DATA MANAGEMENT AND CONFIDENTIALITY AGREEMENT
This Data Management and Confidentiality Agreement (this “Agreement”) is entered into between OptumInsight, Inc. (“Optum”) and hCentive, Inc. (“Contractor”) in connection with and pursuant to the Professional Services Agreement between Optum and Contractor dated September 30, 2014 (the “Professional Services Agreement”). Optum and Contractor shall each be referred to herein as a “Party” and together as the “Parties.”
Contractor will be acting as a subcontractor to Optum in connection with a certain Master Services Agreement between the Commonwealth of Massachusetts’ Office of Information Technology (“MassIT”) and Contractor dated September 30, 2014 (the “MSA”).
DEFINITIONS AND SCOPE
Definitions
The following terms used in this Agreement shall have the same meaning as those terms when used in the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164 (together, the “HIPAA Rules”): Business Associate, Covered Entity, Data Aggregation, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary and Security Incident. All other terms used but not otherwise defined below or elsewhere in this Agreement shall be construed in a manner consistent with the HIPAA Rules and all other applicable state or federal privacy or security laws and regulations.
Terms not otherwise defined in this Agreement or by applicable Law shall have the meaning given in the Professional Services Agreement. The following capitalized terms shall have the following meanings when used in this Agreement:
“ACA” shall mean the Patient Protection and Affordable Care Act of 2010, as amended by the Health Care and Education Reconciliation Act.
“CCA” shall mean the Commonwealth Health Insurance Connector Authority.
“Commonwealth Security Information” shall mean all data that pertains to the security of the Commonwealth’s information technology, specifically, information pertaining to the manner in which the Commonwealth protects its information technology systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, or the provision of service to unauthorized users, including those measures necessary to detect, document and counter such threats.
“EOHHS” shall mean the Commonwealth of Massachusetts’ Executive Office of Health and Human Services.
“Event” shall mean the following, either individually or collectively: 1) any use or disclosure of PI by Contractor, its subcontractors or agents, not permitted under this Agreement, 2) any Security Incident by the same, or 3) any event caused by the same that would trigger consumer or oversight agency notification obligations under 45 CFR Part 164, Subpart D, Mass. Gen. Laws 93H, or other similar federal or state data privacy or security laws or regulations.
“Health Benefit Programs” shall mean: 1) the Commonwealth’s program under the ACA for the enrollment of individuals in qualified health plans (“QHPs”), including the federal program of advanced premium tax credits and the Commonwealth’s program of premium assistance payments, which are designed to make coverage through a QHP more affordable, administered by CCA in accord with Sections 1311, 1401 and 1411 of the ACA, Section 36B of the Internal Revenue Code of 1986, 45 C.F.R. part 155, M.G.L. c. 176Q, s. 3, and other applicable federal and state laws, regulations and waivers (the “CCA Programs”); 2) the Commonwealth’s Medicaid and Children’s Health Insurance Programs, each administered by EOHHS in accord with Titles XIX and XXI of the Social Security Act, M.G.L. c. 118E and other applicable federal and state laws, regulations, waivers and demonstration projects (“MassHealth”); and 3) the Health Safety Net Trust Fund, administered by EOHHS pursuant to M.G.L. c. 118E and applicable regulations (the “HSNTF” and, together with MassHealth, the “EOHHS Programs”).
“Household Member” shall mean, with respect to an applicant for or beneficiary of a Health Benefit Program, a member of the applicant’s or beneficiary’s household or family whose income information is relevant to determining the applicant’s or beneficiary’s eligibility for such Health Benefit Program.
“Individual” shall mean the person to whom the PI refers and shall include a person or organization who qualifies as a personal representative in accord with 45 CFR § 164.502 (g).
“Privacy Rule” shall mean the Standards of Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164.
“Protected Information” or “PI” shall mean any Protected Health Information, any “personal data” as defined in Mass. Gen. Laws c. 66A, any “patient identifying information” as defined in 42 CFR Part 2 and any other individually identifiable information that is treated as confidential under any federal or state law or regulation (including, for example, any state and federal tax return information) that Contractor (or its subcontractor or agent) uses, maintains, discloses, receives, creates or otherwise obtains under the Professional Services Agreement. Information, including aggregate information, is considered PI if it is not fully de-identified in accord with 45 CFR §§164.514(a)-(c). PI used, maintained, disclosed, received, created or otherwise obtained by Contractor (or its subcontractor or agent) under the Professional Services Agreement shall include information relating to Health Benefit Program applicants, beneficiaries and Household Members.
“Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, at 45 CFR Parts 160 and 164.
Scope
All activities, functions and services performed or provided by Contractor (or its subcontractor or agent) under the Professional Services Agreement are subject to this Agreement. The Parties shall develop, in accord with applicable state and federal laws and regulations including privacy and security laws and regulations, separate data management and confidentiality agreements to govern the conduct of any other arrangement or agreement whereby Contractor (or its subcontractors or agents) performs activities or functions on behalf of, or provides services to or for, Optum that involve MassIT’s PI.
