
Vermont DOC Contract Summary With Centurion 2020

This text is machine-read, and may contain errors. Check the original document to verify accuracy.
Note: All sections must be completed. Incomplete forms will be returned to the originating department.

I. CONTRACT INFORMATION:
Agency/Department: AHS/ Department of Corrections
Contract #: 29960 Amendment #: 3
Vendor Name: Centurion of Vermont, LLC
VISION Vendor No: 339936
Vendor Address: 1539 Spring Hill Road, Suite 600, Vienna, VA 22182
Starting Date: 09/15/15
Ending Date: 6/30/2020
Amendment Date: 1/30/2020
Summary of agreement or amendment: Amendment to extend term and funding to align with Health Services Contract.
II. FINANCIAL & ACCOUNTING INFORMATION
Maximum Payable: $1,410,538.60
Prior Maximum: $1,345,145.09
Prior Contract # (If Renewal):
Current Amendment: $65,393.51
Cumulative amendments: $386,075.60
% Cumulative Change: 37.72
Business Unit: 3520 - notes:
VISION Accounts: 507500
Estimated Funding Split: 00.01 % GF, ___ % SF, ___ % EF, ___ % Other (name), ___ % TF, ___ % GC, ___ % FF

III. PROCUREMENT & PERFORMANCE INFORMATION
A. Identify applicable procurement process utilized.
[x] Standard Bid/RFP  [ ] Simplified  [ ] Sole Source (See B.)  [ ] Qualification Based Selection  [ ] Statutory
B. If Sole Source Contract, contract form includes self-certification language? [ ] Yes [x] N/A
C. Contract includes performance measures/guarantees to ensure the quality and/or results of the service? [x] Yes [ ] No

IV. TYPE OF AGREEMENT (select all that apply)
[ ] Personal Service  [x] Non-Personal Service
[ ] Construction  [ ] Arch/Eng.  [ ] Marketing  [x] Info.Tech.  [x] Prof.Service
Commodity, Retiree/Former SOV EE, Financial Trans, Zero-Dollar, Privatization, Other

V. SUITABILITY FOR CONTRACT FOR SERVICE
[x] Yes [ ] No [ ] n/a Does this contract meet the determination of an Independent Contractor? If "NO", the contractor
must be set up and paid on payroll through the VTHR system.

VI. CONTRACTING PLAN APPLICABLE
[ ] Yes [x] No Is any element of this contract subject to a pre-approved Agency/Dept. Contracting Waiver Plan?

VII. CONFLICT OF INTEREST
By signing below, I (Agency/Dept. Head) certify that no person able to control or influence award of this contract had a pecuniary interest in its award or
performance, either personally or through a member of his or her household, family, or business.
[ ] Yes [x] No Is there an "appearance" of a conflict of interest so that a reasonable person may conclude that this party was
selected for improper reasons: (If yes, explain)

VIII. PRIOR APPROVALS REQUIRED OR REQUESTED
Yes / No  Agreement must be Certified by the Attorney General under 3 V.S.A. § 342 (sign line #4 below)
Yes / No  Attorney General review As To Form is required ($25,000 and above) or otherwise requested: _ _ (AAG initial)
Yes / No  Agreement must be approved by the Secretary of ADS/CIO
Yes / No  Agreement must be approved by the CMO: for Marketing services over $25,000
Yes / No  Agreement must be approved by Comm. Human Resources: for Privatization, Retirees, Former Employees, & if a Contract fails the IRS test.
Yes / No  Agreement must be approved by the Secretary of Administration

as to the accuracy of the above information (sign in order).

E-SIGNED by DIANE NEALY on 2020-01-31 18:31:27 GMT

b-CMO

3c-Date

3c-Commissioner DHR

E-SIGNED by Brad Ferland

S-Date

E-SIGNED by PAT TEAM on 2020-02-03 13:42:04 GMT

E-SIGNED by Candace Elmquist on 2020-02-06 17:31:29 GMT

State of Vermont
Agency of Digital Services
133 State Street, 5th Floor
Montpelier, VT 05633-0210
[phone] 802-828-4141

MEMO
Date: 01/31/2020
To: John Quinn - CIO
VIA: Jon Provost
From: ADS Procurement Advisory Team (PAT)
Subject: CIO approval of contract amendment 29960_3 between the Department of Corrections
and Centurion of Vermont.
The Agency of Digital Services (ADS) PAT team contract amendment 29960_3 between the
Department of Corrections and Centurion of Vermont at our 01/23/2020 meeting.
Centurion provides the Department of Corrections thru this contract with an Electronic Health
Records system.
This amendment extends the term of the contract until June 30, 2020. The extension is intended
to align the Electronic Health Records contract with the dates of the contract that provides the
actual Health Services to inmates in the Vermont Correctional System.

It increases the total maximum payable by $65,393.51 for a new maximum payable of
$1,410,538.60.
The PAT team recommends CIO approval of this contract amendment.



Project Name: Centurian 29960 3
Agency/Dept.: AHS DOC

ADS Reviewer Summary & Sign-off
Memo

Ok to Proceed to with project from

Reviewer
IT Contracting Specialist
Enterprise Architecture
Deputy CISO
Chief Data Officer
IT Leader
Chief Technology Officer
Deputy Secretary
CIO

Reviewer Name

Date Received

Date Review Completed

Reviewer's perspective?

Jon Provost
John Hunt
Scott Carbee

Mark Combs
Shawn Nailor
John Quinn

Date e-signed approval :

RFP
Reviewer Name
IT Contracting Specialist
EPMO/OPM
Enterprise Architecture
Deputy CISO
Chief Data Officer
IT Leader
Risk Management
CTO
Deputy Secretary
CIO

Date Received

Date Review Completed

Ok to Post RFP from Reviewer's
perspective?

Jon Provost
John Hunt
Scott Carbee

Rebecca White
Mark Combs
Shawn Nailor
John Quinn

Date e-signed approval:

Contract or Amendment
Reviewer Name
IT Contracting Specialist
EPMO/OPM
Enterprise Architecture
Deputy CISO
Chief Data Officer
IT Leader
Risk Management
CTO
Deputy Secretary
CIO

Date Received

Date Review Completed

Ok to Sign Contract from Reviewer's
perspective?

Jon Provost

1/21/2020
1/21/2020

1/23/2020

Yes

John Hunt

1/21/2020

1/23/2020

Yes

Scott Carbee

1/21/2020
1/21/2020

1/22/2020

Yes

Darin Prail

1/21/2020

1/23/2020

Yes

Rebecca White

1/21/2020

Mark Combs

1/21/2020
1/21/2020

1/23/2020

Yes

Shawn Nailor
John Quinn

1/21/2020

Date e-signed approval:

VERMONT

State of Vermont
Department of Corrections
NOB 2 South, 280 State Drive
Waterbury, VT 05671-2000
doc.vermont.gov

Agency of Human Services
[phone] 802-241-2442
[phone] 802-241-0000
[fax] 802-241-0020

E-SIGNED by Bradley Ferland on 2020-01-14 13:54:07 GMT
E-SIGNED by Candace Elmquist on 2020-01-13 20:01:36 GMT
E-SIGNED by Dawn O'Toole on 2020-01-08 18:20:29 GMT
E-SIGNED by Diane Nealy on 2020-01-08 16:32:31 GMT

Memorandum
To: Susanne Young, Secretary of Administration
Thru: Mike Smith, Secretary, Agency of Human Services
From: Jim Baker, Interim Commissioner, Department of Corrections
Date: January 8, 2020
RE: Bulletin 3.5 Term Waiver Request, Centurion of Vermont LLC, Contract #29960

The Vermont Department of Corrections (DOC) is seeking to extend the term of the current
contract for the Electronic Health Record services with our Contractor, Centurion of Vermont,
LLC. In addition to aligning this contract with the time extension of the contract with Centurion
of Vermont for Inmate Health Services, the term waiver extension will allow DOC to more
thoroughly review and score the Request for Proposal (RFP) responses and ensure that there is
sufficient time for the following processes prior to the current contract's expiration: vendor
selection, contract negotiation, contract development, contract routing, and final execution of the
future contract. We are confident that these items can all be addressed during this 5-month
contract extension and will result with a selection that meets the needs of the DOC and all
stakeholders.
Current Contract Term: 10/22/2015 through 01/31/2020, and the approval of this request would
allow us to extend the term by 5 months (through June 30, 2020).


Contract #29960 AM #3
STATE OF VERMONT

CONTRACT AMENDMENT
It is hereby agreed by and between the State of Vermont, Department of Corrections (the "State")
and Centurion of Vermont, with a principal place of business in 1539 Spring Hill Road, Suite
600, Vienna, VA 22182 (the "Contractor") that the contract between them originally dated as of
October 22, 2015, Contract #29960, as amended to date, (the "Contract") is hereby amended as
follows:

I. Maximum Amount. The maximum amount payable under the Contract, wherever such
reference appears in the Contract, shall be changed from $1,345,145.09 to $1,410,538.60
representing an increase of $65,393.51.

II. Contract Term. The Contract end date, wherever such reference appears in the
Contract, shall be changed from January 31, 2020 to June 30, 2020.

III. Attachment E, Standard State Provisions for Contracts and Grants. Attachment E is
hereby deleted in its entirety and replaced by the Attachment E (5/21/19) attached to this
Amendment.

Taxes Due to the State. Contractor certifies under the pains and penalties of perjury that, as of
the date this contract amendment is signed, the Contractor is in good standing with respect to, or
in full compliance with a plan to pay, any and all taxes due the State of Vermont.

Child Support (Applicable to natural persons only; not applicable to corporations, partnerships or
LLCs). Contractor is under no obligation to pay child support or is in good standing with respect
to or in full compliance with a plan to pay any and all child support payable under a support
order as of the date of this amendment.

Certification Regarding Suspension or Debarment. Contractor certifies under the pains and
penalties of perjury that, as of the date this contract amendment is signed, neither Contractor nor
Contractor's principals (officers, directors, owners, or partners) are presently debarred,
suspended, proposed for debarment, declared ineligible or excluded from participation in federal
programs, or programs supported in whole or in part by federal funds.
Contractor further certifies under pains and penalties of perjury that, as of the date this contract
amendment is signed, Contractor is not presently debarred, suspended, nor named on the State's
debarment list at: http://bgs.vermont.gov/purchasing-contracting/debarment

SOV Cybersecurity Standard 19-01. All products and service provided to or for the use of the
State under this Contract shall be in compliance with State of Vermont Cybersecurity Standard
19-01, which Contractor acknowledges has been provided to it, and is available on-line at the
following URL: http://digitalservices.vermont.gov/cybersecurity/cybersecurity-standards-and-directives


This document consists of 8 pages. Except as modified by this Amendment No. three (3) all
provisions of the Contract remain in full force and effect.
The effective date of this amendment is: 01/30/2020.
The signatures of the undersigned indicate that each has read and agrees to be bound by this
Amendment to the Contract.

STATE OF VERMONT
By: ---------
Name: Judy Henkin
Title: Deputy Commissioner of Corrections
Date: ---------

Name: [illegible]
Title: [illegible]
Date: [illegible]

ATTACHMENT E
BUSINESS ASSOCIATE AGREEMENT

SOV CONTRACTOR/GRANTEE/BUSINESS ASSOCIATE:
CENTURION OF VERMONT, LLC
SOV CONTRACT NO.: 29960

CONTRACT EFFECTIVE DATE: 9/15/15

This Business Associate Agreement ("Agreement") is entered into by and between the State of Vermont Agency of
Human Services, operating by and through its Department of Corrections ("Covered Entity") and Party identified
in this Agreement as Contractor or Grantee above ("Business Associate"). This Agreement supplements and is made
a part of the contract or grant ("Contract or Grant") to which it is attached.
Covered Entity and Business Associate enter into this Agreement to comply with the standards promulgated under
the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Standards for the Privacy
of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 ("Privacy Rule"), and the Security
Standards, at 45 CFR Parts 160 and 164 ("Security Rule"), as amended by Subtitle D of the Health Information
Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations.

