l. Parties.This is a contract for personal services between the State of Vermont, Department of Vermont Health Access (hereafter called "State"), and CSG Government Solutions, Inc., with a principal place of business in 180 N. Stetson Avenue, Suite 3200, Chicago, IL 60601 (hereafter called "Contractor"). The Contractor's form of business organization is an S-corporation. It is the Contractor's responsibility to contact the Vermont Department of Taxes to determine if, by law, the Contractor is required to have a Vermont Department of Taxes Business Account Number.
2. Subject Matter.The subject matter of this contract is personal services for Independent Verification and Validation (“IV&V”). Detailed services to be provided by the Contractor are described in Attachment A.
3. Maximum Amount.In consideration of the services to be performed by Contractor, the State agrees to pay Contractor, in accordance with the payment provisions specified in Attachment B, a sum not to exceed $4,954,400.
4. Contract Term.The period of Contractor's performance shall begin on April 1, 2015 and end on August 16, 2018. The State and the Contractor have the option of renewing this contract for up to two
(2) one-year extensions.
Work performed between 04/01/15 and the signing or execution of this agreement that is in conformity with Attachment A may be billed under this agreement. Contractor agrees that in exchange for the consideration of the option to bill for services performed, all terms and conditions described in this agreement shall apply to any and all services performed for or on behalf of the State. Contractor agrees that by submitting invoices, bills, or otherwise seeking compensation for services performed prior to the finalization of this agreement or signing of this agreement, contractor is agreeing to the application of all terms of this contract to that period and to that work. Contractor further agrees to defend, indemnify, and hold the State harmless for any claim, dispute, non-contractual cost or charge, or any liability whatsoever, whether in law, equity, or otherwise, which arises from or is connected to the work performed prior to the execution of this agreement. Contractor further agrees that these terms apply regardless of whether the work is accepted by the State, and regardless of whether payment is issued by the State to the Contractor for the work in question.
5. Prior Approvals.If approval by the Attorney General's Office or the Secretary of Administration is required, (under current law, bulletins, and interpretations), neither this contract nor any amendment to it is binding until it has been approved by either or both such persons.
Approval by the Attorney General's Office is required. Approval by the CIO/Commissioner of DII is required. Approval by the Secretary of Administration is required.
6. Amendment.No changes, modifications, or amendments in the terms and conditions of this contract shall be effective unless reduced to writing, numbered and signed by the duly authorized representative of the State and Contractor.
7. Cancellation.This contract may be suspended or cancelled by either party by giving the other party written notice at least 30-days in advance.
8. Attachments.This contract consists of 52-pages including the following attachments, which are incorporated herein:
Attachment A - Specifications of Work to be Performed Attachment B - Payment Provisions
Attachment C - Customary State Contract provisions Attachment E - Business Associate Agreement
Attachment F - Customary Contract Provisions of the Agency of Human Services Appendix I –Required Forms
Appendix II – Task Order Form
The order of precedence of documents shall be as follows: 1). This document
2). Attachment C
3). Attachment A
4). Attachment B
5). Attachment E
7). Attachment F
8). Other Attachments
WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS CONTRACT.
Contractor shall conduct separate Quality Assurance/Independent Verification and Validations (QA/IV&V) for the following State MMIS projects, which shall be collectively referred to herein as “DVHA MMIS Projects” or “Projects”:
1. Design, Development, and Implementation of a Medicaid Management Information System and Integrated Contact Center System and Services (“MMIS Core and Contact Center”);
2. Pharmacy Benefits Management (“PBM”); and
3. Care Management.
E. Task Approval Process
All work must be pre-approved by the State Authorized Representative(s). The State reserves the right to refuse any deliverable required under this contract for failure to sufficiently incorporate the deliverables detailed and contracted for.
All work must be reviewed and accepted by the State Authorized Representative(s) before the Contractor may submit an invoice to the State.
TASK 1 - Develop, Maintain, and Execute the QA/IV&V Plan
The Contractor will develop a QA/IV&V Plan during Project Initiation including a project schedule, as well as maintain and execute the QA/IV&V Plan throughout the duration of the contract. Project Initiation activities that support TASK 1 Deliverables include:
1. Holding an initial introductory meeting with the State Authorized Representative and MMIS Project Managers, and Business Leads to understand the State’s expectations for the QA/IV&V project, status for MMIS Projects (PBM, Care Management, MMIS Core, and Contact Center), review project templates, and discuss any required forms for the QA/IV&V staff (i.e. project document repository access request form).
2. Preparing and submitting a document request to the State Authorized Representative for foundational level project documentation, such as an organizational chart, HSE/MMIS program structure, project contact lists by role (including state and vendor contacts), vendor project schedules (DVHA MMIS Projects), and a schedule of existing standing meetings by project.
3. Obtaining access to the State’s SharePoint sites.
4. Developing a QA/IV&V Plan and Work Plan. The QA/IV&V Plan will include processes for governing the ongoing management of project scope, schedule, cost, quality, resources, risks, issues, and communications, and the Work Plan will include milestones for DDI Vendors’ tasks that are dependencies for completing QA/IV&V deliverables defined in this contract. The QA/IV&V Plan will also detail when and how the DDI Vendors will be engaged in the process.
TASK 1A – High Level QA/IV&V Plan
The Contractor’s High Level QA/IV&V Plan shall include evaluation of the DDI Vendor’s activities, aligned according to PMBOK® phases and the needs of DVHA, and the DVHA Medicaid Project Schedules. The QA/IV&V Plan shall describe the Contractor’s Methodology for delivering QA/IV&V services for the DVHA Medicaid Projects, and will include key SDLC phase focus areas, including the following:
1. Project Governance and Management
2. Requirements Analysis and Management
3. Use Case Development and Application (e.g., Supporting Design, Development, Testing, User)
4. System Design (e.g., Conceptual and Detailed Designs)
5. Development Methodology and Tools The Contractor will:
a. Determine compatibility with the State and that any proprietary tools used by the DDI Vendor do not restrict the future maintainability, portability, and reusability of the system. Ensure methodology is commuinciated, implemented, monitored and complete. If necessary, propose remediation strategy.
b. Verify the DED for each deliverable
c. Evaluate deliverable against the approved DED for completeness
d. Provide Recommendations for improvements and modifications based on industry experience, development methodology and tools best practices, and EPMO standards
e. Verify the prescribed methodology standards as defined in the Plans are executed; and follow strict process guidelines in the development, test and delivery of the new System.
f. Verify all application developed and testing tools are used and best practices are followed for development and testing standards
g. Verify processes and standards support the early identification and remediation of defects in project deliverables
h. Verify approach change methodology, standards and criteria are applied in the development, testing and delivery
i. Verify secure coding tools and methods are used
j. Ensure that DDI Vendors tools do not conflict with, or present compatibility issues for tools or standards, including EPMO standards, for future DVHA initiatives
k. Participate in periodic review and provide recommendations based on industry and DVHA best practices
l. If necessary, identify risks/issues, and recommend remediation strategies.
6. Testing Plan, Methodology and Reports (e.g., System, Integration and User Acceptance Testing)
7. Defects Prevention, Detection and Fixes The Contractor will:
a. Monitor for timely defect resolution with consideration for the DVHA’s thresholds, including the documented testings, SLRs, through various phases of the testing life cycle. The Contractor’s Project Manager, SMEs, and Functional and Technical Leads are the key participants in the project phase participating in the following activities and in the review of the following:
i. Verify the DED for each deliverable
ii. Evaluate deliverable against the approved DED for completeness
iii. Provide Recommendations for improvements and modifications based on industry experience, development methodology and tools best practices, and EPMO standards
iv. Validate the defect management process and procedures to ensure they are effective in managing the identification, triage, resolution, and reporting of defects
v. Determine through discussions with team members whether the processes and procedures are understood and followed across the project team
vi. Monitor UAT defects against the agreed-to threshold and notify DVHA if thresholds are reached or exceeded
vii. If necessary, identify risks/issues, and recommend remediation strategies
8. Integration and Interface Control Plan, Activities and Reports
9. Configuration Management
10. Data Standards, Conversion Planning and Execution
11. Security and Privacy
12. Deployment Planning and Alternatives
a. The Contractor will evaluate the change request process, determine if appropriate processes and tools are in place to manage system changes, including formal logging of change requests and the review, prioritization, timely scheduling of actions and validation of changes were implemented; and if necessary propose remediation strategy. In addition, the Contractor will evaluate implementation plan determine if it is communicated, implemented, monitored and completed in a timely and efficient manner; and if necessary propose remediation strategy. The Contractor will also evaluate operational plans and processes, determine if they are effectively developed, communicated, implemented, monitored and completed; Ensure Help Desk is ready to support; and, if necessary, propose remediation strategy.
b. The Contractor will:
i. Verify the DED for the deliverable
ii. Evaluate the plan against the approved DED for completeness
iii. Provide recommendations for improvements and modifications based on industry experience, change management best practices, and EPMO standards
iv. Ensure that the Plan is updated such that the appropriate change request process is in place for operations
v. Verify there is a separate process for changes versus incidences that need to be remedied under the Software
vi. Warranty Period
vii. If necessary, identify risks/issues, and recommend remediation strategies
c. The Contractor will evaluate readiness to transition to an operational solution in the production environment, determine if the required elements (e.g., people, process, technology) are in place and prepared to support operations; and, if necessary, propose remediation strategy.
