The URL can be used to link to this page

Home My WebLink AboutSTATE DPH Office of AIDS-AIDS Drug Assistance Program ADAP_A-23-431pdf.pdf ti COUP County of Fresno Hall of Records,Room 301 2281 Tulare Street r51 �} Fresno,California o Board of Supervisors 93721-2198 O� 185 0 Telephone:(559)600-3529 FRIE" Minute Order Toll Free: 1-800-742-1011 www.co.fresno,ca.us August 22, 2023 Present: 5- Supervisor Steve Brandau,Vice Chairman Nathan Magsig,Supervisor Buddy Mendes, Supervisor Brian Pacheco, and Chairman Sal Quintero Agenda No. 45. Public Health File ID: 23-0780 Re: Approve and authorize the Chairman to execute a retroactive revenue agreement with the California Department of Public Health for the AIDS Drug Assistance Program, effective July 1, 2023,through June 30, 2027($5,000);and approve and authorize the Director of the Department of Public Health to execute the State Contractor's Release APPROVED AS RECOMMENDED Ayes: 5- Brandau, Magsig, Mendes, Pacheco,and Quintero Agreement No.23-431 ounty of Fresno Page 46 coU�� t; Board Agenda Item 45 O i856 O DATE: August 22, 2023 TO: Board of Supervisors SUBMITTED BY: David Luchini, RN, PHN, Director, Department of Public Health SUBJECT: Retroactive Revenue Agreement with the California Department of Public Health for AIDS Drug Assistance Program RECOMMENDED ACTION(S): 1. Approve and authorize the Chairman to execute a retroactive revenue agreement with the California Department of Public Health for the AIDS Drug Assistance Program, effective July 1, 2023,through June 30, 2027 ($5,000); and 2. Approve and authorize the Director of the Department of Public Health to execute the State Contractor's Release. There is no additional Net County Cost associated with the recommended actions.Approval of the recommended actions will allow the Department of Public Health (Department)to continue their designation as an AIDS Drug Assistance Program (ADAP)enrollment site. The California Department of Public Health (CDPH)will reimburse the Department based on the number of ADAP and pre-exposure prophylaxis (PrEP)enrollment services provided. This item is Countywide. ALTERNATIVE ACTION(S): Should your Board not approve the recommended actions, the Department would no longer be designated as an ADAP/PrEP enrollment site and would not be able to provide enrollment services to clients, which will mean the County of Fresno will no longer have an open enrollment site that serves all residents. RETROACTIVE AGREEMENT: The recommended agreement is retroactive to July 1, 2023. The recommended agreement was received from CDPH on May 17, 2023. The time required to prepare the recommended agreement did not allow presentation to your Board at an earlier date. FISCAL IMPACT: There is no increase in Net County Cost associated with the recommended actions. The recommended agreement includes payment provisions calculated based on ADAP client enrollment, with a floor amount of $5,000 with additional payments provided at rates ranging from $50 to$275, depending on the type of service provided. There are no pending invoices related to the recommended agreement. Sufficient appropriations and estimated revenues are included in the Department's Org 5620 FY 2023-24 Recommended Budget and will be requested for the duration of the term. DISCUSSION: Since 1987, the federal government has authorized funding for the ADAP program. The Department has County of Fresno Page 1 File Number:23-0780 File Number:23-0780 been designated by CDPH as an ADAP enrollment site to ensure County residents living with HIV and AIDS have access to life-saving medication. ADAP provides enrolled clients with free FDA-approved medications related to HIV/AIDS through contracted pharmacies. The program also provides premium payment assistance for eligible individuals with private health insurance or Medicare Part D prescription plans. In order to be eligible for the program, clients must not be fully covered by Medi-Cal or any other third-party payers, and their income must not exceed 500% of the Federal Poverty Level. In 2022, the Department provided ADAP and PrEP enrollment services to 52 clients. Upon your Board's approval of the recommended agreement, the Department would continue to screen and enroll new clients into the program, to recertify client data biennially, and to re-enroll clients annually. The Department will ensure ADAP enrollment workers are trained and certified annually as required by CDPH. The recommended Agreement deviates from the County's standard indemnification language in that it requires the County to provide one-way indemnification to the State in the performance of the Agreement. This language is typically present in State grants. The Department has determined that its acceptance of the indemnification language is advantageous to the County, as the State-grant is a funding source for Fresno County's ADAP and PrEP-AP enrollment activities, without which the continued provision of these services would be negatively impacted. REFERENCE MATERIAL: BAI#44, August 4, 2020 BAI#57, September 25, 2018 BAI #57, September 12, 2017 ATTACHMENTS INCLUDED AND/OR ON FILE: On file with Clerk-Agreement with CDPH for ADAP CAO ANALYST: Ron Alexander County of Fresno Page 2 File Number.23-0780 SCO ID: 4265-2310132 Agreement No.23-431 STATE OF CALIFORNIA-DEPARTMENT OF GENERAL SERVICES STANDARD AGREEMENT AGREEMENT NUMBER PURCHASING AUTHORITY NUMBER(if Applicable) STD 213(Rev.0412020) 23-10132 1.This Agreement is entered into between the Contracting Agency and the Contractor named below: CONTRACTING AGENCY NAME California Department of Public Health CONTRACTOR NAME County of Fresno 2.The term of this Agreement is: START DATE July 01, 2023 THROUGH END DATE June 30,2027 3.The maximum amount of this Agreement is: $0 Zero Dollar Not applicable-Contract based solely on usage. 4.The parties agree to comply with the terms and conditions of the following exhibits,which are by this reference made a part of the Agreement. Exhibits Title Pages Exhibit A Scope of Work 18 Exhibit A-I Attachment I, Definition of Terms 10 Exhibit B Budget Detail and Payment Provisions 3 + Exhibit C* General Terms and Conditions GTC 04/ 2017 Exhibit D Special Terms and Conditions 19 Exhibit E Additional Provisions 3 Exhibit F HIPAA Business Associate Addendum 13 Exhibit G ADAP Notice of Privacy Practices 5 + Exhibit H PrEP-AP Notice of Privacy Practices 5 Exhibit I Non Discrimination Clause(OCP-1)STD 017a 1 + Exhibit J Restrictions and Requirements for the Use and Disclosure of HIV/AIDS Public Health Data 4 Exhibit K CDPH Information Systems Security Requirements for Projects(ISO/SR1) 21 Exhibit L Contractor's Release Form CDPH 2352 1 + Exhibit M Attachment I-Security Requirements, Protections,and Confidentiality Checklist 2 + Exhibit N Attachment II-ADAP&PrEP-AP Document Transfer Plan 5 Exhibit 0 Attachment III-Agreement by Employee/Contractor to Comply with Confidentiality Requirements 2 Items shown with an asterisk('),are hereby incorporated by reference and made part of this agreement as if attached hereto. These documents can be viewed at httDs://www.dgs.ca.gov/OLS/Resources Pang 1 of 9 SCO ID: 4265-2310132 STATE OF CALIFORNIA-DEPARTMENT OF GENERAL SERVICES STANDARDAGREEMENT AGREEMENT NUMBER PURCHASING AUTHORITY NUMBER(If Applicable) STD 213(Rev.04/2020) 23-10132 IN WITNESS WHEREOF,THIS AGREEMENT HAS BEEN EXECUTED BY THE PARTIES HERETO. CONTRACTOR CONTRACTOR NAME(if other than an individual,state whether a corporation,partnership,etc.) County of Fresno CONTRACTOR BUSINESS ADDRESS CITY —7 STATE ZIP PO Box 11867 Fresno CA 93775 PRINTED NAME OF PERSON SIGNING TITLE Sal Quintero Chairman of the Board of Supervisors CONTRACTOR AUTHORIZED SIGNATURE DATE SIGNED -/z z/z3 STATE OF CALIFORNIA CO ACTING AGENCY NAME California Department of Public Health CONTRACTING AGENCY ADDRESS CITY STATE ZIP 1616 Capitol Ave,Ste 74.262,MS 1802,PO Box 997377 Sacramento CA 95899 PRINTED NAME OF PERSON SIGNING TITLE Javier Sandoval Chief,Contracts Management Unit CONTRACTING AGENCY AUTHORIZED SIGNATURE DATE SIGNED g:'� 10-10-23 CALIFORNIA DEPART NT OF GENERAL SERVICES APPROVAL EXEMPTION(if Applicable) Exempt per OA Budget Act of 2023 ATTEST: BERNICE E.SEIDEL Clerk of the Board of Supervisors County of Fresno,State of California By VYI/ l/A fi0. U'Liyie� Deputy Pacie 2 of 2 County of Fresno 23-10132 Page 1 of 18 Exhibit A Scope of Work 1) Service Overview The California Department of Public Health (CDPH) works to protect the public's health in the Golden State and helps shapes positive health outcomes for individuals, families and communities and to advance the health and well-being of California's diverse people and the communities. The Contractor agrees to provide to the California Department of Public Health (CDPH) the services described herein: AIDS Drug Assistance Program (ADAP) and Pre-Exposure Prophylaxis Assistance Program (PrEP-AP) enrollment services, which includes ADAP's Medication Assistance Program and Health Insurance Assistance Programs, and the PrEP-AP. California Health and Safety Code section (HSC §) §131019 designates the CDPH Office of AIDS (OA) as the lead agency within the state responsible for coordinating state programs, services and activities related to Human Immunodeficiency Virus (HIV) and acquired immunodeficiency syndrome (AIDS). HSC § 120972 establishes the PrEP- AP within OA. The ADAP Branch administers both ADAP for people living with HIV and AIDS in California, and PrEP-AP for HIV-negative individuals for the prevention of HIV. 2) Service Location The services shall be performed at the following location(s): • Fresno County Department of Public Health, 1221 Fulton Street, Fresno, CA 93721 3) Service Hours The services shall be provided during normal Contractor working hours, Monday through Friday, excluding official state holidays. 4) Project Representatives A. The project representatives during the term of this agreement will be: California Department of Public Health County of Fresno Sharisse Kemp, MSW Sal Quintero ADAP Branch Chief Chairman of the Board of Telephone: (916) 296-4888 Supervisors for the County of Fresno E-mail: sharisse.kemp@cdph.ca.gov Telephone: (559) 600-6480 E-mail: hamartinez@fresnocountyca.gov County of Fresno 23-10132 Page 2 of 18 Exhibit A Scope of Work B. Direct all inquiries to: California Department of Public Health County of Fresno ADAP and PrEP-AP SITE BUSINESS CONTACT Eligibility Specialist Jena Adams, Supervising P.O. Box 997426, MS 7704 Communicable Disease Specialist Sacramento, CA 95899-7426 1221 Fulton Street Telephone: (916) 445-5943 Fresno, CA 93721 E-mail: PrEP.Support@cdph.ca.gov Telephone: (559) 600-3042 CONTRACTS E-mail: jadams@fresnocountyca.gov E-mail: ADAPContracts@cdph.ca.gov INVOICING E-mail: ADAPlnvoices@cdph.ca.gov ADAP Call Center Data Processing Center (CCDPC) Hours: Monday— Friday 8 a.m. to 5 p.m. Telephone: (844) 421-7050 Fax: (844) 421-8008 C. All payments from CDPH to the Contractor; shall be sent to the following address: Remittance Address County of Fresno Attention "Cashier": Irene Parada, Business Manager Address: PO Box 11867, Fresno, CA 93775 Telephone: (559) 600-64-15 E-mail: DPHBOAP@fresnocountyca.gov D. Either- party may make changes to the information in Section 4, Project Representatives, by giving written notice to the other party within 30 calendar days of the change. Said changes shall not require an amendment to this agreement but must be maintained as supporting documentation. Note: Remittance address changes will require the contractor to submit a completed CDPH 9083 Governmental Entity Taxpayer ID Form or STD 204 Payee Data Record Form and the STD 205 Payee Data Supplement which can be requested from and submitted to the CDPH Project Representative for processing. County of Fresno 23-10132 Page 3of '18 Exhibit A Scope of Work 5) Services to be Performed Refer to Exhibit Al "Definitions of Terms" to review definitions of acronyms and other contract related terms and references. The Contractor Shall: O N N C ('M = L- N r 4- O N O O C N >, N (9 O LL ` 4- C O N O U C = O u- CO O R! N - > C N � W t_ C M � O (D O N i N O �� W U Z3 d Q o 3 N d CDC a O (n O7 N C c >, W O C L CU C�v yd UCC Lp .O Us L CoU-p , C Q a) > ou op o ( o O . �q� �� O` oE ni cn ENo C U) � Q pC (n E C U) E C C/) N Co oQun � Cc� o U � oEaEi � w°? 0 +-� Q C Q U C E C C6 < i C L (n L U) (0 It CO ..� .0 L -Y--+ -a O p > a. o �!Q/�� yS2 E .- a, c coJ O X •L 0 O V) 4— O X L'n C O 70 M Q� p a) W .EW 3UU WO .E W ZQ U - -a - — N - B L L +- U O U Cul L L O (a cn u (B E Lu Q� Nn- y E E WQU me CO -a CO -o cn E 0 2 cn o WQ WQ WWO >,n WU C N O OQ (D — O + M E (n C L O 0) � O O � � 0 0 O . a). U CM+. U C U C L L C �_ U t N CO p N (0 � O Q O (n W CL O ~ U H — U _ � !— "_ U C as Cn +' � Cn C).,-. O C N C = (n O X C6 C O Ca Q� '' CL N o N W 4� O ro U C O O U) C� _ Co C U N (D - cn E (D w Q Q C o o -o D co E (n z3 a C E C o ctl w m c U) 0) (D cn C] U Cu i o rY p > o a w W N H U) L o E X = � � a0i t- Q a� �, o U c� o 0) o c ' a. cv v, ate- o o W �' (no- ,� o a x CO E Cc o L E o v, � 0 o U c Q v s ° Qt U E Wj CO W C >, W X C N >, cn >_ += C 'U) N fY (n M O 0 p � C c C C O O Q m °- -0C Q CO(� E O cu v cn �' c C m c Q r0. U Cll O — >, cn (J) U) O 0 -0 O Q cn (� E _ — 0 -a � W C in C o a3 W o cn E q� �, co � '- o O = Q d Co O (D ° z❑ C 'a o C 0 C C6 U) Q U -0 U W U I— co -a m E q o C C 0_ _ c a 111 .,_ 2 O W Z C_ M -- O N ` Un C C cq rn p Un «> N = O O O p C � � d ) L !v 0 rn LL ` C "-' O C O O U N O N N d co C +- N L > U ti °' L � � E � a cam oc �- Q > � Ear d U 0 U)d n o � > a�i a ° � L �, o W c E m U ca Un m > � Q aQ w '> CLa- c�n � _ _0 0- � n CZ � o � E 0 LU � a� C ❑ o ro 0 o � c - Q O o -Flow MDGO 't c c j U rn _ CL a -0 a) p -r p jM O � per. L'DS� 9) aU - U o U) co L (n O U) O cn n cn cu O 0U er Cc ma co MCcl) U° QUW -0 wQ ww w Q WU N ,� C Cp 0 +C O G UPS O O O 4- 0 �. ° O L -c- c O O C N vim- O C p O O O L O �>> O U U O �i (BLS c6 V N :� C � Q� 0 p " W C N g O ~ o O O O O L +- CD C O O � O W ccz 0 2 x cn N W M U >C ❑ N Q Q(L N UB = Q W o c U) O U N 0 C C U > +' N N M O En 4— L C Q L UC O N o U Q O U Q z T -0 C ° '�Z3 U) p S2 X L1 O O QQ O fZ w O Q QQ E j -i O 0 Lu cn, O ° CD };a s= «U)• o rM �_ ° ctS � � Qom �. w W `� � WU a� oa- E rn M a�i Q _ v C) m W ( cu c cQa �? FLU C aXa u� 0 M N � O a— W c, .oU cn N (n cn Nr-;)Q O •.U- N Ull ++ O LL! U V) M � N E N_ 0 U) -a CO_0 z O C -E O � W (Y = E W -C M Q) o W — a C: O O C - Lil o � °r° o(n r y_ moo QmE Qmro Q Qm p piE , p cc p C Co _ C _ -C 2o -c _ - s m c �i C d N d -0 UG -0 ca -C m -0 0 ace U >, c � U >, x 0 ° a� cLv nn♦♦ m m -0 m m -a nn'' m m 70 Uc ca U W m L m x- L m L a) L .mom — � _ 0 c � u� mca0 5' m 'cv0 U) m -ca0 cna) ca E Ew m' E E O M " = w c E m .E a) co m .g m � m .E 0 m m .E m � O y-, (n L L cn -c L S L Ca s 0ZI � 0Cc ors � 0 =5 — � 0 m d ZQ 0 -0 ZQ u .n ZQ 0 -n ZQ 0 0- (D L o co cn w m cn 0 cn U) cLa m m m C c t ca Q 0 v c c m c a.v ca a o � � w m cu� m � w m co� w w � w � Q' U c U) U) -0 U 0 U) 0 co Un 0 U) W 0 W wcn w wQ wc) w0 w wc3 w w0a- w m m m m O O O O Q O � � L � � � L � +� y S 0)— U � - U 0)— U CM} U 7 co :3 v-- M 73 " m :3 v- cu II O I" O O O O + 0 0 0 O +� .0 m m C L m C L m L m C X 0- F LE OU � � OU f-- ~ OU i— � °U W U Un 70 C N O L m •L � � � C Q � •1-- � (n 0 a^ U E Q A U = i= O � U � C O U) m co } N (a coom D a- cn Wo Q O (0 5 > ° rn M n a) m m n °a oW -0 m c O O C L (a L L d C C N "- a) E '°'Q o Lu E -0 0) 0 o E � O (6 Ua � mQ � � — 0 � ° ti c� Q Ec � cc�r, � � cn o � � � C � naa)) c o LCOE cnL co o y a ' E a C ' -0 O (n nO m W C W n � QCO UEQO aO° OoQ) 0M DQ �q -00 Q) -- CIM , Q 0 U) > C• E C C C WO cn C OE ( J7 U WUOp 0 Qm U Q a Q W V) M w U) pi J a mQ) Q) Ol EU OzIIO m C U � mO O - U) RLS Q1 U) p) Q) Q m UO C CLIJ W OU E C _ > CO N \ C C m 0 W m -o W O ._ LLJ L .0 .a U Q) o o o a w > > > O N 00 LO cn O lL ti C 0 C m O O O C(3 L cII L C O N C N cu � Q C) C C Lu N m a) � U 5 4- L O L U I � -� > > C Q O C) > U E W C � Q C +cn - Q m C C N U L O Q O O C > O C UQ R c m m a) o 2i a) U) a) O �> �Q) -0 o " "r w L .. a) o �cl� Q � oE E w -0 � Co = a- o o cn (.,Y>_ O _ Q ^^�'' T- AL` W .F. > W U V Q V U d 0 -0 co O m m o L a) o L ❑ �' o cn ZQ U ai m CU7 � U _ cU) aU - U o - - d p cn cn rn Cn Cn co CA Cn m m m Q) a) o r C V) C C O fC a) to L c.a Q "y 7C =3M :3 � U u) U c� v, mCo Co �m m cu m 0 W WU) 6W W WU U WU a) > C L a) C .� O C L Q) C Q O iOY �� C � �� m U � H: m c6 com , mm - m a) m O O C O Op OC O C O C a) 1x 0 o N CL) o m m _0 U) L C +- (D C) O C U O 7 C a) = m 0 > .� Q a a) a) a � a. o ❑ Lato7)UC U a) 0 LOO Z °mZ) ° a) 0 � a � o o Q) m o U) o aaO "aO) aC QO L an m L ai)o Ea CCo ° a) ca U) ' i w � Q oo a) Q U CT.0 a o mo � E E 4- N j O E u) co a) ° a) l j s= ;a) U _ O C U U U = 3 0 � o � m � � F� o o a' ° a) _0 mN E a ❑ � B U - •� c o c `n (n Qm m a m N x = m U _m O ovi (n �n ° o .0— ' mm u, m T) m O o U O LU a) W a) W s= U O C CO O U to ) � Q o cn o m cn CO �' m m a O m n.W cn m Q a a) C W_ W O ... U)rn W a) LLU) C C a Z — c .a o W WQ O W O N cc C cn — L- C a) O O CD O U L !7 E > LL r cc C -C U > Q O C a) O O O N O C O pM a) E 'E ca U > cn _ L N o � Q c < CZ o � o a c L � � ° CO a) Q � O ,_ o _ 0 � a � CEO r >'= � aim U — �- � � � c� a c � y cox aic � o >,(3) � Na � �, U � w p w c) cv cLo c c6 U) = a ❑ a) 0) c o 0 a) _0 > cn � Q oQU E > ' c c O _ U O cn L) c o � ENa � � jncn = — mom -� E ' � o- o 3 El) a� X s c E M U) ai cu QU - U) CQ � o m °' � U wU m LL u) E c d O O V7 O 0 c M Q) L L L O Rf N ul U) n fl.a U) N wr .c C M7 C 3 M W 0 0 +� W -1-� "N � p � O (0 -0 U) O U) _0 C!) O QU) Q m wQ wU wQ W U U) o >, c m C� L _0 00 _ ; C !O a)Q 1 Cn O W a u) U a) cLC4 4- O p O O Q) > Ucu ca CL E >, m Q O L1J O U U) a O U) .0 = � , C O N — .r C u) u) O N O c6 cQ C Q 4 Q L V) L C w O O Ch .� u) (Q o U U M 0 O C 0x � o > � 3o � v� LL! E c c U cu m Q L U c a o CJ ca 2. O cII (L Q) I-- (n c6 +' O U U) 'C O a ai U) w T >. o Q a) 0 — a) U a� aci o L CO m C "(n � Q U w Q � ° sV) cCm _ . LQ O in 0 O U) O •a i tnM Ca) En U Q3 O a) a) U ca E u) L >, u) TJ a Q) N a) N C 2 Q � E aj O O U E � cv cu U u3 CO o O cn v a) C - �- O O C — E O O O u) UO a 0 a C C L ) 0 � c U v, E °) o E 'er o 0 0 � � co L ac E = U u) ai > 0 -6. m m N ui v > a� m .� Q = a c o u c 0 O E � 0- cn o> � U c � � 'c � � Q0Duc � a) cnUEP L � � m a� o` c � o ,, �- co � = ca � • E U) r° E -o QaN � a L � woo � � a) � o �w ° _ r L a: a C CB >,+ C Q C W C v 0 O C6 �O 0 Q) E Q) +- 6) U �- U coC O (a O — U i d C to O m as o a `i c E > U as L c -a c o "W vi _ � .0 � o `n70 O a) Uo � CLU � 73 C O N O U 'C 0 0 O O CU O U N tUn 0 N C cn ._ v ._ U) E ca ._ S cn U LZ U s E L u, c� �n Un o 0 L ui O N co C C'7 r L o U) C 0 O c) -a CD 'a Q C C: U) ui LL `i d-) a U a) O ` m C W U `- O CO N Q) m = O O a) — = O) >, rp L O l0 a U U OC U OW ) 4- Q _0 oo Q Q E 4_ C cn ] C (n CD U 0 -0 O C — O U cow o EUU ° � n -0Q m zi C � o q a. u a. a_ E z <t wd ' 0 3 QuJ QU U E --c U z 3 m a� O (n a O cn cC m a) m ai i� (D o mr � i c cn a.a. c � � � � m m-- �- m m �- w CO U) 0 U) o (n o U) �-a U) o cn o U) W Q w U W Q W U W Q w U w U w t � r p o m O Q) O a) 0 0 L o F- 0 0 0 0 0 0 — 0 0 i .� Q3 X (D O w o Cl) N C a) W N ca 0 ° L- o W 0 Q) o of C; o cn =+ O O O a) • cu c0 Q O N E ca W 0 -0 2i L O1 Q) cU u U U) c� .° 0 O• 0 (D '� m W C O Q) C O C W C .,._. > >+ O L1 Q) a) cn O m N U) M U) N C U C Q � Y E y- Q � O C C U)Q ) W 4— O (z (n 4- O E: C C + cuO 6 n .(D O COcu + cII O (6 ++ (n +� U O m a O Q) L E 2i U) L a) cn w > � 0 L C L W vm o (n o NQca o > ) O(D > C � () O Q) C)° (n U) C O a) C C . Q) cn (o EcoZ) oco o EQ0 0- 0 > Ocu L E m Ln cn >, a) m W 4o c c( � Q- () co c> a) Q °O 0 M ) p O(n - 41 a (u � c � � �= mot �s (a ° = � cu cn w �- • � L � .� C a�� •� � .� 4_ a� ay � c � � ca. `t � � �. -0 �� x u) cn - cu Co o a O O () n a) 0- © o a o 0-- m w � cn o uJU .� .� U (n � U M U a07-0 M U U o o Q 0 W O N 00 C CO r L � (n r 4. O U L a) O O a O p Q) O N r Q in U O mW a) a) Zi U U a C (II d RT p a Ln O. C �' (NG O cQ O C E O O U C m L U 0 = .� c U � � �Un oom ¢: ? (D = Q O ° o 0) � .cr a) c a m � co O � c b o o O U) a) O c `t W C-1) a) Cl) d a) ` Q U Q) a � U Uo WEo-n U � Q) (n >, o CL N 0- Q Y m co a w o •o �i O � L Q O d O p Q) .Q p F- C Q. Q) W O CU CO ° 4— a3 co Q) O C C (n m +. O p C a) O m 0 0 0 W ay (n c c a U a Q N -�e Q (Ln O s � U p O (D ; U L 0 co c c N a) C as 5 p E c) CDn3o � m L c o o c U) p "Q ,n c o' o ° Q U N N > � U ° (D .L a) OC O T C Q) U O .. c (B `f N •- a N a� p c c ° 0 -0 " +' Cal o c C ° iCQ) O (n 4- N ppn �O • O O LU uvo`( cn 5 : Q) O M ° o= Q O C U) i aj C3 N0 L L C C O Co C O — C �C. O � Q �S) lz E O` Q - aOQQ O '- p - wV) `- CU) Mrnp c aU o A= Q ^�,, �RS rm r�rt� ��'� rOt •�1L, U QCC) +�U-+ W E W (V L 4V U En aV Q] M O Q (� (� r Un l0 3 C U- p m •S� p 0- Q (n W E o Q o o o � Y .� Q � .c � U » .� U � � � T o chi W Q — > o O N co O O O �UO )o o3 3 o °� o o 70 � >, 6 rim 0) a) � � o T E � c° M `� '> c w cn ,O�N i N (n a" cn 0- cn 0 O C d `0 m 0 C Q) O U Q C 0i + C C6 N a t- " C U A.T- U_ O > O O CL m � O C O C O U r � Q a) p U N i P _ ._ ._ v- O cts U W t) D N O m u7 O m cn O O7 U i a- O = Q U -0 VQ) p Q) > L CO > E: co "L' ❑W 'O Q Q 7 ' Qr d Ui O oCu L(6 O aU) J 0Q Q Q no i ooaE < � Q0 � Nc � � U) co Co o vp � > — O O O c ( C , QU) Oi E u) OO -Q O � p � 4- Q W Z � E Q Q W } L (D U) QU n >, p 00 d (1) p 'c M :3O O C .(n t U 3 w 0� U W 0� U LL1 Z Q-p a) U c - H E m .II U) cn U U) U o m o v a) a) mot: Qa cn U fn U In U fn U (n U U V CO m CO W m W Co m U) O U) O U) O U) U) O co U) O Cl) O W U w U Lij U W W U W W U W U Q) Q) O a) O a) O L C 0 0 O O C O O G o o p 0 .0 p O p O O L O O O C W O U) — U �+ cm to Q) C U a) w E Q a) i CL Qa Q � S] W 0w .0C E a) � . � o,:cca) Q S Q Q c U a) — O o cam �' � U ' - > 0 co U can = U p > V cm � -C c cn ❑ cn _o O CC -p U)Q)U Q Lc� � C W O N ❑ C (LS N N E c6 Q >, C w U a) ,� C Q) "D -p C (� L -0 a) Q cO 0 (D U U Q) o — � �aC) � m a Q �C ' wcn a � m c L c � -� Q) O U ao�W aUi O D c 43 Q Y I L- U) C) W O, Q) C C 'C �p L 0 O O U) fY -p v Q) O X O L . -pC Uao U CO W_ CL�L WO -❑no U E c — co ❑ O . o Z)X p CY) M Q Ca- O 0 'o J a) C❑ a) O Cn _a) Q) 'a) U O C .> L � 'a cn cn= c O WCD cu W 0- WW wW_ W 0 N co L. O O ~ a) Oo uaO)� _ p l _ = >. cL- _Q _ ca U) O .Q)O N o U) a) � 0) Ccn E a)O) O Q > C -(D cn o L CT a)— U � — � C C � 070 UEo a c a) 0Q Q c a) a� � � >+U m - N— ¢ — o n� �l o f}°-� 3 cma 0 o W cCa W > � 2 z C W i--r a) U E 1 L U •1--� '` E V Q O W ❑ O � O ❑ cu a) �— -0 O O O -0 4) O a) >, L E oU � s � U a) -0 � W c 0 EQ CT " Q) oW '- o c � O QUZ L a) '� 'C O) C � C 0- Ca "0 C ,N Q Q (� O C O 41 O C =� O)U rn C +-' a) 0) U (n a) cn = Q) n E a. N -C ui Q) I co O O cu a) M a) t Q) x Q ca U Q U U) ca 3 -0 C 0- (n _0 in W d U) V) cn N U cn O � Q) c _c C Q,a- cn U U U U U) U � m � m � m C C C WU WU wU WU O a) O O Q) ( U O d N -0 C O O 10 � C a) C CQ a) U a) O (D a) c a) a) a) �° 0)4- cu m a) 0-•- E a) st !— � t .c O — -0 C U) o O cII O C CD C >. i U -0 0 a) +- L O w O O M C C O 0" O L O U U) 0 > '0 Q) _rZ Q1 U O C 0- 0 U c� — a) O W _ p vim- ^U) - 0 cn I C c L s_ C W 0 5 a) E -0 �° a) o ° a) 0) U Q C CA U a) C E w U W a) Q a) c > >, .- W U O can d -0 0- ., > A cn U 0 O 0 Q � a) C 0- 4) ❑ d >' a) fl N �_ 0) Q a) O — � E a � � C ai OQ a) N Q) (B U �_ + Q 0 C O) O W > � � O � > +• '= C-— Q) o p v) O C _ N Q) O 2 C 0 u) o a) o C = o � � E c� C mc- flcJ N- � oo a) v . O a)Ec Q) U n o v ° — cv a a. _ _ _0 (1) 70W (D C) °' y� MCoo - C E Q N o 4) > cu M M E U >fn a) C Q Q) � a "0 � , n a) ° 0 Fo p -o a 'w ca d 0-� W 0 c U) � �' L) E �.0 i> U-) > a) _0 Q) m C U U r m X � ._ := _ 0 .� O 0 -0 � O O W (LI-) ui W o W U - Q Z U) U . C �? `- -: W Q Q O N 00 i � 3 o C LL O cO = to O O a) N Q.� o 'O Q O C — Ln N N O Q) -- X O E ? a) E � Z a) _C co a >, Q) O W C N (TjN N U ;-- Q M C C c6 a rZ"D C« `- ` O a) X C O C O C U 2 = Q > +oa- c = C r C `a Cy- 0Ocn_ UO = czi-Q c0 -0 � L E >ay> >CU - Q c . a r a) mi mm m 0 � cE am - m B o `o U) cn cn cn (D a) cv a) oc`a u N E 0 � M J c6 c0 CO CO W Q W U W U W Q W U as 0 N C Q) t to d _0 > (a) >, Q 0 O O a V �-0 0 � U > (nU) M CD CM M Q o H Q7 LO o 0 O O X 0- n Q 0- O m -a "= o0 1- = ov n 0 W 0 U w C c CO CL in C > � O W O cucn C > C W U v- C (6 L O N C a? C � O C O OL 4— X N d) p O a) OU - U N E C am) a) c4 Q 3i m Q) Q a) C7 U cz O •C a 0 O � C iN, N O O i cII Q _ m C GS N ❑ O O Q 0 O Q CD C '> C: v cn. � ai � � c — _ a) m 0—0 � � U a) C (B O C U N ❑ +- n m o U E o tL U o c9 0 ' o o w cn' � aD U Ln N n n. J C) d +r C N U N 0 Q W > N ° mn >E Z w nQ WC _ r O N co c Cy') L OC - C Q) p O V O O S2 p a) O � O fl O Q) i J C CO cOv � p cu —cn x n -0 0-m nO a) — X - � a) ° cn o > N i- to >,= r 1 W O O > = p Q) W O = O O a) C U[3 0 m d a a � } � p - m a- Q"a = t' � 0 — > -O � � c a X + -o U) = J -O 0 X �, 'a U) L : O W O - J N .II a) C a W (n CT a) c a W (n a• -Q U � U � U U ca � � coU � ti � � U) C a � � W > c � . cT cca � c � .- cT � � w m 0CL -0 v m .m ti- �~ ., c -� v as c •J c c W — c O W c E N p Q Q O O c U c c p Un Q Q O c U 0 .U) p (CS Z �y 0 -0 -0— 0) E Ln � U � � 0� E � � U cLa E -0 Cn *J a v u) ) ° += o c W -0 C � � o c a) -a C W �� ' G .� U O +, c6 O N 4- n U O .- a) z- a) Q) W W Un Q) ^-' p O -0 Un N O N O � cn E cmd O > a (n N y 6 w > �'> ccn > � U C) a� o a U a U) N cu w w O U ALL c aM c :3 as ix U) •D U) O UJ -0 U) O Cl) UJ O W Q W U W Q W U W Q W U m o W uzcn Q p F' O o C .a a) O O C (n Q3 O O C X CL f- — OU � O pU -0 O F- O > p uj O U) � a) a_ '= O W : W ory o c� c� a) a a) � c °) `u � a 2 O .v Q ui o O -a a .N 0- � � -a cc Qoc +- o m � Ewe CD � v -0o cn CD o m c c E 'U L1 U) a) v 6 U i > C CD O U) .L O 41 'D Q) L a cts a) a U � .U? .Q � fn o 70 m a) n) o (n � i ° " a) :� E .41 a 12 C] F o Z Q O c co ¢ o act a. cc c ti w c w > m c w >,EL E WO = z W +0 o- 1)-- Q O N O N 00 C CO — L C O 0 N O O C E C cn C O Q > LL r LO C O,� E O C p N a) E v— CO r cII N — N ° — O w 0- C .� O U O -o '(Q +� Ln .> CD N >, C C)- E O -O a +�• vi « -0 cn O — C C a m a o � w ° I � o " < _° cam °7 Q ° a� co U) C4- O mw Q cn U `m (nn (T � a�'sCCZ aiCam' EOcL o c W N a� _ O L v L (mil .2 >pl L W C j Q O O Q O p co U O O U L .t c m E Cu .�-0 C _— � � ; � U) � .a c o d U a Q � G a a cn a = C N N >> 0 Q a o Q � M .0 7 U U co � N Q O 40 d N U) (G U O U) (n co = CU cz N m O q) O m i C C 'n C C O C C O _C C cu C m e E m e m e In e m e W -o Un O Cl) 70 U) o CO -o U) o U) 70U) o U) o wQ wU w ¢ wU wQ wU w <t w (3 wU cu Cam. CY pQ -O CL a) OC C O Q cm-C "O C U = L J N U a) N cm—�•E U),- cu C 0) Cu C O-- �Cm C C O = C O O OQ O O t. O C a) o ° O O 0O — oX 0- F— Q � Q Q W O U Un +- -0 C C !n C N C C: -0 — > Q cU O co U vc- 3 a) O += cn a Q O C N O to = C7 C U N (n ❑ *J Q O a O) ° C UW C C C 70 V) O .L O U W aJ O O .� cn a- C) N 0 0 > (n o) "o GdC3 � LU U }..XO N U � C O U C O r- _ ( ;0- L ) O M N -pO p Qw 70 o a) 0 = :3 UCO D 0> QW = (n cn " u O n 0 Q Q Q' � a) � = °LC ' U) Q- N °' � -0 -0 ` o � > m O ' n O :«� - U E � N W W CN m � U O cz 0 R 6Q 0CCDN DO O< 0 C 0 C Q Q 0)( L- . ° >- M c o co Onm Co" Q D- C = 0 C) Vy o-acn cu d a L C = ; a) O O7Q to 0 L O J EcCfS Co Um o � `'a > >,° c o 07 L J 'C 0) Ofo N 0 .c m � � � UM Q � � Q� � 3E (1)g- ITN 4 -0 :p C C N •U C cu O c!i W N C U — .� N o U C y c a) a O '5 co }} _ Q O 0 0 [ten O O Q U O O CD U N •N O W Q LL c -o m U m W - M a= U � > L c c Q .� U 0 O N CO C C'7 = O C)-Q +_- N CD o c c _d E O >, a) LL (0ro a- -p > m � CQ _r _L O N 4) _ - > � Y C 0 a U L� s- (n O U i _ p N co _0 a) m O 0 a � 0 •Y -o -CQM > aa) 0 d E � ° C ° d �;_ w E a) U ya� d[o> E >LU ° s= co � Un- wU a) > � ° =� m Uj co L � C - ado (D o � uiw U 'm v _ co d ocn C a) U 1 O W c = LL OU C) -0Q7 O cn CO Nod0 E Un X i u nc4 a - C6 nO .0 O O ZX 0- o —W U a- U ❑U N >+ O to + ma d CO w m w wa w WU W C ay d co � s- o o as vi � — � co - 0 0 d w a� � I— sZo o ❑ � ow C � o Cc CAL — U) x Q c4 a) d (o a) LL U d W o x 70 ° C 0 d q C:v a) ° O � p O > U U) N Co c6 a) -00O a�? QS Cr () (n C Q U N > E s .� O = C M N ' E C OO C O ❑ C C O -0 -p cm'C u) a O [B U p_ p d U U m C C 0 o L ° U C a) C cn co U - O p a a) U) m O UO O U C O 0- m CII C O u) :� E — .- c v O C U 3 CD U Ca a) O .O N LL C U p E (U V? C �- •C u) _ U .� O O co .� +' C cn C C U U a) cn 0 — U O — Qi M > in C C O a) O C (lS tB L p ° C E aD � Q � m c>o ac a E v o a ° " tea) m E N w E ° o � aci c oo ° c Edo ._ c 0o •Ln u) a) anu' � E E Low m L � o � m � L d mm � `o � � N '� vc°�iZ �rcoEcocncn � � CE NQ 'm om' oQ �'� d� �L °ro o s aa � m � m� m a) LU ar0d a) m m V ° O U "- cn _C N U C d O p p r oc cn Co _ D L c E > N O > v O U ) 2 O U a .— p a' w v .� `� Q -o cn p ay oC > > E °a 0 w m � CDQ U � c`o � 0Q °a � UU � a o -i ui w B O N 00 C CO C O CU L O N U � U) Cn U) Cf) N LL C (� Cl) U) .,-• CO r Rf a cn L .- - >,"c3 V w a cn a '� U W Co] w N N c�C d LLJ Q° m sW �Q c C � � _ Qjm a u O C U U " _a M O N O .-1 0) Cll O U C w ._� O N C w p of m N o U C N N m L m 0- E III Co � -0 (� � � � L a) -0 Q E -0 (� > C c>Q 0 75C D7 N O U U o C += (D N N CU N � (6 ti C a 0 n > O C - � > U O C U - .-a C O .. U o 0 C O O o o o 0V 0M a)C) -0 O � o -oc � coLwaa Q -ac Q m .� cn (n (n U) cn N �+ w U) En N N c O o C cc C v C to C Uf C C C � U Z3 U V 3 U') U Q V Q.Q, S N CO w CO � w Co W coCD Q v m � Cn o Cn Cn o Cq Cn o Cl) Cn o w CO o wU w WU w w0 w wcU a. w w0 L C 4- W O ° O O � 4- tQ x 0- L_ o C L U C O C o C jL w O U ° > > � m c oC 0 L O c j c �aac o Lu m a) � C � ° ooa) E cn2 >,-aEao aa) a U) c a o o a awa0 ° � ' a) v ° — — 0cL (1) = BIa� _ L -r cLoa' �, aci o o a ma_ � � a ca Ll a o m Q E u) 0 -0 'a a) a) E p w o U w � D L L U — L C '� U U) L U U p 7 - (U a >, C - > 1 S U a) C o - Cil Q' U CU O C a) 0 a) L 0- 0 0 !A U ,C p`o � � � B � � wQ � o C� Y0 � Wcn Qw ° C a) m m OQ gU � c "= � a) > Q- -V U � � � •> O ° 0 Q a) .N -°a a) Q E c Z o a) = L ° p � � � � � c o5c — o oQ ° 0 4- 0 moo ` -a ° _a °) _0 `° � -o .0 (D E c6 .0 QCj to N {T a) a) c cII L i .n > uj N Q O t C m O N .L �O C � O N O Cn C6 Q O_ U)) O L U a U C '- L a C O Q C +r _ NL U 'C aD a) c aam) Q1 > ° W c a) a� 3 � 0 � a0 � � � •_• a) •= Cll N -C >, L U o r] O Q 'C—L6 N E U) .0 a > (Q U C C ca N Q) 0_— � N cn cII Q- E w W . 4 C T) o p r C co CU > U cn U >cn a) O D p U c U C U ° p° •� N O O > O C a a- a C O o , W N cn w co v W U U M � W OM Q N 2) ` Q c.) 0 E LL O L 0Cvco C M L. O . O N O O LL r 0 C , C•7 r m O CV O d cu N C d a_ Q 0 0O i d C c� C L 0 a d Z y >% Cr a- N a d `. w d. w W O d a ?>> � o xQ w o U U) C w d O O Q ❑ O L Q L O O _ N .0 O O L- a O av- A , cG C: ❑ 0 a O U o C C _O O O n � a)N O _ yd„ O- U � •C U > d +u]. Cr = Q C O• O a _U O N w O a- Op n O •— cn > ❑ _ U U � � v- O 0-U w cO ca O L C w 23-10132 Page 1 of 10 Exhibit A, Attachment I Definition of Terms Item Definition AIDS Drug Assistance Federally funded program that helps ensure that people living Program (ADAP) with HIV/AIDS who are uninsured and under-insured have access to life-saving medications on the ADAP formulary through medication and health insurance assistance programs. ADAP provides assistance with medication, health insurance prernium payments, and medical out of pocket payments. ADAP and PrEP-AP Benefits available for eligible Clients who enroll in a CDPH/OA Benefits program. These services can include: • Formulary medication assistance • Prescription Claim third party insurance copays, deductibles, and co-insurance • Medi-Cal Prescription Claim share of cost • Outpatient Medical Out of Pocket Cost reimbursements • Private health insurance premium payments • Medicare premium payments • Medigap premium payments • PEP starter packs • PrEP starter packs • HIV Testing • STI Testing • Pregnancy Testing • Renal Function Testing • Hepatitis A, B, and/or C Screenings ADAP and PrEP-AP Data The information collected and used by CDPH/OA, Providers, ADAP Enrollment Sites, and any other entity associated with the delivery of ADAP or PrEP-AP Benefits for the purpose of administering the ADAP program. ADAP Data includes: (1) Client eligibility and enrollment information, (2) Information identifying CDPH/OA authorized enrollment sites and workers, (3) Prescription, dispensing, premiums, billing information, and Outpatient Medical Out of Pocket Costs, and (4) all other data pertaining to this Agreement. Data is a set of values of qualitative or quantitative variables; restated, pieces of data are individual pieces of information. Data is measured, collected and reported, and analyzed, whereupon it can be visualized using graphs or images. 23-10132 Page 2 of 10 Exhibit A, Attachment I Definition of Terms Item Definition ADAP Coordinator Local agency staff designated to act as the primary county contact between the CDPH/OA enrollment sites, CA, and CDPH/OA contractors ADAP Enrollment ADAP's online system used for enrolling clients in ADAP and System (AES) PrEP-AP. Administration Costs Subrecipient administrative activities such as: Usual and recognized overhead activities, including established indirect costs; Management oversight of specific programs funded under the Ryan White HIV/AIDS Program (RWHAP); and other types of program support such as quality assurance, quality control, and related activities (exclusive of RWHAP clinical quality management). Agreement A negotiated and legally binding arrangement between parties as to a course of action. Business Days Monday through Friday, excluding Thanksgiving, Christmas, and New Year's Day. California Department of The lead agency in California providing detection, treatment, Public Health (CDPH) prevention, and surveillance of public health issues. California Department of Is the lead agency in California providing detection, treatment, Public Health Office of prevention, and surveillance of public health relating to HIV/AIDS. AIDS (CDPH/OA) CDC Guidelines The most recent recommendations on preexposure or postexposure prophylaxis published by the federal Centers for Disease Control and Prevention (CDC). CDPH Guidelines Guidelines include all policy, procedures, and management memos made known by CDPH/OA. Current guidelines are located on the OA website at: httr)s://,.,jw�lv.cdnh.ca,gov/Procirarns/CID/DOA/Pactes!OA adau c 0fTlt'lUnigations.a5O)!. 