"'IA l J<.. UJ< V1'.,.KlVIU1'11 LU1'11KAL1 ~UlVllVlAKl Al'llJ Ll'.,Kl1J<1LA11Ul'I - - - - - - - - - - - rorm AA-l'J U.L/1:."!/.LUl I )
Note: All sections must be completed. Incomplete forms will be returned to the orie:inatinl! department.

I.

CONTRACT INFORMATION:
Agency/Department: AHS/Department of Corrections
Contract #: 22960 Amendment#: 2
Vendor Name:
Centurion ofVennont, LLC
VISION Vendor No: 339936
Vendor Address:
1539 Spring Hill Road, Suite 600, Vienna, VA 22182
9/15/2015
1/30/2020
Starting Date:
Amendment Date: 1/31/2019
Ending Date:
Summary of agreement or amendment: To extend tenn and increase fonding respecitvely.

IL FINANCIAL & ACCOUNTING INFORMATION
Maximum Payable:

Prior Maximum:

$1,345,145.09

Current Amendment: $150,720.89
Business Unit(s : 3520;
Estimated
~
%GF
%TF
Funding Split:

m.
A.

;

]

- [notes:
B

31.33

% Cumulative Change:

Cumulative amendments: $ 320,682.09

VISION Account(s): 507500;
8

%SF
%GC

C J % Other
(name)

% EF
% FF

PROCUREMENT & PERFORMANCE INFORMATION (section A & B)
The agency has taken reasonable steps to control the price.of the contract and to allow qualified organizations Lo compete for thi:: work authorized by
this contract. The agency has done this through:

~ Standard Bid/RFP
B.

Prior Contract# (If Renewal):

$ 1,194,424.20

D

0 Simplified

Sole Source

D Qualification Based Selection

D

Statutory

Contract includes performance measures/guarantees to ensure the quality and/or results of the service? ~ Yes

D

No

IV. TYPE OF AGREEMENT (select all that apply)

D

Personal Service

0 Construction O Arch/Eng.

~ Non-Personal Service

D Marketing

~ Info . Tech. ~ Prof. Service

n

n

Commodity
n Retiree/Former SOY EE O Financial Trans n Zero-Dollar
Privatization
Other
SUITABILITY FOR CONTRACT FOR SERVICE
Does this contract meet the determination of an Independent Contractor? If "NO", the
0Yes 0No On/a
contractor must be set up and paid on payroll through the VTHR system.
VI. CONTRACTING PLAN APPLICABLE
Is any element of this contract subject to a pre-approved Agency/Dept. Contracting Waiver Plan? D Yes [8J No

D

V.

VII. CONFLICT OF INTEREST
By signing below, I (Agency/Dept. Head) certify that no person able to control or influence award of this contract had a pecuniary interest in its award or
performance, either personally or through a member of his or her household, family, or business.
Is there an "appearance" of a conflict or interest so that a reasonable person may conclude that this party was
D Yes [8J No selected
for improper reasons: (If yes, explain)
VIII. PRIOR APPROVALS REQUIRED OR REQUESTED
[8J Yes 0 No
Agreement must be Certified by the Attorney General under 3 V.S.A. § 342 (sign line #4 below)
[8J Yes 0 No
(AAG initial)
Attorney General review As To Fonn is required or requested:
[8J Yes 0 No
Agreement must be approved by the Secretary of ADS/CI0
[8J No
Agreement must be approved by the CM0: for Marketing services over $25,000
□ Yes
Yes
[8J
No
Agreement
must be approved by Comm. Human Resources: for Privatization, Retirees, former Employees, & ifa
□
Contract fails the IRS test.
No
~ Yes
Agreement must be approved by the Secretary of Administration
,._, ___ _, h, ni,:,~~ l\1~~1.
IX. AGENCY/DEPARTMENT HEAD CERTIFICATION; APPROVAL
on 20'f'a=
•10-o'g '1'3:4-1:06 GMT
I have made reasonable inquiry as to the accuracy of the above information (sign in order) :
e-Signed by Martha Maksym
on
2018-10-09 13:49:16 GMT
---.....__
~

'Jiff#•

I-Date

r---

~o

1-Ae:encv/Deoartment Head

2-Date

2-Ae:encv Secretary (if required)

e-Slgned by John Q uinn
" A.:2 ~ n_na '>n -,;: 1 •.11 8..GM:r
3a-Date

9.R'1'J7r
a.IYate /

Ja-cu:if / ,

3b-Datr- )16-.CMO

3c-Date

~ ¢ 7 . /_~"
,,,,

.

