Resolution - 2017-R0174 - Data Usage Agreement With SPAG - 05/11/2017
Resolution No. 2017-R0174
Item No. 6.16
May 11, 2017
RESOLUTION
BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF LUBBOCK:
THAT the Mayor of the City of Lubbock is hereby authorized and directed to
execute for and on behalf of the City of Lubbock, a Data Usage Agreement with the
South Plains Association of Governments - Area Agency on Aging (SPAG) in
connection with the existing agreement between the City of Lubbock and SPAG
regarding DSHS Contract 83124-17-A100 (Direct Purchase of Nutrition and
Transportation Services Agreement). Said Data Usage Agreement is attached hereto and
incorporated in this Resolution as if fully set forth herein and shall be included in the
minutes of the Council.
Passed by the City Council this May 11, 2017.
DANIEL M. POPE, MAYOR
ATTEST:
Rebecca Garza, City Secretary
APPROVED AS TO CONTENT:
...get R. Faulkenberry, Parks and Recreation Director
APPROVED AS TO FORM:
Resolution No. 2017-R0174
DATA USE AGREEMENT
BETWEEN THE
SOUTH PLAINS ASSOCIATION OF GOVERNMENTS
AND
CITY OF LUBBOCK ("CONTRACTOR")
This Data Use Agreement ("DUA"), effective as of the Base Contract ("Effective Date"), is entered
into by and between the SOUTH PLAINS ASSOCIATION OF GOVERNMENTS (SPAG) and CITY OF
LUBBOCK ("CONTRACTOR"), and incorporated into the terms of the following Base Contract, in
Lubbock County, Texas:
83124-17-A100 — Direct Purchase of Nutrition and Transportation Services Agreement
ARTICLE 1. PURPOSE; APPLICABILITY; ORDER OF PRECEDENCE
The purpose of this DUA is to facilitate creation, receipt, maintenance, use, disclosure or access to
Confidential Information with CONTRACTOR, and describe CONTRACTOR's rights and obligations
with respect to the Confidential Information and the limited purposes for which this CONTRACTOR may
create, receive, maintain, use, disclose or have access to Confidential Information. 45 CFR
164.504(e)(1)-(3) This DUA also describes SPAG's remedies in the event of CONTRACTOR's
noncompliance with its obligations under this DUA. This DUA applies to both Business Associates and
contractors who are not Business Associates who create, receive, maintain, use, disclose or have access to
Confidential Information on behalf of SPAG, its programs or clients as described in the Base Contract.
As of the Effective Date of this DUA, if any provision of the Base Contract, including any General
Provisions or Uniform Terms and Conditions, conflicts with this DUA, this DUA controls. This DUA is
intended to apply only to Confidential Information that CONTRACTOR handles in performing services
provided under the Base Contract.
ARTICLE 2. DEFINITIONS
For the purposes of this DUA, capitalized, underlined terms have the meanings set forth in the
following: Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (42 U.S.C.
§ 1320d, et seq.) and regulations thereunder in 45 CFR Parts 160 and 164, including all amendments,
regulations and guidance issued thereafter; The Social Security Act, including Section 1137 (42 U.S.C. §§
1320b-7), Title XVI of the Act; The Privacy Act of 1974, as amended by the Computer Matching and
Privacy Protection Act of 1988, 5 U.S.C. § 552a and regulations and guidance thereunder; Internal Revenue
Code, Title 26 of the United States Code and regulations and publications adopted under that code,
including IRS Publication 1075; OMB Memorandum 07-18; Texas Business and Commerce Code Ch. 521;
Texas Government Code, Ch. 552, and Texas Government Code § 2054.1125. In addition, the following
terms in this DUA are defined as follows:
"Authorized Purpose" means the specific purpose or purposes described in the Scope of Work of
the Base Contract for CONTRACTOR to fulfill its obligations under the Base Contract, or any other
purpose expressly authorized by SPAG in writing in advance.
SPAG Data Use Agreement V.1 HIPPA Omnibus Compliant April 2017
GOVERNMENTAL ENTITY VERSION - CITY OF LUBBOCK
SPAG Agreement No. 83124-17-A100
"Authorized User" means a Person:
(1) Who is authorized to create, receive, maintain, have access to, process, view, handle, examine, interpret,
or analyze Confidential Information pursuant to this DUA;
(2) For whom CONTRACTOR warrants and represents has a demonstrable need to create, receive,
maintain, use, disclose or have access to the Confidential Information; and
(3) Who has agreed in writing to be bound by the disclosure and use limitations pertaining to the
Confidential Information as required by this DUA.
