News Articles
This site contains over 2,000 news articles, legal briefs and publications related to for-profit companies that provide correctional services. Most of the content under the "Articles" tab below is from our Prison Legal News site. PLN, a monthly print publication, has been reporting on criminal justice-related issues, including prison privatization, since 1990. If you are seeking pleadings or court rulings in lawsuits and other legal proceedings involving private prison companies, search under the "Legal Briefs" tab. For reports, audits and other publications related to the private prison industry, search using the "Publications" tab.
For any type of search, click on the magnifying glass icon to enter one or more keywords, and you can refine your search criteria using "More search options." Note that searches for "CCA" and "Corrections Corporation of America" will return different results.
Vermont DOC Contract Summary With Centurion 2020
Document text
Note: All section mu ·t b comp! t d. Incomplete form viii be ret urned to the rlglnalini; department. I. CO~TRACT INFORMATION: Agency/Department: AHS/ Department of Corrections Contract #: 29960 Amendment #: 3 Vendor Name: Centurion of Vermont, LLC VISION Vendor No: 339936 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 Vendor Address: 09/15/15 Ending Date: 6/30/2020 Amendment Date: 1/30/2020 Starting Date: Summary of agreement or amendment: Amendment to extend tenn and funding to align with Health Services Contract. II. FIN~ C)AL & ACCOUNTING INFORMATION Maximum Payable: ~t, 4 Jo,s3 s. 6 Prior Maximum: Current Amendment: $65,393.51 Business Unit Estimated Funding Split: Cumulative amendments: : 3520· I' - notes: 00.01 % GF % TF Prior Contract# (If Renewal): $1,345,145.09 % Cumulative Change: $ 386,075.60 VISION Account s : 507500· CJ %Other C] % EF i:=J % SF i:=J % GC 37.72 C:=J %FF (name) ill. PROCUREMENT & PERFORMANCE INFORMATION A. Identify applicable procurement process utilized. D Qualification Based Selection D If Sole Source Contract, contract form includes self-certification language? D Yes ~ N/A ~ Standard Bid/RFP B. D Simplified D Sole Source (See B.) Statutory C. Contract includes performance measures/guarantees to ensure the quality and/or results of the service? ~ Yes IV. TYPE OF AGREEMENT select all that a . t D Personal Service D Construction D Arch/Eng. D Marketing ~ Info.Tech. ~Prof.Service ~ Non-Personal Service om.modi Retiree/Former SOV EE Financial Trans Zero-Dollar Privatization V. SUITABILITY FOR CONTRACT FOR SERVICE D No Other D No D n/a Does this contract meet the determination of an Independent Contractor? If "NO", the contractor es must be set up and paid on payroll through the VTHR system. VI. CONTRACTING PLAN APPLICABLE ~ y Is any element of this contract subject to a pre-approved Agency/Dept. Contracting Waiver Plan? VII. D Yes 181 No CONFLICT OF INTEREST By signing below, I (Agency/Dept. Head) certify that no person able to control or influence award of this contract had a pecuniary interest in its award or performance, either personally or through a member of his or her household, family, or business. D Yes C8J No Is there an "appearance" of a conflict of interest so that a reasonable person may conclude that this party was selected for improper reasons: (If yes, explain) VIII. PRIOR APPROVALS RE UIRED OR RE UESTED 181 D D Yes Yes Yes Yes Yes 0 0 0 181 181 No No No No No 181 Yes D No C8J C8J Agreement must be Certified by the Attorney General under 3 V.S.A. § 342 (sign line #4 below) Attorney General review As To Form is required ($25,000 and above) or otherwise requested: _ _ (AAG initial) Agreement must be approved by the Secretary of ADS/CIO Agreement must be approved by the CMO: for Marketing services over $25,000 Agreement must be approved by Comm. Human Resources: for Privatization, Retirees, Former Employees, & if a Contract fails the IRS test. Agreement must be approved by the Secretary of Administration as to e accuracy of the above informati n (s'gn in order).E-SIGNED by DIANE NEALY on 2020-01-3118:31:27 GMT b-CMO 3c-Date 3c-Commissioner DHR E-SIGNED by Brad Ferland S-Date E-SIGNED by PAT TEAM on 2020-02-03 13:42:04 GMT E-SIGNEO by Candace Elmquist on 2020-02-06 17:31:29 GMT State of Vermont Agency of Digital Services , 133 State Street, 5 th Floor Montpelier, vr 05633-0210 [phone] 802-828-4141 MEMO Date: 01/31/2020 To: John Quinn - CIO VIA: Jon Provost From: ADS Procurement Advisory Team (PAT) Subject: CIO approval of contract amendment 29960_3 between the Department of Corrections and Centurion of Vermont. · The Agency of Digital Services (ADS) PAT team contract amendment 29960_3 between the Department of Corrections and Centurion of Vermont at our 01/23/2020 meeting. Centurion provides the Department of Corrections thru this contract with an Electronic Health Records system. This amendment extends the term of the contract until June 30, 2020. The extension is intended to align the Electronic Health Records contract with the dates of the contract that provides the actual Health Services to inmates in the Vermont Correctional System. It increases the total maximum payable by $65,393.51 for a new maximum payable of $1,410,538.60. The PAT team recommends CIO approval of this contract amendment .11111.