h. Ensure Authorized Users have appropriate role-based access to the Data Platform and the Data
<br /> that complies with the Minimum Necessary Standard under HIPAA.
<br /> i. Implement and maintain written policies and procedures that address: (1) identification and
<br /> authorization of Authorized Users; (2) audit controls and periodic reviews to ensure all access and
<br /> use occurs by Authorized Users for Permitted Purposes only; (3) notification to Authorized Users
<br /> of any changes in the Data Platform, the Data, or the policies and processes through which they
<br /> are accessed or used; (4) notification to N3CN of any violation of this Agreement, including any
<br /> unauthorized access to or use of the Data Platform or any unauthorized access, use, storage,
<br /> maintenance, or transfer of the Data; and (5) protection against malware and other mechanisms,
<br /> both tangible and intangible, designed to disrupt, destroy, damage, or delay the operation of the
<br /> Data Platform or the Data.
<br /> j. Follow all N3CN and State-issued policies and procedures related to accessing, using, storing,
<br /> maintaining, transferring, monitoring, and auditing State-owned data and Data within the Data
<br /> Platform. This obligation includes communicating to N3CN and working with N3CN to resolve any
<br /> suspected violations of those policies and procedures including any suspected breaches of PHI,
<br /> IIHI, or PII.
<br /> k. Report to N3CN monthly or as requested the results of all periodic audits and reviews to ensure
<br /> all access to and use of the Data Platform and the Data are by Authorized Users for Permitted
<br /> Purposes according to Applicable Law. Participant must perform audits and reviews at least
<br /> monthly.
<br /> l. Cooperate fully with N3CN, the State, and any regulatory or credentialing authority in any
<br /> investigation or audit by making available all personnel, and all books, records, and related
<br /> information created or maintained in connection with Participant's access and use of the Data
<br /> Platform or access, use, storage, maintenance, or transfer of Data.
<br /> m. Notify N3CN as soon as practical after first becoming aware of a Data Breach. In the case of a
<br /> breach involving social security numbers, Participant must notify N3CN within sixty minutes of
<br /> becoming aware of the breach. This timeline is a State requirement for all entities accessing and
<br /> using State-owned data. For confirmed breaches of PHI, notification must be made to N3CN
<br /> within twenty-four hours. This timeline also is a State requirement for entities accessing and using
<br /> State-owned data. The notification will include, to the extent available:
<br /> i. A brief description of what happened, including the date of the Data Breach and the date
<br /> of discovery of the Data Breach;
<br /> ii. The identification of each Individual whose Data has been, or is reasonably believed to have
<br /> been, accessed, acquired, used, or Disclosed;
<br /> iii. A description of the roles of the people involved in the Data Breach (e.g., employees,
<br /> Authorized Users, service providers, unauthorized persons, etc.);
<br /> iv. A description of the types of Data involved in the Data Breach (whether full name, Social
<br /> Security number, date of birth, home address, account number, diagnosis, disability code,
<br /> or other types of Identifiable information);
<br /> v. The number of Individuals or records impacted/estimated to be impacted by the Data
<br /> Breach;
<br /> Page 8 of 21
<br />
|