The URL can be used to link to this page

Home My WebLink AboutMASTER AGREEMENT-Occupational Physical Therapy Services_A-24-335.pdf COUP County of Fresno Hall of Records,Room 301 2281 Tulare Street ro Fresno,California Yj Board of Supervisors 93721-2198 0 1556 0 Telephone:(559)600-3529 FRE", Minute Order Toll Free: 1-800-742-1011 www.fres nocou ntyca.gov June 18, 2024 Present: 5- Supervisor Steve Brandau,Chairman Nathan Magsig,Vice Chairman Buddy Mendes, Supervisor Brian Pacheco,and Supervisor Sal Quintero Agenda No. 72, Public Health File ID:24-0575 Re: Approve and authorize the Chairman to execute a Master Agreement for Occupational and Physical Therapy Services,effective July 1,2024, not to exceed five consecutive years,which includes a three-year base contract and two optional one-year extensions,total not to exceed$4,286,875 APPROVED AS RECOMMENDED Ayes: 5- Brandau, Magsig, Mendes, Pacheco,and Quintero Agreement No.24-335 County of Fresno Page 76 coU�� Board Agenda Item 72 O 18-6 O � FRE`'� DATE: June 18, 2024 TO: Board of Supervisors SUBMITTED BY: David Luchini, RN, PHN, Director, Department of Public Health SUBJECT: Master Agreement for Occupational and Physical Therapy Services RECOMMENDED ACTION(S): Approve and authorize the Chairman to execute a Master Agreement for Occupational and Physical Therapy Services, effective July 1, 2024, not to exceed five consecutive years, which includes a three-year base contract and two optional one-year extensions,total not to exceed $4,286,875. Approval of the recommended action will allow the Department of Public Health to continue to utilize contracted pediatric occupational and physical therapists, a California Department of Health Care Services (DHCS) mandated component of the California Children's Services (CCS) Medical Therapy Program (MTP). County Human Resources and the Department of Public Health have had challenges filling permanent Physical and Occupational Therapist positions due to a lack of candidates and competition from local public and private employers. The proposed Agreement will be funded with DHCS and Health Realignment monies, with no Net County Cost. This item is countywide. ALTERNATIVE ACTION(S): Should your Board not approve the recommended action, the Department will continue to maintain a waitlist for approximately 290 children needing therapy services due to the lack of Physical and Occupational Therapists on staff. FISCAL IMPACT: There is no increase in Net County Cost associated with the recommended action.The maximum compensation for the recommended agreement is $857,375 per fiscal year; $4,286,875 for the five-year term, funded by DHCS (50%)and Health Realignment(50%). Sufficient appropriations and estimated revenues will be included in the Department's Org 5620 FY 2024-25 Recommended Budget and will be included in subsequent budget requests for the duration of the term. Actual costs will be based on actual services provided. DISCUSSION: The MTP is a specialty program within CCS that provides medically necessary outpatient occupational therapy(OT), physical therapy(PT), and medical therapy conference (MTC)services for children ranging in age from 0 to 21 with disabilities and special needs conditions, generally due to neurological or musculoskeletal disorders.The services are provided on-site at Medical Therapy Units (MTU) located at three county public elementary schools: Clovis, Powers-Ginsburg, and Storey. Currently, 691 eligible children receive services at the MTUs; services are provided by departmental employees and contracted providers, under master agreement for Occupational and Physical Therapy services Agreement No. 19-292. County of Fresno page 1 File Number.24-0575 File Number:24-0575 Since 2014, the Department has utilized contracted OT and PT services. In 2019,the Department entered into master agreement No. 19-292 to expand the number of contractors available to address continued challenges in filling critical departmental OT and PT positions and provide therapy services to children on the MTP waitlists. CCS MTP anticipates a continued need for pediatric OT/PT contracted services to address the number of CCS waitlisted children. The Department, in consultation with the Department of Internal Services- Purchasing Division, determined that the most effective method to establish a vendor list was a Request for Statement of Qualifications (RFSQ)for the establishment of a Master Agreement. Prior to the release of an RFSQ, the Department conferred with the Human Resources Department- Labor Division, which determined that no collective bargaining issue existed. On March 25, 2024, the Department issued RFSQ No. 24-053 to solicit vendors capable of providing the necessary OT and PT services to MTP clients. The RFSQ notice was distributed to 14 local pediatric OT/PT agencies and published on the County's Public Purchase site. The RFSQ closed on April 22, 2024 and received seven proposals from agencies specializing in healthcare staffing. All have submitted documentation and references as proof of their qualifications affirming their capability to provide the necessary OT and PT staffing services. REFERENCE MATERIAL: BAI#52, June 18, 2019 BAI #35, March 7, 2017 ATTACHMENTS INCLUDED AND/OR ON FILE: On file with Clerk-Master Agreement for Occupational and Physical Therapy Services CAO ANALYST: Ronald W.Alexander, Jr. County of Fresno page 2 File Number.24-0575 Agreement No. 24-335 1 SERVICE AGREEMENT 2 This Master Agreement ("Agreement") is dated June 18, 2024 and is between 3 Contractor(s) listed in Exhibit A "List of Contractors" ("Contractor(s)"), and the County of Fresno, 4 a political subdivision of the State of California ("County"). 5 Recitals 6 A. County, through its Department of Public Health (DPH) California Children's Services 7 (CCS) — Medical Therapy Program (MTP), is in need of Occupational Therapy (OT) and 8 Physical Therapy (PT) services to be performed by qualified Occupational Therapists and 9 Physical Therapists licensed by the State of California; and 10 B. County DPH CCS-MTP is mandated by the California State Law to provide OT and PT 11 services for children, ranging from birth to 21 years old, with handicapping conditions, generally 12 due to neurological, musculoskeletal or other medical disorders, such as but limited to, cerebral 13 palsy and spina bifida; and 14 C. County issued Request for Statement of Qualifications No. 24-053 (RFSQ) soliciting 15 proposals from qualified Contractors to provide onsite OT and PT contracted services to 16 children enrolled in County's CCS-MTP at MTP operated Medical Therapy Unites (MTUs) 17 located at three (3) local school sites in Fresno County; and 18 D. Contractor(s) are willing to provide experienced and qualified staff who can perform OT 19 and/or PT services to County's DPH CCS-MTP MTUs pursuant to the terms and conditions of 20 this agreement. 21 The parties therefore agree as follows: 22 Article 1 23 Contractor's Services 24 1.1 Scope of Services. The Contractor(s) shall perform all of the services provided in 25 Exhibit B to this Agreement, titled "Scope of Services." 26 1.2 Representation. The Contractor(s) represents that it is qualified, ready, willing, and 27 able to perform all of the services provided in this Agreement. 28 1 1 1.3 Compliance with Laws. The Contractor(s) shall, at its own cost, comply with all 2 applicable federal, state, and local laws and regulations in the performance of its obligations 3 under this Agreement, including but not limited to workers compensation, labor, and 4 confidentiality laws and regulations. 5 Article 2 6 County's Responsibilities 7 2.1 The County CCS-MTP's Rehabilitative Therapy Manager or designee, at time of 8 need, shall submit request through written or electronic notification to Contractor(s) listed in 9 Exhibit A for qualified and licensed OT and/or PT staff. 10 2.2 County shall conduct a review and selection process specified in Exhibit C, titled "OT 11 and/or PT Contractor Staffing Assignment Process", to determine selection of Contractor(s) 12 based on two priority factors at the time services are needed at the CCS-MTUs: availability of 13 qualified staffing to provide the services and cost. 14 2.3 The County CCS-MTP Rehabilitation Therapy Manager or designee shall review and 15 approve all of Contractor(s)' submitted licenses, certification, and applicable clearances as 16 identified in the Compliance Requirements section of Exhibit C. Upon approval, County CCS- 17 MTP's Rehabilitative Therapy Manager shall notify Contractor(s) and provide assignment of 18 MTU location, work schedule and program's onboarding process necessary to initiate the 19 commencement of Contractor(s)' service. 20 2.4 County does not guarantee or promise any certain amount of work or service will be 21 granted to Contractor(s) under the terms and conditions of this Agreement. This Agreement 22 does not constitute a guarantee or promise that a total fee or any fee will be received by any 23 Contractor(s). 24 Article 3 25 Compensation, Invoices, and Payments 26 3.1 The County agrees to pay, and the Contractor(s) agrees to receive, compensation 27 for the performance of its services under this Agreement as described in Exhibit D to this 28 Agreement, titled "Compensation". 2 1 3.2 Maximum Compensation. The maximum compensation payable to the 2 Contractor(s) under this Agreement is Eight Hundred Fifty-Seven Thousand Three Hundred 3 Seventy-Five and No/100 Dollars ($857,375.00) for each twelve (12) month period of this 4 Agreement. In no event shall the maximum contract amount for all the services provided by the 5 Contractor(s) to County under the terms and conditions of this Agreement be in excess of Four 6 Million Two Hundred Eighty-Six Thousand Eight Hundred Seventy-Five and No/100 Dollars 7 ($4,286,875.00). 8 The Contractor(s) acknowledges that the County is a local government entity, and does so 9 with notice that the County's powers are limited by the California Constitution and by State law, 10 and with notice that the Contractor(s) may receive compensation under this Agreement only for 11 services performed according to the terms of this Agreement and while this Agreement is in 12 effect, and subject to the maximum amount payable under this section. The Contractor(s) 13 further acknowledges that County employees have no authority to pay the Contractor(s) except 14 as expressly provided in this Agreement. 15 3.3 Invoices. The Contractor(s) shall submit monthly invoices, in arrears by the fifteenth 16 (15th) day of each month. The Contractor(s) shall submit invoices to County of Fresno, 17 Department of Public Health, CCS, P.O. Box 11867, Fresno, CA 93775, Attention: MTP, 18 Rehabilitation Therapy Manager. Invoices shall include name of therapist, service type, service 19 location and dates, contract number, and number of service hours provided. 20 3.4 Payment. The County shall pay each correctly completed and timely submitted 21 invoice within 45 days after receipt. The County shall remit any payment to the Contractor's 22 address specified in the invoice. 23 3.5 Incidental Expenses. The Contractor is solely responsible for all of its costs and 24 expenses that are not specified as payable by the County under this Agreement. 25 26 27 28 3 1 Article 4 2 Term of Agreement 3 4.1 Term. This Agreement is effective on July 1, 2024 and terminates on June 30, 2027, 4 except as provided in section 4.2, "Extension," or Article 6, "Termination and Suspension," 5 below. 6 4.2 Extension. The term of this Agreement may be extended for no more than two, one- 7 year periods only upon written approval of both parties at least 30 days before the first day of 8 the next one-year extension period. The County's DPH Director, or designee, is authorized to 9 sign the written approval on behalf of the County based on the Contractor's satisfactory 10 performance. The extension of this Agreement by the County is not a waiver or compromise of 11 any default or breach of this Agreement by the Contractor(s) existing at the time of the 12 extension whether or not known to the County. 13 Article 5 14 Notices 15 5.1 Contact Information. The persons and their addresses having authority to give and 16 receive notices provided for or permitted under this Agreement include the following: 17 For the County: 18 Director, Department of Public Health County of Fresno 19 PO BOX 11867 Fresno, CA 93775 20 DPHContracts@fresnocountyca.gov 21 For the Contractor: See Exhibit A, "List of Contractors" 22 5.2 Change of Contact Information. Either party may change the information in section 23 5.1 by giving notice as provided in section 5.3. 24 5.3 Method of Delivery. Each notice between the County and the Contractor(s) 25 provided for or permitted under this Agreement must be in writing, state that it is a notice 26 provided under this Agreement, and be delivered either by personal service, by first-class 27 United States mail, by an overnight commercial courier service, or by Portable Document 28 Format (PDF) document attached to an email. 4 1 (A) A notice delivered by personal service is effective upon service to the recipient. 2 (B) A notice delivered by first-class United States mail is effective three County 3 business days after deposit in the United States mail, postage prepaid, addressed to the 4 recipient. 5 (C)A notice delivered by an overnight commercial courier service is effective one 6 County business day after deposit with the overnight commercial courier service, 7 delivery fees prepaid, with delivery instructions given for next day delivery, addressed to 8 the recipient. 9 (D)A notice delivered by PDF document attached to an email is effective when 10 transmission to the recipient is completed (but, if such transmission is completed outside 11 of County business hours, then such delivery is deemed to be effective at the next 12 beginning of a County business day), provided that the sender maintains a machine 13 record of the completed transmission. 14 5.4 Claims Presentation. For all claims arising from or related to this Agreement, 15 nothing in this Agreement establishes, waives, or modifies any claims presentation 16 requirements or procedures provided by law, including the Government Claims Act (Division 3.6 17 of Title 1 of the Government Code, beginning with section 810). 18 5.5 Notification of Changes. Contractor(s) shall notify County in writing of any change 19 in organization name, Head of Service or principal business at least fifteen (15) business days 20 in advance of the change. Contractor(s) must immediately notify County of a change in 21 ownership, organizational status, licensure, or ability of Contractor(s) to provide the quantity or 22 quality of the contracted services in this Agreement no more than fifteen (15) days of the 23 change. 24 Article 6 25 Termination and Suspension 26 6.1 Termination for Non-Allocation of Funds. The terms of this Agreement are 27 contingent on the approval of funds by the appropriating government agency. If sufficient funds 28 5 1 are not allocated, then the County, upon at least 30 days' advance written notice to the 2 Contractor(s), may: 3 (A) Modify the services provided by the Contractor under this Agreement; or 4 (B) Terminate this Agreement. 5 6.2 Termination for Breach. 6 (A) Upon determining that a breach (as defined in paragraph (C) below) has 7 occurred, the County may give written notice of the breach to the Contractor(s). The 8 written notice may suspend performance under this Agreement, and must provide at 9 least 30 days for the Contractor(s) to cure the breach. 10 (B) If the Contractor(s)fails to cure the breach to the County's satisfaction within the 11 time stated in the written notice, the County may terminate this Agreement immediately. 12 (C) For purposes of this section, a breach occurs when, in the determination of the 13 County, the Contractor(s) has: 14 (1) Obtained or used funds illegally or improperly; 15 (2) Failed to comply with any part of this Agreement; 16 (3) Submitted a substantially incorrect or incomplete report to the County; or 17 (4) Improperly performed any of its obligations under this Agreement. 18 6.3 Termination without Cause. In circumstances other than those set forth above, the 19 County may terminate this Agreement by giving at least 30 days advance written notice to the 20 Contractor(s). 21 6.4 No Penalty or Further Obligation. Any termination of this Agreement by the County 22 under this Article 6 is without penalty to or further obligation of the County. 23 6.5 County's Rights upon Termination. Upon termination for breach under this Article 24 6, the County may demand repayment by the Contractor(s) of any monies disbursed to the 25 Contractor(s) under this Agreement that, in the County's sole judgment, were not expended in 26 compliance with this Agreement. The Contractor(s) shall promptly refund all such monies upon 27 demand. This section survives the termination of this Agreement. 28 6 1 Article 7 2 Funding Source 3 7.1 Services Funding Source. Funding for these services is provided by the 4 Department of Health Care Services (DHCS) and Public Health Realignment. 5 Article 8 6 Confidentiality 7 8.1 Confidentiality. All services performed by the Contractor(s) under this Agreement 8 shall be in strict conformance with all applicable Federal, State of California and/or local laws 9 and regulations relating to confidentiality. In addition, Contractor agrees to abide by the terms 10 and conditions of the Business Associate Agreement attached hereto as Exhibit E. 11 Article 9 12 Information Privacy and Security Requirements 13 9.1 The Contractor(s) shall comply with all the Information Privacy and Security 14 Requirements in Exhibit F to this Agreement. 15 Article 10 16 Independent Contractor 17 10.1 Status. In performing under this Agreement, the Contractor(s), including its officers, 18 agents, employees, and volunteers, is at all times acting and performing as an independent 19 contractor, in an independent capacity, and not as an officer, agent, servant, employee,joint 20 venturer, partner, or associate of the County. 21 10.2 Verifying Performance. The County has no right to control, supervise, or direct the 22 manner or method of the Contractor's performance under this Agreement, but the County may 23 verify that the Contractor(s) is performing according to the terms of this Agreement. 24 10.3 Benefits. Because of its status as an independent contractor, the Contractor(s) has 25 no right to employment rights or benefits available to County employees. The Contractor(s) is 26 solely responsible for providing to its own employees all employee benefits required by law. The 27 Contractor(s) shall save the County harmless from all matters relating to the payment of 28 7 1 Contractor's employees, including compliance with Social Security withholding and all related 2 regulations. 3 10.4 Services to Others. The parties acknowledge that, during the term of this 4 Agreement, the Contractor may provide services to others unrelated to the County. 5 Article 11 6 Indemnity and Defense 7 11.1 Indemnity. The Contractor(s) shall indemnify and hold harmless and defend the 8 County (including its officers, agents, employees, and volunteers) against all claims, demands, 9 injuries, damages, costs, expenses (including attorney fees and costs), fines, penalties, and 10 liabilities of any kind to the County, the Contractor(s), or any third party that arise from or relate 11 to the performance or failure to perform by the Contractor(s) (or any of its officers, agents, 12 subcontractors, or employees) under this Agreement. The County may conduct or participate in 13 its own defense without affecting the Contractor's obligation to indemnify and hold harmless or 14 defend the County. 15 11.2 Survival. This Article 11 survives the termination of this Agreement. 16 Article 12 17 Insurance 18 12.1 The Contractor(s) shall comply with all the insurance requirements in Exhibit G to 19 this Agreement. 20 Article 13 21 Inspections, Audits, and Public Records 22 13.1 Inspection of Documents. The Contractor(s) shall make available to the County, 23 and the County may examine at any time during business hours and as often as the County 24 deems necessary, all of the Contractor's records and data with respect to the matters covered 25 by this Agreement, excluding attorney-client privileged communications. The Contractor(s) shall, 26 upon request by the County, permit the County to audit and inspect all of such records and data 27 to ensure the Contractor's compliance with the terms of this Agreement. 28 8 1 13.2 State Audit Requirements. If the compensation to be paid by the County under this 2 Agreement exceeds $10,000, the Contractor(s) is subject to the examination and audit of the 3 California State Auditor, as provided in Government Code section 8546.7, for a period of three 4 years after final payment under this Agreement. This section survives the termination of this 5 Agreement. 6 13.3 Public Records. The County is not limited in any manner with respect to its public 7 disclosure of this Agreement or any record or data that the Contractor(s) may provide to the 8 County. The County's public disclosure of this Agreement or any record or data that the 9 Contractor may provide to the County may include but is not limited to the following: 10 (A) The County may voluntarily, or upon request by any member of the public or 11 governmental agency, disclose this Agreement to the public or such governmental 12 agency. 13 (B) The County may voluntarily, or upon request by any member of the public or 14 governmental agency, disclose to the public or such governmental agency any record or 15 data that the Contractor(s) may provide to the County, unless such disclosure is 16 prohibited by court order. 17 (C)This Agreement, and any record or data that the Contractor(s) may provide to the 18 County, is subject to public disclosure under the Ralph M. Brown Act (California 19 Government Code, Title 5, Division 2, Part 1, Chapter 9, beginning with section 54950). 20 (D)This Agreement, and any record or data that the Contractor(s) may provide to the 21 County, is subject to public disclosure as a public record under the California Public 22 Records Act (California Government Code, Title 1, Division 7, Chapter 3.5, beginning 23 with section 6250) ("CPRA"). 24 (E) This Agreement, and any record or data that the Contractor(s) may provide to the 25 County, is subject to public disclosure as information concerning the conduct of the 26 people's business of the State of California under California Constitution, Article 1, 27 section 3, subdivision (b). 28 9 1 (F) Any marking of confidentiality or restricted access upon or otherwise made with 2 respect to any record or data that the Contractor(s) may provide to the County shall be 3 disregarded and have no effect on the County's right or duty to disclose to the public or 4 governmental agency any such record or data. 5 13.4 Public Records Act Requests. If the County receives a written or oral request 6 under the CPRA to publicly disclose any record that is in the Contractor's possession or control, 7 and which the County has a right, under any provision of this Agreement or applicable law, to 8 possess or control, then the County may demand, in writing, that the Contractor(s) deliver to the 9 County, for purposes of public disclosure, the requested records that may be in the possession 10 or control of the Contractor(s). Within five business days after the County's demand, the 11 Contractor(s) shall (a) deliver to the County all of the requested records that are in the 12 Contractor's possession or control, together with a written statement that the Contractor(s), after 13 conducting a diligent search, has produced all requested records that are in the Contractor's 14 possession or control, or (b) provide to the County a written statement that the Contractor(s), 15 after conducting a diligent search, does not possess or control any of the requested records. 16 The Contractor(s) shall cooperate with the County with respect to any County demand for such 17 records. If the Contractor(s) wishes to assert that any specific record or data is exempt from 18 disclosure under the CPRA or other applicable law, it must deliver the record or data to the 19 County and assert the exemption by citation to specific legal authority within the written 20 statement that it provides to the County under this section. The Contractor's assertion of any 21 exemption from disclosure is not binding on the County, but the County will give at least 10 22 days' advance written notice to the Contractor(s) before disclosing any record subject to the 23 Contractor's assertion of exemption from disclosure. The Contractor(s) shall indemnify the 24 County for any court-ordered award of costs or attorney's fees under the CPRA that results from 25 the Contractor's delay, claim of exemption, failure to produce any such records, or failure to 26 cooperate with the County with respect to any County demand for any such records. 27 28 10 1 Article 14 2 Disclosure of Self-Dealing Transactions 3 14.1 Applicability. This Article 11 applies if the Contractor(s) is operating as a 4 corporation, or changes its status to operate as a corporation. 5 14.2 Duty to Disclose. If any member of the Contractor's board of directors is party to a 6 self-dealing transaction, he or she shall disclose the transaction by completing and signing a 7 "Self-Dealing Transaction Disclosure Form" (Exhibit H to this Agreement) and submitting it to 8 the County before commencing the transaction or immediately after. 9 14.3 Definition. "Self-dealing transaction" means a transaction to which the Contractor(s) 10 is a party and in which one or more of its directors, as an individual, has a material financial 11 interest. 12 Article 15 13 General Terms 14 15.1 Modification. Except as provided in Article 6, "Termination and Suspension," this 15 Agreement may not be modified, and no waiver is effective, except by written agreement signed 16 by both parties. The Contractor(s) acknowledges that County employees have no authority to 17 modify this Agreement except as expressly provided in this Agreement. 18 15.2 Non-Assignment. Neither party may assign its rights or delegate its obligations 19 under this Agreement without the prior written consent of the other party. 20 15.3 Governing Law. The laws of the State of California govern all matters arising from 21 or related to this Agreement. 22 15.4 Jurisdiction and Venue. This Agreement is signed and performed in Fresno 23 County, California. Contractor(s) consents to California jurisdiction for actions arising from or 24 related to this Agreement, and, subject to the Government Claims Act, all such actions must be 25 brought and maintained in Fresno County. 26 15.5 Construction. The final form of this Agreement is the result of the parties' combined 27 efforts. If anything in this Agreement is found by a court of competent jurisdiction to be 28 11 1 ambiguous, that ambiguity shall not be resolved by construing the terms of this Agreement 2 against either party. 3 15.6 Days. Unless otherwise specified, "days" means calendar days. 4 15.7 Headings. The headings and section titles in this Agreement are for convenience 5 only and are not part of this Agreement. 6 15.8 Severability. If anything in this Agreement is found by a court of competent 7 jurisdiction to be unlawful or otherwise unenforceable, the balance of this Agreement remains in 8 effect, and the parties shall make best efforts to replace the unlawful or unenforceable part of 9 this Agreement with lawful and enforceable terms intended to accomplish the parties' original 10 intent. 11 15.9 Nondiscrimination. During the performance of this Agreement, the Contractor(s) 12 shall not unlawfully discriminate against any employee or applicant for employment, or recipient 13 of services, because of race, religious creed, color, national origin, ancestry, physical disability, 14 mental disability, medical condition, genetic information, marital status, sex, gender, gender 15 identity, gender expression, age, sexual orientation, military status or veteran status pursuant to 16 all applicable State of California and federal statutes and regulation. 17 15.10 No Waiver. Payment, waiver, or discharge by the County of any liability or obligation 18 of the Contractor(s) under this Agreement on any one or more occasions is not a waiver of 19 performance of any continuing or other obligation of the Contractor(s) and does not prohibit 20 enforcement by the County of any obligation on any other occasion. 21 15.11 Entire Agreement. This Agreement, including its exhibits, is the entire agreement 22 between the Contractor(s) and the County with respect to the subject matter of this Agreement, 23 and it supersedes all previous negotiations, proposals, commitments, writings, advertisements, 24 publications, and understandings of any nature unless those things are expressly included in 25 this Agreement. If there is any inconsistency between the terms of this Agreement without its 26 exhibits and the terms of the exhibits, then the inconsistency will be resolved by giving 27 precedence first to the terms of this Agreement Without its exhibits, and then to the terms of the 28 exhibits. 12 1 15.12 No Third-Party Beneficiaries. This Agreement does not and is not intended to 2 create any rights or obligations for any person or entity except for the parties. 3 15.13 Authorized Signature. The Contractor(s) represents and warrants to the County 4 that: 5 (A) The Contractor(s) is duly authorized and empowered to sign and perform its 6 obligations under this Agreement. 7 (B) The individual signing this Agreement on behalf of the Contractor(s) is duly 8 authorized to do so and his or her signature on this Agreement legally binds the 9 Contractor(s) to the terms of this Agreement. 10 15.14 Electronic Signatures. The parties agree that this Agreement may be executed by 11 electronic signature as provided in this section. 12 (A) An "electronic signature" means any symbol or process intended by an individual 13 signing this Agreement to represent their signature, including but not limited to (1) a 14 digital signature; (2) a faxed version of an original handwritten signature; or (3) an 15 electronically scanned and transmitted (for example by PDF document) version of an 16 original handwritten signature. 17 (B) Each electronic signature affixed or attached to this Agreement (1) is deemed 18 equivalent to a valid original handwritten signature of the person signing this Agreement 19 for all purposes, including but not limited to evidentiary proof in any administrative or 20 judicial proceeding, and (2) has the same force and effect as the valid original 21 handwritten signature of that person. 22 (C)The provisions of this section satisfy the requirements of Civil Code section 23 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, 24 Part 2, Title 2.5, beginning with section 1633.1). 25 (D) Each party using a digital signature represents that it has undertaken and 26 satisfied the requirements of Government Code section 16.5, subdivision (a), 27 paragraphs (1) through (5), and agrees that each other party may rely upon that 28 representation. 13 1 (E) This Agreement is not conditioned upon the parties conducting the transactions 2 under it by electronic means and either party may sign this Agreement with an original 3 handwritten signature. 4 15.15 Counterparts. This Agreement may be signed in counterparts, each of which is an 5 original, and all of which together constitute this Agreement. 6 [SIGNATURE PAGE FOLLOWS] 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 14 1 The parties are signing this Agreement on the date stated in the introductory clause. 2 CONTRACTOR(S) COUNTY OF FRESNO 3 See Exhibit A "List of Contractors" 4 Subsequent signature pages are attached. 5 Nathan Magsig, Chairman of the Board of Supervisors of the County of Fresno 6 Attest: 7 Bernice E. Seidel Clerk of the Board of Supervisors 8 County of Fresno, State of California 9 By: 10 Deputy 11 For accounting use only: 12 Org No.: 56201601 Account No.: 7295 13 Fund No.: 0001 Subclass No.: 10000 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 15 ii DocuSign Envelope ID:36E76EEF-299B-42B3-AB8D-347DD7CA35A2 1 CONTRACTOR: 2 ATC Healthcare Services, LLC 3 DocuSignod by: 4 EF6538E2EAFC43E... David Savitsky-CEO 5 1983 Marcus Avenue, E-122 6 Lake Success, NY 11042 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 16 1 CONTRACTOR: 2 Health Advocates Network, Inc. 3 4 5 Aby Mamboleo, Branch Director 100 N. Barranca Street, Suite 430 6 Covina, CA 91791 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 17 1 CONTRACTOR: 2 HealthPRO Pediatrics, LLC 3 ^�-r-�� 4 �r�� 5 Thomas Guild, Executive Vice President 1 Marcus Drive, Suite 101 6 Greenville, SC 29615 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 18 1 CONTRACTOR: 2 Infojini, Inc. 3 4 5 Sandeep Harjan, President 10015 Old Columbia Road, Suite B215 6 Columbia, MD 21406 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 19 1 CONTRACTOR: 2 JayKay Services, Inc. 3 4 h-�--Wy .alika, General Manager 5 2054 Classique Lane, 6 Tavares, FL 32778 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 20 1 CONTRACTOR: 2 Meda Health, LLC 3 CEO 4 Logan Frank, CEO 5 15331 W. Bell Road, Suite 212 6 Surprise, AZ 85374 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 21 1 CONTRACTOR: 2 Worldwide Travel Staffing, Limited. 3 4 . eo IatZ, CEOove, -- 5 2829 Sheridan D 6 Tonawanda, NY 1 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 22 Exhibit A List of Contractor(s) 1. ATC Healthcare Services, LLC Business Type: LLC Business Address: 1983 Marcus Avenue, E-122 Lake Success, NY 11042 Contact: Cheryl Stein, Vice President of Contracting 516-750-1618 cstein(a-)_atchealthcare.com 2. Health Advocates Network, Inc. Business Type: Corporation Business Address: 100 N. Barranca Street, Suite 430 Covina, CA 91791 Contact: Andrea Goodwin, Director of Sales and Operations 800-928-5561 Andrea.Goodwin@hanstaff.com 3. HealthPRO Pediatrics, LLC Business Type: LLC Business Address: 1 Marcus Drive, Suite 101 Greenville, SC 29615 Contact: Krupa Kuruvilla, Regional Vice President 270-506-4254 pedsrfp(a_)health propediatrics.com 4. Infojini, Inc. Business Type: Corporation Business Address: 10015 Old Columbia Road, Suite B215 Columbia, MD 21406 Contact: Sandeep Harjani, President 443-257-0086 statebids@infojiniconsulting.com 5. JayKay Services, Inc. Business Type: Corporation Business Address: 2054 Classique Lane, Tavares, FL 32778 Contact: Nancy Malika, General Manager 909-686-6088 nmalika@jaykaymedicalstaffing.com A-1 Exhibit A List of Contractor(s) 6. Meda Health, LLC Business Type: LLC Business Address: 15331 W. Bell Road, Suite 212 Surprise,AZ 85374 Contact: Logan Frank, Chief Executive Officer 480-336-1181 Ifrank@medahealthstaffing.com 7. Worldwide Travel Staffing, Limited Business Type: Corporation Business Address: 2829 Sheridan Drive Tonawanda, NY 14150 Contact: Leo R. Blatz, Chief Executive Officer 866-633-3700; ext. 101 Iblatz(a)worldwidetravelstaffing.com A-2 Exhibit B 1 Scope of Services 2 The Medical Therapy Program (MTP), established by Title V and Health and Safety 3 Code Section 123800 et seq., is a special program within California Children's Services (CCS) 4 that provides physical therapy, occupational therapy, and Medical Therapy Conference (MTC) 5 services for children (birth to 21 years old) who have disabling conditions generally due to a 6 neurological or musculoskeletal disorder. These are physical problems that affect the child's 7 ability to control the movements of the body. 8 The MTP provides services at three (3) outpatient clinics known as Medical Therapy 9 Units (MTUs). These MTUs are located on local school sites in Fresno County. Each MTU is 10 equipped to conduct the necessary special needs pediatric OT and PT services onsite. 11 Services To Be Provided by Contractor(s) 12 Contractor(s) shall provide licensed OT and/or PT staff onsite at the three (3) MTUs — 13 Garfield (Clovis) MTU, Ginsburg MTU, and Storey MTU- located within Fresno County, 2 to 5 14 days per week, up to 8 hours per day. Contractor(s) shall not bill in excess of five thousand eight hundred (5,800) combined service hours annually for OT/PT services. The following 15 responsibilities include but may not be limited to: 16 A. Conduct licensed OT and/or PT duties in accordance with State and County regulations 17 and guidelines; 18 B. Evaluate, plan, schedule and provide treatment to assigned and scheduled MTP clients; 19 C. Complete required documentations accurately and in a timely manner, in accordance 20 with State and County regulations and guidelines; 21 D. Communicate appropriate information to physicians, other MTP team members, parents, clients' teachers and other agencies as needed to implement required client treatment 22 services; 23 E. Attend and participate in medical therapy conferences; 24 F. Fabricate, modify and apply splints as prescribed; 25 G. Coordinate, teach, supervise and develop functional exercises to provide corrective 26 therapy; H. May conduct home visits to assess the needs for the prescribed durable medical 27 equipment (DME) and assess the environment for completing functional tasks and/or 28 environmental barriers; B-1 Exhibit B 1 I. Assess and order DME and orthotics as prescribed; 2 J. Provide instructional training to clients, family members and caregivers regarding home 3 exercise programs and equipment needs. K. Contractor(s) shall ensure acknowledgment with staff that all staff are independent 4 contractors, thus not employees of the County of Fresno, and are at will staff. 5 L. Although not employees of the County, staff are to abide by all rules and regulations of 6 the MTP under direction of MTP Rehabilitative Therapy Manager upon commencing 7 work duties with DPH. 8 M. It is acknowledged that staffing services are to be on a temporary basis. At the point DPH no longer needs staffing services, DPH will notify Contractor(s) immediately that 9 staff will no longer be needed for continuing services. 10 Compliance Monitoring 11 A. Contractor(s) shall provide a copy of the following licenses, certificates, and clearances 12 of potential OT and PT staff to the CCS MTP Rehabilitative Therapy Manager before 13 staff can be considered qualified to provide services at the MTUs: 14 a. OT's valid license as an Occupational Therapist with the State of 15 California — Department of Consumer Affairs, California Board of 16 Occupational Therapy. b. PT's valid license as a Physical Therapist with the State of California — 17 Department of Consumer Affairs, Physical Therapy Board of California. 18 C. Proof that staff has a minimum of three (3) months pediatric experience; 19 or if less than three (3) months' experience, written approval from the 20 MTP Rehabilitative Therapy Manager. 21 d. All current licenses, credentials, board regulations, and/or certifications as required as part of their respective job classification. 22 e. Current annual HIPAA training certificate for all staff. 23 f. Contractor(s) shall ensure staff abide by all of County's confidentiality 24 requirements. 25 9• Current Cardiopulmonary Resuscitation (CPR) certification for all staff. 26 h. Current annual medical clearance (i.e. updated required vaccinations, annual Tuberculosis skin test, etc.), as required per OSHA training 27 regulations. See links for additional information: 28 B-2 Exhibit B 1 i. Aerosol Transmissible Diseases — 2 https://www.dir.ca.gov/title8/5199.html 3 ii. Blood Borne Pathogen —littps://www.dir.ca.gov/title8/5193.html B. Contractor(s) shall ensure staff be CCS Paneled within one-year of continued CCS work 4 service. Contractor(s) will be responsible for securing the paneling credentials from the 5 State. 6 C. Contractor(s) shall be responsible for ensuring recovery of any and all County property 7 checked out to temporary staff either upon request or upon dismissal of staff. This may 8 include, but is not limited to: 9 a. ID badge 10 b. Laptop, bag, charger, etc. 11 c. Desk keys d. Cell phone 12 e. Work materials (paper charts, service notes, etc.) 13 D. Reports: 14 Contractor(s) shall furnish to County such statements records, reports, data, and other 15 information as County may request pertaining to matters covered by this Agreement. 16 17 18 19 20 21 22 23 24 25 26 27 28 B-3 Exhibit C OT and/or PT Contractor Staff Assignment Process COMMENCEMENT OF SERVICE ASSIGNMENT 1. At least two (2) work weeks or ten (10) working days prior to the effectivity of the Master Agreement, CCS-MTP Rehabilitative Therapy Manager(RTM) or designee will notify Contractor(s) of the number of OT and/or PT staff needed by the program at a specified date of service. 2. Contractor(s) will be given five (5) working days to submit a list of available licensed OT and/or PT staff for the RTM or designee's evaluation. The qualification of OT and/or PT staff is based on the list of compliance requirements identified in RFSQ No. 24-053 and below in the Compliance Requirements section. 3. In order to prevent disruption of Medical Therapy services to CCS enrolled clients, selection criteria of qualified OT and/or PT staff from Contractor(s) shall be based on: a. Availability of qualified staff at the required date of service; b. Cost, in the event that multiple Contractors have available and equally qualified staff. 4. After selection, RTM or designee will notify the Contractor(s)who best meet all the County's requirements. Notification shall include the names of selected therapy staff, start date of service and Medical Therapy Unit (MTU) assignment location. 5. Upon receipt of County's notification of therapy staff selection, Contractor shall provide a confirmation of assignment within 24 business hours. Non-confirmation will allow the County's RTM to select the next qualified and available Contractor. 6. After qualified therapy staff is confirmed acceptable and available, RTM will send a notification to Contractor(s) stating the therapy service staff requirement has been fulfilled. DISCONTINUATION OR TERMINIATION OF SERVICE ASSIGNMENT 1. Contractor(s) shall provide at least two (2) work week notification to the County through CCS-MTP's RTM or designee, stating the discontinuation of Contractor's therapy staff. 2. County shall follow the review and selection process as per the Commencement of Service Assignment section above, items no. 2 through 6. 3. In the event Contractor provided less than two (2) work week notification of discontinuation of therapy services, County's time to process the evaluation and selection of replacement therapy services shall be reduced accordingly. C-1 Exhibit C OT and/or PT Contractor Staff Assignment Process COMPLIANCE REQUIREMENTS COMPLY/ NOT COMPLY 1. Staff is licensed Occupational and/or Physical Therapist with a minimum of three (3) months documented pediatric experience. 2. Staff has maintained all licenses, credentials, board regulations, and/or certifications. 3. Staff has maintained Cardiopulmonary Resuscitation (CPR) certification. 4. Staff has completed yearly H I PAA training. 5. Staff has maintained appliable annual medical clearance (i.e. updated required vaccinations, annual Tuberculosis skin test, etc.), as required per OSHA training regulations. 6. Contractor has maintained County's minimum insurance and indemnification requirements, as provided in the Occupational and Physical Therapy Master Agreement. C-2 Exhibit D Compensation ATC Healthcare Services, LLC Classification Hourly Rate Occupational Therapist $94.50 Physical Therapist $98.25 Overtime Pay: 1 '/2 times the normal hourly rate will be charged for all hours worked over eight (8) in a day; 2 times the normal hourly rate will be charged for all hours worked over twelve (12) in a day; 1 '/z times the normal hourly rate will be charged for all hours worked over forty (40) in one week. Holiday Pay: 1 %2 times the hourly bill rate. Health Advocates Network, Inc. Classification Hourly Rate Occupational Therapist $89.00 Physical Therapist $96.00 HealthPRO Pediatrics, LLC Classification Hourly Rate Occupational Therapist $95.00 Physical Therapist $95.00 Info'ini, Inc. Classification Hourly Rate Occupational Therapist $85.00 Physical Therapist $85.00 Overtime Pay: 1 '/2 times the normal hourly rate. Holiday Pay: 1 '/2 times the normal hourly rate. JayKay Services, Inc. Classification Hourly Rate Occupational Therapist $75.00 Physical Therapist $75.00 Overtime Pay: 1 '/2 times the normal hourly rate. Holiday Pay: 1 '/2 times the normal hourly rate. D-1 Exhibit D Compensation Meda Health, LLC Classification Hourly Rate Occupational Therapist $80.00 Physical Therapist $80.00 Overtime Pay: Overtime will be billed at 1.4x the base hourly rate for all hours worked over 40. Holiday Pay: Holiday hours will be billed at 1.4x the base hourly rate. Worldwide Travel Staffing, Limited Classification Hourly Rate Occupational Therapist $95.00 Physical Therapist $100.00 Overtime Pay: Overtime will be billed at 1.4x the base hourly rate for all hours worked over 40. Holiday Pay: Holiday hours will be billed at 1.4x the base hourly rate. D-2 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) 1. The County is a "Covered Entity," and the Contractor is a "Business Associate," as these terms are defined by 45 CFR 160.103. In connection with providing services under the Agreement, the parties anticipate that the Contractor will create and/or receive Protected Health Information ("PHI")from or on behalf of the County. The parties enter into this Business Associate Agreement (BAA) to comply with the Business Associate requirements of HIPAA, to govern the use and disclosures of PHI under this Agreement. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164. The parties to this Agreement shall be in strict conformance with all applicable federal and State of California laws and regulations, including, but not limited to California Welfare and Institutions Code sections 5328, 10850, and 14100.2 et seq.; 42 CFR 2; 42 CFR 431; California Civil Code section 56 et seq.; the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAX), including, but not limited to, 45 CFR Parts160, 45 CFR 162, and 45 CFR 164; the Health Information Technology for Economic and Clinical Health Act ("HITECH") regarding the confidentiality and security of patient information, including, but not limited to 42 USC 17901 et seq.; and the Genetic Information Nondiscrimination Act ("GINA") of 2008 regarding the confidentiality of genetic information. Except as otherwise provided in this Agreement, the Contractor, as a business associate of the County, may use or disclose Protected Health Information ("PHI") to perform functions, activities or services for or on behalf of the County, as specified in this Agreement, provided that such use or disclosure shall not violate HIPAA Rules. The uses and disclosures of PHI may not be more expansive than those applicable to the County, as the "Covered Entity" under the HIPAA Rules, except as authorized for management, administrative or legal responsibilities of the Contractor. 2. The Contractor, including its subcontractors and employees, shall protect from unauthorized access, use, or disclosure of names and other identifying information, including genetic information, concerning persons receiving services pursuant to this Agreement, except where permitted in order to carry out data aggregation purposes for health care operations [45 E-1 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) CFR §§ 164.504(e)(2)(i), 164.504(e)(2)(ii)(A), and 164.504(e)(4)(i)]. This pertains to any and all persons receiving services pursuant to a County-funded program. This requirement applies to electronic PHI. The Contractor shall not use such identifying information or genetic information for any purpose other than carrying out the Contractor's obligations under this Agreement. 3. The Contractor, including its subcontractors and employees, shall not disclose any such identifying information or genetic information to any person or entity, except as otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 or other law, required by the Secretary of the United States Department of Health and Human Services ("Secretary"), or authorized by the client/patient in writing. In using or disclosing PHI that is permitted by this Agreement or authorized by law, the Contractor shall make reasonable efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure or request. 4. For purposes of the above sections, identifying information shall include, but not be limited to, name, identifying number, symbol, or other identifying particular assigned to the individual, such as fingerprint or voiceprint, or photograph. 5. For purposes of the above sections, genetic information shall include genetic tests of family members of an individual or individual(s), manifestation of disease or disorder of family members of an individual, or any request for or receipt of genetic services by individual or family members. Family member means a dependent or any person who is first, second, third, or fourth degree relative. 6. The Contractor shall provide access, at the request of the County, and in the time and manner designated by the County, to PHI in a designated record set (as defined in 45 CFR § 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR § 164.524 regarding access by individuals to their PHI. With respect to individual requests, access shall be provided within thirty (30) days from request. Access may be extended if the Contractor cannot provide access and provides the individual with the reasons for the delay and E-2 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) the date when access may be granted. PHI shall be provided in the form and format requested by the individual or the County. The Contractor shall make any amendment(s)to PHI in a designated record set at the request of the County or individual, and in the time and manner designated by the County in accordance with 45 CFR § 164.526. The Contractor shall provide to the County or to an individual, in a time and manner designated by the County, information collected in accordance with 45 CFR § 164.528, to permit the County to respond to a request by the individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 7. The Contractor shall report to the County, in writing, any knowledge or reasonable belief that there has been unauthorized access, viewing, use, disclosure, security incident, or breach of unsecured PHI not permitted by this Agreement of which the Contractor becomes aware, immediately and without reasonable delay and in no case later than two (2) business days of discovery. Immediate notification shall be made to the County's Information Security Officer and Privacy Officer and the County's Department of Public Health ("DPH") HIPAA Representative, within two (2) business days of discovery. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, disclosed, or breached. The Contractor shall take prompt corrective action to cure any deficiencies and any action pertaining to such unauthorized disclosure required by applicable federal and State laws and regulations. The Contractor shall investigate such breach and is responsible for all notifications required by law and regulation or deemed necessary by the County and shall provide a written report of the investigation and reporting required to the County's Information Security Officer and Privacy Officer and the County's DPH HIPAA Representative. This written investigation and description of any reporting necessary shall be postmarked within the thirty (30) working days of the discovery of the breach to the addresses below: E-3 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) County of Fresno County of Fresno County of Fresno Department of Public Health Department of Public Health Department of Internal HIPAA Representative Privacy Officer Services (559) 600-6439 (559) 600-6403 Information Security Officer P.O. Box 11867 P.O. Box 11867 (559) 600-5800 Fresno, California 93775 Fresno, California 93775 333 W. Pontiac Way Clovis, California 93612 8. The Contractor shall make its internal practices, books, and records relating to the use and disclosure of PHI received from the County, or created or received by the Contractor on behalf of the County, in compliance with HIPAA's Privacy Rule, including, but not limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. The Contractor shall make its internal practices, books, and records relating to the use and disclosure of PHI received from the County, or created or received by the Contractor on behalf of the County, available to the Secretary upon demand. The Contractor shall cooperate with the compliance and investigation reviews conducted by the Secretary. PHI access to the Secretary must be provided during the Contractor's normal business hours; however, upon exigent circumstances access at any time must be granted. Upon the Secretary's compliance or investigation review, if PHI is unavailable to the Contractor and in possession of a subcontractor of the Contractor, the Contractor must certify to the Secretary its efforts to obtain the information from the subcontractor. 9. Safeguards The Contractor shall implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule, Subpart C of 45 CFR Part 164, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains or transmits on behalf of the County and to prevent unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. The Contractor shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI. The Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and E-4 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) complexity of the Contractor's operations and the nature and scope of its activities. Upon the County's request, the Contractor shall provide the County with information concerning such safeguards. The Contractor shall implement strong access controls and other security safeguards and precautions in order to restrict logical and physical access to confidential, personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include the following administrative and technical password controls for all systems used to process or store confidential, personal, or sensitive data: A. Passwords must not be: (1) Shared or written down where they are accessible or recognizable by anyone else; such as taped to computer screens, stored under keyboards, or visible in a work area; (2) A dictionary word; or (3) Stored in clear text B. Passwords must be: (1) Eight (8) characters or more in length; (2) Changed every ninety (90) days; (3) Changed immediately if revealed or compromised; and (4) Composed of characters from at least three (3) of the following four(4) groups from the standard keyboard: a) Upper case letters (A-Z); b) Lowercase letters (a-z); c) Arabic numerals (0 through 9); and d) Non-alphanumeric characters (punctuation symbols). The Contractor shall implement the following security controls on each workstation or portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive data: E-5 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) 1. Network-based firewall and/or personal firewall; 2. Continuously updated anti-virus software; and 3. Patch management process including installation of all operating system/software vendor security patches. The Contractor shall utilize a commercial encryption solution that has received FIPS 140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable electronic media (including, but not limited to, compact disks and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). The Contractor shall not transmit confidential, personal, or sensitive data via e-mail or other internet transport protocol unless the data is encrypted by a solution that has been validated by the National Institute of Standards and Technology (NIST) as conforming to the Advanced Encryption Standard (AES) Algorithm. The Contractor must apply appropriate sanctions against its employees who fail to comply with these safeguards. The Contractor must adopt procedures for terminating access to PHI when employment of employee ends. 10. Mitigation of Harmful Effects The Contractor shall mitigate, to the extent practicable, any harmful effect that is suspected or known to the Contractor of an unauthorized access, viewing, use, disclosure, or breach of PHI by the Contractor or its subcontractors in violation of the requirements of these provisions. The Contractor must document suspected or known harmful effects and the outcome. 11. The Contractor's Subcontractors The Contractor shall ensure that any of its contractors, including subcontractors, if applicable, to whom the Contractor provides PHI received from or created or received by the Contractor on behalf of the County, agree to the same restrictions, safeguards, and conditions that apply to the Contractor with respect to such PHI and to incorporate, when applicable, the relevant provisions of these provisions into each subcontract or sub-award to such agents or subcontractors. E-6 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) Nothing in this section 11 or this Exhibit E authorizes the Contractor to perform services under this Agreement using subcontractors. 12. Employee Training and Discipline The Contractor shall train and use reasonable measures to ensure compliance with the requirements of these provisions by employees who assist in the performance of functions or activities on behalf of the County under this Agreement and use or disclose PHI, and discipline such employees who intentionally violate any provisions of these provisions, which may include termination of employment. 13. Termination for Cause Upon the County's knowledge of a material breach of these provisions by the Contractor, the County will either: A. Provide an opportunity for the Contractor to cure the breach or end the violation, and the County may terminate this Agreement if the Contractor does not cure the breach or end the violation within the time specified by the County; or B. Immediately terminate this Agreement if the Contractor has breached a material term of this Exhibit E and cure is not possible, as determined by the County. C. If neither cure nor termination is feasible, the County's Privacy Officer will report the violation to the Secretary of the U.S. Department of Health and Human Services. 14. Judicial or Administrative Proceedings The County may terminate this Agreement if: (1) the Contractor is found guilty in a criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or (2) there is a finding or stipulation in an administrative or civil proceeding in which the Contractor is a party that the Contractor has violated a privacy or security standard or requirement of the HITECH Act, HIPAA or other security or privacy laws. 15. Effect of Termination Upon termination or expiration of this Agreement for any reason, the Contractor shall return or destroy all PHI received from the County (or created or received by the Contractor on E-7 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) behalf of the County) that the Contractor still maintains in any form, and shall retain no copies of such PHI. If return or destruction of PHI is not feasible, the Contractor shall continue to extend the protections of these provisions to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision applies to PHI that is in the possession of subcontractors or agents, if applicable, of the Contractor. If the Contractor destroys the PHI data, a certification of date and time of destruction shall be provided to the County by the Contractor. 16. Compliance with Other Laws To the extent that other state and/or federal laws provide additional, stricter and/or more protective privacy and/or security protections to PHI or other confidential information covered under this BAA, the Contractor agrees to comply with the more protective of the privacy and security standards set forth in the applicable state or federal laws to the extent such standards provide a greater degree of protection and security than HIPAA Rules or are otherwise more favorable to the individual. 17. Disclaimer The County makes no warranty or representation that compliance by the Contractor with these provisions, the HITECH Act, or the HIPAA Rules, will be adequate or satisfactory for the Contractor's own purposes or that any information in the Contractor's possession or control, or transmitted or received by the Contractor, is or will be secure from unauthorized access, viewing, use, disclosure, or breach. The Contractor is solely responsible for all decisions made by the Contractor regarding the safeguarding of PHI. 18. Amendment The parties acknowledge that Federal and State laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Exhibit E may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to amend this agreement in order to implement the standards and requirements of the HIPAA Rules, the HITECH Act and other applicable laws E-8 Exhibit E Health Insurance Portability and Accountability Act (HIPAA) relating to the security or privacy of PHI. The County may terminate this Agreement upon thirty (30) days written notice in the event that the Contractor does not enter into an amendment providing assurances regarding the safeguarding of PHI that the County in its sole discretion, deems sufficient to satisfy the standards and requirements of the HIPAA Rules, and the HITECH Act. 19. No Third-Party Beneficiaries Nothing expressed or implied in the provisions of this Exhibit E is intended to confer, and nothing in this Exhibit E does confer, upon any person other than the County or the Contractor and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. 20. Interpretation The provisions of this Exhibit E shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules, and applicable State laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a meaning that complies and is consistent with the HIPAA Rules. 21. Regulatory References A reference in the terms and conditions of these provisions to a section in the HIPAA Rules means the section as in effect or as amended. 22. Survival The respective rights and obligations of the Contractor as stated in this Exhibit E survive the termination or expiration of this Agreement. 23. No Waiver of Obligation Change, waiver or discharge by the County of any liability or obligation of the Contractor under this Exhibit E on any one or more occasions is not a waiver of performance of any continuing or other obligation of the Contractor and does not prohibit enforcement by the County of any obligation on any other occasion. E-9 Exhibit F Information Privacy and Security Requirements This Information Privacy and Security Requirements Exhibit (Exhibit) sets forth the information privacy and security requirements Contractor is obligated to follow with respect to all personal and confidential information (as defined herein) disclosed to Contractor, or collected, created, maintained, stored, transmitted or used by Contractor for or on behalf of the California Department of Public Health ( CDPH), pursuant to Contractor's agreement with CDPH. (Such personal and confidential information is referred to herein collectively as CDPH PCI.) CDPH and Contractor desire to protect the privacy and provide for the security of CDPH PCI pursuant to this Exhibit and in compliance with state and federal laws applicable to the CDPH PCI. I. Order of Precedence: With respect to information privacy and security requirements for all CDPH PCI, the terms and conditions of this Exhibit shall take precedence over any conflicting terms or conditions set forth in any other part of the agreement between Contractor and CDPH, including Exhibit A (Scope of Work), all other exhibits and any other attachments, and shall prevail over any such conflicting terms or conditions. II. Effect on lower tier transactions: The terms of this Exhibit shall apply to all contracts, subcontracts, and subawards, and the information privacy and security requirements Contractor is obligated to follow with respect to CDPH PCI disclosed to Contractor, or collected, created, maintained, stored, transmitted or used by Contractor for or on behalf of CDPH, pursuant to Contractor's agreement with CDPH. When applicable the Contractor shall incorporate the relevant provisions of this Exhibit into each subcontract or subaward to its agents, subcontractors, or independent consultants. III. Definitions: For purposes of the agreement between Contractor and CDPH, including this Exhibit, the following definitions shall apply: A. Breach: "Breach" means: 1. the unauthorized acquisition, access, use, or disclosure of CDPH PCI in a manner which compromises the security, confidentiality, or integrity of the information; or 2. the same as the definition of"breach of the security of the system" set forth in California Civil Code section 1798.29(f). B. Confidential Information: "Confidential information" means information that: 1. does not meet the definition of"public records" set forth in California Government Code section 6252(e), or is exempt from disclosure under any of the provisions of Section 6250, et seq. of the California Government Code or any other applicable state or federal laws; or 2. is contained in documents, files, folders, books, or records that are clearly labeled, marked or designated with the word "confidential" by CDPH. C. Disclosure: "Disclosure" means the release, transfer, provision of, access to, or divulging in any manner of information outside the entity holding the information. D. PCI: "PCI" means "personal information" and "confidential information" (as these terms are defined herein: CDPH IPSR 9-22 F-1 Exhibit F Information Privacy and Security Requirements E. Personal Information: "Personal information" means information, in any medium (paper, electronic, oral) that: 1. directly or indirectly collectively identifies or uniquely describes an individual; or 2. could be used in combination with other information to indirectly identify or uniquely describe an individual, or link an individual to the other information; or 3. meets the definition of"personal information" set forth in California Civil Code section 1798.3, subdivision (a) or 4. is one of the data elements set forth in California Civil Code section 1798.29, subdivision (g)(1) or (g)(2); or 5. meets the definition of"medical information" set forth in either California Civil Code section 1798.29, subdivision (h)(2) or California Civil Code section 56.05, subdivision 0); or 6. meets the definition of"health insurance information" set forth in California Civil Code section 1798.29, subdivision (h)(3); or 7. is protected from disclosure under applicable state or federal law. F. Security Incident: "Security Incident" means: 1. an attempted breach; or 2. the attempted or successful unauthorized access or disclosure, modification, or destruction of CDPH PCI, in violation of any state or federal law or in a manner not permitted under the agreement between Contractor and CDPH, including this Exhibit; or 3. the attempted or successful modification or destruction of, or interference with, Contractor's system operations in an information technology system, that negatively impacts the confidentiality, availability, or integrity of CDPH PCI; or 4. any event that is reasonably believed to have compromised the confidentiality, integrity, or availability of an information asset, system, process, data storage, or transmission. Furthermore, an information security incident may also include an event that constitutes a violation or imminent threat of violation of information security policies or procedures, including acceptable use policies. G. Use: "Use" means the sharing, employment, application, utilization, examination, or analysis of information. IV. Disclosure Restrictions: The Contractor and its employees, agents, and subcontractors shall protect from unauthorized disclosure any CDPH PCI. The Contractor shall not disclose, except as otherwise specifically permitted by the agreement between Contractor and CDPH (including this Exhibit), any CDPH PCI to anyone other than CDPH personnel or programs without prior written authorization from the CDPH Program Contract Manager, except if disclosure is required by State or Federal law. CDPH IPSR 9-22 F-2 Exhibit F Information Privacy and Security Requirements V. Use Restrictions: The Contractor and its employees, agents, and subcontractors shall not use any CDPH PCI for any purpose other than performing the Contractor's obligations under its agreement with CDPH. VI. Safeguards: The Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the privacy, confidentiality, security, integrity, and availability of CDPH PCI, including electronic or computerized CDPH PCI. At each location where CDPH PCI exists under Contractor's control, the Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities in performing its agreement with CDPH, including this Exhibit, and which incorporates the requirements of Section VII, Security, below. Contractor shall provide CDPH with Contractor's current and updated policies within five (5) business days of a request by CDPH for the policies. VI I. Security: The Contractor shall take any and all steps reasonably necessary to ensure the continuous security of all computerized data systems containing CDPH PCI. These steps shall include, at a minimum, complying with all of the data system security precautions listed in the Contractor Data Security Standards set forth in Attachment 1 to this Exhibit. VIII. Security Officer: At each place where CDPH PCI is located, the Contractor shall designate a Security Officer to oversee its compliance with this Exhibit and to communicate with CDPH on matters concerning this Exhibit. IX. Training: The Contractor shall provide training on its obligations under this Exhibit, at its own expense, to all of its employees who assist in the performance of Contractor's obligations under Contractor's agreement with CDPH, including this Exhibit, or otherwise use or disclose CDPH PCI. A. The Contractor shall require each employee who receives training to certify, either in hard copy or electronic form, the date on which the training was completed. B. The Contractor shall retain each employee's certifications for CDPH inspection for a period of three years following contract termination or completion. C. Contractor shall provide CDPH with its employee's certifications within five (5) business days of a request by CDPH for the employee's certifications. X. Employee Discipline: Contractor shall impose discipline that it deems appropriate (in its sole discretion) on such employees and other Contractor workforce members under Contractor's direct control who intentionally or negligently violate any provisions of this Exhibit. CDPH IPSR 9-22 F-3 Exhibit F Information Privacy and Security Requirements XI. Breach and Security Incident Responsibilities: A. Notification to CDPH of Breach or Security Incident: The Contractor shall notify CDPH immediately by telephone and email upon the discovery of a breach (as defined in this Exhibit), and within twenty-four(24) hours by email of the discovery of any security incident (as defined in this Exhibit), unless a law enforcement agency determines that the notification will impede a criminal investigation, in which case the notification required by this section shall be made to CDPH immediately after the law enforcement agency determines that such notification will not compromise the investigation. Notification shall be provided to the CDPH Program Contract Manager, the CDPH Privacy Officer and the CDPH Chief Information Security Officer, using the contact information listed in Section XI (F), below. If the breach or security incident is discovered after business hours or on a weekend or holiday and involves CDPH PCI in electronic or computerized form, notification to CDPH shall be provided by calling the CDPH Information Security Office at the telephone numbers listed in Section XI(F), below. For purposes of this Section, breaches and security incidents shall be treated as discovered by Contractor as of the first day on which such breach or security incident is known to the Contractor, or, by exercising reasonable diligence would have been known to the Contractor. Contractor shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee or agent of the Contractor. Contractor shall take: 1. prompt corrective action to mitigate any risks or damages involved with the breach or security incident and to protect the operating environment; and 2. any action pertaining to a breach required by applicable federal and state laws, including, specifically, California Civil Code section 1798.29. B. Investigation of Breach and Security Incidents: The Contractor shall immediately investigate such breach or security incident. As soon as the information is known and subject to the legitimate needs of law enforcement, Contractor shall inform the CDPH Program Contract Manager, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer of: 1. what data elements were involved and the extent of the data disclosure or access involved in the breach, including, specifically, the number of individuals whose personal information was breached; 2. a description of the unauthorized persons known or reasonably believed to have improperly used the CDPH PCI and/or a description of the unauthorized persons known or reasonably believed to have improperly accessed or acquired the CDPH PCI, or to whom it is known or reasonably believed to have had the CDPH PCI improperly disclosed to them; 3. a description of where the CDPH PCI is believed to have been improperly used or disclosed; 4. a description of the probable and proximate causes of the breach or security incident; and 5. whether Civil Code section 1798.29 or any other federal or state laws requiring individual notifications of breaches have been triggered. CDPH IPSR 9-22 F-4 Exhibit F Information Privacy and Security Requirements C. Written Report: The Contractor shall provide a written report of the investigation to the CDPH Program Contract Manager, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer as soon as practicable after the discovery of the breach or security incident. The report shall include, but not be limited to, the information specified above, as well as a complete, detailed corrective action plan, including information on measures that were taken to halt and/or contain the breach or security incident, and measures to be taken to prevent the recurrence or further disclosure of data regarding such breach or security incident. D. Notification to Individuals: If notification to individuals whose information was breached is required under state or federal law, and regardless of whether Contractor is considered only a custodian and/or non-owner of the CDPH PCI, Contractor shall, at its sole expense, and at the sole election of CDPH, either: 1. make notification to the individuals affected by the breach (including substitute notification), pursuant to the content and timeliness provisions of such applicable state or federal breach notice laws. Contractor shall inform the CDPH Privacy Officer of the time, manner and content of any such notifications, prior to the transmission of such notifications to the individuals; or 2. cooperate with and assist CDPH in its notification (including substitute notification) to the individuals affected by the breach. E. Submission of Sample Notification to Attorney General: If notification to more than 500 individuals is required pursuant to California Civil Code section 1798.29, and regardless of whether Contractor is considered only a custodian and/or non-owner of the CDPH PCI, Contractor shall, at its sole expense, and at the sole election of CDPH, either: 1. electronically submit a single sample copy of the security breach notification, excluding any personally identifiable information, to the Attorney General pursuant to the format, content and timeliness provisions of Section 1798.29, subdivision (e). Contractor shall inform the CDPH Privacy Officer of the time, manner and content of any such submissions, prior to the transmission of such submissions to the Attorney General; or 2. cooperate with and assist CDPH in its submission of a sample copy of the notification to the Attorney General. F. CDPH Contact Information: To direct communications to the above referenced CDPH staff, the Contractor shall initiate contact as indicated herein. CDPH reserves the right to make changes to the contact information below by verbal or written notice to the Contractor. Said changes shall not require an amendment to this Exhibit or the agreement to which it is incorporated. CDPH IPSR 9-22 F-5 Exhibit F Information Privacy and Security Requirements CDPH Program CDPH Privacy Officer CDPH Chief Information Security Contract Manager Officer See the Scope of Work Privacy Officer Chief Information Security Officer exhibit for Program Privacy Office Information Security Office Contract Manager c/o Office of Legal Services California Dept. of Public Health California Dept. of Public Health P.O. Box 997413, MS 6302 P.O. Box 997377, MS 0506 Sacramento, CA 95899-7413 Sacramento, CA 95899-7377 Email: Email: privacy()-cdph.ca.gov CDPH.InfoSecurityOffice(aD-cdph.ca.gov Telephone: (877)421-9634 Telephone: (855) 500-0016 XI I. Documentation of Disclosures for Requests for Accounting: Contractor shall document and make available to CDPH or (at the direction of CDPH) to an Individual such disclosures of CDPH PCI, and information related to such disclosures, necessary to respond to a proper request by the subject Individual for an accounting of disclosures of personal information as required by Civil Code section 1798.25, or any applicable state or federal law. XIII. Requests for CDPH PCI by Third Parties: The Contractor and its employees, agents, or subcontractors shall promptly transmit to the CDPH Program Contract Manager all requests for disclosure of any CDPH PCI requested by third parties to the agreement between Contractor and CDPH (except from an Individual for an accounting of disclosures of the individual's personal information pursuant to applicable state or federal law), unless prohibited from doing so by applicable state or federal law. XIV. Audits, Inspection and Enforcement: CDPH may inspect the facilities, systems, books and records of Contractor to monitor compliance with this Exhibit. Contractor shall promptly remedy any violation of any provision of this Exhibit and shall certify the same to the CDPH Program Contract Manager in writing. XV. Return or Destruction of CDPH PCI on Expiration or Termination: Upon expiration or termination of the agreement between Contractor and CDPH for any reason, Contractor shall securely return or destroy the CDPH PCI. If return or destruction is not feasible, Contractor shall provide a written explanation to the CDPH Program Contract Manager, the CDPH Privacy Officer and the CDPH Chief Information Security Officer, using the contact information listed in Section XI (F), above. A. Retention Required by Law: If required by state or federal law, Contractor may retain, after expiration or termination, CDPH PCI for the time specified as necessary to comply with the law. B. Obligations Continue Until Return or Destruction: Contractor's obligations under this Exhibit shall continue until Contractor returns or destroys the CDPH PCI or returns the CDPH PCI to CDPH; provided however, that on expiration or termination of the agreement between Contractor and CDPH, Contractor shall not further use or disclose the CDPH PCI except as required by state or federal law. C. Notification of Election to Destroy CDPH PCI: If Contractor elects to destroy the CDPH PCI, Contractor shall certify in writing, to the CDPH Program Contract Manager, the CDPH Privacy CDPH IPSR 9-22 F-6 Exhibit F Information Privacy and Security Requirements Officer and the CDPH Chief Information Security Officer, using the contact information listed in Section XI (F), above, that the CDPH PCI has been securely destroyed. The notice shall include the date and type of destruction method used. XVI. Amendment: The parties acknowledge that federal and state laws regarding information security and privacy rapidly evolves and that amendment of this Exhibit may be required to provide for procedures to ensure compliance with such laws. The parties specifically agree to take such action as is necessary to implement new standards and requirements imposed by regulations and other applicable laws relating to the security or privacy of CDPH PCI. The parties agree to promptly enter into negotiations concerning an amendment to this Exhibit consistent with new standards and requirements imposed by applicable laws and regulations. XVII. Assistance in Litigation or Administrative Proceedings: Contractor shall make itself and any subcontractors, workforce employees or agents assisting Contractor in the performance of its obligations under the agreement between Contractor and CDPH, available to CDPH at no cost to CDPH to testify as witnesses, in the event of litigation or administrative proceedings being commenced against CDPH, its director, officers or employees based upon claimed violation of laws relating to security and privacy, which involves inactions or actions by the Contractor, except where Contractor or its subcontractor, workforce employee or agent is a named adverse party. XVIII. No Third-Party Beneficiaries: Nothing express or implied in the terms and conditions of this Exhibit is intended to confer, nor shall anything herein confer, upon any person other than CDPH or Contractor and their respective successors or assignees, any rights, remedies, obligations, or liabilities whatsoever. XIX. Interpretation: The terms and conditions in this Exhibit shall be interpreted as broadly as necessary to implement and comply with regulations and applicable State laws. The parties agree that any ambiguity in the terms and conditions of this Exhibit shall be resolved in favor of a meaning that complies and is consistent with federal and state laws and regulations. XX. Survival: If Contractor does not return or destroy the CDPH PCI upon the completion or termination of the Agreement, the respective rights and obligations of Contractor under Sections VI, VII and XI of this Exhibit shall survive the completion or termination of the agreement between Contractor and CDPH. CDPH IPSR 9-22 F-7 Exhibit F Information Privacy and Security Requirements Attachment 1 Contractor Data Security Standards I. Personnel Controls A. Workforce Members Training and Confidentiality. Before being allowed access to CDPH PCI, all Contractor's workforce members who will be granted access to CDPH PCI must be trained in their security and privacy roles and responsibilities at Contractor's expense and must sign a confidentiality and acceptable CDPH PCI use statement. Training must be on an annual basis. Acknowledgments of completed training and confidentiality statements, which have been signed and dated by workforce members must be retained by the Contractor for a period of three (3) years following contract termination. Contractor shall provide the acknowledgements within five (5) business days to CDPH if so requested. B. Workforce Members Discipline. Appropriate sanctions, including termination of employment where appropriate, must be applied against workforce members who fail to comply with privacy policies and procedures, acceptable use agreements, or any other provisions of these requirements. C. Workforce Member Assessment. Before being permitted access to CDPH PCI, Contractor must assure there is no indication its workforce member may present a risk to the security or integrity of CDPH PCI. Contractor shall retain the workforce member's assessment documentation for a period of three (3) years following contract termination. II. Technical Security Controls A. Encryption. All desktop computers, mobile computing devices, and portable electronic storage media that processes or stores CDPH PCI must be encrypted using a FIPS 140-2 certified 128 bit or higher algorithm. The encryption solution must be full disk unless approved by the CDPH Information Security Office (ISO) and Privacy Office (PO). FIPS 140-2 certified 128 bit or higher algorithm end-to-end, individual file encryption, or ISO approved compensating security controls, shall be used to protect CDPH PCI transmitted or accessed outside the Contractor's secure internal network(e.g., email, remote access, file transfer, internet/website communication tools). B. Server Security. Servers containing unencrypted CDPH PCI must have sufficient local and network perimeter administrative, physical, and technical controls in place to protect the CDPH information asset, based upon a current risk assessment/system security review. C. Minimum Necessary. Only the minimum amount of CDPH PCI required to complete an authorized task or workflow may be copied, downloaded, or exported to any individual device. D. Antivirus software. Contractor shall employ automatically updated malicious code protection mechanisms (anti-malware programs or other physical or software-based solutions)at its network perimeter and at workstations, servers, or mobile computing devices to continuously monitor and take action against system or device attacks,anomalies, and suspicious or inappropriate activities. E. Patch Management. All devices that process or store CDPH PCI must have a documented patch management process. Vulnerability patching for Common Vulnerability Scoring System (CVSS) "Critical" severity ratings (CVSS 9.0 — 10.0) shall be completed within forty-eight (48) hours of publication or availability of vendor supplied patch; "High" severity rated (CVSS 7.0- 8.9) shall be completed within seven (7) calendar days of publication or availability of vendor supplied patch; CDPH IPSR 9-22 F-g Exhibit F Information Privacy and Security Requirements all other vulnerability ratings (CVSS 0.1 — 6.9) shall be completed within thirty (30) days of publication or availability of vendor supplied patch, unless prior ISO and PO variance approval is granted. F. User Identification and Access Control. All Contractor workforce members must have a unique local and/or network user identification (ID) to access CDPH PCI. The unique ID may be passwords, physical authenticators, or biometrics, or in the case of multi-factor authentication, some combination thereof. Should a workforce member no longer be authorized to access CDPH PCI, or an ID has been compromised, that ID shall be promptly disabled or deleted. User ID's must integrate with user role-based access controls to ensure that individual access to CDPH PCI is commensurate with job-related responsibilities. G. CDPH PCI Destruction. When no longer required for business needs or legal retention periods, all electronic and physical media holding CDPH PCI must be purged from Contractor's systems and facilities using the appropriate guidelines for each media type as described in the prevailing "National Institute of Standards and Technology — Special Publication 800-88" — "Media Sanitization Decision Matrix." H. System Inactivity Timeout. Contractor's computing devices holding, or processing CDPH PCI must be configured to automatically log-off an authenticated user or lock the device in a manner where the user must reauthenticate the user session after no more than twenty (20) minutes of user inactivity. I. Warning Banners. During a user log-on process, all systems providing access to CDPH PCI, must display a warning banner stating that the CDPH PCI is confidential, system and user activities are logged, and system and CDPH PCI use is for authorized business purposes only. User must be directed to log-off the system if they