HomeMy WebLinkAboutAgreement A-15-273 with CA. Dept. of Public Health.pdfAgreement No.15-273
,1 CaiREDIE
/
' California R•portable Dlsoase
;; Information Exchange ~~-H Pub!rcHeatth
CaiREDIE Data Use And Disclosure Agreement
This California Reportable Disease Information Exchange (CaiREDIE) Data Use And Disclosure
Agreement (hereinafter referred to as "Agreement") sets forth the information privacy and security
requirements that the County of Fresno Department of Public Health (hereinafter "Data
Recipient") is obligated to follow with respect to all CaiREDIE System Data, and other personal and
confidential information, (as each of these types of data and information are defined herein),
disclosed to Data Recipient by the California Department of Public Health (hereinafter "CDPH").
(Such CaiREDIE System Data and other personal and confidential information are also referred to
herein collectively as "Protected Data".) This Agreement covers Protected Data in any medium
(paper, electronic, oral) the Protected Data exist in. By entering into this Agreement, CDPH and Data
Recipient desire to protect the privacy and provide for the security of all Protected Data in compliance
with all state and federal laws applicable to the Protected Data. Permission to receive, use and
disclose Protected Data requires execution of this Agreement that describes the terms, conditions
and limitations ofData Recipient's collection, use and disclosure of the Protected Data.
I. Supersession: This Agreement supersedes Agreement Number None , dated None ,
between CDPH and Data Recipient.
II. Definitions: For purposes of this Agreement, the following definitions shall apply:
A. Breach: "Breach" means:
1. the acquisition, access, use, or disclosure of Protected Data, in any medium
(paper, electronic, oral), in violation of any state or federal law or in a manner
not permitted under this Agreement, that compromises the privacy, security or
integrity of the information. For purposes of this definition, "compromises the
privacy, security or integrity of the information" means poses a significant risk
of financial, reputational, or other harm to an individual or individuals; or
2. the same as the definition of "breach of the security of the system" set forth
in California Civil Code section 1798.29(f).
B. Confidential Information: "Confidential information" means information that:
1. does not meet the definition of "public records" set forth in California
Government Code section 6252, subdivision (e), or is exempt from disclosure
under any of the provisions of Section 6250, et seq. of the California
Government Code or any other applicable state or federal laws; or
2. is contained in documents, files, folders, books, or records that are clearly
labeled, marked, or designated with the word "confidential" by CDPH; or
CDPH CaiRE DIE DUDA (Approved by OLS 04-24-2015) Page 1 of 14
,1 CaiREDIE
7 0 California R(lportable Disease ;;:
1; Information Exchange
3. is "personal information" as defined in this Agreement; or
4. meets the definition of "confidential public health record or records" as set
forth in California Health and Safety Code section 121035, subdivision (c) if
the record or records contains or consists of information relating to human
immunodeficiency virus (HIV) or acquired immunodeficiency syndrome
(AIDS).
C. Disclosure: "Disclosure" means the release, transfer, prov1s1on of, access to, or
divulging in any other manner of information. "Disclosure" includes the disclosure,
release, transfer, dissemination, or communication of all or any part of any
confidential research record orally, in writing, or by electronic means to any person
or entity, or providing the means for obtaining the records (Health and Safety Code
sections 121035 and 121125).
D. California Reportable Disease Information Exchange (CaiREDIE) System Data:
"California Reportable Disease Information Exchange (CaiREDIE) System Data"
means data in or from the state-wide reportable disease database supported and
maintained by CDPH of demographic, epidemiologic (including clinical information,
risk factor information, and laboratory test result information), and administrative
information on reportable diseases, known as the California Reportable Disease
Information Exchange (CaiREDIE). CaiREDIE data specifically includes information
contained in or extracted from the following:
1. Confidential Morbiditv Report (CMR) required by Title 17 of the California
Code of Regulations CCR) Sections 2500. 2593. 2641.5-2643.20. and 2800-
2812 Reportable Diseases and Conditions.
2. Laboratory Test and Result information required by Title 17 of the CCR
Sections 2505 and 2641.5 -2643.20.
3. Communicable Disease Control Report Forms (required for specific diseases
and conditions that are mandated by state laws and regulations to be
reported by healthcare providers and laboratories to local health officers).
E. Personal Information: "Personal information" means information that:
1. by itself directly identifies or uniquely describes an individual; or
2. creates a substantial risk that it could be used in combination with other
information to indirectly identify or uniquely describe an individual, or link an
individual to the other information; or
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 2 of 14
,1 CaiREDIE
--,~.. C~llfornla R"'portabf~ Ols{laSii? ,.~-J.~ 1 Information ExchatHJe
3. meets the definition of "personal information" set forth in California Civil Code
section 1798.3, subdivision (a); or
4. is one of the data elements set forth in California Civil Code section 1798.29,
subdivisions ~)(4~1 ~}-eF-(3f; or
(g) (1) or (2)
5. meets the definition of "medical information" set forth in either California Civil
Code section 1798.29, subdivision-fBf2)-or California Civil Code section
56.05, subdivision~}; or (h) (2)
(j)
6. meets the definition of "health insurance information" set forth in California
Civil Code section 1798.29, subdivision-~3-}.-
(h)(3)
F. Protected Data: "Protected Data" means data that consists of one or more of the
following types of informastion :
1. "California Reportable Disease Information Exchange (CaiREDIE) System
Data", as defined above; or
2. "Personal Information", as defined above; or
3. "Confidential Information", as defined above.
G. Security Incident: "Security Incident" means:
1. an attempted breach; or
2. the attempted or successful modification or destruction of Protected Data, in
violation of any state or federal law or in a manner, not permitted under this
Agreement; or
3. the attempted or successful modification or destruction of, or interference
with, Data Recipient's system operations in an information technology
system, that negatively impacts the confidentiality, availability or integrity of
Protected Data, or hinders or makes impossible Data Recipient's receipt,
collection, creation, storage, transmission or use of Protected Data by Data
Recipient pursuant to this Agreement.
H. Use: "Use" means the sharing, employment, application, utilization, examination, or
analysis of information.
