- 1 - COUNTY OF FRESNO
Fresno, CA
AMENDMENT II TO AGREEMENT
THIS AMENDMENT, hereinafter referred to as Amendment II, is made and entered into
this__________ day of __________________, 2017, by and between the COUNTY OF FRESNO,
a Political Subdivision of the State of California, hereinafter referred to as “COUNTY”, and BIT
CALIFORNIA LLC dba DOCUMENT FULFILLMENT SERVICES, a California
corporation, whose address is 2930 Ramona Avenue, Suite 100, Sacramento, CA 95826 hereinafter
referred to as “CONTRACTOR”.
W I T N E S S E T H:
WHEREAS, the parties entered into that certain Agreement, identified as COUNTY
Agreement No. A-11-336, effective July 1, 2011, and COUNTY Amendment I, effective March 10,
2015, hereinafter referred to collectively as COUNTY’s Agreement No. A-11-336; and
WHEREAS, the Department of Social Services (DSS) engaged the CONTRACTOR for the
purpose of providing CalWIN (California Work Opportunity and Responsibility to Kids
Information Network) correspondence to DSS clients through printing and mailing services; and
WHEREAS, sixteen (16) CalWIN counties contract with CONTRACTOR to provide
CalWIN client correspondence; and
WHEREAS, COUNTY desires the ability to also conduct mass mailings to clients who are
not in the CalWIN system; and
WHEREAS, CONTRACTOR has the qualified personnel, facilities and resources to provide
timely correspondence to clients through printing and mailing necessary documents; and
WHEREAS, CONTRACTOR is able to coordinate with DSS to provide such services; and
WHEREAS, the parties desire to amend County Agreement No. A-11-336 regarding
changes as stated below and restate the Agreement in its entirety.
NOW, THEREFORE, in consideration of their mutual promises, covenants and conditions,
hereinafter set forth, the sufficiency of which is acknowledged, the parties agree as follows:
1. That existing COUNTY Agreement No. A-11-336, Section Two (2), Page Two (2),
beginning on Line Eleven (11) with the word “Term” and ending on Page Two (2), Line Seventeen
(17) with the word “Agreement” be deleted in its entirety and the following inserted in its place:
“This Agreement shall become effective on the 1st day of July 2011 and shall terminate
on the 30th day of June 2018. This Agreement may be extended for one (1) subsequent twelve (12)
month period upon the written approval of both parties no later than thirty (30) days prior to June
30, 2018. The DSS Director, or designee, is authorized to execute such written approval on behalf
of COUNTY based on CONTRACTOR’s satisfactory performance.”
2. That existing COUNTY Agreement No. A-11-336, Section Four (4), Page Three (3),
beginning on Line Seventeen (17) with the word “In” and ending on Page Three (3), Line Nineteen
(19) with the word “Agreement.” be deleted in its entirety and the following inserted in its place:
“In no event shall compensation for services performed under this Agreement be in
excess of Twenty-One Million, One Hundred Seventy-Three Thousand, Two Hundred Eighty-Six
and No/100 Dollars ($21,173,286) during the eight-year term of this Agreement.”
3. That all references in existing COUNTY Agreement No. A-11-336 to “Revised Exhibit
A” shall be changed to read “Exhibit A-1,” attached hereto and incorporated herein by this
reference.
4. That all references in existing COUNTY Agreement No. A-11-336 to “Revised Exhibit
B” shall be changed to read “Exhibit B-1,” attached hereto and incorporated herein by this
reference.
5. That all references in existing COUNTY Agreement No. A-11-336 to “Revised Exhibit
D” shall be changed to read “Exhibit D-1,” attached hereto and incorporated herein by this
reference.
6. The parties agree that this Amendment II is sufficient to amend COUNTY Agreement
No. A-11-336, and that upon execution of this Amendment II, the original Agreement, Amendment
I, and Amendment II together shall be considered the Agreement.
The Agreement, as hereby amended, is ratified and continued. All provisions, terms,
covenants, conditions and promises contained in the Agreement and not amended herein shall
remain in full force and effect. This Amendment II shall become effective on July 1, 2017.
Exhibit A-1
Page 1 of 4
SUMMARY OF SERVICES
ORGANIZATION: BIT California LLC dba Document Fulfillment Services
ADDRESS: 910 Riverside Parkway, Suite 40, West Sacramento, CA 95605
CONTACT: Eric Bambury, President/CEO
SERVICES: CalWIN/VACS/MISCELLANEOUS Printing and Mailing Services
CONTRACT PERIOD: July 1, 2011 to June 30, 2012, with seven (7) auto-renewals through June
30, 2019
MAXIMUM AGREEMENT COMPENSATION: $21,173,286
CONTRACTOR shall provide CalWIN (California Work Opportunity and Responsibility to
Kids Information Network), Ventura Automated Collections System (VACS), and other
miscellaneous client correspondence printing and mailing services for the Department of Social
Services (DSS).
PROJECT DESCRIPTION: The CalWIN system is a Windows-based system used by
Department staff in determining eligibility and benefit levels for public assistance programs.
Daily transactions by EWs automatically generate correspondence including Notices of Actions,
forms, applications and other client correspondence. The correspondence must be processed and
rendered to the United States Postal Service (USPS) within the same day, in time for next day
delivery to the addressee.
Social Services Accounts Receivable (SSAR) uses VACS, a Windows-based system, to report
and bill clients for Social Services overpayments. Monthly transactions generated by CalWIN
are evaluated via the VACS system which generates collection notices and other correspondence
for clients. The correspondence must be processed and rendered to USPS within the same day, in
time for next day delivery to the addressee.
CONTRACTOR SHALL BE RESPONSIBLE FOR THE FOLLOWING:
1. Obtain print data files from the CalWIN system vendor, Enterprise Services, LLC
(formerly known as HP Enterprise Services LLC) and from the COUNTY DSS for the
VACS system or other miscellaneous mailings, process client correspondence for next
day delivery. The standard business practice for CalWIN is to produce print data files
five (5) days a week from Monday through Friday; CONTRACTOR must be available to
receive a secure electronic file transfer on a daily basis (Tuesday through Saturday).