The parties agree as follows:

1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set
forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations. Terms
defined in this Agreement are italicized. Unless otherwise specified, when used in this Agreement, defined terms
used in the singular shall be understood if appropriate in their context to include the plural when applicable.

"Agent" means an Individual acting within the scope of the agency of the Business Associate, in accordance with the
Federal common law of agency, as referenced in 45 CFR § 160.402(c) and includes Workforce members and
Subcontractors.
"Breach" means the acquisition, Access, Use or Disclosure of Protected Health Information (PHI) which
compromises the Security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR §
164.402.
"Business Associate" shall have the meaning given for "Business Associate" in 45 CFR § 160.103 and means
Contractor or Grantee and includes its Workforce, Agents and Subcontractors.
"Electronic PHI" shall mean PHI created, received, maintained or transmitted electronically in accordance with 45
CFR § 160.103.
"Individual" includes a Person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
"Protected Health Information" ("PHI") shall have the meaning given in 45 CFR § 160.103, limited to the PHI
created or received by Business Associate from or on behalf of Covered Entity.
"Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI and
that is enforceable in a court of law and shall have the meaning given in 45 CFR § 164.103.
"Report" means submissions required by this Agreement as provided in section 2.3.
"Security Incident" means the attempted or successful unauthorized Access, Use, Disclosure, modification, or
destruction of Information or interference with system operations in an Information System relating to PHI in
accordance with 45 CFR § 164.304.

"Services" includes all work performed by the Business Associate for or on behalf of Covered Entity that requires
the Use and/or Disclosure of PHI to perform a Business Associate function described in 45 CFR § 160.103.
"Subcontractor" means a Person to whom Business Associate delegates a function, activity, or service, other than in
the capacity of a member of the workforce of such Business Associate.
"Successful Security Incident" shall mean a Security Incident that results in the unauthorized Access, Use,
Disclosure, modification, or destruction of information or interference with system operations in an Information
System.
"Unsuccessful Security Incident" shall mean a Security Incident, such as routine occurrences that do not result in
unauthorized Access, Use, Disclosure, modification, or destruction of information or interference with system
operations in an Information System, such as: (i) unsuccessful attempts to penetrate computer networks or services
maintained by Business Associate; and (ii) immaterial incidents such as pings and other broadcast attacks on
Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of
the above with respect to Business Associate's Information System.
"Targeted Unsuccessful Security Incident" means an Unsuccessful Security Incident that appears to be an attempt to
obtain unauthorized Access, Use, Disclosure, modification or destruction of the Covered Entity's Electronic PHI.

2. Contact Information for Privacy and Security Officers and Reports.

2.1 Business Associate shall provide, within ten (10) days of the execution of this Agreement, written
notice to the Contract or Grant manager the names and contact information of both the HIPAA Privacy
Officer and HIPAA Security Officer of the Business Associate. This information must be updated by
Business Associate any time these contacts change.

2.2 Covered Entity's HIPAA Privacy Officer and HIPAA Security Officer contact information is
posted at: http://humanservices.vermont.gov/policy-legislation/hipaa/hipaa-info-beneficiaries/ahs-hipaa-contacts/

2.3 Business Associate shall submit all Reports required by this Agreement to the following email
address: AHS.PrivacyAndSecurity@vermont.gov

3. Permitted and Required Uses/Disclosures of PHI.

3.1 Subject to the terms in this Agreement, Business Associate may Use or Disclose PHI to perform
Services, as specified in the Contract or Grant. Such Uses and Disclosures are limited to the minimum
necessary to provide the Services. Business Associate shall not Use or Disclose PHI in any manner that
would constitute a violation of the Privacy Rule if Used or Disclosed by Covered Entity in that manner.
Business Associate may not Use or Disclose PHI other than as permitted or required by this Agreement or
as Required by Law and only in compliance with applicable laws and regulations.