-•. . •oJect Name: ienw/Dept. .. Centurian 29960 3 AHS DOC ADS Reviewer Summary & Sign-off Memo Ok to Proceed to with project from llevl,wi,er Contracting Spe(lallst 1terprlse Architecture eputy CISO 1lef Data Officer ' Leader 1lefTechnology,Offlcer eputv Secretary 10 Reviewer Name Date Received Date Review Completed Reviewer's perspective? Jon Provost John Hunt Scott Carbee Mark Combs Shawn Nailor John Quinn Date e-slgred approval: . RFP Revlewel' Name · Contracting Specialist PMO/OPM Merprlse Architecture eputy CISO hlef Data Offlcer ·Leader isk Management TO eputy Secretary 10 Date Received Date Review Completed Ok to Post RFP from Reviewer's perspective? Jon Provost John Hunt Scott Carbee Rebecca White Mark Combs Shawn Nailor John Quinn Date e-sl11.ned approval: Coniract or Amendment Reviewer Name r Contracting Specialist PMO/OPM nterprlse Architecture fep utv CISO :hlef Data Officer rLeader ilsk Management :YO leouty Secretary :10 Jon Provost John Hunt Scott Carbee Darin Prall Rebecca White Mark Combs Shawn Nailor John Quinn Date Received 1/21/2020 1/21/2020 1/21/2020 1/21/2020 1/21/2020 1/21/2020 1/21/2020 1/21/2020 1/21/2020 1/21/2020 Date Review Completed Ok to Sign Contract from Reviewer's perspective? 1/23/2020 Yes 1/23/2020 1/22/2020 Yes Yes 1/23/2020 Yes 1/23/2020 Yes Date e-signed approval: State of Vermont Agency of Digital Services , 133 State Street, 5th Floor Montpelier, vr 05633-0210 [phone] 802-828-4141 MEMO Date: 01/31/2020 To: John Quinn - CIO VIA: Jon Provost From: ADS Procurement Advisory Team (PAT) Subject: CIO approval of contract amendment 29960 _3 between the Department of Corrections and Centurion of Vermont. The Agency of Digital Services (ADS) PAT team contract amendment 29960_3 between the Department of Corrections and Centurion of Vermont at our 01/23/2020 meeting. Centurion provides the Department of Corrections thru this contract with an Electronic Health Records system. This amendment extends the term of the contract until June 30, 2020. The extension is intended to align the Electronic Health Records contract with the dates of the contract that provides the actual Health Services to inmates in the Vermont Correctional System. It increases the total maximum payable by $65,393.51 for a new maximum payable of $1 ,410,538.60. The PAT team recommends CIO approval of this contract amendment ' t L-~•!.J• • .. • '"' proJect Name: Aaencv/Dept, Centurian 29960 3 AHS DOC ADS Reviewer Summary & Sign-off Memo [ Ok to Proceed to with project from Reviewer IT Contracting Specialist Enter11rise Architecture DeputvCISO Chief Data Officer IT Leader Chief Technology Officer Deputy Secretary CIO Reviewer Name Date Received Date Review Completed Reviewer's perspective? Jon Provost John Hunt Scott Carbee Mark Combs Shawn Nailor John Quinn Date e-signed approval : RFP Reviewer Name IT Contracting Specialist EPMO/OPM Enterprise Architecture Deputy CISO Chief Data Officer IT Leader Risk M anagement CTO Deputy Secretary CIO Date Received Date Review Completed Ok to Post RFP from Reviewer's perspective? Jon Provost John Hunt Scott Carbee Rebecca White Mark Combs Shawn Nailor John Quinn Date e-Sil!ned approval: Contract or Amendment Reviewer Name IT Contracting Speclaiist EPMO/OPM Enterprise Architecture Oep1JtyCISO Chief Data Officer IT Leader Risk Management CTO Deputy Secretary CIO Date Received Date Review Completed Ok to Sign Contract from Reviewer's perspective? Jon Provost 1/21/2020 1/21/2020 1/23/2020 Yes John Hunt 1/21/2020 1/23/2020 Yes Scott Carbee 1/21/2020 1/21/2020 1/22/2020 Yes Darin Prail 1/21/2020 1/23/2020 Yes Rebecca White 1/21/2020 Mark Combs 1/21/2020 1/21/2020 1/23/2020 Yes Shawn Nailor John Quinn 1/21/2020 Date e-signed approval: ~ .YERMONT State ofVermont Department of Corrections NOB 2 South, 280 State Drive Waterbury, VT 05671-2000 doc.vermont.gov Agency of Human Services [phone] 802-241-2442 [phone] 802-241-0000 [fax] 802-241-0020 E-SIGNED by Bradley Ferland on 2020-01-14 13:54:07 GMT Memorandum To: Susanne Young, Secretary of Administration Thru: Mike Smith, Secretary, Agency of Human Services E-SIGNED by Candace Elmquis on 2020-01-13 20:01:36 GMT E-SIGNED by Dawn O'Toole on 2020-01-08 18:20:29 GMT From: Jim Baker, Interim Commissioner, Department of Corrections Date: January 8, 2020 RE: E-SIGNED by Diane Nealy on 2020-01-08 16:32:31 GMT Bulletin 3.5 Term Waiver Request, Centurion of Vermont LLC, Contract #29960 The Vermont Department of Corrections (DOC) is seeking to extend the term of the current contract for the Electronic Health Record services with our