grantee shall submit electronically one copy of the single audit or program-specific audit to the System Agency via: i. HHS portal at: https://hhsportal.hhs.state.tx.us/heartwebextr/hhscSau; or, ii. Email to: single audit report( B. 
Financial Statements Due no later than nine months after the Grantee's fiscal year end, Grantees which are not required to submit an audit, shall submit electronically financial statements via: i. HHS portal at: https://hhsportal.hhs.state.tx.us/heartwebextr/hhscSau; or, ii. Email to: single_audit_report@hhsc.state.tx.us. ARTICLE V. AFFIRMATIONS, ASSURANCES AND CERTIFICATIONS 5.1 GENERAL AFFIRMATIONS Grantee certifies that, to the extent General Affirmations are incorporated into the Contract under the Signature Document, the Grantee has reviewed the General Affirmations and that Grantee is in compliance with all requirements. 5.2 FEDERAL ASSURANCES Grantee further certifies that, to the extent Federal Assurances are incorporated into the Contract under the Signature Document, the Grantee has reviewed the Federal Assurances and that Grantee is in compliance with all requirements. 5.3 FEDERAL CERTIFICATIONS Grantee further certifies that, to the extent Federal Certifications are incorporated into the Contract under the Signature Document, the Grantee has reviewed the Federal Certifications and that Grantee is in compliance with all requirements. In addition, Grantee certifies that it is in compliance with all applicable federal laws, rules, and regulations, as they may pertain to this Contract. ARTICLE VI. INTELLECTUAL PROPERTY 6.1 OWNERSHIP OF WORK PRODUCT All right, title, and interest in the Work Product, including all Intellectual Property Rights therein, is exclusively owned by System Agency. Grantee and Grantee's employees will have no rights in or ownership of the Work Product or any other property of System Agency. Any and all Work Product that is copyrightable under United States copyright law is deemed to be "work made for hire" owned by System Agency, as provided by Title 17 of the United States Code. 
To the extent that Work Product does not qualify as a "work made for hire" under applicable federal law, Grantee hereby irrevocably assigns and transfers to System Agency, its successors and assigns, the entire right, title, and interest in and to the Work Product, including any and all Intellectual Property Rights embodied therein or associated therewith, and in and to all works based upon, derived from, or incorporating the Work Product, and in and to all income, royalties, damages, claims and payments now or hereafter due or payable with respect thereto, and in and to all causes of action, either in law or in equity for past, present or future infringement based on the copyrights, and in and to all rights corresponding to the foregoing. Grantee agrees to execute all papers and to perform such other property rights as System Agency may deem necessary to secure for System Agency or its designee the rights herein assigned. In the event that Grantee has any rights in and to the Work Product that cannot be assigned to System Agency, Grantee hereby grants to System Agency an exclusive, worldwide, royalty-free, transferable, irrevocable, and perpetual license, with the right to sublicense, to reproduce, distribute, modify, create derivative works of, publicly perform and publicly display, make, have made, use, sell and offer for sale the Work Product and any products developed by practicing such rights. 
6.2 GRANTEE'S PRE-EXISTING WORKS To the extent that Grantee incorporates into the Work Product any works of Grantee that were created by Grantee or that Grantee acquired rights in prior to the Effective Date of this Contract ("Incorporated Pre-existing Works"), Grantee retains ownership of such Incorporated Pre-existing Works, and Grantee hereby grants to System Agency an irrevocable, perpetual, non-exclusive, royalty-free, transferable, worldwide right and license, with the right to sublicense, to use, modify, copy, create derivative works of, publish, publicly perform and display, sell, offer to sell, make and have made, the Incorporated Pre-existing Works, in any medium, with or without the associated Work Product. Grantee represents, warrants, and covenants to System Agency that Grantee has all necessary right and authority to grant the foregoing license in the Incorporated Pre-existing Works to System Agency. 6.3 AGREEMENTS WITH EMPLOYEES AND SUBCONTRACTORS Grantee shall have written, binding agreements with its employees and subcontractors that include provisions sufficient to give effect to and enable Grantee's compliance with Grantee's obligations under this Article VI. 6.4 DELIVERY UPON TERMINATION OR EXPIRATION No later than the first calendar day after the termination or expiration of the Contract or upon System Agency's request, Grantee shall deliver to System Agency all completed, or partially completed, Work Product, including any Incorporated Pre-existing Works, and any and all versions thereof. Grantee's failure to timely deliver such Work Product is a material breach of the Contract. Grantee will not retain any copies of the Work Product or any documentation or other products or results of Grantee's activities under the Contract without the prior written consent of System Agency. 6.5 SURVIVAL The provisions and obligations of this Article VI survive any termination or expiration of the Contract. 
ARTICLE VII. RECORDS, AUDIT, AND DISCLOSURE 7.1 BOOKS AND RECORDS Grantee shall keep and maintain under GAAP or GASB, as applicable, full, true, and complete records necessary to fully disclose to the System Agency, the Texas State Auditor's Office, the United States Government, and their authorized representatives sufficient information to determine compliance with the terms and conditions of this Contract and all state and federal rules, regulations, and statutes. Unless otherwise specified in this Contract, Grantee shall maintain legible copies of this Contract and all related documents for a minimum of seven (7) years after the termination of the Contract period or seven (7) years after the completion of any litigation or dispute involving the Contract, whichever is later. 7.2 ACCESS TO RECORDS, BOOKS, AND DOCUMENTS In addition to any right of access arising by operation of law, Grantee and any of Grantee's affiliate or subsidiary organizations, or Subcontractors shall permit the System Agency or any of its duly authorized representatives, as well as duly authorized federal, state or local authorities, unrestricted access to and the right to examine any site where business is conducted or services are performed, and all records, which includes but is not limited to financial, client and patient records, books, papers or documents related to this Contract. If the Contract includes federal funds, federal agencies that shall have a right of access to records as described in this section include: the federal agency providing the funds, the Comptroller General of the United States, the General Accounting Office, the Office of the Inspector General, and any of their authorized representatives. 
In addition, agencies of the State of Texas that shall have a right of access to records as described in this section include: the System Agency, HHSC, HHSC's contracted examiners, the State Auditor's Office, the Office of the Texas Attorney General, and any successor agencies. Each of these entities may be a duly authorized authority. If deemed necessary by the System Agency or any duly authorized authority, for the purpose of investigation or hearing, Grantee shall produce original documents related to this Contract. The System Agency and any duly authorized authority shall have the right to audit billings both before and after payment, and all documentation that substantiates the billings. Grantee shall include this provision concerning the right of access to, and examination of, sites and information related to this Contract in any Subcontract it awards. 7.3 RESPONSE/COMPLIANCE WITH AUDIT OR INSPECTION FINDINGS A. Grantee must act to ensure its and its Subcontractors' compliance with all corrections necessary to address any finding of noncompliance with any law, regulation, audit requirement, or generally accepted accounting principle, or any other deficiency identified in any audit, review, or inspection of the Contract and the services and Deliverables provided. Any such correction will be at Grantee's or its Subcontractor's sole expense. Whether Grantee's action corrects the noncompliance shall be solely the decision of the System Agency. B. As part of the services, Grantee must provide to HHSC upon request a copy of those portions of Grantee's and its Subcontractors' internal audit reports relating to the services and Deliverables provided to the State under the Contract. 7.4 SAO AUDIT A. 
The state auditor may conduct an audit or investigation of any entity receiving funds from the state directly under the Contract or indirectly through a subcontract under the Contract. The acceptance of funds directly under the Contract or indirectly through a subcontract under the Contract acts as acceptance of the authority of the state auditor, under the direction of the legislative audit committee, to conduct an audit or investigation in connection with those funds. Under the direction of the legislative audit committee, an entity that is the subject of an audit or investigation by the state auditor must provide the state auditor with access to any information the state auditor considers relevant to the investigation or audit. B. Grantee shall comply with any rules and procedures of the state auditor in the implementation and enforcement of Section 2262.154 of the Texas Government Code. 7.5 CONFIDENTIALITY Grantee shall maintain as confidential, and shall not disclose to third parties without System Agency's prior written consent, any System Agency information including but not limited to System Agency's business activities, practices, systems, conditions and services. This section will survive termination or expiration of this Contract. ARTICLE VIII. CONTRACT REMEDIES AND EARLY TERMINATION 8.1 CONTRACT REMEDIES To ensure Grantee's full performance of the Contract and compliance with applicable law, the System Agency reserves the right to hold Grantee accountable for breach of contract or substandard performance and may take remedial or corrective actions, including, but not limited to: i. suspending all or part of the Contract; ii. requiring the Grantee to take specific actions in order to remain in compliance with the Contract; iii. recouping payments made by the System Agency to the Grantee found to be in error; iv. suspending, limiting, or placing conditions on the Grantee's continued performance of the Project; v. 
imposing any other remedies, sanctions or penalties authorized under this Contract or permitted by federal or state statute, law, regulation or rule. 8.2 TERMINATION FOR CONVENIENCE The System Agency may terminate the Contract at any time when, in its sole discretion, the System Agency determines that termination is in the best interests of the State of Texas. The termination will be effective on the date specified in HHSC's notice of termination. The System Agency's right to terminate the Contract for convenience is cumulative of all rights and remedies which exist now or in the future. 8.3 TERMINATION FOR CAUSE Except as otherwise provided by the U.S. Bankruptcy Code, or any successor law, the System Agency may terminate the Contract, in whole or in part, upon either of the following conditions: i. Material Breach The System Agency will have the right to terminate the Contract in whole or in part if the System Agency determines, in its sole discretion, that Grantee has materially breached the Contract or has failed to adhere to any laws, ordinances, rules, regulations or orders of any public authority having jurisdiction and such violation prevents or substantially impairs performance of Grantee's duties under the Contract. Grantee's misrepresentation in any aspect of Grantee's Solicitation Response, if any, or Grantee's addition to the Excluded Parties List System (EPLS) will also constitute a material breach of the Contract. ii. Failure to Maintain Financial Viability The System Agency may terminate the Contract if, in its sole discretion, the System Agency has a good faith belief that Grantee no longer maintains the financial viability required to complete the services and Deliverables, or otherwise fully perform its responsibilities under the Contract. ARTICLE IX. 
MISCELLANEOUS PROVISIONS 9.1 AMENDMENT The Contract may only be amended by an Amendment executed by both Parties. 9.2 INSURANCE A. Unless otherwise specified in this Contract, Grantee shall acquire and maintain, for the duration of this Contract, insurance coverage necessary to ensure proper fulfillment of this Contract and potential liabilities thereunder with financially sound and reputable insurers licensed by the Texas Department of Insurance, in the type and amount customarily carried within the industry as determined by the System Agency. Grantee shall provide evidence of insurance as required under this Contract, including a schedule of coverage or underwriter's schedules establishing to the satisfaction of the System Agency the nature and extent of coverage granted by each such policy, upon request by the System Agency. In the event that any policy is determined by the System Agency to be deficient to comply with the terms of this Contract, Grantee shall secure such additional policies or coverage as the System Agency may reasonably request or that are required by law or regulation. If coverage expires during the term of this Contract, Grantee must produce renewal certificates for each type of coverage. B. These and all other insurance requirements under the Contract apply to both Grantee and its Subcontractors, if any. Grantee is responsible for ensuring its Subcontractors' compliance with all requirements. 9.3 LEGAL OBLIGATIONS Grantee shall comply with all applicable federal, state, and local laws, ordinances, and regulations, including all federal and state accessibility laws relating to direct and indirect use of information and communication technology. Grantee shall be deemed to have knowledge of all applicable laws and regulations and be deemed to understand them. 
9.4 PERMITTING AND LICENSURE At Grantee's sole expense, Grantee shall procure and maintain for the duration of this Contract any state, county, city, or federal license, authorization, insurance, waiver, permit, qualification or certification required by statute, ordinance, law, or regulation to be held by Grantee to provide the goods or services required by this Contract. Grantee shall be responsible for payment of all taxes, assessments, fees, premiums, permits, and licenses required by law. Grantee shall be responsible for payment of any such government obligations not paid by its Subcontractors during performance of this Contract. 9.5 INDEMNITY A. GRANTEE SHALL DEFEND, INDEMNIFY AND HOLD HARMLESS THE STATE OF TEXAS AND SYSTEM AGENCY, AND/OR THEIR OFFICERS, AGENTS, EMPLOYEES, REPRESENTATIVES, CONTRACTORS, ASSIGNEES, AND/OR DESIGNEES FROM ANY AND ALL LIABILITY, ACTIONS, CLAIMS, DEMANDS, OR SUITS, AND ALL RELATED COSTS, ATTORNEY FEES, AND EXPENSES ARISING OUT OF OR RESULTING FROM ANY ACTS OR OMISSIONS OF GRANTEE OR ITS AGENTS, EMPLOYEES, SUBCONTRACTORS, ORDER FULFILLERS, OR SUPPLIERS OF SUBCONTRACTORS IN THE EXECUTION OR PERFORMANCE OF THE CONTRACT AND ANY PURCHASE ORDERS ISSUED UNDER THE CONTRACT. THE DEFENSE SHALL BE COORDINATED BY GRANTEE WITH THE OFFICE OF THE TEXAS ATTORNEY GENERAL WHEN TEXAS STATE AGENCIES ARE NAMED DEFENDANTS IN ANY LAWSUIT AND GRANTEE MAY NOT AGREE TO ANY SETTLEMENT WITHOUT FIRST OBTAINING THE CONCURRENCE FROM THE OFFICE OF THE TEXAS ATTORNEY GENERAL. GRANTEE AND SYSTEM AGENCY AGREE TO FURNISH TIMELY WRITTEN NOTICE TO EACH OTHER OF ANY SUCH CLAIM. B. THIS PARAGRAPH IS NOT INTENDED TO AND SHALL NOT BE CONSTRUED TO REQUIRE GRANTEE TO INDEMNIFY OR HOLD HARMLESS THE STATE OR THE SYSTEM AGENCY FOR ANY CLAIMS OR LIABILITIES RESULTING FROM THE NEGLIGENT ACTS OR OMISSIONS OF THE SYSTEM AGENCY OR ITS EMPLOYEES. C. 
For the avoidance of doubt, System Agency shall not indemnify Grantee or any other entity under the Contract. 9.6 ASSIGNMENTS A. Grantee may not assign all or any portion of its rights under, interests in, or duties required under this Contract without prior written consent of the System Agency, which may be withheld or granted at the sole discretion of the System Agency. Except where otherwise agreed in writing by the System Agency, assignment will not release Grantee from its obligations under the Contract. B. Grantee understands and agrees the System Agency may in one or more transactions assign, pledge, or transfer the Contract. This assignment will only be made to another State agency or a non-state agency that is contracted to perform agency support. 9.7 INDEPENDENT CONTRACTOR Grantee and Grantee's employees, representatives, agents, Subcontractors, suppliers, and third-party service providers shall serve as independent contractors in providing the services under the Contract. Neither Grantee nor System Agency is an agent of the other and neither may make any commitments on the other party's behalf. Should Grantee subcontract any of the services required in the Contract, Grantee expressly understands and acknowledges that in entering such subcontract(s), System Agency is in no manner liable to any Subcontractor(s) of Grantee. In no event shall this provision relieve Grantee of the responsibility for ensuring that the services performed under all subcontracts are rendered in compliance with the Contract. Grantee shall have no claim against System Agency for vacation pay, sick leave, retirement benefits, social security, worker's compensation, health or disability benefits, unemployment insurance benefits, or employee benefits of any kind. 
The Contract shall not create any joint venture, partnership, agency, or employment relationship between Grantee and System Agency. 9.8 TECHNICAL GUIDANCE LETTERS In the sole discretion of the System Agency, and in conformance with federal and state law, the System Agency may issue instructions, clarifications, or interpretations as may be required during work performance in the form of a Technical Guidance Letter (TGL). A TGL must be in writing, and may be delivered by regular mail, electronic mail, or facsimile transmission. Any TGL issued by the System Agency will be incorporated into the Contract by reference for all purposes when it is issued. 9.9 DISPUTE RESOLUTION A. The dispute resolution process provided for in Chapter 2260 of the Texas Government Code must be used to attempt to resolve any dispute arising under the Contract. B. If a contract dispute arises that cannot be resolved to the satisfaction of the Parties, either Party may notify the other Party in writing of the dispute. If the Parties are unable to satisfactorily resolve the dispute within fourteen (14) days of the written notification, the Parties must use the dispute resolution process provided for in Chapter 2260 of the Texas Government Code to attempt to resolve the dispute. This provision will not apply to any matter with respect to which either Party may make a decision within its respective sole discretion. 9.10 GOVERNING LAW AND VENUE The Contract shall be governed by and construed in accordance with the laws of the State of Texas, without regard to the conflicts of law provisions. The venue of any suit arising under the Contract is fixed in any court of competent jurisdiction of Travis County, Texas, unless the specific venue is otherwise identified in a statute which directly names or otherwise identifies its applicability to the System Agency. 
