The URL can be used to link to this page

Home My WebLink AboutAgreement A-24-670 with Nationwide Retirement Solutions Inc..pdf I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Agreement No. 24-670 1 SERVICE AGREEMENT 2 This Service Agreement ("Agreement") is dated December 17, 2024 and is between 3 Nationwide Retirement Solutions, Inc., a Delaware corporation, whose address is 3 Nationwide 4 Plaza, Columbus, OH 43015 ("Contractor"), and the County of Fresno, a political subdivision of 5 the State of California ("County"). 6 Recitals 7 WHEREAS, County, pursuant to and in compliance with the Internal Revenue Code of 8 1986, as amended (hereinafter referred to as the "Code"), established and sponsors a Section 9 457(b) Plan and a Section 401(a) Plan (hereinafter the "Plans"); and 10 WHEREAS, County is an eligible employer under Code Section 457(e)(1)(A); and 11 WHEREAS, County requires administrative, recordkeeping, participant enrollment, 12 participant education, regulatory support, and custodial trustee services for the Plans, 13 participants in the Plans, and beneficiaries of participants in the Plans; and 14 WHEREAS, Department of Human Resources staff, with assistance from the Consultant 15 to the Plans, Northwest Capital Management, solicited bids for Administrative, Recordkeeping, 16 and Participant Education services from qualified vendors (RFP No. 24-045) and Contractor 17 submitted the most responsive bid; and 18 WHEREAS, This Agreement will provide Administrative, Recordkeeping, and Participant 19 Education services to the Plans, participants in the Plans, and beneficiaries of participants in the 20 Plans. 21 The parties therefore agree as follows: 22 Article 1 23 Contractor's Services 24 1.1 Scope of Services. The Contractor shall perform all of the services provided in 25 Exhibit A to this Agreement, titled "Scope of Services." 26 1.2 Representation. The Contractor represents that it is qualified, ready, willing, and 27 able to perform all of the services provided in this Agreement. 28 1 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 1 1.3 Compliance with Laws. The Contractor shall, at its own cost, comply with all 2 applicable federal, state, and local laws and regulations in the performance of its obligations 3 under this Agreement, including but not limited to workers compensation, labor, and 4 confidentiality laws and regulations. 5 Article 2 6 County's Responsibilities 7 2.1 County is responsible for timely providing all information that County and Contractor 8 mutually agree is necessary for Contractor to perform the Administrative Services under this 9 Agreement. County is responsible for ensuring that the provided information is accurate and 10 complete. Contractor is entitled to rely exclusively on the information provided by the County, 11 whether oral or in writing. 12 2.2 County acknowledges that inaccurate or late information could result in tax penalties, 13 Participant/beneficiary legal claims, or both. Contractor assumes no responsibility for, and will 14 not have any liability for, any consequences that result from Contractor's inability to complete its 15 work in the ordinary course of its business due to the failure of the County to provide accurate 16 and timely information to Contractor. 17 2.3 County agrees to send all Plan contribution information and related funds to 18 Contractor pursuant to the timing described in the County of Fresno 457(b) Deferred 19 Compensation Plan Document and the County of Fresno 401(a) Defined Contribution Plan 20 Document (hereinafter the "Plan Documents"). 21 (A) County may send funds by wire transfer, through an automated clearinghouse, or 22 by check in accordance with written instructions provided by Contractor. Failure to follow the 23 written instructions provided by Contractor may result in delay of posting to Participant 24 accounts. 25 (B) County will provide all contribution allocation information with respect to 26 Participant accounts to Contractor in a mutually agreed upon format. Contribution allocation 27 instructions include direction via electronic sources. If Contractor determines that the 28 contribution or allocation detail is not in good order ("NIGO"), Contractor will notify the County 2 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 1 on the same business day that Contractor makes this determination. After such notification, the 2 parties will continue to try to resolve the NIGO status. If the parties do not achieve resolution, 3 Contractor will return the funds to the County within thirty Business Days. Contractor will not be 4 liable for any delay in posting if the County fails to send the funds representing contribution 5 amounts or contribution allocation information in accordance with Contractor's instructions to the 6 central processing site designated by Contractor, or for any delay in posting which results from 7 the receipt of funds and/or contribution allocation that Contractor determines to be NIGO. 8 2.4 County is responsible for determining which employees are eligible to participate in 9 the Plans. 10 2.5 County agrees to be responsible for all maximum deferral limit testing for these 11 Plans. 12 2.6 County agrees to allow and facilitate the periodic distribution of materials to 13 Participants at the time and in the manner determined by the County; provided, however, that all 14 reasonable expenses associated with such distribution will be paid by Contractor. 15 Article 3 16 Compensation, Invoices, and Payments 17 3.1 The County agrees to pay, and the Contractor agrees to receive, compensation for 18 the performance of its services under this Agreement as described in Exhibit B to this 19 Agreement, titled "Compensation." County may demand repayment by the Contractor of any 20 monies disbursed to the Contractor under this Agreement that, in the County's sole judgment, 21 were not expended in compliance with this Agreement. The Contractor shall promptly refund all 22 such monies upon demand. This section survives the termination of this Agreement. 23 3.2 Maximum Compensation. There is no aggregate limit on the compensation that 24 Contractor may receive from employees who participate in the Plans and receive services from 25 Contractor as described in Exhibit A to this Agreement. The Contractor acknowledges that the 26 County is a local government entity, and does so with notice that the County's powers are 27 limited by the California Constitution and by State law, and with notice that the Contractor may 28 receive compensation under this Agreement only for services performed according to the terms 3 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 1 of this Agreement and while this Agreement is in effect. The Contractor further acknowledges 2 that County employees have no authority to pay the Contractor except as expressly provided in 3 this Agreement. 4 3.3 Invoices. Invoices are not required of the Contractor under this Agreement. 5 3.4 Payment. The County is not required to make payments to the Contractor under this 6 Agreement. Contractor shall be compensated as described in Exhibit B of this Agreement. 7 3.5 Incidental Expenses. The Contractor is solely responsible for all of its costs and 8 expenses that are not specified as payable by the County under this Agreement. 9 Article 4 10 Term of Agreement 11 4.1 Term. The term of this Agreement shall be for a period of five (5) years, commencing 12 on January 24, 2025, through and including January 23, 2030, except as provided in Article 6, 13 "Termination and Suspension," below. 14 4.2 Extension. The term of this Agreement may not be extended. 15 Article 5 16 Notices 17 5.1 Contact Information. The persons and their addresses having authority to give and 18 receive notices provided for or permitted under this Agreement include the following: 19 For the County: 20 Director of Human Resources County of Fresno 21 2220 Tulare Street, 1411 Floor Fresno, CA 93721 22 Email Address: .:nefits(a-)fresnocountyca.gov Fax: (559) 455-4787 23 24 For the Contractor: AVP, Operations— IRS 25 Lex Cousineau 3 Nationwide Plaza, 3-06-204 26 Columbus, OH 43215 Email Address: .cousineau(a-)nationwide.com 27 28 4 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 1 5.2 Change of Contact Information. Either party may change the information in section 2 5.1 by giving notice as provided in section 5.3. 3 5.3 Method of Delivery. Each notice between the County and the Contractor provided 4 for or permitted under this Agreement must be in writing, state that it is a notice provided under 5 this Agreement, and be delivered either by personal service, by first-class United States mail, by 6 an overnight commercial courier service, by telephonic facsimile transmission, or by Portable 7 Document Format (PDF) document attached to an email. 8 (A) A notice delivered by personal service is effective upon service to the recipient. 9 (B) A notice delivered by first-class United States mail is effective three County 10 business days after deposit in the United States mail, postage prepaid, addressed to the 11 recipient. 12 (C)A notice delivered by an overnight commercial courier service is effective one 13 County business day after deposit with the overnight commercial courier service, delivery fees 14 prepaid, with delivery instructions given for next day delivery, addressed to the recipient. 15 (D)A notice delivered by telephonic facsimile transmission or by PDF document 16 attached to an email is effective when transmission to the recipient is completed (but, if such 17 transmission is completed outside of County business hours, then such delivery is deemed to 18 be effective at the next beginning of a County business day), provided that the sender maintains 19 a machine record of the completed transmission. 20 5.4 Claims Presentation. For all claims arising from or related to this Agreement, 21 nothing in this Agreement establishes, waives, or modifies any claims presentation 22 requirements or procedures provided by law, including the Government Claims Act (Division 3.6 23 of Title 1 of the Government Code, beginning with section 810). 24 Article 6 25 Termination and Suspension 26 6.1 Termination for Non-Allocation of Funds. The terms of this Agreement are 27 contingent on the approval of funds by the appropriating government agency. If sufficient funds 28 5 I Docusign Envelope ID: E8655E65-F435-480E-911B-313F8E884C0135 1 are not allocated, then the County, upon at least 30 days' advance written notice to the 2 Contractor, may: 3 (A) Modify the services provided by the Contractor under this Agreement; or 4 (B) Terminate this Agreement. 5 6.2 Termination for Breach. 6 (A) Upon determining that a breach (as defined in paragraph (C) below) has 7 occurred, the County may give written notice of the breach to the Contractor. The written notice 8 may suspend performance under this Agreement, and must provide at least 30 days for the 9 Contractor to cure the breach. 10 (B) If the Contractor fails to cure the breach to the County's satisfaction within the 11 time stated in the written notice, the County may terminate this Agreement immediately. 12 (C) For purposes of this section, a breach occurs when, in the determination of the 13 County, the Contractor has: 14 (1) Obtained or used funds illegally or improperly; 15 (2) Failed to comply with any part of this Agreement; 16 (3) Submitted a substantially incorrect or incomplete report to the County; or 17 (4) Improperly performed any of its obligations under this Agreement. 18 6.3 Termination without Cause. In circumstances other than those set forth above, the 19 County may terminate this Agreement by giving at least 120 days advance written notice to the 20 Contractor. 21 6.4 No Penalty or Further Obligation. Any termination of this Agreement by the County 22 under this Article 6 is without penalty to or further obligation of the County. 23 6.5 County's Rights upon Termination. Upon termination for breach under this Article 24 6, the County may demand repayment by the Contractor of any monies disbursed to the 25 Contractor under this Agreement that, in the County's sole judgment, were not expended in 26 compliance with this Agreement. The Contractor shall promptly refund all such monies upon 27 demand. This section survives the termination of this Agreement. 28 6 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 1 Article 7 2 Independent Contractor 3 7.1 Status. In performing under this Agreement, the Contractor, including its officers, 4 agents, employees, and volunteers, is at all times acting and performing as an independent 5 contractor, in an independent capacity, and not as an officer, agent, servant, employee, joint 6 venturer, partner, or associate of the County. 