Orange County NC Website
Browse       Search
DocuSign Envelope ID:46BCB3EE-5A8D-41 CE-B703-D32F5BCA1053 <br /> NC-DSS Contract- Subcontract Addendum 1.0 <br /> Due to the sensitivity of the data exchanged between invested parties,the following Data Privacy and <br /> Security Language will serve as an addendum to the Contract between [Name of Contractor] and its <br /> subcontractors for the 2017-2018 federal fiscal year. <br /> DATA PRIVACY AND SECURITY <br /> The Contractor certifies that it shall adopt and apply data security standards and procedures that comply <br /> with all applicable federal,,state, and local laws, regulations, and rules. Such standards and procedures <br /> include, but are not Iimited to access to systems and data; transmission and storage of data; access to, <br /> disclosure, sharing and confidentiality of client records; use, retention and disposal of data; and reporting <br /> of security incidents and breaches. <br /> The Contractor agrees to maintain compliance with the following: <br /> NC DHHS Privacy Manual and Security Manual,both located online at <br /> https://www2.ncdhhs.gov/info/olm/manuals/dhs/pol-80/rnan/ <br /> NC Statewide Information Security Manual, located online at <br /> https://it.nc.gov/doclunent/statewide-information-security-manua l <br /> CONFIDENDIALITY <br /> Any information, data, instruments, documents, studies or reports given to or prepared or assembled by <br /> the Contractor under this agreement shall be kept as confidential and not divulged or made available to <br /> any individual or organization without the prior written approval of the division. The contractor <br /> acknowledges that in receiving, storing, processing or otherwise dealing with any confidential <br /> information it will safeguard and not further disclose the information except as otherwise provided in this <br /> contract. <br /> The Contactor shall report a suspected or confirmed security breach to the state Division of Social <br /> Services, or local Department of Social Services/Human Services Contract Administrator, as appropriate <br /> to this contract,within twenty-four(24)hours after the breach is first discovered,provided that the <br /> Contractor shall report a breach involving Social Security Administration data or Internal Revenue <br /> Service data within one(1)hour after the breach is first discovered. If any applicable federal, state,or <br /> local law, regulation, or rule requires the Contractor to give written notice of a security breach to affected <br /> persons,the Contractor shall bear the cost of the notice. During the performance of this contract,the <br /> contractor agrees to notify the Contract Administrator of any contact by the federal Office for Civil Rights <br /> (OCR) received by the contractor. <br /> HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) <br /> The Contractor agrees that, if the Division determines that some or all of the activities within the scope of <br /> this contract are subject to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-91, <br /> as amended("HIPAA"), or its implementing regulations, it will comply with the HIPAA requirements <br /> and will execute such agreements and practices as the Division may require to ensure compliance. <br /> Continuous Monitoring <br /> For contracts involving procurement of cloud-hosted solutions or off-site hosting services, Contractor will <br /> maintain compliance with the State CISO's mandate for a Continuous Monitoring Process. Contractor <br /> must work with the Division to implement a risk management program that continuously monitors risk <br /> through assessments, risk analysis and data inventory. The requirements are based on NIST 800-37, <br />