The URL can be used to link to this page

Home My WebLink AboutAgreement A-20-262 with DHCS - Participation.pdfState of California—Health and Human Services Agency Department of Health Care Services Medi-Cal County Inmate Program (MCIP) Participation Agreement 20-MCIPFRESNO-10 [Page 1 of 9] DHCS 07/01/2020 County Name: County of Fresno ARTICLE I – STATEMENT OF INTENT The purpose of this Participation Agreement (PA) between the Department of Health Care Services (DHCS) and the County of Fresno (County) is to permit the County to voluntarily participate in the Medi-Cal County Inmate Program (MCIP). ARTICLE II - AUTHORITY This PA is authorized by Welfare and Institutions Code sections 14053.7, 14053.8, and Penal Code section 5072. ARTICLE III – TERM AND TERMINATION OF THE AGREEMENT 1.This PA is effective on July 1, 2020 (date). 2.This PA will remain in effect until terminated by either party pursuant to and in accordance with the requirements and conditions set forth in this PA. 3.Termination Without Cause: Either party may terminate this PA without cause, and terminate the participation of the County in MCIP by issuing at least a 30 day prior written notification to the other party of the intent to terminate. Notice of termination shall result in the County’s immediate withdrawal from MCIP on the termination date and exclusion from further participation in MCIP unless and until such time as the County’s participation is reinstated by DHCS in MCIP. The County shall remain obligated to pay for the non-federal share of all MCIP services provided to the County. 4.Termination With Cause: If the County fails to comply with any of the terms of this PA, DHCS may terminate this PA for cause effective immediately by providing written notice to the County’s representative listed below. Furthermore, DHCS may terminate this PA for cause if DHCS determines that the County does not meet the requirements for participation in MCIP, the County has not submitted a valid reimbursement claim, or that the County is unable to certify that the claims are eligible for federal funds. Termination for cause will result in the County’s immediate withdrawal and exclusion from further participation in the MCIP. Agreement No. 20-262 Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 2 of 9] DHCS 07/01/2020 The conviction of an employee, subcontractor, or authorized agent of the County, or of an employee or authorized agent of a subcontractor, of any felony or of a misdemeanor involving fraud, abuse of any Medi-Cal applicant or beneficiary, or abuse of the Medi-Cal Program, shall result in the exclusion of that employee, agent, or subco ntractor, or employee or agent of a subcontractor, from participation in MCIP. Failure of the County to exclude a convicted individual from participation in MCIP shall constitute a breach of this agreement for which DHCS may terminate this PA. DHCS may terminate this PA in the event that DHCS determines that the County, or any employee or contractor working with the County has violated the laws, regulations or rules governing MCIP. In cases where DHCS determines in its sole discretion that the health and welfare of Medi-Cal beneficiaries or the public is jeopardized by continuation of this PA, this PA shall be terminated effective the date that DHCS made such determination. After termination of the PA, any overpayment must be returned to DHCS pursuant to Welfare and Institutions Code sections 14176 and 14177. Finally, this PA will terminate automatically upon the termination of the County’s MCIP Administrative Service Agreement. ARTICLE IV – PROJECT REPRESENTATIVES David Pomaville Director, Department of Public Health P.O. Box 11867 Fresno, CA 93775 Telephone: (559) 600-6439 E-Mail: dpomaville@fresnocounty.ca.gov Captain Stephen McComas Jail Programs and Services Bureau 1125 M. Street Fresno, CA 93721 Shelly Taunk, Chief County-Based Claiming and Inmate Services Section Telephone: (916) 345-7934 Fax: (916) 324-0738 E-Mail: Shelly.Taunk@dhcs.ca.gov Direct all inquiries and notices to: Inmates Medi-Cal Claiming Unit Local Governmental Financing Division 1501 Capitol Ave., MS 4603 P.O. Box 997436 Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 3 of 9] DHCS 07/01/2020 Sacramento, CA 95899-7436 Telephone: (916) 345-7895 E-Mail: DHCSIMCU@dhcs.ca.gov Any notice, request, demand or other communication required or permitted hereunder, shall be deemed to be properly given when delivered to the project representatives identified above. ARTICLE V – PAYMENT TERMS AND INVOICING 1.The County shall compensate DHCS for the County’s apportioned share of the nonfederal share of MCIP