Bid Event id number: evt0001028 KanCare Medicaid and chip capitated Managed Care Services Preface: High Priority Events and Items
|
|  Yüklə 1.13 Mb.
|
CONFIDENTIALITYPursuant to HIPAA and the Privacy Rule, Protected Health Information that CONTRACTOR will create, have access to and/or receive from KDHE-DHCF may be used or disclosed only in accordance with this Agreement and the Privacy Rule. The KDHE-DHCF and CONTRACTOR agree as follows: 4.1.1.39.1. Definitions 4.1.1.39.1.1 Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g). 4.1.1.39.1.2 KDHE. “KDHE” shall mean State of Kansas, Secretary of the Department of Health and Environment or the Kansas Department of Health and Environment, depending on context in which used. 4.1.1.39.1.3 Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160, 164(A) and (E). 4.1.1.39.1.4 Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, limited to the information created or received by CONTRACTOR from or on behalf of KDHE. 4.1.1.39.1.5 Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R. § 164.103. 4.1.1.39.1.6 Secretary. "Secretary" shall mean the Secretary of Health and Human Services or the Secretary’s designee. 4.1.1.39.1.7 Data Aggregation Services. “Data Aggregation Services” shall mean, with respect to Protected Health Information created or received by CONTRACTOR in its capacity as a recipient of PHI from KDHE, the combining of such PHI by CONTRACTOR with the protected health information received by CONTRACTOR in its capacity as a receiver of PHI from another agency, to permit data analyses that relate to the health care operations of the respective covered entities, as defined in 45 C.F.R. § 164.501. 4.1.1.39.1.8 Data Record Set. “Data Record Set” shall mean a group of records maintained by or for KDHE that consists of the following:
4.1.1.39.1.9 Electronic Transactions Standards. “Electronic Transactions Standards” shall mean the Standards for Electronic Transactions at 45 C.F.R. Parts 160 and 162. 4.1.1.39.1.10 HHS. “HHS” shall mean the United States Department of Health and Human Services. 4.1.1.39.1.11 Other Terms. Other capitalized terms shall have the meaning ascribed to them elsewhere in this Agreement, or, if no such definition is specified herein, shall have the same meaning as those terms in 45 C.F.R. §§ 160.103 and 164.501. Any reference to any Part, Subpart or section in the Code of Federal Regulations (“C.F.R.”) shall include any regulation issued there under regardless of the date of issue. 4.1.1.39.2 Confidentiality Under the Health Insurance Portability and Accountability Act, 1996 (HIPAA): KDHE is a Covered Entity under HIPAA. CONTRACTOR acknowledges that for the purposes of the Trial and this Agreement, CONTRACTOR is a “business associate” as that term is defined in 45 CFR § 160.103, and therefore the requirements of HIPAA apply to CONTRACTOR in the same manner that they apply to KDHE pursuant to 42 USC § 17931(a). These obligations continue as long as the data is in the hands of CONTRACTOR. Definition: For purposes of this section, the terms “Protected Health Information” and “PHI” shall have the same meaning as the term "protected health information" in 45 C.F.R. § 160.103 and is individually identifiable information in any medium pertaining to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, that CONTRACTOR receives from KDHE or that CONTRACTOR creates or receives on behalf of KDHE. The terms “Protected Health Information” and “PHI” apply to the original data and to any health data derived or extracted from the original data that has not been de-identified. Electronic protected health information (EPHI) is a subset of PHI and means individually identifiable health information that is transmitted by or maintained in electronic media. 4.1.1.39.2.1 Required/Permitted Uses Section 164.504(e)(2)(i): CONTRACTOR is required/permitted to use the PHI for the purposes of determining potential improper billing and fraud in the Kansas Medicaid Program. 4.1.1.39.2.2 Required/Permitted Disclosures Section 164.504(e)(2)(i): CONTRACTOR shall disclose KDHE’s PHI only as allowed herein or as specifically directed by KDHE. 4.1.1.39.2.3 Limitation of Use and Disclosure Section 164.504(e)(2)(ii)(A): CONTRACTOR agrees that it will not use or further disclose the PHI other than as permitted or required by this CONTRACT or as required by law. 4.1.1.39.2.4 Disclosures Allowed for Management and Administration Section 164.504(e)(2)(i)(A) and 164.504(e)(4)(i): CONTRACTOR is permitted to use and disclose PHI received from KDHE in its capacity as a recipient of PHI from KDHE if such use is necessary for the management and administration of this Agreement or to carry out the legal responsibilities of CONTRACTOR. 4.1.1.39.2.5 Minimum Necessary: CONTRACTOR agrees to limit the amount of PHI used and/or disclosed pursuant to this section to the minimum necessary to achieve the purpose of the use and disclosure. 4.1.1.39.2.6 Safeguarding and Securing PHI Sections 164.308, 164.310, 164.312, 164.314 and 164.504(e)(2)(ii)(B): CONTRACTOR agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and or EPHI that CONTRACTOR creates, receives, maintains, or transmits. CONTRACTOR will furnish KDHE with a written description of such safeguards taken upon request. CONTRACTOR agrees to allow authorized representatives of KDHE access to premises where the PHI and or EPHI is kept for the purpose of inspecting physical security arrangements. 4.1.1.39.2.7 Agents and Subcontractors Section 164.504(e)(2)(ii)(D): CONTRACTOR will ensure that any entity, including agents and subcontractors, to whom it discloses PHI received from KDHE or created or received by CONTRACTOR on behalf of KDHE agrees to the same restrictions, conditions and safeguards that apply to CONTRACTOR with respect to such information. 4.1.1.39.2.8 Right to Review: KDHE reserves the right to review terms of agreements and CONTRACTs between CONTRACTOR and its subcontractors as they relate to the use and disclosure of PHI belonging to KDHE. 4.1.1.39.2.9 Ownership: CONTRACTOR shall at all times recognize KDHE’s ownership of the PHI. 4.1.1.39.2.10 Notification Section 164.304, 164.314 (a)(2)(C) and 164.504(e)(2)(ii)(C): CONTRACTOR shall notify KDHE both orally and in writing of any use or disclosure of PHI and or EPHI not allowed by the provisions of this Agreement of which it becomes aware (hereinafter a “Breach”), and of any instance where the PHI is subpoenaed, copied or removed by anyone except an authorized representative of KDHE or CONTRACTOR. CONTRACTOR will provide such notice to KDHE without unreasonable delay but not later than five (5) business days after becoming aware of such incident, except where a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. For purposes of clarity for this provision, CONTRACTOR must notify KDHE of any such incident within the above timeframe even if CONTRACTOR has not conclusively determined within that time that the incident constitutes a Breach as defined by HIPAA. For purposes of this Agreement, CONTRACTOR is deemed to have become aware of the Breach as of the first day on which such Breach is known or reasonably should have been known to such entity or associate of CONTRACTOR, including any person, other than the individual committing the Breach, that is an employee, officer or other agent of CONTRACTOR or an associate of CONTRACTOR. 4.1.1.39.2.11 Such notice will also include: 4.1.1.39.2.11.1 The names of the Individuals whose PHI has been, or is reasonably believed to have been, the subject of a Breach; 4.1.1.39.2.11.2 To include a draft letter for KDHE to utilize to notify the Individuals that their Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach. The draft letter must include, to the extent possible: 4.1.1.39.2.11.2.1 A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; 4.1.1.39.2.11.2.2 A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as full name, Social Security Number, date of birth, home address, account number, disability code, or other types of information that were involved); 4.1.1.39.2.11.2.3 Any steps the Individuals should take to protect themselves from potential harm resulting from the Breach; 4.1.1.39.2.11.2.4 A brief description of what KDHE and CONTRACTOR are doing to investigate the Breach, to mitigate losses, and to protect against any further Breaches; and 4.1.1.39.2.11.2.5 Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, web site, or postal address. 