The URL can be used to link to this page

Home My WebLink AboutAgreement A-23-121 Amendment I to Agreement 18-292.pdf Agreement No. 23-121 DocuSign Envelope ID: l389F4AFF-1763-4E41-A42l3-E56110EA234E 1 AMENDMENT NO. 1 TO AGREEMENT 2 This Amendment No. 1 to Service Agreement ("Amendment No. 18-292) is dated 3 March 28 2023 and is between the COUNTY OF FRESNO, a Political Subdivision of the State 4 of California, hereinafter referred to as "COUNTY", and BAART BEHAVIORAL HEALTH SERVICES, 5 INC., a California corporation, whose address is 1720 Lakepointe Drive, Suite 117, Lewisville, TX 6 75057, hereinafter referred to as "PROVIDER" (collectively the parties). 7 WHEREAS, the parties entered into that certain Agreement, identified as COUNTY Agreement 8 No. 18-292, effective June 5, 2018, whereby PROVIDER agreed to provide Narcotic Treatment Program 9 (NTP) services for Opioid Use Disorders; and 10 WHEREAS, PROVIDER has the necessary certification, licensure and permits from the 11 Department of Health Care Services and the U.S. Drug Enforcement Administration (DEA) and is willing 12 and able to provide NTP services as required by the COUNTY, pursuant to both Title 9 and 22 of the 13 California Code of Regulations, California Health and Safety Code Sections 11750 et seq., the California 14 Alcohol and Drug Standards and per the terms and conditions of this agreement. 15 WHEREAS, PROVIDER has seen in an increase in the number of persons served, and has 16 increased Buprenorphine-Naloxone dosing in order to facilitate easier transition for individuals after 17 release or transfer to out-of-county detention facilities and prevent abuse. 18 WHEREAS, COUNTY and PROVIDER now desire to amend the Agreement regarding the 19 changes as stated below. 20 NOW, THEREFORE, the parties agree to amend the Agreement as follows: 21 1. All references in existing Agreement to "Exhibit A" shall be deemed references to 22 "Revised Exhibit A." Revised Exhibit A is attached and incorporated by this reference. 23 2. All references in existing Agreement to "Exhibits B-1 and B-2" shall be deemed 24 references to "Revised Exhibits B-1 and B-2." Revised Exhibits B-1 and B-2 are attached and 25 incorporated by this reference. 26 3. That the COUNTY Agreement No. 18-292, Section Four(4) "COMPENSATION", on 27 Page Four(4), beginning on Line Nine (9) with the word "Should" and ending on Line Twelve (12) with 28 the word "period" shall be deleted in its entirety and replaced with the following: -1- ii DocuSign Envelope ID: B89F4AFF-1763-4E41-A42B-E5611OEA234E 1 "A. Should the Agreement be extended as stated in Section Two (2), TERM, for the 2 extension periods of July 1, 2021 through June 30, 2022, and July 1, 2022 through June 30, 2023, in no 3 event shall actual services performed be in excess of One Hundred Fifty Thousand and No/100 4 ($150,000) for the period of July 1, 2021 through June 30, 2022 and Two Hundred Forty-Five Thousand 5 and No/100 ($245,000) for the period of July 1, 2022 through June 30, 2023." 6 4. That the County Agreement 18-292, Section Twelve (12), HOLD HARMLESS, on Page 7 Eight (8), beginning on Line Fifteen (15) with the word "PROVIDER" and ending on Line Twenty-One 8 (21) with the word "Agreement" shall be deleted in its entirety and replaced with the following: 9 "A. The PROVIDER shall indemnify and hold harmless and defend the County (including 10 its officers, agents, employees, and volunteers) against all claims, demands, injuries, damages, costs, 11 expenses (including attorney fees and costs), fines, penalties, and liabilities of any kind to the County, 12 the PROVIDER, or any third party that arise from or relate to the performance or failure to perform by 13 the PROVIDER (or any of its officers, agents, subcontractors, or employees) under this Agreement. The 14 County may conduct or participate in its own defense without affecting the PROVIDER'S obligation to 15 indemnify and hold harmless or defend the County. 16 B. This Section 12 survives the termination of this Agreement." 17 5. That the County Agreement 18-292, Section Thirteen (13), INSURANCE, on Page Eight 18 (8), beginning on Line Twenty-Three (23) with the word "Without" and ending on Page Ten (10), Line 19 Eighteen (18) with the word "better" shall be deleted in its entirety and replace with the following: 20 "PROVIDER shall comply with all the insurance requirements in Exhibit K to this 21 Agreement. Exhibit K is attached and incorporated by this reference." 22 6. That the County Agreement 18-292, Section Eighteen (18), DATA SECURITY, on Page 23 Fourteen (14), beginning on Line Four (4) with the word "For" and ending on Page Fifteen (15), on Line 24 Eighteen (18) with the word "notification" shall be deleted in its entirety and replaced with the following: 25 "PROVIDER shall comply with all the data security requirements in Exhibit L to this 26 Agreement. Exhibit L is attached and incorporated by this reference." 27 7. ELECTRONIC SIGNATURE: The parties agree that this Agreement may be executed by 28 electronic signature as provided in this section. An "electronic signature" means any symbol or -2- 11 DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E 1 process intended by an individual signing this Agreement to represent their signature, including but not 2 limited to (1) a digital signature; (2) a faxed version of an original handwritten signature; or(3) an 3 electronically scanned and transmitted (for example by PDF document) of a handwritten signature. Each 4 electronic signature affixed or attached to this Agreement(1) is deemed equivalent to a valid original 5 handwritten signature of the person signing this Agreement for all purposes, including but not limited to 6 evidentiary proof in any administrative or judicial proceeding, and (2) has the same force and effect as 7 the valid original handwritten signature of that person. The provisions of this section satisfy the 8 requirements of Civil Code section 1633.5, subdivision (b), in the Uniform Electronic Transaction Act 9 (Civil Code, Division 3, Part 2, Title 2.5, beginning with section 1633.1). Each party using a digital 10 signature represents that it has undertaken and satisfied the requirements of Government Code section 11 16.5, subdivision (a), paragraphs (1) through (5), and agrees that each other party may rely upon that 12 representation. This Agreement is not conditioned upon the parties conducting the transactions under it 13 by electronic means and either party may sign this Agreement with an original handwritten signature. 14 8. COUNTY and PROVIDER agree that this Amendment I is sufficient to amend the 15 Agreement and, that upon execution of this Amendment I, the Agreement and Amendment I together 16 shall be considered the Agreement. 17 The Agreement, as hereby amended, is ratified, and continued. All provisions, terms, 18 covenants, conditions, and promises contained in the Agreement and not amended herein shall remain 19 in full force and effect. 20 21 22 /!/ 23 24 25 26 27 /!! 28 -3- ii DocuSign Envelope ID:1389NAFF-1763-4E41-A4213-E56110EA234E 1 1H 2 /// 3 111 4 Ill 5 111 6 111 7 111 8 111 9 IN WITNESS WHEREOF,the parties hereto have executed this Agreement as of the day and year 10 first hereinabove written. 11 12 BAART Behavioral Health COUNTY OF FRESNO Services, CuocuSlgned by: 13 Gd,G� vlatj & • ' 8 14 (Authorize Igna ure1141' S I Q i ero) 15 Genco Gilberto D'Andria C a he Board of Supervisors of the County of Fresno 16 Print Name&Title 17 VP Treasurer 18 19 Mailing Address ATTEST: Bernice E. Seidel 20 1720 Lakepointe Drive, Suite 117 Clerk of the Board of Supervisors Lewisville,TX 75057 County of Fresno, State of California 21 Phone No.: (469)912-7451 Contact: John Machado, Contract 22 Manager 23 , her' 24 By: ALJC6t4�' Deputy 25 FOR ACCOUNTING USE ONLY: 26 Fund: 0001 27 Subclass: 10000 ORG: 56302081 28 Account: 7295/0 -4- DocuSign Envelope ID: B89F4AFF-1 763-4E41-A42B-E561 1 OEA234E Revised Exhibit A Page 1 of 3 SCOPE OF WORK In-Custody Narcotic Treatment Program Services ORGANIZATION: BAART BEHAVIORAL HEALTH SERVICES, INC. 1720 Lakepoint Dr., Ste 117 Lewisville, TX 75057 SERVICE ADDRESS: 539 N. Van Ness, Fresno, CA 93728 PROGRAM DIRECTOR: Jennifer Amity Berool, (559) 266-9581 NTP IN-CUSTODY DOSING SERVICES: Narcotic Treatment Program (NTP) services will be provided to in-custody opioid dependent individuals (18 and older)who received NTP services prior to incarceration and to those identified by jail staff as potentially having an opioid dependence but are not currently receiving NTP services. Emphasis will be placed on stabilization during incarceration through the provision of methadone dosing for individuals who meet medical necessity. Additionally, Buprenorphine may be administered to individuals who are under the care of a physician who prescribed the medication prior to incarceration. Services must be performed within all applicable regulations and standards, including but not limited to California Code of Regulations (CCR) Title 22, Alcohol and Other Drug (AOD) Certification Standards, CCR Title 9, U.S. Drug Enforcement Administration (DEA) regulations, all Department of Health Care Services (DHCS) Mental Health Substance Use Disorder Services (MHSUDS)/Behavioral Health (BH) Information Notices, Fresno County Substance Use Disorder (SUD) Bulletins, Medi-Cal Certifications (Mental Health and SUD), and any other required laws, regulations, policies, or procedures mandated by local, state, or federal agencies. SERVICES TO BE PROVIDED: BAART will be responsible for: • Conducting assessment, intake, and dosing services seven (7) days per week during NTP clinic hours. • Providing jail medical staff a dosing report daily, including dosing schedules. • Coordinating transportation to the primary NTP clinic, as needed. • Providing in-custody individuals with referrals and linkages to community-based SUD treatment services and other resources prior to release in order to assist with continued engagement in treatment and/or recovery services. DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Revised Exhibit A Page 2 of 3 • Maintaining a daily census of all in-custody individuals receiving NTP dosing services. • Providing Fresno County with individual, programmatic and other demographic information upon request. Person-Centered Approach: Services to in-custody individuals must be clinically appropriate, focused on the long-term recovery success and include cultural/linguistic awareness while taking on an emphatic, non- judgmental, person-centered approach that fits the needs of the individual. This includes referrals to community-based treatment and recovery resources upon release from custody. Licenses and Certifications: BAART must possess and maintain all of the necessary certifications, licenses and permits from the DHCS and U.S. DEA for the duration of the contract. Referrals: Individuals continuing to receive NTP dosing services upon release from custody will be referred to a community-based NTP provider for continued services based on individual preference and/or the geographic location of the treatment facility to the individual's residence. Out-of-county individuals must be referred back to their county of residence for continued services unless they plan to establish a residence in Fresno County. These individuals must transfer their Medi-Cal eligible benefits to Fresno County in order for the community-based treatment provider to be eligible for reimbursement through a Fresno County contract. Medication Management: BAART shall establish medication policies and procedures, which will inform the individual of the effects of the medication(s) as well as any side effects and risks. BAART will provide necessary training on medication management to all staff that are involved in the care of the individual. STAFFING REQUIREMENTS: BAART shall determine staffing levels needed to implement and maintain the program; however, the agency must comply with CCR Title 9 regulations and any other federal, state, or local requirements as applied to staff qualifications. GRIEVANCES AND INCIDENT REPORTS: BAART must notify Fresno County of all incidents or unusual occurrences reportable to state licensing bodies that affect Fresno County individuals within twenty-four (24) hours of the incident. Within fifteen (15) days of a grievance or incident affecting a Fresno County-sponsored DocuSign Envelope ID:B89F4AFF-1 763-4E41-A42B-E561 1 OEA234E Revised Exhibit A Page 3 of 3 individual MART shall submit a corrective action plan showing actions taken to resolve the complaint or incident. PROGRAM OUTCOMES: BAART must track and report the following outcome indicators to DBH on a quarterly basis in a mutually accepted format: 1. 100% of identified in-custody individuals will receive NTP dosing services within 24 hours of initial request and will continue to receive NTP dosing services as long as the NTP physician deems the service medically necessary and the individual is willing to participate. 2. 100% of in-custody individuals receiving NTP services will be provided informational resources about the medication they are prescribed including potential side-effects, other services available, and the benefits of continued engagement in SUD treatment. 3. 100% of in-custody individuals who receive NTP services will be provided with referrals to appropriate community-based SUD treatment services prior to discharge from custody. Individuals receiving NTP dosing services upon discharge must be referred to an NTP. Referrals will be based on geographic location of the individuals's residence upon release as well as the individual's preference. 4. 100% of in-custody individuals receiving NTP services will receive a satisfaction survey prior to discharge. 5. 90% of surveys will reflect a perception of satisfactory care. Outcomes: Outcomes related to timeliness of services, distribution of information related to NTP services, referrals, and quality of care through survey data will be tracked utilizing the outcomes measures mentioned above and will be made available during annual site reviews and upon request from the County. Efficiency of services such as service delivery cost per service unit, length of services provided, direct service hours of program staff and staff mileage will be tracked. Attention to outcomes will be used for process improvement. DocuSign Envelope ID:B89F4AFF-1 763-4E41-A42B-E561 1 OEA234E Revised Exhibit B-1 Page 1 of 2 Department of Health Care Services Local Governmental Financing Division Drug Medi-Cal (DMC) Rates for Fiscal Year 2022-23 Non Perinatal DMC Description Unit of Service (UOS) FY 2022-23 UOS Rate'* Narcotic Treatment Program (NTP) - Daily $16.20 Methadone NTP - Individual Counseling One 10-minute Increment $19.01 NTP - Group Counseling One 10-minute Increment $4.49 Intensive Outpatient Treatment Face-to-Face Visit $87.24 Naltrexone' Face-to-Face Visit $19.06 Residential - for EPSDT Beneficiaries Daily $128.47 Outpatient Drug Free (ODF) Individual Face-to-Face Visit (Per $95.07 Counseling Person ODF Group Counseling Face-to-Face Visit (Per $40.40 Person) Perinatal DMC Description Unit of Service (UOS) FY 22-23 UOS Rate** NTP - Methadone Daily $17.45 NTP - Individual Counseling' One 10-minute Increment $27.21 NTP - Group Counseling' One 10-minute Increment $9.09 Intensive Outpatient Treatment Face-to-Face Visit $104.37 Perinatal Residential Daily $128.47 ODF Individual Counseling Face-to-Face Visit (Per $136.08 Person ODF Group Counseling Face-to-Face Visit (Per $81 82 Person) ' - From FY 2002-03 through FY 2008-09, Naltrexone was frozen at the $21 .19 (FY 1999- 2000) approved rate. Counties and service providers have not provided, submitted claims, nor reported cost for this service since FY 1997-98. For FY 2009-10, the $21.19 frozen rate was reduced by 10 percent to $19.07. The rate was reduced to $19.06 when county DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Revised Exhibit B-1 Page 2 of 2 administration was excluded from the rates. Drug Medi-Cal used $19.06 as the FY 22-23 developed rate. 2 - FY 2009-2010 rates were adjusted by the cumulative growth of the change in the Implicit Price Deflator (IDP), in accordance with Welfare & Institutions Code Section 14021.9(b). The 15.6 percent is a year-to-year summation of the change in IDP's which are as follows: 0% for FY 2009-10, 3.2% for FY 2010-11 2.7% for FY 2011-12, 2.8% for FY 2012-13,3.0% for FY 2013-14, 1.10% for FY 2014-15, -0.30% for FY 2015-16, 1.3% for FY 2016-17, 3.5% for FY 2017-18, 3.2% for FY 2018-19 , 1.4% for FY 2019- 20, 2.6% for FY 20-21 , 7.1% for FY 21-22, and 4.8% for FY 22-23. DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Revised Exhibit B-2 Page 1 of 1 Department of Health Care Services Local Governmental Financing Division Drug Medi-Cal (DMC) Rates for Fiscal Year 2022-23 Additional Medication Assisted Treatments Available in Waiver Opt-In Counties Narcotic Treatment Programs Non Perinatal DMC Additional Medication Addiction Treatment (MAT Rates Description Unit of Service (UOS) FY 2022-23UOS Rate** Narcotic Treatment Program (NTP) — Daily $31.32 Buprenorphine- Mono NTP — Buprenorphine-Naloxone: Daily $31.80 Tablets NTP - Buprenorphine-Naloxone: Film Daily $28.31 NTP - Buprenorphine Injectable Monthly $1,970.17 NTP - Naltrexone Injectable Monthly $2,151.97 NTP - Disulfiram Daily $11.30 NTP-Naloxone Dispensed according to $144.96 need Perinatal DMC Additional Medication Addiction Treatment MAT Rates Description Unit of Service (UOS) FY 22-23 UOS Rate** NTP - Buprenorphine-Mono Daily $42.38 NTP - Buprenorphine-Naloxone: Daily $42.85 Tablets NTP - Buprenorphine-Naloxone: Film Daily $39.37 NTP - Buprenorphine Injectable Monthly $1,970.17 NTP - Naltrexone Injectable Monthly $2,151 .97 NTP - Disulfiram Daily $11.47 NTP-Naloxone Dispensed according to $144.96 need DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Exhibit K Page 1 of 4 Insurance Requirements 1. Required Policies Without limiting the County's right to obtain indemnification from the Contractor or any third parties, Contractor, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of this Agreement. (A) Commercial General Liability. Commercial general liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. Coverage must include products, completed operations, property damage, bodily injury, personal injury, and advertising injury. The Contractor shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by the County is excess only and not contributing with insurance provided under the Contractor's policy. (B) Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages. Coverage must include any auto used in connection with this Agreement. (C)Workers