Ill. Background and Purpose: The California Reportable Disease Information Exchange
(CaiREDIE) is a system of applications that encompasses the core surveillance and
reporting application, electronic laboratory reporting (ELR) application, ELR message
handling application, provider reporting application, alerting and notification application,
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 3 of 14
,1 CaiREDIE 7 .. " California R~portable Dls~ast"
Information Exchange ~H
PublicHeatth
Data Warehouse (OW), and Data Distribution Portal (DDP) that the CDPH has
implemented for web-based disease reporting and surveillance. The purpose of this
application is to improve the efficiency of surveillance activities and the early detection of
public health events through the collection of more complete and timely surveillance
information on a state wide basis. CaiREDIE is a secure, web-based electronic solution for
health care providers to report cases of conditions of public health interest; and for
laboratories to report laboratory reports for notifiable conditions to LHDs and the CDPH,
and for LHDs to report conditions to CDPH. CaiREDIE is an integral part of the overall
California public health emergency preparedness and response strategy where completion
and implementation of CaiREDIE allows for 24/7/365 reporting and receipt of notifiable
conditions. LHDs and CDPH will have access to disease and laboratory reports in near
real-time for disease surveillance, public health investigation, and case management
activities. CaiREDIE is the system of record for communicable disease surveillance data
within California.
IV. Legal Authority for Use and Disclosure of Protected Data: The legal authority for CDPH to
collect, use and disclose Protected Data, and for Data Recipient to receive and use
Protected Data is set forth in Appendix A.
V. Disclosure Restrictions: The Data Recipient and its employees or agents, shall protect
from unauthorized disclosure any Protected Data. The Data Recipient shall not disclose,
except as otherwise specifically permitted by this Agreement, any Protected Data to
anyone other than CDPH, except if disclosure is required by state or federal law.
VI. Use Restrictions: The Data Recipient and its employees or agents, shall not use any
Protected Data for any purpose other than carrying out the Data Recipient's obligations
under the statutes and regulations set forth in Section IV, above, or as otherwise allowed or
required by state or federal law.
VII. Safeguards: Data Recipient shall implement administrative, physical, and technical
safeguards that reasonably and appropriately protect the privacy, confidentiality, security,
integrity, and availability of Protected Data, including electronic or computerized Protected
Data. The Data Recipient shall develop and maintain a written information privacy and
security program that includes administrative, technical and physical safeguards
appropriate to the size and complexity of the Data Recipient's operations and the nature
and scope of its activities in performing its legal obligations and duties (including
performance of its duties and obligations under this Agreement), and which incorporates
the requirements of Section IX, Security, below. Data Recipient shall provide CDPH with
Data Recipient's current and updated policies.
VIII. California HIV/AIDS-Specific Statutes Pertaining to Confidential Public Health Records and
Penalties for Discfosures: All HIV/AIDS case reports and any HIV/AIDS related information
collected or maintained by CDPH (or its agents or contractors) or a local health department
or agency (or its agent or contractors), that may directly or indirectly identify an individual
are considered confidential public health record(s) under California Health and Safety Code
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 4 of 14
,1 CaiREDIE
7:~ ca
1
1ttornta Reporhatable Disease
In orm.atton Exc nge
(HSC) section 121035(c) and must be handled with the utmost confidentiality.
Furthermore, HSC section 121025(a) prohibits the disclosure of HIV/AIDS-related public
health records that contain any personally identifying information to any third-party, unless
authorized by law for public health purposes, or by the written consent of the individual
identified in the record or his/her guardian/conservator. Except as permitted by law, any
person who negligently discloses information contained in a confidential public health
record to a third party is subject to a civil penalty of up to $5,000 plus court costs, as
provided in HSC section 121025(e)(1). Any person who willfully or maliciously discloses
the content of a public health record, except as authorized by law, is subject to a civil
penalty of $5,000-$25,000 plus court costs as provided by HSC 121025(e)(2). Any willfully,
malicious, or negligent disclosure of information contained in a public health record in
violation of state law that results in economic, bodily, psychological harm to a person
named in the record is a misdemeanor, punishable by imprisonment for a period of up to
one year and/or a fine of up to $25,000 plus court costs [HSC section 121025(e)(3)]. Any
person who is guilty of a confidentiality infringement of the foregoing type may be sued by
the injured party and shall be personally liable for all actual damages incurred for
economic, bodily, or psychological harm as a result of the breach [HSC section
121025(e)(4)]. Each disclosure in violation of California law is a separate, actionable
offense [HSC section 121025(e)(5).
IX. Security: The Data Recipient shall take all steps necessary to ensure the continuous
security of all computerized data systems containing Protected Data. These steps shall
include, at a minimum:
A. complying with all applicable CDPH data system security statutory and regulatory,
compliance requirements:
http:Ucdphintranet/technology/ISO/Documents/CDPH%201nfo%20Sec%20Policy%20-
%20Aug%202010.pdf
B. providing a level and scope of security that is at least comparable to the level and
scope of security established by the Office of Management and Budget in OMB
Circular No. A-130, Appendix Ill-Security of Federal Automated Information
Systems, which sets forth guidelines for automated information systems in Federal
agencies; and
C. in case of a conflict between any of the security standards contained in any of the
aforementioned sources of security standards, the most stringent shall apply. The
most stringent means that safeguard which provides the highest level of protection
to Protected Data from breaches and security incidents.
X. Security Officer: The Data Recipient shall designate a Security Officer to oversee its
compliance with this Agreement and for communicating with CDPH on matters concerning
this Agreement.
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 5 of 14
"CaiREDIE 7' Callfornt.l R•portable Dlseaso
lnformatton Exchatl9e-
~.:.-~~~P.H
PubticHeatth
XI. Training: The Data Recipient shall provide training on its obligations under this Agreement,
at its own expense, to all of its employees who assist in the performance of Data
Recipient's obligations under this Agreement, or otherwise use or disclose Protected Data.
A. The Data Recipient shall require each employee who receives training to a
certification, indicating the employee's name and the date on which the training was
completed.
B. The Data Recipient shall retain each employee's written certifications for CDPH
inspection for a period of three years following contract termination.
XII. Employee Discipline: Data Recipient shall discipline such employees and other Data
Recipient workforce members who intentionally violate any provisions of this Agreement,
including, if warranted, by termination of employment.
