State of California

Department Contact Information. To direct communications to the above referenced Department staff, the Contractor shall initiate contact as indicated herein. The Department reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated.

Contractor shall use the following contact information up to and including June 30, 2012:

Department Program Contract Manager:
See the Exhibit A, Scope of Work for Program Contract Manager information

DMH Information Security Officer:
Information Security Officer
California Department of Mental Health
1600 9th Street, Room 150
Sacramento, CA 95814
Phone: (916) 651-6776
Email: iso@dmh.ca.gov
Fax: (916) 651-1341


Contractor shall use the following contact information on July 1, 2012, and thereafter:

Department Program Contract Manager:
See the Exhibit A, Scope of Work for Program Contract Manager information

DHCS Privacy Officer:
Privacy Officer
c/o: Office of HIPAA Compliance
Department of Health Care Services
P.O. Box 997413, MS 4722
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646
Fax: (916) 440-7680

DHCS Information Security Officer:
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Telephone: ITSD Service Desk, (916) 440-7000 or (800) 579-0874
Fax: (916) 440-5537

L. Termination of Agreement. In accordance with Section 13404(b) of the HITECH Act and to the extent required by the HIPAA regulations, if Contractor knows of a material breach or violation by the Department of this Exhibit F, it shall take the following steps:




  1. Provide an opportunity for the Department to cure the breach or end the violation and terminate the Agreement if the Department does not cure the breach or end the violation within the time specified by Contractor; or

  2. Immediately terminate the Agreement if the Department has breached a material term of the Exhibit F and cure is not possible.

M. Due Diligence. Contractor shall exercise due diligence and shall take reasonable steps to ensure that it remains in compliance with this Exhibit F and is in compliance with applicable provisions of HIPAA, the HITECH Act and the HIPAA regulations, and that its agents, subcontractors and vendors are in compliance with their obligations as required by this Exhibit F.


N. Sanctions and/or Penalties. Contractor understands that a failure to comply with the provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Contractors may result in the imposition of sanctions and/or penalties on Contractor under HIPAA, the HITECH Act and the HIPAA regulations.



  1. Obligations of the Department.

The Department agrees to:


A. Permission by Individuals for Use and Disclosure of PHI. Provide the Contractor with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect the Contractor’s permitted or required uses and disclosures.
B. Notification of Restrictions. Notify the Contractor of any restriction to the use or disclosure of PHI that the Department has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect the Contractor’s use or disclosure of PHI.
C. Requests Conflicting with HIPAA Rules. Not request the Contractor to use or disclose PHI in any manner that would not be permissible under the HIPAA regulations if done by the Department.


  1. Audits, Inspection and Enforcement


A. From time to time, and subject to all applicable federal and state privacy and security laws and regulations, the Department may conduct a reasonable inspection of the facilities, systems, books and records of Contractor to monitor compliance with this Exhibit F. Contractor shall promptly remedy any violation of any provision of this Exhibit F. The fact that the Department inspects, or fails to inspect, or has the right to inspect, Contractor’s facilities, systems and procedures does not relieve Contractor of its responsibility to comply with this Exhibit F. The Department's failure to detect a non-compliant practice, or a failure to report a detected non-compliant practice to Contractor does not constitute acceptance of such practice or a waiver of The Department's enforcement rights under this Agreement, including this Exhibit F.
B. If Contractor is the subject of an audit, compliance review, or complaint investigation by the Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is related to the performance of its obligations pursuant to this HIPAA Business Associate Exhibit F, Contractor shall notify the Department. Upon request from the Department, Contractor shall provide the Department with a copy of any PHI or PI that Business Associate provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI or PI to the Secretary. Contractor is responsible for any civil penalties assessed due to an audit or investigation of Contractor, in accordance with 42 U.S.C. Section 17934(c).


  1. Termination.


A. Term. The Term of this Exhibit F shall extend beyond the termination of the Agreement and shall terminate when all Department PHI is destroyed or returned to the Department, in accordance with 45 CFR Section 164.504(e)(2)(ii)(I).
B. Termination for Cause. In accordance with 45 CFR Section 164.504(e)(1)(ii), upon the Department’s knowledge of a material breach or violation of this Exhibit F by Contractor, the Department shall:


  1. Provide an opportunity for Contractor to cure the breach or end the violation and terminate this Agreement if Contractor does not cure the breach or end the violation within the time specified by the Department; or

  2. Immediately terminate this Agreement if Contractor has breached a material term of this Exhibit F and cure is not possible.

C. Judicial or Administrative Proceedings. Contractor will notify the Department if it is named as a defendant in a criminal proceeding for a violation of HIPAA. The Department may terminate this Agreement if Contractor is found guilty of a criminal violation of HIPAA. The Department may terminate this Agreement if a finding or stipulation that the Contractor has violated any standard or requirement of HIPAA, or other security or privacy laws is made in any administrative or civil proceeding in which the Contractor is a party or has been joined. DHCS will consider the nature and seriousness of the violation in deciding whether or not to terminate the Agreement.
D. Effect of Termination. Upon termination or expiration of this Agreement for any reason, Contractor shall return or destroy all Department PHI that Contractor still maintains in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, Contractor shall notify the Department of the conditions that make the return or destruction infeasible, and the Department and Contractor shall determine the terms and conditions under which Contractor may retain the PHI. Contractor shall continue to extend the protections of this Exhibit F to such PHI, and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall apply to Department PHI that is in the possession of subcontractors or agents of Contractor.


  1. Miscellaneous Provisions.


A. Disclaimer. The Department makes no warranty or representation that compliance by Contractor with this Exhibit F, HIPAA or the HIPAA regulations will be adequate or satisfactory for Contractor’s own purposes or that any information in Contractor’s possession or control, or transmitted or received by Contractor, is or will be secure from unauthorized use or disclosure. Contractor is solely responsible for all decisions made by Contractor regarding the safeguarding of the Department PHI.
B. Amendment. The parties acknowledge that federal and state laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Exhibit F may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations and other applicable laws relating to the security or privacy of Department PHI. Upon the Department’s request, Contractor agrees to promptly enter into negotiations with the Department concerning an amendment to this Exhibit F embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable laws. The Department may terminate this Agreement upon thirty (30) days written notice in the event:
1) Contractor does not promptly enter into negotiations to amend this Exhibit F when requested by the Department pursuant to this section; or
2) Contractor does not enter into an amendment providing assurances regarding the safeguarding of Department PHI that the Department deems is necessary to satisfy the standards and requirements of HIPAA and the HIPAA regulations.
C. Assistance in Litigation or Administrative Proceedings. Contractor shall make itself and any subcontractors, employees or agents assisting Contractor in the performance of its obligations under this Agreement, available to the Department at no cost to the Department to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against the Department, its directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other laws relating to security and privacy, which involves inactions or actions by the Contractor, except where Contractor or its subcontractor, employee or agent is a named adverse party.
D. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this Exhibit F is intended to confer, nor shall anything herein confer, upon any person other than the Department or Contractor and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever.
E. Interpretation. The terms and conditions in this Exhibit F shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations and applicable state laws. The parties agree that any ambiguity in the terms and conditions of this Exhibit F shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act and the HIPAA regulations.
F. Regulatory References. A reference in the terms and conditions of this Exhibit F to a section in the HIPAA regulations means the section as in effect or as amended.
G. Survival. The respective rights and obligations of Contractor under Section 6, Item D of this Exhibit F shall survive the termination or expiration of this Agreement.
H. No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.

Attachment A
Business Associate Data Security Requirements
1. Personnel Controls

A. Employee Training. All workforce members who assist in the performance of functions or activities on behalf of the Department, or access or disclose Department PHI or PI must complete information privacy and security training, at least annually, at Contractor's expense. Each workforce member who receives information privacy and security training must sign a certification, indicating the member’s name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following termination of this Agreement.
B. Employee Discipline. Appropriate sanctions must be applied against workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements, including termination of employment where appropriate.
C. Confidentiality Statement. All persons that will be working with Department PHI or PI must sign a confidentiality statement that includes, at a minimum, General Use, Security and Privacy Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access to Department PHI or PI. The statement must be renewed annually. The Contractor shall retain each person’s written confidentiality statement for Department inspection for a period of six (6) years following termination of this Agreement.
D. Background Check. Before a member of the workforce may access Department PHI or PI, a background screening of that worker must be conducted. The screening should be commensurate with the risk and magnitude of harm the employee could cause, with more thorough screening being done for those employees who are authorized to bypass significant technical and operational security controls. The Contractor shall retain each workforce member’s background check documentation for a period of three (3) years.
2. Technical Security Controls
A. Workstation/Laptop encryption. All workstations and laptops that store Department PHI or PI either directly or temporarily must be encrypted using a FIPS 140-2 certified algorithm which is 128-bit or higher, such as Advanced Encryption Standard (AES). The encryption solution must be full disk unless approved by the Department Information Security Office.
B. Server Security. Servers containing unencrypted Department PHI or PI must have sufficient administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review.
C. Minimum Necessary. Only the minimum necessary amount of Department PHI or PI required to perform necessary business functions may be copied, downloaded, or exported.
D. Removable media devices. All electronic files that contain Department PHI or PI data must be encrypted when stored on any removable media or portable device (e.g. USB thumb drives, floppies, CD/DVD, Blackberry, backup tapes, etc.). Encryption must be a FIPS 140-2 certified algorithm which is 128-bit or higher, such as AES.
E. Antivirus software. All workstations, laptops and other systems that process and/or store Department PHI or PI must install and actively use a comprehensive anti-virus software solution with automatic updates scheduled at least daily.
F. Patch Management. All workstations, laptops and other systems that process and/or store Department PHI or PI must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release. Applications and systems that cannot be patched within this time frame due to significant operational reasons must have compensatory controls implemented to minimize risk until the patches can be installed. Applications and systems that cannot be patched must have compensatory controls implemented to minimize risk, where possible.

G. User IDs and Password Controls. All users must be issued a unique user name for accessing Department PHI or PI. Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password. Passwords are not to be shared. Passwords must be at least eight characters and must be a non-dictionary word. Passwords must not be stored in readable format on the computer. Passwords must be changed at least every 90 days, preferably every 60 days. Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard:


  1. Upper case letters (A-Z)

  2. Lower case letters (a-z)

  3. Arabic numerals (0-9)

  4. Non-alphanumeric characters (punctuation symbols)
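The password composition rule in item G above is concrete enough to check mechanically: length of at least eight, characters from at least three of the four keyboard groups, and not a dictionary word. The following is an added example (not part of the agreement or any DHCS tooling) that encodes those rules as a validator a contractor could run against proposed passwords. The keyboard groups are assumed to be printable ASCII; the dictionary is a small constructed stand-in for a real word list; and the dictionary check is read slightly more strictly than the policy wording, rejecting a word that has only been padded with digits or symbols (that stricter reading is a design choice, not something the policy states).

```python
"""Password-composition check for Attachment A, section 2.G (added example).

Rules taken from the policy: minimum length 8, at least 3 of the 4
keyboard character groups, and not a dictionary word.
"""
from __future__ import annotations

import string

MIN_LENGTH = 8
MIN_GROUPS = 3

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "sacramento", "welcome", "summer", "dragon"}

# The four keyboard groups named in the policy, assumed to be printable ASCII.
GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_groups(password: str) -> set[str]:
    """Return the names of the keyboard groups that appear in the password."""
    return {name for name, chars in GROUPS.items()
            if any(c in chars for c in password)}


def is_dictionary_word(password: str, dictionary: set[str] = DICTIONARY) -> bool:
    """Case-insensitive dictionary check.

    Stricter reading than the policy text: the word is also rejected when it
    has merely been padded with digits or symbols ("Password1!").
    """
    lowered = password.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    return lowered in dictionary or letters_only in dictionary


def check_password(password: str, dictionary: set[str] = DICTIONARY) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    groups = character_groups(password)
    if len(groups) < MIN_GROUPS:
        problems.append(
            f"uses {len(groups)} character group(s), policy requires {MIN_GROUPS}")
    if is_dictionary_word(password, dictionary):
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password", "Password1!", "Ab1!"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The validator reports every failed rule rather than stopping at the first, which makes it usable both interactively and for auditing an existing credential store during the annual security review required in section 3.A.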


H. Data Destruction. When no longer needed, all Department PHI or PI must be wiped using the Gutmann or US Department of Defense (DoD) 5220.22-M (7 Pass) standard, or by degaussing. Media may also be physically destroyed in accordance with NIST Special Publication 800-88. Other methods require prior written permission of the Department Information Security Office.
I. System Timeout. The system providing access to Department PHI or PI must provide an automatic timeout, requiring re-authentication of the user session after no more than 20 minutes of inactivity.
J. Warning Banners. All systems providing access to Department PHI or PI must display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only by authorized users. User must be directed to log off the system if they do not agree with these requirements.

K. System Logging. The system must maintain an automated audit trail which can identify the user or system process which initiates a request for Department PHI or PI, or which alters Department PHI or PI. The audit trail must be date and time stamped, must log both successful and failed accesses, must be read only, and must be restricted to authorized users. If Department PHI or PI is stored in a database, database logging functionality must be enabled. Audit trail data must be archived for at least 3 years after occurrence.
L. Access Controls. The system providing access to Department PHI or PI must use role based access controls for all user authentications, enforcing the principle of least privilege.
M. Transmission encryption. All data transmissions of Department PHI or PI outside the secure internal network must be encrypted using a FIPS 140-2 certified algorithm which is 128-bit or higher, such as AES. Encryption can be end to end at the network level, or the data files containing Department PHI can be encrypted. This requirement pertains to any type of Department PHI or PI in motion such as website access, file transfer, and E-Mail.
N. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting Department PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution.
3. Audit Controls
A. System Security Review. Contractor must ensure audit control mechanisms that record and examine system activity are in place. All systems processing and/or storing Department PHI or PI must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.
B. Log Reviews. All systems processing and/or storing Department PHI or PI must have a routine procedure in place to review system logs for unauthorized access.
C. Change Control. All systems processing and/or storing Department PHI or PI must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data.
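Section 2.K requires an audit trail that identifies the user or process behind each request for or alteration of PHI, is date- and time-stamped, and records both successful and failed accesses; section 3.B requires a routine review of those logs for unauthorized access. The following added example (not part of the agreement or any DHCS tooling) shows what the routine review can look like in code. The log line format, the sample log lines, the field names, the set of "altering" actions and the failure threshold are all constructed assumptions for the example; a real system's audit format will differ, but the checks (reject entries without a parsable timestamp, tally failed accesses per principal, list alterations for review) carry over.

```python
"""Routine audit-trail review for Attachment A, sections 2.K and 3.B (added example).

The log format below is a constructed assumption:
    <ISO-8601 UTC timestamp> user=<id> action=<verb> record=<id> result=success|failure
"""
import re
from collections import Counter
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
    r"\s+record=(?P<record>\S+)\s+result=(?P<result>success|failure)$"
)

# Actions that alter PHI (assumption); the policy requires these be attributable.
ALTERING_ACTIONS = {"create", "update", "delete"}

# Constructed sample audit trail; one line deliberately lacks a timestamp.
SAMPLE_LOG = """\
2012-07-01T08:02:13Z user=jdoe action=read record=PHI-1042 result=success
2012-07-01T08:05:40Z user=jdoe action=update record=PHI-1042 result=success
2012-07-01T09:11:02Z user=svc_batch action=read record=PHI-2001 result=failure
2012-07-01T09:11:03Z user=svc_batch action=read record=PHI-2002 result=failure
2012-07-01T09:11:04Z user=svc_batch action=read record=PHI-2003 result=failure
2012-07-01T09:11:05Z user=svc_batch action=read record=PHI-2004 result=failure
user=ghost action=read record=PHI-3000 result=success
2012-07-01T10:30:00Z user=asmith action=delete record=PHI-1042 result=success
"""


def parse_line(line):
    """Parse one audit line; return None when it lacks the required fields or a valid timestamp."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    try:
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return entry


def review(text, failure_threshold=3):
    """Summarise an audit trail for the routine log review.

    Returns malformed lines (which themselves violate 2.K), failed accesses per
    user, users at or above the failure threshold, and every altering action.
    """
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            malformed.append(line)
        else:
            entries.append(entry)

    failures = Counter(e["user"] for e in entries if e["result"] == "failure")
    flagged = sorted(u for u, n in failures.items() if n >= failure_threshold)
    alterations = [(e["user"], e["action"], e["record"])
                   for e in entries if e["action"] in ALTERING_ACTIONS]
    return {
        "malformed": malformed,
        "failures_by_user": dict(failures),
        "flagged_users": flagged,
        "alterations": alterations,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print("malformed lines:", report["malformed"])
    print("failed accesses:", report["failures_by_user"])
    print("users to review:", report["flagged_users"])
    print("alterations:", report["alterations"])
```

Two points a reviewer would want from the output: a line without a parsable timestamp is reported rather than silently skipped, since an unattributable or undated entry is itself a gap against section 2.K; and alterations are listed regardless of result, because the question for a change to PHI is whether the acting user held the role that permits it (section 2.L), not merely whether the operation succeeded.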
4. Business Continuity / Disaster Recovery Controls
A. Emergency Mode Operation Plan. Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of Department PHI or PI held in an electronic format in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than 24 hours.
B. Data Backup Plan. Contractor must have established documented procedures to backup Department PHI to maintain retrievable exact copies of Department PHI or PI. The plan must include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and an estimate of the amount of time needed to restore Department PHI or PI should it be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite storage of Department data.
5. Paper Document Controls
A. Supervision of Data. Department PHI or PI in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is not being observed by an employee authorized to access the information. Department PHI or PI in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes.
B. Escorting Visitors. Visitors to areas where Department PHI or PI is contained shall be escorted and Department PHI or PI shall be kept out of sight while visitors are in the area.
C. Confidential Destruction. Department PHI or PI must be disposed of through confidential means, such as cross cut shredding and pulverizing.

D. Removal of Data. Only the minimum necessary Department PHI or PI may be removed from the premises of the Contractor except with express written permission of the Department. Department PHI or PI shall not be considered "removed from the premises" if it is only being transported from one of Contractor's locations to another of Contractor's locations.
E. Faxing. Faxes containing Department PHI or PI shall not be left unattended and fax machines shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending the fax.
F. Mailing. Mailings containing Department PHI or PI shall be sealed and secured from damage or inappropriate viewing of such PHI or PI to the extent possible. Mailings which include 500 or more individually identifiable records of Department PHI or PI in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt, unless the prior written permission of the Department to use another method is obtained.