The URL can be used to link to this page

Home My WebLink About32120Exhibit A Program Specifications County of Fresno Contract Number:15-92089 Page 1 Service Overview The California Department of Health Care Services (hereafter referred to as DHCS or Department) administers the Mental Health Services Act,Projects for Assistance in Transition from Homelessness (PATH)and Community Mental Health Services Grant (MHBG)programs and oversees county provision of community mental health services provided with realignment funds. Contractor (hereafter referred to as County in this Exhibit)must meet certain conditions and requirements to receive funding for these programs and community mental health services.This Agreement,which is County's performance contract,as required by Welfare and Institutions Code (W&l)sections 5650(a),5847,and Title 9,California Code of Regulations (CCR),section 3310,sets forth conditions and requirements that County must meet in order to receive this funding.This Agreement does not cover federal financial participation or State general funds as they relate to Medi-Cal services provided through the Mental Health Plan Contracts.County agrees to comply with all of the conditions and requirements described herein. DHCS shall monitor this Agreement to ensure compliance with applicable federal and State law and applicable regulations (W&l §§5610 and 5651.) Service Location The services shall be performed at appropriate sites as described in this contract. Service Hours The services shall be provided during times required by this contract. Project Representatives A.The project representatives during the term of this Agreement will be: Department of Health Care Services Contract Manager:Dina Kokkos-Gonzales Telephone:(916)552-9055 Fax:(916)440-7620 Email:Dina.Kokkos@dhcs.ca.gov B.Direct all inquiries to: Contractor Name Contract Manager:Dawan Utecht Telephone:(559)600-9193 Fax:(559)600-7674 Email:dutecht@co.fresno.ca.us 5. Exhibit A Program Specifications County of Fresno Contract Number:15-92089 Page 2 Department of Health Care Services Contractor's Name Mental Health Services Division/Program Attention:Dawan Utecht Policy Unit 4441 E.Kings Canyon Attention:Dee Taylor Fresno,CA 93702 1500 Capitol Avenue,MS 2702 P.O.Box Number 997413 Sacramento,CA,95899-7413 Telephone:(916)552-9536 Telephone:(559)600-9193 Fax:(916)440-7620 Fax:(559)600-7674 Email:Dee.Taylor@dhcs.ca.gov Email:dutecht@co.fresno.ca.us C.Either party may make changes to the information above by giving written notice to the other party.Said changes shall not require an amendment to this Agreement. Services to be Performed County shall adhere to the program principles and,to the extent funds are available,County shall provide the array of treatment options in accordance with Welfare and Institutions Code sections 5600.2 through 5600.9,inclusive. A.GENERAL REQUIREMENTS FOR AGREEMENT County shall comply with all of the requirements Section A.1 of this Provision for all County mental health programs,including those specified in Sections B, C and D.County shall provide all of the data and information specified in Section A.2 to the extent that the data and information is required for each of the County mental health programs,including those specified in Sections B, C and D of this Provision,for which it receives federal or State funds. 1) W&l section 5651 provides specific assurances,listed below,that must be included in this Agreement.County shall: a.Comply with the expenditure requirements of W&l Section 17608.05, b.Provide services to persons receiving involuntary treatment as required by Part 1 (commencing with Section 5000)and Part 1.5 (commencing with Section 5585)of Division 5 of the Welfare and Institution Code, c.Comply with all of the requirements necessary for Medi-Cal reimbursement for mental health treatment services and case management programs provided to Medi-Cal eligible individuals,including,but not limited to,the provisions set forth in Chapter 3 (commencing with Section 5700)of the Welfare and Institutions Code,and submit cost reports and other data to DHCS in the form and manner determined by the DHCS, d.Ensure that the Local Mental Health Advisory Board has reviewed and approved procedures ensuring citizen and professional involvement at all stages of the planning process pursuant to W&l section 5604.2, e.Comply with all provisions and requirements in law pertaining to patient rights, County of Fresno Contract Number:15-92089 Page 3 Exhibit A Program Specifications f.Comply with all requirements in federal law and regulation pertaining to federally funded mental health programs, g.Provide all data and information set forth in Sections 5610,5664 and 5845(d)(6)of the Welfare and Institutions Code, h. If the County elects to provide the services described in Chapter 2.5 (commencing with Section 5670)of Division 5 of the Welfare and Institution Code,comply with guidelines established for program initiatives outlined in this chapter,and i.Comply with all applicable laws and regulations for all services delivered,including all laws,regulations,and guidelines of the Mental Health Services Act. 2)County shall comply with all data and information submission requirements specified in this Agreement. a.County shall provide all applicable data and information required by federal and/or State law in order to receive any funds to pay for its mental health programs and services, including but not limited to its MHSA programs,PATH grant (if the County receives funds from this grant)or MHBG grant.These federal and State laws include,Title 42,United States Code,sections 290cc-21 through 290cc-35 and 300x through 300x-9,inclusive, W&l sections 5610 and 5664 and the regulations that implement,interpret or make specific,these federal and State laws and any DHCS-issued guidelines that relate to the programs or services. b.County shall comply with the reporting requirements set forth in Division 1 of Title 9 of the California Code of Regulations (CCR)and any other reporting requirements for which County receives federal or State funding source for mental health programs. County shall submit complete and accurate information to DHCS including,but not limited,to the following: i.Client and Service Information (CSI)System Data (See Subparagraph c of this Paragraph) ii.MHSA Quarterly Progress Reports,as specified in Title 9,CCR,section 3530.20. MHSA Quarterly Progress Reports provide the actual number of clients served by MHSA-funded program.Reports are submitted on a quarterly basis. iii.Full Service Partnership Performance Outcome data,as specified in Title 9,CCR, section 3530.30. iv.Consumer Perception Survey data,as specified in Title 9,CCR,section 3530.40. v.County shall submit the Annual Mental Health Services Act Revenue and Expenditure Report to DHCS and the Mental Health Services Oversight and Accountability Commission (MHSOAC),pursuant to W&l section 5899(a)and Title 9, CCR,section 3510 and DHCS-issued guidelines. c.County shall submit CSI data to DHCS, in accordance with the requirements set forth in the DHCS'CSI Data Dictionary.County shall: County of Fresno Contract Number:15-92089 Page 4 Exhibit A Program Specifications i.Report monthly CSI data to DHCS within 60 calendar days after the end of the month in which services were provided. ii.Report within 60 calendar days or be in compliance with an approved plan of correction the DHCS's CSI Unit. iii.Make diligent efforts to minimize errors on the CSI error file. iv. Notify DHCS 90 calendar days prior to any change in reporting system and/or change of automated system vendor. d. In the event that DHCS or County determines that changes requiring a change in County's or DHCS'obligation must be made relating to either the DHCS'or County's information needs due to federal or state law changes or business requirements,both the DHCS and County agree to provide notice to the other party as soon as practicable prior to implementation.This notice shall include information and comments regarding the anticipated requirements and impacts of the projected changes.DHCS and County agree to meet and discuss the design,development,and costs of the anticipated changes prior to implementation. e. If applicable to a specific federal or State funding source covered by this Agreement, County shall require each of its subcontractors to submit a fiscal year-end cost report, due to DHCS no later than December 31 following the close of the fiscal year,in accordance with applicable federal and State laws regulations and DHCS-issued guidelines. f. If applicable to a specific federal or State funding source covered by this Agreement, County shall comply with W&l section 5751.7 and ensure that minors are not admitted into inpatient psychiatric treatment with adults.If the health facility does not have specific separate housing arrangements,treatment staff,and treatment programs designed to serve children or adolescents it must request a waiver of this requirement from DHCS as follows: i. If this requirement creates an undue hardship on County,County may request a waiver of this requirement.County shall submit the waiver request on Attachment I of this Agreement,to DHCS. ii.DHCS shall review County's waiver request and provide a written notice of approval or denial of the waiver.If County's waiver request is denied,it shall comply with the provision of W&l section 5751.7. iii.County shall submit,the waiver request to DHCS at the time County submits this Agreement,signed by County,to DHCS for execution.County shall complete Attachment I,including responses to items 1 through 4 and attach itto this Agreement.See Exhibit A,Attachment I,entitled "Request For Waiver"of this Agreement for additional submission information. Execution of this Agreement shall not constitute approval of any waiver submitted pursuant to this section. County of Fresno Contract Number:15-92089 Page 5 Exhibit A Program Specifications Any waiver granted in the prior fiscal year's contract shall be deemed to continue until either party chooses to discontinue it.Execution of this contract shall continue independently of the waiver review and approval process. iv. In unusual or emergency circumstances,when County needs to request waivers after the annual Performance Contract has been executed,these requests should be sent immediately to:Licensing and Certification Section,Program Oversight and Compliance Branch,California Department of Health Care Services,P.O.Box 997413,MS 2703,Sacramento,CA 95899-7413,Phone:(916)319-0985. v.Each admission of a minor to a facility that has an approved waiver shall be reported to the Local Mental Health Director. g.If County chooses to participate in the Assisted Outpatient Treatment program (AOT) Demonstration Project Act of 2002 it shall be required to comply with all applicable statutes including,but not limited to, W&l sections 5345 through 5349.5,inclusive.In addition,County shall submit to DHCS any documents that DHCS requests as part of its statutory responsibilities in accordance with DHCS Letter No.:03-01 dated March 20, 2003. h.For all mental health funding sources received by County that require submission of a cost report,County shall submit a fiscal year-end cost report by December 31st following the close of the fiscal year in accordance with County's existing or future mental health programs applicable federal and State law.State law includes at least W&l section 5705,applicable regulations and DHCS-issued guidelines.The cost report shall be certified by the mental health director and one of the following:the County mental health departments chief financial officer (or equivalent),and individual who has delegated authority to sign for,and reports directly to the county mental health department's chief financial officer (or equivalent),or the county's auditor-controller (or equivalent).Data submitted shall be full and complete.The County shall also submit a reconciled cost report certified by the mental health director and the county's auditor-controller as being true and correct,no later than 18 months after the close of the following fiscal year. If the County does not submit the cost reports by the reporting deadlines or does not meet the other requirements,DHCS shall request a plan of correction with specific timelines (W&l §5897 (d)). If County does not submit cost reports by the reporting deadlines or the County does not meet the other requirements,DHCS may,after a hearing held with no less than 20 days-notice to the county mental health director (W&l § 5655)withhold payments from the MHS Fund until the County is in compliance with W&l section 5664. B.THE MENTAL HEALTH SERVICES ACT PROGRAM 1)Program Description Proposition 63,which created the Mental Health Services Act (MHSA),was approved by the voters of California on November 2,2004.The Mental Health Services (MHS)Fund,which provides funds to counties for the implementation of its MHSA programs,was established pursuant to W&l section 5890.The MHSA was designed to expand California's public mental health programs and services through funding received by a one percent tax on incomes in excess of $1 million.Counties use this funding for projects and programs for prevention and early intervention,community services and supports,workforce development County of Fresno Contract Number:15-92089 Page 6 Exhibit A Program Specifications and training,innovation,plus capital facilities and technological needs through mental health projects and programs.The State Controller distributes MHS Funds to the counties to plan for and provide mental health programs and other related activities outlined in a county's three-year program and expenditure plan or annual update.MHS Funds are distributed by the State Controller's Office to the counties on a monthly basis. DHCS shall monitor County's use of MHS Funds to ensure that the county meets the MHSA and MHS Fund requirements.(W&l section 5651(c).) 2)Issue Resolution Process County shall have an Issue Resolution Process (Process)to handle client disputes related to the provision of their mental health services.The Process shall be completed in an expedient and appropriate manner.County shall develop a log to record issues submitted as part of the Process.The log shall contain the date the issue was received;a brief synopsis of the issue;the final issue resolution outcome;and the date the final issue resolution was reached. 3)Revenue and Expenditure Report Countyshall submit its Revenue and ExpenditureReport (RER)byDecember 31st following the close of the fiscal year in accordance with W&l sections 5705 and 5899,regulations and DHCS-issued guidelines.The RER shall be certified by the mental health director and the County's auditor-controller (or equivalent),using the DHCS-issued certification form.Data submitted shall be full and complete. If County does not submit the RER by the reporting deadlines or the RER does not meet the requirements,DHCS shall request a plan of correction with specific timelines (W&l § 5897(d)).If the RER is not timely submitted,or does not meet the requirements,DHCS may,after a hearing held with no less than 20 days-notice to the county mental health director (withhold payments from the MHS Fund until the County submits a complete RER. (WIC 5655,9 CCR 3510(c). 4)Distribution and Use of Local Mental Health Services Funds: a.W&l section 5891 provides that,commencing July 1,2012, on or beforethe 15th dayof each month,pursuant to a methodology provided by DHCS,the State Controller shall distribute to County's Local Mental Health Service Fund,established by County pursuant to W&l section 5892(f),all unexpended and unreserved funds on deposit as of the last day of the prior month in the Mental Health Services Fund for the provision of specified programs and other related activities. b.County shall allocate the monthly Local MHS Fund in accordance with W&l section 5892 as follows : i.Twenty percent of the funds shall be used for prevention and early intervention (PEI) programs in accordance with Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840).The expenditure for PEI may be increased by County if DHCS determines that the increase will decrease the need and cost for additional services to severely mentally ill persons in County by an amount at least commensurate with the proposed increase. County of Fresno Contract Number:15-92089 Page 7 Exhibit A Program Specifications ii.The balance of funds shall be distributed to County's mental health programs for services to persons with severe mental illnesses pursuant to Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850),for the children's system of care and Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800),for the adult and older adult system of care. iii.Five percent of the total funding for the County's mental health programs established pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800),Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840),and Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850)shall be utilized for innovative programs in accordance with W&l sections 5830,5847 and 5848. iv.Programs for services pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800),and Part 4 of Division 5 of the Welfare & Institutions Code (commencing with Section 5850)may include funds for technological needs and capital facilities,human resource needs,and a prudent reserve to ensure services do not have to be significantly reduced in years in which revenues are below the average of previous years.The total allocation for these purposes shall not exceed 20 percent of the average amount of funds allocated to County for the previous five years. v.Allocations in Subparagraphs i.through iii.above,include funding for annual planning costs pursuant to W&l section 5848.The total of these costs shall not exceed five percent of the total annual revenues received for the Local MHS Fund. The planning costs shall include moneys for County's mental health programs to pay for the costs of having consumers,family members,and other stakeholders participate in the planning process and for the planning and implementation required for private provider contracts to be significantly expanded to provide additional services. c.County shall use Local MHS Fund monies to pay for those portions of the mental health programs/services for children and adults for which there is no other source of funds available.(W&l §§5813.5(b),5878.3(a)and 9 CCR 3610(d). d.County shall only use Local MHS Funds to expand mental health services.These funds shall not be used to supplant existing state or county funds utilized to provide mental health services.These funds shall only be used to pay for the programs authorized in W&l section 5892.These funds may not be used to pay for any other program and may not be loaned to County's general fund or any other County fund for any purpose.(W&l §5891.) e.All expenditures for County mental health programs shall be consistent with a currently approved three-year program and expenditure plan or annual update pursuant to W&l section 5847.(W&l §5892(g).) 5)Three-Year Program and Expenditure Plan and Annual Updates: a.County shall prepare and submit a three-year program and expenditure plan,and annual updates,adopted by County's Board of Supervisors,to the Mental Health Services Oversight and Accountability Commission (MHSOAC) and the Department of Health Care Services (DHCS)within 30 calendar days after adoption.The three-year program and expenditure plan and annual updates shall include all of the following: County of Fresno Contract Number:15-92089 Page 8 Exhibit A Program Specifications i. A program for Prevention and Early Intervention (PEI) in accordance with Part 3.6 of Division 5 of the Welfare and Institutions Code (commending with Section 5840). ii. A program for services to children in accordance with Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850),to include a wraparound program pursuant to Chapter 4 of Part 6 of Division 9 of the Welfare and Institutions Code (commencing with Section 18250),or provide substantial evidence that it is not feasible to establish a wraparound program in the County. iii.A program for services to adults and seniors in accordance with Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800). iv. A program for innovations in accordance with Part 3.2 of Division 5 of the Welfare and Institutions Code (commencing with Section 5830).Counties shall expend funds for their innovation programs upon approval by the Mental Health Services Oversight and Accountability Commission. v. A program for technological needs and capital facilities needed to provide services pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800),Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840),and Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850).All plans for proposed facilities with restrictive settings shall demonstrate that the needs of the people to be served cannot be met in a less restrictive or more integrated setting. vi.Identification of shortages in personnel to provide services pursuant to the above programs and the additional assistance needed from the education and training programs established pursuant to Part 3.1 of Division 5 of the Welfare and Institutions Code (commencing with Section 5820)and Title 9,CCR,section 3830(b). vii.Establishment and maintenance of a prudent reserve to ensure the County program will continue to be able to serve children,adults,and seniors that it is currently serving pursuant to Part 3 of Division 5 of the Welfare and Institutions Code (commencing with Section 5800),Part 3.6 of Division 5 of the Welfare and Institutions Code (commencing with Section 5840),and Part 4 of Division 5 of the Welfare and Institutions Code (commencing with Section 5850),during years in which revenues for the MHS Fund are below recent averages adjusted by changes in the state population and the California Consumer Price Index. viii.Certification by County's mental health director,which ensures that County has complied with all pertinent regulations,laws,and statutes of the MHSA,including stakeholder participation and non-supplantation requirements. ix.Certification by County's Mental Health Director and County's Auditor-Controller that the County has complied with any fiscal accountability requirements as directed by DHCS,and that all expenditures are consistent with the requirements of the MHSA. County shall include services in the programs described in Subparagraphs 5.a.i.through 5.a.v.,inclusive,to address the needs of transition age youth between the ages of 16 County of Fresno Contract Number:15-92089 Page 9 Exhibit A Program Specifications years old to 25 years old,including the needs of transition age foster youth pursuant to W&l section 5847(c). c.County shall prepare expenditure plans for the programs described in Subparagraphs 5.a.i.through 5.a.v.,inclusive,and annual expenditure updates.Each expenditure plan update shall indicate the number of children,adults,and seniors to be served,and the cost per person.(W&l §5847(e)). d.County's three-year program and expenditure plan and annual updates shall include reports on the achievement of performance outcomes for services pursuant to the Adult and Older Adult Mental Health System of Care Act,Prevention and Early Intervention, and the Children's Mental Health Services Act funded by the MHS Fund and established jointly by DHCS and the MHSOAC,in collaboration with the California Mental Health Director's Association.(W&l §5848(c)).County contracts with providers shall include the performance goals from the County's three-year program and expenditure plan and annual updates that apply to each provider's programs and services. e.County's three-year program and expenditure plan and annual update shall consider ways to provide services that are similar to those established pursuant to the Mentally III Offender Crime Reduction Grant Program.Funds shall not be used to pay for persons incarcerated in state prison or parolees from state prisons.(W&l §5813.5(f)) 6)Planning Requirements and Stakeholder Involvement: a.County shall develop its three-year program and expenditure plan and annual update with local stakeholders,including adults and seniors with severe mental illness,families of children,adults,and seniors with severe mental illness,providers of services,law enforcement agencies,education,social services agencies,veterans,representatives from veterans organizations,providers of alcohol and drug services,health care organizations,and other important interest.Counties shall demonstrate a partnership with constituents and stakeholders throughout the process that includes meaningful stakeholder involvement on mental health policy,program planning,and implementation, monitoring,quality improvement,evaluation,and budget allocations.County shall prepare and circulate a draft plan and update for review and comment for at least 30 calendar days to representatives of stakeholders interest and any interested party who has requested a copy of the draft plans.(W&l §5848(a)) b.County's mental health board,established pursuant to W&l section 5604,shall conduct a public hearing on the County's draft three-year program and expenditure plan and annual updates at the close of the 30 calendar day comment period.Each adopted three-year program and expenditure plan or annual update shall summarize and analyze substantive recommendations and describe substantive changes to the three-year program and expenditure plan and annual updates.The County's mental health board shall review the adopted three-year program and expenditure plan and annual updates and make recommendations to County's mental health department for amendments. (W&l §5848(b)and Title 9,CCR,§3315.) 7)County Requirements for Handling MHSA Funds a.County shall place all funds received from the State MHS Fund into a Local MHS Fund. The Local MHS Fund balance shall be invested consistent with other County funds and County of Fresno Contract Number:15-92089 Page 10 Exhibit A Program Specifications the interest earned on the investments shall be transferred into the Local MHS Fund. (W&l §5892(f).) b.The earnings on investment of these funds shall be available for distribution from the fund in future years.(W&l §5892 (f).) c.Other than funds placed in a reserve in accordance with an approved plan,any funds allocated to County which it has not spent for the authorized purpose within the three years shall revert to the State.County may retain MSHA Funds for capital facilities, technological needs,or education and training for up to 10 years before reverting to the State.(W&l §5892(h).) d.When accounting for all receipts and expenditures of MHSA funds,County must adhere to uniform accounting standards and procedures that conform to the Generally Accepted Accounting Principles (GAAP),as prescribed by the State Controller in Title 2, CCR,Div. 2, Ch. 2,Subchapter 1,Accounting Procedures for Counties,sections 901- 949,and a manual,which is currently entitled "Accounting Standards and Procedures for Counties"and available at http://www.sco.ca.gov/pubs_guides.html.(Government Code section 30200) 8)Department Compliance Investigations: DHCS may investigate County's performance of the Mental Health Services Act related provisions of this Agreement and compliance with the provisions of the Mental Health Services Act,and relevant regulations.In conducting such an investigation DHCS may inspect and copy books,records,papers,accounts,documents and any writing as defined by Evidence Code Section 250 that is pertinent or material to the investigation of the County.For purposes of this Paragraph "provider"means any person or entity that provides services,goods,supplies or merchandise,which are directly or indirectly funded pursuant to MHSA. (Gov.Code §§11180, 11181,11182 and W&l Code §14124.2.) 9)County Breach,Plan of Correction and Withholding of State Mental Health Funds: a.If DHCS determines that County is out-of-compliance with the Mental Health Services Act related provisions of this Agreement,DHCS may request that County submit a plan of correction,including a specific timeline to correct the deficiencies,to DHCS.(W&l § 5897(d).) b. In accordance with Welfare and Institutions Code Section 5655,if DHCS considers County to be substantially out-of-compliance with any provision of the Mental Health Services Act or relevant regulations,including all reporting requirements,the director shall order County to appear at hearing before the Director or the Director's designee to show cause why the Department should not take administrative action.County shall be given twenty at least (20)day notice before the hearing. c. If the Director determines that there is or has been a failure,in a substantial manner,on the part of County to comply with any provision of this code,any regulations including reporting,and that administrative sanctions are necessary,the Department may invoke any,or any combination of,the following sanctions: i.Withhold part or all state mental health funds from County;and/or County of Fresno Contract Number:15-92089 Page 11 Exhibit A Program Specifications ii.Require County to enter into negotiations with DHCS to agree on a plan for County to address County's non-compliance.(W&l §5655.) C.PROJECTS FOR ASSISTANCE IN TRANSITION FROM HOMELESSNESS (PATH) PROGRAM (Title 42,United States Code,sections 290cc-21 through 290cc-35, inclusive) Pursuant to Title 42,United State Code,sections 290cc-21 through 290cc-35,inclusive,the State of California has been awarded federal homeless funds through the federal McKinney Projects for Assistance in Transition from Homelessness (PATH)formula grant.The PATH grant funds community based outreach,mental health and substance abuse referral/treatment,case management and other support services,as well as a limited set of housing services for the homeless mentally ill. While county mental health programs serve thousands of homeless persons with realignment funds and other local revenues,the PATH grant augments these programs by providing services to approximately 8,300 additional persons annually.The county determines its use of PATH funds based on county priorities and needs. If County wants to receive PATH funds,it shall submit its RFA responses and required documentation specified in DHCS'Request for Application (RFA).County shall complete its RFA responses in accordance with the instructions,enclosures and attachments available on the DHCS website at: http://www.dhcs.ca.gov/services/MH/Paqes/PATH.aspx. If County applied for and DHCS approved its request to receive PATH grant funds,the RFA, County's RFA responses and required documentation,and DHCS'approval constitute provisions of this Agreement and are incorporated by reference herein.County shall comply with all provisions of the RFA and the County's RFA responses in order to receive its PATH grant funds. D.COMMUNITY MENTAL HEALTH SERVICES GRANT (MHBG)PROGRAM (Title 42,United States Code section 300x-1 et seq.) DHCS awards federal Community Mental Health Services Block Grant funds (known as Mental Health Block Grant (MHBG)) to counties in California.The county mental health agencies provide a broad array of mental health services within their mental health system of care (SOC)programs.These programs provide services to the following target populations:children and youth with serious emotional disturbances (SED),adults and older adults with serious mental illnesses (SMI). The MHBG funds provide the counties with a stable,flexible,and non-categorical funding base that the counties can use to develop innovative programs or augment existing programs within their SOC.The MHBG funds also assist the counties in providing an appropriate level of community mental health services to the most needy individuals inthe target populations who have a mental health diagnosis,and/or individuals who have a mental health diagnosis with a co-occurring substance abuse disorder. If County wants to receive MHBG funds, itshall submit its RFA responses and required documentation specified in DHCS' RFA.County shall complete its RFA responses in County of Fresno Contract Number:15-92089 Page 12 Exhibit A Program Specifications accordance with the instructions,enclosures and attachments available on the DHCS website at: http://www.dhcs.ca.gov/services/MH/Paqes/MHBG.aspx. If County applied for and DHCS approved its request to receive MHBG grant funds,the RFA,County's RFA responses and required documentation,and DHCS'approval constitute provisions of this Agreement and are incorporated by reference herein.County shall comply with all provisions of the RFA and the County's RFA responses in order to receive its MHBG grant funds. E.SPECIAL TERMS AND CONDITIONS 1.Audit and Record Retention (Applicable to agreements in excess of $10,000) a.County and/or Subcontractor(s)shall maintain books,records,documents,and other evidence,accounting procedures and practices,sufficient to properly support all direct and indirect costs of whatever nature claimed to have been incurred in the performance of this Agreement,including any matching costs and expenses.The foregoing constitutes "records"for the purposes of this provision. b.County's and/or Subcontractor's facility or office or such part thereof as may be engaged in the performance of this Agreement and his/her records shall be subject at all reasonable times to inspection,audit,and reproduction. c.County agrees that DHCS,the Department of General Services,the Bureau of State Audits,or their designated representatives including the Comptroller General of the United States shall have the right to review and copy any records and supporting documentation pertaining to the performance of this Agreement.County agrees to allow the auditor(s)access to such records during normal business hours and to allow interviews of any employees who might reasonably have information related to such records.Further,County agrees to include a similar right of the State to audit records and interview staff in any subcontract related to performance of this Agreement. d.County and/or Subcontractor(s)shall preserve and make available his/her records (1) for a period of three years from the date of final payment under this Agreement,and (2) for such longer period,if any,as is required by applicable statute,by any other provision of this Agreement,or by subparagraphs (1) or (2)below. 