Bidders to provide comprehensive language access services to support MSDH across public Health programs.

Project Information

Bid Title
Bidders to provide comprehensive language access services to support MSDH across public Health programs.
Issuing Agency
State Government of Mississippi
Location
Mississippi
Published Date
Jun 10, 2026
Closing Date
Jul 1, 2026
Government Level
State & Local
Status
Closed
Ref. #
1301-26-R-IFBD-00071
Original Source
Join to Access Full Details
Project Description

Procurement Details

Smart Number 1301-26-R-IFBD-00071 Advertised Date 06/10/2026 10:00 AM
RFx # 3160008084 Submission Date 07/01/2026 2:00 PM
RFx Status Open Major Procurement Category PERSONNEL SERVICES NON-IT
RFx Opening Date 07/01/2026 2:00 PM Sub Procurement Category PERSONNEL SERVICE - NON-TECHNOLOGY
RFx Type Invitation for Bid
Agency MS DEPT OF HEALTH
RFx Description Bidders to provide comprehensive language access services to support MSDH across public Health programs.

Contact Information
Name Patricia Slack Email PATRICIA.SLACK@MSDH.MS.GOV
Phone 6013593225 Fax

RFx Items
PRODUCT CATEGORY PRODUCT DESCRIPTION
96146 Serv MiscNo1InterFrn

Awarded
VENDOR NAME VENDOR NUMBER AWARD DATE AWARD AMOUNT FUNDING SOURCE

Bid Attachments
Attachments
BAA
Attachments
CL ad
Attachments
IFB

Attachment Preview
MISSISSIPPI STATE DEPARTMENT OF HEALTH
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement is entered into by and between the Mississippi State Department of
Health (“MSDH”) the Covered Entity and
(“Business Associate”), hereinafter referred to as the Parties, and modifies any other prior existing
agreement or contract for this purpose. In consideration of the mutual promises below and the exchange
of information pursuant to this Agreement and in order to comply with all legal requirements for the
protection of this information, the Parties therefore agree as follows:
I. RECITALS
a.
MSDH is a state agency with a principal place of business at 570 East Woodrow Wilson,
Jackson, MS 39215
b. Business Associate is a corporation qualified to do business in Mississippi that will act to
perform business services for MSDH with a principal place of business at
.
c.
This Business Associate Agreement (“Agreement”) is entered into pursuant to the Health
Insurance Portability and Accountability Act (“HIPAA”) of 1996, as amended by the Genetic
Information Nondiscrimination Act (“GINA”) of 2008 and the Health Information Technology
for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A,
and Title IV of Division B of the American Recovery and Reinvestment Act (“ARRA”) of 2009,
and its implementing regulations, including, but not necessarily limited to, 45 C.F.R. Part 160, and
45 C.F.R. Part 164 Subparts A and C (“Security Rule”), and 45 C.F.R. Part 160 Subparts A and E
(“Privacy Rule”). These statutes and regulations are hereinafter collectively referred to as HIPAA.
MSDH, as a covered entity, is required to enter into this Agreement to obtain satisfactory
assurances that Business Associate will comply with and appropriately safeguard all Protected
Health Information (“PHI”) Used, Disclosed, created, or received by Business Associate on behalf
of MSDH. Certain provisions of HIPAA and its implementing regulations apply to Business
Associate in the same manner as they apply to MSDH, and such provisions must be incorporated
into this Agreement.
d. MSDH desires to engage Business Associate to perform certain functions for, or on behalf of,
MSDH involving the Disclosure of PHI by MSDH to Business Associate, or the creation or Use of
PHI by Business Associate on behalf of MSDH, and Business Associate desires to perform such
functions, as set forth in the Underlying Agreement(s) which involve the exchange of information,
and wholly incorporated herein.
II. DEFINITIONS
a. “Breach” shall mean the acquisition, access, Use or Disclosure of PHI in a manner not
permitted by the Privacy Rule which compromises the security or privacy of the PHI,
and subject to the exceptions set forth in 45 C.F.R. § 164.402.
b. “Business Associate” shall mean
,
including all workforce members, representatives, agents, successors, heirs, and permitted
assigns.
MSDH BAA
Page 1 of 14
Form 1063
Rev. February 2026
c. “Covered Entity” shall mean the Mississippi State Department of Health, an agency of the State
of Mississippi.
d. “Data Aggregation” shall have the same meaning as the term “Data aggregation” in 45 C.F.R.
§164.501.
e.
“Designated Record Set” shall have the same meaning as the term “Designated Record Set” in
45 C.F.R. §164.501.
f.
“Disclosure” shall have the same meaning as the term “Disclosure” in 45 C.F.R. § 160.103.
g. “MSDH” shall mean the Mississippi State Department of Health, an agency of the State of
Mississippi.
h. “Individual” shall have the same meaning as the term “Individual” in 45 C.F.R. § 160.103 and
shall include a person who qualifies as a personal representative in accordance with 45
C.F.R. § 164.502(g).
i.
“Privacy Officer” shall mean the person designated by MSDH to oversee its implementation of
and compliance with HIPAA.
j.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health
Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.
k. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected
health information” in 45 C.F.R. § 160.103, limited to the information created or received by
Business Associate from or on behalf of MSDH.
l.
“Qualified Service Organization” shall have the same meaning as defined in 42 CFR § 2.11.
m. “Required by Law” shall have the same meaning as the term “Required by law” in 45 C.F.R.
§ 164.103.
n. “Secretary” shall mean the Secretary of the Department of Health and Human Services or
his/her designee
o. “Security Incident” shall have the same meaning as the term “Security incident” in 45 C.F.R.