23-10132 Page 3 of 10 Exhibit A, Attachment I Definition of Terms Item Definition Centers for Medicare The United States federal agency that administers Medicare, and Medicaid Services Medicaid, and the State Children's Health Insurance Program, (CMS) among others. Client May mean either of the following: a) Individuals enrolled in ADAP and eligible for ADAP services who meet the following criteria: 1. are HIV infected; 2. are a resident of California; 3. are 18 years of age or older; 4. are enrolled in the medication manufacturer's assistance program (if eligible); 5. have an annual modified adjusted gross income (MAGI) that does not exceed 500% of the federal poverty level (FPL) based on family size and household income; and 6. are not fully covered by or eligible for Medi-Cal or other third-party payers. b) Individuals enrolled in PrEP-AP and eligible for PrEP-AP services who meet the following criteria: 1. are a resident of California; 2. have a negative HIV/AIDS test result (dated within 6 months of the PrEP-AP application); 3. are 12 years of age or older; 4. have an annual MAGI that does not exceed 500% of the FPL based on family size and household income; 5. are not fully covered by or eligible for Medi-Cal or other third-party payers; and 6. are enrolled in the medication manufacturer's assistance program (if eligible). Closed Site Enrollment Site that only serves ADAP/PrEP-AP applicants/clients associated and enrolled with their entity. Community-Based Non-profit 501(c)(3) entities that operate within a single local Organization (CBO) community. Contract Year Twelve-month periods from the anniversary of the End Date. 23-10132 Page 4 of 10 Exhibit A, Attachment I Definition of Terms Item Definition Contractor The entity awarded the Agreement identified on the STD 2.13. Deductible The amount a client owes for covered prescription services before their health insurance plan will pay. Dispense Fee The amount reimbursed to a pharmacy when filling a prescription to cover the charge for professional services and overhead costs. Effective Date The date this Agreement becomes effective as listed on the STD 213 of this Agreement. Eligibility Documents Documents used by CDPH/OA to establish Client eligibility for program benefits. These documents include but are not limited to ADAP/PrEP-AP applications, , initial diagnosis verification, proof of identity, proof of income, proof of State residency. If applicable, proof of Medi-Cal application, proof of Medi-Cal ineligibility, dependent verification. Copies of health care coverage cards, and recent premium and billing statements. Emergency Access A process that ensures that ADAP clients have continuous access to their life-saving treatment. Allows expeditious access to ADAP formulary medications for ADAP clients who do not have access to ADAP medications and are at risk for a treatment interruption. Employer-Based Health A subsidy program that provides premium assistance for an Insurance Premium ADAP client's portion of their employer-based insurance Payment (EB-HIPP) premiums. Individuals enrolled in EB-HIPP are also eligible for the medical out-of-pocket benefit. End Date The date this Agreement terminates as listed on the STD 213 of this Agreement. Enrollment site (ES) OA approved enrollment site managed by a non-profit organization to provide ADAP, insurance assistance program, and PrEP-AP enrollment services for eligible clients. 23-10132 Page 5 of 10 Exhibit A, Attachment I Definition of Terms Item Definition ES Business Contact Contractor's primary administrative contact who is dedicated to overseeing the Agreement. Acts as the primary contact between OA, the ADAP Coordinator within the LHJ, and CDPH/OA service contractors. This staff person may not also be an active EW. Enrollment Worker (EW) Enrollment site staff certified to provide ADAP/PrEP-AP enrollment services via the AES. ePrescribing Abbreviation for electronic prescribing referring to the use of technology such as a computer or wireless device to write and transmit a prescription directly to a pharmacy. May include clinical and cost information. Execution Date The date the Agreement is signed by CDPH/OA. Federal Poverty Level Income level is determined by the federal Department of Health (FPL) and Human Services to represent poverty. FPL varies according to family size and changes yearly. Fiscal Year(FY) July 1 through June 30 Formulary Defined in California Health and Safety code section 120955(a)(2): The director, in consultation with the ADAP Medical Advisory Committee, shall develop, maintain, and update as necessary a list of drugs to be provided under this program. ADAP's formulary is located at CDPH/OA web page: https:/iwww.cdph.ca.gov/Programs/CiD'DO/VPages/OA adap re sourcespage.aspx. PrEP-AP's formulary is located at CDPH/OA webpage: i,ttps://tivww.cdpi-i.ca.govt,ProgramsiCiDiDOA'Pages/OA adap re Sources prepAP.aspx Go Live Date The date Participating Entities begin receiving products and services through the Agreement. Page 6 of 10 Exhibit A, Attachment I Definition of Terms Item Definition Health Insurance The Health Insurance Portability and Accountability Act of 1996, Portability and Public Law 104-191 as amended, and the regulations Accountability Act promulgated thereunder. (HIPAA) Health Resources and The Federal agency that administers Ryan White funding. Services Administration (HRSA) Insurance Benefits Service contractor that manages and processes health insurance Manager (IBM) premium payments for clients enrolled in CDPH/OA's medication and insurance assistance programs. Local Health One of 58 counties and three cities (Pasadena, Long Beach, and Jurisdiction/Department Berkeley) in the state of California. (LHJ) Medical Advisory An advisory body to CDPH/OA and consists of physicians, Committee (MAC) pharmacists, health professionals, and community members who review the Formulary and make recommendations for additions, deletions, or other changes to the Formulary. Medical Benefits Service contractor that manages and processes outpatient Manager (MBM) medical out of pocket payments for clients enrolled in CDPH/OA's medication and insurance assistance programs, including ADAP and PrEP-AP. Medical Out of Pocket' For eligible clients enrolled in any of CDPH/OA's premium Costs (MOOP) benefit assistance programs, covers outpatient medical out-of-pocket costs that count towards the client's health insurance policy's annual out of pocket maximum. May include copayments, deductibles, coinsurance, share of costs, and other specific expenses. Medi-Cal Share of Cost Medi-Cal is the California Medicaid program. Share of Cost is the monthly amount of medical expenses, including prescriptions, a Medi-Cal beneficiary with a share of cost obligation must incur before they are eligible to receive Medi-Cal benefits. 23-10132 Page 7 of 10 Exhibit A, Attachment I Definition of Terms Item Definition Medicare Part D Subsidy program that pays Medicare Part D and Medigap Premium Payment insurance premiums for individuals who are enrolled in ADAP and Program (MDPP) a Medicare Part D prescription drug plan. Individuals that are enrolled in MDPP are also eligible for the MOOP benefit, Medication Assistance The ADAP MAP pays for the prescription costs of medication on Program (MAP) the ADAP Formulary for eligible individuals. Minor Clients Clients between the ages of 12-17. Modified Adjusted Gross As defined in Health and Safety Code section 120960(i)(5), MAGI Income (MAGI) is based on federal Internal Revenue Code which includes Federal Adjusted Gross Income (FAGI) plus the following income if applicable: a) non-taxable Social Security benefits which includes disability payments (SSDI) but does not include Supplemental Security Income (SSI), b) tax-exempt interest, and, c) excluded foreign earned income and housing expenses for Americans living abroad. Multi-Factor An authentication method in which an authorized user is granted Authentication (MFA) individual access to the AES only after successfully presenting two or more pieces of evidence to an authentication mechanism. This additional layer of security and verification is to ensure the protection of client data. National Drug Code The NDC is a unique 11-digit, 3-segment number which identifies (NDC) the labeler, product, and trade package size. The first segment, the labeler code, is assigned by the FDA. A labeler is any firm that manufactures (including repackagers or relabelers) or distributes (under its own name) the drug. The second segment, the product code, identifies a specific strength, dosage form, and formulation for a particular firm. The third segment, the package code, identifies package sizes and types. Both the product and package codes are assigned by the firm. For purposes of this contract the NDC shall be reported in the 11-digit format 5-4-2. 23-10132 Page 8 of 10 Exhibit A, Attachment I Definition of Terms Item Definition Office of AIDS (OA) The lead agency responsibility for coordinating state programs, services, and activities relating to HIV/AIDS as designated by California Health and Safety Code Section 131019. OA Advisor OA staff assigned to a LHJ or ES for monitoring and technical assistance. Office of AIDS-Health Program that pays for private health insurance premiums and Insurance Premium medical out of pocket costs for clients co-enrolled in ADAP's Payment (OA-HIPP) medication assistance program. Open Site An enrollment site that serves all CDPH PrEP-AP/ADAP applicants/clients. Payer of Last Resort The state and federal requirement that RWHAP services are billed after the primary payers have been billed. May also be written as Payor of Last Resort. PEP starter packs An initial supply of PEP medication. Pharmacy Benefit Service contractor administering the ADAP statewide pharmacy Manager (PBM) network and providing pharmaceutical services for ADAP and PrEP-AP. Pharmacy Provider The pharmacies subcontracted with the Contractor to dispense Network drugs on the ADAP and/or PrEP-AP formulary to Clients. Post-Exposure A fixed-dose combination of tenofovir disoproxil fumarate (TDF) Prophylaxis (PEP) and emtricitabine (FTC) with integrase or protease inhibitors, or another drug or drug combination that meets the same clinical eligibility recommendations provided in CDC guidelines. Pre-Exposure A fixed-dose combination of TDF with FTC, or another drug or Prophylaxis (PrEP) drug combination that meets the sarne clinical eligibility recommendations provided in CDC guidelines. 23-10132 Page 9 of 10 Exhibit A, Attachment 1 Definition of Terms Item Definition PrEP-AP provides assistance with PrEP-related medical out-of- pocket costs and access to medications on the PrEP-AP formulary for the prevention of HIV and treatment of sexually transmitted infections. The PrEP-AP provides assistance to both uninsured and insured individuals at risk for, but not infected with HIV. PrEP starter packs An initial supply of PrEP medication. Prescription Claims Claims for outpatient prescription drugs on the Formulary dispensed to Clients. Protected Health Information that identifies, or can be used to identify, an Information (PHI) individual. PHI contains information that relates to the past, present or future health condition of an individual patient in any form, including paper, electronic, and oral communications as defined by the Health Insurance Portability and Accountability Act Provider Persons that provide health or health-related services to Clients; includes EWs, case managers, pharmacists, medical providers, insurance plans or administrators, and physicians. Rapid ART Rapid or immediate initiation of antiretroviral therapy (ART), with the goals of providing Intake, first care appointment, and ART initiation within 5 days of new HIV diagnosis. Recognized Holidays Christmas, Thanksgiving, and New Year's Day. State For the purposes of this Agreement, refers to CDPH/OA. Telemedicine Telemedicine is the use of telecommunication and information technology to provide clinical services from a distance. CDPH/OA contracts to provide telemedicine services to PrEP-AP clients for PrEP- and PEP-related medical services. This allows PrEP-AP clients to access PrEP-related clinical services from the comfort of their own home using a mobile device. 23-10132 Page 10of10 Exhibit A, Attachment I Definition of Terms Item Definition Temporary Access An approved TAP grants an applicant 30 days of temporary Period (TAP) ADAP eligibility in which to obtain and submit required documentation to a certified ADAP enrollment worker so as to substantiate program eligibility. Temporary Coverage A pharmacy where an individual can apply for temporary Enrollment Site (TCES) coverage under PrEP-AP. Third Party Payer Any private, state, or federal program that provides reimbursement to health care providers for prescriptions and medical services rendered to a client, examples include but are not limited to Medi-Cal, Medicare, and private health insurance. 23-10132 Page 1 of 3 Exhibit B Budget Detail and Payment Provisions 1. Invoicing and Payment A. In no event shall the Contractor request reimbursement from the State for obligations entered into or for costs incurred prior to the commencement date or after the expiration of this Agreement. B. For services satisfactorily rendered, and for which the Contractor has submitted all required forms and documentation, CDPH/OA/ADAP agrees to compensate the Contractor for actual services provided in accordance with the amounts specified in Exhibit B. Section 1.E., Amounts Payable. C. Payments shall be processed by CDPH/OA/ADAP no later than the end of the quarter dates noted below. First Quarter: July 1 — September 30 Payment no later than November 30 Second Quarter: October 1 — December 31 Payment no later than February 28 Third Quarter: January 1 — March 31 Payment no later than May 31 Fourth Quarter: April 1 —June 30 Payment no later than August 31 (FINAL) Supplemental: July 1 — June 30 Payment no later than August 31 D. Payments shall: 1) Be calculated based on current ADAP client enrollment data as provided by the ADAP Enrollment System (AES) to determine the number of ADAP services provided at each enrollment site. 2) Identify the payment period and/or performance period covered. 3) Itemize ADAP services for the payment period in the same level of detail as indicated in Section E Amounts Payable. Subject to the terms of this agreement, payment will only be made for those services expressly identified in this agreement as approved by CDPH/OA/ADAP. E. Amounts Payable Enrollment sites will be paid a fee for services performed, calculated on current client enrollment data as provided by AES to determine the number of program services provided at each enrollment site. Services must be complete with all required forms and verifying documentation. The following documents and any subsequent updates are not attached but are incorporated herein and made a part hereof by this reference. CDPH will maintain on 23-10132 Page 2 of 3 Exhibit B Budget Detail and Payment Provisions file, all documents referenced herein and any subsequent updates, as required by program directives. CDPH shall provide the Contractor with copies of said documents and any periodic updates thereto, under separate cover. AIDS Drug Assistance Program Enrollment Site Fee for Service Pay Schedule, located at in the Reference Guides page listed as Enrollment Site Fee Schedule in the attached link below: hitC ://`."i'.;rL'%.rdr;li.ca.lOV/I?!"OR( tnis/Cld/C�Oa/p QeSiOcl adan resource_; 1. Budget Contingency Clause A. It is mutually agreed that if the Budget Act of the current year and/or any subsequent years covered under this Agreement does not appropriate sufficient funds for the program, this Agreement shall be of no further force and effect. In this event, the State shall have no liability to pay any funds whatsoever to Contractor or to furnish any other considerations under this Agreement and Contractor shall not be obligated to perform any provisions of this Agreement. B. If funding for any fiscal year is reduced or deleted by the Budget Act for purposes of this program, the State shall have the option to either cancel this Agreement with no liability occurring to the State or offer an agreement amendment to Contractor to reflect the reduced amount. 2. Prompt Payment Clause Payment will be made in accordance with, and within the time specified in, Government Code Chapter 4.5, commencing with Section 927. 3. Timely Submission of Final Invoice A. Final payment shall be processed no more than sixty (60) calendar days following the expiration or termination date of this agreement, unless a later or alternate deadline is agreed to in writing by the program contract manager. B. CDPH/OA/ADAP shall make payment to the Contractor quarterly in arrears for costs associated with the provision of ADAP enrollment services at the ADAP Enrollment Site in the local health jurisdiction (LHJ), under this contract agreement. Payment to the Contractor will be contingent upon receipt and execution of this contract agreement and the provision of ADAP/PrEP-AP enrollment services (as verified by CDPH/OA/ADAP through the AES data). C. This contract agreement is subject to any additional restrictions, limitations, or conditions enacted by the Congress or the State Legislature, which may affect the provisions, terms, or funding of this contract agreement in any manner. D. The Contractor is hereby advised of its obligation to submit to the state a completed copy of the "Contractor's Release Form (Exhibit L)". 4. Expense Allowability / Fiscal Documentation 23-10132 Exhibit B Page 3 of 3 Budget Detail and Payment Provisions A. Invoice(s) and/or claims accepted for payment by the State shall not be deemed evidence of allowable agreement costs. B. Contractor shall maintain for review and audit by the state for three years and supply to CDPH upon request adequate documentation of all expenses claimed pursuant to this agreement to permit a determination of expense allowability. C. If the allowability of an expense cannot be determined by the State because invoice detail, fiscal records, or backup documentation is nonexistent or inadequate acc(Drding to generally accepted accounting principles or practices, all questionable costs may be dis- allowed, and payment may be withheld by the State. Upon receipt of adequate documentation supporting a disallowed or questionable expense, reimbursement may resume for the amount substantiated and deemed allowable. 5. Recovery of Overpayments A. Contractor agrees that claims based upon the terms of this agreement or an audit finding and/or an audit finding that is appealed and upheld will be recovered by the State by one of the following options: 1. Contractor's remittance to the State of the full amount of the audit exception within 30 days following the State's request for re-payment. 2. A repayment schedule which is agreeable to both the State and the Contractor. B. The State reserves the right to select which option as indicated above in paragraph A will be employed and the Contractor will be notified by the State in writing of the claim procedure to be utilized. C. Interest on the unpaid balance of the audit finding or debt will accrue at a rate equal to the monthly average of the rate received on investments in the Pooled Money Investment Fund commencing on the date that an audit or examination finding is mailed to the Contractor, beginning 30 business days after Contractor's receipt of the State's demand for repayment. D. If the Contractor has filed a valid appeal regarding the report of audit findings, recovery of the overpayments will be deferred until a final administrative decision on the appeal has been reached. If the Contractor loses the final administrative appeal, Contractor shall repay to the State the over-claimed or disallowed expenses, plus accrued interest. Interest accrues from the Contractor's first receipt of State's notice requesting reimbursement of questioned audit costs or disallowed expenses. 6. Travel and Per Diem Reimbursement No travel shall be permitted under this agreement. General Terms and Conditions (GTC 04/2017) EXHIBIT C 1. APPROVAL: This Agreement is of no force or effect until signed by both parties and approved by the Department of General Services, if required. Contractor may not commence performance until such approval has been obtained. 2. AMENDMENT: No amendment or variation of the terms of this Agreement shall be valid unless made in writing, signed by the parties and approved as required. No oral understanding or Agreement not incorporated in the Agreement is binding on any of the parties. 3. ASSIGNMENT: This Agreement is not assignable by the Contractor, either in whole or in part, without the consent of the State in the form of a formal written amendment. 4. AUDIT: Contractor agrees that the awarding department, the Department of General Services, the Bureau of State Audits, or their designated representative shall have the right to review and to copy any records and supporting documentation pertaining to the performance of this Agreement. Contractor agrees to maintain such records for possible audit for a minimum of three (3) years after final payment, unless a longer period of records retention is stipulated. Contractor agrees to allow the auditor(s) access to such records during normal business hours and to allow interviews of any employees who might reasonably have information related to such records. Further, Contractor agrees to include a similar right of the State to audit records and interview staff in any subcontract related to performance of this Agreement. (Gov. Code §8546.7, Pub. Contract Code §10115 et seq., CCR Title 2, Section 1896). 5. INDEMNIFICATION: Contractor agrees to indemnify, defend and save harmless the State,its officers, agents and employees from any and all claims and losses accruing or resulting to any and all contractors, subcontractors, suppliers, laborers, and any other person, firm or corporation furnishing or supplying work services, materials, or supplies in connection with the performance of this Agreement, and from any and all claims and losses accruing or resulting to any person, firm or corporation who may be injured or damaged by Contractor in the performance of this Agreement. 6. DISPUTES: Contractor shall continue with the responsibilities under this Agreement during any dispute. 7. TERMINATION FOR CAUSE: The State may terminate this Agreement and be relieved of any payments should the Contractor fail to perform the requirements of this Agreement at the time and in the manner herein provided. In the event of such termination the State may proceed with the work in any manner deemed proper by the State. All costs to the State shall be deducted from any sum due the Contractor under this Agreement and the balance, if any, shall be paid to the Contractor upon demand. 8. INDEPENDENT CONTRACTOR: Contractor, and the agents and employees of Contractor, in the performance of this Agreement, shall act in an independent capacity and not as officers or employees or agents of the State. 9. RECYCLING CERTIFICATION: The Contractor shall certify in writing under penalty of perjury, the minimum, if not exact, percentage of post-consumer material as defined in the Public Contract Code Section 12200, in products, materials, goods, or supplies offered or sold to the State regardless of whether the product meets the requirements of Public Contract Code Section 12209. With respect to printer or duplication cartridges that comply with the requirements of Section 12156(e), the certification required by this subdivision shall specify that the cartridges so comply (Pub. Contract Code §12205). 10. NON-DISCRIMINATION CLAUSE: During the performance of this Agreement, Contractor and its subcontractors shall not deny the contract's benefits to any person on the basis of race, religious creed, color, national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, or military and veteran status, nor shall they discriminate unlawfully against any employee or applicant for employment because of race, religious creed, color, national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, or military and veteran status. Contractor shall insure that the evaluation and treatment of employees and applicants for employment are free of such discrimination. Contractor and subcontractors shall comply with the provisions of the Fair Employment and Housing Act (Gov. Code §12900 et seq.), the regulations promulgated thereunder (Cal. Code Regs., tit. 2, §11000 et seq.), the provisions of Article 9.5, Chapter 1, Part 1, Division 3, Title 2 of the Government Code (Gov. Code §§11135-11139.5), and the regulations or standards adopted by the awarding state agency to implement such article. Contractor shall permit access by representatives of the Department of Fair Employment and Housing and the awarding state agency upon reasonable notice at any time during the normal business hours, but in no case less than 24 hours' notice, to such of its books, records, accounts, and all other sources of information and its facilities as said Department or Agency shall require to ascertain compliance with this clause. Contractor and its subcontractors shall give written notice of their obligations under this clause to labor organizations with which they have a collective bargaining or other agreement. (See Cal. Code Regs., tit. 2, §11105.) Contractor shall include the nondiscrimination and compliance provisions of this clause in all subcontracts to perform work under the Agreement. 11. CERTIFICATION CLAUSES: The CONTRACTOR CERTIFICATION CLAUSES contained in the document CCC 04/2017 are hereby incorporated by reference and made a part of this Agreement by this reference as if attached hereto. 12. TIMELINESS: Time is of the essence in this Agreement. 13. COMPENSATION: The consideration to be paid Contractor, as provided herein, shall be in compensation for all of Contractor's expenses incurred in the performance hereof, including travel, per diem, and taxes, unless otherwise expressly so provided. 14. GOVERNING LAW: This contract is governed by and shall be interpreted in accordance with the laws of the State of California. 15. ANTITRUST CLAIMS: The Contractor by signing this agreement hereby certifies that if these services or goods are obtained by means of a competitive bid, the Contractor shall comply with the requirements of the Government Codes Sections set out below. a. The Government Code Chapter on Antitrust claims contains the following definitions: 1) "Public purchase" means a purchase by means of competitive bids of goods, services, or materials by the State or any of its political subdivisions or public agencies on whose behalf the Attorney General may bring an action pursuant to subdivision (c) of Section 16750 of the Business and Professions Code. 2) "Public purchasing body" means the State or the subdivision or agency making a public purchase. Government Code Section 4550. b. In submitting a bid to a public purchasing body, the bidder offers and agrees that if the bid is accepted, it will assign to the purchasing body all rights, title, and interest in and to all causes of action it may have under Section 4 of the Clayton Act (15 U.S.C. Sec. 15) or under the Cartwright Act (Chapter 2 (commencing with Section 16700) of Part 2 of Division 7 of the Business and Professions Code), arising from purchases of goods, materials, or services by the bidder for sale to the purchasing body pursuant to the bid. Such assignment shall be made and become effective at the time the purchasing body tenders final payment to the bidder. Government Code Section 4552. C. If an awarding body or public purchasing body receives, either through judgment or settlement, a monetary recovery for a cause of action assigned under this chapter, the assignor shall be entitled to receive reimbursement for actual legal costs incurred and may, upon demand, recover from the public body any portion of the recovery, including treble damages, attributable to overcharges that were paid by the assignor but were not paid by the public body as part of the bid price, less the expenses incurred in obtaining that portion of the recovery. Government Code Section 4553. d. Upon demand in writing by the assignor, the assignee shall, within one year from such demand, reassign the cause of action assigned under this part if the assignor has been or may have been injured by the violation of law for which the cause of action arose and (a) the assignee has not been injured thereby, or (b) the assignee declines to file a court action for the cause of action. See Government Code Section 4554. 16. CHILD SUPPORT COMPLIANCE ACT: For any Agreement in excess of $100,000, the contractor acknowledges in accordance with Public Contract Code 7110, that: a. The contractor recognizes the importance of child and family support obligations and shall fully comply with all applicable state and federal laws relating to child and family support enforcement, including, but not limited to, disclosure of information and compliance with earnings assignment orders, as provided in Chapter 8 (commencing with section 5200) of Part 5 of Division 9 of the Family Code; and b. The contractor, to the best of its knowledge is fully complying with the earnings assignment orders of all employees and is providing the names of all new employees to the New Hire Registry maintained by the California Employment Development Department. 17. UNENFORCEABLE PROVISION: In the event that any provision of this Agreement is unenforceable or held to be unenforceable, then the parties agree that all other provisions of this Agreement have force and effect and shall not be affected thereby. 18. PRIORITY HIRING CONSIDERATIONS: If this Contract includes services in excess of $200,000, the Contractor shall give priority consideration in filling vacancies in positions funded by the Contract to qualified recipients of aid under Welfare and Institutions Code Section 11200 in accordance with Pub. Contract Code §10353. 19. SMALL BUSINESS PARTICIPATION AND DVBE PARTICIPATION REPORTING REQUIREMENTS: a. If for this Contract Contractor made a commitment to achieve small business participation, then Contractor must within 60 days of receiving final payment under this Contract (or within such other time period as may be specified elsewhere in this Contract) report to the awarding department the actual percentage of small business participation that was achieved. (Govt. Code § 14841.) b. If for this Contract Contractor made a commitment to achieve disabled veteran business enterprise (DVBE) participation, then Contractor must within 60 days of receiving final payment under this Contract (or within such other time period as may be specified elsewhere in this Contract) certify in a report to the awarding department: (1) the total amount the prime Contractor received under the Contract; (2) the name and address of the DVBE(s) that participated in the performance of the Contract; (3) the amount each DVBE received from the prime Contractor; (4) that all payments under the Contract have been made to the DVBE; and (5) the actual percentage of DVBE participation that was achieved. A person or entity that knowingly provides false information shall be subject to a civil penalty for each violation. (Mil. & Vets. Code § 999.5(d); Govt. Code § 14841.) 20. LOSS LEADER: If this contract involves the furnishing of equipment, materials, or supplies then the following statement is incorporated: It is unlawful for any person engaged in business within this state to sell or use any article or product as a "loss leader" as defined in Section 17030 of the Business and Professions Code. (PCC 10344(e).) Contractor Certification Clauses CCC 04/2017 CERTIFICATION I,.the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly authorized to legally bind the prospective Contractor to the clause(s) listed below. This certification is made under the laws of the State of California. Contractor/Bidder Firm Name (Printed) Federal ID Number County of Fresno By (Authorized Signature) ATTEST: BERNICE E.SEIDEL Clerk of the Board of Supervisors County of Fresno,State of California -- P to me nd Title of Person Signing By A rta V arc. Deputy Sal Quintero, Chairman of the Board of Supervisors of the County of Fresno Date Executed Executed in the County of ,Iz71Z3 Fresno CONTRACTOR CERTIFICATION CLAUSES 1. STATEMENT OF COMPLIANCE: Contractor has, unless exempted, complied with the nondiscrimination program requirements. (Gov. Code §12990 (a-f) and CCR, Title 2, Section 11102) (Not applicable to public entities.) 