XIII. Breach and Security Incident Responsibilities:
A. Notification to CDPH of Breach or Securitv Incident: The Data Recipient shall notify
CDPH immediately by telephone call plus email or fax upon the discovery of a
breach (as defined in this Agreement), or within twenty-four (24) hours by email or
fax of the discovery of any security incident (as defined in this Agreement).
Notification shall be provided to the CDPH Program Manager, the CDPH Privacy
Officer and the CDPH Chief Information Security Officer, using the contact
information listed in Section XIII(E), below. If the breach or security incident occurs
after business hours or on a weekend or holiday and involves Protected Data in
electronic or computerized form, notification to CDPH shall be provided by calling
the CDPH IT Service Desk at the telephone numbers listed in Section XIII(E),),
below For purposes of this Section, breaches and security incidents shall be
treated as discovered by Data Recipient as of the first day on which such breach or
security incident is known to the Data Recipient, or, by exercising reasonable
diligence would have been known to the Data Recipient. Data Recipient shall be
deemed to have knowledge of a breach or security incident if such breach or
security incident is known, or by exercising reasonable diligence would have been
known, to any person, other than the person committing the breach or security
incident, who is an employee or agent of the Data Recipient.
Data Recipient shall take:
1. prompt corrective action to mitigate any risks or damages involved with the
breach or security incident and to protect the operating environment; and
2. any action pertaining to a breach required by applicable federal and state
laws, including, specifically, California Civil Code section 1798.29.
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 6 of 14
,1 CaiREDIE
7 ;; California R•portabl• Dl,.ase
~: lnfonn.atJon Exchange-ft~!i
PublicHMHh
B. Investigation of Breach: The Data Recipient shall immediately investigate such
breach or security incident, and within seventy-two (72) hours of the discovery, shall
inform the CDPH Help Desk, the CDPH Privacy Officer, and the CDPH Chief
Information Security Officer of:
1. what data elements were involved and the extent of the data involved in the
breach, including, specifically, the number of individuals whose personal
information was breached; and
2. a description of the unauthorized persons known or reasonably believed to
have improperly used the Protected Data and/or a description of the
unauthorized persons known or reasonably believed to have improperly
accessed or acquired the Protected Data, or to whom it is known or
reasonably believe have had the Protected Data improperly disclosed to
them; and
3. a description of where the Protected Data is believed to have been improperly
used or disclosed; and
4. a description of the probable causes of the breach or security incident; and
5. whether Civil Code section 1798.29 or any other federal or state Jaws
requiring individual notifications of breaches have been triggered.
C. Written Report: The Data Recipient shall provide a written report of the investigation
to the CDPH Program Manager, the CDPH Privacy Officer, and the CDPH Chief
Information Security Officer within five (5) working days of the discovery of the
breach or security incident. The report shall include, but not be limited to, the
information specified above, as well as a full, detailed corrective action plan,
including information on measures that were taken to halt and/or contain the breach
or security incident, and measures to be taken to prevent the recurrence of such
breach or security incident.
D. Notification to Individuals: If notification to individuals whose information was
breached is required under state or federal Jaw, and regardless of whether Data
Recipient is considered only a custodian and/or non-owner of the Protected Data,
Data Recipient shall, at its sole expense, and at the sole election of CDPH, either:
1. make notification to the individuals affected by the breach (including
substitute notification), pursuant to the content and timeliness provisions of
such applicable state or federal breach notice Jaws. The CDPH Privacy
Officer shall approve the time, manner and content of any such notifications,
prior to the transmission of such notifications to the individuals; or
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 7 of 14
,1 CaiREDIE
7 t .... ~ Caltfornla RE:Iportable Dl~ease
lnformatlon Exchange
~.:.,
~s;..~.PH
PubhcH..ath
2. cooperate with and assist CDPH in its notification (including substitute
notification) to the individuals affected by the breach.
E. CDPH Contact Information: To direct communications to the above referenced
CDPH staff, the Data Recipient shall initiate contact as indicated herein. CDPH
reserves the right to make changes to the contact information below by giving written
notice to the Data Recipient. Said changes shall not require an amendment to this
Agreement.
CDPH Program Manager CDPH Privacy Officer CDPH Chief Information Security
Officer (and CDPH IT Service Desk)
CaiREDIE Help Desk Privacy Officer Chief Information Security Officer
California Department of Public Health Privacy Office, Information Security Office
P.O. Box 997377, MS 7303 c/o Office of Legal Services California Department of Public Health
Sacramento, CA 95899-7377 California Department of Public Health P.O. Box 997413, MS 6302
California Department of Public Health 1415 L Street, Suite 500 Sacramento, CA 95899-7 413
Sacramento, CA 95814
Email: CaiREDIEHeiQ@CdQh.ca.gov Email: Qrivacy:@cdQh.ca.gov Email: cdQhiso@cdQh.ca.gov
Telephone: (866) 866-1428 Telephone: (877) 421-9634 Telephone: IT Service Desk
(916) 440-7000 or
(800) 579-0874
XIV. Indemnification: Data Recipient shall indemnify, hold harmless and defend CDPH from and
against any and all claims, losses, liabilities, damages, costs and other expenses (including
attorneys fees) that result from or arise directly or indirectly out of or in connection with any
negligent act or omission or willful misconduct of Data Recipient, its officers, employees or
agents relative to the Protected Data, including without limitation, any violations of Data
Recipient's responsibilities under this Agreement.
XV. Term of Agreement: This Agreement shall remain in effect for three (3) years after the
latest signature date in the signature block below. After three (3) years, this Agreement will
expire without further action. If the parties wish to extend this Agreement, they may do so
by reviewing, updating, and reauthorizing this Agreement. The newly signed agreement
should explicitly supersede this Agreement, which should be referenced by Agreement
Number and date in Section I of the new Agreement. If one or both of the parties wish to
terminate this Agreement prematurely, they may do so upon 30 days advanced notice.
CDPH may also terminate this Agreement pursuant to Sections XVII or XVIII, below.
XVI. Termination for Cause:
A. Termination Upon Breach: A breach by Data Recipient of any provision of this
Agreement, as determined by CDPH, shall constitute a material breach of the
Agreement and grounds for immediate termination of the Agreement by CDPH. At its
sole discretion, CDPH may give Data Recipient 30 days to cure the breach.