The provisions in this Agreement shall supersede any other data management, privacy or security provision to the contrary in the Professional Services Agreement, unless such other provision relates to the privacy or security of PI and is more stringent than the contrary provision in this Agreement, or such provision explicitly states it shall take precedence over this Agreement.
CONTRACTOR OBLIGATIONS UNDER THIS AGREEMENT
Mass. Gen. Laws c. 66A, 42 CFR Part 2 and other Privacy and Security Obligations
Contractor acknowledges that in the performance of the Professional Services Agreement it will create, receive, use, disclose, maintain, transmit or otherwise obtain “Personal Data,” and that in so doing, it becomes a “Holder” of Personal Data, as such terms are used within Mass. Gen. Laws c. 66A. Contractor agrees that, in a manner consistent with the Privacy and Security Rules, it shall comply with Mass. Gen. Laws c. 66A and any other applicable privacy or security law or regulation (state or federal) governing Contractor’s use, disclosure, and maintenance of any PI under the Professional Services Agreement, including for example, Mass. Gen. Laws c. 93H, 42 CFR Part 431, Subpart F, 801 CMR §3.00 and Executive Order 504.
Contractor further agrees that, upon being provided written notice of, or otherwise having agreed to, such obligations, to the extent applicable, it shall comply with (and shall cause its employees and other representatives to comply with) any other privacy and security obligation that is required as the result of Optum, MassIT, EOHHS and/or CCA having entered into an agreement (any such agreement, a “Third Party Agreement”) with a third party (such as the Social Security Administration, the Department of Revenue or the Centers for Medicare and Medicaid Services) to obtain or to access PI from a third party (any such third party, “Third Party” and any such PI, “Third Party Data”) or to access any system, database or application containing Third Party Data or through which Third Party Data could be accessed (any such system, database or application, a “Third Party Data System”), including, by way of illustration and not limitation, signing a written compliance acknowledgment or confidentiality agreement, undergoing a background check or completing training. The Parties acknowledge and agree that Third Party Data includes, without limitation, all data that Optum, EOHHS, CCA or MassIT receives, uses or obtains from the Massachusetts Department of Revenue, the Social Security Administration, the Internal Revenue Service, the Department of Homeland Security or through the Federal Data Services Hub and, notwithstanding anything herein to the contrary, Contractor may not access any such data unless disclosure of such data to Contractor is permitted under the applicable Third Party Agreement(s); all conditions for disclosure under such agreement(s) have been satisfied; and Contractor is notified of such Third Party Agreement and the privacy and security obligations applicable to its access to such Third Party Data or Third Party Data System. Without limiting the generality of the foregoing paragraphs, Contractor acknowledges and agrees that it cannot use or disclose PI except as specifically permitted under Section 3.
Business Associate
Under the Professional Services Agreement, Optum or MassIT are responsible for administering the development, configuration, implementation, maintenance and support of new or enhanced computing systems for the CCA Programs and the EOHHS Programs.
In its performance of the MSA, to the extent that MassIT receives, creates, maintains or transmits PI relating to CCA Program applicants, beneficiaries and/or Household Members, MassIT is a Business Associate of CCA (CCA being deemed a Covered Entity under the HIPAA Rules). To the extent that MassIT receives, creates, maintains or transmits PI relating to EOHHS Program applicants, beneficiaries and/or Household Members, (EOHHS being deemed a Covered Entity under the HIPAA Rules), MassIT is a Business Associate of EOHHS.
In Optum’s performance of the MSA, to the extent that Optum receives, creates, maintains or transmits PI relating to CCA Program applicants, beneficiaries and/or Household Members and/or EOHHS Program applicants, beneficiaries and/or Household Members, Optum is a Business Associate of MassIT and Optum has agreed to comply with all requirements of the HIPAA Rules applicable to a Business Associate. To the extent that Optum is to carry out an obligation of MassIT under the Privacy Rule, Optum agrees that it shall comply with the requirements of the Privacy Rule that apply to MassIT in the performance of such obligation.
In Contractor’s performance of the Professional Services Agreement, to the extent that Contractor receives, creates, maintains or transmits PI relating to CCA Program applicants, beneficiaries and/or Household Members and/or EOHHS Program applicants, beneficiaries and/or Household Members, Contractor is a Business Associate of Optum and Contractor agrees to comply with all requirements of the HIPAA Rules applicable to a Business Associate. To the extent that Contractor is to carry out an obligation of Optum or MassIT under the Privacy Rule, Contractor agrees that it shall comply with the requirements of the Privacy Rule that apply to Optum or MassIT in the performance of such obligation.
Ownership and Control of Data
Contractor acknowledges and agrees that neither this Agreement nor the Professional Services Agreement confer rights of ownership or control over PI on Contractor.
