Agreement No. 24-067
Agreement No. 5095-INT-2023-FC
Interoperability Solution
January 9, 2024
CALIFORNIA MENTAL HEALTH SERVICES AUTHORITY
PARTICIPATION AGREEMENT
COVER SHEET
1. Fresno County ("Participant") desires to participate in the Program identified below.
Name of Program: Interoperability Solution
Summary of Program: CalMHSA will provide "CalMHSA Connex," a managed Interoperability
Software as a Service (SaaS) solution (the "Services"), to assist participating counties in meeting
state and federal interoperability requirements. CalMHSA Connex will facilitate the exchange of
protected health information (PHI), personally identifiable information (PII) and other information
between organizations and will assist Participants in connecting to larger national exchange
networks.
2. California Mental Health Services Authority ("CalMHSA") and Participant acknowledge that the
Program will be governed by CalMHSA's Joint Powers Agreement and its Bylaws, and by this
participation agreement (the "Agreement"). The following exhibits are intended to clarify how
the provisions of those documents will be applied to this Program.
Exhibit A Program Description and Funding
Exhibit B General Terms and Conditions
Exhibit C Data Sharing Agreement
3. The amount payable for the term of this Agreement is $581,013.
This amount is comprised of a one-time Implementation and Project Management fee plus an
annual Managed Services subscription fee. Additional fees may apply if Participant requests
additional work or customizations not included in Exhibit A, Section III. Scope of Work, or where
third-party fees are applicable.
4. County to confirm if funds payable under this agreement are:
From a federal source or program (explain below) Amount $
Grant Funding (explain below): Amount $
Restricted (explain below): Amount $
Contingent (explain below): Amount $
Explanation of Restriction(s):
*County confirms that aside from the above, there are no other funding restrictions.
5. The term of the Program is February 6, 2024, through December 31, 2026.
Fresno County—Participation Agreement
DocuSign Envelope ID:C7B12541-5515-4233-A733-E4FDC34C1BE2
Authorized Signatures:
CalMHSA:
DocuSigned by:
Signed: Name (Printed): Dr. Arnie Miller, Psy.D., MFT
Title: Executive Director Date: 2/27/2024
Participant (Fresno County):
Signed: Name (Printed): Nathan Magsig
Title: Chairman of the Board of Supervisors Date: -2
ATTEST:
BERNICE E. SEIDEL
Clerk of the Board of Supervisors
County of Fresno, State of California
By_ Deputy
For accounting use only:
Org No.: 56304730
Account No.: 7295
Fund No.: 0001
Subclass No.: 10000
Participation Agreement
EXHIBIT A—PROGRAM DESCRIPTION AND FUNDING
I. Name of Program: Interoperability Solution
II. Term of Program: February 6, 2024, through December 31, 2026.
III. Scope of Work:
CalMHSA will provide Participant the following services:
A. CalMHSA Responsibilities
1. California Data Exchange Framework ("DxF") Data Exchange Requirements.
a. CalMHSA will provide a third-party brokered Integrating the Healthcare Enterprise
(IHE) gateway and/or FHIR endpoint and workflow to facilitate query/response data
exchange transactions via CalMHSA Connex. Available data exchange architecture(s)
will align with industry standards and include the following options:
i. Fast Healthcare Interoperability Resources (FHIR);
ii. Cross-Community Access/Patient Discovery (XCA/XCPD);
iii. Cross Enterprise Document Sharing (XDS.b).
b. The Services will include a single bi-directional interface, which will include one
inbound and one outbound connection to CalMHSA Connex.
c. CalMHSA will assist Participant in producing necessary reporting and attestation to the
Center for Data Insights and Innovation ("CDII") for organizations applying for DxF
grant funding through CalMHSA as an umbrella applicant.
2. CMS Interoperability and Patient Access.
a. CalMHSA will provide a technical solution to assist counties in complying with the
following CMS Interoperability requirements:
i. Patient Access API—CalMHSA will implement and maintain a secure,
standards-based API (HL7 FHIR Release 4.0.1) that allows patients to access
their claims and encounter information, as well as a defined sub-set of
their clinical information, through third-party applications of their choice.
ii. Provider Directory API—CalMHSA will make provider directory information
publicly available via a standards-based API. CalMHSA will provide
Participant with a Provider directory link to publish on Participant's County
website.
iii. Information Blocking regulations.
iv. Receipt of Admission, Discharge, and Transfer (ADT) Event Notification.
a) Receipt of ADTs is contingent on source organizations providing the
requested data. CalMHSA will provide the means of processing and
ingesting. Participant intervention may be needed to facilitate
arrangements to receive appropriate messages. Third party fees
may apply and will be paid by Participant.
3. CalMHSA will manage the implementation of interoperability services, including, but not
limited to project management, set-up and configuration, and validation. Implementation
professional services including:
a. Developing data flow process for bi-directional data exchange.
b. Overseeing implementation of county endpoints.
c. Developing and implementing CMS interoperability requirements for Patient Access
and Provider Directory, per CMS guidelines.
d. Work to establish connection within Participant's EHR instance.
i. CalMHSA will work to establish connection with Participant's instance within
CalMHSA's SmartCare EHR program.
ii. Connections to non-CalMHSA SmartCare EHR and non-SmartCare EHR
systems will be addressed upon Participant's request.
iii. Any such connections may require additional scope of work and may be
subject to additional costs.
4. CalMHSA will manage operational availability of connections to include:
a. Managing interoperability infrastructure.
b. Monitoring security, HIPAA compliance and applicable data governance to the extent
allowed by third party hosting service.
c. Maintaining uptime of on-demand, real-time bi-directional data exchange process
during the hours of 8:00am - 5:00pm PST, Monday through Friday. Uptime is subject
to the terms as stated in Exhibit B, Section VI. Uptime and Support.
i. Enabling XCA/XCPD endpoint, on behalf of County, for response to
document queries for DxF compliance.
5. CalMHSA will provide training and support to Participant's staff regarding the Services.
a. Training will be held remotely via webinar format.
b. CalMHSA will make available recorded training videos for future reference.
6. CalMHSA will develop policies and procedures related to the Services and CalMHSA Connex.
a. During interface implementation, CalMHSA will advise on interoperability best
practices and assist county designated process owners and/or relevant staff with
creating or modifying policies and procedures around interoperability.
7. Additional work or customizations requested by Participant outside of the Scope of Work
included in this Agreement shall be subject to additional fees and must be agreed upon in a
written contract signed by the Parties.
B. Participant Responsibilities
Participant shall be responsible for the following:
1. Data Delivery—Participant will deliver data to CalMHSA in a relational structured format.
Participant agrees to take steps necessary to ensure data is extracted in the appropriate format
including, but not limited to, working with their current vendor.
2. ISO Object Identifier (OID) - An OID is a globally unique ISO (International Organization for
Standardization) identifier. An OID is required to facilitate on-demand, bi-directional data
exchange. Participants are required to procure an OID.
3. Project Management and Coordination — Participant agrees to assign staff and a lead
contact to communicate and collaborate with CalMHSA throughout the Interoperability project.
IV. Fee Structure
Service Type                                      One-Time Fee   Annual Rate
Implementation and Project Management             $250,000
CalMHSA Managed Services Annual Subscription*                    $105,000
*CalMHSA Managed Services Annual Subscription fee is subject to a five percent (5%) annual increase.
Participation Agreement
EXHIBIT B—General Terms and Conditions
I. Definitions
The following words, as used throughout this Participation Agreement, shall be construed to have
the following meaning, unless otherwise apparent from the context in which they are used:
A. CalMHSA — California Mental Health Services Authority, a Joint Powers Authority (JPA)
created by counties in 2009 at the instigation of the California Mental Health Directors
Association to jointly develop and fund mental health services and education programs.