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 8 of 14
'I CaiREDIE 7:.: californfa R~portable-Disease
Information Exchange
B. Judicial or Administrative Proceedings: Data Recipient will notify CDPH if it is
named as a defendant in a criminal proceeding related to a violation of this
Agreement. CDPH may terminate the Agreement if Data Recipient is found guilty of
a criminal violation related to a violation of this Agreement. CDPH may terminate
the Agreement if a finding or stipulation that the Data Recipient has violated any
security or privacy laws is made in any administrative or civil proceeding in which the
Data Recipient is a party or has been joined.
XVII. Return or Destruction of Protected Data on Expiration or Termination: On expiration or
termination of the agreement between Data Recipient and CDPH for any reason, Data
Recipient shall return or destroy the Protected Data. If return or destruction is not feasible,
Data Recipient shall explain to CDPH why, in writing, to the CDPH Help Desk, the CDPH
Privacy Officer and the CDPH Chief Information Security Officer, using the contact
information listed in Section XIII(E), above.
A. Retention Required by Law: If Required by state or federal law, Data Recipient may
retain, after expiration or termination, Protected Data for the time specified as
necessary to comply with the law.
B. Obligations Continue Until Return or Destruction: Data Recipient's obligations under
this Agreement shall continue until Data Recipient destroys the Protected Data or
returns the Protected Data to CDPH; provided however, that on expiration or
termination of the Agreement, Data Recipient shall not further use or disclose the
Protected Data except as required by state or federal law.
C. Notification of Election to Destroy Protected Data: If Data Recipient elects to destroy
the Protected Data, Data Recipient shall certify in writing, to the CDPH Program
Manager, the CDPH Privacy Officer and the CDPH Chief Information Security
Officer, using the contact information listed in Section XIII(E), above. that the
Protected Data has been destroyed.
XVIII. Amendment: The parties acknowledge that Federal and State laws relating to information
security and privacy are rapidly evolving and that amendment of this Agreement may be
required to provide for procedures to ensure compliance with such laws. The parties
specifically agree to take such action as is necessary to implement new standards and
requirements imposed by regulations and other applicable laws relating to the security or
privacy of Protected Data. Upon CDPH' request, Data Recipient agrees to promptly enter
into negotiations with CDPH concerning an amendment to this Agreement embodying
written assurances consistent with new standards and requirements imposed by
regulations and other applicable laws. CDPH may terminate this Agreement upon thirty
(30) days written notice in the event:
A. Data Recipient does not promptly enter into negotiations to amend this Agreement
when requested by CDPH pursuant to this Section or
CDPH CaiREDIE DUDA {Approved by OLS 04-24-2015) Page 9 of 14
,1 CaiREDIE
7~ Catffornl.a Rl?portablt? Ols{las~ ~ tnformatton Exchan9e ~.H
PublicHealth
B. Data Recipient does not enter into an amendment providing assurances regarding
the safeguarding of Protected Data that CDPH in its sole discretion deems sufficient
to satisfy the standards and requirements of applicable laws and regulations relating
to the security or privacy of Protected Data.
XIX. Assistance in Litigation or Administrative Proceedings: Data Recipient shall make itself and
any employees or agents assisting Data Recipient in the performance of its obligations
under this Agreement, available to CDPH at no cost to CDPH to testify as witnesses, or
otherwise, in the event of litigation or administrative proceedings being commenced against
CDPH, its director, officers or employees based upon claimed violation of Jaws relating to
security and privacy, which involves inactions or actions by the Data Recipient, except
where Data Recipient or its employee or agent is a named adverse party.
XX. Disclaimer: CDPH makes no warranty or representation that compliance by Data Recipient
with this Agreement will be adequate or satisfactory for Data Recipient's own purposes or
that any information in Data Recipient's possession or control, or transmitted or received by
Data Recipient, is or will be secure from unauthorized use or disclosure. Data Recipient is
solely responsible for all decisions made by Data Recipient regarding the safeguarding of
Protected Data.
XXI. Transfer of Rights: Data Recipient has no right and shall not subcontract, delegate, assign,
or otherwise transfer or delegate any of its rights or obligations under this Agreement to any
other person or entity. Any such transfer of rights shall be null and void.
XXII. No Third-Party Beneficiaries: Nothing express or implied in the terms and conditions of this
Agreement is intended to confer, nor shall anything herein confer, upon any person other
than CDPH or Data Recipient and their respective successors or assignees, any rights,
remedies, obligations or liabilities whatsoever.
XXIII. Interpretation: The terms and conditions in this Agreement shall be interpreted as broadly
as necessary to implement and comply with regulations and applicable State and Federal
laws. The parties agree that any ambiguity in the terms and conditions of this Agreement
shall be resolved in favor of a meaning that complies and is consistent with Federal and
State Jaws.
XXIV. Survival: The respective rights and obligations of Data Recipient under Sections VII, IX ,
XIII and XVII of this Agreement shall survive the termination or expiration of this
Agreement.
XXV. Entire Agreement: This Agreement constitutes the entire agreement between CDPH and
Data Recipient. Any and all modifications of this Agreement must be in writing and signed
by all parties. Any oral representations or agreements between the parties shall be of no
force or effect.
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 10 of 14
,1 CaiREDIE
7~, CaUforma R4?portabl~~?-Dls•ase
;, Information Exchange ~!:! PublicHealth
Appendix A
Legal Authority for Use and Disclosure of Protected Data
I. Legal Authority for Use and Disclosure of Protected Data: The legal authority for CDPH
to collect, use and disclose Protected Data, and for Data Recipient to receive and use
Protected Data is as follows:
A. General Legal Authority:
1. California Information Practices Act:
a) California Civil Code section 1798.24, subdivision (e), provides in part
as follows: "No agency may disclose any personal information in a
manner that would link the information disclosed to the individual to
whom it pertains unless the information is disclosed, as follows:To a
person, or to another agency where the transfer is necessary for the
transferee agency to perform its constitutional or statutory duties, and
the use is compatible with a purpose for which the information was
collected ... "
B. Specific Legal Authority --List of Reportable Diseases and Conditions:
1. California Health and Safety Code section 120130 provides in part as follows:
"The department shall establish a Jist of reportable diseases and conditions.
