Common use of DIR Personal Data Clause in Contracts

DIR Personal Data. In addition to the provisions of Sections 13.1 and 13.2, the following privacy and data protection provisions shall apply to DIR Personal Data. (a) Service Provider shall hold any DIR Personal Data that it receives in confidence and in compliance with (i) Service Provider's obligations under this Agreement, the Exhibits and Attachments hereto and the Service Management Manual and (ii) subject to Section 15.12, all Laws regarding its use of and access to such DIR Personal Data. (b) Service Provider agrees that Service Provider and Service Provider Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Service Provider shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Service Provider shall take appropriate action to cause: (i) Any Service Provider Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section 13.3; and (ii) Any Service Provider Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Service Provider shall be responsible for any failure of Service Provider Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section 13.3. (c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Service Provider shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the DIR Managed Applications Services Manager or identified in the Service Management Manual.
(d) With respect to Personal Medical Data, Service Provider shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Service Provider to obtain such authorization. In such case, Service Provider agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR. (e) With respect to Personal Medical Data, a person may request to inspect, copy, amend and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Service Provider shall be directed to, and any actions required shall be determined by, DIR. (f) DIR shall notify Service Provider of any: (i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Service Provider's use or disclosure of DIR Personal Data; and (ii) Restriction on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Service Provider's use or disclosure of such DIR Personal Data. Service Provider agrees to promptly implement any such limitation or restriction as directed by DIR. (g) If Service Provider has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Service Provider shall: (i) Expeditiously report such unauthorized disclosure or access to DIR, (ii) Mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Service Provider or its agents, and (iii) Cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. 
To the extent such unauthorized disclosure or access is attributable to a breach by Service Provider or Service Provider Personnel of Service Provider's obligations under this Agreement with respect to DIR Personal Data, Service Provider shall bear (A) the costs incurred by Service Provider in complying with its legal obligations relating to such breach and (B) in addition to any other damages for which Service Provider may be liable for under this Agreement (except to the extent such disclosure is due to DIR's failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data), the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable, (1) the cost of providing notice to affected individuals, (2) where such breach results in the potential for exposure of personal credit (e.g. social security number) or financial account information the cost of providing such affected individuals with credit monitoring services for twelve (12) months, (3) the cost of providing such affected individuals with $50,000 of identity theft insurance, and (4) call center support for such affected individuals for thirty (30) days and (5) any other Losses for which Service Provider would be liable under Sections 17.1(d) and 18.3(c)(v). (h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor.
(i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall: (i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule. Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware: (A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and (B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.

Appears in 2 contracts

Sources: Master Services Agreement, Master Services Agreement

DIR Personal Data. In addition to the provisions of Sections 13.1 and 13.2, the following privacy and data protection provisions shall apply to DIR Personal Data. (a) Service Provider shall hold any DIR Personal Data that it receives in confidence and in compliance with (i) Service Provider's obligations under this Agreement, the Exhibits and Attachments hereto and the Service Management Manual and (ii) subject to Section 15.11, all Laws regarding its use of and access to such DIR Personal Data. (b) Service Provider agrees that Service Provider and Service Provider Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Service Provider shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Service Provider shall take appropriate action to cause: (i) Any Service Provider Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section 13.3; and (ii) Any Service Provider Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Service Provider shall be responsible for any failure of Service Provider Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section 13.3. (c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Service Provider shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the DIR Data Center Services Manager or identified in the Service Management Manual.
(d) With respect to Personal Medical Data, Service Provider shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Service Provider to obtain such authorization. In such case, Service Provider agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR. (e) With respect to Personal Medical Data, a person may request to inspect, copy, amend and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Service Provider shall be directed to, and any actions required shall be determined by, DIR. (f) DIR shall notify Service Provider of any: (i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Service Provider's use or disclosure of DIR Personal Data; and (ii) Restriction on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Service Provider's use or disclosure of such DIR Personal Data. Service Provider agrees to promptly implement any such limitation or restriction as directed by DIR. (g) If Service Provider has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Service Provider shall: (i) Expeditiously report such unauthorized disclosure or access to DIR, (ii) Mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Service Provider or its agents, and (iii) Cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. 
To the extent such unauthorized disclosure or access is attributable to a breach by Service Provider or Service Provider Personnel of Service Provider's obligations under this Agreement with respect to DIR Personal Data, Service Provider shall bear (A) the costs incurred by Service Provider in complying with its legal obligations relating to such breach and (B) in addition to any other damages for which Service Provider may be liable for under this Agreement (except to the extent such disclosure is due to DIR's failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data), the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable, (1) the cost of providing notice to affected individuals, (2) where such breach results in the potential for exposure of personal credit (e.g. social security number) or financial account information the cost of providing such affected individuals with credit monitoring services for twelve (12) months, (3) the cost of providing such affected individuals with $50,000 of identity theft insurance, and (4) call center support for such affected individuals for thirty (30) days and (5) any other Losses for which Service Provider would be liable under Sections 17.1(d) and 18.3(c)(v). (h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor.
(i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall: (i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule. Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware: (A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and (B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.

