The URL can be used to link to this page

Home My WebLink AboutAgreement A-14-646-1 with CDPH for CLPPP.pdfFresnoCounty14-10020A01Page2of5STD213A(continued)II.ExhibitA,ScopeofWorkamendstoaddparagraph1,SectionB,andreadsthefollowing:B.CaseLeadPoisoningDefinition1)Asofthedateofimplementationofthiscontract,thefollowingdefinitionofacaseofleadpoisoningwillsupersedethedefinitionsprovidedelsewhereinthiscontractandinanyappendedreferencematerialsinExhibitsEandF.2)Acaseofleadpoisoningwillbedefinedasanychildwhoisfoundwith•asinglebloodleadlevel(BLL)14.5mcq/dL(venous)or•persistentBLLs9.5mcq/dL,takenatleast30daysapartandwiththesecondtestbeingvenous.3)Forcasemakingbloodleadlevelandresponsetime,thefollowingnowapplies:BloodLeadLevelmcg/dLResponseTimeAfterReceiptofNotificationShouldBe:>69.5Within24hours44.5to69.4Within48hours19.5to44.4Within1week14.5to19.4Within2weeks9.5to14.4,Within4weekspersistent**bloodleadvaluesmustbeatleast30daysapart FresnoCounty14-10020A01Page3of54)Bloodleadlevelcriteriaforcaseclosure:Casemanagementisconcludedandacaseisclosedwhen:therehavebeentwoormorevenousblood-leadlevelsdemonstratingthattheblood-leadlevelisclearlytrendingdownward:BLLhasconsistentlyremainedlessthan9.5mcq/dLforatleastoneyear(360calendardays)withoneBLL4.5mcq/dL:andtherehasbeenachievementoftheotherobjectivesofthecasemanagementplan.5)Forallchildrenwithinitialbloodleadlevelsof4.5to14.4mcq/dLnotmakingcasedefinition,basicactivitieswillbecarriedoutwithintwomonthsofnotification,toreduceleadexposure.Thesewouldincludeasaminimummonitoringandoutreachandeducation,andmayincludeothergradedresponsesuptoandincludingpublichealthnursingandenvironmentalinvestigationsasforcases,asresourcesallow.AllChildrenwithinitialBLLsof9.5to14.4mcg/dLfoundonfollow-uptohavepersistentBLLsof>9.5to14.4mcg/dLwouldbecomecasesandreceiveallcasemanagementservices.III.Provision4(AmountsPayable)ofExhibitB-BudgetDetailandPaymentProvisions,isamendedtoreadasfollows:4.AmountsPayableA.Theamountspayableunderthisagreementshallnotexceed:1)$1,038,494forthebudgetperiodof7/01/14through6/30/152)$1,033,380forthebudgetperiodof7/01/15through6/30/163)S1.033.380$1.394.936forthebudgetperiodof7/01/16through6/30/17IV.ExhibitB,AttachmentIII,Budget(Year3)isherebyreplacedinitsentiretywithExhibitB,A01,AttachmentIII,Budget(Year3).AllreferencestoExhibitB,AttachmentIII,inanyexhibitincorporatedintothisagreement,shallhereinafterbedeemedtoreadExhibitB,A01,AttachmentIIIBudget(Year3). FresnoCounty14-10020A01Page4of5V.ExhibitB,AttachmentIII,PersonnelSupplementaltotheBudget(Year3),isamendedtoreadasfollowing:AsofthedateofimplementationofthiscontractanyadditionalpersonnelhiredbytheContractororanyincreaseintimeofexistingpersonnel,aretobeconsideredasaresultoftheincreasedfundstotheContractor,toperformtheexpandedScopeofWorkactivities.AnyadditionalpersonnelhiredbytheContractor,willbeincorporatedintothebudget,andwillbereferencedinthecontractasExhibitB,AttachmentIII,PersonnelSupplementalToTheBudget(Year3).VI.ExhibitE,AdditionalProvisions,ParagraphI,AdditionalIncorporatedDocuments,amendstoreadthefollowing:Asofthedateofimplementationofthiscontract,thefollowingdefinitionofacaseofleadpoisoningwillsupersedethedefinitionsprovidedelsewhereinthiscontractandinanyappendedreferencematerialsinExhibitsEandF.Acaseofleadpoisoningwillbedefinedasanychildwhoisfoundwith•asinglebloodleadlevel(BLL)14.5mcq/dL(venous)or•persistentBLLs9.5mcq/dL,takenatleast30daysapartandwiththesecondtestbeingvenous.Forcasemakingbloodleadlevelandresponsetime,thefollowingnowapplies:BloodLeadLevelmcq/dLResponseTimeAfterReceiptofNotificationShouldBe:>69.5Within24hours44.5to69.4Within48hours19.5to44.4Within1week14.5to19.4Within2weeks9.5to14.4.persistent*Within4weeks*bloodleadvaluesmustboatleast30daysapartBloodleadlevelcriteriaforcaseclosure:Casemanagementisconcludedandacaseisclosedwhen:therehavebeentwoormorevenousblood-leadlevelsdemonstratingthattheblood-leadlevelisclearlytrendingdownward;BLLhasconsistentlyremainedlessthan9.5mcg/dLforatleastoneyear(360calendardays)withoneBLL4.5mcq/dL;andtherehasbeenachievementoftheotherobjectivesofthecasemanagementplan. FresnoCounty14-10020A01Page5of5VII.Forallchildrenwithinitialbloodleadlevelsof4.5to14.4mcq/dLnotmakingcasedefinition,basicactivitieswillbecarriedoutwithintwomonthsofnotification,toreduceleadexposure.Thesewouldincludeasaminimummonitoringandoutreachandeducation,andmayincludeothergradedresponsesuptoandincludingpublichealthnursingandenvironmentalinvestigationsasforcases,asresourcesallow.AllChildrenwithinitialBLLsof9.5to14.4mcq/dLfoundonfollow-uptohavepersistentBLLsof>9.5to14.4mcq/dLwouldbecomecasesandreceiveallcasemanagementservices.ExhibitF,GlossaryofCLPPBRelatedAcronymsandTerms,amendstoreadthefollowing:Acaseofleadpoisoningwillbedefinedasanychildwhoisfoundwith:•Asinglebloodleadlevel(BLL)S14.5mcg/dL(venous)or•PersistentBLLsS9.5mcg/dL.takenatleast30daysapart,andwiththesecondtestbeingvenousExhibitH,InformationPrivacyandSecurityReguirements,isherebyaugmentedtothisagreement.VII. CountyofFresnoDepartmentofPublicHealth14-10020A01ExhibitB,AttachmentIIIBudgetYear3(07/01/2016through06/30/2017)PersonnelPositionTitleitofStaffAnnualSalaryFTE%AnnualCostTotalsHealthEducator(HE)CLPPPCoordinator1$63,40740094-75%$63r403-$47.555PublicHealthNurseII(PHNII)1$81,43240094-50%$84^33$40,716PublicHealthNurse1(PHN1)1$61,544100%$61,544SupervisingPublicHealthNurse(SPHN)1$99,4483094-40%$-39834-$39,779HealthEducationAssistant(HEA)1$44,200100%$44,200HC1|thAideli(HA14)4.$20372100%$20878HealthEducationSDecialisti$38,88990%$35,000SupervisingOfficeAssistantH(SQA-H-)4$46410ino/TCXJT0C1nioiOfficeAssistantIII-A(OAIII-A)1$38,272100%$38,272OfficeAssistantIII-B(OAlll-B)1$38,2723094-10%$7884$3,827OfficeAssistantIII-B(OAlll-C)1$38,27210%$3,827OfficeAssistantIII-B(OAlll-D)1$38,27210%$3,827Supv.Reg.Env.HealthSpecialist(SREHS)1$86,840409425%8884$21,711Reg.Env.HealthSpecialistIII(REHSIII)3$66,066$19,819100%$66,06650%$33,03350%$33,033Epidemiologist1$56,95040%$22,780SeniorEpidemiologist1$68,43315%$10,265ProgramTechnician1$35,24450%$17,622CountvHealthEducationSpecialist1$38,889100%$38,889$385,008$561,946DivisionManager(DM)1$100,2912%$2,006ManagementAnalystIII(MAIII)1$85,4975%$4,275Sr.CommunityRevitalizationSpec.(SCRS)1$68,91620%$13,783CommunityRevitalizationSpec.-A(CRS-A)1$61,45225%$15,363CommunityRevitalizationSpec.-B(CRS-B)1$61,4525%$3,073City/Tier32SeniorAdminClerk(SAC)1$37,08030%$11,124$49,624TotalSalary:$434763-2$611.570FringeBenefits(Countv)(75r04%74.55%)1:288,010$418,931FringeBenefits(City/Tier3)(31.94%%)2:$15,850TotalFringeBenefits:TotalPersonnel:$304-760$434.781$739T392$1.046.351lof2 CountyofFresnoDepartmentofPublicHealth14-10020A01OperatingExpenses:GeneralExpenses:telephone($2,100),DataProcessing($14,500),Household$38,459$44,760Expenses($4,560),CopierMaintenance($1,500),Postage($5,300),OfficeExpense($5,200),Facilities($3,600),Util.($4,000),EducationalMaterials($4,000)Printing:Educationalmaterialsandbrochuresfordistributiontohealthcareproviders,thepublicathealthfairs,andatcommunitypresentations,Costsincludecolorcopiesandlamination,whennecessary.TravelandPerDiem:AtCalHRmileagereimbursementratesformeetings,casemgmtservices,investigations,andoutreachandengagement;Countyfleetservicecharge($3,500).c.f.Goals1-1,2-1,3-1,5-1,5-11and5-111Tier3ofSOW.Training:ProposedcostsforStafftraining,andassociatedcostsforlodging,mealstoattendtraining.RefertoGoal1-1ofSOW.MediaExpense:radioandtelevisionpublicserviceannouncementsandcommercials,advertisingonbillboards,buswrapsandnewspapers.RefertoGoal2-1ofSOW.TotalOperatingExpenses:)$103,673$115,437|OtherCosts:Tier3Fundingz:Officesupplies($1969),printing($1,000),training($3,500),$80,016Tier3RemediationService($45,000),Env.Sampling($17,000),Ed.Materials($5,000),IndirectCostat10%($6,547)XRFLoanProgram:XRFQualityAssurance/QualityControl(QA/QC)for$2,000$1,000,Maintenance($1,000)EducationalMaterials$4,000$5,600$7,840$8,842$10,022$40,750$43.973TotalOtherCosts:|$86,0161IndirectCosts(15%)AnnualBudgetTotal:$408/299$147.132$1,033/380$1.394,936'TotalFringeBenefitCostsof$286,061isfromRetirementcontributions($206,493),HealthInsurancecost($47,040),Unemploymentcontributions($2,170),Supplementaldisabilityinsurance($29,113),andBenefitsAdministrationcosts($1,245).TotalCountysalariesIs$380,569.Formulais$286,061/$380,569=75.17%FringeBenefitPercentageRates.'Tier3-TheCityofFresnomustperformTier3servicestocarryoutenvironmentalinvestigationandtodevelopcollaborationandpartnershipswithinvestigationandenforcementagenciesasoutlinedinGoals/Objectives5-11and5-111.CDPHshallreimbursethecontractorforservicesperformedandinvoicedduringinvoicedperiod.2of2 