For each reportable disease and condition, the department shall specify the
timeliness requirements related to the reporting of each disease and
condition, and the mechanisms required for, and the content to be included in,
reports made pursuant to this section. The list of reportable diseases and
conditions may include both communicable and noncommunicable diseases.
Those diseases listed as reportable shall be properly reported as required to
the department by the health Officer .... "
California Health and Safety Code section 120130 also provides in part as
follows: "Commencing July 1, 2009, or within one year of the establishment of
a state electronic laboratory reporting system, whichever is later, a report
generated pursuant to [Section 120130] by a laboratory shall be submitted
electronically in a manner specified by the department .... "
2. Title 17 of the California Code of Regulations, section 2500, subdivision (g),
provides in part as follows: "Upon the State Department of Public Health's
request, a local health jurisdiction shall provide to the Department the
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 12 of 14
'I CaiREDIE
7 ,,, California Reponabl• DISease
;: Information Ex:<hangil?
d.:,
~~~.PH
Pctbhclfealth
information reported pursuant to this section .... " Other sections of Title 17
of the California Code of Regulations provide authority for the uses and
disclosures that are the subject of this Agreement, including, Sections 2501,
2502,2593.2641.5-2643.20. and 2800-2812.
C. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Authority:
1. CDPH HIPAA Status: CDPH is a "hybrid entity" for purposes of applicability of
the federal regulations entitled "Standards for Privacy of Individually
Identifiable Health Information" ("Privacy Rule") (45 C.F.R. Parts 160, 162,
and 164) promulgated pursuant to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) (42 U.S.C. §§ 1320d -1320d-8) (as
amended by Subtitle D Privacy, of the Health Information Technology for
Economic and Clinical Health (HITECH) Act (Pub. L. 111-5, 123 Stat. 265-
66)). Some of the CDPH programs that collect, use or disclose Protected
Data may be programs designated by CDPH as HIPAA-covered "health care
components" of CDPH. (45 C.F.R. § 164.504(c)(3)(iii).). All Protected Data of
any CDPH health care component that is collected, used or disclosed as part
of the CaiREDIE system fits within one or more of the exceptions set forth in
subsection 3, below ("Protected Data Use and Disclosure Permitted by
HIPAA").
2. Parties Are "Public Health Authorities": CDPH and Data Recipient are each a
"public health authority" as that term is defined in the Privacy Rule. (45
C.F.R. §§ 164.501; 164.512(b)(1)(i).)
3. Protected Data Use and Disclosure Permitted by HIPAA: To the extent a
disclosure or use of Protected Data is a disclosure or use of "Protected Health
Information" (PHI) of an individual, as that term is defined in Section 160.103
of Title 45, Code of Federal Regulations, the following Privacy Rule provisions
apply to permit such Protected Data disclosure and/or use by CDPH and Data
Recipient, without the consent or authorization of the individual who is the
subject of the PHI:
a) The HIPAA Privacy Rule creates a special rule for a subset of public
health disclosures whereby HIPAA cannot preempt state law if, "[t]he
provision of state law, including state procedures established under
such law, as applicable, provides for the reporting of disease or injury,
child abuse, birth, or death, or for the conduct of public health
surveillance, investigation, or intervention." (45 C.F.R. § 60.203(c)
[HITECH Act, § 13421, sub. (a)].) [NOTE: See State laws and
regulations listed in §§ IV.A and IV.B, above.];
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 13 of 14
,1 CaiREDIE 7·:-Caltfornta ReportablE' Olst?as€1
lnformatton Exchange ~;.H
PubhcHealth
b) A covered entity may disclose PHI to a "public health authority"
carrying out public health activities authorized by law; (45 C.F.R. §
164.512(b).); and
c) Other, non-public health-specific provisions of HIPAA may also provide
the legal basis for all or specific Protected Data uses and disclosures.
CDPH CaiREDIE DUDA (Approved by OLS 04-24-2015) Page 14 of 14
GTC 610
EXHIBITC
GENERAL TERMS AND CONDITIONS
1. APPROVAL: This Agreement is of no force or effect until signed by both parties and
approved by the Department of General Services, if required. Contractor may not commence
performance until such approval has been obtained.
2. AMENDMENT: No amendment or variation of the terms of this Agreement shall be valid
unless made in writing, signed by the parties and approved as required. No oral understanding or
Agreement not incorporated in the Agreement is binding on any of the parties.
3. ASSIGNMENT: This Agreement is not assignable by the Contractor, either in whole or in
part, without the consent of the State in the form of a formal written amendment.
4. AUDIT: Contractor agrees that the awarding department, the Department of General Services,
the Bureau of State Audits, or their designated representative shall have the right to review and
to copy any records and supporting documentation pertaining to the performance of this
Agreement. Contractor agrees to maintain such records for possible audit for a minimum of three
(3) years after final payment, unless a longer period of records retention is stipulated. Contractor
agrees to allow the auditor(s) access to such records during normal business hours and to allow
interviews of any employees who might reasonably have information related to such records.
Further, Contractor agrees to include a similar right of the State to audit records and interview
staff in any subcontract related to performance ofthis Agreement. (Gov. Code §8546.7, Pub.
Contract Code §10115 et seq., CCR Title 2, Section 1896).
5. INDEMNIFICATION: Contractor agrees to indemnify, defend and save harmless the State, its
officers, agents and employees from any and all claims and losses accruing or resulting to any
and all contractors, subcontractors, suppliers, laborers, and any other person, firm or corporation
furnishing or supplying work services, materials, or supplies in connection with the performance
of this Agreement, and from any and all claims and losses accruing or resulting to any person,
firm or corporation who may be injured or damaged by Contractor in the performance of this
Agreement.
6. DISPUTES: Contractor shall continue with the responsibilities under this Agreement during
any dispute.
7. TERMINATION FOR CAUSE: The State may terminate this Agreement and be relieved of
any payments should the Contractor fail to perform the requirements of this Agreement at the
time and in the manner herein provided. In the event of such termination the State may proceed
with the work in any manner deemed proper by the State. All costs to the State shall be deducted
from any sum due the Contractor under this Agreement and the balance, if any, shall be paid to
the Contractor upon demand.
8. INDEPENDENT CONTRACTOR: Contractor, and the agents and employees of Contractor,
in the performance of this Agreement, shall act in an independent capacity and not as officers or
employees or agents of the State.
