The URL can be used to link to this page

Home My WebLink About31970Agreement No. 16-659 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -~ MEDI-CAL PRIVACY AND SECURITY AGREEMENT BETWEEN the California Department of Health Care Services and the County of Fresno ' Department of _s_oc_ial_S_erv_ic_e_s __ _ PREAMBLE The Department of Health Care Services (DHCS) and the County of _Fr_es_no __ _ Department of s oc ial services (County Department) enter into this Medi-Cal Privacy and Security Agreement (Agreement) in order to ensure the privacy and security of Medi-Cal Personally Identifiable Information (Pll). DHCS receives federal funding to administer California's Medicaid Program (Medi-Cal). The County Department assists in the administration of Medi-Cal , in that DHCS and the County Department access DHCS eligibility information for the purpose of determining Medi-Cal eligibility. This Agreement covers the County of Fres no , Department of s oci al services workers, who assist in the administration of Medi-Cal; and access , use, or disclose Medi-Cal Pll . DEFINITIONS For t he p u rpo se of this Ag reemen t , t he following terms me an : 1. "Assist in the administration of the Medi -Cal program" means performing administrative functions on behalf of Medi-Cal, such as determining eligibility for, or enrollment in, or the amount of, public benefits, and collecting Medi-Cal Pll for such purposes, to the extent such activities are authorized by law. 2. "Breach" refers to actual loss, loss of control , compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access , or any similar term referring to situations where persons other than authorized users and for other than authorized purposes have access or potential access to Medi-Cal Pll , wheth e r electronic, paper, verbal, or recorded. 3 . "County Worker" means those county employees , contractors, subcontractors, vendors and agents performing any functions for the County that require access to and/or use of Medi-Cal Pll and that are authorized by the County to access and use Medi-Cal Pl I . 4 . "Medi-Cal Pll" is information directly obtained in the course of performing an administrative function on behalf of Medi-Cal that can be used alone, or in conjunction with any other information , to identify a specific individual. Pll includes any information that can be used to search for or identify individuals , or can be 1 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -~ used to access their files, such as name, social security number, date of birth , driver's license number or identification number. Pll may be electronic, paper, verbal, or recorded . 5 . "Security Incident" means the attempted or successful unauthorized access , use , disclosure, modification , or destruction of Medi-Cal Pll, or interference with system operations in an information system which processes Medi-Cal Pll that is under the control of the County or County's Statewide Automated Welfare System (SAWS) Consortium, or a contractor, subcontractor or vendor of the County . 6. "Secure Areas" means any area where: a . County Workers assist in the administration of Medi-Cal; b. County Workers use or d isclose Medi-Cal Pll ; or c. Medi-Cal Pll is stored in paper or electronic format. AGREEMENTS NOW THEREFORE, DHCS and County De partment mutually agree as follows: I. PRIVACY AND CONFIDENTIALITY A. The County Department worke rs covered by this Agreement (County Workers) may use o r disclose Medi-Cal Pll only as pe rmitted in t his Agreement and only to assist in the administration of Med i-Cal in accordance with Welfare and Institutions Code section 14100 .2 and 42 Code of Federal Regulations section 431 .300 et.seq., or as required by law. Disclosures, which are required by law, such as a court order, or are made with the explicit written authorization of the Medi-Cal client , are allowable . Any other use or disclosure of Medi-Cal Pll requires the express approval in writing of DHCS. No County Worker shall duplicate, disseminate or disclose Medi-Cal Pll except as allowed in this Agreement. B . Pursuant to this Agreement, County Workers may only use Medi-Cal Pll to perform administrative functions related to determining eligibility for individuals applying for Medi-Cal. C . Access to Medi-Cal Pll shall be restricted to County Workers who need to perform their official duties to assist in the administration of Medi-Cal. D. County Workers who access, disclose or use Medi-Cal Pll in a manner or for a purpose not authorized by this Agreement may be subject to c ivil and criminal sanctions contained in applicable federal and state statutes. 2 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16-~ II. PERSONNEL CONTROLS The County Department agrees to advise County Workers who have access to Medi-Cal Pll, of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in applicable federal and state laws. For that purpose, the County Department shall implement the following personnel controls: A. Employee Training. Train and use reasonable measures to ensure compliance with the requirements of this Agreement by County Workers, including, but not limited to: 1. Provide initial privacy and security awareness training to each new County Worker within 30 days of employment and; 2. Thereafter, provide annual refresher training or reminders of the privacy and security safeguards in this Agreement to all County Workers. Three or more security reminders per year are recommended; 3. Maintain records indicating each County Worker's name and the date on which the privacy and security awareness training was completed; 4. Retain training records for a period of three years after completion of the training. B. Employee Discipline. 1. Provide documented sanction policies and procedures for County Workers who fail to comply with privacy policies and procedures or any provisions of these requirements. 2. Sanction policies and procedures shall include termination of employment when appropriate. C. Confidentiality Statement. Ensure that all County Workers sign a confidentiality statement. The statement shall be signed by County Workers prior to accessing Medi-Cal Pll and annually thereafter. Signatures may be physical or electronic. The signed statement shall be retained for a period of three years. The statement shall include at a minimum: 1. General Use; 2. Security and Privacy Safeguards; 3. Unacceptable Use; and 3 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -~ 4 . Enforcement Policies. D. Background Screening. 1 . Conduct a background screening of a County Worker before they may access Medi-Cal Pll. 2 . The background screening should be commensurate with the risk and magnitude of harm the employee could cause . More thorough screening shall be done for those employees who are authorized to bypass significant technical and operational security controls . 3 . The County Department shall retain each County Worker's background screening documentation fo r a period of three years following conclusion of employment relationship . Ill. MANAGEMENT OVERSIGHT AND MONITORING To ensure compliance with the privacy and security safeguards in this Agreement the county shall perform the following: A. Conduct periodic privacy and security review of work activity by County Workers, including random sampling of work product. Examples include , but are not limited to , access to case files or other activities related to the handling of Medi-Cal Pll. B. The periodic privacy and security reviews must be performed or overseen by management level personnel who are knowledgeable and experienced in the areas of privacy and information security in the administration of the Medi-Cal program, and the use or disclosure of Medi-Cal Pll. IV. INFORMATION SECURITY AND PRIVACY STAFFING The County agrees to : A. Designate information security and privacy officials who are accountable for compliance with these and all other applicable requirements stated in this Agreement. B. Assign county workers to be responsible for administration and monitoring of all security related controls stated in this Agreement. 4 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ V. PHYSICAL SECURITY The County Department shall ensure Medi-Cal Pll is used and stored in an area that is physically safe from access by unauthorized persons at all times. The County Department agrees to safeguard Medi-Cal Pll from loss, theft, or inadvertent disclosure and, therefore, agrees to: A. Secure all areas of the County Department facilities where County Workers assist in the administration of Medi-Cal and use, disclose , or store Medi-Cal Pll. B. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: 1. Properly coded key cards 2. Authorized door keys 3. Official identification C. Issue identification badges to County Workers. D. Require County Workers to wear these badges where Medi-Cal Pll is used, disclosed, or stored. E. Ensure each physical location, where Medi-Cal Pll is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. F. Ensure there are security guards or a monitored alarm system at all times at the County Department facilities and leased facilities where 500 or more individually identifiable records of Medi-Cal Pll is used, disclosed, or stored. Video surveillance systems are recommended. G. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of Medi-Cal Pll have perimeter security and physical access controls that limit access to only authorized County Workers. Visitors to the data center area must be escorted at all times by authorized County Workers. H. Store paper records with Medi-Cal Pll in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which are multi-use meaning that there are County Department and non-County Department functions in one building in work areas that are not securely segregated from each other. It is recommended that all Medi-Cal Pll be locked up when unattended at any time, not just within multi-use facilities . I. The County shall have policies that include, based on applicable risk factors, a description of the circumstances under which the County Workers 5 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -~ can transport Medi-Cal Pll, as well as the physical security requirements during transport. A County that chooses to permit its County Workers to leave records unattended in vehicles must include provisions in its policies to provide the Medi-Cal Pll is stored in a non-visible area such as a trunk , that the vehicle is locked, and under no circumstances permit Medi-Cal Pll be left unattended in a vehicle overnight or for other extended periods of time. J. The County Department shall have policies that indicate County Workers are not to leave records with Medi-Cal Pll unattended at any time in airplanes , buses, trains, etc., including baggage areas . This should be included in training due to the nature of the risk . VI. TECHNICAL SECURITY CONTROLS A. Workstation/Laptop Encryption. All workstations and laptops, which use, store and/or process Medi-Cal Pll , must be encrypted using a FIPS 140-2 certified algorithm 128 bit or higher, such as Advanced Encryption Standard (AES). The encryption sol ution must be full disk. It is encouraged, when available and when feasible, that the encryption be 256 bit. B. Server Security. Servers containing unencrypted Medi-Cal Pll must have sufficient administrative , physical, and technical controls in place to protect that data, based upon a ris k assessment/syste m security re vi e w. It is recommended to follow the guidelines documented in the latest revision of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. C. Minimum Necessary. Only the minimum necessary amount of Medi-Cal Pll required to perform required business functions may be accessed, copied, downloaded, or exported. D. Mobile Device and Removable Media . All electronic files , which contain Medi-Cal Pll data, must be encrypted when stored on any mobile device or removable media (i.e . USB drives, CD/DVD, smartphones, tablets, backup tapes etc .). Encryption must be a FIPS 140-2 certified algorithm 128 bit or higher, such as AES . It is encouraged, when available and when feasible , that the encryption be 256 bit. E. Antivirus Software. All workstations, laptops and other systems, which process and/or store Medi-Cal Pll, must install and actively use an anti-virus software solution . Anti-virus software should have automatic updates for definitions scheduled at least daily. 6 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ F. Patch Management. 1. All workstations, laptops and other systems, which process and/or store Medi-Cal Pll, must have critical security patches applied, with system reboot if necessary. 2. There must be a documented patch management process that determines installation timeframe based on risk assessment and vendor recommendations. 3. At a maximum, all applicable patches deemed as critical must be installed within 30 days of vendor release. It is recommended that critical patches which are high risk be installed within seven days. 4 . Applications and systems that cannot be patched within this time frame, due to significant operational reasons, must have compensatory controls implemented to minimize risk. G. User IDs and Password Controls. 1. All users must be issued a unique user name for accessing Medi-Cal Pll. 2 . Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee, at maximum within 24 hours. 3. Passwords are not to be shared . 4. Passwords must be at least eight characters. 5. Passwords must be a non-dictionary word. 6. Passwords must not be stored in readable format on the computer or server. 7. Passwords must be changed every 90 days or less. It is recommended that passwords be required to be changed every 60 days or less . 8. Passwords must be changed if revealed or compromised. 9. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: a . Upper case letters (A-Z) b. Lower case letters (a-z) c . Arabic numerals (0-9) d. Special characters 7 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ H. User Access. In conjunction with DHCS, management should exercise control and oversight, of the function of authorizing individual user access to Social Security Administration (SSA) data, Medi-Cal Eligibility Data System (MEDS), and over the process of issuing and maintaining access control numbers , IDs, and passwords . I. Data Destruction. When no longer needed, all Medi-Cal Pll must be cleared, purged, or destroyed consistent with NIST SP 800-88 , Guidelines for Media Sanitization, such that the Medi-Cal Pll cannot be retrieved . J . System Timeout . The systems providing access to Medi-Cal Pll must provide an automatic timeout, requiring re-authentication of the user session after no more than 20 minutes of inactivity. K . Warning Banners . The systems providing access to Medi-Cal Pll must display a warning banner stating , at a minimum : 1 . Data is confidential ; 2. Systems are logged; 3 . System use is for business purposes only, by authoriz ed users; and 4 . Users shall log off the system immediately if they do not agree with these requirements . L. System Logging. 1. The systems which provide access to Medi-Cal Pll must maintain an automated audit trail that can identify the user or system process which initiates a request for Medi-Cal Pll, or alters Medi-Cal Pll . 2. The audit trail shall : a. Be date and time stamped; b. Log both successful and failed accesses; c . Be read-access only; and d . Be restricted to authorized users. 3 . If Medi-Cal Pll is stored in a database, database logging functionality shall be enabled . 4. Audit trail data shall be archived for at least three years from the occurrence. 8 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ M . Access Controls. The system providing access to Medi-Cal Pll shall use role based access controls for all user authentications , enforcing the principle of least privilege . N . Transmission Encryption. 1 . All data transmissions of Medi-Cal Pll outside of a secure internal network must be encrypted using a FIPS 140-2 certified algorithm that is 128 bit or higher, such as AES or TLS. It is encouraged , when available and when feasible , that 256 bit encryption be used . 2. Encryption can be end to end at the network level , or the data files containing Medi-Cal Pll can be encrypted. 3. This requirement pertains to any type of Medi-Cal Pll in motion such as website access, file transfer, and email. 0 . Intrusion Prevention. All systems involved in accessing , storing, transporting , and protecting Medi-Cal Pll , wh ich are accessible through the Internet, must be protected by an intrusion detection and prevention solution . VII . AUDIT CONTROLS A. System Security Review. 1 . The County Department must ensure audit control mechanisms are in place . 2 . All systems processing and/or storing Medi-Cal Pll must have at least an annual system risk assessment/security review that ensures administrative, physical, and technical controls are functioning effectively and provide an adequate level of protection . 3. Reviews should include vulnerability scanning tools. B . Log Reviews. All systems processing and/or storing Medi-Cal Pll must have a process or automated procedure in place to review system logs for unauthorized access. C. Change Control. All systems processing and/or storing Medi-Cal Pll must have a documented change control process that ensures separation of duties and protects the confidentiality, integrity and availability of data. D. Anomalies. When the county or DHCS suspects MEDS usage anomalies, the county will work with DHCS to investigate the anomalies and report co nclusions of such investigations and re mediation to DHCS. 9 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ VIII. BUSINESS CONTINUITY I DISASTER RECOVERY CONTROLS A. Emergency Mode Operation Plan . The County Department must establish a documented plan to enable continuation of critical business processes and protection of the security of Medi-Cal Pll kept in an electronic format in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than 24 hours. It is recommended that counties conduct periodic disaster recovery testing, including connectivity exercises conducted with DHCS, if requested . B. Data Centers. Data centers with servers, data storage devices, and critical network infrastructure involved in the use, storage and/or processing of Medi-Cal Pll, must include environmental protection such as cooling, power, and fire prevention, detection , and suppression. C. Data Backup Plan . 1. The County Department shall have established documented procedures to backup Medi-Cal Pll to maintain retrievable exact copies of Medi-Cal Pll. 2. The documented backup procedures shall contain a schedule which includes incremental and full backups. 3. The procedures shall include storing backups offsite . 4 . The procedures shall ensure an inventory of backup media . It is recommended that the county periodically test the data recovery process . IX. PAPER DOCUMENT CONTROLS A. Supervision of Data. Medi-Cal Pll in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information may be observed by an individual not authorized to access the information. B. Data in Vehicles. The County shall have policies that include , based on applicable risk factors, a description of the circumstances under which the County Workers can transport Medi-Cal Pll , as well as the physical security requirements during transport. A County that chooses to permit its County Workers to leave records unattended in vehicles must include provisions in its policies to provide the Medi-Cal Pll-is stored in a non -visible area such as a trunk, that the vehicle is locked , and under no circumstances permit Medi - 10 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ Cal Pll be left unattended in a vehicle overnight or for other extended periods of time. C . Public Modes of Transportation. Medi-Cal Pll in paper form shall not be left unattended at any time in airplanes , buses, trains, etc ., including baggage areas. This should be included in training due to the nature of the risk . D . Escorting Visitors. Visitors to areas where Medi-Cal Pll is contained shall be escorted, and Medi-Cal Pll shall be kept out of sight while visitors are in the area . E. Confidential Destruction. Medi-Cal Pll must be disposed of through confidential means, such as cross cut shredding or pulverizing. F. Removal of Data . Medi-Cal Pll must not be removed from the premises of County Department except for justifiable business purposes. G . Faxing. 1. Faxes containing Medi-Cal Pll shall not be left unattended and fax machines shall be in secure areas . 2. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them and notify the sender. 3. Fax numbers shall be verified with the intended recipient before sending the fax. H. Mailing. 1. Mailings containing Medi-Cal Pll shall be sealed and secured from damage or inappropriate viewing of Pll to the extent possible. 2. Mailings that include 500 or more individually identifiable records containing Medi-Cal Pll in a single package shall be sent using a tracked mailing method that includes verification of delivery and receipt. X. NOTIFICATION AND INVESTIGATION OF BREACHES AND SECURITY INCIDENTS During the term of this Agreement, the County Department agrees to implement reasonable systems for the discovery and prompt reporting of any Breach or Security Incident, and to take the following steps : 11 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -~ A. Initial Notice to DHCS: Immediately upon discovery of a suspected security incident that involves data provided to DHCS by the SSA, the county shall notify DHCS by email or telephone. Within one working day of discovery, the county shall notify DHCS by email or telephone of unsecured PHI or Pl, if that PHI or Pl was, or is, reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal Pll in violation of this Agreement, or potential loss of confidential data affecting this Agreement. Notice shall be made using the "DHCS Privacy Incident Report" (PIR) form, including all information known at the time. The County Department shall use the most current version of this form, which is posted on the DHCS Privacy Office website (www.dhcs.ca.gov, select "Privacy & HIPAA" and then "County Use") or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/CountiesOnly.aspx. Initial, Investigation, and Completed PIRs are submitted to the DHCS Privacy Office and the DHCS Information Security Office . A breach shall be treated as discovered by the County Department as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach), who is an employee, officer or other agent of the County Department. Notice shall be provided to the DHCS Privacy Office and the DHCS Information Security Office. Upon discovery of a breach, security incident, intrusion, or unauthorized access, use, or disclosure of Medi-Cal Pll, the County Department shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and 2. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. B. Investigation and Investigative Report. The county shall immediately investigate breaches and security incidents involving Medi-Cal Pll, and, if the initial PIR did not include all of the information marked with an asterisk, or if new or updated information is available, submit an updated PIR within 72 hours of the discovery. The updated PIR shall include all of the information marked with an asterisk, and all other applicable information listed on the form, to the extent known at that time. 12 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ C. Complete Report. If all of the required information was not included in either the initial report, or the investigation report, then a separate complete report must be submitted within ten working days of the discovery. The Complete Report of the investigation shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If DHCS requests information in addition to that listed on the PIR, the County Department shall make reasonable efforts to provide DHCS with such information. If necessary, a Supplemental Report may be used to submit revised or additional information after the Completed Report is submitted, by submitting the revised or additional information on an updated PIR. DHCS will review and approve or disapprove the determination of whether a breach occurred, and if individual notifications and corrective action plans are required. D. Notification of Individuals. When applicable state or federal law requires DHCS to notify individuals of a breach or unauthorized disclosure of their Medi-Cal Pll, the following provisions apply: If the cause of the breach is attributable to the County Department or its subcontractors, agents or vendors, the County Department shall pay any costs of such notifications, as well as any and all costs associated with the breach. The notifications shall comply with the requirements set forth in California Civil Code Section 1798.29, and 42 U.S.C. section 17932, and its implementing regulations, including but not limited to the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days. The DHCS Privacy Office shall approve the time, manner and content of any such notifications and their review and approval must be obtained before notifications are made. DHCS may elect to assign responsibility for such notification to the County Department. In the event DHCS assigns notification responsibility to the County Department, DHCS shall provide the County Department with the appropriate direction and procedures to ensure notice is provided pursuant to applicable law. If the cause of the breach is attributable to DHCS, DHCS shall pay any costs associated with such notifications. If there is any question as to whether DHCS or the County Department is responsible for the breach, DHCS and the County Department shall jointly determine responsibility for purposes of allocating the costs of such notices. E. Responsibility for Reporting of Breaches when Required by State or Federal Law. If the cause of a breach of Medi-Cal Pll is attributable to the County Department or its agents, subcontractors or vendors, the County Department is responsible for reporting the breach and all costs associated with the breach. If the cause of the breach is attributable to DHCS, DHCS is responsible for reporting the breach and for all costs associated with the 13 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ breach. When applicable law requires the breach be reported to a federal or state agency or that notice be given to media outlets, DHCS and the County Department shall coordinate to ensure such reporting is in compliance with applicable law and to prevent duplicate reporting, and to jointly determine responsibility for purposes of allocating the costs of such reports, if any . F. DHCS Contact Information . To direct communications to the above referenced DHCS staff, the County Department shall initiate contact as indicated herein. DHCS reserves the right to make changes to the contact information below by giving written notice to the County Department. Said changes shall not require an amendment to this Agreement to which it is incorporated. DHCS Privacy Office DHCS Information Security Offi ce DHCS Privacy Office DHCS Information Security Office c/o : Office of HIPAA Compliance MS 6400 MS 4722 P .O. Box 997413 P.O. Box 997413 Sacramento, CA 95899-741 3 Sacramento, CA 95899-741 3 Email: 12rivacyofficer@dh cs.ca.go Email : Y. iso@dhcs.c a.gov Telephone : Telephone: (916) 445-4646 or EITS Service Desk (866) 866 -0602 (916) 440-7000 or (800) 579-087 4 XI. COMPLIANCE WITH SSA AGREEMENT The County Department agrees to comply with substantive privacy and security requirements in the Computer Matching and Privacy Protection Act Agreement between the SSA and the California Health and Human Services Agency (CHHS) and in the Agreement between SSA and DHCS , known as the Information Exchange Agreement (IEA), which are appended and hereby incorporated in to this Agreement (Exhibit A). The specific sections of the IEA with substantive privacy and security requirements, which are to be complied with by the County Department are in the following sections : E, Security Procedures; F, Contractor/Agent Responsibilities; G, Safeguarding and Reporting Responsibilities for Pll, and in Attachment 4, Electronic Information Exchange Security Require m e nts and Procedures for State and Local Agenci es 14 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ Exchanging Electronic Information with SSA. If there is any conflict between a privacy and security standard in these sections of the IEA and a standard in this Agreement, the most stringent standard shall apply. The most stringent standard means the standard which provides the greatest protection to Medi- cal Pll. If SSA changes the terms of its agreement(s) with DHCS, DHCS will, as soon as reasonably possible after receipt, supply copies to CWDA as well as the DHCS proposed target date for compliance. For a period of 30 days, DHCS will accept input from CWDA on the proposed target date and make adjustments, if appropriate. After the 30 day period, DHCS will submit the proposed target date to SSA, which will be subject to adjustment by SSA. Once a target date for compliance is determined by SSA, DHCS will supply copies of the changed agreement to the CWDA and the Counties, along with the compliance date expected by SSA. If a County is not able to meet the SSA compliance date, it must submit Corrective Action Plan (CAP) to DHCS for review and approval at least 30 days prior to the SSA compliance date. Any potential County resource issues may be discussed with DHCS through a collaborative process in developing their CAP . XII. COMPLIANCE WITH DEPARTMENT OF HOMELAND SECURITY AGREEMENT The County Department agrees to comply with substantive privacy and security requirements in the Computer Matching Agreement (CMA) Between the Department of Homeland Security, United States Citizenship and Immigration Services (DHS-USCIS) and the California Department of Health Care Services (CA-DHCS), known as the CMA, which is appended and hereby incorporated in to this Agreement (Exhibit B). If there is any conflict between a privacy and security standard in the CMA and a standard in this Agreement, the most stringent standard shall apply. The most stringent standard means the standard which provides the greatest protection to Medi-Cal Pll. If DHS-USCIS changes the terms of its ag reement(s) with DHCS, DHCS will , as soon as reasonably possible after receipt, supply copies to CWDA as well as the DHCS proposed target date for compliance . For a period of 30 days, DHCS will accept input from CWDA on the proposed target date and make adjustments , if appropriate. After the 30 day period , DHCS will submit the proposed target date to DHS-USCIS, which will be subject to adjustment by DHS -USCIS . Once a target date for compliance is determined by DHS -USCIS, DHCS will supply copies of the changed agreement to the CWDA and the Counties, along with the compliance date expected by DHS-USCIS . If a County is not able to meet the DHS-USCIS compliance date, it must submit Corrective Action Plan (CAP) to DHCS for review and approval at least 30 days prior to the DHS-USCIS compliance date. Any potential County resource issues may be discussed with DHCS through a collaborative process in developing their CAP . 15 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ XIII. COUNTY DEPARTMENT'S AGENTS AND SUBCONTRACTORS The County Department agrees to enter into written agreements with any agents, including subcontractors and vendors, to whom County Department provides Medi-Cal Pll received from or created or received by County Department in performing functions or activities related to the administration of Medi-Cal that impose the same restrictions and conditions on such agents, subcontractors and vendors that apply to the County Department with respect to Medi-Cal Pll, including restrictions on disclosure of Medi-Cal Pll and the use of appropriate administrative, physical, and technical safeguards to protect such Medi-Cal Pll. The County Department shall incorporate, when applicable , the relevant provisions of this Agreement into each subcontract or subaward to such agents , subcontractors and vendors , including the requirement that any breach , security incident, intrusion , or unauthorized access , use, or disclosure of Medi-Cal Pll be reported to the County Department. XIV . ASSESSMENTS AND REVIEWS In order to enforce this Agreement and ensure compli ance with its provisions, the County Department agrees to allow DHCS to inspect the facilities , systems, books, and records of the County Department, with reasonable notice from DHCS , in order to perform assessments and reviews. Such inspections shall be scheduled at times that take into account the operational and staffing demands . The County Department agrees to promptly remedy any violation of any provision of this Agreement and certify the same to the DHCS Privacy Office and DHCS Information Security Office in writing, or to enter into a written corrective action plan with DHCS containing deadlines for achieving compliance with specific provisions of this Agreement. XV. ASSISTANCE IN LITIGATION OR ADMINISTRATIVE PROCEEDINGS In the event of litigation or administrative proceedings involving DHCS based upon claimed violations by the County Department of the privacy or security of Medi-Cal Pll, or federal or state laws or agreements concerning privacy or security of Medi-Cal Pll , the County Department shall make all reasonable effort to make itself and County Workers assisting in the administration of Medi-Cal and using or disclosing Medi-Cal Pll available to DHCS at no cost to DHCS to testify as witnesses . DHCS shall also make all reasonable efforts to make itself and any subcontractors, agents, and employees available to the County Department at no cost to the County Department to testify as witnesses, in the event of litigation or administrative proceed ings involving the County Department based upon claimed violations by DHCS of the privacy or security of Medi-Cal Pll, or state or federal laws or agreements concerning privacy or security of Medi-Cal Pll. 16 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -...!.£...._ XVI. AMENDMENT OF AGREEMENT DHCS and the County Department acknowledge that federal and state laws relating to data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. Upon request by DHCS, the County Department agrees to promptly enter into negotiations concerning an amendment to this Agreement as may be needed by developments in federal and state laws and regulations. DHCS may terminate this Agreement upon thirty (30) days written notice if the County Department does not promptly enter into negotiations to amend this Agreement when requested to do so, or does not enter into an amendment that DHCS deems necessary. XVII. TERMINATION This Agreement shall terminate on September 1, 2019, regardless of the date the Agreement is executed by the parties. The parties can agree in writing to extend the term of the Agreement ; county requests for an extension must be justified to and accepted by DHCS and limited to no more than a three-month extension. Such an extension may, upon county request and DHCS approval, be renewed for one additional three month period . Regardless of the extension status, all provisions of this Agreement that provide restrictions on disclosures of Medi-Cal Pll and that provide administrative, technical, and physical safeguards for the Medi-Cal Pll in the County Department's possession shall continue in effect beyond the termination of the Agreement, and shall continue until the Medi-Cal Pll is destroyed or returned to DHCS. XVIII. TERMINATION FOR CAUSE Upon DHCS' knowledge of a material breach or violation of this Agreement by the County Department, DHCS may provide an opportunity for the County Department to cure the breach or end the violation and may terminate this Agreement if the County Department does not cure the breach or end the violation within the time specified by DHCS. This Agreement may be terminated immediately by DHCS if the County Department has breached a material term and DHCS determines, in its sole discretion, that cure is not possible or available under the circumstances. Upon termination of this Agreement, the County Department must destroy all Pll in accordance with Section VII, above. The provisions of this Agreement governing the privacy and security of the Pll shall remain in effect until all Pll is destroyed and DHCS receives a certificate of destruction. 17 MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16 -..!£__ XIX. SIGNATORIES The signatories below warrant and represent that they have the competent authority on behalf of their respective agencies to enter into the obligations set forth in this Agreement. The authorized officials whose signatures appear below have committed their respective agencies to the terms of this Agreement. The contract is effective on the day the final signature is obtained. For the County of_F_re_s_n_o _____ Department of _S_o_c_i_a_I _s_e_rv_ic_e_s __ _ E: ~~~ (Signature) Ernest Buddy Mendes (Name) For the Department of Health Care Services, Jennifer Kent (Name) 18 (Date) Chairman, Board of Supervisors (Title) ATTEST: 12.. (2..'1 / l(o (Date) ' Director (Title) MEDI-CAL PRIVACY & SECURITY AGREEMENT NO .: 16 -~ Exhibit A Computer Matching and Privacy Protection Act Agreement between SSA and CHHS, and Information Exchange Agreement between SSA and DHCS with Attachment "Electronic Information Exchange Security Requirements for State and Local Agencies Exchanging Electronic Information with SSA." These are sensitive documents that are provided separately to the County's privacy and security officer. Exhibit B Computer Matching Agreement between the Department of Homeland Security, United States Citizenship and Immigration Services (DHS-USCIS) and The California Department of Health Care Services (CA-DHCS). This is a sensitive document that is provided separately to the County's privacy and security officer. 19 1 IN WITNESS WHEREOF, the parties hereto have executed this Agreement. 2 ATTEST: 3 COUNTY OF FRESNO 4 5 BERNICE E. SEIDEL, Clerk Board of Supervisors 6 7 8 By See page 18 for Attestation 9 APPROVED AS TO LEGAL FORM: 10 DANIEL C. CEDERBORG, COUNTY COUNSEL 11 12 13 14 15 16 18 19 20 21 22 23 24 25 26 27 28 (~f/},~. '//" ./ /1 // B~ll t 1,t l . Ai/PROVED AS TO ACCO iG FORM: VICKI CROW , C.P.A., AUDITOR-CONTROLLER/ TREASURER-TAX COLLECTOR REVIEWED AND RECOMMENDED FOR APPROVAL: Fund/Subclass: NIA Organization: 5610700 l Account/Program: NIA DEN:jk -2 0 -Fr e s no , CA