B. Member—A PARTICIPANT (or JPA of two or more Counties) that has joined CalMHSA and
executed the CalMHSA Joint Powers Agreement.
C. Participant—Any County participating in the Program either as Member of CalMHSA or
under a Memorandum of Understanding with CalMHSA.
D. Program—The program identified in the Cover Sheet.
II. Responsibilities
A. Responsibilities of CalMHSA:
1. Act as the Fiscal and Administrative agent for the Program.
2. Manage funds received consistent with the requirements of any applicable laws,
regulations, guidelines and/or contractual obligations.
3. Provide regular fiscal reports to Participant and/or other public agencies with a
right to such reports.
4. Comply with CalMHSA's Joint Powers Agreement and Bylaws.
B. Responsibilities of Participant:
1. Transfer of funding amount for the Program as specified in Exhibit B, Section V.
Fiscal Provisions, which Participant will pay within the payment terms defined
within this agreement.
2. Provide CalMHSA and any other parties deemed necessary with requested
information and assistance to fulfill the purpose of the Program.
3. Any and all assessments, creation of individual case plans, and providing or
arranging for services.
4. Provide CalMHSA with requested information and assistance to fulfill the purpose
of the Program.
5. Provide feedback on Program performance.
6. Comply with applicable laws, regulations, guidelines, contractual agreements,
JPAs, and bylaws.
III. Duration, Term, and Amendment
A. The term of the Program is February 6, 2024, through December 31, 2026.
B. This Agreement may be supplemented, amended, or modified only by the mutual
agreement of CalMHSA and the Participant, expressed in writing and signed by authorized
representatives of both parties.
IV. Withdrawal, Cancellation, and Termination
A. Participant may withdraw from the Program and terminate the Participation Agreement
upon six (6) months' written notice. Notice shall be deemed served on the date of
mailing.
B. The withdrawal of a Participant from the Program shall not automatically terminate its
responsibility for its share of the expense and liabilities of the Program. The
contributions of current and past Participants are chargeable for their respective share
of unavoidable expenses and liabilities arising during the period of their participation.
V. Fiscal Provisions
A. Funding required from Participant shall be in the amount stated on the Cover Sheet of
this Agreement.
B. Payment Terms— Participant will be invoiced annually by CalMHSA, and Participant will
issue payment amount identified below within thirty (30) days of invoicing.
Payment for Year 1 will be due within thirty (30) days of execution of this Participation
Agreement. Payment for Years 2 and 3 will be invoiced on and due within thirty (30) days
of January 1 of the applicable fiscal period. See below.
Year   Applicable Fiscal Period   Amount
1      2/6/2024-12/31/2024        $355,000
2      1/1/2025-12/31/2025        $110,250
3      1/1/2026-12/31/2026        $115,763
C. In a Multi-County Program, Participants will share the costs of planning, administration,
and evaluation in the same proportions as their overall contributions, which are included
in the amount stated in Exhibit A, Program Description and Funding.
VI. Uptime and Support
A. CalMHSA provides email support Monday through Friday, 8:00 a.m. to 5:00 p.m. PST. For
any support questions please email: connex@calmhsa.org.
B. The services may occasionally become temporarily unavailable for maintenance purposes
or other reasons outside of CalMHSA's control. CalMHSA will make best efforts to
minimize any such unavailability.
VII. Disclaimer of Warranties
CALMHSA MAKES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE,
GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. THESE DISCLAIMERS WILL
APPLY EXCEPT TO THE EXTENT APPLICABLE LAW DOES NOT PERMIT THEM.
