HomeMy WebLinkAboutAgreement A-23-191 with Pinnacle Training Systems LLC.pdf Agreement No. 23-191
1 SERVICE AGREEMENT
2 This Service Agreement ("Agreement') is dated April 25, 2023 and is between
3 PINNACLE TRAINING SYSTEMS, LLC, a California Limited Liability Corporation, whose
4 address is 6011 N. Fresno Ave, Suite 120, Fresno CA, 93721 ("Contractor"), and the County of
5 Fresno, a political subdivision of the State of California ("County").
6 Recitals
7 A. The Department of Public Health is in need of a vendor to provide mobile vaccination
8 clinics at locations throughout the county for COVID-19 and Flu vaccinations.
9 B. Pinnacle Training Systems, LLC provides mobile vaccination clinics for COVID-19 and
10 FLU to the County and can quickly set up clinics to do vaccinations when requested and enters
11 all vaccination information into the California Immunization Registry (CAIR).
12 C. The County and Contractor entered into services agreement No A-21-067, effective
13 February 15, 2021, under which the contractor agreed to provide COVID-19 vaccination
14 services to County residents until December 31, 2021. The agreement was amended with the
15 First Amendment No. A-21-454 and the Second Amendment No. A-22-282 to increase the
16 maximum compensation, add providing Flu Vaccines, and extend its term until December 31,
17 2022.
18 D. County deems it beneficial to continue receiving services from Contractor under the
19 terms and conditions of this agreement.
20 The Parties therefore agree as follows:
21 Article 1
22 Contractor's Services
23 1.1 Scope of Services. The Contractor shall perform all of the services provided in
24 Exhibit A to this Agreement, titled "Scope of Services."
25 1.2 Representation. The Contractor represents that it is qualified, ready, willing, and
26 able to perform all of the services provided in this Agreement.
27
28
1
1 1.3 Health Insurance Portability and Accountability Act (HIPAA). Contractor shall
2 comply with all provisions of Exhibit E to this Agreement, titled "Health Insurance Portability and
3 Accountability Act (HIPAA)."
4 1.4 Compliance with Laws. The Contractor shall, at its own cost, comply with all
5 applicable federal, state, and local laws and regulations in the performance of its obligations
6 under this Agreement, including but not limited to workers compensation, labor, and
7 confidentiality laws and regulations.
8 Article 2
9 County's Responsibilities
10 2.1 The County shall support with enrolling in vaccine programs as needed, support with
11 vaccine storage and handling equipment as needed and as supplies are available and assist
12 with promotion of events by posting on the County of Fresno Department of Public Health
13 website.
14 Article 3
15 Compensation, Invoices, and Payments
16 3.1 The County agrees to pay, and the Contractor agrees to receive, compensation for
17 the performance of its services under this Agreement as described in Exhibit B to this
18 Agreement, titled "Compensation."
19 3.2 Maximum Compensation. The maximum compensation payable to the Contractor
20 under this Agreement is $637,500, commencing as of January 1, 2023, for the entire term of the
21 Agreement. In no event shall compensation paid for services performed under this Agreement
22 exceed Six Hundred Thirty-Seven Thousand Five Hundred Dollars ($637,500)for the entire
23 term of this Agreement. The Contractor acknowledges that the County is a local government
24 entity and does so with notice that the County's powers are limited by the California Constitution
25 and by State law, and with notice that the Contractor may receive compensation under this
26 Agreement only for services performed according to the terms of this Agreement and while this
27 Agreement is in effect, and subject to the maximum amount payable under this section. The
28
2
1 Contractor further acknowledges that County employees have no authority to pay the Contractor
2 except as expressly provided in this Agreement.
3 3.3 Invoices. The Contractor shall submit monthly invoices to the County of Fresno,
4 Department of Public Health, COVID Response, P.O. Box 11867, Fresno, CA 93775, Attention:
5 Business Office or to dphboap@fresnocountyca.gov. The Contractor shall submit each invoice
6 within 60 days after the month in which the Contractor performs services and in any case within
7 60 days after the end of the term or termination of this Agreement.
8 3.4 Payment. The County shall pay each correctly completed and timely submitted
9 invoice within 45 days after receipt. The County shall remit any payment to the Contractor's
10 address specified in the invoice.
11 3.5 Incidental Expenses. The Contractor is solely responsible for all of its costs and
12 expenses that are not specified as payable by the County under this Agreement.
13 Article 4
14 Term of Agreement
15 4.1 Term. This Agreement is effective on January 1 st, 2023 and terminates on May 31 st
16 2024, except as provided in section 4.2, "Extension," or Article 6, "Termination and Suspension,"
17 below.
18 Article 5
19 Notices
20 5.1 Contact Information. The persons and their addresses having authority to give and
21 receive notices provided for or permitted under this Agreement include the following:
22
For the County:
23 Director, Department of Public Health
County of Fresno
24 P.O. Box 11867
Fresno, CA 93775
25 DPHContracts@fresnocountyca.gov
26 For the Contractor:
Owner— Felicia Gomez
27 Pinnacle Training Systems, LLC.
6011 N. Fresno Street, Suite 120
28 Fresno, CA, 93721
fgomez@pinnacletrainingsystems.com
3
1
5.2 Change of Contact Information. Either party may change the information in section
2
5.1 by giving notice as provided in section 5.3.
3
5.3 Method of Delivery. Each notice between the County and the Contractor provided
4
for or permitted under this Agreement must be in writing, state that it is a notice provided under
5
this Agreement, and be delivered either by personal service, by first-class United States mail, by
6
an overnight commercial courier service, or by Portable Document Format (PDF) document
7
attached to an email.
8
(A) A notice delivered by personal service is effective upon service to the recipient.
9
(B) A notice delivered by first-class United States mail is effective three County
10
business days after deposit in the United States mail, postage prepaid, addressed to the
11
recipient.
12
(C)A notice delivered by an overnight commercial courier service is effective one
13
County business day after deposit with the overnight commercial courier service,
14
delivery fees prepaid, with delivery instructions given for next day delivery, addressed to
15
the recipient.
16
(D)A notice delivered by PDF document attached to an email is effective when
17
transmission to the recipient is completed (but, if such transmission is completed outside
18
of County business hours, then such delivery is deemed to be effective at the next
19
beginning of a County business day), provided that the sender maintains a machine
20
record of the completed transmission.
21
5.4 Claims Presentation. For all claims arising from or related to this Agreement,
22
nothing in this Agreement establishes, waives, or modifies any claims presentation
23
requirements or procedures provided by law, including the Government Claims Act (Division 3.6
24
of Title 1 of the Government Code, beginning with section 810).
25
Article 6
26
Termination and Suspension
27
6.1 Termination for Non-Allocation of Funds. The terms of this Agreement are
28
contingent on the approval of funds by the appropriating government agency. If sufficient funds
4
1 are not allocated, then the County, upon at least 30 days' advance written notice to the
2 Contractor, may:
3 (A) Modify the services provided by the Contractor under this Agreement; or
4 (B) Terminate this Agreement.
5 6.2 Termination for Breach.
6 (A) Upon determining that a breach (as defined in paragraph (C) below) has
7 occurred, the County may give written notice of the breach to the Contractor. The written
8 notice may suspend performance under this Agreement, and must provide at least 30
9 days for the Contractor to cure the breach.
10 (B) If the Contractor fails to cure the breach to the County's satisfaction within the
11 time stated in the written notice, the County may terminate this Agreement immediately.
12 (C) For purposes of this section, a breach occurs when, in the determination of the
13 County, the Contractor has:
14 (1) Obtained or used funds illegally or improperly;
15 (2) Failed to comply with any part of this Agreement;
16 (3) Submitted a substantially incorrect or incomplete report to the County; or
17 (4) Improperly performed any of its obligations under this Agreement.
18 6.3 Termination without Cause. In circumstances other than those set forth above, the
19 County may terminate this Agreement by giving at least 30 days advance written notice to the
20 Contractor.
21 6.4 No Penalty or Further Obligation. Any termination of this Agreement by the County
22 under this Article 6 is without penalty to or further obligation of the County.
23 6.5 County's Rights upon Termination. Upon termination for breach under this Article
24 6, the County may demand repayment by the Contractor of any monies disbursed to the
25 Contractor under this Agreement that, in the County's sole judgment, were not expended in
26 compliance with this Agreement. The Contractor shall promptly refund all such monies upon
27 demand. This section survives the termination of this Agreement.
28
5
1 Article 7
2 Funding Source
3 7.1 Services Funding Source. Funding for these services is provided by the one or
4 more of the following funding sources: Epidemiology and Laboratory Capacity for Infectious
5 Disease (ELC) Enhancing Detection Expansion through Coronavirus Response and Relief
6 (CRR) Supplemental Funds (CFDA 93.323), and/or other additional funding made available
7 through Federal, State, or Local legislation.
8 Article 8
9 Federal Funding Terms and Conditions
10 8.1 Certification Regarding Debarment, Suspension, Ineligibility and Voluntary
11 Exclusion-Lower Tier Covered Transactions.
12 (A) County and Contractor recognize that Contractor is a recipient of Federal funds
13 under the terms of this Agreement. By signing this Agreement, Contractor agrees to
14 comply with applicable Federal suspension and debarment regulations, including but not
15 limited to: 7 CFR 3016.35, 29 CFR 97.35, 45 CFR 92.35, and Executive Order 12549.
16 By signing this Agreement, Contractor attests to the best of its knowledge and belief,
17 that it and its principals:
18 (1) Are not presently debarred, suspended, proposed for debarment, declared
19 ineligible, or voluntarily excluded by any Federal department or agency; and
20 (2) Shall not knowingly enter into any covered transaction with an entity or
21 person who is proposed for debarment under Federal regulations, debarred,
22 suspended, declared ineligible, or voluntarily excluded from participation in
23 such transaction.
