- I. Recitals —
- MSDH is a state agency with a principal place of business at 570 East Woodrow Wilson, Jackson, MS 39215.
- Business Associate is a corporation qualified to do business in Mississippi that will act to perform business services for MSDH with a principal place of business at ___________________.
- This Business Associate Agreement (“Agreement”) is entered into pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, as amended by the Genetic Information Nondiscrimination Act (“GINA”) of 2008 and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A, and Title IV of Division B of the American Recovery and Reinvestment Act (“ARRA”) of 2009, and its implementing regulations, including, but not necessarily limited to, 45 C.F.R. Part 160, and 45 C.F.R. Part 164 Subparts A and C (“Security Rule”), and 45 C.F.R. Part 160 Subparts A and E (“Privacy Rule”). These statutes and regulations are hereinafter collectively referred to as HIPAA. MSDH, as a covered entity, is required to enter into this Agreement to obtain satisfactory assurances that Business Associate will comply with and appropriately safeguard all Protected Health Information (“PHI”) Used, Disclosed, created, or received by Business Associate on behalf of MSDH. Certain provisions of HIPAA and its implementing regulations apply to Business Associate in the same manner as they apply to MSDH, and such provisions must be incorporated into this Agreement.
- MSDH desires to engage Business Associate to perform certain functions for, or on behalf of, MSDH involving the Disclosure of PHI by MSDH to Business Associate, or the creation or Use of PHI by Business Associate on behalf of MSDH, and Business Associate desires to perform such functions, as set forth in the Underlying Agreement(s) which involve the exchange of information, and wholly incorporated herein.
- Prior Experience —
Vendor must have been in business and provided goods and/or services similar in requirements and scale to those described in this SoQ for a minimum of 3 years.
- Prenatal and Postpartum Cessation Program —
Scope of Work
Section 1: Contractor will implement the following:
- Provide a HIPAA-compliant online web-based portal for MS health care providers to refer pregnant women to the cessation telehealth program.
- Provide a HIPAA-compliant online data portal system for collecting ongoing data on enrollees in the cessation telehealth program.
- Enroll up to 65 (sixty-five) participants per fiscal year in the cessation telehealth program. Provide 4 (four) prenatal and 6 (six) postpartum cessation educational sessions on quitting tobacco use and relapse prevention.
- Provide enrolled tobacco user testing CO monitors and/or saliva tests for tobacco use status.
- Provide 2 (two), $25.00 restricted vouchers at prenatal sessions 3 (three) & 4 (four), if tobacco-free. Provide 2 (two), $25.00 at postpartum sessions 1 (one) – 6 (six) if tobacco-free.
- Provide ongoing data reports as customized by the MS Tobacco Control Program regarding referrals, enrollees, etc., as agreed.
- Provide four (4) (one per quarter) digital media promotion placements for the cessation telehealth program.
- Schedule monthly/ongoing conference calls with state contact(s) to continue collaboration and programmatic updates.
- Provide a program referral training at the following:
- MSDH Office of Adult Health: Tobacco Control Annual Statewide Meeting
- Mississippi Tobacco Free Coalition (MTFC) Quarterly Meeting/Training
- As requested by the MSDH Office of Adult Health: Tobacco Control
*Dates for these meetings may vary. MSDH Office of Adult Health: Tobacco Control will notify the contractor at least 30 days before the meeting*
Section 2: General Service Delivery Protocol/Required Training
- Contractor's personnel are required to have access to a phone, computer, internet, and email service.
- Designated contractor personnel will be available to attend all statewide meetings conducted by the MSDH Office of Adult Health: Tobacco Control during the contract period.
- The Contractor Project Director or designated staff will participate in the MS Tobacco Control Network.
- Contractor will secure approval for all program/campaign materials, press releases, news articles, and website information related to programs sponsored and financed by MSDH OTC at least five (5) business days before publication or dissemination. All materials must be proofread and publication-ready (free of grammatical errors) before submission to MSDH.
- All support, printed, and/or published materials produced under this project must include the following reference: “the cessation telehealth program is funded by a grant from the Mississippi State Department of Health.”
- Any failure to meet the requirements listed or falsification of information may result in the termination of this contract and/or the elimination of any future funding.
- Personnel designated by the contractor are required to attend quarterly meetings and all other meetings as required by the MSDH Office of Adult Health: Tobacco Control.
- One of the primary goals of the MSDH Office of Adult Health: Tobacco Control is to support our state’s efforts to provide our citizens with the opportunity to breathe smoke-free air. Therefore, all meetings, conferences, workshops, etc., which will be supported by grant funds from the MSDH Office of Adult Health: Tobacco Control, must be conducted in smoke-free facilities.
- The contractor will be responsible for responding to surveys regarding communication activities conducted by the Office of Adult Health: Tobacco Control.
Section 3: General Service Delivery Protocol/Required Training
- Contractor will conduct evaluations of all planned and executed events and activities, as outlined in the Scope of Work. This documentation must be kept on file by the Contractor. Evaluations may include:
a. sign-in sheets and/or registration rosters
b. participants’ survey opinions of the success of the activities
c. participants’ comments related to events
d. Other evaluation tools/methods as directed by the MSDH Office of Adult Health: Tobacco Control
- Contractor will participate in overall program evaluation efforts as requested by the MSDH Office of Adult Health: Tobacco Control staff and any third-party evaluators.