Appears in 1 contract

Sources: Master Services Agreement

DIR Personal Data. In addition to the provisions of Section 6.1 Confidentiality and Section 6.2 DIR Data, the following privacy and data protection provisions shall apply to DIR Personal Data. (a) Successful Respondent shall hold any DIR Personal Data that it receives in confidence and in compliance with: (i) Successful Respondent’s obligations under this Agreement, the Exhibits, and Attachments hereto and the SMM; and (ii) subject to Section 8.11 Compliance with Laws, all Laws regarding its use of and access to such DIR Personal Data. (b) Successful Respondent agrees that Successful Respondent and Successful Respondent Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Successful Respondent shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Successful Respondent shall take appropriate action to cause: (i) any Successful Respondent Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section; and (ii) any Successful Respondent Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Successful Respondent shall be responsible for any failure of Successful Respondent Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section.
(c) When interfacing with DIR or the applicable DCS Customer regarding DIR Personal Data, Successful Respondent shall only disclose or transmit DIR Personal Data to those DIR or DCS Customer employees and DIR Contractors authorized by the Designated DIR Representative or identified in the SMM. (d) With respect to Personal Medical Data, Successful Respondent shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Successful Respondent to obtain such authorization. In such case, Successful Respondent agrees to reasonably assist DIR or the applicable DCS Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR. (e) With respect to Personal Medical Data, a person may request to inspect, copy, amend, and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Successful Respondent shall be directed to, and any actions required shall be determined by, DIR. (f) DIR shall notify Successful Respondent of any: (i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Successful Respondent’s use or disclosure of DIR Personal Data; and (ii) Restrictions on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Successful Respondent’s use or disclosure of such DIR Personal Data.
Successful Respondent agrees to promptly implement any such limitation or restriction as directed by DIR. (g) If Successful Respondent has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Successful Respondent shall: (i) Expeditiously report such unauthorized disclosure or access to DIR within three (3) hours of discovering the unauthorized disclosure or access; (ii) mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Successful Respondent or its agents; and (iii) cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. (h) To the extent such unauthorized disclosure or access is attributable to a breach by Successful Respondent or Successful Respondent Personnel of Successful Respondent’s obligations under this Agreement with respect to DIR Personal Data, Successful Respondent shall bear: (i) the costs incurred by Successful Respondent in complying with its legal obligations relating to such breach; and (ii) in addition to any other damages for which Successful Respondent may be liable for under this Agreement [except to the extent such disclosure is due to DIR’s failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data], the following costs incurred by DIR or the DCS Customer in complying with their legal obligations relating to such breach, to the extent applicable: A. the cost of providing notice to affected individuals; B.
the cost of providing such affected individuals with credit-monitoring services for thirty-six (36) months; C. creating a call center for such affected individuals for thirty (30) days after the last notification is sent; D. any related governmental fees or fines assessed against DIR or DCS Customers; and E. any other Losses for which Successful Respondent would be liable under Section 10.1.4 DIR Data or Confidential Information. The above shall not be considered damages subject to, and shall not be counted toward, any liability exclusion or cap specified in Article 11. (i) As reasonably requested by DIR, Successful Respondent shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor. (j) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Successful Respondent shall: (i) Subject to Section 8.11 Compliance with Laws, implement the technical, organizational, and security measures, including administrative, physical, and technical safeguards, to protect the confidentiality, integrity, and availability of Personal Medical Data containing electronic PHI ("ePHI") created, received, maintained, or transmitted by Successful Respondent or Successful Respondent Personnel in compliance with the HIPAA Security Rule.
Successful Respondent shall cause any Successful Respondent Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity, and availability of ePHI as required by the HIPAA Security Rule. Successful Respondent shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing PHI of which Successful Respondent becomes aware: A. such reports shall be provided only as frequently as the Parties mutually agree but no more than once per person calendar quarter; and B. if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify, or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulation, 45 CFR Part 164, as such regulations may be amended from time to time.