1) If this Agreement is completely or partially terminated,the records relating to the work terminated shall be preserved and made available for a period of three years from the date of any resulting final settlement. 2) If any litigation, claim,negotiation,audit,or other action involving the records has been started before the expiration of the three-year period,the records shall be retained until completion of the action and resolution of all issues which arise from it, or until the end of the regular three-year period,whichever is later. e.County and/or Subcontractor(s)shall comply with the above requirements and be aware of the penalties for violations of fraud and for obstruction of investigation as set forth in Public Contract Code §10115.10,if applicable. f.County and/or Subcontractor(s)may, at its discretion,following receipt of final payment under this Agreement,reduce its accounts,books,and records related to this Agreement to microfilm,computer disk, CD ROM, DVD, or other data storage medium.Upon request by an authorized representative to inspect,audit or obtain copies of said records,County and/or Subcontractor(s)must supply or make available applicable devices,hardware,and/or software necessary to view,copy,and/or print said records. County of Fresno Contract Number:15-92089 Page 13 Exhibit A Program Specifications Applicable devices may include,but are not limited to,microfilm readers and microfilm printers,etc. g.County shall,if applicable,comply with the Single Audit Act and the audit reporting requirements set forth in OMB Circular A-133. 2.Dispute Resolution Process a. A Contractor/County grievance exists whenever there is a dispute arising from DHCS' action in the administration of an Agreement.If there is a dispute or grievance between County and DHCS,County must seek resolution using the procedure outlined below. 1)County should first informally discuss the problem with the DHCS Program Contract Manager.If the problem cannot be resolved informally,County shall direct its grievance together with any evidence,in writing,to the program Branch Chief.The grievance shall state the issues in dispute,the legal authority or other basis for County's position and the remedy sought.The Branch Chief shall render a decision within ten (10)working days after receipt of the written grievance from County.The Branch Chief shall respond in writing to County indicating the decision and reasons therefore.If County disagrees with the Branch Chief's decision,County may appeal to the second level. 2)When appealing to the second level,County must prepare an appeal indicating the reasons for disagreement with Branch Chiefs decision.County shall include with the appeal a copy of the County's original statement of dispute along with any supporting evidence and a copy of the Branch Chief's decision.The appeal shall be addressed to the Deputy Director of the division in which the branch is organized within ten (10)working days from receipt of the Branch Chiefs decision.The Deputy Director of the division in which the branch in organized or his/her designee shall meet with County to review the issues raised.A written decision signed by the Deputy Director of the division in which the branch is organized or his/her designee shall be directed to County within twenty (20) workings days of receipt of the County's second level appeal. b. If County wishes to appeal the decision of the Deputy Director of the division in which the branch is organized or his/her designee,County shall follow the procedures set forth in Health and Safety Code Section 100171. c.Unless otherwise stipulated in writing by DHCS,all dispute,grievance and/or appeal correspondence shall be directed to the DHCS Program Contract Manager. d.There are organizational differences within DHCS'funding programs and the management levels identified in this dispute resolution provision may not apply in every contractual situation.When a grievance is received and organizational differences exist, County shall be notified in writing by the DHCS Program Contract Manager of the level, name,and/or title of the appropriate management official that is responsible for issuing a decision at a given level. 3.Novation a. If County proposes any novation agreement,DHCS shall act upon the proposal within 60 days after receipt of the written proposal.DHCS may review and consider the proposal, consult and negotiate with County,and accept or reject all or part of the proposal. Acceptance or rejection of the proposal may be made orally within the 60-day period and confirmed in writing within five days of said decision.Upon written acceptance of the proposal,DHCS will initiate an amendment to this Agreement to formally implement the approved proposal. NOT APPLICABLE County ofFresno Contract Number:15-92089 Page 1 Exhibit A,Attachment I Request for Waiver Request for Waiver Pursuant To Section 5751.7 of the Welfare and Institutions Codes hereby requests a waiver for the following public or private health facilities pursuant to Section 5751.7 of the Welfare and Institutions Code for the term of this contract.These are facilities where minors may be provided psychiatric treatment with nonspecific separate housing arrangements,treatment staff,and treatment programs designed to serve minors.However,no minor shall be admitted for psychiatric treatment into the same treatment ward as an adult receiving treatment who is in the custody of any jailor for a violent crime,is a known registered sex offender,or has a known history of, or exhibits inappropriate sexual or other violent behavior which would present a threat to the physical safety of others. The request for waiver must include,as an attachment,the following: 1.A description of the hardship to the County/City due to inadequate or unavailable alternative resources that would be caused by compliance with the state policy regarding the provision of psychiatric treatment to minors. 2.The specific treatment protocols and administrative procedures established by the County/City for identifying and providing appropriate treatment to minors admitted with adults. 3.Name,address,and telephone number of the facility •Number of the facility's beds designated for involuntary treatment •Type of facility,license(s),and certification(s)held (including licensing and certifying agency and license and certificate number) • A copy of the facility's current license or certificate and description of the program, including target population and age groups to be admitted to the designated facility. 4. The County Board of Supervisors'decision to designate a facility as a facilityfor evaluation and treatment pursuant to Welfare and Institutions Codes 5150,5585.50,and 5585.55. Execution of this Agreement shall not constitute approval of this waiver.Full execution of this contract will continue independently of the waiver review and approval process. Any waiver granted in the prior fiscal year's Agreement shall be deemed to continue until either party chooses to discontinue it. To rescind the county's designation of a designated facility,the county shall send a letter to the Department on official letterhead signed by the County Mental Health Director or his or her designee indicating that the county no longer designates the particular facility.If not otherwise specified by the host county in the letter to the Department,the discontinuance shall be effective the date the letter to the Department is postmarked and the facility shall no longer be approved as a designated facility as of this date. County of Fresno 15-92089 Page 1 Exhibit B Funds Provision Budget Contingency Clause A. It is mutually agreed that if the Budget Act of the current year and/or any subsequent years covered under this Agreement does not appropriate sufficient funds for the program,this Agreement shall be of no further force and effect.In this event,DHCS shall have no liabilityto pay any funds whatsoever to County of Fresno or to furnish any other considerations under this Agreement and County of Fresno shall not be obligated to perform any provisions of this Agreement. B. If funding for any fiscal year is reduced or deleted by the Budget Act for purposes of this program,DHCS shall have the option to either cancel this Agreement with no liability occurring to DHCS,or offer an agreement amendment to County of Fresno to reflect the reduced amount. GTC610 EXHIBIT C GENERAL TERMS AND CONDITIONS 1.APPROVAL:This Agreement is of no force or effect until signed by both parties and approved by the Department of General Services,if required.Contractor may not commence performance until such approval has been obtained. 2.AMENDMENT:No amendment or variation of the terms of this Agreement shall be valid unless made in writing,signed by the parties and approved as required.No oral understanding or Agreement not incorporated in the Agreement is binding on any of the parties. 3.ASSIGNMENT:This Agreement is not assignable by the Contractor,either in whole or in part,without the consent of the State in the form of a formal written amendment. 4. AUDIT:Contractor agrees that the awarding department,the Department of General Services, the Bureau of State Audits,or their designated representative shall have the right to review and to copy any records and supporting documentation pertaining to the performance of this Agreement.Contractor agrees to maintain such records for possible audit for a minimum of three (3) years after final payment, unless a longer period of records retention is stipulated. Contractor agrees to allow the auditor(s)access to such records during normal business hours and to allow interviews of any employees who might reasonably have information related to such records. Further,Contractor agrees to include a similar right of the State to audit records and interview staff in any subcontract related to performance of this Agreement.(Gov. Code §8546.7,Pub. Contract Code §10115 et seq.,CCR Title 2,Section 1896). 5.INDEMNIFICATION:Contractor agrees to indemnify,defend and save harmless the State, its officers, agents and employees from any and all claims and losses accruing or resulting to any and all contractors,subcontractors,suppliers,laborers,and any other person, firm or corporation furnishing or supplying work services, materials, or supplies in connection with the performance of this Agreement, and from any and all claims and losses accruing or resulting to any person, firm or corporation who may be injured or damaged by Contractor in the performance of this Agreement. 6. DISPUTES:Contractor shall continue with the responsibilities under this Agreement during any dispute. 7.TERMINATION FOR CAUSE:The State may terminate this Agreement and be relieved of anypaymentsshould the Contractorfail to performthe requirementsof this Agreementat the time and in the manner herein provided. In the event of such termination the State may proceed with the work in any manner deemed proper by the State. All costs to the State shall be deducted from any sum due the Contractor under this Agreement and the balance,if any, shall be paid to the Contractor upon demand. 8. INDEPENDENT CONTRACTOR. Contractor, and the agents and employees of Contractor, in the performance of this Agreement, shall act in an independent capacity and not as officers or employees or agents of the State. 9. RECYCLING CERTIFICATION: The Contractor shall certify in writing under penalty of perjury, the minimum,if not exact,percentage of post consumer material as defined in the Public Contract Code Section 12200,in products, materials, goods, or supplies offered or sold to the State regardless of whether the product meets the requirements of Public Contract Code Section 12209.With respect to printer or duplication cartridges that comply with the requirements of Section 12156(e),the certification required by this subdivision shall specify that the cartridges so comply (Pub.Contract Code §12205). 10.NON-DISCRIMINATION CLAUSE: During the performance of this Agreement, Contractor and its subcontractors shall not unlawfully discriminate,harass, or allow harassment against any employee or applicant for employment because of sex, race, color, ancestry, religious creed, national origin, physical disability (including HIV and AIDS), mental disability, medical condition (e.g., cancer), age (over 40), marital status, and denial of family care leave. Contractor and subcontractors shall insure that the evaluation and treatment of their employees and applicants for employment are free from such discrimination and harassment.Contractor and subcontractors shall comply with the provisions of the Fair Employment and Housing Act (Gov. Code §12990 (a-f) et seq.) and the applicable regulations promulgated thereunder (California Code of Regulations, Title 2, Section 7285 et seq.). The applicable regulations of the Fair Employment and Housing Commission implementing Government Code Section 12990 (a-f), set forth in Chapter 5 of Division 4 of Title 2 of the California Code of Regulations, are incorporated into this Agreement by reference and made a part hereof as if set forth in full.Contractor and its subcontractors shall give written notice of their obligations under this clause to labor organizations with which they have a collective bargaining or other Agreement. Contractor shall include the nondiscrimination and compliance provisions of this clause in all subcontracts to perform work under the Agreement. 11.CERTIFICATION CLAUSES:The CONTRACTOR CERTIFICATION CLAUSES contained in the document CCC 307 are hereby incorporated by reference and made a part of this Agreement by this reference as if attached hereto. 12.TIMELINESS:Time is of the essence in this Agreement. 13.COMPENSATION:The consideration to be paid Contractor,as provided herein, shall be in compensation for all of Contractor's expenses incurred in the performance hereof,including travel,per diem,and taxes,unless otherwise expressly so provided. 14.GOVERNING LAW:This contract is governed by and shall be interpreted in accordance with the laws of the State of California. 15.ANTITRUST CLAIMS:The Contractor by signing this agreement hereby certifies that if these services or goods are obtained by means of a competitive bid, the Contractor shall comply with the requirements of the Government Codes Sections set out below. a. The Government Code Chapter on Antitrust claims contains the following definitions: 1) "Public purchase"means a purchase by means of competitive bids of goods, services, or materials by the State or any of its political subdivisions or public agencies on whose behalf the Attorney General may bring an action pursuant to subdivision (c)of Section 16750 of the Business and Professions Code. 2) "Public purchasing body" means the State or the subdivision or agency making a public purchase.Government Code Section 4550. b. In submitting a bid to a public purchasing body, the bidder offers and agrees that if the bid is accepted,it will assign to the purchasing body all rights, title, and interest in and to all causes of action it may have under Section 4 of the Clayton Act (15 U.S.C. Sec.15)or under the Cartwright Act (Chapter 2 (commencing with Section 16700)of Part 2 of Division 7 of the Business and Professions Code),arising from purchases of goods,materials,or services by the bidder for sale to the purchasing body pursuant to the bid.Such assignment shall be made and become effective at the time the purchasing body tenders final payment to the bidder. Government Code Section 4552. c. If an awarding body or public purchasing body receives,either through judgment or settlement,a monetary recovery for a cause of action assigned under this chapter,the assignor shall be entitled to receive reimbursement for actual legal costs incurred and may, upon demand, recover from the public body any portion of the recovery,including treble damages,attributable to overcharges that were paid by the assignor but were not paid by the public body as part of the bid price, less the expenses incurred in obtaining that portion of the recovery.Government Code Section 4553. d.Upon demand in writing by the assignor,the assignee shall,within one year from such demand,reassign the cause of action assigned under this part if the assignor has been or may have been injured by the violation of law for which the cause of action arose and (a) the assignee has not been injured thereby,or (b) the assignee declines to file a court action for the cause of action.See Government Code Section 4554. 16.CHILD SUPPORT COMPLIANCE ACT: For any Agreement in excess of $100,000,the contractor acknowledges in accordance with Public Contract Code 7110,that: a. The contractor recognizes the importance of child and family support obligations and shall fully comply with all applicable state and federal laws relating to child and family support enforcement,including,but not limited to,disclosure of information and compliance with earnings assignment orders,as provided in Chapter 8 (commencing with section 5200)of Part 5 of Division 9 of the Family Code;and b. The contractor,to the best of its knowledge is fully complying with the earnings assignment orders of all employees and is providing the names of all new employees to the New Hire Registry maintained by the California Employment Development Department. 17.UNENFORCEABLE PROVISION:In the event that any provision of this Agreement is unenforceable or held to be unenforceable,then the parties agree that all other provisions of this Agreement have force and effect and shall not be affected thereby. 18.PRIORITY HIRING CONSIDERATIONS:If this Contract includes services in excess of $200,000,the Contractor shall give priority consideration in filling vacancies in positions funded by the Contract to qualified recipients of aid under Welfare and Institutions Code Section 11200 in accordance with Pub.Contract Code §10353. 19.SMALL BUSINESS PARTICIPATION AND DVBE PARTICIPATION REPORTING REQUIREMENTS: a.If for this Contract Contractor made a commitment to achieve small business participation, then Contractor must within 60 days of receiving final payment under this Contract (or within such other time period as may be specified elsewhere in this Contract)report to the awarding department the actual percentage of small business participation that was achieved.(Govt. Code §14841.) b.If for this Contract Contractor made a commitment to achieve disabled veteran business enterprise (DVBE)participation,then Contractor must within 60 days of receiving final payment under this Contract (or within such other time period as may be specified elsewhere in this Contract)certify in a report to the awarding department:(1) the total amount the prime Contractor received under the Contract;(2) the name and address of the DVBE(s)that participated in the performance of the Contract:(3) the amount each DVBE received from the prime Contractor;(4)that all payments under the Contract have been made to the DVBE;and (5) the actual percentage of DVBE participation that was achieved.A person or entity that knowingly provides false information shall be subject to a civil penalty for each violation.(Mil. &Vets.Code §999.5(d);Govt.Code §14841.) 20.LOSS LEADER: If this contract involves the furnishing of equipment,materials,or supplies then the following statement is incorporated:It is unlawful for any person engaged in business within this state to sell or use any article or product as a "loss leader'" as defined in Section 17030 of the Business and Professions Code.(PCC 10344(e).) \\santacruz\mhsa\MHSA\Contracts and ProgramsWIHSA - State Performance Agreement\FY 15-16X4 Exhibit C GTC-610.doc County of Fresno 15-92089 Page 1 of 7 Exhibit D Information Confidentiality and Security Requirements 1.Definitions.For purposes of this Exhibit,the following definitions shall apply: A.Public Information:Information that is not exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 6250-6265)or other applicable state or federal laws. B.Confidential Information:Information that is exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 6250-6265)or other applicable state or federal laws. C.Sensitive Information:Information that requires special precautions to protect from unauthorized use,access,disclosure,modification,loss,or deletion.Sensitive Information may be either Public Information or Confidential Information.It is information that requires a higher than normal assurance of accuracy and completeness.Thus,the key factor for Sensitive Information is that of integrity.Typically,Sensitive Information includes records of agency financial transactions and regulatory actions. D.Personal Information:Information that identifies or describes an individual,including,but not limited to,their name,social security number,physical description,home address,home telephone number,education,financial matters,and medical or employment history.It is DHCS' policy to consider all information about individuals private unless such information is determined to be a public record.This information must be protected from inappropriate access,use,or disclosure and must be made accessible to data subjects upon request.Personal Information includes the following: Notice-triggering Personal Information:Specific items of personal information (name plus Social Security number,driver license/California identification card number,or financial account number) that may trigger a requirement to notify individuals if it is acquired by an unauthorized person.For purposes of this provision,identity shall include,but not be limited to name,identifying number, symbol,or other identifying particular assigned to the individual,such as finger or voice print or a photograph.See Civil Code sections 1798.29 and 1798.82. 2.Nondisclosure.The Contractor and its employees,agents,or subcontractors shall protect from unauthorized disclosure any Personal Information,Sensitive Information,or Confidential Information (hereinafter identified as PSCI). 3.The Contractor and its employees,agents,or subcontractors shall not use any PSCI for any purpose other than carrying out the Contractor's obligations under this Agreement. 4.The Contractor and its employees,agents,or subcontractors shall promptly transmit to the DHCS Program Contract Manager all requests for disclosure of any PSCI not emanating from the person who is the subject of PSCI. 5.The Contractor shall not disclose,except as otherwise specifically permitted by this Agreement or authorized by the person who is the subject of PSCI,any PSCI to anyone other than DHCS without prior written authorization from the DHCS Program Contract Manager,except if disclosure is required by State or Federal law. DHCS ICSR2/15 Exhibit D Information Confidentiality and Security Requirements County of Fresno 15-92089 Page 2 of 7 6.The Contractor shall observe the following requirements: A.Safeguards.The Contractor shall implement administrative,physical,and technical safeguards that reasonably and appropriately protect the confidentiality,integrity,and availability of the PSCI, including electronic PSCI that it creates,receives,maintains,uses,or transmits on behalf of DHCS.Contractor shall develop and maintain a written information privacy and security program that includes administrative,technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities,Including at a minimum the following safeguards: 1)Personnel Controls a.Employee Training.All workforce members who assist in the performance of functions or activities on behalf of DHCS,or access or disclose DHCS PSCI,must complete information privacy and security training,at least annually,at Business Associate's expense.Each workforce member who receives information privacy and security training must sign a certification,indicating the member's name and the date on which the training was completed.These certifications must be retained for a period of six (6)years following contract termination. b.Employee Discipline.Appropriate sanctions must be applied against workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements,including termination of employment where appropriate. c.Confidentiality Statement.All persons that will be working with DHCS PHI or PI must sign a confidentiality statement that includes,at a minimum,General Use,Security and Privacy Safeguards,Unacceptable Use,and Enforcement Policies.The statement must be signed by the workforce member prior to access to DHCS PHI or PI.The statement must be renewed annually.The Contractor shall retain each person's written confidentiality statement for DHCS inspection for a period of six (6)years following contract termination. d.Background Check.Before a member of the workforce may access DHCS PHI or PI, a thorough background check of that worker must be conducted,with evaluation of the results to assure that there is no indication that the worker may present a risk to the security or integrity of confidential data or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce member's background check documentation for a period of three (3)years following contract termination. 2)Technical Security Controls a.Workstation/Laptop encryption.All workstations and laptops that process and/or store DHCS PHI or PI must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher,such as Advanced Encryption Standard (AES). The encryption solution must be full disk unless approved by the DHCS Information Security Office. b.Server Security.Servers containing unencrypted DHCS PHI or PI must have sufficient administrative,physical,and technical controls in place to protect that data,based upon a risk assessment/system security review. DHCS ICSR 2/15 County of Fresno 15-92089 Page 3 of 7 Exhibit D Information Confidentiality and Security Requirements c.Minimum Necessary.Onlythe minimum necessary amount of DHCS PHI or PI required to perform necessary business functions may be copied, downloaded, or exported. d.Removable media devices.All electronic files that contain DHCS PHI or PI data must be encrypted when stored on any removable media or portable device (i.e. USB thumb drives, floppies,CD/DVD,smartphones,backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm which is 128bit or higher,such as AES. e.Antivirus software.All workstations,laptops and other systems that process and/or store DHCS PHI or PI must install and actively use comprehensive anti-virus software solution with automatic updates scheduled at least daily. f.Patch Management.All workstations,laptops and other systems that process and/or store DHCS PHI or PI must have critical security patches applied,with system reboot if necessary.There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations.At a maximum,all applicable patches must be installed within 30 days of vendor release. g.User IDs and Password Controls.All users must be issued a unique user name for accessing DHCS PHI or PI.Username must be promptly disabled,deleted,or the password changed upon the transfer or termination of an employee with knowledge of the password,at maximum within 24 hours.Passwords are not to be shared.Passwords must be at least eight characters and must be a non-dictionary word.Passwords must not be stored in readable format on the computer.Passwords must be changed every 90 days, preferably every 60 days.Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: •Upper case letters (A-Z) •Lower case letters (a-z) •Arabic numerals (0-9) •Non-alphanumeric characters (punctuation symbols) h.Data Destruction.When no longer needed,all DHCS PHI or PI must be cleared,purged, or destroyed consistent with NIST Special Publication 800-88,Guidelines for Media Sanitization such that the PHI or PI cannot be retrieved. i.System Timeout.The system providing access to DHCS PHI or PI must provide an automatic timeout,requiring re-authentication of the user session after no more than 20 minutes of inactivity. j.Warning Banners.All systems providing access to DHCS PHI or PI must display a warning banner stating that data is confidential,systems are logged,and system use is for business purposes only by authorized users.User must be directed to log off the system if they do not agree with these requirements. k.System Logging.The system must maintain an automated audit trail which can identify the user or system process which initiates a request for DHCS PHI or PI,or which alters DHCS PHI or PI.The audit trail must be date and time stamped,must log both successful and failed accesses,must be read only,and must be restricted to authorized users.If DHCS ICSR 2/15 County of Fresno 15-92089 Page 4 of 7 Exhibit D Information Confidentiality and Security Requirements DHCS PHI or PI is stored in a database,database logging functionality must be enabled. Audit trail data must be archived for at least 3 years after occurrence. I.Access Controls.The system providing access to DHCS PHI or PI must use role based access controls for all user authentications,enforcing the principle of least privilege. m.Transmission encryption.All data transmissions of DHCS PHI or PI outside the secure internal network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher,such as AES.Encryption can be end to end at the network level, or the data files containing PHI can be encrypted.This requirement pertains to any type of PHI or PI in motion such as website access,file transfer,and E-Mail. n.Intrusion Detection.All systems involved in accessing,holding,transporting,and protecting DHCS PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution. 3)Audit Controls a.System Security Review.All systems processing and/or storing DHCS PHI or PI must have at least an annual system risk assessment/security review which provides assurance that administrative,physical,and technical controls are functioning effectively and providing adequate levels of protection.Reviews should include vulnerability scanning tools. b.Log Reviews.All systems processing and/or storing DHCS PHI or PI must have a routine procedure in place to review system logs for unauthorized access. c.Change Control.All systems processing and/or storing DHCS PHI or PI must have a documented change control procedure that ensures separation of duties and protects the confidentiality,integrity and availability of data. 4)Business Continuity /Disaster Recovery Controls a.Emergency Mode Operation Plan.Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of electronic DHCS PHI or PI in the event of an emergency.Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than 24 hours. b.Data Backup Plan.Contractor must have established documented procedures to backup DHCS PHI to maintain retrievable exact copies of DHCS PHI or PI.The plan must include a regular schedule for making backups,storing backups offsite, an inventory of backup media,and an estimate of the amount of time needed to restore DHCS PHI or PI should it be lost. At a minimum,the schedule must be a weekly full backup and monthly offsite storage of DHCS data. 5)Paper Document Controls a.Supervision of Data.DHCS PHI or PI in paper form shall not be left unattended at any time,unless it is locked in a file cabinet,file room,desk or office.Unattended means that DHCS ICSR 2/15 County of Fresno 15-92089 Page 5 of 7 Exhibit D Information Confidentiality and Security Requirements information is not being observed by an employee authorized to access the information. DHCS PHI or PI in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes. b.Escorting Visitors.Visitors to areas where DHCS PHI or PI is contained shall be escorted and DHCS PHI or PI shall be kept out of sight while visitors are in the area. c.Confidential Destruction.DHCS PHI or PI must be disposed of through confidential means,such as cross cut shredding and pulverizing. d.Removal of Data.DHCS PHI or PI must not be removed from the premises of the Contractor except with express written permission of DHCS. e.Faxing.Faxes containing DHCS PHI or PI shall not be left unattended and fax machines shall be in secure areas.Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them.Fax numbers shall be verified with the intended recipient before sending the fax. f.Mailing.Mailings of DHCS PHI or PI shall be sealed and secured from damage or inappropriate viewing of PHI or PI to the extent possible.Mailings which include 500 or more individually identifiable records of DHCS PHI or PI in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt,unless the prior written permission of DHCS to use another method is obtained. B.Security Officer.The Contractor shall designate a Security Officer to oversee its data security program who will be responsible for carrying out its privacy and security programs and for communicating on security matters with DHCS. Discovery and Notification of Breach Notice to DHCS: (1) To notify DHCS immediately upon the discovery of a suspected security incident that involves data provided to DHCS by the Social Security Administration.This notification will be by telephone call plus email or fax upon the discovery of the breach.