4.1.1.39.2.11.2.6 Indemnification for Breach Notification. In addition to the obligations set forth in Section IX.H. below, CONTRACTOR shall indemnify KDHE for costs associated with any incident involving the acquisition, access, use or disclosure of PHI in a manner not permitted under 45 C.F.R. part E. 4.1.1.39.2.12 CONTRACTOR will notify KDHE Privacy Officer immediately by telephone of any breach of security or privacy. If unable to contact KDHE Privacy Officer by telephone, CONTRACTOR will send an e-mail to the Privacy Officer. CONTRACTOR will follow phone or e-mail notification with a faxed or other written explanation of the breach, to include the following: date and time of breach, media or medium that contained the PHI, origination and destination of PHI, CONTRACTOR unit and personnel associated with the breach, detailed description of PHI, anticipated mitigation steps, and the name, address, phone, fax number, and e-mail of the individual who is responsible for the mitigation. Address communications to: Cory Sheedy KDHE Privacy Officer Kansas Department of Health and Environment 1000 S.W. Jackson Street, Suite 560 Topeka, Kansas 66612 Phone: (785) 291-3951 Fax: (785) 296-8825 4.1.1.39.2.13 Transmission of PHI §§ 164.312 (c)(1) and 164.312 (c)(2): CONTRACTOR agrees to follow the HIPAA standards with regard to the transmission of PHI. 4.1.1.39.2.14 Employee Compliance with Applicable Laws and Regulations: CONTRACTOR agrees to require each of its employees having any involvement with the PHI to comply with applicable laws and regulations relating to security, confidentiality and privacy of the PHI and with the provisions of this Agreement. 4.1.1.39.2.15 Custodial Responsibility: _____________, an employee of CONTRACTOR, is designated as the custodian of PHI and will be responsible for observance of all conditions of use. If custodianship is transferred within the organization, CONTRACTOR shall notify KDHE promptly. 4.1.1.39.2.16 Access, Amendment, and Accounting of Disclosures § 164.504(e)(2)(ii)(E-G): CONTRACTOR will provide access to the PHI in accordance with 45 C.F.R. § 164.524. CONTRACTOR will make the PHI available for amendment and incorporate any amendments to the PHI in accordance with 45 C.F.R. § 164.526. CONTRACTOR will make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528. 4.1.1.39.2.17 Documentation Verifying HIPAA Compliance § 164.504(e)(2)(ii)(H): CONTRACTOR will make its policies, procedures, and documentation relating to the security and privacy of protected health information, including EPHI, available to the Secretary of Health and Human Services for purposes of determining KDHE’s compliance with 45 C.F.R. Parts 160 and 164. CONTRACTOR will make these same policies, procedures, and documentation available to KDHE or its designee upon request. 4.1.1.39.2.18 CONTRACT Termination §§ 164.314(a)(2)(i)(D) and 164.504(e)(2)(ii)(I): CONTRACTOR agrees that within forty-five (45) days of the termination of this CONTRACT, it will return or destroy, at KDHE’s direction, any and all PHI that it maintains in any form and will retain no copies of the PHI. If the return or destruction of the PHI is not feasible, the protections of this section of the CONTRACT shall be extended to the information, and further use and disclosure of PHI is limited to those purposes that make the return or destruction of PHI infeasible. Any use or disclosure of PHI except for the limited purpose is prohibited. 4.1.1.39.2.19 Termination for Compliance Violation § 164.314 (a)(2)(i)(D) 164.504(e)(2)(iii) and § 164.504(e)(1)(ii): CONTRACTOR acknowledges that KDHE is authorized to terminate this Agreement if KDHE determines that CONTRACTOR has violated a material term of this section of the Agreement. If termination of the Agreement is not feasible due to an unreasonable burden on KDHE, CONTRACTOR’s violation will be reported to the Secretary, along with steps KDHE took to cure or end the violation or breach along with steps KDHE took to cure or end the violation or breach and the reason(s) for which KDHE did not terminate the CONTRACT. 4.1.1.39.3 General Terms. Interpretation of Provisions. In the event of an inconsistency between the provisions of this Agreement and the mandatory terms of the Privacy Rule (as may be expressly amended from time to time by the HHS or as a result of final interpretations by HHS, an applicable court, or another applicable regulatory agency with authority over the Parties), the terms of the Privacy Rule shall prevail. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits KDHE to comply with the Privacy Rule, the Electronic Transactions Standards, or any other requirement under the HIPAA law.