"Confidential Information" means any communication or record (whether oral, written, electronically stored
or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR
may create, receive, maintain, use, disclose or have access to on behalf of SPAG that consists of or includes any
or all of the following:
(1) Client Information;
(2) Protected Health Information (PHI) in any form including without limitation, Electronic
Protected Health Information or Unsecured Protected Health Information;
(3) Sensitive Personal Information defined by Texas Business and Commerce Code Ch. 521;
(4) Federal Tax Information;
(5) Personally Identifiable Information;
(6) Social Security Administration Data, including, without limitation, Medicaid information;
(7) All privileged work product;
(8) All information designated as confidential under the constitution and laws of the State of Texas
and of the United States, including the Texas Health & Safety Code and the Texas Public
Information Act, Texas Government Code, Chapter 552.
"Legally Authorized Representative" of the Individual, as defined by Texas Law, including as provided in 45
CFR 435.923 (Medicaid); 45 CFR 164.502(g)(1) (HIPAA); Tex. Occ. Code § 151.002(6); Tex. H. & S. Code §
166.164; Estates Code Ch. 752 and Texas Prob. Code §3.
ARTICLE 3. CONTRACTOR'S DUTIES REGARDING CONFIDENTIAL INFORMATION
Section 3.01 Obligations of CONTRACTOR
CONTRACTOR agrees that:
(A) CONTRACTOR will exercise reasonable care and no less than the same degree of care CONTRACTOR
uses to protect its own confidential, proprietary and trade secret information to prevent any portion of the
Confidential Information from being used in a manner that is not expressly an Authorized Purpose under this
DUA or as Required by Law. 45 CFR 164.502(b)(1); 45 CFR 164.514(d)
(B) CONTRACTOR will not, without SPAG's prior written consent, disclose or allow access to any portion
of the Confidential Information to any Person or any other entity, other than Authorized User's Workforce or
Subcontractors of CONTRACTOR who have completed training in confidentiality, privacy, security and the
importance of promptly reporting any Event or Breach to CONTRACTOR'S management, to carry out the
Authorized Purpose or as Required by Law.
SPAG, at its election, may assist CONTRACTOR in training and education on specific or unique
SPAG processes, systems and/or requirements. CONTRACTOR will produce evidence of completed
training to SPAG upon request. 45 C.F.R. 164.308(a)(5)(1); Texas Health Safety Code §181.01
(C) CONTRACTOR will establish, implement and maintain appropriate sanctions against any
member of its Workforce or Subcontractor who fails to comply with this DUA, the Base Contract or
applicable law. CONTRACTOR will maintain evidence of sanctions and produce it to SPAG upon request.
45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e); 164.410(b);164.530(b)(1)
(D) CONTRACTOR will not, except as otherwise permitted by this DUA, disclose or provide
access to any Confidential Information on the basis that such act is Required by Law without notifying
either SPAG or CONTRACTOR's own legal counsel to determine whether CONTRACTOR should object
to the disclosure or access and seek appropriate relief. CONTRACTOR will maintain an accounting of all
such requests for disclosure and responses and provide such accounting to SPAG within 48 hours of
SPAG's request. 45 CFR 164.504(e)(2)(ii)(A)
(E) CONTRACTOR will not attempt to re-identify or further identify Confidential Information
or De-identified Information, or attempt to contact any individuals whose records are contained in the
Confidential Information, except for an Authorized Purpose, without express written authorization from
SPAG or as expressly permitted by this Base Contract. 45 CFR 164.502(d)(2)(i) and (ii) CONTRACTOR
will not engage in prohibited marketing or sale of Confidential Information. 45 CFR 164.501,
164.508(a)(3) and (4); Texas Health & Safety Code Ch. 181.002
(F) CONTRACTOR will not permit, or enter into any agreement with a Subcontractor to,
create, receive, maintain, use, disclose, have access to or transmit Confidential Information, on behalf of
CONTRACTOR without requiring that Subcontractor first execute the Form Subcontractor Agreement,
Attachment 1, which ensures that the Subcontractor will comply with the identical terms, conditions,
safeguards and restrictions as contained in this DUA for PHI and any other relevant Confidential
Information and which permits more strict limitations; 45 CFR 164.502(e)(1)(1)(ii); 164.504(e)(1)(i) and
(2)
(G) CONTRACTOR is directly responsible for compliance with and enforcement of, all
conditions for creation, maintenance, use, disclosure, transmission and Destruction of Confidential
Information and the acts or omissions of Subcontractors as may be reasonably necessary to prevent
authorized use. 45 CFR 164.504(e)(5); 42 CFR 431.300, et seq.