3.2 Business Associate may make PHI available to its Workforce, Agent and subcontractor who need
Access to perform Services as permitted by this Agreement, provided that Business Associate makes them
aware of the Use and Disclosure restrictions in this Agreement and binds them to comply with such
restrictions.

3.3 Business Associate shall be directly liable under HIPAA for impermissible Uses and Disclosures
of PHI.

4. Business Activities. Business Associate may Use PHI if necessary for Business Associate's proper
management and administration or to carry out its legal responsibilities. Business Associate may Disclose PHI for
Business Associate's proper management and administration or to carry out its legal responsibilities if a Disclosure
is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement from the
Person to whom the information is to be Disclosed that such PHI shall remain confidential and be Used or further
Disclosed only as Required by Law or for the purpose for which it was Disclosed to the Person, and the Agreement
requires the Person to notify Business Associate, within five (5) business days, in writing of any Breach of
Unsecured PHI of which it is aware. Such Uses and Disclosures of PHI must be of the minimum amount necessary
to accomplish such purposes.

5. Electronic PHI Security Rule Obligations.

5.1 With respect to Electronic PHI, Business Associate shall:

a) Implement and use Administrative, Physical, and Technical Safeguards in compliance with 45 CFR
sections 164.308, 164.310, and 164.312;

b) Identify in writing upon request from Covered Entity all the safeguards that it uses to protect such
Electronic PHI;

c) Prior to any Use or Disclosure of Electronic PHI by an Agent or Subcontractor, ensure that any Agent or
Subcontractor to whom it provides Electronic PHI agrees in writing to implement and use Administrative,
Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity
and Availability of Electronic PHI. The written agreement must identify Covered Entity as a direct and
intended third party beneficiary with the right to enforce any breach of the agreement concerning the Use or
Disclosure of Electronic PHI, and be provided to Covered Entity upon request;

d) Report in writing to Covered Entity any Successful Security Incident or Targeted Security Incident as
soon as it becomes aware of such incident and in no event later than five (5) business days after such
awareness. Such report shall be timely made notwithstanding the fact that little information may be known
at the time of the report and need only include such information then available;

e) Following such report, provide Covered Entity with the information necessary for Covered Entity to
investigate any such incident; and

f) Continue to provide to Covered Entity information concerning the incident as it becomes available to it.

5.2 Reporting Unsuccessful Security Incidents. Business Associate shall provide Covered Entity upon
written request a Report that: (a) identifies the categories of Unsuccessful Security Incidents; (b) indicates
whether Business Associate believes its current defensive security measures are adequate to address all
Unsuccessful Security Incidents, given the scope and nature of such attempts; and (c) if the security
measures are not adequate, the measures Business Associate will implement to address the security
inadequacies.

5.3 Business Associate shall comply with any reasonable policies and procedures Covered Entity
implements to obtain compliance under the Security Rule.
6. Reporting and Documenting Breaches.

6.1 Business Associate shall Report to Covered Entity any Breach of Unsecured PHI as soon as it, or
any Person to whom PHI is disclosed under this Agreement, becomes aware of any such Breach, and in no
event later than five (5) business days after such awareness, except when a law enforcement official
determines that a notification would impede a criminal investigation or cause damage to national security.
Such Report shall be timely made notwithstanding the fact that little information may be known at the time
of the Report and need only include such information then available.