13. User Training Plan and Implementation
14. Knowledge Transfer and Transition Planning
15. Hosting Environments
16. Warranty Requirements and Compliance
At the conclusion of each QA/IV&V project, the Contractor will facilitate a transition of all deliverables, artifacts, and information to DVHA staff. The Contractor will share knowledge of all project activities, tasks, and documents readily and openly through the project life cycle, and shall formally transition this information during Project Closing.
The Contractor will ensure that all project data, artifacts, reports, and deliverables are housed in a project repository throughout the course of the project life cycle, which shall be hosted on both TeamCSG℠ and on DVHA infrastructure(State SharePoint). The Contractor will turn over the project repository to DVHA staff upon completion of the QA/IV&V contract. The Contractor will modify Contractor’s standard close out process to meet specific DVHA requirements.
TASK 1B – Comprehensive QA/IV&V Plan
Building upon the High Level QA/IV&V Plan described in TASK 1A, Contractor shall detail the its approach to managing the QA/IV&V services for the MMIS DVHA Projects, applying the standard principles of PMBOK® and IEEE. The Comprehensive QA/IV&V Plan will include processes for governing the ongoing management of project scope, schedule, cost, quality, resources, risks, issues, and communications. Contractor will facilitate a meeting with the State Authorized Representative to review the Comprehensive QA/IV&V Plan DED and solicit any feedback (provided by the DDI Vendor in the DVHA MMIS Projects). Contractor shall incorporate any changes into the DED and submit a final version to the State for approval. The DED will be used as an outline to develop the Comprehensive QA/IV&V Plan. The Contractor will develop a Comprehensive QA/IV&V Plan, which will be submitted to the State Authorized Representative for approval within 10-days of contract execution.
TASK 1C – QA/IV&V Plan Updates
The Contractor will maintain the QA/IV&V Plan as needed, or as required by DVHA, throughout the project life cycle. This is done as a normal course of project execution and is not a payment deliverable.
TASK 1D – Work Plan
Contractor shall revise the preliminary Work Plan it submitted in response to RFP 03410-141-15 to align with the existing DHVA MMIS Projects’ schedules gathered during Task 1 Project Initiation activities (described above). The Work Plan shall include milestones for DDI Vendors’ tasks that are dependencies for completing QA/IV&V deliverables, as well as Contractor resource assignments for completing project tasks and deliverables. The revised Work Plan will be submitted to the State Authorized Representative within 15 days of contract execution. The Contractor will apply the standard principles of the IEEE and PMBOK.
TASK 1E – Work Plan Updates
The Contractor shall update and maintain the Work Plan as needed, throughout the project life cycle. This is done as a normal course of project execution and is not a payment deliverable.
TASK 2 - Perform Initial, Periodic, and Final QA/IV&V Assessments
The QA/IV&V assessments and corresponding reports provide an independent, objective perspective representing a point-in-time snap shot of the health of the DVHA MMIS Projects To complete the Initial,
Periodic, and Final QA/IV&V Assessments, the Contractor will perform independent research; attend project meetings to understand project processes, current activities, and status; and coordinate and facilitate brief interviews with key project stakeholders as needed. The QA/IV&V assessments and corresponding reports will include:
1. Bi-Weekly Status Reports
2. Executive Status Reports
3. Ad Hoc Reports
4. Meeting Minutes (for Contractor-led meetings)
TASK 2A – Initial QA/IV&V Report
The Initial QA/IV&V Report provides a comprehensive initial assessment of the DVHA MMIS Projects and analyzes project management plans, processes, documents, schedules, risks, issues, budgets, and requirements. To conduct the Initial QA/IV&V Assessment, the Contractor uses a Risk Assessment Checklist customized to the DVHA MMIS Projects and analyzes existing PBM project documentation collected from DVHA during Project Initiation. A baseline report shall provide an initial project “health check” for the PBM Project and is submitted within 45 days of contract execution.
Additional Initial QA/IV&V reports will be produced and submitted within 45 days of the commencement of the MMIS Core and Care Management projects. If these projects are launched concurrently, the Contractor may produce a consolidated Initial QA/IV&V report.
TASK 2B – Periodic QA/IV&V Reports
The Contractor will complete the Periodic QA/IV&V Reports on a monthly basis throughout the engagement, submit them to the State Authorized Representative for review and approval by 5:00PM EST on the fifth business day of each new month. These monthly assessments are driven by the DVHA MMIS Projects’ areas of highest risk and tied to software life cycle development milestones. To complete the Periodic QA/IV&V Reports the Contractor leverages the prior Risk Assessment Checklist and defines any specific area(s) of focus with DVHA based on the Projects status, areas of concern, and the SDLC phase. Periodic Reports will contain (per 45 CFR 95.626) project management of both the State and Contractor, technical aspects of the Projects, user involvement, buy-in that the system will support the program business needs, review of past project performance, risk management process. The Contractor will deliver two monthly reports for the PBM, eight Care Management Reports, and 29 MMIS Core Reports (inclusive of the Contact Center project). The reports are integrated into a singular document for the reporting periods in which the Projects overlap.
The Contractor is responsible for the development, delivery and support of all assessments and reports sent to the State and Federal partners, including all status reporting. Contractor shall manage this Contract and report to the State on scope, schedule and budget and resources.
The Contractor’s QA/IV&V Project Manager will:
1. Provide the State with an overview of the proposed framework for evaluation of project performance
2. Ensure the Work Plan accurately reflects the activities and completion dates for the QA/IV&V assessments
3. Collect information from various sources such as interviews, project documentation, participation in
meetings, and other sources
4. Analyze information collected using the agreed upon frameworks and standards to assess performance
5. Draft the QA/IV&V assessment to include recommendations on how to address the highest priority improvement opportunities
6. Deliver the QA/IV&V assessment to the appropriate stakeholders from the State and Federal agencies concurrently
7. Review the QA/IV&V assessment with the State, DDI Vendor and/or other stakeholders and prepare minutes from the meeting
8. Update the assessment to correct mistakes of fact, if needed, and provide a final version of the QA/IV&V assessment to the stakeholders previously identified
The Contractor’s QA/IV&V Functional and Technical Leads will provide input to the Periodic QA/IV&V Reports.
TASK 2C – Final QA/IV&V Report(s)
Contractor shall deliver final QA/IV&V Reports for each DVHA MMIS Project. The final QA/IV&V Reports shall consist of Contractor’s final written assessment that the systems demonstrate Project requirements and meet defined acceptance criteria. The Contractor will conduct the final assessments by gathering inputs and using the Risk Assessment Checklist. The Contractor shall also facilitate Lessons Learned sessions for each DVHA MMIS Project and compile the Lessons Learned information for inclusion in the Final QA/IV&V Reports. The Contractor shall produce individual final reports for the PBM and Care Management systems three months after the systems go-live, and six months after the MMIS Core and Contact Center goes live.
TASK 2D – Meeting Minutes (for meetings facilitated by the IV&V Contractor)
The Contractor shall produce meeting minutes resulting from meetings used to review the QA/IV&V assessment with the State, DDI Vendor, and/or other stakeholders. The Contractor ensures that summaries are complete and accurate and that all decisions, action items, risks, and issues are appropriately noted.
TASK 3 - Perform Ongoing Risk and Issues Management
The Contractor shall identify, capture, and communicate to the State all risks and issues; perform risk analysis to determine importance and whether or not the risk/issue is within the Project’s control; propose mitigation or corrective action plans; and review risk, issues, and corrective actions plans with the State. Contractor shall include its Risks and Issues Report in the Bi-weekly QA/IV&V Status Report, which shall be reviewed with DVHA during the Bi-Weekly Status Meetings. If a Risk/Issue is deemed urgent, Contractor shall immediately notify the State, so that corrective action can be initiated without regard for the schedule of Bi-Weekly Status Meetings.
Risk and Issues Management is comprised of TASKS 3A and 3B.
TASK 3A – Risk and Issues Log (and/or Inputs to the Project Risk and Issues Log)
During Project Initiation, the Contractor will establish an online Risk Assessment Tracking Tool in TeamCSG℠ that provides a platform for risks and issues identified for the DVHA MMIS Projects to be reviewed, triaged, assigned, and tracked. Appropriate State employees, including but not limited to: PMO, Program Manager,
MMIS PM’s, Business Leads, SME’s, Team Leads, and Business Analyst Leads, will have access to the Contractor’s Risk Assessment Tracking Tool. For the DVHA MMIS Projects, the Contractor will identify risks and issues and determine which risks and issues might affect the Project and are either within or outside of the Medicaid Project’s control. The Contractor shall prioritize risks and issues based upon its assessment of the probability and consequence of each risk and issue so that the State may determine which risks the State should focus on based on risks or issues of greatest importance.
TASK 3B – Recommended Risk/Issue Responses (e.g., for risks accept, transfer, mitigate, avoid) and Action Plans
The Contractor will prepare action plans to enhance opportunities or minimize threats to the State Authorized Representative. The Contractor shall communicate risks/issues to the State and monitor the execution of action plans and evaluate their effectiveness, track and review residual risks, and identify any new risks or issues through participation in project meetings, observance of project management activities and processes, and targeted interviews with key project staff as needed.
