Agreement No. 17-425
Agreement 16-6032 Page 1 of 4
CDSS/County of Fresno
California Department of Social Services
California Department of Health Care Services
MEMORANDUM OF UNDERSTANDING
BETWEEN THE CALIFORNIA DEPARTMENT OF SOCIAL SERVICES AND THE CALIFORNIA
DEPARTMENT OF HEALTH CARE SERVICES, AS THE COMPACT ADMINISTRATOR AND
COMPACT CO-ADMINISTRATOR
AND
THE COUNTY OF FRESNO
I. Background and Purpose
Pursuant to the authority granted by California Welfare and Institutions Code (WIC) Section 16121.2
and Sections 16170-16175, California is a member of the Interstate Compact on Adoption and
Medical Assistance (ICAMA). The California Department of Social Services (CDSS) and the
California Department of Health Care Services (DHCS), as the Compact Administrator and Compact
Co-Administrator respectively, have entered into a Memorandum of Understanding with the
Association of Administrators of the Interstate Compact on Adoption and Medical Assistance
(AAICAMA) for the implementation of a cloud based database (hereinafter "AAICAMA database").
The AAICAMA database replaces the paper ICAMA 700 form and is used to open Medicaid cases
between states for adopted special needs children. AAICAMA has contracted with Blue Iron Network
for services supporting the AAICAMA database.
The purpose of this Memorandum of Understanding (hereinafter the "MOU") is to outline the terms
and conditions for CDSS and DHCS to work with Counties of California for the implementation and
utilization of the AAICAMA database to permit the transfer of information between states for
establishment of medical benefits for children with adoption assistance agreements and for the
provision of training and technical assistance for database users.
This MOU is entered into by the CDSS and DHCS, and the County named above (County), for the
purpose of authorizing County access to the AAICAMA database. This MOU authorizes County to
facilitate the transfer of information between states for establishment of medical benefits for children
with adoption assistance agreements through the AAICAMA database. County agrees to comply with
the obligations of this MOU as a condition of access to the AAICAMA database.
II. CDSS and DHCS Responsibilities and Rights
A. The CDSS and DHCS agree to provide the following services:
1. CDSS will coordinate training for all operations and California ICAMA liaisons;
2. CDSS will identify user roles;
3. CDSS will communicate user access changes to AAICAMA; and
4. CDSS and DHCS will report and respond to any security threat or data breach in accordance
with approved policies.
B. The CDSS and DHCS have the right as the pass-through entities to inspect, review, or otherwise
monitor all activities, procedures, records, reports or forms related to the County's access of the
AAICAMA database in order to ensure compliance with this MOU.
III. County Responsibilities
A. County shall maintain any and all information/data provided by the AAICAMA database in strict
confidence, and will not reproduce, disclose, or make accessible in whole or in part, in any
manner whatsoever, to any third party, unless mandated by law.
B. County represents and warrants it is administering a government funded benefit or program, has
been granted the legal authority to view the information/data by the consumer or by operation of
law, and shall only request the information/data in compliance with state and federal laws.
C. County certifies that it will order data from the AAICAMA database only when it intends to use the
data in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and all
state law HIPAA counterparts and the Medi-Cal confidentiality requirements under Welfare and
Institutions Code Section 14100.2, as though the data is being used in connection with a
determination of the consumer's eligibility for benefits granted by a governmental instrumentality
required by law to consider an applicant's financial responsibility or status, and for no other
purpose. Attachment 1, Exhibit A is the required HIPAA Business Associate Addendum to be
executed by County and DHCS.
D. County certifies it will establish safeguards to ensure only Authorized Users can have access to
the AAICAMA database. "Authorized User" is defined as a County employee authorized to order
or access the AAICAMA database in relation to the performance of their official duties. County
shall provide CDSS with a signed ICAMA Database User Policy for each Authorized User.
E. County shall take all necessary measures to prevent unauthorized ordering of or access to the
AAICAMA database by any person other than the Authorized User for permissible purposes.
County agrees to monitor County employees' access of the AAICAMA database to prohibit
employees from using their positions for a purpose that is or gives the appearance of being
motivated by a desire for private gain for themselves or others.
F. County agrees to indemnify, defend, and save harmless CDSS, DHCS and Blue Iron, and their
respective directors, officers, managers, agents, and employees from any and all claims, actions,
demands, damages, liabilities, obligations, losses, settlements, judgments, fines, penalties,
sanctions, charges, costs and expenses, arising out of, relating to, or in connection with County's
use of the AAICAMA database and/or the unauthorized disclosure or dissemination of consumer-
recipient information/data by County employees in the performance of this Agreement. County
does not assume the risk on behalf of, or agree to indemnify, any other county.
G. County acknowledges that neither Blue Iron nor its officers, agents or employees will be liable for
loss of profits or for indirect, special, incidental or consequential damages arising out of or related
to the provision of verifications of employment and/or income, even if that party has been advised
of the possibility of such damages. In no event shall damages of any kind payable by Blue Iron
exceed the sum paid by CDSS or DHCS for the service which causes County's claim. This
provision shall survive any termination or expiration of this MOU.
H. County shall notify CDSS to add or delete a User ID.
I. County hereby certifies it will employ all necessary measures to maintain data security and
confidentiality when sending, transferring, or otherwise disposing of any consumer report
information. In addition to any requirements of this MOU, County agrees to comply with the
HIPAA data security and confidentiality requirements in Attachment 1, Exhibit A and the data
security and confidentiality provisions of Attachment 2, Exhibit B—CDSS Confidentiality and
Security Requirements.
J. County shall ensure that all County employees comply with WIC sections 10850 and 14100.2 to
protect any confidential information it may receive and possess from the AAICAMA database
from unauthorized use, access, or disclosure.
K. Unauthorized use, access, or disclosure of confidential information is considered a breach of
security. County shall immediately notify CDSS and DHCS of any and all suspected, attempted,
or confirmed breach of security by contacting the CDSS Information Security Officer, Lloyd Indig
at (916) 651-5658, and the DHCS Information Security Officer, Steve Moore at (916) 440-7191.
L. The use of the AAICAMA database includes information that is protected by the HIPAA and the
Medi-Cal confidentiality and privacy rules and may subject an unauthorized user to possible civil
and criminal liability, punishable by fines and imprisonment.
M. Without limitation as to any other applicable rights or remedies, in the event of a breach of
security caused by County employee(s),through the use of the information/data provided by Blue
Iron, County is responsible for any and all breach notifications to the consumer, any legally
required identity theft and/or credit monitoring services, along with associated costs.
N. County may not assign or delegate any of its rights or duties under this MOU.
O. County acknowledges that its access to the AAICAMA database is subject to audit by Blue Iron.
County agrees to cooperate with CDSS, DHCS, and Blue Iron in responding to any such audit.
IV. Effective Date and Term
This MOU is effective on the date that it is signed by all parties. The initial term of this MOU shall be
for a period of one year commencing on the effective date. Upon the expiration of the initial term, this
MOU shall automatically renew for successive one-year terms unless terminated by any party as
provided in Section VI below.
V. Project Representatives
The primary points of contact for the parties pursuant to this MOU are:
For CDSS:
Steve Shields, Manager
Adoption Services Bureau
Children's Services Operation and Evaluation Branch
Children and Family Services Division
California Department of Social Services
744 P Street, M.S. 8-12-31
Sacramento, CA 95814
Phone: (916) 851-8098
Email:
For DHCS:
Jeanette M. Banajou, Chief
Access Programs & Policy Branch
Medi-Cal Eligibility Division
Department of Health Care Services
1501 Capitol Avenue
P.O. Box 997417, MS 4607
Sacramento, CA 95899-7417
Phone: (916) 552-9413
Fax: (916) 440-5644
E-mail:
For AAICAMA:
Robin Bookweg, Project Director
Association of Administrators of the Interstate Compact on Adoption and Medical Assistance
1133 Nineteenth Street, NW
Washington, DC 20036
Phone: (202) 682-0100
For Blue Iron:
Stephan Bannuf
Blue Iron Network
5811 McFadden Avenue
Huntington Beach, CA 92649
Phone: (855) 258-4766
VI. General Provisions
A. No condition or provision of this MOU shall be waived or altered except by written amendment
signed by a duly authorized representative of CDSS, DHCS, and County.
B. Termination without cause: This MOU may be terminated by any party without cause upon 30
days written notice.
C. Termination with cause: This MOU may be terminated immediately by any party if the terms of
this MOU are violated in any manner. However, CDSS, DHCS, or County shall provide written
notice to the other parties of such termination for cause of this MOU. Blue Iron may immediately
suspend and/or terminate County's access to the AAICAMA database if Blue Iron reasonably
believes County has violated the HIPAA, any of the state law counterparts to the HIPAA, the
Medicaid and Medi-Cal confidentiality laws, or any other applicable law or regulation.
D. Other grounds for Termination: In the event that any of the companion agreements, contracts or
MOUs discussed in Section I-Background and Purpose terminate or expire, this MOU may be
terminated on the effective date of the termination of that companion agreement, contract or
MOU even if such termination will occur with less than 30 days written notice.
CALIFORNIA DEPARTMENT OF SOCIAL SERVICES
By:
Name: Deborah Pearce
Title: Chief, Contracts and Purchasing Bureau
Date:
CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES
By:
Name:
Title:
Date:
COUNTY OF FRESNO
By:
Name: Brian Pacheco
Title: Chairman, Board of Supervisors
Date:
ATTEST: BERNICE E. SEIDEL, Clerk, Board of Supervisors
By: Deputy
Attachment 1—Exhibit A-HIPAA Business Associate Addendum
Attachment 2—Exhibit B-Confidentiality and Security Requirements
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and
year first hereinabove written.
COUNTY OF FRESNO
BERNICE E. SEIDEL, Clerk
Board of Supervisors
By: See Attestation on Page 4
APPROVED AS TO LEGAL FORM:
DANIEL C. CEDERBORG, COUNTY COUNSEL
By:
REVIEWED AND RECOMMENDED FOR APPROVAL
By:
Delfino E. Neira, Director
Department of Social Services
Fund/Subclass: N/A
Organization: 56107001
Account: N/A
COUNTY OF FRESNO
Fresno CA
Agreement 16-6032 Attachment 1
CDSS/County of Fresno Page 1 of 15
Exhibit A
HIPAA Business Associate Addendum
I. Recitals
A. This BUSINESS ASSOCIATE ADDENDUM (this "Addendum") is made by and between The
California Department of Health Care Services ("Covered Entity" or "DHCS") and COUNTY of
Fresno ("Business Associate" or "Contractor"). Covered Entity and Business Associate are
parties to a Memorandum of Understanding for Business Associate's use of the AAICAMA cloud
based database, ("Services Agreement"), which has been determined to constitute a business
associate relationship under the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191 ("HIPAA"), the Health Information Technology for Economic and Clinical
Health Act, Public Law 111-005 ("the HITECH Act"), 42 U.S.C. section 17921 et seq., and their
implementing privacy and security regulations at 45 CFR Parts 160 and 164 ("the HIPAA
regulations").
B. DHCS wishes to disclose to Business Associate certain information pursuant to the terms of the
Services Agreement, some of which may constitute Protected Health Information ("PHI"),
including protected health information in electronic media ("ePHI"), under federal law, and
personal information ("PI") under state law.
C. As set forth in the Services Agreement, Business Associate may create, receive, maintain,
transmit, use or disclose PHI and PI on DHCS' behalf. DHCS and Business Associate are each a
party to this Addendum and are collectively referred to as the "parties."
D. The purpose of this Addendum is to protect the privacy and security of the PHI and PI that may
be created, received, maintained, transmitted, used or disclosed pursuant to the Services
Agreement, and to comply with certain standards and requirements of HIPAA, the HITECH Act
and the HIPAA regulations, including, but not limited to, the requirement that DHCS must enter
into a contract containing specific requirements with Contractor prior to the disclosure of PHI to
Contractor, as set forth in 45 CFR Parts 160 and 164 and the HITECH Act, and the Final
Omnibus Rule as well as the Alcohol and Drug Abuse patient records confidentiality law 42 CFR
Part 2, and any other applicable state or federal law or regulation. 42 CFR section 2.1(b)(2)(B)
allows for the disclosure of such records to qualified personnel for the purpose of conducting
management or financial audits, or program evaluation. 42 CFR Section 2.53(d) provides that
patient identifying information disclosed under this section may be disclosed only back to the
program from which it was obtained and used only to carry out an audit or evaluation purpose or
to investigate or prosecute criminal or other activities, as authorized by an appropriate court
order.
E. The terms used in this Addendum, but not otherwise defined, shall have the same meanings as
those terms have in the HIPAA regulations. Any reference to statutory or regulatory language
shall be to such language as in effect or as amended.
II. Definitions
A. Breach shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA
regulations, and the Final Omnibus Rule.
B. Business Associate shall generally have the meaning given to such term under HIPAA, the
HITECH Act, the HIPAA regulations, and the Final Omnibus Rule, but as used in this Addendum
shall mean COUNTY of Fresno.
C. Covered Entity shall generally have the meaning given to such term under HIPAA, the HITECH
Act, the HIPAA regulations, and Final Omnibus Rule, but as used in this Addendum shall mean
the California Department of Health Care Services.
DHCS HIPAA BAA 2/15
D. Electronic Health Record shall have the meaning given to such term in the HITECH Act,
including, but not limited to, 42 U.S.C. Section 17921 and implementing regulations.
E. Electronic Protected Health Information (ePHI) means individually identifiable health information
transmitted by electronic media or maintained in electronic media, including but not limited to
electronic media as set forth under 45 CFR section 160.103, but for purposes of this Addendum
is limited to information received by Business Associate from Covered Entity, or created,
received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
F. Individually Identifiable Health Information means health information, including demographic
information collected from an individual, that is created or received by a health care provider,
health plan, employer or health care clearinghouse, and relates to the past, present or future
physical or mental health or condition of an individual, the provision of health care to an
individual, or the past, present, or future payment for the provision of health care to an individual,
that identifies the individual or where there is a reasonable basis to believe the information can be
used to identify the individual, as set forth under 45 CFR section 160.103.
G. Privacy Rule shall mean the HIPAA Regulation that is found at 45 CFR Parts 160 and 164.
H. Personal Information shall have the meaning given to such term in California Civil Code section
1798.29.
I. Protected Health Information or PHI means individually identifiable health information that is
transmitted by electronic media, maintained in electronic media, or is transmitted or maintained in
any other form or medium, as set forth under 45 CFR section 160.103, but for purposes of this
Addendum is limited to information received by Business Associate from Covered Entity, or
created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
J. Required by Law, as set forth under 45 CFR section 164.103, means a mandate contained in law
that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law.
This includes, but is not limited to, court orders and court-ordered warrants, subpoenas or
summons issued by a court, grand jury, a governmental or tribal inspector general, or an
administrative body authorized to require the production of information, and a civil or an
authorized investigative demand. It also includes Medicare conditions of participation with
respect to health care providers participating in the program, and statutes or regulations that
require the production of information, including statutes or regulations that require such
information if payment is sought under a government program providing public benefits.
K. Secretary means the Secretary of the U.S. Department of Health and Human Services ("HHS") or
the Secretary's designee.
L. Security Incident means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of PHI or PI, or confidential data that is essential to the ongoing
operation of the Business Associate's organization and intended for internal use; or interference
with system operations in an information system.
M. Security Rule shall mean the HIPAA regulation that is found at 45 CFR Parts 160 and 164.
N. Unsecured PHI shall have the meaning given to such term under the HITECH Act, 42 U.S.C.
section 17932(h), any guidance issued pursuant to such Act, and the HIPAA regulations.
III. Terms of Agreement
A. Permitted Uses and Disclosures of PHI by Business Associate
Permitted Uses and Disclosures. Business Associate may use or disclose PHI only to perform
functions, activities or services specified in the Services Agreement, for, or on behalf of DHCS,
provided that such use or disclosure would not violate the HIPAA regulations, if done by DHCS.
Any such use or disclosure must, to the extent practicable, be limited to the limited data set, as
defined in 45 CFR section 164.514(e)(2), or, if needed, to the minimum necessary to accomplish
the intended purpose of such use or disclosure, in compliance with the HITECH Act and any
guidance issued pursuant to such Act, the HIPAA regulations, the Final Omnibus Rule and 42
CFR Part 2.
1. Specific Use and Disclosure Provisions. Business Associate may:
a. Use and disclose for management and administration. Use and disclose PHI for the
proper management and administration of the Business Associate provided that such
disclosures are Required by Law, or the Business Associate obtains reasonable
assurances from the person to whom the information is disclosed that it will remain
confidential and will be used or further disclosed only as Required by Law or for the
purpose for which it was disclosed to the person, and the person notifies the Business
Associate of any instances of which it is aware that the confidentiality of the information
has been breached.
b. Provision of Data Aggregation Services. Use PHI to provide data aggregation
services to DHCS. Data aggregation means the combining of PHI created or received by
the Business Associate on behalf of DHCS with PHI received by the Business Associate
in its capacity as the business associate of another covered entity, to permit data
analyses that relate to the health care operations of DHCS.
c. Report Violations of the Law. Business Associate may use PHI to report violations of
law to appropriate State or Federal Authorities, consistent with 45 C.F.R. 164.502(j).
d. De-identification. Business Associate may de-identify PHI, but must do so in
accordance with 45 CFR section 164.514(b), and Business Associate may use such de-
identified information solely for the benefit of Covered Entity for any purpose related to
the services being provided to Covered Entity under the Services Agreement.
B. Prohibited Uses and Disclosures
1. Business Associate shall not disclose PHI about an Individual to a health plan for payment or
health care operations purposes if the PHI pertains solely to a health care item or service for
which the health care provider involved has been paid out of pocket in full and the individual
requests such restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section
164.522(a).
2. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI,
except with the prior written consent of DHCS and as permitted by 42 U.S.C. section
17935(d)(2).
C. Responsibilities of Business Associate
Business Associate agrees:
1. Nondisclosure. Not to use or disclose Protected Health Information other than as permitted
or required by this Addendum or as Required by Law.
2. Safeguards. To implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI,
including ePHI, that it creates, receives, maintains, uses or transmits on behalf of DHCS, in
compliance with 45 CFR sections 164.308, 164.310 and 164.312, and to prevent use or
disclosure of PHI other than as provided for by this Addendum. Business Associate shall
implement reasonable and appropriate policies and procedures to comply with the standards,
implementation specifications and other requirements of 45 CFR section 164, subpart C, in
compliance with 45 CFR section 164.316. Business Associate shall develop and maintain a
written information privacy and security program that includes administrative, technical and
physical safeguards appropriate to the size and complexity of the Business Associate's
operations and the nature and scope of its activities. Business Associate will provide DHCS
with its current and updated policies.
3. Security. To take any and all steps necessary to ensure the continuous security of all
computerized data systems containing PHI and/or PI, and to protect paper documents
containing PHI and/or PI. These steps shall include, at a minimum:
a. Complying with all of the data system security precautions listed in Attachment A, the
Business Associate Data Security Requirements;
b. Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160
and 164), as necessary in conducting operations on behalf of DHCS under this
Agreement;
c. Providing a level and scope of security that is at least comparable to the level and scope
of security established by the Office of Management and Budget in OMB Circular No. A-
130, Appendix III - Security of Federal Automated Information Systems, which sets forth
guidelines for automated information systems in Federal agencies; and
d. In case of a conflict between any of the security standards contained in any of these
enumerated sources of security standards, the most stringent shall apply. The most
stringent means that safeguard which provides the highest level of protection to PHI from
unauthorized disclosure. Further, Business Associate must comply with changes to
these standards that occur after the effective date of this Agreement.
Business Associate shall designate a Security Officer to oversee its data security program
who shall be responsible for carrying out the requirements of this section and for
communicating on security matters with DHCS.
D. Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure of PHI by Business Associate in violation of
the requirements of this Addendum. As all Business Associate subcontractor agreements include
mitigation clauses, Business Associate acknowledges its obligation and responsibility for
enforcement of such separate mitigation obligations.
E. Business Associate's Agents and Subcontractors.
1. To enter into written agreements with any agents, including subcontractors and vendors, to
whom Business Associate provides PHI or PI received from or created or received by
Business Associate on behalf of DHCS, that impose the same restrictions and conditions
under HIPAA on such agents, subcontractors and vendors that apply to Business Associate
with respect to such PHI and PI under this Addendum, and that comply with all applicable
provisions of HIPAA, the HITECH Act the HIPAA regulations, and the Final Omnibus Rule,
including the requirement that any non-employee agents, subcontractors or vendors
implement reasonable and appropriate administrative, physical, and technical safeguards to
protect such PHI and Pl. Business associates are directly liable under the HIPAA Rules and
subject to civil and, in some cases, criminal penalties for making uses and disclosures of
protected health information that are not authorized by its contract or Required by Law. A
business associate also is directly liable and subject to civil penalties for failing to safeguard
electronic protected health information in accordance with the HIPAA Security Rule. A
"business associate" also is a subcontractor that creates, receives, maintains, or transmits
protected health information on behalf of another business associate. Business Associate
shall incorporate, when applicable, the relevant provisions of this Addendum into each
subcontract or sub award to such agents, subcontractors and vendors, including the
requirement that any security incidents or breaches of unsecured PHI or PI be reported to
Business Associate. Business Associate will incorporate those portions of this Addendum
that it determines are applicable into any subcontract and subaward with agents,
subcontractors, and vendors, including the requirement that any security incidents or
breaches of unsecured PHI or PI be reported to Business Associate,
2. In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate's knowledge
of a material breach or violation by its subcontractor of the agreement between Business
Associate and the subcontractor, Business Associate shall:
a. Provide an opportunity for the subcontractor to cure the breach or end the violation and
terminate the agreement if the subcontractor does not cure the breach or end the
violation within the time specified by DHCS; or
b. Immediately terminate the agreement if the subcontractor has breached a material term
of the agreement and cure is not possible.
F. Availability of Information to DHCS and Individuals. To provide access and information:
1. To the extent that the Services Agreement requires Business Associate to maintain PHI in a
Designated Record Set under its custody and control, provide access as DHCS may
reasonably require, and in the time and manner designated by DHCS in writing (upon
reasonable notice and during Business Associate's normal business hours, if applicable) to
PHI in such Designated Record Set, to DHCS (or, as directed by DHCS), to an Individual, in
accordance with 45 CFR section 164.524. Designated Record Set means the group of
records maintained for DHCS that includes medical, dental and billing records about
individuals; enrollment, payment, claims adjudication, and case or medical management
systems maintained for DHCS health plans; or those records used to make decisions about
individuals on behalf of DHCS. Business Associate shall use the forms and processes
developed by DHCS for this purpose and shall respond to requests for access to records
transmitted by DHCS within fifteen (15) calendar days of receipt of the written request by
producing the records or verifying that there are none.
2. If Business Associate maintains, pursuant to the Services Agreement, an Electronic Health
Record with PHI, and an individual requests a copy of such information in an electronic
format, Business Associate shall provide such information in an electronic format to enable
DHCS to fulfill its obligations under the HITECH Act, including but not limited to, 42 U.S.C.
section 17935(e).
G. Amendment of PHI. To the extent that the Services Agreement requires Business Associate to
maintain PHI in a Designated Record Set under its custody and control, make any amendment(s)
to PHI that DHCS directs or agrees to pursuant to 45 CFR section 164.526, in the time and
manner reasonably designated by DHCS.
H. Internal Practices. To make Business Associate's internal practices, books and records relating
to the use and disclosure of PHI received from DHCS, or created or received by Business
Associate on behalf of DHCS, available to DHCS or to the Secretary of the U.S. Department of
Health and Human Services in a time and manner designated by DHCS or by the Secretary, for
purposes of determining DHCS' compliance with the HIPAA regulations. If any information
needed for this purpose is in the exclusive possession of any other entity or person and the other
entity or person fails or refuses to furnish the information to Business Associate, Business
Associate shall so certify to DHCS and shall set forth the efforts it made to obtain the information.
Any rights of DHCS to access Business Associate's internal practices, books and records is
governed by the audit rights set forth in Section V hereof.
I. Documentation of Disclosures. To the extent no exception exists under 45 CFR section
164.528, to document and make available to DHCS or(at the direction of DHCS)to an Individual
such disclosures of PHI, and information related to such disclosures, necessary to respond to a
proper request by the subject Individual for an accounting of disclosures of PHI, in accordance
with the HITECH Act and its implementing regulations, including but not limited to 45 CFR section
164.528 and 42 U.S.C. section 17935(c).
J. Breaches and Security Incidents. During the term of this Agreement, Business Associate
agrees to implement reasonable systems for the discovery and prompt reporting of any breach or
security incident, and to take the following steps:
1. Notice to DHCS. (1) To notify DHCS within 24 hours by email or fax of the discovery of
Unsecured PHI or PI in electronic media or in any other media if the PHI or PI was, or is
reasonably believed to have been, accessed or acquired by an unauthorized person, any
suspected Security Incident involving PHI or PI, intrusion or unauthorized access, use or
disclosure of PHI or PI in violation of this Addendum. A Breach shall be treated as
discovered by Business Associate as of the first business day on which the breach is known,
or by exercising reasonable diligence would have been known, to any person (other than the
person committing the breach) who is an employee, officer or other agent of Business
Associate.
Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer
and the DHCS Information Security Officer. Notice shall be made using the "DHCS Privacy
Incident Report" form, including all information known at the time. Business Associate shall
use the most current version of this form, which is posted on the DHCS Privacy Office
website (www.dhcs.ca.gov, then select "Privacy" in the left column and then "Business
Use" near the middle of the page), or use this link:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx/
Upon discovery of a Breach or suspected security incident involving PHI, intrusion or
unauthorized access, use or disclosure of PHI or PI in violation of this Addendum, Business
Associate shall take:
DHCS HIPAA BAA 2/15
Agreement 16-6032 Attachment 1
CDSS/County of Fresno Page 7 of 15
Exhibit A
HIPAA Business Associate Addendum
a. Prompt corrective action to mitigate any risks or damages involved with the Breach
known to Business Associate and to protect the operating environment; and
b. Any action pertaining to such unauthorized disclosure required by applicable Federal and
State laws and regulations, including the provision of any required notices as set forth in
Section (III)(J)(4) below.
2. Investigation and Investigation Report. To immediately investigate such security incident
involving PHI, Breach, or unauthorized access, use or disclosure of PHI or PI in violation of
this Addendum. Within five (5) days of the discovery, Business Associate shall submit a
"DHCS Privacy Incident Report" containing the information marked with an asterisk and all
other applicable information listed on the form, to the extent known at that time, to the DHCS
Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security
Officer. Business Associate shall use the most current version of this form, which is posted on
the DHCS Privacy Office website (www.dhcs.ca.gov, then select "Privacy" in the left column
and then "Business Use" near the middle of the page) or use this link:
3. Complete Report. To provide a complete report of the investigation to the DHCS Program
Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer
within ten (10) working days of the discovery of the Breach or unauthorized use or disclosure.
If all of the required information was not included in either the initial report, or the
Investigation Report, then a separate Complete Report must be submitted. The report shall
be submitted on the "DHCS Privacy Incident Report" form and shall include an assessment of
all known factors relevant to a determination of whether a breach occurred under applicable
provisions of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The report
shall also include a full, detailed corrective action plan, including information on measures
that were taken to halt and/or contain the improper use or disclosure. If DHCS requests
information in addition to that listed on the "DHCS Privacy Incident Report" form, Business
Associate shall make reasonable efforts to provide DHCS with such information. If
necessary, a Supplemental Report may be used to submit revised or additional information
after the completed report is submitted, by submitting the revised or additional information on
an updated "DHCS Privacy Incident Report" form. DHCS will review and approve or
disapprove the determination of whether a Breach occurred, determine whether it is
reportable to the appropriate entities, and if individual notifications are required. Business
Associate will provide any corrective action plan to DHCS for review.
4. Notification of Individuals. If the cause of a Breach of PHI or PI is attributable to Business
Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals
as a result of the Breach or unauthorized use or disclosure when notification is required
under state or federal law, and Business Associate shall pay the cost of such notifications, as
well as up to 12 months of any credit monitoring reasonably offered as a result of the Breach.
The notifications shall comply with the requirements set forth in 42 U.S.C. section 17932 and its
implementing regulations, including but not limited to the requirement that the notifications be
made without unreasonable delay and in no event less than 60 calendar days. The DHCS
Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security
Officer shall approve the time, manner, and content of any such notifications and their review
and approval must be obtained before the notifications are made, which approval shall not be
unreasonably delayed or withheld.
5. Responsibility for Reporting of Breaches. If the cause of a breach of PHI or PI is
attributable to Business Associate or its agents, subcontractors or vendors, Business
Associate is responsible for all required reporting of the breach as specified in 42 U.S.C.
section 17932 and its implementing regulations, including notification to media outlets and to
the Secretary. If a breach of unsecured PHI involves more than 500 residents of the State of
California or its jurisdiction, Business Associate shall notify the Secretary of the breach
immediately upon discovery of the breach. If Business Associate has reason to believe that
duplicate reporting of the same breach or incident may occur because its subcontractors,
agents or vendors may report the breach or incident to DHCS in addition to Business
Associate, Business Associate shall notify DHCS, and DHCS and Business Associate may
take appropriate action to prevent duplicate reporting. The breach reporting requirements of
this paragraph are in addition to the reporting requirements set forth in subsection 1, above.
6. DHCS Contact Information. To direct communications to the above referenced DHCS staff,
the Contractor shall initiate contact as indicated herein. DHCS reserves the right to make
changes to the contact information below by giving written notice to the Contractor. Said
changes shall not require an amendment to this Addendum or the Services Agreement to
which it is incorporated.
DHCS Program Contract Manager:
See the Memorandum of Understanding for Program Contract Manager (Project Representative)
information.

DHCS Privacy Officer:
Privacy Officer
Office of HIPAA Compliance
Department of Health Care Services
P.O. Box 997413, MS 4722
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646
Fax: (916) 440-7680

DHCS Information Security Officer:
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Fax: (916) 440-5537
Telephone: EITS Service Desk (916) 440-7000 or 800 579-0874
K. Termination of Services Agreement. In accordance with Section 13404(b) of the HITECH Act
and to the extent required by the HIPAA regulations, if Business Associate knows of a material
breach or violation by DHCS of this Addendum, it shall take the following steps:
1. Provide an opportunity for DHCS to cure the breach or end the violation and terminate the
Services Agreement if DHCS does not cure the breach or end the violation within the time
specified by Business Associate; or
2. Immediately terminate the Services Agreement if DHCS has breached a material term of the
Addendum and cure is not possible.
L. Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps
to ensure that it remains in compliance with this Addendum and is in compliance with applicable
provisions of HIPAA, the HITECH Act and the HIPAA regulations, and that its non-employee
agents, subcontractors and vendors are in compliance with their obligations as required by their
respective written agreements.
M. Sanctions and/or Penalties. Business Associate understands that a failure to comply with the
provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Business
Associate may result in the imposition of sanctions and/or penalties on Business Associate under
HIPAA,the HITECH Act and the HIPAA regulations.
IV. Obligations of DHCS
DHCS agrees to:
A. Notice of Privacy Practices. Provide Business Associate with the Notice of Privacy Practices
that DHCS produces in accordance with 45 CFR section 164.520, as well as any changes to such
notice. Visit the DHCS Privacy Office to view the most current Notice of Privacy Practices
at: or the DHCS website
at (select "Privacy" in the left column and "Notice of Privacy Practices" on the
right side of the page).
B. Permission by Individuals for Use and Disclosure of PHI. Provide the Business Associate
with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such
changes affect the Business Associate's permitted or required uses and disclosures.
C. Notification of Restrictions. Timely notify the Business Associate in writing of any restriction to
the use or disclosure of PHI that DHCS has agreed to in accordance with 45 CFR section
164.522, to the extent that such restriction may affect the Business Associate's use or disclosure
of PHI.
D. Requests Conflicting with HIPAA Rules. Not request the Business Associate to use or
disclose PHI in any manner that would not be permissible under the HIPAA regulations if done by
DHCS.
V. Audits, Inspection and Enforcement
A. From time to time, DHCS may inspect the facilities, systems (limited solely to those systems that
contain PHI), books and records of Business Associate to monitor compliance with the Services
Agreement and this Addendum. Business Associate may require DHCS, or any third party acting
on behalf of DHCS, to sign a confidentiality agreement acceptable to Business Associate prior to
providing access to Business Associate's books, records, and systems pursuant to this Section.
Business Associate shall promptly remedy any violation of any provision of this Addendum and
shall certify the same to the DHCS Privacy Officer in writing. The fact that DHCS inspects, or
fails to inspect, or has the right to inspect, Business Associate's facilities, systems and
procedures does not relieve Business Associate of its responsibility to comply with this
Addendum, nor does DHCS':
1. Failure to detect or
2. Detection, but failure to notify Business Associate or require Business Associate's
remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver
of DHCS' enforcement rights under this Agreement and this Addendum.
B. If Business Associate is the subject of an audit, compliance review, or complaint investigation by
the Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is
related to the performance of its obligations pursuant to this HIPAA Business Associate
Addendum, Business Associate shall notify DHCS and provide DHCS with a copy of any PHI or
PI that Business Associate provides to the Secretary or the Office of Civil Rights concurrently with
providing such PHI or PI to the Secretary. Business Associate is responsible for any civil
penalties assessed due to an audit or investigation of Business Associate, in accordance with 42
U.S.C. section 17934(c).
VI. Termination
A. Term. The Term of this Addendum shall commence as of the effective date of this Addendum
and shall extend beyond the termination of the Services Agreement and shall terminate when all
the PHI provided by DHCS to Business Associate, or created or received by Business Associate
on behalf of DHCS, is destroyed or returned to DHCS, in accordance with 45 CFR
164.504(e)(2)(ii)(1).
B. Termination for Cause. In accordance with 45 CFR section 164.504(e)(1)(ii), upon DHCS'
knowledge of material breach or violation of this Addendum by Business Associate, DHCS
shall:
1. Provide an opportunity for Business Associate to cure the breach or end the violation and
terminate this Agreement if Business Associate does not cure the breach or end the violation
within a reasonable time as specified by DHCS; or
2. Immediately terminate this Agreement if Business Associate has breached a material term of
this Addendum and cure is not possible.
C. Judicial or Administrative Proceedings. Business Associate will notify DHCS if it is named as
a defendant in a criminal proceeding for a violation of HIPAA. Either party may terminate the
Services Agreement if the other party is found guilty of a criminal violation of HIPAA. DHCS may
terminate the Services Agreement if a finding or stipulation that the Business Associate has
violated any standard or requirement of HIPAA, or other security or privacy laws is made in any
administrative or civil proceeding in which the Business Associate is a party or has been joined.
D. Effect of Termination. Upon termination or expiration of this Addendum for any reason,
Business Associate shall return or destroy all PHI received from DHCS (or created or received by
Business Associate on behalf of DHCS) that Business Associate still maintains in any form, and
shall retain no copies of such PHI. If return or destruction is not feasible, Business Associate
shall notify DHCS of the conditions that make the return or destruction infeasible, and DHCS and
Business Associate shall determine the terms and conditions under which Business Associate
may retain the PHI. Business Associate shall continue to extend the protections of this
Addendum to such PHI, and shall limit further use of such PHI to those purposes that make the
return or destruction of such PHI infeasible. This provision shall apply to PHI that is in the
possession of subcontractors or agents of Business Associate.
VII. Miscellaneous Provisions
A. Disclaimer. DHCS makes no warranty or representation that compliance by Business Associate
with this Addendum, HIPAA or the HIPAA regulations will be adequate or satisfactory for
Business Associate's own purposes or that any information in Business Associate's possession
or control, or transmitted or received by Business Associate, is or will be secure from
unauthorized use or disclosure. Business Associate is solely responsible for all decisions made
by Business Associate regarding the safeguarding of PHI.
B. Amendment. The parties acknowledge that federal and state laws relating to electronic data
security and privacy are rapidly evolving and that amendment of this Addendum may be required
to provide for procedures to ensure compliance with such developments. The parties specifically
agree to take such action as is necessary to implement the standards and requirements of
HIPAA, the HITECH Act, the HIPAA regulations and other applicable laws relating to the security
or privacy of PHI to the extent that amendments are necessary in order for this Addendum to
remain compliant with applicable law. Upon DHCS' request, Business Associate agrees to
promptly enter into negotiations with DHCS concerning such an amendment to this Addendum.
DHCS may terminate this Agreement upon thirty(30)days written notice in the event:
1. Business Associate does not enter into negotiations to amend this Addendum when
requested by DHCS pursuant to this Section; or
2. Business Associate does not enter into the required amendment that is necessary to maintain
compliance with applicable law.
C. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself
and any subcontractors, employees or agents assisting Business Associate in the performance of
its obligations under this Agreement, available to DHCS at mutually convenient times and places
to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being
commenced against DHCS, its directors, officers or employees based upon claimed violation of
HIPAA, the HIPAA regulations or other laws relating to security and privacy, which involves
inactions or actions by the Business Associate, except where Business Associate or its
subcontractor, employee or agent is a named adverse party.
D. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this
Addendum is intended to confer, nor shall anything herein confer, upon any person other than
DHCS or Business Associate and their respective successors or permitted assignees, any rights,
remedies, obligations or liabilities whatsoever.
E. Interpretation. The terms and conditions in this Addendum shall be interpreted as broadly as
necessary to implement and comply with the required provisions of HIPAA, the HITECH Act, the
HIPAA regulations and applicable state laws. The parties agree that any ambiguity in the terms
and conditions of this Addendum shall be resolved in favor of a meaning that complies and is
consistent with the required provisions of HIPAA, the HITECH Act and the HIPAA regulations.
F. Regulatory References. A reference in the terms and conditions of this Addendum to a section
in the HIPAA regulations means the section as in effect or as amended.
G. Survival. The respective rights and obligations of Business Associate under Section VI.D of this
Addendum shall survive the termination or expiration of this Agreement.
H. No Waiver of Obligations. No change, waiver or discharge of any liability or obligation
hereunder on any one or more occasions shall be deemed a waiver of performance of any
continuing or other obligation, or shall prohibit enforcement of any obligation, on any other
occasion.
I. Entire Agreement. This Addendum and the Services Agreement shall constitute the entire
agreement of the parties hereto with respect to the subject matter hereof and supersede all prior
agreements, understandings and representations, whether oral or written, relating to such subject
matter.
J. Severability. If any provision of this Addendum is held illegal, invalid, prohibited or
unenforceable by a court of competent jurisdiction, that provision shall be limited or eliminated in
that jurisdiction to the minimum extent necessary so that this Addendum shall otherwise remain in
full force and effect and enforceable.
K. Governing Law. This Agreement shall be governed by and construed in accordance with the
laws of the State of California, without regard to its conflicts of laws principles, to the extent not
preempted by HIPAA or other applicable federal law.
BUSINESS ASSOCIATE: COUNTY OF FRESNO
By:
Name: Delfino E. Neira
Title: Director, Department of Social Services
Date: [illegible]

COVERED ENTITY: DHCS
By:
Name:
Title:
Date:
Attachment
Business Associate Data Security Requirements
I. Personnel Controls
A. Employee Training. All workforce members who assist in the performance of functions or
activities on behalf of DHCS, or access or disclose DHCS PHI or PI must complete information
privacy and security training, at least annually, at Business Associate's expense. Each workforce
member who receives information privacy and security training must sign a certification, indicating
the member's name and the date on which the training was completed. These certifications must
be retained for a period of six (6) years following contract termination.
B. Employee Discipline. Appropriate sanctions must be applied against workforce members who
fail to comply with privacy policies and procedures or any provisions of these requirements,
including termination of employment where appropriate.
C. Confidentiality Statement. All employees execute a Non-Disclosure Agreement at the time of
D. Background Check. Before a member of the workforce may access DHCS PHI or PI, a
thorough background check of that worker must be conducted, with evaluation of the results to
assure that there is no indication that the worker may present risk to the security or integrity of
confidential data or a risk for theft or misuse of confidential data. The Contractor shall retain each
workforce member's background check documentation for a period of three (3) years following
contract termination.
II. Technical Security Controls
A. Workstation/Laptop encryption. All workstations and laptops that process and/or store DHCS
PHI or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher,
such as Advanced Encryption Standard (AES). The encryption solution must be full disk unless
approved by the DHCS Information Security Office.
B. Server Security. Servers containing unencrypted DHCS PHI or PI must have sufficient
administrative, physical, and technical controls in place to protect that data, based upon a risk
assessment/system security review.
C. Minimum Necessary. Only the minimum necessary amount of DHCS PHI or PI required to
perform necessary business functions may be copied, downloaded, or exported.
D. Removable media devices. All electronic files that contain DHCS PHI or PI data must be
encrypted when stored on any removable media or portable device (i.e. USB thumb drives,
floppies, CD/DVD, smartphones, backup tapes etc.). Encryption must be a FIPS 140-2 certified
algorithm which is 128bit or higher, such as AES.
E. Antivirus software. All workstations, laptops and other systems that process and/or store DHCS
PHI or PI must install and actively use a comprehensive anti-virus software solution with automatic
updates scheduled at least daily.
F. Patch Management. All workstations, laptops and other systems that process and/or store
DHCS PHI or PI must have critical security patches applied, with system reboot if necessary.
There must be a documented patch management process which determines installation
timeframe based on risk assessment and vendor recommendations. At a minimum, all
applicable patches must be installed within 30 days of vendor release.
G. User IDs and Password Controls. All users must be issued a unique user name for accessing
DHCS PHI or PI. Username must be promptly disabled, deleted, or the password changed upon
the transfer or termination of an employee with knowledge of the password, at maximum within
24 hours. Passwords are not to be shared. Passwords must be at least eight characters and
must be a non-dictionary word. Passwords must not be stored in readable format on the
computer. Passwords must be changed every 90 days, preferably every 60 days. Passwords
must be changed if revealed or compromised. Passwords must be composed of characters from
at least three of the following four groups from the standard keyboard:
• Upper case letters(A-Z)
• Lower case letters(a-z)
• Arabic numerals(0-9)
• Non-alphanumeric characters(punctuation symbols)
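The composition rules in item G above, checked in code. This is an added example and not part of the addendum or any DHCS tooling; it assumes the four keyboard groups as listed, and the word list it carries is a small constructed stand-in for a real dictionary file.

```python
"""Password composition check for the policy in Section II.G.

Added example, not from the DHCS addendum: it enforces the stated rules
(at least eight characters, characters from at least three of the four
keyboard groups, not a dictionary word).
"""
import string

# Constructed stand-in for a dictionary word list; a real deployment would
# load a full dictionary (and a common-password list) from disk.
DICTIONARY_WORDS = {"password", "fresno", "welcome", "summer", "letmein"}

MIN_LENGTH = 8          # "at least eight characters"
REQUIRED_GROUPS = 3     # "at least three of the following four groups"

# The four character groups named in the addendum.
CHARACTER_GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def groups_present(password: str) -> set:
    """Return the names of the character groups that occur in the password."""
    return {name for name, chars in CHARACTER_GROUPS.items()
            if any(c in chars for c in password)}


def is_dictionary_word(password: str, words=DICTIONARY_WORDS) -> bool:
    """True if the password is a dictionary word, ignoring case and the
    common trick of bolting digits or symbols onto one ("Password1!")."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in words


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = groups_present(password)
    if len(found) < REQUIRED_GROUPS:
        problems.append(f"uses only {len(found)} of the 4 character groups")
    if is_dictionary_word(password):
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1!", "abc"):
        print(candidate, "->", check_password(candidate) or "compliant")
```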
H. Data Destruction. When no longer needed, all DHCS PHI or PI must be cleared, purged, or
destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization
such that the PHI or PI cannot be retrieved.
I. System Timeout. The system providing access to DHCS PHI or PI must provide an automatic
timeout, requiring re-authentication of the user session after no more than 20 minutes of
inactivity.
J. Warning Banners. All systems providing access to DHCS PHI or PI must display a warning
banner stating that data is confidential, systems are logged, and system use is for business
purposes only by authorized users. User must be directed to log off the system if they do not
agree with these requirements.
K. System Logging. The system must maintain an automated audit trail which can identify the user
or system process which initiates a request for DHCS PHI or PI, or which alters DHCS PHI or PI.
The audit trail must be date and time stamped, must log both successful and failed accesses,
must be read only, and must be restricted to authorized users. If DHCS PHI or PI is stored in a
database, database logging functionality must be enabled. Audit trail data must be archived for at
least 3 years after occurrence.
L. Access Controls. The system providing access to DHCS PHI or PI must use role based access
controls for all user authentications, enforcing the principle of least privilege.
M. Transmission encryption. All data transmissions of DHCS PHI or PI outside the secure internal
network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such
as AES. Encryption can be end to end at the network level, or the data files containing PHI can
be encrypted. This requirement pertains to any type of PHI or PI in motion such as website
access,file transfer, and E-Mail.
N. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting
DHCS PHI or PI that are accessible via the Internet must be protected by a comprehensive
intrusion detection and prevention solution.
III. Audit Controls
A. System Security Review. All systems processing and/or storing DHCS PHI or PI must have at
least an annual system risk assessment/security review which provides assurance that
administrative, physical, and technical controls are functioning effectively and providing adequate
levels of protection. Reviews should include vulnerability scanning tools.
B. Log Reviews. All systems processing and/or storing DHCS PHI or PI must have a routine
procedure in place to review system logs for unauthorized access.
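A routine log review of the kind item B calls for, run over the audit trail that Section II.K requires (date/time stamp, the user or process that initiated the request, success or failure). This is an added example, not part of the addendum or of any DHCS system; the key=value record layout and the sample lines are constructed for the example.

```python
"""Routine log review for the audit trail described in Sections II.K and III.B.

Added example, not from the addendum: it assumes the audit trail is a text
file of key=value records (a constructed format) carrying the fields the
addendum requires: a timestamp, the user or process, the action, and whether
the access succeeded or failed.
"""
from collections import Counter
from datetime import datetime

# Constructed sample audit trail, one record per line. Line 6 lacks a
# timestamp, so it cannot satisfy Section II.K and must be reported.
SAMPLE_AUDIT_TRAIL = """\
ts=2017-03-01T08:02:11 user=jsmith action=READ record=PHI-1001 result=SUCCESS
ts=2017-03-01T08:05:40 user=batch-export action=EXPORT record=PHI-1002 result=SUCCESS
ts=2017-03-01T08:07:02 user=mlee action=READ record=PHI-1003 result=FAILED
ts=2017-03-01T08:07:09 user=mlee action=READ record=PHI-1004 result=FAILED
ts=2017-03-01T08:07:15 user=mlee action=READ record=PHI-1005 result=FAILED
user=jsmith action=UPDATE record=PHI-1001 result=SUCCESS
ts=2017-03-01T09:30:00 user=jsmith action=UPDATE record=PHI-1001 result=SUCCESS
"""

REQUIRED_FIELDS = ("ts", "user", "action", "result")
FAILURE_THRESHOLD = 3  # repeated failures by one user that merit a closer look


def parse_record(line: str) -> dict:
    """Split one 'key=value key=value' line into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def review_audit_trail(text: str) -> dict:
    """Review the trail and return findings grouped by category.

    - 'malformed': records missing a required field or carrying an unparsable
      timestamp, so they cannot show who did what and when (Section II.K).
    - 'failed_accesses': every failed access, the raw material for the routine
      review of unauthorized access (Section III.B).
    - 'repeated_failures': users with FAILURE_THRESHOLD or more failures.
    """
    findings = {"malformed": [], "failed_accesses": [], "repeated_failures": {}}
    failures_by_user = Counter()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings["malformed"].append((lineno, missing))
            continue
        try:
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            findings["malformed"].append((lineno, ["ts"]))
            continue
        if rec["result"] != "SUCCESS":
            findings["failed_accesses"].append(
                (rec["ts"], rec["user"], rec.get("record", "")))
            failures_by_user[rec["user"]] += 1
    findings["repeated_failures"] = {
        user: n for user, n in failures_by_user.items() if n >= FAILURE_THRESHOLD
    }
    return findings


if __name__ == "__main__":
    for category, items in review_audit_trail(SAMPLE_AUDIT_TRAIL).items():
        print(category, items)
```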
C. Change Control. All systems processing and/or storing DHCS PHI or PI must have a
documented change control procedure that ensures separation of duties and protects the
confidentiality, integrity and availability of data.
IV. Business Continuity/Disaster Recovery Controls
A. Emergency Mode Operation Plan. Contractor must establish a documented plan to enable
continuation of critical business processes and protection of the security of electronic DHCS PHI
or PI in the event of an emergency. Emergency means any circumstance or situation that causes
normal computer operations to become unavailable for use in performing the work required under
this Agreement for more than 24 hours.
B. Data Backup Plan. Contractor must have established documented procedures to backup DHCS
PHI to maintain retrievable exact copies of DHCS PHI or PI. The plan must include a regular
schedule for making backups, storing backups offsite, an inventory of backup media, and an
estimate of the amount of time needed to restore DHCS PHI or PI should it be lost. At
minimum, the schedule must be a weekly full backup and monthly offsite storage of DHCS data.
V. Paper Document Controls
This section is applicable only if, and when, Contractor converts DHCS PHI or PI into paper form for
use and handling in a manner consistent with the terms of provisions of this Addendum.
A. Supervision of Data. DHCS PHI or PI in paper form shall not be left unattended at any time,
unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is
not being observed by an employee authorized to access the information. DHCS PHI or PI in
paper form shall not be left unattended at any time in vehicles or planes and shall not be checked
in baggage on commercial airplanes.
B. Escorting Visitors. Visitors to areas where DHCS PHI or PI is contained shall be escorted and
DHCS PHI or PI shall be kept out of sight while visitors are in the area.
C. Confidential Destruction. DHCS PHI or PI must be disposed of through confidential means,
such as cross cut shredding and pulverizing.
D. Removal of Data. DHCS PHI or PI must not be removed from the premises of the Contractor
except with express written permission of DHCS.
E. Faxing. Faxes containing DHCS PHI or PI shall not be left unattended and fax machines shall be
in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes
in error to destroy them. Fax numbers shall be verified with the intended recipient before sending
the fax.
F. Mailing. Mailings of DHCS PHI or PI shall be sealed and secured from damage or inappropriate
viewing of PHI or PI to the extent possible. Mailings which include 500 or more individually
identifiable records of DHCS PHI or PI in a single package shall be sent using a tracked mailing
method which includes verification of delivery and receipt, unless the prior written permission of
DHCS to use another method is obtained.
Agreement 16-6032 Attachment 2
CDSS/County of Fresno Page 1 of 10
Exhibit B
The California Department of Social Services
Confidentiality and Information Security Requirements—Contractor/Entity
This Confidentiality and Information Security Requirements Exhibit (hereinafter referred to as "this
Exhibit") sets forth the information security and privacy requirements Contractor/Entity (hereinafter
referred to as "Contractor") is obligated to follow with respect to all confidential and sensitive information
(as defined herein) disclosed to or collected by Contractor, pursuant to Contractor's Agreement (the
"Agreement")with the California Department of Social Services (hereinafter"CDSS") in which this Exhibit
is incorporated. The CDSS and Contractor desire to protect the privacy and provide for the security of
CDSS Confidential, Sensitive, and/or Personal (CSP) Information in (hereinafter referred to as "CDSS
CSP")compliance with state and federal statutes, rules and regulations.
1. Order of Precedence. With respect to information security and privacy requirements for all
CDSS CSP, the terms and conditions of this Exhibit shall take precedence over any conflicting
terms or conditions set forth in any other part of the Agreement between Contractor and CDSS
and shall prevail over any such conflicting terms or conditions.
II. Effect on lower tier transactions. The terms of this Exhibit shall apply to all lower tier
transactions (e.g. agreements, sub-agreements, contracts, subcontracts, and sub-awards, etc.)
regardless of whether they are for the acquisition of services, goods, or commodities. The
Contractor shall incorporate the contents of this Exhibit into each lower tier transaction to its
agents, contractors, subcontractors, or independent consultants, etc.
III. Confidentiality of Information.
a. DEFINITIONS. The following definitions relate to CDSS Confidential, Sensitive, and/or
Personal Information.
i. "Confidential Information" is information maintained by the CDSS that is exempt
from disclosure under the provisions of the California Public Records Act
(Government Codes Sections 6250-6265) or has restrictions on disclosure in
accordance with other applicable state or federal laws.
ii. "Sensitive Information" is information maintained by the CDSS, which is not
confidential by definition, but requires special precautions to protect it from
unauthorized access and/or modification (i.e., financial or operational
information). Sensitive information is information in which the disclosure would
jeopardize the integrity of the CDSS (i.e., CDSS' fiscal resources and
operations).
iii. "Personal Information" is information, in any medium (paper, electronic, or oral)
that identifies or describes an individual (i.e., name, social security number,
driver's license, home/mailing address, telephone number, financial matters with
security codes, medical insurance policy number, Protected Health Information
(PHI), etc.) and must be protected from inappropriate access, use or disclosure
and must be made accessible to information subjects upon request. It can also
be information in the possession of the Department in which the disclosure is
limited by law or contractual Agreement (i.e., proprietary information, etc.).
iv. "Breach" is
1. the unauthorized acquisition, access, use, or disclosure of CDSS CSP in
a manner which compromises the security, confidentiality or integrity of
the information; or
2. the same as the definition of "breach of the security of the system" set
forth in California Civil Code section 1798.29(f).
CDSS EXHIBIT B.DOCX
Agreement 16-6032 Attachment 2
CDSS/County of Fresno Page 2 of 10
v. "Security Incident" is
1. an attempted breach;
2. the attempted or successful unauthorized access or disclosure,
modification or destruction of CDSS CSP, in violation of any state or
federal law or in a manner not permitted under the Agreement between
Contractor and CDSS, including this Exhibit; or
3. the attempted or successful modification or destruction of, or interference
with, Contractor's system operations in an information technology
system, that negatively impacts the confidentiality, availability or integrity
of CDSS CSP.
b. CDSS CSP by the CDSS which may become available to the Contractor as a result of
the implementation of the Agreement shall be protected by the Contractor from
unauthorized access, use, and disclosure as described in this Exhibit.
c. Contractor is notified that unauthorized disclosure of CDSS CSP may be subject to civil
and/or criminal penalties under state and federal law, including but not limited to:
• California Welfare and Institutions Code section 10850
• Information Practices Act—California Civil Code section 1798 et seq.
• Public Records Act—California Government Code section 6250 et seq.
• California Penal Code Section 502, 11140-11144, 13301-13303
• Health Insurance Portability and Accountability Act of 1996 ("HIPAA")—45 CFR Parts
160 and 164
• Safeguarding Information for the Financial Assistance Programs - 45 CFR Part
205.50
d. EXCLUSIONS. "Confidential Information", "Sensitive Information", and "Personal
Information" (CDSS CSP) does not include information that
i. is or becomes generally known or available to the public other than because of a
breach by Contractor of these confidentiality provisions;
ii. already known to Contractor before receipt from CDSS without an obligation of
confidentiality owed to CDSS;
iii. provided to Contractor from a third party except where Contractor knows, or
reasonably should know, that the disclosure constitutes a breach of
confidentiality or a wrongful or tortious act; or
iv. independently developed by Contractor without reference to the CDSS CSP.
IV. Contractor Responsibilities.
a. Training. The Contractor shall instruct all employees, agents, and subcontractors with
access to the CDSS CSP regarding:
i. The confidential nature of the information;
ii. The civil and criminal sanctions against unauthorized access, use, or disclosure
found in the California Civil Code Section 1798.55, Penal Code Section 502 and
other state and federal laws;
iii. CDSS procedures for reporting actual or suspected information security incidents
in Paragraph V—Information Security Incidents and/or Breaches; and
iv. That unauthorized access, use, or disclosure of CDSS CSP is grounds for
immediate termination of this Agreement with CDSS and the Contractor and may
be subject to penalties, both civil and criminal.
b. Use Restrictions. The Contractor shall ensure that their employees, agents,
contractors, subcontractors, and independent consultants will not intentionally seek out,
read, use, or disclose the CDSS CSP other than for the purposes of providing the
requested services to CDSS and meeting its obligations under the Agreement.
c. Disclosure. The Contractor shall not disclose any individually identifiable CDSS CSP to
any person other than for the purposes of providing the requested services to CDSS and
meeting its obligations under the Agreement. Contractor is permitted to disclose
individually identifiable CDSS CSP with the consent of the individual to its service
providers, its vendors, and its partners for the purposes of Contractor providing services
to CDSS or otherwise to meet Contractor's obligations under the Agreement. For CDSS
CSP, Contractor must provide CDSS Program Manager and CDSS Information Security
Office with a list of Contractor authorized service providers and ensure they are bound by
obligations sufficient to protect CDSS CSP in accordance with this Agreement.
d. Subpoena. If Contractor receives a subpoena or other validly issued administrative or
judicial notice requesting the disclosure of CDSS CSP, Contractor will immediately notify
the CDSS Program Contract Manager and the CDSS Information Security and Privacy
Officer. In no event should notification to CDSS occur more than twenty-four (24) hours
after knowingly receiving such request.
e. Information Security Officer. The Contractor shall designate an Information Security
Officer to oversee its compliance with this Exhibit and to communicate with CDSS on
matters concerning this Exhibit.
f. Requests for CDSS CSP by Third Parties. The Contractor and its employees, agents,
or subcontractors shall promptly transmit to the CDSS Program Contract Manager and
the CDSS Information Security and Privacy Officer all requests for disclosure of any
CDSS CSP requested by third parties to the Agreement between Contractor and CDSS
(except from an Individual for an accounting of disclosures of the individual's personal
information pursuant to applicable state or federal law), unless prohibited from doing so
by applicable state or federal law.
g. Documentation of Disclosures for Requests for Accounting. Contractor shall
maintain an accurate accounting of all requests for disclosure of CDSS CSP Information
and the information necessary to respond to a request for an accounting of disclosures of
personal information as required by Civil Code section 1798.25, or any applicable state or
federal law.
h. Return or Destruction of CDSS CSP on Expiration or Termination. Upon expiration
or termination of the Agreement between Contractor and CDSS for any reason,
Contractor shall return or destroy the CDSS CSP. If return or destruction is not feasible,
Contractor shall provide a written explanation to the CDSS Program Contract Manager
and the CDSS Information Security and Privacy Officer, using the contact information in
this Agreement. CDSS, in its sole discretion, will make a determination of the
acceptability of the explanation and, if retention is permitted, shall inform Contractor in
writing of any additional terms and conditions applicable to the retention of the CDSS
CSP.
i. Retention Required by Law. If required by state or federal law, Contractor may retain,
after expiration or termination, CDSS CSP for the time specified as necessary to comply
with the law.
j. Obligations Continue Until Return or Destruction. Contractor's obligations regarding
the confidentiality of CDSS CSP set forth in this Agreement, including but not limited to
obligations related to responding to Public Records Act requests and subpoenas shall
continue until Contractor returns or destroys the CDSS CSP or returns the CDSS CSP to
CDSS; provided however, that on expiration or termination of the Agreement between
Contractor and CDSS, Contractor shall not further use or disclose the CDSS CSP except
as required by state or federal law.
k. Notification of Election to Destroy CDSS CSP. If Contractor elects to destroy the
CDSS CSP, Contractor shall certify in writing, to the CDSS Program Contract Manager
and the CDSS Information Security and Privacy Officer, using the contact information,
that the CDSS CSP has been destroyed.
l. Background Check. Before a member of the Contractor's workforce may access CDSS
CSP, Contractor must conduct a thorough background check of that worker and evaluate
the results to assure that there is no indication that the worker may present a risk to the
State's information technology systems and the data contained therein. The Contractor
shall retain each workforce member's background check documentation for a period of
three (3) years following Agreement termination.
m. Confidentiality Safeguards. The Contractor shall implement administrative, physical,
and technical safeguards that reasonably and appropriately protect the confidentiality,
integrity, and availability of the CDSS CSP that it creates, receives, maintains, uses, or
transmits pursuant to the Agreement. Contractor shall develop and maintain a written
information privacy and security program that includes administrative, technical and
physical safeguards appropriate to the size and complexity of the Contractor's operations
and the nature and scope of its activities, including at a minimum the following
safeguards:
i. General Security Controls
1. User Confidentiality Statement. All persons with access to CDSS CSP
must sign the CDSS User Confidentiality Agreement (Exhibit E,
Attachment 2). The statement must be signed prior to access to CDSS
CSP. The statement must be renewed annually. The Contractor shall
retain each person's written confidentiality statement for CDSS
inspection for a period of three (3) years following contract termination.
2. Workstation/Laptop Encryption. All Contractor-owned or managed
workstations, laptops, tablets, smart phones, and similar devices that
process and/or store CDSS CSP must be encrypted using a FIPS 140-2
certified algorithm which is 128 bit or higher, such as Advanced
Encryption Standard (AES). The encryption solution must be full disk
unless approved by the CDSS Information Security Office.
3. Data Encryption. Any CDSS CSP shall be encrypted at rest when
stored on network file shares or document repositories.
4. Server Security. Servers containing unencrypted CDSS CSP must
have sufficient administrative, physical, and technical controls in place to
protect that data, based upon a risk assessment/system security review.
5. Minimum Necessary. Only the minimum necessary amount of the
CDSS CSP required to perform necessary business functions may be
copied, downloaded, or exported.
6. Removable Media Devices. All electronic files that contain the CDSS
CSP must be encrypted when stored on any removable media or
portable device (i.e. USB thumb drives, floppies, CD/DVD, smart phone,
backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm
which is 128 bit or higher, such as AES.
7. Antivirus Software. All Contractor-owned or managed workstations,
laptops, tablets, smart phones, and similar devices that process and/or
store CDSS CSP must install and actively use comprehensive anti-virus
software solution with automatic updates scheduled at least daily.
8. Patch Management. Contractor must submit a documented patch
management system, to be approved by the CDSS Information Security
Office, in place to install security patches in a timely manner on all
Contractor-owned or managed workstations, laptops, tablets, smart
phones, and similar devices that process and/or store CDSS CSP as
appropriate based on Contractor's risk assessment of such patches, the
technical requirements of Contractor's systems, and vendor's written
recommendations. In lieu of an approved patch management system, all
applicable patches must be installed within thirty (30) days of vendor
release or patch installation occurs within the CDSS approved timeframes
by the next scheduled change release, or accept risk with an approved risk
analysis by the Contractor.
9. User IDs and Password Controls. All users must be issued a unique
user name for accessing CDSS CSP which meets or exceeds CDSS
current Password policy. (Contact CDSS Information Security and
Privacy Officer for current policy.)
10. Data Destruction. Upon termination of the Agreement, all CDSS CSP
must be wiped using the Gutmann or US Department of Defense (DoD)
5220.22-M (7 Pass) standard, or by degaussing. Media may also be
physically destroyed in accordance with NIST Special Publication 800-88.
Other methods require prior written permission of the CDSS Information
Security Office.
ii. System Security Controls
1. System Timeout. The system providing access to the CDSS CSP must
provide an automatic timeout, requiring re-authentication of the user
session after no more than twenty (20) minutes of inactivity.
2. Warning Banners. All systems containing CDSS CSP must display a
warning banner stating that data is confidential, systems are logged, and
system use is for business purposes only. User must be directed to log
off the system if they do not agree with these requirements.
3. System Logging. The system must maintain an automated audit trail
which can identify the user or system process which initiates a request
for CDSS CSP, or which alters CDSS CSP. The audit trail must be date
and time stamped, must log both successful and failed accesses, must
be read only, and must be restricted to authorized users. If CDSS CSP is
stored in a database, database logging functionality must be enabled.
Audit trail data must be archived for at least three (3) years after
occurrence.
4. Access Controls. The system must use role based access controls for
all user authentications, enforcing the principle of least privilege.
5. Transmission Encryption. All data transmissions of CDSS CSP
outside the secure internal network must be encrypted using a FIPS 140-
2 certified algorithm, such as Advanced Encryption Standard (AES), with
a 128 bit key or higher. Encryption can be end to end at the network
level, or the data files containing CDSS CSP can be encrypted. This
requirement pertains to any type of CDSS CSP in motion such as
website access, file transfer, and E-Mail.
6. Intrusion Detection. All systems involved in accessing, holding,
transporting, and protecting CDSS CSP that are accessible via the
Internet must be protected by a comprehensive intrusion detection and
prevention solution.
iii. Audit Controls
1. System Security Review. All systems processing and/or storing CDSS
CSP must have at least an annual system risk assessment/security
review which provides assurance that administrative, physical, and
technical controls are functioning effectively and providing adequate
levels of protection. Reviews shall include vulnerability scanning tools.
2. Log Reviews. All systems processing and/or storing CDSS CSP must
have a routine procedure in place to review system logs for unauthorized
access.
3. Change Control. All systems processing and/or storing CDSS CSP
must have a documented change control procedure that ensures
separation of duties and protects the confidentiality, integrity and
availability of data.
iv. Business Continuity/Disaster Recovery Controls
1. Disaster Recovery. Contractor must establish a documented plan to
enable continuation of critical business processes and protection of the
security of electronic CDSS CSP in the event of an emergency.
Emergency means any circumstance or situation that causes normal
computer operations to become unavailable for use in performing the
work required under this Agreement for more than twenty-four (24)
hours.
2. Data Backup Plan. Contractor must have established documented
procedures to backup CDSS CSP to maintain retrievable exact copies of
CDSS CSP. The plan must include a regular schedule for making
backups, storing backups offsite, an inventory of backup media, and the
amount of time to restore CDSS CSP should it be lost. At a minimum,
the schedule must be a weekly full backup and monthly offsite storage of
CDSS data.
v. Paper Document Controls
1. Supervision of Information. CDSS CSP in paper form shall not be left
unattended at any time, unless it is locked in a file cabinet, file room,
desk or office. Unattended means that information may be observed by
an individual not authorized to access the information. CDSS CSP in
paper form shall not be left unattended at any time in vehicles or planes
and shall not be checked in baggage on commercial airplanes.
2. Escorting Visitors. Visitors to areas where the CDSS CSP are
contained shall be escorted and CDSS CSP shall be kept out of sight
while visitors are in the area.
3. Confidential Destruction. CDSS CSP must be disposed of through
confidential means, such as cross cut shredding and/or pulverizing.
4. Removal of Information. CDSS CSP must not be removed from the
premises of the Contractor except for identified routine business
purposes or with express written permission of CDSS.
5. Faxing. CDSS CSP that must be transmitted by fax shall require that
the Contractor confirms the recipient fax number before sending, takes
precautions to ensure that the fax was appropriately received, maintains
procedures to notify recipients if the Contractor's fax number changes,
and maintains fax machines in a secure area.
6. Mailing. Paper copies of CDSS CSP shall be mailed using a secure,
bonded mail service, such as Federal Express, UPS, or by registered
U.S. Postal Service (i.e., accountable mail using restricted delivery). All
packages must be double packed with a sealed envelope and sealed
outer envelope or locked box.
V. Information Security Incidents and/or Breaches
a. Incidents and/or Breaches Response Responsibility. The Contractor shall be
responsible for facilitating the Incident and/or Breach response process as described in
California Civil Code 1798.29(a), California Civil Code 1798.82(a), and SAM 5340, Incident
Management.
b. Discovery and Notification of Incidents and/or Breaches. The Contractor shall notify
the CDSS Program Contract Manager and the CDSS Information Security and Privacy
Officer within one working day by telephone call and email upon the discovery of the
Incident and/or Breach affecting the security of CDSS CSP if the CDSS CSP was, or is
reasonably believed to have been, acquired by an unauthorized person, or there is an
intrusion, potential loss, actual loss, or unauthorized use or disclosure of the CDSS CSP is
in violation of this Agreement, this provision, or applicable law. The Contractor shall take:
i. Prompt corrective action to mitigate the risks or damages involved with the
Incident and/or Breach and to protect the operating environment; and
ii. Any action pertaining to such unauthorized disclosure required by applicable
Federal and State laws and regulations.
c. Isolation of System or Device. A system or device, containing CDSS CSP,
compromised by an Incident and/or Breach involving an exploitation of a technical
vulnerability, shall be promptly disconnected from Contractor's production environment
with access to only individuals who are participating in the investigation, mitigation, and
remediation of the Incident and/or Breach. Such system or device shall remain
disconnected from the production environment until the risk from the exploited
vulnerability has been adequately mitigated. CDSS must be contacted prior to placing
the previously compromised system or device, containing CDSS CSP, back in the
production environment. The affected system or device, containing CDSS CSP, shall not
be returned to operation in the production environment until the CDSS Information
Security and Privacy Officer gives its approval.
d. Investigation of Incidents and/or Breaches. The Contractor shall promptly investigate
such Incidents and/or Breaches.
e. Updates on Investigation. The Contractor shall provide regular (at least once a week)
email updates on the progress of the Incident and/or Breach investigation to the CDSS
Program Contract Manager and the CDSS Information Security and Privacy Officer until
they are no longer needed, as mutually agreed upon between the Contractor and the
CDSS Information Security and Privacy Officer.
f. Written Report. The Contractor shall provide a written report of the investigation to the
CDSS Program Contract Manager and the CDSS Information Security and Privacy Officer
within ten (10) working days of the discovery of the Incident and/or Breach. To the extent
Contractor has such information, the report shall include but not be limited to the following:
i. Contractor point of contact information;
ii. Description of what happened, including the date of the Incident and/or Breach
and the date of the discovery of the Incident and/or Breach, if known;
iii. Description of the types of CDSS CSP that were involved and the extent of the
information involved in the Incident and/or Breach;
iv. A description of the unauthorized persons known or reasonably believed to have
improperly used or disclosed CDSS CSP;
v. A description of where the CDSS CSP is believed to have been improperly
transmitted, sent, or utilized;
vi. A description of the probable causes of the improper use or disclosure;
vii. Whether Civil Code sections 1798.29 or 1798.82 or any other federal or state
laws requiring individual notifications of breaches are triggered; and
viii. Full, detailed corrective action plan, including information on measures that were
taken to halt and/or contain the Incident and/or Breach.
g. Notification of Individuals. The Contractor shall notify individuals of the breach or
unauthorized use or disclosure when notification is required under applicable state or
federal law as reasonably determined by CDSS. Contractor shall be responsible for the
notifications, as well as any costs associated with the breach. The CDSS Program
Contract Manager and the CDSS Information Security and Privacy Officer shall promptly
approve the time, manner and content of any such notifications, and such approval shall
not be unreasonably withheld.
VI. Contact Information. To direct communications to the above referenced CDSS staff, the
Contractor shall initiate contact as indicated herein. CDSS reserves the right to make changes to
the contact information below by giving written notice to the Contractor. Said changes shall not
require an amendment to this Exhibit or the Agreement to which it is incorporated.
CDSS Program Contract Manager: See the Scope of Work exhibit for Program Contract Manager
information.
CDSS Information Security & Privacy Officer: California Department of Social Services,
Information Security & Privacy Officer, 744 P Street, MS 9-9-70, Sacramento, CA 95814.
Email: iso@dss.ca.gov
VII. Audits and Inspections. From time to time, CDSS may inspect the facilities, systems, books
and records of the Contractor to monitor compliance with the safeguards required in this Exhibit.
Contractor shall promptly remedy any violation of any provision of this Exhibit and shall certify the
same to the CDSS Program Contract Manager and the CDSS Information Security and Privacy
Officer in writing. The fact that CDSS inspects, or fails to inspect, or has the right to inspect,
Contractor's facilities, systems and procedures does not relieve Contractor of its responsibility to
comply with this Exhibit.
VIII. Amendment. The parties acknowledge that federal and state laws regarding information security
and privacy rapidly evolve and that amendment of this Exhibit may be required to provide for
procedures to ensure compliance with such laws. The parties specifically agree to take such
action as is necessary to implement new standards and requirements imposed by regulations and
other applicable laws relating to the security or privacy of CDSS CSP.
IX. Interpretation. The terms and conditions in this Exhibit shall be interpreted as broadly as
necessary to implement and comply with regulations and applicable State laws. The parties
agree that any ambiguity in the terms and conditions of this Exhibit shall be resolved in favor of a
meaning that complies and is consistent with federal and state laws and regulations.
X. Termination. An information Incident and/or Breach by Contractor, its employees, agents, or
subcontractors, as determined by CDSS, may constitute a material breach of the Agreement
between Contractor and CDSS and grounds for immediate termination of the Agreement.
CALIFORNIA DEPARTMENT of SOCIAL SERVICES
USER CONFIDENTIALITY AGREEMENT
Information resources maintained by the California Department of Social Services (CDSS) and provided
to your entity may be confidential, sensitive, and/or personal. Confidential, Sensitive, and/or Personal
(CSP) information is not open to the public and requires special precautions to protect it from wrongful
access, use, disclosure, modification, and destruction. The CDSS strictly enforces information security.
If you violate these provisions, you may be subject to administrative, civil, and/or criminal penalty.
INITIAL: I hereby acknowledge that the confidential and/or sensitive records of the CDSS are subject to
strict confidentiality requirements imposed by state and federal law, including the California Welfare
and Institutions Code §10850, Information Practices Act—California Civil Code §1798 et seq.,
Public Records Act—California Government Code §6250 et seq., California Penal Code §502,
11140-11144, 13301-13303, Health Insurance Portability and Accountability Act of 1996
("HIPAA")—45 CFR Parts 160 and 164, and Safeguarding Information for the Financial
Assistance Programs—45 CFR Part 205.50.
INITIAL: I acknowledge that my supervisor reviewed with me the confidentiality and security requirements,
policies, and administrative processes of my organization, the CDSS, and of the State.
INITIAL: I acknowledge that I will not intentionally seek out, read, use, or disclose the CDSS CSP other
than for the purposes of providing the requested services to CDSS and meeting its obligations
under the Agreement.
INITIAL: I acknowledge that the Contractor shall impose discipline that it deems appropriate (in its sole
discretion) on such employees and other entity workforce members under Contractor's direct
control who intentionally or negligently violate any provisions of this Exhibit.
INITIAL: I acknowledge that unauthorized access, use, or disclosure of CDSS CSP is grounds for
immediate termination of this Agreement with CDSS and the Contractor and may be subject to
penalties, both civil and criminal.
INITIAL: I hereby agree to protect the CDSS' information on either paper or electronic form by:
• Only accessing or using the CDSS supplied information as specified in the Agreement for
the performance of the specific work I am assigned.
• Never accessing information for curiosity or personal reasons.
• Never showing or discussing CSP information to or with anyone who does not have the
need to know.
• Never removing CSP information from the work site without authorization.
• Following encryption requirements for all CSP information in any portable device or media.
"I certify that I have read and initialed the confidentiality statements printed above and will abide
by them."
Name(Printed):
Signature:
Date Signed: