The URL can be used to link to this page

Home My WebLink About32164Agreement No. 15-332 State of California-Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELUGENCE SYSTEM {VRBIS) DATA USE AND DISCLOSURE AGREEMENT This Data Use And Disclosure Agreement (hereinafter referred to as "Agreement") sets forth the information privacy and security requirements that the County of Fresno Local Health Department (hereinafter "Data Recipient") is obligated to follow with respect to all Vital Records Business Intelligence System (VRBIS) data, and other personal and confidential information, (as each of these types of data and information are defined herein), disclosed to Data Recipient by the California Department of Public Health (CDPH). (Such VRBIS data and other personal and confidential information are also referred to herein collectively as "Protected Data.") This Agreement covers Protected Data in any medium (paper, electronic, oral) the Protected Data exist in. By entering into this Agreement, CDPH and Data Recipient desire to protect the privacy and provide for the security of all Protected Data in compliance with all state and federal laws applicable to the Protected Data. Permission to receive, use and disclose Protected Data requires execution of this Agreement that describes the terms, conditions and limitations of Data Recipient's collection, use, and disclosure of the Protected Data. I. Supersession: This Agreement supersedes any prior VRBIS Participation Agreement entered into between CDPH and Data Recipient. II. Definitions: For purposes of this Agreement, the following definitions shall apply: A Breach: "Breach" means: 1. The acquisition, access, use, or disclosure of Protected Data, in any medium (paper, electronic, oral), in violation of any state or federal law or in a manner not permitted under this Agreement, that compromises the privacy, security, or integrity of the information. For purposes of this definition, "compromises the privacy, security or integrity of the information" means to pose a significant risk of financial, reputational, or other harm to an individual or individuals; or 2. The same as the definition of "breach of the security of the system" set forth in California Civil Code Section 1798.29(f). B. Confidential Information: "Confidential Information" means information that: 1. Does not meet the definition of "public records" set forth in California Government Code Section 6252, subdivision (e), or is exempt from disclosure under any of the provisions of Section 6250, et seq. of the California Government Code or any other applicable state or federal laws; or 2. Meets the definition of "confidential public health record" set forth in California Health and Safety Code Section 121035, subdivision (c); or 3. Is contained in documents, files, folders, books, or records that are clearly labeled, marked, or designated with the word "confidential" by CDPH. C. Disclosure: "Disclosure" means the release, transfer, provision of, access to, or divulging in any other manner of information. D. Vital Records Business Intelligence System (VRBIS) Data: "VRBIS data" means all California birth, death, and fetal death vital records data in and from the VRBIS database supported and maintained by CDPH. VRBIS data specifically includes information contained in or extracted from the following: Page 1 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT 1. Statewide and County-Specific California birth and death data indices and files compiled by the State Registrar pursuant to California Health and Safety Code (H&SC) sections 1 02230 and 102231. 2. Birth Certificate and automated birth registration social and medical data collected pursuant to H&SC sections 102425, 102425.1, and 102426. 3. Death and Fetal Death Certificate social and medical data collected pursuant to H&SC sections 1 02875 and 103025. E. Personal Information: "Personal Information" means information that: 1. By itself, directly identifies, or uniquely describes an individual; or 2. Creates a substantial risk that it could be used in combination with other information to indirectly identify or uniquely describe an individual, or link an individual to the other information; or 3. Meets the definition of "personal information" set forth in California Civil Code section 1798.3, subdivision (a); or 4. Is one of the data elements set forth in California Civil Code section 1798.29, subdivisions (g)(1 ), or (2); or 5. Meets the definition of "medical information" set forth in either California Civil Code section 1798.29, subdivision (h)(2) or California Civil Code section 56.05, subdivision U); or 6. Meets the definition of "health insurance information" set forth in California Civil Code section 1798.29, subdivision (h)(3). F. Protected Data: "Protected Data" means data that consists of one or more of the following types of information: 1. "VRBIS Data", as defined above; or 2. "Confidential Information", as defined above; or 3. "Personal Information", as defined above. G. Security Incident: "Security Incident" means: 1. An attempted breach; or 2. The attempted or successful modification or destruction of Protected Data, in violation of any state or federal law or in a manner not permitted under this Agreement; or 3. The attempted or successful modification or destruction of, or interference with, Data Recipient's system operations in an information technology system, that negatively impacts the confidentiality, availability or integrity of Protected Data, or hinders or makes impossible Data Recipient's receipt, collection, creation, storage, transmission or use of Protected Data by Data Recipient pursuant to this Agreement. Page 2 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT H. Use: "Use" means the sharing, employment, application, utilization, examination, or analysis of information. Iff. Background and Purpose: The CDPH and its Director, designated in statute as the State Registrar, pursuant to Division 102 of the California Health and Safety Code (H&SC), is charged with the duties of registering, maintaining, indexing and issuing certified copies of, all California Birth, Death, and Fetal Death records. As part of these