Section 4: Reporting Requirements
- All reporting will be submitted monthly.
Section 5: Payment
- By the 15th of every month, the contractor will submit an invoice and a monthly summative report reflecting the scope of work deliverables to the MSDH Office of Adult Health: Tobacco Control to receive reimbursement for completed services. Invoice documentation will reflect the following information: cover sheets for each budget category, expenditures by month for the fiscal year to date, and budget justification by line item.
- Failure to complete any of the following requirements will result in delayed payment:
a. Submit monthly reporting
b. Conduct all deliverables outlined in the Scope of Work by the timeline indicated
- II. Definitions —
- “Breach” shall mean the acquisition, access, Use or Disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI, and subject to the exceptions set forth in 45 C.F.R. § 164.402.
- “Business Associate” shall mean _____________, including all workforce members, representatives, agents, successors, heirs, and permitted assigns.
- “Covered Entity” shall mean the Mississippi State Department of Health, an agency of the State of Mississippi.
- “Data Aggregation” shall have the same meaning as the term “Data aggregation” in 45 C.F.R. § 164.501.
- “Designated Record Set” shall have the same meaning as the term “Designated Record Set” in 45 C.F.R. §164.501.
- “Disclosure” shall have the same meaning as the term “Disclosure” in 45 C.F.R. § 160.103.
- “MSDH” shall mean the Mississippi State Department of Health, an agency of the State of Mississippi.
- “Individual” shall have the same meaning as the term “Individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- “Privacy Officer” shall mean the person designated by MSDH to oversee its implementation of and compliance with HIPAA.
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
- “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of MSDH.
- “Reproductive health care services” means all supplies, care and services of a medical, behavioral health, mental health, surgical, psychiatric, therapeutic, diagnostic, preventive, rehabilitative or supportive nature, including medication, relating to pregnancy, contraception, assisted reproduction, pregnancy loss management or the termination of a pregnancy in accordance with the applicable standard of care as defined by major medical professional organizations and agencies with expertise in the field of reproductive health care.
- “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
- “Security Incident” shall have the same meaning as the term “Security incident” in 45 C.F.R. §164.304.
- “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C.
- “Standard” shall have the same meaning as the term “Standard” in 45 C.F.R. § 160.103.
- “Underlying Agreement” shall mean any applicable Memorandum of Understanding (“MOU”), agreement, contract, or any other similar device, and any proposal or Request for Proposal (“RFP”) related thereto and agreed upon between the Parties, entered into between MSDH and Business Associate. Under this Business Associate Agreement, “Underlying Agreement” shall refer to the following: ___________________.
- “Unsecured Protected Health Information” shall have the same meaning as the term “Unsecured protected health information” in 45 C.F.R. § 164.402.
- “Use” shall have the same meaning as the term “Use” in 45 C.F.R. § 160.103.
- “Violation” or “Violate” shall have the same meaning as the terms “Violation” or “Violate” in 45 C.F.R. § 160.103.
All other terms not defined herein shall have the meanings assigned in HIPAA and its implementing regulations.
- Required Certification, Accreditation, and/or Licenses —
Vendor shall provide notarized copies of all valid licenses and certificates required for performance of the work. The notarized copies shall be delivered to the agency no later than ten days after Vendor receives the Notice of Intent to Award from the agency. Current notarized copies of licenses and certificates shall be provided to the agency within twenty-four hours of demand at any time during the contract term. Vendor must possess and maintain the minimum vendor certifications, accreditations, and/or licensures described in this SoQ, including, by way of illustration and not limitation, the following:
- Counselors must be Certified Tobacco Treatment Specialists and provide a copy of the validated active Certification.
- Financial Stability or Solvency —
Vendor must be financially stable or solvent, if required. Each vendor shall submit copies of the most recent year's independently audited financial statements as well as financial statements for the preceding three years, if they exist. The submission must include the audit opinion, the balance sheet, and statements of income, retained earnings, cash flows, and the notes to the financial statements. If independently audited financial statements do not exist, Vendor must state the reason and instead submit sufficient information to enable the Agency to assess the financial stability or solvency of the vendor, such as financial statements, credit ratings, a line of credit, or other financial arrangements sufficient to enable the vendor to be capable of meeting the requirements of this SoQ.
- III. Obligations and Activities of Business Associate —
- Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement and the Underlying Agreement(s), or as Required by Law.
- Business Associate agrees to utilize appropriate safeguards and comply, where applicable, with the HIPAA Privacy and Security Rules, to prevent Use or Disclosure of the PHI other than as permitted or provided for by this Agreement and shall: (i) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information and Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of MSDH; (ii) ensure that any subcontractor to whom Business Associate provides such information agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to MSDH any Security Incident of which Business Associate becomes aware.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the requirements of this Agreement and/or state or federal laws and regulations.