2. DRUG-FREE WORKPLACE REQUIREMENTS: Contractor will comply with the requirements of the Drug-Free Workplace Act of 1990 and will provide a drug-free workplace by taking the following actions: a. Publish a statement notifying employees that unlawful manufacture, distribution, dispensation, possession or use of a controlled substance is prohibited and specifying actions to be taken against employees for violations. b. Establish a Drug-Free Awareness Program to inform employees about: 1) the dangers of drug abuse in the workplace; 2) the person's or organization's policy of maintaining a drug-free workplace; 3) any available counseling, rehabilitation and employee assistance programs; and, 4) penalties that may be imposed upon employees for drug abuse violations. c. Every employee who works on the proposed Agreement will: 1) receive a copy of the company's drug-free workplace policy statement; and, 2) agree to abide by the terms of the company's statement as a condition of ernployment on the Agreement. Failure to comply with these requirements may result in suspension of payments under the Agreement or termination of the Agreement or both and Contractor may be ineligible for award of any future State agreements if the department determines that any of the following has occurred: the Contractor has made false certification, or violated the certification by failing to carry out the requirements as noted above. (Gov. Code §8350 et seq.) 3. NATIONAL LABOR RELATIONS BOARD CERTIFICATION: Contractor certifies that no more than one (1) final unappealable finding of contempt of court by a Federal court has been issued against Contractor within the immediately preceding two-year period because of Contractor's failure to comply with an order of a Federal court, which orders Contractor to comply with an order of the National Labor Relations Board. (Pub. Contract Code §10296) (Not applicable to public entities.) 4. CONTRACTS FOR LEGAL SERVICES $50,000 OR MORE- PRO BONO REQUIREMENT: Contractor hereby certifies that Contractor will comply with the requirements of Section 6072 of the Business and Professions Code, effective January 1, 2003. Contractor agrees to make a good faith effort to provide a minimum number of hours of pro bono legal services during each year of the contract equal to the lessor of 30 multiplied by the number of full time attorneys in the firm's offices in the State, with the number of hours prorated on an actual day basis for any contract period of less than a full year or 10% of its contract with the State. Failure to make a good faith effort may be cause for non-renewal of a state contract for legal services, and may be taken into account when determining the award of future contracts with the State for legal services. 5. EXPATRIATE CORPORATIONS: Contractor hereby declares that it is not an expatriate corporation or subsidiary of an expatriate corporation within the meaning of Public Contract Code Section 10286 and 10286.1, and is eligible to contract with the State of California. 6. SWEATFREE CODE OF CONDUCT: a. All Contractors contracting for the procurement or laundering of apparel, garments or corresponding accessories, or the procurement of equipment, materials, or supplies, other than procurement related to a public works contract, declare under penalty of perjury that no apparel, garments or corresponding accessories, equipment, materials, or supplies furnished to the state pursuant to the contract have been laundered or produced in whole or in part by sweatshop labor, forced labor, convict labor, indentured labor under penal sanction, abusive forms of child labor or exploitation of children in sweatshop labor, or with the benefit of sweatshop labor, forced labor, convict labor, indentured labor under penal sanction, abusive forms of child labor or exploitation of children in sweatshop labor. The contractor further declares under penalty of perjury that they adhere to the Sweatfree Code of Conduct as set forth on the California Department of Industrial Relations website located at www.dir.ca.gov, and Public Contract Code Section 6108. b. The contractor agrees to cooperate fully in providing reasonable access to the contractor's records, documents, agents or employees, or premises if reasonably required by authorized officials of the contracting agency, the Department of Industrial Relations, or the Department of Justice to determine the contractor's compliance with the requirements under paragraph (a). 7. DOMESTIC PARTNERS: For contracts of $100,000 or more, Contractor certifies that Contractor is in compliance with Public Contract Code section 10295.3. 8. GENDER IDENTITY: For contracts of$100,000 or more, Contractor certifies that Contractor is in compliance with Public Contract Code section 10295.35. DOING BUSINESS WITH THE STATE OF CALIFORNIA The following laws apply to persons or entities doing business with the State of California. 1. CONFLICT OF INTEREST: Contractor needs to be aware of the following provisions regarding current or former state employees. If Contractor has any questions on the status of any person rendering services or involved with the Agreement, the awarding agency must be contacted immediately for clarification. Current State Employees (Pub. Contract Code §10410): 1). No officer or employee shall engage in any employment, activity or enterprise from which the officer or employee receives compensation or has a financial interest and which is sponsored or funded by any state agency, unless the employment, activity or enterprise is required as a condition of regular state employment. 2). No officer or employee shall contract on his or her own behalf as an independent contractor with any state agency to provide goods or services. Former State Employees (Pub. Contract Code §10411): 1). For the two-year period from the date he or she left state employment, no former state officer or employee may enter into a contract in which he or she engaged in any of the negotiations, transactions, planning, arrangements or any part of the decision-making process relevant to the contract while employed in any capacity by any state agency. 2). For the twelve-month period from the date he or she left state employment, no former state officer or employee may enter into a contract with any state agency if he or she was employed by that state agency in a policy-making position in the same general subject area as the proposed contract within the 12-month period prior to his or her leaving state service. If Contractor violates any provisions of above paragraphs, such action by Contractor shall render this Agreement void. (Pub. Contract Code §10420) Members of boards and commissions are exempt from this section if they do not receive payment other than payment of each meeting of the board or commission, payment for preparatory time and payment for per diem. (Pub. Contract Code §10430 (e)) 2. LABOR CODE/WORKERS' COMPENSATION: Contractor needs to be aware of the provisions which require every employer to be insured against liability for Worker's Compensation or to undertake self-insurance in accordance with the provisions, and Contractor affirms to comply with such provisions before commencing the performance of the work of this Agreement. (Labor Code Section 3700) 3. AMERICANS WITH DISABILITIES ACT: Contractor assures the State that it complies with the Americans with Disabilities Act (ADA) of 1990, which prohibits discrimination on the basis of disability, as well as all applicable regulations and guidelines issued pursuant to the ADA. (42 U.S.C. 12101 et seq.) 4. CONTRACTOR NAME CHANGE: An amendment is required to change the Contractor's name as listed on this Agreement. Upon receipt of legal documentation of the name change the State will process the amendment. Payment of invoices presented with a new name cannot be paid prior to approval of said amendment. 5. CORPORATE QUALIFICATIONS TO DO BUSINESS IN CALIFORNIA: a. When agreements are to be performed in the state by corporations, the contracting agencies will be verifying that the contractor is currently qualified to do business in California in order to ensure that all obligations due to the state are fulfilled. b. "Doing business" is defined in R&TC Section 23101 as actively engaging in any transaction for the purpose of financial or pecuniary gain or profit. Although there are some statutory exceptions to taxation, rarely will a corporate contractor performing within the state not be subject to the franchise tax. c. Both domestic and foreign corporations (those incorporated outside of California) must be in good standing in order to be qualified to do business in California. Agencies will determine whether a corporation is in good standing by calling the Office of the Secretary of State. 6. RESOLUTION: A county, city, district, or other local public body must provide the State with a copy of a resolution, order, motion, or ordinance of the local governing body which by law has authority to enter into an agreement, authorizing execution of the agreement. 7. AIR OR WATER POLLUTION VIOLATION: Under the State laws, the Contractor shall not be: (1) in violation of any order or resolution not subject to review promulgated by the State Air Resources Board or an air pollution control district; (2) subject to cease and desist order not subject to review issued pursuant to Section 13301 of the Water Code for violation of waste discharge requirements or discharge prohibitions; or (3) finally determined to be in violation of provisions of federal law relating to air or water pollution. 8. PAYEE DATA RECORD FORM STD. 204: This form must be completed by all contractors that are not another state agency or other governmental entity. 23-10132 Page 1 of 19 Exhibit D Special Terms and Conditions (For Subvention/Local Assistance Agreements rev 0212022) The provisions herein apply to this Agreement unless the provisions are removed by reference, the provisions are superseded by an alternate provision appearing elsewhere in this Agreement, or the applicable conditions do not exist. Index of Special Terms and Conditions 1 . Procurement Rules 11. Officials Not to Benefit 2. Equipment Ownership / Inventory / 12. Prohibited Use of State Funds for Disposition Software 3. Subcontract Requirements 13. Contract Uniformity (Fringe Benefit 4. Income Restrictions Allowability) 5. Site Inspection 14. Cancellation 6. Intellectual Property Rights 7. Prior Approval of Training Seminars, Workshops or Conferences 8. Confidentiality of Information 9. Documents, Publications, and Written Reports 10. Dispute Resolution Process Page 1 of '19 23-10132 Page 2 of 19 Exhibit D Special Terms and Conditions 1. Procurement Rules (Applicable to all Subvention /Local Assistance contracts in which equipment, property, commodities and/or supplies are furnished by CDPH or expenses for said items are reimbursed with state or federal funds.) A. Equipment definitions Wherever the term equipment /property is used, the following definitions shall apply: 1. Major equipment/property: A tangible or intangible item having a base unit cost of $2,500 or more with a life expectancy of one (1) year or more and is either furnished by CDPH or the cost is reimbursed through this Agreement. Software and videos are examples of intangible items that meet this definition. 2. Minor equipment/property: A tangible item having a base unit cost of less than 2 500 with a life expectancy of one (1) year or more and is either furnished by CDPH or the cost is reimbursed through this Agreement. B. Government and public entities (including state colleges/universities and auxiliary organizations), whether acting as a contractor, may secure all commodities, supplies, equipment and services related to such purchases that are required in performance of this Agreement. Said procurements are subject to Paragraphs d through g of this provision. Paragraph c of this provision shall also apply, if equipment purchases are delegated to subcontractors that are nonprofit organizations or commercial businesses. C. Nonprofit organizations and commercial businesses, whether acting as a contractor and/or subcontractor, may secure commodities, supplies, equipment and services related to such purchases for performance under this Agreement. 1. Equipment purchases shall not exceed $50,000 annually. To secure equipment above the annual maximum limit of$50,000, the Contractor shall make arrangements through the appropriate CDPH Program Contract Manager to have all remaining equipment purchased through CDPH's Purchasing Unit. The cost of equipment purchased by or through CDPH shall be deducted from the funds available in this Agreement. Contractor shall submit to the CDPH Program Contract Manager a list of equipment specifications for those items that the State must procure. The State may pay the vendor directly for such arranged equipment purchases and title to the equipment will remain with CDPH_ The equipment will be delivered to the Contractor's address, as stated on the face of the Agreement, unless the Contractor notifies the CDPH Program Contract Manager, in writing, of an alternate delivery address. Page 2 of 19 23-10132 Page 3 of 19 Exhibit D Special Terms and Conditions 2. All equipment purchases are subject to paragraphs d through g of this provision. Paragraph b of this provision shall also apply if equipment purchases are delegated to subcontractors that are either a government or public entity. 3. Nonprofit organizations and commercial businesses shall use a procurement system that meets the following standards: (a) Maintain a code or standard of conduct that shall govern the performance of its officers, employees, or agents engaged in awarding procurement contracts. No employee, officer, or agent shall participate in the selection, award, or administration of a procurement, or bid contract in which, to his or her knowledge, he or she has a financial interest. (b) Procurements shall be conducted in a manner that provides, to the maximum extent practical, open and free competition. (c) Procurements shall be conducted in a manner that provides for all of the following: I. Avoid purchasing unnecessary or duplicate items. 11. Equipment solicitations shall be based upon a clear and accurate description of the technical requirements of the goods to be procured. III. Take positive steps to utilize small and veteran owned businesses. D. Unless waived or otherwise stipulated in writing by CDPH, prior written authorization from the appropriate CDPH Program Contract Manager will be required before the Contractor will be reimbursed for any purchase exceeding $2,500 or more for commodities, supplies, equipment, and services related to such purchases. The Contractor must provide in its request for authorization all particulars necessary, as specified by CDPH, for evaluating the necessity or desirability of incurring such costs. The term "purchase" excludes the purchase of services from a subcontractor and public utility services at rates established for uniform applicability to the general public. E. In special circumstances determined by CDPH (e.g., when CDPH has a need to monitor certain purchases, etc.), CDPH may require prior written authorization and/or- the submission of paid vendor receipts for any purchase regardless of dollar amount. CDPH reserves the right to either deny claims for reimbursement or to request repayment for any Contractor purchase that CDPH determines to be unnecessary in carrying out performance under this Agreement. F. The Contractor must maintain a copy or narrative description of the procurement system, guidelines, rules, or regulations that will be used to make purchases under this Agreement. The State reserves the right to request a copy of these documents and to inspect the purchasing practices of the Contractor at any time. Page 3 of 19 23-10132 Page 4 of 19 Exhibit D Special Terms and Conditions G. For all purchases, the Contractor must maintain copies of all paid vendor invoices, documents, bids and other information used in vendor selection for inspection or audit. Justifications supporting the absence of bidding (i.e., sole source purchases) shall also be maintained on file by the Contractor for inspection or audit. 2. Equipment Ownership / Inventory / Disposition (Applicable to agreements in which equipment and/or property is furnished by CDPH and/or when said items are purchased or reimbursed with State and Federal funds (absence a Federal requirement for transfer of title)) A. Wherever the terms equipment and/or property are used in this provision, the definitions in provision 1, paragraph A., shall apply. Unless otherwise stipulated in this Agreement, all equipment and/or property that are purchased/reimbursed with agreement funds or furnished by CDPH under the terms of this Agreement shall be considered state equipment and the property of CDPH. 1. CDPH requires the reporting, tagging and annual inventorying of all equipment and/or property that is furnished by CDPH or purchased/reimbursed with funds provided through this Agreement. Upon receipt of equipment and/or property, the Contractor shall report the receipt to the CDPH Program Contract Manager. To report the receipt of said items and to receive property tags, Contractor shall use a form or format designated by CDPH's Asset Management Unit. If the appropriate form (i.e., Contractor Equipment Purchased with CDPH Funds) does not accompany this Agreement, Contractor shall request a copy from the CDPH Program Contract Manager. 2. If the Contractor enters into an agreement with a term of more than twelve months, the Contractor shall submit an annual inventory of state equipment and/or property to the CDPH Program Contract Manager using a form or format designated by CDPH's Asset Management Unit. If an inventory report form (i.e., Inventory/Disposition of CDPH-Funded Equipment) does not accompany this Agreement, Contractor shall request a copy from the CDPH Program Contract Manager. Contractor shall: (a) Include in the inventory report, equipment and/or property in the Contractor's possession and/or in the possession of a subcontractor (including independent consultants). (b) Submit the inventory report to CDPH according to the instructions appearing on the inventory form or issued by the CDPH Program Contract Manager. Page 4 of 19 23-10132 Page 5 of 19 Exhibit D Special Terms and Conditions (c) Contact the CDPH Program Contract Manager to learn how to remove, trade-in, sell, transfer or survey off from the inventory report, expired equipment and/or property that is no longer wanted, usable or has passed its life expectancy, Instructions will be supplied by CDPH's Asset Management Unit. B. Title to state equipment and/or properly shall not be affected by its incorporation or attachment to any property not owned by the State. C. Unless otherwise stipulated, CDPH shall be under no obligation to pay the cost of restoration or rehabilitation of the Contractor's and/or Subcontractor's facility which may be affected by the removal of any state equipment and/or property. D. The Contractor shall maintain and administer a sound business program for ensuring the proper use, maintenance, repair, protection, insurance and preservation of state equipment and/or property. 1. In administering this provision, CDPH may require the Contractor to repair or replace to CDPH's satisfaction any damaged, lost or stolen state equipment and/or property. Contractor shall immediately file a theft report with the appropriate police agency or the California Highway Patrol and Contractor shall promptly submit one copy of the theft report to the CDPH Program Contract Manager. E. Unless otherwise stipulated by the program funding this Agreement, equipment and/or property purchased/reimbursed with agreement funds or furnished by CDPH under the terms of this Agreement, shall only be used for performance of this Agreement or another CDPH agreement. F. Within sixty (60) calendar days prior to the termination or end of this Agreement, the Contractor shall provide a final inventory report of equipment and/or property to the CDPH Program Contract Manager and shall, at that time, query CDPH as to the requirements, including the manner and method, of returning state equipment and/or property to CDPH. Final disposition of equipment and/or property shall be at CDPH expense and according to CDPH instructions. Equipment and/or property disposition instructions shall be issued by CDPH immediately after receipt of the final inventory report. At the termination or conclusion of this Agreement, CDPH may at its discretion, authorize the continued use of state equipment and/or property for performance of work under a different CDPH agreement. G. Motor Vehicles (Applicable only if motor vehicles are purchased/reimbursed with agreement funds or furnished by CDPH under this Agreement.) 1. If motor vehicles are purchased/reimbursed or furnished by CDPH under the terms of this Agreement, within thirty (30) calendar days prior to the termination or end of this Page 5 of 19 23-10132 Page 6 of 19 Exhibit D Special Terms and Conditions Agreement, the Contractor shall return such vehicles to CDPH and shall deliver all necessary documents of title or registration to enable the proper transfer of a marketable title to CDPH. 2. If motor vehicles are purchased/reimbursed or furnished by CDPH under the terms of this Agreement, the State of California shall be the legal owner of said motor vehicles and the Contractor shall be the registered owner. The Contractor shall only use said vehicles for the performance under the terms of this Agreement. 3. The Contractor agrees that all operators of motor vehicles, purchased/reimbursed or furnished by CDPH under the terms of this Agreement, shall hold a valid State of California driver's license. In the event that ten or more passengers are to be transported in any one vehicle, the operator shall also hold a State of California Class B driver's license. 4. If any motor vehicle is purchased/reimbursed or furnished by CDPH under the terms of this Agreement, the Contractor, as applicable, shall provide, maintain, and certify that, at a minimum, the following type and amount of automobile liability insurance is in effect during the term of this Agreement or any extension period during which any vehicle remains in the Contractor's possession: Automobile Liability Insurance (a) The Contractor, by signing this Agreement, hereby certifies that it possesses or will obtain automobile liability insurance in the amount of $1,000,000 per occurrence for bodily injury and property damage combined. Said insurance must be obtained and made effective upon the delivery date of any motor vehicle purchased/reimbursed with agreement funds or furnished by CDPH under the terms of this Agreement to the Contractor. (b) The Contractor shall, as soon as practical, furnish a copy of the certificate of insurance to the CDPH Program Contract Manager. The certificate of insurance shall identify the CDPH contract or agreement number for which the insurance applies. (c) The Contractor agrees that bodily injury and property damage liability insurance, as required herein, shall remain in effect at all times during the term of this Agreement or until such time as the motor vehicle is returned to CDPH. (d) The Contractor agrees to provide at least thirty (30) days prior to the expiration date of said insurance coverage a copy of a new certificate of insurance evidencing continued coverage, as indicated herein for not less than the remainder of the term of this Agreement, the term of any extension or continuation thereof, or for a period of not less than one (1) year. Page 6 of 19 23-10132 Page 7 of 19 Exhibit D Special Terms and Conditions (e) The Contractor, if not a self-insured government and/or public entity, must provide evidence, that any required certificates of insurance contain the following provisions: I. The insurer will not cancel the insured's coverage without giving 'thirty (30) calendar days prior written notice to the State. II, The State of California, its officers, agents, employees, and servants are included as additional insureds, but only with respect to work performed for the State under this Agreement and any extension or continuation of this Agreement. III. The insurance carrier shall notify CDPH in writing, of the Contractor's failure to pay premiums; its cancellation of such policies; or any other substantial change, including, but not limited to, the status, coverage, or scope of the required insurance. Such notices shall contain a reference to each agreement number for which the insurance was obtained. (f) The Contractor is hereby advised that copies of certificates of insurance may be subject to review and approval by the Department of General Services (DGS), Office of Risk and Insurance Management. The Contractor- shall be notified by CDPH, in writing, if this provision is applicable to this Agreement. If DGS approval of the certificate of insurance is required, the Contractor agrees that no work or services shall be performed prior to obtaining said approval. (g) In the event the Contractor fails to keep insurance coverage as required herein in effect at all times during vehicle possession, CDPH may, in addition to any other remedies it may have, terminate this Agreement upon the occurrence of such event. 3. Subcontract Requirements (Applicable to agreements under which services are to be performed by subcontractors including independent consultants.) A. Prior written authorization by the State is required before the Contractor enters into or is reimbursed for any subcontract for services exceeding $2,500 for any articles, supplies, equipment, or services. The Contractor shall obtain and submit articles of at least three completive quotations or adequate justification for the absence of bidding. B. CDPH reserves the right to approve or disapprove the selection of subcontractors and with advance written notice, require the substitution of subcontractors and require the Contractor to terminate subcontracts entered into in support of this Agreement. Page 7 of 19 Exhibit D Special Terms and Conditions 1. Upon receipt of a written notice from CDPH requiring the substitution and/or termination of a subcontract, the Contractor shall take steps to ensure the completion of any work in progress and select a replacement, if applicable, within 30 calendar days, unless a longer period is agreed to by CDPH. C. Actual subcontracts (i.e., written agreement between the Contractor and a subcontractor) exceeding $2,500 are subject to the prior review and written approval of CDPH. D. Contractor shall maintain a copy of each subcontract entered into in support of this Agreement and shall, upon request by CDPH, make copies available for approval, inspection, or audit. E. CDPH assumes no responsibility for the payment of subcontractors used in the performance of this Agreement. Contractor accepts sole responsibility for the payment of subcontractors used in the performance of this Agreement. F The Contractor is responsible for all performance requirements under this Agreement even though performance may be carried out through a subcontract. G. The Contractor shall ensure that all subcontracts for services include provision(s) requiring compliance with applicable terms and conditions specified in this Agreement and shall be the subcontractor's sole point of contact for all matters related to the performance and payment during the term of this Agreement. H. The Contractor agrees to include the following clause, relevant to record retention, in all subcontracts for services: "(Subcontractor Name) agrees to maintain and preserve, until three years after termination of (Agreement Number) and final payment from CDPH to the Contractor, to permit CDPH or any duly authorized representative, to have access to, examine or audit any pertinent books, documents, papers and records related to this subcontract and to allow interviews of any employees who might reasonably have information related to such records." 4. Income Restrictions Unless otherwise stipulated in this Agreement, the Contractor agrees that any refunds, rebates, credits, or other amounts (including any interest thereon) accruing to or received by the Contractor under this Agreement shall be paid by the Contractor to CDPH, to the extent that they are properly allocable to costs for which the Contractor has been reimbursed by CDPH under this Agreement. 5. Site Inspection The State, through any authorized representatives, has the right at all reasonable times to Page 8of19 23-10132 Page 9 of 19 Exhibit D Special Terms and Conditions inspect or otherwise evaluate the work performed or being performed hereunder including subcontract supported activities and the premises in which it is being performed. If any inspection or evaluation is made of the premises of the Contractor or Subcontractor, the Contractor shall provide and shall require Subcontractors to provide all reasonable facilities and assistance for the safety and convenience of the authorized representatives in the performance of their duties. All inspections and evaluations shall be performed in such a manner as will not unduly delay the services performed. 6. Intellectual Property Rights A. Ownership 1. Except where CDPH has agreed in a signed writing to accept a license, CDPH shall be and remain, without additional compensation, the sole owner of any and all rights, title and interest in all Intellectual Property, from the moment of creation, whether or not jointly conceived, that are made, conceived, derived from, or reduced to practice by Contractor or CDPH and which result directly or indirectly from this Agreement. 2. For the purposes of this Agreement, Intellectual Property means recognized protectable rights and interest such as: patents, (whether or not issued) copyrights, trademarks, service marks, applications for any of the foregoing, inventions, trade secrets, trade dress, logos, insignia, color combinations, slogans, moral rights, right of publicity, author's rights, contract and licensing rights, works, mask works, industrial design rights, rights of priority, know how, design flows, methodologies, devices, business processes, developments, innovations, good will and all other legal rights protecting intangible proprietary information as may exist now and/or hereafter come into existence, and all renewals and extensions, regardless of whether those rights arise under the laws of the United States, or any other state, country or jurisdiction. (a) For the purposes of the definition of Intellectual Property, "works" means all literary works, writings and printed matter including the medium by which they are recorded or reproduced, photographs, art work, pictorial and graphic representations and works of a similar nature, film, motion pictures, digital images, animation cells, and other audiovisual works including positives and negatives thereof, sound recordings, tapes, educational materials, interactive videos and any other materials or products created, produced, conceptualized and fixed in a tangible medium of expression. It includes preliminary and final products and any materials and information developed for the purposes of producing those final products. Works does not include articles submitted to peer review or reference journals or independent research projects. 3. In the performance of this Agreement, Contractor will exercise and utilize certain of its Intellectual Property in existence prior to the effective date of this Agreement. In addition, under this Agreement, Contractor may access and utilize certain of CDPH's Intellectual Property in existence prior to the effective date of this Agreement. Except Page 9 of 19 23-10132 Page 10 of 19 Exhibit D Special Terms and Conditions as otherwise set forth herein, Contractor shall not use any of CDPH's Intellectual Property now existing or hereafter existing for any purposes without the prior written permission of CDPH. Except as otherwise set forth herein, neither the Contractor nor CDPH shall give any ownership interest in or rights to its Intellectual Property to the other Party. If during the term of this Agreement. Contractor accesses any third-party Intellectual Property that is licensed to CDPH. Contractor agrees to abide by all license and confidentiality restrictions applicable to CDPH in the third-party's license agreement. 