(2) To notify DHCS within 24 hours by email or fax of the discovery of unsecured PHI or PI in electronic media or in any other media if the PHI or PI was,or is reasonably believed to have been,accessed or acquired by an unauthorized person,any suspected security incident,intrusion or unauthorized access,use or disclosure of PHI or PI in violation of this Agreement and this Addendum,or potential loss of confidential data affecting this Agreement.A breach shall be treated as discovered by the contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known,to any person (other than the person committing the breach)who is an employee,officer or other agent of the contractor.. Notice shall be provided to the DHCS Program Contract Manager,the DHCS Privacy Officer and the DHCS Information Security Officer. If the incident occurs after business hours or on a weekend or holiday and involves data provided to DHCS by the Social Security Administration, notice shall be provided by calling the DHCS EITS Service Desk.Notice shall be made using the "DHCS Privacy Incident Report"form,including all information known at the time.The contractor shall use the most current version of this form,which is posted on the DHCS Privacy Office website (www.dhcs.ca.gov,then select "Privacy"in the left column and then DHCS ICSR 2/15 Exhibit D Information Confidentiality and Security Requirements County of Fresno 15-92089 Page 6 of 7 "Business Use"near the middle of the page)or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Paqes/DHCSBusinessAssociatesOnly.aspx C.Upon discovery of a breach or suspected security incident,intrusion or unauthorized access,use or disclosure of PHI or PI,the Contractor shall take: 1)Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment and 2) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. D.Investigation of Breach.The Contractor shall immediately investigate such security incident, breach,or unauthorized use or disclosure of PSCI.If the initial report did not include all of the requested information marked with an asterisk,then within seventy-two (72)hours of the discovery,The Contractor shall submit an updated "DHCS Privacy Incident Report"containing the information marked with an asterisk and all other applicable information listed on the form, to the extent known at that time,to the DHCS Program Contract Manager,the DHCS Privacy Officer, and the DHCS Information Security Officer: E.Written Report.The Contractor shall provide a written report of the investigation to the DHCS Program Contract Manager,the DHCS Privacy Officer,and the DHCS Information Security Officer, if all of the required information was not included in the DHCS Privacy Incident Report, within ten (10)working days of the discovery of the breach or unauthorized use or disclosure.The report shall include,but not be limited to,the information specified above,as well as a full,detailed corrective action plan,including information on measures that were taken to halt and/or contain the improper use or disclosure. F.Notification of Individuals.The Contractor shall notify individuals of the breach or unauthorized use or disclosure when notification is required under state or federal law and shall pay any costs of such notifications,as well as any costs associated with the breach.The DHCS Program Contract Manager,the DHCS Privacy Officer,and the DHCS Information Security Officer shall approve the time,manner and content of any such notifications. 7.Affect on lower tier transactions.The terms of this Exhibit shall apply to all contracts,subcontracts, and subawards,regardless of whether they are for the acquisition of services,goods,or commodities. The Contractor shall incorporate the contents of this Exhibit into each subcontract or subaward to its agents,subcontractors,or independent consultants. 8.Contact Information.To direct communications to the above referenced DHCS staff,the Contractor shall initiate contact as indicated herein.DHCS reserves the right to make changes to the contact information below by giving written notice to the Contractor.Said changes shall not require an amendment to this Exhibit or the Agreement to which it is incorporated. DHCS Program Contract Manager DHCS Privacy Officer DHCS Information Security Officer DHCS ICSR 2/15 Exhibit D Information Confidentiality and Security Requirements County of Fresno 15-92089 Page 7 of 7 See the Scope of Work Privacy Officer Information Security Officer exhibit for Program c/o Office of Legal Services DHCS Information Security Office Contract Manager Department of Health Care Services P.O.Box 997413,MS 6400 information P.O.Box 997413,MS 0011 Sacramento,CA 95899-7413 Email:privacvofficer(5)dhcs.ca.aov Sacramento,CA 95899-7413 Email:isotcSdhcs.ca.aov Telephone:ITSD Help Desk Telephone:(916)445-4646 (916)440-7000 or (800)579-0874 Audits and Inspections.From time to time,DHCS may inspect the facilities,systems,books and records of the Contractor to monitor compliance with the safeguards required in the Information Confidentiality and Security Requirements (ICSR)exhibit.Contractor shall promptly remedy any violation of any provision of this ICSR exhibit.The fact that DHCS inspects,or fails to inspect,or has the right to inspect,Contractor's facilities,systems and procedures does not relieve Contractor of its responsibility to comply with this ICSR exhibit. DHCS ICSR 2/15 EXHIBIT E County of Fresno 15-92089 Page 1 PRIVACY AND INFORMATION SECURITY PROVISIONS This Exhibit E is intended to protect the privacy and security of specified Department information that Contractor may access,receive,or transmit under this Agreement.The Department information covered under this Exhibit E consists of: (1)Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996,Public Law 104-191 ("HIPAA")(PHI):and (2)Personal Information (PI)as defined under the California Information Practices Act (CIPA),at California Civil Code Section 1798.3.Personal Information may include data provided to the Department by the Social Security Administration. Exhibit E consists of the following parts: 1.Exhibit E-1,HIPAA Business Associate Addendum,which provides for the privacy and security of PHI. 2.Exhibit E-2,which provides for the privacy and security of PI in accordance with specified provisions of the Agreement between the Department and the Social Security Administration,known as the Information Exchange Agreement (IEA) and the Computer Matching and Privacy Protection Act Agreement between the Social Security Administration and the California Health and Human Services Agency (Computer Agreement)to the extent Contractor access,receives,or transmits PI under these Agreements.Exhibit E-2 further provides for the privacy and security of PI under Civil Code Section 1798.3(a)and 1798.29. 3.Exhibit E-3,Miscellaneous Provision,sets forth additional terms and conditions that extend to the provisions of Exhibit E in its entirety. County of Fresno 15-92089 Page 2 EXHIBIT E-1 HIPAA Business Associate Addendum Recitals. A. A business associate relationship under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"),the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 ("the HITECH Act"), 42 U.S.C.Section 17921 et seq.,and their implementing privacy and security regulations at 45 CFR Parts 160 and 164 ("the HIPAA regulations")between Department and Contractor arises only to the extent that Contractor creates,receives, maintains,transmits,uses or discloses PHI orePHI on the Department's behalf,or provides services,arranges,performs or assists in the performance of functions or activities on behalf of the Department that are included in the definition of "business associate"in 45 C.F.R. 160.103 where the provision of the service involves the disclosure of PHI or ePHI from the Department,including but not limited to, utilization review,quality assurance,or benefit management.To the extent Contractor performs these services,functions,and activities on behalf of Department,Contractor is the Business Associate of the Department, acting on the Department's behalf.The Department and Contractor are each a party to this Agreement and are collectively referred to as the "parties." B.The Department wishes to disclose to Contractor certain information pursuant to the terms of this Agreement,some of which may constitute Protected Health Information ("PHI"),including protected health information in electronic media ("ePHI"),under federal law, to be used or disclosed in the course of providing services and activities as set forth in Section 1 .A.of Exhibit E-1 of this Agreement.This information is hereafter referred to as "Department PHI". C.The purpose of this Exhibit E-1 is to protect the privacy and security of the PHI and ePHI that may be created,received,maintained, transmitted,used or disclosed pursuant to this Agreement,and to comply with certain standards and requirements of HIPAA,the HITECH Act,and the HIPAA regulations,including,but not limited to,the requirement that the Department must enter into a contract containing County of Fresno 15-92089 Page 3 specific requirements with Contractor prior to the disclosure of PHI to Contractor,as set forth in 45 CFR Parts 160 and 164 and the HITECH Act. To the extent that data is both PHI or ePHI and Personally Identifying Information,both Exhibit E-2 (including Attachment B,the SSA Agreement between SSA,CHHS and DHCS,referred to in Exhibit E-2)and this Exhibit E-1 shall apply. D.The terms used in this Exhibit E-1,but not otherwise defined,shall have the same meanings as those terms have in the HIPAA regulations.Any reference to statutory or regulatory language shall be to such language as in effect or as amended. Definitions. A.Breach shall have the meaning given to such term under HIPAA, the HITECH Act,and the HIPAA regulations. B.Business Associate shall have the meaning given to such term under HIPAA,the HITECH Act,and the HIPAA regulations. C.Covered Entity shall have the meaning given to such term under HIPAA,the HITECH Act,and the HIPAA regulations. D.Department PHI shall mean Protected Health Information or Electronic Protected Health Information,as defined below,accessed by Contractor in a database maintained by the Department,received by Contractor from the Department or acquired or created by Contractor in connection with performing the functions,activities and services on behalf of the Department as specified in Section 1 .A.of Exhibit E-1 of this Agreement. The terms PHI as used in this document shall mean Department PHI. E.Electronic Health Records shall have the meaning given to such term in the HITECH Act,including,but not limited to, 42 U.S.C.Section 17921 and implementing regulations. F.Electronic Protected Health Information (ePHI)means individually identifiable health information transmitted by electronic media or maintained in electronic media,including but not limited to electronic media as set forth under 45 CFR section 160.103. G. Individually Identifiable Health Information means health information, including demographic information collected from an individual,that is created or received by a health care provider,health plan,employer or health care clearinghouse,and relates to the past,present or future County of Fresno 15-92089 Page 4 physical or mental health or condition of an individual,the provision of health care to an individual, or the past,present,or future payment for the provision of health care to an individual,that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual,as set forth under 45 CFR Section 160.103. H.Privacy Rule shall mean the HIPAA Regulations that are found at 45 CFR Parts 160 and 164,subparts A and E. I.Protected Health Information (PHI)means individually identifiable health information that is transmitted by electronic media,maintained in electronic media,or is transmitted or maintained in any other form or medium,as set forth under 45 CFR Section 160.103 and as defined under HIPAA. J.Required by law,as set forth under 45 CFR Section 164.103,means a mandate contained in law that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law.This includes,but is not limited to,court orders and court-ordered warrants,subpoenas or summons issued by a court,grand jury, a governmental or tribal inspector general,or an administrative body authorized to require the production of information,and a civil or an authorized investigative demand.It also includes Medicare conditions of participation with respect to health care providers participating in the program,and statutes or regulations that require the production of information,including statutes or regulations that require such information if payment is sought under a government program providing public benefits. K.Secretary means the Secretary of the U.S.Department of Health and Human Services ("HHS")or the Secretary's designee. L.Security Incident means the attempted or successful unauthorized access,use,disclosure,modification,or destruction of Department PHI, or confidential data utilized by Contractor to perform the services, functions and activities on behalf of Department as set forth in Section 1 .A.of Exhibit E-1 of this Agreement;or interference with system operations in an information system that processes,maintains or stores Department PHI. M.Security Rule shall mean the HIPAA regulations that are found at 45 CFR Parts 160 and 164. N.Unsecured PHI shall have the meaning given to such term under the County of Fresno 15-92089 Page 5 HITECH Act, 42 U.S.C.Section 17932(h),any guidance issued by the Secretary pursuant to such Act and the HIPAA regulations. 3.Terms of Agreement. A.Permitted Uses and Disclosures of Department PHI by Contractor. Except as otherwise indicated in this Exhibit E-1,Contractor may use or disclose Department PHI only to perform functions,activities or services specified in Section I.Aof Exhibit E-1 of this Agreement,for,or on behalf of the Department,provided that such use or disclosure would not violate the HIPAA regulations or the limitations set forth in 42 CFR Part 2,or any other applicable law, if done by the Department.Any such use or disclosure,if not for purposes of treatment activities of a health care provider as defined by the Privacy Rule,must,to the extent practicable,be limited to the limited data set,as defined in 45 CFR Section 164.514(e)(2), or, if needed,to the minimum necessary to accomplish the intended purpose of such use or disclosure,in compliance with the HITECH Act and any guidance issued pursuant to such Act,and the HIPAA regulations. B.Specific Use and Disclosure Provisions.Except as otherwise indicated in this Exhibit E-1,Contractor may: 1)Use and Disclose for Management and Administration.Use and disclose Department PHI for the proper management and administration of the Contractor's business,provided that such disclosures are required by law,or the Contractor obtains reasonable assurances from the person to whom the information is disclosed,in accordance with section D(7) of this Exhibit E-1,that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person,and the person notifies the Contractor of any instances of which it is aware that the confidentiality of the information has been breached. 2)Provision of Data Aggregation Services.Use Department PHI to provide data aggregation services to the Department to the extent requested by the Department and agreed to by Contractor.Data aggregation means the combining of PHI created or received by the Contractor,as the Business Associate,on behalf of the Department County of Fresno 15-92089 Page 6 with PHI received by the Business Associate in its capacity as the Business Associate of another covered entity,to permit data analyses that relate to the health care operations of the Department C.Prohibited Uses and Disclosures 1)Contractor shall not disclose Department PHI about an individual to a health plan for payment or health care operations purposes if the Department PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full and the individual requests such restriction,in accordance with 42 U.S.C.Section 17935(a)and 45 CFR Section 164.522(a). 2)Contractor shall not directly or indirectly receive remuneration in exchange for Department PHI. D.Responsibilities of Contractor Contractor agrees: 1)Nondisclosure.Not to use or disclose Department PHI other than as permitted or required by this Agreement or as required by law, including but not limited to 42 CFR Part 2. 2)Compliance with the HIPAA Security Rule.To implement administrative,physical,and technical safeguards that reasonably and appropriately protect the confidentiality, integrity,and availability of the Department PHI,including electronic PHI,that it creates, receives,maintains,uses or transmits on behalf of the Department,in compliance with 45 CFR Sections 164.308,164.310 and 164.312, and to prevent use or disclosure of Department PHI other than as provided for by this Agreement.Contractor shall implement reasonable and appropriate policies and procedures to comply with the standards,implementation specifications and other requirements of 45 CFR Section 164,subpart C, in compliance with 45 CFR Section164.316.Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities,and which incorporates the requirements of section 3, Security,below.Contractor will provide the Department with its current and updated policies upon request. 3)Security.Contractor shall take any and all steps necessary to ensure County of Fresno 15-92089 Page 7 the continuous security of all computerized data systems containing PHI and/or PI,and to protect paper documents containing PHI and/or PI.These steps shall include,at a minimum: a.Complying with all of the data system security precautions listed in Attachment A,Data Security Requirements; b.Achieving and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and 164),as necessary in conducting operations on behalf of DHCS under this Agreement;and c.Providing a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130,Appendix III-Security of Federal Automated Information Systems,which sets forth guidelines for automated information systems in Federal agencies. 4)Security Officer.Contractor shall designate a Security Officer to oversee its data security program who shall be responsible for carrying out the requirements of this section and for communicating on security matters with the Department. 5)Mitigation of Harmful Effects.To mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Department PHI by Contractor or its subcontractors in violation of the requirements of this Exhibit E. 6)Reporting Unauthorized Use or Disclosure.To report to Department any use or disclosure of Department PHI not provided for by this Exhibit E of which it becomes aware. 7)Contractor's Agents and Subcontractors. a. To enter into written agreements with any agents,including subcontractors and vendors to whom Contractor provides Department PHI,that impose the same restrictions and conditions on such agents,subcontractors and vendors that apply to Contractor with respect to such Department PHI under this Exhibit E,and that require compliance with all applicable provisions of HIPAA,the HITECHAct and the HIPAA regulations,including the requirement that any agents,subcontractors or vendors implement reasonable and appropriate administrative,physical,and technical County of Fresno 15-92089 Page 8 safeguards to protect such PHI. As required by HIPAA,the HITECH Act and the HIPAA regulations,including 45 CFR Sections 164.308 and 164.314,Contractor shall incorporate,when applicable,the relevant provisions of this Exhibit E-1 into each subcontract or subaward to such agents,subcontractors and vendors,including the requirement that any security incidents or breaches of unsecured PHI be reported to Contractor. b. In accordance with 45 CFR Section 164.504(e)(1 )(ii),upon Contractor's knowledge of a material breach or violation by its subcontractor of the agreement between Contractor and the subcontractor,Contractor shall: i)Provide an opportunity for the subcontractor to cure the breach or end the violation and terminate the agreement if the subcontractor does not cure the breach or end the violation within the time specified by the Department;or ii)Immediately terminate the agreement if the subcontractor has breached a material term of the agreement and cure is not possible. 8)Availability of Information to the Department and Individuals to Provide Access and Information: a.To provide access as the Department may require,and in the time and manner designated by the Department (upon reasonable notice and during Contractor's normal business hours)to Department PHI in a Designated Record Set,to the Department (or,as directed by the Department),to an Individual, in accordance with 45 CFR Section 164.524.Designated Record Set means the group of records maintained for the Department health plan under this Agreement that includes medical,dental and billing records about individuals;enrollment,payment, claims adjudication,and case or medical management systems maintained for the Department health plan for which Contractor is providing services under this Agreement;or those records used to make decisions about individuals on behalf of the Department.Contractor shall use the forms and processes developed by the Department for this purpose and shall respond to requests County of Fresno 15-92089 Page 9 for access to records transmitted by the Department within fifteen (15)calendar days of receipt of the request by producing the records or verifying that there are none. b.If Contractor maintains an Electronic Health Record with PHI,and an individual requests a copy of such information in an electronic format,Contractor shall provide such information in an electronic format to enable the Department to fulfill its obligations under the HITECH Act,including but not limited to,42 U.S.C.Section 17935(e)and the HIPAA regulations. 9)Amendment of Department PHI.To make any amendment(s)to Department PHI that were requested by a patient and that the Department directs or agrees should be made to assure compliance with 45 CFR Section 164.526,in the time and manner designated by the Department,with the Contractor being given a minimum of twenty (20)days within which to make the amendment. 10)Internal Practices.To make Contractor's internal practices,books and records relating to the use and disclosure of Department PHI available to the Department or to the Secretary,for purposes of determining the Department's compliance with the HIPAA regulations.If any information needed for this purpose is in the exclusive possession of any other entity or person and the other entity or person fails or refuses to furnish the information to Contractor,Contractor shall provide written notification to the Department and shall set forth the efforts it made to obtain the information. 11)Documentation of Disclosures.To document and make available to the Department or (at the direction of the Department)to an individual such disclosures of Department PHI,and information related to such disclosures,necessary to respond to a proper request by the subject Individual for an accounting of disclosures of such PHI, in accordance with the HITECH Act and its implementing regulations,including but not limited to 45 CFR Section 164.528 and 42 U.S.C.Section 17935(c).If Contractor maintains electronic health records for the Department as of January 1,2009 and later,Contractor must provide an accounting of disclosures,including those disclosures for treatment,payment or health care operations.The electronic accounting of disclosures shall be for disclosures during the three years prior to the request for an accounting. County of Fresno 15-92089 Page 10 12)Breaches and Security Incidents.During the term of this Agreement,Contractor agrees to implement reasonable systems for the discovery and prompt reporting of any breach or security incident,and to take the following steps: a.Initial Notice to the Department.(1)To notify the Department immediately by telephone call or email or fax upon the discovery of a breach of unsecured PHI in electronic media or in any other media if the PHI was,or is reasonably believed to have been,accessed or acquired by an unauthorized person.(2)To notify the Department within 24 hours (one hour if SSA data)by email or fax of the discovery of any suspected security incident,intrusion or unauthorized access,use or disclosure of PHI in violation of this Agreement or this Exhibit E-1T or potential loss of confidential data affecting this Agreement.A breach shall be treated as discovered by Contractor as of the first day on which the breach is known,or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach)who is an employee,officer or other agent of Contractor. Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance.If the incident occurs after business hours or on a weekend or holiday and involves electronic PHI,notice shall be provided by calling the Information Protection Unit (916.445.4646,866-866-0602) or by emailing privacyofficer@dhcs.ca.gov).Notice shall be made using the DHCS "Privacy Incident Report" form, including all information known at the time.Contractor shall use the most current version of this form,which is posted on the DHCS Information Security Officer website (www.dhcs.ca.gov,then select "Privacy" in the left column and then "Business Partner"near the middle of the page) or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Paqes/DH CSBusinessAssociatesOnly.aspx Upon discovery of a breach or suspected security incident, intrusion or unauthorized access,use or disclosure of Department PHI,Contractor shall take: i)Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment;and County of Fresno 15-92089 Page 11 ii) Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. Investigation and Investigation Report.To immediately investigate such suspected security incident,security incident,breach,or unauthorized access,use or disclosure of PHI .Within 72 hours of the discovery, Contractor shall submit an updated "Privacy Incident Report"containing the information marked with an asterisk and all other applicable information listed on the form,to the extent known at that time,to the Information Protection Unit. Complete Report.To provide a complete report of the investigation to the Department Program Contract Manager and the Information Protection Unit within ten (10)working days of the discovery of the breach or unauthorized use or disclosure.The report shall be submitted on the "Privacy Incident Report"form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA,the HITECH Act,and the HIPAA regulations.The report shall also include a full,detailed corrective action plan,including information on measures that were taken to halt and/or contain the improper use or disclosure.If the Department requests information in addition to that listed on the "Privacy Incident Report" form,Contractor shall make reasonable efforts to provide the Department with such information.If, because of the circumstances of the incident,Contractor needs more than ten (10)working days from the discovery to submit a complete report,the Department may grant a reasonable extension of time,in which case Contractor shall submit periodic updates until the complete report is submitted.If necessary,a Supplemental Report may be used to submit revised or additional information after the completed report is submitted,by submitting the revised or additional information on an updated "Privacy Incident Report" form. The Department will review and approve the determination of whether a breach occurred and whether individual notifications and a corrective action plan are required. County of Fresno 15-92089 Page 12 d.Responsibility for Reporting of Breaches.If the cause of a breach of Department PHI is attributable to Contractor or its agents,subcontractors or vendors, Contractor is responsible for all required reporting of the breach as specified in 42 U.S.C.section 17932 and its implementing regulations, including notification to media outlets and to the Secretary (after obtaining priorwrittenapproval of DHCS).If a breach of unsecured Department PHI involves more than 500 residents of the State of California or under its jurisdiction,Contractor shall first notifyDHCS, then the Secretary of the breach immediately upon discovery of the breach.If a breach involves more than 500 California residents,Contractor shall also provide,after obtainingwritten priorapproval of DHCS, notice to the Attorney General for the State of California, Privacy Enforcement Section.If Contractor has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors,agents or vendors may report the breach or incidentto the Department in addition to Contractor,Contractor shall notify the Department, and the Department and Contractor may take appropriate action to prevent duplicate reporting. e.Responsibility for Notification of Affected Individuals.If the cause of a breach of Department PHI is attributable to Contractor or its agents,subcontractors or vendors and notification of the affected individuals is required under state or federal law,Contractor shall bear all costs of such notifications as well as any costs associated with the breach.In addition,the Department reserves the right to require Contractor to notify such affected individuals,which notifications shall comply with the requirements set forth in 42U.S.C.section 17932 and its implementing regulations, including,but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days after discovery of the breach.The Department Privacy Officershall approve the time,manner and content of any such notifications and their review and approval must be obtained before the notifications are made.The Department will provide its review and approval expeditiously and without unreasonable delay. f.Department Contact Information.To direct communications to the above referenced Department staff, County of Fresno 15-92089 Page 13 the Contractor shall initiate contact as indicated herein.The Department reserves the right to make changes to the contact information below by giving written notice to the Contractor.Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated. Department DHCS Privacy Officer DHCS Information Security Program Contract Officer Manager See the Exhibit A,Information Protection Unit Information Security Officer Scope of Work for c/o:Office of HIPAA DHCS Information Security Office Program Contract Compliance Department of P.O.Box 997413,MS 6400 Manager Health Care Services Sacramento,CA 95899-7413 information P.O.Box 997413,MS 4722 Sacramento,CA 95899-7413 Email:iso(5)dhcs.ca.gov (916)445-4646;(866)866- 0602 Telephone:ITSD Service Desk (916) 440-7000;(800)579- Email:0874 privacvofficer(a>dhcs.ca.gov Fax:(916)440-5537 Fax:(916)440-7680 13)Termination of Agreement.In accordance with Section 13404(b) of the HITECH Act and to the extent required by the HIPAA regulations,if Contractorknowsofa materialbreach or violation by the Department ofthis Exhibit E-1,itshall take the following steps: County of Fresno 15-92089 Page 14 a.Provide an opportunity for the Department to cure the breach or end the violation and terminate the Agreement if the Department does not cure the breach or end the violation within the time specified by Contractor;or b.Immediately terminate the Agreement if the Department has breached a material term of the Exhibit E-1 and cure is not possible. 14)Sanctions and/or Penalties.Contractor understands that a failure to comply with the provisions of HIPAA,the HITECHAct and the HIPAA regulations that are applicable to Contractors may result in the imposition of sanctions and/or penalties on Contractor under HIPAA, the HITECH Act and the HIPAA regulations. Obligations of the Department. The Department agrees to: 1)Permission by Individuals for Use and Disclosure of PHI.Provide the Contractor with any changes in,or revocation of,permission by an Individual to use or disclose Department PHI, if such changes affect the Contractor's permitted or required uses and disclosures. 2)Notification of Restrictions.Notify the Contractor of any restriction to the use or disclosure of Department PHI that the Department has agreed to in accordance with 45 CFR Section 164.522,to the extent that such restriction may affect the Contractor's use or disclosure of PHI. 3)Requests Conflicting with HIPAA Rules.Not request the Contractor to use or disclose Department PHI in any manner that would not be permissible under the HIPAA regulations if done by the Department. 4)Notice of Privacy Practices.Provide Contractor with the web link to the Notice of Privacy Practices that DHCS produces in accordance with 45 CFR Section 164.520,as well as any changes to such notice. Visit the DHCS website to view the most current Notice of Privacy Practices at: http://www.dhcs.ca.qov/formsandpubs/laws/priv/Paqes/NoticeofPrivacy Practices.aspx or the DHCS website at www.dhcs.ca.gov (select "Privacy inthe rightcolumn and "Noticeof Privacy Practices"on the right side of the page). County of Fresno 15-92089 Page 15 F.Audits,Inspection and Enforcement If Contractor is the subject of an audit,compliance review,or complaint investigation by the Secretary or the Office for Civil Rights,U.S.Department of Health and Human Services,that is related to the performance of its obligations pursuant to this HIPAA Business Associate Exhibit E-1,Contractor shall immediately notify the Department.Upon request from the Department, Contractor shall provide the Department with a copy of any Department PHI that Contractor,as the Business Associate,provides to the Secretary or the Office of Civil Rights concurrently with providing such PHI to the Secretary. Contractor is responsible for any civil penalties assessed due to an audit or investigation of Contractor,in accordance with 42 U.S.C.Section 17934(c). G.Termination. 1)Term.The Term of this Exhibit E-1 shall extend beyond the termination of the Agreement and shall terminate when all Department PHI is destroyed or returned to the Department,in accordance with 45 CFR Section 164.504(e)(2)(ii)(J). 2)Termination for Cause.In accordance with 45 CFR Section 164.504(e)(1)(iii),upon the Department's knowledge of a material breach or violation of this Exhibit E-1 by Contractor,the Department shall: a.Provide an opportunity for Contractor to cure the breach or end the violation and terminate this Agreement if Contractor does not cure the breach or end the violation within the time specified by the Department;or b.Immediately terminate this Agreement if Contractor has breached a material term of this Exhibit E-1 and cure is not possible. THE REST OF THIS PAGE IS INTENTIONALLY BLANK County of Fresno 15-92089 Page 16 EXHIBIT E-2 Privacy and Security of Personal Information and Personally Identifiable Information Not Subject to HIPAA 1.Recitals. A. In addition to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)the Department is subject to various other legal and contractual requirements with respect to the personal information (PI)and personally identifiable information (Pll)it maintains.These include: 1)The California Information Practices Act of 1977 (California Civil Code §§1798 et seq.), 2)The Agreement between the Social Security Administration (SSA) and the Department,known as the Information Exchange Agreement (IEA),which incorporates the Computer Matching and Privacy Protection Act Agreement (CMPPA)between the SSA and the California Health and Human Services Agency.The IEA, including the CMPPA is attached to this Exhibit E as Attachment B and is hereby incorporated in this Agreement. 