7 7.2 Verifying Performance. The County has no right to control, supervise, or direct the 8 manner or method of the Contractor's performance under this Agreement, but the County may 9 verify that the Contractor is performing according to the terms of this Agreement. 10 7.3 Benefits. Because of its status as an independent contractor, the Contractor has no 11 right to employment rights or benefits available to County employees. The Contractor is solely 12 responsible for providing to its own employees all employee benefits required by law. The 13 Contractor shall save the County harmless from all matters relating to the payment of 14 Contractor's employees, including compliance with Social Security withholding and all related 15 regulations. 16 7.4 Services to Others. The parties acknowledge that, during the term of this 17 Agreement, the Contractor may provide services to others unrelated to the County. 18 Article 8 19 Indemnity and Defense 20 8.1 Indemnity. The Contractor shall indemnify and hold harmless and defend the 21 County (including its officers, agents, employees, and volunteers) against all claims, demands, 22 injuries, damages, costs, expenses (including attorney fees and costs), fines, penalties, and 23 liabilities of any kind to the County, the Contractor, or any third party that arise from or relate to 24 the performance or failure to perform by the Contractor (or any of its officers, agents, 25 subcontractors, or employees) under this Agreement. The County may conduct or participate in 26 its own defense without affecting the Contractor's obligation to indemnify and hold harmless or 27 defend the County. 28 8.2 Survival. This Article 8 survives the termination of this Agreement. 7 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 1 Article 9 2 Data Security and HIPAA 3 9.1 The Contractor shall be in strict conformance with the terms and conditions 4 described in Exhibit E, "Data Security", and Exhibit F, attached hereto and incorporated herein 5 by this reference. 6 Article 14 7 Insurance 8 10.1 The Contractor shall comply with all the insurance requirements in Exhibit D to this 9 Agreement. 10 Article 11 11 Inspections, Audits, and Public Records 12 11.1 Inspection of Documents. The Contractor shall make available to the County, and 13 the County may examine at any time during business hours and as often as the County deems 14 necessary, all of the Contractor's records and data with respect to the matters covered by this 15 Agreement, excluding attorney-client privileged communications. The Contractor shall, upon 16 request by the County (no more frequently than annually), permit the County to audit and 17 inspect all of such records and data to ensure the Contractor's compliance with the terms of this 18 Agreement. 19 11.2 State Audit Requirements. If the compensation to be paid by the County under this 20 Agreement exceeds $10,000, the Contractor is subject to the examination and audit of the 21 California State Auditor, as provided in Government Code section 8546.7, for a period of three 22 years after final payment under this Agreement. This section survives the termination of this 23 Agreement. 24 11.3 Public Records. The County is not limited in any manner with respect to its public 25 disclosure of this Agreement or any record or data that the Contractor may provide to the 26 County. The County's public disclosure of this Agreement or any record or data that the 27 Contractor may provide to the County may include but is not limited to the following: 28 8 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 1 (A) The County may voluntarily, or upon request by any member of the public or 2 governmental agency, disclose this Agreement to the public or such governmental agency. 3 (B) The County may voluntarily, or upon request by any member of the public or 4 governmental agency, disclose to the public or such governmental agency any record or data 5 that the Contractor may provide to the County, unless such disclosure is prohibited by court 6 order. 7 (C)This Agreement, and any record or data that the Contractor may provide to the 8 County, is subject to public disclosure under the Ralph M. Brown Act (California Government 9 Code, Title 5, Division 2, Part 1, Chapter 9, beginning with section 54950). 10 (D) This Agreement, and any record or data that the Contractor may provide to the 11 County, is subject to public disclosure as a public record under the California Public Records 12 Act (California Government Code, Title 1, Division 7, Chapter 3.5, beginning with section 6250) 13 ("CPRA"). 14 (E) This Agreement, and any record or data that the Contractor may provide to the 15 County, is subject to public disclosure as information concerning the conduct of the people's 16 business of the State of California under California Constitution, Article 1, section 3, subdivision 17 (b). 18 (F) Any marking of confidentiality or restricted access upon or otherwise made with 19 respect to any record or data that the Contractor may provide to the County shall be 20 disregarded and have no effect on the County's right or duty to disclose to the public or 21 governmental agency any such record or data. 22 11.4 Public Records Act Requests. If the County receives a written or oral request 23 under the CPRA to publicly disclose any record that is in the Contractor's possession or control, 24 and which the County has a right, under any provision of this Agreement or applicable law, to 25 possess or control, then the County may demand, in writing, that the Contractor deliver to the 26 County, for purposes of public disclosure, the requested records that may be in the possession 27 or control of the Contractor. Within five business days after the County's demand, the 28 Contractor shall (a) deliver to the County all of the requested records that are in the Contractor's 9 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 1 possession or control, together with a written statement that the Contractor, after conducting a 2 diligent search, has produced all requested records that are in the Contractor's possession or 3 control, or (b) provide to the County a written statement that the Contractor, after conducting a 4 diligent search, does not possess or control any of the requested records. The Contractor shall 5 cooperate with the County with respect to any County demand for such records. If the 6 Contractor wishes to assert that any specific record or data is exempt from disclosure under the 7 CPRA or other applicable law, it must deliver the record or data to the County and assert the 8 exemption by citation to specific legal authority within the written statement that it provides to 9 the County under this section. The Contractor's assertion of any exemption from disclosure is 10 not binding on the County, but the County will give at least 10 days' advance written notice to 11 the Contractor before disclosing any record subject to the Contractor's assertion of exemption 12 from disclosure. The Contractor shall indemnify the County for any court-ordered award of costs 13 or attorney's fees under the CPRA that results from the Contractor's delay, claim of exemption, 14 failure to produce any such records, or failure to cooperate with the County with respect to any 15 County demand for any such records. 16 Article 12 17 Disclosure of Self-Dealing Transactions 18 12.1 Applicability. This Article 12 applies if the Contractor is operating as a corporation, 19 or changes its status to operate as a corporation. 20 12.2 Duty to Disclose. If any member of the Contractor's board of directors is party to a 21 self-dealing transaction, he or she shall disclose the transaction by completing and signing a 22 "Self-Dealing Transaction Disclosure Form" (Exhibit C to this Agreement) and submitting it to 23 the County before commencing the transaction or immediately after. 24 12.3 Definition. "Self-dealing transaction" means a transaction to which the Contractor is 25 a party and in which one or more of its directors, as an individual, has a material financial 26 interest. 27 28 10 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 1 Article 13 2 General Terms 3 13.1 Modification. Except as provided in Article 6, "Termination and Suspension," this 4 Agreement may not be modified, and no waiver is effective, except by written agreement signed 5 by both parties. The Contractor acknowledges that County employees have no authority to 6 modify this Agreement except as expressly provided in this Agreement. 7 13.2 Non-Assignment. Neither party may assign its rights or delegate its obligations 8 under this Agreement without the prior written consent of the other party. 9 13.3 Governing Law. The laws of the State of California govern all matters arising from 10 or related to this Agreement. 11 13.4 Jurisdiction and Venue. This Agreement is signed and performed in Fresno 12 County, California. Contractor consents to California jurisdiction for actions arising from or 13 related to this Agreement, and, subject to the Government Claims Act, all such actions must be 14 brought and maintained in Fresno County. 15 13.5 Construction. The final form of this Agreement is the result of the parties' combined 16 efforts. If anything in this Agreement is found by a court of competent jurisdiction to be 17 ambiguous, that ambiguity shall not be resolved by construing the terms of this Agreement 18 against either party. 19 13.6 Days. Unless otherwise specified, "days" means calendar days. 20 13.7 Headings. The headings and section titles in this Agreement are for convenience 21 only and are not part of this Agreement. 22 13.8 Severability. If anything in this Agreement is found by a court of competent 23 jurisdiction to be unlawful or otherwise unenforceable, the balance of this Agreement remains in 24 effect, and the parties shall make best efforts to replace the unlawful or unenforceable part of 25 this Agreement with lawful and enforceable terms intended to accomplish the parties' original 26 intent. 27 13.9 Nondiscrimination. During the performance of this Agreement, the Contractor shall 28 not unlawfully discriminate against any employee or applicant for employment, or recipient of 11 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 1 services, because of race, religious creed, color, national origin, ancestry, physical disability, 2 mental disability, medical condition, genetic information, marital status, sex, gender, gender 3 identity, gender expression, age, sexual orientation, military status or veteran status pursuant to 4 all applicable State of California and federal statutes and regulation. 5 13.10 No Waiver. Payment, waiver, or discharge by the County of any liability or obligation 6 of the Contractor under this Agreement on any one or more occasions is not a waiver of 7 performance of any continuing or other obligation of the Contractor and does not prohibit 8 enforcement by the County of any obligation on any other occasion. 9 13.11 Entire Agreement. This Agreement, including its exhibits, is the entire agreement 10 between the Contractor and the County with respect to the subject matter of this Agreement, 11 and it supersedes all previous negotiations, proposals, commitments, writings, advertisements, 12 publications, and understandings of any nature unless those things are expressly included in 13 this Agreement. If there is any inconsistency between the terms of this Agreement without its 14 exhibits and the terms of the exhibits, then the inconsistency will be resolved by giving 15 precedence first to the terms of this Agreement without its exhibits, and then to the terms of the 16 exhibits. 17 13.12 No Third-Party Beneficiaries. This Agreement does not and is not intended to 18 create any rights or obligations for any person or entity except for the parties. 19 13.13 Authorized Signature. The Contractor represents and warrants to the County that: 20 (A) The Contractor is duly authorized and empowered to sign and perform its 21 obligations under this Agreement. 22 (B) The individual signing this Agreement on behalf of the Contractor is duly 23 authorized to do so and his or her signature on this Agreement legally binds the Contractor to 24 the terms of this Agreement. 25 13.14 Electronic Signatures. The parties agree that this Agreement may be executed by 26 electronic signature as provided in this section. 27 (A) An "electronic signature" means any symbol or process intended by an individual 28 signing this Agreement to represent their signature, including but not limited to (1) a digital 12 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 1 signature; (2) a faxed version of an original handwritten signature; or (3) an electronically 2 scanned and transmitted (for example by PDF document) version of an original handwritten 3 signature. 4 (B) Each electronic signature affixed or attached to this Agreement (1) is deemed 5 equivalent to a valid original handwritten signature of the person signing this Agreement for all 6 purposes, including but not limited to evidentiary proof in any administrative or judicial 7 proceeding, and (2) has the same force and effect as the valid original handwritten signature of 8 that person. 9 (C)The provisions of this section satisfy the requirements of Civil Code section 10 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, Part 2, 11 Title 2.5, beginning with section 1633.1). 12 (D) Each party using a digital signature represents that it has undertaken and 13 satisfied the requirements of Government Code section 16.5, subdivision (a), paragraphs (1) 14 through (5), and agrees that each other party may rely upon that representation. 15 (E) This Agreement is not conditioned upon the parties conducting the transactions 16 under it by electronic means and either party may sign this Agreement with an original 17 handwritten signature. 18 13.15 Counterparts. This Agreement may be signed in counterparts, each of which is an 19 original, and all of which together constitute this Agreement. 20 [SIGNATURE PAGE FOLLOWS] 21 22 23 24 25 26 27 28 13 ii Docusign Envelope ID.E8655E65-F435-48OF-911 B-313HE884COB5 1 The parties are signing this Agreement on the date stated in the introductory clause. 2 Nationwide Retirement Solutions, Inc. COUNTY OF FRESNO 3 4FDocu5igned by: 6, i 1 (1/+SIIAAA1t11�A IIA 5 Lex Cousineau, M, Operations— RS Nathan Magsig, Chairman of the Board of 3 Nationwide Plaza, Columbus, OH 43215 Supervisors of the County of Fresno 6 Attest: 7 Bernice E. Seidel Clerk of the Board of Supervisors 8 County of Fresno, State of California 9 By: _ 10 Deputy 11 For accounting use only: 12 Org No.: 89250200 Account No.: 7295 13 Fund No.: 1060 Subclass No.: 10000 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 14 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit A 1 Scope of Services 2 Contractor shall provide Administrative Services as described in the County's Request 3 for Proposal No. 24-045, including Addendum Number One (1), cumulatively referred to as 4 "County's RFP 24-045," and the Contractor's Proposal in response thereto, both attached 5 hereto as Attachment A and incorporated herein by reference. Such services include but are not 6 limited to: 7 A.1 Participant Enrollment 8 a. Contractor agrees to process the enrollment of employees eligible to 9 participate in the Plans within 48 hours of receipt of an enrollment that is in good order (as 10 defined in Paragraph A.3, below). Contractor shall report such enrollment to the County in on a 11 schedule that is consistent with the County's payroll schedule. All enrollments shall be included 12 in the soonest possible report to the County. For the purposes of this Exhibit A, enrollments also 13 include any changes to existing enrollment elections. 14 b. The County agrees to allow and facilitate the periodic distribution of 15 materials to Participants at the time and in the manner determined by the County; provided, 16 however, that all reasonable expenses associated with such distribution will be paid by 17 Contractor. 18 A.2 Participant Plan Accounts and Account Access 19 a. Contractor agrees to establish an account for each enrolled participant, 20 beneficiary, and alternate payee of the Plans (for purposes of this Agreement only, hereinafter 21 referred to as "participants"). 22 b. For each such account, Contractor will record and maintain the following 23 information, provided Contractor is provided with same: 24 i. name. 25 ii. Social Security number; 26 iii. mailing address; 27 iv. date of birth; 28 V. current investment allocation direction; A-1 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit A 1 vi. contributions allocated and invested; 2 vii. investment transfers; 3 viii. benefit payments; 4 ix. current account balance; 5 X. transaction history since funding under the Agreement; 6 A. contributions since funding under the Agreement; 7 Ai. email address; 8 xiii. beneficiary designation; 9 xiv. benefit tax withholding information; and 10 xv. such other information as agreed upon by County and Contractor. 11 C. Participants will have the unlimited ability to increase (within the 12 limitations of Code Section 457(b)) or decrease contributions to the 457(b) Plan. Contractor will 13 process all requests to increase or decrease contribution amounts within five Business Days 14 (The term "Business Day" means each Monday through Friday during the hours the New York 15 Stock Exchange is open for business. No transactions can be completed on any Business Day 16 after such time as the New York Stock Exchange closes.) of receipt of the request, but the 17 request cannot be effective until the earliest date permissible under the Code or, if later, the 18 date the contribution change can be processed by the County given County's payroll processing 19 schedule. 20 d. Participants will have the ability to exchange existing account balances, in 21 full or in part, and to redirect future contributions from one available investment option to 22 another on any Business Day subject to Contractor's policies and any applicable restrictions or 23 penalties applied by the investment options. 24 e. Contractor will provide reports to the County within thirty days following 25 the end of each calendar quarter reporting period summarizing the following: 26 i. All Participant activity that transpired during the reporting period; 27 ii. Total contributions allocated to each investment or insurance 28 option under the Plan; and A-2 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit A 1 iii. Total withdrawals by Participant. This report shall include the 2 amount, type and date of withdrawal. 3 f. Contractor will maintain, for a reasonable amount of time and at least the 4 amount of time required by law and applicable regulations, the records necessary to produce 5 any required reports. County agrees that all related paper and electronic records remains the 6 property of the County. County hereby grants Contractor a free limited license to use any 7 reports to satisfy applicable regulatory requirements. 8 g. Contractor agrees to maintain all Personally Identifiable Information (PII) 9 obtained from or related to all Plan participants as confidential. County and Contractor agree 10 that Contractor, its officers, employees, brokers, registered representatives, affiliates, vendors 11 and professional advisors (such as attorneys, accountants and actuaries) may use and disclose 12 Plan and participant information only to enable or assist it in the performance of its duties 13 hereunder and with other Plan-related activities, and County expressly authorizes Contractor to 14 disclose Plan and participant information to its agents and/or broker of record on file with 15 Contractor. Notwithstanding anything to the contrary contained herein, it is expressly 16 understood that Contractor retains the right to use any and all information in its possession in 17 connection with its defense and/or prosecution of any litigation which may arise in connection 18 with this Agreement, the investment arrangement funding the Plan, or the Plan, or in response 19 to any applicable regulatory sweep, inquiry, exam or investigation, or legally issued subpoena; 20 provided, however, in no event will Contractor release any information to any person or entity 21 except as permitted by applicable law. 22 A.3 Plan Contributions 23 a. Contractor will allocate contribution amounts transmitted by County to 24 Participant accounts in accordance with the latest instructions from Participants or the County 25 (as applicable) on file with Contractor, when such instructions are in good order. 26 b. Contractor agrees to post funds received in good order (as defined below) 27 from County in accordance with the separate funding arrangements between County and 28 Contractor or any of its affiliates. A-3 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit A 1 C. The term "in good order" means the receipt of required information by 2 Contractor, in a form deemed reasonably acceptable to Contractor, with respect to the 3 processing of a request or the completion of a task by Contractor that reasonably requires 4 information from a third party. More specifically, Plan contributions and contribution allocation 5 information must meet all of the following requirements in order to be deemed to be in good 6 order: 7 i. All records must include the correct and complete Participant 8 name, Social Security number (or other unique identifier), and the amount to be credited to the 9 participant's account(s); 10 ii. The source of funds must be identified (e.g., 457(b) salary 11 reduction, employer contribution); 12 iii. The Plan name and Plan number must be clearly identified; 13 iv. Both the Participant allocation detail and the total contribution 14 amount must be received, and these two totals must match each other; and 15 V. All Participants making or receiving a contribution must be 16 enrolled in the Plan and have an account established on the recordkeeping system. 17 A.4 Distributions 18 a. Contractor shall make all distributions in accordance with the Plan 19 documents. 20 b. Except as provided in subsection d, below, Contractor shall make all 21 distributions as directed by a Participant or the County. Participants are responsible for selecting 22 a form of payment from those available under the terms of the Plan and making all other 23 elections regarding available distribution options. 24 C. All distributions will be made pro-rata from each of the Participant's 25 investment options and money sources unless directed otherwise by the participant. 26 d. Contractor will provide notice and a distribution form to each Participant 27 attaining age 73 (or such other age as determined by current law) or older in the current 28 calendar year. The notice will inform the Participant that required minimum distributions A-4 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit A 1 ("RMD") must begin no later than the April 1 of the calendar year following the later of 2 attainment of age 73 (or such other age as determined by current law) or retirement (subject to 3 the terms of the Plan). Contractor will automatically distribute the RMD to the Participant if no 4 direction is received from the Participant. 5 A.5 Unforeseeable Emergency Withdrawals 6 The County instructs Contractor to process all unforeseeable emergency 7 withdrawal requests received in a manner satisfactory to Contractor and in compliance with 8 Section 457(b) of the Code and regulations section 1.457-6(c). and Revenue Ruling 2010-27 9 including any applicable subsequent guidance the Internal Revenue Service may provide. 10 Withdrawals will only be permitted due to an unforeseeable emergency resulting in a severe 11 financial hardship to the participant or beneficiary that cannot be alleviated by any other means 12 available to the participant, in accordance with Contractor's standard unforeseeable emergency 13 procedures. County hereby approves the use of such standard unforeseeable emergency 14 procedures to make these determinations. 15 A.6 Qualified Domestic Relations Orders 16 The County directs Contractor to process Qualified Domestic Relations Orders 17 (hereinafter"QDROs") in accordance with the County's QDRO policy, upon direction given by 18 the County's review and approval of such QDROs. The County may assess a fee for such 19 review at the direction and determination of the County to offset any legal fees associated with 20 QDRO review. This fee shall be taken from participant and alternate payee account balances, 21 pursuant to the County's QDRO policies and procedures. 22 A.7 Tax Reporting 23 a. For each Participant that has received a benefit payment, Contractor shall 24 furnish tax reporting forms. The forms will be provided in the manner and time prescribed by 25 federal and state law. 26 b. To the extent required by federal and state law, Contractor will calculate 27 and withhold from each benefit payment federal and state income taxes. Contractor will report 28 such withholding to the federal and state governments as required by applicable law. A-5 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit A 1 A.8 Unclaimed Property 2 Contractor shall administer Participant and beneficiary unclaimed property funds, 3 including but not limited to uncashed distribution checks and death claims, in accordance with 4 the County Plan Documents. 5 A.9 Participant Statements 6 a. Participants will receive consolidated quarterly statements detailing their 7 account activity and account balances for the Plan. 8 b. Contractor agrees to deliver account statements (by U.S. mail or 9 electronically) to Participants within thirty calendar days after the end of each calendar quarter. 10 This timeframe is contingent upon Contractor receiving fund returns from the mutual fund 11 providers within four Business Days after the end of each quarter. 12 A.10 Customer Service 13 a. Contractor's customer service representatives will be available toll-free to 14 answer Participant questions and process applicable transactions between the hours of 8:00 15 a.m. and 11:00 p.m. Eastern Time each Monday through Friday, and between the hours of 16 9:00 a.m. and 6:00 p.m. Eastern Time each Saturday, except for certain holidays as dictated by 17 the New York Stock Exchange holiday trading schedule. 18 b. Contractor will provide a full-time retirement specialist to the Plans. The 19 retirement specialist shall — 20 i. Conduct group meetings with newly hired County employees 21 regarding the benefit of the Plans during biweekly new employee onboarding and/or as 22 determined by the County. 23 ii. [INSERT ADDITIONAL DUTIES HERE]. 24 A.11 Website 25 a. Contractor will create and maintain a secure Internet website for and on 26 behalf of the County for the use of its participants. The website shall comply with applicable data 27 protection and privacy laws. This website shall include multi-factor authentication, information 28 encryption using Secure Sockets Layer, and a secure firewall. Contractor shall apply encryption A-6 I Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit A 1 methodology that conforms to the NIST approved algorithms, key lengths, and related 2 standards. Participants may access the website via the internet at ✓vww.Fresno457.com to 3 review and make changes to their accounts. The www.F-resno457.com URL is the exclusive 4 property of County. The website is available twenty-four (24) hours a day, except for routine 5 maintenance of the system. 6 b. Using this website, Participants may: (i) obtain information regarding their 7 accounts, and (ii) conduct certain routine transactions with respect to their accounts. The 8 County authorizes Contractor to honor instructions regarding such transactions that a 9 Participant submits using the secure Internet website. Contractor shall implement reasonable 10 physical and technical safeguards to protect personal information made available on its Internet 11 website. Such safeguards shall be no less rigorous than generally accepted industry practices. 12 C. The website is available twenty-four hours a day, except for routine 13 maintenance of the system. 14 d. The Participant website experience will include access to an education 15 library offering investment education. Content is delivered via multiple formats which can include 16 short videos, print materials, and workshop modules. 17 A.12 Interactive Voice Response System 18 a. Contractor will provide an interactive voice response (IVR) toll free 19 telephone number, which shall be operative twenty-four hours per day, seven days per week, 20 except for routine maintenance of the system. 21 b. Participants will be able to conduct routine Plan transactions and obtain 22 account balance information through the IVR. 23 C. The County authorizes Contractor to honor Participant instructions, which 24 may be submitted using the toll-free number, either through the IVR or a live representative. 25 A.13 Participant Engagement Program 26 a. Contractor will provide a personalized communication program 27 (Participant Engagement Program or"PEP") designed to engage Participants in retirement 28 A-7 I Docusign Envelope ID: E8655E65-F435-480E-91113-313F8E884COB5 Exhibit A 1 planning and motivate them to take action to improve their financial future. The program may 2 include delivery methods such as email, digital targeting, social targeting, and Direct Mail. 3 b. Use of Third-Party Marketing Firm: County understands that Contractor 4 may use a third-party marketing firm to provide the PEP, that the use of a third-party marketing 5 firm may be essential to provide the PEP due to its personalized features, and that such a 6 program cannot be offered without such use. Contractor shares Participant data with the 7 marketing firm to allow it to target the appropriate retirement plan messages to each Participant 8 based on the Participant's individual characteristics, demographics, and behaviors while 9 considering the Participant's preferences for accessing information, electronically or otherwise, 10 for more impactful delivery. 11 C. Sharing of Participant Data: To facilitate the personalized communication 12 program, County approves the sharing of data with a third-party marketing firm. Participant data 13 will only be shared with the third-party marketing firm for Plan-related purposes. Only third-party 14 marketing firms that comply with all applicable state and federal privacy laws, including the 15 relevant provisions of the Gramm-Leach-Bliley Act, will be utilized. All Participant data will be 16 secured and protected at all times to avoid unauthorized access, and the third-party marketing 17 firm must agree to abide by all current applicable legal and industry-standard data security and 18 privacy requirements. 19 20 21 22 23 24 25 26 27 28 A-8 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit B 1 Compensation 2 The Contractor will be compensated for performance of its services under this 3 Agreement as provided in this Exhibit B. The Contractor is not entitled to any compensation 4 except as expressly provided in this Exhibit B. 5 B.1 As compensation for the performance of the Administrative Services provided by 6 Contractor pursuant to this Agreement, the County and Contractor agree that Contractor shall 7 be entitled to receive an annualized compensation requirement of 0.08% (8 basis points) of the 8 Plan's account value held by Contractor ("Compensation Requirement") to be calculated and 9 collected according to Contractor's standard business practices. Contractor's Compensation 10 Requirement will be calculated and assessed monthly based on the market value of total Plan 11 assets held by Contractor as of the last Business Day of each month. The Compensation 12 Requirement will be calculated and assessed as follows: Compensation Requirement x Total 13 Plan Assets on Last Business Day of Month x (number of calendar days since the last fee was 14 assessed) / (number of days in the calendar year) at market close. Contractor's Compensation 15 Requirement will be taken in the form of an explicit asset management charge applied against 16 all Plan assets under management, including Plan balances held in the Self-Directed Brokerage 17 Account ("SDBA"), and excluding outstanding participant loan balances. 18 B.2 The County acknowledges that Contractor and its affiliates receive payments in 19 connection with the sale and servicing of investments allocated to participant Plan account 20 ("Investment Option Payments"). The Investment Option Payments include mutual fund service 21 fee payments as described in detail at www.Fresno457.com, and other payments received from 22 investment option providers. The County directs Contractor to credit all Investment Option 23 Payments to participant accounts on a quarterly basis. The Investment Option Payments shall 24 be credited to participant accounts on a pro-rata basis based on each participant's total assets 25 held in all Plan investment options that generated the Investment Option Payments. 26 B.3 County directs Contractor to assess and collect an additional asset management 27 charge, as determined by the Deferred Compensation Management Council, to be applied 28 against all Plan assets under management, excluding participant loan balances, to be remitted B-1 I Docusign Envelope ID: E8655E65-F435-48OF-911 B-3BF8E884COB5 Exhibit B 1 to and used by the County for reasonable and necessary Plan related expenses. This additional 2 asset management charge will be calculated and collected from participant accounts according 3 to Contractor's standard business practices as described in Paragraph B.1, above. This Plan 4 expense charge will be in addition to Contractor's Compensation Requirement described in 5 Paragraph B.1, above. County will provide Contractor with direction in writing as to the amount 6 of this additional asset management charge. 7 BA The County directs Contractor to establish and maintain a separate account (the 8 "Plan Expense Account") to which the asset management charge referred to in Paragraphs B.1 9 and B.2 of this Exhibit B will be credited. The Plan Expense Account will be funded on a monthly 10 basis. The County will select a single investment vehicle to be used for the Plan Expense 11 Account, which cannot be an investment vehicle included in the participant investment option 12 lineup. The County will direct Contractor, in writing, to pay reasonable and necessary Plan 13 expenses directly to the County or to a Plan service provider. 14 a. When each invoice is submitted to Contractor for payment, the County 15 shall certify in writing that the expenses represented by the invoice are reasonable and 16 necessary Plan expenses. As the fiduciary of the Plan, the County is solely responsible for 17 making determinations with respect to the appropriateness of all expenses of the Plan and how 18 the Plan Expense Account is managed. 19 b. The account balance, account transactions and investment experience of 20 the Plan Expense Account will be reported to the County no later than thirty (30) Business Days 21 after the end of each calendar quarter. 22 C. At the direction of County, any balance in the Plan Expense Account that 23 has not been applied to pay for reasonable and necessary Plan expenses can be allocated to 24 participant accounts on a pro-rata basis based on their total account balance on an annual basis 25 to be mutually determined by the County in accordance with Contractor's administrative 26 capabilities. 27 B.5 Contractor will provide the County with a quarterly Compensation Requirement 28 report within thirty (30) Business Days after the end of each quarter. B-2 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit B 1 B.6 Contractor will return the fees described in Paragraph B.1, above, if they fail to 2 meet the performance standards in this Paragraph B.6. Such fees shall be credited directly to 3 the Plan Expense Account. 4 Activity Performance Standard Amount at Risk 5 CONTRACTOR will increase participation rate 15% over the duration of the contract term. $5,000, payable 6 Participant Rate Increase Participation rate of 66.17% as of May 12, 2024, at the end of the 7 will determine the beginning rate, with a final rate contract term of 76.09% at the end of the contract term. $ Contribution CONTRACTOR will reconcile contributions within $1,700 per 9 Reconciliation three (3) business days from receipt of deposit if annum if less received in good order than 99% 10 Contribution CONTRACTOR will post contributions within $2,500 per 11 Posting three (3) business days from receipt of deposit if annum if less received in good order than 99% 12 Annual Enrollment 500 or 50% of all newly hired employees in most $2,500 per 13 Commitments recent 12 months whichever is less annum Hardship CONTRACTOR will process hardship $2,500 per 14 Withdrawals withdrawals within three (3) business days from annum if less 15 receipt of request if received in good order than 99% CONTRACTOR will process loan requests within $2,500 per 16 Loans three (3) business days from receipt of request if annum if less 17 received in good order than 99% CONTRACTOR will process distribution requests $2,500 per 18 Distributions within three (3) business days from receipt of annum if less 19 request if received in good order than 99% Investment Fund CONTRACTOR will process investment fund $1,700 per 20 Transfers transfers the same day if received before the annum if less 21 close of the NYSE if received in good order than 99% CONTRACTOR will process and invest rollovers $2,500 per 22 Rollovers into Plan into the Plan within five (5) business days from annum if less 23 receipt of deposit if received in good order than 99% 24 Participant CONTRACTOR will mail statements to $1,700 per participants within twenty (20) calendar days after Statements annum 25 the end of each quarter 26 Average Wait Time CONTRACTOR agrees to an average wait time $1,700 per for Call Center of forty (40) seconds annum if less 27 than 99% 28 Webinars 20 webinars per year/4 per quarter $3,200 per annum B-3 I Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit B 1 2 B.7 To the extent offered under the Plan, in addition to the above-described fees, 3 Contractor shall also receive fees with respect to a participant's use of participant loan 4 administration, the Self-Directed Brokerage Account ("SDBA"), and managed account services 5 as follows: 6 a. Loans—All participant loan fees are governed by Contractor's Plan Loan 7 Procedures document, as approved by the Deferred Compensation Management Council. 