9.11 SEVERABILITY If any provision contained in this Contract is held to be unenforceable by a court of law or equity, this Contract shall be construed as if such provision did not exist and the non-enforceability of such provision shall not be held to render any other provision or provisions of this Contract unenforceable. 9.12 SURVIVABILITY Expiration or termination of the Contract for any reason does not release Grantee from any liability or obligation set forth in the Contract that is expressly stated to survive any such expiration or termination, that by its nature would be intended to be applicable following any such expiration or termination, or that is necessary to fulfill the essential purpose of the Contract, including without limitation the provisions regarding warranty, indemnification, confidentiality, and rights and remedies upon termination. 9.13 FORCE MAJEURE Neither Grantee nor System Agency shall be liable to the other for any delay in, or failure of performance, of any requirement included in the Contract caused by force majeure. The existence of such causes of delay or failure shall extend the period of performance until after the causes of delay or failure have been removed provided the non-performing party exercises all reasonable due diligence to perform. Force majeure is defined as acts of God, war, fires, explosions, hurricanes, floods, failure of transportation, or other causes that are beyond the reasonable control of either party and that by exercise of due foresight such party could not reasonably have been expected to avoid, and which, by the exercise of all reasonable due diligence, such party is unable to overcome.
9.14 NO WAIVER OF PROVISIONS The failure of the System Agency to object to or to take affirmative action with respect to any conduct of the Grantee which is in violation or breach of the terms of the Contract shall not be construed as a waiver of the violation or breach, or of any future violation or breach. 9.15 PUBLICITY A. Except as provided in the paragraph below, Grantee must not use the name of, or directly or indirectly refer to, the System Agency, the State of Texas, or any other State agency in any media release, public announcement, or public disclosure relating to the Contract or its subject matter, including in any promotional or marketing materials, customer lists, or business presentations. B. Grantee may publish, at its sole expense, results of Grantee performance under the Contract with the System Agency's prior review and approval, which the System Agency may exercise at its sole discretion. Any publication (written, visual, or sound) will acknowledge the support received from the System Agency and any Federal agency, as appropriate. C. Contractor is prohibited from using the Work for any Contractor or third party marketing, advertising, or promotional activities, without the prior written consent of System Agency. The foregoing prohibition includes, without limitation, the placement of banners, pop-up ads, or other advertisements promoting Contractor's or a third party's products, services, workshops, trainings, or other commercial offerings on any website portal or internet-based service or software application hosted or managed by Contractor as part of the Work.
9.16 PROHIBITION ON NON-COMPETE RESTRICTIONS Grantee shall not require any employees or Subcontractors to agree to any conditions, such as non-compete clauses or other contractual arrangements that would limit or restrict such persons or entities from employment or contracting with the State of Texas. 9.17 NO WAIVER OF SOVEREIGN IMMUNITY Nothing in the Contract will be construed as a waiver of the System Agency's or the State's sovereign immunity. This Contract shall not constitute or be construed as a waiver of any of the privileges, rights, defenses, remedies, or immunities available to the System Agency or the State of Texas. The failure to enforce, or any delay in the enforcement, of any privileges, rights, defenses, remedies, or immunities available to the System Agency or the State of Texas under the Contract or under applicable law shall not constitute a waiver of such privileges, rights, defenses, remedies, or immunities or be considered as a basis for estoppel. System Agency does not waive any privileges, rights, defenses, or immunities available to System Agency by entering into the Contract or by its conduct prior to or subsequent to entering into the Contract. 9.18 ENTIRE CONTRACT AND MODIFICATION The Contract constitutes the entire agreement of the Parties and is intended as a complete and exclusive statement of the promises, representations, negotiations, discussions, and other agreements that may have been made in connection with the subject matter hereof. Any additional or conflicting terms in any future document incorporated into the Contract will be harmonized with this Contract to the extent possible. 9.19 COUNTERPARTS This Contract may be executed in any number of counterparts, each of which will be an original, and all such counterparts will together constitute but one and the same Contract.
9.20 PROPER AUTHORITY Each Party represents and warrants that the person executing this Contract on its behalf has full power and authority to enter into this Contract. 9.21 E-VERIFY PROGRAM Grantee certifies that it utilizes and will continue to utilize the U.S. Department of Homeland Security's E-Verify system to determine the eligibility of: i. all persons employed to perform duties within Texas during the term of the Contract; and ii. all persons, (including subcontractors) assigned by the Grantee to perform work pursuant to the Contract within the United States of America. 9.22 CIVIL RIGHTS A. Grantee agrees to comply with state and federal anti-discrimination laws, including: i. Title VI of the Civil Rights Act of 1964 (42 U.S.C. §2000d et seq.); ii. Section 504 of the Rehabilitation Act of 1973 (29 U.S.C. §794); iii. Americans with Disabilities Act of 1990 (42 U.S.C. § 12101 et seq.); iv. Age Discrimination Act of 1975 (42 U.S.C. §§6101-6107); v. Title IX of the Education Amendments of 1972 (20 U.S.C. §§ 1681-1688); vi. Food and Nutrition Act of 2008 (7 U.S.C. §2011 et seq.); and vii. The System Agency's administrative rules, as set forth in the Texas Administrative Code, to the extent applicable to this Contract. B. Grantee agrees to comply with all amendments to the above-referenced laws, and all requirements imposed by the regulations issued pursuant to these laws. These laws provide in part that no persons in the United States may, on the grounds of race, color, national origin, sex, age, disability, political beliefs, or religion, be excluded from participation in or denied any aid, care, service or other benefits provided by Federal or State funding, or otherwise be subjected to discrimination. C.
Grantee agrees to comply with Title VI of the Civil Rights Act of 1964, and its implementing regulations at 45 C.F.R. Part 80 or 7 C.F.R. Part 15, prohibiting a contractor from adopting and implementing policies and procedures that exclude or have the effect of excluding or limiting the participation of clients in its programs, benefits, or activities on the basis of national origin. State and federal civil rights laws require contractors to provide alternative methods for ensuring access to services for applicants and recipients who cannot express themselves fluently in English. Grantee agrees to take reasonable steps to provide services and information, both orally and in writing, in appropriate languages other than English, in order to ensure that persons with limited English proficiency are effectively informed and can have meaningful access to programs, benefits, and activities. D. Grantee agrees to post applicable civil rights posters in areas open to the public informing clients of their civil rights and including contact information for the HHS Civil Rights Office. The posters are available on the HHS website at: http://hhscx.hhsc.texas.gov/system-support-services/civil-rights/publications E. Grantee agrees to comply with Executive Order 13279, and its implementing regulations at 45 C.F.R. Part 87 or 7 C.F.R. Part 16. These provide in part that any organization that participates in programs funded by direct financial assistance from the United States Department of Agriculture or the United States Department of Health and Human Services shall not discriminate against a program beneficiary or prospective program beneficiary on the basis of religion or religious belief. F. Upon request, Grantee shall provide HHSC's Civil Rights Office with copies of the Grantee's civil rights policies and procedures. G. Grantee must notify HHSC's Civil Rights Office of any civil rights complaints received relating to its performance under this Contract.
This notice must be delivered no more than ten (10) calendar days after receipt of a complaint. Notice provided pursuant to this section must be directed to: HHSC Civil Rights Office 701 W. 51st Street, Mail Code W206 Austin, Texas 78751 Phone Toll Free: (888) 388-6332 Phone: (512) 438-4313 TTY Toll Free: (877) 432-7232 Fax: (512) 438-5885. 9.23 SYSTEM AGENCY DATA As between the Parties, all data and information acquired, accessed, or made available to Contractor by or through System Agency or System Agency contractors, including all electronic data generated, processed, transmitted, or stored by Contractor in the course of providing data processing services in connection with Contractor's performance hereunder, (the "System Agency Data"), is owned solely by System Agency. Contractor has no right or license to use, analyze, aggregate, transmit, create derivatives of, copy, disclose, or process the System Agency Data except as required for Contractor to fulfill its obligations under the Contract or as authorized in advance in writing by System Agency. For the avoidance of doubt, Contractor is expressly prohibited from using, and from permitting any third party to use, System Agency Data for marketing, research, or other non-governmental or commercial purposes, without the prior written consent of System Agency. ATTACHMENT D GRANT SUPPLEMENTAL & SPECIAL CONDITIONS SUPPLEMENTAL CONDITIONS There are no Supplemental Conditions for this Contract that modifies this Contract's HHS Uniform Terms and Conditions.
SPECIAL CONDITIONS SECTION 1.01 NOTICE OF CONTRACT ACTION Grantee shall notify their assigned contract manager if Grantee has had any contract suspended or terminated for cause by any local, state or federal department or agency or nonprofit entity within five days of becoming aware of the action and include the following: a. Reason for such action; b. Name and contact information of the local, state or federal department or agency or entity; c. Date of the contract; d. Date of suspension or termination; and e. Contract or case reference number. SECTION 1.02 NOTICE OF BANKRUPTCY Grantee shall notify in writing its assigned contract manager of its plan to seek bankruptcy protection within five days of such action by Grantee. SECTION 1.03 NOTICE OF CRIMINAL ACTIVITY AND DISCIPLINARY ACTIONS a. Grantee shall immediately report in writing to their contract manager when Grantee has knowledge or any reason to believe that they or any person with ownership or controlling interest in the organization/business, or their agent, employee, contractor or volunteer that is providing services under this Contract has: 1. Engaged in any activity that could constitute a criminal offense equal to or greater than a Class A misdemeanor or grounds for disciplinary action by a state or federal regulatory authority; or 2. Been placed on community supervision, received deferred adjudication, or been indicted for or convicted of a criminal offense relating to involvement in any financial matter, federal or state program or felony sex crime. b. Grantee shall not permit any person who engaged, or was alleged to have engaged, in any activity subject to reporting under this section to perform direct client services or have direct contact with clients, unless otherwise directed in writing by the System Agency. 
v.03.2017 Page 1 SECTION 1.04 GRANTEE'S NOTIFICATION OF CHANGE OF CONTACT PERSON OR KEY PERSONNEL The Grantee shall notify in writing their contract manager assigned within ten days of any change to the Grantee's Contact Person or Key Personnel. SECTION 1.07 DISASTER SERVICES In the event of a local, state, or federal emergency, including natural, man-made, criminal, terrorist, and/or bioterrorism events, declared as a state disaster by the Governor, or a federal disaster by the appropriate federal official, Grantee may be called upon to assist the System Agency in providing the following services: a. Community evacuation; b. Health and medical assistance; c. Assessment of health and medical needs; d. Health surveillance; e. Medical care personnel; f. Health and medical equipment and supplies; g. Patient evacuation; h. In-hospital care and hospital facility status; i. Food, drug and medical device safety; j. Worker health and safety; k. Mental health and substance abuse; l. Public health information; m. Vector control and veterinary services; and n. Victim identification and mortuary services. SECTION 1.10 SERVICES AND INFORMATION FOR PERSONS WITH LIMITED ENGLISH PROFICIENCY a. Grantee shall take reasonable steps to provide services and information both orally and in writing, in appropriate languages other than English, to ensure that persons with limited English proficiency are effectively informed and can have meaningful access to programs, benefits and activities. b. Grantee shall identify and document on the client records the primary language/dialect of a client who has limited English proficiency and the need for translation or interpretation services and shall not require a client to provide or pay for the services of a translator or interpreter. c.
Grantee shall make every effort to avoid use of any persons under the age of 18 or any family member or friend of the client as an interpreter for essential communications with a client with limited English proficiency, unless the client has requested that person and using the person would not compromise the effectiveness of services or violate the client's confidentiality and the client is advised that a free interpreter is available. SECTION 1.11 THIRD PARTY PAYORS Except as provided in this Contract, Grantee shall screen all clients and may not bill the System Agency for services eligible for reimbursement from third party payors, who are any person or entity who has the legal responsibility for paying for all or part of the services provided, including commercial health or liability insurance carriers, Medicaid, or other federal, state, local and private funding sources. As applicable, the Grantee shall: a. Enroll as a provider in Children's Health Insurance Program and Medicaid if providing approved services authorized under this Contract that may be covered by those programs and bill those programs for the covered services; b. Provide assistance to individuals to enroll in such programs when the screening process indicates possible eligibility for such programs; c. Allow clients that are otherwise eligible for System Agency services, but cannot pay a deductible required by a third-party payor, to receive services up to the amount of the deductible and to bill the System Agency for the deductible; d. Not bill the System Agency for any services eligible for third party reimbursement until all appeals to third party payors have been exhausted; e.
Maintain appropriate documentation from the third-party payor reflecting attempts to obtain reimbursement; f. Bill all third-party payors for services provided under this Contract before submitting any request for reimbursement to System Agency; and g. Provide third party billing functions at no cost to the client. SECTION 1.12 HIV/AIDS MODEL WORKPLACE GUIDELINES Grantee shall implement System Agency's policies based on the Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS), AIDS Model Workplace Guidelines for Businesses at http://www.dshs.state.tx.us/hivstd/policy/policies.shtm, State Agencies and State Grantees Policy No. 090.021. Grantee shall also educate employees and clients concerning HIV and its related conditions, including AIDS, in accordance with the Texas Health & Safety Code §§ 85.112-114. SECTION 1.13 MEDICAL RECORDS RETENTION Grantee shall retain medical records in accordance with 22 TAC § 165.1(b) or other applicable statutes, rules and regulations governing medical information. SECTION 1.14 NOTICE OF A LICENSE ACTION Grantee shall notify their contract manager of any action impacting its license to provide services under this Contract within five days of becoming aware of the action and include the following: a. Reason for such action; b. Name and contact information of the local, state or federal department or agency or entity; c. Date of the license action; and d. License or case reference number. SECTION 1.15 INTERIM EXTENSION AMENDMENT a. Prior to or on the expiration date of this Contract, the Parties agree that this Contract can be extended as provided under this Section. b. The System Agency shall provide written notice of interim extension amendment to the Grantee under one of the following circumstances: 1.
Continue provision of services in response to a disaster declared by the governor; or 2. To ensure that services are provided to clients without interruption. c. The System Agency will provide written notice of the interim extension amendment that specifies the reason for it and period of time for the extension. d. Grantee will provide and invoice for services in the same manner that is stated in the Contract. e. An interim extension under Section (b)(1) above shall extend the term of the contract not longer than 30 days after governor's disaster declaration is declared unless the Parties agree to a shorter period of time. f. An interim extension under Section (b)(2) above shall be a one-time extension for a period of time determined by the System Agency. SECTION 1.16 ELECTRONIC AND INFORMATION RESOURCES ACCESSIBILITY AND SECURITY STANDARDS a. Applicability: The following Electronic and Information Resources (EIR) requirements apply to the Contract because the Grantee performs services that include EIR that the System Agency's employees are required or permitted to access or members of the public are required or permitted to access. This Section does not apply to incidental uses of EIR in the performance of the Agreement, unless the Parties agree that the EIR will become property of the State of Texas or will be used by HHSC's clients or recipients after completion of the Agreement. Nothing in this section is intended to prescribe the use of particular designs or technologies or to prevent the use of alternative technologies, provided they result in substantially equivalent or greater access to and use of a Product. b. Definitions: "Accessibility Standards" means accessibility standards and specifications for Texas agency and institution of higher education websites and EIR set forth in 1 TAC Chapter 206 and/or Chapter 213.
"Electronic and Information Resources" means information resources, including information resources technologies, and any equipment or interconnected system of equipment that is used in the creation, conversion, duplication, or delivery of data or information. The term includes telephones and other telecommunications products, information kiosks, transaction machines, Internet websites, multimedia resources, and office equipment, including copy machines and fax machines. "Electronic and Information Resources Accessibility Standards" means the accessibility standards for electronic and information resources contained in 1 Texas Administrative Code Chapter 213. "Product" means information resources technology that is or is related to EIR. "Web Site Accessibility Standards/ Specifications" means standards contained in Volume 1 Tex. Admin. Code Chapter 206(c) Accessibility Requirements. Under Tex. Gov't Code Chapter 2054, Subchapter M, and implementing rules of the Texas Department of Information Resources, the System Agency must procure Products and services that comply with the Accessibility Standards when those Products are available in the commercial marketplace or when those Products are developed in response to a procurement solicitation. Accordingly, Grantee must provide electronic and information resources and associated Product documentation and technical support that comply with the Accessibility Standards. c. Evaluation, Testing, and Monitoring 1. The System Agency may review, test, evaluate and monitor Grantee's Products and services, as well as associated documentation and technical support for compliance with the Accessibility Standards. Review, testing, evaluation and monitoring may be conducted before and after the award of a contract. Testing and monitoring may include user acceptance testing.