3) Title 42 Code of Federal Regulations,Chapter I,Subchapter A,Part 2. B.The purpose of this Exhibit E-2 is to set forth Contractor's privacy and security obligations with respect to PI and Pll that Contractor may create, receive,maintain,use,or disclose for or on behalf of Department pursuant to this Agreement.Specifically this Exhibit applies to PI and Pll which is not Protected Health Information (PHI)as defined by HIPAA and therefore is not addressed in Exhibit E-1 of this Agreement,the HIPAA Business Associate Addendum;however,to the extent that data is both PHI or ePHI and Pll,both Exhibit E-1 and this Exhibit E-2 shall apply. C.The IEA Agreement referenced in A.2)above requires the Department to extend its substantive privacy and security terms to subcontractors who receive data provided to DHCS by the Social Security Administration.If Contractor receives data from DHCS that includes data provided to DHCS by the Social Security Administration,Contractor must comply with the following specific sections of the IEA Agreement:E.Security Procedures, F.Contractor/Agent Responsibilities,and G.Safeguarding and Reporting Responsibilities for Personally Identifiable Information ("Pll"),and in Attachment 4 to the IEA,Electronic Information Exchange Security Requirements,Guidelines and Procedures for Federal,State and Local County of Fresno 15-92089 Page 17 Agencies Exchanging Electronic Information with the Social Security Administration.Contractor must also ensure that any agents,including a subcontractor,to whom it provides DHCS data that includes data provided by the Social Security Administration,agree to the same requirements for privacy and security safeguards for such confidential data that apply to Contractor with respect to such information. D.The terms used in this Exhibit E-2,but not otherwise defined,shall have the same meanings as those terms have in the above referenced statute and Agreement.Any reference to statutory,regulatory,or contractual language shall be to such language as in effect or as amended. Definitions. A."Breach"shall have the meaning given to such term under the IEA and CMPPA.It shall include a "Pll loss"as that term is defined in the CMPPA. B."Breach of the security of the system"shall have the meaning given to such term under the California Information Practices Act,Civil Code section 1798.29(f). C. "CMPPA Agreement"means the Computer Matching and Privacy Protection Act Agreement between the Social Security Administration and the California Health and Human Services Agency (CHHS). D."Department PI"shall mean Personal Information,as defined below, accessed in a database maintained by the Department,received by Contractor from the Department or acquired or created by Contractor in connection with performing the functions,activities and services specified in this Agreement on behalf of the Department. E."IEA"shall mean the Information Exchange Agreement currently in effect between the Social Security Administration (SSA)and the California Department of Health Care Services (DHCS). F. "Notice-triggering Personal Information"shall mean the personal information identified in Civil Code section 1798.29 whose unauthorized access may trigger notification requirements under Civil Code section 1798.29.For purposes of this provision, identity shall include,but not be limited to,name,address,email address,identifying number,symbol,or other identifying particular assigned to the individual,such as a finger or voice print, a photograph or a biometric identifier.Notice-triggering Personal Information includes PI in electronic,paper or any other medium. County of Fresno 15-92089 Page 18 G."Personally Identifiable Information" (Pll)shall have the meaning given to such term in the IEA and CMPPA. H."Personal Information"(PI)shall have the meaning given to such term in California Civil Code Section 1798.3(a). I."Required by law"means a mandate contained in law that compels an entity to make a use or disclosure of PI or Pll that is enforceable in a court of law.This includes,but is not limited to,court orders and court-ordered warrants,subpoenas or summons issued by a court,grand jury, a governmental or tribal inspector general,or an administrative body authorized to require the production of information,and a civil or an authorized investigative demand.It also includes Medicare conditions of participation with respect to health care providers participating in the program,and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. J."Security Incident"means the attempted or successful unauthorized access,use,disclosure,modification,or destruction of PI,or confidential data utilized in complying with this Agreement;or interference with system operations in an information system that processes,maintains or stores PI. Terms of Agreement A.Permitted Uses and Disclosures of Department PI and Pll by Contractor Except as otherwise indicated in this Exhibit E-2,Contractor may use or disclose Department PI only to perform functions, activities or services for or on behalf of the Department pursuant to the terms of this Agreement provided that such use or disclosure would not violate the California Information Practices Act (CIPA)if done by the Department. B.Responsibilities of Contractor Contractor agrees: 1)Nondisclosure.Notto use or disclose Department PI or Pll other than as permitted or required by this Agreement or as required by applicable state and federal law. County of Fresno 15-92089 Page 19 2)Safeguards.To implement appropriate and reasonable administrative,technical,and physical safeguards to protect the security,confidentiality and integrity of Department PI and Pll, to protect against anticipated threats or hazards to the security or integrity of Department PI and Pll,and to prevent use or disclosure of Department PI or Pll other than as provided for by this Agreement.Contractor shall develop and maintain a written information privacy and security program that include administrative, technical and physical safeguards appropriate to the size and complexity of Contractor's operations and the nature and scope of its activities,which incorporate the requirements of section 3, Security,below.Contractor will provide DHCS with its current policies upon request. 3)Security.Contractor shall take any and all steps necessary to ensure the continuous security of all computerized data systems containing PHI and/or PI,and to protect paper documents containing PHI and/or PI.These steps shall include,at a minimum: a.Complying with all of the data system security precautions listed in Attachment A,Business Associate Data Security Requirements; b.Providing a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A- 130,Appendix III-Security of Federal Automated Information Systems,which sets forth guidelines for automated information systems in Federal agencies;and c. If the data obtained by Contractor from DHCS includes Pll, Contractor shall also comply with the substantive privacy and security requirements in the Computer Matching and Privacy Protection Act Agreement between the SSA and the California Health and Human Services Agency (CHHS)and in the Agreement between the SSA and DHCS,known as the Information Exchange Agreement,which are attached as Attachment B and incorporated into this Agreement.The specific sections of the IEA with substantive privacy and security requirements to be complied with are sections E, F, and G,and in Attachment 4 to the IEA,Electronic Information Exchange Security Requirements,Guidelines and Procedures for Federal,State and Local Agencies Exchanging Electronic Information with the SSA.Contractor also agrees to ensure that any agents,including a subcontractor to whom it provides County of Fresno 15-92089 Page 20 DHCS Pll,agree to the same requirements for privacy and security safeguards for confidential data that apply to Contractor with respect to such information. 4)Mitigation of Harmful Effects.To mitigate,to the extent practicable,any harmful effect that is known to Contractor of a use or disclosure of Department PI or Pll by Contractor or its subcontractors in violation of this Exhibit E-2. 5)Contractor's Agents and Subcontractors.To impose the same restrictions and conditions set forth in this Exhibit E-2 on any subcontractors or other agents with whom Contractor subcontracts any activities under this Agreement that involve the disclosure of Department PI or Pll to the subcontractor. 6)Availability of Information to DHCS.To make Department PI and Pll available to the Department for purposes of oversight, inspection,amendment,and response to requests for records, injunctions,judgments,and orders for production of Department PI and Pll. If Contractor receives Department Pll,upon request by DHCS,Contractor shall provide DHCS with a list of all employees, contractors and agents who have access to Department Pll, including employees,contractors and agents of its subcontractors and agents. 7)Cooperation with DHCS.With respect to Department PI, to cooperate with and assist the Department to the extent necessary to ensure the Department's compliance with the applicable terms of the CIPA including,but not limited to,accounting of disclosures of Department PI,correction of errors in Department PI,production of Department PI,disclosure of a security breach involving Department PI and notice of such breach to the affected individual(s). 8)Confidentiality of Alcohol and Drug Abuse Patient Records. Contractor agrees to comply with all confidentiality requirements set forth in Title 42 Code of Federal Regulations,Chapter I,Subchapter A,Part 2.Contractor is aware that criminal penalties may be imposed for a violation of these confidentiality requirements. 9)Breaches and Security Incidents.During the term of this Agreement,Contractor agrees to implement reasonable systems for the discovery and prompt reporting of any breach or security incident,and to take the following steps: a.Initial Notice to the Department.(1)To notify the Department County of Fresno 15-92089 Page 21 immediately by telephone call or email or fax upon the discovery of a breach of unsecured Department PI or Pll in electronic media or in any other media if the PI or Pll was,or is reasonably believed to have been,accessed or acquired by an unauthorized person,or upon discovery of a suspected security incident involving Department Pll. (2) To notify the Department within one (1)hour by email or fax if the data is data subject to the SSA Agreement;and within 24 hours by email or fax of the discovery of any suspected security incident,intrusion or unauthorized access,use or disclosure of Department PI or Pll in violation of this Agreement or this Exhibit E-1 or potential loss of confidential data affecting this Agreement.A breach shall be treated as discovered by Contractor as of the first day on which the breach is known, or by exercising reasonable diligence would have been known,to any person (other than the person committing the breach)who is an employee,officer or other agent of Contractor. b.Notice shall be provided to the Information Protection Unit, Office of HIPAA Compliance.If the incident occurs after business hours or on a weekend or holiday and involves electronic Department PI or Pll,notice shall be provided by calling the Department Information Security Officer. Notice shall be made using the DHCS "Privacy Incident Report" form, including all information known at the time.Contractor shall use the most current version of this form,which is posted on the DHCS Information Security Officer website (www.dhcs.ca.gov,then select "Privacy"in the left column and then "Business Partner"near the middle of the page)or use this link: http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/DHCS BusinessAssociatesOnlv.aspx. c. Upon discovery of a breach or suspected security incident, intrusion or unauthorized access,use or disclosure of Department PI or Pll,Contractor shall take: i.Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment;and ii.Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and County of Fresno 15-92089 Page 22 regulations. d.Investigation and Investigation Report.To immediately investigate such suspected security incident,security incident,breach,or unauthorized access,use or disclosure of PHI.Within 72 hours of the discovery,Contractor shall submit an updated "Privacy Incident Report"containing the information marked with an asterisk and all other applicable information listed on the form,to the extent known at that time,to the Department Information Security Officer. e.Complete Report.To provide a complete report of the investigation to the Department Program Contract Manager and the Information Protection Unit within ten (10)working days of the discovery of the breach or unauthorized use or disclosure.The report shall be submitted on the "Privacy Incident Report"form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred.The report shall also include a full,detailed corrective action plan,including information on measures that were taken to halt and/or contain the improper use or disclosure.If the Department requests information in addition to that listed on the "Privacy Incident Report"form,Contractor shall make reasonable efforts to provide the Department with such information.If,because of the circumstances of the incident,Contractor needs more than ten (10)working days from the discovery to submit a complete report,the Department may grant a reasonable extension of time, in which case Contractor shall submit periodic updates until the complete report is submitted.If necessary,a Supplemental Report may be used to submit revised or additional information after the completed report is submitted,by submitting the revised or additional information on an updated "Privacy Incident Report" form.The Department will review and approve the determination of whether a breach occurred and whether individual notifications and a corrective action plan are required. f.Responsibility for Reporting of Breaches.If the cause of a breach of Department PI or Pll is attributable to Contractor or its agents,subcontractors or vendors,Contractor is responsible for all required reporting of the breach as specified in CIPA,section 1798.29and as may be required under the IEA.Contractor shall bear all costs of required g- County of Fresno 15-92089 Page 23 notifications to individuals as well as any costs associated with the breach.The Privacy Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made.The Department will provide its review and approval expeditiously and without unreasonable delay. If Contractor has reason to believe that duplicate reporting of the same breach or incident may occur because its subcontractors,agents or vendors may report the breach or incident to the Department in addition to Contractor, Contractor shall notify the Department,and the Department and Contractor may take appropriate action to prevent duplicate reporting. Department Contact Information.To direct communications to the above referenced Department staff,the Contractor shall initiate contact as indicated herein.The Department reserves the right to make changes to the contact information below by giving written notice to the Contractor.Said changes shall not require an amendment to this Addendum or the Agreement to which it is incorporated. Department Program Contract DHCS Privacy Officer DHCS Information Security Officer See the Exhibit A,Scope of Work for Program Contract Manager information Information Protection Unit c/o:Office of HIPAA Compliance Department of Health Care Services P.O.Box 997413,MS 4722 Sacramento,CA 95899-7413 (916)445-4646 Email: privacvofficer(5)dhcs.ca.gov Telephone:(916)445-4646 Information Security Officer DHCS Information Security Office P.O.Box 997413,MS 6400 Sacramento,CA 95899-7413 Email:iso(Q>dhcs.ca.gov Telephone:ITSD Service Desk (916)440-7000 or (800)579-0874 10)Designation of Individual Responsible for Security Contractor shall designate an individual, (e.g.,Security Officer),to oversee its data security program who shall be responsible for carrying out the requirements of this Exhibit E-2 and for communicating on security matters with the Department. County of Fresno 15-92089 Page 24 EXHIBIT E-3 Miscellaneous Terms and Conditions Applicable to Exhibit E 1)Disclaimer.The Department makes no warranty or representation that compliance by Contractor with this Exhibit E, HIPAA or the HIPAA regulations will be adequate or satisfactory for Contractor's own purposes or that any information in Contractor's possession or control,or transmitted or received by Contractor,is or will be secure from unauthorized use or disclosure.Contractor is solely responsible for all decisions made by Contractor regarding the safeguarding of the Department PHI, PI and Pll. 2)Amendment.The parties acknowledge that federal and state laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Exhibit E may be required to provide for procedures to ensure compliance with such developments.The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA,the HITECH Act,and the HIPAA regulations,and other applicable state and federal laws.Upon either party's request,the other party agrees to promptly enter into negotiations concerning an amendment to this Exhibit E embodying written assurances consistent with the standards and requirements of HIPAA,the HITECH Act,and the HIPAA regulations,and other applicable state and federal laws.The Department may terminate this Agreement upon thirty (30)days written notice in the event: a)Contractor does not promptly enter into negotiations to amend this Exhibit E when requested by the Department pursuant to this section;or b)Contractor does not enter into an amendment providing assurances regarding the safeguarding of Department PHI that the Department deems is necessary to satisfy the standards and requirements of HIPAA and the HIPAA regulations. 3)Judicial or Administrative Proceedings.Contractor will notify the Department ifit is named as a defendant in a criminal proceeding for a violation of HIPAA or other security or privacy law.The Department may terminate this Agreement if Contractor is found guilty of a criminal violation of HIPAA.The Department may terminate this Agreement ifa finding or stipulation that the Contractor has violated any standard or requirement of HIPAA,or other security or privacy laws is made in any administrative or civil proceeding in which the Contractor is a party or County of Fresno 15-92089 Page 25 has been joined.DHCS will consider the nature and seriousness of the violation in deciding whether or not to terminate the Agreement. 4)Assistance in Litigation or Administrative Proceedings.Contractor shall make itself and any subcontractors,employees or agents assisting Contractor in the performance of its obligations under this Agreement, available to the Department at no cost to the Department to testify as witnesses,or otherwise,in the event of litigation or administrative proceedings being commenced against the Department,its directors, officers or employees based upon claimed violation of HIPAA, or the HIPAA regulations,which involves inactions or actions by the Contractor,except where Contractor or its subcontractor,employee or agent is a named adverse party. 5) No Third-Party Beneficiaries.Nothing express or implied in the terms and conditions of this Exhibit E is intended to confer,nor shall anything herein confer,upon any person other than the Department or Contractor and their respective successors or assignees,any rights,remedies, obligations or liabilities whatsoever. 6)Interpretation.The terms and conditions in this Exhibit E shall be interpreted as broadly as necessary to implement and comply with HIPAA,the HITECH Act,and the HIPAA regulations.The parties agree that any ambiguity in the terms and conditions of this Exhibit E shall be resolved in favor of a meaning that complies and is consistent with HIPAA,the HITECH Act and the HIPAA regulations,and,if applicable, any other relevant state and federal laws. 7)Conflict.In case of a conflict between any applicable privacy or security rules,laws,regulations or standards the most stringent shall apply.The most stringent means that safeguard which provides the highest level of protection to PHI, PI and Pll from unauthorized disclosure.Further,Contractor must comply within a reasonable period of time with changes to these standards that occur after the effective date of this Agreement. 8)Regulatory References.A reference in the terms and conditions of this Exhibit E to a section in the HIPAA regulations means the section as in effect or as amended. 9)Survival.The respective rights and obligations of Contractor under Section 3,Item D of Exhibit E-1,and Section 3,Item B of Exhibit E-2, Responsibilities of Contractor,shall survive the termination or expiration of this Agreement. County of Fresno 15-92089 Page 26 10)No Waiver of Obligations.No change,waiver or discharge of any liabilityor obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation,on any other occasion. 11)Audits,Inspection and Enforcement.From time to time, and subject to all applicable federal and state privacy and security laws and regulations,the Department may conduct a reasonable inspection of the facilities,systems,books and records of Contractor to monitor compliance with this Exhibit E.Contractor shall promptly remedy any violation of any provision of this Exhibit E.The fact that the Department inspects,or fails to inspect,or has the right to inspect,Contractor's facilities,systems and procedures does not relieve Contractor of its responsibility to comply with this Exhibit E.The Department's failure to detect a non-compliant practice,or a failure to report a detected non- compliant practice to Contractor does not constitute acceptance of such practice or a waiver of the Department's enforcement rights under this Agreement,including this Exhibit E. 12)Due Diligence.Contractor shall exercise due diligence and shall take reasonable steps to ensure that it remains in compliance with this Exhibit E and is in compliance with applicable provisions of HIPAA,the HITECH Act and the HIPAA regulations,and other applicable state and federal law,and that its agents,subcontractors and vendors are in compliance with their obligations as required by this Exhibit E. 13)Term.The Term ofthis Exhibit E-1 shall extend beyond the terminationof the Agreement and shall terminate when all Department PHI is destroyed or returned to the Department,in accordance with 45 CFR Section 164.504(e)(2)(iiXI).and"wnen a"Department PI and Pll is destroyed in accordance with Attachment A. 14)Effect of Termination.Upon termination or expiration of this Agreement for any reason,Contractor shall return or destroy all Department PHI, PI and Pll that Contractor still maintains in any form,and shall retain no copies of such PHI, PI or Pll.If return or destruction is not feasible, Contractor shall notify the Department of the conditions that make the return or destruction infeasible,and the Department and Contractor shall determine the terms and conditions under which Contractor may retain the PHI, PI or Pll.Contractor shall continue to extend the protections of this ExhibitE to such Department PHI, PI and Pll, and shall limit further use of such data to those purposes that make the return or destruction of such data infeasible.This provision shall apply to Department PHI, PI and Pll that is in the possession of subcontractors or agents of Contractor. 1.Personnel Controls Attachment A Data Security Requirements County of Fresno 15-92089 Page 27 A.Employee Training.All workforce members who assist in the performance of functions or activities on behalf of the Department,or access or disclose Department PHI or PI must complete information privacy and security training,at least annually,at Contractor's expense. Each workforce member who receives information privacy and security training must sign a certification,indicating the member's name and the date on which the training was completed.These certifications must be retained for a period of six (6)years following termination of this Agreement. B.Employee Discipline.Appropriate sanctions must be applied against workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements,including termination of employment where appropriate. C.Confidentiality Statement.All persons that will be working with Department PHI or PI must sign a confidentiality statement that includes, at a minimum,General Use,Security and Privacy Safeguards, Unacceptable Use,and Enforcement Policies.The statement must be signed by the workforce member priorto access to Department PHI or PI. The statement must be renewed annually.The Contractor shall retain each person's written confidentiality statement for Department inspection for a period of six (6)years following termination of this Agreement. D.Background Check.Before a member of the workforce may access Department PHI or PI, a background screening of that worker must be conducted.The screening should be commensurate with the risk and magnitude of harm the employee could cause,with more thorough screening being done for those employees who are authorized to bypass significant technical and operational security controls. The Contractor shall retain each workforce member's background check documentation for a period of three (3)years. 2.Technical Security Controls A.Workstation/Laptop encryption.All workstations and laptops that store Department PHI or PI either directly or temporarily must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher,such as County of Fresno 15-92089 Page 28 Advanced Encryption Standard (AES).The encryption solution must be full disk unless approved by the Department Information Security Office. B.Server Security.Servers containing unencrypted Department PHI or PI must have sufficient administrative,physical,and technical controls in place to protect that data,based upon a risk assessment/system security review. C.Minimum Necessary.Only the minimum necessary amount of Department PHI or PI required to perform necessary business functions may be copied, downloaded,or exported. D.Removable media devices.All electronic files that contain Department PHI or PI data must be encrypted when stored on any removable media or portable device (i.e. USB thumb drives,floppies,CD/DVD, Blackberry, backup tapes etc.).Encryption must be a FIPS 140-2 certified algorithm which is 128bit or higher,such as AES. E.Antivirus software.All workstations,laptops and other systems that process and/or store Department PHI or PI must install and actively use comprehensive anti-virus software solution with automatic updates scheduled at least daily. F.Patch Management.All workstations,laptops and other systems that process and/or store Department PHI or PI must have critical security patches applied,with system reboot if necessary.There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations.At a maximum, all applicable patches must be installed within 30 days of vendor release.Applications and systems that cannot be patched withinthis time frame due to significant operational reasons must have compensatory controls implemented to minimize risk until the patches can be installed. Applications and systems that cannot be patched must have compensatory controls implemented to minimize risk,where possible. G.User IDs and Password Controls.All users must be issued a unique user name for accessing Department PHI or PI.Usemame must be promptly disabled,deleted,or the password changed upon the transfer or termination of an employee with knowledge of the password.Passwords are not to be shared.Passwords must be at least eight characters and must be a non- dictionary word.Passwords must not be stored in readable format on the computer.Passwords must be changed at least every 90 days,preferably every 60 days.Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: County of Fresno 15-92089 Page 29 1)Upper case letters (A-Z) 2)Lower case letters (a-z) 3)Arabic numerals (0-9) 4)Non-alphanumeric characters (punctuation symbols) H.Data Destruction.When no longer needed,all Department PHI or PI must be wiped using the Gutmann or US Department of Defense (DoD)5220.22-M (7 Pass)standard,or by degaussing.Media may also be physically destroyed in accordance with NIST Special Publication 800-88.Other methods require prior written permission of the Department Information Security Office. I.System Timeout.The system providing access to Department PHI or PI must provide an automatic timeout,requiring re-authentication of the user session after no more than 20 minutes of inactivity. J.Warning Banners.All systems providing access to Department PHI or PI must display a warning banner stating that data is confidential,systems are logged,and system use is for business purposes only by authorized users.User must be directed to log off the system if they do not agree with these requirements. K.System Logging.The system must maintain an automated audit trail which can identify the user or system process which initiates a request for Department PHI or PI, or which alters Department PHI or PI.The audit trail must be date and time stamped,must log both successful and failed accesses,must be read only,and must be restricted to authorized users. If Department PHI or PI is stored in a database,database logging functionality must be enabled.Audit trail data must be archived for at least 3 years after occurrence. L.Access Controls.The system providing access to Department PHI or PI must use role based access controls for all user authentications,enforcing the principle of least privilege. M.Transmission encryption.All data transmissions of Department PHI or PI outside the secure internal network must be encrypted using a FIPS 140-2 certified algorithm which is 128bit or higher,such as AES. Encryption can be end to end at the network level, or the data files containing Department PHI can be encrypted.This requirement pertains to any type of Department PHI or PI in motion such as website access,file transfer,and E-Mail. County of Fresno 15-92089 Page 30 N.Intrusion Detection.All systems involved in accessing,holding, transporting,and protecting Department PHI or PI that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution. Audit Controls A.System Security Review.Contractor must ensure audit control mechanisms that record and examine system activity are in place.All systems processing and/or storing Department PHI or PI must have at least an annual system risk assessment/security review which provides assurance that administrative,physical,and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools. B.Log Reviews.All systems processing and/or storing Department PHI or PI must have a routine procedure in place to review system logs for unauthorized access. C.Change Control.All systems processing and/or storing Department PHI or PI must have a documented change control procedure that ensures separation of duties and protects the confidentiality,integrity and availability of data. County of Fresno 15-92089 Page 31 4.Business Continuity /Disaster Recovery Controls A.Emergency Mode Operation Plan.Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of Department PHI or PI held in an electronic format in the event of an emergency.Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than 24 hours. B.Data Backup Plan.Contractor must have established documented procedures to backup Department PHI to maintain retrievable exact copies of Department PHI or PI.The plan must include a regular schedule for making backups,storing backups offsite,an inventory of backup media,and an estimate of the amount of time needed to restore Department PHI or PI should it be lost. At a minimum,the schedule must be a weekly full backup and monthly offsite storage of Department data. 5.Paper Document Controls A.Supervision of Data.Department PHI or PI in paper form shall not be left unattended at any time,unless it is locked in a file cabinet,file room,desk or office.Unattended means that information is not being observed by an employee authorized to access the information.Department PHI or PI in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes. B.Escorting Visitors.Visitors to areas where Department PHI or PI is contained shall be escorted and Department PHI or PI shall be kept out of sight while visitors are in the area. C.Confidential Destruction.Department PHI or PI must be disposed of through confidential means,such as cross cut shredding and pulverizing. D.Removal of Data.Only the minimum necessary Department PHI or PI may be removed from the premises of the Contractor except with express written permission of the Department.Department PHI or PI shall not be considered "removed from the premises"ifit is only being transported from one of Contractor's locations to another of Contractors locations. E.Faxing.Faxes containing Department PHI or PI shall not be left unattended and fax machines shall be in secure areas.Faxes shall contain a confidentiality statement notifying persons receiving faxes in County of Fresno 15-92089 Page 32 error to destroy them.Fax numbers shall be verified with the intended recipient before sending the fax. F.Mailing.Mailings containing Department PHI or PI shall be sealed and secured from damage or inappropriate viewing of such PHI or PI to the extent possible.Mailings which include 500 or more individually identifiable records of Department PHI or PI in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt,unless the prior written permission of the Department to use another method is obtained. £*Wibi'+£_ INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION (SSA) AND THE CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES (STATE AGENCY) A.PURPOSE:The purpose of this Information Exchange Agreement ("IEA")isto establish terms,conditions,and safeguards under which SSA will disclose tothe State Agency certain information,records,or data(herein"data")to assistthe StateAgencyin administering certain federally funded state-administered benefit programs (including state-funded state supplementary payment programs under Title XVI ofthe Social Security Act)identified in this IEA. By enteringintothis IEA,the StateAgencyagreesto complywith: • the terms and conditions set forth in the Computer Matching and Privacy Protection Act Agreement ("CMPPA Agreement")attached as Attachment 1,governing the State Agency's useofthedata disclosed from SSA's PrivacyActSystemof Records;and • all other terms and conditions set forth in this IEA. B.PROGRAMS AND DATA EXCHANGE SYSTEMS:(1) TheStateAgency willusethe data received or accessed from SSA under this IEA for the purpose of administering the federally funded,state-administered programs identified in Table 1 below. In Table 1,the State Agency has identified:(a)each federally funded,state-administered program thatit administers;and(b)eachSSAdata exchange system to which theStateAgency needs access in order to administerthe identified program. The list of SSA's data exchange systemsis attached as Attachment 2: TABLE 1 FEDERALLY FUNDED BENEFIT PROGRAMS Program SSA Data Exchange System (s) [X]Medicaid BENDEX/SDXVEVS/SVES/SOLQ/SVESI-Citizenship /Quarters of Coverage/Prisoner Query Q Temporary Assistance to Needy Families (TANF) O Supplemental Nutrition Assistance Program (SNAP-formally Food Stamps)' •Unemployment Compensation (Federal) •Unemployment Compensation (State) •State Child Support Agency •Low-Income Home Energy Assistance Program (LI-HEAP) n Workers Compensation •Vocational Rehabilitation Services ^ •Foster Care (IV-E) •State Health Insurance Program (S-CHIP) • Women, Infants and Children (W.I.C.) [X]Medicare Savings Programs (MSP)LIS File [X]Medicare 1144 (Outreach)Medicare 1144 Outreach File •OtherFederally Funded,State-Administered Programs (ListBelow) Program SSA Data Exchange System(s) (2) The State Agency will use each identified data exchange system only for the purpose of administeringthe specificprogramfor whichaccess to the dataexchange system is provided. SSA data exchange systems are protected by the Privacy Act and federal law prohibits the use of SSA's datafor anypurpose otherthanthepurpose ofadministering the specific program for which such data is disclosed. In particular, the State Agency will use: (a)the tax return data disclosed by SSA only to determine individual eligibility for, or the amount of, assistance under a state plan pursuant to Section 1137 programs and child support enforcement programs in accordance with 26 U.S.C. §6103(1)(8);and (b) the citizenship status data disclosed by SSA under the Children's Health Insurance Program Reauthorization Act of 2009, Pub. L.111-3,only for the purpose of determining entitlement to Medicaid and CHIP program for new applicants. The State Agency also acknowledges that SSA's citizenship data maybe lessthan 50percent current. Applicants for SSNsreport their citizenship data at the time they apply for their SSNs; there is no obligation for an individual to report to SSA a change in his or her immigration status until he or she files a claim for benefits. PROGRAM QUESTIONNAIRE:Prior to signing this IEA, the State Agency will complete and submit to SSA a program questionnaire for each of the federally funded, state- administered programs checked in Table 1 above. SSA will not disclose any data under this IEA until it has received and approved the completed program questionnaire for each of the programs identified in Table 1 above. #» D.TRANSFER OF DATA:SSA will transmit the data to the State Agency under this IEA using the data transmission method identified in Table 2 below: TABLE 2 TRANSFER OF DATA ~ Q Data will be transmitted directly between SSA andthe State Agency. [X]Data will be transmitted directly between SSA and the California Office of Technology (State Transmission/Transfer Component ("STC"))by the File Transfer Management System, a secure mechanism approved by SSA. The STC will serve as the conduit between SSA and the State Agency pursuant to the State STC Agreement. O Data will be transmitted directly between SSA andthe Interstate Connection Network ("ICON"). ICON is a wide area telecommunications network connecting state agencies that administer the state unemployment insurance laws. When receiving data through ICON, the State Agency will comply with the "Systems Security Requirements for SSA Web Access to SSA Information Through the ICON,"attached as Attachment 3. E.SECURITY PROCEDURES:The State Agency will comply with limitations on use, treatment,and safeguarding of data under the Privacy Act of 1974 (5 U.S.C.552a),as amended by the Computer Matching and Privacy Protection Act of 1988,related Office of Management and Budget guidelines,the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541, et seq.), and related National Institute of Standards and Technology guidelines. In addition, the State Agencywill comply with SSA's "Information System Security Guidelines for Federal, State andLocal Agencies Receiving Electronic Information from the Social Security Administration,"attached as Attachment 4.For any tax return data, the State Agency will also comply with the "Tax Information Security Guidelines for Federal, State and Local Agencies," Publication 1075,published by the Secretary of the Treasury and available at the following Internal Revenue Service (IRS)website: http://www.irs.gov/pub/irs-pdf/pl075.pdf.This IRS Publication 1075 is incorporated by reference into this IEA. F.CONTRACTOR/AGENT RESPONSIBILITIES:The State Agency will restrict access to the data obtained from SSA to only those authorized State employees,contractors,and agents who need such data to perform their official duties in connection with purposes identified in this IEA. At SSA's request, the State Agency will obtain from each of its contractors and agents a current list of the employees of its contractors and agents who have access to SSA data disclosedunder thisIEA. The StateAgencywill require its contractors, agents, and all employees of such contractorsor agents withauthorized access to the SSA data disclosed under this IEA, to complywith the terms and conditions set forth in this IEA, and not to duplicate, disseminate, or disclose such data without obtaining SSA's prior written approval. In addition, the State Agency will comply with the limitations on use, duplication, and redisclosure of SSA data set forth in Section IX.of the CMPPA Agreement,especially with respect to its contractors and agents. >m% G.SAFEGUARDING AND REPORTING RESPONSIBILITIES FOR PERSONALLY IDENTIFIABLE INFORMATION ("PII"): 1. TheState Agency willensurethatits employees,contractors,and agents: a. properly safeguardPII furnishedby SSAunder this IEA from loss, theft or inadvertent disclosure; b. understandthattheyare responsible for safeguarding thisinformationat all times, regardless ofwhetherornotthe State employee,contractor,or agentis athisorher regular duty station; c. ensurethatlaptopsandother electronic devices/media containing PII are encrypted and/or password protected; d. send emails containing PII only if encryptedor if to and from addresses that are secure;and e. limit disclosure ofthe information anddetailsrelatingtoa PII loss onlyto thosewith a need to know. 2. If an employee ofthe State Agency oran employee oftheStateAgency's contractor or agent becomes aware of suspected or actualloss of PII, he or she must immediately contactthe State Agency official responsible for Systems Security designated belowor hisorher delegate.ThatState Agency official ordelegatemust men notifythe SSA Regional OfficeContactandtheSSA Systems Security Contact identifiedbelow. If,for anyreason,theresponsibleState Agency officialor delegateis unableto notify theSSA Regional Office ortheSSA Systems Security Contactwithin1hour,the responsible State Agency official or delegate must call SSA's Network Customer Service Center ("NCSC")at 410-965-7777 or tollfreeat 1-888-772-6661 toreport the actualor suspectedloss. TheresponsibleStateAgencyofficialordelegatewill use the worksheet, attached as Attachment 5,to quickly gatherand organize information about the incident. The responsibleStateAgency official or delegate mustprovideto SSA timelyupdatesas any additional information about the loss of PII becomes available. 3. SSA will make the necessary contactwithinSSA to file a formalreport in accordance with SSA procedures. SSA will notifythe Departmentof Homeland Security's United States Computer Emergency ReadinessTeam if loss or potential loss of PII related to a data exchange under this IEA occurs. 4.If the State Agency experiences a loss or breach of data, it will determine whether or not to provide notice to individuals whose data has been lost of breached and bear any costs associated with the notice or any mitigation. H.POINTS OF CONTACT: FOR SSA San Francisco Regional Office: Ellery Brown Data Exchange Coordinator Frank Hagel Federal Building 1221 Nevin Avenue Richmond CA 94801 Phone:(510)970-8243 Fax:(510)970-8101 Email:Ellery.Brown@ssa.gov Systems Issues: Pamela Riley Office of Earnings,Enumeration & Administrative Systems DIVES/Data Exchange Branch 6401 Security Boulevard Baltimore,MD 21235 Phone: (410)965-7993 Fax:(410)966-3147 Email:Pamela.Riley@ssa.gov FOR STATE AGENCY Agreement Issues: Manuel Urbina Chief,Security Unit Policy Operations Branch Medi-Cal Eligibility Division 1501 Capitol Avenue, MS 4607 Sacramento,CA 95814 Phone:(916)650-0160 Email:Manuel.Urbina@dhcs.ca.gov Data Exchange Issues: GuyFortson Office of Electronic Information Exchange GD10 East High Rise 6401 Security Boulevard Baltimore,MD 21235 Phone:(410)597-1103 Fax:(410)597-0841 Email:guy.fortson@ssa.gov Systems Security Issues: Michael G.Johnson Acting Director Office of Electronic Information Exchange Office of Strategic Services 6401 Security Boulevard Baltimore,MD 21235 Phone:(410)965-0266 Fax: (410)966-0527 Email:Michael.G.Johnson@ssa.gov Technical Issues: Fei Collier Chief, Application Support Branch Information Technology Services Division 1615 Capitol Ave, MS 6100 Sacramento,CA 95814 Phone:(916)440-7036 Email:Fei.Collier@dhcs.ca.gov DURATION:The effective date of this IEA is January 1, 2010. This IEA will remain in effect for as long as: (1)a CMPPAAgreementgoverning this IEAis in effect betweenSSA and the State or the StateAgency; and (2) the State Agency submits a certification in accordance with Section J. below at least 30 days before the expiration and renewal of such CMPPA Agreement. J.CERTIFICATION AND PROGRAM CHANGES:At least 30 days before the expiration and renewal of the State CMPPAAgreementgoverningthis IEA,the State Agency will certify in writing to SSA that:(I)it is incompliance with the terms and conditions of this IEA; (2) the data exchange processes under this IEA have been and will be conducted without change; and (3) it will, upon SSA's request, provide audit reports or other documents that demonstrate review and oversightactivities.If there aresubstantive changes inany of the programs or data exchange processes listed in this IEA, the parties will modify the IEA in accordance with Section K.below and the State Agency will submit for SSA's approval new program questionnaires under Section C. above describing such changes prior to using SSA's data to administer such new or changed program. K.MODIFICATION:Modificationstothis IEAmust be in writingand agreed to by the parties. L.TERMINATION:The parties may terminatethis IEA at any time upon mutual written consent. In addition, either party may unilaterallyterminate this IEA upon 90 days advance written notice to the other party. Such unilateral termination will be effective 90 days after the date of the notice, or at a later date specified in the notice. SSA may immediately and unilaterally suspend the data flow under this IEA, or terminate this IEA,if SSA, in its sole discretion,determines that the State Agency (including its employees,contractors,and agents) has: (1) made an unauthorized use or disclosure of SSA- supplied data; or (2) violated or failed to follow the terms and conditions of this IEA or the CMPPA Agreement. M.INTEGRATION:This IEA, including all attachments,constitutes the entire agreement of the parties with respect to its subject matter. There have been no representations,warranties, or promises made outside of this IEA. This IEA shall take precedence over any other document that may be in conflict with it. ATTACHMENTS 1-CMPPA Agreement 2 - SSA Data Exchange Systems 3- SystemsSecurity Requirements forSSAWebAccessto SSAInformation Through ICON 4 -Information System Security Guidelines for Federal,State and Local Agencies Receiving Electronic Information from the Social Security Administration 5 -PEI Loss Reporting Worksheet P/ N.SSA AUTHORIZED SIGNATURE:The signatory below warrants and represents that he or she has the competent authority on behalf of SSA to enter into the obUgations set forth in this IEA. .SOCIAL SECURiTY ADMINISTRATION Michael Q.Gallagher Assistant Deputy Corrrfnissioner for Budget, Financeand Management Date s/ja/gy O.REGIONAL AND STATE AGENCY SIGNATURES: SOCIAL SECURITY ADMINISTRATION REGION IX Peter D. Spencer( San Francisco Regional Commissioner /o/ac?JDf Date THE CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES The signatory below warrants and represents thathe orshehas the competent authority on behalf of the State Agencyto enter intothe obligationsset forth in this IEA. TobyDrjfugr ChiefDeputy Director,Health Care Programs Date >:w 2015 IEA Certification of Compuance (IEA-F) CERTIFICATION OF COMPLIANCE FOR THE INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION (SSA) AND THE CALIFORNIA DEPARTMENT OF HEALTH CARE SERVICES (STATE AGENCY) (StateAgency Level) In accordancewith the terms of the InformationExchange Agreement (IEA/F)between SSAand the State Agency,the State Agency,through its authorized representative,hereby certifies that, as of the date of this certification: 1.TheState Agency isin compliance withthetermsand conditions of the IEA/F. 2. The State Agency has conducted thedata exchange processes under the IEA/F without change,exceptas modified in accordance withthe IEA/F. 3.The State Agency will continue to conduct the data exchange processes under the IEA/F without change,except asmaybe modified in accordance withthe IEA/F. 4.Upon SSA's request,the State Agency will provide audit reports or other documents that demonstrate compliance with the review and oversight activities required under the IEA/Fandthe governing Computer Matching and Privacy Protection Act Agreement. 5. In compliance with the requirements of the "Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information withthe Social Security Administration,"(last updated April 2014) Attachment 4tothe IEA/F,as periodically updated by SSA,the State Agency hasnot made any changes in the following areas that could potentially affect the security of SSA data: •General System Security Design and Operating Environment • System Access Control •Automated Audit Trail • Monitoringand Anomaly Detection •Management Oversight •Data and Communications Security •Contractors of Electronic Information Exchange Partners The State Agency will submit an updated Security Design Plan at least 30 days prior to making any changes to the areas listed above and provide updated contractor employee lists before allowing new employees'access to SSA provided data. 2015 IEA Certification of Compliance (IEA-F) 6. TheState Agency agrees thatuseof computer technology to transferthe dataismore economical,efficient, and fasterthan using a manual process. As such, the State Agency- will continue to utilize data exchange to obtain data it needs to administer the programs for which it is authorized under the IEA/F. Further, before directing an individual to an SSA field officeto obtain data,the State Agency will verify that the information it submitted toSSAviadata exchanges iscorrect,andverifywiththe individual thatthe information he/she supplied is accurate.Theuseof electronic data exchange expedites programadministrationand limitsSSAfield office traffic. The signatory below warrants and represents thatheor sheisa representative oftheState Agency duly authorized to make this certification onbehalfofthe State Agency. DEPARTMENT OF HEALTH CARE SERVICES OF CALIFORNIA Toby Douglas Director Date ATTACHMENT 1 COMPUTER MATCHING AND PRIVACY PROTECTION ACT AGREEMENT Model CMPPA Agreement COMPUTER MATCHING AND PRIVACY PROTECTION ACT AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE HEALTH AND HUMAN SERVICES AGENCY OF CALIFORNIA I. Purpose and Legal Authority A.Purpose This Computer Matching and Privacy Protection Act (CMPPA)Agreement between theSocialSecurity Administration (SSA)andthe California Health and HumanServicesAgency(State Agency)sets forth the termsand conditions governing disclosures of records,information,or data (collectively referred to herein as "data")made by SSA to the State Agency that administers federally funded benefit programs,including those under various provisions ofthe Social Security Act (Act),such as section 1137 (42 U.S.C.§1320b-7),as well as the state-funded state supplementary payment programs underTitleXVIof the Act. The terms and conditions of this Agreement ensure that SSA makes such disclosures of data, and the State Agency usessuch disclosed data, in accordance with the requirements of the Privacy Act of 1974,as amended by the CMPPA of 1988,5 U.S.C.§552a. Under section 1137 of the Act,theState Agency is required to use an income and eligibility verification system to administer specified federally funded benefit programs,including the state-funded state supplementary payment programs under Title XVI of the Act.To assist the State Agency in determining entitlement to and eligibility for benefits under those programs,aswellas other federally funded benefit programs,SSA discloses certain data about applicants (and in limited circumstances,members ofan applicant's household),forstate benefits from SSA Privacy Act Systems of Records (SOR)and verifies the Social Security numbers (SSN) of the applicants. B. Legal Authority SSA's authorityto disclosedata and the StateAgency's authorityto collect, maintain,andusedata protected under SSASORsfor specified purposes is: • Sections 1137,453, and 1106(b) of theAct (42 U.S.C. §§ 1320b-7,653, and 1306(b)) (income and eligibility verification data); • 26 U.S.C. § 6103(I)(7)and (8) (tax return data); • Section 202(x)(3)(B)(iv)of theAct(42 U.S.C.§ 402(x)(3)(B)(iv)) (prisoner data); •Section 1611(e)(l)(I)(iii)of the Act (42 U.S.C.§1382(e)(l)(I)(iii) (Supplemental Security Income (SSI)); •Section 205(r)(3)of the Act (42 U.S.C.§405(r)(3))and the Intelligence Reform and Terrorism Prevention Actof 2004,Pub.L.108-458, §7213(a)(2)(death data); •Sections 402,412,421,and 435 of Pub.L.104-193 (8 U.S.C.§§1612, 1622,1631,and 1645)(quarters of coverage data); • Children's Health Insurance Program Reauthorization Actof 2009 (CHIPRA),Pub.L.111-3 (citizenship data);and •Routine use exception to the Privacy Act,5 U.S.C.§552a(b)(3)(data necessary to administer other programs compatible with SSA programs). This Agreement further carries out section 1106(a)of the Act (42 U.S.C.§1306), the regulations promulgated pursuant to that section (20 C.F.R.Part 401),the Privacy Actof 1974 (5 U.S.C.§552a),as amended by the CMPPA,related Office' of Management and Budget (OMB)guidelines,the Federal Information Security Management Act of 2002 (FISMA)(44 U.S.C.§3541,et seq.),and related National Institute of Standards and Technology (NIST)guidelines,which provide the requirements that the State Agency must follow with regard to use,treatment, and safeguarding of data. II.Scope A.The State Agency will comply with the terras and conditions of this Agreement and the Privacy Act, as amended by the CMPPA. B. The State Agency will execute oneor more Information Exchange Agreements (IEA)with SSA,documenting additional terms and conditions applicable to those specific data exchanges,including the particular benefit programs administered by the State Agency,the data elements that will be disclosed,and the data protection requirements implemented to assist theState Agency in the administration of those programs. C. TheState Agency willusetheSSA data governed by this Agreement to determine entitlement and eligibility of individuals foroneor more of the following programs: 1.Temporary Assistance to Needy Families (TANF)programunderPartA of Title IV of the Act; 2.Medicaid provided underan approved Stateplanor an approved waiver under Title XIX of the Act; 3. State Children's Health Insurance Program (CHIP) under Title XXI of theAct, asamendedby the Children's HealthInsurance Program Reauthorization Act of 2009; 4.Supplemental Nutritional Assistance Program (SNAP)under the Food Stamp Actof 1977 (7 U.S.C.§2011,et seq.); 5.Women,Infants and Children Program (WIC)under the Child Nutrition Act of 1966(42 U.S.C.§1771,etseq.); 6.Medicare Savings Programs (MSP)under 42 U.S.C.§1396a(10)(E); 7.Unemployment Compensation programs provided under a state law described insection3304 of theInternal Revenue Code of 1954; 8.Low Income Heating and Energy Assistance (LIHEAP or home energy grants) program under 42 U.S.C.§ 8621; 9.State-administered supplementary payments of the type described in section 1616(a)of the Act; 10.Programs under a plan approved under Titles I,X,XIV,or XVI of the Act; 11.Foster Care and Adoption Assistance under TitleIVof the Act; 12.Child Support Enforcement programs under section453of theAct (42 U.S.C.§653); 13.Other applicable federally funded programs administered by the State Agency underTitlesI,IV,X,XIV,XVI,XVIII,XIX,XX,and XXI of the Act;and 14.Any other federally funded programs administered by the State Agency that are compatible with SSA's programs. D.The State Agency will ensure that SSA data disclosed for the specific purpose of administering a particular federally funded benefit program is used only to administer that program. III.Justification and Expected Results A.Justification This Agreement and related data exchanges with the State Agency are necessary for SSAto assist the State Agency inits administration of federally funded benefit programsby providingthe datarequiredto accuratelydetermine entitlement and eligibility of individuals for benefits provided under these programs.SSA uses computer technology to transfer thedata because itis more economical,efficient, and faster thanusingmanual processes. B.Expected Results TheState Agency will use thedata provided bySSAto improve public service and program efficiency and integrity.The useofSSA dataexpedites the application process and ensures that benefits are awarded onlyto applicants that satisfytheStateAgency's program criteria.A cost-benefit analysisforthe exchange made under this Agreement is not required in accordance with the determination bytheSSA Data Integrity Board (DIB)to waive such analysis pursuant to 5 U.S.C. § 552a(u)(4)(B). IV.Record Description A. Systems of Records SSA SORs used for purposes of the subject data exchanges include: .60-0058-Master Files of SSN Holders and SSN Applications; •60-0059 -Earnings Recording and Self-Employment Income System; • 60-0090 - MasterBeneficiaryRecord; •60-0103 -Supplemental Security Income Record (SSR)and Special Veterans Benefits (SVB); •60-0269-Prisoner Update Processing System (PUPS);and .60-0321 -Medicare PartD and PartD Subsidy File. The State Agencywillonly use the taxreturndata containedin SOR 60-0059 (Earnings Recording and Self-Employment Income System)in accordance with 26 U.S.C.§6103. B.Data Elements Data elements disclosed in computer matching governed by this Agreement are Personally Identifiable Information (PII)from specified SSA SORs,including names,SSNs,addresses,amounts,and other information related to SSA benefits • and earnings information. Specificlistingsof data elements areavailableat: http://www.ssa.gov/dataexchange/ C.Number of Records Involved The number of records for each program covered under this Agreement is equal to the number ofTitleII,Title XVI,orTitle XVIII recipients resident inthe Slate as recorded in SSA's Annual Statistical Supplement foundon the Internet at: http://www.ssa.gov/policy/docs/statcomps/ This number will fluctuate during the term of this Agreement,corresponding to the number ofTitle II,Title XVI,and Title XVIII recipients added to,or deleted from,SSA databases. V.Notice and Opportunity to Contest Procedures A. Notice to Applicants TheState Agency willnotifyall individuals whoapplyfor federally funded, state-administered benefits under the Act that any data they provide are subject to verification through computermatchingwithSSA. TheState Agency andSSA will provide such notice through appropriate language printed on application forms or separate handouts. B.Notice to Beneficiaries/Recipients/Annuitants The State Agency will provide notice to beneficiaries,recipients,and annuitants under the programs covered by this Agreement informing them of ongoing computer matching with SSA.SSA will provide such notice through publication in the Federal Register and periodic mailings to all beneficiaries,recipients,and annuitants describing SSA's matching activities. C.Opportunity to Contest The State Agency will not terminate,suspend,reduce,deny,or take other adverse action against an applicant for or recipient of federally funded,state-administered benefits based on data disclosed bySSA from itsSORs until the individual is notified in writing of the potential adverse action and provided an opportunity to contest the planned action."Adverse action"means any action that results ina termination,suspension,reduction,or final denial of eligibility,payment,or benefit.Such notices will: 1.Inform the individual of the match findings and the opportunity to contest these findings; 2.Give the individual until the expiration of any time period established for the relevant program by a statute or regulation for the individual to respond to the notice,If no such time period is established by a statute or regulation for the program,a 30-day period will be provided.The time period begins on the date on which notice is mailed or otherwise provided to the individual to respond;and 3.Clearly state that,unless the individual responds to the notice in the required timeperiod,theState Agency will conclude that theSSAdataare correct and. will effectuate the threatened action or otherwise make the necessary adjustment to the individual's benefit or entitlement. VI.Records Accuracy Assessment and Verification Procedures Pursuant to 5 U.S.C. § 552a(p)(l)(A)(ii), SSA's DIB has determined that theState Agency may useSSA's benefit data without independent verification.SSA has independently assessed the accuracy of its benefits data to be more than 99 percent accurate when the benefit record is created. Prisoner and death data,someof which isnot independently verified by SSA,does not have the same degree of accuracy as SSA's benefit data. Therefore, the State Agency must independently verify these data through applicable State verification procedures and the notice and opportunity to contest procedures specified in Section Vof this Agreement before taking any adverse action against any individual. Based on SSA's Office of Quality Performance "FY 2009 Enumeration Quality Review Report #2—The 'Numident'(January 2011),"the SSA Enumeration System database (the Master Files of SSN Holders and SSN Applications System)used for SSN matching is 98 percent accurate for records updated by SSA employees. Individuals applying for SSNs report their citizenship status at the time they apply for their SSNs.There is no obligation for an individual to report to SSA a change in his or her immigration status until he or she files for a Social Security benefit.The State Agency must independently verify citizenship data through applicable State verification procedures and the notice and opportunity to contest procedures specified in Section Vof this Agreement before taking any adverse action against any individual. VII.Disposition and Records Retention of Matched Items A.The State Agency will retain all data received from SSA to administer programs governed by this Agreement only for the required processing times for the applicable federally funded benefit programs and will then destroy all such data. B.The State Agency may retain SSA data in hardcopy to meet evidentiary requirements,provided that they retire such data in accordance with applicable state laws governingthe State Agency's retention of records. C.The State Agency may use any accretions,deletions,or changes to the SSA data governed by this Agreement to update their master files of federally funded, state-administered benefit program applicants and recipients and retain such master files in accordance with applicable state laws governing the State Agency's retention of records. D.The State Agency may not create separate files or records comprised solely of the data provided by SSA to administer programs governed by this Agreement. E.SSA will delete electronic data input files received from the State Agency after it processes the applicable match. SSA will retire its data in accordance with the Federal Records Retention Schedule (44 U.S.C.§3303a). VIII.Security Procedures The State Agency will comply with the security and safeguarding requirements of the PrivacyAct,as amended bythe CMPPA,related OMB guidelines,FISMA,related NIST guidelines,and the current revision of Internal Revenue Service (IRS) Publication 1075,Tax Information Security Guidelines for Federal,State and Local Agencies,available at http://www.irs.gov.In addition,the State Agency will have in place administrative,technical,and physical safeguards forthe matched dataand results of such matches.Additional administrative,technical,and physical security requirements governing all data SSA provides electronically to the State Agency, including specific guidance on safeguarding and reporting responsibilities for PII,are set forth in the IEAs. IX.Records Usage,Duplication,and Redisclosure Restrictions A.The State Agency will use and access SSA data and the records created using that data only for the purpose of verifying eligibility for the specific federally funded benefit programs identified in the IEA. B.The State Agency will comply with the following limitations on use,duplication, and redisclosure of SSA data: 1. TheState Agency will not use or redisclose the data disclosed bySSAfor any purpose other than to determine eligibility for, or the amount of, benefits under the state-administered income/health maintenance programs identified in this Agreement. 2. The State Agencywillnotextract informationconcerningindividualswhoare neitherapplicantsfor, nor recipientsof, benefitsunder the state-administered • income/health maintenance programs identified in this Agreement.In limited circumstances thatare approved bySSA, theStateAgencymayextract information aboutan individual otherthanthe applicant/recipient whenthe applicant/recipient has provided identifying information aboutthe individual andthe individual's income or resources affectthe applicant's/recipient's eligibility for such program. 3. The State Agency will not disclose to an applicant/recipient information about another individual(i.e.,an applicant's householdmember)withoutthe written consent from the individual to whom the informationpertains. 4. TheState Agency willusethe Federal tax information (FTI)disclosed bySSA only to determine individualeligibility for, or the amount of, assistanceunder a state plan pursuant to section 1137 programs and child support enforcement programsin accordance with26 U.S.C. §6103(1)(7)and (8). The State Agency receiving FTI will maintain all FTI from IRS in accordance with 26 U.S.C. §6103(p)(4)and theIRS Publication1075. Contractorsand agents acting on behalf of the State Agency will only have access to tax return data where specifically authorized by 26 U.S.C. § 6103 and the current revision IRS Publication 1075. 5. 7. The State Agency will use the citizenship status data disclosed by SSA under CHIPRA,Pub.L.111-3,only for the purpose of determining entitlement to Medicaid and CHIP programs for new applicants. The State Agency will restrict access to the data disclosed by SSA to only those authorized State employees,contractors,and agents who need such data to perform their official duties in connection with the purposes identified in this Agreement. TheState Agency will enter intoa written agreement with each of its contractors and agents who need SSA data to perform their official duties whereby such contractor or agent agrees to abide by all relevant Federal laws, restrictions on access,use,and disclosure,and security requirements in this Agreement.The State Agency will provide its contractors and agents with copies of this Agreement,related IEAs, and all related attachments before initial disclosure of SSA data to such contractors and agents.Prior to signing this Agreement,and thereafter at SSA's request,the State Agency will obtain from its contractors and agents a current list of the employees of such contractors and agents with access toSSAdataand provide suchlists to SSA. 8. The State Agency's employees,contractors,and agents who access,use,or disclose SSA data in a manner or purpose not authorized by this Agreement may be subject to civil and criminal sanctions pursuant to applicable Federal statutes. 