Contractor, Centurion of Vermont, LLC. In addition to aligning this contract with the time extension of the contract with Centurion of Vermont for Inmate Health Services, the term waiver extension will allow DOC to more thoroughly review and score the Request for Proposal (RFP) responses and ensure that there is sufficient time for the following processes prior to the cunent contract s expiration: vendor selection, contract negotiation, contract development, contract routing, and final execution of the future contract. We are confident that these items can all be addressed during this 5-month contract extension and will result with a selection that meets the needs of the DOC and all stakeholders. Current Contract Term: 10/22/2015 through 01/31/2020, and the approval of this request would allow us to extend the term b 5 months (through June 30, 2020). N ;I. Page 1 of8 Contract #29960 AM #3 STATE OF VERMONT CONTRACT AMENDMENT It is hereby agreed by and between the State of Vermont, Department of Corrections (the "State") and Centurion of Vermont, with a principal place of business in 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 (the "Contractor") that the contract between them originally dated as of Octa.her 22, 2015, Contract #29960, as amended to date, (the "Contract") is hereby amended as follows: Maximum Amoqnt. I. The maximum amount payable under the Contract, wherever such reference appears in the Contract, shall be changed from $1,345,145.09 to $1,410,538.60 representing an increase of $65,393.51. II. Contract Term. The Contract end date, wherever such reference appears in the Contract, shall be changed from January 31, 2020 to June 30, 2020. III. Attachment E, Standard State Provil!lions for Contracts and Grants. Attachment E is hereby deleted in its entirety and replaced by the Attachment E (5/21/19) attached to this Amendment . . Taxes Due to the State. Contractor certifies under the pains and penalties of perjury that, as of the date this contract amendment is signed, the Contractor is in good standing with respect to, or in full compliance with a plan to pay, any and all taxes due the State of Vermont. Child upport (Applicable to natural persons only; not applicable to corporations. partnerships or LLCs). Contractor is under no obligation to pay child support or is in good standing with respect to or in full compliance with a plan to pay any and all child support payable under a support order as of the date of this amendment. Certification Regarding Suspension or Debannent Contractor certifies under the pains and penalties of perjury that, as of the date this contract aµiendment is signed, neither Contractor nor Contractor's principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in federal programs, or programs supported in whole or in part by federal funds. Contractor further certifies under pains and penalties of perjury that, as of the date this contract amendment is signed, Contractor is not presently debmed, suspended, nor named on the State's debarment list at: http://bgs.vennont.gov/purchasing-contracting/debann.ent SOV Cybersecurin, Standard 19-01. All products and service provided to or for the use of the State under this Contract shall be in compliance with State of Vermont Cybersecurity Standard 19-01, which Contractor acknowledges has been provided to it, and is available on-line at the following URL: 'lt ://di italservices. vc nont. ov/c ber ·ecurit /c bersecuril 1-standards-anddirectives Page 2 ofB Contract #29960 AM #3 This document consists of 8 pages. Except as modified by this Amendment No. three (3) all provisions of the Contract remain in full force and effect. The effective date of this amendment is: 01/30/2020. The signatures of the undersigned indicate that each has read ~d agrees to be bound by this Amendment to the Contract. STATE OF VERMONT By: --------- Judy Henkin Name: ------- Name: ::>le, @cl Tide: Deputy Commissioner of Corrections - - - ---- Title: CGcJ Date: Date: :;5/q/at79C) --------- 1-l. k < ~ e r Pagel of8 Contract #29960 AM #3 ATTACITh:IENT E BUSINESS ASSOCIATE AGREEMENT SOV CONTRACTOR/GRANTEE/BUSINESS ASSOCIATE: CENTURION OF VERMONT. LLC SOV CONTRACT NO.: 29960 CONTRACT EFFECTIVE DATE: 9/15/15 This Business Associate Agreement ("Agreement'') is entered into by and between the State of Vennont Agency of Human Services, operating by and through its Department of Corrections ("Covered Entity") and Party identified in this Agreement as Contractor or Grantee above ("BusineH Asaociate"). This Agreement supplements and is made a part of the contract or grant (''Contract or Grant) to which it is attached. Covered Entity and Business Asaociate enter into this Agreement to comply with the sf.andards promulgated under the Health Insurance Portability and Accountability Act of 1996 (''IDPM"), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 ("~vacy Rule''), and the Security Standards, at 45 CFR Parta 