Compensation. Workers compensation insurance as required by the laws of the State of California with statutory limits. (D) Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease. (E) Professional Liability. Professional liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence and an annual aggregate of Three Million Dollars ($3,000,000). If this is a claims-made policy, then (1) the retroactive date must be prior to the date on which services began under this Agreement; (2)the Contractor shall maintain the policy and provide to the County annual evidence of insurance for not less than five years after completion of services under this Agreement; and (3) if the policy is canceled or not renewed, and not replaced with another claims-made policy with a retroactive date prior to the date on which services begin under this Agreement, then the Contractor shall purchase extended reporting coverage on its claims-made policy for a minimum of five years after completion of services under this Agreement. (F) Molestation Liability. Sexual abuse/ molestation liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence, with an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. (G)Technology Professional Liability (Errors and Omissions). Technology professional liability (errors and omissions) insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate. Coverage must encompass all of the Contractor's obligations under this Agreement, including but not limited to claims involving Cyber Risks. DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E5611OEA234E Exhibit K Page 2 of 4 (H) Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The Cyber liability policy must be endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security Breach, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) data breach; (iii) breach of any of the Contractor's obligations under[identify the Article, section, or exhibit containing data security obligations] of this Agreement; (iv) system failure; (v) data recovery; (vi) failure to timely disclose data breach or Security Breach; (vii) failure to comply with privacy policy; (viii) payment card liabilities and costs; (ix) infringement of intellectual property, including but not limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy, including release of private information; (xi) information theft; (xii) damage to or destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; (xv) fraudulent instruction; (xvi) funds transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response costs, including Security Breach response costs; (xx) regulatory fines and penalties related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; and (xxi) credit monitoring expenses. If the Contractor is a governmental entity, it may satisfy the policy requirements above through a program of self-insurance, including an insurance pooling arrangement or joint exercise of powers agreement. 2. Additional Requirements (A) Verification of Coverage. Within 30 days after the Contractor signs this Agreement, and at any time during the term of this Agreement as requested by the County's Risk Manager or the County Administrative Office, the Contractor shall deliver, or cause its broker or producer to deliver, to the County Risk Manager, at 2220 Tulare Street, 16th Floor, Fresno, California 93721, or HRRiskManagement@fresnoCountyca.gov, and by mail or email to the person identified to receive notices under this Agreement, certificates of insurance and endorsements for all of the coverages required under this Agreement. (i) Each insurance certificate must state that: (1) the insurance coverage has been obtained and is in full force; (2) the County, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3) the Contractor has waived its right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Agreement and that waiver does not invalidate the insurance policy. (ii) The commercial general liability insurance certificate must also state, and include an endorsement, that the County of Fresno, its officers, agents, employees, and DocuSign Envelope ID:B89F4AFF-1 763-4E41-A42B-E561 1 OEA234E Exhibit K Page 3 of 4 volunteers, individually and collectively, are additional insureds insofar as the operations under this Agreement are concerned. The commercial general liability insurance certificate must also state that the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by the County shall be excess only and not contributing with insurance provided under the Contractor's policy. (iii) The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Agreement. (iv) The professional liability insurance certificate, if it is a claims-made policy, must also state the retroactive date of the policy, which must be prior to the date on which services began under this Agreement. (v) The technology professional liability insurance certificate must also state that coverage encompasses all of the Contractor's obligations under this Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Agreement. (vi) The cyber liability insurance certificate must also state that it is endorsed, and include an endorsement, to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. (B) Acceptability of Insurers. All insurance policies required under this Agreement must be issued by admitted insurers licensed to do business in the State of California and possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no less than A: VII. (C) Notice of Cancellation or Change. For each insurance policy required under this Agreement, the Contractor shall provide to the County, or ensure that the policy requires the insurer to provide to the County, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 30 days in advance of cancellation or change. The County in its sole discretion may determine that the failure of the Contractor or its insurer to timely provide a written notice required by this paragraph is a breach of this Agreement. (D) County's Entitlement to Greater Coverage. If the Contractor has or obtains insurance with broader coverage, higher limits, or both, than what is required under this Agreement, then the County requires and is entitled to the broader coverage, higher limits, or both. To that end, the Contractor shall