HomeMy WebLinkAboutCal Poly Corporation-Promote Study Cardiovascular Health of Mothers Children_A-25-300.pdf COtj County of Fresno Hall of Records, Room 301
2281 Tulare Street
Fresno,California
601 Board of Supervisors 93721-2198
O� 1$56 0 Telephone: (559)600-3529
FRV,t' Minute Order Toll Free: 1-800-742-1011
www.fresnocountyca.gov
June 24, 2025
Present: 5- Vice Chairman Garry Bredefeld, Supervisor Luis Chavez, Supervisor Nathan Magsig,
Chairman Buddy Mendes, and Supervisor Brian Pacheco
Agenda No. 61. Public Health File ID: 25-0555
Re: Under Administrative Policy No. 34 for competitive bids or requests for proposals(AP 34), determine
that an exception to the competitive bidding requirement under AP 34 is satisfied and a Sole Source
Acquisition Request is warranted due to unusual or extraordinary circumstances, and that the best
interests of the County would be served by entering into a Memorandum of Understanding with Cal
Poly Corporation (Cal Poly)as Cal Poly's Early Intervention to Promote Cardiovascular Health of
Mothers and Children project is solely Cal Poly's grant study addressing the reduction of
cardiovascular disease in pregnant and postpartum women and their infants; approve and authorize the
Chairman to execute a Memorandum of Understanding with Cal Poly Corporation to promote and
study cardiovascular health among pregnant and postpartum women and infants, effective upon
execution through June 1, 2030($0); and approve and authorize the Director of Public Health to
execute future supplemental agreements related to the Cal Poly Corporation Memorandum of
Understanding upon approval by Human Resource- Risk Contracts, County Counsel, and County's
Auditor
APPROVED AS RECOMMENDED
Ayes: 5- Bredefeld, Chavez, Magsig, Mendes, and Pacheco
Agreement No. 25-300
County of Fresno Page 65
COtj���
Board Agenda Item 61
O 1856 O
FRE`'�
DATE: June 24, 2025
TO: Board of Supervisors
SUBMITTED BY: David Luchini, RN, PHN, Director, Department of Public Health
SUBJECT: Memorandum of Understanding with Cal Poly Corporation
RECOMMENDED ACTION(S):
1. Under Administrative Policy No. 34 for competitive bids or requests for proposals (AP 34),
determine that an exception to the competitive bidding requirement under AP 34 is satisfied
and a Sole Source Acquisition Request is warranted due to unusual or extraordinary
circumstances, and that the best interests of the County would be served by entering into a
Memorandum of Understanding with Cal Poly Corporation (Cal Poly) as Cal Poly's Early
Intervention to Promote Cardiovascular Health of Mothers and Children project is solely Cal
Poly's grant study addressing the reduction of cardiovascular disease in pregnant and
postpartum women and their infants;
2. Approve and authorize the Chairman to execute a Memorandum of Understanding with Cal
Poly Corporation to promote and study cardiovascular health among pregnant and
postpartum women and infants, effective upon execution through June 1, 2030 ($0); and
3. Approve and authorize the Director of Public Health to execute future supplemental
agreements related to the Cal Poly Corporation Memorandum of Understanding upon
approval by Human Resource -Risk Contracts, County Counsel, and County's Auditor.
There is no additional Net County Cost associated with the recommended actions. Approval of the first and
second recommended actions will allow the Department of Public Health (Department)to partner with Cal
Poly Corporation (Cal Poly)to participate in Cal Poly's Early Intervention to Promote Cardiovascular Health
of Mothers and Children (ENRICH) project which aims to determine the effectiveness of combining pre-and
postnatal lifestyle interventions within established and sustained evidence-based nursing home visiting
programs to reduce cardiovascular disease risk factors in pregnant and postpartum women and infants.
Approval of the third recommended action will allow the Director of Public Health to sign and execute future
supplemental agreements related to the Cal Poly Memorandum of Understanding (MOU)subject to the
approval of Human Resource - Risk Contracts (HR Risk), County Counsel, and County's Auditor. This item
is countywide.
ALTERNATIVE ACTION(S):
There are no viable alternative actions. Should your Board not approve the recommended actions, the
Department will not participate in the ENRICH project and will not be able to provide the necessary education
to reduce cardiovascular disease in pregnant and postpartum women and infants.
SUSPENSION OF COMPETITION/SOLE SOURCE CONTRACT
It is requested that the County find under AP 34 that an exception to the competitive bidding requirement is
satisfied, and a sole source is warranted due to unusual or extraordinary circumstances, as the Early
County of Fresno Page 1 File Number.25-0555
File Number:25-0555
Intervention to Promote Cardiovascular Health of Mothers and Children project is solely Cal Poly's grant
study addressing the reduction of cardiovascular disease in pregnant women and infants. The
recommended action is consistent with the Board's ongoing assignment of the County's current economic
development responsibilities. The Internal Services Department- Purchasing concurs with the Department's
assessment that this satisfies the exception to the competitive bidding process required by AP 34.
FISCAL IMPACT:
There is no fiscal impact associated with the recommended action.
DISCUSSION:
On May 6, 2025, your Board approved bringing the item back at a future Board date once clarification has
been made regarding who the study on cardiovascular health will be conducted on. The study will be
conducted on pregnant and postpartum women and infants.
The ENRICH project aims to determine the effectiveness of combining pre- and postnatal lifestyle
interventions within established and sustained evidence-based nursing home visiting programs to reduce
cardiovascular disease risk factors in Hispanic and non-Hispanic pregnant and postpartum women and
infants. The Department is currently implementing the Nurse-Family Partnership home visiting model.
The ENRICH project for California is solely being studied by Cal Poly. Cal Poly, through its Cal Poly Center
for Health Research, is the only California agency funded by the National Institute of Health (NIH)to promote
and study cardiovascular health among pregnant and postpartum women and infants. The competitive grant
is one of seven awarded through the NIH's ENRICH program, with similar grants also awarded to separate
research teams in Maryland, Pennsylvania, Alabama, Missouri, Colorado, and Illinois. The research will
entail program development, implementation and evaluation of a new program designed to promote cardiac
health in pregnant and postpartum women and infants. In collaboration with local home visiting partners, the
program seeks to reduce such heart disease risk factors as obesity, sedentary lifestyles, smoking, poor
diets, stress and poor sleep. Cal Poly students and faculty studying statistics and world languages and
cultures will be collaborating with counterparts at Brown University, a private research institution in
Providence, Rhode Island, and other centers and home visiting programs to develop and evaluate how
participants respond.
The ENRICH project has outstanding potential for reducing cardiovascular disease risk factors and
interrupting the intergenerational transmission of obesity and cardiovascular disease risk factors in socially
disadvantaged, Hispanic and non-Hispanic populations at high risk of cardiovascular disease morbidity and
mortality. Cal Poly's model of enhancing home visiting is very likely to have a sustained impact because it is
part of an established home visiting infrastructure that has been in place for several years, ensuring
sustainability of the implementation context. The approach has great potential to reduce the healthcare
sector and societal health costs associated with cardiovascular disease.
The MOU with Cal Poly contains mutual indemnification language. Approval of the recommended actions will
allow the Department to partner with Cal Poly to reduce cardiovascular disease risk factors in pregnant and
postpartum women and infants by providing the necessary education regarding cardiovascular disease risk
factors during Public Health Nurses home visitations. Approval of the recommendations will also allow the
Director of Public Health to execute future supplemental agreements related to the MOU subject to the
approval of HR Risk, County Counsel, and County's Auditor.
ATTACHMENTS INCLUDED AND/OR ON FILE:
Sole Source Acquisition Request Form
On file with Clerk- MOU with Cal Poly Corporation
County of Fresno Page 2 File Number.25-0555
File Number:25-0555
CAO ANALYST:
Ron Alexander
County of Fresno Page 3 File Number:25-0555
ti co�ti�� [2 Email Me]
o , Sole Source Acquisition Request
j Double click!
pRE`��
1. Fully describe the product(s) and/or service(s) being requested.
To partner with Cal Poly's Early Intervention to Promote Cardiovascular Health of Mothers and Children
(ENRICH) project which aims to determine the effectiveness of combining pre- and postnatal lifestyle
interventions within established and sustained evidence-based nursing home visiting programs to
reduce cardiovascular disease risk factors in Hispanic and non-Hispanic birthing persons and
children. The Department of Public Health is currently implementing the Nurse-Family Partnership
home visiting model. and clients will benefit from the ENRICH curriculum and materials.
2. Identify the selected vendor and contact person; include the address, phone number and e-mail address
for each.
California Polytechnic State University
1 Grand Avenue
San Luis Obispo, CA 93407
Suzanne Phelan, PhD, sphlelan@calpoly.edu, 805-756-2087
3. What is the total cost of the acquisition? If an agreement, state the total cost of the initial term and the
amounts for potential renewal terms.
There is no cost associated with the acquisition. The agreement will be effective upon final signature and
terminate on June 1, 2030.
4. Identify the unique qualities and/or capabilities of the service(s) and/or product(s) that qualify this as a
sole source acquisition.
The ENRICH project for California is solely being studied by Cal Poly. Cal Poly Corporation through its
Cal Poly Center for Health Research is the only California agency funded by the National Institute of
Health (NIH) to promote and study cardiovascular health among pregnant women and infants. The
competitive grant is one of seven awarded through the NIH's ENRICH program, with similar grants
also awarded to separate research teams in Maryland, Pennsylvania, Alabama, Missouri, Colorado,
and Illinois. The research will entail program development, implementation and evaluation of a new
program designed to promote cardiac health in women and children. In collaboration with local home
visiting partners, the program seeks to reduce such heart disease risk factors as obesity, sedentary
lifestyles, smoking, poor diets, stress and poor sleep. Cal Poly students and faculty studying statistics
and world languages and cultures will be collaborating with counterparts at Brown University, a
private research institution in Providence, Rhode Island, and other centers and home visiting
programs to develop and evaluate how participants respond.
5. Explain why the unique qualities and/or capabilities described above are essential to your department.
The ENRICH project has outstanding potential for reducing cardiovascular disease risk factors and
interrupting the intergenerational transmission of obesity and cardiovascular disease risk factors in
socially disadvantaged, Hispanic and non-Hispanic populations at high risk of cardiovascular disease
morbidity and mortality. Cal Poly's model of enhancing home visiting is very likely to have a sustained
impact because it is part of an established home visiting infrastructure that has been in place for
several years, ensuring sustainability of the implementation context. The approach has great
potential to reduce the healthcare sector and societal health costs associated with cardiovascular
disease.
6. Provide a comprehensive explanation of the research done to verify that there is only a sole vendor that is
capable of providing the required service(s) and/or product(s). Include a list of all other vendors contacted
with regard to providing the requested product(s) and/or service(s) and indicate their response.
E-PD-047 (07/2021)
The ENRICH project for California is solely Cal Poly's grant study addressing the reduction of
cardiovascular disease in birthing persons and children. This project is unique to Cal Poly and unique
in scope which will benefit our residents.
chlor 10/21/2024 3:29:50 PM Senior Staff Analyst [a Sign] Double click!
Requested By: Title
I approve this request to sole source for the service(s) and/or product(s) identified herein.
dluchini 10/22/2024 9:00:11 AM [a Sign] Double click!
Department Head Signature
rblackburn 10/30/2024 3:35:18 PM [a Sign] Double click!
Purchasing Manager Signature
E-PD-047 (07/2021)
Agreement No. 25-300
MEMORANDUM OF UNDERSTANDING
Between
COUNTY OF FRESNO
And
CAL POLY CORPORATION, dba CAL POLY PARTNERS, SAN LUIS OBISPO
This Memorandum of Understanding (MOU) is entered into by and between the County
of Fresno, a political subdivision of the State of California, through its Public Health
Department (County), and Board of Trustees of the California State University through
its campus Cal Poly Corporation, dba Cal Poly Partners, San Luis Obispo (Contractor).
This MOU shall set forth the terms in which County and Contractor intend to work
together to promote and study cardiovascular health among pregnant and postpartum
women and infants in the County of Fresno.
Background
The National Institute of Health (NIH) has funded the Cal Poly Corporation, dba Cal
Poly Partners, through its Cal Poly Center for Health Research to promote and study
cardiovascular health among pregnant women and infants. This is a seven-year
research project involving more than 400 participants in California and Rhode Island
enrolled in programs with evidence- based home health visitation services, including
Nurse Family Partnership, Healthy Families of America, and Parents as Teachers.
The grant is part of the NIH Early Intervention to Promote Cardiovascular Health of
Mothers and Children (ENRICH) program to promote heart health and address health
disparities in low-income pregnant and postpartum women and their infants living in low-
resource communities.
The research will entail program development, implementation and evaluation of a new
program designed to promote cardiac health in families. In collaboration with local home
visiting partners, the program seeks to reduce such heart disease risk factors as
obesity, sedentary lifestyles, smoking, poor diets, high blood pressure, and high
glucose.
Cal Poly faculty, students, and staff from diverse disciplines are collaborating with
counterparts at Brown University, a private research institution in Providence, Rhode
Island, and other centers and home visiting programs across the nation to develop and
evaluate the effectiveness of the heart health program relative to usual home visiting.
The research team expects to develop and implement strategies around healthy eating,
activity, obesity prevention and other cardiovascular health behaviors.
The objective of this research is to facilitate the prevention and treatment of
cardiovascular health among pregnant and postpartum women and children.
Scope of Work: The Research project ("Project") entitled "ENRICH" as described in
Attachment A, shall be performed on a reasonable efforts basis.
Page 1 of 20
TERMS AND CONDITIONS:
1 TERM: The term of this MOU shall become effective upon execution and
terminate 0 6/0 1 /2030 unless extended in writing executed by both County and
Contractor.
COMPENSATION: No funding will be associated with this agreement.
INDEPENDENT CONTRACTOR: Contractor is an independent contractor, working
under his/her own supervision and direction and is not a representative or employee
of County.
4. MUTUAL HOLD HARMLESS: Contractor shall defend, indemnify and hold harmless
the County, its officials, officers, employees and agents from and against any and all
liability, loss, expense, attorney's fees, or claims for injury or damages arising out of
Contractor's performance of this MOU but only in proportion to and to the extent such
liability, loss, expense, attorney's fees or claims for injury or damages are caused by or
result from the negligent or intentional acts or omissions of Contractor, its officers,
agents or employees. In the execution of this MOU, the Contractor hereby
acknowledges and agrees that their scope of work is distinctly separate from that of
the County. Furthermore, the Contractor assumes full responsibility for defending,
indemnifying, and holding harmless the County, its officials, officers, employees, and
agents from any and all liability, loss, expense, attorney's fees, or claims for injury or
damages arising directly from the Contractor's performance under this MOU. Such
defense, indemnification, and hold harmless obligation shall only apply to the extent
and in proportion to which such liability, loss, expense, attorney's fees, or claims for
injury or damages arise from the negligent or intentional acts or omissions of the
Contractor, its officers, agents, or employees.
The County shall defend, indemnify and hold harmless Contractor, its officers,
employees and agents from and against any and all liability, loss, expense, attorney's
fees, or claims for injury or damages arising out of County's performance of this MOU,
but only in proportion to and to the extent such liability, loss, expense, attorney's fees
or claims for injury or damages are caused by or result from the negligent or intentional
acts or omissions of the County, its officers, agents or employees.
4.1 SURVIVAL. This section 4 survives the termination of this Agreement.
INSURANCE: Without limiting the County's right to obtain indemnification from the
Contractor or any third parties, Contractor, at its sole expense, shall maintain in full
force and effect the following insurance policies throughout the term of this
Agreement.
(A) Commercial General Liability. Commercial general liability insurance with limits
of not less than Two Million Dollars ($2,000,000) per occurrence and an annual
aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a
Page 2 of 20
per occurrence basis. Coverage must include products, completed operations,
property damage, bodily injury, personal injury, and advertising injury. The
Contractor shall obtain an endorsement to this policy naming the County of
Fresno, its officers, agents, employees, and volunteers, individually and
collectively, as additional insureds, but only insofar as the operations under this
Agreement are concerned. Such coverage for additional insureds will apply as
primary insurance and any other insurance, or self-insurance, maintained by the
County is excess only and not contributing with insurance provided under the
Contractor's policy.
(B)Automobile Liability. Automobile liability insurance with limits of not less than
One Million Dollars ($1,000,000) per occurrence for bodily injury and for property
damages. Coverage must include any auto used in connection with this
Agreement.
(C)Workers Compensation. Workers compensation insurance as required by the
laws of the State of California with statutory limits.
(D)Employer's Liability. Employer's liability insurance with limits of not less than
One Million Dollars ($1,000,000) per occurrence for bodily injury and for disease.
(E) Professional Liability. Professional liability insurance with limits of not less than
One Million Dollars ($1,000,000) per occurrence and an annual aggregate of
Three Million Dollars ($3,000,000). If this is a claims-made policy, then (1)the
retroactive date must be prior to the date on which services began under this
Agreement; (2)the Contractor shall maintain the policy and provide to the County
annual evidence of insurance for not less than five years after completion of
services under this Agreement; and (3) if the policy is canceled or not renewed,
and not replaced with another claims-made policy with a retroactive date prior to
the date on which services begin under this Agreement, then the Contractor shall
purchase extended reporting coverage on its claims-made policy for a minimum
of five years after completion of services under this Agreement.
(F) Molestation Liability. Sexual abuse I molestation liability insurance with limits of
not less than Two Million Dollars ($2,000,000) per occurrence, with an annual
aggregate of Four Million Dollars ($4,000,000). This policy must be issued on a
per occurrence basis.
(G)Cyber Liability. Cyber liability insurance with limits of not less than Two Million
Dollars ($2,000,000) per occurrence. Coverage must include claims involving
Cyber Risks. The cyber liability policy must be endorsed to cover the full
replacement value of damage to, alteration of, loss of, or destruction of intangible
property (including but not limited to information or data) that is in the care,
custody, or control of the Contractor.
Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i)
Page 3 of 20
Security Breach, which may include Disclosure of Personal Information to an
Unauthorized Third Party; (ii) data breach; (iii) breach of any of the Contractor's
obligations under [identify the Article, section, or exhibit containing data security
obligations] of this Agreement; (iv) system failure; (v) data recovery; (vi) failure to
timely disclose data breach or Security Breach; (vii) failure to comply with privacy
policy; (viii) payment card liabilities and costs; (ix) infringement of intellectual
property, including but not limited to infringement of copyright, trademark, and
trade dress; (x) invasion of privacy, including release of private information; (xi)
information theft; (xii) damage to or destruction or alteration of electronic
information; (xiii) cyber extortion; (xiv) extortion related to the Contractor's
obligations under this Agreement regarding electronic information, including
Personal Information; (xv) fraudulent instruction; (xvi) funds transfer fraud; (xvii)
telephone fraud; (xviii) network security; (xix) data breach response costs,
including Security Breach response costs; (xx) regulatory fines and penalties
related to the Contractor's obligations under this Agreement regarding electronic
information, including Personal Information; and (xxi) credit monitoring expenses.
Additional Requirements
(A)Verification of Coverage. Within 30 days after the Contractor signs this
Agreement, and at any time during the term of this Agreement as requested by
the County's Risk Manager or the County Administrative Office, the Contractor
shall deliver, or cause its broker or producer to deliver, to the County of Fresno,
Department of Public Health, P.O. Box 11867, Fresno, CA 93775, Attention:
Contracts Section — 6th Floor, or email, DPHContracts@fresnocountyca.gov,
certificates of insurance and endorsements for all of the coverages required
under this Agreement.
(i) Each insurance certificate must state that: (1)the insurance coverage has
been obtained and is in full force; (2) the County, its officers, agents,
employees, and volunteers are not responsible for any premiums on the
policy; and (3) the Contractor has waived its right to recover from the
County, its officers, agents, employees, and volunteers any amounts paid
under any insurance policy required by this Agreement and that waiver
does not invalidate the insurance policy.
(ii) The commercial general liability insurance certificate must also state, and
include an endorsement, that the County of Fresno, its officers, agents,
employees, and volunteers, individually and collectively, are additional
insureds insofar as the operations under this Agreement are concerned.