TASK 4 – Review and Evaluate DDI Vendor Deliverables
The Contractor shall conduct formal, independent, detailed assessments of the DEDs and contract deliverables for each MMIS DDI Vendor to evaluate completeness, to identify any potential risks or issues, and to ensure that each DDI Vendor’s deliverables align with the contractual expectations and meet the needs of DVHA.The Contractor shall review the PBM DEDs and deliverables first. . The Contractor shall also review and evaluate the DEDs and deliverables for the MMIS Core and Contact Center, and for Care Management, as the documents for those Projects are completed by the DDI Vendors. For each DDI Vendor deliverable, the Contractor will first review and make recommendations on the DED provided by the DDI Vendor. In addition, the Contractor will validate the documents, policies, and procedures utilized and created by the DDI Vendor. The Contractor will verify and validate the existence of the deliverables, documents and deficiencies, and propose a plan for how the State and the DDI Vendor can remediate identified deficiencies.
For each DDI Vendor deliverable, the Contractor will conduct a review tailored to the subject matter presented. Since the content and purpose of each DDI Vendor deliverable varies, the type of review will also vary. The DDI Vendor deliverable review process is part of the Quality Management plan for this engagement and will be detailed in the Contractor’s Comprehensive QA/IV&V Plan.
TASK 4B – Review of Deliverable Expectation Documents (DEDs)
The Contractor will review the DDI Vendors’ DEDs to assess adherence to IEEE 1012 standards as applicable. The Contractor will make recommendations for deliverable acceptance criteria to ensure the DEDs and subsequent deliverables are thorough, comprehensive, and meet state and federal requirements.
TASK 4C – Recommendation to Accept/Reject Deliverables with Supporting Comments
The Contractor will review and evaluate the 21 PBM, 32 Care Management, and 37 MMIS and Contact Center DDI Vendors’ Deliverables for correctness, accuracy, completeness, and readability within five (5) business days of submission. Additionally, the Contractor will use the appropriate industry standards and guidelines in the review of the deliverables. In some cases, the standard may have been specified via the contractual
documents, while in other cases it may be a best practice for the specific subject matter. The Contractor will vary its reviews according to the guidance set forth in IEEE 1012 for each phase of the SDLC and to ensure that the deliverables meet the expectations set forth and agreed to in the DED. The Contractor will also lead the deliverable review walkthroughs with the State, as appropriate and document findings and recommendations to either accept or reject the deliverable. The State and the Contractor will have five (5) business days for concurrent review of the deliverables. The State will then meet with the Contractor for the deliverable walkthrough meeting. This meeting will take place within the 4th business day of the concurrent review. If the reviewed deliverable requires changes, the follow up review time will be four (4) business days.
TASK 4D – Report on Status of Actions to Address Deliverable Deficiencies
Should deficiencies be identified during the Deliverable Reviews (TASK 4C), the Contractor will track these deficiencies through resolution. The status of actions to address deliverable deficiencies will be reported in the QA/IV&V Bi-weekly Status Reports (TASK 6A). The Contractor and the State will continuously evaluate
/review the deliverables and any subsequent changes as well as impacts, until each deliverable has been approved. This is done as a normal course of project execution.
TASK 4E – Meeting Minutes
The Contractor will facilitate meetings to review QA/IV&V recommendations on deliverable acceptance and will produce meeting minutes. The Contractor will ensure that summaries are complete and accurate and that all decisions, action items, risks, and issues are appropriately noted. Meeting Minutes will be distributed within two business days of the meeting.
TASK 5 – Support MMIS Certification
TASK 5A – Prepare and Facilitate Certification Training for State Staff
To support federal systems certification, the Contractor will provide Certification training for DVHA staff. In advance of scheduling the training, DVHA will seek guidance from CMS Regional Office 1 to determine if DVHA MMIS Projects will be subject to the Traditional Certification method or the MMIS Gate Review Certification that is currently being piloted with select states. This will be used to determine the training content.
TASK 5B – Evaluation of DDI Outcomes Against CMS Certification Expectations
Throughout the DVHA MMIS Projects’ life cycle, the Contractor will assess the State’s compliance with the CMS Certification including adherence to MITA 3.0, Vermont’s MITA SS-A, and the Seven Conditions and Standards. The Contractor will provide support and oversight to the State and DDI Vendors effort to prepare for the Certification, conduct a mock Certification Review to evaluate certification compliance, and work with the State and DDI Vendor to develop the Vermont-specific Certification checklist requirements. This evaluation is completed 90 days prior to the scheduled CMS Certification Review, to allow time for remediating any identified deficiencies. The Contractor will provide information regarding the impact of Gate Review on the CMS process. The Contractor will inform the State of any impact on scope and cost that may occur.
TASK 5C – CMS Visit Support (before, during, and after)
The Contractor will review the necessary documentation and artifacts to ensure required documentation is submitted to CMS in advance of the scheduled certification review and will participate in the CMS Certification Review process and any meetings requested by DVHA. The Contractor will monitor and track the status of any identified gaps or updates to the review documentation required by CMS pre/during and post meetings with CMS. Contractor shall review the CMS Certification Report and, if needed, prepare a formal response on behalf of Vermont at the direction of the State Authorized Representative. The Contractor will provide information regarding the impact of Gate Review on the CMS Certification process.
TASK 5D – CMS Certification Report Review and Response
Upon receipt of the CMS Certification Review Report, the Contractor shall review the report and provide recommendations to the State Authorized Representative for inclusion in the CMS Certification Review Response Letter.
TASK 6 – Report on Status
The Contractor shall have bi-weekly status meetings with the State to provide an update regarding: (i) the QA/IV&V activities and deliverables in accordance with the Work Plan; (ii) results from the ongoing risk and issue management task (Task 3); and (iii) outstanding actions from the Review and Evaluate Vendor Deliverables task (Task 4).
In advance of each meeting, the Contractor will prepare a written report covering the following information in the format designated by the State:
1. Reporting time period
2. Summary of the current status (e.g., schedule, scope, budget, risks, issues)
3. Major activities and deliverables completed in the last reporting period
4. Major upcoming activities and deliverables for the next reporting period
5. Status of existing risks/issues and identification of new risks/issues
6. Other relevant topics (e.g., scope changes, decisions made)
In addition, the Contractor shall:
i. Provide periodic executive status reports on QA/IV&V reviews and recommendations to stakeholders such as the Executive Committee and Medicaid project teams regarding project status and risk anticipation, prevention and mitigation.
ii. Develop and deliver ad hoc reports regarding the QA/IV&V efforts to stakeholders such as the Executive Committee and Medicaid project teams upon request.
iii. Prepare and distribute minutes from the meetings to discuss the status and other QA/IV&V reports to stakeholders such as the Executive Committee and Medicaid project teams.
TASK 6A – Status Reports
The Contractor will produce and submit Bi-Weekly Status Reports that summarize the QA/IV&V Project plan activities, observations of Project activities, including issues and risks, and any changes in the availability of key IV&V personnel. In addition, the status reports will include a listing of all expected QA/IV&V contract deliverables, expected delivery date, and status. The Contractor will facilitate a status meeting to review the Bi- Weekly Status Reports with the State Authorized Representative and any other designated project staff.
TASK 6B – Executive Status Reports and Ad-hoc Reports
The Contractor will develop a Monthly Executive Status Report that includes a dashboard summary of the DVHA MMIS Project, key risks, an overall summary of Project observations and recommendations from the IV&V team, as well as progress made since the previous review. The Contractor will work with DVHA during Project Initiation to determine the day of the month following the reporting period, to deliver the Executive Status Reports. Additionally, the Contractor will produce periodic Ad Hoc Reports to communicate status and address important Project topics throughout the life of the Project upon written request by the State Authorized Representative.
TASK 6C – Operational Readiness Dashboard
The Contractor will develop and publish an Operational Readiness Dashboard at least 90-days prior to system implementation for the DVHA MMIS Projects that identifies technical and functional tasks used to measure readiness for implementation. The Contractor will collaborate with DVHA MMIS Project Managers to customize the Operational Readiness Checklist to meet project-specific needs. The Contractor will maintain the Dashboard to track completion of Operational Readiness activities and to support DVHA’s implementation decision-making process.
TASK 6D – Meeting Minutes
The Contractor will document Meeting Minutes resulting from bi-weekly status report meetings with DVHA and will ensure that minutes are complete and accurate and that all decisions, action items, risks, and issues are appropriately noted. Contractor shall distribute Meeting Minutes stakeholders such as the Executive Committee and Medicaid Project teams within two business days following the meetings.
TASK ORDERS – Defect Prevention, Detection, and Fixes (Ad Hoc Section)
1. At the request of the State Authorized Representative, the Contractor will provide additional services to State staff that augment and clarify the scope of work described in Tasks 1-6 of this Contract by monitoring DDI Vendors’ activities for timely defect resolution with consideration for the DVHA’s thresholds. This includes, but is not limited to, monitoring the documented testing of SLRs through various phases of the testing life cycle.