24 (B) Contractor shall provide immediate written notice to County if at during any time
25 during the term of this Agreement Contractor learns that the representations it makes
26 above were erroneous when made or have become erroneous by reason of changed
27 circumstances.
28
6
1 (C) Contractor shall include a clause titled, "Certification Regarding Debarment,
2 Suspension, Ineligibility, and Voluntary Exclusion — Lower Tier Covered Transactions"
3 and similar in nature to this paragraph in all lower tier covered transactions and it all
4 solicitations for lower tier covered transactions.
5 (D) Contractor shall, prior to soliciting or purchasing goods and services in excess of
6 $25,000 funded by this Agreement, review and retain the proposed vendor's suspension
7 and debarment status at https://sam.gov/SAM/.
8
9 8.2 Property of County. Contractor agrees to take reasonable and prudent steps to
10 ensure the security of any and all said hardware and software provided to it by County under
11 this Agreement, to maintain replacement-value insurance coverages on said hardware and
12 software of like kind and quality approved by County.
13 All purchases over Five Thousand Dollars ($5,000) made during the life of this Agreement
14 that will outlive the life of this Agreement shall be identified as fixed assets with an assigned
15 Fresno County Department of Public Health (DPH) Accounting Inventory Number. These fixed
16 assets shall be retained by County, as County property, in the event this Agreement is
17 terminated or upon expiration of this Agreement. Contractor agrees to participate in an annual
18 inventory of all County fixed assets and shall be physically present when fixed assets are
19 returned to County possession at the termination or expiration of this Agreement. Contractor is
20 responsible for returning to County all County owned fixed assets upon the expiration or
21 termination of this Agreement.
22 8.3 Prohibition on Publicity. None of the funds, materials, property or services
23 provided directly or indirectly under this Agreement shall be used for Contractor's advertising,
24 fundraising, or publicity (i.e., purchasing of tickets/tables, silent auction donations, etc.) for the
25 purpose of self-promotion. Notwithstanding the above, publicity of the services described in
26 Paragraph One (1) of this Agreement shall be allowed as necessary to raise public awareness
27 about the availability of such specific services when approved in advance by the County's DPH
28
7
1 Director or designee for such items as written/printed materials, the use of media (i.e., radio,
2 television, newspapers) and any other related expense(s).
3 8.4 Conflict of Interest. No officer, employee or agent of the County who exercises any
4 function or responsibility for planning and carrying out of the services provided under this
5 Agreement shall have any direct or indirect personal financial interest in this Agreement. In
6 addition, no employee of the County shall be employed by the Contractor under this Agreement
7 to fulfill any contractual obligations with the County. Contractor shall comply with all Federal,
8 State of California and local conflict of interest laws, statutes and regulations, which shall be
9 applicable to all parties and beneficiaries under this Agreement and any officer, employee or
10 agent of the County.
11 8.5 Change of Leadership/Management. In the event of any change in the status of
12 Contractor's leadership or management, Contractor shall provide written notice to County within
13 thirty (30) days from the date of change. Such notification shall include any new leader or
14 manager's name, address and qualifications. "Leadership or management" shall include any
15 employee, member, or owner of Contractor who either a) directs individuals providing services
16 pursuant to this Agreement, b) exercises control over the manner in which services are
17 provided, or c) has authority over Contractor's finances.
18 8.6 Lobbying Activity. None of the funds provided under this Agreement shall be used
19 for publicity, lobbying or propaganda purposes designed to support or defeat legislation pending
20 in the Congress of the United States of America or the Legislature of the State of California.
21 8.7 State Energy Conservation. Contractor must comply with the mandatory standards
22 and policies relating to energy efficiency, which are contained in the State Energy Conservation
23 Plan issued in compliance with 42 United States (US) Code sections 6321, et. seq.
24 8.8 Clean Air and Water. In the event the funding under this Agreement exceeds One
25 Hundred Fifty Thousand and No/100 Dollars ($150,000), Contractor shall comply with all
26 applicable standards, orders or requirements issued under the Clean Air Act contained in 42
27 U.S. Code 7601 et seq; the Clean Water Act contained in U.S. Code 1368 et seq.; and any
28
8
1 standards, laws and regulations, promulgated thereunder. Under these laws and regulations,
2 CONTRACTOR shall assure:
3 (A) No facility shall be utilized in the performance of the Agreement that has been
4 listed on the Environmental Protection Agency (EPA) list of Violating Facilities;
5 (B) County shall be notified prior to execution of this Agreement of the receipt of any
6 communication from the Director, Office of Federal Activities, U.S. EPA indicating that a
7 facility to be utilized in the performance of this Agreement is under consideration to be
8 listed on the EPA list of Violating Facilities;
9 (C) County and U.S. EPA shall be notified about any known violation of the above
10 laws and regulations; and,
11 (D)This assurance shall be included in every nonexempt subgrant, contract, or
12 subcontract.
13 8.9 Audits and Inspections. The Contractor shall at any time during business hours,
14 and as often as the County may deem necessary, make available to the County for examination
15 all of its records and data with respect to the matters covered by this Agreement. The
16 Contractor shall, upon request by the County, permit the County to audit and inspect all of such
17 records and data necessary to ensure Contractor's compliance with the terms of this
18 Agreement.
19 If this Agreement exceeds ten thousand dollars ($10,000.00), Contractor shall be subject to
20 the examination and audit of the California State Auditor for a period of three (3) years after final
21 payment under contract (Government Code Section 8546.7).
22 In addition, Contractor shall cooperate and participate with County's fiscal review process
23 and comply with all final determinations rendered by the County's fiscal review process. If
24 County reaches an adverse decision regarding Contractor's services to consumers, it may result
25 in the disallowance of payment for services rendered; or in additional controls to the delivery of
26 services, or in the termination of this Agreement, at the discretion of County's DPH Director or
27 designee. If as a result of County's fiscal review process a disallowance is discovered due to
28 Contractor's deficiency, Contractor shall be financially liable for the amount previously paid by
9
1 County to Contractor and this disallowance will be adjusted from Contractor's future payments,
2 at the discretion of County's DPH Director or designee. In addition, County shall have the sole
3 discretion in the determination of fiscal review outcomes, decisions and actions.
4 8.10 Single Audit Clause.
5 (A) If Contractor expends Seven Hundred Fifty Thousand Dollars ($750,000) or more
6 Federal and Federal flow-through monies, Contractor agrees to conduct an annual audit
7 in accordance with the requirements of the Single Audit Standards as set forth in Office
8 of Management and Budget (OMB) Title 2 of the Code of Federal Regulations, Chapter
9 11, Part 200. Contractor shall submit said audit and management letter to County. The
10 audit must include a statement of findings or a statement that there were no findings. If
11 there were negative findings, Contractor must include a corrective action plan signed by
12 an authorized individual. Contractor agrees to take action to correct any material non-
13 compliance or weakness found as a result of such audit. Such audit shall be delivered
14 to County's DPH Administration for review within nine (9) months of the end of any fiscal
15 year in which funds were expended and/or received for the program. Failure to perform
16 the requisite audit functions as required by this Agreement may result in County
17 performing the necessary audit tasks, or at the County's option, contracting with a public
18 accountant to perform said audit, or, may result in the inability of County to enter into
19 future agreements with the Contractor.
20 (B) A single audit report is not applicable if all Contractor's Federal contracts do not
21 exceed the Seven Hundred Fifty Thousand Dollars ($750,000) requirement or
22 Contractor's federal funding is through Drug Medi-Cal.
23 Article 9
24 Confidentiality
25 9.1 Confidentiality. All services performed by the Contractor under this Agreement
26 shall be in strict conformance with all applicable Federal, State of California and/or local laws
27 and regulations relating to confidentiality. In addition, Contractor agrees to abide by the terms
28 and conditions of the Business Associate Agreement attached hereto as Exhibit E.
10
1 Article 10
2 Independent Contractor
3 10.1 Status. In performing under this Agreement, the Contractor, including its officers,
4 agents, employees, and volunteers, is at all times acting and performing as an independent
5 contractor, in an independent capacity, and not as an officer, agent, servant, employee,joint
6 venturer, partner, or associate of the County.
7 10.2 Verifying Performance. The County has no right to control, supervise, or direct the
8 manner or method of the Contractor's performance under this Agreement, but the County may
9 verify that the Contractor is performing according to the terms of this Agreement.
10 10.3 Benefits. Because of its status as an independent contractor, the Contractor has no
11 right to employment rights or benefits available to County employees. The Contractor is solely
12 responsible for providing to its own employees all employee benefits required by law. The
13 Contractor shall save the County harmless from all matters relating to the payment of
14 Contractor's employees, including compliance with Social Security withholding and all related
15 regulations.
16 10.4 Services to Others. The parties acknowledge that, during the term of this
17 Agreement, the Contractor may provide services to others unrelated to the County.
18 Article 11
19 Indemnity and Defense
20 11.1 Indemnity. The Contractor shall indemnify and hold harmless and defend the
21 County (including its officers, agents, employees, and volunteers) against all claims, demands,
22 injuries, damages, costs, expenses (including attorney fees and costs), fines, penalties, and
23 liabilities of any kind to the County, the Contractor, or any third party that arise from or relate to
24 the performance or failure to perform by the Contractor (or any of its officers, agents,
25 subcontractors, or employees) under this Agreement. The County may conduct or participate in
26 its own defense without affecting the Contractor's obligation to indemnify and hold harmless or
27 defend the County.
28 11.2 Survival. This Article 10 survives the termination of this Agreement.
11
1 Article 12
2 Insurance
3 12.1 The Contractor shall comply with all the insurance requirements in Exhibit D to this
4 Agreement.
5 Article 13
6 Inspections, Audits, and Public Records
7 13.1 Inspection of Documents. The Contractor shall make available to the County, and
8 the County may examine at any time during business hours and as often as the County deems
9 necessary, all of the Contractor's records and data with respect to the matters covered by this
10 Agreement, excluding attorney-client privileged communications. The Contractor shall, upon
11 request by the County, permit the County to audit and inspect all of such records and data to
12 ensure the Contractor's compliance with the terms of this Agreement.