Agents and Subcontractors
If Contractor uses an agent or subcontractor to perform any activity under the Professional Services Agreement involving PI, Contractor shall ensure that the agent or subcontractor agrees in writing to the same restrictions and conditions that apply to Contractor under this Agreement with respect to such information, including but not limited to, implementing reasonable safeguards to protect such information.
Contractor must ensure that any required written agreement for agents and subcontractors meets all requirements of a Business Associate agreement, as required for agents and subcontractors of a Business Associate under the Privacy and Security Rules.
Contractor shall cause its subcontractors and agents who (a) have access to personal information as defined in Mass. Gen. Laws c. 93H, and personal data, as defined in Mass. Gen. Laws c. 66A, that Contractor (or its other subcontractor or agent) uses, maintains, receives, creates or otherwise obtains under the Professional Services Agreement, or (b) have access to Contractor, Optum, MassIT, CCA or EOHHS systems containing such information or data, to sign an Executive Order 504 Contractor Certification Form or other written agreement containing all applicable data security obligations as required by such certification form prior to being granted access to such data. Upon Optum’s or MassIT’s request, Contractor shall provide a listing of its subcontractors and agents who have such access and copies of these certifications.
Contractor shall cause its subcontractors and agents who need access to Third Party Data or a Third Party Data System to comply (and cause their employees and other representatives to comply) with any privacy and security obligation that may be required in connection with such access as the result of Optum, CCA, EOHHS or MassIT having entered into a Third Party Agreement to obtain or to access the Third Party Data, including, by way of illustration and not limitation, signing any written compliance acknowledgment or confidentiality agreement, undergoing a background check or completing training. Contractor shall ensure that such subcontractors and agents have satisfied all such requirements prior to being granted access to the Third Party Data or Third Party Data System. Contractor shall work with CCA, EOHHS, or MassIT, either directly or through Optum, as appropriate, to ensure that all such requirements are satisfied or, as directed in writing, directly with the appropriate third party.
Contractor is solely responsible for its agents’ and subcontractors’ compliance with this provision, and shall not be relieved of any obligation under this Agreement because the data was in the hands of its agents or subcontractors.
Data Security
Administrative, Physical and Technical Safeguards
Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PI and that prevent use or disclosure of such data other than as provided for by this Agreement. All such safeguards must meet, at a minimum, all standards set forth in the Privacy and Security Rules, as applicable to a Business Associate, the standards set forth in National Institute of Standards and Technology Special Publication 800-53 Revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations), moderate baseline, and all Commonwealth security and information technology resource policies, processes and mechanisms established for access to PI or systems containing PI, including those established by Executive Order 504 that are applicable to Contractor in connection with its activities under the Professional Services Agreement. As one of its safeguards, Contractor shall not transmit PI in non-secure transmissions over the Internet or any wireless communication device, except that Contractor may permit its staff to use cellular phones in accord with MassIT’s Privacy and Security Policies and Procedures.
Contractor must comply with all security mechanisms and processes established for access to any of Optum’s or MassIT’s (and, if and to the extent required by Contractor’s activities and permitted under the Professional Services Agreement, CCA’s or EOHHS’s) databases, systems or other information technology resources, as well as all Commonwealth security and information technology resource policies, processes, and mechanisms established for access to PI that are applicable to Contractor in connection with its activities under the Professional Services Agreement. Contractor shall protect from inappropriate use or disclosure any password, user ID, or other mechanism or code permitting access to any Optum, MassIT, CCA or EOHHS system, database, or other information technology resource or any other system, database or information technology resource containing PI. Contractor shall give Optum, MassIT, CCA or EOHHS, as appropriate, prior notice of any change in personnel whenever the change requires a termination or modification of any such password, user ID, or other security mechanism or code, in order to maintain the integrity of the system, database or resource.
Upon reasonable notice, Contractor agrees to allow representatives of Optum and MassIT access to premises where PI is stored for the purpose of inspecting privacy and physical security arrangements implemented by Contractor to protect such data.
Upon request, Optum, MassIT, CCA or EOHHS may inspect Contractor’s written policies, procedures, standards and guidelines related to the protection, security, use and disclosure of PI, Commonwealth Security Information, and the security and integrity of Contractor technology resources.
Commonwealth Security Information
If, through the Professional Services Agreement, Contractor obtains access to any Commonwealth Security Information, Contractor is prohibited from making any disclosures of or about such information, unless in accord with Optum’s express written instructions (obtained either directly or through Optum). If Contractor is granted access to such information in order to perform its obligations under the Professional Services Agreement, Contractor may only use such information for the purposes for which it obtained access. In using the information for such permitted purposes, Contractor shall limit access to the information only to staff, subcontractors or agents necessary to perform the permitted purposes and it may release or disclose such information as may be Required by Law, and then only in accordance with this Agreement (including Section 2.7 hereof). While in possession of such information, Contractor shall apply all applicable privacy and security requirements set forth in this Agreement to maintain the confidentiality, security, integrity, and availability of such information. Notwithstanding any other provision in this Agreement, Contractor shall report any non-permitted use or disclosure of Commonwealth Security Information to Optum and MassIT within twenty-four (24) hours following the date upon which Contractor becomes aware of the use or disclosure. Contractor shall immediately take all reasonable and legal actions to retrieve such information if disclosed to any non-permitted individual or entity; shall include a summary of such retrieval actions in its required report of the non-permitted disclosure; and shall take such further commercially reasonable retrieval action as Optum or MassIT may require.