2. Task orders shall not be used to change the maximum amount under this Contract. Task orders may require a variance from the maximum amount appropriated for each task if clarifications or augmentations for Tasks 1-6 are deemed necessary by both parties (see below). Both parties recognize that the task order process does not obviate the need for State or federal regulatory review of amendments to the scope, budget, or maximum amount of this agreement.
3. Task orders are intended to clarify and augment Tasks 1 through 6. Clarified and/or additional tasks under the Task Order section of this agreement shall be submitted, in the form of a request for a task order proposal to the Contractor by the State or to the State from the Contractor. Upon review of the proposal, the State and Contractor must complete the Task Order Form (Appendix I). The Contractor
has the right to submit modifications or deny any Task Order submitted by the State. The State can submit modifications or deny proposed Task Order submitted by the Contractor. The final Task Order document shall receive approval by the State, and be signed by the Contractor, the State Authorized Representative, the Office of the Attorney General, and the DVHA Business Office. The Task Order must indicate: scope, source of funds, payment provisions, points of contact, ownership of data and any applicable data use agreement, and project specifics. No task order may increase the maximum amount payable under this contract, substantially deviate from the scope of this contract, or deviate from any term in any part or attachment to or of this contract. The task order process shall not be used in lieu of the amendment process where an amendment is appropriate. Each Task Order must clearly define payment either by rate per hour or deliverable received and approved. Each Task Order must be pre- approved before any work shall begin. The State will not pay for services that are not previously approved in a Task Order by both authorized representatives listed within this section. The State Authorized Representative and the DVHA Business Office have final authority over whether or not a Task Order is initiated under this agreement.
4. Total payments to Contractor for work requested by one or more Task Orders shall not exceed $75,000 for up to 400 hours during the term of this Agreement. Task Orders may be exercised at the discretion of DVHA, across any or all MMIS DDI Projects.
5. A Task Order may assign a Project Manager, who will act as the Authorized State Representative, solely per that task and up to the maximum amount per that task. The Project Manager assigned to a specific Task Order is to sole person to assign work under to the Contractor under that particular Task Order.
6. Changes to a Task Order shall be accomplished by written modification as agreed to by both parties listed below and will be reflected in a new Task Order. The Contractor shall use the Task Order form in Appendix II in order to request a task order.
7. Task Orders must be approved by the parties listed below:
Joseph Liscinsky, MMIS Program Deputy Lead Department of Vermont Health Access
Office of the Vermont Attorney General 109 State Street
Montpelier, VT 05609
8. At the conclusion of a Task Order, the final deliverables/products prepared in accordance with what was agreed upon in the executed Task Order document will be submitted to the State. Acceptance of the deliverables/products by the State shall represent the Contractor’s fulfillment of the project assignment. The State will have sixty days to acknowledge the final deliverables/products or to reject them. Rejection of the final deliverable regarding research projects will not be based on the failure to achieve particular results.
9. Ad-Hoc phone calls and e-mail communications from various State staff will not be paid for under this Contract unless previously approved with a Task Order by the Authorized Representatives of the State.
F. Request for Approval to Subcontract
Per Attachment C, Section 15, under no circumstance shall the Contractor enter into a sub-agreement for any work required under this Contract without prior authorization from the State. Before the Contractor can subcontract any work under this agreement, the Contractor must submit a Request for Approval to Contract form, attached hereto as Appendix I (Required Forms),. to:
MMIS Program Deputy Lead Department of Vermont Health Access 459 Hurricane Lane
Upon receipt of the Request for Approval to Contract form, the State shall review and respond to the request within five (5) business days.
Contractor shall be responsible for directing and supervising each of its subcontractors and any other person performing any of the Work under an agreement with Contractor. Contractor shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing any of the Work under an agreement with Contractor or any subcontractor.
Should the status of any third party or Subcontractor change, the Contractor is responsible for updating the State within fourteen (14) days of said change.
G. State Oversight
The State must approve any permanent or temporary changes to or deletions from the Contractor’s management, supervisory and key professional personnel assigned to this contract. The State reserves the right to terminate the contract if personnel so assigned are changed or modified without such State approval. The number of days spent on-site shall be at the State’s direction and with the State’s approval. Nothing in this Contract creates any employment or principal-agent relationship, nor authorizes the State to direct the Contractor’s termination of, or other adverse action related to, the employment of any individual.
Contractor and State will establish timeline and/or other performance expectations at time of the specific project assignment within each Task Order. The Authorized Representative of the State will assign and prioritize all tasks for all AHS departments outside of DVHA. The State and the Contractor will establish regular reviews of progress as needed, based on the specific assignment. Reviews may be in person, conference call or electronic. Overall contract performance and assignments will be reviewed at least quarterly.
In the event the Contractor’s work towards task(s) is unsatisfactory, the Contractor shall produce a corrective action plan and submit to the State for approval, and the State shall monitor the Contractor to ensure that the work towards tasks is rectified as satisfactory.
H. Professional Liability Insurance Coverage
In addition to the insurance required in Attachment C to this Contract, before commencing work on this Contract and throughout the term of this Contract, the Contractor shall procure and maintain professional liability insurance for any and all services performed under this Contract, with minimum third party coverage of $1,000,000 per claim, and $3,000,000 aggregate.
I. Confidentiality and Non-Disclosure; Security Breach Reporting
1. Confidentiality of Contractor Information. The Contractor acknowledges and agrees that this Contract and any and all Contractor information obtained by the State in connection with this Contract are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. The State will not disclose information for which a reasonable claim of exemption can be made pursuant to 1 V.S.A. § 317(c), including, but not limited to, trade secrets, proprietary information or financial information, including any formulae, plan, pattern, process, tool, mechanism, compound, procedure, production data, or compilation of information which is not patented, which is known only to the Contractor, and which gives the Contractor an opportunity to obtain business advantage over competitors who do not know it or use it.
The State shall immediately notify Contractor of any request made under the Access to Public Records Act, or any request or demand by any court, governmental agency or other person asserting a demand or request for Contractor information. Contractor may, in its discretion, seek an appropriate protective order, or otherwise defend any right it may have to maintain the confidentiality of such information under applicable State law within three business days of the State’s receipt of any such request. Contractor agrees that it will not make any claim against the State if the State makes available to the public any information in accordance with the Access to Public Records Act or in response to a binding order from a court or governmental body or agency compelling its production. Contractor shall indemnify the State for any costs or expenses incurred by the State, including, but not limited to, attorneys’ fees awarded in accordance with 1 V.S.A. § 320, in connection with any action brought in connection with Contractor’s attempts to prevent or unreasonably delay public disclosure of Contractor’s information.
The State agrees that (a) it will use the Contractor information only as may be necessary in the course of performing duties, receiving services or exercising rights under this Contract; (b) it will provide at a minimum the same care to avoid disclosure or unauthorized use of Contractor information as it provides to protect its own similar confidential and proprietary information; (c) except as required by the Access to Records Act, it will not disclose such information orally or in writing to any third party unless that third party is subject to a written confidentiality agreement that contains restrictions and safeguards at least as restrictive as those contained in this Contract; (d) it will take all reasonable precautions to protect the Contractor’s information; and (e) it will not otherwise appropriate such information to its own use or to the use of any other person or entity.
Contractor may affix an appropriate legend to Contractor information that is provided under this Contract to reflect the Contractor’s determination that any such information is a trade secret, proprietary information or financial information at time of delivery or disclosure.
2. Confidentiality of State Information. In performance of this Contract, and any exhibit or schedule hereunder, the Party acknowledges that certain State Data (as defined below), to which the Contractor may have access may contain individual federal tax information, personal protected health information and other individually identifiable information protected by State or federal law. In addition to the provisions of this Section, the Party shall execute the HIPAA Business Associate Agreement attached as Attachment E. Before receiving or controlling State Data, the Contractor will have an information security policy that protects its systems and processes and media that may contain State Data from internal and external security threats and State Data from unauthorized disclosure, and will have provided a copy of such policy to the State. State Data shall not be stored, accessed from, or transferred to any location outside the United States.
Unless otherwise instructed by the State, Contractor agrees to keep confidential all information received and collected by Contractor in connection with this Contract (“State Data”). The Contractor agrees not to publish, reproduce, or otherwise divulge any State Data in whole or in part, in any manner or form or authorize or permit others to do so. Contractor will take reasonable measures as are necessary to restrict access to State Data in the Contractor’s possession to only those employees on its staff who must have the information on a “need to know” basis. The Contractor
shall use State Data only for the purposes of and in accordance with this Contract. The Contractor shall provide at a minimum the same care to avoid disclosure or unauthorized use of State Data as it provides to protect its own similar confidential and proprietary information.
The Contractor shall promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for State Data to which the Contractor or any third party hosting service of the Contractor may have access, so that the State may seek an appropriate protective order.