- Breaches and Security Incidents. During the term of this Agreement, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any actual or suspected Breach or Security Incident. Business Associate agrees to take the following steps:
Notice to MSDH. (1) To notify their MSDH Point-of-Contact, MSDH IT Security Officer and MSDH Privacy Officer without unreasonable delay, and no later than five (5) days after discovery, by telephone call and email or registered or certified mail upon the discovery of an actual or suspected Breach of Unsecured PHI in electronic media or in any other media. (2) To notify their MSDH Point-of-Contact, MSDH IT Security Officer and MSDH Privacy Officer without unreasonable delay, and no later than five (5) days after discovery, by telephone call and email or registered or certified mail of any actual or suspected Security Incident affecting this Agreement, including but not limited to an actual or suspected Security Incident that involves data provided to MSDH by the Social Security Administration. A Breach or Security Incident shall be treated as discovered by Business Associate as of the first day on which the Breach or Security Incident is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Breach or Security Incident) who is a workforce member, officer, or other agent of Business Associate.
The notification shall include, to the extent possible and subsequently as the information becomes available, a reasonably detailed description of the actual or suspected Breach or Security Incident, the identification of all Individuals whose Unsecured PHI is reasonably believed by Business Associate to have been affected by the Breach or Security Incident along with any other available information that is required to be included in the notification to the Individual, HHS and/or the media, all in accordance with the data breach notification requirements set forth in 42 U.S.C. § 17932 and 45 C.F.R. Parts 160 and 164, Subparts A, D, and E, or any other applicable notification requirements.
Upon discovery of an actual or suspected Breach or Security Incident, Business Associate shall take:
- Prompt corrective action to mitigate any risks or damages involved with the Breach or Security Incident and to protect the operating environment; and
- Any action pertaining to such unauthorized Disclosure required by applicable Federal and State laws and regulations.
Investigation. To immediately investigate any such actual or suspected Breach or Security Incident upon discovery in order to determine if the actual or suspected Breach or Security Incident is a Violation of any applicable federal or state laws or regulations, and to submit updated information by email or registered or certified mail, as it becomes available, to the MSDH IT Security Officer and MSDH Privacy Officer.
Complete Report. To provide a complete written report by email or registered or certified mail of the investigation to the MSDH IT Security Officer and MSDH Privacy Officer within ten (10) working days of the discovery of any actual or suspected Breach or Security Incident. The report shall include:
- the identification of each Individual whose PHI was or is believed to have been involved;
- a reasonably detailed description of the types of PHI involved; and
- a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain any suspected or actual Breach of security, intrusion or unauthorized Use or Disclosure.
If MSDH requests information in addition to that provided in the written report, Business Associate shall make reasonable efforts to provide MSDH with such information. If necessary, a supplemental report may be utilized to submit revised or additional information after the completed report is submitted.
Notification of Individuals. If the cause of an actual Breach of PHI is attributable to Business Associate or its subcontractors, agents or vendors, Business Associate shall notify each Individual of the Breach when notification is required under state or federal law and shall pay any costs of such notifications, as well as any costs associated with the Breach. The notifications shall comply with the requirements set forth in 42 U.S.C. § 17932 and its implementing regulations. The MSDH IT Security Officer and MSDH Privacy Officer shall approve the time, manner, and content of any such notifications and their review and approval must be obtained before the notifications are made.
Responsibility for Reporting of Breaches. If the cause of a Breach of PHI is attributable to Business Associate or its agents, subcontractors, or vendors, and Business Associate is a covered entity as defined under HIPAA and the HIPAA regulations, Business Associate is responsible for all required reporting of the Breach as specified in 42 U.S.C. § 17932 and its implementing regulations, including notification to media outlets and to the Secretary of the U.S. Department of Health and Human Services. If Business Associate has reason to believe that duplicate reporting of the same Breach or Security Incident may occur because its subcontractors, agents or vendors may report the Breach or Security Incident to MSDH in addition to Business Associate, Business Associate shall notify MSDH, and MSDH and Business Associate may take appropriate action to prevent duplicate reporting. The Breach reporting requirements of this paragraph are in addition to the reporting requirements set forth above.
- Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate with respect to such information, all in accordance with 45 C.F.R. §§ 164.308 and 164.502.
- Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of Business Associate agree to comply with the applicable requirements of the Security Rule and Privacy Rule by entering into a Business Associate Agreement, in accordance with 45 C.F.R. §§ 164.308, 164.314, 164.502, and 164.504, and Business Associate shall provide MSDH with a copy of all such executed agreements between Business Associate and Business Associate’s subcontractors. Business Associate understands that submission of their subcontractors’ Business Associate Agreement(s) to MSDH does not constitute MSDH approval of any kind, including of the utilization of such subcontractors or of the adequacy of such agreements.
- Business Associate agrees that nothing in this Agreement is meant to take the place of any HIPAA-mandated reporting duties that apply directly to the Business Associate as a covered entity under HIPAA and its implementing regulations.
- Business Associate agrees to provide access, at the request of MSDH, and in the time and manner designated by MSDH, to PHI in a Designated Record Set, to MSDH or, as directed by MSDH, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
- Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for MSDH to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate agrees to retain such documentation for at least six (6) years after the date of Disclosure; the provisions of this Section shall survive termination of this Agreement for any reason.
- Where applicable, Business Associate agrees to retain and securely store all data and documents falling under this Agreement and the Underlying Agreement(s) in accordance with HIPAA, the HITECH Act, and their implementing regulations.
- Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that MSDH directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of MSDH or an Individual, and in the time and manner designated by MSDH.
- Business Associate agrees to provide to MSDH or an Individual, in a time and manner designated by MSDH, information collected in accordance with Section (III) of this Agreement, to permit MSDH to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528.
- Business Associate agrees that it shall only Use or Disclose the minimum PHI necessary to perform functions, activities, or services for, or on behalf of, MSDH as specified in the Underlying Agreement(s). Business Associate agrees to comply with any guidance issued by the Secretary on what constitutes “minimum necessary” for purposes of the Privacy Rule, and any minimum necessary policies and procedures communicated to Business Associate by MSDH.
- Routine transmission of PHI by fax is not recommended. If information must be faxed, Business Associate agrees PHI shall be limited to those recipients who have a need to gain access to the information. The information to be faxed shall be limited to the “minimum necessary” to accomplish the proposed function. A cover sheet must be utilized which includes a required confidential statement prohibiting unlawful redisclosure. In the event a fax is received by an unintended recipient, Business Associate should obtain the recipient’s contact information, attempt to identify the misdirected document, and then contact MSDH Privacy Officer. Generally, Business Associate should instruct the recipient of the misdirected fax to await further instructions from the Business Associate. Recipients should not be told to throw away a misdirected fax. MSDH may instruct the recipient to return or destroy the document, depending on the facts.
- Business Associate agrees that to the extent that Business Associate carries out MSDH’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to MSDH in the performance of such obligation.
- Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, MSDH available to the Secretary for purposes of determining MSDH's compliance with the Privacy Rule.
- Business Associate agrees that nothing in this Agreement shall permit Business Associate to access, store, share, maintain, transmit or Use or Disclose PHI in any form via any medium with any third party, including Business Associate’s subcontractors, beyond the boundaries and jurisdiction of the United States without express written authorization from MSDH.
- Business Associate agrees that all MSDH data will be encrypted using industry standard algorithms, preferably AES256 or Triple DES and/or SSL/TLS 1.2+.
- Business Associate agrees to comply with the State of Mississippi ITS Enterprise Security Policy, which will be provided by MSDH upon request.
- Business Associate agrees to make an executive summary of its most recent information security audit available to MSDH upon request by MSDH.
- The provisions of the HITECH Act that apply to Business Associate and are required to be incorporated by reference in a business associate agreement are hereby incorporated into this Agreement, including, without limitation, 42 U.S.C. §§ 17935(b), (c), (d) and (e), and 17936(a) and (b), and their implementing regulations.
- 42 U.S.C. §§ 17931(b) and 17934(c), and their implementing regulations, each apply to Business Associate with respect to its status as a business associate to the extent set forth in each such section.
- Business Associate shall be responsible for, and shall reimburse MSDH for costs and expenses associated with steps reasonably implemented by MSDH to mitigate any Breach or other non‐permitted Use or Disclosure of PHI or medical, health or personal information protected by other federal or state law, including, without limitation, the following: data analysis to determine appropriate mitigation steps in the event of a Breach, including assistance from Business Associate in the investigation of the Breach and, as needed, access to Business Associate’s systems and records for purposes of Breach data analysis; preparation and mailing of notification(s) about the Breach to impacted Individuals, the media and regulators; costs associated with proper handling of inquiries from Individuals and other entities about the Breach (such as the establishment of toll‐free numbers, maintenance of call centers for intake, preparation of scripts, questions/answers, and other communicative information about the Breach); credit monitoring and account monitoring services for impacted Individuals for a reasonable period (which shall be no less than 12 months); other mitigation action steps required of MSDH by federal or state regulators; and other reasonable mitigation steps required by MSDH.
- Business Associate shall not, without written authorization from MSDH, perform marketing or fundraising on behalf of MSDH, or engage in the types of communications on behalf of MSDH that are excepted from the definition of “marketing” established at 45 C.F.R. §164.501. If MSDH requests and authorizes Business Associate to engage in these activities, Business Associate shall comply with the applicable provisions of the HITECH Act and the HIPAA Rules.
- Business Associate shall not directly or indirectly receive remuneration in exchange for an Individual's PHI unless it is pursuant to specific written authorization by the Individual or subject to an exception established in the HIPAA Rules.
- Without prior written approval from MSDH, Business Associate shall not publicly release any report, article, paper, graph, chart, or other product created, in whole or in part, using data provided or developed under this Agreement.
- Business Associate agrees to utilize reasonable measures (including training) to ensure compliance with the requirements of this Agreement by employees who assist in the performance of functions or activities under this Agreement and Use or Disclose MSDH data, and to discipline such employees who intentionally violate any provisions of this Agreement.
- IV. Permitted Uses and Disclosures by Business Associate —
- General Use and Disclosure Provisions: Subject to the terms of this Agreement, Business Associate may Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, MSDH as specified in the Underlying Agreement(s), provided that such Use or Disclosure would not Violate what is Required by Law or the Privacy Rule if done by MSDH, except for the specific Uses and Disclosures set forth below, for the purpose of performing the Underlying Agreement(s).
- Specific Use and Disclosure Provisions:
- Business Associate may Use PHI, if necessary, for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate under the Underlying Agreement(s) entered into between MSDH and Business Associate.