~

4-Attol'ney Gener.aJ./" /

,dY_ _,

5-Date

Jc-Commissioner DHR
e-Signed by Bradley Ferland
on 2018-10-11 18:15:06 GMT

5-Secretary of Administration

/

e-Signed by Peter Kipp
on 2018-10-09 14:30:49 GMT

e-Signed by Candace Elmquist
on 2018-10-10 12:14:18 GMT

Page 1 of 8
Contract #29960
Amendment #2

STATE OF VERMONT
CONTRACT FOR SERVICES

AMENDMENT

It is agreed by and between the State of Vermont, Department of Corrections (hereafter called "State") and
Centurion of Vermont with a principal place of business in 1539 Spring Hill Road, Suite 600, Vienna, VA 22182
(hereafter called "Contractor") that contract #29960 dated 10/22/15 between said State and Contractor is hereby
amended as follows:
To change Page 1, 3. Maximum Amount, from $1,194,424.20 to $1 ,345,145.09.
To change Page 1, 4. Contract Term, from end on 1/31/19 to end on 1/31/20.
To replace existing Attachment E with new Attachment E, revised July 7, 2017.
Except as modified by this above amendment, and any and all previous amendments to this contract, all provisions
of this contract #29960 .dated 10/22/15 shall remain unchanged and in full force and effect.
The effective date of this amendment is 1/31/19.
WE, THE UNDERSIGNED PARTIES, AGREE TO BE BOUND BY THE TERMS OF THIS CONTRACT AS
AMENDED.
STATE OF VERMONT
AGENCY OF HUMAN SERVICES
DEPARTMENT OF CORRECTIONS

C NTRACT

-===c,=
Signed

~;er-,

Lisa Menard, Commissioner
Date:

/J.vjl <I

11

'

Robert Laros
Date:

It 'II /2J'

?
I

H- u,.,,be&lec)-C6 o

(Please PRINT Signature)
Date:

}O/.£J.5[eQ ()J ~

Address: 1539 Spring Hill Road, Suite 600,
Vienna, VA 22182

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 2 of 8
Contract #29960
Amendment #2
ATTACHMENT E
BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT ("AGREEMENT") IS ENTERED INTO BY AND
BETWEEN THE STATE OF VERMONT AGENCY OF HUMAN SERVICES, OPERA TING BY AND
THROUGH ITS AGENCY OF HUMAN SERVICES, DEPARTMENT OF CORRECTIONS ("COVERED
ENTITY") AND CENTURION OF VERMONT, LLC ("BUSINESS ASSOCIATE") AS OF 10/22/15
("EFFECTIVE DATE"). THIS AGREEMENT SUPPLEMENTS AND IS MADE A PART OF THE
CONTRACT/GRANT TO WHICH IT IS ATTACHED.
Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated under the
Health Insurance Portability and Accountability Act of 1996 ("HIP AA"), including the Standards for the Privacy of
Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 ("Privacy Rule"), and the Security
Standards, at 45 CFR Parts 160 and 164 ("Security Rule"), as amended by Subtitle D of the Health Information
Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations.
The parties agree as follows:
1.
Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set
forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations.

"Agent" means those person(s) who are agents(s) of the Business Associate, in accordance with the Federal common
law of agency, as referenced in 45 CFR § 160.402(c).
"Breach" means the acquisition, access, use or disclosure of protected health information (PHI) which compromises
the security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164.402.
"Business Associate shall have the meaning given in 45 CFR § 160.103.
"Individual" includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
"Protected Health Information" or PHI shall have the meaning given in 45 CFR § 160.103, limited to the information
created or received by Business Associate from or on behalf of Agency.
"Security Incident" means any known successful or unsuccessful attempt by an authorized or unauthorized individual
to inappropriately use, disclose, modify, access, or destroy any information or interference with system operations in
an information system.
"Services" includes all work performed by the Business Associate for or on behalf of Covered Entity that requires
the use and/or disclosure of protected health information to perform a business associate function described in 45
CFR § 160.103 under the definition of Business Associate.
"Subcontractor" means a person or organization to whom a Business Associate delegates a function, activity or
service, other than in the capacity of a member of the workforce of the Business Associate. For purposes of this
Agreement, the term Subcontractor includes Subgrantees.