Appears in 1 contract

Sources: Mainframe Services Master Services Agreement

DIR Personal Data. In addition to the provisions of Section 6.1 Confidentiality and Section 6.2 DIR Data, the following privacy and data protection provisions shall apply to DIR Personal Data. (a) Successful Respondent shall hold any DIR Personal Data that it receives in confidence and in compliance with: (i) Successful Respondent’s obligations under this Agreement, the Exhibits, and Attachments hereto and the SMM; and (ii) subject to Section 8.11 Compliance with Laws, all Laws regarding its use of and access to such DIR Personal Data. (b) Successful Respondent agrees that Successful Respondent and Successful Respondent Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Successful Respondent shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Successful Respondent shall take appropriate action to cause: (i) any Successful Respondent Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section; and (ii) any Successful Respondent Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Successful Respondent shall be responsible for any failure of Successful Respondent Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section.
(c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Successful Respondent shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the Designated DIR Representative or identified in the SMM. (d) With respect to Personal Medical Data, Successful Respondent shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Successful Respondent to obtain such authorization. In such case, Successful Respondent agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR. (e) With respect to Personal Medical Data, a person may request to inspect, copy, amend, and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Successful Respondent shall be directed to, and any actions required shall be determined by, DIR. (f) DIR shall notify Successful Respondent of any: (i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Successful Respondent’s use or disclosure of DIR Personal Data; and (ii) Restrictions on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Successful Respondent’s use or disclosure of such DIR Personal Data.
Successful Respondent agrees to promptly implement any such limitation or restriction as directed by DIR. (g) If Successful Respondent has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Successful Respondent shall: (i) Expeditiously report such unauthorized disclosure or access to DIR within three (3) hours of discovering the unauthorized disclosure or access; (ii) mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Successful Respondent or its agents; and (iii) cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. (h) To the extent such unauthorized disclosure or access is attributable to a breach by Successful Respondent or Successful Respondent Personnel of Successful Respondent’s obligations under this Agreement with respect to DIR Personal Data, Successful Respondent shall bear: (i) the costs incurred by Successful Respondent in complying with its legal obligations relating to such breach; and (ii) in addition to any other damages for which Successful Respondent may be liable for under this Agreement [except to the extent such disclosure is due to DIR’s failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data], the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable: A. the cost of providing notice to affected individuals; B.
the cost of providing such affected individuals with credit-monitoring services for thirty-six (36) months; C. creating a call center for such affected individuals for thirty (30) days after the last notification is sent; D. any related governmental fees or fines assessed against DIR or DIR Customers; and E. any other Losses for which Successful Respondent would be liable under Sections 17.1(d) and 18.3(c)(v). (h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor. (i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall: (i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule.
Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware: (A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and (B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.