- Business Associate may Disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that Disclosures are Required by Law and the person to whom the PHI was Disclosed notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- If Business Associate must Disclose PHI pursuant to law or legal process, Business Associate shall notify MSDH by phone and in writing without unreasonable delay and at least five (5) days in advance of any Disclosure so that MSDH may take appropriate steps to address the Disclosure, if needed.
- In the event that Business Associate works for more than one covered entity, Business Associate may Use and Disclose PHI for Data Aggregation purposes, however, only in order to analyze data for permitted health care operations, and only to the extent that such is permitted under the Privacy Rule.
- Business Associate may Use and Disclose de‐identified health information if (a) the Use is communicated to MSDH and (b) the de‐identified health information meets the implementation specifications for de‐identification under the Privacy Rule.
- V. Obligations of MSDH —
- MSDH shall provide Business Associate with the Notice of Privacy Practices that MSDH produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such Notice of Privacy Practices, upon request.
- MSDH shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
- MSDH shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.
- MSDH shall notify Business Associate of any restriction to the Use or Disclosure of PHI that MSDH has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
- Permissible Requests by MSDH: MSDH shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by MSDH, except as provided for in Section (IV) of this Agreement.
- VI. Terms and Termination —
- Term. For any new Underlying Agreement(s) entered into between MSDH and Business Associate, the effective date of this Agreement is the effective date of the Underlying Agreement(s) entered into between MSDH and Business Associate. For any ongoing Underlying Agreement(s) entered into between MSDH and Business Associate, the effective date of this Agreement is the date first herein written. This Agreement shall terminate when all of the PHI provided by MSDH to Business Associate or created or received by Business Associate on behalf of MSDH, is destroyed or returned to MSDH, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section. Termination of this Agreement shall automatically terminate the Underlying Agreement(s).
- Termination for Cause. Upon MSDH's knowledge of a material Violation by Business Associate, MSDH shall, at its discretion, either:
- provide an opportunity for Business Associate to cure or end the Violation within a time specified by MSDH, after which MSDH may in its discretion terminate this Agreement and the Underlying Agreement(s) if Business Associate does not cure or end the Violation within the time specified by MSDH; or
- immediately terminate this Agreement and the associated Underlying Agreement(s) if Business Associate has broken a material term of this Agreement and cure is not possible.
- Effect of Termination.
- Upon termination of this Agreement and the Underlying Agreement(s) for any reason, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, MSDH in accordance with State and Federal retention guidelines. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
- In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to MSDH notification of the conditions that make return or destruction infeasible. Upon notification in writing that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- Reproductive Health Care Disclosure Prohibited: Business Associate shall not disclose or respond to any request or demand for PHI that is actually or potentially related to reproductive health care where the request or demand is for the purpose of health oversight activities, law enforcement activities, judicial or administrative proceedings, or disclosures to coroners and medical examiners. Business Associate agrees that it will not use, disclose, transmit, or otherwise provide PHI for the purpose(s) of a) identifying an individual, conducting a criminal, civil or administrative investigation about an individual, or imposing criminal, civil or administrative liability upon an individual, for the mere act of seeking, obtaining, providing or facilitating lawful reproductive health care services.
- Business Associate will require that any request or demand for PHI under this section be accompanied by a signed and valid attestation ensuring that the PHI sought is not for a prohibited purpose. Any request or demand for such PHI must be forwarded to the Department for review, together with the signed attestation from the requesting party.
- VII. Miscellaneous —
- Statutory and Regulatory References. A reference in this Agreement to a section in HIPAA, its implementing regulations, or other applicable law means the section as in effect or as amended, and for which compliance is required.
- Amendments/Changes in Law.
- General. Modifications or amendments to this Agreement may be made upon mutual agreement of the Parties, in writing signed by the Parties hereto and approved as required by law. No oral statement of any person shall modify or otherwise affect the terms, conditions, or specifications stated in this Agreement. Such modifications or amendments signed by the Parties shall be attached to and become part of this Agreement.
- Amendments as a Result of Changes in the Law. The Parties agree to take such action as is necessary to amend this Agreement as is necessary to effectively comply with any subsequent changes or clarifications of statutes, regulations, or rules related to this Agreement. The Parties further agree to take such action as is necessary to comply with the requirements of HIPAA, its implementing regulations, and other applicable law relating to the security and privacy of PHI.
- Procedure for Implementing Amendments as a Result of Changes in Law. In the event that there are subsequent changes or clarifications of statutes, regulations or rules relating to this Agreement, or the Parties’ compliance with the laws referenced in Section (VII)(b) of this Agreement necessitates an amendment, the requesting party shall notify the other party of any actions it reasonably deems are necessary to comply with such changes or to ensure compliance, and the Parties promptly shall take such actions. In the event that there shall be a change in the federal or state laws, rules or regulations, or any interpretation of any such law, rule, regulation, or general instructions which may render any of the material terms of this Agreement unlawful or unenforceable, or materially affects the financial arrangement contained in this Agreement, the Parties may, by providing advanced written notice, propose an amendment to this Agreement addressing such issues.
