HomeMy WebLinkAboutAgreement A-19-524 with DHCS.pdfCounty of Fresno
19-96152
1
MEDI-CAL COUNTY INMATE PROGRAM AGREEMENT
Article 1 – Parties
A.The parties to this Agreement (Agreement) are County of Fresno (the County) and
the California Department of Health Care Services (DHCS).
B.The County may voluntarily choose to participate in the Medi-Cal County Inmate
Program (MCIP) by entering into this Agreement as authorized by Welfare and
Institutions Code sections 14053.7 and 14053.8, and Government Code sections
26605.6, 26605.7, and 26605.8.
C.DHCS is the single state agency responsible for administering the California
Medical Assistance Program (Medi–Cal), including MCIP, pursuant to California
Welfare and Institutions Code section 14100.1.
Article 2 – Purpose of the Agreement
A.The purpose of this Agreement is to set forth the terms a County must abide by in
order to participate in MCIP. If a County does not participate in MCIP or does not
abide by the terms of this Agreement, the County remains responsible for
arranging for and paying for medical care for its inmates. MCIP creates budgetary
savings for the County for the medical care provided to its Medi-Cal eligible
inmates. MCIP, makes federal financial participation (FFP) available for medical
care provided to Medi-Cal eligible county inmates. The County receives budgetary
savings because it does not fund the federal share of MCIP services for their Medi-
Cal eligible inmates. MCIP services are provided by Medi-Cal providers to Medi-
Cal eligible inmates, for which FFP may be claimed consistent with federal law,
including but not limited to subparagraph (A) following paragraph (29) of Section
1905(a) of the Social Security Act.
1)MCIP allows the Medi-Cal providers to directly bill DHCS for MCIP services
and DHCS will reimburse the Medi-Cal providers at their applicable Medi-
Cal rate for the services rendered, to the extent FFP is available. DHCS
will seek and retain FFP claimed for MCIP services and the County will
reimburse DHCS any remaining balance for the claims paid by DHCS to the
Medi-Cal provider for MCIP services, except for the MCIP services provided
by public providers under the certified public expenditure (CPE) process.
2)When the Medi-Cal provider is a Designated Public Hospital (DPH) or other
public provider that incurs the cost of the nonfederal share pursuant to the
CPE process, the Medi-Cal provider shall receive the FFP resulting from
expenditures for the MCIP services. Notwithstanding the sentence above,
DPHs may claim under Subparagraph 1 for MCIP services that are not
claimed through the CPE process established in the Demonstration Project.
Agreement No. 19-524
County of Fresno
19-96152
2
B.The County shall reimburse DHCS its apportioned share of the nonfederal share
of the administrative costs incurred for the administration of MCIP based on
Addendum A.
Article 3 – Term of the Agreement
Subject to the provisions of this Agreement, the term of this Agreement shall be one year
from July 1, 2019, through June 30, 2020.
Article 4 – Maximum Payable Amount
A.The amount under this Agreement that the County shall be obligated to reimburse
DHCS for MCIP services paid by DHCS to Medi-Cal providers shall not exceed the
nonfederal share of the Medi-Cal payments for MCIP services for the County’s
inmates incurred by DHCS. The maximum payable amount shall not exceed:
$2,300,000.00. This amount is subject to the annual limitations listed below:
Year MCIP Services
Total Nonfederal Share
SFY 2019-20 $2,300,000.00
B.The amount that the County shall be obligated to pay DHCS for MCIP
administrative services rendered under this Agreement shall not exceed its
apportioned share of the nonfederal share of the federally claimable costs of
administering MCIP incurred by DHCS. The maximum payable amount shall not
exceed the County’s apportioned share, which shall be based on a methodology
specified in Addendum A, which is: $6,967.24. This amount is subject to the
annual limitations listed below:
Year MCIP Administrative Services
Total Nonfederal Share for
the County
SFY 2019-20 $6,967.24
C.The maximum payable amount under this Agreement shall not exce ed
$ 2,306,967.24.
D.For future SFY periods not covered under this Agreement, the maximum payable
amount will be determined through a new Agreement or an amendment to this
Agreement.
County of Fresno
19-96152
3
Article 5 – Contact Persons
Any notice, request, demand or other communication required or permitted hereunder,
shall be deemed to be properly given when deposited in the United States mail, postage
prepaid, and addressed:
In the case of the County, to:
County Coordinator
County of Fresno
Attn: David Pomaville, Director
P.O. Box 11867
Fresno, CA 93775
dpomaville@fresnocountyca.gov
(559) 600-6439
Or to such person or address as the County may furnish in writing or e-mail to DHCS.
In the case of DHCS, to:
California Department of Health Care Services
Safety Net Financing Division
County Based Claiming & Inmate Services Section
Attn: Inmate Medi-Cal Claiming Unit
1501 Capitol Avenue, MS 4504
P.O. Box 997436
Sacramento, CA 95899-7436
Or to such person or address as DHCS may, from time to time, furnish in writing or email
to County.
Article 6 – Payment Terms and Invoicing
A.General Terms
1)The County shall compensate DHCS for the County’s apportioned share of
the nonfederal share of MCIP administrative services, and for the
nonfederal share of MCIP services listed in Article 7, as required by Welfare
and Institutions Code sections 14053.7 and 14053.8, and Government
Code sections 26605.6, 26605.7, and 26605.8, within sixty (60) days of
receipt of an invoice from DHCS, which specifies both the total federally
claimable cost, and the nonfederal share of the total cost, for payments
DHCS has made to providers, except that the County shall not reimburse
the state for the nonfederal share of services billed by Medi-Cal providers
under a CPE process, as described in Articles 8 and 11, below. MCIP
administrative services and MCIP services shall be separately invoiced by
County of Fresno
19-96152
4
DHCS to the County. Addendum A attached to this Agreement includes
details regarding the nonfederal share of administrative costs. If the County
is found to have overpaid DHCS comparing its owed nonfederal share to
payments actually made, DHCS shall refund the overpayment to the County
within forty-five (45) days of an invoice from the County, containing the
same information. This refund may be made by offsetting the amount
against the County’s next quarterly payment due to DHCS.
2)Failure by the County to timely compensate DHCS pursuant to
Paragraphs B and C shall constitute a material breach of this Agreement
by the County, which, at DHCS’ discretion, may result in termination by
DHCS pursuant to Article 10. The County may cure such breach by
rendering payment of the amount owed to DHCS prior to the termination
of this Agreement.
3)In no event shall payment be made by the County for any invoice or portion
thereof exceeding the respective maximum annual Agreement amount
specified in Article 4. Payment for any MCIP administrative services
rendered by DHCS or MCIP services paid by DHCS exceeding the
respective maximum annual Agreement amount shall require an
amendment to this Agreement pursuant to Article 9. If the County fails to
execute a retroactive amendment to the maximum payable amount under
this Agreement, DHCS shall terminate the Agreement pursuant to Article
10.
4)Payments shall be sent to DHCS at the following address (or such other
address as DHCS may specify in writing):
California Department of Health Care Services
Safety Net Financing Division
County Based Claiming & Inmate Services Section
Attn: Inmate Medi-Cal Claiming Unit
1501 Capitol Avenue, MS 4504
P.O. Box 997436
Sacramento, CA 95899-7436
B.MCIP Services
1)DHCS shall submit to the County a quarterly invoice for MCIP services that
identifies the nonfederal share amount, and a report that contains
information regarding paid claims data for the quarter, including information
identifying the provider of services and the beneficiary, the recipient aid
code, and amount of reimbursement, and other information that may be
agreed to between the parties.
County of Fresno
19-96152
5
2)The DHCS invoice shall not contain and the County shall not compensate
DHCS for MCIP services provided by Medi-Cal providers where the County
incurs the cost of providing MCIP services and claims them through the
CPE process.
3)If the Medi-Cal provider renders MCIP services that are not reimbursable
under the CPE process established, then the invoice shall contain and the
County shall reimburse DHCS for the nonfederal share of DHCS’ payments
for these MCIP services.
C.MCIP Administrative Services
1)DHCS shall submit to the County an annual invoice for the County’s
apportioned share of the nonfederal share of MCIP administrative services
based on Addendum A. The annual invoice for reimbursement identifies the
following summarized categories of DHCS costs for the allocated SFY
period billed: salary, benef its, operating expenses, and total costs. Costs
shall be multiplied by one minus the Federal Medical Assistance
Percentage applicable to such administrative costs subject to the limit on
the amount reimbursable by the County under Article 4. For SFY 2019-20
and thereafter, DHCS shall submit annual invoices to the County no later
than one hundred eighty (180) days following the close of the SFY.
2)The County shall not be obligated to pay DHCS for the MCIP administrative
services covered by any invoice if DHCS presents the invoice to the County
more than one (1) year after this Agreement terminates.
Article 7 – DHCS Responsibilities
A.MCIP Services
1)DHCS shall pay the appropriate Medi-Cal fee-for-service rate to Medi-Cal
providers that directly bill DHCS for MCIP services rendered to the County’s
MCIP-eligible inmates and shall seek FFP. DHCS shall be responsible to
pay such providers only to the extent the County commits to reimburse
DHCS the nonfederal share of all federally reimbursable MCIP claims and
for which FFP is available and retained by DHCS for the MCIP service
claims.
2)DHCS shall maintain accounting records to a level of detail which identifies
the actual expenditures incurred for MCIP services, the services provided,
the county responsible, the specific inmate treated, the inmate’s aid code,
and the specific provider billing.
3)DHCS shall submit claims in a timely manner to the federal Medicaid
Program to draw down FFP for DHCS, and shall draw down and distribute
County of Fresno
19-96152
6
FFP for MCIP services claimed through the CPE process. Such claims shall
be submitted in compliance with all applicable laws and regulations.
B.MCIP Administrative Services
1)DHCS shall administer MCIP and this Agreement for claiming federal
reimbursement for MCIP services. It is understood by both the County and
DHCS that other administrative activities including, but not limited to,
transporting MCIP eligible beneficiaries, arranging for their care and for their
incarceration remain the administrative responsibilities of the County.
2)DHCS shall maintain accounting records to a level of detail which identifies
the actual expenditures incurred for personnel services which includes
salary/wages, benefits, overhead costs for DHCS’s staff , as well as
equipment and all related operating expenses applicable to these positions
including, but not limited to, general expense, rent and supplies, and travel
cost for identified staff and managerial staff working specifically on activities
or assignments directly related to MCIP.
C.General Responsibilities
1)DHCS shall:
i.Ensure that an appropriate audit trail exists within DHCS records and
accounting system and maintain expenditure data as indicated in this
Agreement.
ii.Designate a person to act as liaison with County with regard to issues
concerning this Agreement. This person shall be identified to
County’s contact person for this Agreement.
iii.Provide a written response by email or mail to County’s contact
person within thirty (30) days of receiving a written request for
information related to MCIP.
iv.With each quarterly invoice, provide paid claim analysis report to the
County regarding MCIP claims submitted by providers for the
County’s MCIP-eligible inmates, as used for the determination of the
corresponding nonfederal share that is the County’s obligation under
this Agreement.
2)Should the scope of work or services to be performed under this Agreement
conflict with DHCS’ responsibilities under federal Medicaid law, the
responsibilities under federal Medicaid law shall take precedence.
County of Fresno
19-96152
7
3)DHCS’ cessation of any activities due to federal Medicaid law
responsibilities does not relinquish the obligation of the County to reimburse
DHCS for MCIP administrative costs and MCIP services incurred by DHCS
in connection with this Agreement for periods in which the County
participated in the program.
4)DHCS agrees to provide to the County, or any federal or state department
having monitoring or reviewing authority, access to and the right to examine
its applicable records and documents for compliance with relevant federal
and state statutes, rules and regulations, and this Agreement.
Article 8 – County Responsibilities
A.MCIP Services
1)Except as provided in (vi.) of this section, the County is responsible for
reimbursing DHCS for the nonfederal share of MCIP services paid by DHCS
to Medi-Cal providers rendering MCIP services to the County’s MCIP
eligible beneficiaries.
i.The County may pay a Medi-Cal provider to the extent required by
or otherwise permitted by state and federal law to arrange for
services for the MCIP individuals. Such additional amounts shall be
paid entirely with County funds, and shall not be eligible for Social
Security Act Title XIX FFP.
ii.If DHCS pays the Medi-Cal provider more than what the county
would have paid for services rendered, the county cannot request
the difference from the Medi-Cal provider.
iii.If the county would have paid the Medi-Cal provider less than what
DHCS paid the Medi-Cal provider, the county is still obligated to
reimburse DHCS for the nonfederal share of the payment from
DHCS for MCIP services.
iv.In the event that FFP is not available for any MCIP service claimed
pursuant to this Agreement, the County shall be solely responsible
for arranging and paying for any such MCIP service.
v.If the Centers for Medicare & Medicaid Services (CMS) determines
an overpayment has occurred for a payment made to a Medi -Cal
provider for MCIP services to the County’s MCIP-eligible inmate,
including the application of any federal payment limit that reduces
the amount of FFP available for MCIP services, then DHCS shall
seek the overpayment amount from the provider and return the
collected FFP to CMS and return the collected nonfederal share of
County of Fresno
19-96152
8
the overpayment to the County. In the event that DHCS cannot
recover from the Medi-Cal provider such overpayment, the County
shall pay DHCS an amount equal to the FFP portion of the
unrecovered amount to the extent that section 1903(d)(2)(D) of the
Social Security Act is found not to apply.
vi.The County is not responsible for reimbursing DHCS for the
nonfederal share of expenditures for MCIP services provided by
DPHs when those services are reimbursed under the CPE process
because DHCS is not responsible for the nonfederal share of
expenditures for MCIP services reimbursed in the CPE process.
vii.The County is responsible for reimbursing DHCS for the nonfederal
share of MCIP services provided by DPHs that are not reimbursed
under the CPE process.
2)If CMS determines DHCS claimed a higher federal medical assistance
percentage (FMAP) rate than is allowed and FFP is reduced by CMS for the
MCIP services provided to a County’s MCIP-eligible inmate for MCIP
services, then the County shall hold DHCS harmless for the return of the
FFP to CMS.
B.MCIP Administrative Services
1)As a condition of participating in MCIP, the County accepts its responsibility
for reimbursing DHCS for the County’s apportioned share of the nonfederal
share of costs of MCIP administrative services based on Addendum A,
performed by DHCS in administering MCIP, so that there is no expenditure
from the State General Fund.
2)The County shall reimburse DHCS its allotted portion of the nonfederal
share of funding for compensation, associated operating expenses,
equipment, and travel costs for no more than 3.50 full-time equivalent (FTE)
positions composed of: one-half (0.50) FTE Staff Service Manager I, one
(1) FTE Health Program Specialist I, one (1) FTE Staff Services
Analyst/Associate Governmental Program Analyst, one -half (0.50) FTE
Attorney, and one-half (0.50) FTE Accounting Officer, to be established and
housed at DHCS, to support the reported expenditures submission process
for obtaining federal reimbursement under this Agreement. The County’s
allotted portion shall be based on a methodology specified in Addendum A.
County of Fresno
19-96152
9
C. General Responsibilities
1) Upon the County’s compliance with all applicable provisions in this
Agreement and applicable laws, the County may send its MCIP-eligible
inmates to Medi-Cal providers to receive MCIP services.
2) The County shall reimburse DHCS pursuant to Paragraphs A and B with
funds from the County’s General Fund, or from any other funds allowed
under federal law and regulation, including but not limited to, Section
1903(w) of the Social Security Act and Code of Federal Regulations, title
42, part 433, subpart B.
3) In the event of any federal deferral or disallowance which is applicable to
MCIP expenditures, the County shall provide all documents requested by
DHCS within fourteen (14) days.
4) The County shall assist with the completion of and delivery of completed
Medi-Cal applications to County Welfare Department (CWD) within 90
calendar days after the date of admission of the inmate to a Medi-Cal
provider off of the grounds of the county correctional facility which results in
an expected stay of more than 24 hours.
Article 9 – Amendments
A. Amendments to this Agreement shall be made only by a writing signed by the
parties to this Agreement and, if required by state law, by approval of the California
Department of General Services. Notwithstanding the previous sentence, any
update made to the appropriate contact persons identified in Article 5 may be made
by e-mail to the other contact person or persons and without formal amendment.
B. This Agreement shall be amended pursuant to findings from the periodic
assessment identified in Article 11.H, to accurately reflect the State’s
administrative costs and MCIP medical care costs.
Article 10 – Termination and Agreement Disputes
A. This Agreement may be terminated by any party upon written notice given at least
thirty (30) calendar days prior to the termination date. Notice shall be addressed
to the respective parties as identified in Article 5 of this Agreement. The County
shall remain obliged after the termination date to pay for all MCIP administrative
costs and MCIP services incurred by DHCS for periods in which it participated in
the program.
B. This Agreement shall be terminated upon cessation of MCIP. The County shall
remain obliged after the termination date to pay for all of the County’s apportioned
share of MCIP administrative costs based on Addendum A and all of the County’s
County of Fresno
19-96152
10
MCIP services incurred by DHCS for periods in which it participated in the
program.
C.An informal dispute resolution process shall be undertaken prior to the dispute
resolution processes described in Subparagraphs 1 to 2, below. In case of a
dispute there shall be a discussion between the County and DHCS staff, and if not
resolved then the County shall address the issue to DHCS in a written letter. If
unresolved then the dispute resolution processes in Subparagraphs 1 to 2 shall be
undertaken as appropriate.
1)Nothing in this Agreement shall prevent the County from pursuing any other
administrative and judicial review available to it under law.
2)Judicial review pursuant to Code of Civil Procedure section 1085 shall be
available to resolve disputes relating to the terms, performance, or
termination of this Agreement, or any act, failure to act, conduct, order, or
decision of DHCS that violate this Agreement subject to Article 11.F.
D.The terms of Article 6 (Payment Terms and Invoicing), Article 10 (Termination and
Agreement Disputes), Article 11.B (Indemnification), and Article 11.D (Records)
shall survive after the termination date.
Article 11 – General Provisions
A.Definitions.
1)The term “certified public expenditure process” or “CPE process” means the
process established for the Medi-Cal program under state law (including but
not limited to Welfare and Institutions Code section 14166.1, et seq.), the
California Medi-Cal state plan, and approved Medicaid demonstration
projects and waivers through which public Medi-Cal providers claim federal
financial participation for their allowable expenditures.
2)The term “days” as used in this Agreement shall mean calendar days unless
specified otherwise.
3)The term “Demonstration Project” means the California Medi-Cal 2020
Demonstration, Number 11-W -00193/9, as approved by CMS effective
beginning December 30, 2015.
4)The term “designated public hospital” is defined as set forth in the
Demonstration Project, which shall be codified in state law at Welfare and
Institutions Code section 14184.10, subdivision (f) pursuant to SB 815
(2016), and as may be modified from time to time .
County of Fresno
19-96152
11
5)The term “inmate” as used in this Agreement includes the persons identified
in Welfare and Institutions Code sections 14053.7(e)(2)(A) and 14053.8(k)
“juvenile inmate,” and Government Code sections 26605.6(a) “prisoner,”
26605.7(a) “prisoner” and (d)(1) “probationer,” and 26605.8 “prisoner” and
“probationer.”
6)The term “MCIP” or “Medi-Cal County Inmate Program” contains the
following three components: the Adult County Inmate Program (ACIP), as
authorized in state law pursuant to Welfare and Institutions Code section
14053.7 and Penal Code section 5072, the Juvenile County Ward Program
(JCWP), as authorized in Welfare and Institutions Code section 14053.8,
and the County Compassionate Release Program (CCRP) and County
Medical Probation Program (CMPP), as authorized by Government Code
sections 26605.6, 26605.7, and 26605.8.
7)“MCIP administrative services” means the administrative services provided
by DHCS personnel for the administration of MCIP, which shall include, but
not be limited to those services provided by the personnel in Article 8 when
claiming federal reimbursement for MCIP services and seeking
reimbursement for DHCS from the County.
8)“Medi-Cal provider” means, any individual, partnership, group association,
corporation, institution, or entity and the officer, directors, owners,
managing employees or agents of any partnership, group association,
corporation, institution, or entity that provides services, goods, supplies, or
merchandise, directly or indirectly, to a Medi-Cal beneficiary, and that has
been enrolled in the Medi-Cal program.
For purposes of MCIP, a Medi-Cal provider may claim for MCIP services
rendered to the MCIP-eligible inmate depending on the MCIP component
program. For example, a clinic cannot seek reimbursement from DHCS for
outpatient services provided to an ACIP inmate because the outpatient
services provided are not allowable as MCIP services for ACIP. A Medi-Cal
provider does not go through a separate Medi-Cal enrollment or certification
process to participate in MCIP.
9)“MCIP services” constitutes all of the following, only to the extent federal
financial participation is available: a) in ACIP, Medi-Cal allowable inpatient
hospital services, including inpatient psychiatric services , and physician
services provided during the inpatient hospital service stay of adult inmates
in county correctional facilities who are determined eligible for Medi-Cal
pursuant to Welfare and Institutions Code section 14053.7 ; b) in the
Compassionate Release Program pursuant to Government Code section
26605.6 and Medical Probation Program pursuant to Government Code
section 26605.7, full-scope Medi-Cal services; c) in JCWP, Medi-Cal
allowable inpatient hospital services, including inpatient psychiatric services
County of Fresno
19-96152
12
and physician services, of juvenile inmates in county correctional facilities
who are determined eligible for Medi-Cal services pursuant to Welfare and
Institutions Code section 14053.8; and, d) any other Medi-Cal program for
which federal reimbursement is available for coverage of adult inmates and
juvenile inmates in county correctional facilities, if authorized by law and
agreed to by the County and DHCS by amending this Agreement.
10) The term “Medi-Cal rate” means the reimbursement determined by the
reimbursement methodology approved for the Medi-Cal provider under the
California State Plan, or Social Security Act section 1115 Demonstration
Project or section 1915 waiver.
11) The State Fiscal Year (SFY) begins on July 1st of each year and ends on
June 30th in the subsequent calendar year.
B.Indemnification. It is agreed that the County shall defend, hold harmless, and
indemnify DHCS, its officers, employees, and agents from any and all reported
expenditures, liability, loss, or expense (including reasonable attorney fees) for
injuries or damage to any person, any property, or both which arise out of the terms
and conditions of this Agreement and the negligent or intentional acts or omissions
of the County, its officers, employees, or agents.
C.Severability. If any term, condition, or provision of this Agreement is held by a
court of competent jurisdiction to be invalid, void, or unenforceable, the remaining
provisions will nevertheless continue in full force and effect, and shall not be
affected, impaired or invalidated in any way. Notwithstanding the previous
sentence, if a decision by a court of competent jurisdiction invalidates, voids, or
renders unenforceable a term, condition, or provision in this Agreement that is
included in the purpose of this Agreement then the parties to this Agreement shall
either amend this Agreement pursuant to Article 9, or it shall be terminated
pursuant to Article 10.
D.Records. DHCS and the County shall maintain and preserve all records relating
to this Agreement for a period of three (3) years from DHCS’ receipt of the last
payment of FFP, or until three years after all audit findings are resolved, whichever
is later. This does not limit any responsibilities held by DHCS or the County
provided for elsewhere in this Agreement, or in state or federal law.
E.Compliance with Applicable Laws. All parties performance under this Agreement
shall be in accordance with all applicable federal and state laws, including, but not
limited to:
1)The Americans with Disabilities Act of 1990, as amended;
2)Section 504 of the Rehabilitation Act of 1973, as am ended;
3)Title XIX of the Social Security Act;
4)Welfare and Institutions Code section 14000 et seq.;
County of Fresno
19-96152
13
5)Government Code section 53060;
6)The California Medicaid State Plan;
7)Laws and regulations including, but not limited to those related to
licensure, certification, confidentiality of records, quality assurance, and
nondiscrimination;
8)The Policy and Procedure Letters, and similar instructions, published with
regulatory authority;
9)Government Code sections 26605.6, 26605.7, and 26605.8;
10)Penal Code section 5072;
11)Title 42 of the Code of Federal Regulations; and,
12)California Code of Regulations.
F.Controlling Law and Venue. The validity of this Agreement and its terms or
provisions, as well as the rights and duties of the parties hereunder, the
interpretation and performance of this Agreement shall be governed by the laws of
the State of California. Venue of any action brought with regards to this Agreement
shall be in any county in which the Attorney General maintains an office .
G.Integration Clause.
1)This Agreement and any exhibits and addendums attached hereto shall
constitute the entire Agreement among the parties to it pertaining to the
implementation of MCIP and supersedes any prior or contemporaneous
understanding or agreement with respect to the subject matter of this
Agreement.
2)Notwithstanding Subparagraph G.1., DHCS Form 9098 or DHCS Form
6208 (whichever is applicable) is incorporated by reference into this
Agreement if the County has a DHCS Form 9098 or DHCS Form 6208 on
record. Notwithstanding Subparagraph G.1., the terms of the DHCS Form
9098 or DHCS Form 6208 controls to the extent there is a conflict with this
Agreement, except for Article 10 of this Agreement. If the DHCS Form 9098
or DHCS Form 6208 does not address a matter addressed by this
Agreement, then this Agreement controls.