Non-Permitted Use or Disclosure Report and Mitigation Activities
Mitigation and Other Activities
Upon becoming aware of any Event, Contractor shall take all reasonable and appropriate action necessary to: a) retrieve, to the extent practicable, any PI involved in the Event; b) mitigate, to the extent practicable, any harmful effect of the Event known to Contractor; and c) take such further action as may be required by any applicable state or federal law or regulation concerning the privacy and security of any PI involved in the Event.
Upon request, Contractor shall take such further commercially reasonable actions as identified by Optum, MassIT, EOHHS or CCA, as the case may be, to, or shall take such additional action to assist those entities to, further mitigate, to the extent practicable, any harmful effect of the Event. Any actions to mitigate harmful effects of such Event undertaken by Contractor on its own initiative or pursuant to a request under this paragraph shall not relieve Contractor of its obligations to report such Event under this paragraph or any other provisions of this Agreement.
Notification and Reporting Activities
For all Events and all notices made pursuant to this Agreement, Contractor shall notify Optum as soon as possible, but in any event before Contractor notifies MassIT, CCA and/or EOHHS. Contractor shall, to the extent practicable, coordinate all such notices with Optum, consistent with meeting the deadlines set forth in this Agreement.
As soon as possible, but in any event no later than two (2) business days following the date upon which Contractor becomes aware of the Event, Contractor shall verbally report the Event to Optum as well as MassIT, CCA and/or EOHHS, as the case may be, with as much of the details listed below as possible, and shall follow such verbal report within five (5) business days with a written report outlining the Event with the following details to the extent that such details are available at the time of the report and subsequently as additional information becomes available:
the date of the Event, if known or if not known, the estimated date;
the date of the discovery of the Event;
the nature of the Event, including as much specific detail as possible (for example, cause, contributing factors, chronology of events) and the nature of the PI involved (for example, types of identifiers involved such as name, address, age, social security numbers or account numbers; or medical or financial or other types of information);
include any sample forms or documents that were involved in the Event to illustrate the type of PI involved (with personal identifiers removed or redacted);
the exact number of individuals whose PI was involved in the Event, if known, or if not known, a reasonable estimate based on the known facts, together with a description of how the exact or estimated number of individuals was determined (if different types of PI were involved for different individuals, please categorize the exact or estimated numbers of individuals involved according to type of PI);
the harmful effects of the Event known to Contractor, all actions Contractor has taken or plans to take to mitigate such effects, and the results of all mitigation actions already taken;
a summary of the nature and scope of Contractor’s investigation; and
a summary of steps taken in connection with and to prevent such Event in the future, including copies of revised policies and procedures, changes in business processes, and staff training.
Contractor shall provide the verbal and written reports described above to the following entity or entities:
If an Event involves PI relating solely to applicants, beneficiaries and/or Household Members of EOHHS Programs, Contractor shall report such Event to the Privacy Officer of EOHHS;
If an Event involves PI relating solely to applicants, beneficiaries and/or Household Members of CCA Programs, Contractor shall report such Event to the Privacy Officer of CCA;
If an Event involves PI relating to applicants, beneficiaries and/or Household Members of both EOHHS and CCA Programs, or if Contractor cannot determine conclusively that the PI relates solely to applicants, beneficiaries and/or Household Members of a CCA or EOHHS Program, Contractor shall report such Event to the Privacy Officers of EOHHS and CCA;
With respect to an Event pertaining to system administration, data security or system security, in addition to other notification and reporting obligations under this Agreement, Contractor shall report such Event to MassIT’s Privacy and Security Officers; and
With respect to an Event pertaining to Third Party Data or Third Party Data Systems, Contractor shall report such Event to the Privacy Officers of EOHHS, CCA and MassIT. Contractor acknowledges and agrees that it may be subject to reporting obligations under one or more Third Party Agreements in addition to, or that differ from, its obligations under this Section 2.6.
In cases where Contractor provides notice to more than one entity in accordance with the foregoing procedures, Contractor and Optum will work together in good faith with MassIT, EOHHS and CCA, which shall promptly determine and notify Contractor in writing of the appropriate entity(ies) for further information, notification, mitigation or other action, and Contractor shall provide such further information, notification, mitigation or actions required by this Agreement as directed by the entity so identified.
