HomeMy WebLinkAboutAgreement A-18-253 with CA Dept. of Health Care Svc's.pdfCounty of Fresno
18-95036
1
MEDI-CAL COUNTY INMATE PROGRAM AGREEMENT
Article 1 – Parties
A.The parties to this Agreement (Agreement) are County of Fresno (the County) and the
California Department of Health Care Services (DHCS).
B.The County may voluntarily choose to participate in the Medi-Cal County Inmate
Program (MCIP) by entering into this Agreement as authorized by Welfare and
Institutions Code sections 14053.7 and 14053.8, and Government Code sections
26605.6, 26605.7, and 26605.8.
C. DHCS is the single state agency responsible for administering the California Medical
Assistance Program (Medi–Cal), including MCIP, pursuant to California Welfare and
Institutions Code section 14100.1.
Article 2 – Purpose of the Agreement
A.The purpose of this Agreement is to set forth the terms a County must abide by in
order to participate in MCIP. If a County does not participate in MCIP or does not
abide by the terms of this Agreement, the County remains responsible for arranging
for and paying for medical care for its inmates. MCIP creates budgetary savings for
the County for the medical care provided to its Medi-Cal eligible inmates. MCIP makes
federal financial participation (FFP) available for medical care provided to Medi-Cal
eligible county inmates. The County receives budgetary savings because it does not
fund the federal share of MCIP services for their Medi-Cal eligible inmates. MCIP
services are provided by Medi-Cal providers to Medi-Cal eligible inmates, for which
FFP may be claimed consistent with federal law, including but not limited to
subparagraph (A) following paragraph (29) of Section 1905(a) of the Social Security
Act.
1)MCIP allows the Medi-Cal providers to directly bill DHCS for MCIP services and
DHCS will reimburse the Medi-Cal providers at their applicable Medi-Cal rate
for the services rendered, to the extent FFP is available. DHCS will seek and
retain FFP claimed for MCIP services and the County will reimburse DHCS any
remaining balance for the claims paid by DHCS to the Medi-Cal provider for
MCIP services, except for the MCIP services provided by public providers
under the certified public expenditure (CPE) process.
2)W hen the Medi-Cal provider is a Designated Public Hospital (DPH) or other
public provider that incurs the cost of the nonfederal share pursuant to the CPE
process, the Medi-Cal provider shall receive the FFP resulting from
expenditures for the MCIP services. Notwithstanding the sentence above,
DPHs may claim under Subparagraph 1 for MCIP services that are not claimed
through the CPE process established in the Demonstration Project.
Agreement No. 18-253
County of Fresno
18-95036
2
B.The County shall reimburse DHCS its apportioned share of the nonfederal share of
the administrative costs incurred for the administration of MCIP based on Addendum
A.
Article 3 – Term of the Agreement
Subject to the provisions of this Agreement, the term of this Agreement shall be one year
from July 1, 2018, through June 30, 2019.
Article 4 – Maximum Payable Amount
A.The amount under this Agreement that the County shall be obligated to reimburse
DHCS for MCIP services paid by DHCS to Medi-Cal providers shall not exceed the
nonfederal share of the Medi-Cal payments for MCIP services for the County’s
inmates incurred by DHCS. The maximum payable amount shall not exceed:
$2,300,000.00. This amount is subject to the annual limitations listed below:
Year MCIP Services
Total Nonfederal Share
SFY 2018-19 $2,300,000.00
B.The amount that the County shall be obligated to pay DHCS for MCIP administrative
services rendered under this Agreement shall not exceed its apportioned share of the
nonfederal share of the federally claimable costs of administering MCIP incurred by
DHCS. The maximum payable amount shall not exceed the County’s apportioned
share, which shall be based on a methodology specified in Addendum A, which is:
$6,841.67. This amount is subject to the annual limitations listed below:
Year MCIP Administrative Services
Total Nonfederal Share for
the County
SFY 2018-19 $6,841.67
C.The maximum payable amount under this Agreement shall not exceed $2,306,841.67.
D.For future SFY periods not covered under this Agreement, the maximum payable
amount will be determined through a new Agreement or an amendment to this
Agreement.
County of Fresno
18-95036
3
Article 5 – Contact Persons
Any notice, request, demand or other communication required or permitted hereunder,
shall be deemed to be properly given when deposited in the United States mail, postage
prepaid, and addressed:
In the case of the County, to:
County Coordinator
County of Fresno
Attn: David Pomaville, Director
P.O. Box 11867
Fresno, CA 93775
dpomaville@co.fresno.ca.us
(559)600-3200
Or to such person or address as the County may furnish in writing or e-mail to DHCS.
In the case of DHCS, to:
California Department of Health Care Services
Safety Net Financing Division
Medi-Cal Supplemental Payments Section
Attn: Inmate Medi-Cal Claiming Unit
1501 Capitol Avenue, MS 4504
P.O. Box 997436
Sacramento, CA 95899-7436
Or to such person or address as DHCS may, from time to time, furnish in writing or email
to County.
Article 6 – Payment Terms and Invoicing
A.General Terms
1)The County shall compensate DHCS for the County’s apportioned share of the
nonfederal share of MCIP administrative services, and for the nonfederal share
of MCIP services listed in Article 7, as required by Welfare and Institutions
Code sections 14053.7 and 14053.8, and Government Code sections 26605.6,
26605.7, and 26605.8, within sixty (60) days of receipt of an invoice from
DHCS, which specifies both the total federally claimable cost, and the
nonfederal share of the total cost, for payments DHCS has made to providers,
except that the County shall not reimburse the state for the nonfederal share of
services billed by Medi-Cal providers under a CPE process, as described in
Articles 8 and 11, below. MCIP administrative services and MCIP services shall
be separately invoiced by DHCS to the County. Addendum A attached to this
County of Fresno
18-95036
4
Agreement includes details regarding the nonfederal share of administrative
costs. If the County is found to have overpaid DHCS comparing its owed
nonfederal share to payments actually made, DHCS shall refund the
overpayment to the County within forty-five (45) days of an invoice from the
County, containing the same information. This refund may be made by
offsetting the amount against the County’s next quarterly payment due to
DHCS.
2)Failure by the County to timely compensate DHCS pursuant to Paragraphs B
and C shall constitute a material breach of this Agreement by the County,
which, at DHCS’ discretion, may result in termination by DHCS pursuant to
Article 10. The County may cure such breach by rendering payment of the
amount owed to DHCS prior to the termination of this Agreement.
3)In no event shall payment be made by the County for any invoice or portion
thereof exceeding the respective maximum annual Agreement amount
specified in Article 4. Payment for any MCIP administrative services rendered
by DHCS or MCIP services paid by DHCS exceeding the respective maximum
annual Agreement amount shall require an amendment to this Agreement
pursuant to Article 9. If the County fails to execute a retroactive amendment to
the maximum payable amount under this Agreement, DHCS shall terminate the
Agreement pursuant to Article 10.
4)Payments shall be sent to DHCS at the following address (or such other
address as DHCS may specify in writing):
California Department of Health Care Services
Safety Net Financing Division
Medi-Cal Supplemental Payments Section
Attn: Inmate Medi-Cal Claiming Unit
1501 Capitol Avenue, MS 4504
P.O. Box 997436
Sacramento, CA 95899-7436
B.MCIP Services
1)DHCS shall submit to the County a quarterly invoice for MCIP services that
identifies the nonfederal share amount, and a report that contains information
regarding paid claims data for the quarter, including information identifying the
provider of services and the beneficiary, the recipient aid code, and amount of
reimbursement, and other information that may be agreed to between the
parties.
2)The DHCS invoice shall not contain and the County shall not compensate
DHCS for MCIP services provided by Medi-Cal providers where the County
County of Fresno
18-95036
5
incurs the cost of providing MCIP services and claims them through the CPE
process.
3)If the Medi-Cal provider renders MCIP services that are not reimbursable under
the CPE process established, then the invoice shall contain and the County
shall reimburse DHCS for the nonfederal share of DHCS’ payments for these
MCIP services.
C.MCIP Administrative Services
1)DHCS shall submit to the County an annual invoice for the County’s
apportioned share of the nonfederal share of MCIP administrative services
based on Addendum A. The annual invoice for reimbursement identifies the
following summarized categories of DHCS costs for the allocated SFY period
billed: salary, benefits, operating expenses, and total costs. Costs shall be
multiplied by one minus the Federal Medical Assistance Percentage applicable
to such administrative costs subject to the limit on the amount reimbursable by
the County under Article 4. For SFY 2017-18 and thereafter, DHCS shall submit
annual invoices to the County no later than one hundred eighty (180) days
following the close of the SFY.