(H) If CONTRACTOR maintains PHI in a Designated Record Set, CONTRACTOR will make
PHI available to SPAG in a Designated Record Set or, as directed by SPAG, provide PHI to the Individual,
or Legally Authorized Representative of the Individual who is requesting PHI in compliance with the
requirements of the HIPAA Privacy Regulations. CONTRACTOR will make other Confidential
Information in CONTRACTOR's possession available pursuant to the requirements of HIPAA or other
applicable law upon a determination of a Breach of Unsecured PHI as defined in HIPAA. 45 CFR 164.524
and 164.504(e)(2)(ii)(E)
(I) CONTRACTOR will make PHI as required by HIPAA available for amendment and
incorporate any amendments to this information that SPAG directs or agrees to pursuant to the HIPAA.
45 CFR 164.504(e)(2)(ii)(E) and (F)
(J) CONTRACTOR will document and make available to SPAG the PHI required to provide
access, an accounting of disclosures or amendment in compliance with the requirements of the HIPAA
Privacy Regulations. 45 CFR 164.504(e)(2)(ii)(G) and 164.528
(K) If CONTRACTOR receives a request for access, amendment or accounting of PHI from
an individual with a right of access to information subject to this DUA, it will respond to such request in
compliance with HIPAA Privacy Regulations. CONTRACTOR will maintain an accounting of all
responses to request for access to or amendment of PHI and provide it to SPAG within 48 hours of SPAG's
request. 45 CFR 164.504(e)(2)
(L) CONTRACTOR will provide, and will cause its Subcontractors and agents to provide, to
SPAG periodic written certifications of compliance with controls and provisions relating to information
privacy, security and breach notification, including without limitation information related to data transfers
and the handling and disposal of Confidential Information. 45 CFR 164.308, 164.530(c); 1 TA 202
(M) Except as otherwise limited by this DUA, the Base Contract, or law applicable to the
Confidential Information, CONTRACTOR may use or disclose PHI for the proper management and
administration of CONTRACTOR or to carry out CONTRACTOR's legal responsibilities if: 45 CFR
164.504(e) (ii) (1) (A)
(1) Disclosure is Required by Law, provided that CONTRACTOR complies with Section
3.01(D);
(2) CONTRACTOR obtains reasonable assurances from the Person to whom the information
is disclosed that the Person will:
(a) Maintain the confidentiality of the Confidential Information in accordance with this DUA;
(b) Use or further disclose the information only as Required by Law or for the Authorized Purpose
for which it was disclosed to the Person; and
(c) Notify CONTRACTOR in accordance with Section 4.01 of any Event or Breach of Confidential
Information of which the Person discovers or should have discovered with the exercise of
reasonable diligence. 45 CFR 164.504(e)(4)(ii)(B)
(N) Except as otherwise limited by this DUA, CONTRACTOR will, if requested by SPAG,
use PHI to provide data aggregation services to SPAG, as that term is defined in the HIPAA. 45 C.F.R. §
164.501 and permitted by HIPAA. 45 CFR 164.504(e)(2)(i)(B)
(O) CONTRACTOR will, on the termination or expiration of this DUA or the Base Contract,
at its expense, return to SPAG or Destroy, at SPAG's election, and to the extent reasonably feasible and
permissible by law, all Confidential Information received from SPAG or created or maintained by
CONTRACTOR or any of CONTRACTOR's agents or Subcontractors on SPAG's behalf if that data
contains Confidential Information. CONTRACTOR will certify in writing to SPAG that all the
Confidential Information that has been created, received, maintained, used by or disclosed to
CONTRACTOR, has been Destroyed or returned to SPAG, and that CONTRACTOR and its agents and
Subcontractors have retained no copies thereof. Notwithstanding the foregoing, CONTRACTOR
acknowledges and agrees that it may not Destroy any Confidential Information if federal or state law, or