Contractor shall notify designated COUNTY DSS staff by phone and email of any print
data file delays within 24 hours.
2. Print correspondence in nine (9) different languages in the event that correspondence
needs to be mailed in the client's primary language (as identified by the CalWIN/VACS
systems). The nine (9) languages include: English, Spanish, Russian, Chinese,
Vietnamese, Hmong, Laotian, Bosnian and Farsi. Additional languages may be supported
by CalWIN/VACS during the course of the Agreement.
3. Include inserts with correspondence as requested by COUNTY DSS. Inserts may be
supplied by COUNTY DSS and/or produced by CONTRACTOR. Should
CONTRACTOR produce inserts for COUNTY DSS, IT enhancements/changes fees are
applicable. CONTRACTOR must receive written approval from COUNTY DSS prior to
producing inserts, and maintain email receipts of approval. CONTRACTOR shall retain
insert print data files for a minimum of thirty (30) business days for disaster recovery
purposes and shall destroy print data files after the specified retention period.
4. Retain print data files for a minimum of thirty (30) business days for disaster recovery
purposes and shall destroy print data files after the specified retention period.
5. Immediately notify COUNTY DSS of any correspondence errors and/or delays in
rendering correspondence to USPS for next day delivery.
COUNTY DSS CalWIN Contacts:
Debbie Aguila, Senior Systems and Procedures Analyst
PO Box 1912, Fresno, CA 93718-1912
pkongbouakhay@co.fresno.ca.us (559) 600-2201
Lao Mouanoutoua, Systems and Procedures Analyst
PO Box 1912, Fresno, CA 93718-1912
lvmouanoutoua@co.fresno.ca.us (559) 600-2219
COUNTY DSS VACS Contact:
Stacey Sandoval, Finance Chief
PO Box 1912, Fresno, CA 93718-1912
stsandoval@co.fresno.ca.us (559) 600-2823
6. Submit daily reports on errors for 100 or more pieces within a single mailing. In addition
to the daily reports, CONTRACTOR shall submit a monthly report of total errors (Exhibit
B-1, page 3) for each month in which errors occurred.
7. Submit Monthly invoice, Fresno County spreadsheet, and monthly Client Postage
Summary, Client Consumption, Client Work Order Activity, and Client Work Order
Summary reports, including, if applicable, information on special mailings. These reports
are produced from Document Fulfillment Services system and should match all
correspondence quantities identified by the CalWIN system. The reports shall include the
following:
a. Number of images printed during the day/month.
b. Number of sheets during the day/month.
c. Number of legal size sheets during the day/month.
d. Number of household mail pieces during the day/month.
e. Number of mail pieces broken out by weight and rate during the day/month.
f. Number of inserts during the day/month.
g. Number of returned envelopes during the day/month.
h. Number of mail pieces in English during the day/month.
i. Number of mail pieces in all other languages during the day/month.
8. Provide services identified in the Sacramento County Revised Request for Proposal
RFP7434.
9. Invoice COUNTY DSS for initial postage deposit 45 days prior to due date.
10. Meter all client correspondence on DFS postage meters in Sacramento.
11. Guarantee 100% of COUNTY DSS mail pieces receive the pre-sorted discount rates
offered by the USPS and inform COUNTY DSS within 5 business days in writing of any
applicable USPS rate changes.
12. Notify COUNTY DSS if postage balance falls below $80,000 or an amount that would
cause an interruption in services.
13. Provide COUNTY DSS, a $5,000 postage reserve account. Mail will be held until
payment is received if needed.
COUNTY DSS Postage Contacts:
Cynthia Witrago, Staff Analyst
PO Box 1912, Fresno, CA 93718-1912
cwitrac@co.fresno.ca.us (559) 600-2334
DSS Invoices Mailbox
DSSinvoices@co.fresno.ca.us (559) 600-2300
14. Collaborate with COUNTY to resolve problems and exchange services information. Meet
with COUNTY as needed.
COUNTY DSS SHALL BE RESPONSIBLE FOR THE FOLLOWING:
1. Provide CONTRACTOR with a one (1) day notice should COUNTY DSS produce data
on the CalWIN/VACS systems during days outside of the COUNTY DSS's standard
business operation days.
2. Provide CONTRACTOR with a 15-day notice for County-requested stuffers, inserts, or
special mailings.
3. Maintain a postage deposit of $240,000, the equivalent of approximately three-month’s
postage.
4. Maintain sufficient funding in postage account with CONTRACTOR to avoid a zero
balance. This may include periodic advance payments via ACH (automated clearing
house) or standard check to ensure timely deposit of funds.
5. Collaborate with CONTRACTOR to resolve problems and exchange services
information. Meet with CONTRACTOR as needed.
Exhibit B-1
Page 1 of 3
BUDGET SUMMARY
ORGANIZATION: BIT California LLC dba Document Fulfillment Services
SERVICES: CalWIN/VACS/MISCELLANEOUS Printing and Mailing Services
CONTRACT PERIOD: July 1, 2011 to June 30, 2012, with seven (7) auto-renewals through June
30, 2019
MAXIMUM AGREEMENT COMPENSATION: $21,173,286
PAYMENT BASIS FOR PRINTING AND MAILING:
CONTRACTOR shall be reimbursed for CalWIN printing and mailing services at the following
rates:
July 1, 2011 to June 30, 2019
SERVICES COST
*Initial Set Up (first year only) No Charge
**Price per Image – B/W $0.0426
***Price per Image – Color $0.11
Inserts by Machine – per 1,000 (includes folding) $5.00
Inserts by Hand – per 1,000 (includes folding) $10.00
IT Changes / Enhancement – per Hour $85.00
Other Services: Householding Services (combining correspondence to same case number) No Charge
CONTRACTOR shall credit COUNTY should the following occur:
Errors involving 100 or more pieces in a single mailing $0.04 per piece
Invoice containing typographical and/or mathematical errors $500 per invoice
*Initial set-up charge includes all costs associated with letter design/layout, fine-tuning,
programming, and testing.
