Laserfiche WebLink
System Agency Contract No.HHSREV 100001023 <br />a. For federal information, including without limitation, Federal Tax Information Social Security <br />Administration Data, and Medicaid Client Information, within the first, consecutive clock hour <br />of Discovery, and for all other types of Confidential Information not more than 24 hours after <br />Discovery, or in a timeframe otherwise approved by System Agency in writing, initially report to <br />System Agency's Privacy and Security Officers via email at: privacyASystem <br />AgencyC.state.tx.us and to the System Agency division responsible for this DUA; and IRS <br />Publication 1075; Privacy Act of 1974, as amended by the Computer Matching and Privacy <br />Protection Act of 1988, 5 U.S.C. § 552a; OMB Memorandunt 07-16 as cited in System <br />AgencyC-CMS Contracts for information exchange. <br />b. Report all information reasonably available to Contractor about the Event or Breach of the <br />privacy or security of Confidential Information. 45 CFR 164.410 <br />c. Name, and provide contact information to System Agency for, Contractor's single point of <br />contact who will communicate with System Agency both on and off business hours during the <br />incident response period. <br />2. 48 -Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a <br />time within which Discovery reasonably should have been made by Contractor of an Event or <br />Breach of Confidential Information, provide formal notification to the State, including all <br />reasonably available information about the Event or Breach, and Contractor's investigation, <br />including without limitation and to the extent available: For (a) - (m) below. 45 CFR 164.400- <br />414 <br />a. The date the Event or Breach occurred; <br />b. The date of Contractor's and, if applicable, Subcontractor's Discovery; <br />c. A brief description of the Event or Breach; including how it occurred and who is responsible <br />(or hypotheses, if not yet determined); <br />d. A brief description of Contractor's investigation and the status of the investigation; <br />e. A description of the types and amount of Confidential Information involved; <br />f. Identification of and number of all Individuals reasonably believed to be affected, including <br />first and last name of the individual and if applicable the, Legally authorized representative, last <br />known address, age, telephone number, and email address if it is a preferred contact method, to <br />the extent known or can be reasonably determined by Contractor at that time; <br />g. Contractor's initial risk assessment of the Event or Breach demonstrating whether individual <br />or other notices are required by applicable law or this DUA for System Agency approval, <br />including an analysis of whether there is a low probability of compromise of the Confidential <br />Information or whether any legal exceptions to notification apply; <br />h. Contractor's recommendation for System Agency's approval as to the steps Individuals or <br />Contractor on behalf of Individuals, should take to protect the Individuals from potential harm, <br />including without limitation Contractor's provision of notifications, credit protection, claims <br />monitoring, and any specific protections for a Legally Authorized Representative to take on <br />behalf of an Individual with special capacity or circumstances; <br />i. The steps Contractor has taken to mitigate the harm or potential harm caused (including without <br />limitation the provision of sufficient resources to mitigate); <br />j. The steps Contractor has taken, or will take, to prevent or reduce the likelihood of recurrence of <br />a similar Event or Breach,- <br />System <br />reach; <br />System Agency Data Use Agreement V.8.3 HIPAA Omnibus Compliant April 1, 2015 <br />Page 7 of 11 <br />