13 13.2 State Audit Requirements. If the compensation to be paid by the County under this
14 Agreement exceeds $10,000, the Contractor is subject to the examination and audit of the
15 California State Auditor, as provided in Government Code section 8546.7, for a period of three
16 years after final payment under this Agreement. This section survives the termination of this
17 Agreement. Additional Federal audit requirements may apply if any portion of the compensation
18 to be paid by the County under this Agreement is also provided by Federal funding.
19 13.3 Public Records. The County is not limited in any manner with respect to its public
20 disclosure of this Agreement or any record or data that the Contractor may provide to the
21 County. The County's public disclosure of this Agreement or any record or data that the
22 Contractor may provide to the County may include but is not limited to the following:
23 (A) The County may voluntarily, or upon request by any member of the public or
24 governmental agency, disclose this Agreement to the public or such governmental
25 agency.
26 (B) The County may voluntarily, or upon request by any member of the public or
27 governmental agency, disclose to the public or such governmental agency any record or
28
12
1 data that the Contractor may provide to the County, unless such disclosure is prohibited
2 by court order.
3 (C)This Agreement, and any record or data that the Contractor may provide to the
4 County, is subject to public disclosure under the Ralph M. Brown Act (California
5 Government Code, Title 5, Division 2, Part 1, Chapter 9, beginning with section 54950).
6 (D)This Agreement, and any record or data that the Contractor may provide to the
7 County, is subject to public disclosure as a public record under the California Public
8 Records Act (California Government Code, Title 1, Division 7, Chapter 3.5, beginning
9 with section 6250) ("CPRA").
10 (E) This Agreement, and any record or data that the Contractor may provide to the
11 County, is subject to public disclosure as information concerning the conduct of the
12 people's business of the State of California under California Constitution, Article 1,
13 section 3, subdivision (b).
14 (F) Any marking of confidentiality or restricted access upon or otherwise made with
15 respect to any record or data that the Contractor may provide to the County shall be
16 disregarded and have no effect on the County's right or duty to disclose to the public or
17 governmental agency any such record or data.
18 13.4 Public Records Act Requests. If the County receives a written or oral request
19 under the CPRA to publicly disclose any record that is in the Contractor's possession or control,
20 and which the County has a right, under any provision of this Agreement or applicable law, to
21 possess or control, then the County may demand, in writing, that the Contractor deliver to the
22 County, for purposes of public disclosure, the requested records that may be in the possession
23 or control of the Contractor. Within five business days after the County's demand, the
24 Contractor shall (a) deliver to the County all of the requested records that are in the Contractor's
25 possession or control, together with a written statement that the Contractor, after conducting a
26 diligent search, has produced all requested records that are in the Contractor's possession or
27 control, or (b) provide to the County a written statement that the Contractor, after conducting a
28 diligent search, does not possess or control any of the requested records. The Contractor shall
13
1 cooperate with the County with respect to any County demand for such records. If the
2 Contractor wishes to assert that any specific record or data is exempt from disclosure under the
3 CPRA or other applicable law, it must deliver the record or data to the County and assert the
4 exemption by citation to specific legal authority within the written statement that it provides to
5 the County under this section. The Contractor's assertion of any exemption from disclosure is
6 not binding on the County, but the County will give at least 10 days' advance written notice to
7 the Contractor before disclosing any record subject to the Contractor's assertion of exemption
8 from disclosure. The Contractor shall indemnify the County for any court-ordered award of costs
9 or attorney's fees under the CPRA that results from the Contractor's delay, claim of exemption,
10 failure to produce any such records, or failure to cooperate with the County with respect to any
11 County demand for any such records.
12 Article 14
13 Disclosure of Self-Dealing Transactions
14 14.1 Applicability. This Article 11 applies if the Contractor is operating as a corporation,
15 or changes its status to operate as a corporation.
16 14.2 Duty to Disclose. If any member of the Contractor's board of directors is party to a
17 self-dealing transaction, he or she shall disclose the transaction by completing and signing a
18 "Self-Dealing Transaction Disclosure Form" (Exhibit C to this Agreement) and submitting it to
19 the County before commencing the transaction or immediately after.
20 14.3 Definition. "Self-dealing transaction" means a transaction to which the Contractor is
21 a party and in which one or more of its directors, as an individual, has a material financial
22 interest.
23 Article 15
24 General Terms
25 15.1 Modification. Except as provided in Article 6, "Termination and Suspension," this
26 Agreement may not be modified, and no waiver is effective, except by written agreement signed
27 by both parties. Notwithstanding the above, changes to object levels in the budget, attached
28 hereto as Exhibit B, that do not exceed ten percent (10%) of the maximum compensation
14
1 payable to the Contractor, may be made with the written approval of the County's Department of
2 Public Health Director, or designee. The ten percent (10%) budget modification maximum
3 applies to the cumulative adjustments made through the life of the Agreement. Additionally,
4 said budget changes shall not result in any change to the maximum compensation amount
5 payable to Contractor, nor shall it reduce the delivery of services or significantly modify the
6 scope of the services originally intended and approved under this Agreement, as stated herein.
7 The Contractor acknowledges that County employees have no authority to modify this
8 Agreement except as expressly provided in this Agreement.
9 15.2 Non-Assignment. Neither party may assign its rights or delegate its obligations
10 under this Agreement without the prior written consent of the other party.
11 15.3 Governing Law. The laws of the State of California govern all matters arising from
12 or related to this Agreement.
13 15.4 Jurisdiction and Venue. This Agreement is signed and performed in Fresno
14 County, California. Contractor consents to California jurisdiction for actions arising from or
15 related to this Agreement, and, subject to the Government Claims Act, all such actions must be
16 brought and maintained in Fresno County.
17 15.5 Construction. The final form of this Agreement is the result of the parties' combined
18 efforts. If anything in this Agreement is found by a court of competent jurisdiction to be
19 ambiguous, that ambiguity shall not be resolved by construing the terms of this Agreement
20 against either party.
21 15.6 Days. Unless otherwise specified, "days" means calendar days.
22 15.7 Headings. The headings and section titles in this Agreement are for convenience
23 only and are not part of this Agreement.
24 15.8 Severability. If anything in this Agreement is found by a court of competent
25 jurisdiction to be unlawful or otherwise unenforceable, the balance of this Agreement remains in
26 effect, and the parties shall make best efforts to replace the unlawful or unenforceable part of
27 this Agreement with lawful and enforceable terms intended to accomplish the parties' original
28 intent.
15
1 15.9 Nondiscrimination. During the performance of this Agreement, the Contractor shall
2 not unlawfully discriminate against any employee or applicant for employment, or recipient of
3 services, because of race, religious creed, color, national origin, ancestry, physical disability,
4 mental disability, medical condition, genetic information, marital status, sex, gender, gender
5 identity, gender expression, age, sexual orientation, military status or veteran status pursuant to
6 all applicable State of California and federal statutes and regulation.
7 15.10 No Waiver. Payment, waiver, or discharge by the County of any liability or obligation
8 of the Contractor under this Agreement on any one or more occasions is not a waiver of
9 performance of any continuing or other obligation of the Contractor and does not prohibit
10 enforcement by the County of any obligation on any other occasion.
11 15.11 Entire Agreement. This Agreement, including its exhibits, is the entire agreement
12 between the Contractor and the County with respect to the subject matter of this Agreement,
13 and it supersedes all previous negotiations, proposals, commitments, writings, advertisements,
14 publications, and understandings of any nature unless those things are expressly included in
15 this Agreement. If there is any inconsistency between the terms of this Agreement without its
16 exhibits and the terms of the exhibits, then the inconsistency will be resolved by giving
17 precedence first to the terms of this Agreement without its exhibits, and then to the terms of the
18 exhibits.
19 15.12 No Third-Party Beneficiaries. This Agreement does not and is not intended to
20 create any rights or obligations for any person or entity except for the parties.
21 15.13 Authorized Signature. The Contractor represents and warrants to the County that:
22 (A) The Contractor is duly authorized and empowered to sign and perform its
23 obligations under this Agreement.
24 (B) The individual signing this Agreement on behalf of the Contractor is duly
25 authorized to do so and his or her signature on this Agreement legally binds the
26 Contractor to the terms of this Agreement.
27 15.14 Electronic Signatures. The parties agree that this Agreement may be executed by
28 electronic signature as provided in this section.
16
1 (A) An "electronic signature" means any symbol or process intended by an individual
2 signing this Agreement to represent their signature, including but not limited to (1) a
3 digital signature; (2) a faxed version of an original handwritten signature; or (3) an
4 electronically scanned and transmitted (for example by PDF document) version of an
5 original handwritten signature.
6 (B) Each electronic signature affixed or attached to this Agreement (1) is deemed
7 equivalent to a valid original handwritten signature of the person signing this Agreement
8 for all purposes, including but not limited to evidentiary proof in any administrative or
9 judicial proceeding, and (2) has the same force and effect as the valid original
10 handwritten signature of that person.
11 (C)The provisions of this section satisfy the requirements of Civil Code section
12 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3,
13 Part 2, Title 2.5, beginning with section 1633.1).
14 (D) Each party using a digital signature represents that it has undertaken and
15 satisfied the requirements of Government Code section 16.5, subdivision (a),
16 paragraphs (1) through (5), and agrees that each other party may rely upon that
17 representation.
18 (E) This Agreement is not conditioned upon the parties conducting the transactions
19 under it by electronic means and either party may sign this Agreement with an original
20 handwritten signature.
21 15.15 Counterparts. This Agreement may be signed in counterparts, each of which is an
22 original, and all of which together constitute this Agreement.