SPAG record retention policy or a litigation hold notice prohibits such Destruction. If such return or
Destruction is not reasonably feasible, or is impermissible by law, CONTRACTOR will immediately notify
SPAG of the reasons such return or Destruction is not feasible, and agree to extend indefinitely the
protections of this DUA to the Confidential Information and limit its further uses and disclosures to the
purposes that make the return of the Confidential Information not feasible for as long as CONTRACTOR
maintains such Confidential Information. 45 CFR 164.504(e)(2)(ii)(J)
(P) CONTRACTOR will create, maintain, use, disclose, transmit or Destroy Confidential
Information in a secure fashion that protects against any reasonably anticipated threats or hazards to the
security or integrity of such information uses. 45 CFR 164.306, 164.530(c)
(Q) If CONTRACTOR accesses, transmits, stores, and/or maintains Confidential Information,
CONTRACTOR will complete and return to SPAG at aaareports@spag.org the HHS information security
and privacy initial inquiry (SPI) at Attachment 2. The SPI identifies basic privacy and security controls
with which CONTRACTOR must comply to protect SPAG Confidential Information. CONTRACTOR
will comply with periodic security controls compliance assessment and monitoring by SPAG as required
by state and federal law, based on the type of Confidential Information CONTRACTOR creates, receives,
maintains, uses, discloses or has access to and the Authorized Purpose and level of risk. CONTRACTOR's
security controls will be based on the National Institute of Standards and Technology (NIST) Special
Publication 800-53. CONTRACTOR will update its security controls assessment whenever there are
significant changes in security controls for SPAG Confidential Information and will provide the updated
document to SPAG. SPAG also reserves the right to request updates as needed to satisfy state and federal
monitoring requirements. 45 CFR 164.306
(R) CONTRACTOR will establish, implement and maintain any and all appropriate
procedural, administrative, physical and technical safeguards to preserve and maintain the confidentiality,
integrity and availability of the Confidential Information, and with respect to PHI, as described in the
HIPAA Privacy and Security Regulations, or other applicable laws or regulations relating to Confidential
Information, to prevent any unauthorized use or disclosure of Confidential Information as long as
CONTRACTOR has such Confidential Information in its actual or constructive possession. 45 CFR
164.308 (administrative safeguards); 164.310 (physical safeguards); 164.312 (technical safeguards);
164.530 (c) (privacy safeguards)
(S) CONTRACTOR will designate and identify, subject to SPAG approval, a Person or
Persons, as Privacy Official 45 CFR 164.530 (a)(1) and Information Security Official, each of whom is
authorized to act on behalf of CONTRACTOR and is responsible for the development and implementation
of the privacy and security requirements in this DUA. CONTRACTOR will provide name and current
address, phone number and e-mail address for such designated officials to SPAG upon execution of this
DUA and prior to any change. 45 CFR 164.308(a)(2)
(T) CONTRACTOR represents and warrants that its Authorized Users each have a
demonstrated need to know and have access to Confidential Information solely to the minimum extent
necessary to accomplish the Authorized Purpose pursuant to this DUA and the Base Contract, and further
that each has agreed in writing to be bound by the disclosure and use limitations pertaining to the
Confidential Information contained in this DUA. 45 CFR 264.502, 264.514(d)
(U) CONTRACTOR and its Subcontractors will maintain an updated, complete, accurate and
numbered list of Authorized Users, their signatures, titles and the date they agreed to be bound by the terms
of this DUA, at all times and supply it to SPAG, as directed, upon request.