FresnoCounty14-10020A01Page1of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)ThisInformationPrivacyandSecurityRequirementsExhibit(ForNon-HIPAA/HITECHActContracts)(hereinafterreferredtoas“thisExhibit")setsforththeinformationprivacyandsecurityrequirementsContractorisobligatedtofollowwithrespecttoallpersonalandconfidentialinformation(asdefinedherein)disclosedtoContractor,orcollected,created,stored,transmittedorusedbyContractorfororonbehalfoftheCaliforniaDepartmentofPublicHealth(hereinafter“CDPH"),pursuanttoContractor'sagreementwithCDPH.(Suchpersonalandconfidentialinformationisreferredtohereincollectivelyas“CDPHPCI".)CDPHandContractordesiretoprotecttheprivacyandprovideforthesecurityofCDPHPCIpursuanttothisPrivacyExhibitandincompliancewithstateandfederallawsapplicabletotheCDPHPCI.I.OrderofPrecedence:WithrespecttoinformationprivacyandsecurityrequirementsforallCDPHPCI,thetermsandconditionsofthisExhibitshalltakeprecedenceoveranyconflictingtermsorconditionssetforthinanyotherpartoftheagreementbetweenContractorandCDPH,includingExhibitA(ScopeofWork),allotherexhibitsandanyotherattachments,andshallprevailoveranysuchconflictingtermsorconditions.II.Effectonlowertiertransactions:ThetermsofthisExhibitshallapplytoallcontracts,subcontracts,andsubawards,andtheinformationprivacyandsecurityrequirementsContractorisobligatedtofollowwithrespecttoCDPHPCIdisclosedtoContractor,orcollected,created,stored,transmittedorusedbyContractorfororonbehalfofCDPH,pursuanttoContractor'sagreementwithCDPH.WhenapplicabletheContractorshallincorporatetherelevantprovisionsofthisExhibitintoeachsubcontractorsubawardtoitsagents,subcontractors,orindependentconsultants.III.Definitions:ForpurposesoftheagreementbetweenContractorandCDPH,includingthisExhibit,thefollowingdefinitionsshallapply:A.Breach:"Breach”means:1.theunauthorizedacquisition,access,use,ordisclosureofCDPHPCIinamannerwhichcompromisesthesecurity,confidentialityorintegrityoftheinformation;or2.thesameasthedefinitionof"breachofthesecurityofthesystem"setforthinCaliforniaCivilCodesection1798.29(f).B.ConfidentialInformation:“Confidentialinformation"meansinformationthat:1.doesnotmeetthedefinitionof"publicrecords"setforthinCaliforniaGovernmentCodesection6252(e),orisexemptfromdisclosureunderanyoftheprovisionsofSection6250,etseq.ofheCaliforniaGovernmentCodeoranyotherapplicablestateorfederallaws;or2.iscontainedindocuments,files,folders,booksorrecordsthatareclearlylabeled,markedordesignatedwiththeword"confidential"byCDPH;or3.is“personalinformation"asdefinedinthisExhibit.C.Disclosure:"Disclosure”meanstherelease,transfer,provisionof,accessto,ordivulginginanyothermannerofinformation.D.PersonalInformation:"Personalinformation"meansinformation,inanymedium(paper,electronic,oral)that:1.byitselfdirectlyidentifiesoruniquelydescribesanindividual;orCDPHIPSR(8/14) 2.3.4.5.6.7.FresnoCounty14-10020A01Page2of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)createsasubstantialriskthatitcouldbeusedincombinationwithotherinformationtoindirectlyidentifyoruniquelydescribeanindividual,orlinkanindividualtotheotherinformation;ormeetsthedefinitionof“personalinformation"setforthinCaliforniaCivilCodesection1798.3(a)orisoneofthedataelementssetforthinCaliforniaCivilCodesection1798.29(g)(1)or(g)(2);ormeetsthedefinitionof“medicalinformation"setforthineitherCaliforniaCivilCodesection1798.29(h)(2)orCaliforniaCivilCodesection56.05(g);ormeetsthedefinitionof"healthinsuranceinformation"setforthinCaliforniaCivilCodesection1798.29(h)(3);orIsprotectedfromdisclosureunderapplicablestateorfederallaw.E.SecurityIncident:“SecurityIncident"means:1.anattemptedbreach;or2.theattemptedorsuccessfulmodificationordestructionofCDPHPCI,inviolationofanystateorfederallaworinamannernotpermittedundertheagreementbetweenContractorandCDPH,includingthisExhibit;or3.theattemptedorsuccessfulmodificationordestructionof,orinterferencewith,Contractor’ssystemoperationsinaninformationtechnologysystem,thatnegativelyimpactstheconfidentiality,availabilityorintegrityofCDPHPCI.F.Use:“Use"meansthesharing,employment,application,utilization,examination,oranalysisofinformation.IV.DisclosureRestrictions:TheContractoranditsemployees,agents,orsubcontractorsshallprotectfromunauthorizeddisclosureanyCDPHPCI.TheContractorshallnotdisclose,exceptasotherwisespecificallypermittedbytheagreementbetweenContractorandCDPH(includingthisExhibit),anyCDPHPCItoanyoneotherthanCDPHwithoutpriorwrittenauthorizationfromtheCDPHProgramContractManager,exceptifdisclosureisrequiredbyStateorFederallaw.V.UseRestrictions:TheContractoranditsemployees,agents,orsubcontractorsshallnotuseanyCDPHPCIforanypurposeotherthancarryingouttheContractor'sobligationsunderitsagreementwithCDPH.VI.Safeguards:TheContractorshallimplementadministrative,physical,andtechnicalsafeguardsthatreasonablyandappropriatelyprotecttheprivacy,confidentiality,security,integrity,andavailabilityofCDPHPCI,includingelectronicorcomputerizedCDPHPCI.AteachlocationwhereCDPHPCIislocated,theContractorshalldevelopandmaintainawritteninformationprivacyandsecurityprogramthatincludesadministrative,technicalandphysicalsafeguardsappropriatetothesizeandcomplexityoftheContractor'soperationsandthenatureandscopeofitsactivitiesinperformingitsagreementwithCDPH,includingthisExhibit,andwhichincorporatestherequirementsofSectionVII,Security,below.ContractorshallprovideCDPHwithContractor'scurrentandupdatedpolicies.VII.Security:TheContractorshalltakeanyandallstepsreasonablynecessarytoensurethecontinuoussecurityofallcomputerizeddatasystemscontainingCDPHPCI.Thesestepsshallinclude,ataminimum,complyingwithallofthedatasystemsecurityprecautionslistedintheContractorDataSecurityStandardssetforthinAttachment1tothisExhibit.CDPHIPSR(8/14) FresnoCounty14-10020A01Page3of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)VIII.SecurityOfficer:AteachlocationwhereCDPHPCIislocated,theContractorshalldesignateaSecurityOfficertooverseeitscompliancewiththisExhibitandforcommunicatingwithCDPHonmattersconcerningthisExhibit.IX.Training;TheContractorshallprovidetrainingonitsobligationsunderthisExhibit,atitsownexpense,toallofitsemployeeswhoassistintheperformanceofContractor'sobligationsunderContractor'sagreementwithCDPH,includingthisExhibit,orotherwiseuseordiscloseCDPHPCI.A.TheContractorshallrequireeachemployeewhoreceivestrainingtocertify,eitherinhardcopyorelectronicform,thedateonwhichthetrainingwascompleted.B.TheContractorshallretaineachemployee'scertificationsforCDPHinspectionforaperiodofthreeyearsfollowingcontracttermination.X.EmployeeDiscipline:Contractorshallimposedisciplinethatitdeemsappropriate(initssolediscretion)onsuchemployeesandotherContractorworkforcemembersunderContractor'sdirectcontrolwhointentionallyviolateanyprovisionsofthisExhibit.XI.BreachandSecurityIncidentResponsibilities:A.NotificationtoCDPHofBreachorSecurityIncident:TheContractorshallnotifyCDPHimmediatelybytelephonecallplusemailorfaxuponthediscoveryofabreach(asdefinedinthisExhibit),orwithintwenty-four(24)hoursbyemailorfaxofthediscoveryofanysecurityincident(asdefinedinthisExhibit),unlessalawenforcementagencydeterminesthatthenotificationwillimpedeacriminalinvestigation,inwhichcasethenotificationrequiredbythissectionshallbemadetoCDPHimmediatelyafterthelawenforcementagencydeterminesthatsuchnotificationwillnotcompromisetheinvestigation.NotificationshallbeprovidedtotheCDPHProgramContractManager,theCDPHPrivacyOfficerandtheCDPHChiefInformationSecurityOfficer,usingthecontactinformationlistedinSectionXl(c),below.IfthebreachorsecurityincidentisdiscoveredafterbusinesshoursoronaweekendorholidayandinvolvesCDPHPCIinelectronicorcomputerizedform,notificationtoCDPHshallbeprovidedbycallingtheCDPHIITServiceDeskatthetelephonenumberslistedinSectionXl(c),below.ForpurposesofthisSection,breachesandsecurityincidentsshallbetreatedasdiscoveredbyContractorasofthefirstdayonwhichsuchbreachorsecurityincidentisknowntotheContractor.Contractorshalltake:1.promptcorrectiveactiontomitigateanyrisksordamagesinvolvedwiththebreachorsecurityincidentandtoprotecttheoperatingenvironment;and2.anyactionpertainingtoabreachrequiredbyapplicablefederalandstatelaws,including,specifically,CaliforniaCivilCodesection1798.29.B.InvestigationofBreach:TheContractorshallimmediatelyinvestigatesuchbreachorsecurityincident.Assoonastheinformationisknownandsubjecttothelegitimateneedsoflawenforcement,ContractorshallinformtheCDPHProgramContractManager,theCDPHPrivacyOfficer,andtheCDPHChiefInformationSecurityOfficerof:1.whatdataelementswereinvolvedandtheextentofthedatainvolvedinthebreach,including,specifically,thenumberofindividualswhosepersonalinformationwasbreached;andCDPHIPSR(8/14) FresnoCounty14-10020A01Page4of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)2.adescriptionoftheunauthorizedpersonsknownorreasonablybelievedtohaveimproperlyusedtheCDPHPCIand/oradescriptionoftheunauthorizedpersonsknownorreasonablybelievedtohaveimproperlyaccessedoracquiredtheCDPHPCI,ortowhomitisknownorreasonablybelievehavehadtheCDPHPCIimproperlydisclosedtothem;and3.adescriptionofwheretheCDPHPCIisbelievedtohavebeenimproperlyusedordisclosed;and4.adescriptionoftheprobablecausesofthebreachorsecurityincident;and5.whetherCivilCodesections1798.29oranyotherfederalorstatelawsrequiringindividualnotificationsofbreacheshavebeentriggered.C.WrittenReport:TheContractorshallprovideawrittenreportoftheinvestigationtotheCDPHProgramContractManager,theCDPHPrivacyOfficer,andtheCDPHChiefInformationSecurityOfficerassoonaspracticableafterthediscoveryofthebreachorsecurityincident.Thereportshallinclude,butnotbelimitedto,theinformationspecifiedabove,aswellasafull,detailedcorrectiveactionplan,includinginformationonmeasuresthatweretakentohaltand/orcontainthebreachorsecurityincident,andmeasurestobetakentopreventtherecurrenceofsuchbreachorsecurityincident.D.NotificationtoIndividuals:Ifnotificationtoindividualswhoseinformationwasbreachedisrequiredunderstateorfederallaw,andregardlessofwhetherContractorisconsideredonlyacustodianand/ornon-owneroftheCDPHPCI,Contractorshall,atitssoleexpense,andatthesoleelectionofCDPH,either:1.makenotificationtotheindividualsaffectedbythebreach(includingsubstitutenotification),pursuanttothecontentandtimelinessprovisionsofsuchapplicablestateorfederalbreachnoticelaws.ContractorshallinformtheCDPHPrivacyOfficerofthetime,mannerandcontentofanysuchnotifications,priortothetransmissionofsuchnotificationstotheindividuals;or2.cooperatewithandassistCDPHinitsnotification(includingsubstitutenotification)totheindividualsaffectedbythebreach.E.SubmissionofSampleNotificationtoAttorneyGeneral:Ifnotificationtomorethan500individualsisrequiredpursuanttoCaliforniaCivilCodesection1798.29,andregardlessofwhetherContractorisconsideredonlyacustodianand/ornon-owneroftheCDPHPCI,Contractorshall,atitssoleexpense,andatthesoleelectionofCDPH,either:1.electronicallysubmitasinglesamplecopyofthesecuritybreachnotification,excludinganypersonallyidentifiableinformation,totheAttorneyGeneralpursuanttotheformat,contentandtimelinessprovisionsofSection1798.29(e).ContractorshallinformtheCDPHPrivacyOfficerofthetime,mannerandcontentofanysuchsubmissions,priortothetransmissionofsuchsubmissionstotheAttorneyGeneral;or2.cooperatewithandassistCDPHinitssubmissionofasamplecopyofthenotificationtotheAttorneyGeneral.F.CDPHContactInformation:TodirectcommunicationstotheabovereferencedCDPHstaff,theContractorshallinitiatecontactasindicatedherein.CDPHreservestherighttomakechangestothecontactinformationbelowbywrittennoticetotheContractor.SaidchangesshallnotrequireanamendmenttothisExhibitortheagreementtowhichitisincorporated.CDPHProgramCDPHPrivacyOfficerCDPHChiefInformationCDPHIPSR(8/14) FresnoCounty14-10020A01Page5of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)ContractManagerSecurityOfficer(andCDPHITServiceDesk)SeetheScopeofWorkexhibitforProgramContractManagerPrivacyOfficerPrivacyOffice,c/oOfficeofLegalServicesCaliforniaDepartmentofPublicHealthP.O.Box997377,MS0506Sacramento,CA95899-7377Email:DrivacvSJcdoh.ca.qovTelephone:(877)421-9634ChiefInformationSecurityOfficerInformationSecurityOfficeCaliforniaDepartmentofPublicHealthP.O.Box997413,MS6302Sacramento,CA95899-7413Email:cdDhiso@cdDh.ca.oovTelephone:ITServiceDesk(916)440-7000or(800)579-0874XII.DocumentationofDisclosuresforRequestsforAccounting:ContractorshalldocumentandmakeavailabletoCDPHor(atthedirectionofCDPH)toanIndividualsuchdisclosuresofCDPHPCI,andinformationrelatedtosuchdisclosures,necessarytorespondtoaproperrequestbythesubjectIndividualforanaccountingofdisclosuresofpersonalinformationasrequiredbyapplicablestateorfederallaw.XIII.RequestsforCDPHPCIbyThirdParties;TheContractoranditsemployees,agents,orsubcontractorsshallpromptlytransmittotheCDPHProgramContractManagerallrequestsfordisclosureofanyCDPHPCIemanatingfromthirdpartiestotheagreementbetweenContractorandCDPH(andnotemanatingfromanIndividualforanaccountingofdisclosuresofpersonalinformationpursuanttoapplicablestateorfederallaw),unlessprohibitedfromdoingsobyapplicablestateorfederallaw.XIV.Audits.InspectionandEnforcement:Fromtimetotime,CDPHmayinspectthefacilities,systems,booksandrecordsofContractortomonitorcompliancewiththisExhibit.ContractorshallpromptlyremedyanyviolationofanyprovisionofthisExhibitandshallcertifythesametotheCDPHProgramContractManagerinwriting.XV.ReturnorDestructionofCDPHPCIonExpirationorTermination:OnexpirationorterminationoftheagreementbetweenContractorandCDPHforanyreason,ContractorshallreturnordestroytheCDPHPCI.Ifreturnordestructionisnotfeasible,ContractorshallexplaintoCDPHwhy,Inwriting,totheCDPHProgramContractManager,theCDPHPrivacyOfficerandtheCDPHChiefInformationSecurityOfficer,usingthecontactinformationlistedinSectionXl(c),above.A.RetentionRequiredbvLaw:Ifrequiredbystateorfederallaw,Contractormayretain,afterexpirationortermination,CDPHPCIforthetimespecifiedasnecessarytocomplywiththelaw.B.ObligationsContinueUntilReturnorDestruction;Contractor'sobligationsunderthisExhibitshallcontinueuntilContractorreturnsordestroystheCDPHPCIorreturnstheCDPHPCItoCDPH;providedhowever,thatonexpirationorterminationoftheagreementbetweenContractorandCDPH,ContractorshallnotfurtheruseordisclosetheCDPHPCIexceptasRequiredbystateorfederallaw.C.NotificationofElectiontoDestroyCDPHPCI:IfContractorelectstodestroytheCDPHPCI,Contractorshallcertifyinwriting,totheCDPHProgramContractManager,theCDPHPrivacyOfficerandtheCDPHChiefInformationSecurityOfficer,usingthecontactinformationlistedinSectionXl(c),above,thattheCDPHPCIhasbeendestroyed.CDPHIPSR(8/14) FresnoCounty14-10020A01Page6of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)XVI.Amendment:ThepartiesacknowledgethatFederalandStatelawsrelatingtoinformationsecurityandprivacyarerapidlyevolvingandthatamendmentofthisExhibitmayberequiredtoprovideforprocedurestoensurecompliancewithsuchlaws.ThepartiesspecificallyagreetotakesuchactionasisnecessarytoimplementnewstandardsandrequirementsimposedbyregulationsandotherapplicablelawsrelatingtothesecurityorprivacyofCDPHPCI.ThepartiesagreetopromptlyenterintonegotiationsconcerninganamendmenttothisExhibitconsistentwithnewstandardsandrequirementsimposedbyapplicablelawsandregulations.XVII.AssistanceinLitigationorAdministrativeProceedings:Contractorshallmakeitselfandanysubcontractors,employeesoragentsassistingContractorintheperformanceofitsobligationsundertheagreementbetweenContractorandCDPH,availabletoCDPHatnocosttoCDPHtotestifyaswitnesses,intheeventoflitigationoradministrativeproceedingsbeingcommencedagainstCDPH,itsdirector,officersoremployeesbaseduponclaimedviolationoflawsrelatingtosecurityandprivacy,whichinvolvesinactionsoractionsbytheContractor,exceptwhereContractororitssubcontractor,employeeoragentisanamedadverseparty.XVIII.NoThird-PartvBeneficiaries:NothingexpressorimpliedinthetermsandconditionsofthisExhibitisintendedtoconfer,norshallanythinghereinconfer,uponanypersonotherthanCDPHorContractorandtheirrespectivesuccessorsorassignees,anyrights,remedies,obligationsorliabilitieswhatsoever.XIX.Interpretation:ThetermsandconditionsinthisExhibitshallbeinterpretedasbroadlyasnecessarytoimplementandcomplywithregulationsandapplicableStatelaws.ThepartiesagreethatanyambiguityinthetermsandconditionsofthisExhibitshallberesolvedinfavorofameaningthatcompliesandisconsistentwithFederalandStatelawsandregulations.XX.Survival:IfContractordoesnotreturnordestroytheCDPHPCIupontheexpirationorterminationoftheAgreement,therespectiverightsandobligationsofContractorunderSectionsVI,VIIandXIofthisExhibitshallsurvivetheterminationorexpirationoftheagreementbetweenContractorandCDPH.CDPHIPSR(8/14) FresnoCounty14-10020A01Page7of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)Attachment1ContractorDataSecurityStandards1.GeneralSecurityControlsA.ConfidentialityStatement.AllpersonsthatwillbeworkingwithCDPHPCImustsignaconfidentialitystatement.Thestatementmustincludeataminimum,GeneralUse,SecurityandPrivacysafeguards,UnacceptableUse,andEnforcementPolicies.ThestatementmustbesignedbytheworkforcememberpriortoaccesstoCDPHPCI.Thestatementmustberenewedannually.TheContractorshallretaineachperson'swrittenconfidentialitystatementforCDPHinspectionforaperiodofthree(3)yearsfollowingcontracttermination.B.Backgroundcheck.BeforeamemberoftheContractor'sworkforcemayaccessCDPHPCI,Contractormustconductathoroughbackgroundcheckofthatworkerandevaluatetheresultstoassurethatthereisnoindicationthattheworkermaypresentariskfortheftofconfidentialdata.TheContractorshallretaineachworkforcemember'sbackgroundcheckdocumentationforaperiodofthree(3)yearsfollowingcontracttermination.C.Workstation/Laptopencryption.Allworkstationsandlaptopsthatprocessand/orstoreCDPHPCImustbeencryptedusingaFIPS140-2certifiedalgorithm,suchasAdvancedEncryptionStandard(AES),witha128bitkeyorhigher.TheencryptionsolutionmustbefulldiskunlessapprovedbytheCDPHInformationSecurityOffice.D.ServerSecurity.ServerscontainingunencryptedCDPHPCImusthavesufficientadministrative,physical,andtechnicalcontrolsinplacetoprotectthatdata,baseduponariskassessment/systemsecurityreview.E.MinimumNecessary.OnlytheminimumnecessaryamountofCDPHPCIrequiredtoperformnecessarybusinessfunctionsmaybecopied,downloaded,orexported.F.Removablemediadevices.AllelectronicfilesthatcontainCDPHPCIdatamustbeencryptedwhenstoredonanyremovablemediaorportabledevice(i.e.USBthumbdrives,floppies,CD/DVD,Blackberry,backuptapesetc.).MustbeencryptedusingaFIPS140-2certifiedalgorithm,suchasAdvancedEncryptionStandard(AES),witha128bitkeyorhigherG.Antivirussoftware.Allworkstations,laptopsandothersystemsthatprocessand/orstoreCDPHPCImustinstallandactivelyusecomprehensiveanti-virussoftwaresolutionwithautomaticupdatesscheduledatleastdaily.H.PatchManagement.Allworkstations,laptopsandothersystemsthatprocessand/orstoreCDPHPCImusthavesecuritypatchesapplied,withsystemrebootifnecessary.Theremustbeadocumentedpatchmanagementprocesswhichdeterminesinstallationtimeframebasedonriskassessmentandvendorrecommendations.Atamaximum,allapplicablepatchesmustbeinstalledwithin30daysofvendorrelease.I.UserIDsandPasswordControls.AllusersmustbeissuedauniqueusernameforaccessingCDPHPCI.Usernamemustbepromptlydisabled,deleted,orthepasswordchangeduponthetransferorterminationofanemployeewithknowledgeofthepassword.Passwordsarenottobeshared.Mustbeatleasteightcharacters.Mustbeanon-dictionaryword.Mustnotbestoredinreadableformatonthecomputer.Mustbechangedevery60days.MustbechangedifrevealedCDPHIPSR(8/14) FresnoCounty14-10020A01Page8of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)orcompromised.Mustbecomposedofcharactersfromatleastthreeofthefollowingfourgroupsfromthestandardkeyboard:•Uppercaseletters(A-Z)•Lowercaseletters(a-z)•Arabicnumerals(0-9)•Non-alphanumericcharacters(punctuationsymbols)J.DataSanitization.AllCDPHPCImustbesanitizedusingNISTSpecialPublication800-88standardmethodsfordatasanitizationwhentheCDPHPSCIisnolongerneeded.2.SystemSecurityControlsA.SystemTimeout.Thesystemmustprovideanautomatictimeout,requiringre-authenticationoftheusersessionafternomorethan20minutesofinactivity.B.WarningBanners.AllsystemscontainingCDPHPCImustdisplayawarningbannerstatingthatdataisconfidential,systemsarelogged,andsystemuseisforbusinesspurposesonly.Usermustbedirectedtologoffthesystemiftheydonotagreewiththeserequirements.C.SystemLogging.ThesystemmustmaintainanautomatedaudittrailwhichcanidentifytheuserorsystemprocesswhichinitiatesarequestforCDPHPCI,orwhichaltersCDPHPCI.Theaudittrailmustbedateandtimestamped,mustlogbothsuccessfulandfailedaccesses,mustbereadonly,andmustberestrictedtoauthorizedusers.IfCDPHPCIisstoredinadatabase,databaseloggingfunctionalitymustbeenabled.Audittraildatamustbearchivedforatleast3yearsafteroccurrence.D.AccessControls.Thesystemmustuserolebasedaccesscontrolsforalluserauthentications,enforcingtheprincipleofleastprivilege.E.Transmissionencryption.AlldatatransmissionsofCDPHPCIoutsidethesecureinternalnetworkmustbeencryptedusingaFIPS140-2certifiedalgorithm,suchasAdvancedEncryptionStandard(AES),witha128bitkeyorhigher.Encryptioncanbeendtoendatthenetworklevel,orthedatafilescontainingCDPHPCIcanbeencrypted.ThisrequirementpertainstoanytypeofCDPHPCIinmotionsuchaswebsiteaccess,filetransfer,andE-Mail.F.IntrusionDetection.Allsystemsinvolvedinaccessing,holding,transporting,andprotectingCDPHPCIthatareaccessibleviatheInternetmustbeprotectedbyacomprehensiveintrusiondetectionandpreventionsolution.3.AuditControlsA.SystemSecurityReview.Allsystemsprocessingand/orstoringCDPHPCImusthaveatleastanannualsystemriskassessment/securityreviewwhichprovidesassurancethatadministrative,physical,andtechnicalcontrolsarefunctioningeffectivelyandprovidingadequatelevelsofprotection.Reviewsshallincludevulnerabilityscanningtools.B.LogReviews.Allsystemsprocessingand/orstoringCDPHPCImusthavearoutineprocedureinplacetoreviewsystemlogsforunauthorizedaccess.CDPHIPSR(8/14) FresnoCounty14-10020A01Page9of9ExhibitHInformationPrivacyandSecurityRequirements(ForNon-HIPAA/HITECHActContracts)C.ChangeControl.Allsystemsprocessingand/orstoringCDPHPCImusthaveadocumentedchangecontrolprocedurethatensuresseparationofdutiesandprotectstheconfidentiality,integrityandavailabilityofdata.4.BusinessContinuity/DisasterRecoveryControlsA.DisasterRecovery.ContractormustestablishadocumentedplantoenablecontinuationofcriticalbusinessprocessesandprotectionofthesecurityofelectronicCDPHPCIintheeventofanemergency.Emergencymeansanycircumstanceorsituationthatcausesnormalcomputeroperationstobecomeunavailableforuseinperformingtheworkrequiredunderthisagreementformorethan24hours.B.DataBackupPlan.ContractormusthaveestablisheddocumentedprocedurestobackupCDPHPCItomaintainretrievableexactcopiesofCDPHPCI.Theplanmustincludearegularscheduleformakingbackups,storingbackupsoffsite,aninventoryofbackupmedia,andtheamountoftimetorestoreCDPHPCIshoulditbelost.Ataminimum,theschedulemustbeaweeklyfullbackupandmonthlyoffsitestorageofCDPHdata.5.PaperDocumentControlsA.SupervisionofData.CDPHPCIinpaperformshallnotbeleftunattendedatanytime,unlessitislockedinafilecabinet,fileroom,deskoroffice.Unattendedmeansthatinformationisnotbeingobservedbyanemployeeauthorizedtoaccesstheinformation.CDPHPCIinpaperformshallnotbeleftunattendedatanytimeinvehiclesorplanesandshallnotbecheckedinbaggageoncommercialairplanes.B.EscortingVisitors.VisitorstoareaswhereCDPHPCIiscontainedshallbeescortedandCDPHPHIshallbekeptoutofsightwhilevisitorsareinthearea.C.ConfidentialDestruction.CDPHPCImustbedisposedofthroughconfidentialmeans,usingNISTSpecialPublication800-88standardmethodsfordatasanitizationwhentheCDPHPSCIisnolongerneeded.D.RemovalofData.CDPHPCImustnotberemovedfromthepremisesoftheContractorexceptwithexpresswrittenpermissionofCDPH.E.Faxing.FaxescontainingCDPHPCIshallnotbeleftunattendedandfaxmachinesshallbeinsecureareas.Faxesshallcontainaconfidentialitystatementnotifyingpersonsreceivingfaxesinerrortodestroythem.Faxnumbersshallbeverifiedwiththeintendedrecipientbeforesending.F.Mailing.CDPHPCIshallonlybemailedusingsecuremethods.LargevolumemailingsofCDPHPHIshallbebyasecure,bondedcourierwithsignaturerequiredonreceipt.DisksandothertransportablemediasentthroughthemailmustbeencryptedwithaCDPHapprovedsolution,suchasasolutionusingavendorproductspecifiedontheCSSI.CDPHIPSR(8/14) AGREEMENTBETWEENTHECOUNTYOFFRESNOANDTHESTATEOFCALIFORNIANo.:CADepartmentofPublicHealthTerm:July1.2014-June30,2017ChildhoodLeadPoisoningPreventionProgramAgreementAmendment[(#14-10020,A01)APPROVEDASTOLEGALFORM:DANIELC.CEDERBORG,COUNTYCOUNSELAPPROVEDASTOACCOUNTINGFORM:VICKICROW,C.P.A.,AUDITOR-CONTROLLER/TREASURER-TAXCOLLECTORfBy•IREVIEWE^ANDRECOMMENDEDFORAPPROVAL:DavidPomaville^DirectorDepartmentofPublicHealthFund/Subclass:Organizationif:Revenue:0001/10000562016123530ks