6.2 Following the Report described in 6.1, Business Associate shall conduct a risk assessment and
provide it to Covered Entity with a summary of the event. Business Associate shall provide Covered Entity
with the names of any Individual whose Unsecured PHI has been, or is reasonably believed to have been,
the subject of the Breach and any other available information that is required to be given to the affected
Individual, as set forth in 45 CFR § 164.404(c). Upon request by Covered Entity, Business Associate shall
provide information necessary for Covered Entity to investigate the impermissible Use or Disclosure.
Business Associate shall continue to provide to Covered Entity information concerning the Breach as it
becomes available.

6.3 When Business Associate determines that an impermissible acquisition, Access, Use or Disclosure
of PHI for which it is responsible is not a Breach, and therefore does not necessitate notice to the impacted
Individual, it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). Business
Associate shall make its risk assessment available to Covered Entity upon request. It shall include 1) the
name of the person making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the
reasons supporting the determination of low probability that the PHI had been compromised.

7. Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable, any
harmful effect that is known to it of an impermissible Use or Disclosure of PHI, even if the impermissible Use or
Disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to
address any incident of impermissible Use or Disclosure of PHI. Business Associate shall make its mitigation and
corrective action plans available to Covered Entity upon request.
8. Providing Notice of Breaches.

8.1 If Covered Entity determines that a Breach of PHI for which Business Associate was responsible,
and if requested by Covered Entity, Business Associate shall provide notice to the Individual whose PHI
has been the subject of the Breach. When so requested, Business Associate shall consult with Covered
Entity about the timeliness, content and method of notice, and shall receive Covered Entity's approval
concerning these elements. Business Associate shall be responsible for the cost of notice and related
remedies.

8.2 The notice to affected Individuals shall be provided as soon as reasonably possible and in no case
later than 60 calendar days after Business Associate reported the Breach to Covered Entity.

8.3 The notice to affected Individuals shall be written in plain language and shall include, to the extent
possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHI that were
involved in the Breach, 3) any steps Individuals can take to protect themselves from potential harm
resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the
Breach to mitigate harm to Individuals and to protect against further Breaches, and 5) contact procedures
for Individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c).

8.4 Business Associate shall notify Individuals of Breaches as specified in 45 CFR § 164.404(d)
(methods of Individual notice). In addition, when a Breach involves more than 500 residents of Vermont,
Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont,
following the requirements set forth in 45 CFR § 164.406.

9. Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement
with any Subcontractor to whom it provides PHI to require compliance with HIPAA and to ensure Business
Associate and Subcontractor comply with the terms and conditions of this Agreement. Business Associate must
enter into such written agreement before any Use by or Disclosure of PHI to such Subcontractor. The written
agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any
breach of the agreement concerning the Use or Disclosure of PHI. Business Associate shall provide a copy of the
written agreement it enters into with a Subcontractor to Covered Entity upon request. Business Associate may not
make any Disclosure of PHI to any Subcontractor without prior written consent of Covered Entity.

10. Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered
Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Business
Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within five
(5) business days, Business Associate shall forward to Covered Entity for handling any request for Access to PHI
that Business Associate directly receives from an Individual.


11. Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set
that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or
an Individual. Business Associate shall make such amendments in the time and manner reasonably designated by
Covered Entity. Within five (5) business days, Business Associate shall forward to Covered Entity for handling any
request for amendment to PHI that Business Associate directly receives from an Individual.

12. Accounting of Disclosures. Business Associate shall document Disclosures of PHI and all information
related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an
accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall provide such
information to Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond
to an accounting request. Business Associate shall provide such information in the time and manner reasonably
designated by Covered Entity. Within five (5) business days, Business Associate shall forward to Covered Entity for
handling any accounting request that Business Associate directly receives from an Individual.

13. Books and Records. Subject to the attorney-client and other applicable legal privileges, Business
Associate shall make its internal practices, books, and records (including policies and procedures and PHI) relating
to the Use and Disclosure of PHI available to the Secretary of Health and Human Services (HHS) in the time and
manner designated by the Secretary. Business Associate shall make the same information available to Covered
Entity, upon Covered Entity's request, in the time and manner reasonably designated by Covered Entity so that
Covered Entity may determine whether Business Associate is in compliance with this Agreement.

