Access to Protected Information If BA maintains a designated record set on behalf of CE, BA shall make Protected Information maintained by BA or its agents or subcontractors in Designated Record Sets available to CE for inspection and copying within five (5) days of a request by CE to enable CE to fulfill its obligations under state law [Health and Safety Code Section 123110] and the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.524 [45 C.F.R. Section 164.504(e)(2)(ii)(E)]. If BA maintains Protected Information in electronic format, BA shall provide such information in electronic format as necessary to enable CE to fulfill its obligations under the HITECH Act and HIPAA Regulations, including, but not limited to, 42 U.S.C. Section 17935(e) and 45 C.F.R. Section 164.524.
Security of Information Unless otherwise specifically authorized by the DOH IT Security Officer, Contractor receiving confidential information under this contract assures that:
It is compliant with the applicable provisions of the Washington State Office of the Chief Information Officer’s policy, Securing Information Technology Assets, available at ▇▇▇▇://▇▇▇.▇▇.▇▇▇/ocio.
It will provide DOH copies of its IT security policies, practices and procedures upon the request of the DOH IT Security Officer. DOH may at any time conduct an audit of the Contractor’s security practices and/or infrastructure to assure compliance with the security requirements of this contract.
It has implemented physical, electronic and administrative safeguards that are consistent with ISB IT security standards and guidelines to prevent unauthorized access, use, modification or disclosure of DOH Confidential Information in any form. This includes, but is not limited to, restricting access to specifically authorized individuals and services through the use of:
Documented access authorization and change control procedures;
Card key systems that restrict, monitor and log access;
Locked racks for the storage of servers that contain Confidential Information, or AES encryption (128-bit or stronger) to protect confidential data at rest;
Documented patch management practices that assure all network systems are running critical security updates within 6 days of release when the exploit is in the wild, and within 30 days of release for all others;
Documented anti-virus strategies that assure all systems are running the most current anti-virus signatures within 1 day of release;
Complex passwords that are systematically enforced and expire at least every 180 days;
Strong (two-factor) authentication mechanisms that assure the identity of individuals who access Confidential Information;
Account lock-out after 5 failed authentication attempts for a minimum of 20 minutes or, for Confidential Information, until administrator reset;
AES encrypted (128-bit or stronger) sessions for all data transmissions;
Firewall rules and network address translation that isolate database servers from web servers and public networks;
Regular review of firewall rules and configurations to assure compliance with authorization and change control procedures;
Log management and intrusion detection/prevention systems;
A documented and tested incident response plan.
Any breach of this clause may result in termination of the contract and the demand for return of all personal information.
Protected Information 5.3.1 In this Section "Protected Information" means:
Confidentiality of Protected Data (a) Vendor acknowledges that the Protected Data it receives pursuant to the Master Agreement originates from the District and that this Protected Data belongs to and is owned by the District. (b) Vendor will maintain the confidentiality of the Protected Data it receives in accordance with federal and state law (including but not limited to Section 2-d) and the District’s policy on data security and privacy. The District will provide Vendor with a copy of its policy on data security and privacy upon request.
Use and Disclosure of Protected Health Information The Business Associate must not use or further disclose protected health information other than as permitted or required by the Contract or as required by law. The Business Associate must not use or further disclose protected health information in a manner that would violate the requirements of HIPAA Regulations.