3. Security of State Information. The Contractor represents and warrants that it has implemented and it shall maintain during the term of this Contract the highest industry standard administrative, technical, and physical safeguards and controls consistent with NIST Special Publication 800-53 (version 3 or higher) and Federal Information Processing Standards Publication 200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect against any anticipated security threats or hazards to the security or integrity of the State Data; and (iii) protect against unauthorized access to or use of State Data. Such measures shall include at a minimum: (1) access controls on information systems, including controls to authenticate and permit access to State Data only to authorized individuals and controls to prevent the Contractor employees from providing State Data to unauthorized individuals who may seek to obtain this information (whether through fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption of electronic State Data while in transit from the Contractor networks to external networks; (4) measures to store in a secure fashion all State Data which shall include multiple levels of authentication; (5) dual control procedures, segregation of duties, and pre-employment criminal background checks for employees with responsibilities for or access to State Data; (6) measures to ensure that the State Data shall not be altered or corrupted without the prior written consent of the State; (7) measures to protect against destruction, loss or damage of State Data due to potential environmental hazards, such as fire and water damage; (8) staff training to implement the information security measures; and (9) monitoring of the security of any portions of the Contractor systems that are used in the provision of the services against intrusion on a twenty-four (24) hour a day basis.
4. Security Breach Reporting. The Contractor acknowledges that in the performance of its obligations under this Contract, it will be a “data collector” pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)). In addition to the requirements set forth in any Business Associate Agreement attached to this Contract as Attachment E, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a “Security Breach”), and in accordance with 9 V.S.A. § 2435(b)(2), the Contractor shall immediately notify appropriate State personnel of such Security Breach.
The Contractor’s report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State.
The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes, HIPAA and/or HITECH) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor’s security obligations or other event requiring notification under applicable law (“Notification Event”), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State.
In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors.
J. Ownership and License in Deliverables
1. Contractor Intellectual Property.
Contractor shall retain all right, title and interest in and to all Contractor Intellectual Property that Contractor delivers to the State in accordance with Attachment A of this Contract. “Contractor Intellectual Property” means any intellectual property, tangible or intangible, that is owned by Contractor and contained in or necessary for the use of the items that Contractor is required to deliver to the State under this Contract, including Work Product (“Deliverables”). Should the State require a license for the use of Contractor Intellectual Property in connection with the development or use of the Deliverables, the Contractor shall grant the State a royalty-free license for such development and use. For the avoidance of doubt, Work Product shall not be deemed to include Contractor Intellectual Property, provided the State shall be granted an irrevocable, perpetual, non-exclusive royalty-free license to any such Contractor Intellectual Property that is incorporated into Work Product.
2. State Intellectual Property; State Intellectual Property; User Name
The State shall retain all right, title and interest in and to (i) all content and all property, data and information furnished by or on behalf of the State or any agency, commission or board thereof, and to all information that is created under this Contract, including, but not limited to, all data that is generated under this Contract as a result of the use by Contractor, the State or any third party of any technology systems or knowledge bases that are developed for the State and used by
Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks, trade names, logos and other State identifiers, Internet uniform resource locators, State user name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this Contract (collectively, “State Intellectual Property”).
Contractor may not use State Intellectual Property for any purpose other than as specified in this Contract. Upon expiration or termination of this Contract, Contractor shall return or destroy all State Intellectual Property and all copies thereof, and Contractor shall have no further right or license to such State Intellectual Property.
Contractor acquires no rights or licenses, including, without limitation, intellectual property rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the Contractor claim any security interest in State Intellectual Property.
3. Work Product
All Work Product shall belong exclusively to the State, with the State having the sole and exclusive right to apply for, obtain, register, hold and renew, in its own name and/or for its own benefit, all patents and copyrights, and all applications and registrations, renewals and continuations thereof and/or any and all other appropriate protection. To the extent exclusive title and/or complete and exclusive ownership rights in and to any Work Product may not originally vest in the State by operation of law or otherwise as contemplated hereunder, Contractor shall immediately upon request, unconditionally and irrevocably assign, transfer and convey to the State all right, title and interest therein.
“Work Product” means any tangible or intangible ideas, inventions, improvements, modifications, discoveries, development, customization, configuration, methodologies or processes, designs, models, drawings, photographs, reports, formulas, algorithms, patterns, devices, compilations, databases, computer programs, work of authorship, specifications, operating instructions, procedures manuals or other documentation, technique, know-how, secret, or intellectual property right whatsoever or any interest therein (whether patentable or not patentable or registerable under copyright or similar statutes or subject to analogous protection), that is specifically made, conceived, discovered or reduced to practice by Contractor, either solely or jointly with others, pursuant to this Contract. Work Product does not include Contractor Intellectual Property or third party intellectual property.
To the extent delivered under this Contract, upon full payment to Contractor in accordance with Attachment B, and subject to the terms and conditions contained herein, Contractor hereby (i) assigns to State all rights in and to all Deliverables, except to the extent they include any Contractor Intellectual Property; and (ii) grants to State a perpetual, non-exclusive, irrevocable, royalty-free license to use for State’s internal business purposes, any Contractor Intellectual Property included in the Deliverables in connection with its use of the Deliverables and, subject to the State’s obligations with respect to Confidential Information, authorize others to do the same on the State’s behalf. Except for the foregoing license grant, Contractor or its licensors retain all rights in and to all Contractor Intellectual Property.
The Contractor shall not sell or copyright a Deliverable without explicit permission from the State.
If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor Intellectual Property or Contractor Intellectual Property developed outside of this Contract with no assistance from State.
K. Access to State Data
Within ten (10) business days of a request by State, the Contractor will make available to State a complete and secure (i.e. encrypted and appropriately authenticated) download file of State Intellectual Property and State Data in a format acceptable to State including all schema and transformation definitions and/or delimited text files with documented, detailed schema definitions along with attachments in their native format. Provided, however, in the event the Contractor ceases conducting business in the normal course, becomes insolvent, makes a general assignment for the benefit of creditors, suffers or permits the appointment of a receiver for its business or assets or avails itself of or becomes subject to any proceeding under the Federal Bankruptcy Act or any statute of any state relating to insolvency or the protection of rights of creditors, the Contractor shall immediately return all State Intellectual Property and State Data to State control; including, but not limited to, making all necessary access to applicable remote systems available to the State for purposes of downloading all State Data.
The Contractor’s policies regarding the retrieval of data upon the termination of services have been made available to the State upon execution of this Contract under separate cover. The Contractor shall provide the State with not less than thirty (30) days advance written notice of any material amendment or modification of such policies.
L. Contractor’s Representations and Warranties
1. General Representations and Warranties. The Contractor represents, warrants and covenants that:
a) The Contractor has all requisite power and authority to execute, deliver and perform its obligations under this Contract and the execution, delivery and performance of this Contract by the Contractor has been duly authorized by the Contractor.
b) There is no outstanding litigation, arbitrated matter or other dispute to which the Contractor is a party which, if decided unfavorably to the Contractor, would reasonably be expected to have a material adverse effect on the Contractor’s ability to fulfill its obligations under this Contract.
c) The Contractor will comply with all laws applicable to its performance of the services and otherwise to the Contractor in connection with its obligations under this Contract.
d) The Contractor owns, or has the right to use under valid and enforceable agreements, all intellectual property rights reasonably necessary for and related to delivery of the services and provision of the deliverables as set forth in this Contract and none of the deliverables or other
materials or technology provided by the Contractor to the State will infringe upon or misappropriate the intellectual property rights of any third party.
e) The Contractor has adequate resources to fulfill its obligations under this Contract.
2. Contractor’s Performance Warranties. Contractor represents and warrants to the State that:
a) All deliverables will be free from material errors and shall perform in accordance with the specifications therefor.
b) Each and all of the services shall be performed in a timely, diligent, professional and workpersonlike manner, in accordance with the highest professional or technical standards applicable to such services, by qualified persons with the technical skills, training and experience to perform such services in the planned environment. At its own expense and without limiting any other rights or remedies of the State hereunder, the Contractor shall re-perform any services that the State has determined to be unsatisfactory in its reasonable discretion, or the Contractor shall refund that portion of the fees attributable to each such deficiency.
c) All Deliverables supplied by the Contractor to the State shall be transferred free and clear of any and all restrictions on the conditions of transfer, modification, licensing, sublicensing and free and clear of any and all lines, claims, mortgages, security interests, liabilities and encumbrances or any kind.
d) Any time software is delivered to the State, whether delivered via electronic media or the internet, no portion of such software or the media upon which it is stored or delivered will have any type of software routine or other element which is designed to facilitate unauthorized access to or intrusion upon; or unrequested disabling or erasure of; or unauthorized interference with the operation of any hardware, software, data or peripheral equipment of or utilized by the State. Notwithstanding the foregoing, Contractor assumes no responsibility for the State’s negligence or failure to protect data from viruses, or any unintended modification, destruction or disclosure.
M. Continuity of Performance.In the event of a dispute between the Contractor and the State, each party will continue to perform its obligations under this Contract during the resolution of such dispute unless and until this Contract is terminated in accordance with its terms.
N. Contractor Default. The Contractor shall be in default under this Contract if Contractor commits any material breach of any covenant, warranty, obligation or certification under this Contract, fails to perform the Services in conformance with the specifications and warranties provided in this Contract, or clearly manifests an intent not to perform future obligations under this Contract, and such breach or default is not cured, or such manifestation of an intent not to perform is not corrected by reasonable written assurances of performance within thirty (30) days after delivery of the State’s notice period, or such longer period as the State may specify in such notice.
O. Remedies for Default.In the event either party is in default under this Contract, the non-defaulting party may, at its option, pursue any or all of the remedies available to it under this Contract, including termination for cause, and at law or in equity.