Consumer Notification
In the event the consumer notification provisions of 45 CFR Part 164, Subpart D, Mass. Gen. Laws c. 93H or similar notification requirements in other state or federal laws or regulations are triggered by an Event, Contractor shall promptly comply with its obligations under such laws or regulations. For the avoidance of doubt, such obligations may include providing additional notification(s) to MassIT, EOHHS and/or CCA in accordance with 45 CFR §164.410 and/or Mass. Gen. Laws c. 93H, §3(a). If Optum, MassIT, CCA or EOHHS determine, in their sole discretion, that any of them is required to give such notifications, Contractor shall, at MassIT’s, CCA’s or EOHHS’ request, assist MassIT, CCA and/or EOHHS in drafting these notices and any related required notices to state agencies for Optum, MassIT, CCA or EOHHS review and approval (as applicable), but in no event shall Contractor have the authority to give these notifications on Optum’s, MassIT’s, CCA’s or EOHHS’ behalf.
Contractor shall reimburse Optum, MassIT, CCA or EOHHS, as the case may be, for reasonable costs incurred by Optum, MassIT, CCA or EOHHS associated with such notification, but only to the extent that such costs are due to: (a) Contractor’s failure to meet its responsibilities under, or in violation of, any provision of this Agreement, (b) Contractor’s violation of law, (c) Contractor’s negligence, (d) Contractor’s failure to protect data under its control with encryption or other security measures that constitute an explicit safe harbor or exception to any requirement to give notice under such laws, or (e) any activity or omission of its employees, agents, or subcontractors resulting in or contributing to an Event triggering such laws.
Response to Legal Process
Unless explicitly prohibited by applicable law or regulation, Contractor shall report to Optum and to the Privacy Officers of MassIT, EOHHS and CCA, both verbally and in writing, any instance where PI or any other data obtained under this Agreement is subpoenaed or becomes the subject of a court or administrative order or other legal process. Contractor shall provide such report as soon as feasible upon receiving or otherwise becoming aware of the legal process; provided, that Contractor shall provide such report no later than five (5) business days prior to the applicable response date.
In response to such legal process, and in accordance with instructions from Optum, MassIT, EOHHS and/or CCA, as appropriate, Contractor shall take all reasonable steps, including objecting to the request when appropriate, to comply with Mass. Gen. Laws c. 66A, 42 CFR §431.306(f), 42 CFR Part 2 and any other applicable federal and state law or regulation. If Optum, MassIT, EOHHS or CCA determine that it shall respond directly, Contractor shall cooperate and assist such entity in its response.
Contractor’s activities under this Section 2.7 shall be at the sole expense of Optum, MassIT, EOHHS and/or CCA, as appropriate, unless the legal process resulted from Contractor’s violation of the Professional Services Agreement or this Agreement or an Event.
Individual’s Privacy Rule Rights
Contractor shall take such action as may be requested by Optum, MassIT, EOHHS and/or CCA to meet any such entity’s obligations under 45 CFR §§ 164.524, 164.526 or 164.528 or other applicable law or regulation pertaining to an Individual’s right to access, amend or obtain an accounting of uses and/or disclosures of his or her PI, with respect to any relevant PI in Contractor’s possession, in sufficient time and manner for such entity to meet its obligations under such Privacy Rule provisions or other law or regulation. If an Individual contacts Contractor with respect to exercising any rights the Individual may have under 45 CFR §§ 164.524, 164.526 or 164.528 or similar law or regulation with respect to PI in Contractor’s possession, Contractor shall notify Optum and MassIT, EOHHS and/or CCA, as appropriate, within two (2) business days of the Individual’s request and cooperate with the appropriate entity to meet any of its obligations with respect to such request.
With respect to an Individual’s right to an accounting under 45 CFR § 164.528 and Mass. Gen. Laws c. 66A, Contractor shall document all uses and disclosures of PI and other data access activities as would be necessary for Optum, MassIT, EOHHS and CCA to respond to a request by an Individual for an accounting in accord with 45 CFR § 164.528 and/or Mass. Gen. Laws c. 66A, as appropriate.
Optum, MassIT, CCA, EOHHS and HHS Record Access
Contractor shall make its internal practices, books, and records, including policies and procedures and PI, relating to the use and disclosure of PI available to Optum, MassIT, CCA, EOHHS and/or the Secretary for review and inspection, in a time and manner designated by Optum, MassIT, CCA, EOHHS or the Secretary, for purposes of enabling Optum, MassIT, CCA, EOHHS or the Secretary to determine compliance with the Privacy and Security Rules and the privacy and security requirements of Third Party Agreements.
Electronic and Paper Databases Updates
Within thirty (30) days of the effective date of this Agreement, Contractor shall provide Optum, MassIT, CCA and EOHHS an accurate list of electronic and paper databases containing PI that is subject to this Agreement, together with a brief description of the various uses of the databases. Contractor shall update such lists as necessary in accord with the addition or termination of such databases. Optum, MassIT, CCA and EOHHS may inspect Contractor’s information security plan and electronic security plan under Executive Order 504 in accordance with designated time frames under that Executive Order.