9. The State Agency will conduct triennial compliance reviews ofits contractor(s)and agent(s)no later than three years after the initial approval of the security certification toSSA. TheState Agency willshare documentation of its recurring compliance reviews with its contractor(s)and agent(s)with SSA.The State Agency will provide documentation to SSA during its scheduled compliance and certification reviews or upon request. C.The State Agency will not duplicate ina separate file or disseminate,without prior written permission from SSA,the data governed by this Agreement for any purpose other than to determine entitlement to,or eligibility for,federally funded benefits.The State Agency proposing the redisclosure must specify in writing to - SSAwhatdataare being disclosed,to whom,and the reasons thatjustify the redisclosure. SSA willnotgive permissionforsuch redisclosureunlessthe redisclosure is required by law or essential to the conduct of the matching programand authorized undera routine use. To the extentSSA approves the requested redisclosure,theStateAgencywill ensure thatanyentity receiving the redisclosed datawill comply with the procedures and limitations onuse, duplication,and redisclosure of SSAdata,aswellas all administrative,technical, and physical security requirements governing all data SSA provides electronically to theState Agency including specific guidance on safeguarding and reporting responsibilities for PII,as set forth in this Agreement and the accompanying IEAs. X.Comptroller General Access The Comptroller General (the Government Accountability Office)may have access to all records of the State Agency that the Comptroller General deems necessary to monitor and verify compliance with this Agreement in accordance with 5 U.S.C. §552a(o)(l)(K). XI.Duration,Modification,and Termination oftheAgreement A.Duration 1.This Agreement is effective from January 1,2015 (Effective Date)through June30, 2016 (Expiration Date). 2.In accordance with the CMPPA,SSA will:(a)publish a Computer Matching Notice in the Federal Register at least 30 days prior to the Effective Date;(b)send required notices tothe Congressional committees of jurisdiction under 5 U.S.C.§552a(o)(2)(A)(i)at least 40 days prior to the Effective Date;and (c)send the required report to OMB at least 40 days prior to the Effective Date. 3.Within 3 months prior the Expiration Date,theSSADIB may,without additional review,renew this Agreement fora period notto exceed 12 months,pursuant to5 U.S.C.§552a(o)(2)(D),if: •the applicable data exchange will continue without any change;and • SSA and the State Agency certify totheDIBinwritingthat the applicable data exchange has been conducted in compliance with this Agreement. 4.If either SSAor the State Agency does not wish to renew this Agreement,it must notify the other party ofits intent not to renew at least 3 months prior to the Expiration Date. B.Modification Any modification tothis Agreement mustbe inwriting,signedby both parties, and approved by the SSA DIB. 10 C.Termination The parties may terminate this Agreement at any time upon mutual written consent of both parties.Either party may unilaterally terminate this Agreement upon 90 days advance written notice to the other party;such unilateral termination will be effective 90 days after the date of the notice,or ata later date specified in the notice. SSA may immediately and unilaterally suspend the data flow or terminate this Agreement if SSA determines,in its sole discretion,that the State Agency has violated or failed to comply with this Agreement. XII.Reimbursement In accordance with section 1106(b)of the Act,the Commissioner of SSA has determined not to charge the State Agency the costs of furnishing the electronic data from the SSA SORs under this Agreement. XIII.Disclaimer SSA is not liable for any damages or loss resulting from errors in the data provided tothe State Agency under any IEAs governed by this Agreement.Furthermore,SSA is not liable for any damages or loss resulting from the destruction of any materials or data providedby theState Agency. XIV.Points of Contact A.SSA Point of Contact Regional Office Dolores Dunnachie,Director San Francisco Regional Office,Center for Programs Support 1221 Nevin Avenue Richmond CA 94801 Phone:(510)970-8444 Fax: (510)970-8101 Dolores.DunnachieOssa.gov B.State Agency Point of Contact Sonia Herrera California Health and Human Services Agency 1600 Ninth Street Sacramento,CA 95814 Phone: (916) 654-3459 Fax: 916-440-5001 Sonia.Herrera(5)chhs,ca.gov 11 12 XV.SSA and Data Integrity Board Approval of Model CMPPA Agreement The signatories below warrant and represent that they have the competent authority on behalf of SSA to approve the model of this CMPPA Agreement. SOCIAL SECURITY ADMINISTRATION o Dawn S. Wiggins Deputy Executive Director Office of PrivacyandDisclosure Office of the General Counsel Date I certify that the SSA Data Integrity Board approved the model of this CMPPA Agreement. Kirsten J.Moncada/ Chair SSA DataIntegrity Board 1-1-1I' Date ]jJU L 13 XVI.Authorized Signatures The signatories below warrant and represent that they have the competent authority onbehalfof their respective agency to enter into the obligations set forth in this Agreement. SOCIAL SECURITY ADMINISTRATION V^^^r^^>*-^--)^-^-g^ G^ceJyiL Kim Regional Commissioner San Francisco Date 4H- HEALTH AND HUMAN SERVICES AGENCY Diana S.Dooley Secretary Date Jff JSPlf ATTACHMENT 2 AUTHORIZED DATA EXCHANGE SYSTEM(S) Attachment 2 Authorized Data Exchange System(s) BEER (Beneficiary Earnings Exchange Record):Employer data for the last calendar year. BENDEX (Beneficiary and Earnings Data Exchange):Primary source for Title II eligibility, benefit and demographic data. LIS (Low-Income Subsidy):Data from the Low-Income Subsidy Application for Medicare Part D beneficiaries —used for Medicare Savings Programs (MSP). Medicare 1144 (Outreach):Lists of individuals on SSA roles,who may be eligible for medical assistance for:payment of the cost of Medicare cost-sharing under the Medicaid program pursuant to Sections 1902(a)(10)(E)and 1933 of the Act;transitional assistance under Section 1860D-31(f)of the Act; or premiums and cost-sharing subsidies for low-income individuals under Section 1860D-14 of the Act. PUPS (Prisoner Update Processing System):Confinement data received from over 2000 state and local institutions (such as jails,prisons, or other penal institutions or correctional facilities)~ PUPS matches the received data with the MBR and SSR benefit data and generates alerts for review/action. QUARTERS OF COVERAGE (QC):Quarters of Coverage data as assigned and described under Title II of the Act - The term "quarters of coverage"is also referred to as "credits" or "Social Security credits"in various SSA public information documents,as well as to refer to "qualifying quarters" to determine entitlement to receive Food Stamps. SDX (SSI State Data Exchange):Primary source of Title XVI eligibility,benefit and demographic data as well as data for Title VIII Special Veterans Benefits (SVB). SOLQ/SOLQ-I (State On-line Query/State On-line Query-Internet):A real-time online system that provides SSN verification and MBR and SSR benefit data similar to data provided through SVES. Attachment 2 SVES (State Verification and Exchange System):A batch system that provides SSN verification,MBR benefit information,and SSR information through a uniform data response based on authorized user-initiated queries. The SVES types are divided into five different responses as follows: SVES I: SVES I/Citizenship* SVES II: SVES III: SVES IV: This batch provides strictly SSN verification. This batch provides strictly SSN verification and citizenship data. This batch provides strictly SSN verification and MBR benefit information This batch provides strictly SSN verification and SSR/SVB. This batch provides SSN verification,MBR benefit information,and SSR/SVB information,which represents all available SVES data. *Citizenship status data disclosed by SSA under the Children's Health Insurance Program Reauthorization Act of 2009,Pub. L 111-3 is only for the purpose of determining entitlement to Medicaid and CHIPprogram for new applicants. ATTACHMENT 3 OMITTED SENSITIVE DOCUMENT ATTACHMENT 4 ELECTRONIC INFORMATION EXCHANGE SECURITY REQUIREMENTS AND PROCEDURES This document is SENSITIVE and should not be released to the publicwithout priorauthorization from DHCS. USA Hill V/STfc? %11 HI I * ELECTRONIC INFORMATION EXCHANGE SECURITY REQUIREMENTS AND PROCEDURES FOR STATE AND LOCAL AGENCIES EXCHANGING ELECTRONIC INFORMATION WITH THE SOCIAL SECURITY ADMINISTRATION SENSITIVE DOCUMENT VERSION 6.0.2 April 2014 Table of Contents 1.Introduction 2.Electronic Information Exchange Definition 3.Roles and Responsibilities 5.Systems Security Requirements 5.1 Overview 5.2 General System Security Design and Operating Environment 5.4 Automated Audit Trail 5.5 Personally Identifiable Information 5.6 Monitoring and Anomaly Detection 5.7 Management Oversight and Quality Assurance 5.8 Data and Communications Security 5.9 Incident Reporting 5.10 Security Awareness and Employee Sanctions 5.11 Contractors of Electronic Information Exchange Partners 6.General-Security Certification and Compliance Review Programs 6.1 The Security Certification Program 6.2 Documenting Security Controls in the Security Design Plan 6.2.1 When the SDP and Risk Assessment are Reouired 6.3 The Certification Process 6.4 The Compliance Review Program and Process 6.5.1 EIEP Compliance Review Participation 6.5.2 Verification of Audit Samples 6.6 Scheduling the Onsite Review 7.Additional Definitions 8.Regulatory References 9.Frenuentlv Asked Questions 10.Diagrams Flow Chart of the PIS Certification Process Flow Chart of the OTS Compliance Review Process Compliance Review Decision Matrix RECEIVING ELECTRONIC INFORMATION FROM THE SOCIAL SECURITY ADMINISTRATION 1.Introduction O The law requires the Social Security Administration (SSA)to maintain oversight and assure the protection of information it provides to its Electronic Information Exchange Partners (EIEP).EIEPs are entities that have information exchange agreements with SSA. The overall aim of this document is twofold.First,to ensure that SSA can properly certify EIEPs as compliant by the SSA security requirements,standards,and procedures expressed in this document before we grant access to SSA information in a production environment.Second,to ensure that EIEPs continue to adequately safeguard electronic information provided to them by SSA. This document (which SSA considers SENSITIVE1 and should only be shared with those who need it to ensure SSA-provided information is safeguarded),describes the security requirements,standards, and procedures EIEPs must meet and implement to obtain information from SSA electronically.This document helps EIEPs understand criteria that SSA uses when evaluating and certifying the system design and security features used for electronic access to SSA-provided information. The addition,elimination,and modification of security control factors determine which level of security and due diligence SSA requires for the EIEPto mitigate risks.The emergence of new threats,attack methods,and the availability of new technology warrants frequent reviews and revisions to our System Security Requirements (SSR).Consequently,EIEPs should expect SSA's System Security Requirements to evolve in concert with the industry. EIEPs must comply with SSA's most current SSRs to gain access to SSA-provided data.SSA will work with its partners to resolve deficiencies that occur subsequent to,and after,approval for access if updates to our security requirements cause an agency to be uncompliant.EIEPs may proactively ensure their ongoing compliance with the SSRs by periodically requesting the most current SSR package from their SSA contact.Making periodic adjustments is often necessary. 2.Electronic Information Exchange Definition O For discussion purposes herein,Electronic Information Exchange (EIE)is any electronic process in which SSA discloses information under its control to any third party for any purpose,without the specific consent of the subject individual or agent acting on his or her behalf.EIE involves individual data transactions and data files processed within the systems of parties to electronic information sharing agreements with SSA.These processes include direct terminal access or DTA to SSA systems,batch processing,and variations thereof (e.g.,online query)regardless of the systematic method used to accomplish the activity or to interconnect SSA with the EIEP. 1 Sensitivedata -"any information,the loss, misuse, or unauthorizedaccess to or modification of which couldadverselyaffectthe national interest or the conduct of Federal programs,or the privacy to which individuals are entitled under 5 U.S.C.Section 552a (The Privacy Act),but that has not been specifically authorized undercriteriaestablishedbyan Executive Orderor an Act of Congress to be kept classified in the interest of national defense or foreign policy but is to be protected in accordance withthe requirements of the Computer Security Actof 1987 (P.L.100-235)." 3.Roles and Responsibilities The SSA Office of Information Security (OIS)has agency-wide responsibility for interpreting, developing,and implementing security policy;providing security and integrity review requirements for all major SSA systems;managing SSA's fraud monitoring and reporting activities;developing and disseminating security training and awareness materials;and providing consultation and support for a variety of agency initiatives.SSA's security reviews ensure that external systems receiving information from SSA are secure and operate in a manner consistent with SSA's Information Technology (IT)security policies and in compliance with the terms of electronic information sharing agreements executed by SSA with outside entities.Within the context of SSA's security policies and the terms of electronic information sharing agreements with SSA's EIEPs,OIS exclusively conducts and brings to closure initial security certifications and periodic security compliance reviews of EIEPs that process,maintain, transmit,or store SSA-provided information in accordance with pertinent Federal requirements which include the following (see also Regulatory References): a.The Federal Information Security Management Act (FISMA)requires the protection of "Federal information in contractor systems,including those systems operated by state and local governments." b.The Social Security Administration requires EIEPs to adhere to the policies,standards, procedures,and directives published in this Systems Security Requirements (SSR) document. Personally Identifiable Information (PII),covered under several Federal laws and statutes,is information about an individual including,but not limited to,personal identifying information including the Social Security Number (SSN). The data (last 4 digits of the SSN)that SSA provides to its EIEPs for purposes of the Help America Vote Act (HAVA)does not identify a specific individual;therefore,is not "PII" as defined by the Act. However,SSA is diligent in discharging its responsibility for establishing appropriate administrative,technical,and physical safeguards to ensure the security,confidentiality,and availability of its records and to protect against any anticipated threats or hazards to their security or integrity. NOTE:Disclosure of Federal Tax Information (FTI)is limited to certain Federal agencies and state programs supported by federal statutes under Sections 1137, 453,and 1106 of the Social Security Act.For information regarding safeguards for protecting FTI,consult IRS Publication 1075,Tax Information Security Guidelines for Federal,State,and Local Agencies. The SSA Regional Data Exchange Coordinators (DECs)serve as a bridge between SSA and state EIEPs. In the security arena,DECs assist OIS in coordinating data exchange security review activities with state and local EIEPs;e.g.,they provide points of contact with state agencies, assist in setting up security reviews, etc.DECs are also the first points of contact for states if an employee of a state agency or an employee of a state agency's contractor or 4 agent becomes aware of a suspected or actual loss of SSA-provided Personally Identifiable Information (PII). 4.General Systems Security Standards O EIEPs that request and receive information electronically from SSA must comply with the following general systems security standards concerning access to and control of SSA- provided information. NOTE:EIEPs may not create separate files or records comprised solely of the information provided by SSA. a.EIEPs must ensure that means,methods,and technology used to process,maintain, transmit,or store SSA-provided information neither prevents nor impedes the EIEP"s ability to •safeguard the information in conformance with SSA requirements, •efficiently investigate fraud,data breaches,or security events that involve SSA-provided information,or •detect instances of misuse or abuse of SSA-provided information For example,utilization of cloud computing may have the potential to jeopardize an EIEPs compliance with the terms of their agreement or SSA's associated system security requirements and procedures. b.EIEPs must use the electronic connection established between the EIEP and SSA only in support of the current agreement(s)between the EIEP and SSA. c. EIEPs must use the software and/or devices provided to the EIEP only in support of the current agreement(s)between the EIEP and SSA. d. SSA prohibits modifying any software or devices provided to the EIEPs by SSA. e. EIEPs must ensure that SSA-provided information is not processed,maintained, transmitted,or stored in or by means of data communications channels,electronic devices,computers,or computer networks located in geographic or virtual areas not subject to U.S.law. f.EIEPs must restrict access to the information to authorized users who need it to perform their official duties. NOTE:Contractors and agents (hereafter referred to as contractors)of the EIEP who process,maintain,transmit,or store SSA-provided information are held to the same security requirements as employees of the EIEP.Refer to the section Contractors of Electronic Information Exchange Partners in the Systems Security Requirements for additional information. g.EIEPs must store information received from SSA in a manner that,at all times, is physically and electronically secure from access by unauthorized persons. h.The EIEP must process SSA-provided information under the immediate supervision and control of authorized personnel. i.EIEPs must employ both physical and technological safeguards to prevent unauthorized retrieval of SSA-provided information via computer,remote terminal, or other means. j. EIEPs must have formal PII incident response procedures.When faced with a security incident caused by malware,unauthorized access,software issues,or acts of nature,the EIEP must be able to respond in a manner that protects SSA-provided information affected by the incident. k. EIEPs must have an active and robust employee security awareness program,which is mandatory for all employees who access SSA-provided information. I.EIEPs must advise employees with access to SSA-provided information of the confidential nature of the information,the safeguards required to protect the information,and the civil and criminal sanctions for non-compliance contained in the applicable Federal and state laws. m. At its discretion,SSA or its designee must have the option to conduct onsite security reviews or make other provisions to ensure that EIEPs maintain adequate security controls to safeguard the information we provide. 5.Systems Security Requirements O 5.1 Overview O SSAmust certify that the EIEP has implemented controls that meet the requirements and work as intended,before we will authorize initiating transactions to and from SSA through batch data exchange processes or online processes such as State Online Query (SOLQ) or Internet SOLQ (SOLQ-I). The Technical Systems Security Requirements (TSSRs)address management, operational,and technical aspects of security safeguardsto ensure only the authorized disclosure and use of SSA-provided information by SSA's EIEPs. SSA recommends that the EIEP develop and publish a comprehensive Systems Security Policy document that specifically addresses: •the classification of information processed and stored within the network, •administrative controls to protect the information stored and processed within the network, •access to the various systems and subsystems within the network, •Security Awareness Training, •Employee Sanctions Policy, •Incident Response Policy,and •the disposal of protected information and sensitive documents derived from the system or subsystems on the network. SSA's systems security requirements represent the current state-of-the-practice security controls,safeguards,and countermeasures required for Federal information systems by Federal regulations,statutes,standards,and guidelines.Additionally,SSA's systems security requirements also include organizationally defined interpretations,policies,and procedures mandated by the authority of the Commissioner of Social Security in areas when or where other cited authorities may be silent or non-specific. 5.2 General System Security Design and Operating Environment O EIEPs must provide descriptions and explanations of their overall system design, configuration,security features,and operational environment and include explanations of how they conform to SSA's requirements.Explanations must include the following: o Descriptions of the operating environment(s)in which the EIEP will utilize,maintain, and transmit SSA-provided information o Descriptions of the business process(es)in which the EIEP will use SSA-provided information o Descriptions of the physical safeguards employed to ensure that unauthorized personnel cannot access SSA-provided information and details of how the EIEP keeps audit information pertaining to the use and access to SSA-provided information and associated applications readily available o Descriptions of electronic safeguards,methods,and procedures for protecting the EIEP's network infrastructure and for protecting SSA-provided information while in transit,in use within a process or application,and at rest (stored or not in use) o Descriptions of how the EIEP prevents unauthorized retrieval of SSA-provided information by computer,remote terminal,or other means,including descriptions of security software other than access control software (e.g.,security patch and anti- malware software installation and maintenance,etc.) o Descriptions of how the configurations of devices (e.g.,servers,workstations, and portable devices)involving SSA-provided information comply with recognized industry standards and SSA's system security requirements o Description of how the EIEP implements adequate security controls (e.g.,passwords enforcing sufficient construction strength to defeat or minimize risk-based identified vulnerabilities) 5.3 System Access Control EIEPs must utilize and maintain technological (logical)access controls that limit access to SSA-provided information and associated transactions and functions to only those users, processes acting on behalf of authorized users,or devices (including other information systems)authorized for such access based on their official duties or purpose(s).EIEPs must employ a recognized user access security software package (e.g.RAC-F, ACF-2, TOP SECRET) or a security software design which is equivalent to such products.The access control software must utilize personal identification numbers (PIN)and passwords or Biometric identifiers in combination with the user's system identification code (userlD). The access control software must employ and enforce (1)PIN/password,and/or (2) PIN/biometric identifier,and/or (3)SmartCard/biometric identifier,etc.,for authenticating users). Depending on the computing platform (e.g.,client/server (PC),mainframe)and the access software implementation,the terms "PIN"and "user system identification code (userlD)"may be, for practical purposes,synonymous.For example,the PIN/password combination may be required for access to an individual's PC after which,the userlD/password combination may be required for access to a mainframe application.A biometric identifier may supplant one element in the pair of those combinations.SSA strongly recommends Two-Factor Authentication. The EIEP's implementation of the control software must comply with recognized industry standards.Password policies should enforce sufficient construction strength (length and complexity)to defeat or minimize risk-based identified vulnerabilities and ensure limitations for password repetition. Technical controls should enforce periodic password changes based on a risk-based standard (e.g.,maximum password age of 90 days, minimum password age of 3 - 7 days) and enforce automatic disabling of user accounts that have been inactive for a specified period of time (e.g.,90 days). The EIEP's password policies must also require more stringent password construction (e.g., passwords greater than eight characters in length requiring upper and lower case letters, numbers, and special characters;password phrases)for the user accounts of persons, processes, or devices whose functions require access privileges inexcess of those of ordinary users. EIEPs must have management control and oversight of the function of authorizing individual user access to SSA-provided information and to oversee the process of issuing and managing access control PINs,passwords,biometric identifiers,etc. foraccess to the EIEP's system. The EIEP's systems access rules must cover least privilege and individual accountability. The EIEP's rules should include procedures for access to sensitive information and transactions and functions related to it.Procedures should include control of transactions by permissions module,the assignment and limitation ofsystem privileges,disabling accounts of separated employees (e.g.,within 24 hours),individual accountability,work at home,dial-up access,and connecting to the Internet. 5.4 Automated Audit Trail SSA requires EIEPs to implement and maintain a fully automated audit trail system (ATS).The system must be capable of creating,storing,protecting,and efficiently retrieving and collecting records identifying the individual user who initiates a request for information from SSA or accesses SSA-provided information.At a minimum,individual audit trail records must contain the data needed (including date and time stamps)to associate each query transaction or access to SSA-provided information with its initiator, their action,if any,and the relevant business purpose/process (e.g.,SSN verification for Medicaid).Each entry in the audit file must be stored as a separate record,not overlaid by subsequent records.The Audit Trail System must create transaction files to capture all input from interactive internet applications which access or query SSA-provided information. If a State Transmission Component (STC)handles and audits the EIEP's transactions with SSA,the EIEP is responsible for ensuring that the STC's audit capabilities meet SSA's requirements for an automated audit trail system.The EIEP must also establish a process to obtain specific audit information from the STC regarding the EIEP's SSA transactions. Access to the audit file must be restricted to authorized users with a "need to know." Audit file data must be unalterable (read-only)and maintained for a minimum of three (preferably seven)years.Information in the audit file must be retrievable by an automated method.EIEPs must have the capability to make audit file information available to SSA upon request.EIEPs must back-up audit trail records on a regular basis to ensure their availability.EIEPs must apply the same level of protection to backup audit files that apply to the original files. If the EIEP retains SSA-provided information in a database (e.g.,Access database, SharePoint,etc.),or if certain data elements within the EIEP's system indicate to users that SSA verified the information,the EIEP's system must also capture an audit trail record of users who viewed SSA-provided information stored within the EIEP's system. The retrieval requirements for SSA-provided information at rest and the retrieval requirements for regular transactions are identical. 5.5 Personally Identifiable Information (PII) PII is any information about an individual maintained by an agency,including (1) any information that can be used to distinguish or trace an individual's identity, such as name,social security number,date and place of birth,mother's maiden name,or biometric records;and (2) any other information that is linked or linkable to an individual,such as medical,educational,financial,and employment information.An item such as date and place of birth,mother's maiden name,or father's surname is PII,regardless of whether combined with other data. SSA defines a PII loss as a circumstance when SSA has reason to believe that information on hard copy or in electronic format,which contains PII provided by SSA, left the EIEP's custody or the EIEP disclosed it to an unauthorized individual or entity. PII loss is a reportable incident (refer to Incident Reporting). If a PII loss involving SSA-provided information occurs or is suspected,the EIEP must be able to quantify the extent of the loss and compile a complete list of the individuals potentially affected by the incident (refer to Incident Reporting). 5.6 Monitoring and Anomaly Detection O SSA recommends that EIEPs use an Intrusion Protection System (IPS)or an Intrusion Detection System (IDS).The EIEP must establish and/or maintain continuous monitoring of its network infrastructure and assets to ensure the following: o The EIEP's security controls continue to be effective over time o Only authorized individuals,devices,and processes have access to SSA- provided information o The EIEP detects efforts by external and internal entities,devices,or processes to perform unauthorized actions (i.e.,data breaches,malicious attacks,access to network assets,software/hardware installations,etc.)as soon as they occur o The necessary parties are immediately alerted to unauthorized actions performed by external and internal entities,devices,or processes o Upon detection of unauthorized actions,measures are immediately initiated to prevent or mitigate associated risk o In the event of a data breach or security incident,the EIEP can efficiently determine and initiate necessary remedial actions o The trends,patterns,or anomalous occurrences and behavior in user or network activity that may be indicative of potential security issues are readily discernible The EIEP's system must includethe capabilityto prevent employees from unauthorized browsing ofSSA records. SSAstrongly recommends the use of a transaction-driven permission module design,whereby employees are unable to initiate transactions not associated with the normal business process.If the EIEP uses such a design,they then need anomaly detection to detect and monitor employee's unauthorized attempts to gain access to SSA-provided information and attempts to obtain information from SSA for clients not in the EIEP's client system.The EIEP should employ measures to ensure the permission module's integrity.Users should not be able to create a boguscase and subsequently delete it in such a way that it goes undetected. If the EIEP's design does not currently use a permission module and is not transaction- driven,until at least one ofthese security features exists, the EIEP must develop and implement compensating security controls to deter employees from browsing SSA records.These controls must include monitoring and anomaly detection features,either systematic,manual, or a combinationthereof. Such features must includethe capabilityto detect anomalies in the volume and/or type of transactions or queries requested or initiated by individuals and include systematic or manual procedures for verifying that requests and queries of SSA-provided information comply with valid official business purposes.The system must also produce reports that allow management and/or supervisors to monitoruser activity,such as the following: 10 •User ID Exception Reports: This type of report captures information about users who enter incorrect user IDs when attempting to gain access to the system or to the transaction that initiates requests for information from SSA,including failed attempts to enter a password. •Inquiry Match Exception Reports: This type of report captures information about users who may be initiating transactions for SSNs that have no client case association within the EIEP's system (the EIEP's management should review 100 percent of these cases). •System Error Exception Reports: This type of report captures information about users who may not understand or may be violating proper procedures for access to SSA-provided information. •Inquiry Activity Statistical Reports: This type of report captures information about transaction usage patterns among authorized users and is a tool which enables the EIEP's management to monitor typical usage patterns in contrast to extraordinary usage patterns. The EIEP must have a process for distributing these monitoring and exception reports to appropriate local managers/supervisors or to local security officers. The process must ensure that only those whose responsibilities include monitoring anomalous activity of users,to include those who have exceptional system rights and privileges, use the reports. 5.7 Management Oversight and Quality Assurance O The EIEP must establish and/or maintain ongoing management oversight and quality assurance capabilitiesto ensure that only authorized employees have access to SSA- provided information.They mustensure ongoing compliance with the terms ofthe EIEP's electronic information sharing agreement with SSAand the SSRs established for access to SSA-provided information.The entity responsible for management oversight must consist of one or more of the EIEP's management officials whose job functions include responsibility to ensurethat the EIEP only grants access to the appropriate employees and position types which require SSA-provided information to do their jobs. The EIEP must ensure that employees granted access to SSA-provided information receive adequate training on the sensitivity ofthe information,associatedsafeguards, operating procedures,and the penalties for misuse. SSA recommends that EIEPs establish the following job functions and require that employees tasked with these job functions do notalsoshare the same job functions as personnel who request or use information from SSA. •Perform periodicself-reviewsto monitor the EIEP's ongoing usage of SSA- provided information. •Perform random sampling of work activity that involves SSA-provided information to determine if the access and usage comply with SSA's requirements. 11 5.8 Data and Communications Security O EIEPs must encrypt PII and SSA-provided information when transmitting across dedicated communications circuits between its systems,intrastate communications between its local office locations,and on the EIEP's mobile computers,devices and removable media.The EIEP's encryption methods should align with the Standards established by the National Institute of Standards and Technology (NIST).SSA recommends the Advanced Encryption Standard (AES)or triple DES (Data Encryption Standard 3),if AES is unavailable,encryption method for securing SSA-provided information during transport. Files encrypted for external users (when using tools such as Microsoft WORD encryption,)require a key length of nine characters.We also recommend that the key (also referred to as a password)contain both special characters and a number.SSA requires that the EIEP deliver the key so that the key does not accompany the media. The EIEP must secure the key when not in use or unattended. SSA discourages the use of the public Internet for transmission of SSA-provided information.If however,the EIEP uses the public Internet or other electronic communications,such as emails and faxes to transmit SSA-provided information,they must use a secure encryption protocol such as Secure Socket Layer (SSL)or Transport Layer Security (TLS). SSA also recommends 256-bit encryption protocols or more secure methods such as Virtual Private Network technology.The EIEP should only send data to a secure address or device to which the EIEP can control and limit access to only specifically authorized individuals and/or processes.SSA recommends that EIEPs use Media Access Control (MAC)Filtering and Firewalls to protect access points from unauthorized devices attempting to connect to the network. EIEPs should not retain SSA-provided information any longer than business purpose(s)dictate.The Information Exchange Agreement with SSA stipulates a time for data retention.The EIEP should delete,purge,destroy,or return SSA-provided information when the business purpose for retention no longer exists. The EIEPmay not save or create separate files comprised solely of information provided by SSA. The EIEP may apply specific SSA-provided information to the EIEP's matched record from a preexisting data source.Federal law prohibits duplication and redisclosure of SSA-provided information without written approval. The prohibition applies to both internal and external sources who do not have a "need-to-know2."SSA recommends that EIEPs use either Trusted Platform Module (TPM)or Hardware Security Module (HSM)technology solutions to encrypt data at rest on hard drives and other data storage media. EIEPs must prevent unauthorized disclosure of SSA-provided information after they complete processing and after the EIEP no longer requires the information.The EIEP's operational processes must ensure that no residual SSA-provided information remains on the hard drives of user's workstations after the user exits the application(s)that use SSA-provided information. If the EIEP must send a computer,hard drive, or other computing or storage device offsite for repair, the EIEP must have a non-disclosure clause in their contract with the vendor.If the EIEP used the item in connection with a business process that involved SSA-provided information and the vendor will retrieve or may view SSA-provided information during servicing, SSA reserves the right to inspect "Need-to-know -access to the information must be necessary for the conduct of one's official duties. 12 the EIEP's vendor contract.The EIEP must remove SSA-provided information from electronic devices before sending it to an external vendor for service.SSA expects the EIEP to render it unrecoverable or destroy the electronic device if they do not need to recover the data.The same applies to excessed,donated,or sold equipment placed into the custody of another organization. To sanitize media,the EIEP should use one of the following methods: •Overwriting Overwrite utilities can only be used on working devices.Overwriting is appropriate only for devices designed for multiple reads and writes.The EIEP should overwrite disk drives, magnetic tapes,floppy disks,USB flash drives,and other rewriteable media.The overwrite utility must completely overwrite the media.SSA recommends the use of purging media sanitization to make the data irretrievable and to protect data against laboratory attacks or forensics.Please refer to Definitions for more information regarding Media Sanitization).Reformatting the media does not overwrite the data. •Degaussing Degaussing is a sanitization method for magnetic media (e.g.,disk drives,tapes, floppies,etc.).Degaussing is not effective for purging non-magnetic media (e.g., optical discs).Degaussing requires a certified tool designed for particular types of media.Certification of the tool is required to ensure that the magnetic flux applied to the media is strong enough to render the information irretrievable.The degaussing process must render data on the media irretrievable by a laboratory attack or laboratory forensic procedures (refer to Definitions for more information regarding Media Sanitization). •Physical destruction Physical destruction is the method when degaussing or over-writing cannot be accomplished (for example, CDs,floppies,DVDs,damaged tapes,hard drives, damaged USB flash drives, etc.).Examples of physical destruction include shredding, pulverizing,and burning. State agencies may retain SSA-provided information in hardcopy only if required to fulfill evidentiary requirements,provided the agencies retire such data in accordance with applicable state laws governing retention of records. The EIEP must control print media containing SSA-providedinformation to restrict its access to authorized employees who need such access to perform their official duties.EIEPs must destroy print media containing SSA-provided information in a secure manner when it is no longer required for business purposes. The EIEP should destroy paper documentsthat contain SSA-provided information by burning,pulping,shredding, macerating,or other similar means that ensure the information is unrecoverable. NOTE:Hand tearing or lining through documents to obscure information does not meet SSA's requirements for appropriate destruction of PII. The EIEP must employ measures to ensure that communications and data furnished to SSA contain no viruses or other malware. Special Note:If SSA-provided information will be stored in a commercial 13 cloud,please provide the name and address of the cloud provider.Also, please describe the security features contractually required of the cloud provider to protect SSA-provided information. 5.9 Incident Reporting O SSA requires EIEPs to develop and implement policies and procedures to respond to data breaches or PII loses.You must explain how your policies and procedures conform to SSA's requirements.The procedures must include the following information: If the EIEP experiences or suspects a breach or loss of PII or a security incident, which includes SSA-provided information,they must notify the State official responsible for Systems Security designated in the agreement.That State official or delegate must then notify the SSA Regional Office Contact and the SSA Systems Security Contact identified in the agreement If, for any reason,the responsible State official or delegate is unable to notify the SSA Regional Office or the SSA Systems Security Contact within one hour,the responsible State Agency official or delegate must report the incident by contacting SSA's National Network Service Center (NNSC)toll free at 877-697-4889 (select "Security and PII Reporting" from the options list). The EIEP willprovide updates as they become available to the SSA contact,as appropriate.Refer to the worksheet provided in the agreement to facilitate gathering and organizing information about an incident. The EIEP must agree to absorb all costs associated with notification and remedial actions connected to security breaches,if SSA determines that the risk presented by the breach or security incident requires the notification of the subject individuals.SSA recommends that EIEPs seriously consider establishing incident response teams to address PII breaches. 5.10 Security Awareness and Employee Sanctions O The EIEP must designate a department or party to take the responsibility to provide ongoing security awareness training for employees who access SSA-provided information.Training must include: o The sensitivity of SSA-provided information and address the Privacy Act and other Federal and state laws governing its use and misuse o Rules of behavior concerning use and security in systems processing SSA-provided information o Restrictions on viewing and/or copying SSA-provided information o The employee's responsibility for proper use and protection of SSA-provided information including its proper disposal o Security incident reporting procedures o Basic understanding of procedures to protect the network from malware attacks 14 o Spoofing,Phishing,and Pharming scam prevention o The possible sanctions and penalties for misuse of SSA-provided information SSA requires the EIEP to provide security awareness training to all employees and contractors who access SSA-provided information.The training should be annual, mandatory,and certified by the personnel who receive the training.SSA also requires the EIEP to certify that each employee or contractor who views SSA-provided data also certify that they understand the potential criminal and administrative sanctions or penalties for unlawful disclosure. 5.11 Contractors of Electronic Information Exchange Partners O As previously stated in The General Systems Security Standards,contractors of the EIEP must adhere to the same security requirements as employees of the EIEP.The EIEP is responsible for the oversight of its contractors and the contractor's compliance with the security requirements.The EIEP will enter into a written agreement with each of its contractors and agents who need SSA data to perform their official duties, whereby such contractors or agents agree to abide by all relevant Federal laws, restrictions on access,use,disclosure,and the security requirements in this Agreement. The EIEP's employees,contractors,and agents who access,use,or disclose SSA data in a manner or purpose not authorized by this Agreement may be subject to both civil and criminal sanctions pursuant to applicable Federal statutes.The EIEP will provide its contractors and agents with copies of this Agreement,related IEAs,and all related attachments before initial disclosure of SSA data to such contractors and agents.Prior to signing this Agreement,and thereafter at SSA's request,the EIEP will obtain from its contractors and agents a current list of the employees of such contractors and agents with access to SSA data and provide such lists to SSA. The EIEP must be able to provide proof of the contractual agreement If the contractor processes, handles, or transmits information provided to the EIEP by SSA or has authority to perform on the EIEP's behalf, the EIEP should clearly state the specific roles and functions of the contractor.The EIEP will provide SSA written certification that the contractor is meeting the terms of the agreement,including SSA security requirements. The certification will be subject to our final approval before redisclosing our information. The EIEP must also require that contractors who will process,handle,or transmit information provided to the EIEP by SSA sign an agreement with the EIEP that obligates the contractor to follow the terms of the EIEP's data exchange agreement with SSA. The EIEP or the contractor must provide a copy of the data exchange agreement to each of the contractor's employees before disclosing data and make certain that the contractor's employees receivethe same security awareness training as the EIEP's employees. The EIEP should maintain awareness-training records for the contractor's employees and require the same annual certification procedures. The EIEP will be required to conduct the review of contractors and is responsible for ensuring compliance of its contractors with security and privacy requirements and limitations. Assuch, the EIEP will subject the contractor to ongoing security compliance 15 reviews that must meet SSA standards.The EIEP will conduct compliance reviews at least triennially commencing no later than three (3)years after the approved initial security certification to SSA;and must provide SSA with written documentation of recurring compliance reviews,with the contractor,subject to our approval. If the EIEP's contractor will be involved with the processing,handling,or transmission of information provided to the EIEP by SSA offsite from the EIEP,the EIEP must have the contractual option to perform onsite reviews of that offsite facility to ensure that the following meet SSA's requirements: o safeguards for sensitive information o computer system safeguards o security controls and measures to prevent,detect,and resolve unauthorized access to,use of,and redisclosure of SSA-provided information o continuous monitoring of the EIEP contractors'network infrastructures and assets 6.General —Security Certification and Compliance Review Programs O SSA's security certification and compliance review programs are distinct processes.The certification program is a one-time process when an EIEP initially requests electronic access to SSA-provided information.The certification process entails two rigorous stages intended to ensure that technical,management,and operational security measures work as designed.SSA must ensure that the EIEPs fully conform to SSA's security requirements and satisfy both stages of the certification process before SSA will permit online access to its data in a production environment. The compliance review program,however,ensures that the suite of security measures implemented by an EIEP to safeguard SSA-provided information remains in full compliance with SSA's security standards and requirements.The compliance review program applies to both online and batch access to SSA-provided information.Under the compliance review program, EIEPs are subject to ongoing and periodic security reviews by SSA. 6.1 The Security Certification Program O The security certification process applies to EIEPs that seek online electronic access to SSA information and consists of two general phases: •Phase One: The Security Design Plan (SDP)phase is a formal written plan authored by the EIEP to comprehensively document its technical and non-technical security controls to safeguard SSA-provided information (refer to Documenting Security Controls in the Security Design Plan).+ NOTE:SSA may have legacy EIEPs (EIEPs not certified under the current process)who have not prepared an SDP.OIS strongly recommends that these EIEPs prepare an SDP. The EIEP's preparation and maintenance of a current SDP will aid them in determining potential compliance issues prior to reviews,assuring continued compliance with SSA's security requirements,and providing for 16 more efficient security reviews. Phase 2: The SSA Onsite Certification phase is a formal onsite review conducted by SSA to examine the full suite of technical and non-technical security controls implemented by the EIEPto safeguard data obtained from SSA electronically (refer to The Certification Process^ 6.2 Documenting Security Controls in the Security Design Plan (SDP)O 6.2.1 When the SDP and Risk Assessment are Required O EIEPs must submit an SDP and a security risk assessment (RA)for evaluation when one or more of the following circumstances apply.The RA must be in electronic format.It must include discussion of the measures planned or implemented to mitigate risks identified by the RA and (as applicable)risks associated with the circumstances below: •to obtain approval for requested access to SSA-provided information for an initial agreement •to obtain approval to reestablish previously terminated access to SSA-provided data •to obtain approval to implement a new operating or security platform that will involve SSA-provided information •to obtain approval for significant changes to the EIEP's organizational structure, technical processes,operational environment,data recovery capabilities,or security implementations planned or made since approval of their most recent SDP or of their most recent successfully completed security review •to confirm compliance when one or more security breaches or incidents involving SSA-provided information occurred since approval of the EIEP's most recent SDP or of their most recent successfully completed security review •to document descriptions and explanations of measures implemented as the result of a data breach or security incident •to document descriptions and explanations of measures implemented to resolve non-compliancy issue(s) •to obtain a new approval after SSA revoked approval of the most recent SDP SSA may require a new SDP if changes occurred (other than those listed above)that may affect the terms of the EIEP's information sharing agreement with SSA. SSA will not approve the SDP or allow the initiation of transactions and/or access to SSA-provided information before the EIEP complies with the SSRs. An SDP must satisfactorily document the EIEP's compliance with all of SSA's SSRs in order to provide the minimum level of security acceptable to SSAfor its EIEP's access to SSA-provided information. EIEP's must correct deficiencies identified through the evaluation of the SDP and submit a revised SDP that incorporates descriptions and explanations of the measures implemented to 17 eliminate the deficiencies. SSAcannot grant access to SSA-provided information until the EIEP corrects the deficiencies,documents the SDP, and SSA approves the revisions.The EIEP will communicate the implementation of corrective actions to SSA on a regular basis. SSA will withhold final approval until the EIEP can rectify all deficiencies. SSA may revoke the approval of the EIEP's SDP and its access to SSA-provided information ifwe learn the EIEP is non-compliant with one or more SSRs. The EIEP must submit a revised SDP, which incorporates descriptions and explanations of the measures the EIEP will implement to resolve the non-compliance issue(s).The EIEP must communicate the progress of corrective action(s)to SSA on a regular basis.SSA will consider the EIEPin non-compliant status until resolution of the issue(s),the EIEP's SDP documents the corrections,and we approve the SDP. If, within a reasonable time as determined by SSA, the EIEP is unable to rectify a deficiency determined by SSA to present a substantial risk to SSA-provided information or to SSA, SSA will withhold approval of the SDP and discontinue the flow of SSA-provided information. NOTE:EIEPs that function only as an STC,transferring SSA-provided information to other EIEPs must,per the terms of their agreements with SSA,adhere to SSA's System Security Requirements (SSR)and exercise their responsibilities regarding protection of SSA-provided information. 6.3 The Certification Process O Once the EIEP has successfully satisfied Phase 1,SSA will conduct an onsite certification review.The objective of the onsite review is to ensure the EIEP's non-technical and technical controls safeguard SSA-provided information from misuse and improper disclosure and that those safeguards function and work as intended. At its discretion,SSA may request that the EIEP participate in an onsite review and compliance certification of their security infrastructure. The onsite review may address any or all of SSA's security requirements and include,when appropriate: a demonstration of the EIEP's implementation of each requirement random sampling of audit records and transactions submitted to SSA a walkthrough of the EIEP's data center to observe and document physical security safeguards a demonstration of the EIEP's implementation of electronic exchange of data with SSA discussions with managers/supervisors examination of management control procedures and reports (e.g.,anomaly detection reports,etc.) demonstration of technical tools pertaining to user access control and if appropriate, browsing prevention,specifically: o If the design is based on a permission module or similar design,or it is transaction driven,the EIEP will demonstrate how the system triggers requests for information from SSA. 18 o If the design is based on a permission module,the EIEP will demonstrate how the process for requests for SSA-provided information prevent SSNs not present in the EIEP's system from sending requests to SSA. We will attempt to obtain information from SSA using at least one,randomly created,fictitious number not known to the EIEPs system. During a certification or compliance review,SSA or a certifier acting on its behalf,may request a demonstration of the EIEP's audit trail system (ATS)and its record retrieval capability.The certifier may request a demonstration of the ATS'capability to track the activity of employees who have the potential to access SSA-provided information within the EIEP's system.The certifier may request more information from those EIEPs who use an STC to handle and audit transactions.We will conduct a demonstration to see how the EIEP obtains audit information from the STC regarding the EIEP's SSA transactions. If an STC handles and audits an EIEP's transactions,SSA requires the EIEP to demonstrate both their own in-house audit capabilities and the process used to obtain audit information from the STC. If the EIEP employs a contractor who processes,handles,or transmits the EIEP's SSA- provided information offsite,SSA,at its discretion,may include the contractor's facility in the onsite certification review.The inspection may occur with or without a representative of the EIEP. Upon successful completion of the onsite certification exercise,SSA will authorize electronic access to production data by the EIEP.SSA will provide written notification of its certification to the EIEP and all appropriate internal SSA components. The following is a high-level flow chart of the OIS Certification Process: (Kickoff Meeting to discuss certification process with EIEP 1 c Request SDP 1 r •Evaluate SDP for approval 1 Conduct onsite review 1 c Certify the EIEP 19 O 6.5 The Compliance Review Program and Process O Similar to the certification process,the compliance review program entails a rigorous process intended to ensure that EIEPs who receive electronic information from SSA are in full compliance with the Agency's security requirements and standards.As a practice,SSA attempts to conduct compliance reviews following a two to five year periodic review schedule.However,as circumstances warrant,a review may take place at any time.Three prominent examples that would trigger an ad hoc review are: • a significant change in the outside EIEP's computing platform • a violation of any of SSA's systems security requirements •an unauthorized disclosure of SSA information by the EIEP The following is a high-level flow chart of the OIS Compliance Review Process:O C Make risked-based selection of target I Determine method of review I Gather background information r Set review date I Conduct compliance review I Finalize review documentation I Monitor findings SSA may conduct onsite compliance reviews and include both the EIEP's main facility and a field office. SSA may, also at its discretion,request that the EIEP participate in an onsite compliance review of their security infrastructure to confirm the implementation of SSA's security requirements. 20 The onsite review may address any or all of SSA's security requirements and include,where appropriate: a demonstration of the EIEP's implementation of each requirement random sampling of audit records and transactions submitted to SSA a walkthrough of the EIEP's data center to observe and document physical security safeguards a demonstration of the EIEP's implementation of online exchange of data with SSA discussions with managers/supervisors examination of management control procedures and reports (e.g.anomaly detection reports,etc.) demonstration of technical tools pertaining to user access control and,if appropriate, browsing prevention: o If the design uses a permission module or similar design,or is transaction driven,the EIEP will demonstrate how the system triggers requests for information from SSA. o If the design uses a permission module,the EIEP will demonstrate the process used to request SSA-provided information and prevent the EIEP's system from processing SSNs not present in the EIEP's system.We can accomplish this by attempting to obtain information from SSA using at least one,randomly created,fictitious number not known to the EIEP's system. SSA may,at its discretion,perform an onsite or remote review for reasons including,but not limited to the following: the EIEP has experienced a security breach or incident involving SSA-provided information the EIEP has unresolved non-compliancy issue(s) to review an offsite contractor's facility that processes SSA-provided information the EIEP is a legacy organization that has not yet been through SSAs security certification and compliance review programs the EIEP requested that SSA perform an IV & V (Independent Verification and Validation review) During the compliance review,SSA,or a certifier acting on its behalf,may request a demonstration of the system's audit trail and retrieval capability.The certifier may request a demonstration of the system's capability for tracking the activity of employees who view SSA- provided information within the EIEP's system.The certifier may request EIEPs that have STCs that handle and audit transactions with SSA to demonstrate the process used to obtain audit information from the STC. If an STC handles and audits the EIEP's transactions with SSA,we may require the EIEP to demonstrate both their in-house audit capabilities and the processes used to obtain audit information from the STC regarding the EIEP's transactions with SSA. 21 If the EIEP employs a contractor who will process,handle,or transmit the EIEP's SSA-provided information offsite,SSA,at its discretion,may include in the onsite compliance review an onsite inspection of the contractor's facility.The inspection may occur with or without a representative of the EIEP.The format of the review in routine circumstances (i.e.,the compliance review is not being conducted to address a special circumstance,such as a disclosure violation)will generally consist of reviewing and updating the EIEP's compliance with the systems security requirements described above in this document.At the conclusion of the review,SSA will issue a formal report to appropriate EIEP personnel.The Final Report will address findings and recommendations from SSA's compliance review,which includes a plan for monitoring each issue until closure. NOTE:SSA handles documentation provided for compliance reviews as sensitive information.The information is only accessible to authorized individuals who have a need for the information as it relates to the EIEP's compliance with its electronic information sharing agreement with SSA and the associated system security requirements and procedures.SSA will not retain the EIEP's documentation any longer than required.SSA will delete,purge,or destroy the documentation when the retention requirement expires. The following is a high-level example of the analysis that aids SSA in making a preliminary determination as to which review format is appropriate.We may also use additional factors to determine whether SSA will perform an onsite or remote compliance review. •High/Medium Risk Criteria o undocumented closing of prior review finding(s) o implementation of technical/operational controls that affect security of SSA-provided information (e.g.implementation of new data access method) o PII breach •Low Risk Criteria o no prior review finding(s)or prior finding(s)documented as closed o no implementation of technical/operational controls that impact security of SSA-provided information (e.g.implementation of new data access method) o no PII breach 6.5.1 EIEP Compliance Review Participation O SSA may request to meet with the following persons during the compliance review: • a sample of managers and/or supervisors responsible for enforcing and monitoring ongoing compliance to security requirements and procedures to assess their level of training to monitor their employee's use of SSA-provided information,and for reviewing reports and taking necessary action •the individuals responsible for performing security awareness and employee sanction functions to learn how you fulfill this requirement • a sample of the EIEP's employees to assess their level of training and understanding of the requirements and potential sanctions applicable to the use and misuse of SSA-provided information 22 •the individual(s)responsible for management oversight and quality assurance functions to confirm how your agency accomplishes this requirement •additional individuals as deemed appropriate by SSA 6.5.2 Verification of Audit Samples O Prior to or during the compliance review,SSA will present to the EIEP a sampling of transactions previously submitted to SSA for verification.SSA requires the EIEP to verify whether each transaction was,per the terms of their agreement with SSA,legitimately submitted by a user authorized to do so. SSA requires the EIEP to provide a written attestation of the transaction review results.The document must provide: •confirmation that each sample transaction located in the EIEP's audit file submitted by its employee(s)was for legitimate and authorized business purposes •an explanation for each sample transaction located in the EIEP's audit file(s) determined to have been unauthorized •an explanation for each sample transaction not found in the EIEP's ATS When SSA provides the sample transactions to the EIEP,detailed instructions will be included.Only an official responsible for the EIEP is to provide the attestation. 6.6 Scheduling the Onsite Review O SSA will not schedule the onsite review until we approve the EIEP's SDP.SSA will send approval notification via email.There is no prescribed period for arranging the subsequent onsite review (certification review for an EIEP requesting initial access to SSA-provided information for an initial agreement or compliance review for other EIEPs).Unless there are compelling circumstances precluding it,the onsite review will follow as soon as reasonably possible. However,the scheduling of the onsite review may depend on additional factors including: •the reason for submission of a plan •the severity of security issues,if any •circumstances of the previous review,if any •SSA workload considerations Although the scheduling of the review is contingent upon approval of the SDP, SSA may perform an onsite review prior to approval if we determine that it is necessary to complete our evaluation of a plan. 23 (THIS PAGE HAS BEEN LEFT BLANK INTENTIONALLY) 24 7.Additional Definitions O Back Button: Refers to a button on a web browser's toolbar,the backspace button on a computer keyboard,a programmed keyboard button or mouse button,etc., that returns a user to a previously visited web page or application screen. Breach: Refers to actual loss,loss of control,compromise,unauthorized disclosure, unauthorized acquisition,unauthorized access,or any similar term referring to situations where unauthorized persons have access or potential access to PII or Covered Information,whether physical,electronic,or in spoken word or recording. Browsing: Requests for or queries of SSA-provided information for purposes not related to the performance of official job duties. Choke Point: The firewall between a local network and the Internet is a choke point in network security,because any attacker would have to come through that channel,which is typically protected and monitored. Cloud Computing: The term refers to Internet-based computing derived from the cloud drawing representing the Internet in computer network diagrams.Cloud computing providers deliver on-line and on-demand Internet services. Cloud Services normally use a browser or Web Server to deliver and store information. Cloud Computing (NIST SP 800-145 Excerpt): Cloud computing is a model for enabling ubiquitous,convenient,on-demand network access to a shared pool of configurable computing resources (e.g.,networks,servers,storage,applications, and services)that can be rapidly provisioned and released with minimal management effort or service provider interaction.Thiscloud model is composed offive essential characteristics,three service models,and four deployment models. Essential Characteristics: On-demand self-service - A consumer can unilaterally provision computing capabilities,such as server time and network storage,as needed automatically without requiring human interaction with each service provider. Broad network access - Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., 25 mobile phones,tablets,laptops,and workstations). Resource pooling - The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model,with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g.,country,state,or datacenter).Examples of resources include storage,processing,memory,and network bandwidth. Rapid elasticity -Capabilities can be elastically provisioned and released,in some cases automatically,to scale rapidly outward and inward commensurate with demand.To the consumer,the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time. Measured service - Cloud systems automatically control and optimize resource use by leveraging a metering capabilityl at some level of abstraction appropriate to the type of service (e.g., storage,processing,bandwidth,and active user accounts).Resource usage can be monitored, controlled,and reported,providing transparency for both the provider and consumer of the utilized service. Service Models: Software as a Service (SaaS)-The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure2.The applications are accessible from various client devicesthrough either a thin client interface, such as a web browser (e.g.,web-based email),or a program interface. The consumer does not manage or control the underlyingcloud infrastructure includingnetwork, servers,operating systems,storage,or even individualapplication capabilities, with the possible exception of limited user-specific application configuration settings. Platform as a Service (PaaS)-The capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries,services,and tools supported by the provider.3 The consumer does not manage or control the underlying cloud infrastructure including network,servers,operating systems,or storage, but hascontrol overthe deployedapplicationsand possibly configurationsettingsforthe application-hosting environment. Infrastructure as a Service (laaS)-The capability provided to the consumer is to provision processing,storage, networks,and other fundamental computingresources where the consumer isable to deploy and run arbitrary software,which can include operating systems and applications.Theconsumer does not manage or controlthe underlying cloudinfrastructure but hascontrolover operating systems, storage, and deployedapplications;and possibly limited control of select networking components (e.g., host firewalls). 