9. RECYCLING CERTIFICATION: The Contractor shall certify in writing under penalty of
perjury, the minimum, if not exact, percentage of post consumer material as defined in the Public
Contract Code Section 12200, in products, materials, goods, or supplies offered or sold to the
State regardless of whether the product meets the requirements of Public Contract Code Section
12209. With respect to printer or duplication cartridges that comply with the requirements of
Section 12156(e), the certification required by this subdivision shall specify that the cartridges so
comply (Pub. Contract Code §12205).
I 0. NON-DISCRIMINATION CLAUSE: During the performance of this Agreement, Contractor
and its subcontractors shall not unlawfully discriminate, harass, or allow harassment against any
employee or applicant for employment because of sex, race, color, ancestry, religious creed,
national origin, physical disability (including HIV and AIDS), mental disability, medical
condition (e.g., cancer), age (over 40), marital status, and denial of family care leave. Contractor
and subcontractors shall insure that the evaluation and treatment of their employees and
applicants for employment are free from such discrimination and harassment. Contractor and
subcontractors shall comply with the provisions of the Fair Employment and Housing Act (Gov.
Code §12990 (a-f) et seq.) and the applicable regulations promulgated thereunder (California
Code of Regulations, Title 2, Section 7285 et seq.). The applicable regulations of the Fair
Employment and Housing Commission implementing Government Code Section 12990 (a-f), set
forth in Chapter 5 of Division 4 of Title 2 of the California Code of Regulations, are incorporated
into this Agreement by reference and made a part hereof as if set forth in full. Contractor and its
subcontractors shall give written notice of their obligations under this clause to labor
organizations with which they have a collective bargaining or other Agreement.
Contractor shall include the nondiscrimination and compliance provisions of this clause in all
subcontracts to perform work under the Agreement.
11. CERTIFICATION CLAUSES: The CONTRACTOR CERTIFICATION CLAUSES
contained in the document CCC 307 are hereby incorporated by reference and made a part of this
Agreement by this reference as if attached hereto.
12. TIMELINESS: Time is of the essence in this Agreement.
13. COMPENSATION: The consideration to be paid Contractor, as provided herein, shall be in
compensation for all of Contractor's expenses incurred in the performance hereof, including
travel, per diem, and taxes, unless otherwise expressly so provided.
14. GOVERNING LAW: This contract is governed by and shall be interpreted in accordance
with the laws ofthe State of California.
15. ANTITRUST CLAIMS: The Contractor by signing this agreement hereby certifies that if
these services or goods are obtained by means of a competitive bid, the Contractor shall comply
with the requirements ofthe Government Codes Sections set out below.
a. The Government Code Chapter on Antitrust claims contains the following definitions:
I) "Public purchase" means a purchase by means of competitive bids of goods, services, or
materials by the State or any of its political subdivisions or public agencies on whose behalf the
Attorney General may bring an action pursuant to subdivision (c) of Section 16750 of the
Business and Professions Code.
2) "Public purchasing body" means the State or the subdivision or agency making a public
purchase. Government Code Section 4550.
b. In submitting a bid to a public purchasing body, the bidder offers and agrees that if the bid is
accepted, it will assign to the purchasing body all rights, title, and interest in and to all causes of
action it may have under Section 4 of the Clayton Act (15 U.S.C. Sec. 15) or under the
Cartwright Act (Chapter 2 (commencing with Section 16700) of Part 2 of Division 7 of the
Business and Professions Code), arising from purchases of goods, materials, or services by the
bidder for sale to the purchasing body pursuant to the bid. Such assignment shall be made and
become effective at the time the purchasing body tenders final payment to the bidder.
Government Code Section 4552.
c. If an awarding body or public purchasing body receives, either through judgment or
settlement, a monetary recovery for a cause of action assigned under this chapter, the assignor
shall be entitled to receive reimbursement for actual legal costs incurred and may, upon demand,
recover from the public body any portion of the recovery, including treble damages, attributable
to overcharges that were paid by the assignor but were not paid by the public body as part of the
bid price, less the expenses incurred in obtaining that portion of the recovery. Government Code
Section 4553.
d. Upon demand in writing by the assignor, the assignee shall, within one year from such
demand, reassign the cause of action assigned under this part if the assignor has been or may
have been injured by the violation of law for which the cause of action arose and (a) the assignee
has not been injured thereby, or (b) the assignee declines to file a court action for the cause of
action. See Government Code Section 4554.
16. CHILD SUPPORT COMPLIANCE ACT: For any Agreement in excess of$100,000, the
contractor acknowledges in accordance with Public Contract Code 7110, that:
a. The contractor recognizes the importance of child and family support obligations and shall
fully comply with all applicable state and federal laws relating to child and family support
enforcement, including, but not limited to, disclosure of information and compliance with
earnings assignment orders, as provided in Chapter 8 (commencing with section 5200) of Part 5
of Division 9 of the Family Code; and
b. The contractor, to the best of its knowledge is fully complying with the earnings assignment
orders of all employees and is providing the names of all new employees to the New Hire
Registry maintained by the California Employment Development Department.
17. UNENFORCEABLE PROVISION: In the event that any provision of this Agreement is
unenforceable or held to be unenforceable, then the parties agree that all other provisions of this
Agreement have force and effect and shall not be affected thereby.
18. PRIORITY HIRING CONSIDERATIONS: Ifthis Contract includes services in excess of
$200,000, the Contractor shall give priority consideration in filling vacancies in positions funded
by the Contract to qualified recipients of aid under Welfare and Institutions Code Section 11200
in accordance with Pub. Contract Code § 10353.
19. SMALL BUSINESS PARTICIPATION AND DVBE PARTICIPATION REPORTING
REQUIREMENTS:
a. If for this Contract Contractor made a commitment to achieve small business participation,
then Contractor must within 60 days of receiving final payment under this Contract (or within
such other time period as may be specified elsewhere in this Contract) report to the awarding
department the actual percentage of small business participation that was achieved. (Govt. Code
§ 14841.)
b. If for this Contract Contractor made a commitment to achieve disabled veteran business
enterprise (DVBE) participation, then Contractor must within 60 days of receiving final payment
under this Contract (or within such other time period as may be specified elsewhere in this
Contract) certify in a report to the awarding department: (1) the total amount the prime
Contractor received under the Contract; (2) the name and address of the DVBE(s) that
participated in the performance of the Contract; (3) the amount each DVBE received from the
prime Contractor; (4) that all payments under the Contract have been made to the DVBE; and (5)
the actual percentage ofDVBE participation that was achieved. A person or entity that
knowingly provides false information shall be subject to a civil penalty for each violation. (Mil.