4. Contractor agrees to cooperate with CDPH in establishing or maintaining CDPH's exclusive rights in the Intellectual Property, and in assuring CDPH's sole rights against third parties with respect to the Intellectual Property. If the Contractor enters into any agreements or subcontracts with other parties in order to perform this Agreement, Contractor shall require the terms of the Agreement(s) to include all Intellectual Property provisions. Such terms must include, but are not limited to, the subcontractor assigning and agreeing to assign to CDPH all rights, title and interest in Intellectual Property made, conceived, derived from, or reduced to practice by the subcontractor, Contractor or CDPH and which result directly or indirectly from this Agreement or any subcontract. 5. Contractor further agrees to assist and cooperate with CDPH in all reasonable respects, and execute all documents and, subject to reasonable availability, give testimony and take all further acts reasonably necessary to acquire, transfer, maintain, and enforce CDPH's Intellectual Property rights and interests. B. Retained Rights / License Rights 1. Except for Intellectual Property made, conceived, derived from, or reduced to practice by Contractor or CDPH and which result directly or indirectly from this Agreement, Contractor shall retain title to all of its Intellectual Property to the extent such Intellectual Property is in existence prior to the effective date of this Agreement. Contractor hereby grants to CDPH, without additional compensation, a permanent, non-exclusive, royalty free, paid-up, worldwide, irrevocable, perpetual, non-terminable license to use, reproduce, manufacture, sell, offer to sell, import, export, modify, publicly and privately display/perform, distribute, and dispose Contractor's Intellectual Property with the right to sublicense through multiple layers, for any purpose whatsoever, to the extent it is incorporated in the Intellectual Property resulting from this Agreement, unless Contractor assigns all rights, title and interest in the Intellectual Property as set forth herein. 2. Nothing in this provision shall restrict, limit, or otherwise prevent Contractor from using any ideas, concepts, know-how, methodology or techniques related to its performance under this Agreement, provided that Contractor's use does not infringe the patent, copyright, trademark rights, license or other Intellectual Property rights of CDPH or Page '10 of 19 Page 11 of 19 Exhibit D Special Terms and Conditions third party, or result in a breach or default of any provisions of this Exhibit or result in a breach of any provisions of law relating to confidentiality. C. Copyright 1. Contractor agrees that for purposes of copyright law, all works [as defined in Paragraph A, subparagraph 2.(a) of this provision] of authorship made by or on behalf of Contractor in connection with Contractor's performance of this Agreement shall be deemed "works made for hire". Contractor further agrees that the work of each person utilized by Contractor in connection with the performance of this Agreement will be a "work made for hire,"whether that person is an employee of Contractor or that person has entered into an agreement with Contractor to perform the work. Contractor shall enter into a written agreement with any such person that: (1) all work performed for Contractor shall be deemed a "work made for hire" under the Copyright Act and (ii) that person shall assign all right, title, and interest to CDPH to any work product made, conceived, derived from, or reduced to practice by Contractor or CDPH and which result directly or indirectly from this Agreement. 2. All materials, including, but not limited to, visual works or text, reproduced or distributed pursuant to this Agreement that include Intellectual Property made, conceived, derived from, or reduced to practice by Contractor or CDPH and which result directly or indirectly from this Agreement, shall include CDPH's notice of copyright, which shall read in 3mm or larger typeface: "O [Enter Current Year e.g., 2014, etc.], California Department of Public Health. This material may not be reproduced or disseminated without prior written permission from the California Department of Public Health." This notice should be placed prominently on the materials and set apart from other matter on the page where it appears. Audio productions shall contain a similar audio notice of copyright. D. Patent Rights With respect to inventions made by Contractor in the performance of this Agreement, which did not result from research and development specifically included in the Agreement's scope of work, Contractor hereby grants to CDPH a license as described under Section b of this provision for devices or material incorporating or made through the use of such inventions. If such inventions result from research and development work specifically included within the Agreement's scope of work, then Contractor agrees to assign to CDPH, without additional compensation, all its right, title and interest in and to such inventions and to assist CDPH in securing United States and foreign patents with respect thereto. E. Third-Party Intellectual Property Except as provided herein, Contractor agrees that its performance of this Agreement shall not be dependent upon or include any Intellectual Property of Contractor or third party Page 11 of 19 23-10132 Page 12of19 Exhibit D Special Terms and Conditions without first: (i) obtaining CDPH's prior written approval; and (ii) granting to or obtaining for CDPH, without additional compensation, a license, as described in Section b of this provision, for any of Contractor's or third-party's Intellectual Property in existence prior to the effective date of this Agreement. If such a license upon these terms is unattainable and CDPH determines that the Intellectual Property should be included in or is required for Contractor's performance of this Agreement, Contractor shall obtain a license under terms acceptable to CDPH. F. Warranties (1) Contractor represents and warrants that: (a) It is free to enter into and fully perform this Agreement. (b) It has secured and will secure all rights and licenses necessary for its performance of this Agreement. (c) Neither Contractor's performance of this Agreement, nor the exercise by either Party of the rights granted in this Agreement, nor any use, reproduction, manufacture, sale, offer to sell, import, export, modification, public and private display/performance, distribution, and disposition of the Intellectual Property made, conceived, derived from, or reduced to practice by Contractor or CDPH and which result directly or indirectly from this Agreement will infringe upon or violate any Intellectual Property right, non-disclosure obligation, or other proprietary right or interest of any third-party or entity now existing under the laws of, or hereafter existing or issued by, any state, the United States, or any foreign country. There is currently no actual or threatened claim by any such third party based on an alleged violation of any such right by Contractor. (d) Neither Contractor's performance nor any part of its performance will violate the right of privacy of, or constitute a libel or slander against any person or entity. (e) It has secured and will secure all rights and licenses necessary for Intellectual Property including, but not limited to, consents, waivers or releases from all authors Of music or performances used, and talent (radio, television and motion picture talent), owners of any interest in and to real estate, sites, locations, property or props that may be used or shown. (f) It has not granted and shall not grant to any person or entity any right that would or might derogate, encumber, or interfere with any of the rights granted to CDPH in this Agreement. (g) It has appropriate systems and controls in place to ensure that state funds will not be used in the performance of this Agreement for the acquisition, operation or maintenance of computer software in violation of copyright laws. Page 12 of 19 ....... .,y-I wnv 23-10132 Page 13 of 19 Exhibit D Special Terms and Conditions (h) It has no knowledge of any outstanding claims, licenses or other charges, liens, or encumbrances of any kind or nature whatsoever that could affect in any way Contractor's performance of this Agreement. (2) CDPH MAKES NO WARRANTY THAT THE INTELLECTUAL PROPERTY RESULTING FROM THIS AGREEMENT DOES NOT INFRINGE UPON ANY PATENT, TRADEMARK, COPYRIGHT OR THE LIKE, NOW EXISTING OR SUBSEQUENTLY ISSUED. G. Intellectual Property Indemnity (1) Contractor shall indemnify, defend and hold harmless CDPH and its licensees and assignees, and its officers, directors, employees, agents, representatives, successors, and users of its products, ("Indemnitees") from and against all claims, actions, damages, losses, liabilities (or actions or proceedings with respect to any thereof), whether or not rightful, arising from any and all actions or claims by any third party or expenses related thereto (including, but not limited to, all legal expenses, court costs, and attorney's fees incurred in investigating, preparing, serving as a witness in, or defending against, any such claim, action, or proceeding, commenced or threatened) to which any of the Indemnitees may be subject, whether or not Contractor is a party to any pending or threatened litigation, which arise out of or are related to (i) the incorrectness or breach of any of the representations, warranties, covenants or agreements of Contractor pertaining to Intellectual Property; or (ii) any Intellectual Property infringement, or any other type of actual or alleged infringement claim, arising out of CDPH's use, reproduction, manufacture, sale, offer to sell, distribution, import, export, modification, public and private performance/display, license, and disposition of the Intellectual Property made, conceived, derived from, or reduced to practice by Contractor or CDPH and which result directly or indirectly from this Agreement. This indemnity obligation shall apply irrespective of whether the infringement claim is based on a patent, trademark or copyright registration that issued after the effective date of this Agreement. CDPH reserves the right to participate in and/or control, at Contractor's expense, any such infringement action brought against CDPH. (2) Should any Intellectual Property licensed by the Contractor to CDPH under this Agreement become the subject of an Intellectual Property infringement claim, Contractor will exercise its authority reasonably and in good faith to preserve CDPH's right to use the licensed Intellectual Property in accordance with this Agreement at no expense to CDPH. CDPH shall have the right to monitor and appear through its own counsel (at Contractor's expense) in any such claim or action. In the defense or settlement of the claim, Contractor may obtain the right for CDPH to continue using the licensed Intellectual Property or replace or modify the licensed Intellectual Property so that the replaced or modified Intellectual Property becomes non-infringing provided that such replacement or modification is functionally equivalent to the original Page 13 of 19 23-10132 Page 14 of 19 Exhibit D Special Terms and Conditions licensed Intellectual Property. If such remedies are not reasonably available, CDPH shall be entitled to a refund of all monies paid under this Agreement without restriction or limitation of any other rights and remedies available at law or in equity. (3) Contractor agrees that damages alone would be inadequate to compensate CDPH for breach of any term of this Intellectual Property Exhibit by Contractor. Contractor acknowledges CDPH would suffer irreparable harm in the event of such breach and agrees CDPH shall be entitled to obtain equitable relief, including without limitation an injunction, from a court of competent jurisdiction without restriction or limitation of any other rights and remedies available at law or in equity. H. Survival The provisions set forth herein shall survive any termination or expiration of this Agreement or any project schedule. 7. Prior Approval of Training Seminars, Workshops or Conferences Contractor shall obtain prior CDPH approval of the location, costs, dates, agenda, instructors, instructional materials, and attendees at any reimbursable training seminar, workshop, or conference conducted pursuant to this Agreement and of any reimbursable publicity or educational materials to be made available for distribution. The Contractor shall acknowledge the support of the State whenever publicizing the work under this Agreement in any media. This provision does not apply to necessary staff meetings or training sessions held for the staff of the Contractor in order to conduct routine business matters. 8. Confidentiality of Information The Contractor and its employees, agents, or subcontractors shall: a. Protect from unauthorized disclosure names and other identifying information concerning persons either receiving services pursuant to this Agreement or persons whose names or identifying information become available or are disclosed to the Contractor, its employees, agents, or subcontractors as a result of services performed under this Agreement, except for statistical information not identifying any such person. b. Not use such identifying information for any purpose other than carrying out the Contractor's obligations under this Agreement. c. Promptly transmit to the CDPH Contract Manager all requests for disclosure of such identifying information not emanating from the client or person. cf. Not disclose, except as otherwise specifically permitted by this Agreement or authorized by the client, any such identifying information to anyone other than CDPH without prior Page 14 of 19 23-10132 Page 15 of 19 Exhibit D Special Terms and Conditions written authorization from the CDPH Contract Manager, except if disclosure is required by State or Federal law. e. For purposes of this provision, identity shall include, but not be limited to name, identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print or a photograph. f. As deemed applicable by CDPH, this provision may be supplernented by additional terms and conditions covering personal health information (PHI) or personal, sensitive, and/or confidential information (PSCI). Said terms and conditions will be outlined in one or more exhibits that will either be attached to this Agreement or incorporated into this Agreement by reference. 9. Documents, Publications and Written Reports (Applicable to agreements over $5,000 under which publications, written reports and documents are developed or produced. Government Code Section 7550.) Any document, publication or written report (excluding progress reports, financial reports and normal contractual communications) prepared as a requirement of this Agreement shall contain, in a separate section preceding the main body of the document, the number and dollar amounts of all contracts or agreements and subcontracts relating to the preparation of such document or report, if the total cost for work by nonemployees of the State exceeds $5,000. 10. Dispute Resolution Process A. A Contractor grievance exists whenever there is a dispute arising from CDPH's action in the administration of an agreement. If there is a dispute or grievance between the Contractor and CDPH, the Contractor must seek resolution using the procedure outlined below. 1. The Contractor should first informally discuss the problem with the CDPH Program Contract Manager. If the problem cannot be resolved informally, the Contractor shall direct its grievance together with any evidence, in writing, to the CDPH Program Branch Chief. The grievance shall state the issues in dispute, the legal authority or other basis for the Contractor's position and the remedy sought. The CDPH Program Branch Chief shall render a decision within ten (10) business days after receipt of the written grievance from the Contractor. The CDPH Program Branch Chief shall respond in writing to the Contractor indicating the decision and reasons, therefore. If the Contractor disagrees with the CDPH Program Branch Chief's decision, the Contractor may appeal to the second level. 2, When appealing to the second level, the Contractor must prepare an appeal indicating the reasons for disagreement with CDPH Program Branch Chief's decision. The Page 15 of 19 23-10132 Page 16of19 Exhibit D Special Terms and Conditions Contractor shall include with the appeal a copy of the Contractor's original statement of dispute along with any supporting evidence and a copy of the CDPH Program Branch Chief's decision. The appeal shall be addressed to the CDPH Dep uty Director of the division in which the branch is organized within ten (10) business days from receipt of the CDPH Program Branch Chief's decision. The CDPH Deputy Director of the division in which the branch is organized, or his/her designee shall meet with the Contractor to review the issues raised. A written decision signed by the CDPH Deputy Director of the division in which the branch is organized or his/her designee shall be directed to the Contractor within twenty (20) business days of receipt of the Contractor's second level appeal. B. If the Contractor wishes to appeal the decision of the Deputy Director of the division in which the branch is organized or his/her designee, the Contractor shall follow the procedures set forth in Division 25.1 (commencing with Section 38050) of the Health and Safety Code and the regulations adopted thereunder. (Title 1, Division 2, Chapter 2, Article 3 (commencing with Section 1140) of the California Code of Regulations). C. Disputes arising out of an audit, examination of an agreement or other action not covered by subdivision (a) of Section 20204, of Chapter 2.1, Title 22 Division 2, Subdivision 2, of the California Code of Regulations, and for which no procedures for appeal are provided in statute, regulation or the Agreement, shall be handled in accordance with the procedures identified in Sections 51016 through 51047, Title 22 Division 3, Subdivisionl, Chapter 3, California Code of Regulations. D. Unless otherwise stipulated in writing by CDPH, all dispute, grievance and/or appeal correspondence shall be directed to the CDPH Contract Manager. E. There are organizational differences within CDPH's funding programs and the management levels identified in this dispute resolution provision may not apply in every contractual situation. When a grievance is received and organizational differences exist, the Contractor shall be notified in writing by the CDPH Contract Manager of the level, name, and/or title of the appropriate management official that is responsible for issuing a decision at a given level. 11. Officials Not to Benefit No members of or delegate of Congress or the State Legislature shall be admitted to any share or part of this Agreement, or to any benefit that may arise therefrom. This provision shall not be construed to extend to this Agreement if made with a corporation for its general benefits. 12. Prohibited Use of State Funds for Software Page 16 of 19 23-10132 Page 17 of 19 Exhibit D Special Terms and Conditions Contractor certifies that it has appropriate systems and controls in place to ensure that state funds will not be used in the performance of this Agreement for the acquisition, operation or maintenance of computer software in violation of copyright laws. 13. Contract Uniformity (Fringe Benefit Allowability) (Applicable only to nonprofit organizations.) Pursuant to the provisions of Article 7 (commencing with Section 100525) of Chapter 3 of Part 1 of Division 101 of the Health and Safety Code, CDPH sets forth the following policies, procedures, and guidelines regarding the reimbursement of fringe benefits. A. As used herein fringe benefits shall mean an employment benefit given by one's employer to an employee in addition to one's regular or normal wages or salary. B. As used herein, fringe benefits do not include: 1. Compensation for personal services paid currently or accrued by the Contractor for services of employees rendered during the term of this Agreement, which is identified as regular or normal salaries and wages, annual leave, vacation, sick leave, holidays, jury duty and/or military leave/training 2. Director's and executive committee member's fees 3. Incentive awards and/or bonus incentive pay 4. Allowances for off-site pay 5. Location allowances 6. Hardship pay 7. Cost-of-living differentials C. Specific allowable fringe benefits include: 1. Fringe benefits in the form of employer contributions for the employer's portion of payroll taxes (i.e., FICA, SUI, SDI), employee health plans (i.e., health, dental and vision), unemployment insurance, worker's compensation insurance, and the employer's share of pension/retirement plans, provided they are granted in accordance with established written organization policies and meet all legal and Internal Revenue Service requirements. D. To be an allowable fringe benefit, the cost must meet the following criteria: 1. Be necessary and reasonable for the performance of the Agreement. 2. Be determined in accordance with generally accepted accounting principles. 3. Be consistent with policies that apply uniformly to all activities of the Contractor. E. Contractor agrees that all fringe benefits shall be at actual cost. Page 17 of 19 23-10132 Page 18of19 Exhibit D Special Terms and Conditions F. Earned/Accrued Compensation 1 . Compensation for vacation, sick leave and holidays is limited to that amount earned/accrued within the agreement term. Unused vacation, sick leave a nd holidays earned from periods prior to the agreement term cannot be claimed as allowable costs. See section F.3.A. below for an example. 2. For multiple year agreements, vacation and sick leave compensation, which is earned/accrued but not paid, due to employee(s) not taking time off may be carried over and claimed within the overall term of the multiple years of the Agreement. Holidays cannot be carried over from one agreement year to the next. See Provision F.3.13. for an example. 3. For single year agreements, vacation, sick leave and holiday compensation that is earned/accrued but not paid, due to employee(s) not taking time off within the term of the Agreement, cannot be claimed as an allowable cost. See Provision F.3.C. for an example. A. Example No. 1: If an employee, John Doe, earns/accrues three weeks of vacation and twelve days of sick leave each year, then that is the maximum amount that may be claimed during a one year agreement. If John Doe has five weeks of vacation and eighteen days of sick leave at the beginning of an agreement, the Contractor during a one- year budget period may only claim up to three weeks of vacation and twelve days of sick leave as actually used by the employee. Amounts earnedfaccrued in periods prior to the beginning of the Agreement are not an allowable cost. B. Example No. 2: If during a three-year (multiple year) agreement, John Doe does not use his three weeks of vacation in year one, or his three weeks in year two, but he does actually use nine weeks in year three; the Contractor would be allowed to claim all nine weeks paid for in year three. The total compensation over the three-year period cannot exceed 156 weeks (3 x 52 weeks). C. Example No. 3: If during a single year agreement, John Doe works fifty weeks and used one week of vacation and one week of sick leave and all fifty-two weeks have been billed to CDPH, the remaining unused two weeks of vacation and seven days of sick leave may not be claimed as an allowable cost. Page 18 of 19 23-10132 Page 19 of 19 Exhibit D Special Terms and Conditions 14. Cancellation A. This agreement may be cancelled by CDPH without cause upon 30 calendar days advance written notice to the Contractor. B. CDPH reserves the right to cancel or terminate this agreement immediately for cause. The Contractor may submit a written request to terminate this agreement only if CDPH substantially fails to perform its responsibilities as provided herein. C. The term "for cause" shall mean that the Contractor fails to meet the terms, conditions, and/or responsibilities of this agreement. D_ Agreement termination or cancellation shall be effective as of the date indicated in CDPH's notification to the Contractor. The notice shall stipulate any final performance, invoicing or payment requirements. E. Upon receipt of a notice of termination or cancellation, the Contractor shall take immediate steps to stop performance and to cancel or reduce subsequent agreement costs. F. In the event of early termination or cancellation, the Contractor shall be entitled to compensation for services performed satisfactorily under this agreement and expenses incurred up to the date of cancellation and any non-cancelable obligations incurred in support of this agreement. Page 19 of 19 Page 1 of 3 Exhibit E Additional Provisions 1. Additional Incorporated Documents A. The following documents and any subsequent updates are not attached, but are incorporated herein and made a part hereof by this reference. CDPH will maintain on file, all documents referenced herein and any subsequent updates, as required by program directives. CDPH shall provide the Contractor with copies of said documents and any periodic updates thereto, under separate cover. 1) Confidentiality Tables and Information Flows located at https:/,1;)artriers.cdph.ca.gcv/sites!i'\Di,PEii,ollrnentVVorkers/ 2) Quality Performance Metrics located at www.cd ph.ca.qov/P cog rams(CIDiDOA/Pages/OA adap resourcespage.aspx 3) CDPH Guidelines located at https://wwvv.cdph.ca.goviPi-ograms/CID/DOA/Pages/OA adap communications.aspx 4) AIDS Drug Assistance Program Formulary located at https://www.cdpli.ca-qov/Pi-ografiis/CID/DQA/Pages/OA adap resourcespage.aspx 5) Pre-Exposure Prophylaxis Assistance Program Formulary located at https://www.cdoh.ca..goviP►-ograrns/CID/DOA/Pages/OA adap resources prepAP.aspx 6) AIDS Drug Assistance Program Enrollment Site Fee for Service Pay Schedule located at https://www.cdpfi.ca.qov/programs/cid/doa/pages/oa adap resourcespage.aspx 2. Insurance Requirements A. General Provisions Applying to All Policies 1) Coverage Term— Coverage needs to be in force for the complete term of the Agreement. If insurance expires during the term of the Agreement, a new certificate and required endorsements must be received by the State at least ten (10) days prior to the expiration of this insurance. Any new insurance must comply with the original Agreement terms. 2) Policy Cancellation or Termination and Notice of Non-Renewal — Contractor shall provide to the CDPH within five (5) business days following receipt by Contractor a copy of any cancellation or non-renewal of insurance required by this Contract. In the event Contractor fails to keep in effect at all times the specified insurance coverage, the CDPH may, in addition to any other remedies it may have, terminate this Contract upon the occurrence of such event, subject to the provisions of this Contract. 3) Premiums Assessments and Deductibles — Contractor is responsible for any premiums, policy assessments, deductibles or self-insured retentions contained within their insurance program. 4) Primary Clause—Any required insurance contained in this Agreement shall be primary and not excess or contributory to any other insurance carried by the CDPH. 5) Insurance Carrier Required Rating —All insurance companies must carry an AM Best rating of at least"A—" with a financial category rating of no lower than VI. If Contractor is self-insured for a portion or all of its insurance, review of financial information including a letter of credit may be required. 23-10132 Page 2 of 3 Exhibit E Additional Provisions 6) Endorsements—Any required endorsements requested by the CDPH must be physically attached to all requested certificates of insurance and not substituted by referring to such coverage on the certificate of insurance. 7) Inadequate Insurance — Inadequate or lack of insurance does not negate Contractor's obligations under the Agreement. 8) Use of Subcontractors - In the case of Contractor's utilization of Subcontractors to complete the contracted scope of work, Contractor shall include all Subcontractors as insured under Contractor's insurance or supply evidence of the Subcontractor's insurance to the CDPH equal to policies, coverages, and limits required of Contractor. B. Insurance Coverage Requirements Contractor shall display evidence of certificate of insurance evidencing the following coverage: 1) Commercial General Liability — Contractor shall maintain general liability with limits not less than $1,000,000 per occurrence for bodily injury and property damage combined with a $2,000,000 annual policy aggregate. The policy shall include coverage for liabilities arising out of premises, operations, independent Contractors, products, completed operations, personal and advertising injury, and liability assumed under an insured Agreement. This insurance shall apply separately to each insured against whom claim is made or suit is brought subject to Contractor's limit of liability. The policy shall be endorsed to include, "The State of California, its officers, agents, employees, and servants as additional insured, but only insofar as the operations under this Agreement are concerned." This endorsement must be supplied under form acceptable to the Office of Risk and Insurance Management. 2) Automobile Liability (when required)— Contractor shall maintain motor vehicle liability insurance with limits not less than $1,000,000 combined single limit per accident. Such insurance shall cover liability arising out of a motor vehicle including owned, hired and non-owned motor vehicles. Should the scope of the Agreement involve transportation of hazardous materials, evidence of an MCS-90 endorsement is required. The policy shall be endorsed to include, "The State of California, its officers, agents, employees, and servants as additional insured, but only insofar as the operations under this Agreement are concerned." This endorsement must be supplied under form acceptable to the Office of Risk and Insurance Management. 3) Worker's Compensation and Employer's Liability (when required) —Contractor shall maintain statutory worker's compensation and employer's liability coverage for all its employees who will be engaged in the performance of the Agreement. Employer's liability limits of$1,000,000 are required. When work is performed on State owned or controlled property the policy shall contain a waiver of subrogation endorsement in favor of the State. This endorsement must be supplied under form acceptable to the Office of Risk and Insurance Management. 4) Professional Liability (when required) — Contractor shall maintain professional liability covering any damages caused by a negligent error; act or ornission with limits not less than $1,000,000 per occurrence and $1,000,000 policy aggregate. The policy's retroactive date must be displayed on the certificate of insurance and must be before the date this Agreement was executed or before the beginning of Agreement work. 23-10132 Page 3 of 3 Exhibit E Additional Provisions 5) Environmental/Pollution Liability (when required)— Contractor shall maintain pollution liability for limits not less than $1,000,000 per claim covering Contractor's liability for bodily injury, property damage and environmental damage resulting from pollution and related cleanup costs incurred arising out of the work or services to be performed under this Agreement. Coverage shall be provided for both work performed on site as well as transportation and proper disposal of hazardous materials. The policy shall be endorsed to include, "The State of California, its officers, agents, employees, and servants as additional insured, but only insofar as the operations under this Agreement are concerned." This endorsement must be supplied under form acceptable to the Office of Risk and Insurance Management. 