VIII. Limitation of Liability
THE AGGREGATE LIABILITY OF EACH PARTY FOR ALL CLAIMS UNDER THIS AGREEMENT IS LIMITED
TO DIRECT DAMAGES UP TO THE AMOUNT PAID UNDER THIS AGREEMENT FOR THE PROGRAM
DURING THE 12 MONTHS BEFORE THE CAUSE OF ACTION AROSE. NEITHER PARTY WILL BE LIABLE
FOR LOSS OF REVENUE OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR
EXEMPLARY DAMAGES, OR DAMAGES FOR LOST PROFITS, REVENUES, BUSINESS INTERRUPTION,
OR LOSS OF BUSINESS INFORMATION, EVEN IF THE PARTY KNEW THEY WERE POSSIBLE OR
REASONABLY FORESEEABLE.
Participation Agreement
EXHIBIT C—DATA SHARING AGREEMENT
1. PARTIES
This Data Sharing Agreement ("DSA") is made by and between the parties to the underlying Participation
Agreement (each individually a "Party" and collectively the "Parties") who are required to or elect to
exchange Protected Health Information ("PHI"), Personally Identifiable Information ("PII") or other data
in accordance with this Agreement, as defined below.
2. PURPOSE AND AUTHORITY
The privacy, security and integrity of PHI, PII and other data exchanged pursuant to this DSA and the
underlying Participation Agreement are essential. This DSA is intended to facilitate data exchange
between the Parties in compliance with all applicable federal, state, and local laws, regulations, and
policies. This DSA sets forth a common set of terms, conditions, and obligations to support secure real-
time access to, or exchange of, PHI, PII and other data between and among the Parties.
3. DEFINITIONS
A. "Agreement" shall mean this Data Sharing Agreement.
B. "Applicable Law" shall mean all federal, state, local, or tribal laws and regulations then in effect
and applicable to the subject matter herein. For the avoidance of doubt, federal government
entities are only subject to federal law.
C. "Authorization" shall have the meaning and include the requirements set forth at 45 CFR §
164.508 of the HIPAA Regulations and at Cal. Civ. Code § 56.05. The term shall include all
requirements for obtaining consent to disclose confidential substance abuse disorder treatment
records as set forth in 42 C.F.R. Part 2, when applicable, and shall include any additional
requirements under Applicable Law to disclose PHI or PII.
D. "Breach" shall mean the unauthorized acquisition, access, disclosure, or use of PHI, PII or other
data in a manner not permitted by the Agreement or Applicable Law.
E. "Business Associate" shall mean an organization that is defined as a "business associate" in 45
C.F.R. § 160.103 of the HIPAA Regulations.
F. "Confidential Participant Information" shall mean proprietary or confidential materials or
information of a Party in any medium or format that a Party labels as such upon disclosure or that,
given the nature of the information or the circumstances surrounding its disclosure, reasonably
should be considered confidential. Notwithstanding any label to the contrary, Confidential
Participant Information does not include any information which is or becomes known publicly
through no fault of the party to which such information is disclosed (a "Receiving Party"); is
learned of by a Receiving Party from a third party entitled to disclose it; is already known to a
Receiving Party before receipt from the disclosing Party as documented by the Receiving Party's
written records; or is independently developed by a Receiving Party without reference to, reliance
on, or use of the disclosing Party's Confidential Participant Information.
G. "Covered Entity" shall have the meaning set forth at 45 C.F.R. § 160.103 and shall also include the
following as these terms are defined in California Civil Code § 56.05: "provider of health care,"
"health care service plan," and "licensed health care professional."
H. "Effective Date" shall mean the date of execution of the underlying Participation Agreement.
I. "Governmental Participants" shall mean those Parties that are local (e.g., municipalities,
counties), state, tribal, or federal entities.
J. "Health Care Operations" for the purposes of this Agreement shall consist of the following
activities:
I. Quality Assessment and Improvement activities as described in subsection (1) of the
definition of health care operations set forth at 45 C.F.R. § 164.501.