Appears in 1 contract

Sources: Master Services Agreement

DIR Personal Data. In addition to the provisions of Sections 13.1 and 13.2, the following privacy and data protection provisions shall apply to DIR Personal Data. (a) Service Provider shall hold any DIR Personal Data that it receives in confidence and in compliance with (i) Service Provider's obligations under this Agreement, the Exhibits and Attachments hereto and the Service Management Manual and (ii) subject to Section 15.11, all Laws regarding its use of and access to such DIR Personal Data. (b) Service Provider agrees that Service Provider and Service Provider Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Service Provider shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Service Provider shall take appropriate action to cause: (i) Any Service Provider Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section 13.3; and (ii) Any Service Provider Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Service Provider shall be responsible for any failure of Service Provider Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section 13.3. (c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Service Provider shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the DIR Data Center Services Manager or identified in the Service Management Manual.
(d) With respect to Personal Medical Data, Service Provider shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Service Provider to obtain such authorization. In such case, Service Provider agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR. (e) With respect to Personal Medical Data, a person may request to inspect, copy, amend and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Service Provider shall be directed to, and any actions required shall be determined by, DIR. (f) DIR shall notify Service Provider of any: (i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Service Provider's use or disclosure of DIR Personal Data; and (ii) Restriction on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Service Provider's use or disclosure of such DIR Personal Data. Service Provider agrees to promptly implement any such limitation or restriction as directed by DIR. (g) If Service Provider has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Service Provider shall: (i) Expeditiously report such unauthorized disclosure or access to DIR, (ii) Mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Service Provider or its agents, and (iii) Cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. 
To the extent such unauthorized disclosure or access is attributable to a breach by Service Provider or Service Provider Personnel of Service Provider's obligations under this Agreement with respect to DIR Personal Data, Service Provider shall bear (A) the costs incurred by Service Provider in complying with its legal obligations relating to such breach and (B) in addition to any other damages for which Service Provider may be liable for under this Agreement (except to the extent such disclosure is due to DIR's failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data), the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable, (1) the cost of providing notice to affected individuals, (2) where such breach results in the potential for exposure of personal credit (e.g. social security number) or financial account information the cost of providing such affected individuals with credit monitoring services for twelve (12) months, (3) the cost of providing such affected individuals with $50,000 of identity theft insurance, and (4) call center support for such affected individuals for thirty (30) days and (5) any other Losses for which Service Provider would be liable under Sections 17.1(d) and 18.3(c)(v). (h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor. 
(i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall: (i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule. Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware: (A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and (B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.

