Authority/Reference(s): HHS Circular
Revision Date: July 1, 2015

DFPS must comply with state and federal requirements regarding the protection of confidential information. By incorporating the HHS Data Use Agreement (DUA) and the Information Security and Privacy Initial Inquiry (SPI) into DFPS contracts, contractors are accountable for having processes in place to ensure the protection of confidential information. Unless exempt, this requirement applies to all contracts that contain confidential information, including:

  • Client services and administrative contracts;
  • Interagency and Interlocal agreements; and
  • Memoranda of Understanding (MOUs).

DUA Exemptions:

HHSC-PCS provides a list of goods and services that are exempt from the DUA on its Procurement and Contracting Services page.

When submitting a procurement request for a service that is exempt from DUA requirements, DFPS must include comments indicating that the service is exempt.

Monitoring Requirements:

Contracts that contain confidential information and are required to be monitored, as determined by the Risk Assessment Instrument, must include monitoring for compliance with information security and privacy requirements. Staff must document the review of information security and privacy controls during monitoring activities. This requirement also applies to contracts that contain confidential information but are exempt from the DUA.