6) Aircraft Liability (when required) - Contractor shall maintain aircraft liability with a limit not less than $3,000,000. The policy shall be endorsed to include, "The State of California, its officers, agents, employees and servants as additional insured, but only insofar as the operations under this Agreement." This endorsement must be supplied under form acceptable to the Office of Risk and Insurance Management. Page 1 of 13 Exhibit F HIPAA Business Associate Addendum 1. Recitals A. The underlying contract (Agreement), to which this HIPAA Business Associate Addendum is attached to and made a part of, has been determined to constitute a business associate relationship under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the HITECH Act), 42 U.S.C. section 17921 et seq., and their implementing privacy and security regulations at 45 CFR Parts 160 and 164 (the HIPAA regulations). B. The California Department of Public Health (CDPH) wishes to disclose to (Business Associate) certain information pursuant to the terms of the Agreement, some of which may constitute Protected Health Information (PHI), including protected health information in electronic media (ePHI), under federal law, and personal information (PI) under state law. C. As set forth in the Agreement, Business Associate is acting on CDPH's behalf and provides services, arranges, performs or assists in the performance of functions or activities on behalf of CDPH and creates, receives, maintains, transmits, uses or discloses PHI or PI. CDPH and Business Associate are each a party to the Agreement and are collectively referred to as the "parties." D. The purpose of this Addendum is to protect the privacy and security of the PHI and PI that may be created, received, maintained, transmitted, used or disclosed pursuant to the Agreement, and to comply with certain standards and requirements of HIPAA, the HITECH Act and the HIPAA regulations, including, but not limited to, the requirement that CDPH must enter into a contract containing specific requirements with Business Associate prior to the disclosure of PHI and PI to Business Associate, as set forth in 45 CFR Parts 160 and 164 and the HITECH Act. E. The terms used in this Addendum, but not otherwise defined, shall have the same meanings as those terms have in the HIPAA regulations. Any reference to statutory or regulatory language shall be to such language as in effect or as amended. II. Definitions A. Breach shall have the meaning given to such term under HIPAA, the HITECH Act, and the HIPAA regulations. B. Business Associate shall have the meaning given to such term under HIPAA, the HITECH Act, and the HIPAA regulations. C. Covered Entity shall have the meaning given to such term under HIPAA, the HITECH Act, and the HIPAA regulations. D. Designated Record Set means the group of records maintained for CDPH that includes medical, dental, and billing records about individuals, enrollment, payment, claims adjudication, and case or medical management systems maintained for CDPH health plans; or those records used to make decisions about individuals on behalf of CDPH. E. Electronic Health Record shall have the meaning given to such term in the HITECH Act, including, but not limited to, 42 U.S.0 section 17921 and implementing regulations. W BAA 9-22 Page 2 of 13 Exhibit F HIPAA Business Associate Addendum F. Electronic Protected Health Information (ePHI) means individually identifiable health information transmitted by electronic media or maintained in electronic media, including but not limited to electronic media as set forth under 45 CFR Part 160.103. G. Individually Identifiable Health Information means health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer or health care clearinghouse, and relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual, as set forth under 45 CFR Part 160,103. H. Privacy Rule shall mean the HIPAA Regulation that is found at 45 CFR Parts 160 and 164. I. Personal Information shall have the meaning given to such term in California Civil Code sections 1798.3 and 1798.29. J. Protected Health Information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or is transmitted or maintained in any other form or medium, as set forth under 45 CFR Part 160.103. K. Required by law, as set forth under 45 CFR Part 164.103, means a mandate contained in law that compels an entity to make a use or disclosure of PHI or PI that is enforceable in a court of law. This includes, but is not limited to, court orders and court-ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information, and a civil or an authorized investigative demand. It also includes Medicare conditions of participation with respect to health care providers participating in the program, and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. L. Secretary means the Secretary of the U.S. Department of Health and Human Services (HHS) or the Secretary's designee. M. Security Incident means a suspected or successful unauthorized access, use, disclosure, modification, or destruction of PHI or PI; successful unauthorized access, use, disclosure, modification, or destruction of confidential information, that is essential to the ongoing operation of Business Associate's organization and intended for internal use; or interference with system operations in an information system. N. Security Rule shall mean the HIPAA regulation that is found at 45 CFR Parts 160 and 164. O. Unsecured PHI shall have the meaning given to such term under the HITECH Act, 42 U.S.C. section 17932(h), any guidance issued pursuant to such Act and the HIPAA regulations. 111. Terms of Agreement A. Permitted Uses and Disclosures of PHI and PI by Business Associate Permitted Uses and Disclosures. Except as otherwise indicated in this Addendum; Business Associate may use or disclose PHI and PI only to perform functions, activities or services specified in the Agreement, for, or on behalf of CDPH, provided that such use or disclosure would not violate the HIPAA regulations, if done by CDPH. Any such use or disclosure must, to the extent practicable, be restricted to PAA BAA 9-22 23-10132 Page 3 of 13 Exhibit F HIPAA Business Associate Addendum a limited PHI and PI dataset, as defined in 45 CFR section 164.514(e)(2), or, if needed, to the minimum necessary, as defined in 45 CFR section 164.514(d), to accomplish the intended purpose of such use or disclosure, in compliance with the HITECH Act and any guidance issued pursuant to such Act, and the HIPAA regulations. 1. Specific Use and Disclosure Provisions. Except as otherwise indicated in this Addendum, Business Associate may: a. Use and disclose for management and administration. Use and disclose PHI and PI for the proper management and administration of Business Associate provided that such disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware that the confidentiality of the information has been breached. b. Provision of PHI and PI Aggregation Services. Use PHI or PI to provide aggregation services to CDPH. PHI and PI aggregation means the combining of PHI and PI created or received by Business Associate on behalf of CDPH with PHI and PI received by Business Associate in its capacity as Business Associate of another covered entity, to permit PHI and PI analyses that relate to the health care operations of CDPH. B. Prohibited Uses and Disclosures 1. Business Associate shall not disclose PHI or PI about an individual to a health plan for payment or health care operations purposes if the PHI and PI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full and the individual requests such restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section 164.522(a). 2. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI or PI, except with the prior written consent of CDPH and as permitted by 42 U.S.C. section 17935(d)(2). C. Responsibilities of Business Associate Business Associate agrees: 1. !Nondisclosure. Not to use or disclose PHI or PI other than as permitted or required by the Agreement or as required by law. 2. Safeguards. To implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and PI, including ePHI, that it creates, receives, maintains, uses, or transmits on behalf of CDPH, in compliance with 45 CFR Parts '164.308, '164.310 and 164.312, and to prevent use or disclosure of PHI and PI other than as provided for by the Agreement. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of 45 CFR Part 164, subpart C, in compliance with 45 CFR Part 164.316. Business Associate shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of Business Associate's operations and the nature and scope of its activities, and which incorporates the requirements of section 3, Security, below. Upon request by CDPH, Business Associate will provide CDPH with Business Associate's current and updated policies within five (5) business days. CDPH HIPAA BAA 9-22 23-10132 Page 4 of 13 Exhibit F HIPAA Business Associate Addendum 3. Security. To take all steps necessary to ensure the continuous confidentiality, integrity, and availability of all systems and devices holding, processing, or transporting PHI or PI, and to protect physical documents containing PHI or Pl. These steps shall include, at a minimum: a. Complying with all of the PHI and PI system security precautions listed in Attachment A, Business Associate PHI and PI Security Requirements; b. Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and 164), as necessary in conducting operations on behalf of CDPH under the Agreement: c. Providing a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III - Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies; d. In case of a conflict between any of the security standards contained in any of these enumerated sources of security standards, the most stringent shall apply. The most stringent means that safeguard which provides the highest level of protection to PHI and Pl from unauthorized disclosure. Further, Business Associate must comply with changes to these standards that occur after the effective date of the Agreement; and e. Business Associate shall designate a Security Officer to oversee its PHI and PI security program who shall be responsible for carrying out the requirements of this section and for communicating on security matters with CDPH. D. Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI or PI by Business Associate or its subcontractors in violation of the requirements of this Addendum. E. Business Associate's Agents and Subcontractors. 1. To enter into written agreements with any agents, including subcontractors and vendors, to whom Business Associate provides PHI or PI received from or created or received by Business Associate on behalf of CDPH, that impose the same restrictions and conditions on such agents, subcontractors and vendors that apply to Business Associate with respect to such PHI and PI under this Addendum, and that comply with all applicable provisions of HIPAA, the HITECH Act and the HIPAA regulations. 2. In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate's knowledge of a material breach or violation by its subcontractor of the agreement between Business Associate and the subcontractor, Business Associate shall: a. Provide an opportunity for the subcontractor to cure the breach, end the violation, or terminate the agreement if the subcontractor does not cure the breach or end the violation within the time specified by CDPH; or b. Immediately terminate the agreement if the subcontractor has breached a material term of the agreement and curing the breach is not possible. F. Availability of Information to CDPH and Individuals. To provide access and information: CDPH HIPAA BAA 9-22 23-10132 Page 5 of 13 Exhibit F HIPAA Business Associate Addendum 1. To provide access as CDPH may require, and in the time and manner designated by CDPH (upon reasonable notice and during Business Associate's normal business hours) to PHI and PI in a Designated Record Set, to CDPH (or, as directed by CDPH), to an individual, in accordance with 45 CFR Part 164.524. Business Associate shall use the forms and processes developed by CDPH for this purpose and shall respond to requests for access to records transmitted by CD PH within fifteen (15) calendar days of receipt of the request by producing the records or verifying that there are none. 2. If Business Associate maintains an Electronic Health Record with PHI and PI, and an individual requests a copy of such information in an electronic format, Business Associate shall provide such information in an electronic format to enable CDPH to fulfill its obligations under the HITECH Act, including but not limited to, 42 U.S.C. section 17935(e). 3. If Business Associate receives PHI or PI from CDPH that was provided to CDPH by the Social Security Administration, upon request by CDPH, Business Associate shall provide CDPH with a list of all employees, contractors and agents who have access to the Social Security PH I or PI, including employees, contractors and agents of its subcontractors and agents. G. Amendment of PHI and Pl. To make any amendment(s) to PHI or PI that CDPH directs or agrees to pursuant to 45 CFR Part 164.526 and, as applicable, Civil Code 1798.35, in the time and manner designated by CDPH. H. Internal Practices. To make Business Associate's internal practices, books and records relating to the use and disclosure of PHI and PI received from CDPH or created or received by Business Associate on behalf of CDPH, available to CDPH or to the Secretary in a time and manner designated by CDPH or by the Secretary, for purposes of determining CDPH's compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive possession of any other entity or person and the other entity or person fails or refuses to furnish the information to Business Associate, Business Associate shall so certify to CDPH and shall set forth the efforts it made to obtain the information. 1. Documentation of Disclosures. To document and make available to CDPH or(at the direction of CDPH) to an individual such disclosures of PHI or PI, and information related to such disclosures, necessary to respond to a proper request by the subject individual for an accounting of disclosures of PHI or PI, in accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR Part 164.528 and 42 U.S.C. section 17935(c) and, as applicable, Civil Code section 1798.27. If Business Associate maintains electronic health records for CDPH, Business Associate must provide an accounting of disclosures, including those disclosures for treatment, payment, or health care operations. If Business Associate acquires electronic health records for CDPH, Business Associate must provide an accounting of disclosures, including those disclosures for treatment, payment, or health care operations, effective with disclosures on or after the date the electronic health record is acquired. The electronic accounting of disclosures shall be for disclosures during the three years prior to the request for an accounting. J. Breaches and Security Incidents. During the term of the Agreement, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any breach or security incident, and to take the following steps: 1. Notice to CDPH. (1) To notify CDPH immediately by both telephone call and email upon the discovery of a breach of unsecured PHI or PI in electronic media or in any other media if the PHI or PI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves PHI or PI provided to CDPH by the Social Security Administration. If a law enforcement agency determines the notification will impede a criminal investigation, the notification required by this section shall be made to CDPH immediately CDPH HIPAA BAA 9-22 Page 6 of 13 Exhibit F HIPAA Business Associate Addendum after the law enforcement agency determines such notification will not compromise the investigation. (2) To notify CDPH within twenty-four (24) hours by email of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI or PI in violation of the Agreement and this Addendum, or potential loss of confidential PHi or PI affecting the Agreement. If a law enforcement agency determines the notification will impede a criminal investigation, the notification required by this section shall be made to CDPH immediately after the law enforcement agency determines such notification will not compromise the investigation. A breach shall be treated as discovered by Business Associate as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer, or other agent of Business Associate. Notice shall be provided to the CDPH Program Contract Manager, the CDPH Privacy Officer and the CDPH information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves ePHI, notice shall be provided by calling the CDPH ITSD Service Desk. Notice shall be made using the "CDPH Privacy Incident Report" form, including all information known at the time. Business Associate shall use the most current version of this form,which is posted on the CDPH Privacy Office website (i,ttos://www.c.dph.ca,ciov:/Programs/OL`/Pages/Privacy-Office.asp>;), Upon discovery of a breach or suspected security incident, intrusion, or unauthorized access, use or disclosure of PHi or PI, Business Associate shall take: a. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and b. Any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations. 2. Investigation and Investigation Report. To immediately investigate such security incident, breach, or unauthorized access, use or disclosure of PHI or Pl. Business Associate shall cooperate in good faith with CDPH in the investigation of any Breach or Security Incident. CDPH preserves the right to participate in the investigation of a security incident involving its PHI or PI or conduct its own independent investigation, and Business Associate shall cooperate fully in such investigations. Within seventy-two (72) hours of the discovery, Business Associate shall submit an updated "CDPH Privacy Incident Report" containing the information marked with an asterisk and all other applicable information listed on the form, to the extent known at that time, to the CDPH Program Contract Manager, the CDPH Privacy Officer, and the CDPH Information Security Officer. 3. Complete Report. To provide a complete report of the investigation to the CDPH Program Contract Manager, the CDPH Privacy Officer, and the CDPH Information Security Officer within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. The report shall be submitted on the "CDPH Privacy incident Report" form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA, the HiTECH Act, the HIPAA regulations and/or state law_ The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. if CDPH requests information in addition to that listed on the "CDPH Privacy Incident Report" form, Business Associate shall make reasonable efforts to provide CDPH with such information. If necessary, a Supplemental Report may be used to submit revised or additional information after the completed report is submitted, by submitting the revised or additional information on an updated "CDPH Privacy Incident Report" form. CDPH will review and approve the determination of whether a breach occurred, and individual notifications are required, and the corrective action plan. AA BAA 9-22 23-10132 Page 7 of 13 Exhibit F HIPAA Business Associate Addendum 4. Notification of Individuals. If the cause of a breach of PHI or PI is attributable to Business Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any costs associated with the breach. The notifications shall comply with the requirements set forth in California Civil Code section 1798.29 and 42 U.S.C. section 17932 and its implementing regulations, including, but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than sixty (60) calendar days. The CDPH Program Contract Manager, the CDPH Privacy Officer, and the CDPH Information Security Officer shall approve the time, manner, and content of any such notifications and their review and approval must be obtained before the notifications are made. 5. Responsibility for Reporting of Breaches. If the cause of a breach of PHI or PI is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing regulations, including notification to media outlets and to the Secretary. If a breach of unsecured PHI or PI involves more than five hundred (500) residents of the State of California or its jurisdiction, Business Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to CDPH in addition to Business Associate, Business Associate shall notify CDPH, and CDPH and Business Associate may take appropriate action to prevent duplicate reporting. The breach reporting requirements of this paragraph are in addition to the reporting requirements set forth in subsection 1, above. 6. CDPH Contact Information. To direct communications to the above referenced CDPH staff, the Business Associate shall initiate contact as indicated herein. CDPH reserves the right to make changes to the contact information below by giving written notice to the Business Associate. Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated. CDPH Program Contract CDPH Privacy Officer CDPH Information Security Officer Manager See the Scope of Work exhibit Privacy Officer Chief Information Security Officer for Program Contract Manager Office of Legal Services Information Security Office information California Dept. of Public Health California Dept. of Public Health P.O. Box 997377, MS 0506 P.O. Box 997413, MS 6302 Sacramento, CA 95899-7377 Sacramento, CA 95899-7413 Email: pCiy cycicdph.ca.gov Email cd^t-I.inf,�s-; '_u-it,ioffiice _ ni .c_a.a w Telephone: (877) 421-9634 Telephone: IT Service Desk (855) 500-0016 K. Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps to ensure that it remains in compliance with this Addendum and is in compliance with applicable provisions of HIPAA, the HITECH Act and the HIPAA regulations, and that its agents, subcontractors and vendors are in compliance with their obligations as required by this Addendum. L. Sanctions and/or Penalties. Business Associate understands that a failure to comply with the provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Business Associate may result in the imposition of sanctions and/or penalties on Business Associate under HIPAA, the HITECH Act and the HIPAA regulations. CDPH HIPAA BAA 9-22 23-10132 Page 8 of 13 Exhibit F HIPAA Business Associate Addendum IV. Obligations of CDPH CDPH agrees to: A. Notice of Privacy Practices. Provide Business Associate with the Notice of Privacy Practices that CDPH produces in accordance with 45 CFR Part 164.520, as well as any changes to such notice. B. Permission by Individuals for Use and Disclosure of PHI and Pl. Provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI and PI, if such changes affect Business Associate's permitted or required uses and disclosures. C. Notification of Restrictions. Notify Business Associate of any restriction to the use or disclosure of PHI and PI that CDPH has agreed to in accordance with 45 CFR Part 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI and PI. D. Requests Conflicting with HIPAA Rules. Not request Business Associate use or disclose PHI and PI in any manner that would not be permissible under the HIPAA regulations if done by CDPH. V. Audits, Inspection and Enforcement A. From time to time, CDPH may inspect the facilities, systems, books and records of Business Associate to monitor compliance with the Agreement and this Addendum. Business Associate shall promptly remedy any violation of any provision of this Addendum and shall certify the same to the CDPH Privacy Officer in writing. The fact that CDPH inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems and procedures does not relieve Business Associate of its responsibility to comply with this Addendum, nor does CDPH's: 1. Failure to detect; or 2. Detection, but failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of CDPH's enforcement rights under the Agreement and this Addendum. B. If Business Associate is the subject of an audit, compliance review, or complaint investigation by the Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is related to the performance of its obligations pursuant to this HIPAA Business Associate Addendum, Business Associate shall notify CDPH and provide CDPH with a copy of any PHI or PI that Business Associate provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI or PI to the Secretary. Business Associate is responsible for any civil penalties assessed due to an audit or investigation of Business Associate, in accordance with 42 U.S.C. section 17934(c). VI. Requests for PHI or PI by Third Parties. Business Associate and its employees, agents, or subcontractors shall promptly transmit to the CDPH Program Contract Manager all requests for disclosure of any PHI or PI requested by third parties to the agreement between Business Associate and CDPH (except from an individual for an accounting of disclosures of the individual's personal information pursuant to applicable state or federal law), including but not limited to, requests under the California Public Records Act, subpoenas, or court orders, unless prohibited from doing so by applicable state or federal law. VII.Termination CDPH HIPAA BAA 9-22 23-10132 Page 9 of 13 Exhibit F HIPAA Business Associate Addendum A. Term. The Term of this Addendum shall commence as of the effective date of this Addendum and shall extend beyond the termination of the Agreement and shall terminate when all the PHI and PI provided by CDPH to Business Associate or created or received by Business Associate on behalf of CDPH, is destroyed or returned to CDPH, in accordance with 45 CFR section 164.504(e)(2)(ii)(J)_ B. Termination for Cause by CDPH. In accordance with 45 CFR section 164.504(e)(1)(ii), upon CDPH's knowledge of a material breach or violation of this Addendum by Business Associate, CDPH shall: 1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the Agreement if Business Associate does not cure the breach or end the violation within the time specified by CDPH; or 2. Immediately terminate the Agreement if Business Associate has breached a material term of this Addendum and cure is not possible. C. Termination for Cause by Business Associate. In accordance with 42 U.S.C. section 17934(b) of the HITECH Act and to the extent required by the HIPAA regulations, if Business Associate knows of a material breach or violation by CDPH of this Addendum, it shall take the following steps: 1. Provide an opportunity for CDPH to cure the breach or end the violation and terminate the Agreement if CDPH does not cure the breach or end the violation within the time specified by Business Associate; or 2. Immediately terminate the Agreement if CDPH has breached a material term of the Addendum and cure is not possible. D. Judicial or Administrative Proceedings. Business Associate will notify CDPH if it is named as a defendant in a criminal proceeding for a violation of HIPAA. CDPH may terminate the Agreement if Business Associate is found guilty of a criminal violation of HIPAA. CDPH may terminate the Agreement if a finding or stipulation that Business Associate has violated any standard or requirement of HIPAA, or other security or privacy laws is made in any administrative or civil proceeding in which Business Associate is a party or has been joined. E. Effect of Termination. Upon termination or expiration of the Agreement for any reason, Business Associate shall return or destroy all PHI and/ PI received from CDPH (or created or received by Business Associate on behalf of CDPH) that Business Associate still maintains in any form and shall retain no copies of such PHI and PI. If return or destruction is not feasible, Business Associate shall notify CDPH of the conditions that make the return or destruction infeasible, and CDPH and Business Associate shall determine the terms and conditions under which Business Associate may retain the PHI and P1. Business Associate shall continue to extend the protections of this Addendum to such PHI and PI and shall limit further use of such PHI and PI to those purposes that make the return or destruction of such PHI and PI infeasible. This provision shall apply to PHI and PI that is in the possession of subcontractors or agents of Business Associate. Vlll. Miscellaneous Provisions A. Disciaimer. CDPH makes no warranty or representation that compliance by Business Associate with this Addendum, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business Associate's own purposes or that any information in Business Associate's possession or control, or transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure. Business Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI and PI. CDPH HIPAA BAA 9-22 23-10132 Page 10 of 13 Exhibit F HIPAA Business Associate Addendum B. Amendment. The parties acknowledge that federal and state laws relating to electronic PHI and PI security and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations, and other applicable laws relating to the security or privacy of PHI and PI. Upon CDPH's request, Business Associate agrees to promptly enter into negotiations with CDPH concerning an amendment to this Addendum embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable laws. CDPH may terminate the Agreement upon thirty (30) days written notice in the event: 1. Business Associate does not promptly enter into negotiations to amend this Addendum when requested by CDPH pursuant to this Section; or 2. Business Associate does not enter into an amendment providing assurances regarding the safeguarding of PHI and PI that CDPH in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations, and other applicable laws relating to the security or privacy of PHI and PI. C. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and any subcontractors, employees or agents assisting Business Associate in the performance of its obligations under the Agreement, available to CDPH at no cost to CDPH to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CDPH, its directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other laws relating to security and privacy, which involves inactions or actions by Business Associate, except where Business Associate or its subcontractor, employee or agent is a named adverse party. D. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this Addendum is intended to confer, nor shall anything herein confer, upon any person other than CDPH or Business Associate and its respective successors or assignees, any rights, remedies, obligations, or liabilities whatsoever. E. Interpretation. The terms and conditions in this Addendum shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations, and applicable state laws. The parties agree that any ambiguity in the terms and conditions of this Addendum shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, and the HIPAA regulations, and applicable state laws. F. Regulatory References. A reference in the terms and conditions of this Addendum to a section in the HIPAA regulations means the section as in effect or as amended. G. Survival. The respective rights and obligations of Business Associate under Section VII.E of this Addendum shall survive the termination or expiration of the Agreement. H. No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. CDPI-I HIPAA BAA 9-22 23-10132 Pagel 1 of 13 Exhibit F HIPAA Business Associate Addendum Attachment A Business Associate PHI and PI Security Requirements I. Personnel Controls A. Workforce Members Training and Confidentiality. Before being allowed access to PHI and PI, all Business Associate's workforce members who will be granted access to PHI and Pi must be trained in their security and privacy roles and responsibilities at Business Associates expense and must sign a confidentiality and acceptable PHI and PI use statement. Training must be on an annual basis. Acknowledgments of completed training and confidentiality statements, which have been signed and dated by workforce members must be retained by the Business Associate for a period of six (6) years following contract termination. Business Associate shall provide the acknowledgements within five (5) business days to CDPH if so requested. B. Workforce Members Discipline. Appropriate sanctions, including termination of employment where appropriate, must be applied against workforce members who fail to comply with privacy policies and procedures, acceptable use agreements, or any other provisions of these requirements. C. Workforce Member Assessment Before being permitted access to PHI and PI, Business Associate must assure there is no indication its workforce member may present a risk to the security or integrity of PHI and PI. Business Associate shall retain the workforce member's assessment documentation for a period of three (3) years following contract termination. If. Technical Security Controls A. Encryption. All desktop computers, mobile computing devices, and portable electronic storage media that processes or stores PHI and PI must be encrypted using a FIPS 140-2 certified 128 bit or higher algorithm. The encryption solution must be full disk unless approved by the CDPH Information Security Office (ISO) and Privacy Office (PO). FIPS 140-2 certified 128 bit or higher algorithm end- to-end, individual file encryption, or ISO approved compensating security controls, shall be used to protect PHI and PI transmitted or accessed outside the Business Associate's secure internal network (e.g., email, remote access, file transfer, internet/website communication tools). B. Server Security. Servers containing unencrypted PHI and PI must have sufficient local and network perimeter administrative, physical, and technical controls in place to protect the CDPH information asset, based upon a current risk assessment/system security review. C. Minimum Necessary. Only the minimum amount of PHI and PI required to complete an authorized task or workflow may be copied, downloaded, or exported to any individual device. D. Antivirus software. Business Associates shall employ automatically updated malicious code protection mechanisms (anti-malware programs or other physical or software-based solutions) at its network perimeter and at workstations, servers, or mobile computing devices to continuously monitor and take actions against system or device attacks, anomalies, and suspicious or inappropriate activities. E. Patch Management. All devices that process or store PHI and PI must have a documented patch management process. Vulnerability patching for Common Vulnerability Scoring System (CVSS) "Critical" severity ratings (CVSS 9.0 — 10.0) shall be completed within forty-eight (48) hours of publication or availability of vendor supplied patch; "High" severity rated (CVSS 7.0- 8.9) shall be completed within seven (7) calendar days of publication or availability of vendor supplied patch; all CDPH HIPAA BAA 9-22 Page 12 of 13 Exhibit F HIPAA Business Associate Addendum other vulnerability ratings (CVSS 0.1 — 6.9) shall be completed within thirty (30) days of publication or availability of vendor supplied patch, unless prior ISO and PO variance approval is granted. F. User Identification and Access Control. All Business Associate workforce members must have a unique local and/or network user identification (ID) to access PHI and Pi, The unique ID may be passwords, physical authenticators, or biometrics, or in the case of multi-factor authentication, some combination thereof. Should a workforce member no longer be authorized to access PHi and PI, or an ID has been compromised, that ID shall be promptly disabled or deleted. User ID's must integrate with user role-based access controls to ensure that individual access to PHI and PI is commensurate with job-related responsibilities. G. PHI and Pi Destruction. When no longer required for business needs or legal retention periods, all electronic and physical media holding PHI and Pi must be purged from Business Associate's systems and facilities using the appropriate guidelines for each media type as described in the prevailing "National Institute of Standards and Technology— Special Publication 800-88" —"Media Sanitization Decision Matrix." H. System Inactivity Timeout. Business Associate's computing devices holding, or processing PHI and PI must be configured to automatically log-off an authenticated user or lock the device in a manner where the user must reauthenticate the user session after no more than twenty (20) minutes of user inactivity. 