Appears in 1 contract

Sources: Master Services Agreement

DIR Personal Data. In addition to the provisions of Sections 13.1 and 13.2, the following privacy and data protection provisions shall apply to DIR Personal Data. (a) Service Provider shall hold any DIR Personal Data that it receives in confidence and in compliance with (i) Service Provider's obligations under this Agreement, the Exhibits and Attachments hereto and the Service Management Manual and (ii) subject to Section 15.12, all Laws regarding its use of and access to such DIR Personal Data. (b) Service Provider agrees that Service Provider and Service Provider Personnel shall not use any DIR Personal Data for any purpose other than the fulfillment of the terms and conditions of this Agreement. Service Provider shall not process or disseminate DIR Personal Data to any third party or transfer DIR Personal Data without the approval of DIR unless expressly provided for in this Agreement. Service Provider shall take appropriate action to cause: (i) Any Service Provider Personnel who have access to DIR Personal Data pursuant to this Agreement to be advised of, and comply with, the terms and conditions of this Section 13.3; and (ii) Any Service Provider Personnel who have access to DIR Personal Data to be trained regarding their handling of such DIR Personal Data. Service Provider shall be responsible for any failure of Service Provider Personnel to comply with the terms and conditions regarding DIR Personal Data set forth in this Section 13.3. (c) When interfacing with DIR or the applicable DIR Customer regarding DIR Personal Data, Service Provider shall only disclose or transmit DIR Personal Data to those DIR or DIR Customer employees and DIR Contractors authorized by the DIR Managed Applications Services Manager or identified in the Service Management Manual. 
(d) With respect to Personal Medical Data, Service Provider shall not need to obtain authorizations from the persons to whom such Personal Medical Data pertains unless DIR determines that such authorizations are necessary and advises Service Provider to obtain such authorization. In such case, Service Provider agrees to reasonably assist DIR or the applicable DIR Customer in obtaining an authorization, or in confirming that such authorization has been obtained, from each person before viewing any Personal Medical Data of such person contained in DIR's files or systems. The authorization form to be used for this purpose shall be provided by DIR. (e) With respect to Personal Medical Data, a person may request to inspect, copy, amend and restrict disclosure of his or her Personal Medical Data when and as permitted by Law. Any such requests that are received by Service Provider shall be directed to, and any actions required shall be determined by, DIR. (f) DIR shall notify Service Provider of any: (i) Limitation in any privacy notice used by DIR to the extent that such limitation may affect Service Provider's use or disclosure of DIR Personal Data; and (ii) Restriction on the use or disclosure of DIR Personal Data to which DIR agreed to the extent that such restriction may affect Service Provider's use or disclosure of such DIR Personal Data. Service Provider agrees to promptly implement any such limitation or restriction as directed by DIR. (g) If Service Provider has knowledge of any unauthorized disclosure of or access to DIR Personal Data, Service Provider shall: (i) Expeditiously report such unauthorized disclosure or access to DIR, (ii) Mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to Service Provider or its agents, and (iii) Cooperate with DIR in providing any notices regarding impermissible disclosures caused by such disclosure or access which DIR deems appropriate. 
To the extent such unauthorized disclosure or access is attributable to a breach by Service Provider or Service Provider Personnel of Service Provider's obligations under this Agreement with respect to DIR Personal Data, Service Provider shall bear (A) the costs incurred by Service Provider in complying with its legal obligations relating to such breach and (B) in addition to any other damages for which Service Provider may be liable for under this Agreement (except to the extent such disclosure is due to DIR's failing to provide (including through authorization to provide as part of the Services) the level of encryption required under applicable Law to protect such Data), the following costs incurred by DIR or the DIR Customer in complying with their legal obligations relating to such breach, to the extent applicable, (1) the cost of providing notice to affected individuals, (2) where such breach results in the potential for exposure of personal credit (e.g. social security number) or financial account information the cost of providing such affected individuals with credit monitoring services for twelve (12) months, (3) the cost of providing such affected individuals with $50,000 of identity theft insurance, and (4) call center support for such affected individuals for thirty (30) days and (5) any other Losses for which Service Provider would be liable under Sections 17.1(d) and 18.3(c)(v). (h) As reasonably requested by DIR, Service Provider shall deliver to DIR all or any specified Personal Medical Data in the format and on the media reasonably prescribed by DIR and promptly deliver such Data to DIR or a designated DIR Contractor. 
(i) With respect to Personal Medical Data constituting "protected health information" ("PHI"), as such term is defined by the HIPAA Privacy Rule, Service Provider shall: (i) Subject to Section 15.11, implement the technical, organizational and security measures, including administrative, physical and technical safeguards, to protect the confidentiality, integrity and availability of Personal Medical Data constituting electronic PHI ("ePHI") created, received, maintained or transmitted by Service Provider or Service Provider Personnel in compliance with the HIPAA Security Rule. Service Provider shall cause any Service Provider Personnel who have access to ePHI to agree in writing to protect the confidentiality, integrity and availability of ePHI as required by the HIPAA Security Rule. Service Provider shall expeditiously report to DIR any successful unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations in an information system containing PHI of which Service Provider becomes aware: (A) such reports shall be provided only as frequently as the Parties mutually agree, but no more than once per calendar quarter, and (B) if the HIPAA Security Rule is amended to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy ePHI from the definition of "Security Incident," this paragraph shall no longer apply as of the effective date of such amendment. For purposes of this provision, "Security Incident" shall have the meaning given in HIPAA Security Regulations, 45 CFR Part 164, as such regulations may be amended from time to time.

Appears in 1 contract

Sources: Master Services Agreement