deliver, or cause its broker or producer to deliver, to the County's Risk Manager certificates of insurance and endorsements for all of the coverages that have such broader coverage, higher limits, or both, as required under this Agreement. DocuSign Envelope ID:689F4AFF-1763-4E41-A42B-E5611OEA234E Exhibit K Page 4 of 4 (E) Waiver of Subrogation. The Contractor waives any right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under the policy of worker's compensation insurance required by this Agreement. The Contractor is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but the Contractor's waiver of subrogation under this paragraph is effective whether or not the Contractor obtains such an endorsement. (F) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails to keep in effect at all times any insurance coverage required under this Agreement, the County may, in addition to any other remedies it may have, suspend or terminate this Agreement upon the occurrence of that failure, or purchase such insurance coverage, and charge the cost of that coverage to the Contractor. The County may offset such charges against any amounts owed by the County to the Contractor under this Agreement. (G)SubContractors. The Contractor shall require and verify that all subContractors used by the Contractor to provide services under this Agreement maintain insurance meeting all insurance requirements provided in this Agreement. This paragraph does not authorize the Contractor to provide services under this Agreement using subContractors. DocuSign Envelope ID:B89F4AFF-1 763-4E41-A42B-E561 1 OEA234E Exhibit L Data Security 1. Definitions Capitalized terms used in this Exhibit L have the meanings set forth in this section 1. (A) "Authorized Employees" means the Contractor's employees who have access to Personal Information. (B) "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any and all of the Contractor's subcontractors, representatives, agents, outsourcers, and consultants, and providers of professional services to the Contractor, who have access to Personal Information and are bound by law or in writing by confidentiality obligations sufficient to protect Personal Information in accordance with the terms of this Exhibit L. (C) "Director" means the County's Director of the Department of Behavioral Health or his or her designee. (D) "Disclose" or any derivative of that word means to disclose, release, transfer, disseminate, or otherwise provide access to or communicate all or any part of any Personal Information orally, in writing, or by electronic or any other means to any person. (E) "Person" means any natural person, corporation, partnership, limited liability company, firm, or association. (F) "Personal Information" means any and all information, including any data, provided, or to which access is provided, to the Contractor by or upon the authorization of the County, under this Agreement, including but not limited to vital records, that: (i) identifies, describes, or relates to, or is associated with, or is capable of being used to identify, describe, or relate to, or associate with, a person (including, without limitation, names, physical descriptions, signatures, addresses, telephone numbers, e-mail addresses, education, financial matters, employment history, and other unique identifiers, as well as statements made by or attributable to the person); (ii) is used or is capable of being used to authenticate a person (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or personal identification numbers (PINs), financial account numbers, credit report information, answers to security questions, and other personal identifiers); or(iii) is personal information within the meaning of California Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (G)"Privacy Practices Complaint" means a complaint received by the County relating to the Contractor's (or any Authorized Person's) privacy practices, or alleging a Security Breach. Such complaint shall have sufficient detail to enable the Contractor to promptly investigate and take remedial action under this Exhibit L. (H) "Security Safeguards" means physical, technical, administrative or organizational security procedures and practices put in place by the Contractor(or any Authorized Persons) that relate to the protection of the security, confidentiality, value, or integrity of Personal Information. Security Safeguards shall satisfy the minimal requirements set forth in section 3(C) of this Exhibit L. L-1 DocuSign Envelope ID:689F4AFF-1763-4E41-A426-E5611OEA234E Exhibit L Data Security (1) "Security Breach" means (i) any act or omission that compromises either the security, confidentiality, value, or integrity of any Personal Information or the Security Safeguards, or(ii) any unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage to, any Personal Information. (J) "Use" or any derivative of that word means to receive, acquire, collect, apply, manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose of Personal Information. 2. Standard of Care (A) The Contractor acknowledges that, in the course of its engagement by the County under this Agreement, the Contractor, or any Authorized Persons, may Use Personal Information only as permitted in this Agreement. (B) The Contractor acknowledges that Personal Information is deemed to be confidential information of, or owned by, the County (or persons from whom the County receives or has received Personal Information) and is not confidential information of, or owned or by, the Contractor, or any Authorized Persons. The Contractor further acknowledges that all right, title, and interest in or to the Personal Information remains in the County (or persons from whom the County receives or has received Personal Information) regardless of the Contractor's, or any Authorized Person's, Use of that Personal Information. (C)The Contractor agrees and covenants in favor of the Country that the Contractor shall: (i) keep and maintain all Personal Information in strict confidence, using such degree of care under this section 2 as is reasonable and appropriate to avoid a Security Breach; (ii) Use Personal Information exclusively for the purposes for which the Personal Information is made