activities, the State Registrar operates the VRBIS database. VRBIS is a secure, web based electronic solution for the State Registrar to store California's vital records data and to permit Local Health Departments to access such data for purposes of official government business including epidemiologic analysis, surveillance, and program evaluation, as directed by the Local Health Officer, following all applicable Jaws and regulations concerning vital record data. IV. Legal Authority for Use and Disclosure of Protected Data: The legal authority for CDPH to collect, use, and disclose Protected Data, and for Data Recipient to receive and use Protected Data is as follows: A General Legal Authority: 1. California Information Practices Act: a. California Civil Code section 1798.24(e), provides in part as follows: "No agency may disclose any personal information in a manner that would fink the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows: To a person, or to another agency where the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected ... " B. Specific Legal Authority: Vital Records Collection, Use, and Dissemination 1. Division 1 02 of the H&SC designates that the Director of CDPH is the State Registrar and such duties include the registration, preservation, and dissemination of all of California's birth, death and marriage records. 2. H&SC section 102230 designates that the State Registrar"shaff arrange and permanently preserve the [vital records] certificates in a systematic manner and shalf prepare and maintain comprehensive and continuous indices of all certificates registered. Further, H&SC section 102230 designates that the State Registrar, at his or her discretion, may release comprehensive birth and death indices to a government agency. A government agency that obtains indices shall not self or release the index or a portion of its contents to another person except as necessary for official government business and shall not post the indices or any portion thereof on the Internet. 3. Pursuant to H&SC section 1 02430(a), the second section of the certificate of five birth as specified in subdivision (b) of H&SC section 102425, the electronic fife of birth information collected pursuant to subparagraphs (B) to (F), inclusive, of paragraph (2) of subdivision (a) of H&SC section 102426, and the second section of the certificate of fetal death as specified in H&SC section 103025, are confidential; however, access to this information is authorized for the following: focal registrar's staff and focal health department staff (when approved by the focal registrar or focal health officer, respectively) and the county coroner. Page 3 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT 4. Pursuant to H&SC section 103526(c)(2)(C), authorized copies of birth and death certificates may be obtained by a representative of another governmental agency, as provided by law, who is conducting official business. C. Health Insurance Portability and Accountability Act (HIPAA) Authority: 1. CDPH HIPAA Status: CDPH is a "hybrid entity" for purposes of applicability of the federal regulations entitled, "Standards for Privacy of Individually Identifiable Health Information," ("Privacy Rule") (Title 45, Code of Federal Regulations, Parts 160, 162, and 164) promulgated pursuant to HIPAA (Title 42, United States Code, Sections 1320d -1320d-8). None of the CDPH programs that collect, use, or disclose Protected Data pursuant to this Agreement have been designated by CDPH as HIPAA-covered "health care components" of CDPH. (Title 45, Code of Federal Regulations, Section 164.504(c)(3)(iii).) 2. Parties Are "Public Health Authorities: CDPH and Data Recipient are each a "public health authority" as that term is defined in the Privacy Rule. (Title 45, Code of Federal Regulations, Sections 164.501 and 164.512(b)(1)(i).) 3. Protected Data Use and Disclosure Permitted by HIPAA: To the extent a disclosure or use of Protected Data is a disclosure or use of "Protected Health Information" (PHI) of an individual, as that term is defined in Section 160.103 of Title 45, Code of Federal Regulations, the following Privacy Rule provisions apply to permit such Protected Data disclosure and/or use by CDPH and Data Recipient, without the consent or authorization of the individual who is the subject of the PHI: a. The HIPAA Privacy Rule creates a special rule for a subset of public health disclosures whereby HIPAA cannot preempt state law if, "[t]he provision of state law, including state procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention." (Title 45, Code of Federal Regulations, Section 160.203(c).) [NOTE: See Sections IV .A and IV.B, above.]; b. A covered entity may disclose PHI to a "public health authority" carrying out public health activities authorized by law; (Title 45, Code of Federal Regulations, Section 164.512(b).); and c. Other, non-public health-specific provisions of HIPAA may also provide the legal basis for all or specific Protected Data uses and disclosures. V. Disclosure Restrictions: The Data Recipient, and its employees or agents, shall protect from unauthorized disclosure any Protected Data. The Data Recipient shall not disclose, except as specifically permitted by this Agreement, any Protected Data to anyone other than CDPH, except if disclosure is allowed or required by state or federal law. VI. Use and VRBIS Access Restrictions: The Data Recipient, and its employees or agents, shall not use any Protected Data for any purpose other than carrying out the Data Recipient's obligations under the statute set forth in Section IV, above, or as otherwise allowed or required by state or federal law. CDPH will provide a unique username and password for each individual accessing the VRBIS secured database, on behalf of Data Recipient. Data Recipient shall be responsible for identifying one primary individual to be granted access. Data Recipient may request that a second individual be granted access to act as backup for the primary individual, or if workload constraints warrant a second individual's access. Data Recipient may submit a request to CDPH for a third VRBIS access usemame and password, with documentation