(V) CONTRACTOR will implement, update as necessary, and document reasonable and
appropriate policies and procedures for privacy, security and Breach of Confidential Information and an
incident response plan for an Event or Breach, to comply with the privacy, security and breach notice
requirements of this DUA prior to conducting work under the DUA. 45 CFR 164.308, 164.316; 164.514(d);
164.530(i) (1)
(W) CONTRACTOR will produce copies of its information security and privacy policies and
procedures and records relating to the use or disclosure of Confidential Information received from, created
by, or received, used or disclosed by CONTRACTOR on behalf of SPAG for SPAG's review and approval
within 30 days of execution of this DUA and upon request by SPAG the following business day or other
agreed upon time frame. 45 CFR 164.308, 164.514(d)
(X) CONTRACTOR will make available to SPAG any information SPAG requires to fulfill
SPAG's obligations to provide access to, or copies of, PHI in accordance with HIPAA and other applicable
laws and regulations relating to Confidential Information. CONTRACTOR will provide such information
in a time and manner reasonably agreed upon or as designated by HHS, or other federal or state law. 45
CFR 164.504(e)(2)(1)(1)
(Y) CONTRACTOR will only conduct secure transmissions of Confidential Information
whether in paper, oral or electronic form. A secure transmission of electronic Confidential Information in
motion includes secure File Transfer Protocol (SFTP) or Encryption at an appropriate level or otherwise
protected as required by rule, regulation or law. Confidential Information at rest requires Encryption unless
there is adequate administrative, technical, and physical security, or as otherwise protected as required by
rule, regulation or law. All electronic data transfer and communications of Confidential Information will
be through secure systems. Proof of system, media or device security and/or Encryption must be produced
to SPAG no later than 48 hours after SPAG's written request in response to a compliance investigation,
audit or the Discovery of an Event or Breach. Otherwise, requested production of such proof will be made
as agreed upon by the parties. De-identification of Confidential Information is a means of security. With
respect to de-identification of PHI "secure" means de-identified according to HIPAA Privacy standards and
regulatory guidance. 45 CFR 164.312; 164.530(d)
(Z) CONTRACTOR will comply with the following laws and standards if applicable to the
type of Confidential Information and Contractor's Authorized Purpose:
• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code;
• The Privacy Act of 1974;
• OMB Memorandum 07-16;
• The Federal Information Security Management Act of 2002 (FISMA);
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as defined in the
DUA;
• Internal Revenue Publication 1075 — Tax Information Security Guidelines for Federal, State
and Local Agencies;
• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision 1
— An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule;
• NIST Special Publications 800-53 and 800-53A — Recommended Security Controls for Federal
Information Systems and Organizations, as currently revised;
• NIST Special Publication 800-47 — Security Guide for Interconnecting Information
Technology Systems;
• NIST Special Publication 800-88, Guidelines for Media Sanitization;
• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End User
Devices containing PHI; and
• Any other State or Federal law, regulation, or administrative rule relating to the specific SPAG
program area that CONTRACTOR supports on behalf of SPAG.
ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS
Section 4.01. Breach or Event Notification to SPAG. 45 CFR 164.400-414
(A) CONTRACTOR will cooperate fully with SPAG in investigating, mitigating to the extent
practical and issuing notifications directed by SPAG, for any Event or Breach of Confidential Information
to the extent and in the manner determined by SPAG.
(B) CONTRACTOR'S obligation begins at the Discovery of an Event or Breach and continues
as long as related activity continues, until all effects of the Event are mitigated to SPAG's satisfaction (the
"incident response period"). 45 CFR 164.404
(C) Breach Notice:
1. Initial Notice.
a. For federal information, including without limitation, Federal Tax Information, Social Security
Administration Data, and Medicaid Client Information, within the first, consecutive clock hour of
Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery or
in a timeframe otherwise approved by SPAG in writing, initially report to SPAG Administration via email
at: aaareports@spag.org; and IRS Publication 1075; Privacy Act of 1974, as amended by the Computer
Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandum 07-16 as cited in
HHSC-CMS Contracts for information exchange.
b. Report all information reasonably available to CONTRACTOR about the Event or Breach of the
privacy or security of Confidential Information. 45 CFR 264.410
c. Name, and provide contact information to SPAG for, CONTRACTOR's single point of contact
who will communicate with SPAG both on and off business hours during the incident response period.