Neither the review, testing (including acceptance testing), evaluation or monitoring of any Product or service, nor the absence of review, testing, evaluation or monitoring, will result in a waiver of the State's right to contest the Grantee's assertion of compliance with the Accessibility Standards. 2. Grantee agrees to cooperate fully and provide the System Agency and its representatives timely access to Products, records, and other items and information needed to conduct such review, evaluation, testing, and monitoring. d. Representations and Warranties 1. Grantee represents and warrants that: i. As of the Effective Date of the Contract, the Products and associated documentation and technical support comply with the Accessibility Standards as they exist at the time of entering the Agreement, unless and to the extent the Parties otherwise expressly agree in writing; and ii. If the Products will be in the custody of the state or a System Agency's client or recipient after the Contract expiration or termination, the Products will continue to comply with Accessibility Standards after the expiration or termination of the Contract Term, unless the System Agency or its clients or recipients, as applicable, use the Products in a manner that renders it noncompliant. 2. In the event Grantee becomes aware, or is notified that the Product or service and associated documentation and technical support do not comply with the Accessibility Standards, Grantee represents and warrants that it will, in a timely manner and at no cost to the System Agency, perform all necessary steps to satisfy the Accessibility Standards, including remediation, replacement, and upgrading of the Product or service, or providing a suitable substitute. 3.
Grantee acknowledges and agrees that these representations and warranties are essential inducements on which the System Agency relies in awarding this Contract. 4. Grantee's representations and warranties under this subsection will survive the termination or expiration of the Contract and will remain in full force and effect throughout the useful life of the Product. e. Remedies 1. Under Tex. Gov't Code § 2054.465, neither the Grantee nor any other person has cause of action against the System Agency for a claim of a failure to comply with Tex. Gov't Code Chapter 2054, Subchapter M, and rules of the Department of Information Resources. 2. In the event of a breach of Grantee's representations and warranties, Grantee will be liable for direct, consequential, indirect, special, or liquidated damages and any other remedies to which the System Agency may be entitled under this Contract and other applicable law. This remedy is cumulative of any other remedies to which the System Agency may be entitled under this Contract and other applicable law. SECTION 1.18 GRANTEE'S CERTIFICATION OF MEETING OR EXCEEDING TOBACCO-FREE WORKPLACE POLICY MINIMUM STANDARDS.
Grantee certifies that it has adopted and enforces a Tobacco-Free Workplace Policy that meets or exceeds all of the following minimum standards of: a) Prohibiting the use of all forms of tobacco products, including but not limited to cigarettes, cigars, pipes, water pipes (hookah), bidis, kreteks, electronic cigarettes, smokeless tobacco, snuff and chewing tobacco; b) Designating the property to which this Policy applies as a "designated area," which must at least comprise all buildings and structures where activities funded under this Contract are taking place, as well as Grantee owned, leased, or controlled sidewalks, parking lots, walkways, and attached parking structures immediately adjacent to this designated area; c) Applying to all employees and visitors in this designated area; and d) Providing for or referring its employees to tobacco use cessation services. If Grantee cannot meet these minimum standards, it must obtain a waiver from the System Agency. Mayor ASSURANCES - NON-CONSTRUCTION PROGRAMS OMB Number: 4040-0007 Expiration Date: 02/28/2022 Public reporting burden for this collection of information is estimated to average 15 minutes per response, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding the burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to the Office of Management and Budget, Paperwork Reduction Project (0348-0040), Washington, DC 20503. PLEASE DO NOT RETURN YOUR COMPLETED FORM TO THE OFFICE OF MANAGEMENT AND BUDGET. SEND IT TO THE ADDRESS PROVIDED BY THE SPONSORING AGENCY.
NOTE: Certain of these assurances may not be applicable to your project or program. If you have questions, please contact the awarding agency. Further, certain Federal awarding agencies may require applicants to certify to additional assurances. If such is the case, you will be notified. As the duly authorized representative of the applicant, I certify that the applicant: 1. Has the legal authority to apply for Federal assistance and the institutional, managerial and financial capability (including funds sufficient to pay the non-Federal share of project cost) to ensure proper planning, management and completion of the project described in this application. 2. Will give the awarding agency, the Comptroller General of the United States and, if appropriate, the State, through any authorized representative, access to and the right to examine all records, books, papers, or documents related to the award; and will establish a proper accounting system in accordance with generally accepted accounting standards or agency directives. 3. Will establish safeguards to prohibit employees from using their positions for a purpose that constitutes or presents the appearance of personal or organizational conflict of interest, or personal gain. 4. Will initiate and complete the work within the applicable time frame after receipt of approval of the awarding agency. 5. Will comply with the Intergovernmental Personnel Act of 1970 (42 U.S.C. §§4728-4763) relating to prescribed standards for merit systems for programs funded under one of the 19 statutes or regulations specified in Appendix A of OPM's Standards for a Merit System of Personnel Administration (5 C.F.R. 900, Subpart F). 6. Will comply with all Federal statutes relating to nondiscrimination. These include but are not limited to: (a) Title VI of the Civil Rights Act of 1964 (P.L.
88-352) which prohibits discrimination on the basis of race, color or national origin; (b) Title IX of the Education Amendments of 1972, as amended (20 U.S.C. §§1681-1683, and 1685-1686), which prohibits discrimination on the basis of sex; (c) Section 504 of the Rehabilitation Act of 1973, as amended (29 U.S.C. §794), which prohibits discrimination on the basis of handicaps; (d) the Age Discrimination Act of 1975, as amended (42 U.S.C. §§6101-6107), which prohibits discrimination on the basis of age; (e) the Drug Abuse Office and Treatment Act of 1972 (P.L. 92-255), as amended, relating to nondiscrimination on the basis of drug abuse; (f) the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970 (P.L. 91-616), as amended, relating to nondiscrimination on the basis of alcohol abuse or alcoholism; (g) §§523 and 527 of the Public Health Service Act of 1912 (42 U.S.C. §§290 dd-3 and 290 ee-3), as amended, relating to confidentiality of alcohol and drug abuse patient records; (h) Title VIII of the Civil Rights Act of 1968 (42 U.S.C. §§3601 et seq.), as amended, relating to nondiscrimination in the sale, rental or financing of housing; (i) any other nondiscrimination provisions in the specific statute(s) under which application for Federal assistance is being made; and, (j) the requirements of any other nondiscrimination statute(s) which may apply to the application. 7. Will comply, or has already complied, with the requirements of Titles II and III of the Uniform Relocation Assistance and Real Property Acquisition Policies Act of 1970 (P.L. 91-646) which provide for fair and equitable treatment of persons displaced or whose property is acquired as a result of Federal or federally-assisted programs. These requirements apply to all interests in real property acquired for project purposes regardless of Federal participation in purchases. 8. Will comply, as applicable, with provisions of the Hatch Act (5 U.S.C.
§§1501-1508 and 7324-7328) which limit the political activities of employees whose principal employment activities are funded in whole or in part with Federal funds.
Previous Edition Usable. Authorized for Local Reproduction. Standard Form 424B (Rev. 7-97), Prescribed by OMB Circular A-102
9. Will comply, as applicable, with the provisions of the Davis-Bacon Act (40 U.S.C. §§276a to 276a-7), the Copeland Act (40 U.S.C. §276c and 18 U.S.C. §874), and the Contract Work Hours and Safety Standards Act (40 U.S.C. §§327-333), regarding labor standards for federally-assisted construction subagreements.
10. Will comply, if applicable, with flood insurance purchase requirements of Section 102(a) of the Flood Disaster Protection Act of 1973 (P.L. 93-234) which requires recipients in a special flood hazard area to participate in the program and to purchase flood insurance if the total cost of insurable construction and acquisition is $10,000 or more.
11. Will comply with environmental standards which may be prescribed pursuant to the following: (a) institution of environmental quality control measures under the National Environmental Policy Act of 1969 (P.L. 91-190) and Executive Order (EO) 11514; (b) notification of violating facilities pursuant to EO 11738; (c) protection of wetlands pursuant to EO 11990; (d) evaluation of flood hazards in floodplains in accordance with EO 11988; (e) assurance of project consistency with the approved State management program developed under the Coastal Zone Management Act of 1972 (16 U.S.C. §§1451 et seq.); (f) conformity of Federal actions to State (Clean Air) Implementation Plans under Section 176(c) of the Clean Air Act of 1955, as amended (42 U.S.C. §§7401 et seq.); (g) protection of underground sources of drinking water under the Safe Drinking Water Act of 1974, as amended (P.L. 93-523); and, (h) protection of endangered species under the Endangered Species Act of 1973, as amended (P.L. 93-205).
12. Will comply with the Wild and Scenic Rivers Act of 1968 (16 U.S.C. §§1271 et seq.) related to protecting components or potential components of the national wild and scenic rivers system.
13. Will assist the awarding agency in assuring compliance with Section 106 of the National Historic Preservation Act of 1966, as amended (16 U.S.C. §470), EO 11593 (identification and protection of historic properties), and the Archaeological and Historic Preservation Act of 1974 (16 U.S.C. §§469a-1 et seq.).
14. Will comply with P.L. 93-348 regarding the protection of human subjects involved in research, development, and related activities supported by this award of assistance.
15. Will comply with the Laboratory Animal Welfare Act of 1966 (P.L. 89-544, as amended, 7 U.S.C. §§2131 et seq.) pertaining to the care, handling, and treatment of warm blooded animals held for research, teaching, or other activities supported by this award of assistance.
16. Will comply with the Lead-Based Paint Poisoning Prevention Act (42 U.S.C. §§4801 et seq.) which prohibits the use of lead-based paint in construction or rehabilitation of residence structures.
17. Will cause to be performed the required financial and compliance audits in accordance with the Single Audit Act Amendments of 1996 and OMB Circular No. A-133, "Audits of States, Local Governments, and Non-Profit Organizations."
18. Will comply with all applicable requirements of all other Federal laws, executive orders, regulations, and policies governing this program.
19. Will comply with the requirements of Section 106(g) of the Trafficking Victims Protection Act (TVPA) of 2000, as amended (22 U.S.C. 7104) which prohibits grant award recipients or a sub-recipient from (1) Engaging in severe forms of trafficking in persons during the period of time that the award is in effect (2) Procuring a commercial sex act during the period of time that the award is in effect or (3) Using forced labor in the performance of the award or subawards under the award.
SIGNATURE OF AUTHORIZED CERTIFYING OFFICIAL:
TITLE: Director of Public Health
APPLICANT ORGANIZATION: City of Lubbock
DATE SUBMITTED:
Standard Form 424B (Rev. 7-97) Back
CERTIFICATION REGARDING LOBBYING
Certification for Contracts, Grants, Loans, and Cooperative Agreements
The undersigned certifies, to the best of his or her knowledge and belief, that:
(1) No Federal appropriated funds have been paid or will be paid, by or on behalf of the undersigned, to any person for influencing or attempting to influence an officer or employee of an agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with the awarding of any Federal contract, the making of any Federal grant, the making of any Federal loan, the entering into of any cooperative agreement, and the extension, continuation, renewal, amendment, or modification of any Federal contract, grant, loan, or cooperative agreement.
(2) If any funds other than Federal appropriated funds have been paid or will be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with this Federal contract, grant, loan, or cooperative agreement, the undersigned shall complete and submit Standard Form-LLL, "Disclosure of Lobbying Activities," in accordance with its instructions.
(3) The undersigned shall require that the language of this certification be included in the award documents for all subawards at all tiers (including subcontracts, subgrants, and contracts under grants, loans, and cooperative agreements) and that all subrecipients shall certify and disclose accordingly.
This certification is a material representation of fact upon which reliance was placed when this transaction was made or entered into. Submission of this certification is a prerequisite for making or entering into this transaction imposed by section 1352, title 31, U.S. Code. Any person who fails to file the required certification shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for each such failure.
Statement for Loan Guarantees and Loan Insurance
The undersigned states, to the best of his or her knowledge and belief, that: If any funds have been paid or will be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress, or an employee of a Member of Congress in connection with this commitment providing for the United States to insure or guarantee a loan, the undersigned shall complete and submit Standard Form-LLL, "Disclosure of Lobbying Activities," in accordance with its instructions. Submission of this statement is a prerequisite for making or entering into this transaction imposed by section 1352, title 31, U.S. Code. Any person who fails to file the required statement shall be subject to a civil penalty of not less than $10,000 and not more than $100,000 for each such failure.
APPLICANT'S ORGANIZATION: City of Lubbock
PRINTED NAME AND TITLE OF AUTHORIZED REPRESENTATIVE
Prefix: First Name: Middle Name: Last Name: Suffix:
Title: Director of Public Health
SIGNATURE: DATE:
Fiscal Federal Funding Accountability and Transparency Act (FFATA) CERTIFICATION
The certifications enumerated below represent material facts upon which DSHS relies when reporting information to the federal government required under federal law.
If the Department later determines that the Contractor knowingly rendered an erroneous certification, DSHS may pursue all available remedies in accordance with Texas and U.S. law. Signor further agrees that it will provide immediate written notice to DSHS if at any time Signor learns that any of the certifications provided for below were erroneous when submitted or have since become erroneous by reason of changed circumstances. If the Signor cannot certify all of the statements contained in this section, Signor must provide written notice to DSHS detailing which of the below statements it cannot certify and why.
Legal Name of Contractor:
Primary Address of Contractor:
ZIP Code: 9-digits Required www.usps.com
FFATA Contact # 1 Name, Email and Phone Number:
FFATA Contact #2 Name, Email and Phone Number:
DUNS Number: 9-digits Required www.sam.gov
State of Texas Comptroller Vendor Identification Number (VIN) 14 Digits:
Printed Name of Authorized Representative: Katherine Wells
Title of Authorized Representative: Director of Public Health
Signature of Authorized Representative:
Date:
Department of State Health Services Form 4734 — June 2013
As the duly authorized representative (Signor) of the Contractor, I hereby certify that the statements made by me in this certification form are true, complete and correct to the best of my knowledge.
Did your organization have a gross income, from all sources, of less than $300,000 in your previous tax year? ❑ Yes ❑ No
If your answer is "Yes", skip questions "A", "B", and "C" and finish the certification. If your answer is "No", answer questions "A" and "B".
A. Certification Regarding % of Annual Gross from Federal Awards. Did your organization receive 80% or more of its annual gross revenue from federal awards during the preceding fiscal year? ❑ Yes ❑ No
B.
Certification Regarding Amount of Annual Gross from Federal Awards. Did your organization receive $25 million or more in annual gross revenues from federal awards in the preceding fiscal year? ❑ Yes ❑ No
If your answer is "Yes" to both question "A" and "B", you must answer question "C". If your answer is "No" to either question "A" or "B", skip question "C" and finish the certification.
C. Certification Regarding Public Access to Compensation Information. Does the public have access to information about the compensation of the senior executives in your business or organization (including parent organization, all branches, and all affiliates worldwide) through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986? ❑ Yes ❑ No
If your answer is "Yes" to this question, where can this information be accessed?
If your answer is "No" to this question, you must provide the names and total compensation of the top five highly compensated officers below.
Provide compensation information here:
HHS DATA USE AGREEMENT
This Data Use Agreement ("DUA"), effective as of the date the Base Contract into which it is incorporated is signed ("Effective Date"), is entered into by and between a Texas Health and Human Services Enterprise agency ("HHS"), and the Contractor identified in the Base Contract, a political subdivision of the State of Texas ("CONTRACTOR").
ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE
The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations with respect to the Confidential Information. 45 CFR 164.504(e)(1)-(3).
This DUA also describes HHS's remedies in the event of CONTRACTOR's noncompliance with its obligations under this DUA. This DUA applies to both Business Associates and contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients as described in the Base Contract. As of the Effective Date of this DUA, if any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls.
ARTICLE 2. DEFINITIONS
For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C. § 1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments, regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. §§ 1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue Code, Title 26 of the United States Code and regulations and publications adopted under that code, including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521; Texas Government Code, Ch. 552, and Texas Government Code §2054.1125. In addition, the following terms in this DUA are defined as follows:
"Authorized Purpose" means the specific purpose or purposes described in the Statement of Work of the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other purpose expressly authorized by HHS in writing in advance.
"Authorized User" means a Person:
(1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret, or analyze Confidential Information pursuant to this DUA;
HHS Data Use Agreement TACCHO VERSION (Local City and County Entities) October 23, 2019 Page 1 of 15
(2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive, maintain, use, disclose or have access to the Confidential Information; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information as required by this DUA.
"Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR, or that CONTRACTOR may, for an Authorized Purpose, create, receive, maintain, use, disclose or have access to, that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information (herein "PHI");
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Individually Identifiable Health Information as related to HIPAA, Texas HIPAA and Personal Identifying Information under the Texas Identity Theft Enforcement and Protection Act;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.
"Legally Authorized Representative" of the individual, as defined by Texas law, including as provided in 45 CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code § 166.164; and Estates Code Ch. 752.
ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION
3.01 Obligations of CONTRACTOR
CONTRACTOR agrees that:
(A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the Confidential Information from being used in a manner that is not expressly an Authorized Purpose under this DUA or as Required by Law. 45 CFR 164.502(b)(1); 45 CFR 164.514(d)
(B) Except as Required by Law, CONTRACTOR will not disclose or allow access to any portion of the Confidential Information to any Person or other entity, other than Authorized User's Workforce or Subcontractors (as defined in 45 C.F.R. 160.103) of CONTRACTOR who have completed training in confidentiality, privacy, security and the importance of promptly reporting any Event or Breach to CONTRACTOR's management, to carry out CONTRACTOR's obligations in connection with the Authorized Purpose. HHS, at its election, may assist CONTRACTOR in training and education on specific or unique HHS processes, systems and/or requirements. CONTRACTOR will produce evidence of completed training to HHS upon request. 45 C.F.R. 164.308(a)(5)(i); Texas Health & Safety Code §181.101
All of CONTRACTOR's Authorized Users, Workforce and Subcontractors with access to a state computer system or database will complete a cybersecurity training program certified under Texas Government Code Section 2054.519 by the Texas Department of Information Resources or offered under Texas Government Code Sec.
2054.519(f).
(C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to HHS upon request. 45 CFR 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b); 164.530(b)(1)
(D) CONTRACTOR will not, except as otherwise permitted by this DUA, disclose or provide access to any Confidential Information on the basis that such act is Required by Law without notifying either HHS or CONTRACTOR's own legal counsel to determine whether CONTRACTOR should object to the disclosure or access and seek appropriate relief. CONTRACTOR will maintain an accounting of all such requests for disclosure and responses and provide such accounting to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2)(ii)(A)
(E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information or De-identified Information, or attempt to contact any Individuals whose records are contained in the Confidential Information, except for an Authorized Purpose, without express written authorization from HHS or as expressly permitted by the Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501, 164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002
(F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to, create, receive, maintain, use, disclose, have access to or transmit Confidential Information to carry out CONTRACTOR's obligations in connection with the Authorized Purpose on behalf of CONTRACTOR, unless Subcontractor agrees to comply with all applicable laws, rules and regulations.
45 CFR 164.502(e)(1)(ii); 164.504(e)(1)(i) and (2).
(G) CONTRACTOR is directly responsible for compliance with, and enforcement of, all conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent unauthorized use. 45 CFR 164.504(e)(5); 42 CFR 431.300, et seq.
(H) If CONTRACTOR maintains PHI in a Designated Record Set which is Confidential Information and subject to this Agreement, CONTRACTOR will make PHI available to HHS in a Designated Record Set upon request. CONTRACTOR will provide PHI to an Individual, or Legally Authorized Representative of the Individual who is requesting PHI in compliance with the requirements of the HIPAA Privacy Regulations. CONTRACTOR will release PHI in accordance with the HIPAA Privacy Regulations upon receipt of a valid written authorization. CONTRACTOR will make other Confidential Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. CONTRACTOR will maintain an accounting of all such disclosures and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.524 and 164.504(e)(2)(ii)(E).
(I) If PHI is subject to this Agreement, CONTRACTOR will make PHI as required by HIPAA available to HHS for review subsequent to CONTRACTOR's incorporation of any amendments requested pursuant to HIPAA. 45 CFR 164.504(e)(2)(ii)(E) and (F).
(J) If PHI is subject to this Agreement, CONTRACTOR will document and make available to HHS the PHI required to provide access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528.
(K) If CONTRACTOR receives a request for access, amendment or accounting of PHI from an individual with a right of access to information subject to this DUA, it will respond to such request in compliance with the HIPAA Privacy Regulations. CONTRACTOR will maintain an accounting of all responses to requests for access to or amendment of PHI and provide it to HHS within 48 hours of HHS' request. 45 CFR 164.504(e)(2).
(L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to HHS periodic written certifications of compliance with controls and provisions relating to information privacy, security and breach notification, including without limitation information related to data transfers and the handling and disposal of Confidential Information. 45 CFR 164.308, 164.530(c); 1 TAC 202.
(M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may use PHI for the proper management and administration of CONTRACTOR or to carry out CONTRACTOR's legal responsibilities. Except as otherwise limited by this DUA, the Base Contract, or law applicable to the Confidential Information, CONTRACTOR may disclose PHI for the proper management and administration of CONTRACTOR, or to carry out CONTRACTOR's legal responsibilities, if: 45 CFR 164.504(e)(4)(A).
(1) Disclosure is Required by Law, provided that CONTRACTOR complies with Section 3.01(D); or
(2) CONTRACTOR obtains reasonable assurances from the person or entity to which the information is disclosed that the person or entity will:
(a) Maintain the confidentiality of the Confidential Information in accordance with this DUA;
(b) Use or further disclose the information only as Required by Law or for the Authorized Purpose for which it was disclosed to the Person; and
(c) Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential Information of which the Person discovers or should have discovered with the exercise of reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B).
(N) Except as otherwise limited by this DUA, CONTRACTOR will, if required by law and requested by HHS, use commercially reasonable efforts to use PHI to provide data aggregation services to HHS, as that term is defined in the HIPAA, 45 C.F.R. § 164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B)
(O) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract, at its expense, send to HHS or Destroy, at HHS's election and to the extent reasonably feasible and permissible by law, all Confidential Information received from HHS or created or maintained by CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on HHS's behalf if that data contains Confidential Information. CONTRACTOR will certify in writing to HHS that all the Confidential Information that has been created, received, maintained, used by or disclosed to CONTRACTOR, has been Destroyed or sent to HHS, and that CONTRACTOR and its agents and Subcontractors have retained no copies thereof.
Notwithstanding the foregoing, HHS acknowledges and agrees that CONTRACTOR is not obligated to send to HHSC and/or Destroy any Confidential Information if federal law, state law, the Texas State Library and Archives Commission records retention schedule, and/or a litigation hold notice prohibit such delivery or Destruction. If such delivery or Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify HHS of the reasons such delivery or Destruction is not feasible, and agree to extend indefinitely the protections of this DUA to the Confidential Information and limit its further uses and disclosures to the purposes that make the return delivery or Destruction of the Confidential Information not feasible for as long as CONTRACTOR maintains such Confidential Information. 45 CFR 164.504(e)(2)(ii)(J)
(P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the security or integrity of such information or unauthorized uses. 45 CFR 164.306, 164.530(c)
(Q) If CONTRACTOR accesses, transmits, stores, and/or maintains Confidential Information, CONTRACTOR will complete and return to HHS at infosecurity@hhsc.state.tx.us the HHS information security and privacy initial inquiry (SPI) at Attachment I. The SPI identifies basic privacy and security controls with which CONTRACTOR must comply to protect HHS Confidential Information. CONTRACTOR will comply with periodic security controls compliance assessment and monitoring by HHS as required by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses or has access to and the Authorized Purpose and level of risk.
CONTRACTOR's security controls will be based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. CONTRACTOR will update its security controls assessment whenever there are significant changes in security controls for HHS Confidential Information and will provide the updated document to HHS. HHS also reserves the right to request updates as needed to satisfy state and federal monitoring requirements. 45 CFR 164.306.
(R) CONTRACTOR will establish, implement and maintain reasonable procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality, integrity, and availability of the Confidential Information, and with respect to PHI, as described in the HIPAA Privacy and Security Regulations, or other applicable laws or regulations relating to Confidential Information, to prevent any unauthorized use or disclosure of Confidential Information as long as CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR 164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards); 164.530(c) (privacy safeguards).
(S) CONTRACTOR will designate and identify, a Person or Persons, as Privacy Official 45 CFR 164.530(a)(1) and Information Security Official, each of whom is authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation of the privacy and security requirements in this DUA. CONTRACTOR will provide name and current address, phone number and e-mail address for such designated officials to HHS upon execution of this DUA and prior to any change. If such persons fail to develop and implement the requirements of the DUA, CONTRACTOR will replace them upon HHS request. 45 CFR 164.308(a)(2).
(T) CONTRACTOR represents and warrants that its Authorized Users each have a demonstrated need to know and have access to Confidential Information solely to the minimum extent necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further, that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in this DUA. 45 CFR 164.502, 164.514(d).
(U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms of this DUA, at all times and supply it to HHS, as directed, upon request.
(V) CONTRACTOR will implement, update as necessary, and document reasonable and appropriate policies and procedures for privacy, security and Breach of Confidential Information and an incident response plan for an Event or Breach, to comply with the privacy, security and breach notice requirements of this DUA prior to conducting work under the Statement of Work. 45 CFR 164.308, 164.316, 164.514(d); 164.530(i)(1).
(W) CONTRACTOR will produce copies of its information security and privacy policies and procedures and records relating to the use or disclosure of Confidential Information received from, created by, or received, used or disclosed by CONTRACTOR for an Authorized Purpose for HHS's review and approval within 30 days of execution of this DUA and upon request by HHS the following business day or other agreed upon time frame. 45 CFR 164.308, 164.514(d).
(X) CONTRACTOR will make available to HHS any information HHS requires to fulfill HHS's obligations to provide access to, or copies of, PHI in accordance with HIPAA and other applicable laws and regulations relating to Confidential Information. CONTRACTOR will provide such information in a time and manner reasonably agreed upon or as designated by the Secretary of the U.S. Department of Health and Human Services, or other federal or state law. 45 CFR 164.504(e)(2)(i)(1).
(Y) CONTRACTOR will only conduct secure transmissions of Confidential Information whether in paper, oral or electronic form, in accordance with applicable rules, regulations and laws. A secure transmission of electronic Confidential Information in motion includes, but is not limited to, Secure File Transfer Protocol (SFTP) or Encryption at an appropriate level. If required by rule, regulation or law, HHS Confidential Information at rest requires Encryption unless there is other adequate administrative, technical, and physical security. All electronic data transfer and communications of Confidential Information will be through secure systems. Proof of system, media or device security and/or Encryption must be produced to HHS no later than 48 hours after HHS's written request in response to a compliance investigation, audit or the Discovery of an Event or Breach. Otherwise, requested production of such proof will be made as agreed upon by the parties. De-identification of HHS Confidential Information is a means of security. With respect to de-identification of PHI, "secure" means de-identified according to HIPAA Privacy standards and regulatory guidance. 45 CFR 164.312, 164.530(d).
(Z) For each type of Confidential Information CONTRACTOR creates, receives, maintains, uses, discloses, has access to or transmits in the performance of the Statement of Work, CONTRACTOR will comply with the following laws, rules and regulations, only to the extent applicable and required by law:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 07-16;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the DUA;
• Internal Revenue Publication 1075 — Tax Information Security Guidelines for Federal, State and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1 — An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A — Recommended Security Controls for Federal Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 — Security Guide for Interconnecting Information Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User Devices containing PHI; and
• Any other State or Federal law, regulation, or administrative rule relating to the specific HHS program area that CONTRACTOR supports on behalf of HHS.
(AA) Notwithstanding anything to the contrary herein, CONTRACTOR will treat any Personal Identifying Information it creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with Texas Business and Commerce Code, Chapter 521 and other applicable regulatory standards identified in Section 3.01(Z), and Individually Identifiable Health Information CONTRACTOR creates, receives, maintains, uses, transmits, destroys and/or discloses in accordance with HIPAA and other applicable regulatory standards identified in Section 3.01(Z).
ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS
4.01 Breach or Event Notification to HHS. 45 CFR 164.400-414.
(A) CONTRACTOR will cooperate fully with HHS in investigating, mitigating to the extent practicable and issuing notifications directed by HHS, for any Event or Breach of Confidential Information to the extent and in the manner determined by HHS.
(B) CONTRACTOR's obligation begins at the Discovery of an Event or Breach and continues as long as related activity continues, until all effects of the Event are mitigated to HHS's reasonable satisfaction (the "incident response period"). 45 CFR 164.404.
(C) Breach Notice:
(1) Initial Notice.
(a) For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information, within the first, consecutive clock hour of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery, or in a timeframe otherwise approved by HHS in writing, initially report to HHS's Privacy and Security Officers via email at: privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA; and IRS Publication 1075; Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in HHSC-CMS Contracts for information exchange.
(b) Report all information reasonably available to CONTRACTOR about the Event or Breach of the privacy or security of Confidential Information. 45 CFR 164.410.
(c) Name, and provide contact information to HHS for, CONTRACTOR's single point of contact who will communicate with HHS both on and off business hours during the incident response period.
(2) Formal Notice.
No later than two business days after the Initial Notice above, provide formal notification to privacy@HHSC.state.tx.us and to the HHS division responsible for this DUA, including all reasonably available information about the Event or Breach, and CONTRACTOR's investigation, including without limitation and to the extent available: For (a) - (m) below: 45 CFR 164.400-414
(a) The date the Event or Breach occurred;
(b) The date of CONTRACTOR's and, if applicable, Subcontractor's Discovery;
(c) A brief description of the Event or Breach, including how it occurred and who is responsible (or hypotheses, if not yet determined);
(d) A brief description of CONTRACTOR's investigation and the status of the investigation;
(e) A description of the types and amount of Confidential Information involved;
(f) Identification of and number of all Individuals reasonably believed to be affected, including first and last name of the Individual and, if applicable, the Legally Authorized Representative, last known address, age, telephone number, and email address if it is a preferred contact method, to the extent known or can be reasonably determined by CONTRACTOR at that time;
(g) CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether individual or other notices are required by applicable law or this DUA for HHS approval, including an analysis of whether there is a low probability of compromise of the Confidential Information or whether any legal exceptions to notification apply;
(h) CONTRACTOR's recommendation for HHS's approval as to the steps Individuals and/or CONTRACTOR on behalf of Individuals, should take to protect the Individuals from potential harm, including without limitation CONTRACTOR's provision of notifications, credit protection, claims monitoring, and any specific protections for a
Legally Authorized Representative to take on behalf of an Individual with special capacity or circumstances;
(i) The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including without limitation the provision of sufficient resources to mitigate);
(j) The steps CONTRACTOR has taken, or will take, to prevent or reduce the likelihood of recurrence of a similar Event or Breach;
(k) Identify, describe or estimate the Persons, Workforce, Subcontractor, or Individuals and any law enforcement that may be involved in the Event or Breach;
(l) A reasonable schedule for CONTRACTOR to provide regular updates during normal business hours to the foregoing in the future for response to the Event or Breach, but no less than every three (3) business days or as otherwise directed by HHS, including information about risk estimations, reporting, notification, if any, mitigation, corrective action, root cause analysis and when such activities are expected to be completed; and
(m) Any reasonably available, pertinent information, documents or reports related to an Event or Breach that HHS requests following Discovery.