P. Return of Property. Upon termination of this Contract for any reason whatsoever, Contractor shall immediately deliver to State all State Intellectual Property and State Data (including without limitation any Deliverables for which State has made payment in whole or in part), that are in the possession or under the control of Contractor in whatever stage of development and form of recordation such State property is expressed or embodied at that time.
Q. No Waiver of Remedies.No delay or failure to exercise any right, power or remedy accruing to either party upon breach or default by the other under this Contract shall impair any such right, power or remedy, or shall be construed as a waiver of any such right, power or remedy, nor shall any waiver of a single breach or default be deemed a waiver of any subsequent breach or default. All waivers must be in writing.
R. Limitation of Liability.THE CONTRACTOR SHALL NOT BE LIABLE TO THE STATE FOR ANY INDIRECT OR SPECIAL DAMAGES, DAMAGES WHICH ARE UNFORESEEABLE TO THE PARTIES AT THE TIME OF CONTRACTING, OR DAMAGES WHICH ARE NOT PROXIMATELY CAUSED BY A PARTY, IN CONNECTION WITH OR ARISING OUT OF THE SUBJECT MATTER OF THIS CONTRACT. THIS LIMITATION SHALL NOT APPLY TO STATE CLAIMS ARISING OUT OF (A) CONTRACTOR’S OBLIGATION TO INDEMNIFY THE STATE FOR COPYRIGHT, PATENT OR OTHER INTELLECTUAL PROPERTY INFRINGEMENT; (B) PERSONAL INJURY OR DAMAGE TO REAL OR PERSONAL PROPERTY; OR (C) CONTRACTOR’S GROSS NEGLIGENCE, FRAUD OR INTENTIONAL MISCONDUCT.
S. Modification of Attachment C. Attachment C Section 6 of this Contract is hereby deleted entirely and replaced with the following language:
Independence, Liability: The Contractor will act in an independent capacity and not as officers or employees of the State.
The Party shall defend the State and its officers and employees against all claims or suits arising in whole or in part from any act or omission of the Contractor or of any agent of the Contractor. The State shall notify the Contractor in the event of any such claim or suit, and the Contractor shall immediately retain counsel and otherwise provide a complete defense against the entire claim or suit. The Contractor shall notify its insurance company and the State within 10 days of receiving any claim for damages, notice of claims, pre-claims, or service of judgments or claims, for any act or omissions in the performance of this Contract.
After a final judgment or settlement the Contractor may request recoupment of specific defense costs and may file suit in Washington Superior Court requesting recoupment. The Contractor shall be entitled to recoup costs only upon a showing that such costs were entirely unrelated to the defense of any claim caused by the negligent act or omission, or willful misconduct, of the Contractor.
The Contractor shall indemnify the State and its officers and employees in the event that the State, its officers or employees become legally obligated to pay any damages or losses caused by the negligent act or omission, or willful misconduct, of the Contractor. The Contractor shall have no obligation to indemnify the state, its officers or employees from and against any claims, suits, actions, losses,
damages, liabilities, costs and expenses attributable solely to the acts or omissions of the State, its officers, employees or agents.
STATE OF VERMONT, CONTRACT FOR PERSONAL SERVICES PAGE 25 OF 52 DEPARTMENT OF VERMONT HEALTH ACCESS
CSG GOVERNMENT SOLUTIONS, INC. CONTRACT # 28461
H. Project Timeline
Task 1 - Develop, Maintain and Execute the QA/IV&V Plan
Task 1A - High-Level QA/IV&V Plan
Task 1B - Comprehensive QA/IV&V Plan
Task 1C - QA/IV&V Plan Updates
Task 1D - Work Plan
Task 1E - Work Plan Updates
Task 2 - Perform Initial, Periodic and Final QA/IV&V Assessments
Task 2A - Initial QA/IV&V Report
Task 2B - Periodic QA/IV&V Report - PBM
Task 2B - Periodic QA/IV&V Report - Care Management
Task 2B - Periodic QA/IV&V Report - MMIS and Integrated Contact Center
Task 2C - Final QA/IV&V Report - PBM
Task 2C - Final QA/IV&V Report - Care Management
Task 2C - Final QA/IV&V Report - MMIS and Integrated Contact Center
Task 2D - Meeting Minutes
Task 3 - Perform Ongoing Risk and Issues Management
Task 3A - Risk and Issues Log (and/or Inputs to the Project Risk and Issues Log)
Task 3B - Recommended Risk/Issue Responses (e.g., for risks accept, transfer, mitigate, avoid) and Action
Task 4 - Review and Evaluate DDI Vendor Deliverables
Task 4B - Review of Deliverable Expectation Documents
Task 4C - Recommendation to Accept/Reject Deliverables with Supporting Comments
Task 4D - Report on Status of Actions to Address Deliverable Deficiencies
Task 4E - Meeting Minutes
Task 5 - Support MMIS Certification
Task 5A - Prepare and Facilitate Certification Training for State Staff
Task 5B - Evaluation of DDI Outcomes Against CMS Certification Expectations
Task 5C - CMS Visit Support (Before, During, and After)
Task 5D - CMS Certification Report Review and Response
Task 6 - Report on Status
Task 6A - Status Reports
Task 6B - Executive Status Reports
Task 6B -Ad Hoc Reports
Task 6C - Operational Readiness Dashboard - Care Management
Task 6C - Operational Readiness Dashboard - MMIS and Contact Center
Task 6D - Meeting Minutes
DEPARTMENT OF VERMONT HEALTH ACCESS
MMIS AND INTEGRATED CONTACT CENTER SYSTEM AND SERVICES IV&V PROJECT ORGANIZATIONAL CHART
Key Project Personnel
DVHA Project Manager
Joe Liscinsky Contract Manager
ATTACHMENT B PAYMENT PROVISIONS
The maximum dollar amount payable under this agreement is not intended as any form of a guaranteed amount. The Contractor will be paid for services specified in Attachment A, for services actually performed, up to the maximum allowable amount specified in this agreement. State of Vermont payment terms are Net 30-days from date of invoice, payments against this contract will comply with the State’s payment terms. The payment schedule for delivered products, or rates for services performed, and any additional reimbursements, are included in this attachment. The following provisions specifying payments are:
1. A certificate of insurance must be submitted prior to commencement of work and release of payments.
2. Contractor invoices shall be submitted no more frequently than monthly, but no later than quarterly.Invoices shall be printed on the Contractor’s official letterhead, reference this contract number, include the date of invoice, remit address, the title and name of personnel performing work, the actual number of hours worked during the specified billing period, a detailed description of the work completed, organized by Task and priced per the Rate Chart or Deliverable-Based Payment Schedule below, any other applicable expenses, the total amount billed, and be signed off by an Authorized Representative of the Contractor. The State shall pay the Contractor on a fixed price basis, with payments tied to contractually-defined deliverables in accordance with the Deliverable-Based Schedule below. The State has the right to deny payment of any invoice that does not align with the stipulations listed above within this Section. The State can request that the Contractor amend any invoices that are not consistent with the provisions stated above. In the event that the Contractor must amend an invoice at the request of the State, the Contractor shall adjust the date of the invoice to accurately reflect the resubmittal date. Invoices should be submitted to:
Karen Wingate, Financial Director
Contracts & Grant Administrator Business Office Department of Vermont Health Access
312 Hurricane Lane, Suite 201
Williston, VT 05495
3. No benefits, expenses, or insurance will be reimbursed by the State.
4. Payments for the period of April 1, 2015 to expiring date August 16, 2018, shall not exceed
5. The Contractor shall bill for actual hours worked or deliverables accepted and approved by the State Authorized Representative.
6. Retainage. The State will hold back 10% of each deliverable payment as retainage. Upon completion of all deliverables to the satisfaction of the State, Contractor may submit a quarterly invoice for all retainage withheld during the prior quarter, which will be paid to the Contractor in full, subject to the
terms and conditions of this Contract.