1. Warning Banners. During a user log-on process, all systems providing access to PHI and PI, must display a warning banner stating that the PHI and PI is confidential, system and user activities are logged, and system and PHI and PI use is for authorized business purposes only. User must be directed to log-off the system if they do not agree with these conditions. J. System Logging. Business Associate shall ensure its information systems and devices that hold or process PHI and Pi are capable of being audited and the events necessary to reconstruct transactions and support after-the-fact investigations are maintained.This includes the auditing necessary to cover related events, such as the various steps in distributed, transaction-based processes and actions in service-oriented architectures. Audit trail information with PHi and PI must be stored with read-only permissions and be archived for three (3) years after event occurrence. There must also be a documented and routine procedure in place to review system logs for unauthorized access. K. Intrusion Detection. All Business Associate systems and devices holding, processing, or transporting PHI and PI that interact with entrusted devices or systems via the Business Associate intranet and/or the internet must be protected by a monitored comprehensive intrusion detection system and/or intrusion prevention system. Ill. Audit Controls A. System Security Review. Business Associate, to assure that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection for PHI and Pi, shall conduct at least, an annual administrative assessment of risk, including the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of an information system or device holding processing, or transporting PHi and P1, along with periodic technical security reviews using vulnerability scanning tools and other appropriate technical assessments. "H HiPAA BAA 9-22 Page 13of13 Exhibit F HIPAA Business Associate Addendum B. Change Control. All Business Associate systems and devices holding, processing, or transporting PHI and PI shall have a documented change control process for hardware, firmware, and software to protect the systems and assets against improper modification before, during, and after system implementation. IV. Business Continuity/ Disaster Recovery Controls A. Emergency Mode Operation Plan. Business Associate shall develop and maintain technical recovery and business continuity plans for systems holding, processing, or transporting PHI and PI to ensure the continuation of critical business processes and the confidentiality, integrity, and availability of PHI and PI following an interruption or disaster event lasting more than twenty-four (24) hours. B. PHI and PI Backup Plan. Business Associate shall have a documented, tested, accurate, and regularly scheduled full backup process for systems and devices holding PHI and PI. V. Paper Document Controls A. Supervision of PHI and Pl. PHI and PI in any physical format shall not be left unattended at any time. When not under the direct observation of an authorized Business Associate workforce member, the PHI and PI must be stored in a locked file cabinet, desk, or room. It also shall not be left unattended at any time in private vehicles or common carrier transportation, and it shall not be placed in checked baggage on common carrier transportation. B. Escorting Visitors. Visitors who are not authorized to see PHi and PI must be escorted by authorized workforce members when in areas where PHI and PI is present, and PHI and PI shall be kept out of sight of visitors. C. Removal of PHI and Pl. PHI and PI in any format must not be removed from the secure computing environment or secure physical storage of the Business Associate, except with express written permission of the PHI and PI owner. D. Faxing and Printing. Business Associate shall control access to information system output devices, such as printers and facsimile devices, to prevent unauthorized individuals from obtaining any output containing PHI and PI. Fax numbers shall be verified with the intended recipient before transmittal. E. Mailing. Mailings of PHI and Pi shall be sealed and secured from damage or inappropriate viewing to the extent possible. Mailings which include five hundred (500) or more individually identifiable records of PHI and P1 in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt, unless the prior written permission of CDPH to use another method is obtained. HIPAA BAA 9-22 California Department of Public Health State of California-Health and Human Jejvwc� `&OX a, D 'w Exhibit G !)("'DPH Pui !i, Health 4tiioxM`� MESSAGE FROM AIDS DRUG ASSISTANCE PROGRAM NOTICE OF PRIVACY PRACTICES Effective May 30, 2019 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The AIDS Drug Assistance Program (ADAP) must keep your health information private. ADAP receives information about you when you apply for benefits and when your pharmacist sends ADAP a bill for your care. ADAP also receives medical information on your treatment when ADAP approves your care. ADAP must give you this notice about the law and how ADAP can use and share your health information and what your rights are. All information requested by ADAP must be provided in order participate in ADAP. HOW ADAP MAY USE AND SHARE INFORMATION ABOUT YOU ADAP may only use and share information about you, as required or permitted by law, in the operation of ADAP, Ryan White HIV/AIDS Program, Covered California, and Medi-Cal. This information includes things like your name, address, medical history, Social Security number, medical care given to you, and other personal information. ADAP uses this information and shares it with others for the following reasons: • For payment: ADAP and others that work with ADAP review, approve, and pay for pharmacy bills sent to ADAP for your medical care. When ADAP does this, ADAP shares information with the pharmacy benefits manager, pharmacists and doctors and others who bill ADAP for your care. • For health care operations: ADAP may use your health records to check the quality of the prescription drug treatment you receive and to check your medical need to receive restricted ADAP drugs. ADAP may also use this information in audits or fraud investigations, or for planning and managing ADAP. • For eligibility determination: ADAP may share your ADAP information with a Covered California Certified Enrollment Counselor, or with a benefits counselor, case manager, or OA-Health Insurance Premium Payment Program (OA-HIPP) enrollment worker who is an employee or contractor of a Health Insurance and Portability and Accountability Act (HIPAA)-covered county health department delivering HIV or AIDS health care services, for the purpose of enrolling you in and NPP 05-19 Page 1 of 5 Page 2 of 5 continuing your access to a Medi-Cal or Covered California health plan . ADAP may also share your name and Social Security number or individual taxpayer identification number with the California State Franchise Tax Board. This allows ADAP to verify your income from reported tax records and allows us to obtain required financial documentation if you do not have these records. SOME OTHER WAYS ADAP MAY SHARE YOUR INFORMATION The law also allows ADAP to use or disclose information ADAP has about you for the following reasons: • To contact you about your ADAP benefits. • When required by state or federal law. • To agencies that oversee audits or investigations for purposes directly related to ADAP. • In appeals of decisions about health care claims paid or denied by ADAP. • To the federal government when it is checking on how ADAP is meeting privacy laws. • To other government agencies that give public benefits such as Medi-Cal, under specified conditions permitted by law. • To Federal, State, or private entities for purposes of obtaining reimbursement for services as the payer of last resort; such activities may create an explanation of benefits that could be sent to a primary policyholder who may not be ADAP client. ADAP may give out health information about you to organizations that help run ADAP. If ADAP does perform such disclosures, ADAP will protect the privacy of your information that ADAP shares. Some state laws limit sharing the information listed above. For example, there are special laws, which protect information about HIV/AIDS status, mental health treatment, developmental disabilities, and drug and alcohol abuse care. ADAP will obey these laws. WHEN WRITTEN PERMISSION IS NEEDED If ADAP wants to use or give out personal and health information about you for any reason that is not listed above, ADAP must ask your permission in writing. You may take back your written permission at any time, except if we have already acted because of your permission. ADAP NPP 05-19 Page 2 of 5 WHAT ARE YOUR PRIVACY RIGHTS UNDER THE LAW? You have the right to: • Ask ADAP not to use or share your personal health care information in the ways listed above. However, ADAP may not be able to honor your request. • Ask ADAP to contact you in writing only or at a different address, post office box, or by telephone. ADAP will accept reasonable requests if needed for your safety_ • See and get a copy of your ADAP information. You may have someone else see and get a copy of your ADAP information. ADAP has information about your eligibility, your health care bills, and some medical records that ADAP uses to allow or manage your health care services. You will need to pay a fee for ADAP to copy and mail the records. ADAP may keep you from seeing all or parts of your records when the law allows. If ADAP does deny your access request, ADAP will give you information on how to appeal our decision. • Change the records if you believe some information ADAP has about you is wrong. ADAP may deny your request if the information was not made or kept by ADAP or the information is already correct and complete. If your request is denied, you may write a letter disagreeing with ADAP's decision and your letter will be kept with your records. IMPORTANT ADAP DOES NOT HAVE COMPLETE COPIES OF YOUR MEDICAL RECORDS. IF YOU WANT TO LOOK AT, GET A COPY OF, OR CHANGE YOUR MEDICAL RECORDS, PLEASE CONTACT YOUR DOCTOR, CLINIC, OR HEALTH CARE PLAN. • You have the right to ask for a list of the times when ADAP has shared your health information after April 14, 2003. The list will tell you what information ADAP shared, with whom, when, and for what reasons. The list will not have when ADAP gave information to you, when ADAP had your permission to make a disclosure, or when ADAP shared your information for treatment, payment, or health care operations. • You have a right to receive a written copy of this Notice of Privacy Practices when you request it. You can also find this notice on our website at IlTii)5'%iwVdW c'dlJil Cd GfJ'v�;='i�C�f-il"l�S�!�I!��LJ..i/1if''cat��E�Ji-lciCitl�.ca�p?;t VPP 05-19 Page 3 of 5 Page 4 of 5 HOW DO YOU CONTACT ADAP TO USE YOUR RIGHTS? Please call or write ADAP if you want to receive the form(s) you will need to exercise your privacy rights. ADAP Health Insurance Portability and Accountability Act Coordinator c/o ADAP Department of Public Health MS 7704, P.O. Box 997426 Sacramento, CA 95899-7426 (844) 421-7050 You may also contact your ADAP enrollment worker for the forms necessary to exercise your rights. If you believe that ADAP has not protected your privacy, you may file a complaint by calling or writing to: Privacy Officer California Department of Public Health Office of Legal Services Privacy Office 1415 L Street Suite 500 Sacramento, CA 95814 (877) 421-9634 iwivacy6�cdoh.ca.gov ADAP NPP 05-19 Page 4 of 5 Page 5 of 5 COMPLAINTS You may also call or write the Secretary of the United States (U.S.), Department of Health and Human Services, Office for Civil Rights, 90 7th Street, Suite 4-100, San Francisco, CA 94103, telephone (800) 368-1019, TDD (800) 537-7697, or email at ocrrnail(ci�hhs.gsjv. ADAP cannot take away your health care benefits, retaliate in any way if you file a complaint, or use any of the privacy rights in this notice. If you have any questions about this notice, and want more information please contact the California Department of Public Health, Privacy Officer, at the address and telephone number listed above. CHANGES TO NOTICE OF PRIVACY PRACTICES ADAP must obey the rules of this notice. ADAP has the right to make changes to this ADAP Notice of Privacy Practices. If ADAP does make any material changes, ADAP will amend this notice and give it to you right away. To get a copy of this notice in other languages, Braille, large print, or computer disk, please call or write to ADAP at the phone number or address listed. ADAP NPP 05-19 Page 5 of 5 •"` � 23-10132 a Page 1 of 5 V �Exhibit H I)CDPH So ' State California H�art . Health and Human Services Agency California Department c= Public Health MESSAGE FROM PrEP ASSISTANCE PROGRAM NOTICE OF PRIVACY PRACTICES Effective June 18, 2019 THIS NOT ICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN! GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. The Pre-Exposure Prophylaxis Assistance Program (PrEP-AP) must keep your health information private. PrEP-AP receives information about you when you apply for benefits and when your pharmacist sends PrEP-AP a bill for your care. PrEP-AP also receives medical information on your treatment when PrEP-AP approves your care. PrEP-AP must give you this notice about the law and how PrEP-AP can use and share your health information and what your rights are. All information requested by PrEP-AP must be provided in order participate in PrEP-AP. HOW PrEP-AP MAY USE ARID SHARE INFORMATION ABOUT YOU PrEP-AP may only use and share information about you, as required or permitted by law, in the operation of PrEP-AP consistent with California Health and Safety Code section 120972, This information includes things like your name, address, medical history, Social Security number, medical care given to you and other personal Information. PrEP-AP uses this information and shares it with others for the following reasons: For payment: PrEP-AP and others that work with PrEP-AP review, approve, and pay for pharmacy bills sent to PrEP-AP for your medical care. When PrEP-AP does this, PrEP-AP shares information with the pharmacy benefits manager, pharlriaclsts and doctors and others who bill PrEP-AP for your care. For health care operations: PrEP-AP may use your health records to check the quality of the prescription drug treatment you receive and to check, your medical need to receive restricted PrEP-AP drugs. PrEP-AP may also use this information in audits or fraud investigations, or for planning and managing PrEP-AP. For eligibility determination: PrEP-AP may share your PrEP-AP information with contractors for the purpose of PrEP-AP administration, including eligibility and enrollment activities. PrEP-AP NPP 06-19 Page 'I of 5 23-10132 Page 2 of 5 PrEP-AP may also share your name and Social Security number or individual taxpayer identification number with the California State Franchise Tax Board. This allows PrEP-AP to verify your income from reported tax records and allows us to obtain required financial documentation if you do not have these records. SOME OTHER WAYS PrEP-AP MAY SHARE YOUR INFORMATION The law also allows PrEP-AP to use or disclose information PrEP-AP has about you for the following reasons: • To contact you about your PrEP-AP benefits. • When required by state or federal law. • To agencies that oversee audits or investigations for purposes directly related to PrEP-AP. • In appeals of decisions about health care claims paid or denied by PrEP-AP. • To the federal government when it is checking on how PrEP-AP is meeting privacy laws. • To other government agencies that give public benefits such as Medi-Cal, under specified conditions permitted by law. • To Federal, State, or private entities for purposes of obtaining reimbursement for services as the payer of last resort; such activities may create an explanation of benefits that could be sent to a primary policyholder who may not be the PrEP-AP client. PrEP-AP may give out health information about you to organizations that help run PrEP- AP. If PrEP-AP does perform such disclosures, PrEP-AP will protect the privacy of your information that PrEP-AP shares. Some state laws limit sharing the information listed above. For example, there are special laws, which protect information about HIV/AIDS status, mental health treatment, developmental disabilities, and drug and alcohol abuse care. PrEP-AP will obey these laws. WHEN WRITTEN PERMISSION IS NEEDED If PrEP-AP wants to use or give out personal and health information about you for any reason that is not listed above, PrEP-AP must ask your permission in writing. You may take back your written permission at any time, except if we have already acted because of your permission. PrEP-AP NPP 06-19 Page 2 of 5 23-10132 Page 3 of 5 WHAT ARE YOUR PRIVACY RIGHTS UNDER THE LAW? You have the right to: • Ask PrEP-AP not to use or share your personal health care information in the ways listed above. However, PrEP-AP may not be able to honor your request. • Ask PrEP-AP to contact you in writing only or at a different address, post office box, or by telephone. PrEP-AP will accept reasonable requests if needed for your safety. • See and get a copy of your PrEP-AP information. You may have someone else see and get a copy of your PrEP-AP information. PrEP-AP has information about your eligibility, your health care bills, and some medical records that PrEP-AP uses to allow or manage your health care services. You will need to pay a fee for PrEP-AP to copy and mail the records. PrEP-AP may keep you from seeing all or parts of your records when the law allows. If PrEP-AP does deny your access request, PrEP-AP will give you information on how to appeal our decision. • Change the records if you believe some information PrEP-AP has about you is wrong. PrEP-AP may deny your request if the information was not made or kept by PrEP-AP or the information is already correct and complete. If your request is denied, you may write a letter disagreeing with PrEP-AP's decision and your letter will be kept with your records. IMPORTANT PrEP-AP DOES NOT HAVE COMPLETE COPIES OF YOUR MEDICAL RECORDS. IF YOU WANT TO LOOK AT, GET A COPY OF, OR CHANGE YOUR MEDICAL RECORDS, PLEASE CONTACT YOUR DOCTOR, CLINIC, OR HEALTH CARE PLAN. • You have the right to ask for a list of the times when PrEP-AP has shared your health information. The list will tell you what information PrEP-AP shared, with whom, when, and for what reasons. The list will not have when PrEP-AP gave information to you, when PrEP-AP had your permission to make a disclosure, or when PrEP-AP shared your information for treatment, payment, or health care operations. • You have a right to receive a written copy of this Notice of Privacy Practices when you request it. You can also find this notice on our website at: PrEP-AP NPP 06-19 Page 3 of 5 23-10132 Page 4 of 5 HOW DO YOU CONTACT PrEP-AP TO USE YOUR RIGHTS? Please call or write PrEP-AP if you want to receive the form(s) you will need to exercise your privacy rights. ADAP Health Insurance Portability and Accountability Act Coordinator c/o PrEP-AP Department of Public Health MS 7704, P.O. Box 997426 Sacramento, CA 95899-7426 (844) 421-7050 You may also contact your PrEP-AP enrollment worker for the forms necessary to exercise your rights. If you believe that PrEP-AP has not protected your privacy, you may file a complaint by calling or writing to: Privacy Officer California Department of Public Health Office of Legal Services Privacy Office 1415 L Street Suite 500 Sacramento, CA 95814 (877) 421-9634 privacytaa,cdph.ca.goy PrEP-AP NPP 06-19 Page 4 of 5 23-10132 Page 5 of 5 COMPLAINTS You may also call or write the Secretary of the United States (U.S.), Department of Health and Human Services, Office for Civil Rights, 90 7th Street, Suite 4-100, San Francisco, CA 94103, telephone (800) 368-1019, TDD (800) 537-7697, or email at U �I'i'ilcali(C!?f"ill�.Q is/. PrEP-AP cannot take away your health care benefits, retaliate in any way if you fi le a complaint, or use any of the privacy rights in this notice. If you have any questions about this notice, and want more information please contact the California Department of Public Health, Privacy Officer, at the address and telephone number listed above. CHANGES TO NOTICE OF PRIVACY PRACTICES PrEP-AP must obey the rules of this notice. PrEP-AP has the right to make changes to this PrEP-AP Notice of Privacy Practices. If PrEP-AP does make any material changes, PrEP-AP will amend this notice and give it to you right away. To get a copy of this notice in other languages, Braille, large print, or computer disk, please call or write to PrEP-AP at the phone number or address listed. PrEP-AP NPP 06-19 Page 5 of 5 23-10132 STATE OF CALIFORNIA Page 1 of 1 NONDISCRIMINATION CLAUSE (OCP-1) STD.17A(Rev.10/2019) Exhibit I 1. During the performance of this contract, contractor and its subcontractors shall not unlawfully discriminate, harass or allow harassment, against any employee or applicant for employment because of sex, sexual orientation, race, color, religious creed, marital status, denial of family and medical care leave, ancestry, national origin,medical condition (cancer/genetic characteristics), age (40 and above), disability (mental and physical) including HIV and AIDS, denial of pregnancy disability leave or reasonable acconunodation. Contractor and subcontractors shall ensure that the evaluation and treatment of their employees and applicants for employment are free from such discrimination and harassment. Contractor and subcontractors shall comply with the provisions of the Fair Employment and Housing Act (Gov. Code, §12900 et seq.) and the applicable regulations promulgated thereunder (Cal. Code Regs, tit. 2, §7285.0 et seq.). The applicable regulations of the Fair Employment and Housing Commission implementing Government Code, §12990 (aHo, are incorporated into this contract by reference and made a part hereof as if set forth in ful I (Cal. Code Regs, tit. 2, §7285.0 et seq.). Contractor and its subcontractors shall give written notice of their obligations under this clause to labor organizations with which they have a collective bargaining or other agreement. 2. This Contractor shall include the non-discrimination and compliance provisions of this clause in all subcontracts to perform work tinder contract. Page i or v Exhibit J Restrictions and Requirements for the Use and Disclosure of HIV/AIDS Public Health Data This Attachment sets forth the HIV/AIDS-specific information use and disclosure requirements that Contractor is obligated to follow (in addition to all other confidentiality requirements set forth in the contract and other attachments thereto) with respect to all HIV/AIDS Public Health data disclosed to Contractor by the California Department of Public Health (CDPH). 1. Definitions: For purposes of this Agreement, the following definitions shall apply: A. HIV/AIDS Public Health Data: "HIV/AIDS Public Health data" means confidential public health record or records collected or maintained by the CDPH Office of AiDS Programs, including but not limited to the AIDS Drug Assistance Program (ADAP), the Pre-Exposure Prophylaxis Assistance Program (PrEP-AP), and the HIV Care Program relating to human immunodeficiency virus (HIV) or acquired immunodeficiency syndrome (AIDS), containing personally identifying information, that were developed or acquired by a state public health agency, or an agent of that agency." Confidential public health record or records" is defined in Health and Safety (H&S) Code section 121035, subdivision (c), and means "any paper or electronic record maintained by the department or a local health department or agency, or its agent, that includes data or information in a manner that identifies personal information, including, but not limited to, name, social security number, address, employer, or other information that may directly or indirectly lead to the identification of the individual who is the subject of the record." HIV/AIDS Public Health data includes, but is not limited to: client name (first, middle initial, last), date of birth, and Social Security Number. B. Disclosure: "Disclosure" means the release, transfer, provision of, access to, or divulging in any other manner of information. "Disclosure" includes the disclosure, release, transfer, dissemination, or communication of all or any part of any confidential research record orally, in writing, or by electronic means to any person or entity, or providing the means for obtaining the records (H&S Code sections 121035 and 121125). C. Use: "Use" means the sharing, employment, application, utilization, examination, or analysis of information. 11. Legal Authority for Disclosure and Use of HIV/AIDS Public Health Data: The legal authority for CDPH to collect, use, and disclose HIV/AIDS Public Health Data, and for Contractor to receive and use HIV/AIDS Public Health Data is as follows: A. General Legal Authority: 1. Office of Aids (OA): H&S Code section 131019, provides as follows: "There is in the State Department of Public Health an Office of AIDS. The State Department of Public Health, Office of AIDS, shall be the lead agency within the state, responsible for coordinating state programs, services, and activities relating to the human immunodeficiency virus (HIV), acquired immune deficiency syndrome (AIDS), and AiDS related conditions (ARC)." 2. Office of Aids (OA): H&S Code section 131051, provides as follows: `The duties, powers, functions, jurisdiction, and responsibilities transferred to the State Department of Public Health shall, pursuant to the act that added this section, include all of the following previously performed by the former State Department of Health Services: (a) Under the jurisdiction of the Deputy Director for Prevention Services: (1) The Office of AIDS, including but not limited to: (A) The AIDS Drug Assistance Program (Chapter 6 Page 2 of 4 Exhibit J Restrictions and Requirements for the Use and Disclosure of HIV/AIDS Public Health Data (commencing with Section 120950) of Part 4 of Division 105).... (C) The CARE Services Program, provided for pursuant to the federal Ryan White CARE Act, 42 U.S.C. Section 300ff, (D) The CARE/Health Insurance Premium Payment Program (federal Ryan White CARE Act, 42 U.S.C. Sec. 300ff).... (G) The AIDS Case Management Prograrn (federal Ryan White CARE Act, 42 U.S.C. Sec. 300ff; Chapter 2 (commencing with Section 120815) of Part 4 of Division 105)." B. AIDS Drug Assistance Program (ADAP) Legal Authority: 1_ Legislative Intent for Drug Assistance: H&S Code section 120950, subdivision (b), provides as follows: "For reasons of compassion and cost effectiveness, the State of California has a compelling interest in ensuring that its citizens infected with the HIV virus have access to these drugs." 2. Subsidy for Drug Treatment: H&S Code section 120950, subdivision (c), provides as follows: "The department subsidizes the cost of these drugs for persons who do not have private health coverage, are not eligible for Medi-Cal, or cannot afford to purchase the drug privately. The subsidy program is funded through state and federal sources_" 3. Establishment of ADAP: H&S Code section 120955, subdivision (a)(1), provides as follows: " To the extent that state and federal funds are appropriated in the annual Budget Act for these purposes, the director shall establish and may administer a program to provide drug treatments to persons infected with human immunodeficiency virus (HIV), the etiologic agent of acquired immunodeficiency syndrome (AIDS)." 4. Paver of Last Resort: H&S Code section 120955, subdivision (h), provides as follows: "Reimbursement under this chapter shall not be made for any drugs that are available to the recipient under any other private, state, or federal programs, or under any other contractual or legal entitlements, except that the director may authorize an exemption from this subdivision where exemption would represent a cost savings to the state." 5. Disclosure Permitted for ADAP Administration and Coordination of Client Eligibility: H&S Code section 120970, subdivision (i), provides as follows: "All types of information, whether written or oral, concerning a client, made or kept in connection with the administration of ADAP services, which includes subsidizing costs associated with health care service plan contracts and health insurance premium payment assistance, shall be confidential, and shall not be used or disclosed except ... for purposes directly connected with the administration of the program," (paragraph 1); and "for coordinating client eligibility with programs funded by the federal Ryan White HIV/AIDS Program (Ryan White HIV/AIDS Treatment Extension Act of 2009, (Public Law 111-87, 42 U_S.C, Sec. 201, et seq.))" (paragraph 2). C. Pre-Exposure Prophylaxis Assistance Program (PrEP-AP) Legal Authority_: .1. General Authority: H&S Code section 120972, subdivision (a), provides as follows: "To the extent that funds are available for these purposes, the director may establish and administer a program within the department's Office of AIDS to subsidize certain costs of medications for the prevention of HIV infection and other related medical services, as authorized by this section...." 23-10132 Page 3 of 4 Exhibit J Restrictions and Requirements for the Use and Disclosure of HIV/AIDS Public Health Data 2. Disclosure Permitted for PrEP-AP Administration: H&S Code section 120972, subdivision (i), provides as follows: "All types of information; whether written or oral, concerning a client, made or maintained in connection with the administration of this program, shall be confidential, and shall not be used or disclosed except for any of the following: (1) For purposes directly connected with the administration of the program. (2) If disclosure is otherwise authorized by law." D. California HIV/AIDS Disclosure Authority: 1. Disclosure Permitted for Public Health Purposes: H&S Code section 121025, subdivision (a), provides as follows: "Public health records relating to [HIV/AIDS], containing personally identifying information, that were developed or acquired by a state or local public health agency, or an agent of that agency, are confidential and shall not be disclosed, except as otherwise provided by law for public health purposes...." 