services listed in Article VII, as required by Welfare and Institutions Code sections 14053.7 and 14053.8, Government Code sections 26605.6, 26605.7, and 26605.8, and Penal Code 5072 within 60 days of receipt of an invoice from DHCS, which specifies both the total federally claimable cost and the nonfederal share of the total cost, for payments DHCS has made to providers. The DHCS invoice shall not contain and the County shall not compensate DHCS for MCIP services provided by Medi-Cal providers where the County incurs the cost of providing MCIP services and claims them through the CPE process as outlined specifically for Designated Public Hospitals (DPHs). The County shall not reimburse DHCS for the nonfederal share of services as Certified Public Expenditures (CPEs) of DPHs. 2.DHCS shall submit to the County a quarterly invoice for MCIP services that identifies the nonfederal share amount, and a report that contains information regarding paid claims data for the quarter, including information identifying the provider of services and the beneficiary, the recipient aid code, and amount of reimbursement, and other information that may be agreed to between the parties. If after comparing its owed nonfederal share to payments actually made, the County has overpaid DHCS, and the amount is undisputed DHCS shall refund the overpayment to the County within 180 days of receipt of an invoice containing the same information from the County. This refund may be made by offsetting the amount against the County’s next quarterly payment due to DHCS. 3.DPHs, in MCIP participating counties may submit claims and follow the CPE process which includes a pricing methodology established on an annual basis. These DPHs are paid using Federal Financial Participation (FFP) only. ARTICLE VI – COUNTY RESPONSIBILITIES 1.Except as provided in subdivision (f.) of this section, the County is responsible for reimbursing DHCS for the nonfederal share of MCIP services paid by DHCS. a.The County may pay a Medi-Cal provider to the extent required by or otherwise permitted by state and federal law to arrange for services for Medi-Cal beneficiaries. Such additional amounts shall be paid entirely with county funds, and shall not be eligible for Social Security Act Title XIX FFP. Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 4 of 9] DHCS 07/01/2020 b.If DHCS pays the Medi-Cal provider more than what the County would have paid for services rendered, the County cannot request and receive the difference from the Medi- Cal provider. c.If the County would have paid the Medi-Cal provider less than what DHCS paid the Medi-Cal provider, the County is still obligated to reimburse DHCS for the nonfederal share of DHCS’ payment for the MCIP services. d.In the event that FFP is not available for any MCIP service claimed pursuant to this PA, the County shall be solely responsible for arranging and paying for the MCIP service. e.If the Centers for Medicare & Medicaid Services (CMS) determines an overpayment has occurred including the application of any federal payment limit that reduces the amount of FFP available then DHCS shall seek the overpayment amount from the provider, return the collected FFP to CMS, and return the collected nonfederal share to the County. In the event that DHCS cannot recover the overpayment from the Medi-Cal provider, the County shall pay DHCS an amount equal to the FFP portion of the unrecovered amount to the extent that Section 1903(d)(2)(D) of the Social Security Act is found not to apply. f.The County is not responsible for reimbursing DHCS for the nonfederal share of expenditures for MCIP services provided by DPHs when those services are reimbursed under the CPE process because DHCS is not responsible for the nonfederal share of expenditures for MCIP services reimbursed in the CPE process. 2.If CMS determines DHCS claimed a higher Federal Medical Assistance Percentage (FMAP) rate than is allowed and FFP is reduced by CMS then the County shall hold DHCS harmless for the return of the FFP to CMS. 3.Upon the County’s compliance with all applicable provisions in this PA and applicable laws, the County may send its MCIP-eligible beneficiaries to Medi-Cal providers to receive MCIP services. 