**Price per image includes cost of materials (paper, envelopes) and cost of processing
(pickup/courier service, receiving and batching data, printing, folding, inserting, presorting,
delivery to USPS). The price per image shall equal one side of printed page and shall include all
applicable sales tax.
***Price per color image shall include a quick search and locate mechanism, e.g. software and
viewer to do lookups and searches by certain criteria. The price per color image shall equal one
side of printed page and shall include all applicable sales tax.
PAYMENT BASIS FOR POSTAGE:
COUNTY shall pay for postage in advance to include an initial deposit of $240,000.
CONTRACTOR shall invoice COUNTY for actual postage in arrears. CONTRACTOR shall
ensure that postage costs are billed at the pre-sorted discount rates offered by the USPS. All
postage reserve funds will be reconciled monthly and reported on the Postage Summary report.
All postage reserve funds will be carried forward into each term. CONTRACTOR shall
reimburse COUNTY the remainder of postage deposit at the termination of this Agreement
within 45 days of the last day of mailing services provided.
Charge for postage shall be at the USPS Commercial First-Class Mail 3-Digit Rate, subject to
increases and/or decreases by the USPS.
NOTE: County contracting procedures require a maximum amount payable. The maximum
amount is based upon a high estimate of the total number of services to be provided and images
to be printed during the term of the Agreement. There is no guarantee to purchase a minimum
quantity of images or services. All dollar amounts listed below have been estimated. The actual
costs may vary from amounts listed.
Fiscal Year 2011-12: $1,966,735 (Includes Postage Deposit)
Fiscal Year 2012-13: $2,033,201
Fiscal Year 2013-14: $2,395,129
Fiscal Year 2014-15: $2,822,735
Fiscal Year 2015-16: $2,822,735
Fiscal Year 2016-17: $2,822,735
Fiscal Year 2017-18: $3,155,008
Fiscal Year 2018-19: $3,155,008
Total Maximum Compensation: $21,173,286
The maximum amounts allowable under this Agreement shall be as follows:
Printing and Mailing Services: $8,469,314
Postage: $12,703,972 (including $240,000 Postage Deposit)
The postage deposit in the amount of $240,000 minus any outstanding postage invoices will be
refunded by CONTRACTOR to COUNTY within 45 days of the last day of mailing services
provided.
Exhibit B-1
Page 3 of 3
MONTHLY ERROR REPORT
ORGANIZATION: BIT California LLC dba Document Fulfillment Services
REPORT MONTH/YEAR: _____________________________________
ERRORS: CONTRACTOR shall credit COUNTY for errors not remedied by
CONTRACTOR’s quality control involving 100 or more pieces from a single mailing at the rate
of $0.04 per piece. This shall include client correspondence mailed after the target mailing date.
NOTE: It is not necessary to submit this error report when there have been fewer than 100
unremedied errors.
ERROR DETAIL:
Date Mailed | Work Order Number | Date Processed | Unique Identifier Number | Description | Number of Pieces | Number of Inserts Included | Postage Used | Total Credit to DSS
Credit Total: ____________________
COMPLETED BY: __________________________ TITLE: _____________________
PHONE: ____________________________ DATE: ______________________
Agreement No. 16-659
Exhibit D-1
MEDI-CAL PRIVACY & SECURITY AGREEMENT NO.: 16-10
MEDI-CAL PRIVACY AND SECURITY AGREEMENT BETWEEN the California
Department of Health Care Services and the
County of Fresno, Department of Social Services
PREAMBLE
The Department of Health Care Services (DHCS) and the County of Fresno,
Department of Social Services (County Department) enter into this Medi-Cal Privacy
and Security Agreement (Agreement) in order to ensure the privacy and security of
Medi-Cal Personally Identifiable Information (PII).
DHCS receives federal funding to administer California's Medicaid Program
(Medi-Cal). The County Department assists in the administration of Medi-Cal, in that
DHCS and the County Department access DHCS eligibility information for the purpose
of determining Medi-Cal eligibility.
This Agreement covers the County of Fresno, Department of
Social Services workers, who assist in the administration of Medi-Cal; and access,
use, or disclose Medi-Cal PII.
DEFINITIONS
For the purpose of this Agreement, the following terms mean:
1. "Assist in the administration of the Medi-Cal program" means performing
administrative functions on behalf of Medi-Cal, such as determining eligibility for, or
enrollment in, or the amount of, public benefits, and collecting Medi-Cal PII for
such purposes, to the extent such activities are authorized by law.
2. "Breach" refers to actual loss, loss of control, compromise, unauthorized
disclosure, unauthorized acquisition, unauthorized access, or any similar term
referring to situations where persons other than authorized users and for other
than authorized purposes have access or potential access to Medi-Cal PII, whether
electronic, paper, verbal, or recorded.
3. "County Worker" means those county employees, contractors, subcontractors,
vendors and agents performing any functions for the County that require access to
and/or use of Medi-Cal PII and that are authorized by the County to access and
use Medi-Cal PII.
4. "Medi-Cal PII" is information directly obtained in the course of performing an
administrative function on behalf of Medi-Cal that can be used alone, or in
conjunction with any other information, to identify a specific individual. PII includes
any information that can be used to search for or identify individuals, or can be
used to access their files, such as name, social security number, date of birth,
driver's license number or identification number. PII may be electronic, paper,
verbal, or recorded.
5. "Security Incident" means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of Medi-Cal PII, or interference with system
operations in an information system which processes Medi-Cal PII that is under the
control of the County or County's Statewide Automated Welfare System (SAWS)
Consortium, or a contractor, subcontractor or vendor of the County.
6. "Secure Areas" means any area where:
a. County Workers assist in the administration of Medi-Cal;
b. County Workers use or disclose Medi-Cal PII; or
c. Medi-Cal PII is stored in paper or electronic format.
AGREEMENTS
NOW THEREFORE, DHCS and County Department mutually agree as follows:
I. PRIVACY AND CONFIDENTIALITY
A. The County Department workers covered by this Agreement (County
Workers) may use or disclose Medi-Cal PII only as permitted in this
Agreement and only to assist in the administration of Medi-Cal in
accordance with Welfare and Institutions Code section 14100.2 and 42
Code of Federal Regulations section 431.300 et seq., or as required by law.
