Laserfiche WebLink
System Agency Contract No.HHSREV 100001023 <br />protected as required by rule, regulation or law. All electronic data transfer and communications of <br />Confidential Information will be through secure systems. Proof of system, media or device security or <br />Encryption must be produced to System Agency no later than 48 hours after System Agency's written <br />request in response to a compliance investigation, audit or the Discovery of an Event or Breach. <br />Otherwise, requested production of such proof will be made as agreed upon by the parties. De - <br />identification of System Agency Confidential Information is a means of security. With respect to de - <br />identification of PHI, "secure" means de -identified according to H1PAA Privacy standards and regulatory <br />guidance. 45 CFR 164.312; 164.530(d) <br />(Z) Contractor will comply with the following laws and standards if applicable to the type of <br />Confidential Inforneation and Contractor's Authorized Purpose: <br />• Title 1, Part 10, Chapter 202, Subchapter B, Texas Administrative Code; <br />• The Privacy Act of 1974; <br />• OMB Memorandum 07-16; <br />• The Federal Information Security Management Act of 2002 (FISMA); <br />• The Health Insurance Portability and Accountability Act of 1996 (H]PAAas defined in the <br />DUA; <br />• Internal Revenue Publication 1075 — Tax Information Security Guidelines for Federal, State <br />and Local Agencies; <br />• National Institute of Standards and Technology (NIST) Special Publication 800-66 Revision <br />1 — An Introductory Resource Guide for Implementing the Health Insurance Portability and <br />Accountability Act (HIPAA) Security Rule; <br />• NIST Special Publications 800-53 and 800-53A — Recommended Security Controls for <br />Federal Information Systems and Organizations, as currently revised; <br />• NIST Special Publication 800-47 — Security Guide for Interconnecting Information <br />Technology Systems; <br />• NIST Special Publication 800-88, Guidelines for Media Sanitization; <br />• NIST Special Publication 800-111, Guide to Storage of Encryption Technologies for End <br />User Devices containing PHI; and <br />• Any other State or Federal law, regulation, or administrative rule relating to the specific System <br />Agency program area that Contractor supports on behalf of System Agency. <br />ARTICLE 4. BREACH NOTICE, REPORTING AND CORRECTION REQUIREMENTS <br />Section 4.01. Breach or Event Notification to System Agency. 45 CFR 164.400-414 <br />(A) Contractor will cooperate fully with System Agency in investigating, mitigating to the <br />extent practicable and issuing notifications directed by System Agency, for any Event or Breach <br />of Confidential Information to the extent and in the manner determined by System Agency. <br />(B) Contractor's obligation begins at the Discovery of an Event or Breach and continues as <br />long as related activity continues, until all effects of the Event are mitigated to System Agency's <br />satisfaction (the "incident response period"). 45 CFR 164.404 <br />(C) Breach Notice: <br />1. Initial Notice. <br />System Agency Data Use Agreement V.8.3 HIPAA Omnibus Compliant April 1, 2015 <br />Page 6 of 11 <br />