4.The County understands and agrees that the overall nature of the medical facilities in which an inmate receives medical services must be one of community interaction such that members of the general public may be admitted to receive services and admission into the medical facility or into specific beds within the facility is not limited to individuals under the responsibility of a correctional facility, and that inmates are admitted to specific medical units based not on their statutes as inmates of a correctional institution, but rather on their treatment needs and plan of care. 5.Ensure that an appropriate audit trail exists within records and accounting system and maintain expenditure data as indicated in this PA. 6.The County agrees to provide to DHCS or any federal or state department with monitoring or reviewing authority, access and the right to examine its applicable records and Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 5 of 9] DHCS 07/01/2020 documents for compliance with relevant federal and state statutes, rules and regulations, and this PA. 7.In the event of any federal deferral or disallowance applicable to MCIP expenditures, the County shall provide all documents requested by DHCS within 14 days. 8.The County shall assist with the completion and delivery of completed Medi-Cal applications to the County Welfare Department within 90 days after the date of admission of the beneficiary to a Medi-Cal provider off of the grounds of the County correctional facility resulting in an expected stay of more than 24 hours. 9.As a condition of participation in MCIP, and in recognition of revenue generated by MCIP, the County shall pay quarterly administrative costs directly to DHCS. a.The quarterly administrative costs payment shall be used to cover DHCS’ administrative costs associated with MCIP, including, but not limited to, claims processing, technical assistance, and monitoring. DHCS shall determine and report staffing requirements upon which projected costs will be based. b.The amount of the administrative costs shall be based upon the anticipated state salaries, benefits, operating expenses, and equipm ent necessary to administer MCIP and other costs related to that process. c.The County shall enter in to a separate agreement with DHCS to reimburse DHCS for the administrative costs of administering MCIP. ARTICLE VII – DHCS RESPONSIBILITIES 1.DHCS shall pay the appropriate Medi-Cal fee-for-service rate to Medi-Cal providers that directly bill DHCS for MCIP services rendered to the County’s MCIP eligible beneficiaries and seek FFP for these service claims. DHCS shall be responsible to pay such Medi-Cal providers only to the extent the County commits to reimburse DHCS for the nonfederal share of all federally reimbursable MCIP claims and for which FFP is available and obtained by DHCS for the MCIP service claims. 2.DHCS shall maintain accounting records to a level of detail which identifies the actual expenditures incurred for MCIP services, the services provided, the county responsible, the specific MCIP-eligible beneficiary treated, the MCIP-eligible beneficiaries aid code, and the specific provider billing. 3.DHCS shall submit claims in a timely manner to CMS to draw down FFP and shall distribute FFP for all eligible claims. 4.DHCS shall: a.Ensure that an appropriate audit trail exists within records and accounting system and maintain expenditure data as indicated in this PA. Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 6 of 9] DHCS 07/01/2020 b.Designate a person to act as liaison with the County concerning issues arising under this PA. This person shall be identified to the County’s contact person for this PA. c.Provide a written response by email or mail to the County’s contact person within 30 days of receiving a written request for information related to MCIP. d.With each quarterly administrative cost invoice, provide a paid claim analysis report to the County regarding MCIP claims submitted by providers for the County’s MCIP - eligible beneficiaries. This analysis shall be used to determine the amount of the non- federal share that the County is obligated to pay under this PA. 5.Should the services to be performed under this PA conflict with DHCS’ responsibilities under federal Medicaid law, those responsibilities shall take precedence. 6.DHCS’ cessation of any activities due to federal Medicaid responsibilities does not relinquish the obligation of the County to reimburse DHCS for MCIP services incurred by DHCS in connection with this PA for periods in which the County participated in MCIP. 7.DHCS agrees to provide to the County, or any federal or state department with monitoring or reviewing authority, access and the right to examine its applicable records and documents for compliance with relevant federal and state statutes, rules and regulations, and this PA. ARTICLE VIII – FISCAL PROVISIONS 1.DHCS will invoice the County quarterly at the address above. Each invoice shall include the agreement number and supporting documentation for the previous quarter’s paid claims. 