Privacy and Security Officer(s)
Within five (5) days of the effective date of this Agreement, Contractor shall notify Optum in writing of the names of its Privacy Officer and Security Officer under Executive Order 504, who both shall be responsible for compliance with this Agreement. Contractor shall also notify Optum in writing within five (5) business days of any transfer of the Privacy or Security Officer’s duties to other persons within its organization.
CORI Regulations
Contractor shall, pursuant to and in accordance with 101 CMR 15.00, require and consider the criminal history information pertaining to: (a) all applicants and employees seeking a position within Contractor that entails the potential for unsupervised contact with MassHealth applicants or members; (b) those Contractor applicants and employees for whom criminal history information is necessary to comply with other legal requirements; and (c) those Contractor applicants and employees for whom criminal history information is deemed to be relevant to the duties and qualifications of the position by Contractor or EOHHS (subject to the applicable exceptions set forth in 101 CMR 15.03). For purposes of subsection (c) of the foregoing sentence, Contractor acknowledges and agrees that EOHHS deems criminal history information to be relevant to the duties and qualifications of any Contractor applicant or employee whose position would or does entail access (including potential access) to PI. Contractor shall otherwise comply with all applicable terms of 101 CMR 15.00.
PERMITTED USES AND DISCLOSURES BY CONTRACTOR
Except as otherwise limited in this Agreement, including this Section 3, Contractor may use or disclose PI only as follows:
Functions and Services
Contractor may use or disclose PI to perform functions, activities, or services for, or on behalf of, Optum (including for MassIT, CCA or EOHHS) as specified in the Professional Services Agreement, or as otherwise required by, and in accordance with, the provisions of this Agreement; provided such use or disclosure would not: (a) violate the Privacy Rule if done by Optum, MassIT, EOHHS or CCA (as applicable); (b) violate the minimum necessary policies and procedures of Optum, MassIT, EOHHS or CCA that are known to Contractor or that Optum, EOHHS or CCA advises Contractor of; or (c) conflict with statements in Optum’s, EOHHS’s or CCA’s Notice of Privacy Practices. In performing functions, activities, or services under, or otherwise complying with, the Professional Services Agreement and this Agreement, Contractor represents that it shall seek from Optum, MassIT, CCA and EOHHS only the amount of PI that is minimally necessary to perform the particular function, activity, or service. To the extent the Professional Services Agreement permits Contractor to request, on Optum’s, MassIT’s, CCA’s or EOHHS’s behalf, PI from other Covered Entities under the Privacy Rule, Contractor shall only request an amount of PI that is reasonably limited to the minimum necessary to perform the intended function, activity, or service.
Required By Law
Contractor may use or disclose PI as Required by Law, consistent with the restrictions of 42 CFR Part 431, Subpart F (including 42 CFR §431.306(f)), 42 CFR Part 2, Mass. Gen. Laws c. 66A, any other applicable privacy or security law or regulation (state or federal) or any applicable Third Party Agreement governing or restricting Contractor’s use, disclosure, and maintenance of PI.
Restriction on Contacting Individual
Contractor shall not use PI to attempt to contact the Individual: (a) unless such contact is otherwise necessary to perform the first-line call center support services or Optum instructs Contractor to do so in writing, or (b) except pursuant to and in accordance with written instructions from the Privacy Officers of EOHHS and CCA.
Publication Restriction
Contractor agrees that it shall not publish or otherwise disclose PI or other information obtained pursuant to the Professional Services Agreement in any form or any statistical tabulations or research results derived from such data, whether or not the PI or data can be linked to a specific individual or has otherwise been de-identified in accord with the standards set forth in 45 CFR §164.514, without prior written permission from the Privacy Officer of Optum, EOHHS and CCA.
Management and Administration
Contractor may use protected health information as necessary for the proper management and administration of the Contractor or as necessary to carry out the legal responsibilities of the Contractor, provided, that, such use must comply with all applicable terms and conditions set forth in this Agreement.
Aggregation
Contractor may provide Data Aggregation services relating to the health care operations of CCA and/or EOHHS if and to the extent specified in the Professional Services Agreement or pursuant to written permission from the Privacy Officer of Optum. Contractor shall provide Data Aggregation services in accordance with the terms and conditions of this Agreement (including the terms of Section 3.1). Unless authorized in writing by the Privacy Officer of Optum, Contractor shall use and disclose aggregated data only to perform functions, activities, or services for, or on behalf of, Optum (including for MassIT, CCA or EOHHS) as specified in the Professional Services Agreement, or as otherwise required by, and in accordance with, the provisions of this Agreement (and, for the avoidance of doubt, not for Contractor’s own purposes).