23 [SIGNATURE PAGE FOLLOWS]
24
25
26
27
28
17
1 The parties are signing this Agreement on the date stated in the introductory clause.
2
PINNACLE TRAINING SYSTEMS, LLC COUNTY OF FRESNO
3
4
5 is Gomez, Owner SqqrQ nXr6, hairman of the Board of
SkoaWidem.0the County of Fresno
6 6011 N. Fresno St., Suite 120
Fresno, CA 93721 Attest:
7 Bemire Seidel
Clerk of the Board of Supervisors
8 County of Fresno, State of California
9
By:
10 Deputy
11 For accounting use only:
12 Org No.: 56201018
Account No.: 7295
13 Fund No.: 0001
Subclass No.:10000
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
18
r
Exhibit A
1 Scope of Services
2 COVID-19 VACCINE PROGRAM SERVICES
3
4 PTS shall provide the Services to the CLIENT as set forth below, upon the terms and conditions
set forth in this Agreement. The CLIENT and PTS may amend this Schedule, by written
5 agreement between the Parties, from time to time during the Term of the Agreement and/or any
6 renewal period.
7 PTS shall provide the following COVID-19 Vaccines: (1) COVID-19 Vaccine. PTS shall provide
Flu Vaccines. Additionally, PTS shall provide reporting of vaccines administered as set forth
8 below.
9 Staff performing the vaccines will be licensed staff within their scope of practice allowed under
the State law. All PTS Staff will be trained to conduct the administration of the vaccines
10 according to the manufacturer's specifications and instructions. Vaccine storage and associated
reporting will be provided as per County, CDC, and manufacturing instructions. Vaccine and
11 administration and protocols will be compliant with applicable federal and state law.
12 PTS will administer the COVID-19 and Flu vaccines at various CLIENT locations. The vaccine
13 administration will be provided to CLIENT's employees referred by CLIENT.
14 Individuals to be vaccinated will be required to complete a questionnaire and waiver (one time)
prior to vaccine administration.
15 The CLIENT will provide the following:
16 . Support with enrolling in vaccine programs as needed.
17 • Support with vaccine storage and handling equipment as needed and as supplies are
18 available.
19 • Assist with promotion of events by posting on the County of Fresno Department of Public
Health website.
20 PTS will be responsible for the following:
21 PTS will coordinate vaccine events, including securing a venue, scheduling of dates and
22 times, and promoting the events.
23 • PTS will enroll as a Provider in the federal COVID-19 Vaccination Program, utilizing the
California Department of Public Health's (CDPH) enrollment portal and agree and
24 adhere to all requirements specified in the Provider agreement. When enrolled, PTS will
be responsible for ordering the appropriate amount of vaccine and ancillary supplies for
25 receipt prior to the event.
26 PTS shall administer the vaccine and enter all vaccinations into the local immunization
27 registry (CAIR) within 24 hours of administration PTS is encouraged to utilize MyTurn for
vaccine events and vaccine administration; if this method is utilized, vaccinations will be
28 automatically sent to CAIR within 24-48 hours
A-1
Exhibit A
1 • PTS will provide all office supplies, ancillary medical supplies not included with vaccine,
2 PPE, tables, chairs, tents, etc., when needed.
• COVID-19 vaccines, ancillary supplies are expected to be provided through CDPH in the
3 quantity noted below per 100 vaccine doses, however, should CDPH no longer provide
4 these supplies, PTS would be expected to obtain any needed supplies:
5 o 105 needles
6 o 105 syringes
7 0 210 alcohol prep pads
o 1 needle information card
8
o 100 vaccination cards
9
o 2 disposable face shields
10
o 4 surgical masks
11
PTS will provide to CLIENT a method through which Vaccine Events can be requested.
12
• Vaccine will be stored, handled, and transported according to CDC or VFC
13 recommendations, such as noted in on VFC's EZIZ website and CDC's Vaccine Storage
and Handling Toolkit, linked here:
14
o https://eziz.org/vaccine-storage/monitoring-temperature/
15
o https://www.cdc.gov/vaccines/hcp/admin/storage/toolkit/index.html
16
• PTS will document any wasted vaccine doses per CDPH and DPH guidance, which may
17 vary based on the vaccine type and vaccine program.
18 • PTS Staff shall complete any training required by the vaccine program(s) PTS
participates in (i.e, CDPH COVID Vaccine Program or State Flu Partner Program), PTS
19 Staff will complete the required training and at the interval required by the program(s).
20 . Per federal regulations, PTS will provide the appropriate EUA (Emergency Use
21 Authorization) document or VIS (Vaccine Information Statement) to all vaccine recipients
prior to administering any vaccine:
22 PTS will report to VAERS any administration error(s) and adverse event(s) per the
23
• instructions at websites listed below:
24 o https://www.cdc.gov/vaccinesafety/ensuringsafety/monitoring/vaers/reportingaes.
html
25
o https:Hvaers.hhs.gov/docsNAERS Table of Reportable Events Following Vac
26 cination.pdf
27 o https://www.cdc.qov/vaccinesafetv/ensuringsafety/monitoring/vaers/reportingaes.
html#anchor 1617059048753
28
A-2
Exhibit A
1 . PTS will also report any additional select adverse events and/or any revised safety
reporting requirements per FDA's conditions of authorized use of vaccine(s) throughout
2 the duration of any COVID-19 Vaccine being authorized under an Emergency Use
3 Authorization (EUA).
4 • Per CAIR regulations, PTS will provide a paper copy of CAR notification or post CAR
Notification poster near registration. Details regarding notification are available at the
5 following website: icip://cdii vvuu.urg/caic/-aisciosure-wiit y/
6 • PTS will make provision of patients with a history of anaphylaxis (due to any cause) to
remain for observation for 30 minutes. For all other persons, observation period is 15
7 minutes. PTS may adjust these observation periods based on CDC, CDPH, and local
8 recommendations.
9 . In the event of anaphylactic reaction, PTS will maintain appropriate emergency
equipment at the event to manage anaphylaxis resulting from vaccination and will follow
10 CDC recommended equipment linked here: nttps://www.cdc.gov/vaccines/covid-19/info-
by-product/pfizer/anaphylaxis-management.html. Equipment supply should be sufficient
11 to manage multiple patients experiencing anaphylaxis.
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
A-3
Exhibit B
1 Compensation
2 The Contractor will be compensated for the performance of its services under this
3 Agreement as provided in this Exhibit B. The Contractor is not entitled to any compensation
4 except as expressly provided in this Exhibit B.
5 In consideration of the Services provided by Contractor, the CLIENT shall pay
6 Contractor in accordance with the terms set forth below. The CLIENT and Contractor may
7 amend this Schedule, by written Agreement between the Parties, from time to time during the
8 Term and/or any renewal period.
9 Compensation for the period 01/01/2023 through Agreement Termination:
10 1. $[2,4001 per event fee with a minimum quota of (1-49) encounters, and/or 1 to 2-hour
single event.
11 2. $[4,2001 per event fee with a minimum quota of (50-149) encounters, and/or 1 to 2-hour
single event.
12 3. $[7,5001 per event fee with a minimum quota of(150-300) encounters, and/or 2 to 5-hour
13 events.
4. $[12,0001 per event fee with a minimum quota of(301-500) encounters, and/or 5 to 8-hour
14 events.
5. l 7,0001 per event fee with a minimum quota of(501-750) encounters, and/or 5 to 8-hour
15 single event.
6. $[23,0001 per event fee with a minimum quota of (751-1,000) encounters, and/or 5 to 8-
16 hour single event.
17
Note: The word "event" covers any venue where a vaccination clinic is held.
18
19
20
21
22
23
24
25
26
27
28
B-1
Exhibit C
Self-Dealing Transaction Disclosure Form
In order to conduct business with the County of Fresno ("County"), members of a
contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions
that they are a party to while providing goods, performing services, or both for the County. A
self-dealing transaction is defined below:
"A self-dealing transaction means a transaction to which the corporation is a party and in
which one or more of its directors has a material financial interest."
The definition above will be used for purposes of completing this disclosure form.
Instructions
(1) Enter board member's name, job title (if applicable), and date this disclosure is being
made.
(2) Enter the board member's company/agency name and address.
(3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the
County. At a minimum, include a description of the following:
a. The name of the agency/company with which the corporation has the transaction;
and
b. The nature of the material financial interest in the Corporation's transaction that
the board member has.
(4) Describe in detail why the self-dealing transaction is appropriate based on applicable
provisions of the Corporations Code.
The form must be signed by the board member that is involved in the self-dealing
transaction described in Sections (3) and (4).
C-1
Exhibit C
(1) Company Board Member Information:
Name: Date:
Job Title:
(2) Company/Agency Name and Address:
(3) Disclosure (Please describe the nature of the self-dealing transaction you are a
party to)
(4) Explain why this self-dealing transaction is consistent with the requirements of
Corporations Code § 5233 (a)
(5) Authorized Signature
Signature: Date:
C-2
Exhibit D
Insurance Requirements
1. Required Policies
Without limiting the County's right to obtain indemnification from the Contractor or any third
parties, Contractor, at its sole expense, shall maintain in full force and effect the following
insurance policies or a program of self-insurance, including but not limited to, an insurance
pooling arrangement or Joint Powers Agreement (JPA) throughout the term of this Agreement.
(A) Commercial General Liability. Commercial general liability insurance with limits of not
less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of
Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis.
Coverage must include products, completed operations, property damage, bodily injury,
personal injury, and advertising injury. The Contractor shall obtain an endorsement to
this policy naming the County of Fresno, its officers, agents, employees, and volunteers,
individually and collectively, as additional insureds, but only insofar as the operations
under this Agreement are concerned. Such coverage for additional insureds will apply as
primary insurance and any other insurance, or self-insurance, maintained by the County
is excess only and not contributing with insurance provided under the Contractor's
policy. COUNTY may require specific coverages including completed operations,
products liability, contractual liability or any other liability insurance deemed necessary
because of the nature of this contract.