160 and 164 ("Security Rule"), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH}, and any associated federal rules and regulations. The partiea •Klee •• folloWI: 1. DcOnlUon . All capitalized tenns used but not otherwise defined in this Agreement have the meanings set as amended by lliTECH and associated federal rules and regulations. Tenns defined in this Agreement are italicized. Unless otherwise specified. when used in this Agreement, defined tenns used in the singular shall be understood if appropriate ~ their context to include the plural when applicable. forth in 45 CFR Parts 160 and 164 "Agenf' means an Individual acting within the scope of the agency of the Business Associate, in accordance with the Federal common law of agency, aa referenced in 45 CFR § 160.402(c) and includes Workforce members and Subcontractors. "Breach" means the acquisition, Access, Use or Disclosure of Protected Health Information (PHI) which compromises the Security or privacy of the PHI, except as excluded in the defmition of Breach in 45 CFR § 164.402. · "Bustness Associate" shall have the meaning given for "Business Associate" in 45 CFR § 160.103 and means Contractor or Grantee and includes its Workfon:e, Agents and Subcontractors. "Electronit! PHl'' shall mean PHI created, received, maintained or transmitted electronically in accordance with 45 CFR § 160.103. "lndividuaf' includes a Person who qualifies as a personal rq,rcsentative in accordance with 45 CFR § 164.502(g). "Protected Health Information" ("PHf') shall have the meaning given in 45 CFR § 160,103, limited to the PHI created or received by Business Associate from or on behalf of Covered Entity. "Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court oflaw and shall have the meaning given in 45 CFR § 164.103. "Report' means submissions required by this Agreement III provided in section 2.3. "Security Incident' means the attempted or 1111cc:essful unauthorir.ed Access, Use, Disclosure, modification, or destruction of Information or interference with system operations in an Infonnation System relating to PHI in accordance with 4S CFR § 164.304. Contract #29960 AM #3 Page4 of8 "Services" includes all work performed by the Business Associate for or on behalf of Covered Entity that requires the Use and/orDisclo8Ure of PHJro perfonn a Business Associate function described in 4.5 CFR § 160.103. "Subcontractor' means a Penon to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate. "Successji,I Security lncidenf' shall mean a Security Incident that results in the unauthorized Access, Use, Disclosure, modification, or destruction of information or int.erference with system operations in an Infonnation System. "Unsuccessfi,I Security Incident' shall mean a Security IncidenL such as routine occurrences that do not result in unauthorized Access, Use, Disclosure, modification. or destruction of information or intexference with system operations in an Infonnation System, such as: (i) unsuccessful attempts to penetrat.e computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attei:npts, denials of service and any combination of the above with respect to Business Associate 's Infonnation System. "Targeted Unsuccessfi,l Security Incident' means an Ur,successji,I Security Incident that appears to be an attempt to obtain unauthorized Access, Use, Disclosure, modification or destruction of the Covered Entity's Electronic PHI. 2. Contact lnformatlon ror Privacy and Scturlry Officers and Rcborts. 2.1 Business Associate shall provide, within ten (10) days of the execution of this Agreemen~ written notice ro the Contract or Grant manager the nll.Dles aml cunlacl infonnatiou of both the HIPAA Privacy Officer and .HIPAA Security Officer of the Business Associate. This information must be updated by Business Associate any time these contacts change. 2.2 Covered Entity's HIPAA Privacy Officer and HIPAA Security Officer contact information is posted at: http;flhumanscrvices.vc1mont.gov/policy-legisla1ion/hipaa/hipaa-info-bcnellciaries/ahs-hip acontacts/ BusineSB Associate shall submit all Reports required by thiN Agreement to the following email address: ~S.PrivacyAndSeourity@vennont.Jtov 2.3 3. Permittc!d agd Required U es/DI closures of PHI. 3.1 Subject to the terms in this Agreement, Business Associate may Use or Disclose PHI to perfonn Services, as specified in the Contract or Grant. Such Uses and Disclosures are limited to the minimum necessary to provide the Services. BWBiness Associate shall not Uae or Disclose PHI in any manner that would constitute a violation of the Privacy Rule if Used or Disclosed by Covered Entity in that mam1er. Business Associate may not Use or Disclose PHI other than as permitted or required by this Agreement or as Required by Law and only in compliance with applicable laws and regulations. 