Disclosures, which are required by law, such as a court order, or are made
with the explicit written authorization of the Medi-Cal client, are allowable.
Any other use or disclosure of Medi-Cal PII requires the express approval in
writing of DHCS. No County Worker shall duplicate, disseminate or disclose
Medi-Cal PII except as allowed in this Agreement.
B. Pursuant to this Agreement, County Workers may only use Medi-Cal PII to
perform administrative functions related to determining eligibility for
individuals applying for Medi-Cal.
C. Access to Medi-Cal PII shall be restricted to County Workers who need to
perform their official duties to assist in the administration of Medi-Cal.
D. County Workers who access, disclose or use Medi-Cal PII in a manner or
for a purpose not authorized by this Agreement may be subject to civil and
criminal sanctions contained in applicable federal and state statutes.
II. PERSONNEL CONTROLS
The County Department agrees to advise County Workers who have access to
Medi-Cal PII, of the confidentiality of the information, the safeguards required to
protect the information, and the civil and criminal sanctions for non-compliance
contained in applicable federal and state laws. For that purpose, the County
Department shall implement the following personnel controls:
A. Employee Training. Train and use reasonable measures to ensure
compliance with the requirements of this Agreement by County Workers,
including, but not limited to:
1. Provide initial privacy and security awareness training to each new
County Worker within 30 days of employment and;
2. Thereafter, provide annual refresher training or reminders of the privacy
and security safeguards in this Agreement to all County Workers. Three
or more security reminders per year are recommended;
3. Maintain records indicating each County Worker's name and the date on
which the privacy and security awareness training was completed;
4. Retain training records for a period of three years after completion of the
training.
B. Employee Discipline.
1. Provide documented sanction policies and procedures for County
Workers who fail to comply with privacy policies and procedures or any
provisions of these requirements.
2. Sanction policies and procedures shall include termination of employment
when appropriate.
C. Confidentiality Statement. Ensure that all County Workers sign a
confidentiality statement. The statement shall be signed by County Workers
prior to accessing Medi-Cal PII and annually thereafter. Signatures may be
physical or electronic. The signed statement shall be retained for a period of
three years.
The statement shall include at a minimum:
1. General Use;
2. Security and Privacy Safeguards;
3. Unacceptable Use; and
4. Enforcement Policies.
D. Background Screening.
1. Conduct a background screening of a County Worker before they may
access Medi-Cal PII.
2. The background screening should be commensurate with the risk and
magnitude of harm the employee could cause. More thorough screening
shall be done for those employees who are authorized to bypass
significant technical and operational security controls.
3. The County Department shall retain each County Worker's background
screening documentation for a period of three years following conclusion
of employment relationship.
III. MANAGEMENT OVERSIGHT AND MONITORING
To ensure compliance with the privacy and security safeguards in this
Agreement the county shall perform the following:
A. Conduct periodic privacy and security review of work activity by County
Workers, including random sampling of work product. Examples include,
but are not limited to, access to case files or other activities related to the
handling of Medi-Cal PII.
B. The periodic privacy and security reviews must be performed or overseen
by management level personnel who are knowledgeable and experienced in
the areas of privacy and information security in the administration of the
Medi-Cal program, and the use or disclosure of Medi-Cal PII.
IV. INFORMATION SECURITY AND PRIVACY STAFFING
The County agrees to:
A. Designate information security and privacy officials who are accountable for
compliance with these and all other applicable requirements stated in this
Agreement.
B. Assign county workers to be responsible for administration and monitoring
of all security related controls stated in this Agreement.
V. PHYSICAL SECURITY
The County Department shall ensure Medi-Cal PII is used and stored in an area
that is physically safe from access by unauthorized persons at all times. The
County Department agrees to safeguard Medi-Cal PII from loss, theft, or
inadvertent disclosure and, therefore, agrees to:
A. Secure all areas of the County Department facilities where County Workers
assist in the administration of Medi-Cal and use, disclose, or store Medi-Cal
PII.
B. These areas shall be restricted to only allow access to authorized
individuals by using one or more of the following:
1. Properly coded key cards
2. Authorized door keys
3. Official identification
C. Issue identification badges to County Workers.
D. Require County Workers to wear these badges where Medi-Cal PII is used,
disclosed, or stored.
E. Ensure each physical location, where Medi-Cal PII is used, disclosed, or
stored, has procedures and controls that ensure an individual who is
terminated from access to the facility is promptly escorted from the facility
by an authorized employee and access is revoked.
F. Ensure there are security guards or a monitored alarm system at all times at
the County Department facilities and leased facilities where 500 or more
individually identifiable records of Medi-Cal PII is used, disclosed, or stored.
Video surveillance systems are recommended.
G. Ensure data centers with servers, data storage devices, and/or critical
network infrastructure involved in the use, storage, and/or processing of
Medi-Cal PII have perimeter security and physical access controls that limit
access to only authorized County Workers. Visitors to the data center area
must be escorted at all times by authorized County Workers.
H. Store paper records with Medi-Cal PII in locked spaces, such as locked file
cabinets, locked file rooms, locked desks, or locked offices in facilities which
are multi-use meaning that there are County Department and non-County
Department functions in one building in work areas that are not securely
segregated from each other. It is recommended that all Medi-Cal PII be
locked up when unattended at any time, not just within multi-use facilities.
I. The County shall have policies that include, based on applicable risk
factors, a description of the circumstances under which the County Workers
can transport Medi-Cal PII, as well as the physical security requirements
during transport. A County that chooses to permit its County Workers to
leave records unattended in vehicles must include provisions in its policies
to provide the Medi-Cal PII is stored in a non-visible area such as a trunk,
that the vehicle is locked, and under no circumstances permit Medi-Cal PII
be left unattended in a vehicle overnight or for other extended periods of
time.
J. The County Department shall have policies that indicate County Workers
are not to leave records with Medi-Cal PII unattended at any time in
airplanes, buses, trains, etc., including baggage areas. This should be
included in training due to the nature of the risk.
