The URL can be used to link to this page

Home My WebLink AboutAgreement A-17-298 with CA Department of Health Care Services.pdf Agreement No. 17-298 Fresno County, Department of Public Health Contract No. 16-93570 LOCAL DENTAL PILOT PROJECT AGREEMENT The goals of the Local Dental Pilot Project (LDPP) are to increase dental prevention, caries risk assessment and disease management, and continuity of care among Medi-Cal children through innovative pilot projects implemented by alternative programs. Progress toward reaching pilot project(s) goals and objectives will be measured, tracked, and reported by all LDPPs, and in accordance with the Department of Health Care Services (DHCS) guidelines, with the potential for regional and/or statewide expansion of pilot project(s) that demonstrate a positive impact on the oral health of the targeted Medi-Cal populations. LDPPs shall meet the requirements to further the goals of one or more of the three following dental domains or other measures closely tied to the domains: 1. Domain 1- Increase preventive services utilization for children; 2. Domain 2- Increase caries risk assessment and disease management; and, 3. Domain 3- Increase continuity of care. In response to DHCS's final Request for Application (RFA) relating to the LDPP Program on September 30, 2016, Fresno County, Department of Public Health, as a lead entity, submitted its LDPP application (Attachment A), for implementation in Fresno county. DHCS is approving $11,127,285 for the submitted LDPP application. The approved funding will cover program years one through four upon signing this Agreement. The program year is on a calendar year basis. The parties agree to the following: A. That "Local Dental Pilot Project Application Revised July 28, 2016 Section 6: Attestations and Certification" shall be amended and replaced by the following: Section 6: Attestations and Certification 6.1 Attestation I certify that, as the representative of the LDPP lead entity, I agree to the following conditions: 1. The LDPP lead entity will comply with the requirements of Special Terms and Conditions (STCs) and Attachment JJ of the Medi-Cal 2020 Waiver. 2. The LDPP lead entity shall submit invoices at least quarterly, or more frequently, to DHCS in a format specified by the state. 3. Performance metrics for each pilot shall mirror the performance metrics of the dental domains, as applicable, delineated in the STCs and the metrics outlined in the application. 4. This Agreement between DHCS and the LDPP lead entity constitutes the agreement that specifies the LDPP requirements, including a data sharing agreement. [See Exhibit A "HIPAA Business Associate Addendum (BAA)" of this Page 1 Fresno County, Department of Public Health Contract No. 16-93570 Application.] The BAA will apply to the transfer and access of Protected Health Information (PHI) and Personal Information (PI) should the need for sharing such data arise. The DHCS BAA applies to any entity that is acting in a business associate capacity as defined by HIPAA specifically for the purpose of the LDPP's operation and evaluation. DHCS does not anticipate that PHI or PI will be shared with LDPP for the purpose of the LDPP's operation or evaluation. DHCS anticipates that there may be only limited, or no, sharing of PHI or PI from the LDPP to DHCS. However, the BAA will apply if PHI or PI is shared between DHCS and an LDPP lead entity. 5. The LDPP will report and submit timely and complete data to DHCS in a format specified by the state; guidance is forthcoming. Incomplete and/or untimely data submissions may lead to a payment withhold after multiple occurrences and technical assistance has been provided by the state. 6. The LDPP shall submit quarterly and annual progress reports in a manner specified by DHCS. Continuation of the LDPP shall be contingent on timely submission of all required reports. 7. The LDPP will participate, provide data and be evaluated consistent with the performance metrics of the dental domains, as applicable, delineated in the STCs and the metrics outlined in the application. The LDPP lead entity and project participants are required to meet with DHCS evaluators or its designees to assess the LDPP, based on timeframes specified by the state. 8. Payments for LDPPs will be contingent on deliverables and/or achievements as described in the application or subsequent amendments. 9. DHCS reserves the right to suspend or terminate a pilot at any time if the enumerated deliverables and/or achievements are either not met, or if corrective action has been imposed, and/or poor performance continues or for any other reason that, in the opinion of DHCS, jeopardizes the welfare of program participants. 10. If the LDPP intends to use state and federal funds for the development of an information technology application or other software solution, it must be platform independent and interoperable, and scalable with the ability to grow sufficient user capacity for potential statewide deployment. Additionally, the solution must be modular in nature and have the ability to integrate with other components as specified by DHCS. It must be compatible with a wide range of mobile platforms and support multiple browsers. The software solution must: a. Comply with the American's with Disabilities ACT and HIPAA; b. Comply with the Security and Privacy controls for Federal Information Systems and Organizations NISP SP 800-83; c. Utilize FIPS 140-2 validated encryption; and d. Follow Open Web Application Security Project (OWASP) guidelines. Page 2 Fresno County, Department of Public Health Contract No. 16-93570 11. LDPP payments shall not be earned or payable for activities otherwise directly reimbursed by Medi-Cal. 12. The LDPP lead entity has reviewed and compared the activities in the approved LDPP application to its county's Medi-Cal California Medicaid Administrative Activities (CMAA) and/or Targeted Case Management Program (TCM). Appropriate adjustments to reduce the request for LDPP funds were made as necessary to ensure that the LDPP funding for activities and interactions of their care coordination teams do not duplicate payments under the county's CMAA or TCM benefit. The LDPP lead entity has provided documentation for the adjustment(s) in the approved application, which was accepted in accordance with DHCS guidance provided to the LDPP lead entity during the DHCS application review process. 