2.
Identification and Disclosure of Privacy and Security Offices. Business Associate and Subcontractors
shall provide, within ten (10) days of the execution of this agreement, written notice to the Covered Entity's

Page 3 of 8
Contract #29960
Amendment #2
contract/grant manager the names and contact information of both the HIPAA Privacy Officer and HIPAA Security
Officer. This information must be updated any time either of these contacts changes.

STATE OF VERMONT
CONTRACT FOR SERVICES

3.

Permitted and Required Uses/Disclosures of PHI.

3 .1
Except as limited in this Agreement, Business Associate may use or disclose PHI to perform Services,
as specified in the underlying grant or contract with Covered Entity. The uses and disclosures of Business
Associate are limited to the minimum necessary, to complete the tasks or to provide the services associated
with the terms of the underlying agreement. Business Associate shall not use or disclose PHI in any manner
that would constitute a violation of the Privacy Rule if used or disclosed by Covered Entity in that manner.
Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as
Required by Law.
3 .2
Business Associate may make PHI available to its employees who need access to perform Services
provided that Business Associate makes such employees aware of the use and disclosure restrictions in this
Agreement and binds them to comply with such restrictions. Business Associate may only disclose PHI for
the purposes authorized by this Agreement: (a) to its agents and Subcontractors in accordance with Sections
9 and 18 or, (b) as otherwise permitted by Section·3.
3.3
Business Associate shall be directly liable under HIP AA for impermissible uses and disclosures of the
PHI it handles on behalf of Covered Entity, and for impermissible uses and disclosures, by Business
Associate's Subcontractor(s), of the PHI that Business Associate handles on behalf of Covered Entity and that
it passes on to Subcontractors.
4.
Business Activities. Business Associate may use PHI received in its capacity as a Business Associate to
Covered Entity if necessary for Business Associate' s proper management and administration or to carry out its legal
responsibilities. Business Associate may disclose PHI received in its capacity as Business Associate to Covered
Entity for Business Associate's proper management and administration or to carry out its legal responsibilities if a
disclosure is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement
from the person to whom the information is to be disclosed that the PHI shall remain confidential and be used or
further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the
Agreement requires the person or entity to notify Business Associate, within two (2) business days (who in turn will
notify Covered Entity within two (2) business days after receiving notice of a Breach as specified in Section 6.1 ), in
writing of any Breach of Unsecured PHI of which it is aware. Uses and disclosures of PHI for the purposes identified
in Section 3 must be of the minimum amount of PHI necessary to accomplish such purposes.
5.
Safeguards. Business Associate, its Agent(s) and Subcontractor(s) shall implement and use appropriate
safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to any
PHI that is maintained in or transmitted by electronic media, Business Associate or its Subcontractor(s) shall comply
with 45 CFR sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical
safeguards) and 164.316 (policies and procedures and documentation requirements). Business Associate or its
Agent(s) and Subcontractor(s) shall identify in writing upon request from Covered Entity all of the safeguards that it
uses to prevent impermissible uses or disclosures of PHI.
6.

Documenting and Reporting Breaches.

6.1
Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches
reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 4 of 8
Contract #29960
Amendment #2
Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes
aware of the Breach, except when a law enforcement official determines that a notification would impede a
criminal investigation or cause damage to national security.

6.2
Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured
PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available
information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and,
if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible
use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the
Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these
same terms and conditions.
6.3
When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a
member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not
necessitate notice to the impacted individual(s), it shall document its assessment ofrisk, conducted as set forth
in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments
available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making
the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the
determination of low probability that the PHI had been compromised. When a breach is the responsibility of
a member of its Subcontractor's workforce, Business Associate shall either 1) conduct. its own risk assessment
and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment
and draft a summary of the event. In either case, Business Associate shall make these assessments and reports
available to Covered Entity.
6.4
Business Associate shall require, by contract, a Subcontractor to report to Business Associate and
Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days
after becomes aware of the Breach.
7.
Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable, any harmful
effect that is known to it of an impermissible use or disclosure of PHI, even if the impermissible use or disclosure
does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any
incident of impermissible use or disclosure of PHI. If requested by Covered Entity, Business Associate shall make
its mitigation and corrective action plans available to Covered Entity. Business Associate shall require a
Subcontractor to agree to these same terms and conditions.
8.

Providing Notice of Breaches.