8 b. Self-Directed Brokerage Account —The Plan offers an SDBA investment 9 option for qualifying participants in the Plan. Initial and annual administrative fees may be 10 charged as outlined in the separate fee agreement for the SDBA that will be provided to each 11 Participant by Contractor. 12 C. Managed account services — Managed account services are offered by 13 Morningstar or Nationwide Investment Advisors ("NIA"), an affiliate of Contractor, and the Plan 14 Sponsor must execute a separate agreement with Morningstar or NIA if the Plan Sponsor wants 15 to add managed account services to the Plan. Only participants who choose to utilize the 16 managed account service are assessed fees. Such fees are authorized in a separate 17 agreement between the participant and Morningstar or NIA and are assessed pursuant to the 18 terms and conditions of such agreement. 19 20 21 22 23 24 25 26 27 28 B-4 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit C Self-Dealing Transaction Disclosure Form In order to conduct business with the County of Fresno ("County"), members of a contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County. A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest." The definition above will be used for purposes of completing this disclosure form. Instructions (1) Enter board member's name, job title (if applicable), and date this disclosure is being made. (2) Enter the board member's company/agency name and address. (3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following: a. The name of the agency/company with which the corporation has the transaction; and b. The nature of the material financial interest in the Corporation's transaction that the board member has. (4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code. The form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4). C-1 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit C (1) Company Board Member Information: Name: Date: Job Title: (2) Company/Agency Name and Address: (3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to) (4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code § 5233 (a) (5) Authorized Signature Signature: Date: C-2 Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit D Insurance Requirements 1. Required Policies Without limiting the County's right to obtain indemnification from the Contractor or any third parties, Contractor, at its sole expense, shall maintain in full force and effect the following insurance policies throughout the term of this Agreement. (A) Commercial General Liability. Commercial general liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis. Coverage must include products, completed operations, property damage, bodily injury, personal injury, and advertising injury. The Contractor shall obtain an endorsement to this policy naming the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, as additional insureds, but only insofar as the operations under this Agreement are concerned. Such coverage for additional insureds will apply as primary insurance and any other insurance, or self-insurance, maintained by the County is excess only and not contributing with insurance provided under the Contractor's policy. (B) Automobile Liability. Automobile liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages. Coverage must include any auto used in connection with this Agreement. (C)Workers Compensation. Workers compensation insurance as required by the laws of the State of California with statutory limits. (D) Employer's Liability. Employer's liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease. (E) Professional Liability. Professional liability insurance with limits of not less than One Million Dollars ($1,000,000) per occurrence and an annual aggregate of Three Million Dollars ($3,000,000). If this is a claims-made policy, then (1)the retroactive date must be prior to the date on which services began under this Agreement; (2) the Contractor shall maintain the policy and provide to the County annual evidence of insurance for not less than five years after completion of services under this Agreement; and (3) if the policy is canceled or not renewed, and not replaced with another claims-made policy with a retroactive date prior to the date on which services begin under this Agreement, then the Contractor shall purchase extended reporting coverage on its claims-made policy for a minimum of five years after completion of services under this Agreement. (F) Technology Professional Liability (Errors and Omissions). Technology professional liability (errors and omissions) insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence and in the aggregate. Coverage must encompass all of the Contractor's obligations under this Agreement, including but not limited to claims involving Cyber Risks. (G)Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars ($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The cyber liability policy must be endorsed to cover the full replacement value of damage to, D-1 Docusign Envelope ID: E8655E65-F435-480E-911B-313F8E884C0135 Exhibit D alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security Breach, which may include Disclosure of Personal Information to an Unauthorized Third Party; (ii) data breach; (iii) breach of any of the Contractor's obligations under Exhibit E of this Agreement; (iv) system failure; (v) data recovery; (vi) failure to timely disclose data breach or Security Breach; (vii) failure to comply with privacy policy; (viii) payment card liabilities and costs; (ix) infringement of intellectual property, including but not limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy, including release of private information; (xi) information theft; (xii) damage to or destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; (xv) fraudulent instruction; (xvi) funds transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response costs, including Security Breach response costs; (xx) regulatory fines and penalties related to the Contractor's obligations under this Agreement regarding electronic information, including Personal Information; and (xxi) credit monitoring expenses. 2. Additional Requirements (A) Verification of Coverage. Within 30 days after the Contractor signs this Agreement, and at any time during the term of this Agreement as requested by the County's Risk Manager or the County Administrative Office, the Contractor shall deliver, or cause its broker or producer to deliver, to the County Risk Manager, at 2220 Tulare Street, 16th Floor, Fresno, California 93721, or HRRiskManagement@fresnocountyca.gov, and by mail or email to the person identified to receive notices under this Agreement, certificates of insurance and endorsements for all of the coverages required under this Agreement. (i) Each insurance certificate must state that: (1) the insurance coverage has been obtained and is in full force; (2) the County, its officers, agents, employees, and volunteers are not responsible for any premiums on the policy; and (3) the Contractor has waived its right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under any insurance policy required by this Agreement and that waiver does not invalidate the insurance policy. (ii) The commercial general liability insurance certificate must also state, and include an endorsement, that the County of Fresno, its officers, agents, employees, and volunteers, individually and collectively, are additional insureds insofar as the operations under this Agreement are concerned. The commercial general liability insurance certificate must also state that the coverage shall apply as primary insurance and any other insurance, or self-insurance, maintained by the County shall be excess only and not contributing with insurance provided under the Contractor's policy. (iii) The automobile liability insurance certificate must state that the policy covers any auto used in connection with this Agreement. D-2 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit D (iv) The professional liability insurance certificate, if it is a claims-made policy, must also state the retroactive date of the policy, which must be prior to the date on which services began under this Agreement. (v) The technology professional liability insurance certificate must also state that coverage encompasses all of the Contractor's obligations under this Agreement, including but not limited to claims involving Cyber Risks, as that term is defined in this Agreement. (vi) The cyber liability insurance certificate must also state that it is endorsed, and include an endorsement, to cover the full replacement value of damage to, alteration of, loss of, or destruction of intangible property (including but not limited to information or data) that is in the care, custody, or control of the Contractor. (B) Acceptability of Insurers. All insurance policies required under this Agreement must be issued by admitted insurers licensed to do business in the State of California and possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no less than A: VI I. (C) Notice of Cancellation or Change. For each insurance policy required under this Agreement, the Contractor shall provide to the County, or ensure that the policy requires the insurer to provide to the County, written notice of any cancellation or change in the policy as required in this paragraph. For cancellation of the policy for nonpayment of premium, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 10 days in advance of cancellation. For cancellation of the policy for any other reason, and for any other change to the policy, the Contractor shall, or shall cause the insurer to, provide written notice to the County not less than 30 days in advance of cancellation or change. The County in its sole discretion may determine that the failure of the Contractor or its insurer to timely provide a written notice required by this paragraph is a breach of this Agreement. (D) County's Entitlement to Greater Coverage. If the Contractor has or obtains insurance with broader coverage, higher limits, or both, than what is required under this Agreement, then the County requires and is entitled to the broader coverage, higher limits, or both. To that end, the Contractor shall deliver, or cause its broker or producer to deliver, to the County's Risk Manager certificates of insurance and endorsements for all of the coverages that have such broader coverage, higher limits, or both, as required under this Agreement. (E) Waiver of Subrogation. The Contractor waives any right to recover from the County, its officers, agents, employees, and volunteers any amounts paid under the policy of worker's compensation insurance required by this Agreement. The Contractor is solely responsible to obtain any policy endorsement that may be necessary to accomplish that waiver, but the Contractor's waiver of subrogation under this paragraph is effective whether or not the Contractor obtains such an endorsement. (F) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails to keep in effect at all times any insurance coverage required under this Agreement, the County may, in addition to any other remedies it may have, suspend or terminate this Agreement upon the occurrence of that failure, or purchase such insurance coverage, D-3 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit D and charge the cost of that coverage to the Contractor. The County may offset such charges against any amounts owed by the County to the Contractor under this Agreement. (G)Subcontractors. The Contractor shall require and verify that all subcontractors used by the Contractor to provide services under this Agreement maintain insurance meeting all insurance requirements provided in this Agreement. This paragraph does not authorize the Contractor to provide services under this Agreement using subcontractors. D-4 Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit E Data Security 1. Definitions Capitalized terms used in this Exhibit E have the meanings set forth in this section 1. (A) "Authorized Employees" means the Contractor's employees who have access to Personal Information. (B) "Authorized Persons" means: (i) any and all Authorized Employees; and (ii) any and all of the Contractor's subcontractors, representatives, agents, outsourcers, and consultants, and providers of professional services to the Contractor, who have access to Personal Information and are bound by law or in writing by confidentiality obligations sufficient to protect Personal Information in accordance with the terms of this Exhibit E. (C) "Director" means the County's Director of Internal Services/Chief Information Officer or his or her designee. (D) "Disclose" or any derivative of that word means to disclose, release, transfer, disseminate, or otherwise provide access to or communicate all or any part of any Personal Information orally, in writing, or by electronic or any other means to any person. (E) "Person" means any natural person, corporation, partnership, limited liability company, firm, or association. (F) "Personal Information" means any and all information, including any data, provided, or to which access is provided, to the Contractor by or upon the authorization of the County, under this Agreement, including but not limited to vital records, that: (i) identifies, describes, or relates to, or is associated with, or is capable of being used to identify, describe, or relate to, or associate with, a person (including, without limitation, names, physical descriptions, signatures, addresses, telephone numbers, e-mail addresses, education, financial matters, employment history, and other unique identifiers, as well as statements made by or attributable to the person); (ii) is used or is capable of being used to authenticate a person (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or personal identification numbers (PINs), financial account numbers, credit report information, answers to security questions, and other personal identifiers); or (iii) is personal information within the meaning of California Civil Code section 1798.3, subdivision (a), or 1798.80, subdivision (e). Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (G)"Privacy Practices Complaint" means a complaint received by the County relating to the Contractor's (or any Authorized Person's) privacy practices, or alleging a Security Breach. Such complaint shall have sufficient detail to enable the Contractor to promptly investigate and take remedial action under this Exhibit E. (H) "Security Safeguards" means physical, technical, administrative or organizational security procedures and practices put in place by the Contractor (or any Authorized Persons) that relate to the protection of the security, confidentiality, value, or integrity of Personal Information. Security Safeguards shall satisfy the minimal requirements set forth in section 3(C) of this Exhibit E. E-1 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit E (1) "Security Breach" means (i) any act or omission that compromises either the security, confidentiality, value, or integrity of any Personal Information or the Security Safeguards, or (ii) any unauthorized Use, Disclosure, or modification of, or any loss or destruction of, or any corruption of or damage to, any Personal Information. (J) "Use" or any derivative of that word means to receive, acquire, collect, apply, manipulate, employ, process, transmit, disseminate, access, store, disclose, or dispose of Personal Information. 2. Standard of Care (A) The Contractor acknowledges that, in the course of its engagement by the County under this Agreement, the Contractor, or any Authorized Persons, may Use Personal Information only as permitted in this Agreement. (B) The Contractor acknowledges that Personal Information is deemed to be confidential information of, or owned by, the County (or persons from whom the County receives or has received Personal Information) and is not confidential information of, or owned or by, the Contractor, or any Authorized Persons. The Contractor further acknowledges that all right, title, and interest in or to the Personal Information remains in the County (or persons from whom the County receives or has received Personal Information) regardless of the Contractor's, or any Authorized Person's, Use of that Personal Information. (C)The Contractor agrees and covenants in favor of the Country that the Contractor shall: (i) keep and maintain all Personal Information in strict confidence, using such degree of care under this section 2 as is reasonable and appropriate to avoid a Security Breach; (ii) Use Personal Information exclusively for the purposes for which the Personal Information is made accessible to the Contractor pursuant to the terms of this Exhibit E; (iii) not Use, Disclose, sell, rent, license, or otherwise make available Personal Information for the Contractor's own purposes or for the benefit of anyone other than the County, without the County's express prior written consent, which the County may give or withhold in its sole and absolute discretion; and (iv) not, directly or indirectly, Disclose Personal Information to any person (an "Unauthorized Third Party") other than Authorized Persons pursuant to this Agreement, without the Director's express prior written consent. (D) Notwithstanding the foregoing paragraph, in any case in which the Contractor believes it, or any Authorized Person, is required to disclose Personal Information to government regulatory authorities, or pursuant to a legal proceeding, or otherwise as may be required by applicable law, Contractor shall, except as prohibited by law, (i) immediately notify the County of the specific demand for, and legal authority for the disclosure, including providing County with a copy of any notice, discovery demand, subpoena, or order, as applicable, received by the Contractor, or any Authorized Person, from any government regulatory authorities, or in relation to any legal proceeding, and (ii) E-2 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit E promptly notify the County before such Personal Information is offered by the Contractor for such disclosure so that the County may have sufficient time to obtain a court order or take any other action the County may deem necessary to protect the Personal Information from such disclosure, and the Contractor shall cooperate with the County to minimize the scope of such disclosure of such Personal Information. (E) The Contractor shall remain liable to the County for the actions and omissions of any Unauthorized Third Party concerning its Use of such Personal Information as if they were the Contractor's own actions and omissions. 3. Information Security (A) The Contractor covenants, represents and warrants to the County that the Contractor's Use of Personal Information under this Agreement does and will at all times comply with all applicable federal, state, and local, privacy and data protection laws, as well as all other applicable regulations and directives, including but not limited to California Civil Code, Division 3, Part 4, Title 1.81 (beginning with section 1798.80), and the Song- Beverly Credit Card Act of 1971 (California Civil Code, Division 3, Part 4, Title 1.3, beginning with section 1747). If the Contractor Uses credit, debit or other payment cardholder information, the Contractor shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing and maintaining all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case, at the Contractor's sole cost and expense. (B) The Contractor covenants, represents and warrants to the County that, as of the effective date of this Agreement, the Contractor has not received notice of any violation of any privacy or data protection laws, as well as any other applicable regulations or directives, and is not the subject of any pending legal action or investigation by, any government regulatory authority regarding same. (C)Without limiting the Contractor's obligations under section 3(A) of this Exhibit E, the Contractor's (or Authorized Person's) Security Safeguards shall be no less rigorous than accepted industry practices and, at a minimum, include the following: (i) limiting Use of Personal Information strictly to the Contractor's and Authorized Persons' technical and administrative personnel who are necessary for the Contractor's, or Authorized Persons', Use of the Personal Information pursuant to this Agreement; (ii) to the extent applicable, ensuring that all of the Contractor's connectivity to County computing systems will only be through the County's security gateways and firewalls, and only through security procedures approved upon the express prior written consent of the Director; (iii) to the extent that they contain or provide access to Personal Information, (a) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, operating systems, and software applications, including, but not limited to, all mobile devices and other equipment, operating systems, and software applications with information storage capability; (b) E-3 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit E employing adequate controls and data security measures, both internally and externally, to protect (1) the Personal Information from potential loss or misappropriation, or unauthorized Use, and (2) the County's operations that directly relate to this Agreement from disruption and abuse; (c) having and maintaining network, device application, database and platform security; (d) maintaining authentication and access controls within media, computing equipment, operating systems, and software applications; and (e) installing and maintaining in all mobile, wireless, or handheld devices a secure internet connection, having continuously updated anti-virus software protection on devices that commonly have such protection and a remote wipe feature always enabled; (iv) encrypting all Personal Information using encryption standards of Advanced Encryption Standards (AES) of 128 bit or higher (a) stored on any mobile devices, including but not limited to hard disks, portable storage devices, or remote installation, or(b) transmitted over public or wireless networks (the encrypted Personal Information must be subject to password or pass phrase, and be stored on a secure server and transferred by means of a Virtual Private Network (VPN) connection, or another type of secure connection; (v) strictly segregating Personal Information from all other information of the Contractor, including any Authorized Person, or anyone with whom the Contractor or any Authorized Person deals so that Personal Information is not commingled with any other types of information; (vi) having a patch management process that includes installation of applicable operating system and software vendor security patches; (vii) maintaining appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks of Authorized Employees consistent with applicable law; and (viii) providing appropriate privacy and information security training to Authorized Employees. (D) During the term of each Authorized Employee's employment by the Contractor, the Contractor shall cause such Authorized Employees to abide strictly by the Contractor's obligations under this Exhibit E. The Contractor shall maintain a disciplinary process to address any unauthorized Use of Personal Information by any Authorized Employees. (E) The Contractor shall, in a secure manner, backup daily, or more frequently if it is the Contractor's practice to do so more frequently, Personal Information received from the County. (F) The Contractor shall provide the County with the contact information to assist the County twenty-four (24) hours per day, seven (7) days per week as a contact in resolving the Contractor's and any Authorized Persons' obligations associated with a Security Breach or a Privacy Practices Complaint. (G)The Contractor shall not knowingly include or authorize any Trojan Horse, back door, time bomb, drop dead device, worm, virus, or other code of any kind that may disable, E-4 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit E erase, display any unauthorized message within, or otherwise impair any County computing system, with or without the intent to cause harm. 4. Security Breach Procedures (A) Immediately upon the Contractor's awareness or reasonable belief of a Security Breach, the Contractor shall (i) notify the Director of the Security Breach, such notice to be given first by telephone at the following telephone number, followed promptly by email at the following email address: (559) 600-6200 / [generic ISD email address] (which telephone number and email address the County may update by providing notice to the Contractor), and (ii) preserve all relevant evidence (and cause any affected Authorized Person to preserve all relevant evidence) relating to the Security Breach. The notification shall include, to the extent reasonably possible, the identification of each type and the extent of Personal Information that has been, or is reasonably believed to have been, breached, including but not limited to, compromised, or subjected to unauthorized Use, Disclosure, or modification, or any loss or destruction, corruption, or damage. (B) Immediately following the Contractor's notification to the County of a Security Breach, as provided pursuant to section 4(A) of this Exhibit E, the Parties shall coordinate with each other to investigate the Security Breach. The Contractor agrees to fully cooperate with the County, including, without limitation: (i) assisting the County in conducting any investigation; (ii) facilitating interviews with Authorized Persons and any of the Contractor's other employees knowledgeable of the matter; and (iii) making available documentation required to comply with applicable law, regulation, industry standards. To that end, subject to any limitation of liability specified in the Agreement, the Contractor shall, with respect to a Security Breach, be solely responsible, at its cost, for all notifications required by law and regulation, or deemed reasonably necessary by the County, and the Contractor shall provide a written report of the investigation and reporting required to the Director within 30 days after the Contractor's investigation of the Security Breach. (C) County shall promptly notify the Contractor of the Director's knowledge, or reasonable belief, of any Privacy Practices Complaint, and upon the Contractor's receipt of that notification, the Contractor shall promptly address such Privacy Practices Complaint, including taking commercially reasonable corrective action under this Exhibit E, at the Contractor's sole expense, in accordance with applicable privacy rights, laws, regulations and standards. In the event the Contractor discovers a Security Breach, the Contractor shall treat the Privacy Practices Complaint as a Security Breach. Within 24 hours of the Contractor's receipt of notification of such Privacy Practices Complaint, the Contractor shall notify the County whether the matter is a Security Breach, or otherwise has been corrected and the manner of correction, or determined not to require corrective action and the reason for that determination. (D) The Contractor shall take prompt commercially reasonable corrective action to respond to and remedy any Security Breach and take mitigating actions, including but not limiting E-5 Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit E to, preventing any reoccurrence of the Security Breach and correcting any deficiency in Security Safeguards as a result of such incident, all at the Contractor's sole expense, in accordance with applicable privacy rights, laws, regulations and standards. Subject to the Agreement, the Contractor shall reimburse the County for all reasonable direct damages incurred by the County in responding to, and mitigating damages caused by, any Security Breach, including all costs of the County incurred relation to any litigation or other action described section 4(E) of this Exhibit E. (E) Subject to the Agreement, the Contractor agrees to cooperate, at its sole expense, with the County in any litigation or other action to protect the County's rights relating to Personal Information, including the rights of persons from whom the County receives Personal Information. 5. Oversight of Security Compliance (A) The Contractor shall have and maintain a written information security policy that specifies Security Safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities. (B) Upon the County's written request, to confirm the Contractor's compliance with this Exhibit E, as well as any applicable laws, regulations and industry standards, the Contractor grants the County or, upon the County's election, a third party on the County's behalf, permission to perform an assessment, audit, examination or review of all controls in the Contractor's physical and technical environment in relation to all Personal Information that is Used by the Contractor pursuant to this Agreement. The Contractor shall fully cooperate with such assessment, audit or examination, as applicable, by providing the County or the third party on the County's behalf, access to all Authorized Employees and other knowledgeable personnel and documentation. (C)The Contractor shall ensure that all Authorized Persons who Use Personal Information agree to substantially similar restrictions and conditions in this Exhibit E that apply to the Contractor with respect to such Personal Information by incorporating the relevant provisions of these provisions into a valid and binding written agreement between the Contractor and such Authorized Persons, or amending any written agreements to provide same. 6. Return or Destruction of Personal Information. Upon the termination of this Agreement, the Contractor shall, and shall instruct all Authorized Persons to, promptly return to the County all Personal Information, whether in written, electronic or other form or media, in its possession or the possession of such Authorized Persons, in a machine readable form used by the County at the time of such return, or upon the express prior written consent of the Director, securely destroy all such Personal Information, and certify in writing to the County that such Personal Information have been returned to the County or disposed of securely, as applicable. If the Contractor is authorized to dispose of any such Personal Information, as provided in this Exhibit E, such certification shall state the date, time, and manner (including standard) of disposal and by whom, specifying the title of the individual. The Contractor shall comply with all reasonable directions provided by the Director with respect to the return or disposal of Personal Information and copies of Personal Information. If return or disposal of such Personal Information or copies of Personal Information is not feasible, the Contractor shall notify the County according, specifying the reason, and continue to extend the E-6 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit E protections of this Exhibit E to all such Personal Information and copies of Personal Information. The Contractor shall not retain any copy of any Personal Information after returning or disposing of Personal Information as required by this section 6. The Contractor's obligations under this section 6 survive the termination of this Agreement and apply to all Personal Information that the Contractor retains if return or disposal is not feasible and to all Personal Information that the Contractor may later discover. 7. Equitable Relief. The Contractor acknowledges that any breach of its covenants or obligations set forth in this Exhibit E may cause the County irreparable harm for which monetary damages would not be adequate compensation and agrees that, in the event of such breach or threatened breach, the County is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which the County may be entitled at law or in equity. Such remedies shall not be deemed to be exclusive but shall be in addition to all other remedies available to the County at law or in equity or under this Agreement. 8. Survival. The respective rights and obligations of the Contractor and the County as stated in this Exhibit E shall survive the termination of this Agreement. 9. No Third Party Beneficiary. Nothing express or implied in the provisions of in this Exhibit E is intended to confer, nor shall anything in this Exhibit E confer, upon any person other than the County or the Contractor and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. E-7 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit F Health Insurance Portability and Accountability Act (HIPAA) 1. The County is a "Covered Entity," and the Contractor is a "Business Associate," as these terms are defined by 45 CFR 160.103. In connection with providing services under the Agreement, the parties anticipate that the Contractor will create and/or receive Protected Health Information ("PHI")from or on behalf of the County. The parties enter into this Business Associate Agreement (BAA)to comply with the Business Associate requirements of HIPAA, to govern the use and disclosures of PHI under this Agreement. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164. The parties to this Agreement shall be in strict conformance with all applicable federal and State of California laws and regulations, including, but not limited to California Welfare and Institutions Code sections 5328, 10850, and 14100.2 et seq.; 42 CFR 2; 42 CFR 431; California Civil Code section 56 et seq.; the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), including, but not limited to, 45 CFR Parts160, 45 CFR 162, and 45 CFR 164; the Health Information Technology for Economic and Clinical Health Act ("HITECH") regarding the confidentiality and security of patient information, including, but not limited to 42 USC 17901 et seq.; and the Genetic Information Nondiscrimination Act ("GINA") of 2008 regarding the confidentiality of genetic information. Except as otherwise provided in this Agreement, the Contractor, as a business associate of the County, may use or disclose Protected Health Information ("PHI") to perform functions, activities or services for or on behalf of the County, as specified in this Agreement, provided that such use or disclosure shall not violate HIPAA Rules. The uses and disclosures of PHI may not be more expansive than those applicable to the County, as the "Covered Entity" under the HIPAA Rules, except as authorized for management, administrative or legal responsibilities of the Contractor. 2. The Contractor, including its subcontractors and employees, shall protect from unauthorized access, use, or disclosure of names and other identifying information, including genetic information, concerning persons receiving services pursuant to this Agreement, except where permitted in order to carry out data aggregation purposes for health care operations [45 CFR§§ 164.504(e)(2)(i), 164.504(e)(2)(ii)(A), and 164.504(e)(4)(i)]. This pertains to any and all persons receiving services pursuant to a County-funded program. This requirement applies to electronic PHI. The Contractor shall not use such identifying information or genetic information for any purpose other than carrying out the Contractor's obligations under this Agreement. 3. The Contractor, including its subcontractors and employees, shall not disclose any such identifying information or genetic information to any person or entity, except as otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 or other law, required by the Secretary of the United States Department of Health and Human Services ("Secretary"), or authorized by the client/patient in writing. In using or disclosing PHI that is permitted by this Agreement or authorized by law, the Contractor shall make reasonable efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure or request. 4. For purposes of the above sections, identifying information shall include, but not be limited to, name, identifying number, symbol, or other identifying particular assigned to the individual, such as fingerprint or voiceprint, or photograph. 5. For purposes of the above sections, genetic information shall include genetic tests of family members of an individual or individual(s), manifestation of disease or disorder of family members of an individual, or any request for or receipt of genetic services by individual or family F-1 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit F members. Family member means a dependent or any person who is first, second, third, or fourth degree relative. 6. The Contractor shall provide access, at the request of the County, and in the time and manner designated by the County, to PHI in a designated record set (as defined in 45 CFR § 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR § 164.524 regarding access by individuals to their PHI. With respect to individual requests, access shall be provided within thirty (30) days from request. Access may be extended if the Contractor cannot provide access and provides the individual with the reasons for the delay and the date when access may be granted. PHI shall be provided in the form and format requested by the individual or the County. The Contractor shall make any amendment(s) to PHI in a designated record set at the request of the County or individual, and in the time and manner designated by the County in accordance with 45 CFR § 164.526. The Contractor shall provide to the County or to an individual, in a time and manner designated by the County, information collected in accordance with 45 CFR § 164.528, to permit the County to respond to a request by the individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. 7. The Contractor shall report to the County, in writing, any knowledge or reasonable belief that there has been unauthorized access, viewing, use, disclosure, security incident, or breach of unsecured PHI not permitted by this Agreement of which the Contractor becomes aware, immediately and without reasonable delay and in no case later than two (2) business days of discovery. Immediate notification shall be made to the County's Information Security Officer and Privacy Officer and the County's Department of Public Health ("DPH") HIPAA Representative, within two (2) business days of discovery. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, disclosed, or breached. The Contractor shall take prompt corrective action to cure any deficiencies and any action pertaining to such unauthorized disclosure required by applicable federal and State laws and regulations. The Contractor shall investigate such breach and is responsible for all notifications required by law and regulation or deemed necessary by the County and shall provide a written report of the investigation and reporting required to the County's Information Security Officer and Privacy Officer and the County's DPH HIPAA Representative. This written investigation and description of any reporting necessary shall be postmarked within the thirty (30) working days of the discovery of the breach to the addresses below: County of Fresno County of Fresno County of Fresno Department of Public Health Department of Public Health Department of Internal Services HIPAA Representative Privacy Officer Information Security Officer (559) 600-6439 (559) 600-6405 (559) 600-5800 P.O. Box 11867 P.O. Box 11867 2048 North Fine Street Fresno, California 93775 Fresno, California 93775 Fresno, California 93727 8. The Contractor shall make its internal practices, books, and records relating to the use and disclosure of PHI received from the County, or created or received by the Contractor on behalf of the County, in compliance with Parts the HIPAA Rules. The Contractor shall make its internal practices, books, and records relating to the use and disclosure of PHI F-2 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit F received from the County, or created or received by the Contractor on behalf of the County, available to the Secretary upon demand. The Contractor shall cooperate with the compliance and investigation reviews conducted by the Secretary. PHI access to the Secretary must be provided during the Contractor's normal business hours; however, upon exigent circumstances access at any time must be granted. Upon the Secretary's compliance or investigation review, if PHI is unavailable to the Contractor and in possession of a subcontractor of the Contractor, the Contractor must certify to the Secretary its efforts to obtain the information from the subcontractor. 9. Safeguards The Contractor shall implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule, Subpart C of 45 CFR Part 164, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains or transmits on behalf of the County and to prevent unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. The Contractor shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI. The Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities. Upon the County's request, the Contractor shall provide the County with information concerning such safeguards. The Contractor shall implement strong access controls and other security safeguards and precautions in order to restrict logical and physical access to confidential, personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include the following administrative and technical password controls for all systems used to process or store confidential, personal, or sensitive data: A. Passwords must not be: (1) Shared or written down where they are accessible or recognizable by anyone else; such as taped to computer screens, stored under keyboards, or visible in a work area; (2) A dictionary word; or (3) Stored in clear text B. Passwords must be: (1) Eight (8) characters or more in length; (2) Changed every ninety (90) days; (3) Changed immediately if revealed or compromised; and (4) Composed of characters from at least three (3) of the following four(4) groups from the standard keyboard: a) Upper case letters (A-Z); b) Lowercase letters (a-z); c) Arabic numerals (0 through 9); and d) Non-alphanumeric characters (punctuation symbols). The Contractor shall implement the following security controls on each workstation or portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive F-3 Docusign Envelope ID: E8655E65-F435-48OF-91 1 B-3BF8E884COB5 Exhibit F data: 1. Network-based firewall and/or personal firewall; 2. Continuously updated anti-virus software; and 3. Patch management process including installation of all operating system/software vendor security patches. The Contractor shall utilize a commercial encryption solution that has received FIPS 140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable electronic media (including, but not limited to, compact disks and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). The Contractor shall not transmit confidential, personal, or sensitive data via e-mail or other internet transport protocol unless the data is encrypted by a solution that has been validated by the National Institute of Standards and Technology (NIST) as conforming to the Advanced Encryption Standard (AES) Algorithm. The Contractor must apply appropriate sanctions against its employees who fail to comply with these safeguards. The Contractor must adopt procedures for terminating access to PHI when employment of employee ends. 10. Mitigation of Harmful Effects The Contractor shall mitigate, to the extent practicable, any harmful effect that is suspected or known to the Contractor of an unauthorized access, viewing, use, disclosure, or breach of PHI by the Contractor or its subcontractors in violation of the requirements of these provisions. The Contractor must document suspected or known harmful effects and the outcome. 11. The Contractor's Subcontractors The Contractor shall ensure that any of its contractors, including subcontractors, if applicable, to whom the Contractor provides PHI received from or created or received by the Contractor on behalf of the County, agree to the same restrictions, safeguards, and conditions that apply to the Contractor with respect to such PHI and to incorporate, when applicable, the relevant provisions of these provisions into each subcontract or sub-award to such agents or subcontractors. Nothing in this section 11 or this Exhibit F authorizes the Contractor to perform services under this Agreement using subcontractors. 12. Employee Training and Discipline The Contractor shall train and use reasonable measures to ensure compliance with the requirements of these provisions by employees who assist in the performance of functions or activities on behalf of the County under this Agreement and use or disclose PHI, and discipline such employees who intentionally violate any provisions of these provisions, which may include termination of employment. 13. Termination for Cause Upon the County's knowledge of a material breach of these provisions by the Contractor, the County will either: A. Provide an opportunity for the Contractor to cure the breach or end the violation, and the County may terminate this Agreement if the Contractor does not cure the breach or end the violation within the time specified by the County; or B. Immediately terminate this Agreement if the Contractor has breached a material term of this Exhibit F and cure is not possible, as determined by the County. F-4 Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit F C. If neither cure nor termination is feasible, the County's Privacy Officer will report the violation to the Secretary of the U.S. Department of Health and Human Services. 14. Judicial or Administrative Proceedings The County may terminate this Agreement if: (1) the Contractor is found guilty in a criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or (2) there is a finding or stipulation in an administrative or civil proceeding in which the Contractor is a party that the Contractor has violated a privacy or security standard or requirement of the HITECH Act, HIPAA or other security or privacy laws. 15. Effect of Termination Upon termination or expiration of this Agreement for any reason, the Contractor shall return or destroy all PHI received from the County (or created or received by the Contractor on behalf of the County) that the Contractor still maintains in any form, and shall retain no copies of such PHI. If return or destruction of PHI is not feasible, the Contractor shall continue to extend the protections of these provisions to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision applies to PHI that is in the possession of subcontractors or agents, if applicable, of the Contractor. If the Contractor destroys the PHI data, a certification of date and time of destruction shall be provided to the County by the Contractor. 16. Compliance with Other Laws 13.16 To the extent that other state and/or federal laws provide additional, stricter and/or more protective privacy and/or security protections to PHI or other confidential information covered under this BAA, the Contractor agrees to comply with the more protective of the privacy and security standards set forth in the applicable state or federal laws to the extent such standards provide a greater degree of protection and security than HIPAA Rules or are otherwise more favorable to the individual. 17. Disclaimer The County makes no warranty or representation that compliance by the Contractor with these provisions, the HITECH Act, or the HIPAA Rules, will be adequate or satisfactory for the Contractor's own purposes or that any information in the Contractor's possession or control, or transmitted or received by the Contractor, is or will be secure from unauthorized access, viewing, use, disclosure, or breach. The Contractor is solely responsible for all decisions made by the Contractor regarding the safeguarding of PHI. 18. Amendment The parties acknowledge that Federal and State laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Exhibit F may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to amend this agreement in order to implement the standards and requirements of the HIPAA Rules, the HITECH Act and other applicable laws relating to the security or privacy of PHI. The County may terminate this Agreement upon thirty (30) days written notice in the event that the Contractor does not enter into an amendment providing assurances regarding the safeguarding of PHI that the County in its sole discretion, deems sufficient to satisfy the standards and requirements of the HIPAA Rules, and the HITECH Act. 19. No Third-Party Beneficiaries F-5 Docusign Envelope ID: E8655E65-F435-480E-911B-3BF8E884COB5 Exhibit F Nothing expressed or implied in the provisions of this Exhibit F is intended to confer, and nothing in this Exhibit F does confer, upon any person other than the County or the Contractor and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever. 20. Interpretation The provisions of this Exhibit F shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules, and applicable State laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a meaning that complies and is consistent with the HIPAA Rules. 21. Regulatory References A reference in the terms and conditions of these provisions to a section in the HIPAA Rules means the section as in effect or as amended. 22. Survival The respective rights and obligations of the Contractor as stated in this Exhibit F survive the termination or expiration of this Agreement. 23. No Waiver of Obligation Change, waiver or discharge by the County of any liability or obligation of the Contractor under this Exhibit F on any one or more occasions is not a waiver of performance of any continuing or other obligation of the Contractor and does not prohibit enforcement by the County of any obligation on any other occasion. F-6