4.02 Investigation, Response and Mitigation. 45 CFR 164.308, 310 and 312; 164.530
(A) CONTRACTOR will immediately conduct a full and complete investigation, respond to the Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond, and report as required to and by HHS for incident response purposes and for purposes of HHS's compliance with report and notification requirements, to the reasonable satisfaction of HHS.
(B) CONTRACTOR will complete or participate in a risk assessment as directed by HHS following an Event or Breach, and provide the final assessment, corrective actions and mitigations to HHS for review and approval.
(C) CONTRACTOR will fully cooperate with HHS to respond to inquiries and/or proceedings by state and federal authorities, Persons and/or Individuals about the Event or Breach.
(D) CONTRACTOR will fully cooperate with HHS's efforts to seek appropriate injunctive relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any Confidential Information, including complying with reasonable corrective action or measures, as specified by HHS in a Corrective Action Plan if directed by HHS under the Base Contract.

4.03 Breach Notification to Individuals and Reporting to Authorities. Tex. Bus. & Comm. Code §521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities)
(A) HHS may direct CONTRACTOR to provide Breach notification to Individuals, regulators or third-parties, as specified by HHS following a Breach.
(B) CONTRACTOR shall give HHS an opportunity to review and provide feedback to CONTRACTOR and to confirm that CONTRACTOR's notice meets all regulatory requirements regarding the time, manner and content of any notification to Individuals, regulators or third-parties, or any notice required by other state or federal authorities, including without limitation, notifications required by Texas Business and Commerce Code, Chapter 521.053(b) and HIPAA. HHS shall have ten (10) business days to provide said feedback to CONTRACTOR. Notice letters will be in CONTRACTOR's name and on CONTRACTOR's letterhead, unless otherwise directed by HHS, and will contain contact information, including the name and title of CONTRACTOR's representative, an email address and a toll-free telephone number, if required by applicable law, rule, or regulation, for the Individual to obtain additional information.
(C) CONTRACTOR will provide HHS with copies of distributed and approved communications.
(D) CONTRACTOR will have the burden of demonstrating to the reasonable satisfaction of HHS that any notification required by HHS was timely made. If there are delays outside of CONTRACTOR's control, CONTRACTOR will provide written documentation of the reasons for the delay.
(E) If HHS delegates notice requirements to CONTRACTOR, HHS shall, in the time and manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's information requests in order to make such notifications and reports.