2.Counties are required to sign and submit the MCIP Certification and Hold Harmless by an authorized county representative to DHCS annually to ensure the County is providing efficient oversight of federal expenditures. ARTICLE IX – BUDGET CONTIGENCY CLAUSE 1.It is mutually agreed that if the State Budget Act of the current State Fiscal Year (SFY) and any subsequent SFYs covered under this PA does not provide sufficient funds for MCIP, this PA shall be of no further force and effect. In this event, the DHCS shall have no liability to pay any funds whatsoever to the County or to furnish any other considerations under the PA and the County shall not be obligated to perform any provisions of this PA. 2.If funding for any SFY is reduced or deleted by the State Budget Act for purposes of MCIP, DHCS shall have the option to either cancel this PA, with no liability occurring to DHCS, or offer an agreement amendment to the County to reflect the reduced amount. ARTICLE X – LIMITATION OF STATE LIABILITY Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 7 of 9] DHCS 07/01/2020 1.In the event of a federal audit disallowance, the County shall cooperate with DHCS in replying to and complying with any federal audit exception related to MCIP. The County shall assume sole financial responsibility for any and all federal audit disallowances related to the rendering of services under this PA. The County shall assume sole financial responsibility for any and all penalties and interest charged as a result of a federal audit disallowance related to the rendering of services under this PA. The amount of th e federal audit disallowance, plus interest and penalties shall be payable on demand from DHCS. 2.To the extent that a federal audit disallowance and interest results from a claim or claims for which the Medi-Cal provider has received reimbursement for MCIP services under this PA, DHCS shall recoup from the Medi-Cal provider, upon written notice of 60 days after the completion of an audit or other examination that results in the discovery of an overpayment per Welfare and Institutions Code section14172.5), amounts equal to the amount of the disallowance and interest in that state fiscal year for the disallowed claim, less the amounts already remitted to or recovered by DHCS. ARTICLE XI – AMENDMENT 1.This PA and any exhibits attached hereto, along with the MCIP Administrative Agreement shall constitute the entire agreement among the parties regarding MCIP and supersedes any prior or contemporaneous understanding or agreement with respect to MCIP and may be amended only by a written amendment to this PA. 2.Changes to the project representatives may be made via written communication including email by either party and shall not constitute a formal amendment to the PA. ARTICLE XII – GENERAL PROVISIONS 1.None of the provisions of this PA are or shall be construed as for the benefit of, or enforceable by any person not a party to this PA. 2.The interpretation and performance of this PA shall be governed by the State of California. The venue shall lie only in counties in which the California Attorney General maintains an office. DHCS and the County shall maintain and preserve all records relating to this PA for a period of three years from DHCS’ receipt of the last payment of FFP or until three years after all audit findings are resolved, whichever is later. This does not limit any responsibilities held by DHCS or the County provided for elsewhere in this PA, or in state or federal law. ARTICLE XIII – INDEMNIFICATION It is agreed that the County shall defend, hold harmless, and indemnify DHCS, its officers, employees, and agents from any and all claims liability, loss or expense (including reasonable attorney fees) for injuries or damage to any person or property which arise out of the terms and Medi-Cal County Inmate Program Participation Agreement 20-MCIP FRESNO-10 County: Fresno [Page 8 of 9] DHCS 07/01/2020 conditions of this PA and the negligent and intentional acts or omissions of the County, its officers, employees, or agents. ARTICLE XIV – AVOIDANCE OF CONFLICTS OF INTEREST The County is subject to compliance with the Medi-Cal Conflict of Interest Law, as applicable and set forth in Welfare and Institutions Code section 14022, and Article 1.1 (commencing with Welfare and Institutions Code section 14047), and implemented pursuant to 22 California Code of Regulations, section 51466. ARTICLE XV – CONFIDENTIALITY The County shall comply with the applicable confidentiality requirements as specified in Section 1902(a)(7) of the Social Security Act; 42 Code of Federal