VI. TECHNICAL SECURITY CONTROLS
A. Workstation/Laptop Encryption. All workstations and laptops, which use,
store and/or process Medi-Cal PII, must be encrypted using a FIPS 140-2
certified algorithm 128 bit or higher, such as Advanced Encryption Standard
(AES). The encryption solution must be full disk. It is encouraged, when
available and when feasible, that the encryption be 256 bit.
B. Server Security. Servers containing unencrypted Medi-Cal PII must have
sufficient administrative, physical, and technical controls in place to protect
that data, based upon a risk assessment/system security review. It is
recommended to follow the guidelines documented in the latest revision of
the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-53, Security and Privacy Controls for Federal
Information Systems and Organizations.
C. Minimum Necessary. Only the minimum necessary amount of Medi-Cal
PII required to perform required business functions may be accessed,
copied, downloaded, or exported.
D. Mobile Device and Removable Media. All electronic files, which contain
Medi-Cal PII data, must be encrypted when stored on any mobile device or
removable media (i.e. USB drives, CD/DVD, smartphones, tablets, backup
tapes etc.). Encryption must be a FIPS 140-2 certified algorithm 128 bit or
higher, such as AES. It is encouraged, when available and when feasible,
that the encryption be 256 bit.
E. Antivirus Software. All workstations, laptops and other systems, which
process and/or store Medi-Cal PII, must install and actively use an anti-virus
software solution. Anti-virus software should have automatic updates for
definitions scheduled at least daily.
F. Patch Management.
1. All workstations, laptops and other systems, which process and/or store
Medi-Cal PII, must have critical security patches applied, with system
reboot if necessary.
2. There must be a documented patch management process that
determines installation timeframe based on risk assessment and vendor
recommendations.
3. At a maximum, all applicable patches deemed as critical must be
installed within 30 days of vendor release. It is recommended that
critical patches which are high risk be installed within seven days.
4. Applications and systems that cannot be patched within this time frame,
due to significant operational reasons, must have compensatory controls
implemented to minimize risk.
G. User IDs and Password Controls.
1. All users must be issued a unique user name for accessing Medi-Cal PII.
2. Username must be promptly disabled, deleted, or the password changed
upon the transfer or termination of an employee, at maximum within 24
hours.
3. Passwords are not to be shared.
4. Passwords must be at least eight characters.
5. Passwords must be a non-dictionary word.
6. Passwords must not be stored in readable format on the computer or
server.
7. Passwords must be changed every 90 days or less. It is recommended
that passwords be required to be changed every 60 days or less.
8. Passwords must be changed if revealed or compromised.
9. Passwords must be composed of characters from at least three of the
following four groups from the standard keyboard:
a. Upper case letters (A-Z)
b. Lower case letters (a-z)
c. Arabic numerals (0-9)
d. Special characters
H. User Access. In conjunction with DHCS, management should exercise
control and oversight, of the function of authorizing individual user access to
Social Security Administration (SSA) data, Medi-Cal Eligibility Data System
(MEDS), and over the process of issuing and maintaining access control
numbers, IDs, and passwords.
I. Data Destruction. When no longer needed, all Medi-Cal PII must be
cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines
for Media Sanitization, such that the Medi-Cal PII cannot be retrieved.
J. System Timeout. The systems providing access to Medi-Cal PII must
provide an automatic timeout, requiring re-authentication of the user session
after no more than 20 minutes of inactivity.
K. Warning Banners. The systems providing access to Medi-Cal PII must
display a warning banner stating, at a minimum:
1. Data is confidential;
2. Systems are logged;
3. System use is for business purposes only, by authorized users; and
4. Users shall log off the system immediately if they do not agree with
these requirements.
L. System Logging.
1. The systems which provide access to Medi-Cal PII must maintain an
automated audit trail that can identify the user or system process which
initiates a request for Medi-Cal PII, or alters Medi-Cal PII.
2. The audit trail shall:
a. Be date and time stamped;
b. Log both successful and failed accesses;
c. Be read-access only; and
d. Be restricted to authorized users.
3. If Medi-Cal PII is stored in a database, database logging functionality
shall be enabled.
4. Audit trail data shall be archived for at least three years from the
occurrence.
M. Access Controls. The system providing access to Medi-Cal PII shall use
role based access controls for all user authentications, enforcing the
principle of least privilege.
N. Transmission Encryption.
1. All data transmissions of Medi-Cal PII outside of a secure internal
network must be encrypted using a FIPS 140-2 certified algorithm that is
128 bit or higher, such as AES or TLS. It is encouraged, when available
and when feasible, that 256 bit encryption be used.
2. Encryption can be end to end at the network level, or the data files
containing Medi-Cal PII can be encrypted.
3. This requirement pertains to any type of Medi-Cal PII in motion such as
website access, file transfer, and email.
O. Intrusion Prevention. All systems involved in accessing, storing,
transporting, and protecting Medi-Cal PII, which are accessible through the
Internet, must be protected by an intrusion detection and prevention
solution.
VII. AUDIT CONTROLS
A. System Security Review.
1. The County Department must ensure audit control mechanisms are in
place.
2. All systems processing and/or storing Medi-Cal PII must have at least an
annual system risk assessment/security review that ensures
administrative, physical, and technical controls are functioning effectively
and provide an adequate level of protection.
3. Reviews should include vulnerability scanning tools.
B. Log Reviews. All systems processing and/or storing Medi-Cal PII must
have a process or automated procedure in place to review system logs for
unauthorized access.
C. Change Control. All systems processing and/or storing Medi-Cal PII must
have a documented change control process that ensures separation of
duties and protects the confidentiality, integrity and availability of data.
D. Anomalies. When the county or DHCS suspects MEDS usage anomalies,
the county will work with DHCS to investigate the anomalies and report
conclusions of such investigations and remediation to DHCS.