- Survival. The respective rights and obligations of Business Associate provided for in Sections (III)(j) and (VI)(c) of this Agreement shall survive the termination of this Agreement.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit MSDH to comply with HIPAA, its implementing regulations, and other applicable law relating to the security and privacy of PHI.
- Indemnification. To the fullest extent allowed by law, Business Associate shall indemnify, defend, save and hold harmless, protect, and exonerate MSDH, its employees, agents, and representatives, and the State of Mississippi from and against all claims, demands, liabilities, suits, actions, damages, losses, and costs of every kind and nature whatsoever including, without limitation, court costs, investigative fees and expenses, and attorney’s fees, arising out of or caused by Business Associate and/or its partners, principals, agents, and employees in the performance of or failure to perform this Agreement. In MSDH’s sole discretion, Business Associate may be allowed to control the defense of any such claim, suit, etc. In the event Business Associate defends said claim, suit, etc., Business Associate shall utilize legal counsel acceptable to MSDH. Business Associate shall be solely responsible for all costs and/or expenses associated with such defense, and MSDH shall be entitled to participate in said defense. Business Associate shall not settle any claim, suit, etc. without MSDH’s concurrence, which MSDH shall not unreasonably withhold.
MSDH’s liability, as an entity of the State of Mississippi, is determined and controlled in accordance with Mississippi Code Annotated § 11‐46‐1 et seq., including all defenses and exceptions contained therein. Nothing in this Agreement shall have the effect of changing or altering the liability or of eliminating any defense available to the State under statute.
- Disclaimer. MSDH makes no warranty or representation that compliance by Business Associate with this Agreement, HIPAA, its implementing regulations, or other applicable law will be adequate or satisfactory for Business Associate’s own purposes or that any information in Business Associate’s possession or control, or transmitted or received by Business Associate, is or will be secure from unauthorized Use or Disclosure. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.
- Notices. Any notice from one party to the other under this Agreement shall be in writing and may be either personally delivered, emailed, or sent by registered or certified mail in the United States Postal Service, Return Receipt Requested, postage prepaid, addressed to each party at the addresses which follow or to such other addresses provided for in this Agreement or as the Parties may hereinafter designate in writing:
MSDH: (Covered Entity)
Privacy Officer
Mississippi State Department of Health
570 East Woodrow Wilson
Suite O-150
P.O. Box 1700
Jackson, MS 39215
601-576-7874
IT Security Officer
Mississippi State Department of Health
570 East Woodrow Wilson
Suite O-450
P.O. Box 1700
Jackson, MS 39215
601-576-7821
Business Associate:
Name of Business: _____________
Attn: ________________________
Title: ________________________
Address: _____________________
Phone: ______________________
Email: _______________________
Any such notice shall be deemed to have been given as of the date transmitted.
- Severability. It is understood and agreed by the Parties hereto that if any part, term, or provision of this Agreement is by the courts or other judicial body held to be illegal or in conflict with any law of the State of Mississippi or any federal law, the validity of the remaining portions or provisions shall not be affected and the obligations of the parties shall be construed in full force as if this Agreement did not contain that particular part, term, or provision held to be invalid.
- Applicable Law. This Agreement shall be construed broadly to implement and comply with the requirements relating to HIPAA and its implementing regulations. All other aspects of this Agreement shall be governed by and construed in accordance with the laws of the State of Mississippi, excluding its conflicts of laws provisions, and any litigation with respect thereto shall be brought in the courts of the State. Business Associate shall comply with applicable federal, state, and local laws, regulations, policies, and procedures as now existing and as may be amended or modified. Where provisions of this Agreement differ from those mandated by such laws and regulations, but are nonetheless permitted by such laws and regulations, the provisions of this Agreement shall control.
- Non‐Assignment and Subcontracting. Business Associate shall not assign, subcontract, or otherwise transfer this Agreement, in whole or in part, without the prior written consent of MSDH. Any attempted assignment or transfer of its obligations without such consent shall be null and void. No such approval by MSDH of any subcontract shall be deemed in any way to provide for the incurrence of any obligation of MSDH in addition to the total compensation agreed upon in this Agreement. Subcontracts shall be subject to the terms and conditions of this Agreement and to any conditions of approval that MSDH may deem necessary. Subject to the foregoing, this Agreement shall be binding upon the respective successors and assigns of the parties. MSDH may assign its rights and obligations under this Agreement to any successor or affiliated entity.
- Entire Agreement. This Agreement contains the entire agreement between the Parties and supersedes all prior discussions, instructions, directions, understandings, negotiations, agreements, and services for like services.
- No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors, heirs, or permitted assigns, any rights, remedies, obligations, or liabilities whatsoever.
- Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and any workforce members, contractors, subcontractors, representatives, agents, affiliates, or subsidiaries assisting Business Associate in the fulfillment of its obligations under this Agreement, available to MSDH, at no cost to MSDH, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against MSDH, its directors, officers, or any other workforce member based upon claimed Violation of HIPAA, its implementing regulations, or other applicable law, except where Business Associate or its workforce members, contractors, subcontractors, representatives, agents, affiliates, or subsidiaries are a named adverse party.