accessible to the Contractor pursuant to the terms of this Exhibit L; (iii) not Use, Disclose, sell, rent, license, or otherwise make available Personal Information for the Contractor's own purposes or for the benefit of anyone other than the County, without the County's express prior written consent, which the County may give or withhold in its sole and absolute discretion; and (iv) not, directly or indirectly, Disclose Personal Information to any person (an "Unauthorized Third Party") other than Authorized Persons pursuant to this Agreement, without the Director's express prior written consent. (D) Notwithstanding the foregoing paragraph, in any case in which the Contractor believes it, or any Authorized Person, is required to disclose Personal Information to government regulatory authorities, or pursuant to a legal proceeding, or otherwise as may be required by applicable law, Contractor shall (i) immediately notify the County of the specific demand for, and legal authority for the disclosure, including providing County with a copy of any notice, discovery demand, subpoena, or order, as applicable, received by the Contractor, or any Authorized Person, from any government regulatory authorities, or in relation to any legal proceeding, and (ii) promptly notify the County L-2 DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Exhibit L Data Security before such Personal Information is offered by the Contractor for such disclosure so that the County may have sufficient time to obtain a court order or take any other action the County may deem necessary to protect the Personal Information from such disclosure, and the Contractor shall cooperate with the County to minimize the scope of such disclosure of such Personal Information. (E) The Contractor shall remain liable to the County for the actions and omissions of any Unauthorized Third Party concerning its Use of such Personal Information as if they were the Contractor's own actions and omissions. 3. Information Security (A) The Contractor covenants, represents and warrants to the County that the Contractor's Use of Personal Information under this Agreement does and will at all times comply with all applicable federal, state, and local, privacy and data protection laws, as well as all other applicable regulations and directives, including but not limited to California Civil Code, Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song- Beverly Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3, beginning with section 1747). If the Contractor Uses credit, debit or other payment cardholder information, the Contractor shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing and maintaining all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at the Contractor's sole cost and expense. (B) The Contractor covenants, represents and warrants to the County that, as of the effective date of this Agreement, the Contractor has not received notice of any violation of any privacy or data protection laws, as well as any other applicable regulations or directives, and is not the subject of any pending legal action or investigation by, any government regulatory authority regarding same. (C)Without limiting the Contractor's obligations under section 3(A) of this Exhibit L, the Contractor's (or Authorized Person's) Security Safeguards shall be no less rigorous than accepted industry practices and, at a minimum, include the following: (i) limiting Use of Personal Information strictly to the Contractor's and Authorized Persons' technical and administrative personnel who are necessary for the Contractor's, or Authorized Persons', Use of the Personal Information pursuant to this Agreement; (ii) ensuring that all of the Contractor's connectivity to County computing systems will only be through the County's security gateways and firewalls, and only through security procedures approved upon the express prior written consent of the Director; (iii) to the extent that they contain or provide access to Personal Information, (a) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, operating systems, and software applications, including, but not limited to, all mobile devices and other equipment, operating systems, and software applications with information storage capability; (b) L-3 DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Exhibit L Data Security employing adequate controls and data security measures, both internally and externally, to protect (1) the Personal Information from potential loss or misappropriation, or unauthorized Use, and (2) the County's operations from disruption and abuse; (c) having and maintaining network, device application, database and platform security; (d) maintaining authentication and access controls within media, computing equipment, operating systems, and software applications; and (e) installing and maintaining in all mobile, wireless, or handheld devices a secure internet connection, having continuously updated anti-virus software protection and a remote wipe feature always enabled, all of which is subject to express prior written consent of the Director; (iv) encrypting all Personal Information at advance encryption standards of Advanced Encryption Standards (AES) of 128 bit or higher (a) stored on any mobile devices, including but not limited to hard disks, portable storage devices, or remote installation, or (b) transmitted over public or wireless networks (the encrypted Personal Information must be subject to password or pass phrase, and be stored on a secure server and transferred by means of a Virtual Private Network (VPN) connection, or another type of secure connection, all of which is subject to express prior written consent of the Director); (v) strictly segregating Personal Information from all other information of the Contractor, including any Authorized Person, or anyone with whom the Contractor or any Authorized Person deals so that Personal Information is not commingled with any other types of information; (vi) having a patch management process including installation of all operating system and software vendor security patches; (vii) maintaining appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks of Authorized Employees consistent with applicable law; and (viii) providing appropriate privacy and information security training to Authorized Employees. (D) During the term of each Authorized Employee's employment by the Contractor, the Contractor shall cause such Authorized Employees to abide strictly by the Contractor's obligations under this Exhibit L. The Contractor shall maintain a disciplinary process to address any unauthorized Use of Personal Information by any Authorized Employees. (E) The Contractor shall, in a secure manner, backup daily, or more frequently if it is the Contractor's practice to do so more frequently, Personal Information received from the County, and the County shall have immediate, real time access, at all times, to such backups via a secure, remote access connection provided by the Contractor, through the Internet. (F) The Contractor shall provide the County with the name and contact information for each Authorized Employee (including such Authorized Employee's work shift, and at least one alternate Authorized Employee for each Authorized Employee during such work shift) who shall serve as the County's primary security contact with the Contractor and shall be L-4 DocuSign Envelope ID:B89F4AFF-1 763-4E41-A42B-E561 1 OEA234E Exhibit L Data Security available to assist the County twenty-four(24) hours per day, seven (7) days per week as a contact in resolving the Contractor's and any Authorized Persons' obligations associated with a Security Breach or a Privacy Practices Complaint. (G)The Contractor shall not knowingly include or authorize any Trojan Horse, back door, time bomb, drop dead device, worm, virus, or other code of any kind that may disable, erase, display any unauthorized message within, or otherwise impair any County computing system, with or without the intent to cause harm. 4. Security Breach Procedures (A) Immediately upon the Contractor's awareness or reasonable belief of a Security Breach, the Contractor shall (i) notify the Director of the Security Breach, such notice to be given first by telephone at the following telephone number, followed promptly by email at the following email addresses: (559) 600-4645, dbhcontractedservices(a-)fresnocountyca.gov, dbhforensicservices(D_fresnocountyca.gov (which telephone number and email address the County may update by providing notice to the Contractor), and (ii) preserve all relevant evidence (and cause any affected Authorized Person to preserve all relevant evidence) relating to the Security Breach. The notification shall include, to the extent reasonably possible, the identification of each type and the extent of Personal Information that has been, or is reasonably believed to have been, breached, including but not limited to, compromised, or subjected to unauthorized Use, Disclosure, or modification, or any loss or destruction, corruption, or damage. (B) Immediately following the Contractor's notification to the County of a Security Breach, as provided pursuant to section 4(A) of this Exhibit L, the Parties shall coordinate with each other to investigate the Security Breach. The Contractor agrees to fully cooperate with the County, including, without limitation: (i) assisting the County in conducting any investigation; (ii) providing the County with physical access to the facilities and operations affected; (iii) facilitating interviews with Authorized Persons and any of the Contractor's other employees knowledgeable of the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards, or as otherwise reasonably required by the County. To that end, the Contractor shall, with respect to a Security Breach, be solely responsible, at its cost, for all notifications required by law and regulation, or deemed reasonably necessary by the County, and the Contractor shall provide a written report of the investigation and reporting required to the Director within 30 days after the Contractor's discovery of the Security Breach. (C) County shall promptly notify the Contractor of the Director's knowledge, or reasonable belief, of any Privacy Practices Complaint, and upon the Contractor's receipt of that notification, the Contractor shall promptly address such Privacy Practices Complaint, including taking any corrective action under this Exhibit L, all at the Contractor's sole L-5 DocuSign Envelope ID: B89F4AFF-1763-4E41-A42B-E56110EA234E Exhibit L Data Security expense, in accordance with applicable privacy rights, laws, regulations and standards. In the event the Contractor discovers a Security Breach, the Contractor shall treat the Privacy Practices Complaint as a Security Breach. Within 24 hours of the Contractor's receipt of notification of such Privacy Practices Complaint, the Contractor shall notify the County whether the matter is a Security Breach, or otherwise has been corrected and the manner of correction, or determined not to require corrective action and the reason for that determination. (D)The Contractor shall take prompt corrective action to respond to and remedy any Security Breach and take mitigating actions, including but not limiting to, preventing any reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as a result of such incident, all at the Contractor's sole expense, in accordance with applicable privacy rights, laws, regulations and standards. The Contractor shall reimburse the County for all reasonable costs incurred by the County in responding to, and mitigating damages caused by, any Security Breach, including all costs of the County incurred relation to any litigation or other action described section 4(E) of this Exhibit L. (E) The Contractor agrees to cooperate, at its sole expense, with the County in any litigation or other action to protect the County's rights relating to Personal Information, including the rights of persons from whom the County receives Personal Information. 