The commercial general liability insurance certificate must also state that
the coverage shall apply as primary insurance and any other insurance, or
self-insurance, maintained by the County shall be excess only and not
contributing with insurance provided under the Contractor's policy.
Page 4 of 20
(iii) The automobile liability insurance certificate must state that the policy
covers any auto used in connection with this Agreement.
(iv) The professional liability insurance certificate, if it is a claims-made policy,
must also state the retroactive date of the policy, which must be prior to
the date on which services began under this Agreement.
(v) The cyber liability insurance certificate must also state that it is endorsed,
and include an endorsement, to cover the full replacement value of
damage to, alteration of, loss of, or destruction of intangible property
(including but not limited to information or data) that is in the care,
custody, or control of the Contractor.
(B)Acceptability of Insurers. All insurance policies required under this Agreement
must be issued by admitted insurers licensed to do business in the State of
California and possessing at all times during the term of this Agreement an A.M.
Best, Inc. rating of no less than A: VII.
(C)Notice of Cancellation or Change. For each insurance policy required under
this Agreement, the Contractor shall provide to the County, or ensure that the
policy requires the insurer to provide to the County, written notice of any
cancellation or change in the policy as required in this paragraph. For
cancellation of the policy for nonpayment of premium, the Contractor shall, or
shall cause the insurer to, provide written notice to the County not less than 10
days in advance of cancellation. For cancellation of the policy for any other
reason, and for any other change to the policy, the Contractor shall, or shall
cause the insurer to, provide written notice to the County not less than 30 days in
advance of cancellation or change. The County in its sole discretion may
determine that the failure of the Contractor or its insurer to timely provide a
written notice required by this paragraph is a breach of this Agreement.
(D)County's Entitlement to Greater Coverage. If the Contractor has or obtains
insurance with broader coverage, higher limits, or both, than what is required
under this Agreement, then the County requires and is entitled to the broader
coverage, higher limits, or both. To that end, the Contractor shall deliver, or
cause its broker or producer to deliver, to the County's Risk Manager certificates
of insurance and endorsements for all of the coverages that have such broader
coverage, higher limits, or both, as required under this Agreement.
(E)Waiver of Subrogation. The Contractor waives any right to recover from the
County, its officers, agents, employees, and volunteers any amounts paid under
the policy of worker's compensation insurance required by this Agreement. The
Contractor is solely responsible to obtain any policy endorsement that may be
necessary to accomplish that waiver, but the Contractor's waiver of subrogation
under this paragraph is effective whether or not the Contractor obtains such an
endorsement.
Page 5 of 20
(F) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails
to keep in effect at all times any insurance coverage required under this
Agreement, the County may, in addition to any other remedies it may have,
suspend or terminate this Agreement upon the occurrence of that failure, or
purchase such insurance coverage, and charge the cost of that coverage to the
Contractor. The County may offset such charges against any amounts owed by
the County to the Contractor under this Agreement.
(G)Subcontractors. The Contractor shall require and verify that all subcontractors
used by the Contractor to provide services under this Agreement maintain
insurance meeting all insurance requirements provided in this Agreement. This
paragraph does not authorize the Contractor to provide services under this
Agreement using subcontractors.
ALTERATION OF TERMS: The body of this MOU fully expresses all understandings
of the parties concerning all matters covered and shall constitute the total MOU. No
addition to, or alteration of, the terms of this MOU whether by written or verbal
understanding of the parties, their officers, agents, or employees shall be valid unless
made in the form of written amendment to this MOU which is formally approved and
executed by all parties.
L NOTICES: All notices, claims, correspondence, reports and/or statements authorized
or required by this MOU shall be addressed as follows:
County:
David Luchini, RN, PHN
Director— Department of Public Health
Health Agency: Fresno County Department of Public Health
County of Fresno
Address: 1221 Fulton Street
Fresno, CA 93721
Email: dluchini@fresnocountyca.gov
Phone: 559-600-3200
Contractor:
Name: Darya Veach
Title: Director, Sponsored Programs
Email: sponprog@calpoly.edu
Phone: 805-756-1123
Change of Contact Information. Either party may change the information in section
7 by giving notice as provided in section 9.
9. Method of Delivery. Each notice between the County and the City provided for or
permitted under this Agreement must be in writing, state that it is a notice provided
Page 6 of 20
under this Agreement, and be delivered either by personal service, by first-class
United States mail, by an overnight commercial courier service, by telephonic
facsimile transmission, or by Portable Document Format (PDF) document attached
to an email.
a) A notice delivered by personal service is effective upon service to the recipient.
b) A notice delivered by first-class United States mail is effective three County
business days after deposit in the United States mail, postage prepaid,
addressed to the recipient.
c) A notice delivered by an overnight commercial courier service is effective one
County business day after deposit with the overnight commercial courier service,
delivery fees prepaid, with delivery instructions given for next day delivery,
addressed to the recipient.
d) A notice delivered by telephonic facsimile transmission or by PDF document
attached to an email is effective when transmission to the recipient is completed
(but, if such transmission is completed outside of County business hours, then
such delivery is deemed to be effective at the next beginning of a County
business day), provided that the sender maintains a machine record of the
completed transmission.
10. DISPUTE RESOLUTION: Any dispute resolution action arising out of this
MOU shall be resolved in accordance with the laws of the State of California.
11. APPLICABLE LAW AND FORUM: This MOU shall be construed and interpreted
according to California law.
1Z TERMINATION:
1. Termination without cause.
This Agreement may be terminated by either Party without cause upon thirty
(30)days written notice.
2. Termination with cause.
This Agreement may be terminated immediately by either Party if the terms of
this Agreement are violated in any manner.
3. Other grounds for termination.
In the event that any other Agreement, as being related to or necessary for the
performance of this Agreement, terminates or expires, this Agreement may be
terminated upon the effective date of the termination of that Agreement,
informal Agreement, even if such termination shall occur with less than thirty
(30) days written notice.
PUBLICITY: The Corporation/University will not use the name of County, or its
employees or subcontractor of Community Health Centers, in any publicity without
approval. County shall not use the name of the University or Corporation, nor any of
its employees, or other persons or entities affiliated with the project, in any publicity,
advertising, or news release without the prior written approval of the authorized
representative of the University or Corporation. Except for on-campus or internal
Page 7 of 20
County newsletters and reports.
14. NON-DISCLOSURE: Contractor and its officers, employees, agents, and
subcontractors shall comply with any and all federal, state, and local laws, which
provide for the confidentiality of protected health information, records, and other
information. Contractor shall not use or disclose protected health information or any
confidential records or other confidential information received from the County or
prepared in connection with the performance of this Agreement. Contractor shall not
use any confidential information gained by Contractor in the performance of this
Agreement except for the sole purpose of carrying out Contractor obligations under
this Agreement or as required by law. Anything in this Agreement to the contrary
notwithstanding, any and all protected health information, knowledge, know-how,
practices, process, or other information (hereinafter referred to as "Confidential
Information") disclosed in writing or in other tangible form which is designated
Confidential Information or which, if initially orally disclosed, is reduced to writing
within forty-five (45) days of disclosure, to either party by the other shall be received
and maintained by the receiving party in strict confidence and shall not be disclosed
to any third party unless required by law.
Furthermore, neither party shall use said Confidential Information for any purpose
other than those purposes specified in this Agreement. The parties may disclose
Confidential Information to those requiring access thereto for the purpose of this
Agreement provided, however, that prior to making any such disclosures, such
employees shall be apprised of the duty and obligation to maintain Confidential
Information in confidence and not use such information for any purpose other than in
accordance with the terms and conditions of this Agreement. All parties agree to use
reasonable efforts not to disclose any agreed to Confidential Information. Nothing
contained herein will in any way restrict or impair either party's right to use, disclose,
or otherwise deal with any Confidential Information which at the time of receipt:
(a) was lawfully known by the receiving party before receipt of it from the disclosing
party;
(b) is or becomes generally available in the public domain, or thereafter becomes
available to the public through no wrongful act or omission of the receiving party;
(c) is rightfully provided to the receiving party by a third party, without restriction on
disclosure or use;
(d) is independently developed by personnel of the receiving party, without breach
of the obligations of confidentiality set forth in this Agreement;
(e) is explicitly approved for release by written authorization of the disclosing party,
but only to the extent of and subject to such conditions as may be imposed in
such written authorizations; or
(f)is made available by the disclosing party to a third party, without restriction
concerning use or disclosure and not in violation of any confidentiality
agreement.
No party will be liable for disclosure of Confidential Information to the extent made: (a)
Page 8 of 20
to comply with a valid Public Records Act request (as applicable to public entities); or
(b) in response to a valid order of court or authorized government agency, provided that
notice must first be given to the party owning the Confidential Information, so a
protective order, if appropriate, may be sought by the owner. Any such required
disclosure shall not, in and of itself, change the status of the disclosed information as
Confidential Information under the terms of this Agreement. The above obligations for
Confidential Information shall be in effect for a period of 1 year from the termination or
expiration of the Agreement.
15. NO DELEGATION OR ASSIGNMENT: County and Contractor shall not delegate,
transfer or assign its duties or rights under this MOU, either in whole or in part, directly
or indirectly, by acquisition, asset sale, merger, change of control, operation of law or
otherwise, without the prior written consent of the other party and any prohibited
delegation or assignment shall render the contract in breach. Upon consent to any
delegation, transfer or assignment, the parties will enter into an amendment to reflect
the transfer and successor to Contractor or County.
1Si. SIGNATURE AUTHORITY: Each party has the full power and authority to enter
into and perform this MOU, and the person signing this MOU on behalf of each party
has been properly authorized and empowered to enter into this MOU.
IL MISCELLANEOUS There are no third-party intended beneficiaries of this
Agreement. No provision of this Agreement may be waived or modified except in an
amendment to this Agreement signed by both parties. No waiver shall be implied from
the passage of time, and no waiver shall be construed to constitute an ongoing waiver.
Page 9 of 20
IN WITNESS WHEREOF,the parties hereto have executed this MOU as of the day and year
first above written.
Contractor:
Cal Poly Corporation, dba Cal Poly Partners, San Luis Obispo
Darya Veach, Director, Sponsored Programs
Signature:pary+Vath(gay 9.20�25 0W.49 POn Date: 05/09/2025
County of Fresno:
Ernest Buddy Mendes, Chairman of the Board.of Supervisors of the County of Fresno
Signature ._ — o Date: a�aDo2 s
ATTEST:
BERNICE E.SEIDEL
EXHIBITS/ATTACHMENTS' Clerk of the Board Supervisors
• County of Fresno,State of California
ATTACHMENT A: ENRICH National Institute of Health Study
ATTACHMENT B: HIPAA Business Associate Exhibit By Deputy
Page 10 of 20
ATTACHMENT A
ENRICH
National Institute of Health (NIH) Study
The goal of ENRICH is to determine the effectiveness of combining pre-and postnatal lifestyle interventions
within established and sustained evidence-based home visiting programs, Nurse Family Partnership,
Healthy Families America and Parents as Teachers to reduce cardiovascular disease risk factors in
Hispanic and non-Hispanic birthing women and children. During the initial 2-year phase, we will work with
our home visiting partners in the development of a high-impact heart health program. During the subsequent
5-year phase, we will conduct a Hybrid Type 1 effectiveness-implementation trial in which we recruit 550
perinatal women (275 in CA and 275 in RI)who are randomized to receive a usual home visiting program or
usual home visiting with heart health content integrated into the curriculum.
ENRICH is important for public health for many reasons
• The program has outstanding potential for reducing cardiovascular disease risk factors and interrupting
the intergenerational transmission of obesity and cardiovascular disease risk factors in socially
disadvantaged, Hispanic and non-Hispanic populations at high risk of cardiovascular disease morbidity
and mortality.
• Our model of enhancing home visiting is very likely to have a sustained impact because it is part of an
established home visiting infrastructure that has been in place for several years, ensuring sustainability of
the implementation context.
• The approach has great potential to reduce the healthcare sector and societal health costs associated
with cardiovascular disease.
Overall Procedures
1. Public Health staff will provide clients with program brochures related to the ENRICH program.
2. If a Public Health client requests more information regarding ENRICH, Public Health staff will provide the
client a "Permission to Contact"form for voluntary client signature. Signed forms will be provided to Cal Poly
representatives who will contact the client to provide more detailed information about the program. Forms
may be completed using paper and pencil method or electronically.
3. Public Health client may also be identified through County electronic records and offered participation via
telephone, email, text message, or by returning the permission to contact card to Cal Poly or Public Health
staff.
4. If a Public Health client opts to enroll in the Cal Poly ENRICH, Cal Poly representatives will conduct study-
related activities in accordance with institutionally approved protocols, including screening, consenting, and
assessment activities. Public Health staff will integrate brief intervention modules into home visiting activities,
as feasible.
5. For Public Health clients who have provided informed consent and volunteered to participate in ENRICH,
Public Health staff may provide information about the client's attendance or contact information changes or
other information to Cal Poly ENRICH staff in accordance with institutionally approved protocols.
6. When feasible, home visitors will attend training sessions describing the ENRICH heart health curriculum
and provide the curriculum to their clients, as they deem appropriate.
7. Cal Poly will answer Public Health client's questions related to ENRICH and refer clients to Public Health
staff if a client's questions are related to Public Health matters and care.
Cal Poly representatives will abide by the following procedures:
1. Coordinate with home visiting personnel regarding scheduled visits by Cal Poly personnel to clinics for
training, recruitment or other purposes.
2. Inform Public Health staff of a client's participation in the study.
3. Provide home visitors with access to the ENRICH curriculum to deliver to their clients who have enrolled in
the ENRICH intervention.
4. Provide home visitors with opportunities to attend training sessions describing the ENRICH heart health
curriculum.
5. For Public Health clients who have provided informed consent and volunteered to participate in ENRICH,
Page 11 of 20
Cal Poly may provide a limited scope of information about the client's measures to Public Health staff in
accordance with institutionally approved protocols.
6. Maintain strict confidentiality of all participant records and ensure all HIPAA requirements are met
throughout research study procedures.
7. Provide written and verbal confirmation to participants that participation in ENRICH is entirely voluntary
and separate from usual home visiting services. Participants can withdraw from ENRICH at any time without
adversely affecting their eligibility or receipt of usual home visiting services.
8. If a home visiting client withdraws from ENRICH, Cal Poly will in no way hold Public Health responsible or
expect Public Health to convince a participant to re-enroll.
Public Health representatives will abide by the following procedures:
1. Offer(and not require)evidence-based home visiting clients the opportunity to participate in ENRICH.
2. Public Health staff may provide information about a client(e.g., contact information changes, attendance,
or other information) to Cal Poly ENRICH staff in accordance with institutionally approved protocols and
client consent.
3. When feasible, attend home visitor training sessions describing the ENRICH heart health curriculum and
provide curriculum to consenting clients.
Page 12 of 20
Attachment B
HIPAA Business Associate Exhibit
I. Recitals.
A. This Agreement has been determined to constitute a business associate relationship under the
Health Insurance Portability and Accountability Act ("HIPAA") and its implementing privacy and security
regulations at 45 CFR Parts160 and 164 ("the HIPAA regulations").
B. The County of Fresno("County")wishes to,or may,disclose to Cal Poly Corporation,San Luis
Obispo ("Business Associate") certain information pursuant to the terms of this Agreement, some of which
may constitute Protected Health Information("PHI")pursuant to HIPAA regulations.
C. "Protected Health Information" or "PHI" means any information, whether oral or recorded in
any form or medium that relates to the past, present, or future physical or mental condition of an individual,
the provision of health or dental care to an individual, or the past,present, or future payment for the provision
of health or dental care to an individual; and that identifies the individual or with respect to which there is a
reasonable basis to believe the information can be used to identify the individual. PHI shall have the meaning
given to such term under HIPAA and HIPAA regulations, as the same may be amended from time to time.
D. "Security Incident" means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of PHI, or confidential data that is essential to the ongoing operation of the
Business Associate's organization and intended for internal use; or interference with system operations in an
information system.
E. As set forth in this Agreement, Cal Poly Corporation, San Luis Obispo. ("Contractor") is the
Business Associate of County that provides services, arranges, performs or assists in the performance of
functions or activities on behalf of County and creates, receives,maintains, transmits,uses or discloses PHI.
F. County and Business Associate desire to protect the privacy and provide for the security of PHI
created, received, maintained, transmitted, used or disclosed pursuant to this Agreement, in compliance with
HIPAA and HIPAA regulations.
G. The purpose of this Exhibit is to satisfy certain standards and requirements of HIPAA and the
HIPAA regulations, and other applicable laws.
H. The terms used in this Exhibit,but not otherwise defined,shall have the same meanings as those
terms are defined in the HIPAA regulations.
In exchanging information pursuant to this Agreement,the parties agree as follows:
II. Permitted Uses and Disclosures of PHI by Business Associate.
A. Permitted Uses and Disclosures. Except as otherwise indicated in this Exhibit, Business
Associate may use or disclose PHI only to perform functions,activities or services specified in this Agreement,
for, or on behalf of County, provided that such use or disclosure would not violate the HIPAA regulations, if
done by County.
B. Specific Use and Disclosure Provisions. Except as otherwise indicated in this Exhibit,
Business Associate may:
1) Use and Disclose for Management and Administration. Use and disclose PHI for the
Page 13 of 20
proper management and administration of the Business Associate or to carry out the legal responsibilities of
the Business Associate, provided that disclosures are required by law, or the Business Associate obtains
reasonable assurances from the person to whom the information is disclosed that it will remain confidential
and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to
the person, and the person notifies the Business Associate of any instances of which it is aware that the
confidentiality of the information has been breached.
III. Responsibilities of Business Associate.
Business Associate agrees:
A. Nondisclosure. Not to use or disclose Protected Health Information (PHI) other than as
permitted or required by this Agreement or as required by law.
B. Safeguards. To implement administrative, physical, and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic PHI,
that it creates, receives, maintains, uses or transmits on behalf of County; and to prevent use or disclosure of
PHI other than as provided for by this Agreement. Business Associate shall develop and maintain a written
information privacy and security program that includes administrative, technical and physical safeguards
appropriate to the size and complexity of the Business Associate's operations and the nature and scope of its
activities, and which incorporates the requirements of section C, Security, below. Business Associate will
provide County with its current and updated policies.
C. Security. The Business Associate shall take any and all steps necessary to ensure the continuous
security of all computerized data systems containing County PHI. These steps shall include, at a minimum:
1) Complying with all of the data system security precautions listed in the Business
Associate Data Security Standards set forth in Attachment 1 to this Exhibit;
2) Security Officer. If the incident occurs after business hours or on a weekend or holiday
and involves electronic PHI, notification shall be provided by calling the County ITSD Help Desk. Business
Associate shall take:
i. Prompt corrective action to mitigate any risks or damages involved with the breach
and to protect the operating environment and
ii. Any action pertaining to such unauthorized disclosure required by applicable Federal
and State laws and regulations.
3) Investigation of Breach. To immediately investigate such security incident,breach, or
unauthorized use or disclosure of PHI or confidential data. Within seventy-two (72) hours of the discovery,to
notify the County:
i. What data elements were involved, and the extent of the data involved in the
breach,
ii. A description of the unauthorized persons known or reasonably believed to
have improperly used or disclosed PHI or confidential data,
iii. A description of where the PHI or confidential data is believed to have been
improperly transmitted, sent, or utilized,
iv. A description of the probable causes of the improper use or disclosure; and
V. Whether Civil Code sections 1798.29 or 1798.82 or any other federal or state
laws requiring individual notifications of breaches are triggered.
4) Written Report. To provide a written report of the investigation to the County under
Page 14 of 20
HIPAA within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. The
report shall include,but not be limited to,the information specified above, as well as a full,detailed corrective
action plan, including information on measures that were taken to halt and/or contain the improper use or
disclosure.
5) Notification of Individuals. To notify individuals of the breach or unauthorized use or
disclosure when notification is required under state or federal law and to pay any costs of such notifications,
as well as any costs associated with the breach. The County shall approve the time,manner and content of any
such notifications.
6) County Contact Information. To direct communications to the above referenced
County staff, Business Associate shall initiate contact as indicated herein. County reserves the right to make
changes to the contact information below by giving written notice to the Business Associate. Said changes
shall not require an amendment to this Exhibit or the Agreement to which it is incorporated.
County of Fresno
Administration
Attn: HIPAA compliance officer
Address P.O. Box 11867, Fresno, CA 93775
Phone (559) 600-6403
D. Employee Training and Discipline. To train and use reasonable measures to ensure compliance
with the requirements of this Exhibit by employees who assist in the performance of functions or activities on
behalf of County under this Agreement and use or disclose PHI; and discipline such employees who
intentionally violate any provisions of this Exhibit, including by termination of employment. In complying
with the provisions of this section K,Business Associate shall observe the following requirements:
1) Business Associate shall provide information privacy and security training, at least
annually, at its own expense, to all its employees who assist in the performance of functions or activities on
behalf of County under this Agreement and use or disclose PHI.
2) Business Associate shall require each employee who receives information privacy and
security training to sign a certification,indicating the employee's name and the date on which the training was
completed.
3) Business Associate shall retain each employee's written certifications for County
inspection for a period of six(6)years following contract termination.
IV. Obligations of County.
County agrees to:
A. Notice of Privacy Practices. Provide Business Associate with applicable and relevant Notice(s)
of Privacy Practices that County HIPAA-covered healthcare components produce in accordance with 45 CFR
164.520, as well as any changes to such notice(s).
B. Permission by Individuals for Use and Disclosure of PHI. Provide the Business Associate
with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes
affect the Business Associate's permitted or required uses and disclosures.
C. Notification of Restrictions. Notify the Business Associate of any restriction to the use or
disclosure of PHI that County has agreed to in accordance with 45 CFR 164.522, to the extent that such
Page 15 of 20
restriction may affect the Business Associate's use or disclosure of PHI.
D. Requests Conflicting with HIPAA Rules. Not request the Business Associate to use or disclose
PHI in any manner that would not be permissible under the HIPAA regulations if done by County.
V. Audits,Inspection and Enforcement.
From time to time,County may inspect the facilities,systems,books and records of Business Associate
to monitor compliance with this Agreement and this Exhibit. Business Associate shall promptly remedy any
violation of any provision of this Exhibit and shall certify the same to the County Privacy Officer or the County
Chief Information Security Officer in writing. The fact that County inspects,or fails to inspect,or has the right
to inspect, Business Associate's facilities, systems and procedures does not relieve Business Associate of its
responsibility to comply with this Exhibit, nor does County's:
A. Failure to detect or
B. Detection, but failure to notify Business Associate or require Business Associate's remediation
of any unsatisfactory practices constitute acceptance of such practice or a waiver of County's enforcement
rights under this Agreement and this Exhibit.
VI. Termination.
A. Termination for Cause. Upon County's knowledge of a material breach of this Exhibit by
Business Associate, County shall:
1) Provide an opportunity for Business Associate to cure the breach or end the violation
and terminate this Agreement if Business Associate does not cure the breach or end the violation within the
time specified by County;
2) Immediately terminate this Agreement if Business Associate has breached a material
term of this Exhibit and cure is not possible; or
3) If neither cure nor termination is feasible, report the violation to the Secretary of the
U.S. Department of Health and Human Services.
B. Judicial or Administrative Proceedings. Business Associate will notify County if it is named
as a defendant in a criminal proceeding for a violation of HIPAA. County may terminate this Agreement if
Business Associate is found guilty of a criminal violation of HIPAA. County may terminate this Agreement
if a finding or stipulation that the Business Associate has violated any standard or requirement of HIPAA, or
other security or privacy laws is made in any administrative or civil proceeding in which the Business Associate
is a party or has been joined.
C. Effect of Termination. Upon termination or expiration of this Agreement for any reason,
Business Associate shall promptly return or destroy all PHI received from County (or created or received by
Business Associate on behalf of County) that Business Associate still maintains in any form, and shall retain
no copies of such PHI or, if return or destruction is not feasible, shall continue to extend the protections of this
Exhibit to such information, and shall limit further use of such PHI to those purposes that make the return or
destruction of such PHI infeasible. This provision shall apply to PHI that is in the possession of subcontractors
or agents of Business Associate,
VII. Miscellaneous Provisions.
Page 16 of 20
A. Disclaimer. County makes no warranty or representation that compliance by Business
Associate with this Exhibit, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business
Associate's own purposes or that any information in Business Associate's possession or control,or transmitted
or received by Business Associate,is or will be secure from unauthorized use or disclosure. Business Associate
is solely responsible for all decisions made by Business Associate regarding the safeguarding of PHI.
B. Amendment. The parties acknowledge that federal and state laws relating to electronic data
security and privacy are rapidly evolving and that amendment of this Exhibit may be required to provide for
procedures to ensure compliance with such developments. The parties specifically agree to take such action
as is necessary to implement the standards and requirements of HIPAA, the HIPAA regulations and other
applicable laws relating to the security or privacy of PHI. Upon County's request, Business Associate agrees
to promptly enter into negotiations with County concerning an amendment to this Exhibit embodying written
assurances consistent with the standards and requirements of HIPAA, the HIPAA regulations or other
applicable laws. County may terminate this Agreement upon thirty(30) days written notice in the event:
1) Business Associate does not promptly enter into negotiations to amend this Exhibit
when requested by County pursuant to this Section or
2) Business Associate does not enter into an amendment providing assurances regarding
the safeguarding and security of PHI that County,in its sole discretion,deems sufficient to satisfy the standards
and requirements of HIPAA and the HIPAA regulations.
C. Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself
and any subcontractors,employees,or agents assisting Business Associate in the performance of its obligations
under this Agreement, available to County at no cost to County to testify as witnesses, or otherwise, in the
event of litigation or administrative proceedings being commenced against County, its directors, officers or
employees based upon claimed violation of HIPAA, the HIPAA regulations or other laws relating to security
and privacy, which involves inactions or actions by the Business Associate, except where Business Associate
or its subcontractor, employee, or agent is a named adverse party.
D. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this
Exhibit is intended to confer,nor shall anything herein confer,upon any person other than County or Business
Associate and their respective successors or assignees, any rights, remedies, obligations or liabilities
whatsoever.
E. Interpretation. The terms and conditions in this Exhibit shall be interpreted as broadly as
necessary to implement and comply with HIPAA,the HIPAA regulations and applicable state laws. The parties
agree that any ambiguity in the terms and conditions of this Exhibit shall be resolved in favor of a meaning
that complies and is consistent with HIPAA and the HIPAA regulations.
F. Regulatory References. A reference in the terms and conditions of this Exhibit to a section in
the HIPAA regulations means the section as in effect or as amended.
G. Survival. The respective rights and obligations of Business Associate under Section VII. C of
this Exhibit shall survive the termination or expiration of this Agreement.
H. No Waiver of Obligations. No change, waiver or discharge of any liability or obligation
hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other
obligation, or shall prohibit enforcement of any obligation, on any other occasion.
Page 17 of 20
Attachment 1
Business Associate Data Security Standards
I. General Security Controls.
A. Confidentiality Statement. All persons that will be working with County PHI must sign a
confidentiality statement. The statement must include at a minimum, General Use, Security and Privacy
Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce
member prior to access to County PHI. The statement must be renewed annually. The Business Associate shall
retain each person's written confidentiality statement for County inspection for a period of six (6) years
following contract termination.
B. Background Check. Before a member of the Business Associate's workforce may access
County PHI, Business Associate must conduct a thorough background check of that worker and evaluate the
results to assure that there is no indication that the worker may present a risk for theft of confidential data. The
Business Associate shall retain each workforce member's background check documentation for a period of
three (3)years following contract termination.
C. Workstation/Laptop Encryption. All workstations and laptops that process and/or store County
PHI must be encrypted using a FIPS 140-2 certified algorithm, such as Advanced Encryption Standard(AES),
with a 128bit key or higher. The encryption solution must be full disk unless approved by the County
Information Security Office.
D. Server Security. Servers containing unencrypted County PHI must have sufficient
administrative, physical, and technical controls in place to protect that data, based upon a risk
assessment/system security review.
E. Minimum Necessary. Only the minimum necessary amount of County PHI required to perform
necessary business functions may be copied, downloaded, or exported.
F. Removable Media Devices. All electronic files that contain County PHI data must be encrypted
when stored on any removable media or portable device using a FIPS 140-2 certified algorithm, such as
Advanced Encryption Standard(AES), with a 128bit key or higher.
G. Antivirus Software. All workstations, laptops and other systems that process and/or store
County PHI must install and actively use comprehensive anti-virus software solution with automatic updates
scheduled at least daily.
H. Patch Management. All workstations, laptops and other systems that process and/or store
County PHI must have security patches applied,with system reboot if necessary. There must be a documented
patch management process which determines installation timeframe based on risk assessment and vendor
recommendations. At a maximum, all applicable patches must be installed within thirty (30) days of vendor
release.
I. User IDs and Password Controls. All users must be issued a unique user name for accessing
County PHI. Username must be promptly disabled, deleted, or the password changed upon the transfer or
termination of an employee with knowledge of the password. Passwords are not to be shared. Must be at least
eight characters. Must be a non-dictionary word. Must not be stored in readable format on the computer.Must
be changed every sixty (60) days. Must be changed if revealed or compromised. Must be composed of
characters from at least three of the following four groups from the standard keyboard:
• Upper case letters (A-Z)
Page 18 of 20
• Lower case letters (a-z)
• Arabic numerals (0-9)
• Non-alphanumeric characters (punctuation symbols)
J. Data Sanitization. All County PHI must be sanitized using NIST Special Publication 800-88
standard methods for data sanitization when the County PSCI is no longer needed.
II. System Security Controls.
A. System Timeout. The system must provide an automatic timeout, requiring re-authentication
of the user session after no more than twenty(20) minutes of inactivity.
B. Warning Banners. All systems containing County PHI must display a warning banner stating
that data is confidential, systems are logged, and system use is for business purposes only. User must be
directed to log off the system if they do not agree with these requirements.
C. System Logging. The system must maintain an automated audit trail which can identify the
user or system process which initiates a request for County PHI, or which alters County PHI. The audit trail
must be date and time stamped, must log both successful and failed accesses, must be read only, and must be
restricted to authorized users. If County PHI is stored in a database, database logging functionality must be
enabled. Audit trail data must be archived for at least six(6) years after occurrence.
D. Access Controls. The system must use role based access controls for all user authentications,
enforcing the principle of least privilege.
E. Transmission Encryption. All data transmissions of County PHI outside the secure internal
network must be encrypted using a FIPS 140-2 certified algorithm, such as Advanced Encryption Standard
(AES), with a 128bit key or higher. Encryption can be end to end at the network level, or the data files
containing County PHI can be encrypted. This requirement pertains to any type of County PHI in motion such
as website access, file transfer, and E-Mail.
F. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting
County PHI that are accessible via the Internet must be protected by a comprehensive intrusion detection and
prevention solution.
III. Audit Controls.
A. System Security Review. All systems processing and/or storing County PHI must have at least
an annual system risk assessment/security review which provides assurance that administrative,physical, and
technical controls are functioning effectively and providing adequate levels of protection. Reviews shall
include vulnerability scanning tools.
B. Log Reviews. All systems processing and/or storing County PHI must have a routine procedure
in place to review system logs for unauthorized access.
C. Change Control. All systems processing and/or storing County PHI must have a documented
change control procedure that ensures separation of duties and protects the confidentiality, integrity and
availability of data.
IV. Business Continuity/Disaster Recovery Controls.
A. Disaster Recovery. Business Associate must establish a documented plan to enable
Page 19 of 20
continuation of critical business processes and protection of the security of electronic County PHI in the event
of an emergency. Emergency means any circumstance or situation that causes normal computer operations to
become unavailable for use in performing the work required under this Agreement for more than twenty-four
(24)hours.
B. Data Backup Plan. Business Associate must have established documented procedures to back-
up County PHI to maintain retrievable exact copies of County PHI. The plan must include a regular schedule
for making back-ups,storing back-ups offsite,an inventory of back-up media,and the amount of time to restore
County PHI should it be lost. At a minimum, the schedule must be a weekly full back-up and monthly offsite
storage of County data.
V. Paper Document Controls.
A. Supervision of Data. County PHI in paper form shall not be left unattended at any time,unless
it is locked in a file cabinet,file room,desk or office. Unattended means that information is not being observed
by an employee authorized to access the information. County PHI in paper form shall not be left unattended
at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes.
B. Escorting Visitors. Visitors to areas where County PHI is contained shall be escorted and
County Protected Health Information shall be kept out of sight while visitors are in the area.
C. Confidential Destruction. County PHI must be disposed of through confidential means, using
NIST Special Publication 800-88 standard methods for data sanitization when the County PSCI is no longer
needed.
D. Removal of Data. County PHI must not be removed from the premises of the Business
Associate except with express written permission of County.
E. Faxing. Faxes containing County PHI shall not be left unattended and fax machines shall be
in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to
destroy them. Fax numbers shall be verified with the intended recipient before sending.
F. Mailing. County PHI shall only be mailed using secure methods. Large volume mailings of
County Protected Health Information shall be by a secure, bonded courier with signature required on receipt.
Disks and other transportable media sent through the mail must be encrypted with a County approved solution,
such as a solution using a vendor product specified on the CSSI.
Page 20 of 20