2)The County shall not be obligated to pay DHCS for the MCIP administrative
services covered by any invoice if DHCS presents the invoice to the County
more than one (1) year after this Agreement terminates.
Article 7 – DHCS Responsibilities
A.MCIP Services
1)DHCS shall pay the appropriate Medi-Cal fee-for-service rate to Medi-Cal
providers that directly bill DHCS for MCIP services rendered to the County’s
MCIP-eligible inmates and shall seek FFP. DHCS shall be responsible to pay
such providers only to the extent the County commits to reimburse DHCS the
nonfederal share of all federally reimbursable MCIP claims and for which FFP
is available and retained by DHCS for the MCIP service claims.
2)DHCS shall maintain accounting records to a level of detail which identifies the
actual expenditures incurred for MCIP services, the services provided, the
county responsible, the specific inmate treated, the inmate’s aid code, and the
specific provider billing.
3)DHCS shall submit claims in a timely manner to the federal Medicaid Program
to draw down FFP for DHCS, and shall draw down and distribute FFP for MCIP
services claimed through the CPE process. Such claims shall be submitted in
compliance with all applicable laws and regulations.
County of Fresno
18-95036
6
B.MCIP Administrative Services
1)DHCS shall administer MCIP and this Agreement for claiming federal
reimbursement for MCIP services. It is understood by both the County and
DHCS that other administrative activities including, but not limited to,
transporting MCIP eligible beneficiaries, arranging for their care and for their
incarceration remain the administrative responsibilities of the County.
2)DHCS shall maintain accounting records to a level of detail which identifies the
actual expenditures incurred for personnel services which includes
salary/wages, benefits, overhead costs for DHCS’s staff, as well as equipment
and all related operating expenses applicable to these positions including, but
not limited to, general expense, rent and supplies, and travel cost for identified
staff and managerial staff working specifically on activities or assignments
directly related to MCIP.
C.General Responsibilities
1)DHCS shall:
i.Ensure that an appropriate audit trail exists within DHCS records and
accounting system and maintain expenditure data as indicated in this
Agreement.
ii.Designate a person to act as liaison with County with regard to issues
concerning this Agreement. This person shall be identified to County’s
contact person for this Agreement.
iii.Provide a written response by email or mail to County’s contact person
within thirty (30) days of receiving a written request for information
related to MCIP.
iv.With each quarterly invoice, provide paid claim analysis report to the
County regarding MCIP claims submitted by providers for the County’s
MCIP-eligible inmates, as used for the determination of the
corresponding nonfederal share that is the County’s obligation under
this Agreement.
2)Should the scope of work or services to be performed under this Agreement
conflict with DHCS’ responsibilities under federal Medicaid law, the
responsibilities under federal Medicaid law shall take precedence.
3)DHCS’ cessation of any activities due to federal Medicaid law responsibilities
does not relinquish the obligation of the County to reimburse DHCS for MCIP
administrative costs and MCIP services incurred by DHCS in connection with
this Agreement for periods in which the County participated in the program.
County of Fresno
18-95036
7
4)DHCS agrees to provide to the County, or any federal or state department
having monitoring or reviewing authority, access to and the right to examine its
applicable records and documents for compliance with relevant federal and
state statutes, rules and regulations, and this Agreement.
Article 8 – County Responsibilities
A.MCIP Services
1)Except as provided in (vi.) of this section, the County is responsible for
reimbursing DHCS for the nonfederal share of MCIP services paid by DHCS to
Medi-Cal providers rendering MCIP services to the County’s MCIP eligible
beneficiaries.
i.The County may pay a Medi-Cal provider to the extent required by or
otherwise permitted by state and federal law to arrange for services for
the MCIP individuals. Such additional amounts shall be paid entirely with
County funds, and shall not be eligible for Social Security Act Title XIX
FFP.
ii.If DHCS pays the Medi-Cal provider more than what the county would
have paid for services rendered, the county cannot request the
difference from the Medi-Cal provider.
iii.If the county would have paid the Medi-Cal provider less than what
DHCS paid the Medi-Cal provider, the county is still obligated to
reimburse DHCS for the nonfederal share of the payment from DHCS
for MCIP services.
iv.In the event that FFP is not available for any MCIP service claimed
pursuant to this Agreement, the County shall be solely responsible for
arranging and paying for any such MCIP service.
v.If the Centers for Medicare & Medicaid Services (CMS) determines an
overpayment has occurred for a payment made to a Medi-Cal provider
for MCIP services to the County’s MCIP-eligible inmate, including the
application of any federal payment limit that reduces the amount of FFP
available for MCIP services, then DHCS shall seek the overpayment
amount from the provider and return the collected FFP to CMS and
return the collected nonfederal share of the overpayment to the County.
In the event that DHCS cannot recover from the Medi-Cal provider such
overpayment, the County shall pay DHCS an amount equal to the FFP
portion of the unrecovered amount to the extent that section
1903(d)(2)(D) of the Social Security Act is found not to apply.
County of Fresno
18-95036
8
vi.The County is not responsible for reimbursing DHCS for the nonfederal
share of expenditures for MCIP services provided by DPHs when those
services are reimbursed under the CPE process because DHCS is not
responsible for the nonfederal share of expenditures for MCIP services
reimbursed in the CPE process.
vii.The County is responsible for reimbursing DHCS for the nonfederal
share of MCIP services provided by DPHs that are not reimbursed under
the CPE process.
2)If CMS determines DHCS claimed a higher federal medical assistance
percentage (FMAP) rate than is allowed and FFP is reduced by CMS for the
MCIP services provided to a County’s MCIP-eligible inmate for MCIP services,
then the County shall hold DHCS harmless for the return of the FFP to CMS.
B.MCIP Administrative Services
1)As a condition of participating in MCIP, the County accepts its responsibility for
reimbursing DHCS for the County’s apportioned share of the nonfederal share
of costs of MCIP administrative services based on Addendum A, performed by
DHCS in administering MCIP, so that there is no expenditure from the State
General Fund.
2)The County shall reimburse DHCS its allotted portion of the nonfederal share
of funding for compensation, associated operating expenses, equipment, and
travel costs for no more than 3.50 full-time equivalent (FTE) positions
composed of: one-half (0.50) FTE Staff Service Manager I, two (2) FTE Staff
Services Analysts/Associate Governmental Program Analysts, one-half (0.50)
FTE Attorney, and one-half (0.50) FTE Accounting Officer, to be established
and housed at DHCS, to support the reported expenditures submission process
for obtaining federal reimbursement under this Agreement. The County’s
allotted portion shall be based on a methodology specified in Addendum A.
County of Fresno
18-95036
9
C.General Responsibilities
1)Upon the County’s compliance with all applicable provisions in this Agreement
and applicable laws, the County may send its MCIP-eligible inmates to Medi-
Cal providers to receive MCIP services.
2)The County shall reimburse DHCS pursuant to Paragraphs A and B with funds
from the County’s General Fund, or from any other funds allowed under federal
law and regulation, including but not limited to, Section 1903(w) of the Social
Security Act and Code of Federal Regulations, title 42, part 433, subpart B.
3)In the event of any federal deferral or disallowance which is applicable to MCIP
expenditures, the County shall provide all documents requested by DHCS
within fourteen (14) days.
4)The County shall assist with the completion of and delivery of completed Medi-
Cal applications to County Welfare Department (CWD) within 90 calendar days
after the date of admission of the inmate to an Medi-Cal provider off of the
grounds of the county correctional facility which results in an expected stay of
more than 24 hours.
Article 9 – Amendments
A.Amendments to this Agreement shall be made only by a writing signed by the parties
to this Agreement and, if required by state law, by approval of the California
Department of General Services. Notwithstanding the previous sentence, any update
made to the appropriate contact persons identified in Article 5 may be made by e-mail
to the other contact person or persons and without formal amendment.
B.This Agreement shall be amended pursuant to findings from the periodic assessment
identified in Article 11.H, to accurately reflect the State’s administrative costs and
MCIP medical care costs.
