AGREEMENT NO. 11-336-1
AMENDMENT I TO AGREEMENT
THIS AMENDMENT, hereinafter referred to as Amendment I, is made and entered into
this 10th day of March, 2015, by and between the COUNTY OF FRESNO,
a Political Subdivision of the State of California, hereinafter referred to as "COUNTY", and BIT
CALIFORNIA LLC dba DOCUMENT FULFILLMENT SERVICES, a for-profit corporation,
whose address is 910 Riverside Parkway, Suite 40, West Sacramento, CA 95605 hereinafter
referred to as "CONTRACTOR".
WITNESSETH:
WHEREAS, the parties entered into that certain Agreement, identified as COUNTY
Agreement No. A-11-336, effective July 1, 2011, hereinafter referred to as the "Agreement"; and
WHEREAS, the Department of Social Services (DSS) engaged the CONTRACTOR for the
purpose of providing CalWIN (California Work Opportunity and Responsibility to Kids
Information Network) correspondence to DSS clients through printing and mailing services; and
WHEREAS, 18 CalWIN counties contract with CONTRACTOR to provide CalWIN client
correspondence; and
WHEREAS, CONTRACTOR has the qualified personnel, facilities and resources to provide
timely CalWIN correspondence to clients through printing and mailing necessary documents; and
WHEREAS, CONTRACTOR is able to coordinate with DSS to provide such services; and
WHEREAS, the parties desire to amend the Agreement No. A-11-336 regarding changes as
stated below and restate the Agreement in its entirety.
NOW, THEREFORE, in consideration of their mutual promises, covenants and conditions,
hereinafter set forth, the sufficiency of which is acknowledged, the parties agree as follows:
1. That existing COUNTY Agreement No. A-11-336, Section Two (2), Page Two (2),
beginning on Line Fourteen (14) with the word "This" and ending on Page Two (2), Line Fifteen
(15) with the word "forth" be deleted in its entirety and the following inserted in its place:
"This Agreement shall automatically be extended for five (5) additional twelve (12)
month periods upon the same terms and conditions herein set forth."
2. That existing COUNTY Agreement No. A-11-336, Section Four (4), Page Three (3),
1 -COUNTY OF FRESNO
Fresno,CA
beginning on Line Seventeen (17) with the word "In" and ending on Page Three (3), Line Nineteen
(19) with the word "Agreement" be deleted in its entirety and the following inserted in its place:
"In no event shall compensation for services performed under this Agreement be in
excess of Fourteen Million, Eight Hundred Sixty-Three Thousand, Two Hundred and Seventy and
No/100 Dollars ($14,863,270) during the six year term of this Agreement."
3. That existing COUNTY Agreement No. A-11-336, Section Four (4), Page Four (4),
beginning on Line Five (5) with the word "All" and ending on Page Four (4), Line Six (6) with the
word "Exhibit B" be deleted in its entirety and the following inserted in its place:
"All postage reserve funds will be reconciled monthly and reported to COUNTY."
4. That all references in existing COUNTY Agreement No. A-11-336 to "Exhibit A" shall
be changed to read "Revised Exhibit A," attached hereto and incorporated herein by this reference.
5. That all references in existing COUNTY Agreement No. A-11-336 to "Exhibit B" shall
be changed to read "Revised Exhibit B," attached hereto and incorporated herein by this reference.
6. That existing COUNTY Agreement No. A-11-336, Section Five (5), Page Five (5),
beginning on Line Five (5) with the word "3115 N Millbrook" and ending on Page Five (5), Line
Six (6) with the word "Analyst" be deleted in its entirety and the following inserted in its place:
"DSS Invoices Mailbox at DSSInvoices@co.fresno.ca.us with a copy sent to DSS IT
Invoices at DSSITInvoices@co.fresno.ca.us."
7. That all references in existing COUNTY Agreement No. A-11-336 to "Exhibit D" shall
be changed to read "Revised Exhibit D," attached hereto and incorporated herein by this reference.
8. The parties agree that this Amendment I is sufficient to amend COUNTY Agreement
No. A-11-336, and that upon execution of this Amendment I, the original Agreement and
Amendment I together shall be considered the Agreement.
The Agreement, as hereby amended, is ratified and continued. All provisions, terms,
covenants, conditions and promises contained in the Agreement and not amended herein shall
remain in full force and effect. This Amendment I shall become effective upon execution on the day
first hereinabove written.
IN WITNESS WHEREOF, the parties hereto have executed this Amendment I to
Agreement No. A-11-336 as of the day and year first hereinabove written.
