AGREEMENT NO. 15-050
STATE OF CALIFORNIA
STANDARD AGREEMENT
STD 213 DHCS (Rev 01/13)
REGISTRATION NUMBER
AGREEMENT NUMBER: 14-90316
1. This Agreement is entered into between the State Agency and the Contractor named below:
STATE AGENCY'S NAME (Also known as DHCS, CDHS, DHS or the State)
Department of Health Care Services
CONTRACTOR'S NAME (Also referred to as Contractor)
County of Fresno
2. The term of this Agreement is: July 1, 2014 through June 30, 2015
3. The maximum amount of this Agreement is: $0 (Zero dollars)
4. The parties agree to comply with the terms and conditions of the following exhibits, which are by this reference made a
part of this Agreement.
Exhibit A - Program Specifications (13 pages)
Exhibit A - Attachment I (1 page)
Exhibit B - Funds Provision (1 page)
Exhibit C* - General Terms and Conditions (GTC 610)
Exhibit F - Information Confidentiality and Security Requirements (7 pages)
Exhibit G - Privacy and Information Security Provisions (32 pages)
Exhibit G - Attachment B - Information Exchange Agreement between the Social Security Administration (SSA) and the California Department of Health Care Services (66 pages)
Items shown above with an Asterisk (*), are hereby incorporated by reference and made part of this agreement as if attached hereto.
These documents can be viewed at http://www.ols.dgs.ca.gov/Standard+Language/default.htm.
IN WITNESS WHEREOF, this Agreement has been executed by the parties hereto.
CONTRACTOR
CONTRACTOR'S NAME (if other than an individual, state whether a corporation, partnership, etc.)
Deborah A. Poochigian, Chairman, Boar
ADDRESS
Fresno County Department of Behavioral Health
4441 E. Kings Canyon, Fresno, CA 93702
STATE OF CALIFORNIA
AGENCY NAME
Department of Health Care Services
BY (Authorized Signature)
PRINTED NAME AND TITLE OF PERSON SIGNING
Christina Soares, Chief, Contracts Management Unit
ADDRESS
DATE SIGNED (Do not type)
1501 Capitol Avenue, Suite 71.5195, MS 1403, P.O. Box 997413,
Sacramento, CA 95899-7413
ATTEST:
BERNICE E. SEIDEL, Clerk
Board of Supervisors
By
California Department of
General Services Use Only
[X] Exempt per: W&I Code § 14703
County of Fresno
Contract Number: 14-90316
Page 1
Exhibit A
Program Specifications
1. Service Overview
The California Department of Health Care Services (hereafter referred to as DHCS or Department) administers the Mental Health Services Act, Projects for Assistance in Transition from Homelessness (PATH) and Community Mental Health Services Grant (MHBG) programs and oversees county provision of community mental health services provided with realignment funds. Contractor (hereafter referred to as County in this Exhibit) must meet certain conditions and requirements to receive funding for these programs and community mental health services. This Agreement, which is County's performance contract, as required by Welfare and Institutions Code (W&I) sections 5650(a), 5847, and Title 9, California Code of Regulations (CCR), section 3310, sets forth conditions and requirements that County must meet in order to receive this funding. This Agreement does not cover federal financial participation or State general funds as they relate to Medi-Cal services provided through the Mental Health Plan Contracts. County agrees to comply with all of the conditions and requirements described herein.
DHCS shall monitor this Agreement to ensure compliance with applicable federal and State law and applicable regulations (W&I §§ 5610 and 5651.)
2. Service Location
The services shall be performed at appropriate sites as described in this contract.
3. Service Hours
The services shall be provided during times required by this contract.
4. Project Representatives
A. The project representatives during the term of this Agreement will be:
Department of Health Care Services
Contract Manager: Dina Kokkos-Gonzales
Telephone: (916) 552-9055
Fax: (916) 440-7620
Email: Dina.Kokkos@dhcs.ca.gov
B. Direct all inquiries to:
Contractor's Name
Contract Manager: Dawan Utecht
Telephone: (559) 600-9193
Fax: (559) 600-7674
Email: dutecht@co.fresno.ca.us
Department of Health Care Services
Mental Health Services Division/Program
Policy Unit
Attention: Dee Taylor
1500 Capitol Avenue, MS 2702
P.O. Box Number 997413
Sacramento, CA, 95899-7413
Telephone: (916) 552-9536
Fax: (916) 440-7620
Email: Dee.Taylor@dhcs.ca.gov
Contractor's Name
Attention: Dawan Utecht
Fresno County Department of Behavioral Health
4441 E. Kings Canyon
Fresno, CA, 93702
Telephone: (559) 600-9193
Fax: (559) 600-7674
Email: dutecht@co.fresno.ca.us
C. Either party may make changes to the information above by giving written notice to the other party. Said changes shall not require an amendment to this Agreement.
5. Services to be Performed
County shall adhere to the program principles and, to the extent funds are available, County shall provide the array of treatment options in accordance with Welfare and Institutions Code sections 5600.2 through 5600.9, inclusive.
A. GENERAL REQUIREMENTS FOR AGREEMENT
County shall comply with all of the requirements of Section A.1 of this Provision for all County mental health programs, including those specified in Sections B, C and D. County shall provide all of the data and information specified in Section A.2 to the extent that the data and information is required for each of the County mental health programs, including those specified in Sections B, C and D of this Provision, for which it receives federal or State funds.
1) W&I section 5651 provides specific assurances, listed below, that must be included in this Agreement. County shall:
a. Comply with the expenditure requirements of Section 17608.05,
b. Provide services to persons receiving involuntary treatment as required by Part 1 (commencing with Section 5000) and Part 1.5 (commencing with Section 5585) of Division 5 of the Welfare and Institutions Code,
c. Comply with all of the requirements necessary for Medi-Cal reimbursement for mental health treatment services and case management programs provided to Medi-Cal eligible individuals, including, but not limited to, the provisions set forth in Chapter 3 (commencing with Section 5700) of the Welfare and Institutions Code, and submit cost reports and other data to DHCS in the form and manner determined by the DHCS,
d. Ensure that the Local Mental Health Advisory Board has reviewed and approved procedures ensuring citizen and professional involvement at all stages of the planning process pursuant to W&I section 5604.2,
e. Comply with all provisions and requirements in law pertaining to patient rights,
f. Comply with all requirements in federal law and regulation pertaining to federally funded mental health programs,
g. Provide all data and information set forth in Sections 5610, 5664 and 5845(d)(6) of the Welfare and Institutions Code,
h. If the County elects to provide the services described in Chapter 2.5 (commencing with Section 5670) of Division 5 of the Welfare and Institutions Code, comply with guidelines established for program initiatives outlined in this chapter, and
i. Comply with all applicable laws and regulations for all services delivered, including all laws, regulations, and guidelines of the Mental Health Services Act.
2) County shall comply with all data and information submission requirements specified in this Agreement.
a. County shall provide all applicable data and information required by federal and/or State law in order to receive any funds to pay for its mental health programs and services, including but not limited to its MHSA programs, PATH grant (if the County receives funds from this grant) or MHBG grant. These federal and State laws include Title 42, United States Code, sections 290cc-21 through 290cc-35 and 300x through 300x-9, inclusive, W&I sections 5610 and 5664 and the regulations that implement, interpret or make specific, these federal and State laws and any DHCS-issued guidelines that relate to the programs or services.
b. County shall comply with the reporting requirements set forth in Division 1 of Title 9 of the California Code of Regulations (CCR) and any other reporting requirements for which County receives federal or State funding source for mental health programs. County shall submit complete and accurate information to DHCS including, but not limited to, the following:
i. Client and Service Information (CSI) System Data (See Subparagraph c of this Paragraph)
ii. MHSA Quarterly Progress Reports, as specified in Title 9, CCR, section 3530.20. MHSA Quarterly Progress Reports provide the actual number of clients served by MHSA-funded program. Reports are submitted on a quarterly basis.
iii. Full Service Partnership Performance Outcome data, as specified in Title 9, CCR, section 3530.30.
iv. Consumer Perception Survey data, as specified in Title 9, CCR, section 3530.40.
v. County shall submit the Annual Mental Health Services Act Revenue and Expenditure Report to DHCS and the Mental Health Services Oversight and Accountability Commission (MHSOAC), pursuant to W&I section 5899(a) and Title 9, CCR, section 3510 and DHCS-issued guidelines.
c. County shall submit CSI data to DHCS, in accordance with the requirements set forth in the DHCS' CSI Data Dictionary. County shall:
i. Report monthly CSI data to DHCS within 60 calendar days after the end of the month in which services were provided.
ii. Report within 60 calendar days or be in compliance with an approved plan of correction with the DHCS's CSI Unit.
iii. Make diligent efforts to minimize errors on the CSI error file.
iv. Notify DHCS 90 calendar days prior to any change in reporting system and/or change of automated system vendor.
d. In the event that DHCS or County determines that changes requiring a change in County's or DHCS' obligation must be made relating to either the DHCS' or County's information needs due to federal or state law changes or business requirements, both the DHCS and County agree to provide notice to the other party as soon as practicable prior to implementation. This notice shall include information and comments regarding the anticipated requirements and impacts of the projected changes. DHCS and County agree to meet and discuss the design, development, and costs of the anticipated changes prior to implementation.
e. If applicable to a specific federal or State funding source covered by this Agreement, County shall require each of its subcontractors to submit a fiscal year-end cost report, due to DHCS no later than December 31 following the close of the fiscal year, in accordance with applicable federal and State laws, regulations and DHCS-issued guidelines.
f. If applicable to a specific federal or State funding source covered by this Agreement, County shall comply with W&I section 5751.7 and ensure that minors are not admitted into inpatient psychiatric treatment with adults. If the health facility does not have specific separate housing arrangements, treatment staff, and treatment programs designed to serve children or adolescents it must request a waiver of this requirement from DHCS as follows:
i. If this requirement creates an undue hardship on County, County may request a waiver of this requirement. County shall submit the waiver request on Attachment I of this Agreement, to DHCS.
ii. DHCS shall review County's waiver request and provide a written notice of approval or denial of the waiver. If County's waiver request is denied, it shall comply with the provision of W&I section 5751.7.
iii. County shall submit, and DHCS shall accept, the waiver request only at the time this Agreement, signed by County, is submitted to DHCS for execution. County shall complete Attachment I, including responses to items 1 through 4 and attach it to this Agreement. See Exhibit A, Attachment I, entitled "Request For Waiver" of this Agreement for additional submission information.
iv. In unusual or emergency circumstances, when counties need to request waivers after the annual Performance Contract has been executed, these requests should be sent immediately to: Licensing and Certification Section, Program Oversight and Compliance Branch, California Department of Health Care Services, 1700 K Street, MS 2800, Sacramento, CA 95811-4037, Phone: (916) 323-1864.
v. Each admission of a minor to a facility that has an approved waiver shall be reported to the Local Mental Health Director.
g. If County chooses to participate in the Assisted Outpatient Treatment program (AOT) Demonstration Project Act of 2002 it shall be required to comply with all applicable statutes including, but not limited to, W&I sections 5345 through 5349.5, inclusive. In addition, County shall submit to DHCS any documents that DHCS requests as part of its statutory responsibilities in accordance with DHCS Letter No. 03-01 dated March 20, 2003.
h. For all mental health funding sources received by County that require submission of a cost report, County shall submit a fiscal year-end cost report by December 31st following the close of the fiscal year in accordance with County's existing or future mental health programs' applicable federal and State law. State law includes at least W&I section 5705, applicable regulations and DHCS-issued guidelines. The cost report shall be certified by the mental health director and one of the following: the County mental health department's chief financial officer (or equivalent), an individual who has delegated authority to sign for, and reports directly to, the county mental health department's chief financial officer (or equivalent), or the county's auditor-controller (or equivalent). Data submitted shall be full and complete. The County shall also submit a reconciled cost report certified by the mental health director and the county's auditor-controller as being true and correct, no later than 18 months after the close of the following fiscal year.
If the County does not submit the cost reports by the reporting deadlines or does not meet the other requirements, DHCS shall request a plan of correction with specific timelines (W&I § 5897(d)). If County does not submit cost reports by the reporting deadlines or the County does not meet the other requirements, DHCS may, after a hearing held with no less than 20 days' notice to the county mental health director (W&I § 5655), withhold payments from the MHS Fund until the County is in compliance with W&I section 5664.
B. THE MENTAL HEALTH SERVICES ACT PROGRAM
1) Program Description
Proposition 63, which created the Mental Health Services Act (MHSA), was approved by the voters of California on November 2, 2004. The Mental Health Services (MHS) Fund, which provides funds to counties for the implementation of its MHSA programs, was established pursuant to W&I section 5890. The MHSA was designed to expand California's public mental health programs and services through funding received by a one percent tax on incomes in excess of $1 million. Counties use this funding for projects and programs for prevention and early intervention, community services and supports, workforce development and training, innovation, plus capital facilities and technological needs through mental health projects and programs. The State Controller distributes MHS Funds to the counties to plan for and provide mental health programs and other related activities outlined in a county's three-year program and expenditure plan or annual update. MHS Funds are distributed by the State Controller's Office to the counties on a monthly basis.
DHCS shall monitor County's use of MHS Funds to ensure that the county meets the MHSA and MHS Fund requirements. (W&I section 5651(c).)
2) Issue Resolution Process
County shall have an Issue Resolution Process (Process) to handle client disputes related to the provision of their mental health services. The Process shall be completed in an expedient and appropriate manner. County shall develop a log to record issues submitted as part of the Process. The log shall contain the date the issue was received; a brief synopsis of the issue; the final issue resolution outcome; and the date the final issue resolution was reached.
3) Revenue and Expenditure Report
County shall submit its Revenue and Expenditure Report (RER) by December 31st following the close of the fiscal year in accordance with W&I sections 5705 and 5899, regulations and DHCS-issued guidelines. The RER shall be certified by the mental health director and one of the following: County mental health department's chief financial officer (or equivalent), an individual who has delegated authority to sign for, and reports directly to, the County mental health department's chief financial officer (or equivalent), or the County's auditor-controller (or equivalent), using the DHCS-issued certification form. Data submitted shall be full and complete. County shall also submit a reconciled RER certified by the mental health director and the county's auditor-controller as being true and correct, using the DHCS-issued certification form, no later than 18 months after the close of the following fiscal year.
If County does not submit the RER by the reporting deadlines or the RER does not meet the requirements, DHCS shall request a plan of correction with specific timelines (W&I § 5897(d)). If the RER is not timely submitted, or does not meet the requirements, DHCS may, after a hearing held with no less than 20 days' notice to the county mental health director (W&I § 5655), withhold payments from the MHS Fund until the County is in compliance with Title 9, CCR, sections 3505(d) and 3510(c).
4) Distribution and Use of Local Mental Health Services Funds:
a. W&I section 5891 provides that, commencing July 1, 2012, on or before the 15th day of each month, pursuant to a methodology provided by DHCS, the State Controller shall distribute to County's Local Mental Health Service Fund, established by County pursuant to W&I section 5892(f), all unexpended and unreserved funds on deposit as of the last day of the prior month in the Mental Health Services Fund for the provision of specified programs and other related activities.
b. County shall allocate the monthly Local MHS Fund in accordance with W&I section 5892 as follows:
i. Twenty percent of the funds shall be used for prevention and early intervention (PEI) programs in accordance with Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840). The expenditure for PEI may be increased by County if DHCS determines that the increase will decrease the need and cost for additional services to severely mentally ill persons in County by an amount at least commensurate with the proposed increase.
ii. The balance of funds shall be distributed to County's mental health programs for services to persons with severe mental illnesses pursuant to Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850), for the children's
system of care and Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800), for the adult and older adult system of care.
iii. Five percent of the total funding for the County's mental health programs established pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800), Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840), and Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850) shall be utilized for innovative programs in accordance with W&I sections 5830, 5847 and 5848.
iv. Programs for services pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800), and Part 4 of Division 5 of the Welfare & Institutions Code (commencing with Section 5850) may include funds for technological needs and capital facilities, human resource needs, and a prudent reserve to ensure services do not have to be significantly reduced in years in which revenues are below the average of previous years. The total allocation for these purposes shall not exceed 20 percent of the average amount of funds allocated to County for the previous five years.
v. Allocations in Subparagraphs i. through iii. above, include funding for annual planning costs pursuant to W&I section 5848. The total of these costs shall not exceed five percent of the total annual revenues received for the Local MHS Fund. The planning costs shall include moneys for County's mental health programs to pay for the costs of having consumers, family members, and other stakeholders participate in the planning process and for the planning and implementation required for private provider contracts to be significantly expanded to provide additional services.
c. County shall use Local MHS Fund monies to pay for those portions of the mental health programs/services for children and adults for which there is no other source of funds available. (W&I §§ 5813.5(b), 5878.3(a) and 9 CCR 3610(d).)
d. County shall only use Local MHS Funds to expand mental health services. These funds shall not be used to supplant existing state or county funds utilized to provide mental health services. These funds shall only be used to pay for the programs authorized in W&I section 5892. These funds may not be used to pay for any other program and may not be loaned to County's general fund or any other County fund for any purpose. (W&I § 5891.)
e. All expenditures for County mental health programs shall be consistent with a currently approved three-year program and expenditure plan or annual update pursuant to W&I section 5847. (W&I § 5892(g).)
5) Three-Year Program and Expenditure Plan and Annual Updates:
a. County shall prepare and submit a three-year program and expenditure plan, and annual updates, adopted by County's Board of Supervisors, to the Mental Health Services Oversight and Accountability Commission (MHSOAC) and the Department of Health Care Services (DHCS) within 30 calendar days after adoption. The three-year program and expenditure plan and annual updates shall include all of the following:
i. A program for Prevention and Early Intervention (PEI) in accordance with Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840).
ii. A program for services to children in accordance with Part 4 of Division 5 of the
Welfare and Institutions Code (commencing with Section 5850), to include a
wraparound program pursuant to Chapter 4 of Part 6 of Division 9 of the Welfare and
Institutions Code (commencing with Section 18250), or provide substantial evidence
that it is not feasible to establish a wraparound program in the County .
iii. A program for services to adults and seniors in accordance with Part 3 of Division 5
of the Welfare and Institutions Code (commencing with Section 5800).
iv . A program for innovations in accordance with Part 3.2 of Division 5 of the Welfare
and Institutions Code (commencing with Section 5830). Counties shall expend funds
for their innovation programs upon approval by the Mental Health Services Oversight
and Accountability Commission .
v. A program for technological needs and capital facilities needed to provide services
pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing
with Section 5800), Part 3.6 of Division 5 of the Welfare and Institutions Code
(commencing with Section 5840), and Part 4 of Division 5 of the Welfare and
Institutions Code (commencing with Section 5850). All plans for proposed facilities
with restrictive settings shall demonstrate that the needs of the people to be served
cannot be met in a less restrictive or more integrated setting.
vi. Identification of shortages in personnel to provide services pursuant to the above
programs and the additional assistance needed from the education and training
programs established pursuant to Part 3.1 of Division 5 of the Welfare and
Institutions Code (commencing with Section 5820) and Title 9, CCR, section 3830(b).
vii. Establishment and maintenance of a prudent reserve to ensure the County program will continue to be able to serve children, adults, and seniors that it is currently serving pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800), Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840), and Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850), during years in which revenues for the MHS Fund are below recent averages adjusted by changes in the state population and the California Consumer Price Index.
viii. Certification by County's mental health director, which ensures that County has complied with all pertinent regulations, laws, and statutes of the MHSA, including stakeholder participation and non-supplantation requirements.
ix. Certification by County's Mental Health Director and County's Auditor-Controller that the County has complied with any fiscal accountability requirements as directed by DHCS, and that all expenditures are consistent with the requirements of the MHSA.
b. County shall include services in the programs described in Subparagraphs 5.a.i. through 5.a.v., inclusive, to address the needs of transition age youth between the ages of 16 years old to 25 years old, including the needs of transition age foster youth pursuant to W&I section 5847(c).
c. County shall prepare expenditure plans for the programs described in Subparagraphs 5.a.i. through 5.a.v., inclusive, and annual expenditure updates. Each expenditure plan update shall indicate the number of children, adults, and seniors to be served, and the cost per person. (W&I § 5847(e).)
d. County's three-year program and expenditure plan and annual updates shall include reports on the achievement of performance outcomes for services pursuant to the Adult and Older Adult Mental Health System of Care Act, Prevention and Early Intervention, and the Children's Mental Health Services Act funded by the MHS Fund and established jointly by DHCS and the MHSOAC, in collaboration with the California Mental Health Director's Association. (W&I § 5848(c).) County contracts with providers shall include the performance goals from the County's three-year program and expenditure plan and annual updates that apply to each provider's programs and services.
e. County's three-year program and expenditure plan and annual update shall consider ways to provide services that are similar to those established pursuant to the Mentally Ill Offender Crime Reduction Grant Program. Funds shall not be used to pay for persons incarcerated in state prison or parolees from state prisons. (W&I § 5813.5(f).)
6) Planning Requirements and Stakeholder Involvement:
a. County shall develop its three-year program and expenditure plan and annual update with local stakeholders, including adults and seniors with severe mental illness, families of children, adults, and seniors with severe mental illness, providers of services, law enforcement agencies, education, social services agencies, veterans, representatives from veterans organizations, providers of alcohol and drug services, health care organizations, and other important interests. Counties shall demonstrate a partnership with constituents and stakeholders throughout the process that includes meaningful stakeholder involvement on mental health policy, program planning, and implementation, monitoring, quality improvement, evaluation, and budget allocations. County shall prepare and circulate a draft plan and update for review and comment for at least 30 calendar days to representatives of stakeholder interests and any interested party who has requested a copy of the draft plans. (W&I § 5848(a).)
b. County's mental health board, established pursuant to W&I section 5604, shall conduct a public hearing on the County's draft three-year program and expenditure plan and annual updates at the close of the 30 calendar day comment period. Each adopted three-year program and expenditure plan or annual update shall summarize and analyze substantive recommendations and describe substantive changes to the three-year program and expenditure plan and annual updates. The County's mental health board shall review the adopted three-year program and expenditure plan and annual updates and make recommendations to County's mental health department for amendments. (W&I § 5848(b) and Title 9, CCR, § 3315.)
7) County Requirements for Handling MHSA Funds
a. County shall place all funds received from the State MHS Fund into a Local MHS Fund. The Local MHS Fund balance shall be invested consistent with other County funds and the interest earned on the investments shall be transferred into the Local MHS Fund. (W&I § 5892(f).)
b. The earnings on investment of these funds shall be available for distribution from the fund in future years. (W&I § 5892(f).)
c. Other than funds placed in a reserve in accordance with an approved plan, any funds allocated to County which it has not spent for the authorized purpose within the three years shall revert to the State. County may retain MHSA Funds for capital facilities, technological needs, or education and training for up to 10 years before reverting to the State. (W&I § 5892(h).)
8) Department Compliance Investigations:
DHCS may investigate County's performance of the Mental Health Services Act related provisions of this Agreement and compliance with the provisions of the Mental Health Services Act, and relevant regulations. In conducting such an investigation DHCS may inspect and copy books, records, papers, accounts, documents and any writing as defined by Evidence Code Section 250 that is pertinent or material to the investigation of the County. For purposes of this Paragraph "provider" means any person or entity that provides services, goods, supplies or merchandise, which are directly or indirectly funded pursuant to MHSA. (Gov. Code §§ 1180, 1181, 1182 and W&I Code § 14124.2.)
9) County Breach , Plan of Correction and Withholding of State Mental Health Funds :
a. If DHCS determines that County is out-of-compliance with the Mental Health Services
Act related provisions of this Agreement , DHCS may request that County submit a plan
of correction , including a specific timeline to correct the deficiencies , to DHCS . (W&I §
5897(d).)
b. If DHCS determines that County is substantially out-of-compliance with any provision of
the Mental Health Services Act or relevant regulations , including all reporting
requirements, and that administrative action is necessary, DHCS may after a hearing
held with no less than 20 days' notice to the county mental health director (W&I § 5655):
i. Withhold part or all state mental health funds from County ; and/or
ii. Require County to enter into negotiations w ith DHCS to agree on a plan for County
to address County's non-compliance . (W&I § 5655 .)
C. PROJECTS FOR ASSISTANCE IN TRANSITION FROM HOMELESSNESS (PATH)
PROGRAM (Title 42, United States Code, sections 290cc-21 through 290cc-35,
inclusive)
Pursuant to Title 42, United States Code, sections 290cc-21 through 290cc-35, inclusive, the
State of California has been awarded federal homeless funds through the federal McKinney
Projects for Assistance in Transition from Homelessness (PATH) formula grant. The PATH
grant funds community based outreach , mental health and substance abuse
referral/treatment , case management and other support services, as well as a limited set of
housing services for the homeless mentally ill.
While county mental health programs serve thousands of homeless persons with
realignment funds and other local revenues , the PATH grant augments these programs by
providing services to approximately 8 ,300 additional persons annually. The county
determines its use of PATH funds based on county priorities and needs.
If County wants to receive PATH funds , it shall submit its RFA responses and required
documentation specified in DHCS ' Request for Application (RFA). County shall complete its
RFA responses in accordance with the instructions, enclosures and attachments available
on the DHCS website at:
http ://www .dhcs .ca .gov/services/MH/Pages/PATH .aspx.
If County applied for and DHCS approved its request to receive PATH grant funds , the RFA ,
County 's RFA responses and required documentation , and DHCS ' approval constitute
provisions of this Agreement and are incorporated by reference herein . County shall comply
with all provisions of the RFA and the County 's RFA responses in order to receive its PATH
grant funds .
D. COMMUNITY MENTAL HEALTH SERVICES GRANT (MHBG) PROGRAM (Title 42, United
States Code section 300x-1 et seq.)
DHCS awards federal Community Mental Health Services Block Grant funds (known as
Mental Health Block Grant (MHBG )) to counties in California . The county mental health
agencies provide a broad array of mental health services within their mental health system
of care (SOC) programs . These programs provide services to the following target
populations : children and youth with serious emotional disturbances (SED), adults and older
adults with serious mental illnesses (SMI ).
The MHBG funds provide the counties with a stable , flexible , and non-categorical funding
base that the counties can use to develop innovative programs or augment existing
programs within their SOC . The MHBG funds also assist the counties in providing an
appropriate level of community mental health services to the most needy individuals in the
target populations who have a mental health diagnosis , and/or individuals who have a
mental health diagnosis with a co-occurring substance abuse disorder.
If County wants to receive MHBG funds , it shall submit its RFA responses and required
documentation specified in DHCS ' RFA. County shall complete its RFA responses in
accordance with the instructions , enclosures and attachments available on the DHCS
website at:
http ://www.dhcs .ca .gov/serv ices/MH/Pages/MHBG .aspx .
If County applied for and DHCS approved its request to receive MHBG grant funds , the
RFA, County's RFA responses and required documentation, and DHCS' approval constitute
provisions of this Agreement and are incorporated by reference herein . County shall comply
with all provisions of the RFA and the County's RFA responses in order to receive its MHBG
grant funds .
E. SPECIAL TERMS AND CONDITIONS
1. Audit and Record Retention
(Applicable to agreements in excess of $10,000)
a . The Contractor and/or Subcontractor shall maintain books , records , documents, and
other evidence , accounting procedures and practices , sufficient to properly reflect all
direct and indirect costs of whatever nature claimed to have been incurred in the
performance of this Agreement , including any matching costs and expenses . The
foregoing constitutes "records " for the purposes of this provision.
b. The Contractor's and /or Subcontractor's facility or office or such part thereof as may be
engaged in the performance of this Agreement and his/her records shall be subject at all
reasonable times to inspection , audit , and reproduction .
c. Contractor agrees that DHCS , the Department of General Services , the Bureau of State
Audits , or their designated representatives including the Comptroller General of the
United States shall have the right to review and copy any records and supporting
documentation pertaining to the performance of this Agreement. Contractor agrees to
allow the auditor(s) access to such records during normal business hours and to allow
interviews of any employees who might reasonably have information related to such
records . Further, the Contractor agrees to include a similar right of the State to audit
records and interview staff in any subcontract related to performance of this Agreement.
(GC 8546 .7 , CCR Title 2, Section 1896).
d . The Contractor and/or Subcontractor shall preserve and make available his/her records
(1) for a period of three years from the date of final payment under this Agreement , and
(2) for such longer period, if any, as is required by applicable statute, by any other
provision of this Agreement , or by subparagraphs (1) or (2) below.
1) If this Agreement is completely or partially terminated , the records relating to the
work terminated shall be preserved and made available for a period of three
years from the date of any resulting final settlement.
2) If any litigation, claim, negotiation, audit, or other action involving the records has
been started before the expiration of the three-year period, the records shall be
retained until completion of the action and resolution of all issues which arise
from it , or until the end of the regular three -year period , whichever is later.
e . The Contractor and/or Subcontractor shall comply with the above requirements and be
aware of the penalties for violations of fraud and for obstruction of investigation as set
forth in Public Contract Code § 10115 .10 , if applicable .
f. The Contractor and/or Subcontractor may, at its discretion, following receipt of final
payment under this Agreement , reduce its accounts , books , and records related to this
Agreement to microfilm , computer disk , CD ROM , DVD , or other data storage medium.
Upon request by an authorized representative to inspect, audit or obtain copies of said
records , the Contractor and/or Subcontractor must supply or make available applicable
devices , hardware , and/or software necessary to view , copy , and/or print said records .
Applicable devices may include , but are not limited to , microfilm readers and microfilm
printers, etc.
g. The Contractor shall , if applicable , comply with the Single Audit Act and the audit
reporting requirements set forth in OMB Circular A-133.
2. Dispute Resolution Process
a . A Contractor grievance exists whenever there is a dispute arising from DHCS ' action in
the administration of an agreement. If there is a dispute or grievance between the
Contractor and DHCS , the Contractor must seek resolution using the procedure outlined
below.
1) The Contractor should first informally discuss the problem with the DHCS
Program Contract Manager. If the problem cannot be resolved informally , the
Contractor shall direct its grievance together with any evidence , in writing , to the
program Branch Chief. The grievance shall state the issues in dispute , the legal
authority or other basis for the Contractor's position and the remedy sought. The
Branch Chief shall render a decision within ten (10) working days after receipt of
the written grievance from the Contractor. The Branch Chief shall respond in
writing to the Contractor indicating the decision and reasons therefor. If the
Contractor disagrees with the Branch Chief's decision, the Contractor may
appeal to the second level.
2) When appealing to the second level, the Contractor must prepare an appeal
indicating the reasons for disagreement with the Branch Chief's decision. The
Contractor shall include with the appeal a copy of the Contractor's original
statement of dispute along with any supporting evidence and a copy of the
Branch Chief's decision . The appeal shall be addressed to the Deputy Director of
the division in which the branch is organized within ten (10) working days from
receipt of the Branch Chief's decision. The Deputy Director of the division in
which the branch is organized or his/her designee shall meet with the Contractor
to review the issues raised. A written decision signed by the Deputy Director of
the division in which the branch is organized or his/her designee shall be directed
to the Contractor within twenty (20) working days of receipt of the Contractor's
second level appeal.
b . If the Contractor wishes to appeal the decision of the Deputy Director of the division in
which the branch is organized or his/her designee , the Contractor shall follow the
procedures set forth in Health and Safety Code Section 100171 .
c. Unless otherwise stipulated in writing by DHCS, all dispute, grievance and/or appeal
correspondence shall be directed to the DHCS Program Contract Manager.
d. There are organizational differences within DHCS ' funding programs and the
management levels identified in this dispute resolution provision may not apply in every
contractual situation . When a grievance is received and organizational differences exist ,
the Contractor shall be notified in writing by the DHCS Program Contract Manager of the
level , name , and/or title of the appropriate management official that is responsible for
issuing a decision at a given level.
3. Novation
a . If the Contractor proposes any novation agreement , DHCS shall act upon the proposal
within 60 days after receipt of the written proposal. DHCS may review and consider the
proposal , consult and negotiate with the Contractor, and accept or reject all or part of the
proposal. Acceptance or rejection of the proposal may be made orally within the 60-day
period and confirmed in writing within five days of said decision . Upon written
acceptance of the proposal , DHCS will initiate an amendment to this Agreement to
formally implement the approved proposal.
Exhibit A, Attachment I
Request for Waiver
County of Fresno
Contract Number: 14-90316
Page 1
Request for Waiver Pursuant To Section 5751.7 of the Welfare and Institutions Codes
______________ hereby requests a waiver for the following public or private
health facilities pursuant to Section 5751.7 of the Welfare and Institutions Code for the term of this
contract. These are facilities where minors may be provided psychiatric treatment with
nonspecific separate housing arrangements , treatment staff, and treatment programs designed to
serve minors . However, no minor shall be admitted for psychiatric treatment into the same
treatment ward as an adult receiving treatment who is in the custody of any jailor for a violent
crime , is a known registered sex offender, or has a known history of, or exhibits inappropriate
sexual or other violent behavior which would present a threat to the physical safety of others .
The request for waiver must include , as an attachment, the following :
1. A description of the hardship to the County/City due to inadequate or unavailable alternative
resources that would be caused by compliance with the state policy regarding the provision of
psychiatric treatment to minors .
2. The specific treatment protocols and administrative procedures established by the
County/City for identifying and providing appropriate treatment to minors admitted with adults.
3. Name, address, and telephone number of the facility
• Number of Beds
• Type of Facility / Licensure (including licensing agency and license #)
• A copy of the facility's license or certificate
4. The County Board of Supervisors' decision to designate a facility as a facility for evaluation
and treatment pursuant to Welfare and Institutions Codes 5150, 5585.50, and 5585.55.
Execution of this contract shall constitute approval of this waiver. Any waiver granted in the prior
fiscal year's contract shall be deemed to continue until execution of this contract.
1. Budget Contingency Clause
Department of Behavioral Health (Fresno County)
14-90316
Exhibit B
Funds Provision
Page 1
A. It is mutually agreed that if the Budget Act of the current year and/or any subsequent years
covered under this Agreement does not appropriate sufficient funds for the program , this
Agreement shall be of no further force and effect. In this event, DHCS shall have no liability to
pay any funds whatsoever to Department of Behavioral Health (Fresno County) or to furnish any
other considerations under this Agreement and Department of Behavioral Health (Fresno
County) shall not be obligated to perform any provisions of this Agreement.
B. If funding for any fiscal year is reduced or deleted by the Budget Act for purposes of this
program , DHCS shall have the option to either cancel this Agreement with no liability occurring
to DHCS , or offer an agreement amendment to Department of Behavioral Health (Fresno
County) to reflect the reduced amount.
GTC 610
EXHIBIT C
GENERAL TERMS AND CONDITIONS
1. APPROVAL: This Agreement is of no force or effect until signed by both parties and
approved by the Department of General Services , if required . Contractor may not commence
performance until such approval has been obtained.
2. AMENDMENT: No amendment or variation of the terms of this Agreement shall be valid
unless made in writing , signed by the parties and approved as required. No oral understanding or
Agreement not incorporated in the Agreement is binding on any of the parties.
3. ASSIGNMENT: This Agreement is not assignable by the Contractor, either in whole or in
part, without the consent of the State in the form of a formal written amendment.
4. AUDIT : Contractor agrees that the awarding department, the Department of General Services ,
the Bureau of State Audits , or their designated representative shall have the right to review and
to copy any records and supporting documentation pertaining to the performance of this
Agreement. Contractor agrees to maintain such records for possible audit for a minimum of three
(3) years after final payment, unless a longer period of records retention is stipulated. Contractor
agrees to allow the auditor(s) access to such records during normal business hours and to allow
interviews of any employees who might reasonably have information related to such records.
Further, Contractor agrees to include a similar right of the State to audit records and interview
staff in any subcontract related to performance of this Agreement. (Gov. Code §8546.7, Pub.
Contract Code §10115 et seq., CCR Title 2 , Section 1896).
5. INDEMNIFICATION: Contractor agrees to indemnify , defend and save harmless the State, its
officers , agents and employees from any and all claims and losses accruing or resulting to any
and all contractors, subcontractors , suppliers , laborers , and any other person, firm or corporation
furnishing or supplying work, services, materials, or supplies in connection with the performance
of this Agreement, and from any and all claims and losses accruing or resulting to any person,
firm or corporation who may be injured or damaged by Contractor in the performance of this
Agreement.
6. DISPUTES: Contractor shall continue with the responsibilities under this Agreement during
any dispute.
7. TERMINATION FOR CAUSE: The State may terminate this Agreement and be relieved of
any payments should the Contractor fail to perform the requirements of this Agreement at the
time and in the manner herein provided. In the event of such termination the State may proceed
with the work in any manner deemed proper by the State. All costs to the State shall be deducted
from any sum due the Contractor under this Agreement and the balance, if any , shall be paid to
the Contractor upon demand .
8. INDEPENDENT CONTRACTOR: Contractor, and the agents and employees of Contractor,
in the performance of this Agreement, shall act in an independent capacity and not as officers or
employees or agents of the State.
9. RECYCLING CERTIFICATION: The Contractor shall certify in writing under penalty of
perjury, the minimum, if not exact, percentage of post consumer material as defined in the Public
Contract Code Section 12200, in products , materials , goods , or supplies offered or sold to the
State regardless of whether the product meets the requirements of Public Contract Code Section
12209. With respect to printer or duplication cartridges that comply with the requirements of
Section 12156(e), the certification required by this subdivision shall specify that the cartridges so
comply (Pub. Contract Code §12205).
10. NON-DISCRIMINATION CLAUSE: During the performance of this Agreement, Contractor
and its subcontractors shall not unlawfully discriminate, harass , or allow harassment against any
employee or applicant for employment because of sex, race , color, ancestry, religious creed,
national origin, physical disability (including HIV and AIDS), mental disability, medical
condition (e .g., cancer), age (over 40), marital status, and denial of family care leave. Contractor
and subcontractors shall insure that the evaluation and treatment of their employees and
applicants for employment are free from such discrimination and harassment. Contractor and
subcontractors shall comply with the provisions of the Fair Employment and Housing Act (Gov .
Code §12990 (a-f) et seq.) and the applicable regulations promulgated thereunder (California
Code of Regulations, Title 2, Section 7285 et seq.). The applicable regulations of the Fair
Employment and Housing Commission implementing Government Code Section 12990 (a-f), set
forth in Chapter 5 of Division 4 of Title 2 of the California Code of Regulations , are incorporated
into this Agreement by reference and made a part hereof as if set forth in full. Contractor and its
subcontractors shall give written notice of their obligations under this clause to labor
organizations with which they have a collective bargaining or other Agreement.
Contractor shall include the nondiscrimination and compliance provisions of this clause in all
subcontracts to perform work under the Agreement.
11. CERTIFICATION CLAUSES: The CONTRACTOR CERTIFICATION CLAUSES
contained in the document CCC 307 are hereby incorporated by reference and made a part of this
Agreement by this reference as if attached hereto .
12. TIMELINESS : Time is of the essence in this Agreement.
13 . COMPENSATION: The consideration to be paid Contractor, as provided herein, shall be in
compensation for all of Contractor's expenses incurred in the performance hereof, including
travel , per diem, and taxes , unless otherwise expressly so provided.
14 . GOVERNING LAW: This contract is governed by and shall be interpreted in accordance
with the laws of the State of California.
15. ANTITRUST CLAIMS: The Contractor by signing this agreement hereby certifies that if
these services or goods are obtained by means of a competitive bid, the Contractor shall comply
with the requirements of the Government Codes Sections set out below.
a . The Government Code Chapter on Antitrust claims contains the following definitions:
1) "Public purchase" means a purchase by means of competitive bids of goods , services , or
materials by the State or any of its political subdivisions or public agencies on whose behalf the
Attorney General may bring an action pursuant to subdivision (c) of Section 16750 of the
Business and Professions Code .
2) "Public purchasing body" means the State or the subdivision or agency making a public
purchase . Government Code Section 4550.
b. In submitting a bid to a public purchasing body, the bidder offers and agrees that if the bid is
accepted, it will assign to the purchasing body all rights , title , and interest in and to all causes of
action it may have under Section 4 of the Clayton Act (15 U.S .C. Sec. 15) or under the
Cartwright Act (Chapter 2 (commencing with Section 16700) of Part 2 of Division 7 of the
Business and Professions Code), arising from purchases of goods, materials, or services by the
bidder for sale to the purchasing body pursuant to the bid. Such assignment shall be made and
become effective at the time the purchasing body tenders final payment to the bidder.
Government Code Section 4552.
c . If an awarding body or public purchasing body receives , either through judgment or
settlement, a monetary recovery for a cause of action assigned under this chapter, the assignor
shall be entitled to receive reimbursement for actual legal costs incurred and may, upon demand,
recover from the public body any portion of the recovery , including treble damages , attributable
to overcharges that were paid by the assignor but were not paid by the public body as part of the
bid price, less the expenses incurred in obtaining that portion of the recovery. Government Code
Section 4553.
d . Upon demand in writing by the assignor , the assignee shall , within one year from such
demand , reassign the cause of action assigned under this part if the assignor has been or may
have been injured by the violation of law for which the cause of action arose and (a) the assignee
has not been injured thereby, or (b) the assignee declines to file a court action for the cause of
action. See Government Code Section 4554 .
16. CHILD SUPPORT COMPLIANCE ACT: For any Agreement in excess of $100,000, the
contractor acknowledges in accordance with Public Contract Code 7110, that:
a. The contractor recognizes the importance of child and family support obligations and shall
fully comply with all applicable state and federal laws relating to child and family support
enforcement, including , but not limited to , disclosure of information and compliance with
earnings assignment orders , as provided in Chapter 8 (commencing with section 5200) of Part 5
of Division 9 of the Family Code; and
b. The contractor, to the best of its knowledge is fully complying with the earnings assignment
orders of all employees and is providing the names of all new employees to the New Hire
Registry maintained by the California Employment Development Department.
17. UNENFORCEABLE PROVISION: In the event that any provision of this Agreement is
unenforceable or held to be unenforceable , then the parties agree that all other provisions of this
Agreement have force and effect and shall not be affected thereby.
18. PRIORITY HIRING CONSIDERATIONS: If this Contract includes services in excess of
$200 ,000 , the Contractor shall give priority consideration in filling vacancies in positions funded
by the Contract to qualified recipients of aid under Welfare and Institutions Code Section 11200
in accordance with Pub. Contract Code §10353.
19 . SMALL BUSINESS PARTICIPATION AND DVBE PARTICIPATION REPORTING
REQUIREMENTS:
a. If for this Contract Contractor made a commitment to achieve small business participation,
then Contractor must within 60 days of receiving final payment under this Contract (or within
such other time period as may be specified elsewhere in this Contract) report to the awarding
department the actual percentage of small business participation that was achieved. (Govt . Code
§ 14841.)
b. If for this Contract Contractor made a commitment to achieve disabled veteran business
enterprise (DVBE) participation, then Contractor must within 60 days of receiving final payment
under this Contract (or within such other time period as may be specified elsewhere in this
Contract) certify in a report to the awarding department: (1) the total amount the prime
Contractor received under the Contract; (2) the name and address of the DVBE(s) that
participated in the performance of the Contract; (3) the amount each DVBE received from the
prime Contractor; (4) that all payments under the Contract have been made to the DVBE; and (5)
the actual percentage of DVBE participation that was achieved. A person or entity that
knowingly provides false information shall be subject to a civil penalty for each violation. (Mil.
& Vets. Code § 999.5(d); Govt. Code § 14841.)
20. LOSS LEADER:
If this contract involves the furnishing of equipment, materials , or supplies then the following
statement is incorporated: It is unlawful for any person engaged in business within this state to
sell or use any article or product as a "loss leader" as defined in Section 17030 of the Business
and Professions Code. (PCC 10344(e).)
Department of Behavioral Health (Fresno County)
14-90316
Page 1 of 7
Exhibit F
Information Confidentiality and Security Requirements
1. Definitions. For purposes of this Exhibit , the following definitions shall apply:
A. Public Information: Information that is not exempt from disclosure under the provisions of the
California Public Records Act (Government Code sections 6250-6265) or other applicable state or
federal laws .
B. Confidential Information: Information that is exempt from disclosure under the provisions of the
California Public Records Act (Government Code sections 6250-6265) or other applicable state or
federal laws .
C. Sensitive Information: Information that requires special precautions to protect from unauthorized
use , access , disclosure, modification , loss, or deletion . Sensitive Information may be either Public
Information or Confidential Information . It is information that requires a higher than normal
assurance of accuracy and completeness . Thus , the key factor for Sensitive Information is that of
integrity. Typically , Sensitive Information includes records of agency financial transactions and
regulatory actions .
D. Personal Information: Information that identifies or describes an individual , including , but not
limited to , their name , social security number , physical description , home address , home
telephone number, education, financial matters, and medical or employment history. It is DHCS'
policy to consider all information about individuals private unless such information is
determined to be a public record. This information must be protected from inappropriate
access , use , or disclosure and must be made accessible to data subjects upon request. Personal
Information includes the following :
Notice-triggering Personal Information : Specific items of personal information (name plus Social
Security number, driver license/California identification card number, or financial account number)
that may trigger a requirement to notify individuals if it is acquired by an unauthorized person . For
purposes of this provision , identity shall include , but not be limited to name , identifying number ,
symbol , or other identifying particular assigned to the individual , such as finger or voice print or a
photograph . See Civil Code sections 1798 .29 and 1798 .82 .
2. Nondisclosure . The Contractor and its employees , agents, or subcontractors shall protect from
unauthorized disclosure any Personal Information , Sensitive Information , or Confidential Information
(hereinafter identified as PSCI).
3. The Contractor and its employees , agents , or subcontractors shall not use any PSCI for any purpose
other than carrying out the Contractor's obligations under this Agreement.
4 . The Contractor and its employees , agents , or subcontractors shall promptly transmit to the DHCS
Program Contract Manager all requests for disclosure of any PSCI not emanating from the person
who is the subject of PSCI.
5. The Contractor shall not disclose , except as otherwise specifically permitted by this Agreement or
authorized by the person who is the subject of PSCI , any PSCI to anyone other than DHCS without
prior written authorization from the DHCS Program Contract Manager, except if disclosure is required
by State or Federal law .
DHCS ICSR (3/11)
6. The Contractor shall observe the following requirements:
A. Safeguards . The Contractor shall implement administrative , physical, and technical safeguards
that reasonably and appropriately protect the confidentiality , integrity, and availability of the PSCI ,
including electronic PSCI that it creates , receives , maintains , uses , or transmits on behalf of
DHCS. Contractor shall develop and maintain a written information privacy and security program
that includes administrative , technical and physical safeguards appropriate to the size and
complexity of the Contractor's operations and the nature and scope of its activities, including at a
minimum the following safeguards :
1) Personnel Controls
a. Employee Training. All workforce members who assist in the performance of functions or
activities on behalf of DHCS , or access or disclose DHCS PSCI, must complete
information privacy and security training , at least annually , at Business Associate 's
expense . Each workforce member who receives information privacy and security training
must sign a certification , indicating the member's name and the date on which the training
was completed . These certifications must be retained for a period of six (6) years following
contract termination .
b. Employee Discipline. Appropriate sanctions must be applied against workforce members
who fail to comply with privacy policies and procedures or any provisions of these
requirements , including termination of employment where appropriate .
c. Confidentiality Statement. All persons that will be working with DHCS PHI or PI must
sign a confidentiality statement that includes , at a minimum , General Use , Security and
Privacy Safeguards , Unacceptable Use , and Enforcement Policies . The statement must
be signed by the workforce member prior to access to DHCS PHI or PI. The statement
must be renewed annually . The Contractor shall retain each person 's written
confidentiality statement for DHCS inspection for a period of six (6) years following contract
termination.
d. Background Check. Before a member of the workforce may access DHCS PHI or PI , a
thorough background check of that worker must be conducted , with evaluation of the
results to assure that there is no indication that the worker may present a risk to the
security or integrity of confidential data or a risk for theft or misuse of confidential data .
The Contractor shall retain each workforce member's background check documentation for
a period of three (3) years following contract termination .
2) Technical Security Controls
a. Workstation/Laptop encryption. All workstations and laptops that process and/or store
DHCS PHI or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128-bit
or higher, such as Advanced Encryption Standard (AES). The encryption solution must be
full disk unless approved by the DHCS Information Security Office.
b. Server Security. Servers containing unencrypted DHCS PHI or PI must have sufficient
administrative, physical , and technical controls in place to protect that data , based upon a
risk assessment/system security review .
DHCS ICSR (3/11 )
Department of Behavioral Health (Fresno County)
14-90316
Page 3 of 7
Exhibit F
Information Confidentiality and Security Requirements
c. Minimum Necessary. Only the minimum necessary amount of DHCS PHI or PI required
to perform necessary business functions may be copied, downloaded, or exported.
d. Removable media devices. All electronic files that contain DHCS PHI or PI data must be
encrypted when stored on any removable media or portable device (e.g. USB thumb drives,
floppies, CD/DVD, Blackberry, backup tapes, etc.). Encryption must be a FIPS 140-2
certified algorithm which is 128-bit or higher, such as AES.
e. Antivirus software. All workstations, laptops and other systems that process and/or store
DHCS PHI or PI must install and actively use a comprehensive anti-virus software solution
with automatic updates scheduled at least daily.
f. Patch Management. All workstations, laptops and other systems that process and/or
store DHCS PHI or PI must have critical security patches applied, with system reboot if
necessary. There must be a documented patch management process which determines
installation timeframe based on risk assessment and vendor recommendations. At a
maximum, all applicable patches must be installed within 30 days of vendor release.
g. User IDs and Password Controls. All users must be issued a unique user name for
accessing DHCS PHI or PI. Usernames must be promptly disabled, deleted, or the
password changed upon the transfer or termination of an employee with knowledge of the
password, at maximum within 24 hours. Passwords are not to be shared. Passwords must
be at least eight characters and must be a non-dictionary word. Passwords must not be
stored in readable format on the computer. Passwords must be changed every 90 days,
preferably every 60 days. Passwords must be changed if revealed or compromised.
Passwords must be composed of characters from at least three of the following four
groups from the standard keyboard:
• Upper case letters (A-Z)
• Lower case letters (a-z)
• Arabic numerals (0-9)
• Non-alphanumeric characters (punctuation symbols)
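The user ID and password controls in item g above, expressed as checks a contractor could run against its own account records. This is an added example, not part of the agreement; the thresholds are the exhibit's, while the dictionary list, the `Account` record and the sample dates are constructed for illustration.

```python
"""Policy checks for the Exhibit F section 2(g) user ID and password controls.

Added example, not part of the agreement: the thresholds come from the
exhibit, while the dictionary list and account records are constructed
sample data.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8                               # "at least eight characters"
MIN_CLASSES = 3                              # three of the four keyboard groups
MAX_PASSWORD_AGE = timedelta(days=90)        # "must be changed every 90 days"
PREFERRED_PASSWORD_AGE = timedelta(days=60)  # "preferably every 60 days"
MAX_DISABLE_DELAY = timedelta(hours=24)      # disable "at maximum within 24 hours"

# Constructed stand-in for a real dictionary word list.
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "fresno", "summer", "letmein"})


def character_classes(password: str) -> set[str]:
    """Return which of the four standard-keyboard groups the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def password_violations(password: str, dictionary=SAMPLE_DICTIONARY) -> list[str]:
    """Return a code for each section 2(g) rule the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("too_few_classes")
    # "Non-dictionary word": reject the word itself, and also a dictionary word
    # merely padded with digits or symbols at either end (a stricter reading
    # than the bare text, so that "Welcome2014!" does not pass).
    core = password.strip(string.digits + string.punctuation).lower()
    if password.lower() in dictionary or core in dictionary:
        problems.append("dictionary_word")
    return problems


@dataclass
class Account:
    username: str
    password_set: datetime                  # when the current password was set
    terminated_at: datetime | None = None   # transfer/termination of the user
    disabled_at: datetime | None = None     # when the account was disabled


def account_violations(account: Account, now: datetime) -> list[str]:
    """Return codes for the rotation and deprovisioning rules the account breaks."""
    problems = []
    age = now - account.password_set
    if age > MAX_PASSWORD_AGE:
        problems.append("password_expired")
    elif age > PREFERRED_PASSWORD_AGE:
        problems.append("rotation_recommended")
    if account.terminated_at is not None:
        deadline = account.terminated_at + MAX_DISABLE_DELAY
        if account.disabled_at is None:
            if now > deadline:
                problems.append("disable_overdue")
        elif account.disabled_at > deadline:
            problems.append("disabled_late")
    return problems


def duplicate_usernames(accounts: list[Account]) -> set[str]:
    """Usernames issued to more than one person violate the unique user name rule."""
    seen, dupes = set(), set()
    for acct in accounts:
        (dupes if acct.username in seen else seen).add(acct.username)
    return dupes


if __name__ == "__main__":
    now = datetime(2015, 3, 1, 9, 0)  # constructed review date
    sample = [
        Account("jdoe", datetime(2014, 11, 1)),
        Account("asmith", datetime(2015, 1, 15), terminated_at=datetime(2015, 2, 27, 17)),
        Account("bwong", datetime(2015, 2, 1), datetime(2015, 2, 28, 8), datetime(2015, 2, 28, 10)),
    ]
    for acct in sample:
        print(acct.username, account_violations(acct, now) or "ok")
    for pw in ("Tr0ub4dor!", "welcome", "Welcome2014!"):
        print(pw, password_violations(pw) or "ok")
```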
h. Data Destruction. When no longer needed, all DHCS PHI or PI must be wiped using the
Gutmann or US Department of Defense (DoD) 5220.22-M (7 Pass) standard, or by
degaussing. Media may also be physically destroyed in accordance with NIST Special
Publication 800-88. Other methods require prior written permission of the DHCS
Information Security Office.
i. System Timeout. The system providing access to DHCS PHI or PI must provide an
automatic timeout, requiring re-authentication of the user session after no more than 20
minutes of inactivity.
j. Warning Banners. All systems providing access to DHCS PHI or PI must display a
warning banner stating that data is confidential, systems are logged, and system use is for
business purposes only by authorized users. Users must be directed to log off the system if
they do not agree with these requirements.
k. System Logging. The system must maintain an automated audit trail which can identify
the user or system process which initiates a request for DHCS PHI or PI, or which alters
DHCS PHI or PI. The audit trail must be date and time stamped, must log both successful
and failed accesses, must be read only, and must be restricted to authorized users. If
DHCS PHI or PI is stored in a database, database logging functionality must be enabled.
Audit trail data must be archived for at least 3 years after occurrence.
l. Access Controls. The system providing access to DHCS PHI or PI must use role based
access controls for all user authentications, enforcing the principle of least privilege.
m. Transmission encryption. All data transmissions of DHCS PHI or PI outside the secure
internal network must be encrypted using a FIPS 140-2 certified algorithm which is 128-bit
or higher, such as AES. Encryption can be end to end at the network level, or the data
files containing PHI can be encrypted. This requirement pertains to any type of PHI or PI
in motion such as website access, file transfer, and E-Mail.
n. Intrusion Detection. All systems involved in accessing, holding, transporting, and
protecting DHCS PHI or PI that are accessible via the Internet must be protected by a
comprehensive intrusion detection and prevention solution.
3) Audit Controls
a. System Security Review. All systems processing and/or storing DHCS PHI or PI must
have at least an annual system risk assessment/security review which provides assurance
that administrative, physical, and technical controls are functioning effectively and
providing adequate levels of protection. Reviews should include vulnerability scanning
tools.
b. Log Reviews. All systems processing and/or storing DHCS PHI or PI must have a routine
procedure in place to review system logs for unauthorized access.
c. Change Control. All systems processing and/or storing DHCS PHI or PI must have a
documented change control procedure that ensures separation of duties and protects the
confidentiality, integrity and availability of data.
4) Business Continuity / Disaster Recovery Controls
a. Emergency Mode Operation Plan. Contractor must establish a documented plan to
enable continuation of critical business processes and protection of the security of
electronic DHCS PHI or PI in the event of an emergency. Emergency means any
circumstance or situation that causes normal computer operations to become unavailable
for use in performing the work required under this Agreement for more than 24 hours.
b. Data Backup Plan. Contractor must have established documented procedures to back up
DHCS PHI to maintain retrievable exact copies of DHCS PHI or PI. The plan must include
a regular schedule for making backups, storing backups offsite, an inventory of backup
media, and an estimate of the amount of time needed to restore DHCS PHI or PI should it
be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite
storage of DHCS data.
5) Paper Document Controls
a. Supervision of Data. DHCS PHI or PI in paper form shall not be left unattended at any
time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that
information is not being observed by an employee authorized to access the information.
DHCS PHI or PI in paper form shall not be left unattended at any time in vehicles or planes
and shall not be checked in baggage on commercial airplanes.
b. Escorting Visitors. Visitors to areas where DHCS PHI or PI is contained shall be
escorted and DHCS PHI or PI shall be kept out of sight while visitors are in the area.
c. Confidential Destruction. DHCS PHI or PI must be disposed of through confidential
means, such as cross cut shredding and pulverizing.
d. Removal of Data. DHCS PHI or PI must not be removed from the premises of the
Contractor except with express written permission of DHCS.
e. Faxing. Faxes containing DHCS PHI or PI shall not be left unattended and fax machines
shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons
receiving faxes in error to destroy them. Fax numbers shall be verified with the intended
recipient before sending the fax.
f. Mailing. Mailings of DHCS PHI or PI shall be sealed and secured from damage or
inappropriate viewing of PHI or PI to the extent possible. Mailings which include 500 or
more individually identifiable records of DHCS PHI or PI in a single package shall be sent
using a tracked mailing method which includes verification of delivery and receipt, unless
the prior written permission of DHCS to use another method is obtained.
B. Security Officer. The Contractor shall designate a Security Officer to oversee its data security
program who will be responsible for carrying out its privacy and security programs and for
communicating on security matters with DHCS.
C. Discovery and Notification of Breach. The Contractor shall notify DHCS immediately by
telephone call plus email or fax upon the discovery of breach of security of PSCI in
computerized form if the PSCI was, or is reasonably believed to have been, acquired by an
unauthorized person, or upon the discovery of a suspected security incident that involves data
provided to DHCS by the Social Security Administration; or within twenty-four (24) hours by
email or fax of the discovery of any suspected security incident, intrusion or unauthorized use or
disclosure of PSCI in violation of this Agreement, or potential loss of confidential data affecting this
Agreement. Notification shall be provided to the DHCS Program Contract Manager, the DHCS
Privacy Officer and the DHCS Information Security Officer. Notice shall be made using the
"DHCS Privacy Incident Report" form, including all information known at the time. The Contractor
shall use the most current version of this form, which is posted on the DHCS Privacy Office
website (www.dhcs.ca.gov, then select "Privacy" in the left column and then "Business Use" near
the middle of the page) or use this link:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx
If the incident occurs after business hours or on a weekend or holiday and involves electronic PSCI,
notification shall be provided by calling the DHCS Information Technology Services Division
(ITSD) Help Desk. Contractor shall take:
1) Prompt corrective action to mitigate any risks or damages involved with the breach and to
protect the operating environment; and
2) Any action pertaining to such unauthorized disclosure required by applicable Federal and
State laws and regulations.
D. Investigation of Breach. The Contractor shall immediately investigate such security incident,
breach, or unauthorized use or disclosure of PSCI and, within seventy-two (72) hours of the
discovery, the Contractor shall submit an updated "DHCS Privacy Incident Report" containing the
information marked with an asterisk and all other applicable information listed on the form, to the
extent known at that time, to the DHCS Program Contract Manager, the DHCS Privacy Officer,
and the DHCS Information Security Officer.
E. Written Report. The Contractor shall provide a written report of the investigation to the DHCS
Program Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer
within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. The
report shall include, but not be limited to, the information specified above, as well as a full, detailed
corrective action plan, including information on measures that were taken to halt and/or contain
the improper use or disclosure.
F. Notification of Individuals. The Contractor shall notify individuals of the breach or unauthorized
use or disclosure when notification is required under state or federal law and shall pay any costs
of such notifications, as well as any costs associated with the breach. The DHCS Program
Contract Manager, the DHCS Privacy Officer, and the DHCS Information Security Officer shall
approve the time, manner and content of any such notifications.
7. Effect on lower tier transactions. The terms of this Exhibit shall apply to all contracts, subcontracts,
and subawards, regardless of whether they are for the acquisition of services, goods, or commodities.
The Contractor shall incorporate the contents of this Exhibit into each subcontract or subaward to its
agents, subcontractors, or independent consultants.
8. Contact Information. To direct communications to the above referenced DHCS staff, the Contractor
shall initiate contact as indicated herein. DHCS reserves the right to make changes to the contact
information below by giving written notice to the Contractor. Said changes shall not require an
amendment to this Exhibit or the Agreement to which it is incorporated.
DHCS Program Contract Manager:
See the Scope of Work exhibit for Program Contract Manager information.

DHCS Privacy Officer:
Privacy Officer
c/o Office of Legal Services
Department of Health Care Services
P.O. Box 997413, MS 0011
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646

DHCS Information Security Officer:
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Telephone: ITSD Help Desk (916) 440-7000 or (800) 579-0874
9. Audits and Inspections. From time to time, DHCS may inspect the facilities, systems, books and
records of the Contractor to monitor compliance with the safeguards required in the Information
Confidentiality and Security Requirements (ICSR) exhibit. Contractor shall promptly remedy any
violation of any provision of this ICSR exhibit. The fact that DHCS inspects, or fails to inspect, or has
the right to inspect, Contractor's facilities, systems and procedures does not relieve Contractor of its
responsibility to comply with this ICSR exhibit.
Department of Behavioral Health (Fresno County)
Contract Number : 14-90316
Page 1
EXHIBIT G
PRIVACY AND INFORMATION SECURITY PROVISIONS
This Exhibit G is intended to protect the privacy and security of specified Department
information that Contractor may access, receive, or transmit under this Agreement. The
Department information covered under this Exhibit G consists of: (1) Protected Health
Information as defined under the Health Insurance Portability and Accountability Act of
1996, Public Law 104-191 ("HIPAA") (PHI); and (2) Personal Information (PI) as defined
under the California Information Practices Act (CIPA), at California Civil Code Section
1798.3. Personal Information may include data provided to the Department by the
Social Security Administration.
Exhibit G consists of the following parts:
1. Exhibit G-1, HIPAA Business Associate Addendum, which provides for the
privacy and security of PHI.
2. Exhibit G-2, which provides for the privacy and security of PI in accordance with
specified provisions of the Agreement between the Department and the Social
Security Administration, known as the Information Exchange Agreement (IEA)
and the Computer Matching and Privacy Protection Act Agreement between the
Social Security Administration and the California Health and Human Services
Agency (Computer Agreement) to the extent Contractor accesses, receives, or
transmits PI under these Agreements. Exhibit G-2 further provides for the
privacy and security of PI under Civil Code Section 1798.3(a) and 1798.29.
3. Exhibit G-3, Miscellaneous Provisions, sets forth additional terms and conditions
that extend to the provisions of Exhibit G in its entirety.
1. Recitals.
EXHIBIT G-1
HIPAA Business Associate Addendum
A. A business associate relationship under the Health Insurance Portability
and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), the
Health Information Technology for Economic and Clinical Health Act,
Public Law 111-005 ("the HITECH Act"), 42 U.S.C. Section 17921 et
seq., and their implementing privacy and security regulations at 45 CFR
Parts 160 and 164 ("the HIPAA regulations") between Department and
Contractor arises only to the extent that Contractor creates, receives,
maintains, transmits, uses or discloses PHI or ePHI on the Department's
behalf, or provides services, arranges, performs or assists in the
performance of functions or activities on behalf of the Department that
are included in the definition of "business associate" in 45 C.F.R.
160.103 where the provision of the service involves the disclosure of
PHI or ePHI from the Department, including but not limited to, utilization
review, quality assurance, or benefit management. To the extent
Contractor performs these services, functions, and activities on behalf of
Department, Contractor is the Business Associate of the Department,
acting on the Department's behalf. The Department and Contractor are
each a party to this Agreement and are collectively referred to as the
"parties."
B. The Department wishes to disclose to Contractor certain information
pursuant to the terms of this Agreement, some of which may constitute
Protected Health Information ("PHI"), including protected health
information in electronic media ("ePHI"), under federal law, to be used
or disclosed in the course of providing services and activities as set
forth in Section 1.A. of Exhibit G-1 of this Agreement. This information
is hereafter referred to as "Department PHI".
C. The purpose of this Exhibit G-1 is to protect the privacy and security of
the PHI and ePHI that may be created, received, maintained,
transmitted, used or disclosed pursuant to this Agreement, and to
comply with certain standards and requirements of HIPAA, the HITECH
Act, and the HIPAA regulations, including, but not limited to, the
requirement that the Department must enter into a contract containing
specific requirements with Contractor prior to the disclosure of PHI to
Contractor, as set forth in 45 CFR Parts 160 and 164 and the HITECH
Act. To the extent that data is both PHI or ePHI and Personally
Identifying Information, both Exhibit G-2 (including Attachment B, the
SSA Agreement between SSA, CHHS and DHCS, referred to in Exhibit
G-2) and this Exhibit G-1 shall apply.
D. The terms used in this Exhibit G-1, but not otherwise defined, shall have
the same meanings as those terms have in the HIPAA regulations. Any
reference to statutory or regulatory language shall be to such language
as in effect or as amended.
2. Definitions.
A. Breach shall have the meaning given to such term under HIPAA,
the HITECH Act, and the HIPAA regulations.
B. Business Associate shall have the meaning given to such term under
HIPAA, the HITECH Act, and the HIPAA regulations.
C. Covered Entity shall have the meaning given to such term under
HIPAA, the HITECH Act, and the HIPAA regulations.
D. Department PHI shall mean Protected Health Information or Electronic
Protected Health Information, as defined below, accessed by Contractor
in a database maintained by the Department, received by Contractor
from the Department or acquired or created by Contractor in connection
with performing the functions, activities and services on behalf of the
Department as specified in Section 1.A. of Exhibit G-1 of this Agreement.
The term PHI as used in this document shall mean Department PHI.
E. Electronic Health Records shall have the meaning given to such term in
the HITECH Act, including, but not limited to, 42 U.S.C. Section 17921
and implementing regulations.
F. Electronic Protected Health Information (ePHI) means individually
identifiable health information transmitted by electronic media or
maintained in electronic media, including but not limited to
electronic media as set forth under 45 CFR Section 160.103.
G. Individually Identifiable Health Information means health information,
including demographic information collected from an individual, that is
created or received by a health care provider, health plan, employer or
health care clearinghouse, and relates to the past, present or future
physical or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment for
the provision of health care to an individual, that identifies the individual
or where there is a reasonable basis to believe the information can be
used to identify the individual, as set forth under 45 CFR Section
160.103.
H. Privacy Rule shall mean the HIPAA Regulations that are found at 45 CFR
Parts 160 and 164, subparts A and E.
I. Protected Health Information (PHI) means individually identifiable
health information that is transmitted by electronic media, maintained in
electronic media, or is transmitted or maintained in any other form or
medium, as set forth under 45 CFR Section 160.103 and as defined
under HIPAA.
J. Required by law, as set forth under 45 CFR Section 164.103, means a
mandate contained in law that compels an entity to make a use or
disclosure of PHI that is enforceable in a court of law. This includes, but is
not limited to, court orders and court-ordered warrants, subpoenas or
summons issued by a court, grand jury, a governmental or tribal inspector
general, or an administrative body authorized to require the production of
information, and a civil or an authorized investigative demand. It also
includes Medicare conditions of participation with respect to health care
providers participating in the program, and statutes or regulations that
require the production of information, including statutes or regulations that
require such information if payment is sought under a government
program providing public benefits.
K. Secretary means the Secretary of the U.S. Department of Health and
Human Services ("HHS") or the Secretary's designee.
L. Security Incident means the attempted or successful unauthorized
access, use, disclosure, modification, or destruction of Department PHI,
or confidential data utilized by Contractor to perform the services,
functions and activities on behalf of Department as set forth in Section
1.A. of Exhibit G-1 of this Agreement; or interference with system
operations in an information system that processes, maintains or stores
Department PHI.
M. Security Rule shall mean the HIPAA regulations that are found at 45 CFR
Parts 160 and 164.
N. Unsecured PHI shall have the meaning given to such term under the
HITECH Act, 42 U.S.C. Section 17932(h), any guidance issued by the
Secretary pursuant to such Act and the HIPAA regulations.
3. Terms of Agreement.
A. Permitted Uses and Disclosures of Department PHI by Contractor.
Except as otherwise indicated in this Exhibit G-1, Contractor may use or
disclose Department PHI only to perform functions, activities or services
specified in Section 1.A of Exhibit G-1 of this Agreement, for, or on behalf
of the Department, provided that such use or disclosure would not violate
the HIPAA regulations or the limitations set forth in 42 CFR Part 2, or any
other applicable law, if done by the Department. Any such use or
disclosure, if not for purposes of treatment activities of a health care
provider as defined by the Privacy Rule, must, to the extent practicable, be
limited to the limited data set, as defined in 45 CFR Section 164.514(e)(2),
or, if needed, to the minimum necessary to accomplish the intended
purpose of such use or disclosure, in compliance with the HITECH Act
and any guidance issued pursuant to such Act, and the HIPAA
regulations.
B. Specific Use and Disclosure Provisions. Except as otherwise indicated in
this Exhibit G-1, Contractor may:
1) Use and Disclose for Management and Administration. Use and
disclose Department PHI for the proper management and
administration of the Contractor's business, provided that such
disclosures are required by law, or the Contractor obtains reasonable
assurances from the person to whom the information is disclosed, in
accordance with section D(?) of this Exhibit G-1, that it will remain
confidential and will be used or further disclosed only as required by
law or for the purpose for which it was disclosed to the person, and
the person notifies the Contractor of any instances of which it is aware
that the confidentiality of the information has been breached.
2) Provision of Data Aggregation Services. Use Department PHI to
provide data aggregation services to the Department to the extent
requested by the Department and agreed to by Contractor. Data
aggregation means the combining of PHI created or received by the
Contractor, as the Business Associate, on behalf of the Department
with PHI received by the Business Associate in its capacity as the
Business Associate of another covered entity, to permit data analyses
that relate to the health care operations of the Department.
C. Prohibited Uses and Disclosures
1) Contractor shall not disclose Department PHI about an individual to
a health plan for payment or health care operations purposes if the
Department PHI pertains solely to a health care item or service for
which the health care provider involved has been paid out of pocket
in full and the individual requests such restriction, in accordance
with 42 U.S.C. Section 17935(a) and 45 CFR Section 164.522(a).
2) Contractor shall not directly or indirectly receive remuneration in
exchange for Department PHI.
D. Responsibilities of Contractor
Contractor agrees:
1) Nondisclosure. Not to use or disclose Department PHI other than
as permitted or required by this Agreement or as required by law,
including but not limited to 42 CFR Part 2.
2) Compliance with the HIPAA Security Rule. To implement
administrative, physical, and technical safeguards that reasonably
and appropriately protect the confidentiality, integrity, and availability
of the Department PHI, including electronic PHI, that it creates,
receives, maintains, uses or transmits on behalf of the Department, in
compliance with 45 CFR Sections 164.308, 164.310 and 164.312,
and to prevent use or disclosure of Department PHI other than as
provided for by this Agreement. Contractor shall implement
reasonable and appropriate policies and procedures to comply with
the standards, implementation specifications and other requirements
of 45 CFR Section 164, subpart C, in compliance with 45 CFR
Section 164.316. Contractor shall develop and maintain a written
information privacy and security program that includes administrative,
technical and physical safeguards appropriate to the size and
complexity of the Contractor's operations and the nature and scope of
its activities, and which incorporates the requirements of section 3,
Security, below. Contractor will provide the Department with its
current and updated policies upon request.
3) Security. Contractor shall take any and all steps necessary to ensure
the continuous security of all computerized data systems containing
PHI and/or PI, and to protect paper documents containing PHI and/or
PI. These steps shall include, at a minimum:
a. Complying with all of the data system security precautions
listed in Attachment A, Data Security Requirements;
b. Achieving and maintaining compliance with the HIPAA
Security Rule (45 CFR Parts 160 and 164), as necessary in
conducting operations on behalf of DHCS under this
Agreement; and
c. Providing a level and scope of security that is at least
comparable to the level and scope of security established by
the Office of Management and Budget in OMB Circular No.
A-130, Appendix III, Security of Federal Automated
Information Systems, which sets forth guidelines for
automated information systems in Federal agencies.
4) Security Officer. Contractor shall designate a Security Officer to
oversee its data security program who shall be responsible for
carrying out the requirements of this section and for communicating
on security matters with the Department.
5) Mitigation of Harmful Effects. To mitigate, to the extent practicable,
any harmful effect that is known to Contractor of a use or disclosure of
Department PHI by Contractor or its subcontractors in violation of the
requirements of this Exhibit G.
6) Reporting Unauthorized Use or Disclosure. To report to
Department any use or disclosure of Department PHI not provided for
by this Exhibit G of which it becomes aware.
7) Contractor's Agents and Subcontractors.
a. To enter into written agreements with any agents, including
subcontractors and vendors to whom Contractor provides
Department PHI, that impose the same restrictions and
conditions on such agents, subcontractors and vendors that
apply to Contractor with respect to such Department PHI
under this Exhibit G, and that require compliance with all
applicable provisions of HIPAA, the HITECH Act and the
HIPAA regulations, including the requirement that any
agents, subcontractors or vendors implement reasonable
and appropriate administrative, physical, and technical
safeguards to protect such PHI. As required by HIPAA, the
HITECH Act and the HIPAA regulations, including 45 CFR
Sections 164.308 and 164.314, Contractor shall
incorporate, when applicable, the relevant provisions of this
Exhibit G-1 into each subcontract or subaward to such
agents, subcontractors and vendors, including the
requirement that any security incidents or breaches of
unsecured PHI be reported to Contractor.
b. In accordance with 45 CFR Section 164.504(e)(1)(ii), upon
Contractor's knowledge of a material breach or violation by
its subcontractor of the agreement between Contractor and
the subcontractor, Contractor shall:
i) Provide an opportunity for the subcontractor to cure
the breach or end the violation and terminate the
agreement if the subcontractor does not cure the
breach or end the violation within the time specified
by the Department; or
ii) Immediately terminate the agreement if the
subcontractor has breached a material term of the
agreement and cure is not possible.
8) Availability of Information to the Department and Individuals to
Provide Access and Information:
a. To provide access as the Department may require, and in
the time and manner designated by the Department (upon
reasonable notice and during Contractor's normal
business hours) to Department PHI in a Designated
Record Set, to the Department (or, as directed by the
Department), to an Individual, in accordance with 45 CFR
Section 164.524. Designated Record Set means the group
of records maintained for the Department health plan
under this Agreement that includes medical, dental and
billing records about individuals; enrollment, payment,
claims adjudication, and case or medical management
systems maintained for the Department health plan for
which Contractor is providing services under this
Agreement; or those records used to make decisions
about individuals on behalf of the Department. Contractor
shall use the forms and processes developed by the
Department for this purpose and shall respond to requests
for access to records transmitted by the Department within
fifteen (15) calendar days of receipt of the request by
producing the records or verifying that there are none.
b. If Contractor maintains an Electronic Health Record with
PHI, and an individual requests a copy of such
information in an electronic format, Contractor shall
provide such information in an electronic format to enable
the Department to fulfill its obligations under the HITECH
Act, including but not limited to, 42 U.S.C. Section
17935(e) and the HIPAA regulations.
9) Amendment of Department PHI. To make any amendment(s) to Department PHI that were requested by a patient and that the Department directs or agrees should be made to assure compliance with 45 CFR Section 164.526, in the time and manner designated by the Department, with the Contractor being given a minimum of twenty (20) days within which to make the amendment.
10) Internal Practices. To make Contractor's internal practices, books and records relating to the use and disclosure of Department PHI available to the Department or to the Secretary, for purposes of determining the Department's compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive possession of any other entity or person and the other entity or person fails or refuses to furnish the information to Contractor, Contractor shall provide written notification to the Department and shall set forth the efforts it made to obtain the information.
11) Documentation of Disclosures. To document and make available to the Department or (at the direction of the Department) to an individual such disclosures of Department PHI, and information related to such disclosures, necessary to respond to a proper request by the subject Individual for an accounting of disclosures of such PHI, in accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR Section 164.528 and 42 U.S.C. Section 17935(c). If Contractor maintains electronic health records for the Department as of January 1, 2009 and later, Contractor must provide an accounting of disclosures, including those disclosures for treatment, payment or health care operations. The electronic accounting of disclosures shall be for disclosures during the three years prior to the request for an accounting.
12) Breaches and Security Incidents. During the term of this Agreement, Contractor agrees to implement reasonable systems for the discovery and prompt reporting of any breach or security incident, and to take the following steps:
a. Initial Notice to the Department. (1) To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured PHI in electronic media or in any other media if the PHI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person. (2) To notify the Department within 24 hours (one hour if SSA data) by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI in violation of this Agreement or this Exhibit G-1, or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor.
Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance. If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI, notice shall be provided by calling the Information Protection Unit (916.445.4646, 866-866-0602) or by emailing privacyofficer@dhcs.ca.gov. Notice shall be made using the DHCS "Privacy Incident Report" form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (www.dhcs.ca.gov, then select "Privacy" in the left column and then "Business Partner" near the middle of the page) or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx
Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PHI, Contractor shall take:
i) Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and
ii) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
b. Investigation and Investigation Report. To immediately investigate such suspected security incident, security incident, breach, or unauthorized access, use or disclosure of PHI. Within 72 hours of the discovery, Contractor shall submit an updated "Privacy Incident Report" containing the information marked with an asterisk and all other applicable information listed on the form, to the extent known at that time, to the Information Protection Unit.
c. Complete Report. To provide a complete report of the investigation to the Department Program Contract Manager and the Information Protection Unit within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. The report shall be submitted on the "Privacy Incident Report" form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA, the HITECH Act, and the HIPAA regulations. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If the Department requests information in addition to that listed on the "Privacy Incident Report" form, Contractor shall make reasonable efforts to provide the Department with such information. If, because of the circumstances of the incident, Contractor needs more than ten (10) working days from the discovery to submit a complete report, the Department may grant a reasonable extension of time, in which case Contractor shall submit periodic updates until the complete report is submitted. If necessary, a Supplemental Report may be used to submit revised or additional information after the completed report is submitted, by submitting the revised or additional information on an updated "Privacy Incident Report" form. The Department will review and approve the determination of whether a breach occurred and whether individual notifications and a corrective action plan are required.
d. Responsibility for Reporting of Breaches. If the cause of a breach of Department PHI is attributable to Contractor or its agents, subcontractors or vendors, Contractor is responsible for all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing regulations, including notification to media outlets and to the Secretary (after obtaining prior written approval of DHCS). If a breach of unsecured Department PHI involves more than 500 residents of the State of California or under its jurisdiction, Contractor shall first notify DHCS, then the Secretary of the breach immediately upon discovery of the breach. If a breach involves more than 500 California residents, Contractor shall also provide, after obtaining written prior approval of DHCS, notice to the Attorney General for the State of California, Privacy Enforcement Section. If Contractor has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to the Department in addition to Contractor, Contractor shall notify the Department, and the Department and Contractor may take appropriate action to prevent duplicate reporting.
e. Responsibility for Notification of Affected Individuals. If the cause of a breach of Department PHI is attributable to Contractor or its agents, subcontractors or vendors and notification of the affected individuals is required under state or federal law, Contractor shall bear all costs of such notifications as well as any costs associated with the breach. In addition, the Department reserves the right to require Contractor to notify such affected individuals, which notifications shall comply with the requirements set forth in 42 U.S.C. section 17932 and its implementing regulations, including, but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. The Department Privacy Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made. The Department will provide its review and approval expeditiously and without unreasonable delay.
f. Department Contact Information. To direct communications to the above referenced Department staff, the Contractor shall initiate contact as indicated herein. The Department reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated.

Department Program Contract Manager
See the Exhibit A, Scope of Work for Program Contract Manager information

DHCS Privacy Officer
Information Protection Unit
c/o: Office of HIPAA Compliance
Department of Health Care Services
P.O. Box 997413, MS 4722
Sacramento, CA 95899-7413
(916) 445-4646; (866) 866-0602
Email: privacyofficer@dhcs.ca.gov
Fax: (916) 440-7680

DHCS Information Security Officer
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Telephone: ITSD Service Desk (916) 440-7000; (800) 579-0874
Fax: (916) 440-5537
13) Termination of Agreement. In accordance with Section 13404(b) of the HITECH Act and to the extent required by the HIPAA regulations, if Contractor knows of a material breach or violation by the Department of this Exhibit G-1, it shall take the following steps:
a. Provide an opportunity for the Department to cure the breach or end the violation and terminate the Agreement if the Department does not cure the breach or end the violation within the time specified by Contractor; or
b. Immediately terminate the Agreement if the Department has breached a material term of the Exhibit G-1 and cure is not possible.
14) Sanctions and/or Penalties. Contractor understands that a failure to comply with the provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Contractors may result in the imposition of sanctions and/or penalties on Contractor under HIPAA, the HITECH Act and the HIPAA regulations.
E. Obligations of the Department.
The Department agrees to:
1) Permission by Individuals for Use and Disclosure of PHI. Provide the Contractor with any changes in, or revocation of, permission by an Individual to use or disclose Department PHI, if such changes affect the Contractor's permitted or required uses and disclosures.
2) Notification of Restrictions. Notify the Contractor of any restriction to the use or disclosure of Department PHI that the Department has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect the Contractor's use or disclosure of PHI.
3) Requests Conflicting with HIPAA Rules. Not request the Contractor to use or disclose Department PHI in any manner that would not be permissible under the HIPAA regulations if done by the Department.
4) Notice of Privacy Practices. Provide Contractor with the web link to the Notice of Privacy Practices that DHCS produces in accordance with 45 CFR Section 164.520, as well as any changes to such notice. Visit the DHCS website to view the most current Notice of Privacy Practices at: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/NoticeofPrivacyPractices.aspx or the DHCS website at www.dhcs.ca.gov (select "Privacy" in the right column and "Notice of Privacy Practices" on the right side of the page).
F. Audits, Inspection and Enforcement
If Contractor is the subject of an audit, compliance review, or complaint investigation by the Secretary or the Office for Civil Rights, U.S. Department of Health and Human Services, that is related to the performance of its obligations pursuant to this HIPAA Business Associate Exhibit G-1, Contractor shall immediately notify the Department. Upon request from the Department, Contractor shall provide the Department with a copy of any Department PHI that Contractor, as the Business Associate, provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI to the Secretary. Contractor is responsible for any civil penalties assessed due to an audit or investigation of Contractor, in accordance with 42 U.S.C. Section 17934(c).
G. Termination.
1) Term. The Term of this Exhibit G-1 shall extend beyond the termination of the Agreement and shall terminate when all Department PHI is destroyed or returned to the Department, in accordance with 45 CFR Section 164.504(e)(2)(ii)(J).
2) Termination for Cause. In accordance with 45 CFR Section 164.504(e)(1)(iii), upon the Department's knowledge of a material breach or violation of this Exhibit G-1 by Contractor, the Department shall:
a. Provide an opportunity for Contractor to cure the breach or end the violation and terminate this Agreement if Contractor does not cure the breach or end the violation within the time specified by the Department; or
b. Immediately terminate this Agreement if Contractor has breached a material term of this Exhibit G-1 and cure is not possible.
EXHIBIT G-2
Privacy and Security of Personal Information and Personally Identifiable Information Not Subject to HIPAA
1. Recitals.
A. In addition to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) the Department is subject to various other legal and contractual requirements with respect to the personal information (PI) and personally identifiable information (PII) it maintains. These include:
1) The California Information Practices Act of 1977 (California Civil Code §§1798 et seq.),
2) The Agreement between the Social Security Administration (SSA) and the Department, known as the Information Exchange Agreement (IEA), which incorporates the Computer Matching and Privacy Protection Act Agreement (CMPPA) between the SSA and the California Health and Human Services Agency. The IEA, including the CMPPA is attached to this Exhibit G as Attachment B and is hereby incorporated in this Agreement.
3) Title 42 Code of Federal Regulations, Chapter I, Subchapter A, Part 2.
B. The purpose of this Exhibit G-2 is to set forth Contractor's privacy and security obligations with respect to PI and PII that Contractor may create, receive, maintain, use, or disclose for or on behalf of Department pursuant to this Agreement. Specifically this Exhibit applies to PI and PII which is not Protected Health Information (PHI) as defined by HIPAA and therefore is not addressed in Exhibit G-1 of this Agreement, the HIPAA Business Associate Addendum; however, to the extent that data is both PHI or ePHI and PII, both Exhibit G-1 and this Exhibit G-2 shall apply.
C. The IEA Agreement referenced in A.2) above requires the Department to extend its substantive privacy and security terms to subcontractors who receive data provided to DHCS by the Social Security Administration. If Contractor receives data from DHCS that includes data provided to DHCS by the Social Security Administration, Contractor must comply with the following specific sections of the IEA Agreement: E. Security Procedures, F. Contractor/Agent Responsibilities, and G. Safeguarding and Reporting Responsibilities for Personally Identifiable Information ("PII"), and in Attachment 4 to the IEA, Electronic Information Exchange Security Requirements, Guidelines and Procedures for Federal, State and Local Agencies Exchanging Electronic Information with the Social Security Administration. Contractor must also ensure that any agents, including a subcontractor, to whom it provides DHCS data that includes data provided by the Social Security Administration, agree to the same requirements for privacy and security safeguards for such confidential data that apply to Contractor with respect to such information.
D. The terms used in this Exhibit G-2, but not otherwise defined, shall have the same meanings as those terms have in the above referenced statute and Agreement. Any reference to statutory, regulatory, or contractual language shall be to such language as in effect or as amended.
2. Definitions.
A. "Breach" shall have the meaning given to such term under the IEA and CMPPA. It shall include a "PII loss" as that term is defined in the CMPPA.
B. "Breach of the security of the system" shall have the meaning given to such term under the California Information Practices Act, Civil Code section 1798.29(f).
C. "CMPPA Agreement" means the Computer Matching and Privacy Protection Act Agreement between the Social Security Administration and the California Health and Human Services Agency (CHHS).
D. "Department PI" shall mean Personal Information, as defined below, accessed in a database maintained by the Department, received by Contractor from the Department or acquired or created by Contractor in connection with performing the functions, activities and services specified in this Agreement on behalf of the Department.
E. "IEA" shall mean the Information Exchange Agreement currently in effect between the Social Security Administration (SSA) and the California Department of Health Care Services (DHCS).
F. "Notice-triggering Personal Information" shall mean the personal information identified in Civil Code section 1798.29 whose unauthorized access may trigger notification requirements under Civil Code section 1798.29. For purposes of this provision, identity shall include, but not be limited to, name, address, email address, identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print, a photograph or a biometric identifier. Notice-triggering Personal Information includes PI in electronic, paper or any other medium.
G. "Personally Identifiable Information" (PII) shall have the meaning given to such term in the IEA and CMPPA.
H. "Personal Information" (PI) shall have the meaning given to such term in California Civil Code Section 1798.3(a).
I. "Required by law" means a mandate contained in law that compels an entity to make a use or disclosure of PI or PII that is enforceable in a court of law. This includes, but is not limited to, court orders and court-ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information, and a civil or an authorized investigative demand. It also includes Medicare conditions of participation with respect to health care providers participating in the program, and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
J. "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PI, or confidential data utilized in complying with this Agreement; or interference with system operations in an information system that processes, maintains or stores PI.
3. Terms of Agreement
A. Permitted Uses and Disclosures of Department PI and PII by Contractor
Except as otherwise indicated in this Exhibit G-2, Contractor may use or disclose Department PI only to perform functions, activities or services for or on behalf of the Department pursuant to the terms of this Agreement provided that such use or disclosure would not violate the California Information Practices Act (CIPA) if done by the Department.
B. Responsibilities of Contractor
Contractor agrees:
1) Nondisclosure. Not to use or disclose Department PI or PII other than as permitted or required by this Agreement or as required by applicable state and federal law.
2) Safeguards. To implement appropriate and reasonable administrative, technical, and physical safeguards to protect the security, confidentiality and integrity of Department PI and PII, to protect against anticipated threats or hazards to the security or integrity of Department PI and PII, and to prevent use or disclosure of Department PI or PII other than as provided for by this Agreement. Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of Contractor's operations and the nature and scope of its activities, which incorporate the requirements of section 3, Security, below. Contractor will provide DHCS with its current policies upon request.
3) Security. Contractor shall take any and all steps necessary to ensure the continuous security of all computerized data systems containing PHI and/or PI, and to protect paper documents containing PHI and/or PI. These steps shall include, at a minimum:
a. Complying with all of the data system security precautions listed in Attachment A, Business Associate Data Security Requirements;
b. Providing a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III - Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies; and
c. If the data obtained by Contractor from DHCS includes PII, Contractor shall also comply with the substantive privacy and security requirements in the Computer Matching and Privacy Protection Act Agreement between the SSA and the California Health and Human Services Agency (CHHS) and in the Agreement between the SSA and DHCS, known as the Information Exchange Agreement, which are attached as Attachment B and incorporated into this Agreement. The specific sections of the IEA with substantive privacy and security requirements to be complied with are sections E, F, and G, and in Attachment 4 to the IEA, Electronic Information Exchange Security Requirements, Guidelines and Procedures for Federal, State and Local Agencies Exchanging Electronic Information with the SSA. Contractor also agrees to ensure that any agents, including a subcontractor to whom it provides DHCS PII, agree to the same requirements for privacy and security safeguards for confidential data that apply to Contractor with respect to such information.
4) Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Department PI or PII by Contractor or its subcontractors in violation of this Exhibit G-2.
5) Contractor's Agents and Subcontractors. To impose the same restrictions and conditions set forth in this Exhibit G-2 on any subcontractors or other agents with whom Contractor subcontracts any activities under this Agreement that involve the disclosure of Department PI or PII to the subcontractor.
6) Availability of Information to DHCS. To make Department PI and PII available to the Department for purposes of oversight, inspection, amendment, and response to requests for records, injunctions, judgments, and orders for production of Department PI and PII. If Contractor receives Department PII, upon request by DHCS, Contractor shall provide DHCS with a list of all employees, contractors and agents who have access to Department PII, including employees, contractors and agents of its subcontractors and agents.
7) Cooperation with DHCS. With respect to Department PI, to cooperate with and assist the Department to the extent necessary to ensure the Department's compliance with the applicable terms of the CIPA including, but not limited to, accounting of disclosures of Department PI, correction of errors in Department PI, production of Department PI, disclosure of a security breach involving Department PI and notice of such breach to the affected individual(s).
8) Confidentiality of Alcohol and Drug Abuse Patient Records. Contractor agrees to comply with all confidentiality requirements set forth in Title 42 Code of Federal Regulations, Chapter I, Subchapter A, Part 2. Contractor is aware that criminal penalties may be imposed for a violation of these confidentiality requirements.
9) Breaches and Security Incidents. During the term of this Agreement, Contractor agrees to implement reasonable systems for the discovery and prompt reporting of any breach or security incident, and to take the following steps:
a. Initial Notice to the Department. (1) To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured Department PI or PII in electronic media or in any other media if the PI or PII was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon discovery of a suspected security incident involving Department PII. (2) To notify the Department within one (1) hour by email or fax if the data is data subject to the SSA Agreement; and within 24 hours by email or fax of the discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of Department PI or PII in violation of this Agreement or this Exhibit G-1 or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Contractor.
b. Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance. If the incident occurs after business hours or on a weekend or holiday and involves electronic Department PI or PII, notice shall be provided by calling the Department Information Security Officer. Notice shall be made using the DHCS "Privacy Incident Report" form, including all information known at the time. Contractor shall use the most current version of this form, which is posted on the DHCS Information Security Officer website (www.dhcs.ca.gov, then select "Privacy" in the left column and then "Business Partner" near the middle of the page) or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCSBusinessAssociatesOnly.aspx.
c. Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of Department PI or PII, Contractor shall take:
i. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and
ii. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
d. Investigation and Investigation Report. To immediately investigate such suspected security incident, security incident, breach, or unauthorized access, use or disclosure of PHI. Within 72 hours of the discovery, Contractor shall submit an updated "Privacy Incident Report" containing the information marked with an asterisk and all other applicable information listed on the form, to the extent known at that time, to the Department Information Security Officer.
e. Complete Report. To provide a complete report of the investigation to the Department Program Contract Manager and the Information Protection Unit within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. The report shall be submitted on the "Privacy Incident Report" form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If the Department requests information in addition to that listed on the "Privacy Incident Report" form, Contractor shall make reasonable efforts to provide the Department with such information. If, because of the circumstances of the incident, Contractor needs more than ten (10) working days from the discovery to submit a complete report, the Department may grant a reasonable extension of time, in which case Contractor shall submit periodic updates until the complete report is submitted. If necessary, a Supplemental Report may be used to submit revised or additional information after the completed report is submitted, by submitting the revised or additional information on an updated "Privacy Incident Report" form. The Department will review and approve the determination of whether a breach occurred and whether individual notifications and a corrective action plan are required.
f. Responsibility for Reporting of Breaches. If the cause of a breach of Department PI or PII is attributable to Contractor or its agents, subcontractors or vendors, Contractor is responsible for all required reporting of the breach as specified in CIPA, section 1798.29 and as may be required under the IEA. Contractor shall bear all costs of required notifications to individuals as well as any costs associated with the breach. The Privacy Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made. The Department will provide its review and approval expeditiously and without unreasonable delay.
g. If Contractor has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors, agents or vendors may report the breach or incident to the Department in addition to Contractor, Contractor shall notify the Department, and the Department and Contractor may take appropriate action to prevent duplicate reporting.
h. Department Contact Information. To direct communications to the above referenced Department staff, the Contractor shall initiate contact as indicated herein. The Department reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated.

Department Program Contract Manager
See the Exhibit A, Scope of Work for Program Contract Manager information

DHCS Privacy Officer
Information Protection Unit
c/o: Office of HIPAA Compliance
Department of Health Care Services
P.O. Box 997413, MS 4722
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646

DHCS Information Security Officer
Information Security Officer
DHCS Information Security Office
P.O. Box 997413, MS 6400
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Telephone: ITSD Service Desk (916) 440-7000 or (800) 579-0874
10) Designation of Individual Responsible for Security
Contractor shall designate an individual , (e .g., Security Officer), to
oversee its data security program who shall be responsible for carrying
out the requirements of this Exhibit G-2 and for communicating on
security matters with the Department.
EXHIBIT G-3
Miscellaneous Terms and Conditions
Applicable to Exhibit G
1) Disclaimer . The Department makes no warranty or representation that
compliance by Contractor with this Exhibit G , HIPAA or the HIPAA
regulations will be adequate or satisfactory for Contractor's own purposes or
that any information in Contractor's possession or control, or transmitted or
received by Contractor, is or will be secure from unauthorized use or
disclosure . Contractor is solely responsible for all decisions made by
Contractor regarding the safeguarding of the Department PHI, PI and PII.
2) Amendment. The parties acknowledge that federal and state laws relating to
electronic data security and privacy are rapidly evolving and that amendment
of this Exhibit G may be required to provide for procedures to ensure
compliance with such developments. The parties specifically agree to take
such action as is necessary to implement the standards and requirements of
HIPAA, the HITECH Act, and the HIPAA regulations , and other applicable
state and federal laws . Upon either party's request, the other party agrees to
promptly enter into negotiations concerning an amendment to this Exhibit G
embodying written assurances consistent with the standards and
requirements of HIPAA, the HITECH Act, and the HIPAA regulations, and
other applicable state and federal laws . The Department may terminate this
Agreement upon thirty (30) days written notice in the event:
a) Contractor does not promptly enter into negotiations to amend
this Exhibit G when requested by the Department pursuant to this
section ; or
b) Contractor does not enter into an amendment providing
assurances regarding the safeguarding of Department PHI that the
Department deems is necessary to satisfy the standards and
requirements of HIPAA and the HIPAA regulations.
3) Judicial or Administrative Proceedings . Contractor will notify the
Department if it is named as a defendant in a criminal proceeding for a
violation of HIPAA or other security or privacy law. The Department may
terminate this Agreement if Contractor is found guilty of a criminal
violation of HIPAA. The Department may terminate this Agreement if a
finding or stipulation that the Contractor has violated any standard or
requirement of HIPAA, or other security or privacy laws is made in any
administrative or civil proceeding in which the Contractor is a party or
has been joined . DHCS will consider the nature and seriousness of the
violation in deciding whether or not to terminate the Agreement.
4) Assistance in Litigation or Administrative Proceedings . Contractor
shall make itself and any subcontractors , employees or agents assisting
Contractor in the performance of its obligations under this Agreement,
available to the Department at no cost to the Department to testify as
witnesses , or otherwise , in the event of litigation or administrative
proceedings being commenced against the Department, its directors ,
officers or employees based upon claimed violation of HIPAA, or the
HIPAA regulations , which involves inactions or actions by the
Contractor, except where Contractor or its subcontractor, employee or
agent is a named adverse party .
5) No Third-Party Beneficiaries . Nothing express or implied in the terms
and conditions of this Exhibit G is intended to confer, nor shall anything
herein confer, upon any person other than the Department or Contractor
and their respective successors or assignees , any rights, remedies ,
obligations or liabilities whatsoever.
6) Interpretation. The terms and conditions in this Exhibit G shall be
interpreted as broadly as necessary to implement and comply with
HIPAA, the HITECH Act , and the HIPAA regulations . The parties agree
that any ambiguity in the terms and conditions of this Exhibit G shall be
resolved in favor of a meaning that complies and is consistent with
HIPAA, the HITECH Act and the HIPAA regulations , and , if applicable ,
any other relevant state and federal laws .
7) Conflict. In case of a conflict between any applicable privacy or
security rules , laws , regulations or standards the most stringent shall
apply . The most stringent means that safeguard which provides the
highest level of protection to PHI, PI and PII from unauthorized
disclosure . Further, Contractor must comply within a reasonable period
of time with changes to these standards that occur after the effective
date of this Agreement.
8) Regulatory References . A reference in the terms and conditions of this
Exhibit G to a section in the HIPAA regulations means the section as in
effect or as amended .
9) Survival. The respective rights and obligations of Contractor under
Section 3 , Item D of Exhibit G-1 , and Section 3 , Item B of Exhibit G-2 ,
Responsibilities of Contractor, shall survive the termination or expiration
of this Agreement.
10) No Waiver of Obligations. No change, waiver or discharge of any
liability or obligation hereunder on any one or more occasions shall be
deemed a waiver of performance of any continuing or other obligation ,
or shall prohibit enforcement of any obligation , on any other occasion .
11) Audits, Inspection and Enforcement. From time to time , and subject
to all applicable federal and state privacy and security laws and
regulations , the Department may conduct a reasonable inspection of the
facilities , systems , books and records of Contractor to monitor
compliance with this Exhibit G . Contractor shall promptly remedy any
violation of any provision of this Exhibit G . The fact that the Department
inspects , or fails to inspect, or has the right to inspect, Contractor's
facilities , systems and procedures does not relieve Contractor of its
responsibility to comply with this Exhibit G . The Department's failure to
detect a non-compliant practice, or a failure to report a detected
non-compliant practice to Contractor does not constitute acceptance of such
practice or a waiver of the Department's enforcement rights under this
Agreement, including this Exhibit G.
12) Due Diligence. Contractor shall exercise due diligence and shall take
reasonable steps to ensure that it remains in compliance with this Exhibit
G and is in compliance with applicable provisions of HIPAA, the HITECH
Act and the HIPAA regulations, and other applicable state and federal
law, and that its agents , subcontractors and vendors are in compliance
with their obligations as required by this Exhibit G .
13) Term. The Term of this Exhibit G-1 shall extend beyond the termination of
the Agreement and shall terminate when all Department PHI is destroyed
or returned to the Department, in accordance with 45 CFR Section
164.504(e)(2)(ii)(I), and when all Department PI and PII is destroyed in
accordance with Attachment A.
14) Effect of Termination . Upon termination or expiration of this Agreement
for any reason , Contractor shall return or destroy all Department PHI , PI
and PII that Contractor still maintains in any form , and shall retain no
copies of such PHI, PI or PII. If return or destruction is not feasible,
Contractor shall notify the Department of the conditions that make the
return or destruction infeasible , and the Department and Contractor shall
determine the terms and conditions under which Contractor may retain the
PHI, PI or PII. Contractor shall continue to extend the protections of this
Exhibit G to such Department PHI, PI and PII, and shall limit further use of
such data to those purposes that make the return or destruction of such
data infeasible. This provision shall apply to Department PHI, PI and PII
that is in the possession of subcontractors or agents of Contractor.
Attachment A
Data Security Requirements
1. Personnel Controls
A. Employee Training. All workforce members who assist in the performance of functions or activities on behalf of the Department, or access or disclose Department PHI or PI must complete information privacy and security training, at least annually, at Contractor's expense. Each workforce member who receives information privacy and security training must sign a certification, indicating the member's name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following termination of this Agreement.
B. Employee Discipline. Appropriate sanctions must be applied against workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements, including termination of employment where appropriate.
C. Confidentiality Statement. All persons that will be working with Department PHI or PI must sign a confidentiality statement that includes, at a minimum, General Use, Security and Privacy Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access to Department PHI or PI. The statement must be renewed annually. The Contractor shall retain each person's written confidentiality statement for Department inspection for a period of six (6) years following termination of this Agreement.
D. Background Check. Before a member of the workforce may access Department PHI or PI, a background screening of that worker must be conducted. The screening should be commensurate with the risk and magnitude of harm the employee could cause, with more thorough screening being done for those employees who are authorized to bypass significant technical and operational security controls. The Contractor shall retain each workforce member's background check documentation for a period of three (3) years.
2. Technical Security Controls
A. Workstation/Laptop encryption. All workstations and laptops that store
Department PHI or PI either directly or temporarily must be encrypted
using a FIPS 140-2 certified algorithm which is 128-bit or higher, such as
Advanced Encryption Standard (AES). The encryption solution must be
full disk unless approved by the Department Information Security Office .
B. Server Security. Servers containing unencrypted Department PHI or PI
must have sufficient administrative, physical, and technical controls in place
to protect that data, based upon a risk assessment/system security review.
C. Minimum Necessary . Only the minimum necessary amount of Department
PHI or PI required to perform necessary business functions may be copied ,
downloaded , or exported .
D. Removable media devices. All electronic files that contain Department
PHI or PI data must be encrypted when stored on any removable media or
portable device (i.e. USB thumb drives, floppies, CD/DVD, Blackberry,
backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm
which is 128-bit or higher, such as AES.
E. Antivirus software . All workstations , laptops and other systems that process
and/or store Department PHI or PI must install and actively use comprehensive
anti-virus software solution with automatic updates scheduled at least daily .
F. Patch Management. All workstations, laptops and other systems that
process and/or store Department PHI or PI must have critical security
patches applied, with system reboot if necessary. There must be a
documented patch management process which determines installation
timeframe based on risk assessment and vendor recommendations. At a
maximum, all applicable patches must be installed within 30 days of vendor
release. Applications and systems that cannot be patched within this time
frame due to significant operational reasons must have compensatory
controls implemented to minimize risk until the patches can be installed.
Applications and systems that cannot be patched must have compensatory
controls implemented to minimize risk, where possible.
G. User IDs and Password Controls. All users must be issued a unique user
name for accessing Department PHI or PI. Username must be promptly
disabled, deleted, or the password changed upon the transfer or termination of
an employee with knowledge of the password. Passwords are not to be
shared. Passwords must be at least eight characters and must be a non-
dictionary word. Passwords must not be stored in readable format on the
computer. Passwords must be changed at least every 90 days, preferably
every 60 days. Passwords must be changed if revealed or compromised.
Passwords must be composed of characters from at least three of the following
four groups from the standard keyboard:
1) Upper case letters (A-Z)
2) Lower case letters (a -z)
3) Arabic numerals (0-9)
4) Non-alphanumeric characters (punctuation symbols)
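The composition, dictionary, rotation and storage rules of section 2.G above, carried into a checker as an added example that is not part of the agreement or of any DHCS or County system. The thresholds (eight characters, three of four character groups, 90 days) are taken from the text; the word list, the scrypt parameters, the record layout and every sample password are constructed for illustration. The dictionary check is applied slightly more strictly than the text states: leading and trailing digits and punctuation are stripped before the comparison, so a dictionary word with a digit appended still fails.

```python
"""Password policy checks modelled on Attachment A, section 2.G.

Added example, not part of the agreement. Thresholds come from the text;
the dictionary, scrypt parameters and sample values are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # "at least eight characters"
MIN_GROUPS = 3          # "at least three of the following four groups"
MAX_AGE_DAYS = 90       # "changed at least every 90 days"

# Constructed stand-in for a real word list; a deployment would load one.
DICTIONARY = {"password", "welcome", "sacramento", "fresno", "medicaid"}


def character_groups(password: str) -> set[str]:
    """Return which of the four standard-keyboard groups appear in password."""
    groups: set[str] = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.digits:
            groups.add("digit")
        else:
            groups.add("other")  # punctuation and other symbols
    return groups


def policy_violations(password: str) -> list[str]:
    """List every section 2.G rule the candidate breaks; empty means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_groups(password)) < MIN_GROUPS:
        violations.append("fewer than three of the four character groups")
    # Stricter than the text: strip digits/punctuation at the ends so that
    # a dictionary word with "1!" appended is still caught.
    core = password.strip(string.digits + string.punctuation).lower()
    if password.lower() in DICTIONARY or core in DICTIONARY:
        violations.append("is a dictionary word")
    return violations


def store_password(password: str, changed: str | None = None) -> dict:
    """Produce the stored form: salted scrypt hash, never the readable password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "changed": changed or date.today().isoformat(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), record["hash"])


def rotation_due(record: dict, today: str) -> bool:
    """True when the password is MAX_AGE_DAYS or more days old (ISO dates)."""
    changed = date.fromisoformat(record["changed"])
    return date.fromisoformat(today) >= changed + timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Ab1!", "abcdefghij", "Password1!"):
        print(candidate, policy_violations(candidate) or "ok")
    rec = store_password("Tr0ub4dor&3", changed="2014-07-01")
    print("verify:", verify_password("Tr0ub4dor&3", rec))
    print("rotation due on 2014-09-29:", rotation_due(rec, "2014-09-29"))
```

The checker is meant to run at password set time and the rotation check on a schedule; the stored record holds only a salt, a hash and the change date, which satisfies the "not stored in readable format" clause without any reversible storage of the password.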
H . Data Destruction . When no longer needed , all Department PHI or PI must be
wiped using the Gutmann or US Department of Defense (DoD) 5220 .22 -M (7
Pass) standard , or by degaussing . Media may also be physically destroyed in
accordance with NIST Special Publication 800-88. Other methods require prior
written permission of the Department Information Security Office .
I. System Timeout. The system providing access to Department PHI or PI
must provide an automatic timeout, requiring re-authentication of the user
session after no more than 20 minutes of inactivity.
J. Warning Banners . All systems providing access to Department PHI or PI
must display a warning banner stating that data is confidential, systems
are logged , and system use is for business purposes only by authorized
users. Users must be directed to log off the system if they do not agree
with these requirements .
K. System Logging . The system must maintain an automated audit trail
which can identify the user or system process which initiates a request for
Department PHI or PI, or which alters Department PHI or PI. The audit
trail must be date and time stamped , must log both successful and failed
accesses, must be read only , and must be restricted to authorized users .
If Department PHI or PI is stored in a database , database logging
functionality must be enabled . Audit trail data must be archived for at
least 3 years after occurrence .
L. Access Controls . The system providing access to Department PHI or PI
must use role based access controls for all user authentications , enforcing
the principle of least privilege .
M. Transmission encryption . All data transmissions of Department PHI or
PI outside the secure internal network must be encrypted using a FIPS
140-2 certified algorithm which is 128bit or higher, such as AES .
Encryption can be end to end at the network level , or the data files
containing Department PHI can be encrypted . This requirement pertains
to any type of Department PH I or PI in motion such as website access , file
transfer, and E-Mail.
N. Intrusion Detection. All systems involved in accessing, holding,
transporting , and protecting Department PHI or PI that are accessible via
the Internet must be protected by a comprehensive intrusion detection and
prevention solution .
3. Audit Controls
A. System Security Review . Contractor must ensure audit control
mechanisms that record and examine system activity are in place . All
systems processing and/or storing Department PHI or PI must have at
least an annual system risk assessment/security review which provides
assurance that administrative, physical, and technical controls are
functioning effectively and providing adequate levels of protection .
Reviews should include vulnerability scanning tools.
B. Log Reviews . All systems processing and/or storing Department PHI or
PI must have a routine procedure in place to review system logs for
unauthorized access .
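A routine log review of the kind sections 2.K, 2.L and 3.B call for, as an added example that is not part of the agreement or of any County or DHCS system. The audit-trail line format, the role-permission matrix and every log entry are constructed; a real review would read the system's own audit trail and its own role definitions. The review flags failed accesses, users with repeated failures, successful actions that the user's role does not permit (which indicates the role-based control is not enforcing least privilege), and lines that do not parse (a gap in the trail itself).

```python
"""Routine review of an audit trail for the checks Attachment A sections
2.K, 2.L and 3.B describe. Added example, not part of the agreement; the
log format, role matrix and sample entries are constructed."""
from __future__ import annotations

import re
from collections import Counter

# Constructed role-based access matrix: the actions each role may perform
# on Department PHI/PI under least privilege (section 2.L).
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "dba": {"read", "export"},
}

# Constructed audit-trail format: date/time stamp, user, role, action,
# record, and whether the access succeeded or failed (section 2.K asks
# for both successful and failed accesses to be logged).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed sample entries; the last line deliberately does not parse.
SAMPLE_LOG = """\
2014-07-15T09:12:03Z user=jdoe role=clinician action=read record=PHI-1001 result=success
2014-07-15T09:13:10Z user=jdoe role=clinician action=update record=PHI-1001 result=success
2014-07-15T09:20:44Z user=msmith role=billing action=export record=PHI-2002 result=success
2014-07-15T22:01:01Z user=svc_batch role=dba action=read record=PHI-3003 result=failure
2014-07-15T22:01:05Z user=svc_batch role=dba action=read record=PHI-3003 result=failure
2014-07-15T22:01:09Z user=svc_batch role=dba action=read record=PHI-3003 result=failure
this line is not a well-formed audit entry
"""


def parse_entry(line: str) -> dict | None:
    """Parse one audit line into its fields, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_log(lines, failure_threshold: int = 3) -> dict:
    """Apply the review checks to an iterable of audit lines."""
    failures: list[dict] = []
    unauthorized: list[dict] = []
    malformed = 0
    failure_counts: Counter[str] = Counter()
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            malformed += 1          # trail incomplete: worth investigating
            continue
        if entry["result"] == "failure":
            failures.append(entry)
            failure_counts[entry["user"]] += 1
        elif entry["action"] not in ROLE_PERMISSIONS.get(entry["role"], set()):
            # Succeeded, but the role should not have been allowed to do it.
            unauthorized.append(entry)
    repeat = {u: n for u, n in failure_counts.items() if n >= failure_threshold}
    return {
        "failures": failures,
        "unauthorized": unauthorized,
        "repeat_failures": repeat,
        "malformed": malformed,
    }


if __name__ == "__main__":
    findings = review_log(SAMPLE_LOG.splitlines())
    print("failed accesses:", len(findings["failures"]))
    print("repeat failures:", findings["repeat_failures"])
    print("role violations:", [(e["user"], e["action"]) for e in findings["unauthorized"]])
    print("malformed lines:", findings["malformed"])
```

On the sample trail the review reports three failed accesses (all by svc_batch, which crosses the repeat threshold), one role violation (a billing user exporting a record) and one malformed line; each of those is a finding that the procedure in 3.B would route to a named reviewer rather than merely count.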
C. Change Control. All systems processing and/or storing Department PHI
or PI must have a documented change control procedure that ensures
separation of duties and protects the confidentiality , integrity and
availability of data.
4. Business Continuity / Disaster Recovery Controls
A. Emergency Mode Operation Plan . Contractor must establish a
documented plan to enable continuation of critical business processes and
protection of the security of Department PHI or PI held in an electronic
format in the event of an emergency . Emergency means any
circumstance or situation that causes normal computer operations to
become unavailable for use in performing the work required under this
Agreement for more than 24 hours .
B. Data Backup Plan . Contractor must have established documented
procedures to backup Department PHI to maintain retrievable exact
copies of Department PHI or PI. The plan must include a regular schedule
for making backups , storing backups offsite , an inventory of backup
media , and an estimate of the amount of time needed to restore
Department PHI or PI should it be lost. At a minimum , the schedule must
be a weekly full backup and monthly offsite storage of Department data .
5. Paper Document Controls
A. Supervision of Data . Department PHI or PI in paper form shall not be left
unattended at any time , unless it is locked in a file cabinet, file room , desk
or office . Unattended means that information is not being observed by an
employee authorized to access the information . Department PHI or PI in
paper form shall not be left unattended at any time in vehicles or planes
and shall not be checked in baggage on commercial airplanes .
B. Escorting Visitors. Visitors to areas where Department PHI or PI is
contained shall be escorted and Department PHI or PI shall be kept out of
sight while visitors are in the area .
C. Confidential Destruction. Department PHI or PI must be disposed of
through confidential means , such as cross cut shredding and pulverizing .
D. Removal of Data . Only the minimum necessary Department PHI or PI
may be removed from the premises of the Contractor except with express
written permission of the Department. Department PHI or PI shall not be
considered "removed from the premises" if it is only being transported
from one of Contractor's locations to another of Contractor's locations.
E. Faxing . Faxes containing Department PHI or PI shall not be left
unattended and fax machines shall be in secure areas. Faxes shall
contain a confidentiality statement notifying persons receiving faxes in
error to destroy them . Fax numbers shall be verified with the intended
recipient before sending the fax .
F. Mailing . Mailings containing Department PHI or PI shall be sealed and
secured from damage or inappropriate viewing of such PHI or PI to the
extent possible . Mailings which include 500 or more individually
identifiable records of Department PHI or PI in a single package shall be
sent using a tracked mailing method which includes verification of delivery
and receipt, unless the prior written permission of the Department to use
another method is obtained .
INFORMATION EXCHANGE AGREEMENT
BETWEEN
THE SOCIAL SECURITY ADMINISTRATION (SSA)
AND
THE CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES (STATE AGENCY)
A. PURPOSE: The purpose of this Information Exchange Agreement ("IEA") is to establish terms, conditions, and safeguards under which SSA will disclose to the State Agency certain information, records, or data (herein "data") to assist the State Agency in administering certain federally funded state-administered benefit programs (including state-funded state supplementary payment programs under Title XVI of the Social Security Act) identified in this IEA. By entering into this IEA, the State Agency agrees to comply with:
• the terms and conditions set forth in the Computer Matching and Privacy Protection Act Agreement ("CMPPA Agreement") attached as Attachment 1, governing the State Agency's use of the data disclosed from SSA's Privacy Act System of Records; and
• all other terms and conditions set forth in this IEA.
B. PROGRAMS AND DATA EXCHANGE SYSTEMS: (1) The State Agency will use the data received or accessed from SSA under this IEA for the purpose of administering the federally funded, state-administered programs identified in Table 1 below. In Table 1, the State Agency has identified: (a) each federally funded, state-administered program that it administers; and (b) each SSA data exchange system to which the State Agency needs access in order to administer the identified program. The list of SSA's data exchange systems is attached as Attachment 2:
TABLE 1
FEDERALLY FUNDED BENEFIT PROGRAMS
Program | SSA Data Exchange System(s)
[X] Medicaid | BENDEX/SDX/EVS/SVES/SOLQ/SVES I-Citizenship/Quarters of Coverage/Prisoner Query
[ ] Temporary Assistance to Needy Families (TANF) |
[ ] Supplemental Nutrition Assistance Program (SNAP, formerly Food Stamps) |
[ ] Unemployment Compensation (Federal) |
[ ] Unemployment Compensation (State) |
[ ] State Child Support Agency |
[ ] Low-Income Home Energy Assistance Program (LI-HEAP) |
[ ] Workers Compensation |
[ ] Vocational Rehabilitation Services |
[ ] Foster Care (IV-E) |
[ ] State Health Insurance Program (S-CHIP) |
[ ] Women, Infants and Children (W.I.C.) |
[X] Medicare Savings Programs (MSP) | LIS File
[X] Medicare 1144 (Outreach) | Medicare 1144 Outreach File
[ ] Other Federally Funded, State-Administered Programs (List Below)
Program | SSA Data Exchange System(s)
(2) The State Agency will use each identified data exchange system only for the purpose of administering the specific program for which access to the data exchange system is provided. SSA data exchange systems are protected by the Privacy Act and federal law prohibits the use of SSA's data for any purpose other than the purpose of administering the specific program for which such data is disclosed. In particular, the State Agency will use: (a) the tax return data disclosed by SSA only to determine individual eligibility for, or the amount of, assistance under a state plan pursuant to Section 1137 programs and child support enforcement programs in accordance with 26 U.S.C. § 6103(l)(8); and (b) the citizenship status data disclosed by SSA under the Children's Health Insurance Program Reauthorization Act of 2009, Pub. L. 111-3, only for the purpose of determining entitlement to Medicaid and CHIP program for new applicants. The State Agency also acknowledges that SSA's citizenship data may be less than 50 percent current. Applicants for SSNs report their citizenship data at the time they apply for their SSNs; there is no obligation for an individual to report to SSA a change in his or her immigration status until he or she files a claim for benefits.
C. PROGRAM QUESTIONNAIRE: Prior to signing this IEA, the State Agency will complete and submit to SSA a program questionnaire for each of the federally funded, state-administered programs checked in Table 1 above. SSA will not disclose any data under this IEA until it has received and approved the completed program questionnaire for each of the programs identified in Table 1 above.
D. TRANSFER OF DATA: SSA will transmit the data to the State Agency under this IEA using the data transmission method identified in Table 2 below:
TABLE 2
TRANSFER OF DATA
[ ] Data will be transmitted directly between SSA and the State Agency.
[X] Data will be transmitted directly between SSA and the California Office of Technology (State Transmission/Transfer Component ("STC")) by the File Transfer Management System, a secure mechanism approved by SSA. The STC will serve as the conduit between SSA and the State Agency pursuant to the State STC Agreement.
[ ] Data will be transmitted directly between SSA and the Interstate Connection Network ("ICON"). ICON is a wide area telecommunications network connecting state agencies that administer the state unemployment insurance laws. When receiving data through ICON, the State Agency will comply with the "Systems Security Requirements for SSA Web Access to SSA Information Through the ICON," attached as Attachment 3.
E. SECURITY PROCEDURES: The State Agency will comply with limitations on use, treatment, and safeguarding of data under the Privacy Act of 1974 (5 U.S.C. 552a), as amended by the Computer Matching and Privacy Protection Act of 1988, related Office of Management and Budget guidelines, the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541, et seq.), and related National Institute of Standards and Technology guidelines. In addition, the State Agency will comply with SSA's "Information System Security Guidelines for Federal, State and Local Agencies Receiving Electronic Information from the Social Security Administration," attached as Attachment 4. For any tax return data, the State Agency will also comply with the "Tax Information Security Guidelines for Federal, State and Local Agencies," Publication 1075, published by the Secretary of the Treasury and available at the following Internal Revenue Service (IRS) website: http://www.irs.gov/pub/irs-pdf/p1075.pdf. This IRS Publication 1075 is incorporated by reference into this IEA.
F. CONTRACTOR/AGENT RESPONSIBILITIES: The State Agency will restrict access to the data obtained from SSA to only those authorized State employees, contractors, and agents who need such data to perform their official duties in connection with purposes identified in this IEA. At SSA's request, the State Agency will obtain from each of its contractors and agents a current list of the employees of its contractors and agents who have access to SSA data disclosed under this IEA. The State Agency will require its contractors, agents, and all employees of such contractors or agents with authorized access to the SSA data disclosed under this IEA, to comply with the terms and conditions set forth in this IEA, and not to duplicate, disseminate, or disclose such data without obtaining SSA's prior written approval. In addition, the State Agency will comply with the limitations on use, duplication, and redisclosure of SSA data set forth in Section IX. of the CMPPA Agreement, especially with respect to its contractors and agents.
G. SAFEGUARDING AND REPORTING RESPONSIBILITIES FOR PERSONALLY IDENTIFIABLE INFORMATION ("PII"):
1. The State Agency will ensure that its employees, contractors, and agents:
a. properly safeguard PII furnished by SSA under this IEA from loss, theft or inadvertent disclosure;
b. understand that they are responsible for safeguarding this information at all times, regardless of whether or not the State employee, contractor, or agent is at his or her regular duty station;
c. ensure that laptops and other electronic devices/media containing PII are encrypted and/or password protected;
d. send emails containing PII only if encrypted or if to and from addresses that are secure; and
e. limit disclosure of the information and details relating to a PII loss only to those with a need to know.
2. If an employee of the State Agency or an employee of the State Agency's contractor or agent becomes aware of suspected or actual loss of PII, he or she must immediately contact the State Agency official responsible for Systems Security designated below or his or her delegate. That State Agency official or delegate must then notify the SSA Regional Office Contact and the SSA Systems Security Contact identified below. If, for any reason, the responsible State Agency official or delegate is unable to notify the SSA Regional Office or the SSA Systems Security Contact within 1 hour, the responsible State Agency official or delegate must call SSA's Network Customer Service Center ("NCSC") at 410-965-7777 or toll free at 1-888-772-6661 to report the actual or suspected loss. The responsible State Agency official or delegate will use the worksheet, attached as Attachment 5, to quickly gather and organize information about the incident. The responsible State Agency official or delegate must provide to SSA timely updates as any additional information about the loss of PII becomes available.
3. SSA will make the necessary contact within SSA to file a formal report in accordance with SSA procedures. SSA will notify the Department of Homeland Security's United States Computer Emergency Readiness Team if loss or potential loss of PII related to a data exchange under this IEA occurs.
4. If the State Agency experiences a loss or breach of data, it will determine whether or not to provide notice to individuals whose data has been lost or breached and bear any costs associated with the notice or any mitigation.
H. POINTS OF CONTACT:
FOR SSA
San Francisco Regional Office:
Ellery Brown
Data Exchange Coordinator
Frank Hagel Federal Building
1221 Nevin Avenue
Richmond CA 94801
Phone: (510) 970-8243
Fax: (510) 970-8101
Email: Ellery.Brown@ssa.gov
Data Exchange Issues:
Guy Fortson
Office of Electronic Information Exchange
GD10 East High Rise
6401 Security Boulevard
Baltimore, MD 21235
Phone: (410) 597-1103
Fax: (410) 597-0841
Email: guy.fortson@ssa.gov
Systems Issues:
Pamela Riley
Office of Earnings, Enumeration & Administrative Systems
DIVES/Data Exchange Branch
6401 Security Boulevard
Baltimore, MD 21235
Phone: (410) 965-7993
Fax: (410) 966-3147
Email: Pamela.Riley@ssa.gov
Systems Security Issues:
Michael G. Johnson
Acting Director
Office of Electronic Information Exchange
Office of Strategic Services
6401 Security Boulevard
Baltimore, MD 21235
Phone: (410) 965-0266
Fax: (410) 966-0527
Email: Michael.G.Johnson@ssa.gov
FOR STATE AGENCY
Agreement Issues:
Manuel Urbina
Chief, Security Unit
Policy Operations Branch
Medi-Cal Eligibility Division
1501 Capitol Avenue, MS 4607
Sacramento, CA 95814
Phone: (916) 650-0160
Email: Manuel.Urbina@dhcs.ca.gov
Technical Issues:
Fei Collier
Chief, Application Support Branch
Information Technology Services Division
1615 Capitol Ave, MS 6100
Sacramento, CA 95814
Phone: (916) 440-7036
Email: Fei.Collier@dhcs.ca.gov
I. DURATION: The effective date of this IEA is January 1, 2010. This IEA will remain in effect for as long as: (1) a CMPPA Agreement governing this IEA is in effect between SSA and the State or the State Agency; and (2) the State Agency submits a certification in accordance with Section J. below at least 30 days before the expiration and renewal of such CMPPA Agreement.
J. CERTIFICATION AND PROGRAM CHANGES: At least 30 days before the expiration and renewal of the State CMPPA Agreement governing this IEA, the State Agency will certify in writing to SSA that: (1) it is in compliance with the terms and conditions of this IEA; (2) the data exchange processes under this IEA have been and will be conducted without change; and (3) it will, upon SSA's request, provide audit reports or other documents that demonstrate review and oversight activities. If there are substantive changes in any of the programs or data exchange processes listed in this IEA, the parties will modify the IEA in accordance with Section K. below and the State Agency will submit for SSA's approval new program questionnaires under Section C. above describing such changes prior to using SSA's data to administer such new or changed program.
K. MOD IFICATI ON: Mod ifications to this lEA must be in writing and agreed to by the
parties.
L. TERMINATI ON: The parties may terminate this lEA at any time upon mutual written
consent. In addition, either party may unilaterally terminate this lEA upon 90 clays advance
written notice to the other party. Suoh unilateral termination win be effective 90 days after
the date of the notice, or at a later date specified in the notice.
SSA may immediately and tmilaterally suspend the data flow under this lEA, o1· terminate
this IEA, if SSA, in its sole discretion, determines that the State Agency (including its
employees, contractors, and agents) has: (1) made an unauthorized use or disclosure ofSSA-
supplied data; or (2) violated or failed to follow the terms and conditions of this lEA or the
CMPPA Agreement.
M. INTEG RA TI ON: This IEA, including all attachments, constitutes the entire agreement of
the parties with respect to its subject matter. There have been 'no representations, warranties)
or promises made outside of this IEA. This lEA shall take precedence over any other
document that may be in conflict with it.
ATTACHMENTS
1 - CMPPA Agreement
2 - SSA Data Exchange Systems
3 - Systems Security Requirements for SSA Web Access to SSA Information
Through ICON
4 - Information System Security Guidelines for Federal, State and Local Agencies
Receiving Electronic Information from the Social Security Administration
5 - PII Loss Reporting Worksheet
N. SSA AUTHORIZED SIGNATURE: The signatory below warrants and represents that he
or she has the competent authority on behalf of SSA to enter into the obligations set forth in
this IEA.
SOCIAL SECURITY ADMINISTRATION
O. REGIONAL AND STATE AGENCY SIGNATURES:
SOCIAL SECURITY ADMINISTRATION
REGION IX
Peter D. Spencer
San Francisco Regional Commissioner
THE CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES
The signatory below warrants and represents that he or she has the competent authority
on behalf of the State Agency to enter into the obligations set forth in this IEA.
th Care Programs
Date
2012 IEA CERTIFICATION OF COMPLIANCE
(IEA-F)
CERTIFICATION OF COMPLIANCE
FOR
THE INFORMATION EXCHANGE AGREEMENT
BETWEEN
THE SOCIAL SECURITY ADMINISTRATION (SSA)
AND
THE CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES (STATE
AGENCY)
(State Agency Level)
In accordance with the terms of the Information Exchange Agreement (IEA/F) between SSA and
the State Agency, the State Agency, through its authorized representative, hereby certifies that,
as of the date of this certification:
1. The State Agency is in compliance with the terms and conditions of the IEA/F;
2. The State Agency has conducted the data exchange processes under the IEA/F without
change, except as modified in accordance with the IEA/F;
3. The State Agency will continue to conduct the data exchange processes under the IEA/F
without change, except as may be modified in accordance with the IEA/F;
4. Upon SSA's request, the State Agency will provide audit reports or other documents that
demonstrate compliance with the review and oversight activities required under the
IEA/F and the governing Computer Matching and Privacy Protection Act Agreement;
and
5. In compliance with the requirements of the "Electronic Information Exchange Security
Requirements, Guidelines, and Procedures for State and Local Agencies Exchanging
Electronic Information with the Social Security Administration," Attachment 4 to the
IEA/F, as periodically updated by SSA, the State Agency has not made any changes in
the following areas that could potentially affect the security of SSA data:
• General System Security Design and Operating Environment
• System Access Control
• Automated Audit Trail
• Monitoring and Anomaly Detection
• Management Oversight
• Data and Communications Security
The State Agency will submit an updated Security Design Plan at least 30 days prior to
making any changes to the areas listed above.
The signatory below warrants and represents that he or she is a representative of the State
Agency duly authorized to make this certification on behalf of the State Agency.
DEPARTMENT OF HEALTH CARE SERVICES OF CALIFORNIA
Toby Douglas
Director
Date
ATTACHMENT 1
COMPUTER MATCHING AND PRIVACY
PROTECTION ACT AGREEMENT
Model CMPPA Agreement
COMPUTER MATCHING AND PRIVACY PROTECTION ACT AGREEMENT
BETWEEN
THE SOCIAL SECURITY ADMINISTRATION
AND
THE HEALTH AND HUMAN SERVICES AGENCY
OF CALIFORNIA
I. Purpose and Legal Authority
A. Purpose
This Computer Matching and Privacy Protection Act (CMPPA) Agreement
between the Social Security Administration (SSA) and the California Health and
Human Services Agency (State Agency), sets forth the terms and conditions
governing disclosures of records, information, or data (collectively referred to
herein "data") made by SSA to the State Agency that administers federally
funded benefit programs under various provisions of the Social Security Act
(Act), such as section 1137 (42 U.S.C. § 1320b-7), including the state-funded
state supplementary payment programs under title XVI of the Act. The terms and
conditions of this Agreement ensure that SSA makes such disclosures of data, and
the State Agency uses such disclosed data, in accordance with the requirements of
the Privacy Act of 1974, as amended by the Computer Matching and Privacy
Protection Act of 1988, 5 U.S.C. § 552a.
Under section 1137 of the Act, the State Agency is required to use an income and
eligibility verification system to administer specified federally funded benefit
programs, including the state-funded state supplementary payment programs
under title XVI of the Act. To assist the State Agency in determining entitlement
to and eligibility for benefits under those programs, as well as other federally
funded benefit programs, SSA discloses certain data about applicants for state
benefits from SSA Privacy Act Systems of Records (SOR) and verifies the Social
Security numbers (SSN) of the applicants.
B. Legal Authority
SSA's authority to disclose data and the State Agency's authority to collect,
maintain, and use data protected under SSA SORs for specified purposes is:
• Sections 1137, 453, and 1106(b) of the Act (42 U.S.C. §§ 1320b-7, 653,
and 1306(b)) (income and eligibility verification data);
• 26 U.S.C. § 6103(l)(7) and (8) (tax return data);
• Section 202(x)(3)(B)(iv) of the Act (42 U.S.C. § 401(x)(3)(B)(iv))
(prisoner data);
• Section 1611(e)(1)(I)(iii) of the Act (42 U.S.C. § 1382(e)(1)(I)(iii)) (SSI);
• Section 205(r)(3) of the Act (42 U.S.C. § 405(r)(3)) and the Intelligence
Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458,
§ 7213(a)(2) (death data);
• Sections 402, 412, 421, and 435 of Pub. L. 104-193 (8 U.S.C. §§ 1612,
1622, 1631, and 1645) (quarters of coverage data);
• Children's Health Insurance Program Reauthorization Act of 2009,
Pub. L. 111-3 (citizenship data); and
• Routine use exception to the Privacy Act, 5 U.S.C. § 552a(b)(3) (data
necessary to administer other programs compatible with SSA programs).
This Agreement further carries out section 1106(a) of the Act (42 U.S.C. § 1306),
the regulations promulgated pursuant to that section (20 C.F.R. Part 401), the
Privacy Act of 1974 (5 U.S.C. § 552a), as amended by the CMPPA, related Office
of Management and Budget (OMB) guidelines, the Federal Information Security
Management Act of 2002 (FISMA) (44 U.S.C. § 3541, et seq.), and related
National Institute of Standards and Technology (NIST) guidelines, which provide
the requirements that the State Agency must follow with regard to use, treatment,
and safeguarding of data.
II. Scope
A. The State Agency will comply with the terms and conditions of this Agreement
and the Privacy Act, as amended by the CMPPA.
B. The State Agency will execute one or more Information Exchange Agreements
(IEA) with SSA, documenting additional terms and conditions applicable to those
specific data exchanges, including the particular benefit programs administered by
the State Agency, the data elements that will be disclosed, and the data protection
requirements implemented to assist the State Agency in the administration of
those programs.
C. The State Agency will use the SSA data governed by this Agreement to determine
entitlement and eligibility of individuals for one or more of the following
programs:
1. Temporary Assistance to Needy Families (TANF) program under Part A
of title IV of the Act;
2. Medicaid provided under an approved State plan or an approved waiver under
title XIX of the Act;
3. State Children's Health Insurance Program (CHIP) under title XXI of the Act,
as amended by the Children's Health Insurance Program Reauthorization Act
of 2009;
4. Supplemental Nutritional Assistance Program (SNAP) under the Food Stamp
Act of 1977 (7 U.S.C. § 2011, et seq.);
5. Women, Infants and Children Program (WIC) under the Child Nutrition Act
of 1966 (42 U.S.C. § 1771, et seq.);
6. Medicare Savings Programs (MSP) under 42 U.S.C. § 1396a(10)(E);
7. Unemployment Compensation programs provided under a state law described
in section 3304 of the Internal Revenue Code of 1954;
8. Low Income Heating and Energy Assistance (LIHEAP or home energy
grants) program under 42 U.S.C. § 8621;
9. State-administered supplementary payments of the type described in
section 1616(a) of the Act;
10. Programs under a plan approved under titles I, X, XIV or XVI of the Act;
11. Foster Care and Adoption Assistance under title IV of the Act;
12. Child Support Enforcement programs under section 453 of the Act
(42 U.S.C. § 653);
13. Other applicable federally funded programs administered by the State Agency
under titles I, IV, X, XIV, XVI, XVIII, XIX, XX and XXI of the Act; and
14. Any other federally funded programs administered by the State Agency that
are compatible with SSA's programs.
D. The State Agency will ensure that SSA data disclosed for the specific purpose of
administering a particular federally funded benefit program is used only to
administer that program.
III. Justification and Expected Results
A. Justification
This Agreement and related data exchanges with the State Agency are necessary
for SSA to assist the State Agency in its administration of federally funded benefit
programs by providing the data required to accurately determine entitlement and
eligibility of individuals for benefits provided under these programs. SSA uses
computer technology to transfer the data because it is more economical, efficient,
and faster than using manual processes.
B. Expected Results
The State Agency will use the data provided by SSA to improve public service
and program efficiency and integrity. The use of SSA data expedites the
application process and ensures that benefits are awarded only to applicants that
satisfy the State Agency's program criteria. A cost-benefit analysis for the
exchange made under this Agreement is not required in accordance with the
determination by the SSA Data Integrity Board (DIB) to waive such analysis
pursuant to 5 U.S.C. § 552a(u)(4)(B).
IV. Record Description
A. Systems of Records
SSA SORs used for purposes of the subject data exchanges include:
• 60-0058 -- Master Files of SSN Holders and SSN Applications
(accessible through EVS, SVES, or Quarters of Coverage
Query data systems);
• 60-0059 -- Earnings Recording and Self-Employment Income System
(accessible through BENDEX, SVES, or Quarters of Coverage
Query data systems);
• 60-0090 -- Master Beneficiary Record (accessible through BENDEX or
SVES data systems);
• 60-0103 -- Supplemental Security Income Record (SSR) and Special
Veterans Benefits (SVB) (accessible through SDX or SVES
data systems);
• 60-0269 -- Prisoner Update Processing System (PUPS) (accessible through
SVES or Prisoner Query data systems);
• 60-0321 -- Medicare Part D and Part D Subsidy File
The State Agency will only use the tax return data contained in SOR 60-0059
(Earnings Recording and Self-Employment Income System) in accordance with
26 U.S.C. § 6103.
B. Data Elements
Data elements disclosed in computer matching governed by this Agreement are
Personally Identifiable Information (PII) from specified SSA SORs, including
names, SSNs, addresses, amounts, and other information related to SSA benefits,
and earnings information. Specific listings of data elements are available at:
ht tp;//Yf'NW.SSa.g QY/g j?Si
C. Number of Records Involved
The number of records for each program covered under this Agreement is equal to
the number of title II, title XVI, or title XVIII recipients resident in the State as
recorded in SSA's Annual Statistical Supplement found on the Internet at:
http://www.ssa.gov/policy/docs/statcomps
This number will fluctuate during the term of this Agreement, corresponding to
the number of title II, title XVI, and title XVIII recipients added to, or deleted
from, SSA databases during the term of this Agreement.
V. Notice and Opportunity to Contest Procedures
A. Notice to Applicants
The State Agency will notify all individuals who apply for federally funded,
state-administered benefits under the Act that any data they provide are subject to
verification through computer matching with SSA. The State Agency and SSA
will provide such notice through appropriate language printed on application
forms or separate handouts.
B. Notice to Beneficiaries/Recipients/Annuitants
The State Agency will provide notice to beneficiaries, recipients, and annuitants
under the programs covered by this Agreement informing them of ongoing
computer matching with SSA. SSA will provide such notice through publication
in the Federal Register and periodic mailings to all beneficiaries, recipients, and
annuitants describing SSA's matching activities.
C. Opportunity to Contest
The State Agency will not terminate, suspend, reduce, deny, or take other adverse
action against an applicant for or recipient of federally funded, state-administered
benefits based on data disclosed by SSA from its SORs until the individual is
notified in writing of the potential adverse action and provided an opportunity to
contest the planned action. "Adverse action" means any action that results in a
termination, suspension, reduction, or final denial of eligibility, payment, or
benefit. Such notices will:
1. Inform the individual of the match findings and the opportunity to contest
these findings;
2. Give the individual until the expiration of any time period established for the
relevant program by a statute or regulation for the individual to respond to
the notice. If no such time period is established by a statute or regulation for
the program, a 30-day period will be provided. The time period begins on
the date on which notice is mailed or otherwise provided to the individual to
respond; and
3. Clearly state that, unless the individual responds to the notice in the required
time period, the State Agency will conclude that the SSA data are correct and
will effectuate the threatened action or otherwise make the necessary
adjustment to the individual's benefit or entitlement.
VI. Records Accuracy Assessment and Verification Procedures
The State Agency may use SSA's benefit data without independent verification.
SSA has independently assessed the accuracy of its benefits data to be more than
99 percent accurate when they are created.
Prisoner and death data, some of which is not independently verified by SSA, does
not have the same degree of accuracy as SSA's benefit data. Therefore, the State
Agency must independently verify these data through applicable State verification
procedures and the notice and opportunity to contest procedures specified in
Section V of this Agreement before taking any adverse action against any individual.
SSA's citizenship data may be less than 50 percent current. Applicants for SSNs
report their citizenship status at the time they apply for their SSNs. There is no
obligation for an individual to report to SSA a change in his or her immigration status
until he or she files a claim for benefits.
VII. Disposition and Records Retention of Matched Items
A. The State Agency will retain all data received from SSA to administer programs
governed by this Agreement only for the required processing times for the
applicable federally funded benefit programs and will then destroy all such data.
B. The State Agency may retain SSA data in hardcopy to meet evidentiary
requirements, provided that they retire such data in accordance with applicable
state laws governing the State Agency's retention of records.
C. The State Agency may use any accretions, deletions, or changes to the SSA data
governed by this Agreement to update their master files of federally funded,
state-administered benefit program applicants and recipients and retain such
master files in accordance with applicable state laws governing the State
Agency's retention of records.
D. The State Agency may not create separate files or records comprised solely of the
data provided by SSA to administer programs governed by this Agreement.
E. SSA will delete electronic data input files received from the State Agency after it
processes the applicable match. SSA will retire its data in accordance with the
Federal Records Retention Schedule (44 U.S.C. § 3303a).
VIII. Security Procedures
The State Agency will comply with the security and safeguarding requirements of the
Privacy Act, as amended by the CMPPA, related OMB guidelines, FISMA, related
NIST guidelines, and the current revision of IRS Publication 1075, Tax Information
Security Guidelines for Federal, State and Local Agencies and Entities, available at
http://www.irs.gov. In addition, the State Agency will have in place administrative,
technical, and physical safeguards for the matched data and results of such matches.
Additional administrative, technical, and physical security requirements governing all
data SSA provides electronically to the State Agency, including specific guidance on
safeguarding and reporting responsibilities for PII, are set forth in the IEAs.
IX. Records Usage, Duplication, and Redisclosure Restrictions
A. The State Agency will use and access SSA data and the records created using that
data only for the purpose of verifying eligibility for the specific federally funded
benefit programs identified in the IEA.
B. The State Agency will comply with the following limitations on use, duplication,
and redisclosure of SSA data:
1. The State Agency will not use or redisclose the data disclosed by SSA for any
purpose other than to determine eligibility for, or the amount of, benefits
under the state-administered income/health maintenance programs identified
in this Agreement.
2. The State Agency will not use the data disclosed by SSA to extract
information concerning individuals who are neither applicants for, nor
recipients of, benefits under the state-administered income/health maintenance
programs identified in this Agreement.
3. The State Agency will use the Federal tax information (FTI) disclosed by
SSA only to determine individual eligibility for, or the amount of, assistance
under a state plan pursuant to section 1137 programs and child support
enforcement programs in accordance with 26 U.S.C. § 6103(l)(7) and (8).
The State Agency receiving FTI will maintain all FTI from IRS in accordance
with 26 U.S.C. § 6103(p)(4) and the IRS Publication 1075. Contractors and
agents acting on behalf of the State Agency will only have access to tax return
data where specifically authorized by 26 U.S.C. § 6103 and the IRS
Publication 1075.
4. The State Agency will use the citizenship status data disclosed by SSA
under the Children's Health Insurance Program Reauthorization Act of 2009,
Pub. L. 111-3, only for the purpose of determining entitlement to Medicaid
and CHIP programs for new applicants.
5. The State Agency will restrict access to the data disclosed by SSA to only
those authorized State employees, contractors, and agents who need such data
to perform their official duties in connection with the purposes identified in
this Agreement.
6. The State Agency will enter into a written agreement with each of its
contractors and agents who need SSA data to perform their official duties
whereby such contractor or agent agrees to abide by all relevant Federal laws,
restrictions on access, use, and disclosure, and security requirements in this
Agreement. The State Agency will provide its contractors and agents with
copies of this Agreement, related IEAs, and all related attachments before
initial disclosure of SSA data to such contractors and agents. Prior to signing
this Agreement, and thereafter at SSA's request, the State Agency will obtain
from its contractors and agents a current list of the employees of such
contractors and agents with access to SSA data and provide such lists to SSA.
7. The State Agency's employees, contractors, and agents who access, use, or
disclose SSA data in a manner or purpose not authorized by this Agreement
may be subject to civil and criminal sanctions pursuant to applicable Federal
statutes.
C. The State Agency will not duplicate in a separate file or disseminate, without prior
written permission from SSA, the data governed by this Agreement for any
purpose other than to determine entitlement to, or eligibility for, federally funded
benefits. The State Agency proposing the redisclosure must specify in writing to
SSA what data are being disclosed, to whom, and the reasons that justify the
redisclosure. SSA will not give permission for such redisclosure unless the
redisclosure is required by law or essential to the conduct of the matching
program and authorized under a routine use.
X. Comptroller General Access
The Comptroller General (the Government Accountability Office) may have access to
all records of the State Agency that the Comptroller General deems necessary to
monitor and verify compliance with this Agreement in accordance with
5 U.S.C. § 552a(o)(1)(K).
XI. Duration, Modification, and Termination of the Agreement
A. Duration
1. This Agreement is effective from July 1, 2012 (Effective Date) through
December 31, 2013 (Expiration Date).
2. In accordance with the CMPPA, SSA will: (a) publish a Computer
Matching Notice in the Federal Register at least 30 days prior to the
Effective Date; (b) send required notices to the Congressional committees of
jurisdiction under 5 U.S.C. § 552a(o)(2)(A)(i) at least 40 days prior to the
Effective Date; and (c) send the required report to the OMB at least 40 days
prior to the Effective Date.
3. Within 3 months prior to the Expiration Date, the SSA DIB may, without
additional review, renew this Agreement for a period not to exceed
12 months, pursuant to 5 U.S.C. § 552a(o)(2)(D), if:
• the applicable data exchange will continue without any change; and
• SSA and the State Agency certify to the DIB in writing that the
applicable data exchange has been conducted in compliance with this
Agreement.
4. If either SSA or the State Agency does not wish to renew this Agreement, it
must notify the other party of its intent not to renew at least 3 months prior
to the Expiration Date.
B. Modification
Any modification to this Agreement must be in writing, signed by both parties,
and approved by the SSA DIB.
C. Termination
The parties may terminate this Agreement at any time upon mutual written
consent of both parties. Either party may unilaterally terminate this Agreement
upon 90 days advance written notice to the other party; such unilateral termination
will be effective 90 days after the date of the notice, or at a later date specified in
the notice.
SSA may immediately and unilaterally suspend the data flow or terminate this
Agreement if SSA determines, in its sole discretion, that the State Agency has
violated or failed to comply with this Agreement.
XII. Reimbursement
In accordance with section 1106(b) of the Act, the Commissioner of SSA has
determined not to charge the State Agency the costs of furnishing the electronic data
from the SSA SORs under this Agreement.
XIII. Disclaimer
SSA is not liable for any damages or loss resulting from errors in the data provided
to the State Agency under any IEAs governed by this Agreement. Furthermore, SSA
is not liable for any damages or loss resulting from the destruction of any materials
or data provided by the State Agency.
XIV. Points of Contact
A. SSA Point of Contact
Regional Office
Martin White, Director
San Francisco Regional Office, Center for Programs Support
1221 Nevin Ave
Richmond CA 94801
Phone: (510) 970-8243/Fax: (510) 970-8101
Martin.White@ssa.gov
B. State Agency Point of Contact
Sonia Herrera
Health and Human Services Agency
1600 Ninth Street, Room 460
Sacramento, CA 95814
Phone: (916) 654-3459/Fax: (916) 44w5001
sherrera@chhs.ca.gov
XV. SSA and Data Integrity Board Approval of Model CMPPA Agreement
The signatories below warrant and represent that they have the competent authority
on behalf of SSA to approve the model of this CMPPA Agreement.
SOCIAL SECURITY ADMINISTRATION
Deputy Executive Director
Office of Privacy and Disclosure
Office of the General Counsel
I certify that the SSA Data Integrity Board approved the model of this CMPPA
Agreement.
Daniel F. Callahan
Chair
SSA Data Integrity Board
Date
XVI. Authorized Signatures
The signatories below warrant and represent that they have the competent authority
on behalf of their respective agencies to enter into the obligations set forth in this
Agreement.
SOCIAL SECURITY ADMINISTRATION
HEALTH AND HUMAN SERVICES AGENCY
Diana S. Dooley
Secretary
Date
ATTACHMENT 2
AUTHORIZED DATA EXCHANGE SYSTEM(S)
BEER (Beneficiary Earnings Exchange Record): Employer data for the last calendar year.
BENDEX (Beneficiary and Earnings Data Exchange): Primary source for Title II eligibility,
benefit and demographic data.
LIS (Low-Income Subsidy): Data from the Low-Income Subsidy Application for Medicare Part
D beneficiaries -- used for Medicare Savings Programs (MSP).
Medicare 1144 (Outreach): Lists of individuals on SSA rolls, who may be eligible for medical
assistance for: payment of the cost of Medicare cost-sharing under the Medicaid program
pursuant to Sections 1902(a)(10)(E) and 1933 of the Act; transitional assistance under Section
1860D-31(f) of the Act; or premiums and cost-sharing subsidies for low-income individuals
under Section 1860D-14 of the Act.
PUPS (Prisoner Update Processing System): Confinement data received from over 2000 state
and local institutions (such as jails, prisons, or other penal institutions or correctional facilities) --
PUPS matches the received data with the MBR and SSR benefit data and generates alerts for
review/action.
QUARTERS OF COVERAGE (QC): Quarters of Coverage data as assigned and described
under Title II of the Act -- The term "quarters of coverage" is also referred to as "credits" or
"Social Security credits" in various SSA public information documents, as well as to refer to
"qualifying quarters" to determine entitlement to receive Food Stamps.
SDX (SSI State Data Exchange): Primary source of Title XVI eligibility, benefit and
demographic data as well as data for Title VIII Special Veterans Benefits (SVB).
SOLQ/SOLQ-I (State On-line Query/State On-line Query-Internet): A real-time online
system that provides SSN verification and MBR and SSR benefit data similar to data provided
through SVES.
SVES (State Verification and Exchange System): A batch system that provides SSN
verification, MBR benefit information, and SSR information through a uniform data
response based on authorized user-initiated queries. The SVES types are divided into
five different responses as follows:
SVES I: This batch provides strictly SSN verification.
SVES I/Citizenship*: This batch provides strictly SSN verification and citizenship data.
SVES II: This batch provides strictly SSN verification and MBR benefit information.
SVES III: This batch provides strictly SSN verification and SSR/SVB.
SVES IV: This batch provides SSN verification, MBR benefit information, and SSR/SVB information, which represents all available SVES data.
*Citizenship status data disclosed by SSA under the Children's Health Insurance
Program Reauthorization Act of 2009, Pub. L. 111-3 is only for the purpose of
determining entitlement to Medicaid and CHIP program for new applicants.
ATTACHMENT 3 OMITTED
ATTACHMENT 4
ELECTRONIC INFORMATION EXCHANGE SECURITY
REQUIREMENTS AND PROCEDURES
ELECTRONIC INFORMATION EXCHANGE
SECURITY REQUIREMENTS AND PROCEDURES
FOR
STATE AND LOCAL AGENCIES
EXCHANGING ELECTRONIC INFORMATION WITH THE
SOCIAL SECURITY ADMINISTRATION
SENSITIVE DOCUMENT
VERSION 6.0
APRIL 23, 2012
Table of Contents
1. Introduction
2. Electronic Information Exchange (EIE) Definition
3. Roles and Responsibilities
4. General Systems Security Standards
5. Systems Security Requirements
5.1 Overview
5.2 General System Security Design and Operating Environment
5.3 System Access Control
5.4 Automated Audit Trail
5.5 Personally Identifiable Information (PII)
5.6 Monitoring and Anomaly Detection
5.7 Management Oversight and Quality Assurance
5.8 Data and Communications Security
5.9 Incident Reporting
5.10 Security Awareness and Employee Sanctions
5.11 Contractors of Electronic Information Exchange Partners
6. General--Security Certification and Compliance Review Programs
6.1 The Security Certification Program
6.2 Documenting Security Controls in the Security Design Plan (SDP)
6.2.1 When the SDP and RA are Required
6.3 The Certification Process
6.4 The Compliance Review Program and Process
6.5.1 EIEP Compliance Review Participation
6.5.2 Verification of Audit Samples
6.6 Scheduling the Onsite Review
7. Additional Definitions
8. Regulatory References
9. Frequently Asked Questions
10. Diagrams
Flow Chart of the OIS Certification Process
Flow Chart of the OIS Compliance Review Process
Compliance Review Decision Matrix
1. Introduction
The Social Security Administration (SSA) is required by law to maintain oversight and assure the
protection of information it has provided to its 'electronic information exchange partners' (EIEPs).
EIEPs are entities that have established an electronic information sharing agreement with the
agency.
The overall aim of this document is twofold. First, to ensure that EIEPs are properly certified as
compliant by SSA to SSA security requirements, standards, and procedures expressed in this
document, prior to being granted access to SSA information in a production environment; second,
to ensure that EIEPs adequately safeguard electronic information provided to them by SSA.
This document (which is considered SENSITIVE by SSA and must be handled accordingly)
describes the security requirements which must be met, including SSA's standards and procedures
which must be implemented by outside entities (state and local agencies) in order to obtain
information from SSA electronically. This document assists outside entities in understanding the
criteria that SSA will use when evaluating and certifying the system design and security features
used for electronic access to SSA-provided information. It also provides the framework and
general procedures for SSA's security compliance review program intended to ensure, on a periodic
basis, conformance to SSA's security requirements by outside entities.
The addition, elimination, and modification of security controls, etc., are predicated upon factors
which impact the level of security and due diligence required for mitigating risks, e.g., the
emergence of new threats and attack methods, the availability of new security technologies, etc.
System security requirements (SSR) are, therefore, periodically reviewed and revised. Accordingly,
over time, the SSRs may be subject to change.
The EIEP must comply with SSA's most current SSRs for access to SSA-provided data. However,
SSA will work with its partners in the EIEPs' resolution of any deficiencies which occur subsequent
to previous approval for access as the result of updated SSRs. Additionally, EIEPs may proactively
ensure their ongoing compliance with the SSRs by periodically requesting the most current SSR
package from their SSA contact and making such adjustments as may be necessary.
2. Electronic Information Exchange (EIE) Definition
For discussion purposes herein, EIE is any electronic process in which information under SSA
control is disclosed to any third party for program or non-program purposes, without the specific
consent of the owner of that information. EIE involves individual data transactions and data files
that are processed within the programmatic systems of either or all parties to electronic
information sharing agreements with SSA. This includes direct terminal access (DTA) to SSA
systems, batch processing, and variations thereof (e.g., online query) regardless of the systematic
method used to accomplish the activity or to interconnect SSA with the EIEP.
3. Roles and Responsibilities
The SSA Office of Information Security (OIS) has agency-wide responsibility for interpreting,
developing, and implementing security policy; providing security and integrity review requirements
for all major SSA systems; managing SSA's fraud monitoring and reporting activities; developing
and disseminating security training and awareness materials; and providing consultation and
support for a variety of agency initiatives. SSA's security reviews ensure that external systems
receiving information from SSA are secure and operate in a manner that is consistent with SSA's
Information Technology (IT) security policies and in compliance with the terms of electronic
information sharing agreements executed by SSA and the outside entity. Within the context of
SSA's security policies and the terms of electronic information sharing agreements with SSA's
EIEPs, OIS exclusively conducts and brings to closure initial security certifications and periodic
security compliance reviews of EIEPs that process, maintain, transmit, or store SSA-provided data
in accordance with pertinent Federal requirements, which include the following (refer to
References):
a. The Federal Information Security Management Act (FISMA) requires the protection of "Federal
information in contractor systems, including those systems operated by state and local
governments".
b. SSA policies, standards, procedures, and directives.
Privacy Information is information about an individual including, but not limited to, personal
identifying information including the social security number (SSN).
The data (last 4 digits of the SSN) provided by SSA to its EIEPs for purposes of the Help America
Vote Act (HAVA) does not identify a specific individual and, therefore, is not 'Privacy Information'
as defined by the Act.
However, SSA is diligent in discharging its responsibility for establishing appropriate administrative,
technical, and physical safeguards to ensure the security, confidentiality, and availability of its
records and to protect against any anticipated threats or hazards to their security or integrity.
Therefore, although the information provided for HAVA is not, by definition, 'Privacy Information'
and as such does not require that SSA conduct compliance reviews of entities to which it provides
information for purposes of HAVA, SSA does require that those organizations adhere to the terms
of their electronic information sharing agreements with SSA.
NOTE: Disclosure of Federal Tax Information (FTI) is limited to certain Federal agencies
and state programs supported by federal statutes under section 1137 of the Social
Security Act. For information regarding safeguards for protecting FTI, consult IRS
Publication 1075, Tax Information Security Guidelines For Federal, State, and Local
Agencies.
SSA regional Data Exchange Coordinators (DECs) are the bridge between SSA and state EIEPs.
As such, in the security arena, DECs will assist OIS in coordinating data exchange security review
activities with state and local EIEPs; e.g., providing points of contact with state agencies, assisting
in setting up security reviews, etc. DECs are also the first points of contact for states if an
employee of a state agency or an employee of a state agency's contractor or agent becomes aware
of suspected or actual loss of SSA-provided personally identifiable information (PII).
4. General Systems Security Standards
EIEPs that request and receive information electronically from SSA must comply with the following
general systems security standards concerning access to and control of SSA-provided information.
NOTE: EIEPs may not create separate files or records comprised solely of the information
provided by SSA.
a. EIEPs must ensure that the means, methods, and technology by which SSA-provided information is
processed, maintained, transmitted, or stored neither prevent nor impede the EIEP's ability to:
• safeguard the information in conformance to SSA requirements;
• efficiently investigate fraud, breach, or security events that involve SSA-provided data, or
instances of misuse of SSA-provided data.
For example, utilization of cloud computing may have the potential to jeopardize an EIEP's
compliance with the terms of their agreement or SSA's associated system security requirements
and procedures.
b. The electronic connection established between the EIEPs and SSA must be used only in support
of the current agreement(s) between the EIEPs and SSA.
c. The software and/or devices provided to the EIEPs by SSA must be used only in support of the
current agreement(s) between the EIEPs and SSA.
d. EIEPs are prohibited from modifying any software or devices provided to the EIEPs by SSA.
e. EIEPs must ensure that SSA-provided data is not processed, maintained, transmitted, or stored
in or by means of data communications channels, electronic devices, computers, computer
networks, etc. that are located in geographic or virtual areas not subject to U.S. law.
f. EIEPs must restrict access to the information to authorized users who need it to perform their
official duties.
NOTE: Contractors and agents (hereafter referred to as contractors) of the EIEP who
process, maintain, transmit, or store SSA-provided data are held to the same security
requirements as are employees of the EIEP. Refer to the section 'Contractors of
Electronic Information Exchange Partners' in the 'Systems Security Requirements' for
additional information.
g. Information received from SSA must be stored in a manner that, at all times, is physically and
electronically secure from access by unauthorized persons.
h. SSA-provided information must be processed under the immediate supervision and control of
authorized personnel.
i. EIEPs must employ both physical and technological safeguards to ensure against unauthorized
retrieval of SSA-provided information by means of computer, remote terminal, or other means.
j. EIEPs must have in place formal PII incident response procedures. When faced with a security
incident, whether caused by malware, unauthorized access, software issues, or acts of nature,
etc., the EIEP must be able to respond in a manner that protects SSA-provided information affected
by the incident.
k. EIEPs must have an active and robust employee security awareness program that is mandatory
for all employees who may have access to SSA-provided information.
l. EIEP employees with access to SSA-provided information must be advised of the confidentiality
of the information, the safeguards required to protect the information, and the civil and criminal
sanctions for non-compliance contained in the applicable Federal and state laws.
m. At its discretion, SSA or its designee must have the option to conduct on-site security reviews
or make other provisions, to ensure that EIEPs maintain adequate security controls to
safeguard the information we provide.
5. Systems Security Requirements
5.1 Overview
Following is a discussion of the SSRs that must be met by SSA's EIEPs. SSA must certify that
controls to meet the requirements have been implemented and are working as intended before it
will authorize initiating transactions to and from SSA through batch data exchange processes
or online processes such as State Online Query (SOLQ) or Internet SOLQ.
The SSRs address management, operational, and technical aspects of security regarding the
confidentiality, integrity, and availability of SSA-provided information used, maintained,
transmitted, or stored by SSA's EIEPs.
SSRs are representative of the current state-of-the-practice security controls, safeguards, and
countermeasures required for Federal information systems by Federal regulations and
statutes, congressional mandates, etc., including but not limited to the Privacy Act of 1974,
the Federal Information Security Management Act (FISMA), etc., and recommended by
standards and guidelines established by NIST, etc.
5.2 General System Security Design and Operating Environment
The EIEP must provide descriptions and explanations of their overall system design,
configuration, security features, and operational environment and include discussions of how
they conform to SSA's requirements. Discussion must also include:
• Description of the operating environment(s) in which SSA-provided data is to be utilized,
maintained, and transmitted
• Description of the business process(es) in which SSA-provided information is to be used
• Physical safeguards employed to ensure that unauthorized personnel cannot access SSA-
provided data and that audit information pertaining to use of and access to SSA-provided
information and the EIEP's associated applications is readily available
• Electronic safeguards, methods, and procedures for protecting the EIEP's network
infrastructure and for protecting SSA-provided data while in transit, in use within a
process or application, and at rest (stored or not in use); preventing unauthorized retrieval of
SSA-provided information by computer, remote terminal, or other means; including
descriptions of security software other than access control software (e.g., security patch
and anti-malware software installation and maintenance, etc.)
• Descriptions of how the configurations of devices (e.g., servers, workstations, portable
devices) involving SSA-provided information are in compliance with recognized industry
standards and SSA's SSRs, and implement adequate security controls (e.g., passwords
enforcing sufficient construction strength to defeat or minimize risk-based identified
vulnerabilities).
5.3 System Access Control
EIEPs must utilize and maintain technological (logical) access controls that limit access to
SSA-provided information and associated transactions and functions to only those users,
processes acting on behalf of authorized users, or devices (including other information
systems) authorized for such access based on their official duties or purpose(s). EIEPs must
employ a recognized user access security software package (e.g., RACF, ACF2, TOP SECRET)
or a security software design which is at minimum equivalent to such products. The access
control software must utilize personal identification numbers (PIN) and passwords or
biometric identifiers in combination with the user's system identification code (userID), etc.
(e.g., the access control software must employ and enforce (1) PIN/password, and/or (2)
PIN/biometric identifier, and/or (3) SmartCard/biometric identifier, etc., for authentication of
users).
Depending upon the computing platform (e.g., client/server (PC), mainframe) and the access
software implementation, the terms "PIN" and "user system identification code (userID)" may
be, for practical purposes, synonymous. For example, the PIN/password combination may be
required for access to an individual's PC, after which the userID/password combination may
be required for access to a mainframe application. (A biometric identifier may supplant one
element in the pair of those combinations.)
Implementation of the control software must be in compliance with recognized industry
standards. For example, password policies should enforce sufficient construction strength
(length and complexity) to defeat or minimize risk-based identified vulnerabilities and ensure
limitations for password repetition; technical controls should enforce periodic password
changes based on a risk-based standard (e.g., maximum password age of 30-45 days,
minimum password age of 3-7 days), enforce automatic disabling of user accounts that
have been inactive for a specified period of time (e.g., 45 days), etc.
The EIEP's password policies must also require more stringent password construction (e.g.,
passwords greater than eight characters in length requiring upper and lower case letters,
numbers, and special characters; password phrases) for the user accounts of persons,
processes, or devices whose functions require access privileges in excess of those of ordinary
users.
EIEPs must have management control and oversight of the function of authorizing individual
user access to SSA-provided information and over the process of issuing and managing
access control PINs, passwords, biometric identifiers, etc. for access to the EIEP's system.
The EIEPs' systems access rules must cover such matters as least privilege and individual
accountability regarding access to sensitive information and associated transactions and
functions, control of transactions by permissions modules, the assignment and limitation of
system privileges, disabling accounts of separated employees (e.g., within 24 hours),
individual accountability, work at home, dial-up access, and connecting to the Internet.
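The following is an added example, not part of the SSA document or any EIEP's access control software: a small policy checker that applies the password-construction and account-management rules of this section as a periodic review job would. The numeric thresholds are the ones the section gives as examples (45-day maximum and 3-day minimum password age, 45-day inactivity disabling, 24-hour disabling of separated employees); the 8-character minimum and three-character-class rule for ordinary users, the five-password history window, and all account names are assumptions made for the example.

```python
"""Added example, not from the SSA document: a policy checker modelled on the
password-construction and account-management rules of section 5.3. The
numeric thresholds are the ones the section gives as examples; the ordinary-user
minimum length (8), the three-class rule for ordinary users, the history depth
and every name here are assumptions made for the example."""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ORDINARY_MIN_LEN = 8                    # assumption for ordinary users
PRIVILEGED_MIN_LEN = 9                  # "greater than eight characters" for privileged accounts
MAX_PASSWORD_AGE = timedelta(days=45)   # upper end of the 30-45 day example
MIN_PASSWORD_AGE = timedelta(days=3)    # lower end of the 3-7 day example
INACTIVITY_LIMIT = timedelta(days=45)   # disable accounts inactive for 45 days
SEPARATION_LIMIT = timedelta(hours=24)  # separated employees disabled within 24 hours
HISTORY_DEPTH = 5                       # assumption: previous passwords that may not be reused


def password_construction_errors(password: str, privileged: bool = False) -> list[str]:
    """Return the construction-rule violations for a candidate password; an
    empty list means the password is acceptable for that account type."""
    errors: list[str] = []
    min_len = PRIVILEGED_MIN_LEN if privileged else ORDINARY_MIN_LEN
    if len(password) < min_len:
        errors.append(f"shorter than {min_len} characters")
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    # Privileged accounts need all four classes (section 5.3); three for
    # ordinary users is an assumption standing in for "sufficient strength".
    required = 4 if privileged else 3
    if sum(classes.values()) < required:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        errors.append(f"needs {required} character classes, missing: {missing}")
    return errors


@dataclass
class Account:
    user_id: str
    privileged: bool
    password_set: datetime
    last_login: datetime
    separated_on: datetime | None = None
    enabled: bool = True
    # A real system keeps salted hashes here, never the passwords themselves.
    password_history: list[str] = field(default_factory=list)


def account_actions(acct: Account, now: datetime) -> list[str]:
    """Actions a periodic review job should take for one account, in the
    order the checks run: separation, inactivity, then password age."""
    actions: list[str] = []
    if acct.separated_on is not None and acct.enabled:
        overdue = now - acct.separated_on > SEPARATION_LIMIT
        actions.append("disable: separated employee" + (" (overdue, more than 24h)" if overdue else ""))
    if acct.enabled and now - acct.last_login > INACTIVITY_LIMIT:
        actions.append("disable: inactive more than 45 days")
    if now - acct.password_set > MAX_PASSWORD_AGE:
        actions.append("force password change: older than 45 days")
    return actions


def may_change_password(acct: Account, new_password: str, now: datetime) -> tuple[bool, list[str]]:
    """Decide whether a password change request is allowed, and why not if refused."""
    reasons = password_construction_errors(new_password, acct.privileged)
    if now - acct.password_set < MIN_PASSWORD_AGE:
        reasons.append("minimum password age of 3 days not reached")
    if new_password in acct.password_history[-HISTORY_DEPTH:]:
        reasons.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return (not reasons, reasons)


def sample_review() -> dict[str, list[str]]:
    """Run the review over two constructed accounts on a fixed date."""
    now = datetime(2015, 3, 1)
    alice = Account("alice", privileged=False,
                    password_set=datetime(2015, 2, 1), last_login=datetime(2015, 1, 1))
    bob = Account("bob", privileged=True,
                  password_set=datetime(2014, 12, 1), last_login=datetime(2015, 2, 28),
                  separated_on=datetime(2015, 2, 27), password_history=["OldPassw0rd!9"])
    return {
        "alice": account_actions(alice, now),
        "bob": account_actions(bob, now),
        "alice_change": may_change_password(alice, "Tr0ub4dor&3", now)[1],
        "bob_change": may_change_password(bob, "OldPassw0rd!9", now)[1],
    }


if __name__ == "__main__":
    for key, value in sample_review().items():
        print(key, value)
```

The review job reports actions rather than taking them, so it can be run against an account directory export and its output handed to the management oversight function that the section requires; the password-change check is separate because it runs at request time rather than on a schedule.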
5.4 Automated Audit Trail
EIEPs that receive information electronically from SSA are required to implement and
maintain a fully automated audit trail system (ATS). The system must, at a minimum, be
capable of creating, storing, protecting, and efficiently retrieving and collecting records
identifying the individual user that initiates a request for information from SSA or accesses
SSA-provided data. At a minimum, individual audit trail records must contain the data
needed (including date and time stamps) to associate each query transaction or access to
SSA-provided information with its initiator, their action, if any, and the relevant business
purpose/process (e.g., SSN verification for driver license, etc.). Each entry in the audit file
must be stored as a separate record, not overlaid by subsequent records. Transaction files
must be created to capture all input from interactive Internet applications which access or
query SSA-provided data.
EIEPs whose transactions with SSA are handled AND audited by an STC (e.g., State
Transmission Component) are responsible for ensuring that the STC's audit capabilities meet
SSA's requirements for an automated audit trail system. The EIEP must also establish a
process by which the EIEP is able to efficiently obtain audit information from the STC
regarding the EIEP's SSA transactions.
Access to the audit file must be restricted to authorized users with a "need to know", and audit
file data must be unalterable (read only) and maintained for a minimum of three (preferably
seven) years. Information in the audit file must be retrievable by an automated method and
capable of being made available to SSA upon request. Audit trail records must be backed up
on a regular basis to ensure their availability. Backup audit files must have the same level of
protection as that applied to the original files.
If SSA-provided information is retained by the EIEP (e.g., Access database, SharePoint, etc.),
or if certain data elements within the EIEP's system will indicate to users that the information
has been verified by SSA, the EIEP's system must also capture an audit trail record of any
user who views SSA-provided information stored within the EIEP's system. The audit trail
requirements for these inquiry transactions are the same as those outlined above for the
EIEP's transactions requesting or accessing information directly from SSA.
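As an added example (not the SSA document's or any EIEP's code), the following is a minimal audit trail store of the kind this section describes: every query of, or view of stored, SSA-provided information is written as a separate timestamped record carrying the initiator, action and business purpose, records are appended and never overlaid, the file is retrievable by user and time window, and a closed file is made read-only. The JSON Lines layout, field names, the use of the EIEP's own case reference as the subject key, and the sample entries are assumptions.

```python
"""Added example, not from the SSA document: an append-only audit trail store
that records what section 5.4 asks for (date/time stamp, initiator, action,
business purpose, and which record was touched) as one record per line, and
supports automated retrieval of those records. The JSON Lines layout, field
names, the use of the EIEP's own case reference as the subject key, and the
sample entries are assumptions made for the example."""
from __future__ import annotations

import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Every audit record must carry at least these fields (section 5.4).
REQUIRED_FIELDS = ("timestamp", "user_id", "action", "business_purpose", "subject_ref")


def append_audit_record(path: str, user_id: str, action: str, business_purpose: str,
                        subject_ref: str, when: datetime | None = None) -> dict:
    """Write one audit record as a separate line at the end of the file."""
    when = when or datetime.now(timezone.utc)
    record = {
        "timestamp": when.isoformat(timespec="seconds"),
        "user_id": user_id,             # the initiator
        "action": action,               # e.g. "ssn_verification_query", "view_stored_record"
        "business_purpose": business_purpose,
        "subject_ref": subject_ref,     # the EIEP's case reference (assumption)
    }
    data = (json.dumps(record, sort_keys=True) + "\n").encode("utf-8")
    # O_APPEND places every write after the current end of file, so a new entry
    # can never overlay an earlier one; fsync makes it durable before we return.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        while data:
            written = os.write(fd, data)
            data = data[written:]
        os.fsync(fd)
    finally:
        os.close(fd)
    return record


def read_audit_records(path: str) -> list[dict]:
    """Load all records, rejecting any that lack a required field."""
    records = []
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            rec = json.loads(line)
            missing = [f for f in REQUIRED_FIELDS if f not in rec]
            if missing:
                raise ValueError(f"line {lineno}: audit record missing {missing}")
            records.append(rec)
    return records


def find_records(path: str, user_id: str | None = None,
                 since: datetime | None = None, until: datetime | None = None) -> list[dict]:
    """Automated retrieval by initiator and/or time window, e.g. for an SSA request."""
    hits = []
    for rec in read_audit_records(path):
        ts = datetime.fromisoformat(rec["timestamp"])
        if user_id is not None and rec["user_id"] != user_id:
            continue
        if since is not None and ts < since:
            continue
        if until is not None and ts > until:
            continue
        hits.append(rec)
    return hits


def seal_audit_file(path: str) -> str:
    """Once a period's file is closed, make it read-only; returns the new mode."""
    os.chmod(path, 0o400)
    return oct(os.stat(path).st_mode & 0o777)


def run_demo() -> dict:
    """Write three constructed records to a temporary file and exercise retrieval."""
    path = os.path.join(tempfile.mkdtemp(), "audit-2015-03.jsonl")
    t0 = datetime(2015, 3, 2, 9, 0, tzinfo=timezone.utc)
    append_audit_record(path, "alice", "ssn_verification_query", "driver_license", "case-101", t0)
    first_line = Path(path).read_text(encoding="utf-8").splitlines()[0]
    append_audit_record(path, "bob", "view_stored_record", "eligibility_review", "case-202",
                        t0.replace(hour=10))
    append_audit_record(path, "alice", "view_stored_record", "eligibility_review", "case-101",
                        t0.replace(hour=11))
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    return {
        "total": len(read_audit_records(path)),
        "alice": len(find_records(path, user_id="alice")),
        "from_10h": len(find_records(path, since=t0.replace(hour=10))),
        "first_intact": len(lines) == 3 and lines[0] == first_line,
        "mode": seal_audit_file(path),
    }


if __name__ == "__main__":
    print(run_demo())
```

File permissions alone do not satisfy the "unalterable" requirement on their own; in practice the sealed files are also copied to the backup location the section calls for, with the same access restrictions, so that retention of three to seven years does not depend on one disk.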
5.5 Personally Identifiable Information (PII)
PII is defined as any information which can be used to distinguish or trace an individual's
identity, such as their name, social security number, biometric records, etc., alone or when
combined with other personal or identifying information which is linked or linkable to a
specific individual, such as date and place of birth, mother's maiden name, etc.
PII loss is defined as a circumstance wherein SSA has reason to believe that information on
hard copy or in electronic format which contains PII provided by SSA to an EIEP has left the
EIEP's custody or has been disclosed by the EIEP to an unauthorized individual or entity. PII
loss is a reportable incident (refer to Incident Reporting).
If a PII loss involving SSA-provided data occurs or is suspected, the EIEP must be able to
quantify the extent of the loss and compile a complete list of the individuals potentially
affected (refer to Incident Reporting).
5.6 Monitoring and Anomaly Detection
The EIEP must establish and/or maintain continuous monitoring of its network infrastructure
and assets to ensure that:
• implemented security controls continue to be effective over time
• only authorized individuals, devices, and processes have access to SSA-provided
information
• efforts by external and internal entities, devices, or processes to perform unauthorized
actions (i.e., data breaches, malicious attacks, access to network assets,
software/hardware installations, etc.) are detected as soon as they occur
• the necessary parties are immediately alerted to unauthorized actions performed by
external and internal entities, devices, or processes
• upon detection of unauthorized actions, measures are immediately initiated to prevent or
mitigate associated risk
• in the event of a data breach or security incident, the necessary remedial actions can be
efficiently determined and initiated
• trends, patterns, or anomalous occurrences and behavior in user or network activity that
may be indicative of potential security issues are more readily discernible
The EIEP's system must include the capability to prevent employees from browsing SSA
records (e.g., utilize a permission module and/or employ a system design which is
transaction-driven, whereby employees are unable to initiate transactions). If such a design
is used, the EIEP then needs only minimal additional monitoring and anomaly detection
(detect and monitor employees' attempts to gain access to SSA-provided data to which they
are not authorized and attempts to obtain information from SSA for clients not in the EIEP's
client system). However, measures must exist to prevent circumvention of the permission
module (e.g., creation of a bogus case and subsequently deleting it in such a way that it goes
undetected).
If the EIEP's design does not currently utilize a permission module and is not transaction-
driven, until at least one of these security features is implemented, the EIEP must develop
and implement compensating security controls to deter their employees from browsing SSA
records. These controls must include monitoring and anomaly detection features, either
systematic, manual, or a combination thereof. Such features must include the capability to
detect anomalies in the volume and/or type of transactions or queries requested or initiated
by individuals and include systematic or manual procedures for verifying that requests for and
queries of SSA-provided information are in compliance with valid official business purposes.
The system must also produce reports providing management and/or supervisors with the
capability to appropriately monitor user activity, such as:
• User ID Exception Reports:
This type of report captures information about users who enter incorrect user IDs when
attempting to gain access to the system or to the transaction that initiates requests for
information from SSA, including failed attempts to enter a password.
• Inquiry Match Exception Reports:
This type of report captures information about users who may be initiating transactions for
SSNs that have no client case association within the EIEP's system (100 percent of
these cases must be reviewed by the EIEP's management).
• System Error Exception Reports:
This type of report captures information about users who may not understand or be
following proper procedures for access to SSA-provided information.
• Inquiry Activity Statistical Reports:
This type of report captures information about transaction usage patterns among
authorized users and is a tool which would enable the EIEP's management to monitor
typical usage patterns in contrast to extraordinary usage.
The EIEP must have a process for distributing these monitoring and exception reports to
appropriate local managers/supervisors or to local security officers to ensure that the reports
are used by those whose responsibilities include monitoring anomalous activity of users
including those who have been granted exceptional system rights and privileges.
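As an added example (not from the SSA document and not any EIEP's reporting system), the four report types listed above computed over a constructed event log. The event layout, the field names, the client-case lookup, and the "more than three times the median" rule used to flag extraordinary query volume are assumptions made for the example; the section itself prescribes the report types, not the statistic.

```python
"""Added example, not from the SSA document: the four monitoring reports of
section 5.6 computed over a constructed event log. Event layout, field names,
the client-case lookup and the 3 x median volume heuristic are assumptions."""
from __future__ import annotations

from collections import Counter
from statistics import median

# Constructed sample: subject references that exist in the EIEP's client case system.
CLIENT_CASE_REFS = {"ref-1001", "ref-1002", "ref-1003", "ref-1004"}


def build_sample_events() -> list[dict]:
    """Constructed log: some sign-on failures, one system error, and SSA queries
    from four users, one of whom queries far more than the others and twice for
    subjects that have no client case."""
    events: list[dict] = []
    for _ in range(3):
        events.append({"type": "auth_failure", "user_id": "eve", "detail": "bad_password"})
    events.append({"type": "auth_failure", "user_id": "jsmth", "detail": "unknown_user_id"})
    events.append({"type": "system_error", "user_id": "bob", "detail": "malformed_query"})
    volumes = {"alice": 5, "bob": 4, "carol": 6, "dave": 40}
    for user, count in volumes.items():
        for i in range(count):
            events.append({"type": "ssa_query", "user_id": user,
                           "subject_ref": f"ref-100{(i % 4) + 1}",
                           "purpose": "eligibility_verification"})
    for ref in ("ref-9991", "ref-9992"):   # no client case association
        events.append({"type": "ssa_query", "user_id": "dave",
                       "subject_ref": ref, "purpose": "eligibility_verification"})
    return events


def user_id_exception_report(events: list[dict]) -> dict[str, int]:
    """Failed sign-on attempts (wrong user ID or wrong password) per user ID."""
    return dict(Counter(e["user_id"] for e in events if e["type"] == "auth_failure"))


def inquiry_match_exception_report(events: list[dict],
                                   client_refs: set[str] = CLIENT_CASE_REFS) -> list[dict]:
    """Every query for a subject with no client case association. The section
    requires management to review all of these, so each one is listed."""
    return [e for e in events
            if e["type"] == "ssa_query" and e["subject_ref"] not in client_refs]


def system_error_exception_report(events: list[dict]) -> dict[str, int]:
    """Users generating system errors, a sign they may not follow procedures."""
    return dict(Counter(e["user_id"] for e in events if e["type"] == "system_error"))


def inquiry_activity_report(events: list[dict], multiplier: float = 3.0) -> dict:
    """Per-user query volume plus the users whose volume is extraordinary.
    The median-based threshold is an assumption; it resists being dragged up
    by the very outlier it is meant to catch."""
    counts = Counter(e["user_id"] for e in events if e["type"] == "ssa_query")
    if not counts:
        return {"per_user": {}, "threshold": 0.0, "flagged": []}
    threshold = multiplier * median(counts.values())
    flagged = sorted(u for u, n in counts.items() if n > threshold)
    return {"per_user": dict(counts), "threshold": threshold, "flagged": flagged}


if __name__ == "__main__":
    log = build_sample_events()
    print("user id exceptions:", user_id_exception_report(log))
    print("inquiry match exceptions:", inquiry_match_exception_report(log))
    print("system errors:", system_error_exception_report(log))
    print("activity:", inquiry_activity_report(log))
```

Each report is a plain function over the event list so the same code can be run daily against the previous day's audit records and its output routed to the local supervisors and security officers the section names; the inquiry match report returns whole events rather than counts because every one of them has to be reviewed.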
5.7 Management Oversight and Quality Assurance
The EIEP must establish and/or maintain ongoing management oversight and quality
assurance capabilities to ensure that only authorized employees have access to SSA-provided
information and to ensure that there is ongoing compliance with the terms of the EIEP's
electronic information sharing agreement with SSA and the SSRs established by SSA for
access to and use of SSA-provided data by EIEPs. The management oversight function must
consist of one or more of the EIEP's management officials whose job functions include
responsibility for assuring that access to and use of SSA-provided information is appropriate
for each employee position type for which access is granted.
The EIEP must assure that employees granted access to SSA-provided information receive
adequate training on the sensitivity of the information, associated safeguards, procedures
that must be followed, and the penalties for misuse.
Although not required, it is recommended that EIEPs establish the following functions and
require that they be performed by employees whose job functions are separate from those
who request or use information from SSA:
• Performing periodic self-reviews to monitor the EIEP's ongoing usage of SSA-provided
information.
• Random sampling of work activity involving SSA-provided information to determine
whether the access and usage comply with SSA's requirements.
5.8 Data and Communications Security
EIEPs must encrypt all PII and SSA-provided information when it is transmitted across
dedicated communications circuits between its systems, included in intrastate
communications among its local office locations, and resident on the EIEP's mobile
computers/devices and removable media, etc. The encryption method employed must meet
acceptable standards as designated by the National Institute of Standards and Technology
(NIST). The recommended encryption method for securing SSA-provided data during
transport is the Advanced Encryption Standard (AES) or triple DES (Data Encryption Standard
3) if AES is unavailable. Files encrypted for external users (when using tools such as
Microsoft WORD encryption, etc.) require a key length of 9 characters. Although not required,
it is recommended that the key (also referred to as a password) contain both a number and a
special character. However, it is required that the key be delivered in a manner wherein the
key does not accompany the media. Also, the key must be secured when unattended or not
in use.
It is recommended that the public Internet not be used for transmission of SSA-provided
information. If it is, however, Internet and all other electronic communications (e.g., emails
and FAXes) containing SSA-provided information must, at minimum, utilize Secure Socket
Layer (SSL) and 256-bit encryption protocols or more secure methods such as Virtual Private
Network technology. Additionally, the data must be transmitted only to a secure address or
device (i.e., an address or device to which access is controlled and limited to only specifically
authorized individuals and/or processes).
EIEPs may retain SSA-provided data for only the business purpose(s) and period of time
stipulated in the EIEP's Information Exchange Agreement with SSA. SSA-provided
information is to be deleted, purged, destroyed, or returned to SSA when the purpose for
which the information was obtained has been completed.
The EIEP may not save or create separate files comprised solely of information provided by
SSA. The EIEP may, however, apply specific SSA-provided data to the EIEP's matched record
(i.e., specified data obtained from SSA which matches that in the EIEP's preexisting record).
Duplication and redisclosure of SSA-provided information within or outside the EIEP without
the written approval of SSA is prohibited.
EIEPs must prevent unauthorized disclosure of SSA-provided data after processing has been
completed and also after the data is no longer required by the EIEP. The EIEP's operational
processes must ensure that no residual SSA-provided data remains on the hard drives of
users' workstations after the user has exited the application(s) in which SSA-provided data
was utilized. In cases where a PC, hard drive, or other computing or storage device on which
SSA-provided information resided will be sent offsite from the EIEP for repair and its
information must be retrievable, the EIEP's repair contract must include a requirement for
non-disclosure of SSA-provided data by the servicing vendor. SSA-provided information must
be completely removed from, rendered unrecoverable, or destroyed on any electronic device
or media (e.g., hard drives, removable storage devices, etc.) prior to the device or media
being serviced by an external vendor (when the data need not be recovered), excessed, sold,
or placed in the custody of another organization.
To sanitize media, one of the following methods must be used:
• Overwriting
Overwrite utilities can only be used on working devices. The media to be overwritten
must be designed for multiple reads and writes. This includes disk drives, magnetic tapes,
floppies, USB flash drives, etc. The overwrite utility must completely overwrite the media
by the purging type of media sanitization to make the data irretrievable by a laboratory
attack or laboratory forensic procedures (refer to Definitions for more information
regarding Media Sanitization). Reformatting the media does not overwrite the data.
• Degaussing
Degaussing is a sanitization method for magnetic media (e.g., disk drives, tapes, floppies,
etc.). Degaussing is not effective for purging non-magnetic media (e.g., optical discs).
Degaussing must be performed with a certified tool designed for the media being
degaussed. Certification of the tool is required to ensure that the magnetic flux applied to
the media is strong enough to render the information irretrievable. The degaussing
process must render data on the media irretrievable by a laboratory attack or laboratory
forensic procedures (refer to Definitions for more information regarding Media
Sanitization).
• Physical destruction
Physical destruction is the method which must be used when degaussing or overwriting
cannot be accomplished (for example, CDs, floppies, DVDs, damaged tapes, hard drives,
damaged USB flash drives, etc.). Examples of physical destruction include shredding,
pulverizing, and burning.
State agencies may retain SSA-provided data in hardcopy if it is required to fulfill evidentiary
requirements, provided the agencies retire such data in accordance with applicable state laws
governing state agencies' retention of records. The EIEP must ensure that print media
containing SSA-provided data is controlled to restrict its access to only authorized employees
who need such access to perform their official duties and must have in place secure processes
by which print media containing SSA-provided data is destroyed when it is no longer required.
Paper documents containing SSA-provided data must be destroyed by burning, pulping,
shredding, macerating, or other similar means that ensure that the information cannot be
recovered.
NOTE: Hand tearing or lining through documents to obscure information does not
meet SSA's requirements for appropriate destruction of PII.
The EIEP must employ measures to ensure that communications and data furnished to SSA
contain no viruses or other malware.
5.9 Incident Reporting
The EIEP must develop and implement policies and procedures for responding to the breach
or loss of PII and explain how they conform to SSA's requirements. The procedures must
include the following information:
If the EIEP experiences or suspects a breach or loss of PII or a security incident which
includes SSA-provided data, they must notify the United States Computer Emergency
Readiness Team (US-CERT) within one hour of discovering the incident. The EIEP must
also notify the SSA Systems Security contact named in the agreement. If within 1 hour
the EIEP has been unable to make contact with that person, the EIEP must call SSA's
National Network Service Center (NNSC) toll free at 877-697-4889 (select "Security and
PII Reporting" from the options list). The EIEP will provide updates as they become
available to the SSA contact, as appropriate. Refer to the worksheet provided in the
agreement to facilitate gathering and organizing information about an incident.
The EIEP must agree that if SSA determines that the risk presented by the breach or security
incident requires the notification of the individuals whose information is involved and/or
remedial action, the EIEP will perform those actions without cost to SSA.
5.10 Security Awareness and Employee Sanctions
The EIEP must establish and/or maintain an ongoing function that is responsible for providing
security awareness training for employees granted access to SSA-provided information.
Training must include discussion of:
• The sensitivity of SSA-provided information, and address the Privacy Act and other Federal
and state laws governing its use and misuse
• Rules of behavior concerning use of and security in systems processing SSA-provided data
• Restrictions on viewing and/or copying SSA-provided information
• The employees' responsibility for proper use and protection of SSA-provided information,
including its proper disposal
• Security incident reporting procedures
• The possible sanctions and penalties for misuse of SSA-provided information.
The EIEP must provide security awareness training periodically or as needed, and have in
place administrative procedures for sanctioning employees who violate laws governing the use
and misuse of SSA-provided data through unauthorized or unlawful use or disclosure of SSA-
provided information.
5.11 Contractors of Electronic Information Exchange Partners
As previously stated in The General Systems Security Standards, contractors of the EIEP
are held to the same security requirements as are employees of the EIEP. As such, the EIEP
is responsible for oversight of, and compliance by, its contractors with SSA's security
requirements. The EIEP must be able to provide proof of the contractual agreement between
itself and its contractors (e.g., a copy of their contract) who are authorized by the EIEP to
perform on its behalf and who have access to or are involved in the processing, handling,
transmission, etc. of information provided to the EIEP by SSA. The EIEP must also explain
the role of those contractors within the EIEP's operations.
The EIEP must also require that its contractors who will have access to or be involved in the
processing, handling, transmission, etc. of information provided to the EIEP by SSA sign an
agreement with the EIEP that obligates the contractor to follow the terms of the EIEP's data
exchange agreement with SSA. The EIEP must provide its contractors a copy of the data
exchange agreement between the EIEP and SSA and related attachments before any
disclosure by the EIEP of SSA-provided information to the EIEP's contractor/agent.
If the EIEP's contractor will be involved with the processing, handling, transmission, etc. of
information provided to the EIEP by SSA offsite from the EIEP, the EIEP must have the
contractual option to perform onsite reviews of that offsite facility to ensure that the following
meet SSA's requirements:
• safeguards for sensitive information
• computer system safeguards
• security controls and measures to prevent, detect, and resolve unauthorized access to,
use of, and redisclosure of SSA-provided information
• continuous monitoring of the EIEP contractors' network infrastructures and assets
6. General -- Security Certification and Compliance Review Programs
SSA's security certification and compliance review programs are two distinct programs with the
same objective. The certification program is a one-time process associated exclusively with an
EIEP's initial request for electronic access to SSA-provided information or an initial change to online
access. The certification process entails two rigorous stages intended to ensure that technical,
management, and operational security measures implemented by EIEPs fully conform to SSA's
security requirements and are working as intended. EIEPs must satisfy both stages of the
certification process before SSA will permit online access to its data in a production environment.
The compliance review program, however, is intended to ensure that the suite of security measures
implemented by an EIEP to safeguard SSA-provided data remains in full compliance with SSA's
security standards and requirements. The compliance review program is applicable to online
access to SSA-provided data as well as batch processes. Under the compliance review program,
EIEPs are subject to ongoing periodic security reviews by SSA that are regularly scheduled or ad
hoc.
6.1 The Security Certification Program
The security certification process applies to EIEPs that seek online electronic access to SSA
information and consists of two general phases:
• Phase One: The Security Design Plan (SDP) phase, wherein a formal written plan is
authored by the EIEP to comprehensively document its technical and non-technical
security controls to safeguard SSA-provided information (refer to Documenting Security
Controls in the Security Design Plan).
NOTE: SSA may have legacy EIEPs (EIEPs not certified under the current
process) who have not prepared an SDP. OIS strongly recommends that these
EIEPs prepare an SDP.
The EIEPs' preparation and maintenance of a current SDP will aid them in
determining potential compliance issues prior to reviews, assuring continued
compliance with SSA's security requirements, and providing for more efficient
security reviews.
• Phase Two: The SSA Onsite Certification phase, wherein a formal onsite review is conducted by
SSA to examine the full suite of technical and non-technical security controls implemented
by the EIEP to safeguard data obtained from SSA electronically (refer to The
Certification Process).
6.2 Documenting Security Controls in the Security Design Plan (SDP)
6.2.1 When the SDP and RA are Required
EIEPs must submit to SSA an SDP and a security risk assessment (RA) for evaluation when
one or more of the following circumstances apply. The RA must be in an electronic format
and include discussion of the measures planned or implemented to mitigate risks identified by
the RA and (as applicable) risks associated with the circumstances below:
• to obtain approval for requested initial access to SSA-provided information for an initial
agreement
• to obtain approval to reestablish previously terminated access to SSA-provided data
• when implementing a new operating or security platform in which SSA-provided data will
be involved
• significant changes to the EIEP's organizational structure, technical processes, operational
environment, data recovery capabilities, or security implementations are planned or have
been made since approval of their most recent SDP or of their most recent successfully
completed security review
• one or more security breaches or incidents involving SSA-provided data have occurred
since approval of the EIEP's most recent SDP or of their most recent successfully
completed security review
• to document descriptions and explanations of measures implemented as the result of a
data breach or security incident
• to document descriptions and explanations of measures implemented to resolve
non-compliance issue(s)
• when approval of the SDP has been revoked
The RA may also be required if changes (other than those listed above) that may impact the
terms of the EIEP's data sharing agreement with SSA have occurred.
The SDP must be approved by SSA prior to the initiation of transactions and/or
access to SSA-provided information by the EIEP.
An SDP must satisfactorily document the EIEP's compliance with all of SSA's SSRs in order to
provide the minimum level of security acceptable to SSA for its EIEPs' access to SSA-provided
information.
Deficiencies identified through the evaluation of the SDP must be corrected by the EIEP and a
revised SDP which incorporates descriptions and explanations of the measures implemented
to eliminate the deficiencies must be submitted. Until the deficiencies have been corrected
and documented in its SDP, and the SDP is approved, the EIEP will not be granted access to
SSA-provided information or certified for electronic receipt of the information. The progress
of corrective implementation(s) must be communicated to SSA on a regular basis. If, within a
reasonable time as determined by SSA, the EIEP is unable to rectify a deficiency determined
by SSA to present an untenable risk to SSA-provided information or the agency, approval of
the SDP will be withheld.
If, at any time subsequent to approval of its SDP, the EIEP is found to be in non-compliance
with one or more SSRs, SSA may revoke approval of the EIEP's access to SSA-provided data.
A revised SDP which incorporates descriptions and explanations of the measures implemented
to resolve the non-compliance issue(s) must be submitted. The progress of corrective
implementation(s) must be communicated to SSA on a regular basis. Until resolution of the
issue(s) has been accomplished and documented in its SDP, and the SDP is approved, the
EIEP will be in non-compliance with SSA's SSRs. If, within a reasonable time as determined
by SSA, the EIEP is unable to rectify a deficiency determined by SSA to present an untenable
risk to SSA-provided information or to SSA, approval of the SDP will be withheld and the flow
of SSA-provided information to the EIEP may be discontinued.
NOTE: EIEPs that function only as an STC, transferring SSA-provided data to other
EIEPs, must, per the terms of their agreements with SSA, adhere to SSA's System
Security Requirements (SSR) and exercise their responsibilities regarding
protection of SSA-provided information.
6.3 The Certification Process
Once the EIEP has successfully satisfied Phase 1, SSA will conduct an onsite certification
review. The objective of the onsite review will be to ensure, by SSA's examination and the
EIEP's demonstration, that the non-technical and technical controls implemented by the EIEP
to safeguard Social Security-provided data from misuse and improper disclosure are fully
functioning and working as intended.
At its discretion, SSA may request that the EIEP participate in an onsite review and
compliance certification of their security infrastructure and implementation of SSA's security
requirements.
The onsite review may address any or all of SSA's security requirements and include, where
appropriate:
• a demonstration of the EIEP's implementation of each requirement
• random sampling of audit records and transactions submitted to SSA
• a walkthrough of the EIEP's data center to observe and document physical security
safeguards
• a demonstration of the EIEP's implementation of electronic exchange of data with SSA
• discussions with managers/supervisors
• examination of management control procedures and reports (e.g., anomaly detection
reports, etc.)
• demonstration of technical tools pertaining to user access control and, if appropriate,
browsing prevention, specifically:
o If the design is based on a permission module or similar design, or is transaction
driven, the EIEP will demonstrate how the system triggers requests for information
from SSA.
o If the design is based on a permission module, the EIEP will demonstrate the process
by which requests for SSA-provided information are prevented for SSNs not present in
the EIEP's system (e.g., by attempting to obtain information from SSA using at least
one randomly created, fictitious number not known to the EIEP's system).
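The permission-module check described in the second sub-bullet, as an added example that is not part of the agreement or of any EIEP or SSA system. It is written in Python over constructed client records and transaction names; the record layout, the function names and the last-four-digits audit field are assumptions. The fictitious_ssn helper reproduces the reviewer's test of submitting a random number that the client system does not know, and the same gate also covers the transaction-driven case (a request not tied to an authorized process is refused), which is the behaviour the 'Permission module', 'Transaction-driven' and 'Uncontrolled transaction' definitions in section 7 describe.

```python
"""Permission-module gate in front of SSN verification requests to SSA.

Added example, not part of the agreement or of any EIEP or SSA system. A
request for SSA-provided information can only be generated from an authorized
transaction and only for an SSN that already exists in the EIEP's own client
system, so a randomly created, fictitious number is refused before anything is
sent. Client records, transaction names and SSNs are constructed test data; the
record layout and API names are assumptions.
"""
import re
import secrets
from dataclasses import dataclass

SSN_RE = re.compile(r"^\d{9}$")

# Constructed client records (SSN -> client id). A real EIEP queries its own database.
CLIENT_RECORDS = {
    "123456789": "C-0001",
    "987654321": "C-0002",
}

# Transactions from which a verification request may legitimately be triggered
# (driver-license issuance is the agreement's own example).
AUTHORIZED_TRANSACTIONS = {"DRIVER_LICENSE_ISSUANCE", "BENEFIT_ELIGIBILITY"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PermissionModule:
    """Decides whether an SSN verification request may be sent to SSA."""

    def __init__(self, client_records, authorized_transactions):
        self._records = client_records
        self._transactions = authorized_transactions
        self.sent = []       # requests that would have gone to SSA (stubbed here)
        self.audit_log = []  # every attempt, allowed or refused, for the ATS

    @staticmethod
    def normalize(ssn):
        """Strip separators and insist on exactly nine digits; None if malformed."""
        digits = re.sub(r"[\s-]", "", ssn)
        return digits if SSN_RE.match(digits) else None

    def request_verification(self, ssn, user_id, transaction_type):
        digits = self.normalize(ssn)
        if digits is None:
            decision = Decision(False, "malformed SSN")
        elif transaction_type not in self._transactions:
            # Uncontrolled transaction: not tied to an authorized process.
            decision = Decision(False, "transaction not authorized to query SSA")
        elif digits not in self._records:
            # The demonstration case: no client record, so no request is built.
            decision = Decision(False, "no client record for SSN")
        else:
            decision = Decision(True, "client record %s" % self._records[digits])
            self.sent.append({"ssn": digits, "user": user_id,
                              "transaction": transaction_type})
        # Log the attempt without the full SSN; the last four digits are enough
        # to reconcile against SSA's records during an audit sample review.
        self.audit_log.append({
            "user": user_id,
            "transaction": transaction_type,
            "ssn_last4": digits[-4:] if digits else None,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision


def fictitious_ssn(client_records):
    """Random nine-digit number guaranteed not to be in the client system."""
    while True:
        candidate = "%09d" % secrets.randbelow(10 ** 9)
        if candidate not in client_records:
            return candidate


def run_demonstration():
    """Reproduce the reviewer's test: known SSN, fictitious SSN, ad hoc lookup."""
    pm = PermissionModule(CLIENT_RECORDS, AUTHORIZED_TRANSACTIONS)
    known = pm.request_verification("123-45-6789", "jdoe", "DRIVER_LICENSE_ISSUANCE")
    bogus = pm.request_verification(fictitious_ssn(CLIENT_RECORDS), "jdoe",
                                    "DRIVER_LICENSE_ISSUANCE")
    adhoc = pm.request_verification("987654321", "jdoe", "ADHOC_LOOKUP")
    return pm, known, bogus, adhoc


if __name__ == "__main__":
    pm, known, bogus, adhoc = run_demonstration()
    for entry in pm.audit_log:
        print(entry)
```

Only the request for the known SSN from an authorized transaction reaches the stubbed outbound queue; the fictitious number and the ad hoc lookup are refused, and all three attempts are recorded so the refusals themselves are visible to a reviewer sampling the audit trail.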
During a certification or compliance review, SSA or a certifier acting on its behalf, may
request a demonstration of the EIEP's audit trail system (ATS) and its record retrieval
capability. The certifier may request a demonstration of the ATS' capability to track the
activity of employees that have the potential to access SSA-supplied information within the
EIEP's system. Additionally, the certifier may request those EIEPs whose transactions with
SSA are handled AND audited by an STC to demonstrate the process(es) by which the EIEP
obtains audit information from the STC regarding the EIEP's SSA transactions.
EIEPs whose transactions with SSA are handled AND audited by an STC will be required to
demonstrate both their own in-house audit capabilities AND the process(es) by which the EIEP
obtains audit information from the STC regarding the EIEP's transactions with SSA.
If the EIEP employs a contractor who will be involved with the processing, handling,
transmission, etc. of the EIEP's SSA-provided information offsite from the EIEP, SSA, at its
discretion, may include in the onsite certification review an onsite inspection of the
contractor's facility. The inspection may occur with or without a representative of the EIEP.
Upon successful completion of the onsite certification exercise, SSA will authorize electronic
access to production data by the EIEP. SSA will provide written notification of its certification
to the EIEP as well as all appropriate internal components.
The following is a high-level flow chart of the OIS Certification Process: [flow chart not reproduced]
6.5 The Compliance Review Program and Process
Similar to the certification process, the compliance review program entails a rigorous process
intended to ensure that EIEPs currently receiving electronic information from SSA are in full
compliance with the Agency's security requirements and standards. As a practice, SSA
attempts to conduct compliance reviews following a 3 to 5 year periodic review schedule.
However, as circumstances warrant, a review may take place at any time. Three prominent
examples that would trigger an ad hoc review are:
• a significant change in the outside EIEP's computing platform
• a violation of any of SSA's systems security requirements
• an unauthorized disclosure of SSA information by the EIEP
The following is a high-level flow chart of the OIS Compliance Review Process: [flow chart not reproduced]
SSA may, at its discretion, conduct compliance reviews onsite at the EIEP's site, including a
field office location, if appropriate.
SSA may, also at its discretion, request that the EIEP participate in an onsite compliance
review of their security infrastructure and implementation of SSA's security requirements.
The onsite review may address any or all of SSA's security requirements and include, where
appropriate:
• a demonstration of the EIEP's implementation of each requirement
• random sampling of audit records and transactions submitted to SSA
• a walkthrough of the EIEP's data center to observe and document physical security
safeguards
• a demonstration of the EIEP's implementation of online exchange of data with SSA
• discussions with managers/supervisors
• examination of management control procedures and reports (e.g., anomaly detection
reports, etc.)
• demonstration of technical tools pertaining to user access control and, if appropriate,
browsing prevention, specifically:
o If the design is based on a permission module or similar design, or is transaction
driven, the EIEP will demonstrate how the system triggers requests for information
from SSA.
o If the design is based on a permission module, the EIEP will demonstrate the process
by which requests for SSA-provided information are prevented for SSNs not present in
the EIEP's system (e.g., by attempting to obtain information from SSA using at least
one randomly created, fictitious number not known to the EIEP's system).
SSA may also, at its discretion, perform an ad hoc onsite or remote review for reasons
including but not limited to the following:
• the EIEP has experienced a security breach or incident involving SSA-provided data
• the EIEP has unresolved non-compliance issue(s)
• to review an EIEP's offsite (relative to the EIEP) contractor's facilities involving
SSA-provided data
• the EIEP is a legacy organization that has not yet been through SSA's security certification
and compliance review programs
• the EIEP has requested that an IV&V (Independent Verification and Validation review) be
performed by SSA
During the compliance review, SSA, or a certifier acting on its behalf, may request a
demonstration of the system's audit trail and retrieval capability. The certifier may request a
demonstration of the system's capability for tracking the activity of employees that are
permitted to view SSA-provided information within the EIEP's system. Additionally, the
certifier may request those EIEPs whose transactions with SSA are handled AND audited by
an STC to demonstrate the process(es) by which the EIEP obtains audit information from the
STC regarding the EIEP's SSA transactions.
EIEPs whose transactions with SSA are handled AND audited by an STC may be required to
demonstrate both their own in-house audit capabilities AND the process(es) by which the EIEP
obtains audit information from the STC regarding the EIEP's transactions with SSA.
If the EIEP employs a contractor who will be involved with the processing, handling,
transmission, etc. of the EIEP's SSA-provided information offsite from the EIEP, SSA, at its
discretion, may include in the onsite compliance review an onsite inspection of the
contractor's facility. The inspection may occur with or without a representative of the EIEP.
However, manpower limitations or fiscal constraints could drive an alternative approach, such
as teleconferencing. In any event, the format of the review in routine circumstances (i.e., the
compliance review is not being conducted to address a special circumstance, such as a
disclosure violation, etc.) will generally consist of reviewing and updating the EIEP's
compliance with the systems security requirements described above in this document. At the
conclusion of the review, SSA will issue a formal report to appropriate EIEP personnel.
Findings and recommendations from SSA's compliance review, if any, will be discussed in its
report and monitored for closure.
NOTE: Documentation provided to SSA by the EIEP for compliance reviews is
considered sensitive and is, therefore, handled accordingly by SSA. E.g., the
information is accessible to only authorized individuals who have a need for the
information as it relates to compliance of the EIEP with its electronic information
sharing agreement with SSA and SSA's associated system security requirements
and procedures. Additionally, the EIEP's documentation is retained for only as long
as required and is deleted, purged, or destroyed when the requirement for which
the information was obtained has expired.
The following is a high-level example of the analysis that aids in making preliminary decisions
as to which review format may be most appropriate. Various additional factors may also be
considered in determining whether SSA performs an onsite or remote compliance review.
• High/Medium Risk Criteria
o undocumented closing of prior review finding(s)
o implementation of technical/operational controls that impact security of SSA-provided
data (e.g., implementation of a new data access method, etc.)
o reported PII breach
• Low Risk Criteria
o no prior review finding(s), or prior finding(s) documented as closed
o no implementation of technical/operational controls that impact security of SSA-provided
data (e.g., implementation of a new data access method, etc.)
o no reported PII breach
6.5.1 EIEP Compliance Review Participation
During the compliance review SSA may request to meet with the following:
• a sample of managers and/or supervisors responsible for enforcing and monitoring
ongoing compliance with security requirements and procedures, to assess their level
of training to monitor their employees' use of SSA-provided information, and for
reviewing reports and taking necessary action
• the individuals responsible for security awareness and employee sanction functions,
and request an explanation of how these responsibilities are performed
• a sample of the EIEP's employees, to assess their level of training and
understanding of the requirements and potential sanctions applicable to the use
and misuse of SSA-provided information
• the individual(s) responsible for management oversight and quality assurance
functions, and request a description of how these responsibilities will be carried out
• additional individuals as deemed appropriate by SSA
6.5.2 Verification of Audit Samples
Prior to or during the compliance review, SSA will present to the EIEP a sampling of
transactions previously submitted to SSA for verification. The EIEP is required to
verify whether each transaction was, per the terms of their agreement with SSA,
legitimately submitted by a user authorized to do so.
The EIEP must provide SSA a written attestation of the results of the EIEP's review of
the transactions. The document must provide:
• confirmation for each sample transaction located in the EIEP's audit file(s) and
determined to have been submitted by its employee(s) for legitimate and
authorized business purposes
• an explanation for each sample transaction located in the EIEP's audit file(s)
determined to have been unauthorized
• an explanation for each sample transaction not found in the EIEP's ATS
When the sample transactions are provided to the EIEP, detailed instructions will be
included. Only an official responsible for the EIEP is to provide the attestation.
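The three-way classification the attestation requires, as an added example that is not part of the agreement or of any SSA or EIEP tool. It is written in Python over a constructed audit trail export, a constructed roster of users with the dates their SSA access was in force, and a constructed SSA sample; the CSV layout, the use of an empty case id as the sign that a query had no legitimate business purpose, and the function names are assumptions about how an EIEP keeps its records.

```python
"""Reconcile SSA's sample of submitted transactions against the EIEP's audit trail.

Added example, not part of the agreement or of any SSA or EIEP tool. Each
sampled transaction is placed in one of three buckets: located in the audit
file and submitted by an authorized employee for a legitimate business
purpose, located but unauthorized, or not found in the ATS at all. The audit
export, user roster and sample are constructed test data; the CSV layout and
the "case id present" test for a legitimate purpose are assumptions.
"""
import csv
import io

# Constructed ATS export: one row per request the EIEP sent to SSA.
ATS_EXPORT = """\
txn_id,timestamp,user_id,ssn_last4,case_id,transaction_type
T-1001,2014-09-03T10:15:22,jdoe,6789,C-0001,DRIVER_LICENSE_ISSUANCE
T-1002,2014-09-03T10:47:09,asmith,4321,C-0002,BENEFIT_ELIGIBILITY
T-1003,2014-09-04T08:02:51,jdoe,1111,,DRIVER_LICENSE_ISSUANCE
T-1004,2014-09-04T16:30:00,tmp_user,2222,C-0009,DRIVER_LICENSE_ISSUANCE
"""

# Constructed roster: user -> (access granted, access revoked) as ISO dates.
AUTHORIZED_USERS = {
    "jdoe": ("2014-01-01", "2015-06-30"),
    "asmith": ("2014-01-01", "2015-06-30"),
    "tmp_user": ("2014-01-01", "2014-06-30"),  # revoked before T-1004 was sent
}

# Constructed sample as SSA would present it: transaction ids SSA received.
SSA_SAMPLE = ["T-1001", "T-1002", "T-1003", "T-1004", "T-1005"]


def load_ats(export_text):
    """Index the audit export by transaction id."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["txn_id"]: row for row in reader}


def user_authorized_at(user_id, timestamp, roster):
    """True if the user held SSA access on the date the transaction was sent."""
    if user_id not in roster:
        return False
    granted, revoked = roster[user_id]
    date = timestamp[:10]  # ISO dates compare correctly as strings
    return granted <= date <= revoked


def classify_samples(sample_ids, ats, roster):
    """Return the three attestation buckets: confirmed, unauthorized, not_found."""
    result = {"confirmed": [], "unauthorized": {}, "not_found": []}
    for txn_id in sample_ids:
        row = ats.get(txn_id)
        if row is None:
            result["not_found"].append(txn_id)
            continue
        problems = []
        if not user_authorized_at(row["user_id"], row["timestamp"], roster):
            problems.append("user %s not authorized on %s"
                            % (row["user_id"], row["timestamp"][:10]))
        if not row["case_id"]:
            # No associated client case: the query looks like browsing rather
            # than an official business purpose.
            problems.append("no case id, possible browsing")
        if problems:
            result["unauthorized"][txn_id] = "; ".join(problems)
        else:
            result["confirmed"].append(txn_id)
    return result


def attestation_text(result):
    """Render the buckets as the lines the responsible EIEP official would sign."""
    lines = ["Confirmed authorized: " + ", ".join(result["confirmed"])]
    for txn_id, why in result["unauthorized"].items():
        lines.append("Unauthorized %s: %s" % (txn_id, why))
    for txn_id in result["not_found"]:
        lines.append("Not found in ATS: %s (explanation required)" % txn_id)
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = classify_samples(SSA_SAMPLE, load_ats(ATS_EXPORT), AUTHORIZED_USERS)
    print(attestation_text(outcome))
```

A transaction SSA holds but the ATS does not (T-1005 in the constructed data) is the case that most needs an explanation, since it means a request reached SSA without being recorded locally; the script only surfaces it, and the written explanation and the attestation itself still come from the responsible official.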
6.6 Scheduling the Onsite Review
The SDP must be approved before its associated onsite review is scheduled. Notification of
the approval of a plan will be sent via email. Although there is no prescribed time frame for
arranging the subsequent onsite review (certification review for an EIEP requesting initial
access to SSA-provided information for an initial agreement, or compliance review for other
EIEPs), unless there are compelling circumstances precluding it, the onsite review will follow
as soon as reasonably possible.
However, the scheduling of the onsite review may depend on additional factors including:
• the reason for submission of a plan
• the severity of security issues, if any
• circumstances of the previous review, if any
• SSA workload considerations
Although the scheduling of the review is contingent upon approval of the SDP, in extreme
circumstances SSA may, at its discretion, perform an onsite review prior to approval if
determined necessary by SSA for completion of the evaluation of a plan.
7. Additional Definitions
Back Button:
Refers to a button on a web browser's toolbar, the backspace button on a computer keyboard, a
programmed keyboard button or mouse button, etc., that returns a user to a previously visited
web page or application screen.
Breach:
Refers to actual loss, loss of control, compromise, unauthorized disclosure, unauthorized
acquisition, unauthorized access, or any similar term referring to situations where persons other
than authorized users and for other than authorized purposes have access or potential access to
PII or Covered Information, whether physical, electronic, or in spoken word or recording.
Browsing:
Requests for or queries of SSA-provided data for purposes not related to the performance of official
job duties.
Choke Point:
The firewall between a local network and the Internet is considered a choke point in network
security, because any attacker would have to come through that channel, which is typically
protected and monitored.
Cloud Computing:
The term refers to Internet-based computing and is derived from the cloud drawing representing
the Internet in computer network diagrams. Cloud computing providers deliver on-demand online
computing resources (e.g., services, software applications, data storage, and information)
accessible to their customers by means of a web service or browser.
Cloud Drive:
A cloud drive is a Web-based service that provides storage space on a remote server.
CloudAudit:
CloudAudit is a specification that provides cloud computing service providers a standard way to
present and share detailed, automated statistics about performance and security.
Commingling:
The process by which an EIEP adjoins specific SSA-provided data to specific preexisting EIEP
information according to a particular data-matching scheme.
Degaussing:
Degaussing is the method of using a degausser (i.e., a device that generates a magnetic field) in
order to disrupt magnetically recorded information. Degaussing can be effective for purging
damaged media and media with exceptionally large storage capacities. Degaussing is not effective
for purging non-magnetic media (e.g., optical discs).
Dial-up:
Sometimes used synonymously with dial-in, refers to digital data transmission over the wires of a
local telephone network.
Function:
One or more persons or organizational components assigned to serve a particular purpose, or
perform a particular role. Also, the purpose, activity, or role assigned to one or more persons or
organizational components.
Hub:
As it relates to electronic data exchange with SSA, a hub is an organization which performs as an
electronic information distribution and/or collection point (and may also be referred to as a State
Transmission Component or STC).
ICON:
Interstate Connection Network (various entities use 'Connectivity' rather than 'Connection')
IV&V:
Independent Verification and Validation
Legacy System:
A term usually referring to a corporate or organizational computer system or network that utilizes
outmoded programming languages, software, and/or hardware that typically no longer receive
support from the original vendors or developers.
Manual Transaction:
An operation (also referred to as a 'user-initiated transaction') which is initiated at the volition of a
user rather than system-generated within an automated process.
Example: A user enters a client's information including the client's SSN on an input screen and
presses the 'ENTER' key to acknowledge that input of data has been completed. A new screen
appears with multiple options which include 'VERIFY SSN' and 'CONTINUE'. The user has the
option to verify the client's SSN or perform alternative actions.
Media Sanitization:
• Disposal: Refers to the discarding (e.g., recycling) of media that contains no sensitive or
confidential data.
• Clearing: This type of media sanitization is considered to be adequate for protecting
information from a robust keyboard attack. Clearing must prevent retrieval of information by
data, disk, or file recovery utilities. Clearing must be resistant to keystroke recovery attempts
executed from standard input devices and from data scavenging tools. For example,
overwriting is an acceptable method for clearing media. Deleting items, however, is not
sufficient for clearing.
This process may include overwriting all addressable locations of the data, as well as its logical
storage location (e.g., its file allocation table). The aim of the overwriting process is to replace
or obfuscate existing information with random data. Most rewriteable media may be cleared by
a single overwrite. This method of sanitization cannot be utilized on unwriteable or damaged
media.
• Purging: This type of media sanitization is a process that protects information from a
laboratory attack. The terms clearing and purging are sometimes considered synonymous.
However, for some media, clearing is not sufficient for purging (i.e., protecting data from a
laboratory attack). Although most rewriteable media may be cleared by a single overwrite,
purging may require multiple rewrites using different characters for each write cycle.
This is because a laboratory attack involves threats with the capability to employ non-standard
assets (e.g., specialized hardware) to attempt data recovery on media outside of that media's
normal operating environment.
Degaussing is also an example of an acceptable method for purging magnetic media. If purging
media is not a viable method for sanitization, the media should be destroyed.
• Destruction: Physical destruction of media is the most effective form of sanitization. Methods
of destruction include burning, pulverizing, and shredding. Any residual medium should be able
to withstand a laboratory attack.
Permission module:
A utility or subprogram within an application which automatically enforces the relationship of a
request for or query of SSA-provided data to an authorized process or transaction legitimately
initiated; e.g., verification of an SSN for issuance of a driver license which can be triggered only
automatically from within a state's driver license application, requests for information from SSA by
an EIEP's employee which cannot be initiated unless the EIEP's client system has a record
containing the SSN of the individual for which information is sought, etc.
Screen Scraping:
Screen scraping is normally associated with the programmatic collection of visual data from a
source. Originally, screen scraping referred to the practice of reading text data from a computer
display terminal's screen. This was generally done by reading the terminal's memory through its
auxiliary port, or by connecting the terminal output port of one computer system to an input port
on another. The term screen scraping is also commonly used to refer to the bidirectional exchange
of data.
A screen scraper might connect to a legacy system via Telnet, emulate the keystrokes needed to
navigate the legacy user interface, process the resulting display output, extract the desired data,
and pass it on to a modern system.
More modern screen scraping techniques include capturing the bitmap data from a screen and
running it through an optical character recognition engine, or, in the case of graphical user interface
applications, querying the graphical controls by programmatically obtaining references to their
underlying programming objects.
Security Breach:
An act from outside an organization that bypasses or contravenes security policies, practices, or
procedures.
Security Incident:
A fact or event which signifies the possibility that a breach of security may be taking place, or may
have taken place. All threats are security incidents, but not all security incidents are threats.
Security Violation:
An act from within an organization that bypasses or contravenes security policies, practices, or
procedures.
Sensitive data:
Information such as PII and information provided by SSA to an EIEP, the loss, misuse, or
unauthorized access to or modification of which could adversely affect the national interest or the
conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section
552a (the Privacy Act), but that has not been specifically authorized under criteria established by
an Executive Order or an Act of Congress to be kept classified in the interest of national defense or
foreign policy, but is to be protected in accordance with the requirements of the Computer Security
Act of 1987 (P.L. 100-235).
SMDS (Switched Multimegabit Data Service):
SMDS is a telecommunications service that provides connectionless, high-performance, packet-
switched data transport. Although not a protocol, it supports standard protocols and
communications interfaces using current technology.
SSA-provided data/information:
Synonymous with 'SSA-supplied data/information', defines information under the control of SSA
provided to an external entity under the terms of an information exchange agreement with SSA.
The following are examples of SSA-provided data/information:
• SSA's response to a request from an EIEP for information from SSA (e.g., date of death)
• SSA's response to a query from an EIEP for verification of an SSN
SSA data/information:
This term, sometimes used interchangeably with 'SSA-provided data/information', denotes
information under the control of SSA provided to an external entity under the terms of an
information exchange agreement with SSA. However, 'SSA data/information' also includes
information provided to the EIEP by a source other than SSA, but which is attested by the EIEP to
have been verified by SSA, or is coupled with data from SSA as to the accuracy of the information.
The following are examples of SSA information:
• SSA's response to a request from an EIEP for information from SSA (e.g., date of death)
• SSA's response to a query from an EIEP for verification of an SSN
• Display by the EIEP of SSA's response to a query for verification of an SSN and the
associated SSN provided by SSA
• Display by the EIEP of SSA's response to a query for verification of an SSN and the
associated SSN provided to the EIEP by a source other than SSA
• Electronic records that contain only SSA's response to a query for verification of an SSN
and the associated SSN, whether provided to the EIEP by SSA or a source other than SSA
SSN:
Social Security Number
STC:
A State Transmission Component is an organization which performs as an electronic information
distribution and/or collection point for one or more other entities (and may also be referred to as a
hub).
System-generated transaction:
A transaction automatically triggered by an automated system process.
Example: A user enters a client's information including the client's SSN on an input screen and
presses the 'ENTER' key to acknowledge that input of data has been completed. An automated
process then matches the SSN against the user's organization's database and, when no match is
found, automatically sends an electronic request for verification of the SSN to SSA.
Systems process:
Refers to a software program module that runs in the background within an automated batch,
online, or other process.
25
Third Party:
This term pertains to an entity (person or organization) provided access to SSA-provlded
Information by an EIEP or other SSA business partner for which one or more of the following apply:
• Is not stipulated access to SSA-provlded data by an Information-sharing agreement between
an EIEP and SSA
• has no Information-sharing agreement with SSA
• Is not directly authorized by SSA for access to SSA-provided data
Transaction-driven:
This term pertains to an automatically initiated online query of or request for SSA Information by
an automated transaction process (e.g., driver license Issuance, etc;.). The query or request will
only occur if prescribed conditions are met within the automated process.
Uncontrolled transaction:
This term pertains to a transaction that Is not controlled by a permission module (I.e., not subject
to a systematically enforced relationship to an authorized process or application or an existing
client record).
(THE REST OF THIS PAGE HAS BEEN LEFT BLANK INTENTIONALLY)
8. Regulatory References
Federal Information Processing Standards (FIPS) Publications
Federal Information Security Management Act of 2002 (FISMA)
Homeland Security Presidential Directive (HSPD-12)
National Institute of Standards and Technology (NIST) Special Publications
Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal
Control
Office of Management and Budget (OMB) Circular A-130, Appendix III, Management of Federal
Information Resources
Office of Management and Budget (OMB) Memo M-06-16, Protection of Sensitive Agency
Information, June 23, 2006
Office of Management and Budget (OMB) Memo M-07-16, Memorandum for the Heads of Executive
Departments and Agencies, May 22, 2007
Office of Management and Budget (OMB) Memo M-07-17, Safeguarding Against and Responding to
the Breach of Personally Identifiable Information, May 22, 2007
Privacy Act of 1974
9. Frequently Asked Questions
(Click links for answers or additional information)
1. Q: What is a breach of data?
A: Refer also to Security Breach, Security Incident, and Security Violation.
2. Q: What is employee browsing?
A: Click hyperlink
3. Q: Okay, so the SDP was submitted. Can the Onsite Review be scheduled now?
A: Refer to Scheduling the Onsite Review.
4. Q: What is a 'Permission Module'?
A: Click hyperlink
5. Q: What is meant by Screen Scraping?
A: Click hyperlink
6. Q: When does an SDP have to be submitted?
A: Refer to When the SDP and RA are Required.
7. Q: Does an SDP have to be submitted when the agreement is renewed?
A: The SDP does not have to be submitted because the agreement between the EIEP
and SSA was renewed. There are, however, circumstances that require an SDP to be
submitted. Refer to When the SDP and RA are Required.
8. Q: Is it acceptable to save SSA data with a verified indicator on a (EIEP) workstation as
long as the hard drive is encrypted? If not, what options does the agency have?
A: There is no problem with an EIEP saving SSA-provided information to the encrypted
hard drives of computers processing the data, provided the information is retained only
as provided for in the EIEP's data-sharing agreement with SSA. Refer to Data and
Communications Security.
9. Q: Is caching of SSA-provided data on EIEP workstations allowed?
A: Caching during processing is not a problem. However, SSA-provided data must be
cleared from the cache when the user exits the application in which the data was used
or accessed. Refer to Data and Communications Security.
10. Q: What is meant by "interconnections to other systems"?
A: As used in SSA's system security requirements document, the term "interconnections"
is synonymous with "connections".
11. Q: Is it acceptable to submit the SDP as a PDF file?
A: No, it is not.
12. Q: Should the SDP be written from the standpoint of my agency's SVES access itself, or
from the standpoint of access to all data provided to us by SSA?
A: The SDP is to encompass your agency's electronic access to SSA-provided data as per
the electronic data sharing agreement between your agency and SSA. Refer to
Developing the SDP.
15. Q: Does having a "transaction-driven" system mean that employees cannot initiate a
query to SSA and that a permission module is not needed?
A: Not necessarily. "Transaction driven" basically means that queries, etc. are submitted
automatically (and it might depend on the transaction). Depending on the system
implementation, queries might not be automatic or, if they are, manual transactions
might still be permitted (for example, when something needs to be corrected). Also,
even if a "transaction-driven" system is implemented in such a way that manual
transactions cannot be performed, if the system does not require the user to be in a
particular application and/or the query to be for an existing record in the EIEP's
system before the system will allow a query to go through to SSA, it would still need
a permission module.
16. Q: What is an Onsite Compliance Review?
A: The Onsite Compliance Review is the process wherein SSA performs periodic site visits
to its Electronic Information Exchange Partners (EIEP) to certify whether the EIEP's
technical, managerial, and operational security measures for protecting data obtained
electronically from SSA continue to conform to the terms of the EIEPs' data sharing
agreements with SSA and SSA's associated system security requirements and
procedures. Refer to the Compliance Review Program and Process.
17. Q: What are the criteria for performing an Onsite Compliance Review?
A: The following are criteria for performing the Onsite Compliance Review:
• EIEP initiating new access or new access method for obtaining information from
SSA
• EIEP's cyclical review (previous review was performed remotely)
• EIEP has made significant change(s) in its operating or security platform involving
SSA-provided data
• EIEP experienced a breach of SSA-provided personally identifying information (PII)
• EIEP has been determined to be high-risk
Refer also to the Review Determination Matrix.
18. Q: What is a Remote Compliance Review?
A: The Remote Compliance Review is the process wherein SSA conducts periodic
meetings remotely (e.g., via conference calls) with its EIEPs to determine whether the
EIEP's technical, managerial, and operational security measures for protecting data
obtained electronically from SSA continue to conform to the terms of the EIEPs' data
sharing agreements with SSA and SSA's associated system security requirements and
procedures. Refer to the Compliance Review Program and Process.
19. Q: What are the criteria for performing a Remote Compliance Review?
A: Each of the following criteria must be satisfied for performing the Remote Compliance
Review:
• EIEP's cyclical review (previous review was performed onsite without findings, or
issues for which findings were cited have been satisfactorily resolved).
• EIEP has made no significant change(s) in its operating or security platform
involving SSA-provided data.
• EIEP has not experienced a breach of SSA-provided personally identifying
information (PII) since its previous compliance review.
• EIEP has been determined to be low-risk.
Refer also to the Review Determination Matrix.
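A permission module of the kind described under 'Uncontrolled transaction' and in FAQ 15 above, as an added illustration that is not SSA's or any EIEP's code: the application names, user ids and SSN values are constructed placeholders, and the rule that a system-generated query is controlled by the authorized application that issues it while a manually initiated query must also match an existing client record is an assumed reading of the text.

```python
"""Permission-module check for queries to SSA (added illustration).

Assumed rule, read from the 'Uncontrolled transaction' definition and FAQ 15:
a query may go to SSA only when it is tied to an authorized application or
process, or to an existing client record. A system-generated query is
controlled by the authorized application that issues it; a manual query must
additionally match an existing client record. Anything else is an
uncontrolled transaction and is refused and logged. All identifiers and SSN
values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: applications permitted to query SSA, and the users
# authorized to work in each of them.
AUTHORIZED_APPLICATIONS: Dict[str, Set[str]] = {
    "eligibility-intake": {"u1001", "u1002"},
    "benefit-redetermination": {"u1002"},
}

# Constructed sample client records keyed by SSN (placeholder values only).
CLIENT_RECORDS: Set[str] = {"000-00-0001", "000-00-0002"}


@dataclass(frozen=True)
class QueryRequest:
    user_id: str
    application: str        # application the user is working in; "" if none
    ssn: str
    system_generated: bool  # True when an automated process triggered it


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permission_module(req: QueryRequest,
                      authorized_apps: Dict[str, Set[str]] = AUTHORIZED_APPLICATIONS,
                      client_records: Set[str] = CLIENT_RECORDS) -> Decision:
    """Decide whether a single query may be forwarded to SSA."""
    users = authorized_apps.get(req.application)
    if users is None:
        return Decision(False, "not issued from an authorized application")
    if req.user_id not in users:
        return Decision(False, "user not authorized in this application")
    if req.system_generated:
        # Controlled by the authorized process itself (e.g. an intake screen
        # that queries SSA only after a local lookup finds no match).
        return Decision(True, "system-generated within authorized application")
    if req.ssn in client_records:
        return Decision(True, "manual query tied to an existing client record")
    return Decision(False, "manual query not tied to an existing client record")


def screen_queries(requests: List[QueryRequest]) -> Tuple[List[QueryRequest], List[str]]:
    """Return the queries that may go to SSA and one audit line per request.

    The audit trail never records the full SSN, only its last four digits.
    """
    forwarded: List[QueryRequest] = []
    audit: List[str] = []
    for req in requests:
        d = permission_module(req)
        audit.append(f"user={req.user_id} app={req.application or '-'} "
                     f"ssn=***-**-{req.ssn[-4:]} "
                     f"{'ALLOW' if d.allowed else 'DENY'}: {d.reason}")
        if d.allowed:
            forwarded.append(req)
    return forwarded, audit


if __name__ == "__main__":
    sample = [
        QueryRequest("u1001", "eligibility-intake", "000-00-0009", True),
        QueryRequest("u1001", "eligibility-intake", "000-00-0001", False),
        QueryRequest("u1001", "eligibility-intake", "000-00-0009", False),
        QueryRequest("u1001", "benefit-redetermination", "000-00-0001", False),
        QueryRequest("u1003", "", "000-00-0001", False),
    ]
    for line in screen_queries(sample)[1]:
        print(line)
```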
ATTACHMENT 5
WORKSHEET FOR REPORTING LOSS OR POTENTIAL LOSS
OF PERSONALLY IDENTIFIABLE INFORMATION
ATTACHMENT 5
Worksheet for Reporting Loss or Potential Loss of Personally Identifiable
Information
1. Information about the individual making the report to the NCSC:
Name:
Position:
Deputy Commissioner Level Organization:
Phone Numbers:
Work: | Cell: | Home/Other:
E-mail Address:
Check one of the following:
Management Official | Security Officer | Non-Management
2. Information about the data that was lost/stolen:
Describe what was lost or stolen (e.g., case file, MBR data):
Which element(s) of PII did the data contain?
Name | Bank Account Info
SSN | Medical/Health Information
Date of Birth | Benefit Payment Info
Place of Birth | Mother's Maiden Name
Address | Other (describe):
Estimated volume of records involved:
3. How was the data physically stored, packaged and/or contained?
Paper or Electronic? (circle one):
If Electronic, what type of device?
Laptop | Tablet | Backup Tape | Blackberry
Workstation | Server | CD/DVD | Blackberry Phone #
Hard Drive | Floppy Disk | USB Drive
Other (describe):
ATTACHMENT 5 09/27/06
Additional Questions if Electronic:
Yes | No | Not Sure
a. Was the device encrypted?
b. Was the device password protected?
c. If a laptop or tablet, was a VPN SmartCard lost?
Cardholder's Name:
Cardholder's SSA logon PIN:
Hardware Make/Model:
Hardware Serial Number:
Additional Questions if Paper:
Yes | No | Not Sure
a. Was the information in a locked briefcase?
b. Was the information in a locked cabinet or drawer?
c. Was the information in a locked vehicle trunk?
d. Was the information redacted?
e. Other circumstances:
4. If the employee/contractor who was in possession of the data or to whom the
data was assigned is not the person making the report to the NCSC (as listed in
#1), information about this employee/contractor:
Name:
Position:
Deputy Commissioner Level Organization:
Phone Numbers:
Work: | Cell: | Home/Other:
E-mail Address:
5. Circumstances of the loss:
a. When was it lost/stolen?
b. Brief description of how the loss/theft occurred:
c. When was it reported to SSA management official (date and time)?
6. Have any other SSA components been contacted? If so, who? (Include deputy
commissioner level, agency level, regional/associate level component names)
7. Which reports have been filed? (include FPS, local police, and SSA reports)
Report Filed | Yes | No | Report Number
Federal Protective Service
Local Police
SSA-3114 (Incident Alert)
SSA-342 (Report of Survey)
Other (describe)
8. Other pertinent information (include actions under way, as well as any contacts
with other agencies, law enforcement or the press):
RECERTIFICATION OF THE COMPUTER MATCHING AGREEMENT
BETWEEN
THE SOCIAL SECURITY ADMINISTRATION (SSA)
AND
THE HEALTH AND HUMAN SERVICES AGENCY OF CALIFORNIA
(STATE AGENCY)
SSA Match #6003
Under the applicable provisions of the Privacy Act of 1974, amended by the Computer Matching
and Privacy Protection Act (CMPPA) of 1988, 5 U.S.C. § 552a(o)(2), a computer matching
agreement will remain in effect for a period not to exceed 18 months. Within 3 months prior to
the expiration of such computer matching agreement, however, the Data Integrity Board (DIB)
may, without additional review, renew the computer matching agreement for a current, ongoing
matching program for a period not to exceed 12 additional months if:
1. such program will be conducted without any changes; and
2. each party to the agreement certifies to the DIB in writing that the program has been
conducted in compliance with the agreement.
The following match meets the conditions for renewal by this recertification:
I. TITLE OF MATCH:
Computer Matching and Privacy Protection Act Agreement Between the Social Security
Administration and the Health and Human Services Agency of California (Match #6003)
II. PARTIES TO THE MATCH:
Recipient Agency: The Health and Human Services of California (State Agency)
Source Agency: Social Security Administration (SSA)
III. PURPOSE OF THE AGREEMENT:
This CMPPA Agreement between SSA and the State Agency sets forth the terms and
conditions governing disclosures of records, information, or data (collectively referred to
herein as "data") made by SSA to the State Agency that administers federally funded benefit
programs under various provisions of the Social Security Act (Act), such as section 1137
(42 U.S.C. § 1320b-7), including the state-funded state supplementary payment programs
under title XVI of the Act. Under section 1137 of the Act, the State Agency is required
to use an income and eligibility verification system to administer specified federally
funded benefit programs, including the state-funded state supplementary payment
programs under title XVI of the Act. To assist the State Agency in determining
entitlement to and eligibility for benefits under those programs, as well as other federally
funded benefit programs, SSA discloses certain data about applicants for state benefits
from SSA Privacy Act Systems of Records and verifies the Social Security numbers of
the applicants.
IV. ORIGINAL EFFECTIVE AND EXPIRATION DATES OF THE MATCH:
Effective Date: July 1, 2012
Expiration Date: December 31, 2013
V. RENEWAL AND NEW EXPIRATION DATES:
Renewal Date: January 1, 2014
New Expiration Date: December 31, 2014
VI. CHANGES:
By this recertification, SSA and the State Agency make the following non-substantive
changes to the computer matching agreement:
In Article XIV, "Points of Contact," information under subsection A., "SSA Point of
Contact, Regional Office," should be deleted in its entirety and replaced with the
following:
Dolores Dunnachie, Director
San Francisco Regional Office, Center for Programs Support
1221 Nevin Ave
Richmond CA 94801
Phone: (510) 970-8444 / Fax: (510) 970-[illegible]
Dolores.Dunnachie@ssa.gov
Social Security Administration
Source Agency Certification:
As the authorized representative of the source agency named above, I certify that: (1) the
subject matching program was conducted in compliance with the existing computer
matching agreement between the parties; and (2) the subject matching program will
continue without any change for an additional 12 months, subject to the approval of the
Data Integrity Board of the Social Security Administration.
Grace M. Kim
Regional Commissioner
San Francisco
Date: [handwritten]
Data Integrity Board Certification:
As Chair of the Data Integrity Board of the source agency named above, I certify that:
(1) the subject matching program was conducted in compliance with the existing
computer matching agreement between the parties; and (2) the subject matching program
will continue without any change for an additional 12 months.
[signature, name illegible]
Data Integrity Board
Date: [handwritten]
Health and Human Services Agency of California
Recipient Agency Certification:
As the authorized representative of the recipient agency named above, I certify that:
(1) the subject matching program was conducted in compliance with the existing
computer matching agreement between the parties; and (2) the subject matching program
will continue without any change for an additional 12 months, subject to the approval of
the Data Integrity Board of the Social Security Administration.
Diana S. Dooley, Secretary
Date: [handwritten]
CCC-307
CERTIFICATION
I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly
authorized to legally bind the prospective Contractor to the clause(s) listed below. This
certification is made under the laws of the State of California .
Contractor/Bidder Firm Name (Printed): County of Fresno
Federal ID Number: 94-6000512
ATTEST: By [signature]
BERNICE E. SEIDEL, Clerk, Board of Supervisors
Printed Name and Title of Person Signing:
By [signature] Deborah A. Poochigian, Chairman, Board of Supervisors
Date Executed: [handwritten]
Executed in the County of: Fresno
CONTRACTOR CERTIFICATION CLAUSES
1. STATEMENT OF COMPLIANCE: Contractor has, unless exempted, complied with
the nondiscrimination program requirements. (Gov. Code § 12990 (a-f) and CCR, Title 2,
Section 8103) (Not applicable to public entities.)
2 . DRUG-FREE WORKPLACE REQUIREMENTS: Contractor will comply with the
requirements ofthe Drug-Free Workplace Act of 1990 and will provide a drug-free
workplace by taking the following actions :
a. Publish a statement notifying emplo yees that unlawful manufacture, distribution ,
dispensation, possession or use of a controlled substance is prohibited and specifying
actions to be taken against employees for violations .
b. Establish a Drug-Free Awareness Program to inform employees about:
1) the dangers of drug abuse in the workplace ;
2) the person's or organization's polic y of maintaining a drug-free workplace;
3) any available counseling , rehabilitation and employee assistance programs; and ,
4) penalties that may be imposed upon emplo yees for drug abuse violations .
c. Every employee who works on the proposed Agreement will :
1) receive a copy of the company's drug-free workplace policy statement; and ,
2) agree to abide by the terms of the company's statement as a condition of employment
on the Agreement.
Failure to comply with these requirements may result in suspension of payments under
the Agreement or termination of the Agreement or both and Contractor may be ineligible
for award of any future State agreements if the department determines that any of the
following has occurred : the Contractor has made false certification , or violated the
certification by failing to carry out the requirements as noted above. (Gov. Code § 8350 et
seq.)
3. NATIONAL LABOR RELATIONS BOARD CERTIFICATION: Contractor certifies
that no more than one ( 1) final unappealable finding of contempt of court by a Federal
court has been issued against Contractor within the immediately preceding two-year
period because of Contractor's failure to comply with an order of a Federal court, which
orders Contractor to comply with an order of the National Labor Relations Board. (Pub.
Contract Code § 10296) (Not applicable to public entities.)
4. CONTRACTS FOR LEGAL SERVICES $50,000 OR MORE-PRO BONO
REQUIREMENT: Contractor hereby certifies that contractor will comply with the
requirements of Section 6072 of the Business and Professions Code, effective January 1,
2003.
Contractor agrees to make a good faith effort to provide a minimum number of hours of
pro bono legal services during each year of the contract equal to the lesser of 30
multiplied by the number of full time attorneys in the firm's offices in the State, with the
number of hours prorated on an actual day basis for any contract period of less than a full
year, or 10% of its contract with the State.
Failure to make a good faith effort may be cause for non-renewal of a state contract for
legal services, and may be taken into account when determining the award of future
contracts with the State for legal services.
5. EXPATRIATE CORPORATIONS : Contractor hereby declares that it is not an
expatriate corporation or subsidiary of an expatriate corporation within the meaning of
Public Contract Code Section 10286 and 10286.1, and is eligible to contract with the
State of California.
6. SWEATFREE CODE OF CONDUCT:
a. All Contractors contracting for the procurement or laundering of apparel, garments or
corresponding accessories, or the procurement of equipment, materials , or supplies, other
than procurement related to a public works contract, declare under penalty of perjury that
no apparel, garments or corresponding accessories , equipment, materials, or supplies
furnished to the state pursuant to the contract have been laundered or produced in whole
or in part by sweatshop labor , forced labor, convict labor, indentured labor under penal
sanction, abusive forms of child labor or exploitation of children in sweatshop labor, or
with the benefit of sweatshop labor , forced labor , convict labor, indentured labor under
penal sanction, abusive forms of child labor or exploitation of children in sweatshop
labor. The contractor further declares under penalty of perjury that they adhere to the
Sweatfree Code of Conduct as set forth on the California Department of Industrial
Relations website located at www.dir.ca.gov , and Public Contract Code Section 6108.
b. The contractor agrees to cooperate fully in providing reasonable access to the
contractor's records, documents , agents or employees, or premises if reasonably required
by authorized officials of the contracting agency, the Department of Industrial Relations,
or the Department of Justice to determine the contractor's compliance with the
requirements under paragraph (a).
7. DOMESTIC PARTNERS: For contracts over $100 ,000 executed or amended after
January 1, 2007, the contractor certifies that contractor is in compliance with Public
Contract Code section 10295 .3 .
DOING BUSINESS WITH THE STATE OF CALIFORNIA
The following laws apply to persons or entities doing business with the State of
California.
1. CONFLICT OF INTEREST: Contractor needs to be aware of the following provisions
regarding current or former state employees. If Contractor has any questions on the
status of any person rendering services or involved with the Agreement, the awarding
agency must be contacted immediately for clarification.
Current State Employees (Pub. Contract Code § 10410):
1). No officer or employee shall engage in any employment, activity or enterprise from
which the officer or employee receives compensation or has a financial interest and
which is sponsored or funded by any state agency , unless the employment , activity or
enterprise is required as a condition of regular state employment.
2). No officer or employee shall contract on his or her own behalf as an independent
contractor with any state agency to provide goods or services.
Former State Employees (Pub . Contract Code § 10411 ):
1). For the two-year period from the date he or she left state employment, no former state
officer or employee may enter into a contract in which he or she engaged in any of the
negotiations, transactions, planning , arrangements or any part of the decision-making
process relevant to the contract while employed in any capacity by any state agency.
2). For the twelve-month period from the date he or she left state employment, no former
state officer or employee may enter into a contract with any state agency if he or she was
employed by that state agency in a policy-making position in the same general subject
area as the proposed contract within the 12-month period prior to his or her leaving state
service.
If Contractor violates any provisions of above paragraphs, such action by Contractor shall
render this Agreement void. (Pub. Contract Code § 10420)
Members of boards and commissions are exempt from this section if they do not receive
payment other than payment of each meeting of the board or commission, payment for
preparatory time and payment for per diem. (Pub. Contract Code § 10430 (e))
2. LABOR CODE/WORKERS' COMPENSATION: Contractor needs to be aware of the
provisions which require every employer to be insured against liability for Worker's
Compensation or to undertake self-insurance in accordance with the provisions , and
Contractor affirms to comply with such provisions before commencing the performance
of the work of this Agreement. (Labor Code Section 3700)
3. AMERICANS WITH DISABILITIES ACT: Contractor assures the State that it
complies with the Americans with Disabilities Act (ADA) of 1990, which prohibits
discrimination on the basis of disability, as well as all applicable regulations and
guidelines issued pursuant to the ADA. (42 U.S.C. 12101 et seq.)
4. CONTRACTOR NAME CHANGE: An amendment is required to change the
Contractor's name as listed on this Agreement. Upon receipt of legal documentation of
the name change the State will process the amendment. Payment of invoices presented
with a new name cannot be paid prior to approval of said amendment.
5. CORPORATE QUALIFICATIONS TO DO BUSINESS IN CALIFORNIA:
a. When agreements are to be performed in the state by corporations , the contracting
agencies will be verifying that the contractor is currently qualified to do business in
California in order to ensure that all obligations due to the state are fulfilled.
b. "Doing business" is defined in R&TC Section 23101 as actively engaging in any
transaction for the purpose of financial or pecuniary gain or profit. Although there are
some statutory exceptions to taxation, rarely will a corporate contractor performing
within the state not be subject to the franchise tax.
c. Both domestic and foreign corporations (those incorporated outside of California) must
be in good standing in order to be qualified to do business in California. Agencies will
determine whether a corporation is in good standing by calling the Office of the Secretary
of State.
6. RESOLUTION: A county , city, district , or other local public body must provide the
State with a copy of a resolution , order, motion , or ordinance of the local governing body
which by law has authority to enter into an agreement, authorizing execution of the
agreement.
7 . AIR OR WATER POLLUTION VIOLATION : Under the State laws, the Contractor
shall not be: (1) in violation of any order or resolution not subject to review promulgated
by the State Air Resources Board or an air pollution control district ; (2) subject to cease
and desist order not subject to review issued pursuant to Section 13301 of the Water
Code for violation of waste discharge requirements or discharge prohibitions; or (3)
finally determined to be in violation of provisions of federal law relating to air or water
pollution.
8. PAYEE DATA RECORD FORM STD . 204: This form must be completed by all
contractors that are not another state agency or other governmental entity .
AGREEMENT BETWEEN THE COUNTY OF FRESNO AND STATE OF CALIFORNIA
No .: 14-90316 Term: July 1, 2014 through June 30, 2015
APPROVED AS TO LEGAL FORM :
DANIEL C . CEDERBORG, COUNTY COUNSEL
By: [signature]
APPROVED AS TO ACCOUNTING FORM:
VICKI CROW, C.P .A., AUDITOR-CONTROLLER/
TREASURER-TAX COLLECTOR
REVIEWED AND RECOMMENDED FOR APPROVAL:
By: [signature]
Dawan Utecht, Director
Department of Behavioral Health