Article 10 – Termination and Agreement Disputes
A.This Agreement may be terminated by any party upon written notice given at least
thirty (30) calendar days prior to the termination date. Notice shall be addressed to the
respective parties as identified in Article 5 of this Agreement. The County shall remain
obliged after the termination date to pay for all MCIP administrative costs and MCIP
services incurred by DHCS for periods in which it participated in the program.
B.This Agreement shall be terminated upon cessation of MCIP. The County shall remain
obliged after the termination date to pay for all of the County’s apportioned share of
MCIP administrative costs based on Addendum A and all of the County’s MCIP
services incurred by DHCS for periods in which it participated in the program.
County of Fresno
18-95036
10
C.An informal dispute resolution process shall be undertaken prior to the dispute
resolution processes described in Subparagraphs 1 to 2, below. In case of a dispute
there shall be a discussion between the County and DHCS staff, and if not resolved
then the County shall address the issue to DHCS in a written letter. If unresolved then
the dispute resolution processes in Subparagraphs 1 to 2 shall be undertaken as
appropriate.
1)Nothing in this Agreement shall prevent the County from pursuing any other
administrative and judicial review available to it under law.
2)Judicial review pursuant to Code of Civil Procedure section 1085 shall be
available to resolve disputes relating to the terms, performance, or termination
of this Agreement, or any act, failure to act, conduct, order, or decision of DHCS
that violate this Agreement subject to Article 11.F.
D.The terms of Article 6 (Payment Terms and Invoicing), Article 10 (Termination and
Agreement Disputes), Article 11.B (Indemnification), and Article 11.D (Records) shall
survive after the termination date.
Article 11 – General Provisions
A.Definitions.
1)The term “certified public expenditure process” or “CPE process” means the
process established for the Medi-Cal program under state law (including but
not limited to section 14166.1, et seq.), the California Medi-Cal state plan, and
approved Medicaid demonstration projects and waivers through which public
Medi-Cal providers claim federal financial participation for their allowable
expenditures.
2)The term “days” as used in this Agreement shall mean calendar days unless
specified otherwise.
3)The term “Demonstration Project” means the California Medi-Cal 2020
Demonstration, Number 11-W-00193/9, as approved by CMS effective
beginning December 30, 2015.
4)The term “designated public hospital” is defined as set forth in the
Demonstration Project, which shall be codified in state law at Welfare and
Institutions Code section 14184.10, subdivision (f) pursuant to SB 815 (2016),
and as may be modified from time to time.
5)The term “inmate” as used in this Agreement includes the persons identified in
Welfare and Institutions Code sections 14053.7(e)(2)(A) and 14053.8(k)
“juvenile inmate,” and Government Code sections 26605.6(a) “prisoner,”
County of Fresno
18-95036
11
26605.7(a) “prisoner” and (d)(1) “probationer,” and 26605.8 “prisoner” and
“probationer.”
6)The term “MCIP” or “Medi-Cal County Inmate Program” contains the following
three components: the Adult County Inmate Program (ACIP), as authorized in
state law pursuant to Welfare and Institutions Code section 14053.7 and Penal
Code section 5072, the Juvenile County Ward Program (JCWP), as authorized
in Welfare and Institutions Code section 14053.8, and the County
Compassionate Release Program (CCRP) and County Medical Probation
Program (CMPP), as authorized by Government Code sections 26605.6,
26605.7, and 26605.8.
7)“MCIP administrative services” means the administrative services provided by
DHCS personnel for the administration of MCIP, which shall include, but not be
limited to those services provided by the personnel in Article 8 when claiming
federal reimbursement for MCIP services and seeking reimbursement for
DHCS from the County.
8)“Medi-Cal provider” means, any individual, partnership, group association,
corporation, institution, or entity and the officer, directors, owners, managing
employees or agents of any partnership, group association, corporation,
institution, or entity that provides services, goods, supplies, or merchandise,
directly or indirectly, to a Medi-Cal beneficiary, and that has been enrolled in
the Medi-Cal program.
For purposes of MCIP, a Medi-Cal provider may claim for MCIP services
rendered to the MCIP-eligible inmate depending on the MCIP component
program. For example, a clinic cannot seek reimbursement from DHCS for
outpatient services provided to an ACIP inmate because the outpatient services
provided are not allowable as MCIP services for ACIP. A Medi-Cal provider
does not go through a separate Medi-Cal enrollment or certification process to
participate in MCIP.
9)“MCIP services” constitutes all of the following, only to the extent federal
financial participation is available: a) in ACIP, Medi-Cal allowable inpatient
hospital services, including inpatient psychiatric services, and physician
services provided during the inpatient hospital service stay of adult inmates in
county correctional facilities who are determined eligible for Medi-Cal pursuant
to Welfare and Institutions Code section 14053.7; b) in the Compassionate
Release Program pursuant to Government Code section 26605.6 and Medical
Probation Program pursuant to Government Code section 26605.7, full-scope
Medi-Cal services; c) in JCWP, Medi-Cal allowable inpatient hospital services,
including inpatient psychiatric services and physician services, of juvenile
inmates in county correctional facilities who are determined eligible for Medi-
Cal services pursuant to Welfare and Institutions Code section 14053.8; and,
d) any other Medi-Cal program for which federal reimbursement is available for
County of Fresno
18-95036
12
coverage of adult inmates and juvenile inmates in county correctional facilities,
if authorized by law and agreed to by the County and DHCS by amending this
Agreement.
10) The term “Medi-Cal rate” means the reimbursement determined by the
reimbursement methodology approved for the Medi-Cal provider under the
California State Plan, or Social Security Act section 1115 Demonstration
Project or section 1915 waiver.
11) The State Fiscal Year (SFY) begins on July 1st of each year and ends on June
30th in the subsequent calendar year.
B.Indemnification. It is agreed that the County shall defend, hold harmless, and
indemnify DHCS, its officers, employees, and agents from any and all reported
expenditures, liability, loss, or expense (including reasonable attorney fees) for injuries
or damage to any person, any property, or both which arise out of the terms and
conditions of this Agreement and the negligent or intentional acts or omissions of the
County, its officers, employees, or agents.
C.Severability. If any term, condition, or provision of this Agreement is held by a court
of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions
will nevertheless continue in full force and effect, and shall not be affected, impaired
or invalidated in any way. Notwithstanding the previous sentence, if a decision by a
court of competent jurisdiction invalidates, voids, or renders unenforceable a term,
condition, or provision in this Agreement that is included in the purpose of this
Agreement then the parties to this Agreement shall either amend this Agreement
pursuant to Article 9, or it shall be terminated pursuant to Article 10.
D.Records. DHCS and the County shall maintain and preserve all records relating to
this Agreement for a period of three (3) years from DHCS’ receipt of the last payment
of FFP, or until three years after all audit findings are resolved, whichever is later. This
does not limit any responsibilities held by DHCS or the County provided for elsewhere
in this Agreement, or in state or federal law.
E.Compliance with Applicable Laws. All parties performance under this Agreement shall
be in accordance with all applicable federal and state laws, including, but not limited
to:
1)The Americans with Disabilities Act of 1990, as amended;
2)Section 504 of the Rehabilitation Act of 1973, as amended;
3)Title XIX of the Social Security Act;
4)Welfare and Institutions Code section 14000 et seq.;
5)Government Code section 53060;
6)The California Medicaid State Plan;
County of Fresno
18-95036
13
7)Laws and regulations including, but not limited to those related to licensure,
certification, confidentiality of records, quality assurance, and
nondiscrimination;
8)The Policy and Procedure Letters, and similar instructions, published with
regulatory authority;
9)Government Code sections 26605.6, 26605.7, and 26605.8;
10)Penal Code section 5072;
11)Title 42 of the Code of Federal Regulations; and,
12)California Code of Regulations.
F.Controlling Law and Venue. The validity of this Agreement and its terms or provisions,
as well as the rights and duties of the parties hereunder, the interpretation and
performance of this Agreement shall be governed by the laws of the State of California.
Venue of any action brought with regards to this Agreement shall be in any county in
which the Attorney General maintains an office.
G.Integration Clause.
1)This Agreement and any exhibits and addendums attached hereto shall
constitute the entire Agreement among the parties to it pertaining to the
implementation of MCIP and supersedes any prior or contemporaneous
understanding or agreement with respect to the subject matter of this
Agreement.