De-identification
If and to the extent specified in the Professional Services Agreement or authorized in writing by the Privacy Officer of Optum, Contractor may use PI to de-identify such information in accord with the standards set forth in 45 CFR §164.514. Unless authorized in writing by the Privacy Officer of Optum, Contractor shall de-identify PI pursuant to 45 CFR §164.514(b)(2). Contractor’s use of PI for de-identification purposes shall comply with the terms and conditions of this Agreement (including the terms of Section 3.1). Unless authorized in writing by the Privacy Officers of EOHHS and CCA, Contractor shall use and disclose de-identified data only to perform functions, activities, or services for, or on behalf of, Optum (including for MassIT, CCA or EOHHS) as specified in the Professional Services Agreement, or as otherwise required by, and in accordance with, the provisions of this Agreement (and, for the avoidance of doubt, not for Contractor’s own purposes).
Limited Data Sets
If and to the extent specified in the Professional Services Agreement or authorized in writing by the Privacy Officer of Optum, Contractor may use PI to create limited data sets (as defined in 45 CFR §164.514(e)(2)) for Optum (including for MassIT, CCA or EOHHS) in accord with the standards set forth in 45 CFR §164.514. Contractor’s use of PI to create a limited data set shall comply with the terms and conditions of this Agreement (including the terms of Section 3.1).
OPTUM’S OBLIGATIONS UNDER THIS AGREEMENT
Changes in Notice of Privacy Practices
Optum shall notify Contractor’s Privacy Officer in writing of any changes in EOHHS’ or CCA’s Notice of Privacy Practices to the extent that such change may affect Contractor’s use or disclosure of PI under the Professional Services Agreement, and shall provide Contractor with a new copy of EOHHS’ or CCA’s Notice of Privacy Practices as modified or amended.
Notification of Changes in Authorizations to Disclose
Optum shall notify Contractor’s Privacy Officer in writing of any changes in, or revocation of, permission by an Individual to use or disclose PI that Optum becomes aware of, to the extent that such changes may affect Contractor’s use or disclosure of PI under the Professional Services Agreement.
Notification of Restrictions
To the extent that CCA or EOHHS informs Optum, Optum shall notify Contractor’s Privacy Officer in writing of any restriction on the use or disclosure of PI that CCA or EOHHS has agreed to in accord with 45 CFR §164.522, to the extent that such restriction may affect Contractor’s use or disclosure of PI under the Professional Services Agreement.
Requests to Use or Disclose PI
Optum shall not request Contractor to use or disclose PI in a manner that Optum knows would violate the Privacy Rule if done by Optum, MassIT, CCA or EOHHS (except for uses and disclosures specifically authorized under Sections 3.5 and 3.6 hereof).
TERMINATION
Termination for Privacy or Security Violation
Notwithstanding any other provision in this Agreement or the Professional Services Agreement, Optum may terminate this Agreement and the Professional Services Agreement, in whole or in part, immediately upon written notice, if Optum determines, in its sole discretion, that Contractor has violated any material term of this Agreement or any provision of the Professional Services Agreement pertaining to the security and privacy of any PI.
Cure
Prior to terminating this Agreement and the Professional Services Agreement as permitted above, Optum, in its sole discretion, may provide Contractor with written notice of the violation and permit Contractor to cure the breach or end the violation, provided that such cure is reasonably capable of prompt and complete resolution. If such an opportunity is provided, but cure is not feasible, or Contractor fails to cure the breach or end the violation within a time period set by Optum, Optum may terminate this Agreement and the Professional Services Agreement immediately upon written notice. Notwithstanding the foregoing, Optum shall not be entitled to provide Contractor with an opportunity to cure if MassIT, CCA or EOHHS object to such cure period.
Effect of Termination
Except as provided immediately below, upon termination of the Professional Services Agreement for any reason whatsoever, Contractor shall, at Optum’s direction, return or destroy all PI and, at Optum’s direction, either return or destroy Commonwealth Security Information, and Contractor shall not retain any copies of such information in any form. In no event shall Contractor destroy any PI or Commonwealth Security Information without first obtaining Optum’s approval as applicable. In the event destruction is permitted, Contractor shall destroy PI and Commonwealth Security Information in accord with the standards set forth in NIST Special Publication 800-88, Guidelines for Media Sanitization, all applicable state retention laws and regulations, all applicable state and federal security laws and regulations, and all state data security policies including policies issued by Optum, MassIT, CCA and EOHHS. This provision shall apply to all PI and Commonwealth Security Information in the possession of Contractor’s subcontractors or agents, and Contractor shall ensure that all such information in the possession of its subcontractors or agents has been returned or destroyed and that no subcontractor or agent retains any copies of such information in any form, in accord with Optum’s instructions, as appropriate.