2. Disclosure Permitted to Carry Out the Investigation, Control, or Surveillance Duties of CDPH and Contractor: H&S section 121025, subdivision (b), provides as follows: "In accordance with subdivision (g) of section 121022, a state or local public health agency, or an agent of that agency, may disclose personally identifying information in public health records... to other local, state, or federal public health agencies... when the confidential information is necessary to carry out the duties of the agency... in the investigation, control, or surveillance of disease, as determined by the state or local public health agency." 3. Only Minimum Necessary Disclosure Permitted: H&S Code section 121025, subdivision (c), provides as follows: "Any disclosures authorized... shall include only the information necessary for the purpose of that disclosure...." 4. Agreement Required: H&S Code section 121025, subdivision (c), provides as follows: "Except as provided in paragraphs (1) to (3), inclusive... any disclosure authorized by subdivision (a) or (b) shall not be made without written authorization as described in subdivision (a)...." 5. Disclosure for the Purpose of Facilitating Appropriate HIV/AIDS Medical Care and Treatment: H&S Code section 121025, subdivision (c)(2)(A), provides as follows: "State public health agency HIV surveillance staff, HIV prevention staff, AIDS Drug Assistance Program staff, and care services staff may further disclose the information to local public health agency staff, who may further disclose the information to the HIV-positive person who is the subject of the record, or the health care provider who provides his or her HIV care, for the purpose of proactively offering and coordinating care and treatment services to hire or her." 5. State and Local Breach Investigation: H&S Code section 121022, subdivision (h), provides as follows: "(1) Any potential or actual breach of confidentiality of HIV-related public health records shall be investigated by the local health officer, in coordination with the department, when appropriate. The local health officer shall immediately report any evidence of an actual breach of confidentiality of HIV-related public health records at a city or county level to the department and the appropriate law enforcement agency. (2) The department shall investigate any potential or actual breach of confidentiality of HIV- 23-10132 Page 4 of 4 Exhibit J Restrictions and Requirements for the Use and Disclosure of HIV/AIDS Public Health Data related public health records at the state level, and shall report any evidence of such a breach of confidentiality to an appropriate law enforcement agency." Ili. Disclosure Restrictions: The Contractor and its employees or agents, shall protect from unauthorized disclosure any HIV/AIDS Public Health Data. The Contractor shall not disclose, except as otherwise specifically permitted by the contract between CDPH and Contractor, any HIV/AIDS Public Health Data to anyone other than CDPH, Office of AIDS, ADAP Branch, PrEP-AP, and HIV Care Branch staff. Contractor and its employees and agents shall not disclose any HIV/AIDS Public Health Data to persons who are not authorized by statute to receive such information, except if disclosure is required by state or federal law. IV. Use Restrictions: The Contractor and its employees or agents, shall not use any HIV/AIDS Public Health Data for any purpose other than carrying out the Contractor's obligations under the contract between CDPH and Contractor (compare HIV/AIDS Public Health client data against Medi-Cal beneficiary data and provide results to CDPH), pursuant to the statutes and regulations set forth in Section II, above, or as otherwise allowed or required by state or federal law. V. Confidentiality Agreements: All employees, agents, including subcontractors, to whom Contractor provides HIV/AIDS Public Health Data received from or created or received by Contractor, agree to the same restrictions and conditions that apply to Contractor with respect to such HIV/AIDS Public Health Data. 23-10132 Page 1 of 21 Exhibit K COPI rnr I PublicHealth INFORMATION SECURITY OFFICE Information Systems Security Requirements for Projects ISO / SR1 } Version 4.0 February 2010 23-10132 Page 2 of 21 TABLE OF CONTENTS LPURPOSE..........................................................................................................................................4 I1. SCOPE OF REQUIREMENTS.......................................................................................................4 111. CONTACT.........................................................................................................................................4 IV. INFORMATION SYSTEMS SECURITY REQUIREMENTS.................................................... 5 A. ADMINISTRATIVE./MANAGEMENT SAFEGUARDS................. 1. Workforce Confidentiality Statement........................................................................... 5 2. Access•Authorization&Maintenance......................................................................... i 3. !)formation Svstem Activity Revieii....................................._....................................... 5 4. Periodic Svstem Security& Log Revimi...................................................................... 5 5. Disaster Recovery Plan............................................................................................... 6 6. Change Control. ............................................................ --.._............................. 6 7. Supervision ofhformation.......................................................................................... 6 8. Escorting Visitors........................................................................................................ 6 B. TECHNICAL AND OPERATIONAL SAFEGUARDS.........................................................................7 1. Systern Security Compliance........................................................................................ 7 2. Malware Protection..................................................................................................... 7 _i. Patch Management,............ ...**............. 7 4. Encrypted Electronic Transvnissfons........................................................................... 7 5. Encrypted Information Storage................................................................................... 7 6. Workstation/Laptop Encv_lpticm................................................................................. 7 7. Removable Media Encryption................... ................................................................. 8 8. Secure Connectivitv...................................................................... ......... 8 ...................... 9. Intrusion Detection and Prevention............................................................................. 8 10. Minimum Information Download................................................................................ 8 11. Infar•mation Sanitization.............................................................................................. 8 12. Removal of'Inforrnation...............................................................................................8 13. Faring or Mailing qlb formation................................................................................ 9 C. SOLUTION ARCHITECI'URE..................................................................................................... 10 1. System Security Cornpliance...................................................................................... 10 2. Warning Banner......................................................................................................... 10 3. Layered Application Design...................................................................................... 10 4. Input Validation......................................................................................................... 11 5. Data Queries............................................................................................................. 1/ 6. Username/Password Based Authentication............................................................... 12 7. Administrative/Privileged Accounts Management................................................... 12 8. Service Accounts Managentent.................................................................................. 13 9. Authentication and Authorization.............................................................................. 13 10. Authentication Logging............................................................................................. 14 11. Automatic Svstem Session Expiration........................................................................ 14 12. _4utomatic Svstem Lock-out and Reporting................ ............ 14 13. Atrdit(Acces..$)................................................................................................ .... 14 14. Audit(Minimum Irformationl•.................................................................................. 14 1.5. Application Security Controls................................................................................... 15 16. Application Code Security......................................................................................... 15 17. Strong.4whenticatfort................................................................................................ 16 D. DOCUMENTATION OF SOLUTION............................................................................................. 17 1. Systern Corrligur•atiort.................................................................... ..... 17 . ....................... 2. In%rrnation Classyleation......................................................................................... 17 3. System Roles and Relationships................................................................................. 17 4. Audit Method Documentation.................................................................................... 17 5. Retention gfDocurnentation...................................................................................... 17 E. ISO NOTIFICATIONS AND APPROVALS ................................................................................... 19 23-10132 Page 3 of 21 1. Security Compliance Notificcttion.............................................................................. 18 2. Notification of Changes to Solution........................................................................... 1,3 3. Notification ofBreach............................................................................................... 18 4. Project Securih'Approvals........................................................................................ 18 S. Application Security Approvals................................................................................. 19 F. APPENDix A—SR1 ExiimPTION FORM...................................................................................20 23-10132 Page 4 of 21 Type: ISO Requirements Issued: February 08, 2010 Doc Number: SR1 v4.0 • C O li )H Revised: 11 Title: Information Systems Security Requirements for Projects ..Health IMPORTANT NOTE: If an exemption from any SR1 requirement is required, the SR1 Exemption Form in Appendix A must be completed by the Project Manager or Contract Manager. I. Purpose This document provides the minimum security requirements mandated by the California Department of Public Health (CDPH) Information Security Office (ISO) for projects governed and/or subject to the policies and standards of CDPH. Projects that intend to deploy systems/applications into the CDPH system infrastructure, or will utilize CDPH information system services, are also subject to these minimum security requirements. This document is intended to assist CDPH and its service customers in understanding the criteria CDPH will use when evaluating and certifying the system design, security features and protocols used by project solutions utilizing CDPH services. These security requirements will also be used in conjunction with the CDPH ISO compliance review program of its information system services customers. This document will serve as a universal set of requirements which must be met regardless of physical hosting location or entities providing operations and maintenance responsibility. These requirements do not serve any specific project, nor do they prescribe any specific implementation technology. U. Scope of Requirements The information security requirements in this document are organized in five categories (sections) and address at a minimum: • Administrative/Management Safeguards ■ Technical and Operational Safeguards ■ Solution Architecture • Documentation of Solution ■ ISO Notifications and Approvals III. Contact Chief Information Security Officer California Department of Public Health Information Security Office (ISO) cdphiso@cdph.ca.gov 23-10132 Page 5 of 21 IV. Information Systems Security Requirements A. Administrative / Management Safeguards 1. Workforce Confidentiality Statement All persons working with CDPH information must sign a Security and Confidentiality Acknowledgement Statement. The Statement must include, at a rninimum: General Use, Sercurity and Privacy safeguards, Unacceptable Use, Audit and Enforcement policies. (Contact the CDPH ISO for the current version of the Security & Confidentiality Acknowledgement Statement in use.) The Statement must be signed by the Project member prior to being granted access to the CDPH information. The Statement must be renewed annually. 2. Access Authorization & Maintenance Project/Program must document and implement clearly defined rules and processes for vetting and granting authorizations, as well as procedures for the supervision of workforce members who work with CDPH information or in locations where it might be accessed. On at least a semi-annual basis, Project/Program will review and remove all authorizations for individuals who have left the department, transferred to another unit, or assumed new job duties within CDPH. 3. Information System Activity Review Project/Program must implement and document procedures to regularly review records of information system activity(such as audit logs, access reports, and security incident tracking reports). Project/Program must ensure any hosting or maintenance agreements clearly identify responsibility for this activity. Logs may be stored within the system or preferably on a centralized logging server or service, and must be maintained for a minimum of three years. 4. Periodic System Security & Log Review All systems must allow for periodic system security reviews that provide assurance that management, operations, personnel, and technical controls are functioning effectively and providing adequate levels of protection. These reviews may include technical tools and security procedures (such as vulnerability assessment products and penetration testing). All systems processing andlor storing CDPH information must have a method or procedure in place to create and review system logs for unauthorized access. Logs may be stored within the system or on a centralized logging server or service, and must be maintained for a minimum of three years. 23-10132 Page 6 of 21 5. Disaster Recovery Plan Project/Program will establish procedures that allow facility access in support of restoration of lost information under the Disaster Recovery Plan (DRP) and emergency mode operations plan in the event of an emergency. The restoration/recovery support procedures must be added to the existing DRP to restore any loss of information and assure continuity of computing operations for support of both the application and information. Recovery procedures must be developed using the most current DRP template provided by the CDPH ISO. All systems, as part of a new or existing project, must allow for periodic system recovery testing. The period between tests should be defined as part of the project and be consistent with relevant CDPH disaster recovery standards. Such testing should provide assurances that plans and controls (management, operations, personnel, and technical)are functioning effectively and providing adequate levels of protection during an incident, disaster, or breach. Project/Program will conduct an annual Business Impact Analysis of the application to determine the Maximum Acceptable Outage (MAO), cost of lost functionality, system component dependencies, business function dependencies, and business partner dependencies. 6. Change Control All systems processing and/or storing CDPH information must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity, and availability of information. Systems running within the CDPH environment and/or utilizing CDPH services must comply with CDPH standards for change control process and procedures. 7. Supervision of Information Classified information in paper form must not be left unattended at any time, unless it is locked in a file cabinet, file room, desk, or office. Unattended means that information is not being observed by an employee authorized to access the information. Classified information in paper form must also not be left unattended at any time in vehicles or planes, and must not be transported in checked-in baggage on commercial airplanes. 8. Escorting Visitors Visitors to areas where classified information is contained must be escorted and classified information must be kept out of sight while visitors are in the area. 23-10132 Page 7 of 21 B. Technical and Operational Safeguards 1. System Security Compliance All Project systems must comply with applicable CDPH security policies and requirements, as specified in the State Administrative Manual (SAM), Public Health Administrative Manual (PRAM), Privacy Act, and any other applicable State or Federal regulation. All security safeguards and precautions must be subject to the approval of the CDPH ISO. 2. Malware Protection All systems must install and actively use anti-virus software, with a minimum daily automatic update scheduled. Systems such as mainfrarnes, where anti-virus is unavailable, are excluded from this requirement. All security safeguards and precautions must be subject to the approval of the CDPH ISO. 3. Patch Management All systems must install and actively use a comprehensive third-party patch management program, and routinely update system and application software within two weeks of vendor release unless the CDPH ISO validates a patch is not applicable. Critical updates may require a more restrictive timeline. All security safeguards and precautions must be subject to the approval of the CDPH ISO. 4. Encrypted Electronic Transmissions All information electronic transmissions that contain classified information (such as website access, file transfers or through e-mail) must be encrypted end-to-end using an industry- recognized encryption standard (such as Transport Layer Security (TLS) or its predecessor, Secure Socket Layer(SSL), Secure File Transfer Protocol (SFTP), or any FIPS 140-2 certified encryption algorithm). Classified information must be encrypted at the minimum of Advanced Encryption Standard (AES) with a 128 bit key or higher. Equivalent or stronger algorithms may be used upon approval of the CDPH ISO. 5. Encrypted Information Storage All classified information must be encrypted when electronically stored using a CDPH approved encryption standard. Classified information must be encrypted at the minimum of AES with a 128 bit key or higher, or any FIPS 140-2 certified encryption algorithm. Equivalent or stronger algorithms may be used upon approval of the CDPH ISO. 6. Workstation / Laptop Encryption All workstations and laptops that process and/or store classified CDPH information must be encrypted with a CDPH ISO approved solution. Classified CDPH information must be encrypted at the minimum of AES with a 128 bit key or higher, or any FIPS 140-2 certified encryption algorithm. Equivalent or stronger algorithms may be used upon approval of the CDPH ISO. 23-10132 Page 8 of 21 7. Removable Media Encryption All electronic files that contain classified CDPH information must be encrypted at the minimum of AES with a 128 bit key or higher, or any FIPS 140-2 certified encryption algorithm when stored on any removable media type device (such as USB thumb drives, floppies, CD/DVD, tape backup, etc.). Equivalent or stronger algorithms may be used upon approval of the CDPH ISO. The solution should follow best practices described in National Institute of Standards &Technology (NIST)800-111, Guide to Storage Encryption Technologies for End User Devices. 8. Secure Connectivity All transmission and data-links between the information and application/system, and DBMS and the Office of Technology Services (OTech)Wide Area Network (WAN), must be secure between transmission systems as required by regulation, policy and/or standard and as prescribed for the given application/system. 9. Intrusion Detection and Prevention All systems that are accessible via the Internet, are critical, and/or contain classified information must install and actively use a CDPH ISO approved comprehensive third-party real-time intrusion detection and prevention solution.The solution must also report security events directly to a CDPH enterprise monitoring solution. All security safeguards and precautions must be subject to the approval of the CDPH ISO. 10. Minimum Information Download In accordance with the principle of need-to-know, only the minimum amount of information required to perform necessary business functions should be copied or downloaded. 11. Information Sanitization All classified CDPH information (electronic or paper) must be sanitized from systems when the information is no longer necessary. The sanitization method must conform to NIST Special Publication 800-88 Guidelines for Media Sanitization. Once information has been sanitized, the CDPH contract manager must be notified. If an agency or other entity is unable to sanitize the media in accordance with NIST 800-88 and provide notification, the media must be returned to CDPH after usage for sanitization in an approved manner. 12. Removal of Information Classified CDPH information (electronic or paper) must not be removed from CDPH premises, or from the premises of an authorized vendor or contractor, without the written permission of the CDPH ISO. 23-10132 Page 9 of 21 13. Faxing or Mailing of Information Facsimile transmissions containing classified CDPH information must not be left unattended if fax machines are not in a secure area. Facsimile transmissions must include a cover sheet that contains a security statement notifying persons receiving faxes in error to destroy them and notify the CDPH ISO immediately. Fax numbers must be verified before sending. Classified CDPH information must only be mailed using secure methods. Large volume mailings of classified CDPH information must be by a secure, bonded courier with signature required upon receipt. Disks and other transportable media sent through the mail must be encrypted with a CDPH ISO approved solution. 23-10132 Page 10 of 21 C. Solution Architecture 1. System Security Compliance The system must comply with all applicable CDPH security policies and requirements, as well as those specified in the State Administrative Manual (SAM), Public Health Administrative Manual (PHAM) Privacy Act, and any other applicable State or Federal regulation. All security safeguards and precautions must be subject to the approval of the CDPH ISO. The system may share data with other entities only after all applicable agreements are in place. For example, using a CDPH data release form, Business Associate Agreement, or Data Use Agreement. These agreements must ensure data is protected according to all applicable standards and policies. Any data which is exported outside the scope of the system and its security provisions (such as exports for statistical analysis) require approval by the CDPH ISO to ensure sufficient security is in place to protect the exported data. 2. Warning Banner All systems containing CDPH information must display a login warning banner stating that information is classified, activity is logged, and system use is for business purposes only. User must be directed to log off the system if they do not agree and comply with these requirements. The following warning banner must be used for all access points (such as desktops, laptops, web applications, mainframe applications, servers and network devices): WARNING: This is a State of California computer system that is for official use by authorized users and is subject to being monitored and/or restricted at any time. Unauthorized or improper use of this system may result in administrative disciplinary action and/or civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY, if you do not agree to the conditions stated in this warning. 3. Layered Application Design Applications must be able to be segmented into a layered application design separating, at a minimum, the Presentation, Application/Business Logic, and Data Access Logic, and Data Persistence/Database layers. The Presentation, Application/Business Logic, and Data Access Logic layers must be separated physically by a firewall regardless of physical implementation. Any system request made to the Business logic layer must be authenticated. The Data Access Logic Layer may take the form of stored procedures, database Application Programming Interface (API), Data Access Objects/Components, Data Access Middleware, Shared Data Services, or Secure Web Service. Any system request made to the Data Access 23-10132 Page 11 of 21 logic layer must be authenticated and authorized. No direct access to the Data Persistence/Database layer will be permitted, except through the Data Access logic layer. All calls to the Data Persistence/Database layer will be made through the Data Access logic layer as a trusted sub-system that utilizes a single database access account to all transactions. The Data Access Logic Layer must take the form of stored procedures, database API, Data Access Objects/Components, Data Access Middleware, Shared Data Services, or Secure Web Service. System requests made to the Business logic and Data Access logic layers must be authenticated and authorized. Vendor-provided commercial off-the-shelf(COTS) packages, or components where physical separation of layers is not possible, requires CDPH ISO approval. Presentation Layer �. Layers separated Application/ J ; by firewall Business Logic (Presentation and Layer ; ly Application layers at minimum) — — — — — — — — — — — — — — — — Data Layer iNZ t 4. Input Validation All user input must be validated before being committed to the database or other application information repository. The system must manage client input controls from server side to the extent possible. Data queries from the Presentation or the Business Logic layers must be validated for appropriate use of query language, and validated for appropriate quantity and quality of data input. This includes In-line Structured Query Language (SQL) calls. The system must validate client input on the server side to the extent possible. All third-party client side input controls must be documented and approved by the CDPH ISO. 5. Data Queries All Data queries (including In-line SQL calls)will not be allowed from the Presentation or the Business Logic layers unless validated for appropriate use of query language and validated for appropriate quantity/quality of data input. All data queries solution must be approved by the CDPH ISO. Database table names and column names must not be exposed. Applications must use an alias for every table and column. Dynamic SQL will not be permitted from the Presentation Layer without prior approval from the CDPH ISO. 23-10132 Page 12 of 21 6. Username/Password Based Authentication When usernames and passwords are going to be used as the method for system authentication, the following requirements must be met: • Username requirements: ■ Must be unique and traceable to an individual. ■ Must not be shared. ■ Must not be hard-coded into system logic. • Password requirements: ■ Must not be shared. ■ Must be 8 characters or more in length. ■ Must not be a word found in the dictionary, regardless of language. ■ Must be encrypted using irreversible industry-accepted strong encryption. ■ Must be changed at least every 60 days. ■ Must not be the same as any of the previous 10 passwords. ■ Must be changed immediately if revealed or compromised. ■ Must be composed of characters from at least three of the following four groups from the standard keyboard: • Upper case letters (A-Z); • Lower case letters (a-z); • Numbers (0 through 9); and • Non-alphanumeric characters (punctuation symbols). • Account security: • Accounts must be locked after three (3)failed logon attempts. ■ Account lock-out reset timers must be set for a minimum of'15 minutes. ■ Accounts must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password. 7. Administrative / Privileged Accounts Management A privileged account is an account that allows an individual to perform maintenance on an operating system or applications (e.g. create/remove users, install applications, create/modify databases, etc.). Privileged accounts require the approval of the individual's manager, the CDPH ISO, and must include a business justification stating why privileged access is required and what it will be used for. Individuals granted privileged accounts must have already signed the Security and Confidentiality Acknowledgement Statement. (Contact the CDPH ISO for the current version of the Security & Confidentiality Acknowledgement Statement in use.) The use of shared privileged accounts (e.g. Administrator) is strictly prohibited. System administration must be performed using a different username rather than the one used for daily non-administrative activities. Administrative accounts must be used only for administrative activity within the authorized role of that account and the individual using it. It must be logged out of immediately after administrative work is complete. • Username requirements: ■ Must be unique and traceable to an individual. ■ Must not be shared. ■ Must not be hard-coded into system logic. • Must be the same across different zones (e.g. Web Zone, Internal network, and Test Labs/ Environments). • The default built-in Administrator account must be renamed and disabled. 23-10132 Page 13 of 21 ■ The naming convention for privileged accounts must not make it obvious that usernames belong to privileged accounts. ■ If a generic privileged account is created: • Must only be used in an Emergency. • Must not be used for routine maintenance. • The password storage and management process for generic privileged accounts must be approved by the CDPH ISO. • Password requirements: ■ Must not to be shared. ■ Must be 12 characters or more in length. ■ Must not be a word found in the dictionary, regardless of language. ■ Must be encrypted using irreversible industry-accepted strong encryption. ■ Must be changed at least every 60 days. ■ Must not be the same as any of the previous 10 passwords. ■ Must be changed immediately if revealed, or compromised. ■ Must be comprised of characters from at least three of the following four groups from the standard keyboard: • Upper case letters (A-Z); • Lower case letters (a-z); • Numbers (0 through 9); • Non-alphanumeric characters (punctuation symbols). ■ Must be changed immediately upon the termination or transfer of an employee with knowledge of the password. ■ Must not be the same across different zones (e.g. Web Zone, Internal network, and Test Labs/ Environments). • Account security: ■ Accounts must be locked after three (3)failed logon attempts. ■ Account lock-out timers must be set for at least 60 minutes. 8. Service Accounts Management A service account is an account used to run a service and whose password is known by multiple individuals, When and where it is necessary to use a service account, the account request will be approved by the manager of the Project/Program requesting the account and by the CDPH ISO. Requirements, stating the need for a service account, will be documented in the request. A service account password is shared among the individuals authorized to access the account, and is subject to controls as stated in the password requirements in this document. Restrictions for Service Accounts ■ Sharing passwords via email is prohibited, unless the body of the email itself is encrypted using strong encryption. ■ When users are no longer authorized to access an existing service account, the service account password must be changed. 