2. 48-Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a
time within which Discovery reasonably should have been made by CONTRACTOR of an Event or Breach
of Confidential Information, provide formal notification to the SPAG, including all reasonably available
information about the Event or Breach, and CONTRACTOR's investigation, including without limitation
and to the extent available: For (a) — (m) below: 45 CFR 164.400-414
a. The date the Event or Breach occurred;
b. The date of CONTRACTOR's and, if applicable, Subcontractor's Discovery;
c. A brief description of the Event or Breach, including how it occurred and who is responsible (or
hypotheses, if not yet determined);
d. A brief description of CONTRACTOR's investigation and the status of the investigation;
e. A description of the types and amount of Confidential Information involved;
f. Identification of and number of all Individuals reasonably believed to be affected, including first
and last name of the individual and, if applicable, the Legally Authorized Representative, last known address,
age, telephone number, and email address if it is a preferred contact method, to the extent known or can be
reasonably determined by CONTRACTOR at that time;
g. CONTRACTOR's initial risk assessment of the Event or Breach demonstrating whether
individual or other notices are required by applicable law or this DUA for SPAG approval, including an
analysis of whether there is a low probability of compromise of the Confidential Information or whether
any legal exceptions to notification apply;
h. CONTRACTOR's recommendation for SPAG's approval as to the steps Individuals and/or
CONTRACTOR on behalf of individuals, should take to protect the Individuals from potential harm,
including without limitation CONTRACTOR's provision of notifications, credit protection, claims
monitoring, and any specific protections for a Legally Authorized Representative to take on behalf of an
Individual with special capacity or circumstances;
i. The steps CONTRACTOR has taken to mitigate the harm or potential harm caused (including
without limitation the provision of sufficient resources to mitigate);
j. The steps CONTRACTOR has taken, or will take, to prevent or reduce the likelihood of recurrence
of a similar Event or Breach;
k. Identify, describe or estimate of the Persons, Workforce, Subcontractor, or Individuals and any
law enforcement that may be involved in the Event or Breach;
l. A reasonable schedule for CONTRACTOR to provide regular updates to the foregoing in the
future for response to the Event or Breach, but no less than every three (3) business days or as otherwise
directed by SPAG, including information about risk estimations, reporting, notification, if any, mitigation,
corrective action, root cause analysis and when such activities are expected to be completed; and
m. Any reasonably available, pertinent information, documents or reports related to an Event or
Breach that SPAG requests following Discovery.
Section 4.02 Investigation, Response and Mitigation. For A-F below: 45 CFR 164.308, 310 and 312;
164.530
(A) CONTRACTOR will immediately conduct a full and complete investigation, respond to
the Event or Breach, commit necessary and appropriate staff and resources to expeditiously respond and
report as required to and by SPAG for incident response purposes and for purposes of SPAG's compliance
with report and notification requirements, to the satisfaction of SPAG.
(B) CONTRACTOR will complete or participate in a risk assessment as directed by SPAG
following an Event or Breach, and provide the final assessment, corrective actions and mitigations to SPAG
for review and approval.
(C) CONTRACTOR will fully cooperate with SPAG to respond to inquiries and/or
proceedings by state and federal authorities, Persons and/or Individuals about the Event or Breach.
(D) CONTRACTOR will fully cooperate with SPAG's efforts to seek appropriate injunctive
relief or otherwise prevent or curtail such Event or Breach, or to recover or protect any Confidential
Information, including complying with reasonable corrective action or measures, as specified by SPAG in
a Corrective Action Plan if directed by SPAG under the Base Contract.
Section 4.03 Breach Notification to Individuals and Reporting to Authorities, Tex Bus. & Comm.
Code §521.053; 45 CFR 164.404 (Individuals), 164.406 (Media); 164.408 (Authorities)
(A) SPAG may direct CONTRACTOR to provide Breach notification to Individuals,
regulators or third-parties, as specified by SPAG following a Breach.
(B) CONTRACTOR must obtain SPAG's prior written approval of the time, manner and
content of any notification to Individuals, regulators or third-parties, or any notice required by other state
or federal authorities. Notice letters will be in CONTRACTOR's name and on CONTRACTOR's
letterhead, unless otherwise directed by SPAG, and will contain contact information, including the name
and title of CONTRACTOR's representative, an email address and a toll-free telephone number, for the
Individual to obtain additional information.
(C) CONTRACTOR will provide SPAG with copies of distributed and approved
communications.
(D) CONTRACTOR will have the burden of demonstrating to the satisfaction of SPAG that
any notification required by SPAG was timely made. If there are delays outside of CONTRACTOR's
control, CONTRACTOR will provide written documentation of the reasons for the delay.
(E) If SPAG delegates notice requirements to CONTRACTOR, SPAG shall, in the time and
manner reasonably requested by CONTRACTOR, cooperate and assist with CONTRACTOR's
information requests in order to make such notifications and reports.
