RFR - Community Partners

More documents

Recommendations

Info

ATTACHMENT B Exhibit 7: Business Associate Confidentiality Agreement I. Definitions All terms used but not otherwise defined in the MassHealth and Commonwealth Care Enrollment Outreach Grant Contract or RFR shall be construed in a manner consistent with the Privacy Rule, the Security Rule, and other applicable state or federal confidentiality or data security laws. (a) Individual. “Individual” shall mean the person who is the subject of the Protected Information, and shall include a person who qualifies as a personal representative in accord with 45 CFR § 164.502 (g). (b) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164. (c) Protected Information (PI). “Protected Information” shall mean any “Personal Data” as defined in M.G.L. c. 66A and any “Protected Health Information,” as defined in the Privacy Rule, that Contractor creates, receives, obtains, uses, maintains, or discloses under this Contract. (d) Required By Law. “Required By Law” shall have the same meaning as used in the Privacy Rule. (e) Secretary. “Secretary” shall mean the Secretary of the US Department of Health and Human Services or the Secretary’s designee. (f) Security Incident. “Security Incident” shall have the same meaning as used in the Security Rule. (g) Security Rule. “Security Rule” shall mean the Security Standards for the Protections of Electronic Protected Health Information, at 45 CFR Parts 160, 162, and 164. II. Contractor’s Obligations (a) Contractor acknowledges that in the performance of this Contract it will become a “Holder” of “Personal Data,” as such terms are used within M.G.L. c. 66A. Contractor agrees that, in a manner consistent with the Privacy Rule and the Security Rule, as applicable, it shall comply with M.G.L. c. 66A and any other applicable state or federal law governing the privacy or security of any data created, received, obtained, used, maintained, or disclosed under this Contract. (b) Contractor acknowledges that in the performance of this Contract it is MassHealth’s Business Associate, as that term is used in the Privacy Rule and Security Rule, and that it shall comply with all standards applicable to a Business Associate under such rules. (c) At all times, Contractor shall recognize MassHealth’s right to control access, use, disclosure, and disposition of all data created, obtained, received, used, maintained, or disclosed under this Contract, including all PI, and any data derived or extracted from such data. (d) Contractor shall not use or disclose PI other than as permitted or required by this MassHealth and Commonwealth Care Outreach Grant Contract or as Required By Law, consistent with the restrictions of 42 CFR 431.306 (f), M.G.L. c. 66A, any other applicable federal or state privacy or security law. RFR for MassHealth and Commonwealth Care Enrollment Outreach Grants 1 FY 2008
(e) Contractor shall ensure that any agent or subcontractor to whom it provides PI received from, or created or received by it on behalf of MassHealth agrees in writing to the same restrictions and conditions that apply to Contractor under this Contract with respect to such information. Contractor is solely responsible for its agents’ and subcontractors’ compliance with all provisions of this MassHealth and Commonwealth Care Enrollment Outreach Grant Contract. Contractor is not relieved of any obligation under this Contract because PI was in the hands of its agent or subcontractor or because its agent or subcontractor failed to fulfill any reporting obligation to it necessary for Contractor to fulfill its reporting obligations hereunder. (f) Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PI. Upon MassHealth’s request, Contractor shall permit representatives of MassHealth access to premises where PI is maintained, created, used, or disclosed for the purpose of inspecting privacy and security arrangements. Such safeguards shall meet, at a minimum, all standards set in the Privacy and Security Rules, as applicable to a business associate. Contractor shall comply with all security mechanisms and processes established for access to any of MassHealth’s databases. Contractor shall protect from inappropriate use or disclosure any password, user ID, or other mechanism or code permitting access to any database containing MassHealth’s PI, and shall give MassHealth prior notice of any change in personnel whenever the change requires a termination or modification of any such password, user ID, or other security mechanism or code to maintain the integrity of the database. (g) Immediately upon becoming aware of any use or disclosure of PI not permitted under this Contract or of any Security Incident, Contractor shall take all appropriate action necessary to: 1) retrieve, to the extent practicable, any PI used or disclosed in the non-permitted manner, 2) mitigate, to the extent practicable, any harmful effect of the non-permitted use or disclosure of the PI known to Contractor, and 3) take such further action as may be required by any applicable state or federal law concerning the privacy and security of such PI. Within two business days of becoming aware of the non-permitted use or disclosure, Contractor shall report to MassHealth, both verbally and in writing, the nature of the nonpermitted use or disclosure, the harmful effects known to Contractor, all actions it has taken or plans to take in accord with this paragraph, and the results of all mitigation actions already taken by it under this paragraph. Upon MassHealth’s request, Contractor shall take such further actions as deemed appropriate by MassHealth to mitigate, to the extent practicable, any harmful effect of the non-permitted use or disclosure. Any actions to mitigate harmful effects of privacy or security violations undertaken by Contractor on its own initiative or pursuant to MassHealth’s request under this paragraph shall not relieve Contractor of its obligations to report such violations as set forth in other provisions of this Contract. (h) Contractor shall immediately report to MassHealth, both verbally and in writing, any instance where PI or any other data obtained under this Contract is requested, subpoenaed, or becomes the subject of a court or administrative order or other legal process. In response to such requests, Contractor shall take all necessary legal steps to comply with M.G.L. c. 66A, Medicaid regulations including 42 CFR 431.306 (f), and any other applicable federal and state law. In no event shall Contractor’s immediate reporting obligations under this paragraph be delayed beyond two business days from obtaining such knowledge or request for data. (i) Contractor shall provide MassHealth, or upon MassHealth’s request, the Individual, with access to or copies of any PI maintained by it, as shall be necessary for MassHealth to meet its obligation under 45 CFR § 164.524 to provide an Individual with access to certain PI pertaining to the Individual. Such access or copies shall be provided to MassHealth or to the Individual at a reasonable time and manner to be specified by MassHealth in the request and as shall be necessary for MassHealth to meet all time and other requirements set forth in 45 CFR § 164.524. In the event Contractor receives a request for access RFR for MassHealth and Commonwealth Care Enrollment Outreach Grants 2 FY 2008
Page 1 and 2: COMMONWEALTH OF MASSACHUSETTS EXECU
Page 3 and 4: SECTION 1. OVERVIEW MassHealth, the
Page 5 and 6: E. A history of learning a new prog
Page 7 and 8: • the name, address, e-mail, fax
Page 9 and 10: 1. Commonwealth of Massachusetts St
Page 11 and 12: Bidders are solely responsible for
Page 13 and 14: 6.5 RFR Inquiries: Bidders may make
Page 15 and 16: enefits with payments directed to d
Page 17: ATTACHMENT B: Mandatory Forms and C
Page 21 and 22: disclosures are Required By Law, or
Page 23 and 24: ATTACHMENT C: BUDGET WORKSHEET (Bid
Page 25 and 26: The Contractor shall not disseminat
Page 27: 15. Independent Contractor The Cont

RFR - Community Partners

Create successful ePaper yourself

Delete template?

Save as template?