§164.304.
p. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected
Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and C.
q. “Standard” shall have the same meaning as the term “Standard” in 45 C.F.R. § 160.103.
r.
“Underlying Agreement” shall mean any applicable Memorandum of Understanding (“MOU”),
agreement, contract, or any other similar device, and any proposal or Request for Proposal
(“RFP”) related thereto and agreed upon between the Parties, entered into between MSDH and
Business Associate. Under this Business Associate Agreement, “Underlying Agreement” shall.
refer to the following:
MSDH BAA
Page 2 of 14
Form 1063
Rev. February 2026
s. “Unsecured Protected Health Information” shall have the same meaning as the term
“Unsecured protected health information” in 45 C.F.R. § 164.402.
t.
“Use” shall have the same meaning as the term “Use” in 45 C.F.R. § 160.103
u. “Violation” or “Violate” shall have the same meaning as the terms “Violation” or “Violate” in 45
C.F.R. § 160.103.
All other terms not defined herein shall have the meanings assigned in HIPAA and its implementing
regulations.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
a.
Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this
Agreement and the Underlying Agreement(s), or as Required by Law.
b.
Business Associate agrees to utilize appropriate safeguards and comply, where applicable,
with the HIPAA Privacy and Security Rules, to prevent Use or Disclosure of the PHI other
than as permitted or provided for by this Agreement and shall: (i) implement administrative,
physical, and technical safeguards that reasonably and appropriately protect the
confidentiality, integrity, and availability of Protected Health Information and Electronic
Protected Health Information that Business Associate creates, receives, maintains, or transmits
on behalf of MSDH; (ii) ensure that any subcontractor to whom Business Associate provides
such information agrees to implement reasonable and appropriate safeguards to protect it; and
(iii) report to MSDH any Security Incident of which Business Associate becomes aware.
c.
Business Associate shall implement and maintain a comprehensive written information
security program that:
- Is aligned with NIST SP 800-53 Rev. 5 Moderate baseline controls, including but not limited
to the Access Control (AC), Identification and Authentication (IA), Audit and Accountability
(AU), System and Communications Protection (SC), Risk Assessment (RA), and Incident
Response (IR) control families.
- Incorporates administrative, technical, and physical safeguards consistent with HIPAA, the
HITECH Act, and Zero Trust Architecture principles.
- Is reviewed at least annually and updated based on risk assessments, emerging threats, and
regulatory changes.
d. Business Associate shall implement and enforce the Principle of Least Privilege, ensuring
that workforce members, systems, applications, and automated processes are granted only the
minimum access necessary to perform authorized functions.
- Access rights shall be:
o Approved through documented authorization procedures
o Reviewed at least quarterly
o Immediately revoked upon termination or role change
o Technically enforced through centralized access control mechanisms.
e.
Business Associate shall implement:
MSDH BAA
Page 3 of 14
Form 1063
Rev. February 2026
- Role-Based Access Control (RBAC) to ensure access to PHI is provisioned
based on defined job roles and responsibilities.
- Attribute-Based Access Control (ABAC) or equivalent dynamic access controls
where appropriate, incorporating contextual attributes such as:
o User Role
o Device trust level
o Geographic location
o Time of access
o Risk score or authentication strength
- Access decisions shall be centrally managed and logged.
f.
Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known
to Business Associate of a Use or Disclosure of PHI by Business Associate in Violation of the
requirements of this Agreement and/or state or federal laws and regulations.
g. Breaches and Security Incidents. During the term of this Agreement, Business Associate
agrees to implement reasonable systems for the discovery and prompt reporting of any actual or
suspected Breach or Security Incident. Business Associate agrees to take the following steps:
Notice to MSDH. (1) To notify their MSDH Point-of-Contact, MSDH IT Security Officer and
MSDH Privacy Officer without unreasonable delay, and no later than five (5) days after
discovery, by telephone call and email or registered or certified mail upon the discovery of
an actual or suspected Breach of Unsecured PHI in electronic media or in any other media. (2)
To notify their MSDH Point-of-Contact, MSDH IT Security Officer and MSDH Privacy Officer
without unreasonable delay, and no later than five (5) days after discovery, by telephone
call and email or registered or certified mail of any actual or suspected Security Incident
affecting this Agreement, including but not limited to an actual or suspected Security Incident
that involves data provided to MSDH by the Social Security Administration. A Breach or
Security Incident shall be treated as discovered by Business Associate as of the first day on
which the Breach or Security Incident is known, or by exercising reasonable diligence would
have been known, to any person (other than the person committing the Breach or Security
Incident) who is a workforce member, officer, or other agent of Business Associate.
The notification shall include, to the extent possible and subsequently as the information becomes
available, a reasonably detailed description of the actual or suspected Breach or Security Incident,
the identification of all Individuals whose Unsecured PHI is reasonably believed by Business
Associate to have been affected by the Breach or Security Incident along with any other available
information that is required to be included in the notification to the Individual, HHS and/or the
media, all in accordance with the data breach notification requirements set forth in 42 U.S.C. §
17932 and 45 C.F.R. Parts 160 and 164, Subparts A, D, and E, or any other applicable notification
requirements.
Upon discovery of an actual or suspected Breach or Security Incident, Business Associate shall
take:
- Prompt corrective action to mitigate any risks or damages involved with the Breach or
Security Incident and to protect the operating environment; and
MSDH BAA
- Any action pertaining to such unauthorized Disclosure required by applicable Federal
and State laws and regulations.
Page 4 of 14
Form 1063
Rev. February 2026
Investigation. To immediately investigate any such actual or suspected Breach or Security
Incident upon discovery in order to determine if the actual or suspected Breach or Security
Incident is a Violation of any applicable federal or state laws or regulations, and to submit
updated information by email or registered or certified mail, as it becomes available, to the
MSDH IT Security Officer and MSDH Privacy Officer.
Complete Report. To provide a complete written report by email or registered or certified mail of
the investigation to the MSDH IT Security Officer and MSDH Privacy Officer within ten (10)
working days of the discovery of any actual or suspected Breach or Security Incident. The report
shall include:
- the identification of each Individual whose PHI was or is believed to have been
involved;
- a reasonably detailed description of the types of PHI involved; and
- a full, detailed corrective action plan, including information on measures that were
taken to halt and/or contain any suspected or actual Breach of security, intrusion or
unauthorized Use or Disclosure.
If MSDH requests information in addition to that provided in the written report, Business
Associate shall make reasonable efforts to provide MSDH with such information. If necessary, a
supplemental report may be utilized to submit revised or additional information after the
completed report is submitted.
Notification of Individuals. If the cause of an actual Breach of PHI is attributable to Business
Associate or its subcontractors, agents or vendors, Business Associate shall notify each Individual
of the Breach when notification is required under state or federal law and shall pay any costs of
such notifications, as well as any costs associated with the Breach. The notifications shall comply
with the requirements set forth in 42 U.S.C. § 17932 and its implementing regulations. The
MSDH IT Security Officer and MSDH Privacy Officer shall approve the time, manner, and
content of any such notifications and their review and approval must be obtained before the
notifications are made.
Responsibility for Reporting of Breaches. If the cause of a Breach of PHI is attributable to
Business Associate or its agents, subcontractors, or vendors, and Business Associate is a covered
entity as defined under HIPAA and the HIPAA regulations, Business Associate is responsible for
all required reporting of the Breach as specified in 42 U.S.C. § 17932 and its implementing
regulations, including notification to media outlets and to the Secretary of the U.S. Department of
Health and Human Services. If Business Associate has reason to believe that duplicate reporting
of the same Breach or Security Incident may occur because its subcontractors, agents or vendors
may report the Breach or Security Incident to MSDH in addition to Business Associate, Business
Associate shall notify MSDH, and MSDH and Business Associate may take appropriate action to
prevent duplicate reporting. The Breach reporting requirements of this paragraph are in addition to
the reporting requirements set forth above.
h.
Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or
transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions
that apply to the Business Associate with respect to such information, all in accordance with 45
C.F.R. §§ 164.308 and 164.502.
i.
If Business Associate stores, processes, or transmits MSDH data in cloud environments:
MSDH BAA
Page 5 of 14
Form 1063
Rev. February 2026
Commodity Codes
  • NAICS 541512Computer Systems Design Services
  • NAICS 541611Administrative Management and General Management Consulting Services
  • NAICS 541990All Other Professional, Scientific, and Technical Services
* Disclaimer: Government BidHub provides information on bids, RFPs (Requests for Proposals), and RFQs (Requests for Qualifications) solely for convenience and informational purposes. This site is not an official public notice board. For official details, responses, or inquiries, please contact the relevant government agency directly.

Government Bids

Empower Your Bidding Strategy

Unlock Government BidHub's unparalleled access to high-quality, tailored bid information.

  • Access an extensive database of bids, including comprehensive local and state opportunities.
  • Receive customized alerts for the bids that matter most to your business.
  • Explore detailed specifications to ensure precise and competitive submissions.
  • Gain a competitive edge with up-to-date information and exclusive opportunities.

See Also

PERSONNEL SERVICES NON-IT

Procurement Details Smart Number 1301-26-R-IFBD-00074 Advertised Date 06/30/2026 10:30 AM RFx # 3160008132

State Government of Mississippi

Bid Due: 7/27/2026

Contractor to provide occupat...

Procurement Details Smart Number 3374-26-R-RFIN-00016 Advertised Date 06/30/2026 12:00 AM RFx # 3150006898

State Government of Mississippi

Bid Due: 7/16/2026