13. The LDPP lead entity will respond to general inquiries from the state pertaining to the LDPP within five business days after acknowledging receipt, and provide requested information within five business days, unless an alternate timeline is approved or determined necessary by DHCS. 14. The lead entity understands that the state of California must abide by all requirements outlined in the STCs and Attachment JJ. The state may suspend or terminate a LDPP if corrective action has been imposed and persistent poor performance continues. Should a LDPP be terminated, the state shall provide notice to the pilot and request a close-out plan due to the state within 30 calendar days, unless significant harm to beneficiaries is occurring, in which case the state may request a close-out plan within 10 business days. State requirements regarding pilot termination is addressed under Attachment JJ. B. LDPP Agreement Notice All inquiries and notices relating to this Agreement should be directed to the representatives listed below. Either party may make changes to the information above by giving written notice to the other party. Said changes shall not require an amendment to this Contract. The Agreement representatives during the term of this Agreement will be: Department of Health Care Services LDPP Lead Entity Medi-Cal Dental Services Division Fresno County, Department of Public Health Attention: Michael Potter, SSMIIAttention: Brandon Heberer Telephone: (916) 552-8369 Telephone: (559) 600-6521 Page 3 Fresno County, Department of Public Health Contract No. 16-93570 In the event that either DHCS or the LDPP lead entity designates another representative, the current representative must provide written notification to the other party at least thirty-days prior to the effective date that the new representative assumes responsibilities. As a condition for participation in the LDPP, the LDPP lead entity (referred to as "Contractor" below) agrees to comply with all of the following terms and conditions, and with all of the terms and conditions included on any attachment(s) hereto, which is/are incorporated herein by reference: 1. Nondiscrimination. Pursuant to Affordable Care Act section 1557 (42 U.S.C. section 18116), during the performance of this Contract, Contractor shall not, and shall also require and ensure its subcontractors, providers, agents, and employees to not, cause an individual, beneficiary, or applicant to be excluded on the grounds prohibited under Title VI of the Civil Rights Act of 1964 (42 U.S.C. 2000d et seq.), Title IX of the Education Amendments of 1972 (20 U.S.C. 1681 et seq.), the Age Discrimination Act of 1975 (42 U.S.C. 6101 et seq.), or section 504 of the Rehabilitation Act of 1973 (29 U.S.C. 794), or subject to any other applicable State and Federal laws, from participation in, be denied the benefits of, or be subjected to discrimination under, any health program or activity offered through DHCS. 2. Term and Termination. This Agreement will be effective from the date both DHCS and Contractor have executed this Agreement and terminate on December 31 , 2020 unless the application is renewed or the LDPP program is extended, or the LDPP is terminated in accordance with procedures established pursuant to STC 109 and Attachment JJ thereof. 3. Compliance with Laws and Regulations. Contractor agrees to, and shall also require and ensure its subcontractors agree to, comply with all applicable provisions of Chapters 7 and 8 of the Welfare and Institutions Code, and any applicable rules or regulations promulgated by DHCS pursuant to these chapters. Contractor agrees to, and shall also require its subcontractors to, comply with all federal laws and regulations governing and regulating the Medicaid program. 4. Fraud and Abuse. Contractor agrees, and shall also require its subcontractors to agree, that it shall not engage in or commit fraud or abuse. "Fraud" means intentional deception or misrepresentation made by a person with the knowledge that the deception could result in some unauthorized benefit to himself or herself or some other person. "Abuse" means provider practices that are inconsistent with sound fiscal, business, or medical practices, and result in an unnecessary cost to the Medi- Cal program or in reimbursement for services that are not medically necessary or that fail to meet professionally recognized standards for health care. Page 4 Fresno County, Department of Public Health Contract No. 16-93570 5. Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the State of California. Venue shall be proper in Sacramento County or in the county where services were rendered. 6. Complete Integration. This Agreement, including any attachments or documents incorporated herein by express reference is intended to be a complete integration and there are no prior or contemporaneous different or additional agreements pertaining to the subject matters of this Agreement. 7. Amendment. No alteration or variation of the terms or provisions of this Agreement shall be valid unless made in writing and signed by the parties to this Agreement, and no oral understanding or agreement not set forth in this Agreement, shall be binding on the parties to this Agreement. 8. Discrepancy or Inconsistency. If there is a discrepancy or inconsistency in the terms of this Agreement and Attachment A, then this Agreement controls. 9. Budget Contingency Clause. It is mutually agreed that if either the federal or state budget of the current year and/or any subsequent years covered under this Agreement does not appropriate sufficient funds for the program, this Agreement shall be of no further force and effect. In this event, the State shall have no liability to pay any funds whatsoever to Contractor or to furnish any other considerations under this Agreement and Contractor shall not be obligated to perform any provisions of this Agreement. If funding for any fiscal year is reduced or deleted by the federal or state budgetary process for purposes of this program, the State shall have the option to either cancel this Agreement with no liability occurring to the State, or offer an agreement amendment to Contractor to reflect the reduced amount. N I hereby certify that all information provided in this agreement is true and accurate to the best of my knowledge, and that this agreement has been completed based on a good faith understanding of LDPP program participation requirements as specified in the Medi-Cal 2020 waiver STCs, Attachments JJ, and any related DHCS