26 Deployment Models: Private cloud -The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g.,business units). It may be owned,managed,and operated by the organization,a third party,or some combination of them,and it may exist on or off premises. Community cloud -The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g.,mission,security requirements,policy,and compliance considerations).It may be owned,managed,and operated by one or more of the organizations in the community,a third party,or some combination of them,and it may exist on or off premises. Public cloud -The cloud infrastructure is provisioned for open use by the general public.It may be owned,managed,and operated by a business,academic,or government organization,or some combination of them.It exists on the premises of the cloud provider. Hybrid cloud -The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private,community,or public)that remain unique entities,but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). 1 Typically this is done on a pay-per-use or charge-per-use basis. 2 A cloud infrastructure is the collection of hardware and software that enables the five essential characteristicsofcloudcomputing.Thecloudinfrastructure can beviewedascontainingboth a physical layerand an abstraction layer.The physical layerconsists ofthe hardware resources that are necessary to supportthe cloudservicesbeing provided,and typically includes server,storage and networkcomponents. Theabstractionlayerconsistsofthe softwaredeployedacrossthe physical layer,which manifeststhe essential cloud characteristics.Conceptually the abstraction layer sits above the physicallayer. 3 This capability does not necessarily precludethe useofcompatible programming languages,libraries, services,and tools from other sources. Cloud Drive: A cloud drive is a Web-based service that provides storage space on a remote server. Cloud Audit: Cloud Audit is a specification developed at Cisco Systems,Inc.that provides cloud computing service providers a standard way to present and share detailed,automated statistics about performance and security. 27 Commingling: Commingling is the creation of a common database or repository that stores and maintains both SSA-provided and preexisting EIEP PII. Degaussing: Degaussing is the method of using a "special device"(i.e.,a device that generates a magnetic field)in order to disrupt magnetically recorded information.Degaussing can be effective for purging damaged media and media with exceptionally large storage capacities.Degaussing is not effective for purging non-magnetic media (e.g.,optical discs). Dial-up: Sometimes used synonymously with dial-in,refers to digital data transmission over the wires of a local telephone network. Function: One or more persons or organizational components assigned to serve a particular purpose,or perform a particular role.The purpose,activity,or role assigned to one or more persons or organizational components. Hub: As it relates to electronic data exchange with SSA,a hub is an organization, which serves as an electronic information conduit or distribution collection point.The term Hub is interchangeable with the terms "StateTransmission Component,""State Transfer Component,"or "STC." ICON: Interstate Connection Network (various entities use 'Connectivity'rather than 'Connection') IV &V: Independent Verification and Validation Legacy System: A term usually referring to a corporate or organizational computer system or network that utilizes outmoded programming languages,software,and/or hardware that typically no longer receives support from the original vendors or developers. Manual Transaction: A user-initiated operation (also referred to as a "user-initiated transaction"). This is the opposite of a system-generated automated process. Example: A user enters a client's information including the client's SSN and presses the "ENTER"key to acknowledge that input of data is complete.A new screen appears with multiple options,which include "VERIFY SSN"and 28 "CONTINUE".The user has the option to verify the client's SSN or perform alternative actions. Media Sanitization: •Disposal:Refers to the discarding (e.g.,recycling)of media that contains no sensitive or confidential data. •Clearing:This type of media sanitization is adequate for protecting information from a robust keyboard attack.Clearing must prevent retrieval of information by data,disk,or file recovery utilities.Clearing must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools.For example,overwriting is an acceptable method for clearing media.Deleting items,however,is not sufficient for clearing. This process may include overwriting all addressable locations of the data,as well as its logical storage location (e.g.,its file allocation table).The aim of the overwriting process is to replace or obfuscate existing information with random data.Most rewriteable media may be cleared by a single overwrite. This method of sanitization is not possible on un-writeable or damaged media. •Purging:This type of media sanitization is a process that protects information from a laboratory attack.The terms clearing and purging are sometimes synonymous.However,for some media,clearing is not sufficient for purging (i.e.,protecting data from a laboratory attack). Although most re-writeable media requires a single overwrite,purging may require multiple rewrites using different characters for each write cycle. This is because a laboratory attack involves threats with the capability to employ non-standard assets (e.g.,specialized hardware)to attempt data recovery on media outside of that media's normal operating environment. Degaussing is also an example of an acceptable method for purging magnetic media.The EIEP should destroy media if purging is not a viable method for sanitization. »Destruction:Physical destruction of media is the most effective form of sanitization.Methods of destruction include burning,pulverizing,and shredding.Any residual medium should be able to withstand a laboratory attack. Permission module: A utility or subprogram within an application,which automatically enforces the relationship of a request for or query of SSA-provided information to an authorized process or transaction before initiating a transaction.For example,requests for verification of an SSN for issuance of a driver's license happens automatically from within a state driver's license application.The System will not allow a user to request information from SSA unless the EIEP's client system contains a record of the subject individual's SSN. Screen Scraping: 29 Screen scraping is normally associated with the programmatic collection of visual data from a source.Originally,screen scraping referred to the practice of reading text data from a computer display terminal's screen.This involves reading the terminal's memory through its auxiliary port,or by connecting the terminal output port of one computer system to an input port on another.The term screen scraping is synonymous with the term bidirectional exchange of data. A screen scraper might connect to a legacy system via Telnet,emulate the keystrokes needed to navigate the legacy user interface,process the resulting display output,extract the desired data,and pass it on to a modern system. More modern screen scraping techniques include capturing the bitmap data from a screen and running it through an optical character reader engine,or in the case of graphical user interface applications,querying the graphical controls by programmatically obtaining references to their underlying programming objects. Security Breach: An act from outside an organization that bypasses or violates security policies, practices,or procedures. Security Incident: A security incident happens when a fact or event signifies the possibility that a breach of security may be taking place,or may have taken place.All threats are security incidents,but not all security incidents are threats. Security Violation: An act from within an organization that bypasses or disobeys security policies,practices,or procedures. Sensitive data: Any information,the loss,misuse,or unauthorized access to or modification of which could adversely affect the national interest of the conduct of federal programs,or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act),but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. SMDS (Switched Multimegabit Data Service (SMDS): SMDS is a telecommunications service that provides connectionless,high- performance,packet-switched data transport.Although not a protocol,it supports standard protocols and communications interfaces using current technology. SSA-provided data/information: Synonymous with "SSA-supplied data/information."Defines information under the control of SSA that is provided to an external entity under the terms of an information exchange agreement with SSA. The following are examples of 30 SSA-provided data/information: • SSA's response to a request from an EIEPfor information from SSA (e.g.,date of death) • SSA's response to a query from an EIEP for verification of an SSN SSA data/information: This term,sometimes used interchangeably with "SSA-provided data/information", denotes information under the control of SSA that is provided to an external entity under the terms of an information exchange agreement with SSA.However,"SSA data/information"also includes information provided to the EIEP by a source other than SSA,but which the EIEP attests to that SSA verified it,or the EIEP couples the information with data from SSA as to to certify the accuracy of the information.The following are examples of SSA information: •SSA's response to a request from an EIEP for information from SSA (e.g.,date of death) •SSA's response to a query from an EIEP for verification of an SSN •Display by the EIEP of SSA's response to a query for verification of an SSN and the associated SSN provided by SSA •Display by the EIEP of SSA's response to a query for verification of an SSN and the associated SSN provided to the EIEP by a source other than SSA •Electronic records that contain only SSA's response to a query for verification of an SSN and the associated SSN whether provided to the EIEP by SSA or a source other than SSA SSN: Social Security Number STC: A State Transmission/Transfer Component is an organization that performs as an electronic information conduit or collection point for one or more other entities (also referred to as a hub). System-generated transaction: A transaction automatically triggered by an automated system process. Example:A user enters a client's information including the client's SSN on an input screen and presses the "ENTER"key to acknowledge that input of data is complete.An automated process then matches the SSN against the organization's database and when the systems finds no match,automatically sends an electronic request for verification of the SSN to SSA. 31 Systems process: The Term "Systems Process"refers to a software program module that runs in the background within an automated batch,online,or other process. Third Party: This term pertains to an entity (person or organization)provided access to SSA- provided information by an EIEP or other SSA business partner for which one or more of the following apply: • is not stipulated access to SSA-provided information by an information-sharing agreement between an EIEP and SSA •has no information-sharing agreement with SSA •SSA does not directly authorize access to SSA-provided information Transaction-driven: This term pertains to an automatically initiated online query of or request for SSA information by an automated transaction process (e.g.,driver license issuance,etc.).The query or request will only occur the automated process meets prescribed conditions. Uncontrolled transaction: This term pertains to a transaction that falls outside a permission module.An uncontrolled transaction is not subject to a systematically enforced relationship between an authorized process or application and an existing client record. (THE REST OF THIS PAGE HAS BEEN LEFT BLANK INTENTIONALLY) 32 8.Regulatory References O Federal Information Processing Standards (FIPS)Publications Federal Information Security Management Act of 2002 (FISMA) Homeland Security Presidential Directive (HSPD-12) National Institute of Standards and Technology (NIST)Special Publications Office of Management and Budget (OMB)Circular A-123,Management's Responsibility for Internal Control Office of Management and Budget (OMB)Circular A-130,Appendix III, Management of Federal Information Resources Office of Management and Budget (OMB) Memo M-06-16,Protection of Sensitive Agency Information,June 23,2006 Office of Management and Budget (OMB)Memo M-07-16,Memorandum for the Heads of Executive Departments and Agencies May 22,2007 Office of Management and Budget (OMB)Memo M-07-17,Safeguarding Against and Responding to the Breach of Personally Identifiable Information,May 22, 2007 Privacy Act of 1974 (THE REST OF THIS PAGE HAS BEEN LEFT BLANK INTENTIONALLY) 33 9.Frequently Asked Questions O (Click links for answers or additional information) 1. Q:What is a breach of data? A:Refer also to Security Breach,Security Incident,and Security Violation. 2. Q:What is employee browsing? A:Requests for or queries of SSA-provided information for purposes not related to the performance of official job duties 3.Q:Okay,so the SDP was submitted.Can the Onsite Review be scheduled now? A:Refer to Scheduling the Onsite Review. 4.Q:What is a "Permission Module"? A: A utility or subprogram within an application,which automatically enforces the relationship of a request for or query of SSA-provided information to an authorized process or transaction before initiating a transaction.For example,if requests for verification of an SSN for issuance of a driver's license happens automatically from within a state driver's license application.The System will not allow a user to request information from SSA unless the EIEP's client system contains a record of the subject individual's SSN. 5. Q:What is meant by Screen Scraping? A:Screen scraping is normally associated with the programmatic collection of visual data from a source.Originally,screen scraping referred to the practice of reading text data from a computer display terminal's screen.This involves reading the terminal's memory through its auxiliary port,or by connecting the terminal output port of one computer system to an input port on another.The term screen scraping is synonymous with the term bidirectional exchange of data. A screen scraper might connect to a legacy system via Telnet, emulate the keystrokes needed to navigate the legacy user interface,process the resulting display output,extract the desired data,and pass it on to a modern system. More modern screen scraping techniques include capturing the bitmap data from a screen and running it through an optical character reader engine,or in the case of graphical user interface applications,querying the graphical controls by programmatically obtaining references to their underlying programming objects. Q:When does an EIEP have to submit an SDP? A:Refer to When the SDP and RA are Required. Q:Does an EIEP have to submit an SDP when the agreement is 34 renewed? The EIEP does not have to submit an SDP because the agreement between the EIEP and SSA was renewed.There are,however, circumstances that require an EIEP to submit an SDP.Refer to When the SDP and RA are Required. Is it acceptable to save SSA data with a verified indicator on a (EIEP)workstation if the EIEP uses an encrypted hard drive?If not, what options does the agency have? There is no problem with an EIEP saving SSA-provided information on the encrypted hard drives of computers used to process SSA data if the EIEP retains the information only as provided for in the EIEP's data-sharing agreement with SSA.Refer to Data and Communications Security. 9. Q:Does SSA allow EIEPs to use caching of SSA-provided information on the EIEP's workstations? A:Caching during processing is not a problem.However,SSA-provided information must clear from the cache when the user exits the application.Refer to Data and Communications Security. 10. Q:What does the term "interconnections to other systems"mean? A: As used in SSA's system security requirements document,the term "interconnections"is the same as the term "connections." 11.Q: Is it acceptable to submit the SDP as a .PDF file? A: No, it is not.The document must remain editable. 12. Q: Should the EIEP write the SDPfrom the standpoint of my agency's SVES access itself,or from the standpoint of access to all data provided to us by SSA? A:The SDP is to encompass your agency's electronic access to SSA- provided information as per the electronic data sharing agreement between your agency and SSA. Refer to Developing the SDP. 13. Q: If we have a "transaction-driven"system,do we still need a permission module?If employees cannot initiate a query to SSA, why would we need the permission module? A:"Transaction driven"basically means that queries automatically submit requests (and it might depend on the transaction). Depending on the system's design,queries might not be automatic or it may still permit manual transactions.A system may require manual transactions to correct an error.SSA does not prohibit manual transactions if an ATS properly tracks such transactions.If a "transaction-driven"system permits any type of alternate access;it still requires a permission module, even ifit restricts users from performing manual transactions.If the system does nor require the user to be in a particular application or the query to be for an existing record in the EIEP's system before the system will allowa query to go through to SSA, it would still need a permission module. 14.Q:What is an Onsite Compliance Review? 35 A:The Onsite Compliance Review is the process wherein SSA performs periodic site visits to its Electronic Information Exchange Partners (EIEP)to certify whether the EIEP's technical,managerial,and operational security measures for protecting data obtained electronically from SSA continue to conform to the terms of the EIEP's data sharing agreements with SSA and SSA's associated system security requirements and procedures.Refer to the Compliance Review Program and Process. 15.Q:What are the criteria for performing an Onsite Compliance Review? A:The following are criteria for performing the Onsite Compliance Review: • EIEP initiating new access or new access method for obtaining information from SSA • EIEP's cyclical review (previous review was performed remotely) • EIEP has made significant change(s)in its operating or security platform involving SSA-provided information EIEP experienced a breach of SSA-provided personally identifying information (PII) •EIEP has been determined to be high-risk Refer also to the Review Determination Matrix. 16.Q:What is a Remote Compliance Review? A:The Remote Compliance Review is when SSA conducts the meetings remotely (e.g.,via conference calls). SSA schedules conference calls with its EIEPs to determine whether the EIEPs technical,managerial, and operational security measures for protecting data obtained electronically from SSA continue to conform to the terms of the EIEP's data sharing agreements with SSA and SSA's associated system security requirements and procedures.Refer to the Compliance Review Program and Process. 17. Q: What are the criteria for performing a Remote Compliance Review? A:The EIEP must satisfy the following criteria to qualify for a Remote Compliance Review: EIEP's cyclical review (SSA's previous review yielded no findings or the EIEP satisfactorily resolved cited findings) •EIEP has made no significant change(s)in its operating or security platform involving SSA-provided information • EIEP has not experienced a breach of SSA-provided personally identifiable information (PII)since its previous compliance review. SSA rates the EIEP as a low-risk agency or state 36 Refer also to the Review Determination Matrix 37 ATTACHMENT 5 WORKSHEET FOR REPORTING LOSS OR POTENTIAL LOSS OF PERSONALLY IDENTIFIABLE INFORMATION ATTACHMENT 5 Worksheet for Reporting Loss or Potential Loss of Personally Identifiable Information 1.Information about the individual making the report to the NCSC: 09/27/06 Name: Position: Deputy Commissioner Level Organization: Phone Numbers: Work:Cell:Home/Other: E-mail Address: Check one of the following: Management Official Security Officer Non-Management 2.Information about the data that was lost/stolen: Describe what was lost or stolen (e.g., case file,MBR data): Which element(s)of Pll did the data contain? Name Bank Account Info SSN Medical/Health Information Date of Birth Benefit Payment Info Place of Birth Mother's Maiden Name Address Other (describe): Estimated volume of records involved: 3. How was the data physically stored, packaged and/or contained? Paper or Electronic?(circle one): If Electronic,what type of device? Laptop Tablet Backup Tape Blackberry Workstation Server CD/DVD Blackberry Phone # Hard Drive Floppy Disk USB Drive Other (describe): ATTACHMENT 5 09/27/06 Additional Questions if Electronic: Yes No Not Sure a. Was the device encrypted? b. Was the device password protected? c.If a laptop or tablet, was a VPN SmartCard lost? Cardholder's Name: Cardholder's SSA logon PIN: Hardware Make/Model: Hardware Serial Number: Additional Questions if Paper: Yes No Not Sure a.Was the information in a locked briefcase? b.Was the information in a locked cabinet or drawer? c.Was the information in a locked vehicle trunk? d.Was the information redacted? e.Other circumstances: 4. If the employee/contractor who was in possession of the data or to whom the datawas assigned is not the personmaking the reportto the NCSC (aslistedin #1),information about this employee/contractor: Name: Position: Deputy Commissioner Level Organization: Phone Numbers: Work:Cell:Home/Other: E-mail Address: 5.Circumstances of the loss: a.When was it lost/stolen? b. Briefdescription of how the loss/theftoccurred: c.When wasit reported to SSA management official (date and time)? 6.Have anyotherSSA components been contacted?If so,who?(Include deputy commissioner level,agencylevel,regional/associate level component names) ATTACHMENT 5 09/27/06 7.Which reports have been filed?(include FPS,local police,and SSA reports) Report Filed Yes No Report Number Federal Protective Service Local Police Yes No SSA-3114 (Incident Alert) SSA-342 (Report of Survey) Other (describe) 8.Other pertinent information (include actions under way, as well as any contacts with other agencies,law enforcement or the press): CCC-307 CERTIFICATION I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly authorized to legally bind the prospective Contractor to the clause(s) listed below. This certification is made under the laws of the State of California. Contractor/Bidder Firm Name (Printed) County of Fresno Printed Name and Title of Person S: ing Deborah A. Poochigian, Chairma 'Board of Supervisors ATTEST: Federal ID Number 94-6000512 BERNICE E. SEIDEL, Clerk Board of Supervisors . '\ Executed in the County of Fresno TRACTOR CERTIFICATION CLAUSES 1. STATEMENT OF COMPLIANCE: Contractor has, unless exempted, complied with the nondiscrimination program requirements. (Gov. Code §12990 (a-f) and CCR, Title 2, Section 81 03) (Not applicable to public entities.) 2. DRUG-FREE WORKPLACE REQUIREMENTS: Contractor will comply with the requirements of the Drug-Free Workplace Act of 1990 and will provide a drug-free workplace by taking the following actions: a. Publish a statement notifying employees that unlawful manufacture, distribution, dispensation, possession or use of a controlled substance is prohibited and specifying actions to be taken against employees for violations. b. Establish a Drug-Free Awareness Program to inform employees about: 1) the dangers of drug abuse in the workplace; 2) the person's or organization's policy of maintaining a drug-free workplace; 3) any available counseling, rehabilitation and employee assistance programs; and, 4) penalties that may be imposed upon employees for drug abuse violations. c. Every employee who works on the proposed Agreement will: 1) receive a copy of the company's drug-free workplace policy statement; and, 2) agree to abide by the terms of the company's statement as a condition of employment on the Agreement. Failure to comply with these requirements may result in suspension of payments under the Agreement or termination of the Agreement or both and Contractor may be ineligible for award of any future State agreements if the department determines that any of the following has occurred: the Contractor has made false certification, or violated the certificationby failingto carry out the requirementsas noted above. (Gov. Code §8350et seq.) 3.NATIONAL LABOR RELATIONS BOARD CERTIFICATION:Contractor certifies that no more than one (1) final unappealable finding of contempt of court by a Federal court has been issued against Contractor within the immediately preceding two-year periodbecauseof Contractor's failure to complywithan orderof a Federalcourt,which ordersContractorto comply with an order of the National LaborRelations Board.(Pub. Contract Code §10296)(Not applicable to public entities.) 4.CONTRACTS FOR LEGAL SERVICES $50.000 OR MORE-PRO BONO REQUIREMENT:Contractor hereby certifies that contractor will comply with the requirements of Section 6072 of the Businessand Professions Code, effective January 1, 2003. Contractoragreesto make a goodfaith effortto provide a minimum number of hoursof probonolegal services during eachyearofthe contract equal to the lessorof 30 multiplied bythe number of full time attorneys inthe firm's officesinthe State,withthe numberof hoursproratedon an actualdaybasisforanycontractperiodof lessthana full year or 10%of its contract with the State. Failure to makea goodfaitheffortmaybe causefor non-renewal of a statecontractfor legal services,andmaybetakeninto account when determining the awardof future contracts with the State for legal services. 5.EXPATRIATE CORPORATIONS:Contractor hereby declares that it is not an expatriate corporation or subsidiary ofan expatriate corporation within the meaning of Public Contract Code Section 10286 and 10286.1, and is eligible to contract with the State of California. 6.SWEATFREE CODE OF CONDUCT: a. All Contractors contracting for the procurement or laundering of apparel, garments or corresponding accessories,orthe procurement of equipment,materials,or supplies,other than procurement related toa public works contract,declare under penalty of perjury that no apparel,garments or corresponding accessories,equipment,materials,or supplies furnished tothe state pursuant to the contract have been laundered or produced in whole orin part by sweatshop labor,forced labor,convict labor,indentured labor under penal sanction,abusive forms of child laboror exploitationof children in sweatshop labor,or withthebenefitof sweatshop labor,forced labor,convict labor,indentured labor under penal sanction,abusive forms of child labor or exploitation of children in sweatshop labor. The contractor further declares under penalty of perjury that they adhere to the Sweatfree Code of Conduct as set forth on the California Department of Industrial Relations website located at www.dir.ca.gov.and Public Contract Code Section 6108. b. The contractor agrees to cooperate fully in providing reasonable access to the contractor's records,documents,agents or employees,or premises if reasonably required by authorized officials of the contracting agency,the Department of Industrial Relations, or the Departmentof Justiceto determinethe contractor's compliancewith the requirements under paragraph (a). 7.DOMESTIC PARTNERS:For contracts over $100,000 executed or amended after January 1,2007,the contractor certifies that contractoris in compliance withPublic Contract Code section 10295.3. DOING BUSINESS WITH THE STATE OF CALIFORNIA The following laws apply to personsor entities doing business withthe State of California. 1.CONFLICT OF INTEREST:Contractor needs to be aware of the following provisions regarding current or former state employees.If Contractor hasany questions onthe status ofany person rendering services or involved withthe Agreement,the awarding agencymust be contacted immediatelyfor clarification. Current State Employees (Pub. Contract Code §10410): 1).Noofficeror employee shall engage inany employment,activity or enterprise from whichthe officeror employee receives compensation or hasa financial interestand which is sponsored or funded byanystate agency,unless the employment,activity or enterpriseis required as a conditionof regular state employment. 2).Noofficeror employee shallcontracton his or herownbehalfas an independent contractor with any state agency to provide goods or services. Former State Employees (Pub. Contract Code §10411): 1).Forthe two-year period from the date heorsheleftstate employment,no former state officer or employee may enter into a contract in which heorshe engaged inanyofthe negotiations,transactions,planning,arrangements oranypartofthe decision-making process relevant to the contract while employed in any capacity byanystate agency. 2).For the twelve-month period from the date heor she left state employment,no former stateofficeror employee mayenterintoa contract withanystateagencyifhe or shewas employed by that state agency ina policy-making position in the same general subject area asthe proposed contract within the 12-month period prior tohisorher leaving state service. If Contractor violates any provisions of above paragraphs,suchactionby Contractor shall render this Agreement void. (Pub. Contract Code §10420) Membersof boards and commissionsare exemptfromthis section if they do not receive payment other than payment of each meeting of the board or commission,payment for preparatory time and payment for per diem.(Pub.Contract Code §10430 (e)) 2.LABOR CODE/WORKERS'COMPENSATION:Contractor needs to be aware of the provisions which require every employer to be insured against liability for Worker's Compensation orto undertake self-insurance in accordance withthe provisions,and Contractoraffirms to comply with such provisions beforecommencingthe performance of the work of this Agreement. (Labor Code Section 3700) 3.AMERICANS WITH DISABILITIES ACT:Contractor assures the State that it complies withthe Americans with Disabilities Act (ADA)of 1990,which prohibits discriminationon the basis of disability,as well as all applicable regulations and guidelinesissued pursuant to the ADA.(42 U.S.C.12101 et seq.) 4.CONTRACTOR NAME CHANGE:An amendment is required to change the Contractor's nameas listedonthis Agreement.Uponreceiptof legal documentation of the name change the State will process the amendment.Payment of invoices presented with a new name cannot be paid prior to approval of said amendment. 5.CORPORATE QUALIFICATIONS TO DO BUSINESS IN CALIFORNIA: a.When agreements areto be performed inthe state by corporations,the contracting agencies will be verifying that the contractor is currently qualified to do business in California in order to ensure that all obligations due to the state are fulfilled. b."Doing business"is defined in R&TC Section 23101 as actively engaging in any transaction forthe purpose of financial or pecuniary gainor profit.Although thereare some statutory exceptions to taxation,rarely will a corporate contractor performing within the state not be subject to the franchise tax. c.Both domestic and foreign corporations (those incorporated outside of California)must be in good standing in order to be qualified to do business in California.Agencies will determine whether a corporation isin good standing by calling the Office ofthe Secretary of State. 6.RESOLUTION:A county,city,district,orother local public body must provide the State with a copy ofa resolution,order,motion,or ordinance of the local governing body which by law has authority to enter into an agreement,authorizing execution of the agreement. 7.AIR OR WATER POLLUTION VIOLATION:Under the State laws, the Contractor shall not be:(1)in violation of any order or resolution not subject to review promulgated by the State Air Resources Board or an air pollution control district;(2)subject to cease and desist order not subject to review issued pursuant to Section 13301 ofthe Water Codefor violationof waste discharge requirementsor discharge prohibitions; or (3) finally determined to be in violation of provisions of federal law relating to air or water pollution. 8. PAYEE DATA RECORD FORM STD.204: This form must be completed by all contractorsthat are not another stateagency or other governmentalentity. AGREEMENT BETWEEN THE COUNTY OF FRESNO AND STATE OF CALIFORNIA No •15-92089 Term:July 1.2015 through June 30.2016 APPROVED AS TO LEGAL FORM: DANIELC. CEDERBORG,COUNTYCOUNSEL By: APPROVED AS TO ACCOUNTING FORM: VICKI CROW,C.P.A..AUDITOR-CONTROLLER/ TREASURER-TAX COLLECTOR I •>kdByr/.CU (-U REVIEWED AND RECOMMENDED FOR APPROVAL: Dawan Utecht,Director Department of Behavioral Health