ATTEST:
CONTRACTOR:
BIT CALIFORNIA LLC dba DOCUMENT
FULFILLMENT SERVICES
By ____________
Print Name:
Title:
Chairman of the Board, or
President, or any Vice President
Date:
By ____________
Print Name:
Title:
Secretary (of Corporation), or
any Assistant Secretary, or
Chief Financial Officer, or
any Assistant Treasurer
COUNTY OF FRESNO
Deborah A. Poochigian, Chai
Board of Supervisors
BERNICE E. SEIDEL, Clerk
Board of Supervisors
By ____________
PLEASE SEE ADDITIONAL
SIGNATURE PAGE ATTACHED
Mailing Address:
910 Riverside Parkway, Suite 40
West Sacramento, CA 95605
Phone No.: (916) 374-9002
Contact: Steve Shill, Owner/General Manager
APPROVED AS TO LEGAL FORM:
DANIEL C. CEDERBORG, COUNTY COUNSEL
By ____________
APPROVED AS TO ACCOUNTING FORM:
VICKI CROW, C.P.A., AUDITOR-CONTROLLER/
TREASURER-TAX COLLECTOR
By ____________
DEPARTMENT OF SOCIAL SERVICES
REVIEWED AND RECOMMENDED FOR APPROVAL:
By ____________
Fund/Subclass: 0001/10000
Organization: 56107004
Account/Program: 7268/0 ($9,013,962)
Account/Program: 7294/0 ($5,849,308)
Revised Exhibit A
Page 1 of 4
CALWIN/VACS PRINTING AND MAILING SERVICES INCLUDING POSTAGE
SUMMARY OF SERVICES
ORGANIZATION: BIT California LLC dba Document Fulfillment Services
ADDRESS: 910 Riverside Parkway, Suite 40, West Sacramento, CA 95605
CONTACT: Steve Shill, General Manager, (916) 374-9002
SERVICES: CalWIN/VACS Printing and Mailing Services
CONTRACT PERIOD: July 1, 2011 to June 30, 2012, with five (5) auto-renewals through June 30, 2017
MAXIMUM AGREEMENT COMPENSATION: $14,863,270
CONTRACTOR shall provide CalWIN (California Work Opportunity and Responsibility to Kids
Information Network) and Ventura Automated Collections System (VACS) client correspondence
printing and mailing services for the Department of Social Services (DSS).
PROJECT DESCRIPTION: The CalWIN system is a Windows-based system used by Eligibility Workers
(EWs) in determining eligibility and benefit levels for public assistance programs. Daily transactions by
EWs automatically generate correspondence including Notices of Actions, forms, applications and other
client correspondence. The correspondence must be processed and rendered to the United States Postal
Service (USPS) within the same day, in time for next day delivery to the addressee.
Social Services Accounts Receivable (SSAR) uses VACS, a Windows-based system, to report and bill
clients for Social Services overpayments. Monthly transactions generated by CalWIN are evaluated via
the VACS system which generates collection notices and other correspondence for clients. The
correspondence must be processed and rendered to USPS within five (5) business days to allow timely
delivery of this correspondence.
CONTRACTOR SHALL BE RESPONSIBLE FOR THE FOLLOWING:
1. Obtain print data files from the CalWIN system vendor, Hewlett-Packard, and from the COUNTY
DSS for the VACS system, and process client correspondence for next day delivery. The standard
business practice for CalWIN is to produce print data files five (5) days a week from Monday
through Friday; CONTRACTOR must be available to receive a secure electronic file transfer on a
daily basis (Tuesday through Saturday). Contractor shall notify designated COUNTY DSS staff by
phone and email of any print data file delays within 24 hours.
2. Print correspondence in nine (9) different languages in the event that correspondence needs to be
mailed in the client's primary language (as identified by the CalWIN/VACS systems). The nine (9)
languages include: English, Spanish, Russian, Chinese, Vietnamese, Hmong, Laotian, Bosnian and
Farsi. Additional languages may be supported by CalWIN/VACS during the course of the
Agreement.
3. Include inserts with correspondence as requested by COUNTY DSS. Inserts may be supplied by
COUNTY DSS and/or produced by CONTRACTOR. Should CONTRACTOR produce inserts for
COUNTY DSS, IT enhancements/changes fees are applicable. CONTRACTOR must receive written
approval from COUNTY DSS prior to producing inserts, and maintain email receipts of approval.
CONTRACTOR shall retain insert print data files for a minimum of thirty (30) business days for
disaster recovery purposes and shall destroy print data files after the specified retention period.
4. Retain print data files for a minimum of thirty (30) business days for disaster recovery purposes and
shall destroy print data files after the specified retention period.
5. Immediately notify COUNTY DSS of any correspondence errors and/or delays in rendering
correspondence to USPS for next day delivery.
COUNTY DSS CalWIN Contacts:
Mo Klinkby, Senior Systems and Procedures Analyst
PO BOX 1912
Fresno, CA 93718
mklinkby@co.fresno.ca.us, ph. (559) 600-2243
Lao Mouanoutoua, Systems and Procedures Analyst
PO BOX 1912
Fresno, CA 93718
lvmouanoutoua@co.fresno.ca.us, ph. (559) 600-2219
COUNTY DSS VACS Contact:
Joel Bugay, Finance Chief
PO BOX 1912
Fresno, CA 93718
jbugay@co.fresno.ca.us, ph. (559) 600-2823
6. Submit daily reports on errors for 100 or more pieces within a single mailing. In addition to the
daily reports, CONTRACTOR shall submit a monthly report of total errors (Revised Exhibit B, page
3) for each month in which errors occurred.
7. Submit Daily Service Activity Reports, Monthly Invoice Report, and Monthly Client Work Order
Activity Report. These reports are produced from Document Fulfillment Services System, and are
currently provided to other contracted counties as indicated in Document Fulfillment Services'
Response to the Revised Request for Proposal No. RFP7434. The reports shall include the
following:
a. Number of images printed during the day/month.
b. Number of sheets during the day/month.
c. Number of legal size sheets during the day/month.
d. Number of household mail pieces during the day/month.
e. Number of mail pieces broken out by weight and rate during the day/month.
f. Number of inserts during the day/month.
g. Number of returned envelopes during the day/month.
h. Number of mail pieces in English during the day/month.
i. Number of mail pieces in all other languages during the day/month.
8. Provide services identified in the Revised Request for Proposal RFP7434.
9. Invoice COUNTY DSS for initial postage deposit 45 days prior to due date.
10. Meter all CalWIN/VACS client correspondence on DFS postage meters in Sacramento.
11. Guarantee 100% of COUNTY DSS mail pieces receive the pre-sorted discount rates offered by the
USPS and inform COUNTY DSS within 5 business days of any applicable USPS rate changes.
12. Provide monthly Postage Summary report for postage costs, including but not limited to weight, rate,
pieces, job type etc. to COUNTY DSS.
13. Notify COUNTY DSS if postage balance falls below $80,000 or an amount that would cause an
interruption in services.
14. Provide COUNTY DSS, a $5,000 postage reserve account. Mail will be held until payment is
received if needed.
COUNTY DSS Postage Contacts:
Jennifer Kish, Staff Analyst
PO BOX 1912
Fresno, CA 93718
jkish@co.fresno.ca.us
Phone: (559) 600-2334
Fax: (559) 600-2357
DSS Invoices Mailbox
PO BOX 1912
Fresno, CA 93718
DSSinvoices@co.fresno.ca.us
Phone: (559) 600-2300
Fax: (559) 600-2357
COUNTY DSS SHALL BE RESPONSIBLE FOR THE FOLLOWING:
1. Provide CONTRACTOR with a one (1) day notice should COUNTY DSS produce data on the
CalWIN/VACS systems during days outside of the COUNTY DSS's standard business operation
days.
2. Provide CONTRACTOR with a 15 day notice for County requested stuffers/inserts.
3. Maintain a postage deposit of $240,000, the equivalent of approximately three-month's postage.
4. Maintain sufficient funding in postage account with CONTRACTOR to avoid a zero balance. This
may include periodic advance payments via ACH (automated clearing house) or standard check to
ensure timely deposit of funds.
5. Collaborate with CONTRACTOR to resolve problems and exchange services information. Meet
with CONTRACTOR as needed.
BUDGET SUMMARY
Revised Exhibit B
Page 1 of 4
ORGANIZATION: BIT California LLC dba Document Fulfillment Services
SERVICES: CalWIN/VACS Printing and Mailing Services
CONTRACT PERIOD: July 1, 2011 to June 30, 2012, with five (5) auto-renewals through June 30, 2017
MAXIMUM AGREEMENT COMPENSATION: $14,863,270
PAYMENT BASIS FOR PRINTING AND MAILING:
CONTRACTOR shall be reimbursed for CalWIN printing and mailing services at the following rates:
*Initial Set Up (first year only): No Charge
**Price per Image - B/W: $0.0426
***Price per Image - Color: $0.11
Inserts by Machine - per 1,000 (includes folding): $5.00
Inserts by Hand - per 1,000 (includes folding): $10.00
IT Changes/Enhancement per hour: $85.00
No charge
CONTRACTOR shall credit COUNTY should the following occur:
Errors involving 100 or more pieces in a single mailing: $0.04 per piece
Invoice containing typographical and/or mathematical errors: $500 per invoice
*Initial set-up charge includes all costs associated with letter design/layout, fine-tuning, programming,
and testing.
**Price per image includes cost of materials (paper, envelopes) and cost of processing (pickup/courier
service, receiving and batching data, printing, folding, inserting, presorting, delivery to USPS). The
price per image shall equal one side of printed page and shall include all applicable sales tax.
***Price per color image shall include a quick search and locate mechanism, e.g., software and
viewer to do look-ups and searches by certain criteria. The price per color image shall equal one side of
printed page and shall include all applicable sales tax.
PAYMENT BASIS FOR POSTAGE:
COUNTY shall pay for postage in advance to include an initial deposit of $240,000. CONTRACTOR
shall invoice COUNTY for actual postage in arrears. CONTRACTOR shall ensure that postage costs
are billed at the pre-sorted discount rates offered by the USPS. All postage reserve funds will be
reconciled monthly and reported on Budget Summary. All postage reserve funds will be carried forward
into each term. CONTRACTOR shall reimburse COUNTY the remainder of postage deposit at the
termination of this Agreement.
Charge for postage shall be at the USPS Commercial First-Class Mail 3-Digit Rate, subject to increases by
the USPS.
NOTE: County contracting procedures require a maximum amount payable. The maximum amount is
based upon a high estimate of the total number of services to be provided and images to be printed
during the term of the Agreement. There is no guarantee to purchase a minimum quantity of images or
services. All dollar amounts listed below have been estimated. The actual costs may vary from amounts
listed.
BUDGET SUMMARY
Fiscal Year 2011-12: $1,966,735 (Includes Postage Deposit)
Fiscal Year 2012-13: $2,033,201
Fiscal Year 2013-14: $2,395,129
Fiscal Year 2014-15: $2,822,735
Fiscal Year 2015-16: $2,822,735
Fiscal Year 2016-17: $2,822,735
Total Maximum Compensation: $14,863,270
The maximum amounts allowable under this Agreement shall be as follows:
Printing and Mailing: $5,849,308
Postage: $8,773,962
Postage Deposit: $240,000
The postage deposit in the amount of $240,000 minus any outstanding postage invoices will be refunded
by CONTRACTOR to the Department between August 5, 2017 and August 10, 2017.
CALWIN/VACS PRINTING AND MAILING SERVICES
MONTHLY ERROR REPORT
ORGANIZATION: BIT CALIFORNIA LLC dba DOCUMENT FULFILLMENT SERVICES
REPORT MONTH/YEAR: _________
ERRORS: CONTRACTOR shall credit COUNTY for errors not remedied by CONTRACTOR's
quality control involving 100 or more pieces from a single mailing at the rate of $0.04 per piece.
This shall include client correspondence mailed after the target mailing date.
NOTE: It is not necessary to submit this error report when there have been fewer than 100
unremedied errors.
ERROR DETAIL:
Date Mailed | Work Order Number | Date Processed | Unique Identifier Number | Description | Number of Pieces | Number of Inserts Included | Postage Use | Total Credit to DSS
Credit Total: _______
COMPLETED BY: __________ TITLE: ____________
PHONE NO: _______________ DATE: _____________________
Revised Exhibit D
AGREEMENT NO. 14-075
AGREEMENT NO.: 13-10
MEDI-CAL PRIVACY AND SECURITY AGREEMENT BETWEEN
the California Department of Health Care Services and the
County of Fresno, Department of Social Services
PREAMBLE
The Department of Health Care Services (DHCS) and the County of Fresno,
Department of Social Services (County Department) enter into this Medi-Cal Data
Privacy and Security Agreement (Agreement) in order to ensure the privacy and
security of Medi-Cal Personally Identifiable Information (PII).
DHCS receives federal funding to administer California's Medicaid Program
(Medi-Cal). The County Department assists in the administration of Medi-Cal, in that
DHCS and the County Department access DHCS eligibility information for the purpose
of determining Medi-Cal eligibility.
This Agreement covers the County of Fresno, Department of Social Services workers,
who assist in the administration of Medi-Cal; and access, use, or disclose Medi-Cal PII.
DEFINITIONS
For the purpose of this Agreement, the following terms mean:
1. "Assist in the administration of the Medi-Cal program" means performing
administrative functions on behalf of Medi-Cal, such as determining eligibility for, or
enrollment in, or the amount of, public benefits, and collecting Medi-Cal PII for
such purposes, to the extent such activities are authorized by law.
2. "Breach" refers to actual loss, loss of control, compromise, unauthorized
disclosure, unauthorized acquisition, unauthorized access, or any similar term
referring to situations where persons other than authorized users and for other
than authorized purposes have access or potential access to Medi-Cal PII, whether
physical, electronic, or in spoken word or recording.
3. "County Worker" means those county employees, contractors, subcontractors,
vendors and agents performing job functions for the County that require access to
and/or use of Medi-Cal PII and that are authorized by the County to access and
use Medi-Cal PII.
4. "Medi-Cal PII" is information directly obtained in the course of performing an
administrative function on behalf of Medi-Cal that can be used alone, or in
conjunction with any other information, to identify a specific individual. PII includes
any information that can be used to search for or identify individuals, or can be
used to access their files, such as name, social security number, date of birth,
driver's license number or identification number. PII may be electronic or paper;
and
5. "Security Incident" means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of Medi-Cal PII, or interference with system
operations in an information system which processes Medi-Cal PII that is under the
control of the County or County's SAWS Consortium, or a contractor,
subcontractor or vendor of the County.
AGREEMENTS
NOW THEREFORE, DHCS and County Department mutually agree as follows:
I. PRIVACY AND CONFIDENTIALITY
A. The County Department workers covered by this Agreement (County
Workers) may use or disclose Medi-Cal PII only as permitted in this
Agreement and only to assist in the administration of Medi-Cal in
accordance with Welfare and Institutions Code section 14100.2 and 42
Code of Federal Regulations section 431.300 et seq., or as required by law.
Disclosures, which are required by law, such as a court order, or are made
with the explicit written authorization of the Medi-Cal client, are allowable.
Any other use or disclosure of Medi-Cal PII requires the express approval in
writing of DHCS. No County Worker shall duplicate, disseminate or disclose
Medi-Cal PII except as allowed in this Agreement.
B. Pursuant to this Agreement, County Workers may use Medi-Cal PII only to
perform administrative functions related to determining eligibility for
individuals applying for Medi-Cal.
C. Access to Medi-Cal PII shall be restricted to only County Workers, who need
the Medi-Cal PII to perform their official duties to assist in the administration
of Medi-Cal.
D. County Workers, who access, disclose or use Medi-Cal PII in a manner or
for a purpose not authorized by this Agreement may be subject to civil and
criminal sanctions contained in applicable federal and state statutes.
II. PERSONNEL CONTROLS
The County Department agrees to advise County Workers, who have access to
Medi-Cal PII of the confidentiality of the information, the safeguards required to
protect the information, and the civil and criminal sanctions for non-compliance
contained in applicable federal and state laws. For that purpose, the County
Department shall:
A. Employee Training. Train and use reasonable measures to ensure
compliance with the requirements of this Agreement by County Workers,
who assist in the administration of Medi-Cal and use or disclose Medi-Cal
PII, including:
1. Provide privacy and security awareness training to each new County
Worker within 30 days of employment and thereafter, provide ongoing
refresher training or reminders of the privacy and security safeguards in
this Agreement to all County Workers, who assist in the administration of
Medi-Cal and use or disclose Medi-Cal PII at least annually;
2. Maintain records indicating each County Worker's name and the date on
which the privacy and security awareness training was completed;
3. Retain the most recent training records for a period of three years after
completion of the training.
B. Employee Discipline. Apply appropriate sanctions against workforce
members, who fail to comply with privacy policies and procedures or any
provisions of these requirements, including termination of employment
where appropriate.
C. Confidentiality Statement. Ensure that all County Workers, who assist in
the administration of Medi-Cal, and use or disclose Medi-Cal PII, sign a
confidentiality statement. The statement shall include at a minimum,
General Use, Security and Privacy Safeguards, Unacceptable Use, and
Enforcement Policies. The statement shall be signed by County Workers
prior to accessing Medi-Cal PII and the most recent version shall be
retained for a period of three years.
D. Background Check. Conduct a background screening of a County Worker
before a County Worker may access DHCS PII. The screening should be
commensurate with the risk and magnitude of harm the employee could
cause, with more thorough screening being done for those employees, who
are authorized to bypass significant technical and operational security
controls. The County Department shall retain each County Worker's most
recent background check documentation for a period of three years.
III. MANAGEMENT OVERSIGHT AND MONITORING
The County Department agrees to:
A. Establish and maintain ongoing management oversight and quality
assurance for monitoring workforce compliance with the privacy and
security safeguards in this Agreement when using or disclosing Medi-Cal
PII.
B. Ensure ongoing management oversight including periodic self-assessments
and random sampling of work activity by County Workers, who assist in the
administration of Medi-Cal and use or disclose Medi-Cal PII. DHCS shall
provide the County Department with information on the Medi-Cal Eligibility
Data System (MEDS) usage anomalies for investigation and follow-up.
C. Ensure these management oversight and monitoring activities are
performed by County Workers, whose job functions are separate from
those, who use or disclose Medi-Cal PII as part of their routine duties.
IV. INFORMATION SECURITY AND PRIVACY STAFFING
The County agrees to:
A. Designate information security and privacy officials who are accountable for
compliance with these and all other applicable requirements stated in this
agreement.
B. Assign county workers to be responsible for administration and monitoring
of all security related controls stated in this Agreement.
V. PHYSICAL SECURITY
The County Department shall ensure Medi-Cal PII is used and stored in an area
that is physically safe from access by unauthorized persons during working
hours and non-working hours. The County Department agrees to safeguard
Medi-Cal PII from loss, theft, or inadvertent disclosure and, therefore, agrees to:
A. Secure all areas of the County Department facilities where County Workers
assist in the administration of Medi-Cal and use or disclose Medi-Cal PII.
The County Department shall ensure these secured areas are only
accessed by authorized individuals with properly coded key cards,
authorized door keys or access authorization; and access to premises is by
official identification.
B. Issue County Workers, who assist in the administration of Medi-Cal
identification badges and require County Workers to wear these badges at
the County Department facilities where Medi-Cal PII is stored or used.
C. Ensure each physical location, where Medi-Cal PII is used or stored, has
procedures and controls that ensure an individual, who is terminated from
access to the facility is promptly escorted from the facility by an authorized
employee and access is revoked.
D. Ensure there are security guards or a monitored alarm system with or
without security cameras 24 hours a day, seven days a week at the County
Department facilities and leased facilities where a large volume of Medi-Cal
PII is stored.
E. Ensure data centers with servers, data storage devices, and critical network
infrastructure involved in the use or storage of Medi-Cal PII have perimeter
security and access controls that limit access to only authorized Information
Technology (IT) staff. Visitors to the data center area must be escorted by
authorized IT staff at all times.
F. Store paper records with Medi-Cal PII in locked spaces, such as locked file
cabinets, locked file rooms, locked desks or locked offices in facilities which
are multi-use, meaning that there are County Department and non-County
Department functions in one building in work areas that are not securely
segregated from each other. The County Department shall have policies
that indicate County Workers are not to leave records with Medi-Cal PII
unattended at any time in vehicles or airplanes and not to check such
records in baggage on commercial airplanes.
G. Use all reasonable measures to prevent non-authorized personnel and
visitors from having access to, control of, or viewing Medi-Cal PII.
VI. TECHNICAL SECURITY CONTROLS
A. Workstation/Laptop encryption. All workstations and laptops, which store
Medi-Cal PII either directly or temporarily, must be encrypted using a FIPS
140-2 certified algorithm 128bit or higher, such as Advanced Encryption
Standard (AES). The encryption solution must be full disk.
B. Server Security. Servers containing unencrypted Medi-Cal PII must have
sufficient administrative, physical, and technical controls in place to protect
that data, based upon a risk assessment/system security review.
C. Minimum Necessary. Only the minimum necessary amount of Medi-Cal
PII required to perform necessary business functions may be copied,
downloaded, or exported.
D. Removable media devices. All electronic files, which contain Medi-Cal PII
data, must be encrypted when stored on any removable media or portable
device (i.e. USB thumb drives, floppies, CD/DVD, smartphones, backup
tapes etc.). Encryption must be a FIPS 140-2 certified algorithm 128bit or
higher, such as AES.
E. Antivirus software. All workstations, laptops and other systems, which
process and/or store Medi-Cal PII, must install and actively use
comprehensive anti-virus software solution with automatic updates
scheduled at least daily.
F. Patch Management. All workstations, laptops and other systems, which
process and/or store Medi-Cal PII, must have critical security patches
applied, with system reboot if necessary. There must be a documented
patch management process that determines installation timeframe based on
risk assessment and vendor recommendations. At a maximum, all
applicable patches deemed as high risk must be installed within 30 days of
vendor release. Applications and systems that cannot be patched within
this time frame, due to significant operational reasons, must have
compensatory controls implemented to minimize risk.
G. User IDs and Password Controls. All users must be issued a unique user
name for accessing Medi-Cal PII. Username must be promptly disabled,
deleted, or the password changed upon the transfer or termination of an
employee with knowledge of the password, at maximum within 24 hours.
Passwords are not to be shared. Passwords must be at least eight
characters and must be a non-dictionary word. Passwords must not be
stored in readable format on the computer. Passwords must be changed
every 90 days, preferably every 60 days. Passwords must be changed if
revealed or compromised. Passwords must be composed of characters
from at least three of the following four groups from the standard keyboard:
• Upper case letters (A-Z)
• Lower case letters (a-z)
• Arabic numerals (0-9)
• Non-alphanumeric characters (punctuation symbols)
H. User Access. Exercise management control and oversight, in conjunction
with DHCS, of the function of authorizing individual user access to Social
Security Administration (SSA) data, MEDS, and over the process of issuing
and maintaining access control numbers and passwords.
I. Data Destruction. When no longer needed, all Medi-Cal PII must be wiped
using the Gutmann or U.S. Department of Defense (DoD) 5220.22-M (7
Pass) standard, or by degaussing. Media may also be physically destroyed
in accordance with NIST Special Publication 800-88.
J. System Timeout. The system providing access to Medi-Cal PII must
provide an automatic timeout, requiring re-authentication of the user session
after no more than 20 minutes of inactivity.
K. Warning Banners. All systems providing access to Medi-Cal PII must
display a warning banner stating that data is confidential, systems are
logged, and system use is for business purposes only by authorized users.
User must be directed to log off the system if they do not agree with these
requirements.
L. System Logging. The system must maintain an automated audit trail that
can identify the user or system process, initiates a request for Medi-Cal PII,
or alters Medi-Cal PII. The audit trail must be date and time stamped, must
log both successful and failed accesses, must be read only, and must be
restricted to authorized users. If Medi-Cal PII is stored in a database,
database logging functionality must be enabled. Audit trail data must be
archived for at least three years after occurrence.
M. Access Controls. The system providing access to Medi-Cal PII must use
role based access controls for all user authentications, enforcing the
principle of least privilege.
N. Transmission encryption. All data transmissions of Medi-Cal PII outside
the secure internal network must be encrypted using a FIPS 140-2 certified
algorithm that is 128bit or higher, such as AES. Encryption can be end to
end at the network level, or the data files containing Medi-Cal PII can be
encrypted. This requirement pertains to any type of Medi-Cal PII in motion
such as website access, file transfer, and E-Mail.
O. Intrusion Detection. All systems involved in accessing, holding,
transporting, and protecting Medi-Cal PII, which are accessible through the
Internet, must be protected by a comprehensive intrusion detection and
prevention solution.
VII. AUDIT CONTROLS
A. System Security Review. The County Department must ensure audit
control mechanisms that record and examine system activity are in place.
All systems processing and/or storing Medi-Cal PII must have at least an
annual system risk assessment/security review that ensures administrative,
physical, and technical controls are functioning effectively and provide an
adequate level of protection. Reviews should include vulnerability
scanning tools.
B. Log Reviews. All systems processing and/or storing Medi-Cal PII must
have a routine procedure in place to review system logs for unauthorized
access.
C. Change Control. All systems processing and/or storing Medi-Cal PII must
have a documented change control procedure that ensures separation of
duties and protects the confidentiality, integrity and availability of data.
D. Anomalies. Investigate anomalies in MEDS usage identified by DHCS and
report conclusions of such investigations and remediation to DHCS.
VIII. BUSINESS CONTINUITY / DISASTER RECOVERY CONTROLS
A. Emergency Mode Operation Plan. The County Department must establish
a documented plan to enable continuation of critical business processes and
protection of the security of Medi-Cal PII kept in an electronic format in the
event of an emergency. Emergency means any circumstance or situation
that causes normal computer operations to become unavailable for use in
performing the work required under this Agreement for more than
24 hours.
B. Data Centers. Data centers with servers, data storage devices, and critical
network infrastructure involved in the use or storage of Medi-Cal PII, must
include sufficient environmental protection such as cooling, power, and fire
prevention, detection, and suppression.
C. Data Backup Plan. The County Department must have established
documented procedures to back up Medi-Cal PII to maintain retrievable
exact copies of Medi-Cal PII. The plan must include a regular schedule for
making backups, storing backups offsite, an inventory of backup media, and
an estimate of the amount of time needed to restore Medi-Cal PII should it
be lost. At a minimum, the schedule must be a weekly full backup and
monthly offsite storage of Medi-Cal data.
IX. PAPER DOCUMENT CONTROLS
A. Supervision of Data. Medi-Cal PII in paper form shall not be left
unattended at any time, unless it is locked in a file cabinet, file room, desk or
office. Unattended means that information is not being observed by an
employee authorized to access the information. Medi-Cal PII in paper form
shall not be left unattended at any time in vehicles or planes and shall not
be checked in baggage on commercial airplanes.
B. Escorting Visitors. Visitors to areas where Medi-Cal PII is contained shall
be escorted and Medi-Cal PII shall be kept out of sight while visitors are in
the area.
C. Confidential Destruction. Medi-Cal PII must be disposed of through
confidential means, such as cross cut shredding and pulverizing.
D. Removal of Data. Medi-Cal PII must not be removed from the premises of
County Department except for identified routine business purposes or with
express written permission of DHCS.
E. Faxing. Faxes containing Medi-Cal PII shall not be left unattended and fax
machines shall be in secure areas. Faxes shall contain a confidentiality
statement notifying persons receiving faxes in error to destroy them. Fax
numbers shall be verified with the intended recipient before sending the fax.
F. Mailing. Mailings containing Medi-Cal PII shall be sealed and secured from
damage or inappropriate viewing of PII to the extent possible. Mailings that
include 500 or more individually identifiable records containing Medi-Cal PII
in a single package shall be sent using a tracked mailing method that
includes verification of delivery and receipt, unless the prior written
permission of DHCS to use another method is obtained.
X. NOTIFICATION AND INVESTIGATION OF BREACHES AND SECURITY
INCIDENTS
During the term of this PSA, the County Department agrees to implement
reasonable systems for the discovery and prompt reporting of any Breach or
Security Incident, and to take the following steps:
A. Initial Notice to DHCS. (1) To notify DHCS immediately by telephone call
plus email or fax upon the discovery of a breach of unsecured Medi-Cal PII
in electronic media or in any other media if the PII was, or is reasonably
believed to have been, accessed or acquired by an unauthorized person, or
upon the discovery of a suspected security incident that involves data
provided to DHCS by the SSA. (2) To notify DHCS within 24 hours by
email or fax of the discovery of any breach, security incident, intrusion, or
unauthorized access, use, or disclosure of Medi-Cal PII in violation of this
Agreement and this Addendum, or potential loss of confidential data
affecting this Agreement. A breach shall be treated as discovered by the
County Department as of the first day on which the breach is known, or by
exercising reasonable diligence would have been known, to any person
(other than the person committing the breach), who is an employee, officer
or other agent of the County Department. Notice shall be provided to the
DHCS Program Contract Manager, the DHCS Privacy Officer and the
DHCS Information Security Officer. If the incident occurs after business
hours or on a weekend or holiday and involves electronic PII, notice shall be
provided by calling the DHCS ITSD Service Desk. Notice shall be made
using the "DHCS Privacy Incident Report" form, including all information
known at the time. The County Department shall use the most current
version of this form, which is posted on the DHCS Privacy Office website
(www.dhcs.ca.gov, then select "Privacy" in the left column and then "County
Use" near the middle of the page) or use this link:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/CountiesOnly.aspx
Upon discovery of a breach, security incident, intrusion, or unauthorized
access, use, or disclosure of Medi-Cal PII, the County Department shall
take:
1. Prompt corrective action to mitigate any risks or damages involved with
the breach and to protect the operating environment; and
2. Any action pertaining to such unauthorized disclosure required by
applicable Federal and State laws and regulations.
B. Investigation and Investigative Report. To immediately investigate a
breach, security incident, intrusion, or unauthorized access, use, or
disclosure of Medi-Cal PII, within 72 hours of the discovery, the County
Department shall submit an updated "DHCS Privacy Incident Report"
containing the information marked with an asterisk and all other applicable
information listed on the form, to the extent known at that time, to the DHCS
Program Contract Manager, the DHCS Privacy Officer, and the DHCS
Information Security Officer.
C. Complete Report. To provide a complete report of the investigation to the
DHCS Program Contract Manager, the DHCS Privacy Officer, and the
DHCS Information Security Officer within ten working days of the discovery
of a breach, security incident, intrusion, or unauthorized access, use, or
disclosure. The report shall be submitted on the "DHCS Privacy Incident
Report" form and shall include an assessment of all known factors relevant
to a determination of whether a breach occurred under applicable provisions
of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The
report shall also include a full, detailed corrective action plan, including
information on measures that were taken to halt and/or contain the improper
use or disclosure. If DHCS requests information in addition to that listed on
the "DHCS Privacy Incident Report" form, County Department shall make
reasonable efforts to provide DHCS with such information. If necessary, a
Supplemental Report may be used to submit revised or additional
information after the completed report is submitted, by submitting the
revised or additional information on an updated "DHCS Privacy Incident
Report" form. DHCS will review and approve the determination of whether a
breach occurred and individual notifications are required, and the corrective
action plan.
D. Notification of Individuals. When applicable state or federal law requires
DHCS to notify individuals of a breach or unauthorized disclosure of their
Medi-Cal PII, the following provisions apply: If the cause of the breach is
attributable to the County Department or its subcontractors, agents or
vendors, the County Department shall pay any costs of such notifications,
as well as any and all costs associated with the breach. The notifications
shall comply with the requirements set forth in California Civil Code Section
1798.29, and 42 U.S.C. section 17932, and its implementing regulations,
including but not limited to the requirement that the notifications be made
without unreasonable delay and in no event later than 60 calendar days.
The DHCS Program Manager, the DHCS Privacy Officer and the DHCS
Information Security Officer shall approve the time, manner and content of
any such notifications and their review and approval must be obtained
before notifications are made. DHCS may elect to assign responsibility for
such notification to the County Department. In the event DHCS assigns
notification responsibility to the County Department, DHCS shall provide the
County Department with the appropriate direction and procedures to ensure
notice is provided pursuant to applicable law. If the cause of the breach is
attributable to DHCS, DHCS shall pay any costs associated with such
notifications. If there is any question as to whether DHCS or the County
Department is responsible for the breach, DHCS and the County
Department shall jointly determine responsibility for purposes of allocating
the costs of such notices.
E. Responsibility for Reporting of Breaches when Required by State or
Federal Law. If the cause of a breach of Medi-Cal PII is attributable to the
County Department or its agents, subcontractors or vendors, the County
Department is responsible for reporting the breach and all costs associated
with the breach. If the cause of the breach is attributable to DHCS, DHCS is
responsible for reporting the breach and for all costs associated with the
breach. When applicable law requires the breach be reported to a federal or
state agency or that notice be given to media outlets, DHCS and the County
Department shall coordinate to ensure such reporting is in compliance with
applicable law and to prevent duplicate reporting, and to jointly determine
responsibility for purposes of allocating the costs of such reports, if any.
F. DHCS Contact Information. To direct communications to the above
referenced DHCS staff, the County Department shall initiate contact as
indicated herein. DHCS reserves the right to make changes to the contact
information below by giving written notice to the County Department. Said
changes shall not require an amendment to this Addendum or the
Agreement to which it is incorporated.
DHCS Program Contract Manager:
Program Integrity and Security Unit
Policy Operations Branch
Medi-Cal Eligibility Division
1501 Capitol Avenue, MS 4607
P.O. Box 997417
Sacramento, CA 95899-7417
Telephone: (916) 552-9200
DHCS Privacy Officer:
Privacy Officer
c/o: Office of HIPAA Compliance
DHCS Privacy Office, MS 4722
P.O. Box 997413
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646
Fax: (916) 440-7680
DHCS Information Security Officer:
Information Security Officer
DHCS Information Security Office, MS 6400
P.O. Box 997413
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Fax: (916) 440-5537
Telephone: ITSD Service Desk
(916) 440-7000 or
(800) 579-0874
XI. COMPLIANCE WITH SSA AGREEMENT
The County Department agrees to comply with substantive privacy and security
requirements in the Computer Matching and Privacy Protection Act Agreement
between SSA and the California Health and Human Services Agency (CHHS)
and in the Agreement between SSA and DHCS, known as the Information
Exchange Agreement (IEA), which are appended and hereby incorporated into
this Agreement (Exhibit A). The specific sections of the IEA with substantive
privacy and security requirements, which are to be complied with by the County
Department are in the following sections: E, Security Procedures; F,
Contractor/Agent Responsibilities; G, Safeguarding and Reporting
Responsibilities for PII, and in Attachment 4, Electronic Information Exchange
Security Requirements, Guidelines, and Procedures for Federal, State and
Local Agencies Exchanging Electronic Information with SSA. If there is any
conflict between a privacy and security standard in these sections of the IEA
and a standard in this Agreement, the most stringent standard shall apply. The
most stringent standard means the standard which provides the greatest
protection to Medi-Cal PII.
XII. COUNTY DEPARTMENT'S AGENTS AND SUBCONTRACTORS
The County Department agrees to enter into written agreements with any
agents, including subcontractors and vendors, to whom County Department
provides Medi-Cal PII received from or created or received by County
Department in performing functions or activities related to the administration of
Medi-Cal that impose the same restrictions and conditions on such agents,
subcontractors and vendors that apply to County Department with respect to
Medi-Cal PII, including restrictions on disclosure of Medi-Cal PII and the use of
appropriate administrative, physical, and technical safeguards to protect such
Medi-Cal PII. The County Department shall incorporate, when applicable, the
relevant provisions of this PSA into each subcontract or subaward to such
agents, subcontractors and vendors, including the requirement that any breach,
security incident, intrusion, or unauthorized access, use, or disclosure of
Medi-Cal PII be reported to the County Department.
XIII. ASSESSMENTS AND REVIEWS
In order to enforce this Agreement and ensure compliance with its provisions,
the County Department agrees to allow DHCS to inspect the facilities, systems,
books, and records of the County Department, with reasonable notice from
DHCS, in order to perform assessments and reviews. Such inspections shall
be scheduled at times that take into account the operational and staffing
demands. The County Department agrees to promptly remedy any violation of
any provision of this Agreement and certify the same to the DHCS Privacy
Officer and DHCS Information Security Officer in writing, or to enter into a
written corrective action plan with DHCS containing deadlines for achieving
compliance with specific provisions of this Agreement.
XIV. ASSISTANCE IN LITIGATION OR ADMINISTRATIVE PROCEEDINGS
In the event of litigation or administrative proceedings involving DHCS based
upon claimed violations by the County Department of the privacy or security of
Medi-Cal PII, or federal or state laws or agreements concerning privacy or
security of Medi-Cal PII, the County Department shall make all reasonable efforts
to make itself and County Workers assisting in the administration of Medi-Cal
and using or disclosing Medi-Cal PII available to DHCS at no cost to DHCS to
testify as witnesses. DHCS shall also make all reasonable efforts to make itself
and any subcontractors, agents, and employees available to the County
Department at no cost to the County Department to testify as witnesses, in the
event of litigation or administrative proceedings involving the County
Department based upon claimed violations by DHCS of the privacy or security
of Medi-Cal PII, or state or federal laws or agreements concerning privacy or
security of Medi-Cal PII.
XV. AMENDMENT OF AGREEMENT
DHCS and the County Department acknowledge that federal and state laws
relating to data security and privacy are rapidly evolving and that amendment of
this PSA may be required to provide for procedures to ensure compliance with
such developments. Upon request by DHCS, the County Department agrees to
promptly enter into negotiations concerning an amendment to this PSA as may
be needed by developments in federal and state laws and regulations. DHCS
may terminate this PSA upon thirty (30) days written notice if the County
Department does not promptly enter into negotiations to amend this PSA when
requested to do so, or does not enter into an amendment that DHCS deems
necessary.
XVI. TERMINATION
This PSA shall terminate three years after the date it is executed, unless the
parties agree in writing to extend its term. All provisions of this PSA that
provide restrictions on disclosures of Medi-Cal PII and that provide
administrative, technical, and physical safeguards for the Medi-Cal PII in the
County Department's possession shall continue in effect beyond the
termination of the PSA, and shall continue until the Medi-Cal PII is destroyed or
returned to DHCS.
XVII. TERMINATION FOR CAUSE
Upon DHCS' knowledge of a material breach or violation of this Agreement by
the County Department, DHCS may provide an opportunity for the County
Department to cure the breach or end the violation and may terminate this
Agreement if the County Department does not cure the breach or end the
violation within the time specified by DHCS. This Agreement may be terminated