do not agree with these conditions. J. System Logging. Contractor shall ensure its information systems and devices that hold or process CDPH PCI are capable of being audited and the events necessary to reconstruct transactions and support after-the-fact investigations are maintained. This includes the auditing necessary to cover related events, such as the various steps in distributed, transaction-based processes and actions in service-oriented architectures. Audit trail information with CDPH PCI must be stored with read-only permissions and be archived for three (3) years after event occurrence. There must also be a documented and routine procedure in place to review system logs for unauthorized access. K. Intrusion Detection. All Contractor systems and devices holding, processing, or transporting CDPH PCI that interact with untrusted devices or systems via the Contractor intranet and/or the internet must be protected by a monitored comprehensive intrusion detection system and/or intrusion prevention system. III. Audit Controls A. System Security Review. Contractor, to assure that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection for CDPH PCI, shall conduct at least, an annual administrative assessment of risk, including the likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of an information system or device holding processing, or transporting CDPH PCI, CDPH IPSR 9-22 F-9 Exhibit F Information Privacy and Security Requirements along with periodic technical security reviews using vulnerability scanning tools and other appropriate technical assessments. B. Change Control. All Contractor systems and devices holding, processing, or transporting CDPH PCI shall have a documented change control process for hardware, firmware, and software to protect the systems and assets against improper modification before, during, and after system implementation. IV. Business Continuity I Disaster Recovery Controls A. Emergency Mode Operation Plan. Contractor shall develop and maintain technical recovery and business continuity plans for systems holding, processing, or transporting CDPH PCI to ensure the continuation of critical business processes and the confidentiality, integrity, and availability of CDPH PCI following an interruption or disaster event lasting more than twenty-four(24) hours. B. CDPH PCI Backup Plan. Contractor shall have a documented, tested, accurate, and regularly scheduled full backup process for systems and devices holding CDPH PCI. V. Paper Document Controls A. Supervision of CDPH PCI. CDPH PCI in any physical format shall not be left unattended at any time. When not under the direct observation of an authorized Contractor workforce member, the CDPH PCI must be stored in a locked file cabinet,desk,or room. It also shall not be left unattended at any time in private vehicles or common carrier transportation, and it shall not be placed in checked baggage on common carrier transportation. B. Escorting Visitors. Visitors who are not authorized to see CDPH PCI must be escorted by authorized workforce members when in areas where CDPH PCI is present, and CDPH PCI shall be kept out of sight of visitors. C. Removal of CDPH PCI. CDPH PCI in any format must not be removed from the secure computing environment or secure physical storage of the Contractor, except with express written permission of the CDPH PCI owner. D. Faxing and Printing. Contractor shall control access to information system output devices, such as printers and facsimile devices, to prevent unauthorized individuals from obtaining any output containing CDPH PCI. Fax numbers shall be verified with the intended recipient before transmittal. E. Mailing. Mailings of CDPH PCI shall be sealed and secured from damage or inappropriate viewing to the extent possible. Mailings which include five hundred (500) or more individually identifiable records of CDPH PCI in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt, unless the prior written permission of CDPH to use another method is obtained. CDPH IPSR 9-22 F-10 Exhibit G Insurance Requirements 1. Required Policies Without limiting the County's right to obtain indemnification from the Contractor or any third parties, Contractor, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of this Agreement. (A) Commercial General Liability. Commercial general liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. Coverage must include products, completed operations, property damage, bodily injury, personal injury, and advertising injury. The Contractor shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by the County is excess only and not contributing with insurance provided under the Contractor's policy. (B) Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages. Coverage must include any auto used in connection with this Agreement. (C)Workers Compensation. Workers compensation insurance as required by the laws of the State of California with statutory limits. (D) Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease. (E) Professional Liability. Professional liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence and an annual aggregate of Three Million Dollars ($3,000,000). If this is a claims-made policy, then (1)the retroactive date must be prior to the date on which services began under this Agreement; (2)the Contractor shall maintain the policy and provide to the County annual evidence of insurance for not less than five years after completion of services under this Agreement; and (3) if the policy is canceled or not renewed, and not replaced with another claims-made policy with a retroactive date prior to the date on which services begin under this Agreement, then the Contractor shall purchase extended reporting coverage on its claims-made policy for a minimum of five years after completion of services under this Agreement. (F) Molestation Liability. Sexual abuse/ molestation liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence, with an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. (G)Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The cyber liability policy must be endorsed to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. G-1 Exhibit G Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security Breach, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) data breach; (iii) breach of any of the Contractor's obligations under Article 1 of this Agreement; (iv) system failure; (v) data recovery; (vi)failure to timely disclose data breach or Security Breach; (vii)failure to comply with privacy policy; (viii) payment card liabilities and costs; (ix) infringement of intellectual property, including but not limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy, including release of private information; (xi) information theft; (xii) damage to or destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; (xv)fraudulent instruction; (xvi) funds transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response costs, including Security Breach response costs; (xx) regulatory fines and penalties related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; and (xxi) credit monitoring expenses. 2. Additional Requirements (A) Verification of Coverage. Within 30 days after the Contractor signs this Agreement, and at any time during the term of this Agreement as requested by the County's Risk Manager or the County Administrative Office, the Contractor shall deliver, or cause its broker or producer to deliver, to the County of Fresno, Department of Public Health, P.O. Box 11867, Fresno, CA 93775, Attention: Contracts Section —6t" Floor, or email, DPHContracts@fresnocountyca.gov, certificates of insurance and endorsements for all of the coverages required under this Agreement. (i) Each insurance certificate must state that: (1) the insurance coverage has been obtained and is in full force; (2) the County, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3)the Contractor has waived its right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Agreement and that waiver does not invalidate the insurance policy. (ii) The commercial general liability insurance certificate must also state, and include an endorsement, that the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, are additional insureds insofar as the operations under this Agreement are concerned. The commercial general liability insurance certificate must also state that the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by the County shall be excess only and not contributing with insurance provided under the Contractor's policy. (iii) The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Agreement. (iv) The professional liability insurance certificate, if it is a claims-made policy, must also state the retroactive date of the policy, which must be prior to the date on which services began under this Agreement. G-2 Exhibit G (v) The technology professional liability insurance certificate must also state that coverage encompasses all of the Contractor's obligations under this Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Agreement. (vi) The cyber liability insurance certificate must also state that it is endorsed, and include an endorsement, to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data)that is in the care, custody, or control of the Contractor. (B) Acceptability of Insurers. All insurance policies required under this Agreement must be issued by admitted insurers licensed to do business in the State of California and possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no less than A: VI I. (C) Notice of Cancellation or Change. For each insurance policy required under this Agreement, the Contractor shall provide to the County, or ensure that the policy requires the insurer to provide to the County, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 30 days in advance of cancellation or change. The County in its sole discretion may determine that the failure of the Contractor or its insurer to timely provide a written notice required by this paragraph is a breach of this Agreement. (D) County's Entitlement to Greater Coverage. If the Contractor has or obtains insurance with broader coverage, higher limits, or both, than what is required under this Agreement, then the County requires and is entitled to the broader coverage, higher limits, or both. To that end, the Contractor shall deliver, or cause its broker or producer to deliver, to the County's Risk Manager certificates of insurance and endorsements for all of the coverages that have such broader coverage, higher limits, or both, as required under this Agreement. (E) Waiver of Subrogation. The Contractor waives any right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under the policy of worker's compensation insurance required by this Agreement. The Contractor is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but the Contractor's waiver of subrogation under this paragraph is effective whether or not the Contractor obtains such an endorsement. (F) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails to keep in effect at all times any insurance coverage required under this Agreement, the County may, in addition to any other remedies it may have, suspend or terminate this Agreement upon the occurrence of that failure, or purchase such insurance coverage, and charge the cost of that coverage to the Contractor. The County may offset such charges against any amounts owed by the County to the Contractor under this Agreement. G-3 Exhibit G (G)Subcontractors. The Contractor shall require and verify that all subcontractors used by the Contractor to provide services under this Agreement maintain insurance meeting all insurance requirements provided in this Agreement. This paragraph does not authorize the Contractor to provide services under this Agreement using subcontractors. G-4 Exhibit H Self-Dealing Transaction Disclosure Form In order to conduct business with the County of Fresno ("County"), members of a contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest." The definition above will be used for purposes of completing this disclosure form. Instructions (1) Enter board member's name,job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. The form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). H-1 Exhibit H (1) Company Board Member Information: Name: Date: Job Title: (2) Company/Agency Name and Address: (3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to) (4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code § 5233 (a) (5) Authorized Signature Signature: Date: H-2