H.Periodic Assessment. Pursuant to Welfare and Institutions Code sections 14053.7
and 14053.8, and Government Code sections 26605.6, 26605.7, and 26605.8 , the
County enters into this Agreement in order to implement MCIP under which the
County may participate and for which the County will pay the nonfederal share of
all federally reimbursable administrative costs and medical care costs incurred by
DHCS performing activities described in Article 7. The County agrees that DHCS,
in its sole discretion, may conduct a periodic assessment in consultation with the
counties, of such costs incurred by DHCS to determine compliance with Welfare
and Institutions Code sections 14053.7 and 14053.8, Penal Code section 5072,
and Government Code sections 26605.6, 26605.7, and 26605.8, and DHCS
agrees to ensure that all invoicing as described in Article 6 and any other relevant
County of Fresno
19-96152
14
documentation will be accordingly updated to ensure compliance with Welfare and
Institutions Code sections 14053.7 and 14053.8, Penal Code section 5072, and
Government Code sections 26605.6, 26605.7, and 26605.8 .
I.Conformance Clause. Any provision of this Agreement in conflict with present or
future governing authorities is hereby amended to conform to those authorities and
such amended provisions supersede any conflicting provisions in this Agreement.
The governing authorities include, but are not limited to the authorities listed in
Article 11.E.
J.Waiver. No covenant, condition, duty, obligation, or undertaking made a part of
this Agreement shall be waived except by amendment of the Agreement by the
parties hereto, and forbearance or indulgence in any other form or manner by
either party in any regard whatsoever shall not constitute a waiver of the covenant,
condition, duty, obligation, or undertaking to be kept, performed, or discharged by
the other party to which the same may apply; and, until performance or satisfaction
of all covenants, duties, obligations, or undertakings is complet e, the party shall
have the right to invoke any remedy available under this Agreement, or under law,
notwithstanding such forbearance or indulgence.
K.Third Party Benefit. None of the provisions of this Agreement are or shall be
construed as for the benefit of, or enforceable by, any person not a party to this
Agreement.
L.Conflict of Interest. The County is subject to the Medi-Cal Conflict of Interest Law,
as applicable and set forth in Welfare and Institutions Code section 14022 and
Article 1.1 (commencing with section 14030), and implemented pursuant to
California Code of Regulations, title 22, section 51466.
M.Budget Contingency Clause.
1)DHCS will seek an appropriation in the Budget Act each State fiscal year
which would authorize DHCS to pay Medi-Cal providers for MCIP services.
It is mutually agreed that if the State Budget Act of the current SFY or any
subsequent SFYs covered under this Agreement does not appropriate any
funds for MCIP, this Agreement shall be of no further force and effect. In
this event, an Article 10.B termination shall be implemented and DHCS shall
have no liability to pay any funds whatsoever to Medi-Cal providers for
MCIP services for the County’s inmates rendered through the termination
date of this Agreement.
2)If funding associated with MCIP for any SFY is reduced by the State Budget
Act DHCS shall have the option to cancel this Agreement, with no liability
occurring to the State.
County of Fresno
19-96152
15
N.Limitation of State Liability.
1)Notwithstanding any other provision of this Agreement, DHCS shall be held
harmless from any federal audit disallowance and interest resulting from
payments made by the federal Medicaid program as reimbursement for
claims providing services for MCIP, less the amounts already remitted to or
recovered by DHCS for the disallowed claim.
2)To the extent that a federal audit disallowance and interest results from a
claim or claims for which the Medi-Cal provider has received reimbursement
for MCIP services under this Agreement, DHCS shall recoup from the Medi-
Cal provider, upon written notice, amounts equal to the amount of the
disallowance and interest in that fiscal year for the disallowed claim, less
the amounts already remitted to or recovered by DHCS. All subsequent
claims submitted to DHCS applicable to any previously disallowed claim,
may be held in abeyance, with no payment made, until the federal
disallowance issue is resolved.
O.Exclusions. The County shall comply with the following requirements:
1)The conviction of an employee or subcontractor of the County, or of an
employee of a subcontractor, of any felony or of a misdemeanor involving
fraud, abuse of any Medi-Cal beneficiary, or abuse of the Medi-Cal program,
shall result in the exclusion of that employee or subcontractor, or employee
of a subcontractor, from participation in MCIP except as a beneficiary.
2)Exclusion after conviction described in Article 11.O.1 shall result regardless
of any subsequent order under Penal Code section 1203.4 allowing a
person to withdraw his or her plea of guilty and to enter a plea of not guilty,
or setting aside the verdict of guilty, or dismissing the accusation,
information, or indictment.
3)Suspension or exclusion of an employee or a subcont ractor, or of an
employee of a subcontractor, from participation in the Medi -Cal program,
the Medicaid program, or the Medicare program, shall result in the exclusion
of that employee or subcontractor, or employee of a subcontractor, from
participation in MCIP, except as a beneficiary.
4)Revocation, suspension, or restriction of the license, certificate, or
registration of any employee, subcontractor, or employee of a
subcontractor, shall result in exclusion from MCIP, when such license,
certificate, or registration is required for the provision of services.
County of Fresno
19-96152
16
P.Confidentiality. The County shall comply with the applicable confidentiality
requirements as specified in Section 1902(a)(7) of the Social Security Act; Code
of Federal Regulations, title 42, section 431.300; Welfare and Institutions Code
section 14100.2; and California Code of Regulations, title 22, section 51009; and,
the Business Associates Agreement attached and hereby incorporated by
reference.
Q.Data Sharing.
1)The County shall comply with all provisions of the current Business
Associates Agreement (BAA) incorporated by reference and made part of
this Agreement as Addendum B.
County of Fresno
19-96152
The persons signing this Agreement on behalf of County and DHCS , as applicable ,
represent and warrant that he or she is an individual duly authorized and having authority
to sign on behalf of, and approve for , County or DHCS , as applicable , and is authorized
and designated to enter into and approve this Agreement on behalf of County or DHCS ,
as applicable.
ATTEST:
BERNICE E . SEIDEL
County of Fresno Clerk of the Board of Supervisors
~:£n~California
Signature : _•_2 ___ Q~--~~=~_2 ______ Depu~
Name: Nathan Magsig
Title : Chairman of the Board of Supervisors of the County of Fresno
Date :
CALIFORNIA DEPARTMENT OF HEAL TH CARE SERVICES
Contracts Section
Signature :
Name : Carrie Talbot
Title : SSM I Contracts Section
Date :
17
County of Fresno
19-96152
ADDENDUM A: MCIP Administrative Costs for State Fiscal Year 2019-20
The Medi-Cal County Inmate Program (MCIP) agreement is a one-year contract giving counties
the option to participate on an annual basis. At the beginning of each calendar year, counties
have the opportunity to participate in the program for the upcoming State Fiscal Year (SFY) by
completing the MCIP Agreement.
The methodology for calculating each county’s nonfederal share of administrative costs was
developed by DHCS, in consultation with the California State Association of Counties, County
Health Executives Association of California, California Association of Public Hospitals and Health
Systems, and the California State Sheriffs’ Association. For SFY 2019-20 the nonfederal share of
administrative costs allocated to each county will be based on the following:
30% of the total administrative costs will be distributed evenly to participating
counties over 50,000 in population. *
70% of the total administrative costs will be allocated to participating counties
pro-rata based on population. *
*Population data will be obtained from the California Department of Finance,
Demographic Estimates
DHCS will invoice participating counties for the nonfederal share of administrative costs six
months after the close of the SFY based on actual administrative costs per the methodology
above, not exceeding the estimated amounts in the MCIP agreements.
County of Fresno
19-96152
Page 1 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
I.Recitals
A.This Contract (Agreement) has been determined to constitute a business associate relationship under
the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the
Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 ('the HITECH
Act"), 42 U.S.C. section 17921 et seq., and their implementing privacy and security regulations at 45
CFR Parts 160 and 164 (“the HIPAA regulations”).
B.The Department of Health Care Services (“DHCS”) wishes to disclose to Business Associate certain
information pursuant to the terms of this Agreement, some of which may constitute Protected Health
Information (“PHI”), including protected health information in electronic media (“ePHI”), under federal
law, and personal information ("PI") under state law.
C.As set forth in this Agreement, Contractor, here and after, is the Business Associate of DHCS acting on
DHCS' behalf and provides services, arranges, performs or assists in the performance of functions or
activities on behalf of DHCS and creates, receives, maintains, transmits, uses or discloses PHI and PI.
DHCS and Business Associate are each a party to this Agreement and are collectively referred to as
the "parties.”
D.The purpose of this Addendum is to protect the privacy and security of the PHI and PI that may be
created, received, maintained, transmitted, used or disclosed pursuant to this Agreement, and to
comply with certain standards and requirements of HIPAA, the HITECH Act and the HIPAA regulations,
including, but not limited to, the requirement that DHCS must enter into a contract containing specific
requirements with Contractor prior to the disclosure of PHI to Contractor, as set forth in 45 CFR Parts
160 and 164 and the HITECH Act, and the Final Omnibus Rule as well as the Alcohol and Drug Abuse
patient records confidentiality law 42 CFR Part 2, and any other applicable state or federal law or
regulation. 42 CFR section 2.1(b)(2)(B) allows for the disclosure of such records to qualified personnel
for the purpose of conducting management or financial audits, or program evaluation. 42 CFR Section
2.53(d) provides that patient identifying information disclosed under this section may be disclosed only
back to the program from which it was obtained and used only to carry out an audit or evaluation
purpose or to investigate or prosecute criminal or other activities, as authorized by an appropriate court
order.
E.The terms used in this Addendum, but not otherwise defined, shall have the same meanings as those
terms have in the HIPAA regulations. Any reference to statutory or regulatory language shall be to
such language as in effect or as amended.
II.Definitions
A.Breach shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA
regulations, and the Final Omnibus Rule.
B.Business Associate shall have the meaning given to such term under HIPAA, the HITECH Act, the
HIPAA regulations, and the final Omnibus Rule.
C.Covered Entity shall have the meaning given to such term under HIPAA, the HITECH Act, the HIPAA
regulations, and Final Omnibus Rule.
D.Electronic Health Record shall have the meaning given to such term in the HITECH Act, including, but
not limited to, 42 U.S.C Section 17921 and implementing regulations.
County of Fresno
19-96152
Page 2 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
E.Electronic Protected Health Information (ePHI) means individually identifiable health information
transmitted by electronic media or maintained in electronic media, including but not limited to electronic
media as set forth under 45 CFR section 160.103.
F.Individually Identifiable Health Information means health information, including demographic information
collected from an individual, that is created or received by a health care provider, health plan, employer
or health care clearinghouse, and relates to the past, present or future physical or mental health or
condition of an individual, the provision of health care to an individual, or the past, present, or future
payment for the provision of health care to an individual, that identifies the individual or where there is a
reasonable basis to believe the information can be used to identify the individual, as set forth under 45
CFR section 160.103.
G.Privacy Rule shall mean the HIPAA Regulation that is found at 45 CFR Parts 160 and 164.
H.Personal Information shall have the meaning given to such term in California Civil Code section
1798.29.
I.Protected Health Information means individually identifiable health information that is transmitted by
electronic media, maintained in electronic media, or is transmitted or maintained in any other form or
medium, as set forth under 45 CFR section 160.103.
J.Required by law, as set forth under 45 CFR section 164.103, means a mandate contained in law that
compels an entity to make a use or disclosure of PHI that is enforceable in a court of law. This
includes, but is not limited to, court orders and court-ordered warrants, subpoenas or summons issued
by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized
to require the production of information, and a civil or an authorized investigative demand. It also
includes Medicare conditions of participation with respect to health care providers participating in the
program, and statutes or regulations that require the production of information, including statutes or
regulations that require such information if payment is sought under a government program providing
public benefits.
K.Secretary means the Secretary of the U.S. Department of Health and Human Services ("HHS") or the
Secretary's designee.
L.Security Incident means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of PHI or PI, or confidential data that is essential to the ongoing operation of
the Business Associate’s organization and intended for internal use; or interference with system
operations in an information system.
M.Security Rule shall mean the HIPAA regulation that is found at 45 CFR Parts 160 and 164.
N.Unsecured PHI shall have the meaning given to such term under the HITECH Act, 42 U.S.C. section
17932(h), any guidance issued pursuant to such Act, and the HIPAA regulations.
III.Terms of Agreement
A.Permitted Uses and Disclosures of PHI by Business Associate
Permitted Uses and Disclosures. Except as otherwise indicated in this Addendum, Business
Associate may use or disclose PHI only to perform functions, activities or services specified in this
Agreement, for, or on behalf of DHCS, provided that such use or disclosure would not violate th e
County of Fresno
19-96152
Page 3 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
HIPAA regulations, if done by DHCS. Any such use or disclosure must, to the extent practicable, be
limited to the limited data set, as defined in 45 CFR section 164.514(e)(2), or, if needed, to the
minimum necessary to accomplish the intended purpose of such use or disclosure, in compliance with
the HITECH Act and any guidance issued pursuant to such Act, the HIPAA regulations, the Final
Omnibus Rule and 42 CFR Part 2.
1.Specific Use and Disclosure Provisions. Except as otherwise indicated in this Addendum,
Business Associate may:
a.Use and disclose for management and administration. Use and disclose PHI for the proper
management and administration of the Business Associate provided that such disclosures are
required by law, or the Business Associate obtains reasonable assurances from the person to
whom the information is disclosed that it will remain confidential and will be used or further
disclosed only as required by law or for the purpose for which it was disclosed to the person,
and the person notifies the Business Associate of any instances of which it is aware that the
confidentiality of the information has been breached.
b.Provision of Data Aggregation Services. Use PHI to provide data aggregation services to
DHCS. Data aggregation means the combining of PHI created or received by the Business
Associate on behalf of DHCS with PHI received by the Business Associate in its capacity as the
Business Associate of another covered entity, to permit data analyses that relate to the health
care operations of DHCS.
B.Prohibited Uses and Disclosures
1.Business Associate shall not disclose PHI about an individual to a health plan for payment or health
care operations purposes if the PHI pertains solely to a health care item or service for which the
health care provider involved has been paid out of pocket in full and the individual requests such
restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section 164.522(a).
2.Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except
with the prior written consent of DHCS and as permitted by 42 U.S.C. section 17935(d)(2).
C.Responsibilities of Business Associate
Business Associate agrees:
1.Nondisclosure. Not to use or disclose Protected Health Information (PHI) other than as permitted
or required by this Agreement or as required by law.
2.Safeguards. To implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic
PHI, that it creates, receives, maintains, uses or transmits on behalf of DHCS, in compliance with
45 CFR sections 164.308, 164.310 and 164.312, and to prevent use or disclosure of PHI other than
as provided for by this Agreement. Business Associate shall implement reasonable and appropriate
policies and procedures to comply with the standards, implementation specifications and other
requirements of 45 CFR section 164, subpart C, in compliance with 45 CFR section 164.316.
Business Associate shall develop and maintain a written information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and
complexity of the Business Associate’s operations and the nature and scope of its activities, and
County of Fresno
19-96152
Page 4 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
which incorporates the requirements of section 3, Security, below. Business Associate will provide
DHCS with its current and updated policies.
3.Security. To take any and all steps necessary to ensure the continuous security of all
computerized data systems containing PHI and/or PI, and to protect paper documents containing
PHI and/or PI. These steps shall include, at a minimum:
a.Complying with all of the data system security precautions listed in Attachment A, the Business
Associate Data Security Requirements;
b.Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and
164), as necessary in conducting operations on behalf of DHCS under this Agreement;
c.Providing a level and scope of security that is at least comparable to the level and scope of
security established by the Office of Management and Budget in OMB Circular No. A-130,
Appendix III - Security of Federal Automated Information Systems, which sets forth guidelines
for automated information systems in Federal agencies; and
d.In case of a conflict between any of the security standards contained in any of these
enumerated sources of security standards, the most stringent shall apply. The most stringent
means that safeguard which provides the highest level of protection to PHI from unauthorized
disclosure. Further, Business Associate must comply with changes to these standards that
occur after the effective date of this Agreement.
Business Associate shall designate a Security Officer to oversee its data security program who
shall be responsible for carrying out the requirements of this section and for communicating on
security matters with DHCS.
D.Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known
to Business Associate of a use or disclosure of PHI by Business Associate or its subcontractors in
violation of the requirements of this Addendum.
E.Business Associate’s Agents and Subcontractors.
1.To enter into written agreements with any agents, including subcontractors and vendors, to whom
Business Associate provides PHI or PI received from or created or received by Business Associate
on behalf of DHCS, that impose the same restrictions and conditions on such agents,
subcontractors and vendors that apply to Business Associate with respect to such PHI and PI under
this Addendum, and that comply with all applicable provisions of HIPAA, the HITECH Act the
HIPAA regulations, and the Final Omnibus Rule, including the requirement that any agents,
subcontractors or vendors implement reasonable and appropriate administrative, physical, and
technical safeguards to protect such PHI and PI. Business associates are directly liable under the
HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and
disclosures of protected health information that are not authorized by its contract or required by law.
A business associate also is directly liable and subject to civil penalties for failing to safeguard
electronic protected health information in accordance with the HIPAA Security Rule. A “business
associate” also is a subcontractor that creates, receives, maintains, or transmits protected health
information on behalf of another business associate. Business Associate shall incorporate, when
applicable, the relevant provisions of this Addendum into each subcontract or subaward to such
agents, subcontractors and vendors, including the requirement that any security incidents or
breaches of unsecured PHI or PI be reported to Business Associate.
County of Fresno
19-96152
Page 5 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
2.In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate’s knowledge of a
material breach or violation by its subcontractor of the agreement between Business Associate and
the subcontractor, Business Associate shall:
a.Provide an opportunity for the subcontractor to cure the breach or end the violation and
terminate the agreement if the subcontractor does not cure the breach or end the violation
within the time specified by DHCS; or
b.Immediately terminate the agreement if the subcontractor has breached a material term of the
agreement and cure is not possible.
F.Availability of Information to DHCS and Individuals. To provide access and information:
1.To provide access as DHCS may require, and in the time and manner designated by DHCS (upon
reasonable notice and during Business Associate’s normal business hours) to PHI in a Designated
Record Set, to DHCS (or, as directed by DHCS), to an Individual, in accordance with 45 CFR
section 164.524. Designated Record Set means the group of records maintained for DHCS that
includes medical, dental and billing records about individuals; enrollment, payment, claims
adjudication, and case or medical management systems maintained for DHCS health plans; or
those records used to make decisions about individuals on behalf of DHCS. Business Associate
shall use the forms and processes developed by DHCS for this purpose and shall respond to
requests for access to records transmitted by DHCS within fifteen (15) calendar days of receipt of
the request by producing the records or verifying that there are none.
2.If Business Associate maintains an Electronic Health Record with PHI, and an individual requests a
copy of such information in an electronic format, Business Associate shall provide such information
in an electronic format to enable DHCS to fulfill its obligations under the HITECH Act , including but
not limited to, 42 U.S.C. section 17935(e).
3.If Business Associate receives data from DHCS that was provided to DHCS by the Social Security
Administration, upon request by DHCS, Business Associate shall provide DHCS with a list of all
employees, contractors and agents who have access to the Social Security data, including
employees, contractors and agents of its subcontractors and agents.
G.Amendment of PHI. To make any amendment(s) to PHI that DHCS directs or agrees to pursuant to
45 CFR section 164.526, in the time and manner designated by DHCS.
H.Internal Practices. To make Business Associate’s internal practices, books and records relating to the
use and disclosure of PHI received from DHCS, or created or received by Business Associate on behalf
of DHCS, available to DHCS or to the Secretary of the U.S. Department of Health and Human Services
in a time and manner designated by DHCS or by the Secretary, for purposes of determining DHCS’
compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive
possession of any other entity or person and the other entity or person fails or refuses to furnish t he
information to Business Associate, Business Associate shall so certify to DHCS and shall set forth the
efforts it made to obtain the information.
County of Fresno
19-96152
Page 6 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
I.Documentation of Disclosures. To document and make available to DHCS or (at the direction of
DHCS) to an Individual such disclosures of PHI, and information related to such disclosures, necessary
to respond to a proper request by the subject Individual for an accounting of disclosures of PHI, in
accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR
section 164.528 and 42 U.S.C. section 17935(c). If Business Associate maintains electronic health
records for DHCS as of January 1, 2009, Business Associate must provide an accounting of
disclosures, including those disclosures for treatment, payment or health care operations, effective with
disclosures on or after January 1, 2014. If Business Associate acquires electronic health records for
DHCS after January 1, 2009, Business Associate must provide an accounting of disclosures, including
those disclosures for treatment, payment or health care operations, effective with disclosures on or
after the date the electronic health record is acquired, or on or after January 1, 2011, whichever date is
later. The electronic accounting of disclosures shall be for disclosures during the three years prior to
the request for an accounting.
J.Breaches and Security Incidents. During the term of this Agreement, Business Associate agrees to
implement reasonable systems for the discovery and prompt reporting of any breach or security
incident, and to take the following steps:
1.Notice to DHCS. (1) To notify DHCS immediately upon the discovery of a suspected security
incident that involves data provided to DHCS by the Social Security Administration. This notification
will be by telephone call plus email or fax upon the discovery of the breach. (2) To notify DHCS
within 24 hours by email or fax of the discovery of unsecured PHI or PI in electronic media or in
any other media if the PHI or PI was, or is reasonably believed to have been, accessed or acquired
by an unauthorized person, any suspected security incident, intrusion or unauthorized access, use
or disclosure of PHI or PI in violation of this Agreement and this Addendum, or potential loss of
confidential data affecting this Agreement. A breach shall be treated as discovered by Business
Associate as of the first day on which the breach is known, or by exercising reasonable diligence
would have been known, to any person (other than the person committing the breach) who is an
employee, officer or other agent of Business Associate.
Notice shall be provided to the DHCS Program Contract Manager, the DHCS Privacy Officer and
the DHCS Information Security Officer. If the incident occurs after business hours or on a weekend
or holiday and involves data provided to DHCS by the Social Security Administration, notice shall
be provided by calling the DHCS EITS Service Desk. Notice shall be made using the “DHCS
Privacy Incident Report” form, including all information known at the time. Business Associate
shall use the most current version of this form, which is posted on the DHCS Privacy Office website
(www.dhcs.ca.gov, then select “Privacy” in the left column and then “Business Use” near the middle
of the page) or use this link:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx
Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or
disclosure of PHI or PI, Business Associate shall take:
a.Prompt corrective action to mitigate any risks or damages involved with the breach and to
protect the operating environment; and
b.Any action pertaining to such unauthorized disclosure required by applicable Federal and State
laws and regulations.
County of Fresno
19-96152
Page 7 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
2.Investigation and Investigation Report. To immediately investigate such security incident,
breach, or unauthorized access, use or disclosure of PHI or PI. If the initial report did not include all
of the requested information marked with an asterisk, then within 72 hours of the discovery,
Business Associate shall submit an updated “DHCS Privacy Incident Report” containing the
information marked with an asterisk and all other applicable information listed on the form, to the
extent known at that time, to the DHCS Program Contract Manager, the DHCS Privacy Officer, and
the DHCS Information Security Officer:
3.Complete Report. To provide a complete report of the investigation to the DHCS Program
Contract Manager, the DHCS Privacy Officer, and the DHCS Inf ormation Security Officer within ten
(10) working days of the discovery of the breach or unauthorized use or disclosure. If all of the
required information was not included in either the initial report, or the Investigation Report, then a
separate Complete Report must be submitted. The report shall be submitted on the “DHCS Privacy
Incident Report” form and shall include an assessment of all known factors relevant to a
determination of whether a breach occurred under applicable provisions of HIPAA, the HITECH Act,
the HIPAA regulations and/or state law. The report shall also include a full, detailed corrective
action plan, including information on measures that were taken to halt and/or contain the improper
use or disclosure. If DHCS requests information in addition to that listed on the ”DHCS Privacy
Incident Report” form, Business Associate shall make reasonable efforts to provide DHCS with
such information. If necessary, a Supplemental Report may be used to submit revised or additional
information after the completed report is submitted, by submitting the revised or additional
information on an updated “DHCS Privacy Incident Report” form. DHCS will review and approve or
disapprove the determination of whether a breach occurred, is reportable to the appropriate entities,
if individual notifications are required, and the corrective action plan.
4.Notification of Individuals. If the cause of a breach of PHI or PI is attributable to Business
Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals of the
breach or unauthorized use or disclosure when notification is required under state or federal law
and shall pay any costs of such notifications, as well as any costs associated with the breach. The
notifications shall comply with the requirements set forth in 42 U.S.C. section 17932 and its
implementing regulations, including, but not limited to, the requirement that the notifications be
made without unreasonable delay and in no event later than 60 calendar days. The DHCS
Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer
shall approve the time, manner and content of any such notifications and their review and appr oval
must be obtained before the notifications are made.
5.Responsibility for Reporting of Breaches. If the cause of a breach of PHI or PI is attributable to
Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for
all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing
regulations, including notification to media outlets and to the Secretary. If a breach of unsecured
PHI involves more than 500 residents of the State of California or its jurisdiction, Business
Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If
Business Associate has reason to believe that duplicate reporting of the same breach or incident
may occur because its subcontractors, agents or vendors may report the breach or incident to
DHCS in addition to Business Associate, Business Associate shall notify DHCS, and DHCS and
Business Associate may take appropriate action to prevent duplicate reporting. The breach
reporting requirements of this paragraph are in addition to the reporting requirements set forth in
subsection 1, above.
6.DHCS Contact Information. To direct communications to the above referenced DHCS staff, the
Contractor shall initiate contact as indicated herein. DHCS reserves the right to make changes to
County of Fresno
19-96152
Page 8 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
the contact information below by giving written notice to the Contractor. Said changes shall not
require an amendment to this Addendum or the Agreement to which it is incorporated.
DHCS Program
Contract Manager
DHCS Privacy Officer DHCS Information Security Officer
See the Scope of Work
exhibit for Program
Contract Manager
information
Privacy Officer
c/o: Office of HIPAA Compliance
Department of Health Care Services
P.O. Box 997413, MS 4722
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646
Fax: (916) 440-7680
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Fax: (916) 440-5537
Telephone: EITS Service Desk
(916) 440-7000 or
(800) 579-0874
K.Termination of Agreement. In accordance with Section 13404(b) of the HITECH Act and to the extent
required by the HIPAA regulations, if Business Associate knows of a material breach or violation by
DHCS of this Addendum, it shall take the following steps:
1.Provide an opportunity for DHCS to cure the breach or end the violation and terminate the
Agreement if DHCS does not cure the breach or end the violation within the time specified by
Business Associate; or
2.Immediately terminate the Agreement if DHCS has breached a material term of the Addendum and
cure is not possible.
L.Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps to
ensure that it remains in compliance with this Addendum and is in compliance with applicable
provisions of HIPAA, the HITECH Act and the HIPAA regulations, and that its agents, subcontractors
and vendors are in compliance with their obligations as required by this Addendum.
M.Sanctions and/or Penalties. Business Associate understands that a failure to comply with the
provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Business
Associate may result in the imposition of sanctions and/or penalties on Business Associate under
HIPAA, the HITECH Act and the HIPAA regulations.
IV.Obligations of DHCS
DHCS agrees to:
A.Notice of Privacy Practices. Provide Business Associate with the Notice of Privacy Practices that
DHCS produces in accordance with 45 CFR section 164.520, as well as any changes to such notice.
Visit the DHCS Privacy Office to view the most current Notice of Privacy Practices at:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/default.aspx or the DHCS website at
www.dhcs.ca.gov (select “Privacy in the left column and “Notice of Privacy Practices” on the right side
of the page).
B.Permission by Individuals for Use and Disclosure of PHI. Provide the Business Associate with any
changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect
the Business Associate’s permitted or required uses and disclosures.
County of Fresno
19-96152
Page 9 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
C.Notification of Restrictions. Notify the Business Associate of any restriction to the use or disclosure
of PHI that DHCS has agreed to in accordance with 45 CFR section 164.522, to the extent that such
restriction may affect the Business Associate’s use or disclosure of PHI.
D.Requests Conflicting with HIPAA Rules. Not request the Business Associate to use or disclose PHI
in any manner that would not be permissible under the HIPAA regulations if done by DHCS.
V.Audits, Inspection and Enforcement
A.From time to time, DHCS may inspect the facilities, systems, books and records of Business Associate
to monitor compliance with this Agreement and this Addendum. Business Associate shall promptly
remedy any violation of any provision of this Addendum and shall certify the same to the DHCS Privacy
Officer in writing. The fact that DHCS inspects, or fails to inspect, or has the right to inspect, Business
Associate’s facilities, systems and procedures does not relieve Business Associate of its responsibility
to comply with this Addendum, nor does DHCS’:
1.Failure to detect or
2.Detection, but failure to notify Business Associate or require Business Associate’s remediation of
any unsatisfactory practices constitute acceptance of such practice or a waiver of DHCS’
enforcement rights under this Agreement and this Addendum.
B.If Business Associate is the subject of an audit, compliance review, or complaint investigation by the
Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is related
to the performance of its obligations pursuant to this HIPAA Business Associate Addendum, Business
Associate shall notify DHCS and provide DHCS with a copy of any PHI or PI that Business Associate
provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI or PI to the
Secretary. Business Associate is responsible for any civil penalties assessed due to an audit or
investigation of Business Associate, in accordance with 42 U.S.C. section 17934(c).
VI.Termination
A.Term. The Term of this Addendum shall commence as of the effective date of this Addendum and
shall extend beyond the termination of the contract and shall terminate when all the PHI provided by
DHCS to Business Associate, or created or received by Business Associate on behalf of DHCS, is
destroyed or returned to DHCS, in accordance with 45 CFR 164.504(e)(2)(ii)(I).
B.Termination for Cause. In accordance with 45 CFR section 164.504(e)(1)(ii), upon DHCS’ knowledge
of a material breach or violation of this Addendum by Business Associate, DHCS shall:
1.Provide an opportunity for Business Associate to cure the breach or end the violation and terminate
this Agreement if Business Associate does not cure the breach or end the violation within the time
specified by DHCS; or
2.Immediately terminate this Agreement if Business Associate has breached a material term of this
Addendum and cure is not possible.
County of Fresno
19-96152
Page 10 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
C.Judicial or Administrative Proceedings. Business Associate will notify DHCS if it is named as a
defendant in a criminal proceeding for a violation of HIPAA. DHCS may terminate this Agreement if
Business Associate is found guilty of a criminal violation of HIPAA. DHCS may terminate this
Agreement if a finding or stipulation that the Business Associate has violated any standard or
requirement of HIPAA, or other security or privacy laws is made in any administrative or civil
proceeding in which the Business Associate is a party or has been joined.
D.Effect of Termination. Upon termination or expiration of this Agreement for any reason, Business
Associate shall return or destroy all PHI received from DHCS (or created or received by Business
Associate on behalf of DHCS) that Business Associate still maintains in any form, and shall retain no
copies of such PHI. If return or destruction is not feasible, Business Associate shall notify DHCS of the
conditions that make the return or destruction infeasible, and DHCS and Business Associate shall
determine the terms and conditions under which Business Associate may retain the PHI. Business
Associate shall continue to extend the protections of this Addendum to such PHI, and shall limit further
use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This
provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
VII. Miscellaneous Provisions
A.Disclaimer. DHCS makes no warranty or representation that compliance by Business Associate with
this Addendum, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business
Associate’s own purposes or that any information in Business Associate’s possession or control, or
transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure.
Business Associate is solely responsible for all decisions made by Business Associate regarding the
safeguarding of PHI.
B.Amendment. The parties acknowledge that federal and state laws relating to electronic data security
and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for
procedures to ensure compliance with such developments. The parties specifically agree to take such
action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the
HIPAA regulations and other applicable laws relating to the security or privacy of PHI. Upon DHCS’
request, Business Associate agrees to promptly enter into negotiations with DHCS concerning an
amendment to this Addendum embodying written assurances consistent with the standards and
requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable laws. DHCS may
terminate this Agreement upon thirty (30) days written notice in the event:
1.Business Associate does not promptly enter into negotiations to amend this Addendum when
requested by DHCS pursuant to this Section; or
2.Business Associate does not enter into an amendment providing assurances regarding the
safeguarding of PHI that DHCS in its sole discretion, deems sufficient to satisfy the standards and
requirements of HIPAA and the HIPAA regulations.
C.Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and
any subcontractors, employees or agents assisting Business Associate in the performance of its
obligations under this Agreement, available to DHCS at no cost to DHCS to testify as witnesses, or
otherwise, in the event of litigation or administrative proceedings being commenced against DHCS, its
directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other
laws relating to security and privacy, which involves inactions or actions by the Business Associate,
except where Business Associate or its subcontractor, employee or agent is a named adverse party.
County of Fresno
19-96152
Page 11 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
D.No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this
Addendum is intended to confer, nor shall anything herein confer, upon any person other than DHCS or
Business Associate and their respective successors or assignees, any rights, remedies, obligations or
liabilities whatsoever.
E.Interpretation. The terms and conditions in this Addendum shall be interpreted as broadly as
necessary to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations and
applicable state laws. The parties agree that any ambiguity in the terms and conditions of this
Addendum shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the
HITECH Act and the HIPAA regulations.
F.Regulatory References. A reference in the terms and conditions of this Addendum to a section in the
HIPAA regulations means the section as in effect or as amended.
G.Survival. The respective rights and obligations of Business Associate under Section VI.D of this
Addendum shall survive the termination or expiration of this Agreement.
H.No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on
any one or more occasions shall be deemed a waiver of performance of any continuing or other
obligation, or shall prohibit enforcement of any obligation, on any other occasion.
County of Fresno
19-96152
Page 12 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
Attachment A
Business Associate Data Security Requirements
I.Personnel Controls
A.Employee Training. All workforce members who assist in the performance of functions or
activities on behalf of DHCS, or access or disclose DHCS PHI or PI must complete information
privacy and security training, at least annually, at Business Associate’s expense. Each workforce
member who receives information privacy and security training must sign a certification, indicating
the member’s name and the date on which the training was completed. These certifications must
be retained for a period of six (6) years following contract termination.
B.Employee Discipline. Appropriate sanctions must be applied against workforce members who fail
to comply with privacy policies and procedures or any provisions of these requirements, including
termination of employment where appropriate.
C.Confidentiality Statement. All persons that will be working with DHCS PHI or PI must sign a
confidentiality statement that includes, at a minimum, General Use, Security and Privacy
Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the
workforce member prior to access to DHCS PHI or PI. The statement must be renewed annually.
The Contractor shall retain each person’s written confidentiality statement for DHCS inspection for a
period of six (6) years following contract termination.
D.Background Check. Before a member of the workforce may access DHCS PHI or PI, a thorough
background check of that worker must be conducted, with evaluation of the results to assure that
there is no indication that the worker may present a risk to the security or integrity of confidential
data or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce
member’s background check documentation for a period of three (3) years following contract
termination.
II.Technical Security Controls
A.Workstation/Laptop encryption. All workstations and laptops that process and/or store DHCS
PHI or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such
as Advanced Encryption Standard (AES). The encryption solution must be full disk unless
approved by the DHCS Information Security Office.
B.Server Security. Servers containing unencrypted DHCS PHI or PI must have sufficient
administrative, physical, and technical controls in place to protect that data, based upon a risk
assessment/system security review.
C.Minimum Necessary. Only the minimum necessary amount of DHCS PHI or PI required to perform
necessary business functions may be copied, downloaded, or exported.
D.Removable media devices. All electronic files that contain DHCS PHI or PI data must be
encrypted when stored on any removable media or portable device (i.e. USB thumb drives, floppies,
CD/DVD, smartphones, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm
which is 128bit or higher, such as AES.
County of Fresno
19-96152
Page 13 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
E.Antivirus software. All workstations, laptops and other systems that process and/or store DHCS
PHI or PI must install and actively use comprehensive anti-virus software solution with automatic
updates scheduled at least daily.
F.Patch Management. All workstations, laptops and other systems that process and/or store DHCS
PHI or PI must have critical security patches applied, with system reboot if necessary. There must
be a documented patch management process which determines installation timeframe based on
risk assessment and vendor recommendations. At a maximum, all applicable patches must be
installed within 30 days of vendor release.
G.User IDs and Password Controls. All users must be issued a unique user name for accessing
DHCS PHI or PI. Username must be promptly disabled, deleted, or the password changed upon
the transfer or termination of an employee with knowledge of the password, at maximum within 24
hours. Passwords are not to be shared. Passwords must be at least eight characters and must be
a non-dictionary word. Passwords must not be stored in readable format on the computer.
Passwords must be changed every 90 days, preferably every 60 days. Passwords must be
changed if revealed or compromised. Passwords must be composed of characters from at least
three of the following four groups from the standard keyboard:
Upper case letters (A-Z)
Lower case letters (a-z)
Arabic numerals (0-9)
Non-alphanumeric characters (punctuation symbols)
H.Data Destruction. When no longer needed, all DHCS PHI or PI must be cleared, purged, or
destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such
that the PHI or PI cannot be retrieved.
I.System Timeout. The system providing access to DHCS PHI or PI must provide an automatic
timeout, requiring re-authentication of the user session after no more than 20 minutes of inactivity.
J.Warning Banners. All systems providing access to DHCS PHI or PI must display a warning
banner stating that data is confidential, systems are logged, and system use is for business
purposes only by authorized users. User must be directed to log off the system if they do not agree
with these requirements.
K.System Logging. The system must maintain an automated audit trail which can identify the user
or system process which initiates a request for DHCS PHI or PI, or which alters DHCS PHI or PI.
The audit trail must be date and time stamped, must log both successful and failed accesses, must
be read only, and must be restricted to authorized users. If DHCS PHI or PI is stored in a
database, database logging functionality must be enabled. Audit trail data must be archived for at
least 3 years after occurrence.
L.Access Controls. The system providing access to DHCS PHI or PI must use role based access
controls for all user authentications, enforcing the principle of least privilege.
County of Fresno
19-96152
Page 14 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
M.Transmission encryption. All data transmissions of DHCS PHI or PI outside the secure internal
network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such as
AES. Encryption can be end to end at the network level, or the data files containing PHI can be
encrypted. This requirement pertains to any type of PHI or PI in motion such as website access, file
transfer, and E-Mail.
N.Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting DHCS
PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion
detection and prevention solution.
III.Audit Controls
A.System Security Review. All systems processing and/or storing DHCS PHI or PI must have at
least an annual system risk assessment/security review which provides assurance that
administrative, physical, and technical controls are functioning effectively and providing adequate
levels of protection. Reviews should include vulnerability scanning tools.
B.Log Reviews. All systems processing and/or storing DHCS PHI or PI must have a routine
procedure in place to review system logs for unauthorized access.
C.Change Control. All systems processing and/or storing DHCS PHI or PI must have a documented
change control procedure that ensures separation of duties and protects the confidentiality, integrity
and availability of data.
IV.Business Continuity / Disaster Recovery Controls
A.Emergency Mode Operation Plan. Contractor must establish a documented plan to enable
continuation of critical business processes and protection of the security of electronic DHCS PHI or
PI in the event of an emergency. Emergency means any circumstance or situation that causes
normal computer operations to become unavailable for use in performing the work required under
this Agreement for more than 24 hours.
B.Data Backup Plan. Contractor must have established documented procedures to backup DHCS
PHI to maintain retrievable exact copies of DHCS PHI or PI. The plan must include a regular
schedule for making backups, storing backups offsite, an inventory of backup media, and an
estimate of the amount of time needed to restore DHCS PHI or PI should it be lost. At a minimum,
the schedule must be a weekly full backup and monthly offsite storage of DHCS data.
V.Paper Document Controls
A.Supervision of Data. DHCS PHI or PI in paper form shall not be left unattended at any time,
unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is
not being observed by an employee authorized to access the information. DHCS PHI or PI in paper
form shall not be left unattended at any time in vehicles or planes and shall not be checked in
baggage on commercial airplanes.
B.Escorting Visitors. Visitors to areas where DHCS PHI or PI is contained shall be escorted and
DHCS PHI or PI shall be kept out of sight while visitors are in the area.
County of Fresno
19-96152
Page 15 of 15
Addendum B
HIPAA Business Associate Addendum
DHCS HIPAA BAA 2/15
C.Confidential Destruction. DHCS PHI or PI must be disposed of through confidential means, such
as cross cut shredding and pulverizing.
D.Removal of Data. DHCS PHI or PI must not be removed from the premises of the Contractor
except with express written permission of DHCS.
E.Faxing. Faxes containing DHCS PHI or PI shall not be left unattended and fax machines shall be
in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in
error to destroy them. Fax numbers shall be verified with the intended recipient before sending the
fax.
F.Mailing. Mailings of DHCS PHI or PI shall be sealed and secured from damage or inappropriate
viewing of PHI or PI to the extent possible. Mailings which include 500 or more individually
identifiable records of DHCS PHI or PI in a single package shall be sent using a tracked mailing
method which includes verification of delivery and receipt, unless the prior written permission of
DHCS to use another method is obtained.
California Department of Health Care Services
Name/No.: Medi-Cal County Inmate Program (MCIP) Agreement (No. 19-96159)
Fund/Subclass: 0001/10000
Organization #: 56201683
Revenue Account #: 7295