(B) Automobile Liability. Automobile liability insurance with limits of not less than One
Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages.
Coverage must include any auto used in connection with this Agreement.
(C)Workers Compensation. Workers compensation insurance as required by the laws of
the State of California with statutory limits.
(D) Employer's Liability. Employer's liability insurance with limits of not less than One
Million Dollars ($1,000,000) per occurrence for bodily injury and for disease.
(E) Professional Liability. Professional liability insurance with limits of not less than One
Million Dollars ($1,000,000) per occurrence and an annual aggregate of Three Million
Dollars ($3,000,000). If this is a claims-made policy, then (1) the retroactive date must
be prior to the date on which services began under this Agreement; (2) the Contractor
shall maintain the policy and provide to the County annual evidence of insurance for not
less than five years after completion of services under this Agreement; and (3) if the
policy is canceled or not renewed, and not replaced with another claims-made policy
with a retroactive date prior to the date on which services begin under this Agreement,
then the Contractor shall purchase extended reporting coverage on its claims-made
policy for a minimum of five years after completion of services under this Agreement.
(F) Molestation Liability. Sexual abuse / molestation liability insurance with limits of not
less than Two Million Dollars ($2,000,000) per occurrence, with an annual aggregate of
Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis.
(G)Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars
($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The
cyber liability policy must be endorsed to cover the full replacement value of damage to,
D-1
Exhibit D
alteration of, loss of, or destruction of intangible property (including but not limited to
information or data) that is in the care, custody, or control of the Contractor.
Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security
Breach, which may include Disclosure of Personal Information to an Unauthorized Third
Party; (ii) data breach; (iii) breach of any of the Contractor's obligations under Exhibit F
of this Agreement; (iv) system failure; (v) data recovery; (vi)failure to timely disclose
data breach or Security Breach; (vii)failure to comply with privacy policy; (viii) payment
card liabilities and costs; (ix) infringement of intellectual property, including but not
limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy,
including release of private information; (xi) information theft; (xii) damage to or
destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion
related to the Contractor's obligations under this Agreement regarding electronic
information, including Personal Information; (xv) fraudulent instruction; (xvi) funds
transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response
costs, including Security Breach response costs; (xx) regulatory fines and penalties
related to the Contractor's obligations under this Agreement regarding electronic
information, including Personal Information; and (xxi) credit monitoring expenses.
2. Additional Requirements
(A) Verification of Coverage. Within 30 days after the Contractor signs this Agreement,
and at any time during the term of this Agreement as requested by the County's Risk
Manager or the County Administrative Office, the Contractor shall deliver, or cause its
broker or producer to deliver, to the County of Fresno, Department of Public Health, P.O.
Box 11867, Fresno, CA 93775, Attention: Contracts Section —6t" Floor, or email,
DPHContracts@fresnocountyca.gov, certificates of insurance and endorsements for all
of the coverages required under this Agreement.
(i) Each insurance certificate must state that: (1) the insurance coverage has been
obtained and is in full force; (2) the County, its officers, agents, employees, and
volunteers are not responsible for any premiums on the policy; and (3) the
Contractor has waived its right to recover from the County, its officers, agents,
employees, and volunteers any amounts paid under any insurance policy
required by this Agreement and that waiver does not invalidate the insurance
policy.
(ii) The commercial general liability insurance certificate must also state, and include
an endorsement, that the County of Fresno, its officers, agents, employees, and
volunteers, individually and collectively, are additional insureds insofar as the
operations under this Agreement are concerned. The commercial general liability
insurance certificate must also state that the coverage shall apply as primary
insurance and any other insurance, or self-insurance, maintained by the County
shall be excess only and not contributing with insurance provided under the
Contractor's policy.
(iii) The automobile liability insurance certificate must state that the policy covers any
auto used in connection with this Agreement.
D-2
Exhibit D
(iv) The professional liability insurance certificate, if it is a claims-made policy, must
also state the retroactive date of the policy, which must be prior to the date on
which services began under this Agreement.
(v) The technology professional liability insurance certificate must also state that
coverage encompasses all of the Contractor's obligations under this Agreement,
including but not limited to claims involving Cyber Risks, as that term is defined in
this Agreement.
(vi) The cyber liability insurance certificate must also state that it is endorsed, and
include an endorsement, to cover the full replacement value of damage to,
alteration of, loss of, or destruction of intangible property (including but not limited
to information or data) that is in the care, custody, or control of the Contractor.
(B) Acceptability of Insurers. All insurance policies required under this Agreement must be
issued by admitted insurers licensed to do business in the State of California and
possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no
less than A: VII.
(C) Notice of Cancellation or Change. For each insurance policy required under this
Agreement, the Contractor shall provide to the County, or ensure that the policy requires
the insurer to provide to the County, written notice of any cancellation or change in the
policy as required in this paragraph. For cancellation of the policy for nonpayment of
premium, the Contractor shall, or shall cause the insurer to, provide written notice to the
County not less than 10 days in advance of cancellation. For cancellation of the policy
for any other reason, and for any other change to the policy, the Contractor shall, or shall
cause the insurer to, provide written notice to the County not less than 30 days in
advance of cancellation or change. The County in its sole discretion may determine that
the failure of the Contractor or its insurer to timely provide a written notice required by
this paragraph is a breach of this Agreement.
(D) County's Entitlement to Greater Coverage. If the Contractor has or obtains insurance
with broader coverage, higher limits, or both, than what is required under this
Agreement, then the County requires and is entitled to the broader coverage, higher
limits, or both. To that end, the Contractor shall deliver, or cause its broker or producer
to deliver, to the County's Risk Manager certificates of insurance and endorsements for
all of the coverages that have such broader coverage, higher limits, or both, as required
under this Agreement.
(E) Waiver of Subrogation. The Contractor waives any right to recover from the County, its
officers, agents, employees, and volunteers any amounts paid under the policy of
worker's compensation insurance required by this Agreement. The Contractor is solely
responsible to obtain any policy endorsement that may be necessary to accomplish that
waiver, but the Contractor's waiver of subrogation under this paragraph is effective
whether or not the Contractor obtains such an endorsement.
(F) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails to keep
in effect at all times any insurance coverage required under this Agreement, the County
may, in addition to any other remedies it may have, suspend or terminate this
Agreement upon the occurrence of that failure, or purchase such insurance coverage,
D-3
Exhibit D
and charge the cost of that coverage to the Contractor. The County may offset such
charges against any amounts owed by the County to the Contractor under this
Agreement.
(G)Subcontractors. The Contractor shall require and verify that all subcontractors used by
the Contractor to provide services under this Agreement maintain insurance meeting all
insurance requirements provided in this Agreement. This paragraph does not authorize
the Contractor to provide services under this Agreement using subcontractors.
D-4
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
1. The County is a "Covered Entity," and the Contractor is a "Business Associate,"
as these terms are defined by 45 CFR 160.103. In connection with providing services under the
Agreement, the parties anticipate that the Contractor will create and/or receive Protected Health
Information ("PHI") from or on behalf of the County. The parties enter into this Business
Associate Agreement (BAA) to comply with the Business Associate requirements of HIPAA, to
govern the use and disclosures of PHI under this Agreement. "HIPAA Rules" shall mean the
Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
The parties to this Agreement shall be in strict conformance with all applicable federal
and State of California laws and regulations, including, but not limited to California Welfare and
Institutions Code sections 5328, 10850, and 14100.2 et seq.; 42 CFR 2; 42 CFR 431; California
Civil Code section 56 et seq.; the Health Insurance Portability and Accountability Act of 1996, as
amended ("HIPAA"), including, but not limited to, 45 CFR Parts160, 45 CFR 162, and 45 CFR
164; the Health Information Technology for Economic and Clinical Health Act ("HITECH")
regarding the confidentiality and security of patient information, including, but not limited to 42
USC 17901 et seq.; and the Genetic Information Nondiscrimination Act ("GINA") of 2008
regarding the confidentiality of genetic information.
Except as otherwise provided in this Agreement, the Contractor, as a business associate
of the County, may use or disclose Protected Health Information ("PHI") to perform functions,
activities or services for or on behalf of the County, as specified in this Agreement, provided that
such use or disclosure shall not violate HIPAA Rules. The uses and disclosures of PHI may not
be more expansive than those applicable to the County, as the "Covered Entity" under the
HIPAA Rules, except as authorized for management, administrative or legal responsibilities of
the Contractor.
2. The Contractor, including its subcontractors and employees, shall protect from
unauthorized access, use, or disclosure of names and other identifying information, including
genetic information, concerning persons receiving services pursuant to this Agreement, except
E-1
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
where permitted in order to carry out data aggregation purposes for health care operations [45
CFR §§ 164.504(e)(2)(i), 164.504(e)(2)(ii)(A), and 164.504(e)(4)(i)]. This pertains to any and all
persons receiving services pursuant to a County-funded program. This requirement applies to
electronic PHI. The Contractor shall not use such identifying information or genetic information
for any purpose other than carrying out the Contractor's obligations under this Agreement.
3. The Contractor, including its subcontractors and employees, shall not disclose
any such identifying information or genetic information to any person or entity, except as
otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164
or other law, required by the Secretary of the United States Department of Health and Human
Services ("Secretary"), or authorized by the client/patient in writing. In using or disclosing PHI
that is permitted by this Agreement or authorized by law, the Contractor shall make reasonable
efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure
or request.
4. For purposes of the above sections, identifying information shall include, but not
be limited to, name, identifying number, symbol, or other identifying particular assigned to the
individual, such as fingerprint or voiceprint, or photograph.