5. Oversight of Security Compliance (A) The Contractor shall have and maintain a written information security policy that specifies Security Safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities. (B) Upon the County's written request, to confirm the Contractor's compliance with this Exhibit L, as well as any applicable laws, regulations and industry standards, the Contractor grants the County or, upon the County's election, a third party on the County's behalf, permission to perform an assessment, audit, examination or review of all controls in the Contractor's physical and technical environment in relation to all Personal Information that is Used by the Contractor pursuant to this Agreement. The Contractor shall fully cooperate with such assessment, audit or examination, as applicable, by providing the County or the third party on the County's behalf, access to all Authorized Employees and other knowledgeable personnel, physical premises, documentation, infrastructure and application software that is Used by the Contractor for Personal Information pursuant to this Agreement. In addition, the Contractor shall provide the County with the results of any audit by or on behalf of the Contractor that assesses the effectiveness of the Contractor's information security program as relevant to the security and confidentiality of Personal Information Used by the Contractor or Authorized Persons during the course of this Agreement under this Exhibit L. (C) The Contractor shall ensure that all Authorized Persons who Use Personal Information agree to the same restrictions and conditions in this Exhibit L. that apply to the Contractor with respect to such Personal Information by incorporating the relevant provisions of these provisions into a valid and binding written agreement between the Contractor and such Authorized Persons, or amending any written agreements to provide same. L-6 DocuSign Envelope ID:B89F4AFF-1763-4E41-A426-E56110EA234E Exhibit L Data Security 6. Return or Destruction of Personal Information. Upon the termination of this Agreement, the Contractor shall, and shall instruct all Authorized Persons to, promptly return to the County all Personal Information, whether in written, electronic or other form or media, in its possession or the possession of such Authorized Persons, in a machine readable form used by the County at the time of such return, or upon the express prior written consent of the Director, securely destroy all such Personal Information, and certify in writing to the County that such Personal Information have been returned to the County or disposed of securely, as applicable. If the Contractor is authorized to dispose of any such Personal Information, as provided in this Exhibit L, such certification shall state the date, time, and manner (including standard) of disposal and by whom, specifying the title of the individual. The Contractor shall comply with all reasonable directions provided by the Director with respect to the return or disposal of Personal Information and copies of Personal Information. If return or disposal of such Personal Information or copies of Personal Information is not feasible, the Contractor shall notify the County according, specifying the reason, and continue to extend the protections of this Exhibit L to all such Personal Information and copies of Personal Information. The Contractor shall not retain any copy of any Personal Information after returning or disposing of Personal Information as required by this section 6. The Contractor's obligations under this section 6 survive the termination of this Agreement and apply to all Personal Information that the Contractor retains if return or disposal is not feasible and to all Personal Information that the Contractor may later discover. 7. Equitable Relief. The Contractor acknowledges that any breach of its covenants or obligations set forth in this Exhibit L may cause the County irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, the County is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which the County may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available to the County at law or in equity or under this Agreement. 8. Indemnity. The Contractor shall defend, indemnify and hold harmless the County, its officers, employees, and agents, (each, a "County Indemnitee") from and against any and all infringement of intellectual property including, but not limited to infringement of copyright, trademark, and trade dress, invasion of privacy, information theft, and extortion, unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage to, Personal Information, Security Breach response and remedy costs, credit monitoring expenses, forfeitures, losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, fines and penalties (including regulatory fines and penalties), costs or expenses of whatever kind, including attorneys' fees and costs, the cost of enforcing any right to indemnification or defense under this Exhibit L and the cost of pursuing any insurance providers, arising out of or resulting from any third party claim or action against any County Indemnitee in relation to the Contractor's, its officers, employees, or agents, or any Authorized Employee's or Authorized Person's, performance or failure to perform under this Exhibit L or arising out of or resulting from the Contractor's failure to comply with any of its obligations under this section 8. The provisions of this section 8 do not apply to the acts or omissions of the County. The provisions of this section 8 are cumulative to any other obligation of the Contractor to, defend, indemnify, or hold harmless any County Indemnitee under this Agreement. The provisions of this section 8 shall survive the termination of this Agreement. L-7 DocuSign Envelope ID:B89F4AFF-1763-4E41-A42B-E56110EA234E Exhibit L Data Security 9. Survival. The respective rights and obligations of the Contractor and the County as stated in this Exhibit L shall survive the termination of this Agreement. 10. No Third Party Beneficiary. Nothing express or implied in the provisions of in this Exhibit L is intended to confer, nor shall anything in this Exhibit L confer, upon any person other than the County or the Contractor and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. 11. No County Warranty. The County does not make any warranty or representation whether any Personal Information in the Contractor's (or any Authorized Person's) possession or control, or Use by the Contractor (or any Authorized Person), pursuant to the terms of this Agreement is or will be secure from unauthorized Use, or a Security Breach or Privacy Practices Complaint. L-8