approved documents pertaining to the LDPP. Page 5 Fresno County, Department of Public Health Contract No. 16-93570 Signature of LDPP Lead Enti y Representative Date Name: David Luchini, RN, PHN Title: Assistant Director, Department of Public Health LZ9/1 va- Signature f DHCS epresentative Date Name: Mari Cantwell Title: Chief Deputy Director, Health Care Programs Page 6 IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and year hereinabove written. COUNTY OF FRESNO: By Chairman, Board of Supervisors Date: LD 12p 11t>-t BERNICE E. SEIDEL, Clerk Board of Supervisors By: Date: La(2ji--w ri AGREEMENT BETWEEN THE COUNTY OF FRESNO AND THE STATE OF CALIFORNIA Decepol,ey- 31) 2-n20 No.: California Dept. of Health Care Services Term: July 1, 2017— Ky Denti-Cal Oral Health Outreach and Provider Enrollment Activities (#16-93570) APPROVED AS TO LEGAL FORM: DANIEL C. CEDERBORG, COUNTY COUNSEL By 111,A11 I,& _Fv� APPROVED AS TO ACCOUNTING FORM: OSCAR J. GARCIA, CPA, AUDITOR-CONTROLLER/ TREASURER-TAX COLLECTOR By REVIEWED AND RECOMMENDED FOR APPROVAL: By J�kj _� David Pomaville �6� Director Department of Public Health Fund/Subclass: 0001/10000 Organization #: 56201600, 1611, 1618 Revenue: 3505, 5033, 5036, 3530, 4380 ks Fresno County, Department of Public Health 16-93570 Page 1 of 15 Exhibit A HIPAA Business Associate Addendum I. Recitals A. This Contract (Agreement) has been determined to constitute a business associate relationship under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"),the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 ('the HITECH Act"), 42 U.S.C. section 17921 et seq., and their implementing privacy and security regulations at 45 CFR Parts 160 and 164 ("the HIPAA regulations"). B. The Department of Health Care Services ("DHCS") wishes to disclose to Business Associate certain information pursuant to the terms of this Agreement, some of which may constitute Protected Health Information ("PHI"), including protected health information in electronic media ("ePHI"), underfederal law, and personal information ("PI") under state law. C. As set forth in this Agreement, Contractor, here and after, is the Business Associate of DHCS acting on DHCS' behalf and provides services, arranges, performs or assists in the performance of functions or activities on behalf of DHCS and creates, receives, maintains, transmits, uses or discloses PHI and PI. DHCS and Business Associate are each a party to this Agreement and are collectively referred to as the "parties." D. The purpose of this Addendum is to protect the privacy and security of the PHI and PI that may be created, received, maintained, transmitted, used or disclosed pursuant to this Agreement, and to comply with certain standards and requirements of HIPAA, the HITECH Act and the HIPAA regulations, including, but not limited to, the requirement that DHCS must enter into a contract containing specific requirements with Contractor prior to the disclosure of PHI to Contractor, as set forth in 45 CFR Parts 160 and 164 and the HITECH Act, and the Final Omnibus Rule as well as the Alcohol and Drug Abuse patient records confidentiality law 42 CFR Part 2, and any other applicable state or federal law or regulation. 42 CFR section 2.1(b)(2)(B) allows for the disclosure of such records to qualified personnel for the purpose of conducting management or financial audits, or program evaluation. 42 CFR Section 2.53(d) provides that patient identifying information disclosed under this section may be disclosed only back to the program from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by an appropriate court order. E. The terms used in this Addendum, but not otherwise defined, shall have the same meanings as those terms have in the HIPAA regulations. Any reference to statutory or regulatory language shall be to such language as in effect or as amended. II. Definitions A. Breach shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations, and the Final Omnibus Rule. B. Business Associate shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations, and the final Omnibus Rule. C. Covered Entity shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations, and Final Omnibus Rule. D. Electronic Health Record shall have the meaning given to such term in the HITECH Act, including, but not limited to, 42 U.S.0 Section 17921 and implementing regulations. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 2 of 15 Exhibit A HIPAA Business Associate Addendum E. Electronic Protected Health Information (ePHI) means individually identifiable health information transmitted by electronic media or maintained in electronic media, including but not limited to electronic media as set forth under 45 CFR section 160.103. F. Individually Identifiable Health Information means health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer or health care clearinghouse, and relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual, as set forth under 45 CFR section 160.103. G. Privacy Rule shall mean the HIPAA Regulation that is found at 45 CFR Parts 160 and 164. H. Personal Information shall have the meaning given to such term in California Civil Code section 1798.29. I. Protected Health Information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or is transmitted or maintained in any other form or medium, as set forth under 45 CFR section 160.103. J. Required by law, as set forth under 45 CFR section 164.103, means a mandate contained in law that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law. This includes, but is not limited to, court orders and court-ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information, and a civil or an authorized investigative demand. It also includes Medicare conditions of participation with respect to health care providers participating in the program, and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. K. Secretary means the Secretary of the U.S. Department of Health and Human Services ("HHS") or the Secretary's designee. L. Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or PI, or confidential data that is essential to the ongoing operation of the Business Associate's organization and intended for internal use; or interference with system operations in an information system. M. Security Rule shall mean the HIPAA regulation that is found at 45 CFR Parts 160 and 164. N. Unsecured PHI shall have the meaning given to such term under the HITECH Act, 42 U.S.C. section 17932(h), any guidance issued pursuant to such Act, and the HIPAA regulations. III. Terms of Agreement A. Permitted Uses and Disclosures of PHI by Business Associate Permitted Uses and Disclosures. Except as otherwise indicated in this Addendum, Business Associate may use or disclose PHI only to perform functions, activities or services specified in this Agreement, for, or on behalf of DHCS, provided that such use or disclosure would not violate the HIPAA regulations, if done by DHCS. Any such use or disclosure must, to the extent practicable, be limited to the limited data set, as defined in 45 CFR section 164.514(e)(2), or, if needed, to the minimum necessary to accomplish DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 3 of 15 Exhibit A HIPAA Business Associate Addendum the intended purpose of such use or disclosure, in compliance with the HITECH Act and any guidance issued pursuant to such Act, the HIPAA regulations, the Final Omnibus Rule and 42 CFR Part 2. 1. Specific Use and Disclosure Provisions. Except as otherwise indicated in this Addendum, Business Associate may: a. Use and disclose for management and administration. Use and disclose PHI for the proper management and administration of the Business Associate provided that such disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware that the confidentiality of the information has been breached. b. Provision of Data Aggregation Services. Use PHI to provide data aggregation services to DHCS. Data aggregation means the combining of PHI created or received by the Business Associate on behalf of DHCS with PHI received by the Business Associate in its capacity as the Business Associate of another covered entity, to permit data analyses that relate to the health care operations of DHCS. B. Prohibited Uses and Disclosures 1. Business Associate shall not disclose PHI about an individual to a health plan for payment or health care operations purposes if the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full and the individual requests such restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section 164.522(a). 2. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of DHCS and as permitted by 42 U.S.C. section 17935(d)(2). C. Responsibilities of Business Associate Business Associate agrees: 1. Nondisclosure. Not to use or disclose Protected Health Information (PHI) other than as permitted or required by this Agreement or as required by law. 2. Safeguards. To implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic PHI, that it creates, receives, maintains, uses or transmits on behalf of DHCS, in compliance with 45 CFR sections 164.308, 164.310 and 164.312, and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of 45 CFR section 164, subpart C, in compliance with 45 CFR section 164.316. Business Associate shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Business Associate's operations and the nature and scope of its activities, and which incorporates the requirements of section 3, Security, below. Business Associate will provide DHCS with its current and updated policies. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 4 of 15 Exhibit A HIPAA Business Associate Addendum 3. Security. To take any and all steps necessary to ensure the continuous security of all computerized data systems containing PHI and/or PI, and to protect paper documents containing PHI and/or PI. These steps shall include, at a minimum: a. Complying with all of the data system security precautions listed in Attachment A, the Business Associate Data Security Requirements; b. Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and 164), as necessary in conducting operations on behalf of DHCS under this Agreement; c. Providing a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III - Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies; and d. In case of a conflict between any of the security standards contained in any of these enumerated sources of security standards, the most stringent shall apply. The most stringent means that safeguard which provides the highest level of protection to PHI from unauthorized disclosure. Further, Business Associate must comply with changes to these standards that occur after the effective date of this Agreement. Business Associate shall designate a Security Officer to oversee its data security program who shall be responsible for carrying out the requirements of this section and for communicating on security matters with DHCS. D. Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its subcontractors in violation of the requirements of this Addendum. E. Business Associate's Agents and Subcontractors. 1. To enter into written agreements with any agents, including subcontractors and vendors, to whom Business Associate provides PHI or PI received from or created or received by Business Associate on behalf of DHCS, that impose the same restrictions and conditions on such agents, subcontractors and vendors that apply to Business Associate with respect to such PHI and PI under this Addendum, and that comply with all applicable provisions of HIPAA, the HITECH Act the HIPAA regulations, and the Final Omnibus Rule, including the requirement that any agents, subcontractors or vendors implement reasonable and appropriate administrative, physical, and technical safeguards to protect such PHI and PI. Business associates are directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Business Associate shall incorporate, when applicable, the relevant provisions of this Addendum into each subcontract or subaward to such agents, subcontractors and vendors, including the requirement that any security incidents or breaches of unsecured PHI or PI be reported to Business Associate. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 5 of 15 Exhibit A HIPAA Business Associate Addendum 2. In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate's knowledge of a material breach or violation by its subcontractor of the agreement between Business Associate and the subcontractor, Business Associate shall: a. Provide an opportunity for the subcontractor to cure the breach or end the violation and terminate the agreement if the subcontractor does not cure the breach or end the violation within the time specified by DHCS; or b. Immediately terminate the agreement if the subcontractor has breached a material term of the agreement and cure is not possible. F. Availability of Information to DHCS and Individuals. To provide access and information: 1. To provide access as DHCS may require, and in the time and manner designated by DHCS (upon reasonable notice and during Business Associate's normal business hours) to PHI in a Designated Record Set, to DHCS (or, as directed by DHCS), to an Individual, in accordance with 45 CFR section 164.524. Designated Record Set means the group of records maintained for DHCS that includes medical, dental and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management systems maintained for DHCS health plans; or those records used to make decisions about individuals on behalf of DHCS. Business Associate shall use the forms and processes developed by DHCS for this purpose and shall respond to requests for access to records transmitted by DHCS within fifteen (15) calendar days of receipt of the request by producing the records or verifying that there are none. 2. If Business Associate maintains an Electronic Health Record with PHI, and an individual requests a copy of such information in an electronic format, Business Associate shall provide such information in an electronic format to enable DHCS to fulfill its obligations under the HITECH Act, including but not limited to, 42 U.S.C. section 17935(e). 3. If Business Associate receives data from DHCS that was provided to DHCS by the Social Security Administration, upon request by DHCS, Business Associate shall provide DHCS with a list of all employees, contractors and agents who have access to the Social Security data, including employees, contractors and agents of its subcontractors and agents. G. Amendment of PHI. To make any amendment(s) to PHI that DHCS directs or agrees to pursuant to 45 CFR section 164.526, in the time and manner designated by DHCS. H. Internal Practices. To make Business Associate's internal practices, books and records relating to the use and disclosure of PHI received from DHCS, or created or received by Business Associate on behalf of DHCS, available to DHCS or to the Secretary of the U.S. Department of Health and Human Services in a time and manner designated by DHCS or by the Secretary, for purposes of determining DHCS' compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive possession of any other entity or person and the other entity or person fails or refuses to furnish the information to Business Associate, Business Associate shall so certify to DHCS and shall set forth the efforts it made to obtain the information. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 6 of 15 Exhibit A HIPAA Business Associate Addendum I. Documentation of Disclosures. To document and make available to DHCS or (at the direction of DHCS) to an Individual such disclosures of PHI, and information related to such disclosures, necessary to respond to a proper request by the subject Individual for an accounting of disclosures of PHI, in accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR section 164.528 and 42 U.S.C. section 17935(c). If Business Associate maintains electronic health records for DHCS as of January 1, 2009, Business Associate must provide an accounting of disclosures, including those disclosures for treatment, payment or health care operations, effective with disclosures on or after January 1, 2014. If Business Associate acquires electronic health records for DHCS after January 1, 2009, Business Associate must provide an accounting of disclosures, including those disclosures for treatment, payment or health care operations, effective with disclosures on or after the date the electronic health record is acquired, or on or after January 1, 2011, whichever date is later. The electronic accounting of disclosures shall be for disclosures during the three years prior to the request for an accounting. J. Breaches and Security Incidents. During the term of this Agreement, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any breach or security incident, and to take the following steps: 1. Notice to DHCS. (1) To notify DHCS immediately upon the discovery of a suspected security incident that involves data provided to DHCS by the Social Security Administration. This notification will be by telephone call plus email or fax upon the discovery of the breach. (2) To notify DHCS within 24 hours by email or fax of the discovery of unsecured PHI or PI in electronic media or in any other media if the PHI or PI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI or PI in violation of this Agreement and this Addendum, or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Business Associate as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Business Associate. Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer and the DHCS Information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves data provided to DHCS by the Social Security Administration, notice shall be provided by calling the DHCS EITS Service Desk. Notice shall be made using the "DHCS Privacy Incident Report" form, including all information known at the time. Business Associate shall use the most current version of this form, which is posted on the DHCS Privacy Office website (www.dhcs.ca.gov, then select "Privacy" in the left column and then "Business Use" near the middle of the page) or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of PHI or PI, Business Associate shall take: a. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and b. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 7 of 15 Exhibit A HIPAA Business Associate Addendum 2. Investigation and Investigation Report. To immediately investigate such security incident, breach, or unauthorized access, use or disclosure of PHI or PI. If the initial report did not include all of the requested information marked with an asterisk, then within 72 hours of the discovery, Business Associate shall submit an updated "DHCS Privacy Incident Report"containing the information marked with an asterisk and all other applicable information listed on the form, to the extent known at that time, to the DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer: 3. Complete Report. To provide a complete report of the investigation to the DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. If all of the required information was not included in either the initial report, or the Investigation Report, then a separate Complete Report must be submitted. The report shall be submitted on the "DHCS Privacy Incident Report" form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If DHCS requests information in addition to that listed on the "DHCS Privacy Incident Report' form, Business Associate shall make reasonable efforts to provide DHCS with such information. If necessary, a Supplemental Report may be used to submit revised or additional information after the completed report is submitted, by submitting the revised or additional information on an updated "DHCS Privacy Incident Report' form. DHCS will review and approve or disapprove the determination of whether a breach occurred, is reportable to the appropriate entities, if individual notifications are required, and the corrective action plan. 4. Notification of Individuals. If the cause of a breach of PHI or PI is attributable to Business Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any costs associated with the breach. The notifications shall comply with the requirements set forth in 42 U.S.C. section 17932 and its implementing regulations, including, but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days. The DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made. 5. Responsibility for Reporting of Breaches. If the cause of a breach of PHI or PI is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing regulations, including notification to media outlets and to the Secretary. If a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to DHCS in addition to Business Associate, Business Associate shall notify DHCS, and DHCS and Business Associate may take appropriate action to prevent duplicate reporting. The breach reporting requirements of this paragraph are in addition to the reporting requirements set forth in subsection 1, above. 6. DHCS Contact Information. To direct communications to the above referenced DHCS staff, the Contractor shall initiate contact as indicated herein. DHCS reserves the right to make changes to the DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 8 of 15 Exhibit A HIPAA Business Associate Addendum contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated. DHCS Program DHCS Privacy Officer DHCS Information Security Officer Contract Manager See the Scope of Work Privacy Officer Information Security Officer exhibit for Program c/o: Office of HIPAA Compliance DHCS Information Security Office Contract Manager Department of Health Care Services P.O. Box 997413, MS 6400 information P.O. Box 997413, MS 4722 Sacramento, CA 95899-7413 Sacramento, CA 95899-7413 Email: iso@dhcs.ca.gov Email: privacyofficer@dhcs.ca.gov Fax: (916)440-5537 Telephone: (916)445-4646 Telephone: EITS Service Desk (916)440-7000 or Fax: 916 440-7680 800 579-0874 K. Termination of Agreement. In accordance with Section 13404(b) of the HITECH Act and to the extent required by the HIPAA regulations, if Business Associate knows of a material breach or violation by DHCS of this Addendum, it shall take the following steps: 1. Provide an opportunity for DHCS to cure the breach or end the violation and terminate the Agreement if DHCS does not cure the breach or end the violation within the time specified by Business Associate; or 2. Immediately terminate the Agreement if DHCS has breached a material term of the Addendum and cure is not possible. L. Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps to ensure that it remains in compliance with this Addendum and is in compliance with applicable provisions of HIPAA, the HITECH Act and the HIPAA regulations, and that its agents, subcontractors and vendors are in compliance with their obligations as required by this Addendum. M. Sanctions and/or Penalties. Business Associate understands that a failure to comply with the provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Business Associate may result in the imposition of sanctions and/or penalties on Business Associate under HIPAA, the HITECH Act and the HIPAA regulations. IV. Obligations of DHCS DHCS agrees to: A. Notice of Privacy Practices. Provide Business Associate with the Notice of Privacy Practices that DHCS produces in accordance with 45 CFR section 164.520, as well as any changes to such notice. Visit the DHCS Privacy Office to view the most current Notice of Privacy Practices at: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/default.aspx or the DHCS website at www.dhcs.ca.gov (select "Privacy in the left column and "Notice of Privacy Practices" on the right side of the page). B. Permission by Individuals for Use and Disclosure of PHI. Provide the Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect the Business Associate's permitted or required uses and disclosures. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 9 of 15 Exhibit A HIPAA Business Associate Addendum C. Notification of Restrictions. Notify the Business Associate of any restriction to the use or disclosure of PHI that DHCS has agreed to in accordance with 45 CFR section 164.522, to the extent that such restriction may affect the Business Associate's use or disclosure of PHI. D. Requests Conflicting with HIPAA Rules. Not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA regulations if done by DHCS. V. Audits, Inspection and Enforcement A. From time to time, DHCS may inspect the facilities, systems, books and records of Business Associate to monitor compliance with this Agreement and this Addendum. Business Associate shall promptly remedy any violation of any provision of this Addendum and shall certify the same to the DHCS Privacy Officer in writing. The fact that DHCS inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems and procedures does not relieve Business Associate of its responsibility to comply with this Addendum, nor does DHCS': 1. Failure to detect or 2. Detection, but failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of DHCS' enforcement rights under this Agreement and this Addendum. B. If Business Associate is the subject of an audit, compliance review, or complaint investigation by the Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is related to the performance of its obligations pursuant to this HIPAA Business Associate Addendum, Business Associate shall notify DHCS and provide DHCS with a copy of any PHI or PI that Business Associate provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI or PI to the Secretary. Business Associate is responsible for any civil penalties assessed due to an audit or investigation of Business Associate, in accordance with 42 U.S.C. section 17934(c). VI. Termination A. Term. The Term of this Addendum shall commence as of the effective date of this Addendum and shall extend beyond the termination of the contract and shall terminate when all the PHI provided by DHCS to Business Associate, or created or received by Business Associate on behalf of DHCS, is destroyed or returned to DHCS, in accordance with 45 CFR 164.504(e)(2)(ii)(1). B. Termination for Cause. In accordance with 45 CFR section 164.504(e)(1)(ii), upon DHCS' knowledge of a material breach or violation of this Addendum by Business Associate, DHCS shall: 1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by DHCS; or 2. Immediately terminate this Agreement if Business Associate has breached a material term of this Addendum and cure is not possible. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 10 of 15 Exhibit A HIPAA Business Associate Addendum C. Judicial or Administrative Proceedings. Business Associate will notify DHCS if it is named as a defendant in a criminal proceeding for a violation of HIPAA. DHCS may terminate this Agreement if Business Associate is found guilty of a criminal violation of HIPAA. DHCS may terminate this Agreement if a finding or stipulation that the Business Associate has violated any standard or requirement of HIPAA, or other security or privacy laws is made in any administrative or civil proceeding in which the Business Associate is a party or has been joined. D. Effect of Termination. Upon termination or expiration of this Agreement for any reason, Business Associate shall return or destroy all PHI received from DHCS (or created or received by Business Associate on behalf of DHCS) that Business Associate still maintains in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, Business Associate shall notify DHCS of the conditions that make the return or destruction infeasible, and DHCS and Business Associate shall determine the terms and conditions under which Business Associate may retain the PHI. Business Associate shall continue to extend the protections of this Addendum to such PHI, and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. VII.Miscellaneous Provisions A. Disclaimer. DHCS makes no warranty or representation that compliance by Business Associate with this Addendum, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business Associate's own purposes or that any information in Business Associate's possession or control, or transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI. B. Amendment. The parties acknowledge that federal and state laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations and other applicable laws relating to the security or privacy of PHI. Upon DHCS' request, Business Associate agrees to promptly enter into negotiations with DHCS concerning an amendment to this Addendum embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable laws. DHCS may terminate this Agreement upon thirty (30) days written notice in the event: 1. Business Associate does not promptly enter into negotiations to amend this Addendum when requested by DHCS pursuant to this Section; or 2. Business Associate does not enter into an amendment providing assurances regarding the safeguarding of PHI that DHCS in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and the HIPAA regulations. C. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and any subcontractors, employees or agents assisting Business Associate in the performance of its obligations under this Agreement, available to DHCS at no cost to DHCS to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against DHCS, its directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other laws relating to security and privacy, which involves inactions or actions by the Business Associate, except where Business Associate or its subcontractor, employee or agent is a named adverse party. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 11 of 15 Exhibit A HIPAA Business Associate Addendum D. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this Addendum is intended to confer, nor shall anything herein confer, upon any person other than DHCS or Business Associate and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. E. Interpretation. The terms and conditions in this Addendum shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations and applicable state laws. The parties agree that any ambiguity in the terms and conditions of this Addendum shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act and the HIPAA regulations. F. Regulatory References. A reference in the terms and conditions of this Addendum to a section in the HIPAA regulations means the section as in effect or as amended. G. Survival. The respective rights and obligations of Business Associate under Section VI.D of this Addendum shall survive the termination or expiration of this Agreement. H. No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 12 of 15 Exhibit A HIPAA Business Associate Addendum Attachment A Business Associate Data Security Requirements I. Personnel Controls A. Employee Training. All workforce members who assist in the performance of functions or activities on behalf of DHCS, or access or disclose DHCS PHI or PI must complete information privacy and security training, at least annually, at Business Associate's expense. Each workforce member who receives information privacy and security training must sign a certification, indicating the member's name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following contract termination. B. Employee Discipline. Appropriate sanctions must be applied against workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements, including termination of employment where appropriate. C. Confidentiality Statement. All persons that will be working with DHCS PHI or PI must sign a confidentiality statement that includes, at a minimum, General Use, Security and Privacy Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access to DHCS PHI or PI. The statement must be renewed annually. The Contractor shall retain each person's written confidentiality statement for DHCS inspection for a period of six (6) years following contract termination. D. Background Check. Before a member of the workforce may access DHCS PHI or PI, a thorough background check of that worker must be conducted, with evaluation of the results to assure that there is no indication that the worker may present a risk to the security or integrity of confidential data or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce member's background check documentation for a period