VIII. BUSINESS CONTINUITY / DISASTER RECOVERY CONTROLS
A. Emergency Mode Operation Plan. The County Department must
establish a documented plan to enable continuation of critical business
processes and protection of the security of Medi-Cal PII kept in an electronic
format in the event of an emergency. Emergency means any circumstance
or situation that causes normal computer operations to become unavailable
for use in performing the work required under this Agreement for more than
24 hours. It is recommended that counties conduct periodic disaster
recovery testing, including connectivity exercises conducted with DHCS, if
requested.
B. Data Centers. Data centers with servers, data storage devices, and critical
network infrastructure involved in the use, storage and/or processing of
Medi-Cal PII, must include environmental protection such as cooling, power,
and fire prevention, detection, and suppression.
C. Data Backup Plan.
1. The County Department shall have established documented procedures
to backup Medi-Cal PII to maintain retrievable exact copies of Medi-Cal
PII.
2. The documented backup procedures shall contain a schedule which
includes incremental and full backups.
3. The procedures shall include storing backups offsite.
4. The procedures shall ensure an inventory of backup media. It is
recommended that the county periodically test the data recovery
process.
IX. PAPER DOCUMENT CONTROLS
A. Supervision of Data. Medi-Cal PII in paper form shall not be left
unattended at any time, unless it is locked in a file cabinet, file room, desk or
office. Unattended means that information may be observed by an
individual not authorized to access the information.
B. Data in Vehicles. The County shall have policies that include, based on
applicable risk factors, a description of the circumstances under which the
County Workers can transport Medi-Cal PII, as well as the physical security
requirements during transport. A County that chooses to permit its County
Workers to leave records unattended in vehicles must include provisions in
its policies to provide the Medi-Cal PII is stored in a non-visible area such as
a trunk, that the vehicle is locked, and under no circumstances permit
Medi-Cal PII be left unattended in a vehicle overnight or for other extended
periods of time.
C. Public Modes of Transportation. Medi-Cal PII in paper form shall not be
left unattended at any time in airplanes, buses, trains, etc., including
baggage areas. This should be included in training due to the nature of the
risk.
D. Escorting Visitors. Visitors to areas where Medi-Cal PII is contained shall
be escorted, and Medi-Cal PII shall be kept out of sight while visitors are in
the area.
E. Confidential Destruction. Medi-Cal PII must be disposed of through
confidential means, such as cross cut shredding or pulverizing.
F. Removal of Data. Medi-Cal PII must not be removed from the premises of
County Department except for justifiable business purposes.
G. Faxing.
1. Faxes containing Medi-Cal PII shall not be left unattended and fax
machines shall be in secure areas.
2. Faxes shall contain a confidentiality statement notifying persons
receiving faxes in error to destroy them and notify the sender.
3. Fax numbers shall be verified with the intended recipient before sending
the fax.
H. Mailing.
1. Mailings containing Medi-Cal PII shall be sealed and secured from
damage or inappropriate viewing of PII to the extent possible.
2. Mailings that include 500 or more individually identifiable records
containing Medi-Cal PII in a single package shall be sent using a tracked
mailing method that includes verification of delivery and receipt.
X. NOTIFICATION AND INVESTIGATION OF BREACHES AND SECURITY
INCIDENTS
During the term of this Agreement, the County Department agrees to implement
reasonable systems for the discovery and prompt reporting of any Breach or
Security Incident, and to take the following steps:
A. Initial Notice to DHCS:
Immediately upon discovery of a suspected security incident that involves
data provided to DHCS by the SSA, the county shall notify DHCS by email
or telephone.
Within one working day of discovery, the county shall notify DHCS by
email or telephone of unsecured PHI or PI, if that PHI or PI was, or is,
reasonably believed to have been accessed or acquired by an unauthorized
person, any suspected security incident, intrusion, or unauthorized access,
use, or disclosure of Medi-Cal PII in violation of this Agreement, or potential
loss of confidential data affecting this Agreement. Notice shall be made
using the "DHCS Privacy Incident Report" (PIR) form, including all
information known at the time. The County Department shall use the most
current version of this form, which is posted on the DHCS Privacy Office
website (www.dhcs.ca.gov, select "Privacy & HIPAA" and then "County
Use") or use this link:
http://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/CountiesOnly.aspx.
Initial, Investigation, and Completed PIRs are submitted to the DHCS
Privacy Office and the DHCS Information Security Office.
A breach shall be treated as discovered by the County Department as of the
first day on which the breach is known, or by exercising reasonable
diligence would have been known, to any person (other than the person
committing the breach), who is an employee, officer or other agent of the
County Department. Notice shall be provided to the DHCS Privacy Office
and the DHCS Information Security Office.
Upon discovery of a breach, security incident, intrusion, or unauthorized
access, use, or disclosure of Medi-Cal PII, the County Department shall
take:
1. Prompt corrective action to mitigate any risks or damages involved with
the breach and to protect the operating environment; and
2. Any action pertaining to such unauthorized disclosure required by
applicable Federal and State laws and regulations.
B. Investigation and Investigative Report. The county shall immediately
investigate breaches and security incidents involving Medi-Cal PII, and, if
the initial PIR did not include all of the information marked with an asterisk,
or if new or updated information is available, submit an updated PIR within
72 hours of the discovery. The updated PIR shall include all of the
information marked with an asterisk, and all other applicable information
listed on the form, to the extent known at that time.
C. Complete Report. If all of the required information was not included in
either the initial report, or the investigation report, then a separate complete
report must be submitted within ten working days of the discovery. The
Complete Report of the investigation shall include an assessment of all
known factors relevant to a determination of whether a breach occurred
under applicable provisions of HIPAA, the HITECH Act, the HIPAA
regulations and/or state law. The report shall also include a full, detailed
corrective action plan, including information on measures that were taken to
halt and/or contain the improper use or disclosure. If DHCS requests
information in addition to that listed on the PIR, the County Department shall
make reasonable efforts to provide DHCS with such information. If
necessary, a Supplemental Report may be used to submit revised or
additional information after the Completed Report is submitted, by
submitting the revised or additional information on an updated PIR. DHCS
will review and approve or disapprove the determination of whether a
breach occurred, and if individual notifications and corrective action plans
are required.