3.2 Business .Associate may make PHI available to its Workforce, Agent and subcontractor who need Access to perfonn Services as pennitt.ed by this Agreement, provided that /Justness Associate makes them aware of the Us~ and Disclosure restrictions in this Agreement and binds them to comply with such restrictions. 3.3 Business Associate shall be directly liable under HIPAA for impermissible Uses and Disclosures of PHI. 4. Buslnest Activltie1. Business Associate may Use Pm if neGessary for Business Associate's proper management and administration or to carry out its legal responsibilities. Bwiness Associate may Disclose PHI for Business Associate 's proper management and administration or to carry out its legal responsibilities if a Disclosure is Required by Law or if Business Associate obtains reasonable written assJml[lces via a written agreement from the Person to whom the information is to be Disclosed that such PHI shall remain confidential and be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the Person, and the Agreement Contract #29960 AM #3 Page5of8 requires the Person to notify Business Associate, within five (S) business days, in writing of any Breach of Umecured PHI of which it is aware. Such Uses and Disclosures of PHI must be of the minimum amount ncceasmy to accomplish such pwp08CS. 5. Electronic PHl SecurJty Rule ObHgation . S. l With respect to Electronic PHI, Business AssociQte shall: a) Implement and use Administrative. Physical, and Technical Safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312; b) Identify in writing upon ~uest from Covered Entity all the safeguards that it Electronic PHI; ~ to protect such c) Prior to any Use or Disclosure of Electronic PHI by an Agent or Subcontractor, ensure that any Agent or Subcontractor to whom it provides Electronic PHI agrees in writing to implement and use Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic PHI. The written agreement must identify Coven,d Entity a11 a direct and intended third party beneficimy with the right to enforce any breach of the agreement concerning the Use or Diaclosure of Electronic PHI, arid be provided to Covered Entity upon request; any d) Report in writing to Covered Entity Successful Security Incident or Targeted Security Incident as soon as it becomes aware of such incident and in no event later than five (5) busines11 days after such awareness. Such report shall be timely made notwithstanding the fact that little information may be known at the time of the report and need only include such information then available; e) Following such report, provide Covered Entity with the infonnation necessary for Covered Entity to investigate any such incident; and t) Continue to provide to Covered Entity information concerning the incident as it becomes available to it. Reporting Unsuccessful Security Incidents. Business Associate shall provide Covered Entity upon written request a Report that: {a) identifies the categories of Unsuccessful Security Incidents; (b) indicates whether Business As.sociate believes its current defen11ive security measures are adequate to address all 5.2 Unsuccessful Security Incidenta, given the scope and nature of such attempts; and {c) if the security measures are not adequate, the measures Bwiness Associate will implement to address the security inadequacies. 5.3 Bustneas Associate shall comply with any reasonable policies and procedures Coveffld Entity implements to obtain compliance under the Security Rule. 6. Reportlne nd Documenting Breaches. 6.1 Business Associate shall Report to Covered Entity any Breach of Unsecured PHI as soon as it, or any Person to whom PHI is disclosed under this Agreement, becomes aware of any such Breach, and in no event later than five (S) buainess days after such awareness, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Such Report shall be timely made notwithstanding the fact that little infonnation may be known at the time of the Report and need only include such infonnation then available. 6.2 Following the Report described in 6.1, Business Associate shall conduct a risk assessment and provide it to Covered Entity with a summary of the event Business A,gsociate shall provide Covered Entity with the names of any Individual whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that ie required to be given to the affected Individ110I, as set forth in 45 CFR § l64.404(c). Upon request by Covered Entity, Business Associate shall Contract #29960 AM #3 Page 6of8 provide information necessary for Covered Entity to investigate the impennissible Use or Disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available. 