Regulations, part 431.300; Welfare and Institutions Code section 14100.2; and 22 California Code of Regulations, section 51009; and, the Business Associates Agreement hereby incorporated by reference. THIS SPACE INTENTIONALLY LEFT BLANK County of Fresno 20-MCIPFRESNO-10 Page 1 of 6 DHCS HIPAA BAA 11/19/19 Exhibit X Business Associate Addendum 1.This Agreement has been determined to constitute a business associate relationship under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing privacy and security regulations at 45 Code of Federal Regulations, Parts 160 and 164 (collectively, and as used in this Agreement) 2.The term “Agreement” as used in this document refers to and includes both this Business Associate Addendum and the contract to which this Business Associate Agreement is attached as an exhibit, if any. 3.For purposes of this Agreement, the term “Business Associate” shall have the same meaning as set forth in 45 CFR section 160.103. 4.The Department of Health Care Services (DHCS) intends that Business Associate may create, receive, maintain, transmit or aggregate certain information pursuant to the terms of this Agreement , some of which information may constitute Protected Health Information (PHI) and/or confidential information protected by Federal and/or state laws. 4.1 As used in this Agreement and unless otherwise stated, the term “PHI” refers to and includes both “PHI” as defined at 45 CFR section 160.103 and Personal Information (PI) as defined in the Information Practices Act at California Civil Code section 1798.3(a). PHI includes information in any form, including paper, oral, and electronic. 4.2 As used in this Agreement, the term “confidential information” refers to information not otherwise defined as PHI in Section 4.1 of this Agreement, but to which state and/or federal privacy and/or security protections apply. 5.Contractor (however named elsewhere in this Agreement) is the Business Associate of DHCS acting on DHCS's behalf and provides services or arranges, performs or assists in the performance of functions or activities on behalf of DHCS, and may create, receive, maintain, transmit, aggregate, use or disclose PHI (collectively, “use or disclose PHI”) in order to fulfill Business Associate’s obligations under this Agreement. DHCS and Business Associate are each a party to this Agreement and are collectively referred to as the "parties.” 6.The terms used in this Agreement, but not otherwise defined, shall have the same meanings as those terms in HIPAA. Any reference to statutory or regulatory language shall be to such language as in effect or as amended. 7.Permitted Uses and Disclosures of PHI by Business Associate. Except as otherwise indicated in this Agreement, Business Associate may use or disclose PHI only to perform functions, activities or services specified in this Agreement on behalf of DHCS, provided that such use or disclosure would not violate HIPAA if done by DHCS. 7.1 Specific Use and Disclosure Provisions. Except as otherwise indicated in this Agreement, Business Associate may use and disclose PHI if necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose PHI for this purpose if the disclosure is required by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware that the confidentiality of the information has been breached. 8.Compliance with Other Applicable Law County of Fresno 20-MCIPFRESNO-10 Page 2 of 6 DHCS HIPAA BAA 11/19/19 8.1 To the extent that other state and/or federal laws provide additional, stricter and/or more protective (collectively, more protective) privacy and/or security protections to PHI or other confidential information covered under this Agreement beyond those provided through HIPAA, Business Associate agrees: 8.1.1 To comply with the more protective of the privacy and security standards set forth in applicable state or federal laws to the extent such standards provide a greater degree of protection and security than HIPAA or are otherwise more favorable to the individuals whose information is concerned; and 8.1.2 To treat any violation of such additional and/or more protective standards as a breach or security incident, as appropriate, pursuant to Section 18. of this Agreement. 8.2 Examples of laws that provide additional and/or stricter privacy protections to certain types of PHI and/or confidential information, as defined in Section 4. of this Agreement, include, but are not limited to the Information Practices Act, California Civil Code sections 1798-1798.78, Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2, Welfare and Institutions Code section 5328, and California Health and Safety Code section 11845.5. 