[Signature Page Follows]
| Business Associate: | | | |
| __________________________________________ | | | |
| By: | _____________________________________ | By: | _____________________________________ |
| | (Authorized Signature) | | (Authorized Signature) |
| Print Name: | _______________________________ | Print Name: | ______________________________ |
| Title: | ____________________________________ | Title: | ____________________________________ |
| Address: | _________________________________ | Address: | _________________________________ |
| Phone Number: | ___________________________ | Phone Number: | ____________________________ |
| Date: | ___________________________________ | Date: | ____________________________________ |
| Mississippi State Department of Health | | | |
| By: | _____________________________________ | | |
| | (Authorized Signature) | | |
| Print Name: | _______________________________ | | |
| Title: | ___________________________________ | | |
| Address: | _________________________________ | | |
| Phone Number: | ___________________________ | | |
| Date: | ___________________________________ | | |
- Ability to Perform —
The vendor may be required before the award of any contract to show to the complete satisfaction of the agency that it has the necessary facilities, ability, and financial resources to provide the service specified therein in a satisfactory manner. The vendor may also be required to give a past history and references in order to satisfy the agency in regard to the vendor’s qualifications. The agency may make reasonable investigations deemed necessary and proper to determine the ability of the vendor to perform the work, and the vendor shall furnish to the agency all information for this purpose that may be requested. The agency reserves the right to reject any quote if the evidence submitted by, or investigation of, the vendor fails to satisfy the agency that the vendor is properly qualified to carry out the obligations of the contract and to complete the work described therein. Evaluation of the vendor’s qualifications shall include:
- the ability, capacity, skill, and financial resources to perform the work or provide the service required;
- the ability of the bidder to perform the work or provide the service promptly or within the time specified, without delay or interference;
- the character, integrity, reputation, judgment, experience, and efficiency of the vendor; and,
- the quality of performance of previous contracts or services.
- Insurance —
The Bidder shall ensure that the professional staff and other decision-making staff shall be required to carry professional liability insurance in an amount commensurate with the professional responsibilities and liabilities under the terms of this Solicitation.
The Bidder shall obtain, pay for and keep in force during the Contract period general liability insurance against bodily injury or death in an amount commensurate with the responsibilities and liabilities under the terms of this Solicitation.
- MAGIC Vendor ID Number (required) —
Please enter your MAGIC Vendor ID Number here.
- Licenses and Certifications (required) —
Provide notarized copies of all valid licenses and certificates required for performance of the work.
- Independently Audited Financial Statements (required) —
Submit copies of the most recent year's independently audited financial statements as well as financial statements for the preceding three years, if they exist.
- Conflicts of Interest
- Other Current MSDH Contracts (required) —
List all other current agreements/contracts with MSDH, including the dollar amount associated with the agreement/contract and the beginning and ending dates. If no other funds are received, please mark N/A.
Please provide each entry in the following format:
MSDH Program or Agreement/Contract Name #1
- Dollar Amount
- Contract Beginning Date
- Contract Ending Date
- Organization Governing Body (required) —
Please list the name of each member of your organization’s Board of Directors or other governing body (i.e., trustee, alderman, partner, owner).
- Governing Body or Project Staff Affiliations (required) —
Are any members of the governing body or project staff also MSDH employees, MSDH Board Members, or spouses, parents, or children of MSDH employees?
- Governing Body or Staff Affiliations - Explanation (required) —
You have indicated that one or more members of your governing body or project staff are also MSDH employees, MSDH Board Members, or spouses, parents, or children of MSDH employees.
Please provide the following for all such individuals:
- Name of Individual
- Indicate if individual is an MSDH Employee, MSDH Board Member, or relative type of MSDH employee.
- Applicable position held with MSDH
- Income From Business (required) —
Does the MSDH Board Member, Employee, or Relative receive more than $2,500.00 per year in income from the business?
- Ownership Status - Percentage (required) —
Does the MSDH Board Member, Employee, or Relative own ten (10%) percent or more of the fair market value in the business, either directly or indirectly through another business?
- Ownership Status - Amount (required) —
Does the MSDH Board Member, Employee, or Relative have ownership interest in the business, in which the fair market value exceeds $5,000.00?
- Position Within Business (required) —
Is the MSDH Board Member, Employee, or Relative a director, officer, or employee of the business?
- Conflict of Interest Certification (required) —
I hereby certify that the information set forth above is true and complete to the best of my knowledge and that no MSDH employee, spouse, parent, or child of an MSDH employee, serves as a member of the governing body, project staff, or has an ownership or pecuniary interest in the agreement/contract or organization. I agree to notify MSDH within thirty (30) days if any of these conditions change during the agreement/contract.
- Additional Information
- Debarment, Suspension, and Eligibility (required) —
The applicant certifies that they or any of its principals _____ presently debarred, suspended, proposed for debarment, or declared ineligible for award of federal or state contracts.
Select the answer which best fills in the blank for the applicant.
- Charges From A Government Agency (required) —
The applicant certifies that they or any of its principals _____ presently indicted for, or otherwise criminally or civilly charged by a government entity.
Select the answer which best fills in the blank for the applicant.