II. Population-based activities relating to improving health or reducing health care costs,
protocol development, case management and care coordination and contacting of health
care providers and patients with information about treatment alternatives as set forth at
45 C.F.R. § 154.501.
K. "HIPAA Regulations" shall mean the standards for privacy of individually identifiable health
information, the security standards for the protection of electronic protected health information
and the breach notification rule (45 C.F.R. §§ 160 and 164) promulgated by the U.S. Department
of Health and Human Services under the Health Insurance Portability and Accountability Act
(HIPAA) of 1996, as in effect on the Effective Date and as may be amended, modified, or
renumbered.
L. "Individual User" shall mean the person who is the subject of PHI or PII.
M. "Payment" shall have the same meaning as set forth at 45 C.F.R. § 164.501 of the HIPAA
Regulations.
N. "Personally Identifiable Information" or "PII" shall have the same meaning as "Personal
Information" set forth in Section 1798.140(o) of the California Civil Code, but shall be limited to
PII exchanged pursuant to this Agreement.
O. "Personal Representative" shall refer to a person who, under Applicable Law, has authority to act
on behalf of an individual as set forth in 45 C.F.R. § 164.502(g).
P. "Protected Health Information" or "PHI" shall refer to "protected health information" as set forth
at 45 C.F.R. § 160.103 of the HIPAA Regulations and "medical information" as set forth at Civil
Code § 56.05.
Q. "Public Health Activities" shall mean an access, use or disclosure permitted under the HIPAA
Regulations and any other Applicable Law for public health activities and purposes, including an
access, use or disclosure permitted under 45 C.F.R. § 164.512(b) and 45 C.F.R. § 164.514(e). Public
Health Activities excludes the following oversight activities: audits; civil, administrative or criminal
investigations; inspections; licensure or disciplinary actions; and civil, administrative or criminal
proceedings or actions other than enforcement activities by a county health officer that are
authorized under Cal. Health & Safety Code § 101030.
R. "Health Information Exchange" or "HIE" shall mean a data exchange intermediary that facilitates
the exchange of patient information or other data.
S. "Recipient" shall mean a Party that receives PHI, PII or other data from a Submitter. For purposes
of illustration only, Recipients include, but are not limited to, Parties who receive queries,
responses, subscriptions, publications or unsolicited messages.
T. "Research" shall mean a systematic investigation, including research development, testing and
evaluation, designed to develop or contribute to generalizable knowledge.
U. "Sale of Information" shall mean the disclosure of PHI, PII and/or other data in return for direct
or indirect remuneration from or on behalf of the recipient of the Information. Sale of PHI, PII or
other data shall not include the disclosure of PHI, PII or other data for the activities set forth in 45
C.F.R. § 164.502(a)(5)(ii)(B)(2).
V. "Social Services" shall mean the delivery of items, resources, and/or services to address social
determinants of health and social drivers of health, including but not limited to housing, foster
care, nutrition, access to food, transportation, employment, and other social needs.
W. "Social Services Activities" shall mean the Social Services provided by Social Service Organizations.
X. "Social Services Organization" shall mean a person or entity whose primary business purpose is
to provide Social Services to individuals. Social Services Organizations can include but are not
limited to government entities (including multi-department health and human services agencies),
community-based organizations, nonprofits, and private entities.
Y. "Submitter" shall mean a Party that submits PHI, PII or other data to a Recipient.
Z. "System" shall mean software, portal, platform, or other electronic medium controlled by a Party
through which the Party conducts PHI, PII or other data exchange-related activities. For purposes
of this definition, it shall not matter whether the Party controls the software, portal, platform, or
medium through ownership, lease, license, or otherwise.
AA. "Treatment" shall have the same meaning as set forth at 45 C.F.R. § 164.501 of the HIPAA
Regulations.
4. USE OF PHI, PII AND OTHER DATA
A. REQUIRED PURPOSES. Subject to applicable law, the Parties are required to exchange PHI, PII and
other data and/or provide access to PHI, PII and other data pursuant to state and federal laws and
regulations for Treatment, Payment, Health Care Operations and Public Health Activities as those
terms are defined herein. Notwithstanding the foregoing, a Party may only disclose PHI, PII or
other data to another Party for Health Care Operations if each entity either has or had a
relationship with the Individual User who is the subject of the PHI, PII or data being requested and
the PHI, PII or data pertains to such relationship.
B. PERMITTED PURPOSES. The Parties are permitted to exchange or provide access to PHI, PII and
other data including information subject to 42 C.F.R. Part 2, for any purpose not set forth in
Section C below, provided appropriate Authorizations are made, if necessary, and the disclosure
or use of the PHI, PII or other data is permissible under Applicable Law.
C. PROHIBITED PURPOSES. Unless otherwise permitted by Applicable Law or a legally valid
agreement, the Parties shall not access PHI, PII or other data related to this Agreement or the
underlying Participation Agreement in order to sell such information. No Party shall access PHI,
PII or other data related to this Agreement or the underlying Participation Agreement in order to
unlawfully discriminate or unlawfully deny or limit access to medical services, or to prosecute or
take any other adverse action against an individual who accesses medical services.
5. AUTHORIZATIONS
To the extent required by Applicable Law, the Parties shall not disclose PHI, PII or other data to another
Party unless a legally valid Authorization has been obtained. For the avoidance of doubt, the Parties shall
not be required to obtain an Authorization prior to disclosing PHI, PII or other data pursuant to this
Agreement unless an Authorization is required under Applicable Law. Any disclosure of PHI, PII or other
data by a Submitter shall be deemed an express representation that the Submitter has complied with this
Section and unless the Recipient has actual knowledge to the contrary, the Recipient may reasonably and
justifiably rely upon such representation.
6. BREACH NOTIFICATION
A. OBLIGATIONS OF PARTIES.
I. As soon as reasonably practicable after discovering a Breach has occurred, and within any
timeframes prescribed by an applicable Business Associate Agreement or required by
Applicable Law, the discovering Party shall notify the Covered Entity and/or Party
impacted by the breach of any confirmed or reasonably suspected Breach.
II. As soon as reasonably practicable after discovering a Breach has occurred, and within any
timeframes prescribed by an applicable Business Associate Agreement or required by
Applicable Law, the discovering Party shall provide a written report of the Breach to the
Covered Entity and/or Party impacted by the Breach. The discovering Party shall
supplement the information contained in the written report as it becomes available and
shall cooperate with the Covered Entity and/or the Party impacted by the breach. The
written report should include sufficient information for the recipient of the notification
to understand the nature of the Breach. For instance, such written report should include,
to the extent available, the following information:
a. A brief description of what happened, including the date of the non-permitted
Use or Disclosure, Security Incident, or Breach and the date of Discovery of the
non-permitted Use or Disclosure, Security Incident, or Breach, if known;
b. The number of Individuals whose PHI, PII or other data is involved;
c. A description of the specific type of PHI, PII or other data involved in the non-
permitted Use or Disclosure, Security Incident, or Breach (such as whether full
name, social security number, date of birth, home address, account number,
diagnosis, disability code or other types of information were involved);
d. The identification of each Individual whose Unsecured PHI or PII has been, or is
reasonably believed by the discovering Party to have been, accessed, acquired,
Used, or Disclosed;
e. Any other information necessary to conduct an assessment of whether
notification to the Individual(s) is required by applicable law;
f. Any steps the discovering Party believes that the Individual(s) could take to
protect him or herself from potential harm from the non-permitted Use or
Disclosure, Security Incident, or Breach;
g. A brief description of what the discovering Party is doing to investigate, to
mitigate harm to the Individual(s), and to protect against any further similar
occurrences; and
h. The name and contact information for a person highly knowledgeable of the facts
and circumstances of the non-permitted Use or Disclosure of PHI, PII or other
data, Security Incident, or Breach.
III. Notwithstanding the above, if a Party is notified, in writing or by oral statement by any
law enforcement official or by any other governmental agency (e.g., Federal Trade
Commission), that a Breach notification would impede a criminal investigation or cause
damage to national security, and the statement has been documented consistent with 45
C.F.R. § 164.412(b), then the Party shall delay the Breach notification for the time period
specified by the law enforcement official and as required by Applicable Law.
IV. Where conflict exists between the terms of this DSA and an applicable Business Associate
Agreement, the Business Associate Agreement shall prevail.
7. PRIVACY AND SECURITY
A. GENERAL. The Parties agree to at all times fully comply with any applicable Business Associate
Agreement and all applicable law relating to this Agreement and the use of PHI, PII and other data
including, but not limited to, the HIPAA Regulations.
B. SAFEGUARDS. The Parties shall be responsible for maintaining a secure environment that
supports the exchange of PHI, PII and other data as set forth in this Agreement and applicable
law. Each Party, regardless of whether it, pursuant to federal law, is subject to the HIPAA
Regulations, shall use appropriate safeguards to prevent unauthorized use or disclosure of PHI,
PII and other data in a manner consistent with HIPAA Regulations, including implementing
appropriate administrative, physical, and technical safeguards that protect the confidentiality,
integrity, and availability of PHI, PII and other data.
C. PRIVACY STANDARDS AND SAFEGUARDS RELATED TO BEHAVIORAL HEALTH. In the event that a
Party uses, accesses, or discloses behavioral health information, the Party shall, prior to engaging
in any such activity, implement appropriate administrative, physical, and technical safeguards
that protect the confidentiality, integrity, and availability of such information in accordance with
Applicable Law, including but not limited to, 42 C.F.R. Part 2 and the California Lanterman-Petris-
Short Act.
D. TRAINING POLICIES AND PROCEDURES. Each Party shall, pursuant to this Agreement, an
applicable Business Associate Agreement, Applicable Law, or applicable federal and state
guidance, have written privacy and security policies relating to the use and disclosure of PHI, PII
and/or other data that are consistent with and satisfy the requirements set forth in the HIPAA
Regulations and Applicable Law. Before granting access to PHI or PII, each Party shall train staff,
contractors, agents, employees, and workforce members, as defined under the HIPAA
Regulations, who will have access to PHI or PII under this Agreement. Each Party shall also provide
refresher training consistent with each Party's internal privacy and security policies but no less
than annually.
8. MINIMUM NECESSARY
Any use or disclosure of PHI or PII pursuant to this Agreement or the underlying Participation Agreement
will be limited to the minimum PHI or PII necessary to achieve the purpose for which the information is
shared, except where limiting such use or disclosure to the minimum necessary (i) is not feasible, (ii) is
not required under the HIPAA Regulations (such as for Treatment) or any other Applicable Law, (iii) is a
disclosure to an Individual User or Individual User's Personal Representative, (iv) is a disclosure pursuant
to an Individual User's Authorization, or (v) is a disclosure required by Applicable Law.
9. INDIVIDUAL ACCESS
An Individual User or an Individual User's Personal Representative shall have the right to inspect, obtain
a copy of, and have bidirectional electronic access to PHI or PII about the Individual User to the extent
consistent with Applicable Law.
Prior to initiating Individual Access services, the Party shall be required to verify the identity of the
Individual User or the Individual User's Personal Representative using standards and methods consistent
with HIPAA regulations or other Applicable Law.
10. INDIVIDUAL USER OPT OUT
Nothing in this Agreement shall prohibit an Individual User or an Individual User's Personal Representative
from opting out of having the Individual User's PHI or PII exchanged pursuant to this Agreement.
11. REASONABLE AND GOOD FAITH COOPERATION
The Parties to this Agreement agree to cooperate in good faith to implement the provisions of this Agreement.
The Parties agree to provide such non-privileged information to the reasonably requested for purposes of
performing activities related to this Agreement and the underlying Participation Agreement. The Parties
agree to provide any requested information and assistance to the other Party in the investigation of
breaches and disputes, subject to the assisting Party's right to restrict or condition its cooperation or
disclosure of information in the interest of (A) preserving privileges in any foreseeable dispute or litigation
or (B) protecting its Confidential Participant Information. In no case shall a Party be required to disclose
PHI or PII in violation of Applicable Law.