ARTICLE 5. STATEMENT OF WORK

"Statement of Work" means the services and deliverables to be performed or provided by CONTRACTOR, or on behalf of CONTRACTOR by its Subcontractors or agents for HHS that are described in detail in the Base Contract. The Statement of Work, including any future amendments thereto, is incorporated by reference in this DUA as if set out word-for-word herein.

ARTICLE 6. GENERAL PROVISIONS

6.01 Oversight of Confidential Information
CONTRACTOR acknowledges and agrees that HHS is entitled to oversee and monitor CONTRACTOR's access to and creation, receipt, maintenance, use, disclosure of the Confidential Information to confirm that CONTRACTOR is in compliance with this DUA.

6.02 HHS Commitment and Obligations
HHS will not request CONTRACTOR to create, maintain, transmit, use or disclose PHI in any manner that would not be permissible under applicable law if done by HHS.

6.03 HHS Right to Inspection
At any time upon reasonable notice to CONTRACTOR, or if HHS determines that CONTRACTOR has violated this DUA, HHS, directly or through its agent, will have the right to inspect the facilities, systems, books and records of CONTRACTOR to monitor compliance with this DUA.
For purposes of this subsection, HHS's agent(s) include, without limitation, the HHS Office of the Inspector General or the Office of the Attorney General of Texas, outside consultants or legal counsel or other designee.

6.04 Term; Termination of DUA; Survival
This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended or amended, this DUA shall be extended or amended concurrent with such extension or amendment.
(A) HHS may immediately terminate this DUA and Base Contract upon a material violation of this DUA.
(B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the Confidential Information until such time as determined by HHS.
(C) If HHS determines that CONTRACTOR has violated a material term of this DUA, HHS may in its sole discretion:
(1) Exercise any of its rights including but not limited to reports, access and inspection under this DUA and/or the Base Contract; or
(2) Require CONTRACTOR to submit to a Corrective Action Plan, including a plan for monitoring and plan for reporting, as HHS may determine necessary to maintain compliance with this DUA; or
(3) Provide CONTRACTOR with a reasonable period to cure the violation as determined by HHS; or
(4) Terminate the DUA and Base Contract immediately, and seek relief in a court of competent jurisdiction in Texas.
Before exercising any of these options, HHS will provide written notice to CONTRACTOR describing the violation, the requested corrective action CONTRACTOR may take to cure the alleged violation, and the action HHS intends to take if the alleged violation is not timely cured by CONTRACTOR.
(D) If neither termination nor cure is feasible, HHS shall report the violation to the Secretary of the U.S. Department of Health and Human Services.
(E) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration or termination of this DUA until all the Confidential Information is Destroyed or returned to HHS, as required by this DUA.

6.05 Governing Law, Venue and Litigation
(A) The validity, construction and performance of this DUA and the legal relations among the Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas.
(B) The Parties agree that the courts of Texas will be the exclusive venue for any litigation, special proceeding or other proceeding as between the parties that may be brought, or arise out of, or in connection with, or by reason of this DUA.

6.06 Injunctive Relief
(A) CONTRACTOR acknowledges and agrees that HHS may suffer irreparable injury if CONTRACTOR or its Subcontractor fails to comply with any of the terms of this DUA with respect to the Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential Information.
(B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate HHS for CONTRACTOR's or its Subcontractor's failure to comply.
Accordingly, CONTRACTOR agrees that HHS will, in addition to any other remedies available to it at law or in equity, be entitled to seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages, to enforce the terms of this DUA.

6.07 Responsibility
To the extent permitted by the Texas Constitution, laws and rules, and without waiving any immunities or defenses available to CONTRACTOR as a governmental entity, CONTRACTOR shall be solely responsible for its own acts and omissions and the acts and omissions of its employees, directors, officers, Subcontractors and agents. HHS shall be solely responsible for its own acts and omissions.

6.08 Insurance
(A) As a governmental entity, and in accordance with the limits of the Texas Tort Claims Act, Chapter 101 of the Texas Civil Practice and Remedies Code, CONTRACTOR either maintains commercial insurance or self-insures with policy limits in an amount sufficient to cover CONTRACTOR's liability arising under this DUA. CONTRACTOR will request that HHS be named as an additional insured. HHSC reserves the right to consider alternative means for CONTRACTOR to satisfy CONTRACTOR's financial responsibility under this DUA. Nothing herein shall relieve CONTRACTOR of its financial obligations set forth in this DUA if CONTRACTOR fails to maintain insurance.
(B) CONTRACTOR will provide HHS with written proof that required insurance coverage is in effect, at the request of HHS.

6.08 Fees and Costs
Except as otherwise specified in this DUA or the Base Contract, if any legal action or other proceeding is brought for the enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default, misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each party will bear their own legal expenses and the other cost incurred in that action or proceeding.
6.09 Entirety of the Contract
This DUA is incorporated by reference into the Base Contract as an amendment thereto and, together with the Base Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of obligations arising under those documents will be valid unless in writing and executed by the party against whom such change, waiver, or discharge is sought to be enforced. If any provision of the Base Contract, including any General Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls.

6.10 Automatic Amendment and Interpretation
If there is (i) a change in any law, regulation or rule, state or federal, applicable to HIPAA and/or Confidential Information, or (ii) any change in the judicial or administrative interpretation of any such law, regulation or rule, upon the effective date of such change, this DUA shall be deemed to have been automatically amended, interpreted and read so that the obligations imposed on HHS and/or CONTRACTOR remain in compliance with such changes. Any ambiguity in this DUA will be resolved in favor of a meaning that permits HHS and CONTRACTOR to comply with HIPAA or any other law applicable to Confidential Information.

Texas Health and Human Services
Texas HHS System - Data Use Agreement - Attachment 2
SECURITY AND PRIVACY INQUIRY (SPI)

If you are a bidder for a new procurement/contract, in order to participate in the bidding process, you must have corrected any "No" responses (except A9a) prior to the contract award date.
If you are an applicant for an open enrollment, you must have corrected any "No" answers (except A9a and A11) prior to performing any work on behalf of any Texas HHS agency. For any questions answered "No" (except A9a and A11), an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.

SECTION A: APPLICANT/BIDDER INFORMATION (To be completed by Applicant/Bidder)

1. Does the applicant/bidder access, create, disclose, receive, transmit, maintain, or store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal use computer, mobile device, database, server, etc.)? (Yes / No)
IF NO, STOP. THE SPI FORM IS NOT REQUIRED.
2. Entity or Applicant/Bidder Legal Name
Legal Name:
Legal Entity Tax Identification Number (TIN) (Last Four Numbers Only):
Procurement/Contract#:
Address: City: State: ZIP:
Telephone #:
Email Address:
3. Number of Employees, at all locations, in Applicant/Bidder's Workforce
Total Employees:
"Workforce" means all employees, volunteers, trainees, and other Persons whose conduct is under the direct control of Applicant/Bidder, whether or not they are paid by Applicant/Bidder. If Applicant/Bidder is a sole proprietor, the workforce may be only one employee.
4. Number of Subcontractors (if Applicant/Bidder will not use subcontractors, enter "0")
Total Subcontractors:
5. Name of Information Technology Security Official and Name of Privacy Official for Applicant/Bidder (Privacy and Security Official may be the same person.)
A. Security Official:
Legal Name:
Address: City: State: ZIP:
Telephone #:
Email Address:
B.
Privacy Official:
Legal Name:
Address: City: State: ZIP:
Telephone #:
Email Address:

SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 1 of 18

6. Type(s) of Texas HHS Confidential Information the Applicant/Bidder will create, receive, maintain, use, disclose or have access to: (Check all that apply)
Options: HIPAA, CJIS, IRS FTI, CMS, SSA, PII, Other (Please List)
• Health Insurance Portability and Accountability Act (HIPAA) data
• Criminal Justice Information Services (CJIS) data
• Internal Revenue Service Federal Tax Information (IRS FTI) data
• Centers for Medicare & Medicaid Services (CMS)
• Social Security Administration (SSA)
• Personally Identifiable Information (PII)
7. Number of Storage Devices for Texas HHS Confidential Information (as defined in the Texas HHS System Data Use Agreement (DUA))
Total # (Sum a-d): 0
Cloud Services involve using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. A Data Center is a centralized repository, either physical or virtual, for the storage, management, and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business.
a. Devices. Number of personal user computers, devices or drives, including mobile devices and mobile drives.
b. Servers. Number of Servers that are not in a data center or using Cloud Services.
c. Cloud Services. Number of Cloud Services in use.
d. Data Centers. Number of Data Centers in use.
8. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to handle Texas HHS Confidential Information during one year: Select Option (a-d)
a. 499 individuals or less
b. 500 to 999 individuals
c. 1,000 to 99,999 individuals
d. 100,000 individuals or more
9. HIPAA Business Associate Agreement
a.
Will Applicant/Bidder use, disclose, create, receive, transmit or maintain protected health information on behalf of a HIPAA-covered Texas HHS agency for a HIPAA-covered function? (Yes / No)
b. Does Applicant/Bidder have a Privacy Notice prominently displayed on a Webpage or a Public Office of Applicant/Bidder's business open to or that serves the public? (This is a HIPAA requirement. Answer "N/A" if not applicable, such as for agencies not covered by HIPAA.) (Yes / No / N/A)
Action Plan for Compliance with a Timeline: Compliance Date:
10. Subcontractors. If the Applicant/Bidder responded "0" to Question 4 (indicating no subcontractors), check "N/A" for both 'a.' and 'b.'
a. Does Applicant/Bidder require subcontractors to execute the DUA Attachment 1 Subcontractor Agreement Form? (Yes / No / N/A)
Action Plan for Compliance with a Timeline: Compliance Date:
b. Will Applicant/Bidder agree to require subcontractors who will access Confidential Information to comply with the terms of the DUA, not disclose any Confidential Information to them until they have agreed in writing to the same safeguards and to discontinue their access to the Confidential Information if they fail to comply? (Yes / No / N/A)
Action Plan for Compliance with a Timeline: Compliance Date:
11. Does Applicant/Bidder have any Optional Insurance currently in place?
(Yes / No / N/A)
Optional Insurance provides coverage for: (1) Network Security and Privacy; (2) Data Breach; (3) Cyber Liability (lost data, lost use or delay/suspension in business, denial of service with e-business, the Internet, networks and informational assets, such as privacy, intellectual property, virus transmission, extortion, sabotage or web activities); (4) Electronic Media Liability; (5) Crime/Theft; (6) Advertising Injury and Personal Injury Liability; and (7) Crisis Management and Notification Expense Coverage.

SECTION B: PRIVACY ANALYSIS AND [...] (To be completed by Applicant/Bidder)

For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.

1. Written Policies & Procedures. Does Applicant/Bidder have current written privacy and security policies and procedures that, at a minimum: (Yes or No)
a. Does Applicant/Bidder have current written privacy and security policies and procedures that identify Authorized Users and Authorized Purposes (as defined in the DUA) relating to creation, receipt, maintenance, use, disclosure, access or transmission of Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
b.
Does Applicant/Bidder have current written privacy and security policies and procedures that require Applicant/Bidder and its Workforce to comply with the applicable provisions of HIPAA and other laws referenced in the DUA, relating to creation, receipt, maintenance, use, disclosure, access or transmission of Texas HHS Confidential Information on behalf of a Texas HHS agency? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
c. Does Applicant/Bidder have current written privacy and security policies and procedures that limit use or disclosure of Texas HHS Confidential Information to the minimum that is necessary to fulfill the Authorized Purposes? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
d. Does Applicant/Bidder have current written privacy and security policies and procedures that respond to an actual or suspected breach of Texas HHS Confidential Information, to include at a minimum (if any responses are "No" check "No" for all three): (Yes / No)
i. Immediate breach notification to the Texas HHS agency, regulatory authorities, and other required Individuals or Authorities, in accordance with Article 4 of the DUA;
ii. Following a documented breach response plan, in accordance with the DUA and applicable law; &
iii. Notifying Individuals and Reporting Authorities whose Texas HHS Confidential Information has been breached, as directed by the Texas HHS agency?
Action Plan for Compliance with a Timeline: Compliance Date:
e. Does Applicant/Bidder have current written privacy and security policies and procedures that conduct annual workforce training and monitoring for and correction of any training delinquencies? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
f.
Does Applicant/Bidder have current written privacy and security policies and procedures that permit or deny individual rights of access, and amendment or correction, when appropriate? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
g. Does Applicant/Bidder have current written privacy and security policies and procedures that permit only Authorized Users with up-to-date privacy and security training, and with a reasonable and demonstrable need to use, disclose, create, receive, maintain, access or transmit the Texas HHS Confidential Information, to carry out an obligation under the DUA for an Authorized Purpose, unless otherwise approved in writing by a Texas HHS agency? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
h. Does Applicant/Bidder have current written privacy and security policies and procedures that establish, implement and maintain proof of appropriate sanctions against any Workforce or Subcontractors who fail to comply with an Authorized Purpose or who is not an Authorized User, and used or disclosed Texas HHS Confidential Information in violation of the DUA, the Base Contract or applicable law? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
i. Does Applicant/Bidder have current written privacy and security policies and procedures that require updates to policies, procedures and plans following major changes with use or disclosure of Texas HHS Confidential Information within 60 days of identification of a need for update? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
j.
Does Applicant/Bidder have current written privacy and security policies and procedures that restrict permissions or attempts to re-identify or further identify de-identified Texas HHS Confidential Information, or attempt to contact any Individuals whose records are contained in the Texas HHS Confidential Information, except for an Authorized Purpose, without express written authorization from a Texas HHS agency or as expressly permitted by the Base Contract? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
k. If Applicant/Bidder intends to use, disclose, create, maintain, store or transmit Texas HHS Confidential Information outside of the United States, will Applicant/Bidder obtain the express prior written permission from the Texas HHS agency and comply with the Texas HHS agency conditions for safeguarding offshore Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
l. Does Applicant/Bidder have current written privacy and security policies and procedures that require cooperation with Texas HHS agencies' or federal regulatory inspections, audits or investigations related to compliance with the DUA or applicable law? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
m. Does Applicant/Bidder have current written privacy and security policies and procedures that require appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
n. Does Applicant/Bidder have current written privacy and security policies and procedures that prohibit disclosure of Applicant/Bidder's work product done on behalf of Texas HHS pursuant to the DUA, or to publish Texas HHS Confidential Information without express prior approval of the Texas HHS agency? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
2.
Does Applicant/Bidder have a current Workforce training program? (Yes / No)
Training of Workforce must occur at least once every year, and within 30 days of date of hiring a new Workforce member who will handle Texas HHS Confidential Information. Training must include: (1) privacy and security policies, procedures, plans and applicable requirements for handling Texas HHS Confidential Information, (2) a requirement to complete training before access is given to Texas HHS Confidential Information, and (3) written proof of training and a procedure for monitoring timely completion of training.
Action Plan for Compliance with a Timeline: Compliance Date:
3. Does Applicant/Bidder have Privacy Safeguards to protect Texas HHS Confidential Information in oral, paper and/or electronic form? (Yes / No)
"Privacy Safeguards" means protection of Texas HHS Confidential Information by establishing, implementing and maintaining required Administrative, Physical and Technical policies, procedures, processes and controls, required by the DUA, HIPAA (45 CFR 164.530), Social Security Administration, Medicaid and laws, rules or regulations, as applicable. Administrative safeguards include administrative protections, policies and procedures for matters such as training, provision of access, termination, and review of safeguards, incident management, disaster recovery plans, and contract provisions. Technical safeguards include technical protections, policies and procedures, such as passwords, logging, emergencies, how paper is faxed or mailed, and electronic protections such as encryption of data. Physical safeguards include physical protections, policies and procedures, such as locks, keys, physical access, physical storage and trash.
Action Plan for Compliance with a Timeline: Compliance Date:
4.
Does Applicant/Bidder and all subcontractors (if applicable) maintain a current list of Authorized Users who have access to Texas HHS Confidential Information, whether oral, written or electronic? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:
5. Does Applicant/Bidder and all subcontractors (if applicable) monitor for and remove terminated employees or those no longer authorized to handle Texas HHS Confidential Information from the list of Authorized Users? (Yes / No)
Action Plan for Compliance with a Timeline: Compliance Date:

[...] (to be completed by Applicant/Bidder)

This section is about your electronic system. If your business DOES NOT store, access, or transmit Texas HHS Confidential Information in electronic systems (e.g., laptop, personal use computer, mobile device, database, server, etc.) select the box to the right ("No Electronic Systems"), and "YES" will be entered for all questions in this section.
For any questions answered "No," an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related items is 30 calendar days, PII-related items is 90 calendar days.

1. Does the Applicant/Bidder ensure that services which access, create, disclose, receive, transmit, maintain, or store Texas HHS Confidential Information are maintained IN the United States (no offshoring) unless ALL of the following requirements are met? (Yes / No)
a. The data is encrypted with FIPS 140-2 validated encryption
b. The offshore provider does not have access to the encryption keys
c. The Applicant/Bidder maintains the encryption key within the United States
d.
The Applicant/Bidder has obtained the express prior written permission of the Texas HHS agency
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
2. Does Applicant/Bidder utilize an IT security-knowledgeable person or company to maintain or oversee the configurations of Applicant/Bidder's computing systems and devices? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
3. Does Applicant/Bidder monitor and manage access to Texas HHS Confidential Information (e.g., a formal process exists for granting access and validating the need for users to access Texas HHS Confidential Information, and access is limited to Authorized Users)? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
4. Does Applicant/Bidder a) have a system for changing default passwords, b) require user password changes at least every 90 calendar days, and c) prohibit the creation of weak passwords (e.g., require a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numerals, where possible) for all computer systems that access or store Texas HHS Confidential Information. Yes / No
If yes, upon request must provide evidence such as a screen shot or a system report.
Action Plan for Compliance with a Timeline: Compliance Date:
5. Does each member of Applicant/Bidder's Workforce who will use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information have a unique user name (account) and private password? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
6.
Does Applicant/Bidder lock the password after a certain number of failed attempts and after 15 minutes of user inactivity in all computing devices that access or store Texas HHS Confidential Information? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
7. Does Applicant/Bidder secure, manage and encrypt remote access (including wireless access) to computer systems containing Texas HHS Confidential Information? (e.g., a formal process exists for granting access and validating the need for users to remotely access Texas HHS Confidential Information, and remote access is limited to Authorized Users). Yes / No
Encryption is required for all Texas HHS Confidential Information. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
8. Does Applicant/Bidder implement computer security configurations or settings for all computers and systems that access or store Texas HHS Confidential Information? (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit exploitation opportunities for hackers or intruders, etc.) Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
9. Does Applicant/Bidder secure physical access to computer, paper, or other systems containing Texas HHS Confidential Information from unauthorized personnel and theft (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.)? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
10. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential Information that is transmitted over a public network (e.g., the Internet, WiFi, etc.)? Yes / No
If yes, upon request must provide evidence such as a screen shot or a system report.
Encryption is required for all HHS Confidential Information. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
11. Does Applicant/Bidder use encryption products to protect Texas HHS Confidential Information stored on end user devices (e.g., laptops, USBs, tablets, smartphones, external hard drives, desktops, etc.)? Yes / No
If yes, upon request must provide evidence such as a screen shot or a system report.
Encryption is required for all Texas HHS Confidential Information. Additionally, FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.
For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.gov/publications/fips
Action Plan for Compliance with a Timeline: Compliance Date:
12.
Does Applicant/Bidder require Workforce members to formally acknowledge rules outlining their responsibilities for protecting Texas HHS Confidential Information and associated systems containing HHS Confidential Information before their access is provided? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
13. Is Applicant/Bidder willing to perform or submit to a criminal background check on Authorized Users? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
14. Does Applicant/Bidder prohibit the access, creation, disclosure, reception, transmission, maintenance, and storage of Texas HHS Confidential Information with a subcontractor (e.g., cloud services, social media, etc.) unless Texas HHS has approved the subcontractor agreement which must include compliance and liability clauses with the same requirements as the Applicant/Bidder? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
15. Does Applicant/Bidder keep current on security updates/patches (including firmware, software and applications) for computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
16. Do Applicant/Bidder's computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti-malware and antivirus protection? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
17. Does the Applicant/Bidder review system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
18.
Notwithstanding records retention requirements, does Applicant/Bidder's disposal processes for Texas HHS Confidential Information ensure that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable? Yes / No
Action Plan for Compliance with a Timeline: Compliance Date:
19. Does the Applicant/Bidder ensure that all public facing websites and mobile applications containing Texas HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516; including requirements for implementing vulnerability and penetration testing and addressing identified vulnerabilities? Yes / No
For more information regarding TGC, Section 2054.516 DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS, please refer to: https://legiscan.com/TX/text/HB8/2017
Action Plan for Compliance with a Timeline: Compliance Date:
SECTION D: SIGNATURE AND SUBMISSION (to be completed by Applicant/Bidder)
Please sign the form digitally, if possible. If you can't, provide a handwritten signature.
1. I certify that all of the information provided in this form is truthful and correct to the best of my knowledge. If I learn that any such information was not correct, I agree to notify Texas HHS of this immediately.
2. Signature
3. Title
Date:
To submit the completed, signed form:
• Email the form as an attachment to the appropriate Texas HHS Contract Manager(s).
Section E.
To Be Completed by Texas HHS Agency Staff:
Agency(s): Requesting Department(s): HHSC: DFPS: DSHS:
Legal Entity Tax Identification Number (TIN) (Last four Only):
PO/Contract(s) #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
Contract Manager: Contract Manager Email Address: Contract Manager Telephone #:
THE SECURITY AND PRIVACY INQUIRY (SPI)
Below are instructions for Applicants, Bidders and Contractors for Texas Health and Human Services requiring the Attachment 2, Security and Privacy Inquiry (SPI) to the Data Use Agreement (DUA). Instruction item numbers below correspond to sections on the SPI form.
If you are a bidder for a new procurement/contract, in order to participate in the bidding process, you must have corrected any "No" responses (except A9a) prior to the contract award date. If you are an applicant for an open enrollment, you must have corrected any "No" answers (except A9a and A11) prior to performing any work on behalf of any Texas HHS agency.
For any questions answered "No" (except A9a and A11), an Action Plan for Compliance with a Timeline must be documented in the designated area below the question.
The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date this form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the form is signed.
SECTION A. APPLICANT/BIDDER INFORMATION
Item #1. Only contractors that access, transmit, store, and/or maintain Texas HHS Confidential Information will complete and email this form as an attachment to the appropriate Texas HHS Contract Manager.
Item #2. Entity or Applicant/Bidder Legal Name. Provide the legal name of the business (the name used for legal purposes, like filing a federal or state tax form on behalf of the business, and is not a trade or assumed name "dba"), the legal tax identification number (last four numbers only) of the entity or applicant/bidder, the address of the corporate or main branch of the business, the telephone number where the business can be contacted regarding questions related to the information on this form and the website of the business, if a website exists.
Item #3. Number of Employees, at all locations, in Applicant/Bidder's workforce. Provide the total number of individuals, including volunteers, subcontractors, trainees, and other persons who work for the business. If you are the only employee, please answer "1."
Item #4. Number of Subcontractors. Provide the total number of subcontractors working for the business. If you have none, please answer "0" (zero).
Item #5. Number of unduplicated individuals for whom Applicant/Bidder reasonably expects to handle HHS Confidential Information during one year. Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Texas HHS Confidential Information during a year. Only count clients/consumers once, no matter how many direct services the client receives during a year.
Item #5.
Name of Information Technology Security Official and Name of Privacy Official for Applicant/Bidder. As with all other fields on the SPI, this is a required field. This may be the same person and the owner of the business if such person has the security and privacy knowledge that is required to implement the requirements of the DUA and respond to questions related to the SPI. In 4.A. provide the name, address, telephone number, and email address of the person whom you have designated to answer any security questions found in Section C and in 4.B. provide this information for the person whom you have designated as the person to answer any privacy questions found in Section B. The business may contract out for this expertise; however, designated individual(s) must have knowledge of the business's devices, systems and methods for use, disclosure, creation, receipt, transmission and maintenance of Texas HHS Confidential Information and be willing to be the point of contact for privacy and security questions.
Item #6. Type(s) of HHS Confidential Information the Entity or Applicant/Bidder Will Create, Receive, Maintain, Use, Disclose or Have Access to: Provide a complete listing of all Texas HHS Confidential Information that the Contractor will create, receive, maintain, use, disclose or have access to.
The DUA section Article 2, Definitions, defines Texas HHS Confidential Information as:
"Confidential Information" means any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of Texas HHS that consists of or includes any or all of the following:
(1) Client Information;
(2) Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas and of the United States, including the Texas Health & Safety Code and the Texas Public Information Act, Texas Government Code, Chapter 552.
Definitions for the following types of confidential information can be found at the following sites:
• Health Insurance Portability and Accountability Act (HIPAA) - http://www.hhs.gov/hipaa/index.html
• Criminal Justice Information Services (CJIS) - https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
• Internal Revenue Service Federal Tax Information (IRS FTI) - https://www.irs.gov/pub/irs-pdf/p1075.pdf
• Centers for Medicare & Medicaid Services (CMS) - https://www.cms.gov/Regulations-and-Guidance/Regulations-and-Guidance.html
• Social Security Administration (SSA) - https://www.ssa.gov/regulations/
• Personally Identifiable Information (PII) - http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
Item #7. Number of Storage devices for Texas HHS Confidential Information. The total number of devices is automatically calculated by exiting the fields in lines a - d. Use the <Tab> key when exiting the field to prompt calculation, if it doesn't otherwise sum correctly.
• Item 7a. Devices. Provide the number of personal user computers, devices, and drives (including mobile devices, laptops, USB drives, and external drives) on which your business stores or will store Texas HHS Confidential Information.
• Item 7b. Servers. Provide the number of servers not housed in a data center or "in the cloud," on which Texas HHS Confidential Information is stored or will be stored. A server is a dedicated computer that provides data or services to other computers. It may provide services or data to systems on a local area network (LAN) or a wide area network (WAN) over the Internet. If none, answer "0" (zero).
• Item 7c. Cloud Services. Provide the number of cloud services to which Texas HHS Confidential Information is stored. Cloud Services involve using a network of remote servers hosted on the Internet to store, manage, and process data, rather than on a local server or a personal computer. If none, answer "0" (zero).
• Item 7d. Data Centers. Provide the number of data centers in which you store Texas HHS Confidential Information. A Data Center is a centralized repository, either physical or virtual, for the storage, management, and dissemination of data and information organized around a particular body of knowledge or pertaining to a particular business. If none, answer "0" (zero).
Item #8.
Number of unduplicated individuals for whom the Applicant/Bidder reasonably expects to handle Texas HHS Confidential Information during one year. Select the radio button that corresponds with the number of clients/consumers for whom you expect to handle Confidential Information during a year. Only count clients/consumers once, no matter how many direct services the client receives during a year.
Item #9. HIPAA Business Associate Agreement.
• Item #9a. Answer "Yes" if your business will use, disclose, create, receive, transmit, or store information relating to a client/consumer's healthcare on behalf of the Department of State Health Services, the Department of Disability and Aging Services, or the Health and Human Services Commission for treatment, payment, or operation of Medicaid or Medicaid clients. If your contract does not include HIPAA covered information, respond "no." If "no," a compliance plan is not required.
• Item #9b. Answer "Yes" if your business has a notice of privacy practices (a document that explains how you protect and use a client/consumer's healthcare information) displayed either on a website (if one exists for your business) or in your place of business (if that location is open to clients/consumers or the public). If your contract does not include HIPAA covered information, respond "N/A."
Item #10. Subcontractors. If your business responded "0" to question 4 (number of subcontractors), answer "N/A" to Items 10a and 10b to indicate not applicable.
• Item #10a. Answer "Yes" if your business requires that all subcontractors sign Attachment 1 of the DUA.
• Item #10b. Answer "Yes" if your business obtains Texas HHS approval before permitting subcontractors to handle Texas HHS Confidential Information on your business's behalf.
Item #11. Optional Insurance.
Answer "yes" if applicant has optional insurance in place to provide coverage for a Breach or any other situations listed in this question. If you are not required to have this optional coverage, answer "N/A." A compliance plan is not required.
SECTION B. PRIVACY RISK ANALYSIS AND ASSESSMENT
Reasonable and appropriate written Privacy and Security policies and procedures are required, even for sole proprietors who are the only employee, to demonstrate how your business will safeguard Texas HHS Confidential Information and respond in the event of a Breach of Texas HHS Confidential Information. To ensure that your business is prepared, all of the items below must be addressed in your written Privacy and Security policies and procedures.