9. Authentication and Authorization Any systern deployed during a project, or as a result of a project, must provide secure role-based access for authorization (separation between system/server administrators and application/database administrators) utilizing the principle of least privilege at all layers/tiers. In all cases, applications must default to explicitly deny access where authentication and/or authorization mechanisms are required. No application that requires a login can offer to, or be capable of, remembering a user's credentials. 23-10132 Page 14 of 21 10. Authentication Logging The system must log success and failures of user authentication at all layers as well as log all user transactions at the database layer as required by regulation, policy or standard, and as prescribed for the given application/system. This logging must be included for all user privilege levels including, but not limited to, systems administrators. This requirement applies to systems that process, store, and/or interface with CDPH information. 11. Automatic System Session Expiration The system must provide an automatic timeout, requiring re-authentication of the user session after 20 minutes of inactivity. 12. Automatic System Lock-out and Reporting The system must provide an automatic lock-out of users and a means to audit a minimum of three (3)failed log-in attempts. The means of providing audit information must be approved by the CDPH ISO. 13. Audit (Access) All systems/applications will implement role-based access to auditing functions and audit trail information utilizing the principle of least privilege. All systems/applications will implement a secure online interface to Audit Capabilities and Reporting by way of API or network service (or Web Service)to allow CDPH ISO to view logs, auditing procedures, and audit reporting. 14. Audit (Minimum Information) The minimum log information below is required for any system that contains, or is involved in the transmission of, classified information. The log information should be available on every system running a production environment. This information must be provided upon request of the CDPH ISO for investigations and risk assessments. The system must record, at minimum, the following events and any other events deemed appropriate by the CDPH ISO: Transaction Types • Any and all administrative changes to the system (such as administrative password changes, forgotten password resets, system variables, network configuration changes, disk sub-system modifications, etc). • Logon failures. • Logons during non-business hours. • Failed access to an application or data. • Addition, deletion; or modification of users or program access privileges. • Changes in file access restrictions. • Database addition, deletion, or modification. • Copy of files before and after read/write changes. • Transaction issued. 23-10132 Page 15 of 21 Individual audit trail records must contain the information needed to associate each query transaction to its initiator and relevant business purpose. Individual audit trail records should capture, at a minirnum, the following: Minimum Audit Trail Record Content • Date and time stamp_ • Unique username of transaction initiator. • Transaction recorded. • Success or failure of transaction recorded. • Relevant business process or application component involved. • Data captured (if any). Audit Trail logs must be maintained at minimum for three (3)years after the occurrence, or a set period of time determined by the CDPH ISO that would not hinder a detailed forensic investigation of the occurrence. The CDPH ISO has final approval authority. 15. Application Security Controls For any application which accesses classified information, the following technical controls must be present, unless an exception is granted by the CDPH ISO: • Must use least privileged accounts to execute code and to access databases. • User access rights must be authenticated and authorized on entry to each application tier. • All user input must be validated, including parameters passed to all public web service methods. • Information that is not required must not be exposed. • If a web application fails, it must not leave sensitive data unprotected or expose any details in error messages presented to the user.Any exceptions must be logged or emailed to the appropriate team member. • Any sensitive data stored in session, cookies, disk files, etc., must be encrypted. Any sensitive data passed between tiers must be encrypted or must use SSL_ • Applications must be protected from the Internet by a front-end web application, firewall, gateway, and proxy of a type approved by the CDPH ISO, which must be included in the documented system design. • Postback Universal Resource Locators (URLs) must not contain unencrypted record identifiers or database keys. • Postback URLs must not include query strings. 16. Application Code Security Application developers should use tools and methods during development to ensure all custom source code is free from security vulnerabilities. At a minimum, the application must be free of the vulnerabilities described in the CWE/SANS Top 25 Most Dangerous Programmer Errors (littp://www.sans.org/top25errors/). CDPH has the right to conduct a vulnerability scan against the application prior to its activation, and may disapprove use of the application until the vulnerabilities are remediated and the application re-tested. Any verified vulnerabilities from this list must be corrected by the organization which developed the application, at no additional cost to CDPH. Unless an exception is granted by the CDPH ISO, vulnerabilities identified within third-party components must be remediated by the third-party vendor at no additional cost to CDPH. Otherwise, a different third- party component must be selected and implemented. 23-10132 Page 16 of 21 17. Strong Authentication Any information system providing access to Personally Identifiable Information (PII) and/or classified information from the Internet must assess the need for additional strong authentication, to prevent a significant data breach if a password is compromised. Strong authentication is defined as additional mandatory authentication over and beyond the password, for each account which has direct access to PII and/or classified information, or which has administrative privileges. The following factors should be included in the assessment: • Applicable policies and regulations. • Sensitivity of the PH or classified information. • Number of data records. • Number of user accounts with access to data. • Level of control over end users. • Level and frequency of log monitoring. • Automated alerts and controls for unusual data access patterns. • End user training on security practices. • Other mitigating security controls. The Project/Program providing access to PH and/or classified information from the Internet must either implement an approved strong authentication method, or document why strong authentication will not be utilized. This documentation must be provided to the CDPH ISO for review and approval. The following methods are approved for strong authentication: • Physical Token: A physical device in the possession of the account holder, which must be physically connected to the computer. Examples include a USB token or Smartcard. • One Time Password (OTP): A temporary one time pass code is provided to the account holder, either by a physical device in their possession, or by way of a pre-defined communication channel such as cell phone or e-mail address. Examples include OTP token, or OTP sent via SMS text message, e-mail, or by automated voice call. • X.509 Certificate: A digital certificate which has been installed on the access point computer or device, utilizing a Public Key Infrastructure (PKI). • Firewall Rules: Firewall TCP/IP rules which ensure the account is only usable from an authorized access point; based upon specific IP address or IP subnet. The following strong authentication method is approved for personal data access, where accounts have access to only the account holder's personal data, or a single data record they are custodian over such as a family member or information about their company. For example, an application where a client can submit or edit an enrollment form for themselves or sorneone else, but cannot access any other data records. • Personal Challenge Questions: During registration, the account holder pre-answers one or more questions known only to them. When logging into a different computer, typically tracked with a cookie, they cannot login without correctly answering the pre- configured questions. The user should be prompted for whether the new computer is trusted vs. a one-time login, and this information used to determine whether to save a new cookie. The proposed strong authentication mechanism must be included in the detailed design documentation as described in Section E.5, Application Security Approvals. 23-10132 Page 17 of 21 D. Documentation of Solution 1. System Configuration Project/Program must document and maintain documentation for the system/application. This should include the Following: • Detailed design. • Description of hardware, software, and network components. • Special system configurations. • External interfaces. • All layers of security controls. 2. Information Classification Project/Program will document and maintain an information classification matrix of all information elements accessed and/or processed by solution. The matrix should identify at a minimum: • Information element. • Information classification/sensitivity. • Relevant function/process, or where is it used. • System and database, or where is it stored. 3. System Roles and Relationships Project must document the following roles and ensure everyone understands their role, and complies with all applicable policies and regulations. • The designated owner of the system. • The designated custodian(s) of the system. • The users of the system. • The security administrator for the system. • Outside entities sending or receiving data to system. Project must document the organizational structure and relationships between these roles. 4. Audit Method Documentation Project/Program will document the solution's auditing features and provide samples of audit reporting. 5. Retention of Documentation The system/application administrators will retain documentation, including audit and activity logs, for a minimum of three (3) years (up to seven (7) years maximum) from the date of its creation or the date it was last in effect, whichever is later. Shorter retention periods must be allowed contingent upon applicable regulations, policies, and standards, and upon approval by the CDPH ISO. In certain circumstances the retention period must be lengthened to comply with regulatory requirements. 23-10132 Page 18 of 21 E. ISO Notifications and Approvals 1. Security Compliance Notification As pail of each project, assigned staff will document how the proposed solution meets or addresses the requirements specified in this document. This documentation must be submitted to the CDPH ISO prior to taking custody of CDPH information. 2. Notification of Changes to Solution Once a project is approved as final by the CDPH ISO, no changes will be made to the project scope, documentation, systems or components without a change approval by the CDPH ISO. 3. Notification of Breach The system/application administrators must immediately, and in writing, report to the CDPH ISO any and all breaches or compromises of system and/or information security. They must also take such remedial steps as may be necessary to restore security and repair damage, if any. In the event of a breach or compromise of system and/or information security, the CDPH ISO may require a system/application security audit. The CDPH ISO must review the recommendations from the security audit, and make final decisions on the steps necessary to restore security and repair damage. The system/application administrators must properly implement any and all recommendations of the security audit, as approved by the CDPH ISO. 4. Project Security Approvals Projects must ensure checkpoints throughout the System Development Life Cycle (SDLC)which verify security requirements are being met. This must be incorporated in the project plan along with identification of necessary resources, timelines, and costs to address these requirements. The CDPH ISO should be involved throughout the SDLC to ensure this occurs. For reportable Feasibility Study Reports (FSRs), the California Office of Information Security (OIS) requires submission of the Questionnaire for Information Security and Privacy Components in Feasibility Study Reports and Project-Related Documents. See http://www.cio.ca.gov/OIS/Government/documents/dots/Info_Sec and_Priv_Components_FSR- Questionnaire.doc. The response to this document must be approved by the CDPH ISO prior to submission. Projects must ensure all applicable security requirements and deliverables are included in the project plan, and that ISO approvals are obtained, where required. This includes those listed in the following section, and any covered by other sections of this document. The CDPH ISO must be given reasonable time to review and cornment on these deliverables. 23-10132 Page 19 of 21 5. Application Security Approvals At a minimum, for any application which accesses classified information, the following documented CDPH ISO approvals must be obtained at the appropriate project phases, and before the application is moved to production. • CDPH ISO approval of a dated, detailed design document. This design must include network layout including specific firewall port requirements, server hosting locations, operating systems, databases, data exchange interfaces, and points of authentication/authorization. The project must not move beyond the design phase until there is a CDPH ISO approved design. • CDPH ISO approval of any non-standard development tools (such as programming languages or toolkits). • CDPH ISO approval of a plan for an independent security code review which addresses at minimum the current Open Web Application Security Project (OWASP) top ten application vulnerabilities, and CWE/SANS Top 25 Most Dangerous Programmer Errors, where applicable. CDPH ISO must approve any findings of that code review not being corrected. CDPH ISO recommends the security code review be carried out during the development process rather than only at the end. • CDPH ISO approval of a plan for security code reviews of future maintenance code changes, which addresses at minimum the current OWASP top ten application vulnerabilities, CWE/SANS Top 25 Most Dangerous Programmer Errors, where applicable. • CDPH ISO approval of a plan for an independent automated security vulnerability assessment of the application, and approval of the findings of that assessment. The assessment must assess at minimum the OWASP top ten risks and CWE/SANS Top 25 Most Dangerous Programmer Errors,where applicable. Independent as indicated above is defined as organizationally separate from those developing or configuration the application. The independence and skill level of the entities being utilized must be approved by the CDPH ISO. Application code and infrastructure is subject to a CDPH ISO audit, and must match the approved detailed design. 23-10132 Page 20 of 21 F. Appendix A—SR1 Exemption Form REF Security Requirement Exemption Business Justification (Yes, No, or N/A A Administrative / Management Safeguards 1 Workforce Confidentiality Statement 2 Access Authorization & Maintenance 3 Information System Activity Review 4 Periodic System Security & Log Review 5 Disaster Recovery Plan 6 Change Control 7 Supervision of Information 8 Escorting Visitors B Technical and Operational Safeguards 1 System Security Compliance 2 Malware Protection 3 Patch Management 4 Encrypted Electronic Transmissions 5 Encrypted Data Storage 6 Workstation/ Laptop Encryption 7 Removable Media Encryption 8 Secure Connectivity 9 Intrusion Detection and Prevention 10 Minimum Information Download 11 Information Sanitization 12 Removal of Information 13 Faxing or Mailing of Information C Solution Architecture 1 System Security Compliance 2 Warning Banner 3 Layered Application Design 4 Input Validation 5 Data Queries 6 Username/Password Based Authentication 7 Administrative/ Privileged Accounts Management 8 Service Accounts Management 9 Authentication and Authorization 10 Authentication Logging 11 Automatic System Session Expiration 12 Automatic System Lock-out and Reporting 23-10132 Page 21 of 21 REF Security Requirement Exemption Business Justification (Yes, No, or N/A 13 Audit (Access) 14 Audit (Minimum Information) 15 Application Security Controls 16 Application Code Security 17 Strong Authentication D Documentation of Solution 1 System Configuration 2 Information Classification 3 System Roles and Relationships 4 Audit Method Documentation 5 Retention of Documentation E ISO Notifications 1 Security Compliance Notification 2 Notification of Changes to Solution 3 Notification of Breach 4 Project Security Approvals 5 Application Security Approvals SR1-Information Systems Security Requirements for Projects Page 21 of 21 Slate of California—Fleallh and Hurnan Services Agency 23-10132 California Department of Public Health Page 1 of 1 Exhibit L Contractor's Release Instructions to Contractor: With final invoice(s) submit one (1) original and one (1) copy. The original must bear the original signature of a person authorized to bind the Contractor. The additional copy may bear photocopied signatures. Submission of Final Invoice Pursuant to contract number 23-10132 entered into between the California Department of Public Health (CDPH) and the Contractor(identified below), the Contractor does acknowledge that final payment has been requested via invoice number(s) , in the amounts)of$ and dated If necessary, enter"See Attached" in the appropriate blocks and attach a list of invoice numbers,dollar amounts and invoice dates. Release of all Obligations By signing this form, and upon receipt of the amount specified in the invoice number(s) referenced above, the Contractor does hereby release and discharge the State, its officers, agents and employees of and from any and all liabilities, obligations, claims, and dernands whatsoever arising from the above referenced contract. Repayments Due to Audit Exceptions/Record Retention By signing this form, Contractor acknowledges that expenses authorized for reimbursement does not guarantee final allowability of said expenses. Contractor agrees that the amount of any sustained audit exceptions resulting from any subsequent audit made after final payment will be refunded to the State. All expense and accounting records related to the above referenced contract must be maintained for audit purposes for no less than three years beyond the date of final payment, unless a longer term is stated in said contract. Recycled Product Use Certification By signing this form, Contractor certifies under penalty of perjury that a minimurn of 0% unless otherwise specified in writing of post consumer material, as defined in the Public Contract Code Section 12200, in products, materials, goods,or supplies offered or sold to the State regardless of whether it meets the requirements of Public Contract Code Section 12209. Contractor specifies that printer or duplication cartridges offered or sold to the State comply with the requirements of Section 12156(e). Reminder to Return State Equipment/Property (If Applicable) (Applies only if equipment was provided by CDPH or purchased with or reimbursed by contract funds) Unless CDPH has approved the continued use and possession of State equipment(as defined in the above referenced contract)for use in connection with another CDPH agreement, Contractor agrees to promptly initiate arrangements to account for and return said equipment to CDPH,at CDPH's expense, if said equipment has not passed its useful life expectancy as defined in the above referenced contract. Patents/ Other Issues By signing this form, Contractor further agrees, in connection with patent matters and with any claims that are not specifically released as set forth above, that it will comply with all of the provisions contained in the above referenced contract, including, but not limited to, those provisions relating to notification to the State and related to the defense or prosecution of litigation. ONLY SIGN AND DATE THIS DOCUMENT WHEN ATTACHING IT TO THE FINAL INVOICE Contractor's Legal Name (as on contract): County Of Fresno Signature of Contractor or Official Designee: Date: Printed Name/Title of Person Signing: Distribution: Accounting(Original) Program CDPH 2352 17/ N N c+3 y— ll O 0 r N +r O ❑ ❑ 7 N @ Q) 0 IL J O Q O C) •F W W L W (D O O Q a.) O E 0O Q) c6 co O U Z3 i O U O C e U Q> > U U C E u) O O o o co a) V C C U OC U p fl CQ r O V � � 4m= OL Q � > U O CO N 'O U RS M N (� FloU U CCQ (n N O O v- >, O) O X Q C a) W E 4 Q Y Y L (B O N (ri N C C O L O � Q ' C �_ Ep �, c U �' -Q � o � 0 E ` co ° Ec ►U E0 O O — Q C E c coQ t v O O (i5 Q) C X ', N �_ � O O) -Q O t11 a O W _ N N Ln aCi N = m U CL 4 o o Q L � oa. ,•. — p �; m o ; � cu 0 U) _ �_ O U C C U a) tC' _C � (l7 �_ U O re E r cn U C O � 'v E a ,U cO Q w N O o 0 U4.1 O U ••O � cn E � (a aJ U .v � a O v cn a) CU �� E � C 1a� ascn ..U5.. C • � o 0 E N O U O N O E o o cn o a C c _ L U O) oz E c6 °' w Z CCi C i N U L ` + "" U z C Z7 oM— o C ow oo mU 00 O U r 0 U .� Q O U t±l 0 m � (p4 CL� �, FRS L E (B7 � C (� O U O U (D Lp CCl Q U O c6 U v E L a� W !— cn CV co 7 N N M — n O _U O N L a) ❑ ❑ ❑ ❑ ❑M 7 Ql N m T d O � -�-• L C L Q) O OC p L C — O Oci3 O += L j � a) w O U : N U) U O UQ UO "' cn +' O ZI (6 = L L N Q (G C > U) O >+ C U +-+ U) O C .� U O U C O E U) O O — U O Qco W U a O ' `t Q � az ° a- d � c ' •— a� C O _� O Q. N p s O m C C Q s O O U L O O Cu -0 L cn O U O a) 70 OW i U C C O v C U +- cII C C Q C O CD W O U C@ ` E C > Q O C � L N Q L a O Lu U N E � Qp cn . CQ nQ � � E Q- c� O o- m 0 : O ,t o co ui LC Q O L C cu U 2 n- c� U U � U) � o o E Qv C p `n o O � � U c6 � � tts L . cn � co U N O_ > p Q � a) � E Q � U O cn _ U O n p N U .cn cz U U U O � 4- +. + ( > Q a) a) L C ca Y U) U C a) ++ V � -O Cc O U C O Q) � cn N C C C L cn cv a� cn U cn U E 91 N O a� M aD C L E a — L E � pcn Q o C � C (UB = N cLLJ "—L E 7o Q Z cn U C s y O U O a) O = O 4- Ov N c6 � roU � � UQ- 0E o °' `o C '' C C6 uj U C C� E ti 0 0 p Q? p U p m E U U U > U Z Q C N v N U N a) O N O ro f- p (� f N E us f fn - .� cn E _ •L � O Q LAI ANAL IV -LLC1UJ1111C111 II p - agelnf 5 ADAP and PrEP-AP Document Transfer Plan Instructions: Please complete when moving/transferring client files and/or moving to a new office. Submit the completed Transfer Plan to your CDPH ADAP or PrEP-AP Advisor. Your advisor will contact you after the Transfer Plan has been reviewed/a proved. Enrollment Site Contact Enrollment Site Number: Name: Date client files will Phone Number: be transferred: Email Address: Address of new office or location where client files are being transferred to: Enrollment Site Name: Current Enrollment Site Address: Enrollment Site Phone Number: Enrollment Site Fax Number: Acknowledge ADAP and PrEP-AP Policy for Transferring Client Files: It is the policy of (ENROLLMENT SITE NAME) to ensure that any transfer of ADAP and PrEP-AP documentation will be safe, secured and implemented in accordance with CDPH ADAP and PrEP-AP confidentiality and security requirements for safeguarding the confidentiality of protected health information. ADAP and PrEP-AP Eligibility Workers (EWs)will implement reasonable and appropriate administrative, technical, and physical measures to safeguard protected health information from any intentional or unintentional use or disclosure that might violate County, State or Federal privacy regulations, Health and Safety Code, and in accordance with the ADAP and/or PrEP-AP Site Agreement, Security Requirements, Protections, and Confidentiality Checklist (Attachment 1), HIPAA Business Associate Addendum (Exhibit F), Plan for Transporting Confidential ADAP and PrEP-AP Client Files Policy and Procedure. Why are client files being transferred? Select all that apply. If files are being transferred for a reason not listed above, please contact your ADAP or PrEP-AP Advisor. ❑ Relocation of the ADAP and/or PrEP-AP Enrollment Site and client files to a new office/location. CXI IIUR IV '""-""""""`" Page 2 of 5 ❑ Relocating ADAP and/or PrEP-AP client files to a new location for storage purposes. If different from the ADAP and/or PrEP-AP Enrollment Site address, please provide address of the storage location below. Storage Location Address: ❑ Providing in-home client enrollment services when a client is unable to travel to the ADAP a nd/or PrEP-AP Enrollment Site. Please provide address: ❑ Closure of an ADAP and/or PrEP-AP Enrollment Site. Note: If files are being transferred for a reason not listed above, please contact your ADAP or PrEP-AP Advisor. 1. How many client files will be transferred? 2. Describe the methods that will be used to secure client files when being transferred (i.e., locked container, by vehicle/trunk, no stops on way to new location, etc.). 3. Which site staff person/s will supervise the security and transfer of client files as they are moved to the new location? Will a vendor be utilized? If so, please explain. 4. Please describe where and how the client files will be stored at their new location. tmoit Iv Page 3 of 5 5. In this section, outline, step-by-step, the process that will be followed in the transferring of client files to their new location. Attach an additional page if necessary. 6. If the client files will be stored at an off-site storage facility: a. What is the protocol for accessing the files at the storage facility? b. How can these files be accessible during normal working hours? c. What is the timeframe for access to the client files once the request is received? LXhlDIt N """' "'"" �� Page 4 of 5 d. How will the client files by stored and secured? e. Who can access the files while they are at the storage facility? f. Are any of these files also accessible electronically? g. Is the storage facility owned and/or operated by a third-party organization? SIGNATURE OF SITE CONTACT/AGENCY ADMINISTRATOR DATE SIGNED Additional Comments (continued on next page). txnmom Page omn - 23-10132 4.• °i rti Attachment III Page 1 of 2 r � * a I0Y. State of California Health Health and Human Services Agency California Department of Public Health Agreement by Employee/Contractor to Comply with Confidentiality Requirements Summary of Statutes Pertaining to Confidential Public Health Records and Penalties for Disclosure All HIV/AIDS case reports and any information collected or maintained in the course of surveillance- related activities that may directly or indirectly identify an individual are considered confidential public health record(s) under California Health and Safety Code (HSC), Section 121035(c) and must be handled with the utmost confidentiality. Furthermore, HSC §121025(a) prohibits the disclosure of HIV/AIDS-related public health records that contain any personally identifying information to any third party, unless authorized by law for public health purposes, or by the written consent of the individual identified in the record or his/her guardian/conservator. Except as permitted by law, any person who negligently discloses information contained in a confidential public health record to a third party is subject to a civil penalty of up to $5,000 plus court costs, as provided in HSC §121025(e)(1). Any person who willfully or maliciously discloses the content of a public health record, except as authorized by law, is subject to a civil penalty of $5,000-$25,000 plus court costs as provided by HSC §121025(e)(2). Any willful, malicious, or negligent disclosure of information contained in a public health record in violation of state law that results in economic, bodily, or psychological harm to the person named in the record is a misdemeanor, punishable by imprisonment for a period of up to one year and/or a fine of up to $25,000 plus court costs (HSC §121025(e)(3)). Any person who is guilty of a confidentiality infringement of the foregoing type may be sued by the injured party and shall be personally liable for all actual damages incurred for economic, bodily, or psychological harrn as a result of the breach (HSC §121025(e)(4)), Each disclosure in violation of California law is a separate, actionable offense (HSC §121025(e)(5)). Because an assurance of case confidentiality is the foremost concern of the California Department of Public Health, Office of AIDS (CDPH/OA), any actual or potential breach of confidentiality shall be immediately reported. In the event of any suspected breach, staff shall immediately notify the director or supervisor of the local health department's HIV/AIDS surveillance unit who in turn shall notify the CDPH/OA Surveillance Section Chief or designee. CDPI-I/OA, in conjunction with the local health department and the local health officer shall promptly investigate the suspected breach. Any evidence of an actual breach shall be reported to the law enforcement agency that has jurisdiction. CDPH 8720 (07/17) Page 1 of 2 y 23-10132 Attachment III Page 2 of 2 Employee Confidentiality Pledge I recognize that in carrying out my assigned duties, I may obtain access to private information about persons diagnosed with HIV or AIDS that was provided under an assurance of confidentiality. 1 understand that I am prohibited from disclosing or otherwise releasing any personally identifying information, either directly or indirectly, about any individual named in any HIV/AIDS confidential public health record. Should I be responsible for any breach of confidentiality, I understand that civil and/or criminal penalties may be brought against me. I acknowledge that my responsibility to ensure the privacy of protected health information contained in any electronic records, paper documents, or verbal communications to which I may gain access shall not expire, even after my employment or affiliation with the Department has terminated. By my signature, I acknowledge that I have read, understand, and agree to comply with the terms and conditions above. Employee name (print) Employee Signature Date Supervisor name (print) Supervisor Signature Date Name of Employer PLEASE RETAIN A COPY OF THIS DOCUMENT FOR YOUR RECORDS CDPH 8720 (07/17) Page 2 of 2 byµ Ci Th �• • State of California—Health and Human Services Agency �IV California Department of Public HealthY �, !)CDPH ,. TOMAS J.ARAGbN,MD,DrPH GAVIN NEWSOM Director and State Public Health Officer Governor Enrollment Site Fee-for-Service Pay Schedule As referenced in the enrollment site contract under'Exhibit B -Budget Detail and Payment Provisions,' enrollment sites will be paid based on this fee schedule for enrollment services. This fee schedule is subject to change. Updated: November 7, 2022 Payment for ADAP Enrollment Services All enrollment sites with an executed contract to provide ADAP enrollment services with a minimum of one ADAP enrollment per fiscal year(FY)will receive a floor amount of$5,000 with additional payment(s) per FY for performing the following services, provided the enrollment service includes all the required eligibility forms and verifying documentation: • New ADAP Medication Program Enrollments: $100/per new enrollment • New ADAP Insurance Assistance Program enrollments(including Medicare Part D Premium Assistance Program): $275/per new enrollment • ADAP annual re-enrollments: $100/per re-enrollment • ADAP Insurance Assistance Program annual re-enrollments (including Employer-based Health Insurance Premium Payment(EB-HIPP), Office of AIDS Health Insurance Premium Payment(OA- HIPP), and the Medicare Part D Premium Payment(MDPP) assistance programs): $125/per re- enrollment Payment for PrEP-AP Enrollment Services All enrollment sites with an executed contract to provide PrEP-AP enrollment services will receive payment(s) per FY for performing the following services, provided the enrollment service includes all the required eligibility forms and verifying documentation: • New PrEP-AP enrollments: $100/per new enrollment • PrEP-AP annual re-enrollments: $100/per re-enrollment Payment for PrEP-AP Temporary Coverage Enrollment Services All pharmacy enrollment sites with an executed contract to provide PrEP-AP Temporary Coverage enrollment services will receive payment(s) per FY for performing the following service, provided the enrollment service includes all the required forms: • PrEP-AP Temporary Coverage enrollments: $50/per new enrollment �E„Hciui of Office of AIDS, MS 7700 • P.O. Box 997426 • Sacramento, CA 95899-7426 (844) 421-7050 9 (916) (844) 421-8008 FAX https://www.cdph.ca.gov/Programs/CID/DOA/Pages/OAmain.asp �y Agreement Between the County of Fresno and California Department of Public Health Name: AIDS Drug Assistance Program (ADAP) and Pre-Exposure Prophylaxis Assistance Program (PrEP-AP) Enrollment Services Agreement No. 23-10132 Fund/Subclass: 00011/10000 Organization #: 56201644 Revenue Account #: 3530