14. Termination.

14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by
Covered Entity or until all the PHI is destroyed or returned to Covered Entity subject to Section 18.8.

14.2 If Business Associate fails to comply with any material term of this Agreement, Covered Entity
may provide an opportunity for Business Associate to cure. If Business Associate does not cure within the
time specified by Covered Entity or if Covered Entity believes that cure is not reasonably possible, Covered
Entity may immediately terminate the Contract or Grant without incurring liability or penalty for such
termination. If neither termination nor cure are feasible, Covered Entity shall report the breach to the
Secretary of HHS. Covered Entity has the right to seek to cure such failure by Business Associate.
Regardless of whether Covered Entity cures, it retains any right or remedy available at law, in equity, or
under the Contract or Grant and Business Associate retains its responsibility for such failure.

15. Return/Destruction of PHI.
15.1 Business Associate in connection with the expiration or termination of the Contract or Grant shall
return or destroy, at the discretion of the Covered Entity, PHI that Business Associate still maintains in any
form or medium (including electronic) within thirty (30) days after such expiration or termination. Business
Associate shall not retain any copies of PHI. Business Associate shall certify in writing and report to
Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate does not
continue to maintain any PHI. Business Associate is to provide this certification during this thirty (30) day
period.
15.2 Business Associate shall report to Covered Entity any conditions that Business Associate believes
make the return or destruction of PHI infeasible. Business Associate shall extend the protections of this
Agreement to such PHI and limit further Uses and Disclosures to those purposes that make the return or
destruction infeasible for so long as Business Associate maintains such PHI.
16. Penalties. Business Associate understands that: (a) there may be civil or criminal penalties for misuse or
misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law
enforcement officials and regulatory, accreditation, and licensure organizations.

17. Training. Business Associate understands its obligation to comply with the law and shall provide
appropriate training and education to ensure compliance with this Agreement. If requested by Covered Entity,


Business Associate shall participate in Covered Entity's training regarding the Use, Confidentiality, and Security of
PHI; however, participation in such training shall not supplant nor relieve Business Associate of its obligations
under this Agreement to independently assure compliance with the law and this Agreement.
18. Miscellaneous.
18.1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of
the Contract or Grant, the terms of this Agreement shall govern with respect to its subject matter.
Otherwise, the terms of the Contract or Grant continue in effect.
18.2 Each party shall cooperate with the other party to amend this Agreement from time to time as is
necessary for such party to comply with the Privacy Rule, the Security Rule, or any other standards
promulgated under HIPAA. This Agreement may not be amended, except by a writing signed by all parties
hereto.
18.3 Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the
Privacy Rule, Security Rule, or any other standards promulgated under HIPAA.
18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g.,
HIPAA, the Privacy Rule, Security Rule, and HITECH) in construing the meaning and effect of this
Agreement.
18.5 Business Associate shall not have or claim any ownership of PHI.

18.6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all
PHI even if some of that information relates to specific services for which Business Associate may not be a
"Business Associate" of Covered Entity under the Privacy Rule.
18.7 Business Associate is prohibited from directly or indirectly receiving any remuneration in
exchange for an Individual's PHI. Business Associate will refrain from marketing activities that would
violate HIPAA including specifically Section 13406 of the HITECH Act. Reports or data containing PHI
may not be sold without Covered Entity's or the affected Individual's written consent.
18.8 The provisions of this Agreement that by their terms encompass continuing rights or
responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the
provisions of this Agreement shall continue to apply if Covered Entity determines that it would be
infeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation
of Business Associate to provide an accounting of disclosures as set forth in Section 12 survives the
expiration or termination of this Agreement with respect to accounting requests, if any, made after such
expiration or termination.
Rev. 05/21/2019