5. For purposes of the above sections, genetic information shall include genetic
tests of family members of an individual or individual(s), manifestation of disease or disorder of
family members of an individual, or any request for or receipt of genetic services by individual or
family members. Family member means a dependent or any person who is first, second, third,
or fourth degree relative.
6. The Contractor shall provide access, at the request of the County, and in the time
and manner designated by the County, to PHI in a designated record set (as defined in 45 CFR
§ 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR §
164.524 regarding access by individuals to their PHI. With respect to individual requests,
access shall be provided within thirty (30) days from request. Access may be extended if the
E-2
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
Contractor cannot provide access and provides the individual with the reasons for the delay and
the date when access may be granted. PHI shall be provided in the form and format requested
by the individual or the County.
The Contractor shall make any amendment(s) to PHI in a designated record set at the
request of the County or individual, and in the time and manner designated by the County in
accordance with 45 CFR § 164.526.
The Contractor shall provide to the County or to an individual, in a time and manner
designated by the County, information collected in accordance with 45 CFR § 164.528, to permit
the County to respond to a request by the individual for an accounting of disclosures of PHI in
accordance with 45 CFR § 164.528.
7. The Contractor shall report to the County, in writing, any knowledge or
reasonable belief that there has been unauthorized access, viewing, use, disclosure, security
incident, or breach of unsecured PHI not permitted by this Agreement of which the Contractor
becomes aware, immediately and without reasonable delay and in no case later than two (2)
business days of discovery. Immediate notification shall be made to the County's Information
Security Officer and Privacy Officer and the County's Department of Public Health ("DPH")
HIPAA Representative, within two (2) business days of discovery. The notification shall include,
to the extent possible, the identification of each individual whose unsecured PHI has been, or is
reasonably believed to have been, accessed, acquired, used, disclosed, or breached. The
Contractor shall take prompt corrective action to cure any deficiencies and any action pertaining
to such unauthorized disclosure required by applicable federal and State laws and regulations.
The Contractor shall investigate such breach and is responsible for all notifications required by
law and regulation or deemed necessary by the County and shall provide a written report of the
investigation and reporting required to the County's Information Security Officer and Privacy
Officer and the County's DPH HIPAA Representative.
This written investigation and description of any reporting necessary shall be
E-3
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
postmarked within the thirty (30) working days of the discovery of the breach to the addresses
below:
County of Fresno County of Fresno County of Fresno
Department of Public Health Department of Public Health Department of Internal
HIPAA Representative Privacy Officer Services
(559) 600-6439 (559) 600-6405 Information Security Officer
P.O. Box 11867 P.O. Box 11867 (559) 600-5800
Fresno, California 93775 Fresno, California 93775 333 W. Pontiac Way
Clovis, California 93612
8. The Contractor shall make its internal practices, books, and records relating to
the use and disclosure of PHI received from the County, or created or received by the
Contractor on behalf of the County, in compliance with HIPAA's Privacy Rule, including, but not
limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. The Contractor
shall make its internal practices, books, and records relating to the use and disclosure of PHI
received from the County, or created or received by the Contractor on behalf of the County,
available to the Secretary upon demand.
The Contractor shall cooperate with the compliance and investigation reviews conducted
by the Secretary. PHI access to the Secretary must be provided during the Contractor's normal
business hours; however, upon exigent circumstances access at any time must be granted.
Upon the Secretary's compliance or investigation review, if PHI is unavailable to the Contractor
and in possession of a subcontractor of the Contractor, the Contractor must certify to the
Secretary its efforts to obtain the information from the subcontractor.
9. Safeguards
The Contractor shall implement administrative, physical, and technical safeguards as
required by the HIPAA Security Rule, Subpart C of 45 CFR Part 164, that reasonably and
appropriately protect the confidentiality, integrity, and availability of PHI, including electronic
PHI, that it creates, receives, maintains or transmits on behalf of the County and to prevent
unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by
this Agreement. The Contractor shall conduct an accurate and thorough assessment of the
E-4
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI.
The Contractor shall develop and maintain a written information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and
complexity of the Contractor's operations and the nature and scope of its activities. Upon the
County's request, the Contractor shall provide the County with information concerning such
safeguards.
The Contractor shall implement strong access controls and other security safeguards
and precautions in order to restrict logical and physical access to confidential, personal (e.g.,
PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include
the following administrative and technical password controls for all systems used to process or
store confidential, personal, or sensitive data:
A. Passwords must not be:
(1) Shared or written down where they are accessible or recognizable by anyone
else; such as taped to computer screens, stored under keyboards, or visible
in a work area;
(2) A dictionary word; or
(3) Stored in clear text
B. Passwords must be:
(1) Eight (8) characters or more in length;
(2) Changed every ninety (90) days;
(3) Changed immediately if revealed or compromised; and
(4) Composed of characters from at least three (3) of the following four (4)
groups from the standard keyboard:
a) Upper case letters (A-Z);
b) Lowercase letters (a-z);
c) Arabic numerals (0 through 9); and
E-5
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
d) Non-alphanumeric characters (punctuation symbols).
The Contractor shall implement the following security controls on each workstation or
portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive
data:
1. Network-based firewall and/or personal firewall;
2. Continuously updated anti-virus software; and
3. Patch management process including installation of all operating system/software
vendor security patches.
The Contractor shall utilize a commercial encryption solution that has received FIPS
140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable
electronic media (including, but not limited to, compact disks and thumb drives) and on portable
computing devices (including, but not limited to, laptop and notebook computers).
The Contractor shall not transmit confidential, personal, or sensitive data via e-mail or
other internet transport protocol unless the data is encrypted by a solution that has been
validated by the National Institute of Standards and Technology (NIST) as conforming to the
Advanced Encryption Standard (AES) Algorithm. The Contractor must apply appropriate
sanctions against its employees who fail to comply with these safeguards. The Contractor must
adopt procedures for terminating access to PHI when employment of employee ends.
10. Mitigation of Harmful Effects
The Contractor shall mitigate, to the extent practicable, any harmful effect that is
suspected or known to the Contractor of an unauthorized access, viewing, use, disclosure, or
breach of PHI by the Contractor or its subcontractors in violation of the requirements of these
provisions. The Contractor must document suspected or known harmful effects and the
outcome.
11. The Contractor's Subcontractors
The Contractor shall ensure that any of its contractors, including subcontractors, if
E-6
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
applicable, to whom the Contractor provides PHI received from or created or received by the
Contractor on behalf of the County, agree to the same restrictions, safeguards, and conditions
that apply to the Contractor with respect to such PHI and to incorporate, when applicable, the
relevant provisions of these provisions into each subcontract or sub-award to such agents or
subcontractors.
Nothing in this section 11 or this Exhibit F authorizes the Contractor to perform services
under this Agreement using subcontractors.
12. Employee Training and Discipline
The Contractor shall train and use reasonable measures to ensure compliance with the
requirements of these provisions by employees who assist in the performance of functions or
activities on behalf of the County under this Agreement and use or disclose PHI, and discipline
such employees who intentionally violate any provisions of these provisions, which may include
termination of employment.
13. Termination for Cause
Upon the County's knowledge of a material breach of these provisions by the Contractor,
the County will either:
A. Provide an opportunity for the Contractor to cure the breach or end the
violation, and the County may terminate this Agreement if the Contractor does not cure the
breach or end the violation within the time specified by the County; or
B. Immediately terminate this Agreement if the Contractor has breached a
material term of this Exhibit F and cure is not possible, as determined by the County.
C. If neither cure nor termination is feasible, the County's Privacy Officer will
report the violation to the Secretary of the U.S. Department of Health and Human Services.
14. Judicial or Administrative Proceedings
The County may terminate this Agreement if: (1) the Contractor is found guilty in a
criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or
E-7
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
(2) there is a finding or stipulation in an administrative or civil proceeding in which the Contractor
is a party that the Contractor has violated a privacy or security standard or requirement of the
HITECH Act, HIPAA or other security or privacy laws.
15. Effect of Termination
Upon termination or expiration of this Agreement for any reason, the Contractor shall
return or destroy all PHI received from the County (or created or received by the Contractor on
behalf of the County) that the Contractor still maintains in any form, and shall retain no copies of
such PHI. If return or destruction of PHI is not feasible, the Contractor shall continue to extend
the protections of these provisions to such information, and limit further use of such PHI to those
purposes that make the return or destruction of such PHI infeasible. This provision applies to
PHI that is in the possession of subcontractors or agents, if applicable, of the Contractor. If the
Contractor destroys the PHI data, a certification of date and time of destruction shall be
provided to the County by the Contractor.
16. Compliance with Other Laws
To the extent that other state and/or federal laws provide additional, stricter and/or more
protective privacy and/or security protections to PHI or other confidential information covered
under this BAA, the Contractor agrees to comply with the more protective of the privacy and
security standards set forth in the applicable state or federal laws to the extent such standards
provide a greater degree of protection and security than HIPAA Rules or are otherwise more
favorable to the individual.
17. Disclaimer
The County makes no warranty or representation that compliance by the Contractor with
these provisions, the HITECH Act, or the HIPAA Rules, will be adequate or satisfactory for the
Contractor's own purposes or that any information in the Contractor's possession or control, or
transmitted or received by the Contractor, is or will be secure from unauthorized access,
viewing, use, disclosure, or breach. The Contractor is solely responsible for all decisions made
E-8
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
by the Contractor regarding the safeguarding of PHI.
18. Amendment
The parties acknowledge that Federal and State laws relating to electronic data security
and privacy are rapidly evolving and that amendment of this Exhibit F may be required to
provide for procedures to ensure compliance with such developments. The parties specifically
agree to take such action as is necessary to amend this agreement in order to implement the
standards and requirements of the HIPAA Rules, the HITECH Act and other applicable laws
relating to the security or privacy of PHI. The County may terminate this Agreement upon thirty
(30) days written notice in the event that the Contractor does not enter into an amendment
providing assurances regarding the safeguarding of PHI that the County in its sole discretion,
deems sufficient to satisfy the standards and requirements of the HIPAA Rules, and the
HITECH Act.