7. Payment Schedule:
TASKS 1 -6 - Deliverable-Based Payments
The Contractor will perform TASKS 1 through 6, as specified in Attachment A of this Contract, on a fixed price basis, with payments tied to contractually-defined deliverables and the State’s finding of satisfactory performance. Enclosed herein is the deliverable-based payment schedule:
Anticipated Due Date
Monthly Invoice #1
Monthly Invoice #2
Monthly Invoice #3
Monthly Invoice #4
Monthly Invoice #5
Monthly Invoice #6
Monthly Invoice #7
Monthly Invoice #8
Monthly Invoice #9
Monthly Invoice #10
Monthly Invoice #11
Monthly Invoice #12
Monthly Invoice #13
Monthly Invoice #14
Monthly Invoice #15
Monthly Invoice #16
Monthly Invoice #17
Monthly Invoice #18
Monthly Invoice #19
Monthly Invoice #20
Monthly Invoice #21
Monthly Invoice #22
Monthly Invoice #23
Monthly Invoice #24
Monthly Invoice #25
Anticipated Due Date
Monthly Invoice #26
Monthly Invoice #27
Monthly Invoice #28
Monthly Invoice #29
Monthly Invoice #30
Monthly Invoice #31
Monthly Invoice #32
Monthly Invoice #33
Monthly Invoice #34
Monthly Invoice #35
Monthly Invoice #36
Monthly Invoice #37
Monthly Invoice #38
Monthly Invoice #39
Monthly Invoice #40
Monthly Invoice #41
Total Cost Summary
Fixed Cost per
Payment Schedule Notes
QA/IV &V Plan Updates
Included in Monthly Invoice 2
Work Plan and Updtates
Included in Monthly Invoice 2
Risk & Issue Log with Reccommended Risk/Issue Responses
Included in Monthly Invoices 1-35
Bi-Weekly Status Reports and Meeting Minutes
Included in Monthly Invoices 1-40
Executive Status Reports and Ad Hoc Reports
Included in Monthly Invoices 1-32
Evaluation of CMS Certification Compliance
Included in Monthly Invoice 36
CMS Visit Support (before, during and after)
Included in Monthly Invoice 38
CMS Certification Report Review and Response
Included in Monthly Invoice 41
MMIS, Medicaid Operation Services and Contact Center
QA/IV &V Reports and Meeting Minutes
Included in Monthly Invoice 2-32
Review of Deliverable Expectations Documents
Included in Monthly Invoice 2-32
Deliverable Reviews and Reports
Included in Monthly Invoice 2-32
Care Management Solution
QA/IV&V Reports and Meeting Minutes
Included in Monthly Invoice 2-11
Review of Deliverable Expectations Documents
Included in Monthly Invoice 2-11
Deliverable Reviews and Reports
Included in Monthly Invoice 2-11
Primary Benefit Management Solution
QA/IV&V Reports and Meeting Minutes
Included in Monthly Invoice 2-5
Review of Deliverable Expectation Documents
Included in Monthly Invoice 2-5
Deliverable Review and Reports
Included in Monthly Invoice 2-5
Defect Prevention, Dectection, and Fixes (Ad Hoc Section)
One or multiple occurences, as requested.
Total aggregate cost not to exceed
Payments shall be remitted to:
CSG Government Solutions, Inc. 180 N. Stetson Avenue, Suite 3200
Chicago, IL 60601
8. The Contractor shall request approval from the State before new personnel can begin work pertaining to this agreement. The State has the right to reject any of the Contractor’s personnel if he or she does not suit the needs of this agreement. The State’s right to reject Contractor personnel hereunder relates solely to the removal of individuals from work on this Contract with the State and does not create any employment or principal-agent relationship. Nothing in this Contract authorizes the State to direct the Contractor’s termination of, or other adverse action related to, the employment of any individual. Requests may be submitted to the DVHA Business Office. The approved personnel are reflected in the Rate Chart below:
QA/IV&V Project Manager
Care Management (Clinical) Expert
Medicaid Business Process Expert
Multiple Vendor Oversight Expert
Privacy & Security Subject Matter Expert
Financial Subject Matter Expert
Pharmacy Subject Matter Expert
* The Account Executive and Project Advisors are provided at no-cost for the duration of the engagement.
ATTACHMENT C: STANDARD STATE PROVISIONS FOR CONTRACTS AND GRANTS
1. Entire Agreement: This Agreement, whether in the form of a Contract, State Funded Grant, or Federally Funded Grant, represents the entire agreement between the parties on the subject matter. All prior agreements, representations, statements, negotiations, and understandings shall have no effect.
2. Applicable Law: This Agreement will be governed by the laws of the State of Vermont.
3. Definitions: For purposes of this Attachment, “Party” shall mean the Contractor, Grantee or Subrecipient, with whom the State of Vermont is executing this Agreement and consistent with the form of the Agreement.
4. Appropriations: If this Agreement extends into more than one fiscal year of the State (July 1 to June 30), and if appropriations are insufficient to support this Agreement, the State may cancel at the end of the fiscal year, or otherwise upon the expiration of existing appropriation authority. In the case that this Agreement is a Grant that is funded in whole or in part by federal funds, and in the event federal funds become unavailable or reduced, the State may suspend or cancel this Grant immediately, and the State shall have no obligation to pay Subrecipient from State revenues.
5. No Employee Benefits For Party: The Party understands that the State will not provide any individual retirement benefits, group life insurance, group health and dental insurance, vacation or sick leave, workers compensation or other benefits or services available to State employees, nor will the state withhold any state or federal taxes except as required under applicable tax laws, which shall be determined in advance of execution of the Agreement. The Party understands that all tax returns required by the Internal Revenue Code and the State of Vermont, including but not limited to income, withholding, sales and use, and rooms and meals, must be filed by the Party, and information as to Agreement income will be provided by the State of Vermont to the Internal Revenue Service and the Vermont Department of Taxes.
6. Independence, Liability: The Party will act in an independent capacity and not as officers or employees of the State.
The Party shall defend the State and its officers and employees against all claims or suits arising in whole or in part from any act or omission of the Party or of any agent of the Party. The State shall notify the Party in the event of any such claim or suit, and the Party shall immediately retain counsel and otherwise provide a complete defense against the entire claim or suit.
After a final judgment or settlement the Party may request recoupment of specific defense costs and may file suit in Washington Superior Court requesting recoupment. The Party shall be entitled to recoup costs only upon a showing that such costs were entirely unrelated to the defense of any claim arising from an act or omission of the Party.
The Party shall indemnify the State and its officers and employees in the event that the State, its officers or employees become legally obligated to pay any damages or losses arising from any act or omission of the Party.
7. Insurance: Before commencing work on this Agreement the Party must provide certificates of insurance to show that the following minimum coverages are in effect. It is the responsibility of the Party to maintain current certificates of insurance on file with the state through the term of the Agreement. No warranty is made that the coverages and limits listed herein are adequate to cover and protect the interests of the Party for the Party’s operations. These are solely minimums that have been established to protect the interests of the State.
Workers Compensation: With respect to all operations performed, the Party shall carry workers’ compensation insurance in accordance with the laws of the State of Vermont.
General Liability and Property Damage: With respect to all operations performed under the contract, the Party shall carry general liability insurance having all major divisions of coverage including, but not limited to:
Premises - Operations
Products and Completed Operations Personal Injury Liability Contractual Liability
The policy shall be on an occurrence form and limits shall not be less than:
Party shall name the State of Vermont and its officers and employees as additional insureds for liability arising out of this Agreement.
Automotive Liability: The Party shall carry automotive liability insurance covering all motor vehicles, including hired and non-owned coverage, used in connection with the Agreement. Limits of coverage shall not be less than: $1,000,000 combined single limit.
Party shall name the State of Vermont and its officers and employees as additional insureds for liability arising out of this Agreement.
Professional Liability: Before commencing work on this Agreement and throughout the term of this Agreement, the Party shall procure and maintain professional liability insurance for any and all services performed under this Agreement, with minimum coverage of $1,000,000. per occurrence,and
8. Reliance by the State on Representations: All payments by the State under this Agreement will be made in reliance upon the accuracy of all prior representations by the Party, including but not limited to bills, invoices, progress reports and other proofs of work.
9. Requirement to Have a Single Audit: In the case that this Agreement is a Grant that is funded in whole or in part by federal funds, the Subrecipient will complete the Subrecipient Annual Report annually within 45 days after its fiscal year end, informing the State of Vermont whether or not a Single Audit is required for the prior fiscal year. If a Single Audit is required, the Subrecipient will submit a copy of the audit report to the granting Party within 9 months. If a single audit is not required, only the Subrecipient Annual Report is required.
For fiscal years ending before December 25, 2015, a Single Audit is required if the subrecipient expends
$500,000 or more in federal assistance during its fiscal year and must be conducted in accordance with OMB Circular A-133. For fiscal years ending on or after December 25, 2015, a Single Audit is required if the subrecipient expends $750,000 or more in federal assistance during its fiscal year and must be conducted in accordance with 2 CFR Chapter I, Chapter II, Part 200, Subpart F. The Subrecipient Annual Report is required to be submitted within 45 days, whether or not a Single Audit is required.
10. Records Available for Audit: The Party shall maintain all records pertaining to performance under this agreement. “Records” means any written or recorded information, regardless of physical form or characteristics, which is produced or acquired by the Party in the performance of this agreement. Records produced or acquired in a machine readable electronic format shall be maintained in that format. The records described shall be made available at reasonable times during the period of the Agreement and for three years thereafter or for any period required by law for inspection by any authorized representatives of the State or Federal Government. If any litigation, claim, or audit is started before the expiration of the three year period, the records shall be retained until all litigation, claims or audit findings involving the records have been resolved.
11. Fair Employment Practices and Americans with Disabilities Act: Party agrees to comply with the requirement of Title 21V.S.A. Chapter 5, Subchapter 6, relating to fair employment practices, to the full extent applicable. Party shall also ensure, to the full extent required by the Americans with Disabilities Act of 1990, as amended, that qualified individuals with disabilities receive equitable access to the services, programs, and activities provided by the Party under this Agreement. Party further agrees to include this provision in all subcontracts.
12. Set Off: The State may set off any sums which the Party owes the State against any sums due the Party under this Agreement; provided, however, that any set off of amounts due the State of Vermont as taxes shall be in accordance with the procedures more specifically provided hereinafter.