ARTICLE 5. SCOPE OF WORK
Scope of Work means the services and deliverables to be performed or provided by
CONTRACTOR, or on behalf of CONTRACTOR by its Subcontractors or agents for SPAG that are
described in detail in the Base Contract. The Scope of Work, including any future amendments thereto, is
incorporated by reference in this DUA as if set out word-for-word herein.
ARTICLE 6. GENERAL PROVISIONS
Section 6.01 Ownership of Confidential Information
CONTRACTOR acknowledges and agrees that the Confidential Information is and will remain the
property of SPAG. CONTRACTOR agrees it acquires no title or rights to the Confidential Information.
Section 6.02 SPAG Commitment and Obligations
SPAG will not request CONTRACTOR to create, maintain, transmit, use or disclose PHI in any
manner that would not be permissible under applicable law if done by SPAG.
Section 6.03 SPAG Right to Inspection
At any time upon reasonable notice to CONTRACTOR, or if SPAG determines that
CONTRACTOR has violated this DUA, SPAG, directly or through its agent, will have the right to inspect
the facilities, systems, books and records of CONTRACTOR to monitor compliance with this DUA.
Section 6.04 Term, Termination of DUA; Survival
This DUA will be effective on the date on which CONTRACTOR executes the DUA, and will
terminate upon termination of the Base Contract and as set forth herein. If the Base Contract is extended
or amended, this DUA is updated automatically concurrent with such extension or amendment.
(A) SPAG may immediately terminate this DUA and Base Contract upon a material violation
of this DUA.
(B) Termination or Expiration of this DUA will not relieve CONTRACTOR of its obligation
to return or Destroy the Confidential Information as set forth in this DUA and to continue to safeguard the
Confidential Information until such time as determined by SPAG.
(C) If SPAG determines that CONTRACTOR has violated a material term of this DUA, SPAG
may in its sole discretion:
1. Exercise any of its rights including but not limited to reports, access and inspection under
this DUA and/or the Base Contract; or
2. Require CONTRACTOR to submit to a corrective action plan, including a plan for
monitoring and plan for reporting, as SPAG may determine necessary to maintain
compliance with this DUA; or
3. Provide CONTRACTOR with a reasonable period to cure the violation as determined by
SPAG; or
4. Terminate the DUA and Base Contract immediately, and seek relief in a court of
competent jurisdiction in Lubbock County, Texas.
Before exercising any of these options, SPAG will provide written notice to
CONTRACTOR describing the violation and the action it intends to take.
(D) If neither termination nor cure is feasible, SPAG shall report the violation to HHS.
(E) The duties of CONTRACTOR or its Subcontractor under this DUA survive the expiration
or termination of this DUA until all the Confidential Information is Destroyed or returned to SPAG, as
required by this DUA.
Section 6.05 Governing Law, Venue and Litigation
SPAG Data Use Agreement V.1 HIPPA Omnibus Compliant April 2017
(A) The validity, construction and performance of this DUA and the legal relations among the
Parties to this DUA will be governed by and construed in accordance with the laws of the State of Texas.
(B) The Parties agree that the courts of Lubbock County, Texas, will be the exclusive venue
for any litigation, special proceeding or other proceeding as between the parties that may be brought, or
arise out of, or in connection with, or by reason of this DUA.
Section 6.06 Injunctive Relief
(A) CONTRACTOR acknowledges and agrees that SPAG may suffer irreparable injury if
CONTRACTOR or its Subcontractor fail to comply with any of the terms of this DUA with respect to the
Confidential Information or a provision of HIPAA or other laws or regulations applicable to Confidential
Information.
(B) CONTRACTOR further agrees that monetary damages may be inadequate to compensate
SPAG for CONTRACTOR's or its Subcontractor's failure to comply. Accordingly, CONTRACTOR
agrees that SPAG will, in addition to any other remedies available to it by law or in equity, be entitled to
seek injunctive relief without posting a bond and without the necessity of demonstrating actual damages,
to enforce the terms of this DUA.
Section 6.07 Insurance
(A) CONTRACTOR represents and warrants that it maintains either self-insurance or
commercial insurance with policy limits sufficient to cover any liability arising from any acts or omissions
by CONTRACTOR or its employees, directors, officers, Subcontractors, or agents or other members of its
Workforce under this DUA. CONTRACTOR warrants that SPAG will be a loss payee and beneficiary for
any such claims.