19. No Third-Party Beneficiaries
Nothing expressed or implied in the provisions of this Exhibit F is intended to confer, and
nothing in this Exhibit F does confer, upon any person other than the County or the Contractor
and their respective successors or assignees, any rights, remedies, obligations or liabilities
whatsoever.
20. Interpretation
The provisions of this Exhibit F shall be interpreted as broadly as necessary to
implement and comply with the HIPAA Rules, and applicable State laws. The parties agree that
any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a
meaning that complies and is consistent with the HIPAA Rules.
21. Regulatory References
A reference in the terms and conditions of these provisions to a section in the HIPAA
Rules means the section as in effect or as amended.
22. Survival
E-9
Exhibit E
Health Insurance Portability and Accountability Act (HIPAA)
The respective rights and obligations of the Contractor as stated in this Exhibit F survive
the termination or expiration of this Agreement.
23. No Waiver of Obligation
Change, waiver or discharge by the County of any liability or obligation of the Contractor
under this Exhibit F on any one or more occasions is not a waiver of performance of any
continuing or other obligation of the Contractor and does not prohibit enforcement by the County
of any obligation on any other occasion.
E-10
Exhibit F
Data Security
1. Definitions
Capitalized terms used in this Exhibit F have the meanings set forth in this section 1.
a. "Authorized Employees" means the Contractor's employees who have access to
Personal Information.
b. "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any and all
of the Contractor's subcontractors, representatives, agents, outsourcers, and
consultants, and providers of professional services to the Contractor, who have access
to Personal Information and are bound by law or in writing by confidentiality obligations
sufficient to protect Personal Information in accordance with the terms of this Exhibit F.
c. "Director" means the County's Director of the Department of Public Health or his or her
designee.
d. "Disclose" or any derivative of that word means to disclose, release, transfer,
disseminate, or otherwise provide access to or communicate all or any part of any
Personal Information orally, in writing, or by electronic or any other means to any person.
e. "Person" means any natural person, corporation, partnership, limited liability company,
firm, or association.
f. "Personal Information" means any and all information, including any data, provided, or
to which access is provided, to the Contractor by or upon the authorization of the
County, under this Agreement, including but not limited to vital records, that: (i) identifies,
describes, or relates to, or is associated with, or is capable of being used to identify,
describe, or relate to, or associate with, a person (including, without limitation, names,
physical descriptions, signatures, addresses, telephone numbers, e-mail addresses,
education, financial matters, employment history, and other unique identifiers, as well as
statements made by or attributable to the person); (ii) is used or is capable of being used
to authenticate a person (including, without limitation, employee identification numbers,
government-issued identification numbers, passwords or personal identification numbers
(PINs), financial account numbers, credit report information, answers to security
questions, and other personal identifiers); or (iii) is personal information within the
meaning of California Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision
(e). Personal Information does not include publicly available information that is lawfully
made available to the general public from federal, state, or local government records.
g. "Privacy Practices Complaint" means a complaint received by the County relating to
the Contractor's (or any Authorized Person's) privacy practices, or alleging a Security
Breach. Such complaint shall have sufficient detail to enable the Contractor to promptly
investigate and take remedial action under this Exhibit F.
h. "Security Safeguards" means physical, technical, administrative or organizational
security procedures and practices put in place by the Contractor (or any Authorized
Persons) that relate to the protection of the security, confidentiality, value, or integrity of
Personal Information. Security Safeguards shall satisfy the minimal requirements set
forth in section 3(C) of this Exhibit F.
F-1
Exhibit F
Data Security
i. "Security Breach" means (i) any act or omission that compromises either the security,
confidentiality, value, or integrity of any Personal Information or the Security Safeguards,
or (ii) any unauthorized Use, Disclosure, or modification of, or any loss or destruction of,
or any corruption of or damage to, any Personal Information.
j. "Use" or any derivative of that word means to receive, acquire, collect, apply,
manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose
of Personal Information.
2. Standard of Care
a. The Contractor acknowledges that, in the course of its engagement by the County under
this Agreement, the Contractor, or any Authorized Persons, may Use Personal
Information only as permitted in this Agreement.
b. The Contractor acknowledges that Personal Information is deemed to be confidential
information of, or owned by, the County (or persons from whom the County receives or
has received Personal Information) and is not confidential information of, or owned or by,
the Contractor, or any Authorized Persons. The Contractor further acknowledges that all
right, title, and interest in or to the Personal Information remains in the County (or
persons from whom the County receives or has received Personal Information)
regardless of the Contractor's, or any Authorized Person's, Use of that Personal
Information.
c. The Contractor agrees and covenants in favor of the Country that the Contractor shall:
i. keep and maintain all Personal Information in strict confidence, using such
degree of care under this section 2 as is reasonable and appropriate to avoid a
Security Breach;
ii. Use Personal Information exclusively for the purposes for which the Personal
Information is made accessible to the Contractor pursuant to the terms of this
Exhibit F;
iii. not Use, Disclose, sell, rent, license, or otherwise make available Personal
Information for the Contractor's own purposes or for the benefit of anyone other
than the County, without the County's express prior written consent, which the
County may give or withhold in its sole and absolute discretion; and
iv. not, directly or indirectly, Disclose Personal Information to any person (an
"Unauthorized Third Party") other than Authorized Persons pursuant to this
Agreement, without the Director's express prior written consent.
d. Notwithstanding the foregoing paragraph, in any case in which the Contractor believes it,
or any Authorized Person, is required to disclose Personal Information to government
regulatory authorities, or pursuant to a legal proceeding, or otherwise as may be
required by applicable law, Contractor shall (i) immediately notify the County of the
specific demand for, and legal authority for the disclosure, including providing County
with a copy of any notice, discovery demand, subpoena, or order, as applicable,
received by the Contractor, or any Authorized Person, from any government regulatory
F-2
Exhibit F
Data Security
authorities, or in relation to any legal proceeding, and (ii) promptly notify the County
before such Personal Information is offered by the Contractor for such disclosure so that
the County may have sufficient time to obtain a court order or take any other action the
County may deem necessary to protect the Personal Information from such disclosure,
and the Contractor shall cooperate with the County to minimize the scope of such
disclosure of such Personal Information.
e. The Contractor shall remain liable to the County for the actions and omissions of any
Unauthorized Third Party concerning its Use of such Personal Information as if they
were the Contractor's own actions and omissions.
3. Information Security
a. The Contractor covenants, represents and warrants to the County that the Contractor's
Use of Personal Information under this Agreement does and will at all times comply with
all applicable federal, state, and local, privacy and data protection laws, as well as all
other applicable regulations and directives, including but not limited to California Civil
Code, Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song-
Beverly Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3,
beginning with section 1747). If the Contractor Uses credit, debit or other payment
cardholder information, the Contractor shall at all times remain in compliance with the
Payment Card Industry Data Security Standard ("PCI DSS") requirements, including
remaining aware at all times of changes to the PCI DSS and promptly implementing and
maintaining all procedures and practices as may be necessary to remain in compliance
with the PCI DSS, in each case, at the Contractor's sole cost and expense.
b. The Contractor covenants, represents and warrants to the County that, as of the
effective date of this Agreement, the Contractor has not received notice of any violation
of any privacy or data protection laws, as well as any other applicable regulations or
directives, and is not the subject of any pending legal action or investigation by, any
government regulatory authority regarding same.
c. Without limiting the Contractor's obligations under section 3(A) of this Exhibit F, the
Contractor's (or Authorized Person's) Security Safeguards shall be no less rigorous than
accepted industry practices and, at a minimum, include the following:
i. limiting Use of Personal Information strictly to the Contractor's and Authorized
Persons' technical and administrative personnel who are necessary for the
Contractor's, or Authorized Persons', Use of the Personal Information pursuant to
this Agreement;
ii. ensuring that all of the Contractor's connectivity to County computing systems
will only be through the County's security gateways and firewalls, and only
through security procedures approved upon the express prior written consent of
the Director;
iii. to the extent that they contain or provide access to Personal Information, (a)
securing business facilities, data centers, paper files, servers, back-up systems
and computing equipment, operating systems, and software applications,
including, but not limited to, all mobile devices and other equipment, operating
F-3
Exhibit F
Data Security
systems, and software applications with information storage capability; (b)
employing adequate controls and data security measures, both internally and
externally, to protect (1) the Personal Information from potential loss or
misappropriation, or unauthorized Use, and (2) the County's operations from
disruption and abuse; (c) having and maintaining network, device application,
database and platform security; (d) maintaining authentication and access
controls within media, computing equipment, operating systems, and software
applications; and (e) installing and maintaining in all mobile, wireless, or
handheld devices a secure internet connection, having continuously updated
anti-virus software protection and a remote wipe feature always enabled, all of
which is subject to express prior written consent of the Director;
iv. encrypting all Personal Information at advance encryption standards of Advanced
Encryption Standards (AES) of 128 bit or higher (a) stored on any mobile
devices, including but not limited to hard disks, portable storage devices, or
remote installation, or (b) transmitted over public or wireless networks (the
encrypted Personal Information must be subject to password or pass phrase, and
be stored on a secure server and transferred by means of a Virtual Private
Network (VPN) connection, or another type of secure connection, all of which is
subject to express prior written consent of the Director);
V. strictly segregating Personal Information from all other information of the
Contractor, including any Authorized Person, or anyone with whom the
Contractor or any Authorized Person deals so that Personal Information is not
commingled with any other types of information;
vi. having a patch management process including installation of all operating system
and software vendor security patches;
vii. maintaining appropriate personnel security and integrity procedures and
practices, including, but not limited to, conducting background checks of
Authorized Employees consistent with applicable law; and
viii. providing appropriate privacy and information security training to Authorized
Employees.
d. During the term of each Authorized Employee's employment by the Contractor, the
Contractor shall cause such Authorized Employees to abide strictly by the Contractor's
obligations under this Exhibit F. The Contractor shall maintain a disciplinary process to
address any unauthorized Use of Personal Information by any Authorized Employees.
e. The Contractor shall, in a secure manner, backup daily, or more frequently if it is the
Contractor's practice to do so more frequently, Personal Information received from the
County, and the County shall have immediate, real time access, at all times, to such
backups via a secure, remote access connection provided by the Contractor, through the
Internet.
f. The Contractor shall provide the County with the name and contact information for each
Authorized Employee (including such Authorized Employee's work shift, and at least one
alternate Authorized Employee for each Authorized Employee during such work shift)
F-4
Exhibit F
Data Security
who shall serve as the County's primary security contact with the Contractor and shall be
available to assist the County twenty-four (24) hours per day, seven (7) days per week
as a contact in resolving the Contractor's and any Authorized Persons' obligations
associated with a Security Breach or a Privacy Practices Complaint.
g. The Contractor shall not knowingly include or authorize any Trojan Horse, back door,
time bomb, drop dead device, worm, virus, or other code of any kind that may disable,
erase, display any unauthorized message within, or otherwise impair any County
computing system, with or without the intent to cause harm.