6.3 When Business Associate determines that an impennwible acquisition, Access, Use or Disclosure of PHI for which it is responsible is not a Breach, and therefore does not necessitate notice to the impacted Individual, it shall document its assessment of risk, conducted as set forth in 4.5 CFR § 402(2). Business Associate shall make ill risk assessment available to Covered Entity upon request. It shall include 1) the name of the penon making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination oflow probability that the PHI had been compromised. ,~ Mltigalion and Corrective Action. Business Associate shalt mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible Use or Disclosure of PHI, even if the impennissible Use or Disclosure does not constitute a Breach. Business Associate shall draft and cany out a plan of corrective action to address any incident of impennissible Use or Disclosure of PHI. Business Associate shall make its mitigation and corrective action plans available to Covered Entity upon request 8. Providing Notice pf Breaches. 8.1 If Covered Entity determines that a Breach of PHI for which Business Associate was responsible, and if requested by Covered Entity, Business Associate shall provide notice to the Individual whose PHI has been the subject of the Breach. When so rcquest.ed, Business Associate shall consult with Covered Entity about the timeliness, content ~d method of notice, and shall receive Covered Entity's approval concerning these elements. Business Associate shall be responsible for the cost of notice and related remedies. · 8.2 The notice to affected Individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Business Associate reported the Breach to Covered Entity. 8.3 The notice to affected Individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured Pm that were involved in the Breach, 3) any steps Individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach to mitigate harm to Individuals and to protec;:t against further Breaches, and 5) contact procedures for Individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c). 8.4 Businesa Associate shall notify Individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of Indivtdual notice). In addition, when a Breach involves more than SOO residents ofVennont. Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vennont, following the requirements set forth in 45 CFR § 164.406. 9. Agreements with Subcont.radon. Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI to require compliance with HIPAA and to ensun: Business Associate and Subcontractor comply with the terms and conditions of this Agreement. Business .Associate must enter into such written agreement before any USC! by or Disclosure of PHI to such Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the Use or Disclosure of PHI. Business Associate shall provide a copy of the written agreement it enters into with a Subcontractor to Covered Entity upon request. Business Associate may not make any Disclosure of PHI to any Subcontractor without prior written consent of Covered Entity. 10, Acgss to PHI. Businesa Associate shall provide access to PHI in a Designated Record Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under4S CFR § 164.524. Business Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within five (S) business days, Business Associate shall forward to Covered Entity for handling any request for Access to PHI that Business Associate directly receives from an Individual. Contract #29960 AM #3 Page7 of8 11. Amendment of PHI. Bu.sinus Associate shall make aiiy amendment& to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuaot to 4j CFR § 164.526, whether at the request of Covered Entity or an Individual. Busiriess Associate shall make such amendments in the time and manner reasonably designated by Covered Entity. Within five (S) business days, Business Associate shall forward to Covered Entity for handling any reques~ for amendment to PHI that Business Associate directly receives from an Individual. 12. Accounting of Disclosures. Business Associate shall document Discl05ures of Pm and all information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business .Associate ahall provide such information to Covered Entity or as directed by Covered Entity to an Individual, to pennit Covered Entity to respond to an accounting request. Business Associate shall provide such infonnation in the time and manner reasonably designated by Covered F.ntity. Within five (5) buaineas days, Business .Associate shall forward to Covered Entity for handling any accounting request that Business Associate directly receives from an Individual. Btiok• and ·Records. Subject to the attorney-client and other applicable legal privileges, Business Associate shall make its internal practices, books, and records (including policies and procedures and PHI) relating to the Use and Disclosure of PHI available to the SecretaJy of Health and Human Services (HHS) in the time and manner designated by the Secretary. Business Associate shall make the same information available to Covered Entity, upon Covered Entity's request, in the time and manner reasonably designated by Covered Entity so that Covered Entity may detennine whether Business Associate is in compliance with this Agreement. 13. 14. Termln.ation. 