- Conviction or Acknowledgment of Fault (required) —
The applicant certifies that they or any of its principals _____ within the last five (5) years, been the subject of a federal or state criminal proceeding resulting in a conviction or other acknowledgment of fault, been the subject of a federal or state civil or administrative proceeding resulting in a finding of fault with a monetary fine, penalty, reimbursement, restitution, and/or damages greater than $5,000 or other acknowledgment of fault; convicted of or had a civil judgment rendered against them for commission of fraud or criminal offense in connection with obtaining, attempting to obtain, or performing a public (federal, state or local) contract or subcontract; violation of Federal or State antitrust statutes relating to the submission of offers; or commission of embezzlement, theft, forgery, bribery, falsification or destruction of records, making false statements or receiving stolen property.
Select the answer which best fills in the blank for the applicant.
- Contract Termination By Default (required) —
The applicant certifies that they or any of its principals _____ within the last three (3) years preceding this offer, had one or more contracts terminated for default by any federal agency.
Select the answer which best fills in the blank for the applicant.
- Felony Criminal Violations (required) —
The applicant certifies that they or any of its principals _____ within the last twenty-four (24) months, been convicted of a felony criminal violation under federal or state law.
Select the answer which best fills in the blank for the applicant.
- Financial Records (required) —
Does the applicant have a financial management system that provides records that can identify the source and award-supported activities and provides control and accountability of project funds, property, and other assets?
- Audit Status / Fiscal Responsibility (required) —
Does the applicant receive an annual audit in accordance with Uniform Guidance §200.514 (formerly A-133)?
- Most Recent Audit (required) —
What is the most recent fiscal year for which this audit was completed?
- Report Findings (required) —
Were there any audit findings in the most recent report?
If "Yes", please be sure to provide an explanation in the applicable upcoming question. Failure to provide an explanation may cause your submittal to be deemed non-responsive.
- Recent Audit Report (required) —
Please upload a copy of your most recent Uniform Guidance §200.514 (formerly A-133) Audit Report.
- Explanation or Other Information (required) —
Please provide any additional information around your Audit Status that you feel is necessary here. This includes an explanation regarding any audit findings in your most recent audit.
If you have nothing to add here, please state that you have no additional information to provide.
- No Annual Audit (required) —
You have stated that the applicant does not receive an annual audit in accordance with Uniform Guidance §200.514 (formerly A-133).
Please select the option which best fits the reason why.
- No Annual Audit - Other (required) —
If you selected "Other" in the previous question regarding why you do not receive an annual audit in accordance with Uniform Guidance §200.514 (formerly A-133), please specify here.
If your answer to the previous question was not "Other", please respond here with "N/A".
- W9 (required) —
Upload a copy of your current W9 here.
- SOQ Confirmation (required) —
Vendor confirms and acknowledges that they have read this SOQ in its entirety and fully understand all requirements. Submitting party further confirms that they are authorized on behalf of the vendor to submit such a quote.
- Confirmation required or bid will be disqualified (required) —
Any work performed prior to execution is done at the vendor’s own risk and may not be eligible for payment. MSDH reserves the right, in its sole discretion, to determine on a case-by-case basis whether payment is allowable based on the particular circumstances.
- Vendor Signatory Authority (required) —
If awarded a contract, who would sign on behalf of the company? Please list the full name and title of the individual signing.
EXAMPLE
Name, Title
- Electronic Pricing Table (required) —
Do you wish to use the electronic pricing table available within OpenGov?
- Period of Performance - Start (required) —
What is the estimated calendar date on which the period of performance for services obtained through this SOQ shall begin?
EXAMPLE:
July 1, 2025
- Period of Performance - End (required) —
What is the estimated calendar date on which the initial period of performance for services obtained through this SOQ shall end?
EXAMPLE:
December 31, 2025
- Minimum Qualifications? —
Are there minimum requirements or prerequisites for vendors submitting a quote for this SOQ?
If so, which of the following apply?
If there are no prerequisites or minimum requirements for this SOQ then you may skip this question.
- Number of Years (required) —
What is the minimum number of years of experience required by the vendor?
Your answer should be structured as if filling in the highlighted area below:
Contractor must have been in business and provided services similar in requirements and scale to those described in this SoQ for a minimum of ____ years.
- Independently Audited Financial Statements? (required) —
Will the vendor be required to submit Independently Audited Financial Statements as part of their submittal to this SOQ?
- Licenses and/or Certifications (required) —
Will the vendor be required to provide notarized copies of all valid licenses and/or certificates as part of their response to this SOQ? This does not include items required after the notice of intent to award.
- Federal Grant? (required) —
Is there any federal grant money being used with this procurement?
- Business Associate Agreement? (required) —
Will the business associate agreement be used?
- Funding Information
- Cost Center (required) —
Please specify the cost center information. Be sure to include the % of each cost center. If there are multiple cost centers, please separate each with a comma and be sure they add up to 100% or your posting will not be approved.
EXAMPLE 1
1301010707 100%
- Functional Area (required) —
Please specify the functional area information. Be sure to include the % of each functional area. If there are multiple functional areas, please separate each with a comma and be sure they add up to 100% or your posting will not be approved.
EXAMPLE 1
13010101000000DV 100%
- Internal Order (required) —
Please specify the internal order information. Be sure to include the % of each internal order. If there are multiple internal orders, please separate each with a comma and be sure they add up to 100% or your posting will not be approved.
EXAMPLE 1
30000035771 100%