8.1
If Covered Entity determines that an impermissible acquisition, access, use or disclosure of PHI for
which one of Business Associate' s employees or agents was responsible constitutes a Breach as defined in 45
CFR § 164.402, and if requested by Covered Entity, Business Associate shall provide notice to the
individual(s) whose PHI has been the subject of the Breach. When requested to provide notice, Business
Associate shall consult with Covered Entity about the timeliness, content and method of notice, and shall
receive Covered Entity's approval concerning these elements. The cost of notice and related remedies shall
be borne by Business Associate.
8.2
If Covered Entity or Business Associate determines that an impermissible acquisition, access, use or
disclosure of PHI by a Subcontractor of Business Associate constitutes a Breach as defined in 45 CFR §
164.402, and if requested by Covered Entity or Business Associate, Subcontractor shall provide notice to the
individual(s) whose PHI has been the subject of the Breach. When Covered Entity requests that Business

Page 5 of 8
Contract #29960
Amendment #2
Associate or its Subcontractor provide notice, Business Associate shall either 1) consult with Covered Entity
about the specifics of the notice as set forth in section 8.1, above, or 2) require, by contract, its Subcontractor
to consult with Covered Entity about the specifics of the notice as set forth in section 8 .1

STATE OF VERMONT
CONTRACT FOR SERVICES

8.3
The notice to affected individuals shall be provided as soon as reasonably possible and in no case later
than 60 calendar days after Business Associate reported the Breach to Covered Entity.
8.4
The notice to affected individuals shall be written in plain language and shall include, to the extent
possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHi that were
involved in the Breach, 3) any steps individuals can take to protect themselves from potential harm resulting
from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach, to
mitigate harm to individuals and to protect against further Breaches, and 5) contact procedures for individuals
to ask questions or obtain additional information., as set forth in 45 CFR § 164.404(c).
8.5
Business Associate shall notify individuals of Breaches as specified in 45 CFR § 164.404(d) (methods
of individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Business
Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following
the requirements set forth in 45 CFR § 164.406.
9.
Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement with
any Subcontractor to whom it provides PHI received from Covered Entity or created or received by Business
Associate on behalf of Covered Entity in which the Subcontractor agrees to the same restrictions and conditions that
apply through this Agreement to Business Associate with respect to such PHI. Business Associate must enter into
this Business Associate Agreement before any use by or disclosure of PHI to such agent. The written agreement must
identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the
agreement concerning the use or disclosure of PHI. Business Associate shall provide a copy of the Business Associate
Agreement it enters into with a subcontractor to Covered Entity upon request. Business associate may not make any
disclosure of PHI to any Subcontractor without prior written consent of Covered Entity.
10.
Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity
or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Business
Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within three
(3) business days, Business Associate shall forward to Covered Entity for handling any request for access to PHI that
Business Associate directly receives from an Individual.
11.
Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set
that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or
an Individual. Business Associate shall make such amendments in the time and manner reasonably designated by
Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any
request for amendment to PHI that Business Associate directly receives from an Individual.
12.
Accounting of Disclosures. Business Associate shall document disclosures of PHI and all information related
to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting
of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall provide such information to
Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond to an accounting
request. Business Associate shall provide such information in the time and manner reasonably designated by Covered
Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any
accounting request that Business Associate directly receives from an Individual.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 6 of 8
Contract #29960
Amendment #2
13.
Books and Records. Subject to the attorney-client and other applicable legal privileges, Business Associate
shall make its internal practices, books, and records (including policies and procedures and PHI) relating to the use
and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of
Covered Entity available to the Secretary of HHS in the time and manner designated by the Secretary. Business
Associate shall make the same information available to Covered Entity, upon Covered Entity's request, in the time
and manner reasonably designated by Covered Entity so that Covered Entity may determine whether Business
Associate is in compliance with this Agreement.
14.

Termination.

14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by
Covered Entity or until all of the PHI provided by Covered Entity to Business Associate or created or received
by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity subject to
Section 19.8.
14.2 If Business Associate breaches any material term of this Agreement, Covered Entity may either: (a)
provide an opportunity for Business Associate to cure the breach and Covered Entity may terminate the
contract or grant without liability or penalty if Business Associate does not cure the breach within the time
specified by Covered Entity; or (b) immediately terminate the contract or grant without liability or penalty if
Covered Entity believes that cure is not reasonably possible; or (c) if neither termination nor cure are feasible,
Covered Entity shall report the breach to the Secretary. Covered Entity has the right to seek to cure any breach
by Business Associate and this right, regardless of whether Covered Entity cures such breach, does not lessen
any right or remedy available to Covered Entity at law, in equity, or under the contract or grant, nor does it
lessen Business Associate's responsibility for such breach or its duty to cure such breach.
15.

Return/Destruction of PHI.

15 .1 Business Associate in connection with the expiration or termination of the contract or grant shall return
or destroy, at the discretion of the Covered Entity, all PHI received from Covered Entity or created or received
by Business Associate on behalf of Covered Entity pursuant to this contract or grant that Business Associate
still maintains in any form or medium (including electronic) within thirty (30) days after such expiration or
termination. Business Associate shall not retain any copies of the PHI. Business Associate shall certify in
writing for Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate
does not continue to maintain any PHI. Business Associate is to provide this certification during this thirty
(30) day period.
15.2 Business Associate shall provide to Covered Entity notification of any conditions that Business
Associate believes make the return or destruction of PHI infeasible. If Covered Entity agrees that return or
destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and
limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible
for so long as Business Associate maintains such PHI. This shall also apply to all Agents and Subcontractors
of Business Associate.
16.
Penalties. Business Associate understands that: (a) there may be civil or criminal penalties for misuse or
misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law
enforcement officials and regulatory, accreditation, and licensure organizations.
17.
Training. Business Associate understands that it is its obligation to comply with the law and shall provide
appropriate training and education to ensure compliance with this Agreement. If requested by Covered Entity,

Page 7 of 8
Contract #29960
Amendment #2
Busine~s Associate shall participate in AHS training regarding the use, confidentiality, and security of PHI, however,
participation in such training shall not supplant nor relieve Business Associate of its obligations under this Agreement
to independently assure compliance with the law and this Agreement.
STATE OF VERMONT
CONTRACT FOR SERVICES

18.
Security Rule Obligations. The following provisions of this section apply to the extent that Business
Associate creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity.

18.1 Business Associate shall implement and use administrative, physical, and technical safeguards in
compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it
creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall identify in
writing upon request from Covered Entity all of the safeguards that it uses to protect such Electronic PHI.
18.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI
agrees in a written agreement to implement and use administrative, physical, and technical safeguards that
reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI.
Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by
such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended
third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure
of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon
request. Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor
without the prior written consent of Covered Entity.
18.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such
Electronic PHI (whether involving Business Associate or an Agent or Subcontractor). Business Associate
shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case
later than two (2) business days after it becomes aware of the incident. Business Associate shall provide
Covered Entity with the information necessary for Covered Entity to investigate any such Security Incident.
18.4 Business Associate shall comply with any reasonable policies and procedures Covered Entity
implements to obtain compliance under the Security Rule.
19.

Miscellaneous.

19 .1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the
contract/grant, the terms of this Agreement shall govern with respect to its subject matter. Otherwise, the
terms of the contract/grant continue in effect.
19.2 Business Associate shall cooperate with Covered Entity to amend this Agreement from time to time
as is necessary for Covered Entity to comply with the Privacy Rule, the Security Rule, or any other
standards promulgated under HIP AA.
19.3 Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the
Privacy Rule, Security Rule, or any other standards promulgated under HIP AA.
19 .4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIP AA,
the Privacy Rule and Security Rule, and the HIP AA omnibus final rule) in construing the meaning and
effect of this Agreement.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 8 of 8
Contract #29960
Amendment #2
19.5 As between Business Associate and Covered Entity, Covered Entity owns all PHI provided by
Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered
Entity.

19 .6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI
it receives from Covered Entity or creates or receives on behalf of Covered Entity even if some of that
information relates to specific services for which Business Associate may not be a "Business Associate" of
Covered Entity under the Privacy Rule.
19.7 Business Associate is prohibited from directly or indirectly receiving any remuneration in exchange
for an individual's PHI. Business Associate will refrain from marketing activities that would violate HIP AA,
including specifically Section 13406 of the HITECH Act. Reports or data containing the PHI may not be sold
without Agency's or the affected individual's written consent.
19.8 The provisions of this Agreement that by their terms encompass continuing rights or responsibilities
shall survive the expiration or termination of this Agreement. For example: (a) the provisions of this
Agreement shall continue to apply if Covered Entity determines that it would be infeasible for Business
Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Business Associate to
provide an accounting of disclosures as set forth in Section 12 survives the expiration or termination of this
Agreement with respect to accounting requests, if any, made after such expiration or termination.

Rev: 7/7/17