(B) CONTRACTOR will provide SPAG with written proof that required insurance coverage
is in effect, at the request of SPAG.
Section 6.08 Fees and Costs
Except as otherwise specified in this DUA or the Base Contract, including but not limited to
requirements to insure and/or indemnify SPAG, if any legal action or other proceeding is brought for the
enforcement of this DUA, or because of an alleged dispute, contract violation, Event, Breach, default,
misrepresentation, or injunctive action, in connection with any of the provisions of this DUA, each party
will bear their own legal expenses and the other cost incurred in that action or proceeding.
Section 6.09 Entirety of the Contract
This Data Use Agreement is incorporated by reference into the Base Contract and, together with the Base
Contract, constitutes the entire agreement between the parties. No change, waiver, or discharge of
obligations arising under those documents will be valid unless in writing and executed by the party against
whom such change, waiver, or discharge is sought to be enforced.
Section 6.10 Automatic Amendment and Interpretation
Upon the effective date of any amendment or issuance of additional regulations to HIPAA, or any
other law applicable to Confidential Information, this DUA will automatically be amended so that the
obligations imposed on SPAG and/or CONTRACTOR remain in compliance with such requirements. Any
ambiguity in this DUA will be resolved in favor of a meaning that permits SPAG and CONTRACTOR to
comply with HIPAA or any other law applicable to Confidential Information.
ARTICLE 7. AUTHORITY TO EXECUTE
The Parties have executed this DUA in their capacities as stated below with authority to bind their
organizations on the dates set forth by their signatures.
IN WITNESS HEREOF, SPAG and CONTRACTOR have each caused this DUA to be signed and
delivered by its duly authorized representative.
SOUTH PLAINS ASSOCIATION
OF GOVERNMENTS
AREA AGENCY ON AGING
NAME: Tim C. Price
TITLE: Executive Director
DATE:
THE CITY OF LUBBOCK, TEXAS
NAME: Daniel M. Pope
TITLE: Mayor
DATE: May 11, 2017
ATTEST:
Rebecca Garza,
City Secretary
APPROVED AS TO CONTENT:
Bridget R. Faulkenberry,
Parks & Recreation Director
ATTACHMENT 1. Subcontractor Agreement Form
SPAG AGREEMENT NUMBER 83124-17-A100
The DUA between SPAG and CONTRACTOR establishes the permitted and required uses and
disclosures of Confidential Information by CONTRACTOR.
CONTRACTOR has subcontracted with South Plains Association of Governments Area Agency on
Aging (SUBCONTRACTOR) for performance of duties on behalf of CONTRACTOR which are subject to
the DUA. SUBCONTRACTOR acknowledges, understands and agrees to be bound by the identical
terms and conditions applicable to CONTRACTOR under the DUA, incorporated by reference in this
Agreement, with respect to HHS Confidential Information. CONTRACTOR and SUBCONTRACTOR
agree that HHS is a third-party beneficiary to applicable provisions of the subcontract.
HHS has the right but not the obligation to review or approve the terms and conditions of the subcontract
by virtue of this Subcontractor Agreement Form.
CONTRACTOR and SUBCONTRACTOR assure HHS that any Breach or Event as defined by the DUA
that SUBCONTRACTOR Discovers will be reported to HHS by CONTRACTOR in the time, manner
and content required by the DUA.
If CONTRACTOR knows or should have known in the exercise of reasonable diligence of a pattern of
activity or practice by SUBCONTRACTOR that constitutes a material breach or violation of the DUA or
the SUBCONTRACTOR's obligations, CONTRACTOR will:
1. Take reasonable steps to cure the violation or end the violation, as applicable;
2. If the steps are unsuccessful, terminate the contract or arrangement with SUBCONTRACTOR, if
feasible;
3. Notify HHS immediately upon discovery of the pattern of activity or practice of
SUBCONTRACTOR that constitutes a material breach or violation of the DUA and keep HHS
reasonably and regularly informed about steps CONTRACTOR is taking to cure or end the
violation or terminate SUBCONTRACTOR's contract or arrangement.
This Subcontractor Agreement Form is executed by the parties in their capacities indicated below.
CONTRACTOR
BY:
SUBCONTRACTOR
BY:
NAME: TIM C. PIERCE NAME:
TITLE: EXECUTIVE DIRECTOR TITLE:
DATE: DATE: