HomeMy WebLinkAboutAgreement A-17-467-1 with CDPH.pdfSTD 213A County of Fresno
Page 2 16-10370, A01
III.Exhibit A – Scope of Work, is replaced in its entirety with Exhibit A, A01 – Scope of Work.
All references to Exhibit A – Scope of Work in this agreement and any exhibits hereto shall hereinafter be deemed
to read Exhibit A, A01 – Scope of Work.
IV.Exhibit A, Attachment I – Definitions of Terms, is replaced in its entirety with Exhibit A, Attachment I, A01 –
Definitions of Terms.
All references to Exhibit A, Attachment I – Definitions of Terms, in this agreement and any exhibits hereto shall
hereinafter be deemed to read Exhibit A, Attachment I, A01 – Definitions of Terms.
V.Exhibit B – Budget Detail and Payment Provisions, is replaced in its entirety with Exhibit B, A01 – Budget Detail
and Payment Provisions.
All references to Exhibit B – Budget Detail and Payment Provisions, in this agreement and any exhibits hereto
shall hereinafter be deemed to read Exhibit B, A01 – Budget Detail and Payment Provisions.
VI.Exhibit D – HIPAA Business Associate Addendum, is replaced in its entirety with Exhibit D, A01 – HIPAA
Business Associate Addendum.
All references to Exhibit D – HIPAA Business Associate Addendum, in this agreement and any exhibits hereto
shall hereinafter be deemed to read Exhibit D, A01 – HIPAA Business Associate Addendum.
VII.Exhibit F – Security Requirements, Protections, and Confidentiality Checklist, is replaced in its entirety with Exhibit
F, A01 - Security Requirements, Protections, and Confidentiality Checklist.
All references to Exhibit F– Security Requirements, Protections, and Confidentiality Checklist, in this agreement
and any exhibits hereto shall hereinafter be deemed to read Exhibit F, A01 – Security Requirements, Protections,
and Confidentiality Checklist.
VIII.Exhibit G – Sample - Plan for Transporting Confidential ADAP Client Files POLICY & PROCEDURE, is replaced
in its entirety with Exhibit G, A01 – Plan for Transporting Confidential ADAP Client Files.
All references to Exhibit G – Sample - Plan for Transporting Confidential ADAP Client Files POLICY &
PROCEDURE, in this agreement and any exhibits hereto shall hereinafter be deemed to read Exhibit G, A01 –
Plan for Transporting Confidential ADAP Client Files.
County of Fresno
16-10370, A01
Page 1 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
1.Service Overview
California Health and Safety Code (HSC) §131019 designates the California Department
of Public Health (CDPH), Center for Infectious Diseases, Office of AIDS (OA) as the lead
agency within the state responsible for coordinating state programs, services and
activities related to Human Immunodeficiency Virus (HIV) and Acquired
Immunodeficiency Syndrome (AIDS).
The Contractor agrees to provide CDPH/OA, the services described herein for the
provision of the AIDS Drug Assistance Program (ADAP) and Pre-Exposure Prophylaxis
Assistance Program (PrEP-AP) enrollment services, which includes the ADAP
Medication Program and Health Insurance Assistance Programs, and OA’s PrEP-AP.
This contract agreement will be in effect for four consecutive fiscal years (FY) beginning
in FY 2016-17 through FY 2019-20 (July 1, 2016 – June 30, 2020).
Refer to Exhibit A-I “Definitions of Terms” to review definitions of acronyms and other
contract related terms and references.
2.Service Location
The services shall be performed at the County of Fresno Department of Public Health,
located at 1221 Fulton Street, Fresno, CA 93721.
3.Service Hours
The services shall be provided during normal Contractor working hours as defined by the
enrollment site.
4.Project Representatives
A.The project representatives during the term of this agreement will be:
California Department of Public Health
Sandra Robinson, Branch Chief
Telephone: (916) 449-5942
Fax: (916) 449-5859
Email: Sandra.Robinson@cdph.ca.gov
County of Fresno
Sal Quintero, Chairman
Telephone: (559) 600-3000
Fax: (559) 600-1609
Email: district3@co.fresno.ca.us
County of Fresno
16-10370, A01
Page 2 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
B. Direct all inquiries to:
California Department of Public Health
P.O. Box 997426, MS 7704
Sacramento, CA 95899-7426
ADAP Call Center
Hours: Monday – Friday 8 a.m. to 5 p.m.
Telephone: (844) 421-7050
Fax: (844) 421-8008
PrEP-AP Contact
Cynthia Reed-Aguayo
Telephone: (916) 449-5791
Fax: (916) 449-5859
Email: Cynthia.Reed-Aguayo@cdph.ca.gov
County of Fresno
1221 Fulton Street
Fresno, CA 93721
Site Contact
Stephanie Garcia, Program Supervisor
Telephone: (559) 600-3434
Fax: (559) 600-7601
Email: stephaniegarcia@co.fresno.ca.us
C. Either party may make changes to the information above by giving written notice to
the other party. Said changes shall not require an amendment to this agreement.
County of Fresno
16-10370, A01
Page 3 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
5.Services to be Performed
A)Major Function, Task and Activities
The Contractor shall:
Enrollment Site Requirements: Time Line Responsible
Party
Performance Measure and/or
Deliverables
A.1. ADAP ES Contact Requirement:
Maintain an ADAP Enrollment Site (ES) Contact to ensure
compliance with the requirements of this contract agreement on
behalf of the ADAP ES and facilitate required information
exchange between the ES, CDPH/OA/ADAP, and
CDPH/OA/ADAP’s contracted CDPH/OA/ADAP Enrollment
System (AES).
Throughout the
life of the
contract.
Authorized Site
Administrator
ADAP Site Contact Name and contact
information must be identified in Section
4B. Provide written notice to the
assigned ADAP Advisor/PrEP-AP
Advisor immediately of any changes to
the ADAP ES Contact.
A.2. Nondiscrimination Requirements:
Comply with the provisions as stated in Exhibit H,
“Nondiscrimination Clause” (STD 17A).” The ADAP ES shall not
unlawfully discriminate against any employee or applicant for
employment because of race, religion, color, national origin,
ancestry, physical handicap, medical condition, marital status,
age, sex, or sexual orientation.
Must be
maintained
through the life
of the contract.
Authorized Site
Administrator/
Agency’s EEO
Officer
Authorized Site Administrator and/or
EEO Officer Name and contact
information must be identified in Section
4A.
County of Fresno
16-10370, A01
Page 4 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.3. Information Privacy and Security Requirements:
All personnel conducting ADAP/PrEP-AP enrollment services
must abide by all applicable laws and CDPH/OA/ADAP and
PrEP-AP guidelines regarding confidentiality of ADAP and PrEP-
AP client eligibility files and protected health information when
accessing or submitting client data.
Must be
maintained
through the life
of the contract.
i.Ensure compliance with the provisions as stated in
Exhibit D, “HIPAA Business Associate Addendum (CDPH
HIPAA BAA 6-16).
ii.Ensure that all EWs employed by or volunteering at the
ES are issued/assigned an Agency email address.
*To ensure client confidentiality, ADAP EWs are prohibited
from using a personal email address (i.e. gmail, yahoo, etc.)
for ADAP related correspondence.
Contractor
shall also
continue to
extend the
protections of
these
provisions to
protected
health
information
upon
termination or
expiration of
the agreement
until its return
or destruction.
At the time of
ADAP EW
activation and
throughout the
life of the
contract.
ADAP ES
Contact
Authorized Site
Administrator/
Site Contact
Notify the assigned ADAP or PrEP-AP
Advisor immediately by phone call plus
email or fax when a potential breach has
occurred. EWs may be deactivated if
more than two potential breaches occur
within a calendar year. ESs may also be
deactivated if potential breaches are
committed by more than two EWs in a
calendar year.
Verified when ADAP Enrollment
Worker(s) (EWs) email address is
provided to the assigned
CDPH/OA/ADAP Advisor.
County of Fresno
16-10370, A01
Page 5 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
•Ensure compliance with the provisions as stated in
“Exhibit E, “Notice of Privacy Practices”, and ensure
that the notice is posted at the ES.
•Review and sign the “Agreement by
Employee/Contractor to Comply with Confidentiality
Requirements (CDPH 8689)” form (Exhibit I).
•Ensure that only certified ADAP EWs have access to
ADAP client eligibility file information, unless
otherwise authorized by law. Please refer to the
following ADAP Confidentiality tables located under
the Information flow charts for Community-Based
Organizations, Health Care Provider, and Local Public
Health Departments that pertains to your ADAP ES:
https://www.cdph.ca.gov/Programs/CID/DOA/Pages/
OA_adap_resourcespage.aspx
Must be
maintained
through the life
of the contract.
Annually.
ADAP ES
Contact
ADAP ES
Contact and
ADAP EW(s)
Indicate compliance on the “Security
Requirements, Protections, and
Confidentiality Checklist”, Exhibit F.
Submit completed CDPH Form 8689
form via the AES.
iii.EWs are required to ask a minimum of three security
questions when confirming client identity from an
incoming phone call prior to disclosing any PHI.
iv.EWs are prohibited from disclosing and must employ
reasonable measures to protect their EW ID, AES
password, or any other identifier/passcode which may
compromise client confidentiality.
Must be
maintained
through the life
of the contract.
ADAP ES
Contact and
ADAP EW(s)
Notify the assigned ADAP Advisor
immediately when a potential breach has
occurred.
County of Fresno
16-10370, A01
Page 6 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.4. ADAP ES Information Technology/Equipment
Requirements:
i.Ensure internet access and equipment and the ability to
scan and upload the ADAP/PrEP-AP applicant/client
eligibility documents to the AES secure enrollment
system.
By the go-live
date and to be
maintained
through the life
of the contract.
Authorized Site
Administrator
and ADAP ES
Contact
All client enrollments must occur
electronically via the AES secure
enrollment system.
ii.Only desktop computers are to be used to conduct ADAP
enrollment services. The use of laptop computers or
other hand held electronic devices are strictly prohibited
for use in ADAP/PrEP-AP client enrollment.
By the go-live
date and to be
maintained
through the life
of the contract.
ADAP ES
Contact
Indicate compliance on the “Security
Requirements, Protections, and
Confidentiality Checklist”, Exhibit F.
iii.Ensure fax machines and CDPH/OA/ADAP fax/scanners
are used to upload and submit ADAP/PrEP-AP
applications or receive correspondence which may
include confidential client information are located in a
secure area.
By the go-live
date and to be
maintained
through the life
of the contract.
ADAP ES
Contact
Indicate compliance on the “Security
Requirements, Protections, and
Confidentiality Checklist”, Exhibit F.
A.5. Quality Requirements
i.In order to ensure adequate service capacity and to maintain
a high degree of customer service, enrollment sites are
required to be adequately staffed to provide assistance to
clients via in-person appointments, secure e-mails, or over
the telephone within a reasonable time frame. Capacity
assessments should be constructed from reasonable
projections based on historical enrollments.
To be
maintained
throughout the
life of the
contract.
Authorized Site
Administrator
and ADAP ES
Contact
Failure to maintain adequate service
levels may result in OA transitioning
clients to neighboring enrollment sites.
EWs/ESs whom are continuously
unresponsive may be deactivated and
precluded from performing ADAP
enrollment services.
County of Fresno
16-10370, A01
Page 7 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
ii.ADAP EWs and ESs will be held to quality standards and
metrics. Please reference the ADAP Resource page found
here
https://www.cdph.ca.gov/Programs/CID/DOA/Pages/OA_ad
ap_resourcespage.aspx for current year Quality
Performance Metrics. EWs are required to maintain an
enrollment performance level of at least 95 percent
accuracy for ADAP/PrEP-AP eligibility documentation and
enrollment. ESs are required to maintain a minimum
performance level of 90 percent.
CDPH/OA/ADAP will conduct secondary review on ADAP
applications and a random sample size of PrEP applications.
Applications with errors will be considered defective and will
count against the performance level of the ADAP EW/ES.
ADAP EW/ES quality will be factored by dividing the number
of defective applications by the total number of applications
processed.
To be
maintained
through the life
of the contract.
Authorized Site
Administrator
and ADAP ES
Contact
CDPH/OA/ADAP will continuously
monitor performance levels throughout
the life of the contract. The first year
following the deployment of the AES will
serve as a transition period during which
OA will concentrate on evaluation and
providing technical assistance.
If after the first quarter following the initial
one year transition period, an ADAP
EW(s)/ES has an error rate that exceeds
the quality standard, the Site Contact
must submit a Corrective Action Plan to
the ADAP and/or PrEP Advisor for
approval within 30 days of the finding.
If an ADAP EW(s)/ ES remains deficient
for a second consecutive quarter,
CDPH/OA/ADAP may suspend the
EW(s)/ES for inaccurate ADAP/PrEP-AP
applications processed during the
quarter.
If an ADAP EW(s)/ES remains deficient
for a third consecutive quarter, the
EW(s)/ES may be deactivated and will
no longer be allowed to perform
ADAP/PrEP-AP enrollment.
County of Fresno
16-10370, A01
Page 8 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.6. Conduct Requirements:
ADAP EWs are required to conduct themselves with a high
degree of professionalism and integrity. Site Contacts are
required to ensure that no ADAP EW is employed by, nor
receives any financial compensation (including gifts or any other
type of incentive) from a participating ADAP pharmacy and that
no ADAP/PrEP-AP client enrollment is conducted at any
participating ADAP pharmacy location.
Additional examples of misconduct include, but are not limited to:
i.Knowingly and willfully enrolling clients with inaccurate or
false documentation.*
ii.Insubordination and/or non-compliance with
CDPH/OA/ADAP staff requests.
iii.Verbally abusive or use of derogatory language.
iv.Unresponsive to CDPH/OA/ADAP staff and/or client
inquiries.
v.Conducting unauthorized off-site ADAP/PrEP-AP enrollment.
vi.Transporting files without having a transportation plan
approved by CDPH/OA/ADAP staff.
vii.Violating or otherwise not adhering to any requirement
stipulated in this scope of work.
*Knowingly providing inaccurate or false documentation may be
in violation of various Penal Code laws and may be subject to
violations of the California False Claims Act, which prohibits any
person or entity from knowingly making or using a false
statement or document to obtain money, property, or services
from the State. (See California Government Code section 12650
et. seq.)
To be
maintained
through the life
of the contract.
ADAP ES
Contact and
EW (s)
Notify the ADAP/PrEP-AP Advisor when
instances of misconduct are identified.
Site Contacts may be required to submit
a Corrective Action Plan.
CDPH/OA/ADAP staff to address
occurrences of misconduct.
EWs who engage in misconduct may be
subject to temporary or permanent
suspension of ADAP EW status.
County of Fresno
16-10370, A01
Page 9 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.7. Training and Technical Assistance Requirements:
i.Ensure all new ADAP EWs have successfully completed new
ADAP EW training provided by CDPH/OA/ADAP prior to
enrolling or re-certifying ADAP/PrEP-AP clients.
ii.Ensure all existing and new enrollment workers complete
training on the AES.
To be
maintained
through the life
of the contract.
ADAP ES
Contact
Report to the assigned ADAP/PrEP-AP
Advisor, site staff who will be registering
for required ADAP EW trainings.
iii.Ensure compliance with the requirements written in the
ADAP “California State ADAP Guidelines,” “California State
PrEP-AP Guidelines” and ADAP Management Memos.
To be
maintained
through the life
of the contract.
ADAP ES
Contact and
ADAP EW(s)
iv.Ensure existing ADAP EWs maintain active status by
participating in required annual recertifying ADAP EW
trainings and/or other required ad hoc trainings provided by
CDPH/OA/ADAP in order to maintain ADAP certification to
continue conducting ADAP/PrEP-AP enrollment functions.
To be
maintained
through the life
of the contract.
ADAP ES
Contact
Notify ADAP EWs to recertify 30 days
prior to the recertification end date.
v.Ensure the ADAP ES has representation/participation on
all monthly CDPH/OA ADAP EW calls.
Monthly
through the life
of the contract.
ADAP ES
Contact
Must ensure ADAP ES participation for
90 percent of these calls. Must contact
the ADAP Advisor, if unable to
participate on a call to discuss the topics
covered.
County of Fresno
16-10370, A01
Page 10 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.8. ADAP Enrollment Tracking Requirements:
i.Ensure all ADAP EWs are identified and have a site
specific ADAP EW ID number issued by the
CDPH/OA/ADAP AES.
To be
maintained
through the life
of the contract.
ADAP ES
Contact
This site specific ADAP EW ID number
may only be used by the ADAP EW to
whom it is assigned for enrollment
activities at this site.
ii.Report any changes in site specific ADAP EWs’ status
(e.g., job duties, relocation, separation, etc.) that will alter
the ADAP EW(s) ability to enroll clients, including the de-
activation of any ADAP EW ID numbers.
Within 24
hours of the
change.
ADAP ES
Contact
Report addition/deletion/changes to
ADAP EW(s) to the CDPH/OA/ADAP
EBM and/or the assigned ADAP/PrEP-
AP Advisor.
A.9. Transportation Plan Requirements:
Ensure that no ADAP/PrEP-AP client eligibility documentation,
records, files, etc., will be transported to or from the ADAP ES.
To be
maintained
through the life
of the contract.
ADAP ES
Contact
See “Plan for Transporting Confidential
ADAP Client Files”, Exhibit G.
Exception to this restriction may be approved by CDPH/OA for
the following reasons:
i.Client disability; or,
ii.Remote distance requires ADAP EW to meet with client
outside of the ADAP ES; or,
iii.The entire ADAP ES is moving to a new address/location.
Ensure that no ADAP/PrEP-AP client enrollment files will be
transported until CDPH/OA/ADAP provides written approval of
the site’s specific transportation plan.
30 days prior
to the need for
transporting
any ADAP
client
enrollment
documents/
files.
ADAP ES
Contact
Submit a written request to the assigned
ADAP/PrEP-AP Advisor which justifies
the necessity for transporting ADAP or
PrEP-AP client enrollment
document/files. The request must also
identify the specific procedure to be
followed to safeguard the confidentiality
of the ADAP/PrEP-AP client documents
being transported, as well as who will be
responsible/accountable for site’s
specific procedure(s). See “Plan for
Transporting Confidential ADAP Client
Files”, Exhibit G.
County of Fresno
16-10370, A01
Page 11 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.10. Administrative Requirements
i.Notify the assigned ADAP Advisor if the site wishes to
change from an open site (one which serves any
individual who wishes to enroll) to a closed site (one
which serves only agency-affiliated individuals) or vice
versa.
ii.Notify the assigned ADAP/PrEP-AP Advisor if the site
plans to no longer provide ADAP/PrEP-AP enrollment
services.
Provide at
least 30-days’
notice for the
requested
change of
status.
Within at least
60 days of the
site
deactivation
date.
ADAP ES
Contact
ADAP ES
Contact/
Authorized
Agency
Administrator
Written Request required (may be
submitted by email) to ADAP/PrEP-AP
Advisor.
Written Notification required (may be
submitted by email) and submission of
an ADAP/PrEP-AP transportation plan to
the site’s designated ADAP Advisor
assuring the secure transfer of hard copy
ADAP/PrEP-AP client files. See page 1,
item 1) Service Overview, paragraph 3.
A.11. ADAP Fiscal Requirements
i.Ensure ADAP funds are used exclusively to cover costs
related to ADAP in accordance with Health and Safety
Code §120956(b).
ii.Ensure compliance with the federal HRSA Ryan White
HIV/AIDS Program requirements, polices, and National
Monitoring Standards.
iii.Ensure funds received from OA are not used for
unallowable expenses as defined by the Ryan White
National Monitoring Standards.
To be
maintained
through the life
of the contract.
Within five
business days
of request.
ADAP ES
Contact/
Authorized
Agency
Administrator
Within five business days, upon request,
submit to OA for review budget and
expense reports with sufficient detail to
ensure compliance with section A.11.
In the event of an audit or upon request
by CDPH, ESs must be able to
adequately show that these contractual
requirements have been met.
County of Fresno
16-10370, A01
Page 12 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.12. PrEP Fiscal Requirements
i.Ryan White funds are prohibited for the use of PrEP
enrollment services.
ii.EWs who conduct PrEP enrollment are precluded from
being 100 percent funded by Ryan White funds.
To be
maintained
through the life
of the contract.
Within five
business days.
ADAP ES
Contact/
Authorized
Agency
Administrator
Within 15 business days, upon request,
ESs are required to submit
documentation of all EWs performing
PrEP enrollment with a budget detail
indicating how each EW is funded.
A.13. Auditing Requirements
i.Facilitate CDPH/OA/ADAP site visit requests, including
but not limited to receiving or providing required
documentation/information as requested by the assigned
ADAP/PrEP-AP Advisor. Act as liaison between the site,
ADAP/PrEP-AP Advisor, ADAP EW(s), and LHJ
Coordinator (if applicable) in activities related to the site
visit.
As needed
during normal
working hours.
ADAP Site
Contact/Author
ized Agency
Administrator
Respond to written notifications and
requests for information initiated by
CDPH/OA/ADAP personnel.
ii.Ensure that CDPH/OA/ADAP staff, authorized
CDPH/OA/ADAP representatives and/or other state and
federal agencies are granted access to all ADAP client
eligibility files and any other documentation related to this
contract agreement for audit purposes.
As needed
during normal
working hours.
Within five
business days.
ADAP Site
Contact/Author
ized Agency
Administrator
Within five business days, respond to
written and in-person requests for ADAP
client files made by CDPH/OA/ADAP
personnel.
iii.Develop and submit required Corrective Action Plan
(CAP) when required based on results of ADAP site
visit/federal or state program audit.
As needed.
ADAP Site
Contact/Author
ized Agency
Administrator
CAP is to be submitted to the assigned
ADAP/PrEP-AP Advisor by the
timeframe identified in the letter
indicating the CAP is required.
County of Fresno
16-10370, A01
Page 13 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
iv.Maintain hard copy ADAP/PrEP-AP client files/records,
created prior to July 1, 2016 for four years (the current
year, plus three prior years)
To be
maintained
through the life
of the contract.
ADAP ES
Contact
As needed, records will be made
available to view within the timeframe
provided by the federal or state auditors.
At contract termination or expiration,
Protected Health Information must be
returned or retained in accordance with
Exhibit D, “HIPAA Business Associate
Addendum (CDPH HIPAA BAA 6-16)”.
A.14. Grievance Requirements
i.Ensure that ADAP/PrEP-AP clients are made aware of,
and have access to, the CDPH/OA/ADAP Grievance
procedures, and form as outlined in the California State
ADAP/PrEP-AP Guidelines.
Upon initial
and annual re-
enrollments of
ADAP clients
and annual re-
enrollment of
PrEP-AP
clients.
ADAP ES
Contact and/or
ADAP/PrEP-
AP EW (s)
CDPH/OA/ADAP will verify, via review of
the ADAP/PrEP-AP Client Satisfaction
Survey.
ii.Upon client request, assist ADAP/PrEP-AP clients in the
completion and submission of an ADAP/PrEP-AP
grievance form and related documents. Assistance may
also include providing the mailing address and contact
information for ADAP/PrEP-AP Advisors and/or other
CDPH/OA/ADAP Contractors, and/or the submission of
the completed grievance form and related documents to
CDPH/OA/ADAP.
As needed.
ADAP/PrEP-
AP ES Contact
and/or
ADAP/PrEP-
AP EW (s)
Notify the assigned ADAP/PrEP-AP
Advisor immediately if assistance is
needed with the CDPH/OA/ADAP/PrEP-
AP grievance process.
County of Fresno
16-10370, A01
Page 14 of 14
Exhibit A
Scope of Work
July 1, 2016 through June 30, 2020
A.15. Performance Requirements
i.Enrollment workers are required to vigorously pursue
enrollment into health care coverage for which clients
may be eligible (e.g., Medicaid, Medicare, employer-
sponsored health insurance coverage, and/or other
private health insurance to comply with federal and state
payer of last resort requirements.
iii.EWs are required to proactively conduct outreach to
clients, by utilizing the AES dashboard to identify clients
who have an eligibility expiration date within 30 days.
EWs must document the client outreach in the case
notes.
To be
maintained
through the life
of the contract.
ADAP ES
Contact and/or
ADAP/PrEP-
AP EW (s)
Upon initial enrollment and annual re-
enrollment. Enrollment workers are
required to assess client’s eligibility for
other third-party coverage based on
eligibility documents provided. All eligible
individuals must apply.
Outreach attempts and any client
interaction as a result of said outreach
must be clearly documented in the client
case notes available through AES.
County of Fresno
16-10370, A01
Page 1 of 2
Exhibit A, Attachment I
Definition of Terms
i.AIDS Drug Assistance Program (ADAP) – Established in 1987 to help ensure that eligible,
HIV positive uninsured and under-insured individuals have access to medication on the
ADAP formulary through the Medication Program and Health Insurance Assistance
Programs. ADAP provides medication, premium payment, and medical out of pocket
payment assistance.
ii.ADAP Advisor – Office of AIDS ADAP staff assigned to a Local Health Jurisdiction or
ADAP Enrollment Site for monitoring and technical assistance.
iii.Enrollment Worker (EW) – Enrollment Site staff certified to provide enrollment services for
ADAP and the Pre-Exposure Prophylaxis Assistance Program (PrEP-AP). EWs will have
access to ADAP/PrEP-AP enrollment data.
iv.Enrollment Site (ES) - A public health department, clinic, community based organization
(CBO), or local government agency where an individual can apply for ADAP or PrEP-AP
services.
v.Enrollment Site Contact – Ensures the requirements of this contract agreement are
adhered to, including but not limited to the participation in monthly EW calls. Act as the
primary contact for OA, the OA service contractors, and Enrollment Site staff.
vi.ADAP Enrollment System (AES) – ADAP’s online system used for enrolling clients in
ADAP and the PrEP-AP.
vii.California Department of Public Health (CDPH) – is the lead agency in California providing
detection, treatment, prevention and surveillance of public health issues.
viii.Closed Site – An enrollment site that only serves applicants/clients associated with their
entity.
ix.Community Based Organization (CBO) – Non-profit 501(3)(c) entities that operate within a
single local community.
x.Fiscal Year (FY) – July 1 through June 30.
xi.Contractor – An approved enrollment site managed by a non-profit organization to provide
ADAP/PrEP-AP enrollment services.
xii.Insurance Benefits Manager (IBM) – Service contractor that manages and processes
health insurance premium payments for clients enrolled in both ADAP’s Medication
Program and Insurance Assistance Programs.
xiii.Local Health Jurisdiction (LHJ) – One of 58 counties and three cities (Pasadena, Long
Beach, and Berkeley) in the state of California.
xiv.Medical Benefits Manager (MBM) – Service contractor that manages and processes
outpatient medical out of pocket payments for clients enrolled in ADAP’s Insurance
County of Fresno
16-10370, A01
Page 2 of 2
Exhibit A, Attachment I
Definition of Terms
Assistance Programs and approved PrEP related medical costs for clients enrolled in the
PrEP-AP.
xv.Office of AIDS (OA) – Has lead responsibility for coordinating state programs, services,
and activities relating to HIV/AIDS as designated by California Health and Safety Code
Section 131019.
xvi.OA Health Insurance Premium Payment (OA-HIPP) – Pays for health insurance premiums
and medical out of pocket costs for eligible clients co-enrolled in ADAP’s Medication
Program.
xvii.OA Medicare Part D Premium Payment Program – Pays for Medicare Part D premiums for
clients co-enrolled in ADAP’s Medication Program.
xviii.Open Site – An enrollment site that serves all CDPH medication assistance
applicants/clients.
xix.Pharmacy Benefits Manager (PBM) – Service contractor administering the ADAP
statewide pharmacy network and providing pharmaceutical services for ADAP and PrEP-
AP clients.
xx.Pre-Exposure Prophylaxis Assistance Program (PrEP) Advisor - Office of AIDS staff
assigned to provide technical assistance associated with PrEP- AP.
xxi.PrEP-AP – PrEP-AP will cover 1) costs for HIV PrEP-related medical services for
uninsured individuals who are enrolled in a drug manufacturer’s PrEP medication
assistance program, and 2) for insured individuals, both of the following: (a) the cost of
medication copays, coinsurance, and deductibles for the prevention of HIV infection after
the individual's insurance is applied and, if eligible, after the drug manufacturer’s
medication assistance program’s contributions are applied, and b) medical copays,
coinsurance, and deductibles for PrEP-related medical services.
County of Fresno
16-10370, A01
Page 1 of 3
Exhibit B
Budget Detail and Payment Provisions
1. Payments
A.In no event shall CDPH/OA/ADAP pay the Contractor for services performed prior to
the commencement date or after the expiration of this Agreement.
B.For services satisfactorily rendered, CDPH/OA/ADAP agrees to compensate the
Contractor for actual services provided in accordance with the amounts specified in
Exhibit B, Section E., Amounts Payable.
C.Payments shall be processed by CDPH/OA/ADAP no later than the end of the
quarter dates noted below.
First Quarter: July 1 – September 30
Payment no later than: November 30
Second Quarter: October 1 – December 31
Payment no later than: February 28
Third Quarter: January 1 – March 31
Payment no later than: May 31
Fourth Quarter: April 1 – June 30
Payment no later than: August 31
(FINAL) Supplemental: July 1 – June 30
Payment no later than: August 31
D.Payments shall:
1)Be calculated based on current ADAP and PrEP-AP client enrollment data as
provided by the ADAP Enrollment System to determine the number of
ADAP/PrEP-AP services provided at each enrollment site.
2)Identify the payment period and/or performance period covered.
3)Itemize ADAP/PrEP-AP services for the payment period in the same level of
detail as indicated in Section E Amounts Payable. Subject to the terms of this
agreement, payment will only be made for those services expressly identified in
this agreement as approved by CDPH/OA/ADAP.
E.Amounts Payable
All ADAP enrollment sites with a minimum of one ADAP or PrEP-AP enrollment per
fiscal year (FY) will receive a floor amount with additional payment(s) per FY for
performing the following ADAP/PrEP-AP services complete with all required forms and
verifying documentation. Enrollment sites will be paid a fee for services performed.
The following documents and any subsequent updates are not attached, but are
incorporated herein and made a part hereof by this reference. CDPH will maintain on
County of Fresno
16-10370, A01
Page 2 of 3
Exhibit B
Budget Detail and Payment Provisions
file, all documents referenced herein and any subsequent updates, as required by
program directives. CDPH shall provide the Contractor with copies of said documents
and any periodic updates thereto, under separate cover.
1)ADAP Resource Page found here:
https://www.cdph.ca.gov/Programs/CID/DOA/Pages/OA_adap_resourcespage.aspx
2.Budget Contingency Clause
A.It is mutually agreed that if the Budget Act of the current year and/or any subsequent
years covered under this Agreement does not appropriate sufficient funds for the
program, this Agreement shall be of no further force and effect. In this event, the
State shall have no liability to pay any funds whatsoever to the Contractor, or to
furnish any other considerations under this Agreement and Contractor shall not be
obligated to perform any provisions of this Agreement.
B.If funding for any FY is reduced or deleted by the Budget Act for purposes of this
program, the State shall have the option to either cancel this Agreement with no
liability occurring to the State, or offer an agreement amendment to the Contractor to
reflect the reduced amount.
C.In the event of early termination or cancellation, the Contractor shall be entitled to
compensation for services performed satisfactorily under this agreement and
expenses incurred up to the date of termination or cancellation and any non-
cancelable obligations incurred in support of this agreement.
3.Prompt Payment Clause
Payment will be made in accordance with, and within the time specified in, Government
Code Chapter 4.5, commencing with Section 927.
4.Timely Final Payment
A.Final payment shall be processed no more than sixty (60) calendar days following
the expiration or termination date of this agreement, unless a later or alternate
deadline is agreed to in writing by the program contract manager.
B.CDPH/OA/ADAP shall make payment to the Contractor quarterly in arrears for costs
associated with the provision of ADAP enrollment services at the ADAP Enrollment
Site in the local health jurisdiction (LHJ), under this contract agreement. Payment to
the Contractor will be contingent upon receipt and execution of this contract
agreement and the provision of ADAP/PrEP-AP enrollment services (as verified by
CDPH/OA/ADAP through the AES data).
C.This contract agreement is subject to any additional restrictions, limitations, or
conditions enacted by the Congress or the State Legislature, which may affect the
provisions, terms, or funding of this contract agreement in any manner.
County of Fresno
16-10370, A01
Page 3 of 3
Exhibit B
Budget Detail and Payment Provisions
5.Recovery of Overpayments
A.Contractor agrees that payments based upon the terms of this agreement or an audit
finding and/or an audit finding that is appealed and upheld, will be recovered by
CDPH/OA/ADAP by CDPH/OA/ADAP withholding payments or withholding a portion
of payment for services performed until the amount of overpayment has been
resolved.
If the Contractor has filed a valid appeal regarding the report of audit findings, recovery
of the overpayments will be deferred until a final administrative decision on the appeal
has been reached.
County of Fresno
16-10370, A01
Page 1 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
I.Recitals
A.The underlying contract (Agreement), to which this HIPAA Business Associate Addendum is attached
to and made a part of, has been determined to constitute a business associate relationship under the
Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health
Information Technology for Economic and Clinical Health Act, Public Law 111-005 ('the HITECH Act"),
42 U.S.C. section 17921 et seq., and their implementing privacy and security regulations at 45 CFR
Parts 160 and 164 (“the HIPAA regulations”).
B.The Department of Public Health (“CDPH”) wishes to disclose to Business Associate certain
information pursuant to the terms of the Agreement, some of which may constitute Protected Health
Information (“PHI”), including protected health information in electronic media (“ePHI”), under federal
law, and personal information ("PI") under state law.
C.As set forth in the Agreement, Contractor, here and after, is the Business Associate of CDPH acting on
CDPH' behalf and provides services, arranges, performs or assists in the performance of functions or
activities on behalf of CDPH and creates, receives, maintains, transmits, uses or discloses PHI and PI.
CDPH and Business Associate are each a party to the Agreement and are collectively referred to as
the "parties.”
D.The purpose of this Addendum is to protect the privacy and security of the PHI and PI that may be
created, received, maintained, transmitted, used or disclosed pursuant to the Agreement, and to
comply with certain standards and requirements of HIPAA, the HITECH Act and the HIPAA regulations,
including, but not limited to, the requirement that CDPH must enter into a contract containing specific
requirements with Contractor prior to the disclosure of PHI to Contractor, as set forth in 45 CFR Parts
160 and 164 and the HITECH Act.
E.The terms used in this Addendum, but not otherwise defined, shall have the same meanings as those
terms have in the HIPAA regulations. Any reference to statutory or regulatory language shall be to
such language as in effect or as amended.
II.Definitions
A.Breach shall have the meaning given to such term under HIPAA, the HITECH Act, and the HIPAA
regulations.
B.Business Associate shall have the meaning given to such term under HIPAA, the HITECH Act, and the
HIPAA regulations.
C.Covered Entity shall have the meaning given to such term under HIPAA, the HITECH Act, and the
HIPAA regulations.
D.Electronic Health Record shall have the meaning given to such term in the HITECH Act, including, but
not limited to, 42 U.S.C Section 17921 and implementing regulations.
E.Electronic Protected Health Information (ePHI) means individually identifiable health information
transmitted by electronic media or maintained in electronic media, including but not limited to electronic
media as set forth under 45 CFR section 160.103.
F.Individually Identifiable Health Information means health information, including demographic information
collected from an individual, that is created or received by a health care provider, health plan, employer
County of Fresno
16-10370, A01
Page 2 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
or health care clearinghouse, and relates to the past, present or future physical or mental health or
condition of an individual, the provision of health care to an individual, or the past, present, or future
payment for the provision of health care to an individual, that identifies the individual or where there is a
reasonable basis to believe the information can be used to identify the individual, as set forth under 45
CFR section 160.103.
G.Privacy Rule shall mean the HIPAA Regulation that is found at 45 CRF Parts 160 and 164.
H.Personal Information shall have the meaning given to such term in California Civil Code sectionS
1798.3 and 1798.29..
I.Protected Health Information means individually identifiable health information that is transmitted by
electronic media, maintained in electronic media, or is transmitted or maintained in any other form or
medium, as set forth under 45 CFR section 160.103.
J.Required by law, as set forth under 45 CFR section 164.103, means a mandate contained in law that
compels an entity to make a use or disclosure of PHI that is enforceable in a court of law. This
includes, but is not limited to, court orders and court-ordered warrants, subpoenas or summons issued
by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized
to require the production of information, and a civil or an authorized investigative demand. It also
includes Medicare conditions of participation with respect to health care providers participating in the
program, and statutes or regulations that require the production of information, including statutes or
regulations that require such information if payment is sought under a government program providing
public benefits.
K.Secretary means the Secretary of the U.S. Department of Health and Human Services ("HHS") or the
Secretary's designee.
L.Security Incident means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of PHI or PI, or confidential data that is essential to the ongoing operation of
the Business Associate’s organization and intended for internal use; or interference with system
operations in an information system.
M.Security Rule shall mean the HIPAA regulation that is found at 45 CFR Parts 160 and 164.
N.Unsecured PHI shall have the meaning given to such term under the HITECH Act, 42 U.S.C. section
17932(h), any guidance issued pursuant to such Act and the HIPAA regulations.
III.Terms of Agreement
A.Permitted Uses and Disclosures of PHI by Business Associate
Permitted Uses and Disclosures. Except as otherwise indicated in this Addendum, Business
Associate may use or disclose PHI only to perform functions, activities or services specified in the
Agreement, for, or on behalf of CDPH, provided that such use or disclosure would not violate the
HIPAA regulations, if done by CDPH. Any such use or disclosure must, to the extent practicable, be
limited to the limited data set, as defined in 45 CFR section 164.514(e)(2), or, if needed, to the
minimum necessary to accomplish the intended purpose of such use or disclosure, in compliance with
the HITECH Act and any guidance issued pursuant to such Act, and the HIPAA regulations.
County of Fresno
16-10370, A01
Page 3 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
1.Specific Use and Disclosure Provisions. Except as otherwise indicated in this Addendum,
Business Associate may:
a.Use and disclose for management and administration. Use and disclose PHI for the proper
management and administration of the Business Associate provided that such disclosures are
required by law, or the Business Associate obtains reasonable assurances from the person to
whom the information is disclosed that it will remain confidential and will be used or further
disclosed only as required by law or for the purpose for which it was disclosed to the person,
and the person notifies the Business Associate of any instances of which it is aware that the
confidentiality of the information has been breached.
b.Provision of Data Aggregation Services. Use PHI to provide data aggregation services to
CDPH. Data aggregation means the combining of PHI created or received by the Business
Associate on behalf of CDPH with PHI received by the Business Associate in its capacity as the
Business Associate of another covered entity, to permit data analyses that relate to the health
care operations of CDPH.
B.Prohibited Uses and Disclosures
1.Business Associate shall not disclose PHI about an individual to a health plan for payment or health
care operations purposes if the PHI pertains solely to a health care item or service for which the
health care provider involved has been paid out of pocket in full and the individual requests such
restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section 164.522(a).
2.Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except
with the prior written consent of CDPH and as permitted by 42 U.S.C. section 17935(d)(2).
C.Responsibilities of Business Associate
Business Associate agrees:
1.Nondisclosure. Not to use or disclose Protected Health Information (PHI) other than as permitted
or required by the Agreement or as required by law.
2.Safeguards. To implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic
PHI, that it creates, receives, maintains, uses or transmits on behalf of CDPH, in compliance with
45 CFR sections 164.308, 164.310 and 164.312, and to prevent use or disclosure of PHI other than
as provided for by the Agreement. Business Associate shall implement reasonable and appropriate
policies and procedures to comply with the standards, implementation specifications and other
requirements of 45 CFR section 164, subpart C, in compliance with 45 CFR section 164.316.
Business Associate shall develop and maintain a written information privacy and security program
that includes administrative, technical and physical safeguards appropriate to the size and
complexity of the Business Associate’s operations and the nature and scope of its activities, and
which incorporates the requirements of section 3, Security, below. Business Associate will provide
CDPH with its current and updated policies.
3.Security. To take any and all steps necessary to ensure the continuous security of all
computerized data systems containing PHI and/or PI, and to protect paper documents containing
PHI and/or PI. These steps shall include, at a minimum:
County of Fresno
16-10370, A01
Page 4 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
a.Complying with all of the data system security precautions listed in Attachment A, the Business
Associate Data Security Requirements;
b.Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and
164), as necessary in conducting operations on behalf of CDPH under the Agreement;
c.Providing a level and scope of security that is at least comparable to the level and scope of
security established by the Office of Management and Budget in OMB Circular No. A-130,
Appendix III - Security of Federal Automated Information Systems, which sets forth guidelines
for automated information systems in Federal agencies; and
d.In case of a conflict between any of the security standards contained in any of these
enumerated sources of security standards, the most stringent shall apply. The most stringent
means that safeguard which provides the highest level of protection to PHI from unauthorized
disclosure. Further, Business Associate must comply with changes to these standards that
occur after the effective date of the Agreement.
e.Business Associate shall designate a Security Officer to oversee its data security program who
shall be responsible for carrying out the requirements of this section and for communicating on
security matters with CDPH.
D.Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known
to Business Associate of a use or disclosure of PHI by Business Associate or its subcontractors in
violation of the requirements of this Addendum.
E.Business Associate’s Agents and Subcontractors.
1.To enter into written agreements with any agents, including subcontractors and vendors, to whom
Business Associate provides PHI or PI received from or created or received by Business Associate
on behalf of CDPH, that impose the same restrictions and conditions on such agents,
subcontractors and vendors that apply to Business Associate with respect to such PHI and PI under
this Addendum, and that comply with all applicable provisions of HIPAA, the HITECH Act and the
HIPAA regulations.
2.In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate’s knowledge of a
material breach or violation by its subcontractor of the agreement between Business Associate and
the subcontractor, Business Associate shall:
a.Provide an opportunity for the subcontractor to cure the breach or end the violation and
terminate the agreement if the subcontractor does not cure the breach or end the violation
within the time specified by CDPH; or
b.Immediately terminate the agreement if the subcontractor has breached a material term of the
agreement and cure is not possible.
F.Availability of Information to CDPH and Individuals. To provide access and information:
1.To provide access as CDPH may require, and in the time and manner designated by CDPH (upon
reasonable notice and during Business Associate’s normal business hours) to PHI in a Designated
Record Set, to CDPH (or, as directed by CDPH), to an Individual, in accordance with 45 CFR
section 164.524. Designated Record Set means the group of records maintained for CDPH that
County of Fresno
16-10370, A01
Page 5 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
includes medical, dental and billing records about individuals; enrollment, payment, claims
adjudication, and case or medical management systems maintained for CDPH health plans; or
those records used to make decisions about individuals on behalf of CDPH. Business Associate
shall use the forms and processes developed by CDPH for this purpose and shall respond to
requests for access to records transmitted by CDPH within fifteen (15) calendar days of receipt of
the request by producing the records or verifying that there are none.
2.If Business Associate maintains an Electronic Health Record with PHI, and an individual requests a
copy of such information in an electronic format, Business Associate shall provide such information
in an electronic format to enable CDPH to fulfill its obligations under the HITECH Act, including but
not limited to, 42 U.S.C. section 17935(e).
3.If Business Associate receives data from CDPH that was provided to CDPH by the Social Security
Administration, upon request by CDPH, Business Associate shall provide CDPH with a list of all
employees, contractors and agents who have access to the Social Security data, including
employees, contractors and agents of its subcontractors and agents.
G.Amendment of PHI. To make any amendment(s) to PHI that CDPH directs or agrees to pursuant to
45 CFR section 164.526, in the time and manner designated by CDPH.
H.Internal Practices. To make Business Associate’s internal practices, books and records relating to the
use and disclosure of PHI received from CDPH, or created or received by Business Associate on behalf
of CDPH, available to CDPH or to the Secretary of the U.S. Department of Health and Human Services
in a time and manner designated by CDPH or by the Secretary, for purposes of determining CDPH’
compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive
possession of any other entity or person and the other entity or person fails or refuses to furnish the
information to Business Associate, Business Associate shall so certify to CDPH and shall set forth the
efforts it made to obtain the information.
I.Documentation of Disclosures. To document and make available to CDPH or (at the direction of
CDPH) to an Individual such disclosures of PHI, and information related to such disclosures, necessary
to respond to a proper request by the subject Individual for an accounting of disclosures of PHI, in
accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR
section 164.528 and 42 U.S.C. section 17935(c). If Business Associate maintains electronic health
records for CDPH as of January 1, 2009, Business Associate must provide an accounting of
disclosures, including those disclosures for treatment, payment or health care operations, effective with
disclosures on or after January 1, 2014. If Business Associate acquires electronic health records for
CDPH after January 1, 2009, Business Associate must provide an accounting of disclosures, including
those disclosures for treatment, payment or health care operations, effective with disclosures on or
after the date the electronic health record is acquired, or on or after January 1, 2011, whichever date is
later. The electronic accounting of disclosures shall be for disclosures during the three years prior to
the request for an accounting.
J.Breaches and Security Incidents. During the term of the Agreement, Business Associate agrees to
implement reasonable systems for the discovery and prompt reporting of any breach or security
incident, and to take the following steps:
1.Notice to CDPH. (1) To notify CDPH immediately by telephone call plus email or fax upon the
discovery of a breach of unsecured PHI or PI in electronic media or in any other media if the PHI or
PI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person,
or upon the discovery of a suspected security incident that involves data provided to CDPH by the
County of Fresno
16-10370, A01
Page 6 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
Social Security Administration. (2) To notify CDPH within 24 hours by email or fax of the
discovery of any suspected security incident, intrusion or unauthorized access, use or disclosure of
PHI or PI in violation of the Agreement and this Addendum, or potential loss of confidential data
affecting the Agreement. A breach shall be treated as discovered by Business Associate as of the
first day on which the breach is known, or by exercising reasonable diligence would have been
known, to any person (other than the person committing the breach) who is an employee, officer or
other agent of Business Associate.
Notice shall be provided to the CDPH Program Contract Manager, the CDPH Privacy Officer and
the CDPH Information Security Officer. If the incident occurs after business hours or on a weekend
or holiday and involves electronic PHI, notice shall be provided by calling the CDPH ITSD Service
Desk. Notice shall be made using the “CDPH Privacy Incident Report” form, including all
information known at the time. Business Associate shall use the most current version of this form,
which is posted on the CDPH Privacy Office website (www.CDPH.ca.gov,
Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or
disclosure of PHI or PI, Business Associate shall take:
a.Prompt corrective action to mitigate any risks or damages involved with the breach and to
protect the operating environment; and
b.Any action pertaining to such unauthorized disclosure required by applicable Federal and State
laws and regulations.
2.Investigation and Investigation Report. To immediately investigate such security incident,
breach, or unauthorized access, use or disclosure of PHI or PI. Within 72 hours of the discovery,
Business Associate shall submit an updated “CDPH Privacy Incident Report” containing the
information marked with an asterisk and all other applicable information listed on the form, to the
extent known at that time, to the CDPH Program Contract Manager, the CDPH Privacy Officer, and
the CDPH Information Security Officer:
3.Complete Report. To provide a complete report of the investigation to the CDPH Program
Contract Manager, the CDPH Privacy Officer, and the CDPH Information Security Officer within ten
(10)working days of the discovery of the breach or unauthorized use or disclosure. The report shall
be submitted on the “CDPH Privacy Incident Report” form and shall include an assessment of all
known factors relevant to a determination of whether a breach occurred under applicable provisions
of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The report shall also include a
full, detailed corrective action plan, including information on measures that were taken to halt and/or
contain the improper use or disclosure. If CDPH requests information in addition to that listed on
the ”CDPH Privacy Incident Report” form, Business Associate shall make reasonable efforts to
provide CDPH with such information. If necessary, a Supplemental Report may be used to submit
revised or additional information after the completed report is submitted, by submitting the revised
or additional information on an updated “CDPH Privacy Incident Report” form. CDPH will review
and approve the determination of whether a breach occurred and individual notifications are
required, and the corrective action plan.
4.Notification of Individuals. If the cause of a breach of PHI or PI is attributable to Business
Associate or its subcontractors, agents or vendors, Business Associate shall notify individuals of the
breach or unauthorized use or disclosure when notification is required under state or federal law
and shall pay any costs of such notifications, as well as any costs associated with the breach. The
notifications shall comply with the requirements set forth in 42 U.S.C. section 17932 and its
implementing regulations, including, but not limited to, the requirement that the notifications be
County of Fresno
16-10370, A01
Page 7 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
made without unreasonable delay and in no event later than 60 calendar days. The CDPH
Program Contract Manager, the CDPH Privacy Officer, and the CDPH Information Security Officer
shall approve the time, manner and content of any such notifications and their review and approval
must be obtained before the notifications are made.
5.Responsibility for Reporting of Breaches. If the cause of a breach of PHI or PI is attributable to
Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for
all required reporting of the breach as specified in 42 U.S.C. section 17932 and its implementing
regulations, including notification to media outlets and to the Secretary. If a breach of unsecured
PHI involves more than 500 residents of the State of California or its jurisdiction, Business
Associate shall notify the Secretary of the breach immediately upon discovery of the breach. If
Business Associate has reason to believe that duplicate reporting of the same breach or incident
may occur because its subcontractors, agents or vendors may report the breach or incident to
CDPH in addition to Business Associate, Business Associate shall notify CDPH, and CDPH and
Business Associate may take appropriate action to prevent duplicate reporting. The breach
reporting requirements of this paragraph are in addition to the reporting requirements set forth in
subsection 1, above.
6.CDPH Contact Information. To direct communications to the above referenced CDPH staff, the
Contractor shall initiate contact as indicated herein. CDPH reserves the right to make changes to
the contact information below by giving written notice to the Contractor. Said changes shall not
require an amendment to this Addendum or the Agreement to which it is incorporated.
CDPH Program
Contract Manager
CDPH Privacy Officer CDPH Information Security Officer
See the Scope of Work
exhibit for Program
Contract Manager
information
Privacy Officer
Privacy Office, c/o Office of Legal
Services
California Department of Public
Health
1415 L Street, 5th Floor
Sacramento, CA 95814
Email: privacy@cdph.ca.gov
Telephone: (877) 421-9634
Chief Information Security Officer
Information Security Office
California Department of Public
Health
P.O. Box 997413, MS 6302
Sacramento, CA 95899-7413
Email: cdphiso@cdph.ca.gov
Telephone: IT Service Desk
(916)440-7000 or
(800)579-0874
County of Fresno
16-10370, A01
Page 8 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
K.Termination of Agreement. In accordance with Section 13404(b) of the HITECH Act and to the extent
required by the HIPAA regulations, if Business Associate knows of a material breach or violation by
CDPH of this Addendum, it shall take the following steps:
1.Provide an opportunity for CDPH to cure the breach or end the violation and terminate the
Agreement if CDPH does not cure the breach or end the violation within the time specified by
Business Associate; or
2.Immediately terminate the Agreement if CDPH has breached a material term of the Addendum and
cure is not possible.
L.Due Diligence. Business Associate shall exercise due diligence and shall take reasonable steps to
ensure that it remains in compliance with this Addendum and is in compliance with applicable
provisions of HIPAA, the HITECH Act and the HIPAA regulations, and that its agents, subcontractors
and vendors are in compliance with their obligations as required by this Addendum.
M.Sanctions and/or Penalties. Business Associate understands that a failure to comply with the
provisions of HIPAA, the HITECH Act and the HIPAA regulations that are applicable to Business
Associate may result in the imposition of sanctions and/or penalties on Business Associate under
HIPAA, the HITECH Act and the HIPAA regulations.
IV.Obligations of CDPH
CDPH agrees to:
A.Notice of Privacy Practices. Provide Business Associate with the Notice of Privacy Practices that
CDPH produces in accordance with 45 CFR section 164.520, as well as any changes to such notice.
B.Permission by Individuals for Use and Disclosure of PHI. Provide the Business Associate with any
changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect
the Business Associate’s permitted or required uses and disclosures.
C.Notification of Restrictions. Notify the Business Associate of any restriction to the use or disclosure
of PHI that CDPH has agreed to in accordance with 45 CFR section 164.522, to the extent that such
restriction may affect the Business Associate’s use or disclosure of PHI.
D.Requests Conflicting with HIPAA Rules. Not request the Business Associate to use or disclose PHI
in any manner that would not be permissible under the HIPAA regulations if done by CDPH.
V.Audits, Inspection and Enforcement
A.From time to time, CDPH may inspect the facilities, systems, books and records of Business Associate
to monitor compliance with the Agreement and this Addendum. Business Associate shall promptly
remedy any violation of any provision of this Addendum and shall certify the same to the CDPH Privacy
Officer in writing. The fact that CDPH inspects, or fails to inspect, or has the right to inspect, Business
Associate’s facilities, systems and procedures does not relieve Business Associate of its responsibility
to comply with this Addendum, nor does CDPH’:
County of Fresno
16-10370, A01
Page 9 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
1.Failure to detect or
2.Detection, but failure to notify Business Associate or require Business Associate’s remediation of
any unsatisfactory practices constitute acceptance of such practice or a waiver of CDPH’
enforcement rights under the Agreement and this Addendum.
B.If Business Associate is the subject of an audit, compliance review, or complaint investigation by the
Secretary or the Office of Civil Rights, U.S. Department of Health and Human Services, that is related
to the performance of its obligations pursuant to this HIPAA Business Associate Addendum, Business
Associate shall notify CDPH and provide CDPH with a copy of any PHI or PI that Business Associate
provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI or PI to the
Secretary. Business Associate is responsible for any civil penalties assessed due to an audit or
investigation of Business Associate, in accordance with 42 U.S.C. section 17934(c).
VI.Termination
A.Term. The Term of this Addendum shall commence as of the effective date of this Addendum and
shall extend beyond the termination of the Agreement and shall terminate when all the PHI provided by
CDPH to Business Associate, or created or received by Business Associate on behalf of CDPH, is
destroyed or returned to CDPH, in accordance with 45 CFR 164.504(e)(2)(ii)(I).
B.Termination for Cause. In accordance with 45 CFR section 164.504(e)(1)(ii), upon CDPH’ knowledge
of a material breach or violation of this Addendum by Business Associate, CDPH shall:
1.Provide an opportunity for Business Associate to cure the breach or end the violation and terminate
the Agreement if Business Associate does not cure the breach or end the violation within the time
specified by CDPH; or
2.Immediately terminate the Agreement if Business Associate has breached a material term of this
Addendum and cure is not possible.
C.Judicial or Administrative Proceedings. Business Associate will notify CDPH if it is named as a
defendant in a criminal proceeding for a violation of HIPAA. CDPH may terminate the Agreement if
Business Associate is found guilty of a criminal violation of HIPAA. CDPH may terminate the
Agreement if a finding or stipulation that the Business Associate has violated any standard or
requirement of HIPAA, or other security or privacy laws is made in any administrative or civil
proceeding in which the Business Associate is a party or has been joined.
D.Effect of Termination. Upon termination or expiration of the Agreement for any reason, Business
Associate shall return or destroy all PHI received from CDPH (or created or received by Business
Associate on behalf of CDPH) that Business Associate still maintains in any form, and shall retain no
copies of such PHI. If return or destruction is not feasible, Business Associate shall notify CDPH of the
conditions that make the return or destruction infeasible, and CDPH and Business Associate shall
determine the terms and conditions under which Business Associate may retain the PHI. Business
Associate shall continue to extend the protections of this Addendum to such PHI, and shall limit further
use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This
provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
VII. Miscellaneous Provisions
A.Disclaimer. CDPH makes no warranty or representation that compliance by Business Associate with
this Addendum, HIPAA or the HIPAA regulations will be adequate or satisfactory for Business
County of Fresno
16-10370, A01
Page 10 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
Associate’s own purposes or that any information in Business Associate’s possession or control, or
transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure.
Business Associate is solely responsible for all decisions made by Business Associate regarding the
safeguarding of PHI.
B.Amendment. The parties acknowledge that federal and state laws relating to electronic data security
and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for
procedures to ensure compliance with such developments. The parties specifically agree to take such
action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the
HIPAA regulations and other applicable laws relating to the security or privacy of PHI. Upon CDPH’
request, Business Associate agrees to promptly enter into negotiations with CDPH concerning an
amendment to this Addendum embodying written assurances consistent with the standards and
requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable laws. CDPH may
terminate the Agreement upon thirty (30) days written notice in the event:
1.Business Associate does not promptly enter into negotiations to amend this Addendum when
requested by CDPH pursuant to this Section; or
2.Business Associate does not enter into an amendment providing assurances regarding the
safeguarding of PHI that CDPH in its sole discretion, deems sufficient to satisfy the standards and
requirements of HIPAA and the HIPAA regulations.
C.Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and
any subcontractors, employees or agents assisting Business Associate in the performance of its
obligations under the Agreement, available to CDPH at no cost to CDPH to testify as witnesses, or
otherwise, in the event of litigation or administrative proceedings being commenced against CDPH, its
directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations or other
laws relating to security and privacy, which involves inactions or actions by the Business Associate,
except where Business Associate or its subcontractor, employee or agent is a named adverse party.
D.No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of this
Addendum is intended to confer, nor shall anything herein confer, upon any person other than CDPH or
Business Associate and their respective successors or assignees, any rights, remedies, obligations or
liabilities whatsoever.
E.Interpretation. The terms and conditions in this Addendum shall be interpreted as broadly as
necessary to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations and
applicable state laws. The parties agree that any ambiguity in the terms and conditions of this
Addendum shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the
HITECH Act and the HIPAA regulations.
F.Regulatory References. A reference in the terms and conditions of this Addendum to a section in the
HIPAA regulations means the section as in effect or as amended.
G.Survival. The respective rights and obligations of Business Associate under Section VI.D of this
Addendum shall survive the termination or expiration of the Agreement.
H.No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on
any one or more occasions shall be deemed a waiver of performance of any continuing or other
obligation, or shall prohibit enforcement of any obligation, on any other occasion.
County of Fresno
16-10370, A01
Page 11 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
Attachment A
Business Associate Data Security Requirements
I.Personnel Controls
A.Employee Training. All workforce members who assist in the performance of functions or
activities on behalf of CDPH, or access or disclose CDPH PHI or PI must complete information
privacy and security training, at least annually, at Business Associate’s expense. Each workforce
member who receives information privacy and security training must sign a certification, indicating
the member’s name and the date on which the training was completed. These certifications must
be retained for a period of six (6) years following contract termination.
B.Employee Discipline. Appropriate sanctions must be applied against workforce members who fail
to comply with privacy policies and procedures or any provisions of these requirements, including
termination of employment where appropriate.
C.Confidentiality Statement. All persons that will be working with CDPH PHI or PI must sign a
confidentiality statement that includes, at a minimum, General Use, Security and Privacy
Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the
workforce member prior to access to CDPH PHI or PI. The statement must be renewed annually.
The Contractor shall retain each person’s written confidentiality statement for CDPH inspection for a
period of six (6) years following contract termination.
D.Background Check. Before a member of the workforce may access CDPH PHI or PI, a thorough
background check of that worker must be conducted, with evaluation of the results to assure that
there is no indication that the worker may present a risk to the security or integrity of confidential
data or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce
member’s background check documentation for a period of three (3) years following contract
termination.
II.Technical Security Controls
A.Workstation/Laptop encryption. All workstations and laptops that process and/or store CDPH
PHI or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such
as Advanced Encryption Standard (AES). The encryption solution must be full disk unless
approved by the CDPH Information Security Office.
B.Server Security. Servers containing unencrypted CDPH PHI or PI must have sufficient
administrative, physical, and technical controls in place to protect that data, based upon a risk
assessment/system security review.
C.Minimum Necessary. Only the minimum necessary amount of CDPH PHI or PI required to perform
necessary business functions may be copied, downloaded, or exported.
D.Removable media devices. All electronic files that contain CDPH PHI or PI data must be
encrypted when stored on any removable media or portable device (i.e. USB thumb drives, floppies,
CD/DVD, Blackberry, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm
which is 128bit or higher, such as AES.
County of Fresno
16-10370, A01
Page 12 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
E.Antivirus software. All workstations, laptops and other systems that process and/or store CDPH
PHI or PI must install and actively use comprehensive anti-virus software solution with automatic
updates scheduled at least daily.
F.Patch Management. All workstations, laptops and other systems that process and/or store CDPH
PHI or PI must have critical security patches applied, with system reboot if necessary. There must
be a documented patch management process which determines installation timeframe based on
risk assessment and vendor recommendations. At a maximum, all applicable patches must be
installed within 30 days of vendor release.
G.User IDs and Password Controls. All users must be issued a unique user name for accessing
CDPH PHI or PI. Username must be promptly disabled, deleted, or the password changed upon
the transfer or termination of an employee with knowledge of the password, at maximum within 24
hours. Passwords are not to be shared. Passwords must be at least eight characters and must be
a non-dictionary word. Passwords must not be stored in readable format on the computer.
Passwords must be changed every 90 days, preferably every 60 days. Passwords must be
changed if revealed or compromised. Passwords must be composed of characters from at least
three of the following four groups from the standard keyboard:
•Upper case letters (A-Z)
•Lower case letters (a-z)
•Arabic numerals (0-9)
•Non-alphanumeric characters (punctuation symbols)
H.Data Destruction. When no longer needed, all CDPH PHI or PI must be wiped using the Gutmann
or US Department of Defense (DoD) 5220.22-M (7 Pass) standard, or by degaussing. Media may
also be physically destroyed in accordance with NIST Special Publication 800-88. Other methods
require prior written permission of the CDPH Information Security Office.
I.System Timeout. The system providing access to CDPH PHI or PI must provide an automatic
timeout, requiring re-authentication of the user session after no more than 20 minutes of inactivity.
J.Warning Banners. All systems providing access to CDPH PHI or PI must display a warning
banner stating that data is confidential, systems are logged, and system use is for business
purposes only by authorized users. User must be directed to log off the system if they do not agree
with these requirements.
K.System Logging. The system must maintain an automated audit trail which can identify the user
or system process which initiates a request for CDPH PHI or PI, or which alters CDPH PHI or PI.
The audit trail must be date and time stamped, must log both successful and failed accesses, must
be read only, and must be restricted to authorized users. If CDPH PHI or PI is stored in a
database, database logging functionality must be enabled. Audit trail data must be archived for at
least 3 years after occurrence.
L.Access Controls. The system providing access to CDPH PHI or PI must use role based access
controls for all user authentications, enforcing the principle of least privilege.
County of Fresno
16-10370, A01
Page 13 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
M.Transmission encryption. All data transmissions of CDPH PHI or PI outside the secure internal
network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher, such as
AES. Encryption can be end to end at the network level, or the data files containing PHI can be
encrypted. This requirement pertains to any type of PHI or PI in motion such as website access, file
transfer, and E-Mail.
N.Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting CDPH
PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion
detection and prevention solution.
III.Audit Controls
A.System Security Review. All systems processing and/or storing CDPH PHI or PI must have at
least an annual system risk assessment/security review which provides assurance that
administrative, physical, and technical controls are functioning effectively and providing adequate
levels of protection. Reviews should include vulnerability scanning tools.
B.Log Reviews. All systems processing and/or storing CDPH PHI or PI must have a routine
procedure in place to review system logs for unauthorized access.
C.Change Control. All systems processing and/or storing CDPH PHI or PI must have a documented
change control procedure that ensures separation of duties and protects the confidentiality, integrity
and availability of data.
IV.Business Continuity / Disaster Recovery Controls
A.Emergency Mode Operation Plan. Contractor must establish a documented plan to enable
continuation of critical business processes and protection of the security of electronic CDPH PHI or
PI in the event of an emergency. Emergency means any circumstance or situation that causes
normal computer operations to become unavailable for use in performing the work required under
the Agreement for more than 24 hours.
B.Data Backup Plan. Contractor must have established documented procedures to backup CDPH
PHI to maintain retrievable exact copies of CDPH PHI or PI. The plan must include a regular
schedule for making backups, storing backups offsite, an inventory of backup media, and an
estimate of the amount of time needed to restore CDPH PHI or PI should it be lost. At a minimum,
the schedule must be a weekly full backup and monthly offsite storage of CDPH data.
V.Paper Document Controls
A.Supervision of Data. CDPH PHI or PI in paper form shall not be left unattended at any time,
unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is
not being observed by an employee authorized to access the information. CDPH PHI or PI in paper
form shall not be left unattended at any time in vehicles or planes and shall not be checked in
baggage on commercial airplanes.
B.Escorting Visitors. Visitors to areas where CDPH PHI or PI is contained shall be escorted and
CDPH PHI or PI shall be kept out of sight while visitors are in the area.
C.Confidential Destruction. CDPH PHI or PI must be disposed of through confidential means, such
as cross cut shredding and pulverizing.
County of Fresno
16-10370, A01
Page 14 of 14
Exhibit D
HIPAA Business Associate Addendum
CDPH HIPAA BAA 6-16
D.Removal of Data. CDPH PHI or PI must not be removed from the premises of the Contractor
except with express written permission of CDPH.
E.Faxing. Faxes containing CDPH PHI or PI shall not be left unattended and fax machines shall be
in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in
error to destroy them. Fax numbers shall be verified with the intended recipient before sending the
fax.
F.Mailing. Mailings of CDPH PHI or PI shall be sealed and secured from damage or inappropriate
viewing of PHI or PI to the extent possible. Mailings which include 500 or more individually
identifiable records of CDPH PHI or PI in a single package shall be sent using a tracked mailing
method which includes verification of delivery and receipt, unless the prior written permission of
CDPH to use another method is obtained.
Exhibit F, A01
Security Requirements, Protections, and Confidentiality Checklist
Site Name: -'---'C...,o .... 1 .... 1.un-4.t..,,y'---'-o .... f..._,L:..E .... r-1ae~s ... n~o,;...._ ________ Site Number: J DD J
The Contractor shall complete and return this checklist with the signed copy of the contract
agreement. To complete this checklist, the authorized agency administrator or representative
attests by checking the boxes adjacent to the statement and signing this checklist that the
ADAP Enrollment Site meets, and shall continue to meet throughout the life of the contract
(July 1, 2016 -June 30, 2020), the requirements as identified in the Scope of Work which
includes those identified below:
The Contractor has reviewed and attests that the contracting agency or organization
1. meets the requirements as written in the "Nondiscrimination Clause (OCP-1)" STD 17A
form and has a process in place to deal with discrimination complaints.
The Contractor can ensure the administrative, physical and technical safeguards of
2. protected health information as required in the CDPH HIPAA BAA 6-16, HIPAA Business
Associate Addendum.
Breaches of.confidential clie11t informati<;m ,ri1ustb¢ immediately iepdited to CDPHIOAIADAP. In the space
: below, please '[def?tify the process (find individual/s) your agency or organization has in place to report
breaches of ADAP .clients'protected liealthorpersonal-irifofmatioii. · .• · -.. •
2.a.
3 . The ADAP Notice of Privacy Practices is posted in an area at the ADAP Enrollment Site
that is accessible and visible to ADAP applicants/clients.
The Contractor has internet access and scanning and uploading capabilities to allow for
4. the creation of electronic ADAP client files within the designated ADAP 's Enrollment
Benefits Management secure web-based enrollment system.
5. The Contractor has desktop computers with internet access available for all site personnel
(shared or individual) who will be performing ADAP enrollm~nt services.
The Contractor has fax machine/s and scanner/s used to transmit and/or received ADAP
6. client enrollment information/documentation located in a secure area at this ADAP
Enrollment Site.
All of the requirements listed above must be met in order to become an ADAP Enrollment Site.
Sa] Quintero
Print Name of Authorized Agency Representative
Si~
Chajrperson
Title
9J l S) [y;'
Date
ATTEST:
BERNICE E. SEIDEL
Clerk of the Board of Supervisors
County of Fresno , State of California
Bv o\U:, ,c~ Deputy
Page 1 of 3
Exhibit G
Plan for Transporting Confidential ADAP Client Files
Enrollment Site Number: Enrollment Site Contact:
Address of New Location (where client files are
being transferred to):
Enrollment Site Name:
Current Enrollment Site Address:
Enrollment Site Telephone Number:
Enrollment Site Fax Number:
Date Client Files will be Transferred:
Please submit the completed Document Transfer Plan to your CDPH ADAP Advisor.
Your advisor will contact you after the Document Transfer Plan has been reviewed/approved.
Acknowledge ADAP Policy for Transferring Client Files:
It is the policy of [Insert Name of Enrollment Site], ADAP, to ensure that any transfer of ADAP
documentation will be safe, secured and implemented in accordance with CDPH ADAP confidentiality
and security requirements for safeguarding the confidentiality of protected health information. ADAP
Eligibility Workers (EWs) will implement reasonable and appropriate administrative, technical, and
physical measures to safeguard protected health information from any intentional or unintentional use
or disclosure that might violate County, State or Federal privacy regulations, Health and Safety Code,
and in accordance with the ADAP Site Agreement for years 2016 – 2020, Exhibit D, HIPAA Business
Associate Addendum and Exhibit G, Plan for Transporting Confidential ADAP Client Files.
Why are client files being transferred?
□Relocation of the ADAP Enrollment Site to a new office/location
□Providing in-home client enrollment services when a client is unable to travel to the ADAP
Enrollment Site
□Relocating ADAP files to a new location for storage purposes
□Closure of an ADAP Enrollment Site.
Note: If files are being transferred for a reason not listed above, please contact your ADAP
Advisor
1.How many client files will be transferred?
Page 2 of 3
2.Describe the methods that will be used to secure client files when being transferred (e.g.,
locked container, by vehicle/trunk, no stops on way to new location, etc.)
3.Which site staff person/s will supervise the security and transfer of client files as they are
moved to the new location? Will a vendor be utilized? If so, please explain.
4.Please describe where and how the client files will be stored at their new location.
5.In this section, outline, step-by-step, the process that will be followed in the transferring of
client files to their new location. Attach an additional page if necessary.
________________________________________ _______________________________
SIGNATURE OF SITE CONTACT/AGENCY ADMINISTRATOR DATE SIGNED
Page 3 of 3
Additional Comments:
Slale of Ca ll forn la-Heallh and Human Services Agency Ca lifornia Oepanmenl of Pubijc Heallh
Coniracts and Purchasin g Ser,;ces Section
Darfur Contracting Act
Pursuant to Public Contract Code (PCC) sections 104 7 5-10481, the Darfur Contracting Act's intent is to
preclude State agencies from contracting with scrutinized companies that do business in the African nation of
Sudan. A scrutinized company is a company doing specified types of business in Sudan as defined in PCC
section 104 76. Scrutinized companies are ineligible to, and cannot, contract with a State agency for goods or
services (PCC section 104 77(a)) unless obtaining permission from the Department of General Services
according to the criteria set forth in PCC section 10477(b).
Therefore, to be eligible to contract with the California Department of Public Health, please initial ,onEfofthe :toiiov:iiil'd :Wt~f ii~t~~!;i'r.~S~~:~-i'j~i~fohtr$.!~t.~~:~~~:_~~-a.iflp_~Hq~;~_Ei19.~: · .. ·· · ·
1. ~
Initials
2 .
Initials
3 .
Initials
CERTIFICATION
We do not currently have , or we have not had within the previous
three years, business activities or other operations outside of the United States.
OR
We are a scrutinized company as defined in Public Contract Code
section 10476, but we have received written permission from the Department of General
Services (DGS) to submit a bid or proposal pursuant to Public Contract Code section
10477(b) or submit a contracVpurchase order. A copy of the written permission from
DGS is included with our bid, proposal or contracUpurchase order.
OR
We currently have, or we have had within the previous three years,
business activities or other operations outside of the United States,
but we certify below that we are not a scrutinized company
as defined in Public Contract Code section 10476.
I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly authorized to legally bind this
company to the clause listed above. This certification is made under the laws of the State of California.
Company Name (Printed)
f Fresno
By (Authorized Signature)
Date Executed
CDPH 9067 (7/17)
Federal ID Number
94-6000-512
ors
Executed in the County and State of
Fres California
ATTEST:
BERNICE E. SEIDEL
Clerk of the Board of Supervisors
Count of Fresno , S le of California