D. Notification of Individuals. When applicable state or federal law requires
DHCS to notify individuals of a breach or unauthorized disclosure of their
Medi-Cal PII, the following provisions apply: If the cause of the breach is
attributable to the County Department or its subcontractors, agents or
vendors, the County Department shall pay any costs of such notifications,
as well as any and all costs associated with the breach. The notifications
shall comply with the requirements set forth in California Civil Code Section
1798.29, and 42 U.S.C. section 17932, and its implementing regulations,
including but not limited to the requirement that the notifications be made
without unreasonable delay and in no event later than 60 calendar days.
The DHCS Privacy Office shall approve the time, manner and content of
any such notifications and their review and approval must be obtained
before notifications are made. DHCS may elect to assign responsibility for
such notification to the County Department. In the event DHCS assigns
notification responsibility to the County Department, DHCS shall provide the
County Department with the appropriate direction and procedures to ensure
notice is provided pursuant to applicable law. If the cause of the breach is
attributable to DHCS, DHCS shall pay any costs associated with such
notifications. If there is any question as to whether DHCS or the County
Department is responsible for the breach, DHCS and the County
Department shall jointly determine responsibility for purposes of allocating
the costs of such notices.
E. Responsibility for Reporting of Breaches when Required by State or
Federal Law. If the cause of a breach of Medi-Cal PII is attributable to the
County Department or its agents, subcontractors or vendors, the County
Department is responsible for reporting the breach and all costs associated
with the breach. If the cause of the breach is attributable to DHCS, DHCS is
responsible for reporting the breach and for all costs associated with the
breach. When applicable law requires the breach be reported to a federal or
state agency or that notice be given to media outlets, DHCS and the County
Department shall coordinate to ensure such reporting is in compliance with
applicable law and to prevent duplicate reporting, and to jointly determine
responsibility for purposes of allocating the costs of such reports, if any.
F. DHCS Contact Information. To direct communications to the above
referenced DHCS staff, the County Department shall initiate contact as
indicated herein. DHCS reserves the right to make changes to the contact
information below by giving written notice to the County Department. Said
changes shall not require an amendment to this Agreement to which it is
incorporated.
DHCS Privacy Office
c/o: Office of HIPAA Compliance
MS 4722
P.O. Box 997413
Sacramento, CA 95899-7413
Email: privacyofficer@dhcs.ca.gov
Telephone: (916) 445-4646 or (866) 866-0602

DHCS Information Security Office
MS 6400
P.O. Box 997413
Sacramento, CA 95899-7413
Email: iso@dhcs.ca.gov
Telephone: EITS Service Desk (916) 440-7000 or (800) 579-0874
XI. COMPLIANCE WITH SSA AGREEMENT
The County Department agrees to comply with substantive privacy and security
requirements in the Computer Matching and Privacy Protection Act Agreement
between the SSA and the California Health and Human Services Agency
(CHHS) and in the Agreement between SSA and DHCS, known as the
Information Exchange Agreement (IEA), which are appended and hereby
incorporated in to this Agreement (Exhibit A). The specific sections of the IEA
with substantive privacy and security requirements, which are to be complied
with by the County Department are in the following sections: E, Security
Procedures; F, Contractor/Agent Responsibilities; G, Safeguarding and
Reporting Responsibilities for PII, and in Attachment 4, Electronic Information
Exchange Security Requirements and Procedures for State and Local Agencies
Exchanging Electronic Information with SSA. If there is any conflict between a
privacy and security standard in these sections of the IEA and a standard in this
Agreement, the most stringent standard shall apply. The most stringent
standard means the standard which provides the greatest protection to Medi-
Cal PII.
If SSA changes the terms of its agreement(s) with DHCS, DHCS will, as soon
as reasonably possible after receipt, supply copies to CWDA as well as the
DHCS proposed target date for compliance. For a period of 30 days, DHCS
will accept input from CWDA on the proposed target date and make
adjustments, if appropriate. After the 30 day period, DHCS will submit the
proposed target date to SSA, which will be subject to adjustment by
SSA. Once a target date for compliance is determined by SSA, DHCS will
supply copies of the changed agreement to the CWDA and the Counties, along
with the compliance date expected by SSA. If a County is not able to meet the
SSA compliance date, it must submit a Corrective Action Plan (CAP) to DHCS
for review and approval at least 30 days prior to the SSA compliance date. Any
potential County resource issues may be discussed with DHCS through a
collaborative process in developing their CAP.
XII. COMPLIANCE WITH DEPARTMENT OF HOMELAND SECURITY
AGREEMENT
The County Department agrees to comply with substantive privacy and security
requirements in the Computer Matching Agreement (CMA) Between the
Department of Homeland Security, United States Citizenship and Immigration
Services (DHS-USCIS) and the California Department of Health Care Services
(CA-DHCS), known as the CMA, which is appended and hereby incorporated in
to this Agreement (Exhibit B). If there is any conflict between a privacy and
security standard in the CMA and a standard in this Agreement, the most
stringent standard shall apply. The most stringent standard means the
standard which provides the greatest protection to Medi-Cal PII.
If DHS-USCIS changes the terms of its agreement(s) with DHCS, DHCS will,
as soon as reasonably possible after receipt, supply copies to CWDA as well as
the DHCS proposed target date for compliance. For a period of 30 days,
DHCS will accept input from CWDA on the proposed target date and make
adjustments, if appropriate. After the 30 day period, DHCS will submit the
proposed target date to DHS-USCIS, which will be subject to adjustment by
DHS-USCIS. Once a target date for compliance is determined by DHS-USCIS,
DHCS will supply copies of the changed agreement to the CWDA and the
Counties, along with the compliance date expected by DHS-USCIS. If a
County is not able to meet the DHS-USCIS compliance date, it must
submit a Corrective Action Plan (CAP) to DHCS for review and approval at least
30 days prior to the DHS-USCIS compliance date. Any potential County
resource issues may be discussed with DHCS through a collaborative process
in developing their CAP.
