Vermont DOC Contract Summary With Centurion 2018 - Amendment #2
Download original document:
Document text
Document text
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
"'IA l J<.. UJ< V1'.,.KlVIU1'11 LU1'11KAL1 ~UlVllVlAKl Al'llJ Ll'.,Kl1J<1LA11Ul'I - - - - - - - - - - - rorm AA-l'J U.L/1:."!/.LUl I ) Note: All sections must be completed. Incomplete forms will be returned to the orie:inatinl! department. I. CONTRACT INFORMATION: Agency/Department: AHS/Department of Corrections Contract #: 22960 Amendment#: 2 Vendor Name: Centurion ofVennont, LLC VISION Vendor No: 339936 Vendor Address: 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 9/15/2015 1/30/2020 Starting Date: Amendment Date: 1/31/2019 Ending Date: Summary of agreement or amendment: To extend tenn and increase fonding respecitvely. IL FINANCIAL & ACCOUNTING INFORMATION Maximum Payable: Prior Maximum: $1,345,145.09 Current Amendment: $150,720.89 Business Unit(s : 3520; Estimated ~ %GF %TF Funding Split: m. A. ; ] - [notes: B 31.33 % Cumulative Change: Cumulative amendments: $ 320,682.09 VISION Account(s): 507500; 8 %SF %GC C J % Other (name) % EF % FF PROCUREMENT & PERFORMANCE INFORMATION (section A & B) The agency has taken reasonable steps to control the price.of the contract and to allow qualified organizations Lo compete for thi:: work authorized by this contract. The agency has done this through: ~ Standard Bid/RFP B. Prior Contract# (If Renewal): $ 1,194,424.20 D 0 Simplified Sole Source D Qualification Based Selection D Statutory Contract includes performance measures/guarantees to ensure the quality and/or results of the service? ~ Yes D No IV. TYPE OF AGREEMENT (select all that apply) D Personal Service 0 Construction O Arch/Eng. ~ Non-Personal Service D Marketing ~ Info . Tech. ~ Prof. Service n n Commodity n Retiree/Former SOY EE O Financial Trans n Zero-Dollar Privatization Other SUITABILITY FOR CONTRACT FOR SERVICE Does this contract meet the determination of an Independent Contractor? If "NO", the 0Yes 0No On/a contractor must be set up and paid on payroll through the VTHR system. VI. CONTRACTING PLAN APPLICABLE Is any element of this contract subject to a pre-approved Agency/Dept. Contracting Waiver Plan? D Yes [8J No D V. VII. CONFLICT OF INTEREST By signing below, I (Agency/Dept. Head) certify that no person able to control or influence award of this contract had a pecuniary interest in its award or performance, either personally or through a member of his or her household, family, or business. Is there an "appearance" of a conflict or interest so that a reasonable person may conclude that this party was D Yes [8J No selected for improper reasons: (If yes, explain) VIII. PRIOR APPROVALS REQUIRED OR REQUESTED [8J Yes 0 No Agreement must be Certified by the Attorney General under 3 V.S.A. § 342 (sign line #4 below) [8J Yes 0 No (AAG initial) Attorney General review As To Fonn is required or requested: [8J Yes 0 No Agreement must be approved by the Secretary of ADS/CI0 [8J No Agreement must be approved by the CM0: for Marketing services over $25,000 □ Yes Yes [8J No Agreement must be approved by Comm. Human Resources: for Privatization, Retirees, former Employees, & ifa □ Contract fails the IRS test. No ~ Yes Agreement must be approved by the Secretary of Administration ,._, ___ _, h, ni,:,~~ l\1~~1. IX. AGENCY/DEPARTMENT HEAD CERTIFICATION; APPROVAL on 20'f'a= •10-o'g '1'3:4-1:06 GMT I have made reasonable inquiry as to the accuracy of the above information (sign in order) : e-Signed by Martha Maksym on 2018-10-09 13:49:16 GMT ---.....__ ~ 'Jiff#• I-Date r--- ~o 1-Ae:encv/Deoartment Head 2-Date 2-Ae:encv Secretary (if required) e-Slgned by John Q uinn " A.:2 ~ n_na '>n -,;: 1 •.11 8..GM:r 3a-Date 9.R'1'J7r a.IYate / Ja-cu:if / , 3b-Datr- )16-.CMO 3c-Date ~ ¢ 7 . /_~" ,,,, . ~ 4-Attol'ney Gener.aJ./" / ,dY_ _, 5-Date Jc-Commissioner DHR e-Signed by Bradley Ferland on 2018-10-11 18:15:06 GMT 5-Secretary of Administration / e-Signed by Peter Kipp on 2018-10-09 14:30:49 GMT e-Signed by Candace Elmquist on 2018-10-10 12:14:18 GMT Page 1 of 8 Contract #29960 Amendment #2 STATE OF VERMONT CONTRACT FOR SERVICES AMENDMENT It is agreed by and between the State of Vermont, Department of Corrections (hereafter called "State") and Centurion of Vermont with a principal place of business in 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 (hereafter called "Contractor") that contract #29960 dated 10/22/15 between said State and Contractor is hereby amended as follows: To change Page 1, 3. Maximum Amount, from $1,194,424.20 to $1 ,345,145.09. To change Page 1, 4. Contract Term, from end on 1/31/19 to end on 1/31/20. To replace existing Attachment E with new Attachment E, revised July 7, 2017. Except as modified by this above amendment, and any and all previous amendments to this contract, all provisions of this contract #29960 .dated 10/22/15 shall remain unchanged and in full force and effect. The effective date of this amendment is 1/31/19. WE, THE UNDERSIGNED PARTIES, AGREE TO BE BOUND BY THE TERMS OF THIS CONTRACT AS AMENDED. STATE OF VERMONT AGENCY OF HUMAN SERVICES DEPARTMENT OF CORRECTIONS C NTRACT -===c,= Signed ~;er-, Lisa Menard, Commissioner Date: /J.vjl <I 11 ' Robert Laros Date: It 'II /2J' ? I H- u,.,,be&lec)-C6 o (Please PRINT Signature) Date: }O/.£J.5[eQ ()J ~ Address: 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 STATE OF VERMONT CONTRACT FOR SERVICES Page 2 of 8 Contract #29960 Amendment #2 ATTACHMENT E BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ("AGREEMENT") IS ENTERED INTO BY AND BETWEEN THE STATE OF VERMONT AGENCY OF HUMAN SERVICES, OPERA TING BY AND THROUGH ITS AGENCY OF HUMAN SERVICES, DEPARTMENT OF CORRECTIONS ("COVERED ENTITY") AND CENTURION OF VERMONT, LLC ("BUSINESS ASSOCIATE") AS OF 10/22/15 ("EFFECTIVE DATE"). THIS AGREEMENT SUPPLEMENTS AND IS MADE A PART OF THE CONTRACT/GRANT TO WHICH IT IS ATTACHED. Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIP AA"), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 ("Privacy Rule"), and the Security Standards, at 45 CFR Parts 160 and 164 ("Security Rule"), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations. The parties agree as follows: 1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations. "Agent" means those person(s) who are agents(s) of the Business Associate, in accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c). "Breach" means the acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164.402. "Business Associate shall have the meaning given in 45 CFR § 160.103. "Individual" includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). "Protected Health Information" or PHI shall have the meaning given in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Agency. "Security Incident" means any known successful or unsuccessful attempt by an authorized or unauthorized individual to inappropriately use, disclose, modify, access, or destroy any information or interference with system operations in an information system. "Services" includes all work performed by the Business Associate for or on behalf of Covered Entity that requires the use and/or disclosure of protected health information to perform a business associate function described in 45 CFR § 160.103 under the definition of Business Associate. "Subcontractor" means a person or organization to whom a Business Associate delegates a function, activity or service, other than in the capacity of a member of the workforce of the Business Associate. For purposes of this Agreement, the term Subcontractor includes Subgrantees. 2. Identification and Disclosure of Privacy and Security Offices. Business Associate and Subcontractors shall provide, within ten (10) days of the execution of this agreement, written notice to the Covered Entity's Page 3 of 8 Contract #29960 Amendment #2 contract/grant manager the names and contact information of both the HIPAA Privacy Officer and HIPAA Security Officer. This information must be updated any time either of these contacts changes. STATE OF VERMONT CONTRACT FOR SERVICES 3. Permitted and Required Uses/Disclosures of PHI. 3 .1 Except as limited in this Agreement, Business Associate may use or disclose PHI to perform Services, as specified in the underlying grant or contract with Covered Entity. The uses and disclosures of Business Associate are limited to the minimum necessary, to complete the tasks or to provide the services associated with the terms of the underlying agreement. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if used or disclosed by Covered Entity in that manner. Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. 3 .2 Business Associate may make PHI available to its employees who need access to perform Services provided that Business Associate makes such employees aware of the use and disclosure restrictions in this Agreement and binds them to comply with such restrictions. Business Associate may only disclose PHI for the purposes authorized by this Agreement: (a) to its agents and Subcontractors in accordance with Sections 9 and 18 or, (b) as otherwise permitted by Section·3. 3.3 Business Associate shall be directly liable under HIP AA for impermissible uses and disclosures of the PHI it handles on behalf of Covered Entity, and for impermissible uses and disclosures, by Business Associate's Subcontractor(s), of the PHI that Business Associate handles on behalf of Covered Entity and that it passes on to Subcontractors. 4. Business Activities. Business Associate may use PHI received in its capacity as a Business Associate to Covered Entity if necessary for Business Associate' s proper management and administration or to carry out its legal responsibilities. Business Associate may disclose PHI received in its capacity as Business Associate to Covered Entity for Business Associate's proper management and administration or to carry out its legal responsibilities if a disclosure is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement from the person to whom the information is to be disclosed that the PHI shall remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the Agreement requires the person or entity to notify Business Associate, within two (2) business days (who in turn will notify Covered Entity within two (2) business days after receiving notice of a Breach as specified in Section 6.1 ), in writing of any Breach of Unsecured PHI of which it is aware. Uses and disclosures of PHI for the purposes identified in Section 3 must be of the minimum amount of PHI necessary to accomplish such purposes. 5. Safeguards. Business Associate, its Agent(s) and Subcontractor(s) shall implement and use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to any PHI that is maintained in or transmitted by electronic media, Business Associate or its Subcontractor(s) shall comply with 45 CFR sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements). Business Associate or its Agent(s) and Subcontractor(s) shall identify in writing upon request from Covered Entity all of the safeguards that it uses to prevent impermissible uses or disclosures of PHI. 6. Documenting and Reporting Breaches. 6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such STATE OF VERMONT CONTRACT FOR SERVICES Page 4 of 8 Contract #29960 Amendment #2 Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. 6.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions. 6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not necessitate notice to the impacted individual(s), it shall document its assessment ofrisk, conducted as set forth in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised. When a breach is the responsibility of a member of its Subcontractor's workforce, Business Associate shall either 1) conduct. its own risk assessment and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment and draft a summary of the event. In either case, Business Associate shall make these assessments and reports available to Covered Entity. 6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days after becomes aware of the Breach. 7. Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible use or disclosure of PHI, even if the impermissible use or disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible use or disclosure of PHI. If requested by Covered Entity, Business Associate shall make its mitigation and corrective action plans available to Covered Entity. Business Associate shall require a Subcontractor to agree to these same terms and conditions. 8. Providing Notice of Breaches. 8.1 If Covered Entity determines that an impermissible acquisition, access, use or disclosure of PHI for which one of Business Associate' s employees or agents was responsible constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity, Business Associate shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When requested to provide notice, Business Associate shall consult with Covered Entity about the timeliness, content and method of notice, and shall receive Covered Entity's approval concerning these elements. The cost of notice and related remedies shall be borne by Business Associate. 8.2 If Covered Entity or Business Associate determines that an impermissible acquisition, access, use or disclosure of PHI by a Subcontractor of Business Associate constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity or Business Associate, Subcontractor shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When Covered Entity requests that Business Page 5 of 8 Contract #29960 Amendment #2 Associate or its Subcontractor provide notice, Business Associate shall either 1) consult with Covered Entity about the specifics of the notice as set forth in section 8.1, above, or 2) require, by contract, its Subcontractor to consult with Covered Entity about the specifics of the notice as set forth in section 8 .1 STATE OF VERMONT CONTRACT FOR SERVICES 8.3 The notice to affected individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Business Associate reported the Breach to Covered Entity. 8.4 The notice to affected individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHi that were involved in the Breach, 3) any steps individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to individuals and to protect against further Breaches, and 5) contact procedures for individuals to ask questions or obtain additional information., as set forth in 45 CFR § 164.404(c). 8.5 Business Associate shall notify individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following the requirements set forth in 45 CFR § 164.406. 9. Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in which the Subcontractor agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. Business Associate must enter into this Business Associate Agreement before any use by or disclosure of PHI to such agent. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of PHI. Business Associate shall provide a copy of the Business Associate Agreement it enters into with a subcontractor to Covered Entity upon request. Business associate may not make any disclosure of PHI to any Subcontractor without prior written consent of Covered Entity. 10. Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Business Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any request for access to PHI that Business Associate directly receives from an Individual. 11. Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or an Individual. Business Associate shall make such amendments in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any request for amendment to PHI that Business Associate directly receives from an Individual. 12. Accounting of Disclosures. Business Associate shall document disclosures of PHI and all information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall provide such information to Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond to an accounting request. Business Associate shall provide such information in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any accounting request that Business Associate directly receives from an Individual. STATE OF VERMONT CONTRACT FOR SERVICES Page 6 of 8 Contract #29960 Amendment #2 13. Books and Records. Subject to the attorney-client and other applicable legal privileges, Business Associate shall make its internal practices, books, and records (including policies and procedures and PHI) relating to the use and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity available to the Secretary of HHS in the time and manner designated by the Secretary. Business Associate shall make the same information available to Covered Entity, upon Covered Entity's request, in the time and manner reasonably designated by Covered Entity so that Covered Entity may determine whether Business Associate is in compliance with this Agreement. 14. Termination. 14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by Covered Entity or until all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity subject to Section 19.8. 14.2 If Business Associate breaches any material term of this Agreement, Covered Entity may either: (a) provide an opportunity for Business Associate to cure the breach and Covered Entity may terminate the contract or grant without liability or penalty if Business Associate does not cure the breach within the time specified by Covered Entity; or (b) immediately terminate the contract or grant without liability or penalty if Covered Entity believes that cure is not reasonably possible; or (c) if neither termination nor cure are feasible, Covered Entity shall report the breach to the Secretary. Covered Entity has the right to seek to cure any breach by Business Associate and this right, regardless of whether Covered Entity cures such breach, does not lessen any right or remedy available to Covered Entity at law, in equity, or under the contract or grant, nor does it lessen Business Associate's responsibility for such breach or its duty to cure such breach. 15. Return/Destruction of PHI. 15 .1 Business Associate in connection with the expiration or termination of the contract or grant shall return or destroy, at the discretion of the Covered Entity, all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity pursuant to this contract or grant that Business Associate still maintains in any form or medium (including electronic) within thirty (30) days after such expiration or termination. Business Associate shall not retain any copies of the PHI. Business Associate shall certify in writing for Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate does not continue to maintain any PHI. Business Associate is to provide this certification during this thirty (30) day period. 15.2 Business Associate shall provide to Covered Entity notification of any conditions that Business Associate believes make the return or destruction of PHI infeasible. If Covered Entity agrees that return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI. This shall also apply to all Agents and Subcontractors of Business Associate. 16. Penalties. Business Associate understands that: (a) there may be civil or criminal penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure organizations. 17. Training. Business Associate understands that it is its obligation to comply with the law and shall provide appropriate training and education to ensure compliance with this Agreement. If requested by Covered Entity, Page 7 of 8 Contract #29960 Amendment #2 Busine~s Associate shall participate in AHS training regarding the use, confidentiality, and security of PHI, however, participation in such training shall not supplant nor relieve Business Associate of its obligations under this Agreement to independently assure compliance with the law and this Agreement. STATE OF VERMONT CONTRACT FOR SERVICES 18. Security Rule Obligations. The following provisions of this section apply to the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Covered Entity. 18.1 Business Associate shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall identify in writing upon request from Covered Entity all of the safeguards that it uses to protect such Electronic PHI. 18.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon request. Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity. 18.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Business Associate or an Agent or Subcontractor). Business Associate shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case later than two (2) business days after it becomes aware of the incident. Business Associate shall provide Covered Entity with the information necessary for Covered Entity to investigate any such Security Incident. 18.4 Business Associate shall comply with any reasonable policies and procedures Covered Entity implements to obtain compliance under the Security Rule. 19. Miscellaneous. 19 .1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the contract/grant, the terms of this Agreement shall govern with respect to its subject matter. Otherwise, the terms of the contract/grant continue in effect. 19.2 Business Associate shall cooperate with Covered Entity to amend this Agreement from time to time as is necessary for Covered Entity to comply with the Privacy Rule, the Security Rule, or any other standards promulgated under HIP AA. 19.3 Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule, Security Rule, or any other standards promulgated under HIP AA. 19 .4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIP AA, the Privacy Rule and Security Rule, and the HIP AA omnibus final rule) in construing the meaning and effect of this Agreement. STATE OF VERMONT CONTRACT FOR SERVICES Page 8 of 8 Contract #29960 Amendment #2 19.5 As between Business Associate and Covered Entity, Covered Entity owns all PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity. 19 .6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI it receives from Covered Entity or creates or receives on behalf of Covered Entity even if some of that information relates to specific services for which Business Associate may not be a "Business Associate" of Covered Entity under the Privacy Rule. 19.7 Business Associate is prohibited from directly or indirectly receiving any remuneration in exchange for an individual's PHI. Business Associate will refrain from marketing activities that would violate HIP AA, including specifically Section 13406 of the HITECH Act. Reports or data containing the PHI may not be sold without Agency's or the affected individual's written consent. 19.8 The provisions of this Agreement that by their terms encompass continuing rights or responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the provisions of this Agreement shall continue to apply if Covered Entity determines that it would be infeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Business Associate to provide an accounting of disclosures as set forth in Section 12 survives the expiration or termination of this Agreement with respect to accounting requests, if any, made after such expiration or termination. Rev: 7/7/17