of three (3) years following contract termination. II. Technical Security Controls A. Workstation/Laptop encryption. All workstations and laptops that process and/or store DHCS PHI or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such as Advanced Encryption Standard (AES). The encryption solution must be full disk unless approved by the DHCS Information Security Office. B. Server Security. Servers containing unencrypted DHCS PHI or PI must have sufficient administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review. C. Minimum Necessary. Only the minimum necessary amount of DHCS PHI or PI required to perform necessary business functions may be copied, downloaded, or exported. D. Removable media devices. All electronic files that contain DHCS PHI or PI data must be encrypted when stored on any removable media or portable device (i.e. USB thumb drives, floppies, CD/DVD, smartphones, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm which is 128bit or higher, such as AES. E. Antivirus software. All workstations, laptops and other systems that process and/or store DHCS PHI or PI must install and actively use comprehensive anti-virus software solution with automatic updates scheduled at least daily. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 13 of 15 Exhibit A HIPAA Business Associate Addendum F. Patch Management. All workstations, laptops and other systems that process and/or store DHCS PHI or PI must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release. G. User IDs and Password Controls. All users must be issued a unique user name for accessing DHCS PHI or PI. Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password, at maximum within 24 hours. Passwords are not to be shared. Passwords must be at least eight characters and must be a non- dictionary word. Passwords must not be stored in readable format on the computer. Passwords must be changed every 90 days, preferably every 60 days. Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: • Upper case letters (A-Z) • Lower case letters (a-z) • Arabic numerals (0-9) • Non-alphanumeric characters (punctuation symbols) H. Data Destruction. When no longer needed, all DHCS PHI or PI must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI or PI cannot be retrieved. I. System Timeout. The system providing access to DHCS PHI or PI must provide an automatic timeout, requiring re-authentication of the user session after no more than 20 minutes of inactivity. J. Warning Banners. All systems providing access to DHCS PHI or PI must display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only by authorized users. User must be directed to log off the system if they do not agree with these requirements. K. System Logging. The system must maintain an automated audit trail which can identify the user or system process which initiates a request for DHCS PHI or PI, or which alters DHCS PHI or PI. The audit trail must be date and time stamped, must log both successful and failed accesses, must be read only, and must be restricted to authorized users. If DHCS PHI or PI is stored in a database, database logging functionality must be enabled. Audit trail data must be archived for at least 3 years after occurrence. L. Access Controls. The system providing access to DHCS PHI or PI must use role based access controls for all user authentications, enforcing the principle of least privilege. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 14 of 15 Exhibit A HIPAA Business Associate Addendum M. Transmission encryption. All data transmissions of DHCS PHI or PI outside the secure internal network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such as AES. Encryption can be end to end at the network level, or the data files containing PHI can be encrypted. This requirement pertains to any type of PHI or PI in motion such as website access, file transfer, and E-Mail. N. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting DHCS PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution. III. Audit Controls A. System Security Review. All systems processing and/or storing DHCS PHI or PI must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools. B. Log Reviews. All systems processing and/or storing DHCS PHI or PI must have a routine procedure in place to review system logs for unauthorized access. C. Change Control. All systems processing and/or storing DHCS PHI or PI must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data. IV. Business Continuity/ Disaster Recovery Controls A. Emergency Mode Operation Plan. Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of electronic DHCS PHI or PI in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than 24 hours. B. Data Backup Plan. Contractor must have established documented procedures to backup DHCS PHI to maintain retrievable exact copies of DHCS PHI or PI. The plan must include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and an estimate of the amount of time needed to restore DHCS PHI or PI should it be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite storage of DHCS data. V. Paper Document Controls A. Supervision of Data. DHCS PHI or PI in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is not being observed by an employee authorized to access the information. DHCS PHI or PI in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes. B. Escorting Visitors. Visitors to areas where DHCS PHI or PI is contained shall be escorted and DHCS PHI or PI shall be kept out of sight while visitors are in the area. C. Confidential Destruction. DHCS PHI or PI must be disposed of through confidential means, such as cross cut shredding and pulverizing. DHCS HIPAA BAA 2/15 Fresno County, Department of Public Health 16-93570 Page 15 of 15 Exhibit A HIPAA Business Associate Addendum D. Removal of Data. DHCS PHI or PI must not be removed from the premises of the Contractor except with express written permission of DHCS. E. Faxing. Faxes containing DHCS PHI or PI shall not be left unattended and fax machines shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending the fax. F. Mailing. Mailings of DHCS PHI or PI shall be sealed and secured from damage or inappropriate viewing of PHI or PI to the extent possible. Mailings which include 500 or more individually identifiable records of DHCS PHI or PI in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt, unless the prior written permission of DHCS to use another method is obtained. DHCS HIPAA BAA 2/15