Information Resources Use and Security Policy
26. Vendor Access
Vendors serve an important function in the support of hardware and software and in some cases even the operations of computer networks, servers, and/or applications.
26.1. Contracts must require that vendors comply with all applicable rules associated with this Policy, practice standards, and agreements, and must address all federal and state laws to which the university must adhere, so that the university remains in compliance with such laws.
26.2. The university shall control Vendor access to its Category-I data based on data sensitivity, confidentiality, and risk (as determined in accordance with Section 9 of this Policy) and by use of the following measures:
26.2.1. The Vendor shall represent, warrant, and certify it will:
26.2.1.1. Hold all Category-I Data in the strictest confidence;
26.2.1.2. Not release any Category-I Data concerning a university student unless Vendor obtains the university's prior written approval and performs such a release in full compliance with all applicable privacy laws, including FERPA;
26.2.1.3. Not otherwise use or disclose Category-I data except as required or permitted by law;
26.2.1.4. Safeguard Category-I data according to all commercially reasonable administrative, physical, and technical standards (for example, such standards established by the National Institute of Standards and Technology or the Center for Internet Security);
26.2.1.5. Continually monitor its operations and take any action necessary to assure the Category-I data is safeguarded in accordance with the terms of this Policy; and
26.2.1.6. Comply with the Vendor Access Requirements that are set forth in this section.
26.2.2. To the extent that the Category-I Data includes Protected Health Information as defined in 45 CFR sec. 164.501, if required by the university, Vendor shall execute a HIPAA Business Associate agreement in the form required by UT System.
26.2.3. The university shall require the following from the Vendor:
26.2.3.1. If an unauthorized use or disclosure of any Category-I data occurs, the Vendor must provide:
26.2.3.1.1. Written notice within one (1) business day after the Vendor's discovery of such use or disclosure; and
26.2.3.1.2. All information that the university requests concerning such unauthorized use or disclosure.
26.2.3.2. Within 30 days after the termination or expiration of a Purchase Order, Contract, or Agreement for any reason, Vendor shall either:
26.2.3.2.1. Return or destroy, as applicable, all Category-I data provided to the Vendor by the university, including all such data provided to the Vendor's employees, subcontractors, agents, or other affiliated persons or entities; or
26.2.3.2.2. In the event that returning or destroying the Category-I data is not feasible, provide notification of the conditions that make return or destruction infeasible, in which case, the Vendor must continue to protect all Category-I data that it retains and agree to limit further uses and disclosures of such Category-I data to those purposes that make the return or destruction infeasible as long as Vendor maintains such data.