& Vets. Code§ 999.5(d); Govt. Code§ 14841.)
20. LOSS LEADER:
If this contract involves the furnishing of equipment, materials, or supplies then the following
statement is incorporated: It is unlawful for any person engaged in business within this state to
sell or use any article or product as a "loss leader" as defined in Section 17030 ofthe Business
and Professions Code. (PCC 10344(e).)
C:\Users\kscharnhorst\AppData\Locai\Microsoft\Windows\Temporary Internet Files\Content.Outlook\Nl7VILFF\GTC-6l O.doc
CCC-307
CERTIFICATION
I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly
authorized to legally bind the prospective Contractor to the clause(s) listed below. This
certification is made under the laws of the State of California.
Contractor/Bidder Firm Name (Printed) Federal ID Number
County of Fresno
By(Aut~a.
Printed Name and Title of Person Signing
Deborah A. Poochigian, Chairman, Board of Supervisors I Executed in the County of
Fresno
ONTRACTOR CERTIFICATION CLAUSES
4-6000-512
ATTEST:
BERNICE E. SEIDEL, Clerk
Board of Supervisors
By ~)c~
1. STATEMENT OF COMPLIANCE: Contractor has, unless exempted, complied with
the nondiscrimination program requirements. (Gov. Code §12990 (a-t) and CCR, Title 2,
Section 81 03) (Not applicable to public entities.)
2. DRUG-FREE WORKPLACE REQUIREMENTS: Contractor will comply with the
requirements of the Drug-Free Workplace Act of 1990 and will provide a drug-free
workplace by taking the following actions:
a. Publish a statement notifying employees that unlawful manufacture, distribution,
dispensation, possession or use of a controlled substance is prohibited and specifying
actions to be taken against employees for violations.
b. Establish a Drug-Free Awareness Program to inform employees about:
1) the dangers of drug abuse in the workplace;
2) the person's or organization's policy of maintaining a drug-free workplace;
3) any available counseling, rehabilitation and employee assistance programs; and,
4) penalties that may be imposed upon employees for drug abuse violations.
c. Every employee who works on the proposed Agreement will:
1) receive a copy of the company's drug-free workplace policy statement; and,
2) agree to abide by the terms of the company's statement as a condition of employment
on the Agreement.
Failure to comply with these requirements may result in suspension of payments under
the Agreement or termination of the Agreement or both and Contractor may be ineligible
for award of any future State agreements if the department determines that any of the
following has occurred: the Contractor has made false certification, or violated the
puty
certification by failing to carry out the requirements as noted above. (Gov. Code §8350 et
seq.)
3. NATIONAL LABOR RELATIONS BOARD CERTIFICATION: Contractor certifies
that no more than one (1) final unappealable finding of contempt of court by a Federal
court has been issued against Contractor within the immediately preceding two-year
period because of Contractor's failure to comply with an order of a Federal court, which
orders Contractor to comply with an order of the National Labor Relations Board. (Pub.
Contract Code § 1 0296) (Not applicable to public entities.)
4. CONTRACTS FOR LEGAL SERVICES $50,000 OR MORE-PRO BONO
REQUIREMENT: Contractor hereby certifies that contractor will comply with the
requirements of Section 6072 ofthe Business and Professions Code, effective January 1,
2003.
Contractor agrees to make a good faith effort to provide a minimum number of hours of
pro bono legal services during each year of the contract equal to the lessor of 30
multiplied by the number of full time attorneys in the firm's offices in the State, with the
number of hours prorated on an actual day basis for any contract period of less than a full
year or 1 0% of its contract with the State.
Failure to make a good faith effort may be cause for non-renewal of a state contract for
legal services, and may be taken into account when determining the award of future
contracts with the State for legal services.
5. EXPATRIATE CORPORATIONS: Contractor hereby declares that it is not an
expatriate corporation or subsidiary of an expatriate corporation within the meaning of
Public Contract Code Section 10286 and 10286.1, and is eligible to contract with the
State of California.
6. SWEATFREE CODE OF CONDUCT:
a. All Contractors contracting for the procurement or laundering of apparel, garments or
corresponding accessories, or the procurement of equipment, materials, or supplies, other
than procurement related to a public works contract, declare under penalty of perjury that
no apparel, garments or corresponding accessories, equipment, materials, or supplies
furnished to the state pursuant to the contract have been laundered or produced in whole
or in part by sweatshop labor, forced labor, convict labor, indentured labor under penal
sanction, abusive forms of child labor or exploitation of children in sweatshop labor, or
with the benefit of sweatshop labor, forced labor, convict labor, indentured labor under
penal sanction, abusive forms of child labor or exploitation of children in sweatshop
labor. The contractor further declares under penalty of perjury that they adhere to the
Sweatfree Code of Conduct as set forth on the California Department of Industrial
Relations website located at www.dir.ca.gov, and Public Contract Code Section 6108.
b. The contractor agrees to cooperate fully in providing reasonable access to the
contractor's records, documents, agents or employees, or premises if reasonably required
by authorized officials of the contracting agency, the Department of Industrial Relations,
or the Department of Justice to determine the contractor's compliance with the
requirements under paragraph (a).
7. DOMESTIC PARTNERS: For contracts over $100,000 executed or amended after
January 1, 2007, the contractor certifies that contractor is in compliance with Public
Contract Code section 1 0295.3.
DOING BUSINESS WITH THE STATE OF CALIFORNIA
The following laws apply to persons or entities doing business with the State of
California.
1. CONFLICT OF INTEREST: Contractor needs to be aware of the following provisions
regarding current or former state employees. If Contractor has any questions on the
status of any person rendering services or involved with the Agreement, the awarding
agency must be contacted immediately for clarification.