14.1 Thia Agreement commences on the Effective Date and shall remain in effect until tenninated by Covered Entity or until all the PHI is destroyed or returned to Covered Entity subject to Section 18.8. 14.2 If Business Associate fails to comply with any material term of this Agreement, Covered Entity may provide an opportunity for Business Associate to cure. If Business Associate does not cure within the time specified by Covered Entity or if Covered Entity believes that cure is not reasonably possible, Covered Entity may immediately tcnnina.te the Contract or Grant without incurring liability or penalty for such termination. If neither tennination nor cure arc feasible, Covered Entity shall report the breach to the Secretary of HHS. Covered EntitY, has the right to seek to cure such failure by Business Associate. Regardless of whether Covered Entity cures, it retains any right or remedy available at law, in equity, or under the Contract or Grant and Business Associate retains its responsibility for such failure. 15. Return/Destruction of Pm. 15.1 Busiriess .Associate in connection with the expiration or tennination of the Contract or G~t shall return or destroy, at the discretion oftbe Covered Entity, PHI that Business Associate still maintains in any fonn or medium (including electronic) within thirty (30) days after such expiration or tennination. Business Associate shall not retain any copies of PHI. Business .Associate shall certify in writing and report to Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate does not continue to maintain any PHI. BWJiness Associate is to provide this certification during this thirty (30) day period. 15.2 Business Associate shall report to Covered Entity any conditions that Business Associate believes make the return or destruction of PHI infeasible. Business Associate shall extend the protections of this Agreement to such Pm and limit further Uses and Disclosures to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI. 16. Penaltiea. Business As11ociate understands that: (a) there may be civil or criminal penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure organizations. 17. Training. Business Associate understands its obligation to comply with the law and shall provide appropriate training and education to ensure compliance with this AgreemenL If requested by Covered Entity, Contract #29960 AM #3 Page 8of8 Business Associate shall participate in Covered Entity's training regarding the Use, Confidentiality, and Security of PHI; however, participation in such trainins shall not supplant nor relieve Bustness Associate of ita obligations under this Agreement to independently assure compliance with the law and this Agreement. 18. Mlsce1Janeous. 18.I In the event of any conflict or incomiatency.between the terms of this .Agreement and the terms of the Contract or Grant, the terms of this Agreement shall govern with respect to its 11Ubject matter. Otherwise, the terms of the Contract or Grant continue in effect. 18.2 Each party shall cooperate with the other party to amend this Agreement from time to time as is necessary for such party to comply with the Privacy Rule, the Security Rule, or any other standards promulgated wider HIPAA. Thia Agreemc::nt may not be amended, except by a writing signed by all parties hereto. 18.3 Any ambiguity in this Agreement shall be resolved to pennit the parties to comply with the Privacy Rule, Security Rule, or any other standards promulgated under HIPAA 18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIPAA, the Privacy Rule, Security Rule, and HITECH) in construing the meaning and effect of this Agreement · 18.5 Business Associate shall not have or claim any ownership of PHI. 18,6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI even if some of that information relates to specific services for which Business Associate may not be a "Business Associate" of Covered Entity under the Privacy Rule. 18.7 Busilless Associate is prohibited from directly or indirectly receiving any remuneration in exchange for an Individual's PHI. Business Associate will refrain from marketing activities that would violate HIPM including specifically Section 13406 of the HITECH Act. Reports or data containing PHI may not be sold without Covered Entity's or the affected Individual's written consent 18.8 The provisions of this .Agreement that by their tenns encompasa continuing rights or responsibilities shall survive the expiration or termination of thill Agreement. For example: (a) the provisions of this Agreement shall continue to apply if Covered Entity determines that it would be infeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Bwiness Associate to provide an accounting of disclosures as set forth in Section 12 survives the eit,p iration or termination of this Agreement with respect to accounting requests, if any, made after such expiration or temtlnation. Rev. 0S/21/2019