2)Notwithstanding Subparagraph G.1., DHCS Form 9098 or DHCS Form 6208
(whichever is applicable) is incorporated by reference into this Agreement if the
County has a DHCS Form 9098 or DHCS Form 6208 on record.
Notwithstanding Subparagraph G.1., the terms of the DHCS Form 9098 or
DHCS Form 6208 controls to the extent there is a conflict with this Agreement,
except for Article 10 of this Agreement. If the DHCS Form 9098 or DHCS Form
6208 does not address a matter addressed by this Agreement, then this
Agreement controls.
H.Periodic Assessment. Pursuant to Welfare and Institutions Code sections 14053.7
and 14053.8, and Government Code sections 26605.6, 26605.7, and 26605.8, the
County enters into this Agreement in order to implement MCIP under which the County
may participate and for which the County will pay the nonfederal share of all federally
reimbursable administrative costs and medical care costs incurred by DHCS
performing activities described in Article 7. The County agrees that DHCS, in its sole
discretion, may conduct a periodic assessment in consultation with the counties, of
such costs incurred by DHCS to determine compliance with Welfare and Institutions
Code sections 14053.7 and 14053.8, Penal Code section 5072, and Government
Code sections 26605.6, 26605.7, and 26605.8, and DHCS agrees to ensure that all
invoicing as described in Article 6 and any other relevant documentation will be
accordingly updated to ensure compliance with Welfare and Institutions Code sections
County of Fresno
18-95036
14
14053.7 and 14053.8, Penal Code section 5072, and Government Code sections
26605.6, 26605.7, and 26605.8.
I.Conformance Clause. Any provision of this Agreement in conflict with present or
future governing authorities is hereby amended to conform to those authorities and
such amended provisions supersede any conflicting provisions in this Agreement.
The governing authorities include, but are not limited to the authorities listed in Article
11.E.
J.Waiver. No covenant, condition, duty, obligation, or undertaking made a part of this
Agreement shall be waived except by amendment of the Agreement by the parties
hereto, and forbearance or indulgence in any other form or manner by either party in
any regard whatsoever shall not constitute a waiver of the covenant, condition, duty,
obligation, or undertaking to be kept, performed, or discharged by the other party to
which the same may apply; and, until performance or satisfaction of all covenants,
duties, obligations, or undertakings is complete, the party shall have the right to invoke
any remedy available under this Agreement, or under law, notwithstanding such
forbearance or indulgence.
K.Third Party Benefit. None of the provisions of this Agreement are or shall be construed
as for the benefit of, or enforceable by, any person not a party to this Agreement.
L.Conflict of Interest. The County is subject to the Medi-Cal Conflict of Interest Law, as
applicable and set forth in Welfare and Institutions Code section 14022 and Article 1.1
(commencing with section 14030), and implemented pursuant to California Code of
Regulations, title 22, section 51466.
M.Budget Contingency Clause.
1)DHCS will seek an appropriation in the Budget Act each State fiscal year which
would authorize DHCS to pay Medi-Cal providers for MCIP services. It is
mutually agreed that if the State Budget Act of the current SFY or any
subsequent SFYs covered under this Agreement does not appropriate any
funds for MCIP, this Agreement shall be of no further force and effect. In this
event, an Article 10.B termination shall be implemented and DHCS shall have
no liability to pay any funds whatsoever to Medi-Cal providers for MCIP
services for the County’s inmates rendered through the termination date of this
Agreement.
2)If funding associated with MCIP for any SFY is reduced by the State Budget
Act DHCS shall have the option to cancel this Agreement, with no liability
occurring to the State.
County of Fresno
18-95036
15
N.Limitation of State Liability.
1)Notwithstanding any other provision of this Agreement, DHCS shall be held
harmless from any federal audit disallowance and interest resulting from
payments made by the federal Medicaid program as reimbursement for claims
providing services for MCIP, less the amounts already remitted to or recovered
by DHCS for the disallowed claim.
2)To the extent that a federal audit disallowance and interest results from a claim
or claims for which the Medi-Cal provider has received reimbursement for MCIP
services under this Agreement, DHCS shall recoup from the Medi-Cal provider,
upon written notice, amounts equal to the amount of the disallowance and
interest in that fiscal year for the disallowed claim, less the amounts already
remitted to or recovered by DHCS. All subsequent claims submitted to DHCS
applicable to any previously disallowed claim, may be held in abeyance, with
no payment made, until the federal disallowance issue is resolved.
O.Exclusions. The County shall comply with the following requirements:
1)The conviction of an employee or subcontractor of the County, or of an
employee of a subcontractor, of any felony or of a misdemeanor involving fraud,
abuse of any Medi-Cal beneficiary, or abuse of the Medi-Cal program, shall
result in the exclusion of that employee or subcontractor, or employee of a
subcontractor, from participation in MCIP except as a beneficiary.
2)Exclusion after conviction described in Article 11.O.1 shall result regardless of
any subsequent order under Penal Code section 1203.4 allowing a person to
withdraw his or her plea of guilty and to enter a plea of not guilty, or setting
aside the verdict of guilty, or dismissing the accusation, information, or
indictment.
3)Suspension or exclusion of an employee or a subcontractor, or of an employee
of a subcontractor, from participation in the Medi-Cal program, the Medicaid
program, or the Medicare program, shall result in the exclusion of that
employee or subcontractor, or employee of a subcontractor, from participation
in MCIP, except as a beneficiary.
4)Revocation, suspension, or restriction of the license, certificate, or registration
of any employee, subcontractor, or employee of a subcontractor, shall result in
exclusion from MCIP, when such license, certificate, or registration is required
for the provision of services.
County of Fresno
18-95036
16
P.Confidentiality. The County shall comply with the applicable confidentiality
requirements as specified in Section 1902(a)(7) of the Social Security Act; Code of
Federal Regulations, title 42, section 431.300; Welfare and Institutions Code section
14100.2; and California Code of Regulations, title 22, section 51009; and, the
Business Associates Agreement attached and hereby incorporated by reference.
Q.Data Sharing.
1)The County shall comply with all provisions of the current Business Associates
Agreement (BAA) incorporated by reference and made part of this Agreement
as Addendum B.
County of Fresno
18-95036
ADDENDUM A: MCIP Administrative Costs for State Fiscal Year 2018-19
The Medi-Cal County Inmate Program (MCIP) agreement is a one-year contract giving counties
the option to participate on an annual basis. At the beginning of each calendar year, counties
have the opportunity to participate in the program for the upcoming State Fiscal Year (SFY) by
completing the MCIP Agreement.
The methodology for calculating each county’s nonfederal share of administrative costs was
developed by DHCS, in consultation with the California State Association of Counties, County
Health Executives Association of California, California Association of Public Hospitals and Health
Systems, and the California State Sheriffs’ Association. For SFY 2018-19 the nonfederal share of
administrative costs allocated to each county will be based on the following:
1) 30% of the total administrative costs will be distributed evenly to participating
counties over 50,000 in population. *
2) 70% of the total administrative costs will be allocated to participating counties
pro-rata based on population. *
*Population data will be obtained from the California Department of Finance,
Demographic Estimates
DHCS will invoice participating counties for the nonfederal share of administrative costs six
months after the close of the SFY based on actual administrative costs per the methodology
above, not exceeding the estimated amounts in the MCIP agreements.
County of Fresno
18-95036
Page 1 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
I. Recitals
A. This Contract (Agreement) has been determined to constitute a business associate relationship under
the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health
Information Technology for Economic and Clinical Health Act, Public Law 111-005 ('the HITECH Act"),
42 U.S.C. section 17921 et seq., and their implementing privacy and security regulations at 45 CFR Parts
160 and 164 (“the HIPAA regulations”).
B. The Department of Health Care Services (“DHCS”) wishes to disclose to Business Associate certain
information pursuant to the terms of this Agreement, some of which may constitute Protected Health
Information (“PHI”), including protected health information in electronic media (“ePHI”), under federal law,
and personal information ("PI") under state law.
C. As set forth in this Agreement, Contractor, here and after, is the Business Associate of DHCS acting on
DHCS' behalf and provides services, arranges, performs or assists in the performance of functions or
activities on behalf of DHCS and creates, receives, maintains, transmits, uses or discloses PHI and PI.
DHCS and Business Associate are each a party to this Agreement and are collectively referred to as the
"parties.”