4. Security Breach Procedures
a. Immediately upon the Contractor's awareness or reasonable belief of a Security Breach,
the Contractor shall (i) notify the Director of the Security Breach, such notice to be given
first by telephone at the following telephone number, followed promptly by email at the
following email address: (559) 600-6439 and DPHContracts@fresnocountyca.gov
(which telephone number and email address the County may update by providing notice
to the Contractor), and (ii) preserve all relevant evidence (and cause any affected
Authorized Person to preserve all relevant evidence) relating to the Security Breach. The
notification shall include, to the extent reasonably possible, the identification of each type
and the extent of Personal Information that has been, or is reasonably believed to have
been, breached, including but not limited to, compromised, or subjected to unauthorized
Use, Disclosure, or modification, or any loss or destruction, corruption, or damage.
b. Immediately following the Contractor's notification to the County of a Security Breach, as
provided pursuant to section 4(A) of this Exhibit F, the Parties shall coordinate with each
other to investigate the Security Breach. The Contractor agrees to fully cooperate with
the County, including, without limitation:
i. assisting the County in conducting any investigation;
ii. providing the County with physical access to the facilities and operations
affected;
iii. facilitating interviews with Authorized Persons and any of the Contractor's other
employees knowledgeable of the matter; and
iv. making available all relevant records, logs, files, data reporting and other
materials required to comply with applicable law, regulation, industry standards,
or as otherwise reasonably required by the County.
To that end, the Contractor shall, with respect to a Security Breach, be solely
responsible, at its cost, for all notifications required by law and regulation, or deemed
reasonably necessary by the County, and the Contractor shall provide a written report of
the investigation and reporting required to the Director within 30 days after the
Contractor's discovery of the Security Breach.
c. County shall promptly notify the Contractor of the Director's knowledge, or reasonable
belief, of any Privacy Practices Complaint, and upon the Contractor's receipt of that
notification, the Contractor shall promptly address such Privacy Practices Complaint,
F-5
Exhibit F
Data Security
including taking any corrective action under this Exhibit F, all at the Contractor's sole
expense, in accordance with applicable privacy rights, laws, regulations and standards.
In the event the Contractor discovers a Security Breach, the Contractor shall treat the
Privacy Practices Complaint as a Security Breach. Within 24 hours of the Contractor's
receipt of notification of such Privacy Practices Complaint, the Contractor shall notify the
County whether the matter is a Security Breach, or otherwise has been corrected and
the manner of correction, or determined not to require corrective action and the reason
for that determination.
d. The Contractor shall take prompt corrective action to respond to and remedy any
Security Breach and take mitigating actions, including but not limiting to, preventing any
reoccurrence of the Security Breach and correcting any deficiency in Security
Safeguards as a result of such incident, all at the Contractor's sole expense, in
accordance with applicable privacy rights, laws, regulations and standards. The
Contractor shall reimburse the County for all reasonable costs incurred by the County in
responding to, and mitigating damages caused by, any Security Breach, including all
costs of the County incurred relation to any litigation or other action described section
4(E) of this Exhibit F.
e. The Contractor agrees to cooperate, at its sole expense, with the County in any litigation
or other action to protect the County's rights relating to Personal Information, including
the rights of persons from whom the County receives Personal Information.
5. Oversight of Security Compliance
a. The Contractor shall have and maintain a written information security policy that
specifies Security Safeguards appropriate to the size and complexity of the Contractor's
operations and the nature and scope of its activities.
b. Upon the County's written request, to confirm the Contractor's compliance with this
Exhibit F, as well as any applicable laws, regulations and industry standards, the
Contractor grants the County or, upon the County's election, a third party on the
County's behalf, permission to perform an assessment, audit, examination or review of
all controls in the Contractor's physical and technical environment in relation to all
Personal Information that is Used by the Contractor pursuant to this Agreement. The
Contractor shall fully cooperate with such assessment, audit or examination, as
applicable, by providing the County or the third party on the County's behalf, access to
all Authorized Employees and other knowledgeable personnel, physical premises,
documentation, infrastructure and application software that is Used by the Contractor for
Personal Information pursuant to this Agreement. In addition, the Contractor shall
provide the County with the results of any audit by or on behalf of the Contractor that
assesses the effectiveness of the Contractor's information security program as relevant
to the security and confidentiality of Personal Information Used by the Contractor or
Authorized Persons during the course of this Agreement under this Exhibit F.
c. The Contractor shall ensure that all Authorized Persons who Use Personal Information
agree to the same restrictions and conditions in this Exhibit F. that apply to the
Contractor with respect to such Personal Information by incorporating the relevant
provisions of these provisions into a valid and binding written agreement between the
F-6
Exhibit F
Data Security
Contractor and such Authorized Persons, or amending any written agreements to
provide same.
6. Return or Destruction of Personal Information. Upon the termination of this Agreement,
the Contractor shall, and shall instruct all Authorized Persons to, promptly return to the County
all Personal Information, whether in written, electronic or other form or media, in its possession
or the possession of such Authorized Persons, in a machine readable form used by the County
at the time of such return, or upon the express prior written consent of the Director, securely
destroy all such Personal Information, and certify in writing to the County that such Personal
Information have been returned to the County or disposed of securely, as applicable. If the
Contractor is authorized to dispose of any such Personal Information, as provided in this Exhibit
F, such certification shall state the date, time, and manner (including standard) of disposal and
by whom, specifying the title of the individual. The Contractor shall comply with all reasonable
directions provided by the Director with respect to the return or disposal of Personal Information
and copies of Personal Information. If return or disposal of such Personal Information or copies
of Personal Information is not feasible, the Contractor shall notify the County according,
specifying the reason, and continue to extend the protections of this Exhibit F to all such
Personal Information and copies of Personal Information. The Contractor shall not retain any
copy of any Personal Information after returning or disposing of Personal Information as
required by this section 6. The Contractor's obligations under this section 6 survive the
termination of this Agreement and apply to all Personal Information that the Contractor retains if
return or disposal is not feasible and to all Personal Information that the Contractor may later
discover.
7. Equitable Relief. The Contractor acknowledges that any breach of its covenants or
obligations set forth in this Exhibit F may cause the County irreparable harm for which monetary
damages would not be adequate compensation and agrees that, in the event of such breach or
threatened breach, the County is entitled to seek equitable relief, including a restraining order,
injunctive relief, specific performance and any other relief that may be available from any court,
in addition to any other remedy to which the County may be entitled at law or in equity. Such
remedies shall not be deemed to be exclusive but shall be in addition to all other remedies
available to the County at law or in equity or under this Agreement.
8. Indemnity. The Contractor shall defend, indemnify and hold harmless the County, its
officers, employees, and agents, (each, a "County Indemnitee")from and against any and all
infringement of intellectual property including, but not limited to infringement of copyright,
trademark, and trade dress, invasion of privacy, information theft, and extortion, unauthorized
Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage
to, Personal Information, Security Breach response and remedy costs, credit monitoring
expenses, forfeitures, losses, damages, liabilities, deficiencies, actions,judgments, interest,
awards, fines and penalties (including regulatory fines and penalties), costs or expenses of
whatever kind, including attorneys' fees and costs, the cost of enforcing any right to
indemnification or defense under this Exhibit F and the cost of pursuing any insurance
providers, arising out of or resulting from any third party claim or action against any County
Indemnitee in relation to the Contractor's, its officers, employees, or agents, or any Authorized
Employee's or Authorized Person's, performance or failure to perform under this Exhibit F or
arising out of or resulting from the Contractor's failure to comply with any of its obligations under
this section 8. The provisions of this section 8 do not apply to the acts or omissions of the
F-7
Exhibit F
Data Security
County. The provisions of this section 8 are cumulative to any other obligation of the Contractor
to, defend, indemnify, or hold harmless any County Indemnitee under this Agreement. The
provisions of this section 8 shall survive the termination of this Agreement.
9. Survival. The respective rights and obligations of the Contractor and the County as stated
in this Exhibit F shall survive the termination of this Agreement.
10. No Third Party Beneficiary. Nothing express or implied in the provisions of in this Exhibit F
is intended to confer, nor shall anything in this Exhibit F confer, upon any person other than the
County or the Contractor and their respective successors or assignees, any rights, remedies,
obligations or liabilities whatsoever.
11. No County Warranty. The County does not make any warranty or representation whether
any Personal Information in the Contractor's (or any Authorized Person's) possession or control,
or Use by the Contractor (or any Authorized Person), pursuant to the terms of this Agreement is
or will be secure from unauthorized Use, or a Security Breach or Privacy Practices Complaint.
F-8