12. COMPLIANCE WITH THIS AGREEMENT
Except to the extent prohibited by Applicable Law, each Party shall comply fully with all provisions of this
Agreement. To the extent that a Party delegates its duties under this Agreement to a third party (by
contract or otherwise) and such third party will have access to PHI, PII or other data pursuant to this
Agreement, that delegation shall be in writing and require the third party, prior to exchanging PHI, PII or
other data, to agree to the same restrictions and conditions that apply through this Agreement to the
Parties.
13. ACCURACY OF PHI, PII AND OTHER DATA
When acting as a Submitter, each Party represents that at the time of transmission, the PHI, PII and/or
other data it provides is an accurate representation of the data contained in, or available through, its
System and is (i) sent from a System that employs security controls that meet industry standards so that
the PHI, PII and/or other data being transmitted is intended to be free from malicious software, and (ii)
provided in a timely manner.
14. EXPRESS WARRANTY OF AUTHORITY TO EXCHANGE INFORMATION
To the extent each Party discloses PHI, PII or other data to the other Party, the disclosing Party represents
and warrants that it has sufficient authority to disclose such PHI, PII and/or other data.
15. THIRD-PARTY TECHNOLOGY
The Parties acknowledge that each Party may use technology solutions, applications, interfaces, software,
platforms, clearinghouses, and other IT resources to support exchange of PHI, PII and other data that may
be provided by third parties ("Third-Party Technology"). Each Party shall have agreements in place that
require Third-Party Technology vendors (i) to provide reliable, stable, and secure services to the Party and
(ii) to adhere to the same or similar privacy and security standards applicable to the Party pursuant to this
Agreement. However, each Party acknowledges that Third-Party Technology may be interrupted or not
available at times and that this could prevent a Party from transmitting PHI, PII or other data. The Parties
do not make any representations or warranties as to their Third-Party Technology.
16. TERM
This Agreement shall commence on the Effective Date of the underlying agreement and shall continue
until termination or expiration of the underlying agreement.
17. EFFECT OF TERMINATION
Upon any termination of this Agreement for any reason the Parties shall have no rights under this
Agreement to exchange data with each other. Termination of this Agreement shall not affect any rights
or obligations which by their terms should survive termination or expiration.
18. LIABILITY
Each Party shall be responsible for its acts and omissions and not for the acts or omissions of the other
Party. Notwithstanding any provision in this Agreement to the contrary, neither Party shall be liable for
any act or omission if a cause of action for such act or omission is otherwise prohibited by Applicable Law.
19. GOVERNING LAW
This Agreement shall be governed and enforced pursuant to the laws of the State of California, without
giving effect to its conflicts of laws provisions, except to the extent California law is preempted by any
provision of federal law.
20. ASSIGNMENT
Neither Party shall assign or transfer this Agreement, or any part thereof, without the express written
consent of the other Party, which shall not be unreasonably delayed or denied. Any assignment that does
not comply with the requirements of this Section shall be void and have no binding effect.
21. SURVIVAL
All Sections which by their nature are meant to survive this Agreement shall survive expiration or
termination of this Agreement.
22. WAIVER
No failure or delay by any Party in exercising its rights under this Agreement shall operate as a waiver of
such rights, and no waiver of any right shall constitute a waiver of any prior, concurrent, or subsequent
right.
23. THIRD-PARTY BENEFICIARIES
Nothing in this Agreement shall confer upon any person other than the parties and their respective
successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
24. FORCE MAJEURE
No Party shall be responsible for any delays or failures in performance caused by the occurrence of events
or other circumstances that are beyond its reasonable control after the exercise of commercially
reasonable efforts to either prevent or mitigate the effect of any such occurrence or event.