D. The purpose of this Addendum is to protect the privacy and security of the PHI and PI that may be
created, received, maintained, transmitted, used or disclosed pursuant to this Agreement, and to comply
with certain standards and requirements of HIPAA, the HITECH Act and the HIPAA regulations, including,
but not limited to, the requirement that DHCS must enter into a contract containing specific requirements
with Contractor prior to the disclosure of PHI to Contractor, as set forth in 45 CFR Parts 160 and 164 and
the HITECH Act, and the Final Omnibus Rule as well as the Alcohol and Drug Abuse patient records
confidentiality law 42 CFR Part 2, and any other applicable state or federal law or regulation. 42 CFR
section 2.1(b)(2)(B) allows for the disclosure of such records to qualified personnel for the purpose of
conducting management or financial audits, or program evaluation. 42 CFR Section 2.53(d) provides that
patient identifying information disclosed under this section may be disclosed only back to the program
from which it was obtained and used only to carry out an audit or evaluation purpose or to investigate or
prosecute criminal or other activities, as authorized by an appropriate court order.
E. The terms used in this Addendum, but not otherwise defined, shall have the same meanings as those
terms have in the HIPAA regulations. Any reference to statutory or regulatory language shall be to such
language as in effect or as amended.
II. Definitions
A. Breach shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA regulations,
and the Final Omnibus Rule.
B. Business Associate shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA
regulations, and the final Omnibus Rule.
C. Covered Entity shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA
regulations, and Final Omnibus Rule.
D. Electronic Health Record shall have the meaning given to such term in the HITECH Act, including, but
not limited to, 42 U.S.C Section 17921 and implementing regulations.
County of Fresno
18-95036
Page 2 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
E. Electronic Protected Health Information (ePHI) means individually identifiable health information
transmitted by electronic media or maintained in electronic media, including but not limited to electronic
media as set forth under 45 CFR section 160.103.
F. Individually Identifiable Health Information means health information, including demographic information
collected from an individual, that is created or received by a health care provider, health plan, employer
or health care clearinghouse, and relates to the past, present or future physical or mental health or
condition of an individual, the provision of health care to an individual, or the past, present, or future
payment for the provision of health care to an individual, that identifies the individual or where there is a
reasonable basis to believe the information can be used to identify the individual, as set forth under 45
CFR section 160.103.
G. Privacy Rule shall mean the HIPAA Regulation that is found at 45 CFR Parts 160 and 164.
H. Personal Information shall have the meaning given to such term in California Civil Code section 1798.29.
I. Protected Health Information means individually identifiable health information that is transmitted by
electronic media, maintained in electronic media, or is transmitted or maintained in any other form or
medium, as set forth under 45 CFR section 160.103.
J. Required by law, as set forth under 45 CFR section 164.103, means a mandate contained in law that
compels an entity to make a use or disclosure of PHI that is enforceable in a court of law. This includes,
but is not limited to, court orders and court-ordered warrants, subpoenas or summons issued by a court,
grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the
production of information, and a civil or an authorized investigative demand. It also includes Medicare
conditions of participation with respect to health care providers participating in the program, and statutes
or regulations that require the production of information, including statutes or regulations that require
such information if payment is sought under a government program providing public benefits.
K. Secretary means the Secretary of the U.S. Department of Health and Human Services ("HHS") or the
Secretary's designee.
L. Security Incident means the attempted or successful unauthorized access, use, disclosure, modification,
or destruction of PHI or PI, or confidential data that is essential to the ongoing operation of the Business
Associate’s organization and intended for internal use; or interference with system operations in an
information system.
M. Security Rule shall mean the HIPAA regulation that is found at 45 CFR Parts 160 and 164.
N. Unsecured PHI shall have the meaning given to such term under the HITECH Act, 42 U.S.C. section
17932(h), any guidance issued pursuant to such Act, and the HIPAA regulations.
III. Terms of Agreement
A. Permitted Uses and Disclosures of PHI by Business Associate
Permitted Uses and Disclosures. Except as otherwise indicated in this Addendum, Business Associate
may use or disclose PHI only to perform functions, activities or services specified in this Agreement, for,
or on behalf of DHCS, provided that such use or disclosure would not violate the HIPAA regulations, if
done by DHCS. Any such use or disclosure must, to the extent practicable, be limited to the limited data
set, as defined in 45 CFR section 164.514(e)(2), or, if needed, to the minimum necessary to accomplish
County of Fresno
18-95036
Page 3 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
the intended purpose of such use or disclosure, in compliance with the HITECH Act and any guidance
issued pursuant to such Act, the HIPAA regulations, the Final Omnibus Rule and 42 CFR Part 2.
1. Specific Use and Disclosure Provisions. Except as otherwise indicated in this Addendum,
Business Associate may:
a. Use and disclose for management and administration. Use and disclose PHI for the proper
management and administration of the Business Associate provided that such disclosures are
required by law, or the Business Associate obtains reasonable assurances from the person to
whom the information is disclosed that it will remain confidential and will be used or further
disclosed only as required by law or for the purpose for which it was disclosed to the person, and
the person notifies the Business Associate of any instances of which it is aware that the
confidentiality of the information has been breached.
b. Provision of Data Aggregation Services. Use PHI to provide data aggregation services to
DHCS. Data aggregation means the combining of PHI created or received by the Business
Associate on behalf of DHCS with PHI received by the Business Associate in its capacity as the
Business Associate of another covered entity, to permit data analyses that relate to the health
care operations of DHCS.
B. Prohibited Uses and Disclosures
1. Business Associate shall not disclose PHI about an individual to a health plan for payment or health
care operations purposes if the PHI pertains solely to a health care item or service for which the
health care provider involved has been paid out of pocket in full and the individual requests such
restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section 164.522(a).
2. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except
with the prior written consent of DHCS and as permitted by 42 U.S.C. section 17935(d)(2).
C. Responsibilities of Business Associate
Business Associate agrees:
1. Nondisclosure. Not to use or disclose Protected Health Information (PHI) other than as permitted
or required by this Agreement or as required by law.
2. Safeguards. To implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic PHI,
that it creates, receives, maintains, uses or transmits on behalf of DHCS, in compliance with 45 CFR
sections 164.308, 164.310 and 164.312, and to prevent use or disclosure of PHI other than as
provided for by this Agreement. Business Associate shall implement reasonable and appropriate
policies and procedures to comply with the standards, implementation specifications and other
requirements of 45 CFR section 164, subpart C, in compliance with 45 CFR section 164.316.
Business Associate shall develop and maintain a written information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and complexity
of the Business Associate’s operations and the nature and scope of its activities, and which
incorporates the requirements of section 3, Security, below. Business Associate will provide DHCS
with its current and updated policies.
County of Fresno
18-95036
Page 4 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
3. Security. To take any and all steps necessary to ensure the continuous security of all computerized
data systems containing PHI and/or PI, and to protect paper documents containing PHI and/or PI.
These steps shall include, at a minimum:
a. Complying with all of the data system security precautions listed in Attachment A, the Business
Associate Data Security Requirements;
b. Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and 164),
as necessary in conducting operations on behalf of DHCS under this Agreement;
c. Providing a level and scope of security that is at least comparable to the level and scope of
security established by the Office of Management and Budget in OMB Circular No. A-130,
Appendix III - Security of Federal Automated Information Systems, which sets forth guidelines for
automated information systems in Federal agencies; and
d. In case of a conflict between any of the security standards contained in any of these enumerated
sources of security standards, the most stringent shall apply. The most stringent means that
safeguard which provides the highest level of protection to PHI from unauthorized disclosure.
Further, Business Associate must comply with changes to these standards that occur after the
effective date of this Agreement.
Business Associate shall designate a Security Officer to oversee its data security program who shall
be responsible for carrying out the requirements of this section and for communicating on security
matters with DHCS.
D. Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known
to Business Associate of a use or disclosure of PHI by Business Associate or its subcontractors in
violation of the requirements of this Addendum.