13. Taxes Due to the State:
a. Party understands and acknowledges responsibility, if applicable, for compliance with State tax laws, including income tax withholding for employees performing services within the State, payment of use tax on property used within the State, corporate and/or personal income tax on income earned within the State.
b. Party certifies under the pains and penalties of perjury that, as of the date the Agreement is signed, the Party is in good standing with respect to, or in full compliance with, a plan to pay any and all taxes due the State of Vermont.
c. Party understands that final payment under this Agreement may be withheld if the Commissioner of Taxes determines that the Party is not in good standing with respect to or in full compliance with a plan to pay any and all taxes due to the State of Vermont.
d. Party also understands the State may set off taxes (and related penalties, interest and fees) due to the State of Vermont, but only if the Party has failed to make an appeal within the time allowed by law, or an appeal has been taken and finally determined and the Party has no further legal recourse to contest the amounts due.
14. Child Support: (Applicable if the Party is a natural person, not a corporation or partnership.) Party states that, as of the date the Agreement is signed, he/she:
a. is not under any obligation to pay child support; or
b. is under such an obligation and is in good standing with respect to that obligation; or
c. has agreed to a payment plan with the Vermont Office of Child Support Services and is in full compliance with that plan.
Party makes this statement with regard to support owed to any and all children residing in Vermont. In addition, if the Party is a resident of Vermont, Party makes this statement with regard to support owed to any and all children residing in any other state or territory of the United States.
15. Sub-Agreements: Party shall not assign, subcontract or subgrant the performance of this Agreement or any portion thereof to any other Party without the prior written approval of the State. Party also agrees to include in all subcontract or subgrant agreements a tax certification in accordance with paragraph 13 above.
16. No Gifts or Gratuities: Party shall not give title or possession of any thing of substantial value (including property, currency, travel and/or education programs) to any officer or employee of the State during the term of this Agreement.
17. Copies: All written reports prepared under this Agreement will be printed using both sides of the paper.
18. Certification Regarding Debarment: Party certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, neither Party nor Party’s principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in federal programs, or programs supported in whole or in part by federal funds.
19. Certification Regarding Use of State Funds: In the case that Party is an employer and this Agreement is a State Funded Grant in excess of $1,001, Party certifies that none of these State funds will be used to interfere with or restrain the exercise of Party’s employee’s rights with respect to unionization.
20. Internal Controls: In the case that this Agreement is an award that is funded in whole or in part by Federal funds, in accordance with 2 CFR Part II, §200.303, the Party must establish and maintain effective internal control over the Federal award to provide reasonable assurance that the Party is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
21. Mandatory Disclosures: In the case that this Agreement is an award funded in whole or in part by Federal funds, in accordance with 2CFR Part II, §200.113, Party must disclose, in a timely manner, in writing to the State, all violations of Federal criminal law involving fraud, bribery, or gratuity violations potentially affecting the Federal award. Failure to make required disclosures may result in the imposition of sanctions which may include disallowance of costs incurred, withholding of payments, termination of the Agreement, suspension/debarment, etc.
22. Conflict of Interest: Party must disclose in writing any potential conflict of interest in accordance with Uniform Guidance §200.112, Bulletin 5 Section IX and Bulletin 3.5 Section IV.B.
AHS -State of Vermont – Attachment C_3-1-2015_rev
ATTACHMENT E BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into by and between the State of Vermont Agency of Human Services operating by and through its Department of Vermont Heath Access (“Covered Entity”) and CSG Government Solutions, Inc., (“Business Associate”) as of April 1, 2015 (“Effective Date”). This Agreement supplements and is made a part of the Contract to which it is an attachment.
Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 (“Privacy Rule”), and the Security Standards, at 45 CFR Parts 160 and 164 (“Security Rule”), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations.
The parties agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations.
“Agent” means those person(s) who are agents(s) of the Business Associate, in accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c).
“Breach” means the acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164.402.
“Business Associate shall have the meaning given in 45 CFR § 160.103.
“Individual” includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
“Protected Health Information” or PHI shall have the meaning given in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Agency.
“Security Incident” means any known successful or unsuccessful attempt by an authorized or unauthorized individual to inappropriately use, disclose, modify, access, or destroy any information or interference with system operations in an information system.
“Services” includes all work performed by the Business Associate for or on behalf of Covered Entity that requires the use and/or disclosure of protected health information to perform a business associate function described in 45 CFR § 160.103 under the definition of Business Associate.
“Subcontractor” means a person or organization to whom a Business Associate delegates a function, activity or
service, other than in the capacity of a member of the workforce of the Business Associate. For purposes of this Agreement, the term Subcontractor includes Subgrantees.
2. Identification and Disclosure of Privacy and Security Offices.Business Associate and Subcontractors shall provide, within ten (10) days of the execution of this agreement, written notice to the Covered Entity’s contract/grant manager the names and contact information of both the HIPAA Privacy Officer and HIPAA Security Officer. This information must be updated any time either of these contacts changes.
3. Permitted and Required Uses/Disclosures of PHI.
3.1 Except as limited in this Agreement, Business Associate may use or disclose PHI to perform Services, as specified in the underlying grant or contract with Covered Entity. The uses and disclosures of Business Associate are limited to the minimum necessary, to complete the tasks or to provide the services associated with the terms of the underlying agreement. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if used or disclosed by Covered Entity in that manner. Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
3.2 Business Associate may make PHI available to its employees who need access to perform Services provided that Business Associate makes such employees aware of the use and disclosure restrictions in this Agreement and binds them to comply with such restrictions. Business Associate may only disclose PHI for the purposes authorized by this Agreement: (a) to its agents and Subcontractors in accordance with Sections 9 and 17 or, (b) as otherwise permitted by Section 3.
3.3 Business Associate shall be directly liable under HIPAA for impermissible uses and disclosures of the PHI it handles on behalf of Covered Entity, and for impermissible uses and disclosures, by Business Associate’s Subcontractor(s), of the PHI that Business Associate handles on behalf of Covered Entity and that it passes on to Subcontractors.
4. Business Activities. Business Associate may use PHI received in its capacity as a Business Associate to Covered Entity if necessary for Business Associate’s proper management and administration or to carry out its legal responsibilities. Business Associate may disclose PHI received in its capacity as Business Associate to Covered Entity for Business Associate’s proper management and administration or to carry out its legal responsibilities if a disclosure is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement from the person to whom the information is to be disclosed that the PHI shall remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the Agreement requires the person or entity to notify Business Associate, within two (2) business days (who in turn will notify Covered Entity within two (2) business days after receiving notice of a Breach as specified in Section 6.1), in writing of any Breach of Unsecured PHI of which it is aware. Uses and disclosures of PHI for the purposes identified in Section 3 must be of the minimum amount of PHI necessary to accomplish such purposes.
5. Safeguards. Business Associate, its Agent(s) and Subcontractor(s) shall implement and use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect
to any PHI that is maintained in or transmitted by electronic media, Business Associate or its Subcontractor(s) shall comply with 45 CFR sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements). Business Associate or its Agent(s) and Subcontractor(s) shall identify in writing upon request from Covered Entity all of the safeguards that it uses to prevent impermissible uses or disclosures of PHI.
6. Documenting and Reporting Breaches.
6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security.
6.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions.
6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not necessitate notice to the impacted individual(s), it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised. When a breach is the responsibility of a member of its Subcontractor’s workforce, Business Associate shall either 1) conduct its own risk assessment and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment and draft a summary of the event. In either case, Business Associate shall make these assessments and reports available to Covered Entity.
6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days after becomes aware of the Breach.
7. Mitigation and Corrective Action.Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible use or disclosure of PHI, even if the impermissible use or disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible use or disclosure of PHI. If requested by Covered Entity, Business Associate shall make its mitigation and corrective action plans available to Covered Entity. Business Associate
shall require a Subcontractor to agree to these same terms and conditions.
8. Providing Notice of Breaches.
8.1 If Covered Entity determines that an impermissible acquisition, access, use or disclosure of PHI for which one of Business Associate’s employees or agents was responsible constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity, Business Associate shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When requested to provide notice, Business Associate shall consult with Covered Entity about the timeliness, content and method of notice, and shall receive Covered Entity’s approval concerning these elements. The cost of notice and related remedies shall be borne by Business Associate.
8.2 If Covered Entity or Business Associate determines that an impermissible acquisition, access, use or disclosure of PHI by a Subcontractor of Business Associate constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity or Business Associate, Subcontractor shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When Covered Entity requests that Business Associate or its Subcontractor provide notice, Business Associate shall either 1) consult with Covered Entity about the specifics of the notice as set forth in section 8.1, above, or 2) require, by contract, its Subcontractor to consult with Covered Entity about the specifics of the notice as set forth in section 8.1
8.3 The notice to affected individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Business Associate reported the Breach to Covered Entity.
8.4 The notice to affected individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHI that were involved in the Breach, 3) any steps individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to individuals and to protect against further Breaches, and 5) contact procedures for individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c).
8.5 Business Associate shall notify individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following the requirements set forth in 45 CFR § 164.406.
9. Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in which the Subcontractor agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. Business Associate must enter into this Business Associate Agreement before any use by or disclosure of PHI to such agent. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of PHI. Business Associate
shall provide a copy of the Business Associate Agreement it enters into with a subcontractor to Covered Entity upon request. Business associate may not make any disclosure of PHI to any Subcontractor without prior written consent of Covered Entity.