If Contractor determines that returning or destroying PI or Commonwealth Security Information is not feasible including the inability to extract PI from the confidential information of other customers of Contractor, Contractor shall provide Optum (or MassIT, CCA or EOHHS as applicable) with written notification of the conditions that make return or destruction not feasible. If based on Contractor’s representations, Optum and MassIT concur that return or destruction is not feasible, Contractor shall extend all protections set forth in this Agreement to all such information and shall limit further uses and disclosures of such information to those purposes that make its return or destruction not feasible, for as long as Contractor (or any of its subcontractors or agents) maintains the information.
Notwithstanding any other provision concerning the term of this Agreement or the Professional Services Agreement, all protections pertaining to PI and/or Commonwealth Security Information shall survive the termination of this Agreement and the Professional Services Agreement and shall continue to apply until such time as all such information is returned to MassIT, CCA or EOHHS as Optum has directed, or destroyed in accordance with Section 5.3.1 above, or until any period of storage following termination is ended, or, if return or destruction is not feasible, for as long as Contractor or a subcontractor or agent maintains the information in accord with Section 5.3.2 immediately above.
MISCELLANEOUS PROVISIONS
Regulatory References
Any reference in this Agreement to a section in the Privacy or Security Rules or other regulation or law refers to that section as in effect or as amended.
Amendment
Contractor agrees to take such action as is necessary to amend this Agreement in order for Optum, EOHHS, CCA or MassIT to comply with any requirements of the Privacy and Security Rules, the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (HIPAA), 42 CFR Part 2 and any other applicable state or federal law or regulation pertaining to the privacy, confidentiality, or security of PI. Upon Optum’s written request, Contractor agrees to enter promptly into negotiations for any amendment as Optum, MassIT, EOHHS or CCA, in its sole discretion, deems necessary for Optum’s, MassIT’s, CCA’s or EOHHS’s compliance with any such laws or regulations. Contractor agrees that, notwithstanding any other provision in this Agreement or the Professional Services Agreement, Optum may terminate this Agreement and the Professional Services Agreement immediately upon written notice, in the event Contractor fails to enter into negotiations for, and to execute, any such amendment.
No amendment to this Agreement will be effective unless it is in writing and signed by both Parties.
Required Change in Privacy or Security Requirements
In the case of any Required Change in privacy or security requirements, Optum shall give Contractor written notice of such change with as much advance notice as is reasonably possible under the circumstances; from and after the date that Contractor receives such notice or knew (or by exercising reasonable diligence would have known) of the Required Change, Contractor shall have the obligation to comply with any such Required Change, subject to this Section 6.2.1.
Upon notice of a Required Change, either party may propose changes to the Contract requirements, Services, milestones or schedules to implement the required changes under the Contract’s change request process. The Change Request shall include interim steps to achieve compliance as are practicable under the circumstances.
If and to the extent that the Required Change constitutes a compensable change under the Contract under Section 5.7(c) of the MSA, Contractor shall be entitled to an equitable adjustment of the Contract price. The parties agree to work together in good faith to reach agreement regarding any request for equitable adjustment by Contractor including mutual agreement regarding the appropriate share of costs to be borne by the Contractor for changes that must be implemented on a broader basis by Contractor. Failure to reach agreement shall be subject to the Contract’s dispute escalation and resolution process.
Provided Optum provides additional compensation in line with Contract provisions on additional fees, Contractor shall continue to provide the Services and deliver any Deliverables in accordance with Contract requirements even if either party has escalated such matter for dispute resolution.
Survival
In accordance with Section 5.3.3, above, certain obligations of Contractor under this Agreement shall survive the termination of this Agreement and the Professional Services Agreement. Additionally, the obligations of Contractor under Section 5.3 of this Agreement shall survive the termination of this Agreement and the Professional Services Agreement.
Waiver
Optum’s, MassIT’s, CCA’s or EOHHS’ exercise or non-exercise of any authority under this Agreement, or the exercise or non-exercise of inspection or approval of privacy or security practices or approval of subcontractors, shall not relieve Contractor of any obligations set forth herein, nor be construed as a waiver of any of Contractor’s obligations or as an acceptance of any unsatisfactory practices or privacy or security failures or breaches by Contractor.
Third Party Beneficiaries
MassIT, EOHHS and CCA are each an intended third-party beneficiary of, with a right to enforce, this Agreement.
Interpretation
Any ambiguity in this Agreement shall be resolved to permit Optum, EOHHS, CCA and/or MassIT to comply with the Privacy and Security Rules, HIPAA, 42 CFR Part 2 and any other applicable law or regulation pertaining to the privacy, confidentiality, or security of PI.
Effective Date
This Agreement shall be effective immediately upon its execution by the Parties.
IN WITNESS THEREOF, the Parties have caused their duly authorized representatives to execute this Data Management and Confidentiality Agreement as of the date(s) written below.
CONTRACTOR: hCentive, Inc.
By:
Name:
Title:
Date: September 30, 2014

OPTUM: OptumInsight, Inc.
By:
Name:
Title: CIO, Optum
Date: September 30, 2014