Current State Employees (Pub. Contract Code § 1041 0):
1). No officer or employee shall engage in any employment, activity or enterprise from
which the officer or employee receives compensation or has a financial interest and
which is sponsored or funded by any state agency, unless the employment, activity or
enterprise is required as a condition of regular state employment.
2). No officer or employee shall contract on his or her own behalf as an independent
contractor with any state agency to provide goods or services.
Former State Employees (Pub. Contract Code §10411):
1). For the two-year period from the date he or she left state employment, no former state
officer or employee may enter into a contract in which he or she engaged in any of the
negotiations, transactions, planning, arrangements or any part of the decision-making
process relevant to the contract while employed in any capacity by any state agency.
2). For the twelve-month period from the date he or she left state employment, no former
state officer or employee may enter into a contract with any state agency if he or she was
employed by that state agency in a policy-making position in the same general subject
area as the proposed contract within the 12-month period prior to his or her leaving state
service.
If Contractor violates any provisions of above paragraphs, such action by Contractor shall
render this Agreement void. (Pub. Contract Code § 1 0420)
Members of boards and commissions are exempt from this section if they do not receive
payment other than payment of each meeting of the board or commission, payment for
preparatory time and payment for per diem. (Pub. Contract Code §10430 (e))
2. LABOR CODE/WORKERS' COMPENSATION: Contractor needs to be aware ofthe
provisions which require every employer to be insured against liability for Worker's
Compensation or to undertake self-insurance in accordance with the provisions, and
Contractor affirms to comply with such provisions before commencing the performance
of the work of this Agreement. (Labor Code Section 3700)
3. AMERICANS WITH DISABILITIES ACT: Contractor assures the State that it
complies with the Americans with Disabilities Act (ADA) of 1990, which prohibits
discrimination on the basis of disability, as well as all applicable regulations and
guidelines issued pursuant to the ADA. (42 U.S.C. 12101 et seq.)
4. CONTRACTOR NAME CHANGE: An amendment is required to change the
Contractor's name as listed on this Agreement. Upon receipt of legal documentation of
the name change the State will process the amendment. Payment of invoices presented
with a new name cannot be paid prior to approval of said amendment.
5. CORPORATE QUALIFICATIONS TO DO BUSINESS IN CALIFORNIA:
a. When agreements are to be performed in the state by corporations, the contracting
agencies will be verifying that the contractor is currently qualified to do business in
California in order to ensure that all obligations due to the state are fulfilled.
b. "Doing business" is defined in R&TC Section 23101 as actively engaging in any
transaction for the purpose of financial or pecuniary gain or profit. Although there are
some statutory exceptions to taxation, rarely will a corporate contractor performing
within the state not be subject to the franchise tax.
c. Both domestic and foreign corporations (those incorporated outside of California) must
be in good standing in order to be qualified to do business in California. Agencies will
determine whether a corporation is in good standing by calling the Office of the Secretary
of State.
6. RESOLUTION: A county, city, district, or other local public body must provide the
State with a copy of a resolution, order, motion, or ordinance of the local governing body
which by law has authority to enter into an agreement, authorizing execution of the
agreement.
7. AIR OR WATER POLLUTION VIOLATION: Under the State laws, the Contractor
shall not be: (1) in violation of any order or resolution not subject to review promulgated
by the State Air Resources Board or an air pollution control district; (2) subject to cease
and desist order not subject to review issued pursuant to Section 13301 of the Water
Code for violation of waste discharge requirements or discharge prohibitions; or (3)
finally determined to be in violation of provisions of federal law relating to air or water
pollution.
8. PAYEE DATA RECORD FORM STD. 204: This form must be completed by all
contractors that are not another state agency or other governmental entity.
State of California-Health and Human Services Agency Cal~ornia Department of Public Health
Contracts and Purchasing Services Section
Darfur Contracting Act
Pursuant to Public Contract Code (PCC) sections 104 75-10481, the Darfur Contracting Act's intent is to
preclude State agencies from contracting with scrutinized companies that do business in the African nation of
Sudan. A scrutinized company is a company doing specified types of business in Sudan as defined in PCC
section 10476. Scrutinized companies are ineligible to, and cannot, contract with a State agency for goods or
services (PCC section 10477(a)) unless obtaining permission from the Department of General Services
according to the criteria set forth in PCC section 10477(b).
Therefore, to be eligible to contract with the California Department of Public Health, please initial one of the
following three paragraphs and complete the certification below:
1.
2.
3.
DAP
Initials
Initials
Initials
CERTIFICATION
We do not currently have, or we have not had within the previous
three years, business activities or other operations outside of the United States.
OR
We are a scrutinized company as defined in Public Contract Code
section 10476, but we have received written permission from the Department of General
Services (DGS) to submit a bid or proposal pursuant to Public Contract Code section
1 0477(b) or submit a contracUpurchase order. A copy of the written permission from
DGS is included with our bid, proposal or contracUpurchase order.
OR
We currently have, or we have had within the previous three years,
business activities or other operations outside of the United States,
but we certify below that we are not a scrutinized company
as defined in Public Contract Code section 10476.
I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly authorized to legally bind this
company to the clause listed above. This certification is made under the laws of the State of California.
Company Name (Printed)
County of Fresno
By(Aut~)Q.
Poochi ian, Chairman, Board of Su ervisors
Federai/D Number
94-6000-512
ATIEST:
BERNICE E. SEIDEL, Clerk
Boa~upervisors•
By ( \ ~-< e "'t!t ~uty
Executed in the County and State of
Fresno, CA
CDPH 9067 (4/09)
AGREEMENT BETWEEN THE COUNTY OF FRESNO AND THE STATE OF CALIFORNIA
No.: California Dept. of Public Health
California Reportable Disease
Information Exchange (CalREDIE)
APPROVED AS TO LEGAL FORM:
DANIEL C. CEDERBORG,
COUNTY COUNSEL
By
APPROVED AS TO ACCOUNTING FORM:
VICKI CROW, C.P.A., AUDITOR-CONTROLLER!
TREASURER-TAX COLLECTOR
By~{~
REVIEWED AND RECOMMENDED FOR APPROVAL:
By m~~/211
David Pomaville
Director
Department of Public Health
Fund/Subclass:
Organization#:
Revenue:
ks
0001/10000
5620
Term: July 1, 2015-June 30, 2018