8.3 If Business Associate is a Qualified Service Organization (QSO) as defined in 42 CFR section 2.11, Business Associate agrees to be bound by and comply with subdivisions (2)(i) and (2)(ii) under the definition of QSO in 42 CFR section 2.11. 9. Additional Responsibilities of Business Associate 9.1 Nondisclosure. Business Associate shall not use or disclose PHI or other confidential information other than as permitted or required by this Agreement or as required by law. 9.2 Safeguards and Security. 9.2.1 Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by this Agreement. Such safeguards shall be, at a minimum, at Federal Information Processing Standards (FIPS) Publication 199 protection levels. 9.2.2 Business Associate shall, at a minimum, utilize an industry-recognized security framework when selecting and implementing its security controls, and shall maintain continuous compliance with its selected framework as it may be updated from time to time. Examples of industry-recognized security frameworks include but are not limited to 9.2.2.1 NIST SP 800-53 – National Institute of Standards and Technology Special Publication 800-53 9.2.2.2 FedRAMP – Federal Risk and Authorization Management Program 9.2.2.3 PCI – PCI Security Standards Council 9.2.2.4 ISO/ESC 27002 – International Organization for Standardization / International Electrotechnical Commission standard 27002 9.2.2.5 IRS PUB 1075 – Internal Revenue Service Publication 1075 9.2.2.6 HITRUST CSF – HITRUST Common Security Framework 9.2.3 Business Associate shall maintain, at a minimum, industry standards for transmission and storage of PHI and other confidential information. County of Fresno 20-MCIPFRESNO-10 Page 3 of 6 DHCS HIPAA BAA 11/19/19 9.2.4 Business Associate shall apply security patches and upgrades, and keep virus software up-to- date, on all systems on which PHI and other confidential information may be used. 9.2.5 Business Associate shall ensure that all members of its workforce with access to PHI and/or other confidential information sign a confidentiality statement prior to access to such data. The statement must be renewed annually. 9.2.6 Business Associate shall identify the security official who is responsible for the development and implementation of the policies and procedures required by 45 CFR Part 164, Subpart C. 9.3 Business Associate’s Agent. Business Associate shall ensure that any agents, subcontractors, subawardees, vendors or others (collectively, “agents”) that use or disclose PHI and/or confidential information on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI and/or confidential information. 10. Mitigation of Harmful Effects. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI and other confidential information in violation of the requirements of this Agreement. 11. Access to PHI. Business Associate shall make PHI available in accordance with 45 CFR section 164.524. 12. Amendment of PHI. Business Associate shall make PHI available for amendment and incorporate any amendments to protected health information in accordance with 45 CFR section 164.526. 13. Accounting for Disclosures. Business Associate shall make available the information required to provide an accounting of disclosures in accordance with 45 CFR section 164.528. 14. Compliance with DHCS Obligations. To the extent Business Associate is to carry out an obligation of DHCS under 45 CFR Part 164, Subpart E, comply with the requirements of the subpart that apply to DHCS in the performance of such obligation. 15. Access to Practices, Books and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI on behalf of DHCS available to DHCS upon reasonable request, and to the federal Secretary of Health and Human Services for purposes of determining DHCS’ compliance with 45 CFR Part 164, Subpart E. 16. Return or Destroy PHI on Termination; Survival. At termination of this Agreement, if feasible, Business Associate shall return or destroy all PHI and other confidential information received from, or created or received by Business Associate on behalf of, DHCS that Business Associate still maintains in any form and retain no copies of such information. If return or destruction is not feasible, Business Associate shall notify DHCS of the conditions that make the return or destruction infeasible, and DHCS and Business Associate shall determine the terms and conditions under which Business Associate may retain the PHI. If such return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. 