E. Business Associate’s Agents and Subcontractors.
1. To enter into written agreements with any agents, including subcontractors and vendors, to whom
Business Associate provides PHI or PI received from or created or received by Business Associate
on behalf of DHCS, that impose the same restrictions and conditions on such agents, subcontractors
and vendors that apply to Business Associate with respect to such PHI and PI under this Addendum,
and that comply with all applicable provisions of HIPAA, the HITECH Act the HIPAA regulations, and
the Final Omnibus Rule, including the requirement that any agents, subcontractors or vendors
implement reasonable and appropriate administrative, physical, and technical safeguards to protect
such PHI and PI. Business associates are directly liable under the HIPAA Rules and subject to civil
and, in some cases, criminal penalties for making uses and disclosures of protected health
information that are not authorized by its contract or required by law. A business associate also is
directly liable and subject to civil penalties for failing to safeguard electronic protected health
information in accordance with the HIPAA Security Rule. A “business associate” also is a
subcontractor that creates, receives, maintains, or transmits protected health information on behalf
of another business associate. Business Associate shall incorporate, when applicable, the relevant
provisions of this Addendum into each subcontract or subaward to such agents, subcontractors and
vendors, including the requirement that any security incidents or breaches of unsecured PHI or PI be
reported to Business Associate.
County of Fresno
18-95036
Page 5 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
2. In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate’s knowledge of a
material breach or violation by its subcontractor of the agreement between Business Associate and
the subcontractor, Business Associate shall:
a. Provide an opportunity for the subcontractor to cure the breach or end the violation and terminate
the agreement if the subcontractor does not cure the breach or end the violation within the time
specified by DHCS; or
b. Immediately terminate the agreement if the subcontractor has breached a material term of the
agreement and cure is not possible.
F. Availability of Information to DHCS and Individuals. To provide access and information:
1. To provide access as DHCS may require, and in the time and manner designated by DHCS (upon
reasonable notice and during Business Associate’s normal business hours) to PHI in a Designated
Record Set, to DHCS (or, as directed by DHCS), to an Individual, in accordance with 45 CFR section
164.524. Designated Record Set means the group of records maintained for DHCS that includes
medical, dental and billing records about individuals; enrollment, payment, claims adjudication, and
case or medical management systems maintained for DHCS health plans; or those records used to
make decisions about individuals on behalf of DHCS. Business Associate shall use the forms and
processes developed by DHCS for this purpose and shall respond to requests for access to records
transmitted by DHCS within fifteen (15) calendar days of receipt of the request by producing the
records or verifying that there are none.
2. If Business Associate maintains an Electronic Health Record with PHI, and an individual requests a
copy of such information in an electronic format, Business Associate shall provide such information
in an electronic format to enable DHCS to fulfill its obligations under the HITECH Act, including but
not limited to, 42 U.S.C. section 17935(e).
3. If Business Associate receives data from DHCS that was provided to DHCS by the Social Security
Administration, upon request by DHCS, Business Associate shall provide DHCS with a list of all
employees, contractors and agents who have access to the Social Security data, including
employees, contractors and agents of its subcontractors and agents.
G. Amendment of PHI. To make any amendment(s) to PHI that DHCS directs or agrees to pursuant to 45
CFR section 164.526, in the time and manner designated by DHCS.
H. Internal Practices. To make Business Associate’s internal practices, books and records relating to the
use and disclosure of PHI received from DHCS, or created or received by Business Associate on behalf
of DHCS, available to DHCS or to the Secretary of the U.S. Department of Health and Human Services
in a time and manner designated by DHCS or by the Secretary, for purposes of determining DHCS’
compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive
possession of any other entity or person and the other entity or person fails or refuses to furnish the
information to Business Associate, Business Associate shall so certify to DHCS and shall set forth the
efforts it made to obtain the information.
County of Fresno
18-95036
Page 6 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
I. Documentation of Disclosures. To document and make available to DHCS or (at the direction of
DHCS) to an Individual such disclosures of PHI, and information related to such disclosures, necessary
to respond to a proper request by the subject Individual for an accounting of disclosures of PHI, in
accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR
section 164.528 and 42 U.S.C. section 17935(c). If Business Associate maintains electronic health
records for DHCS as of January 1, 2009, Business Associate must provide an accounting of disclosures,
including those disclosures for treatment, payment or health care operations, effective with disclosures
on or after January 1, 2014. If Business Associate acquires electronic health records for DHCS after
January 1, 2009, Business Associate must provide an accounting of disclosures, including those
disclosures for treatment, payment or health care operations, effective with disclosures on or after the
date the electronic health record is acquired, or on or after January 1, 2011, whichever date is later. The
electronic accounting of disclosures shall be for disclosures during the three years prior to the request
for an accounting.
J. Breaches and Security Incidents. During the term of this Agreement, Business Associate agrees to
implement reasonable systems for the discovery and prompt reporting of any breach or security incident,
and to take the following steps:
1. Notice to DHCS. (1) To notify DHCS immediately upon the discovery of a suspected security
incident that involves data provided to DHCS by the Social Security Administration. This notification
will be by telephone call plus email or fax upon the discovery of the breach. (2) To notify DHCS
within 24 hours by email or fax of the discovery of unsecured PHI or PI in electronic media or in
any other media if the PHI or PI was, or is reasonably believed to have been, accessed or acquired
by an unauthorized person, any suspected security incident, intrusion or unauthorized access, use or
disclosure of PHI or PI in violation of this Agreement and this Addendum, or potential loss of
confidential data affecting this Agreement. A breach shall be treated as discovered by Business
Associate as of the first day on which the breach is known, or by exercising reasonable diligence
would have been known, to any person (other than the person committing the breach) who is an
employee, officer or other agent of Business Associate.
Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer and the
DHCS Information Security Officer. If the incident occurs after business hours or on a weekend or
holiday and involves data provided to DHCS by the Social Security Administration, notice shall be
provided by calling the DHCS EITS Service Desk. Notice shall be made using the “DHCS Privacy
Incident Report” form, including all information known at the time. Business Associate shall use the
most current version of this form, which is posted on the DHCS Privacy Office website
(www.dhcs.ca.gov, then select “Privacy” in the left column and then “Business Use” near the middle
of the page) or use this link:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx
Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or
disclosure of PHI or PI, Business Associate shall take:
a. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect
the operating environment; and
b. Any action pertaining to such unauthorized disclosure required by applicable Federal and State
laws and regulations.
County of Fresno
18-95036
Page 7 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
2. Investigation and Investigation Report. To immediately investigate such security incident, breach,
or unauthorized access, use or disclosure of PHI or PI. If the initial report did not include all of the
requested information marked with an asterisk, then within 72 hours of the discovery, Business
Associate shall submit an updated “DHCS Privacy Incident Report” containing the information marked
with an asterisk and all other applicable information listed on the form, to the extent known at that
time, to the DHCS Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information
Security Officer:
3. Complete Report. To provide a complete report of the investigation to the DHCS Program Contract
Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer within ten (10)
working days of the discovery of the breach or unauthorized use or disclosure. If all of the required
information was not included in either the initial report, or the Investigation Report, then a separate
Complete Report must be submitted. The report shall be submitted on the “DHCS Privacy Incident
Report” form and shall include an assessment of all known factors relevant to a determination of
whether a breach occurred under applicable provisions of HIPAA, the HITECH Act, the HIPAA
regulations and/or state law. The report shall also include a full, detailed corrective action plan,
including information on measures that were taken to halt and/or contain the improper use or
disclosure. If DHCS requests information in addition to that listed on the ”DHCS Privacy Incident
Report” form, Business Associate shall make reasonable efforts to provide DHCS with such
information. If necessary, a Supplemental Report may be used to submit revised or additional
information after the completed report is submitted, by submitting the revised or additional information
on an updated “DHCS Privacy Incident Report” form. DHCS will review and approve or disapprove
the determination of whether a breach occurred, is reportable to the appropriate entities, if individual
notifications are required, and the corrective action plan.
4. Notification of Individuals. If the cause of a breach of PHI or PI is attributable to Business Associate
or its subcontractors, agents or vendors, Business Associate shall notify individuals of the breach or
unauthorized use or disclosure when notification is required under state or federal law and shall pay
any costs of such notifications, as well as any costs associated with the breach. The notifications
shall comply with the requirements set forth in 42 U.S.C. section 17932 and its implementing
regulations, including, but not limited to, the requirement that the notifications be made without
unreasonable delay and in no event later than 60 calendar days. The DHCS Program Contract
Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer shall approve the
time, manner and content of any such notifications and their review and approval must be obtained
before the notifications are made.
5. Responsibility for Reporting of Breaches. If the cause of a breach of PHI or PI is attributable to
Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for
all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing
regulations, including notification to media outlets and to the Secretary. If a breach of unsecured PHI
involves more than 500 residents of the State of California or its jurisdiction, Business Associate shall
notify the Secretary of the breach immediately upon discovery of the breach. If Business Associate
has reason to believe that duplicate reporting of the same breach or incident may occur because its
subcontractors, agents or vendors may report the breach or incident to DHCS in addition to Business
Associate, Business Associate shall notify DHCS, and DHCS and Business Associate may take
appropriate action to prevent duplicate reporting. The breach reporting requirements of this
paragraph are in addition to the reporting requirements set forth in subsection 1, above.
6. DHCS Contact Information. To direct communications to the above referenced DHCS staff, the
Contractor shall initiate contact as indicated herein. DHCS reserves the right to make changes to the
County of Fresno
18-95036
Page 8 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
contact information below by giving written notice to the Contractor. Said changes shall not require
an amendment to this Addendum or the Agreement to which it is incorporated.
DHCS Program
Contract Manager
DHCS Privacy Officer DHCS Information Security Officer
See the Scope of Work
exhibit for Program
Contract Manager
information
Privacy Officer
c/o: Office of HIPAA Compliance
Department of Health Care Services
P.O. Box 997413, MS 4722
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646
Fax: (916) 440-7680
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Fax: (916) 440-5537
Telephone: EITS Service Desk
(916) 440-7000 or
(800) 579-0874
K. Termination of Agreement. In accordance with Section 13404(b) of the HITECH Act and to the extent
required by the HIPAA regulations, if Business Associate knows of a material breach or violation by
DHCS of this Addendum, it shall take the following steps:
1. Provide an opportunity for DHCS to cure the breach or end the violation and terminate the Agreement
if DHCS does not cure the breach or end the violation within the time specified by Business Associate;
or
2. Immediately terminate the Agreement if DHCS has breached a material term of the Addendum and
cure is not possible.
L. Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps to
ensure that it remains in compliance with this Addendum and is in compliance with applicable provisions
of HIPAA, the HITECH Act and the HIPAA regulations, and that its agents, subcontractors and vendors
are in compliance with their obligations as required by this Addendum.
M. Sanctions and/or Penalties. Business Associate understands that a failure to comply with the
provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Business
Associate may result in the imposition of sanctions and/or penalties on Business Associate under HIPAA,
the HITECH Act and the HIPAA regulations.
IV. Obligations of DHCS
DHCS agrees to:
A. Notice of Privacy Practices. Provide Business Associate with the Notice of Privacy Practices that
DHCS produces in accordance with 45 CFR section 164.520, as well as any changes to such notice.
Visit the DHCS Privacy Office to view the most current Notice of Privacy Practices at:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/default.aspx or the DHCS website at
www.dhcs.ca.gov (select “Privacy in the left column and “Notice of Privacy Practices” on the right side of
the page).
B. Permission by Individuals for Use and Disclosure of PHI. Provide the Business Associate with any
changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect
the Business Associate’s permitted or required uses and disclosures.
County of Fresno
18-95036
Page 9 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
C. Notification of Restrictions. Notify the Business Associate of any restriction to the use or disclosure of
PHI that DHCS has agreed to in accordance with 45 CFR section 164.522, to the extent that such
restriction may affect the Business Associate’s use or disclosure of PHI.
D. Requests Conflicting with HIPAA Rules. Not request the Business Associate to use or disclose PHI
in any manner that would not be permissible under the HIPAA regulations if done by DHCS.
V. Audits, Inspection and Enforcement
A. From time to time, DHCS may inspect the facilities, systems, books and records of Business Associate
to monitor compliance with this Agreement and this Addendum. Business Associate shall promptly
remedy any violation of any provision of this Addendum and shall certify the same to the DHCS Privacy
Officer in writing. The fact that DHCS inspects, or fails to inspect, or has the right to inspect, Business
Associate’s facilities, systems and procedures does not relieve Business Associate of its responsibility to
comply with this Addendum, nor does DHCS’:
1. Failure to detect or
2. Detection, but failure to notify Business Associate or require Business Associate’s remediation of any
unsatisfactory practices constitute acceptance of such practice or a waiver of DHCS’ enforcement
rights under this Agreement and this Addendum.
B. If Business Associate is the subject of an audit, compliance review, or complaint investigation by the
Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is related to
the performance of its obligations pursuant to this HIPAA Business Associate Addendum, Business
Associate shall notify DHCS and provide DHCS with a copy of any PHI or PI that Business Associate
provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI or PI to the
Secretary. Business Associate is responsible for any civil penalties assessed due to an audit or
investigation of Business Associate, in accordance with 42 U.S.C. section 17934(c).
VI. Termination
A. Term. The Term of this Addendum shall commence as of the effective date of this Addendum and shall
extend beyond the termination of the contract and shall terminate when all the PHI provided by DHCS to
Business Associate, or created or received by Business Associate on behalf of DHCS, is destroyed or
returned to DHCS, in accordance with 45 CFR 164.504(e)(2)(ii)(I).
B. Termination for Cause. In accordance with 45 CFR section 164.504(e)(1)(ii), upon DHCS’ knowledge
of a material breach or violation of this Addendum by Business Associate, DHCS shall:
1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate
this Agreement if Business Associate does not cure the breach or end the violation within the time
specified by DHCS; or
2. Immediately terminate this Agreement if Business Associate has breached a material term of this
Addendum and cure is not possible.
County of Fresno
18-95036
Page 10 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
C. Judicial or Administrative Proceedings. Business Associate will notify DHCS if it is named as a
defendant in a criminal proceeding for a violation of HIPAA. DHCS may terminate this Agreement if
Business Associate is found guilty of a criminal violation of HIPAA. DHCS may terminate this Agreement
if a finding or stipulation that the Business Associate has violated any standard or requirement of HIPAA,
or other security or privacy laws is made in any administrative or civil proceeding in which the Business
Associate is a party or has been joined.
D. Effect of Termination. Upon termination or expiration of this Agreement for any reason, Business
Associate shall return or destroy all PHI received from DHCS (or created or received by Business
Associate on behalf of DHCS) that Business Associate still maintains in any form, and shall retain no
copies of such PHI. If return or destruction is not feasible, Business Associate shall notify DHCS of the
conditions that make the return or destruction infeasible, and DHCS and Business Associate shall
determine the terms and conditions under which Business Associate may retain the PHI. Business
Associate shall continue to extend the protections of this Addendum to such PHI, and shall limit further
use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This
provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
VII. Miscellaneous Provisions
A. Disclaimer. DHCS makes no warranty or representation that compliance by Business Associate with
this Addendum, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business Associate’s
own purposes or that any information in Business Associate’s possession or control, or transmitted or
received by Business Associate, is or will be secure from unauthorized use or disclosure. Business
Associate is solely responsible for all decisions made by Business Associate regarding the safeguarding
of PHI.
B. Amendment. The parties acknowledge that federal and state laws relating to electronic data security
and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for
procedures to ensure compliance with such developments. The parties specifically agree to take such
action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the
HIPAA regulations and other applicable laws relating to the security or privacy of PHI. Upon DHCS’
request, Business Associate agrees to promptly enter into negotiations with DHCS concerning an
amendment to this Addendum embodying written assurances consistent with the standards and
requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable laws. DHCS may
terminate this Agreement upon thirty (30) days written notice in the event:
1. Business Associate does not promptly enter into negotiations to amend this Addendum when
requested by DHCS pursuant to this Section; or
2. Business Associate does not enter into an amendment providing assurances regarding the
safeguarding of PHI that DHCS in its sole discretion, deems sufficient to satisfy the standards and
requirements of HIPAA and the HIPAA regulations.
C. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and
any subcontractors, employees or agents assisting Business Associate in the performance of its
obligations under this Agreement, available to DHCS at no cost to DHCS to testify as witnesses, or
otherwise, in the event of litigation or administrative proceedings being commenced against DHCS, its
directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other
laws relating to security and privacy, which involves inactions or actions by the Business Associate,
except where Business Associate or its subcontractor, employee or agent is a named adverse party.
County of Fresno
18-95036
Page 11 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
D. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this Addendum
is intended to confer, nor shall anything herein confer, upon any person other than DHCS or Business
Associate and their respective successors or assignees, any rights, remedies, obligations or liabilities
whatsoever.