Item #1. Answer "Yes" if you have written policies in place for each of the areas (a-o).
• Item #1a. Answer "yes" if your business has written policies and procedures that identify everyone, including subcontractors, who are authorized to use Texas HHS Confidential Information. The policies and procedures should also identify the reason why these Authorized Users need to access the Texas HHS Confidential Information and this reason must align with the Authorized Purpose described in the Scope of Work or description of services in the Base Contract with the Texas HHS agency.
• Item #1b. Answer "Yes" if your business has written policies and procedures that require your employees (including yourself), your volunteers, your trainees, and any other persons whose work you direct, to comply with the requirements of HIPAA, if applicable, and other confidentiality laws as they relate to your handling of Texas HHS Confidential Information.
Refer to the laws and rules that apply, including those referenced in the DUA and Scope of Work or description of services in the Base Contract.
• Item #1c. Answer "Yes" if your business has written policies and procedures that limit the Texas HHS Confidential Information you disclose to the minimum necessary for your workforce and subcontractors (if applicable) to perform the obligations described in the Scope of Work or service description in the Base Contract. (e.g., if a client/consumer's Social Security Number is not required for a workforce member to perform the obligations described in the Scope of Work or service description in the Base Contract, then the Social Security Number will not be given to them.) If you are the only employee for your business, policies and procedures must not include a request for, or use of, Texas HHS Confidential Information that is not required for performance of the services.
• Item #1d. Answer "Yes" if your business has written policies and procedures that explain how your business would respond to an actual or suspected breach of Texas HHS Confidential Information. The written policies and procedures, at a minimum, must include the three items below. If any response to the three items below is no, answer "no."
o Item #1di. Answer "Yes" if your business has written policies and procedures that require your business to immediately notify Texas HHS, the Texas HHS Agency, regulatory authorities, or other required Individuals or Authorities of a Breach as described in Article 4, Section 4 of the DUA. Refer to Article 4, Section 4.01: Initial Notice of Breach must be provided in accordance with Texas HHS and DUA requirements with as much information as possible about the Event/Breach and a name and contact who will serve as the single point of contact with HHS both on and off business hours.
Time frames related to Initial Notice include:
• within one hour of Discovery of an Event or Breach of Federal Tax Information, Social Security Administration Data, or Medicaid Client Information
• within 24 hours of all other types of Texas HHS Confidential Information
48-hour Formal Notice must be provided no later than 48 hours after Discovery for protected health information, sensitive personal information or other non-public information and must include applicable information as referenced in Section 4.01 (C) 2. of the DUA.
o Item #1dii. Answer "Yes" if your business has written policies and procedures that require you to have and follow a written breach response plan as described in Article 4 Section 4.02 of the DUA.
o Item #1diii. Answer "Yes" if your business has written policies and procedures that require you to notify Reporting Authorities and Individuals whose Texas HHS Confidential Information has been breached as described in Article 4 Section 4.03 of the DUA.
• Item #1e. Answer "Yes" if your business has written policies and procedures requiring annual training of your entire workforce on matters related to confidentiality, privacy, and security, stressing the importance of promptly reporting any Event or Breach, and outlining the process that you will use to require attendance and track completion for employees who failed to complete annual training.
• Item #1f. Answer "Yes" if your business has written policies and procedures requiring you to allow individuals (clients/consumers) to access their individual record of Texas HHS Confidential Information, and allow them to amend or correct that information, if applicable.
• Item #1g.
Answer "Yes" if your business has written policies and procedures restricting access to Texas HHS Confidential Information to only persons who have been authorized and trained on how to handle Texas HHS Confidential Information.
• Item #1h. Answer "Yes" if your business has written policies and procedures requiring sanctioning of any subcontractor, employee, trainee, volunteer, or anyone whose work you direct when they have accessed Texas HHS Confidential Information but are not authorized to do so, and that you have a method of proving that you have sanctioned such an individual. If you are the only employee, you must demonstrate how you will document the noncompliance, update policies and procedures if needed, and seek additional training or education to prevent future occurrences.
• Item #1i. Answer "Yes" if your business has written policies and procedures requiring you to update your policies within 60 days after you have made changes to how you use or disclose Texas HHS Confidential Information.
• Item #1j. Answer "Yes" if your business has written policies and procedures requiring you to restrict attempts to take de-identified data and re-identify it or restrict any subcontractor, employee, trainee, volunteer, or anyone whose work you direct, from contacting any individuals for whom you have Texas HHS Confidential Information except to perform obligations under the contract, or with written permission from Texas HHS.
• Item #1k. Answer "Yes" if your business has written policies and procedures prohibiting you from using, disclosing, creating, maintaining, storing or transmitting Texas HHS Confidential Information outside of the United States.
• Item #1l. Answer "Yes" if your business has written policies and procedures requiring your business to cooperate with HHS agencies or federal regulatory entities for inspections, audits, or investigations related to compliance with the DUA or applicable law.
• Item #1m.
Answer "Yes" if your business has written policies and procedures requiring your business to use appropriate standards and methods to destroy or dispose of Texas HHS Confidential Information. Policies and procedures should comply with Texas HHS requirements for retention of records and methods of disposal.
• Item #1n. Answer "Yes" if your business has written policies and procedures prohibiting the publication of the work you created or performed on behalf of Texas HHS pursuant to the DUA, or other Texas HHS Confidential Information, without express prior written approval of the HHS agency.
Item #2. Answer "Yes" if your business has a current training program that meets the requirements specified in the SPI for you, your employees, your subcontractors, your volunteers, your trainees, and any other persons under your direct supervision.
Item #3. Answer "Yes" if your business has privacy safeguards to protect Texas HHS Confidential Information as described in the SPI.
Item #4. Answer "Yes" if your business maintains current lists of persons in your workforce, including subcontractors (if applicable), who are authorized to access Texas HHS Confidential Information. If you are the only person with access to Texas HHS Confidential Information, please answer "yes."
Item #5. Answer "Yes" if your business and subcontractors (if applicable) monitor for and remove from the list of Authorized Users, members of the workforce who are terminated or are no longer authorized to handle Texas HHS Confidential Information. If you are the only one with access to Texas HHS Confidential Information, please answer "Yes."
SECTION C. SECURITY RISK ANALYSIS AND ASSESSMENT
This section is about your electronic systems. If you DO NOT store Texas HHS Confidential Information in electronic systems (e.g., laptop, personal computer, mobile device, database, server, etc.), select the "No Electronic Systems" box and respond "Yes" for all questions in this section.
Item #1.
Answer "Yes" if your business does not "offshore" or use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information outside of the United States. If you are not certain, contact your provider of technology services (application, cloud, data center, network, etc.) and request confirmation that they do not offshore their data.
Item #2. Answer "Yes" if your business uses a person or company who is knowledgeable in IT security to maintain or oversee the configurations of your business's computing systems and devices. You may be that person, or you may hire someone who can provide that service for you.
Item #3. Answer "Yes" if your business monitors and manages access to Texas HHS Confidential Information (i.e., reviews systems to ensure that access is limited to Authorized Users; has formal processes for granting, validating, and reviewing the need for remote access to Authorized Users to Texas HHS Confidential Information, etc.). If you are the only employee, answer "Yes" if you have implemented a process to periodically evaluate the need for accessing Texas HHS Confidential Information to fulfill your Authorized Purposes.
Item #4. Answer "Yes" if your business has implemented a system for changing the password a system initially assigns to the user (also known as the default password), and requires users to change their passwords at least every 90 days, and prohibits the creation of weak passwords for all computer systems that access or store Texas HHS Confidential Information (e.g., a strong password has a minimum of 8 characters with a combination of uppercase, lowercase, special characters, and numbers, where possible).
If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy
Item #5. Answer "Yes" if your business assigns a unique user name and private password to each of your employees, your subcontractors, your volunteers, your trainees and any other persons under your direct control who will use, disclose, create, receive, transmit or maintain Texas HHS Confidential Information.
Item #6. Answer "Yes" if your business locks the access after a certain number of failed attempts to login and after 15 minutes of user inactivity on all computing devices that access or store Texas HHS Confidential Information. If your business uses a Microsoft Windows system, refer to the Microsoft website on how to do this, see example: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy
Item #7. Answer "Yes" if your business secures, manages, and encrypts remote access, such as: using Virtual Private Network (VPN) software on your home computer to access Texas HHS Confidential Information that resides on a computer system at a business location or, if you use wireless, ensuring that the wireless is secured using a password code. If you do not access systems remotely or over wireless, answer "Yes."
Item #8. Answer "Yes" if your business updates the computer security settings for all your computers and electronic systems that access or store Texas HHS Confidential Information to prevent hacking or breaches (e.g., non-essential features or services have been removed or disabled to reduce the threat of breach and to limit opportunities for hackers or intruders to access your system). For example, Microsoft's Windows security checklist: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings
Item #9.
Answer "Yes" if your business secures physical access to computer, paper, or other systems containing Texas HHS Confidential Information from unauthorized personnel and theft (e.g., door locks, cable locks, laptops are stored in the trunk of the car instead of the passenger area, etc.). If you are the only employee and use these practices for your business, answer "Yes." Item #20. Answer "Yes" if your business uses encryption products to protect Texas HHS Confidential Information that is transmitted over a public network (e.g., the Internet, WIFI, etc.) or that is stored on a computer system that is physically or electronically accessible to the public (FIPS 140-2 validated encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data.) For more information regarding FIPS 140-2 encryption products, please refer to: http://csrc.nist.uov/publications/fips). Item #11. Answer "Yes" if your business stores Texas HHS Confidential Information on encrypted end -user electronic devices (e.g., laptops, USBs, tablets, smartphones, external hard drives, desktops, etc.) and can produce evidence of the encryption, such as, a screen shot or a system report (FIPS 140-2 encryption is required for Health Insurance Portability and Accountability Act (HIPAA) data, Criminal Justice Information Services (CJIS) data, Internal Revenue Service Federal Tax Information (IRS FTI) data, and Centers for Medicare & Medicaid Services (CMS) data). For more information regarding FIPS 140-2 validated encryption products, please refer to: http://Csrc.nist.gov/publicationslfips). If you do not utilize end -user electronic devices for storing Texas HHS Confidential Information, answer "Yes." 
SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement -Attachment 2: Page 17 of 18 SECURITY AND PRIVACY INQUIRY (SPI) DocuSign Envelope ID: 025C3ADA-7A4D-46C9-9128-AF03957BA1 ES Item #12. Answer "Yes" if your business requires employees, volunteers, trainees and other workforce members to sign a document that clearly outlines their responsibilities for protecting Texas HHS Confidential Information and associated systems containing Texas HHS Confidential Information before they can obtain access. If you are the only employee answer "Yes" if you have signed or are willing to sign the DUA, acknowledging your adherence to requirements and responsibilities. Item #13. Answer "Yes" if your business is willing to perform a criminal background check on employees, subcontractors, volunteers, or trainees who access Texas HHS Confidential Information. If you are the only employee, answer "Yes" if you are willing to submit to a background check. Item #14. Answer "Yes" if your business prohibits the access, creation, disclosure, reception, transmission, maintenance, and storage of Texas HHS Confidential Information on Cloud Services or social media sites if you use such services or sites, and there is a Texas HHS approved subcontractor agreement that includes compliance and liability clauses with the same requirements as the Applicant/Bidder. If you do not utilize Cloud Services or media sites for storing Texas HHS Confidential Information, answer "Yes." Item #15. Answer "Yes" if your business keeps current on security updates/patches (including firmware, software and applications) for computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating, see example: https.11portal.msrc,microsoft com/en-us/ Item #16. 
Answer "Yes" if your business's computing systems that use, disclose, access, create, transmit, maintain or store Texas HHS Confidential Information contain up-to-date anti-malware and antivirus protection. If you use a Microsoft Windows system, refer to the Microsoft website on how to ensure your system is automatically updating, see example: https://dots. microsoft.com/en-us/windows/security/threat-protection Item #17. Answer "Yes" if your business reviews system security logs on computing systems that access or store Texas HHS Confidential Information for abnormal activity or security concerns on a regular basis. If you use a Microsoft Windows system, refer to the Microsoft website for ensuring your system is logging security events, see example; https://docs.microsoft. com/en-us/windows/security/threat-protection/auditing/basic-security-audit-policies Item #18. Answer "Yes" if your business disposal processes for Texas HHS Confidential Information ensures that Texas HHS Confidential Information is destroyed so that it is unreadable or undecipherable. Simply deleting data or formatting the hard drive is not enough; ensure you use products that perform a secure disk wipe. Please see NIST SP 800-88 R1, Guidelines for Media Sonitizotion and the applicable laws and regulations for the information type for further guidance. Item #19. Answer "Yes" if your business ensures that all public facing websites and mobile applications containing HHS Confidential Information meet security testing standards set forth within the Texas Government Code (TGC), Section 2054.516 SECTION D. SIGNATURE AND SUBMISSION Click on the signature area to digitally sign the document. Email the form as an attachment to the appropriate Texas HHS Contract Manager. SPI Version 2.1 (06/2018) Texas HHS System - Data Use Agreement - Attachment 2: Page 18 of 18 SECURITY AND PRIVACY INQUIRY (SPI)