All services executed, subcontracted, or otherwise procured under the provisions of this CONTRACT are to be performed at a physical location within the United States of America. This condition applies to all parties acting in performance of this CONTRACT, including the CONTRACTOR(s), and any of its subcontractors, or others from which the services may be procured. Expressed written permission shall be obtained from the Director of Purchases prior to sourcing or shifting contractual functions to a location outside the United States. This requirement does not restrict provisions of the North America Free Trade Agreement; nor, does this requirement apply to products and supplies available to the general public, which are manufactured outside the United States. Failure to abide by this provision may result in termination of the CONTRACT for cause. Data containing Private Health Information (PHI) or Personal Identification Information (PII) shall not be transmitted to or processed at any site outside the United States. If, during the term of the CONTRACT, the CONTRACTOR or subcontractor plans to move work previously performed in the United States to a location outside of the United States, the CONTRACTOR shall immediately notify the Division of Purchases and the respective agency in writing, indicating the desired new location, the nature of the work to be moved and the percentage of work that would be relocated. The Director of Purchases, with the advice of the respective agency, must approve any changes prior to work being relocated. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.41 Immigration and Reform Control Act of 1986 (IRCA) All CONTRACTORs are expected to comply with the Immigration and Reform Control Act of 1986 (IRCA), as may be amended from time to time. This Act, with certain limitations, requires the verification of the employment status of all individuals who were hired on or after November 6, 1986, by the CONTRACTOR as well as any subcontractor or sub-contractors. The usual method of verification is through the Employment Verification (I-9) Form. With the submission of this bid, the CONTRACTOR hereby certifies without exception that such CONTRACTOR has complied with all federal and state laws relating to immigration and reform. Any misrepresentation in this regard or any employment of persons not authorized to work in the United States constitutes a material breach and, at the State's option, may subject the CONTRACT to termination for cause and any applicable damages. Unless provided otherwise herein, all CONTRACTORs are expected to be able to produce for the State any documentation or other such evidence to verify CONTRACTOR's IRCA compliance with any provision, duty, certification, or like item under the CONTRACT. CONTRACTOR will provide a copy of a signed Certification Regarding Immigration Reform and Control From http://www.da.ks.gov/purch/CertificationImmigrationForm.doc with the technical proposal. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.42 Worker Misclassification The CONTRACTOR and all tiered subcontractors under the CONTRACTOR shall properly classify workers as employees rather than independent CONTRACTORs and treat them accordingly for purposes of workers' compensation insurance coverage, unemployment taxes, social security taxes, and income tax withholding. Failure to do so may result in CONTRACT termination. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.43 Mandatory Provisions The provisions found in Contractual Provisions Attachment (DA 146a) are incorporated by reference and made a part of this CONTRACT. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.44 Payment Payment schedule shall be on a frequency mutually agreed upon by both the agency and the CONTRACTOR. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.45 Performance Guaranty / Bond The CONTRACTOR shall file with the Director of Purchases a performance guaranty/bond in the amount of $5,000,000. The guaranty shall be released upon the completion of this CONTRACT subject to total or partial forfeiture for failure to adequately perform the terms of this CONTRACT. If damages exceed the amount of the guaranty, the State may seek additional damages. A performance guaranty must be one of the following: (1) certificate of deposit payable to the State; or (2) a properly executed bond payable to the State. Necessary bond forms will be furnished by the Division of Purchases and can be completed by any General Insurance Agent. Bonds shall be issued by a Surety Company licensed to do business in the State of Kansas. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.46 Equipment All proposed equipment, equipment options, and hardware expansions must be identified by manufacturer and model number and descriptive literature of such equipment must be submitted with the bid response. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.47 Implied Requirements All products and services not specifically mentioned in this solicitation, but which are necessary to provide the functional capabilities described by the specifications, shall be included. Furthermore, all products and services required to make the VENDOR’s proposal functional shall be identified in the VENDOR's proposal. If additional products or services are later found to be necessary to make the VENDOR’s proposal functional, or to make the VENDOR’s proposal compliant with the specifications, regardless of whether the additional needed products or services are identified as being necessary by the State or the VENDOR, such products or services shall be provided by the VENDOR at no charge to the State. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.48 Warranty The State requires a warranty on any and all equipment, hardware, software, and services proposed to be effective throughout the term of this CONTRACT plus any renewals or extensions agreed to by the parties. The date the defect or issue was discovered will be the determination date for warranty purposes. This warranty shall be included in the cost of the solution. 4.1.1.48.1 The CONTRACTOR will be the sole point of contact on any problems with the equipment, hardware, software, systems or services proposed during the warranty period. 4.1.1.48.2 The CONTRACTOR shall be responsible for all work performed under these specifications. The CONTRACTOR shall make good, repair and replace, at the CONTRACTOR's own expense, as may be necessary, any defective work, material acceptance, if in the opinion of the agency or the Division of Purchases said defect is due to imperfection in material, design, or workmanship for the warranty period specified. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.49 Acceptance No CONTRACT provision or use of items by the State shall constitute acceptance or relieve the CONTRACTOR of liability in respect to any expressed or implied warranties. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) 4.1.1.50 Ownership All data, forms, procedures, software, manuals, system descriptions, or set of systems rules, source code, and workflows developed or accumulated by the CONTRACTOR under this CONTRACT shall be owned by the using agency. The CONTRACTOR may not release any materials without the written approval of the using agency. Acceptance: ____ Yes (Initial) ____ No (Initial and Provide a Detailed Explanation of Exception) |