XIII. COUNTY DEPARTMENT'S AGENTS AND SUBCONTRACTORS
The County Department agrees to enter into written agreements with any
agents, including subcontractors and vendors, to whom County Department
provides Medi-Cal PII received from or created or received by County
Department in performing functions or activities related to the administration of
Medi-Cal that impose the same restrictions and conditions on such agents,
subcontractors and vendors that apply to the County Department with respect
to Medi-Cal PII, including restrictions on disclosure of Medi-Cal PII and the use
of appropriate administrative, physical, and technical safeguards to protect
such Medi-Cal PII. The County Department shall incorporate, when applicable,
the relevant provisions of this Agreement into each subcontract or subaward to
such agents, subcontractors and vendors, including the requirement that any
breach, security incident, intrusion, or unauthorized access, use, or disclosure
of Medi-Cal PII be reported to the County Department.
XIV. ASSESSMENTS AND REVIEWS
In order to enforce this Agreement and ensure compliance with its provisions,
the County Department agrees to allow DHCS to inspect the facilities, systems,
books, and records of the County Department, with reasonable notice from
DHCS, in order to perform assessments and reviews. Such inspections shall
be scheduled at times that take into account the operational and staffing
demands. The County Department agrees to promptly remedy any violation of
any provision of this Agreement and certify the same to the DHCS Privacy
Office and DHCS Information Security Office in writing, or to enter into a written
corrective action plan with DHCS containing deadlines for achieving
compliance with specific provisions of this Agreement.
XV. ASSISTANCE IN LITIGATION OR ADMINISTRATIVE PROCEEDINGS
In the event of litigation or administrative proceedings involving DHCS based
upon claimed violations by the County Department of the privacy or security of
Medi-Cal PII, or federal or state laws or agreements concerning privacy or
security of Medi-Cal PII, the County Department shall make all reasonable effort
to make itself and County Workers assisting in the administration of Medi-Cal
and using or disclosing Medi-Cal PII available to DHCS at no cost to DHCS to
testify as witnesses. DHCS shall also make all reasonable efforts to make itself
and any subcontractors, agents, and employees available to the County
Department at no cost to the County Department to testify as witnesses, in the
event of litigation or administrative proceedings involving the County
Department based upon claimed violations by DHCS of the privacy or security
of Medi-Cal PII, or state or federal laws or agreements concerning privacy or
security of Medi-Cal PII.
XVI. AMENDMENT OF AGREEMENT
DHCS and the County Department acknowledge that federal and state laws
relating to data security and privacy are rapidly evolving and that amendment of
this Agreement may be required to provide for procedures to ensure
compliance with such developments. Upon request by DHCS, the County
Department agrees to promptly enter into negotiations concerning an
amendment to this Agreement as may be needed by developments in federal
and state laws and regulations. DHCS may terminate this Agreement upon
thirty (30) days written notice if the County Department does not promptly enter
into negotiations to amend this Agreement when requested to do so, or does
not enter into an amendment that DHCS deems necessary.
XVII. TERMINATION
This Agreement shall terminate on September 1, 2019, regardless of the date
the Agreement is executed by the parties. The parties can agree in writing to
extend the term of the Agreement; county requests for an extension must be
justified to and accepted by DHCS and limited to no more than a three-month
extension. Such an extension may, upon county request and DHCS approval,
be renewed for one additional three month period. Regardless of the extension
status, all provisions of this Agreement that provide restrictions on disclosures
of Medi-Cal PII and that provide administrative, technical, and physical
safeguards for the Medi-Cal PII in the County Department's possession shall
continue in effect beyond the termination of the Agreement, and shall continue
until the Medi-Cal PII is destroyed or returned to DHCS.
XVIII. TERMINATION FOR CAUSE
Upon DHCS' knowledge of a material breach or violation of this Agreement by
the County Department, DHCS may provide an opportunity for the County
Department to cure the breach or end the violation and may terminate this
Agreement if the County Department does not cure the breach or end the
violation within the time specified by DHCS. This Agreement may be terminated
immediately by DHCS if the County Department has breached a material term
and DHCS determines, in its sole discretion, that cure is not possible or
available under the circumstances. Upon termination of this Agreement, the
County Department must destroy all PII in accordance with Section VII, above.
The provisions of this Agreement governing the privacy and security of the PII
shall remain in effect until all PII is destroyed and DHCS receives a certificate
of destruction.
XIX. SIGNATORIES
The signatories below warrant and represent that they have the competent
authority on behalf of their respective agencies to enter into the obligations set
forth in this Agreement.
The authorized officials whose signatures appear below have committed their
respective agencies to the terms of this Agreement. The contract is effective
on the day the final signature is obtained.
For the County of Fresno Department of Social Services
(Signature) (Date)
Ernest Buddy Mendes, Chairman, Board of Supervisors
(Name) (Title)
For the Department of Health Care Services,
(Signature) (Date)
Jennifer Kent, Director
(Name) (Title)
ATTEST:
Exhibit A
Computer Matching and Privacy Protection Act Agreement between SSA and CHHS,
and Information Exchange Agreement between SSA and DHCS with Attachment
"Electronic Information Exchange Security Requirements for State and Local Agencies
Exchanging Electronic Information with SSA." These are sensitive documents that are
provided separately to the County's privacy and security officer.
Exhibit B
Computer Matching Agreement between the Department of Homeland Security,
United States Citizenship and Immigration Services (DHS-USCIS) and The California
Department of Health Care Services (CA-DHCS). This is a sensitive document that is
provided separately to the County's privacy and security officer.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement.
ATTEST:
COUNTY OF FRESNO
BERNICE E. SEIDEL, Clerk
Board of Supervisors
By See page 18 for Attestation
APPROVED AS TO LEGAL FORM:
DANIEL C. CEDERBORG, COUNTY COUNSEL
APPROVED AS TO ACCOUNTING FORM:
VICKI CROW, C.P.A., AUDITOR-CONTROLLER/
TREASURER-TAX COLLECTOR
REVIEWED AND RECOMMENDED FOR
APPROVAL:
Fund/Subclass: N/A
Organization: 56107001
Account/Program: N/A
DEN:jk
Exhibit D-1