E. Interpretation. The terms and conditions in this Addendum shall be interpreted as broadly as necessary
to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations and applicable state laws.
The parties agree that any ambiguity in the terms and conditions of this Addendum shall be resolved in
favor of a meaning that complies and is consistent with HIPAA, the HITECH Act and the HIPAA
regulations.
F. Regulatory References. A reference in the terms and conditions of this Addendum to a section in the
HIPAA regulations means the section as in effect or as amended.
G. Survival. The respective rights and obligations of Business Associate under Section VI.D of this
Addendum shall survive the termination or expiration of this Agreement.
H. No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on
any one or more occasions shall be deemed a waiver of performance of any continuing or other
obligation, or shall prohibit enforcement of any obligation, on any other occasion.
County of Fresno
18-95036
Page 12 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
Attachment A
Business Associate Data Security Requirements
I. Personnel Controls
A. Employee Training. All workforce members who assist in the performance of functions or activities
on behalf of DHCS, or access or disclose DHCS PHI or PI must complete information privacy and
security training, at least annually, at Business Associate’s expense. Each workforce member who
receives information privacy and security training must sign a certification, indicating the member’s
name and the date on which the training was completed. These certifications must be retained for a
period of six (6) years following contract termination.
B. Employee Discipline. Appropriate sanctions must be applied against workforce members who fail
to comply with privacy policies and procedures or any provisions of these requirements, including
termination of employment where appropriate.
C. Confidentiality Statement. All persons that will be working with DHCS PHI or PI must sign a
confidentiality statement that includes, at a minimum, General Use, Security and Privacy Safeguards,
Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce
member prior to access to DHCS PHI or PI. The statement must be renewed annually. The
Contractor shall retain each person’s written confidentiality statement for DHCS inspection for a
period of six (6) years following contract termination.
D. Background Check. Before a member of the workforce may access DHCS PHI or PI, a thorough
background check of that worker must be conducted, with evaluation of the results to assure that
there is no indication that the worker may present a risk to the security or integrity of confidential data
or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce member’s
background check documentation for a period of three (3) years following contract termination.
II. Technical Security Controls
A. Workstation/Laptop encryption. All workstations and laptops that process and/or store DHCS PHI
or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such as
Advanced Encryption Standard (AES). The encryption solution must be full disk unless approved by
the DHCS Information Security Office.
B. Server Security. Servers containing unencrypted DHCS PHI or PI must have sufficient
administrative, physical, and technical controls in place to protect that data, based upon a risk
assessment/system security review.
C. Minimum Necessary. Only the minimum necessary amount of DHCS PHI or PI required to perform
necessary business functions may be copied, downloaded, or exported.
D. Removable media devices. All electronic files that contain DHCS PHI or PI data must be encrypted
when stored on any removable media or portable device (i.e. USB thumb drives, floppies, CD/DVD,
smartphones, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm which is 128bit
or higher, such as AES.
E. Antivirus software. All workstations, laptops and other systems that process and/or store DHCS
PHI or PI must install and actively use comprehensive anti-virus software solution with automatic
updates scheduled at least daily.
County of Fresno
18-95036
Page 13 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
F. Patch Management. All workstations, laptops and other systems that process and/or store DHCS
PHI or PI must have critical security patches applied, with system reboot if necessary. There must
be a documented patch management process which determines installation timeframe based on risk
assessment and vendor recommendations. At a maximum, all applicable patches must be installed
within 30 days of vendor release.
G. User IDs and Password Controls. All users must be issued a unique user name for accessing
DHCS PHI or PI. Username must be promptly disabled, deleted, or the password changed upon the
transfer or termination of an employee with knowledge of the password, at maximum within 24 hours.
Passwords are not to be shared. Passwords must be at least eight characters and must be a non-
dictionary word. Passwords must not be stored in readable format on the computer. Passwords must
be changed every 90 days, preferably every 60 days. Passwords must be changed if revealed or
compromised. Passwords must be composed of characters from at least three of the following four
groups from the standard keyboard:
• Upper case letters (A-Z)
• Lower case letters (a-z)
• Arabic numerals (0-9)
• Non-alphanumeric characters (punctuation symbols)
H. Data Destruction. When no longer needed, all DHCS PHI or PI must be cleared, purged, or
destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such
that the PHI or PI cannot be retrieved.
I. System Timeout. The system providing access to DHCS PHI or PI must provide an automatic
timeout, requiring re-authentication of the user session after no more than 20 minutes of inactivity.
J. Warning Banners. All systems providing access to DHCS PHI or PI must display a warning banner
stating that data is confidential, systems are logged, and system use is for business purposes only
by authorized users. User must be directed to log off the system if they do not agree with these
requirements.
K. System Logging. The system must maintain an automated audit trail which can identify the user or
system process which initiates a request for DHCS PHI or PI, or which alters DHCS PHI or PI. The
audit trail must be date and time stamped, must log both successful and failed accesses, must be
read only, and must be restricted to authorized users. If DHCS PHI or PI is stored in a database,
database logging functionality must be enabled. Audit trail data must be archived for at least 3 years
after occurrence.
L. Access Controls. The system providing access to DHCS PHI or PI must use role based access
controls for all user authentications, enforcing the principle of least privilege.
County of Fresno
18-95036
Page 14 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
M. Transmission encryption. All data transmissions of DHCS PHI or PI outside the secure internal
network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such as
AES. Encryption can be end to end at the network level, or the data files containing PHI can be
encrypted. This requirement pertains to any type of PHI or PI in motion such as website access, file
transfer, and E-Mail.
N. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting DHCS
PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion
detection and prevention solution.
III. Audit Controls
A. System Security Review. All systems processing and/or storing DHCS PHI or PI must have at least
an annual system risk assessment/security review which provides assurance that administrative,
physical, and technical controls are functioning effectively and providing adequate levels of
protection. Reviews should include vulnerability scanning tools.
B. Log Reviews. All systems processing and/or storing DHCS PHI or PI must have a routine procedure
in place to review system logs for unauthorized access.
C. Change Control. All systems processing and/or storing DHCS PHI or PI must have a documented
change control procedure that ensures separation of duties and protects the confidentiality, integrity
and availability of data.
IV. Business Continuity / Disaster Recovery Controls
A. Emergency Mode Operation Plan. Contractor must establish a documented plan to enable
continuation of critical business processes and protection of the security of electronic DHCS PHI or
PI in the event of an emergency. Emergency means any circumstance or situation that causes
normal computer operations to become unavailable for use in performing the work required under
this Agreement for more than 24 hours.
B. Data Backup Plan. Contractor must have established documented procedures to backup DHCS
PHI to maintain retrievable exact copies of DHCS PHI or PI. The plan must include a regular
schedule for making backups, storing backups offsite, an inventory of backup media, and an
estimate of the amount of time needed to restore DHCS PHI or PI should it be lost. At a minimum,
the schedule must be a weekly full backup and monthly offsite storage of DHCS data.
V. Paper Document Controls
A. Supervision of Data. DHCS PHI or PI in paper form shall not be left unattended at any time, unless
it is locked in a file cabinet, file room, desk or office. Unattended means that information is not being
observed by an employee authorized to access the information. DHCS PHI or PI in paper form shall
not be left unattended at any time in vehicles or planes and shall not be checked in baggage on
commercial airplanes.
B. Escorting Visitors. Visitors to areas where DHCS PHI or PI is contained shall be escorted and
DHCS PHI or PI shall be kept out of sight while visitors are in the area.
C. Confidential Destruction. DHCS PHI or PI must be disposed of through confidential means, such
as cross cut shredding and pulverizing.
County of Fresno
18-95036
Page 15 of 15
ADDENDUM B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
D. Removal of Data. DHCS PHI or PI must not be removed from the premises of the Contractor except
with express written permission of DHCS.
E. Faxing. Faxes containing DHCS PHI or PI shall not be left unattended and fax machines shall be in
secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in
error to destroy them. Fax numbers shall be verified with the intended recipient before sending the
fax.
F. Mailing. Mailings of DHCS PHI or PI shall be sealed and secured from damage or inappropriate
viewing of PHI or PI to the extent possible. Mailings which include 500 or more individually identifiable
records of DHCS PHI or PI in a single package shall be sent using a tracked mailing method which
includes verification of delivery and receipt, unless the prior written permission of DHCS to use
another method is obtained.