17. Special Provision for SSA Data. If Business Associate receives data from or on behalf of DHCS that was verified by or provided by the Social Security Administration (SSA data) and is subject to an agreement between DHCS and SSA, Business Associate shall provide, upon request by DHCS, a list of all employees and agents and employees who have access to such data, including employees and agents of its agents, to DHCS. 18. Breaches and Security Incidents. Business Associate shall implement reasonable systems for the discovery and prompt reporting of any breach or security incident, and take the following steps: 18.1 Notice to DHCS. County of Fresno 20-MCIPFRESNO-10 Page 4 of 6 DHCS HIPAA BAA 11/19/19 18.1.1 Business Associate shall notify DHCS immediately upon the discovery of a suspected breach or security incident that involves SSA data. This notification will be provided by email upon discovery of the breach. If Business Associate is unable to provide notification by email, then Business Associate shall provide notice by telephone to DHCS. 18.1.2 Business Associate shall notify DHCS within 24 hours by email (or by telephone if Business Associate is unable to email DHCS) of the discovery of: 18.1.2.1 Unsecured PHI if the PHI is reasonably believed to have been accessed or acquired by an unauthorized person; 18.1.2.2 Any suspected security incident which risks unauthorized access to PHI and/or other confidential information; 18.1.2.3 Any intrusion or unauthorized access, use or disclosure of PHI in violation of this Agreement; or 18.1.2.4 Potential loss of confidential data affecting this Agreement. 18.1.3 Notice shall be provided to the DHCS Program Contract Manager (as applicable), the DHCS Privacy Office, and the DHCS Information Security Office (collectively, “DHCS Contacts”) using the DHCS Contact Information at Section 18.6. below. Notice shall be made using the current DHCS “Privacy Incident Reporting Form” (“PIR Form”; the initial notice of a security incident or breach that is submitted is referred to as an “Initial PIR Form”) and shall include all information known at the time the incident is reported. The form is available online at http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx. Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of PHI, Business Associate shall take: 18.1.3.1 Prompt action to mitigate any risks or damages involved with the security incident or breach; and 18.1.3.2 Any action pertaining to such unauthorized disclosure required by applicable Federal and State law. 18.2 Investigation. Business Associate shall immediately investigate such security incident or confidential breach. 18.3 Complete Report. To provide a complete report of the investigation to the DHCS contacts within ten (10) working days of the discovery of the security incident or breach. This “Final PIR” must include any applicable additional information not included in the Initial Form. The Final PIR Form shall include an assessment of all known factors relevant to a determination of whether a breach occurred under HIPAA and other applicable federal and state laws. The report shall also include a full, detailed corrective action plan, including its implementation date and information on mitigation measures taken to halt and/or contain the improper use or disclosure. If DHCS requests information in addition to that requested through the PIR form, Business Associate shall make reasonable efforts to provide DHCS with such information. A “Supplemental PIR” may be used to submit revised or additional information after the Final PIR is submitted. DHCS will review and approve or disapprove Business Associate’s determination of whether a breach occurred, whether the security incident or breach is reportable to the appropriate entities, if individual notifications are required, and Business Associate’s corrective action plan. County of Fresno 20-MCIPFRESNO-10 Page 5 of 6 DHCS HIPAA BAA 11/19/19 18.3.1 If Business Associate does not complete a Final PIR within the ten (10) working day timeframe, Business Associate shall request approval from DHCS within the ten (10) working day timeframe of a new submission timeframe for the Final PIR. 18.4 Notification of Individuals. If the cause of a breach is attributable to Business Associate or its agents, Business Associate shall notify individuals accordingly and shall pay all costs of such notifications, as well as all costs associated with the breach. The notifications shall comply with applicable federal and state law. DHCS shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made. 18.5 Responsibility for Reporting of Breaches to Entities Other than DHCS. If the cause of a breach of PHI is attributable to Business Associate or its subcontractors, Business Associate is responsible for all required reporting of the breach as required by applicable federal and state law. 18.6 DHCS Contact Information. To direct communications to the above referenced DHCS staff, the Contractor shall initiate contact as indicated here. DHCS reserves the right to make changes to the contact information below by giving written notice to Business Associate. These changes shall not require an amendment to this Agreement. DHCS Program Contract Manager DHCS Privacy Office DHCS Information Security Office See the Scope of Work exhibit for Program Contract Manager information. If this Business Associate Agreement is not attached as an exhibit to a contract, contact the DHCS signatory to this Agreement. Privacy Office c/o: Office of HIPAA Compliance Department of Health Care Services P.O. Box 997413, MS 4722 Sacramento, CA 95899-7413 Email: incidents@dhcs.ca.gov Telephone: (916) 445-4646 Information Security Office DHCS Information Security Office P.O. Box 997413, MS 6400 Sacramento, CA 95899-7413 Email: incidents@dhcs.ca.gov 19. Responsibility of DHCS. DHCS agrees to not request the Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA and/or other applicable federal and/or state law. 20. Audits, Inspection and Enforcement 20.1 From time to time, DHCS may inspect the facilities, systems, books and records of Business Associate to monitor compliance with this Agreement. Business Associate shall promptly remedy any violation of this Agreement and shall certify the same to the DHCS Privacy Officer in writing. Whether or how DHCS exercises this provision shall not in any respect relieve Business Associate of its responsibility to comply with this Agreement. 20.2 If Business Associate is the subject of an audit, compliance review, investigation or any proceeding that is related to the performance of its obligations pursuant to this Agreement, or is the subject of any judicial or administrative proceeding alleging a violation of HIPAA, Business Associate shall promptly notify DHCS unless it is legally prohibited from doing so. 21. Termination 21.1 Termination for Cause. Upon DHCS’ knowledge of a violation of this Agreement by Business Associate, DHCS may in its discretion: 21.1.1 Provide an opportunity for Business Associate to cure the violation and terminate this Agreement if Business Associate does not do so within the time specified by DHCS; or County of Fresno 20-MCIPFRESNO-10 Page 6 of 6 DHCS HIPAA BAA 11/19/19 21.1.2 Terminate this Agreement if Business Associate has violated a material term of this Agreement. 21.2 Judicial or Administrative Proceedings. DHCS may terminate this Agreement if Business Associate is found to have violated HIPAA, or stipulates or consents to any such conclusion, in any judicial or administrative proceeding. 22.Miscellaneous Provisions 22.1 Disclaimer. DHCS makes no warranty or representation that compliance by Business Associate with this Agreement will satisfy Business Associate’s business needs or compliance obligations. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI and other confidential information. 22.2. Amendment. 22.2.1 Any provision of this Agreement which is in conflict with current or future applicable Federal or State laws is hereby amended to conform to the provisions of those laws. Such amendment of this Agreement shall be effective on the effective date of the laws necessitating it, and shall be binding on the parties even though such amendment may not have been reduced to writing and formally agreed upon and executed by the parties. 22.2.2 Failure by Business Associate to take necessary actions required by amendments to this Agreement under Section 22.2.1 shall constitute a material violation of this Agreement. 22.3 Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and its employees and agents available to DHCS at no cost to DHCS to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against DHCS, its directors, officers and/or employees based upon claimed violation of HIPAA, which involve inactions or actions by the Business Associate. 22.4 No Third-Party Beneficiaries. Nothing in this Agreement is intended to or shall confer, upon any third person any rights or remedies whatsoever. 22.5 Interpretation. The terms and conditions in this Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and other applicable laws. 22.6 No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. California Department of Health Care Services Name/No.: Medi-Cal County Inmate Program (MCIP) Participation Agreement (No. 20-MCIPFRESNO-10) Fund/Subclass: 0001/10000 Organization #: 56201683 Revenue Account #: 7295 Est. $800,000 Annually