justifying the need. These requests will be considered on a case-by-case Page 4 of 13 State of California -Health and Human SeNices Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT basis, and will take into consideration Data Recipient's business case for need as well as the limitations and burden of an additional user in VRBIS. If there are personnel changes to the Data Recipient's user account designees, Data Recipient shall immediately notify the CDPH VRBIS contact identified in Section Xli(E}, below, upon which time that user account shall be cancelled. VII. Safeguards: Data Recipient shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the privacy, confidentiality, security, integrity, and availability of Protected Data, including electronic or computerized Protected Data. The Data Recipient shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Data Recipient's operations and the nature and scope of its activities in performing its legal obligations and duties (including performance of its duties and obligations under this Agreement), and which incorporates the requirements of Section VIII, Security, below. Data Recipient shall provide CDPH with Data Recipient's current and updated policies. VIII. Security: The Data Recipient shall take all steps necessary to ensure the continuous security of all computerized data systems containing Protected Data. These steps shall include, at a minimum: A. Complying with all of the data system security precautions listed in the Data Recipient Data Security Standards set forth in Attachment A to this Agreement; B. Providing a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix Ill -Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies; and In case of a conflict between any of the security standards contained in any of the aforementioned sources of security standards, the most stringent shall apply. The most stringent means that safeguard which provides the highest level of protection to Protected Data from breaches and security incidents. IX. Security Officer: The Data Recipient shall designate a Security Officer to oversee its compliance with this Agreement and for communicating with CDPH on matters concerning this Agreement. X. Training: The Data Recipient shall provide training on its obligations under this Agreement, at its own expense, to all of its employees who assist in the performance of Data Recipient's obligations under this Agreement, or otherwise use or disclose Protected Data. A. The Data Recipient shall require each employee who receives training to sign a certification, indicating the employee's name and the date on which the training was completed. B. The Data Recipient shall retain each employee's written certifications for CDPH inspection for a period of three years following contract termination. XI. Employee Discipline: Data Recipient shall discipline such employees and other Data Recipient workforce members who intentionally violate any provisions of this Agreement, including, if warranted, by termination of employment. XII. Breach and Security Incident Responsibilities: A. Notification to CDPH of Breach or Security Incident: The Data Recipient shall notify CDPH immediately by telephone call plus e-mail or fax upon the discovery of a breach (as defined in this Page 5 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT Agreement), or within 24 hours by e-mail or fax of the discovery of any security incident (as defined in this Agreement). Notification shall be provided to the VRBJS Project Manager, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer, using the contact information listed in Section XII (E), below. If the breach or security incident occurs after business hours or on a weekend or holiday and involves Protected Data in electronic or computerized form, notification to CDPH shall be provided by calling the CDPH Information Technology Service Desk at the telephone numbers listed in Section XII (E), below. For purposes of this section, breaches and security incidents shall be treated as discovered by Data Recipient as of the first day on which such breach or security incident is known to the Data Recipient, or, by exercising reasonable diligence would have been known to the Data Recipient. Data Recipient shall be deemed to have knowledge of a breach or security incident if such breach or security incident is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach or security incident, who is an employee or agent of the Data Recipient. Data Recipient shall take: 1. Prompt corrective action to mitigate any risks or damages involved with the breach or security incident and to protect the operating environment; and 2. Any action pertaining to a breach required by applicable federal and state laws, including, specifically, California Civil Code Section 1798.29. B. Investigation of Breach: The Data Recipient shall immediately investigate such breach or security incident, and within 72 hours of the discovery, shall inform the VRBIS Project Manager, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer of: 1. What data elements were involved and the extent of the data involved in the breach, including, specifically, the number of individuals whose personal information was breached; and 2. A description of the unauthorized persons known or reasonably believed to have improperly used the Protected Data and/or a description of the unauthorized persons known or reasonably believed to have improperly accessed or acquired the Protected Data, or to whom it is known or reasonably believed to have had the Protected Data improperly disclosed to them; and 3. A description of where the Protected Data is believed to have been improperly used or disclosed; and 4. A description of the probable causes of the breach or security incident; and 5. Whether California Civil Code Section 1798.29 or any other federal or state laws requiring individual notifications of breaches have been triggered. C. Written Report: The Data Recipient shall provide a written report of the investigation to the CDPH VRBJS Project Contact, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer within five working days of the discovery of the breach or security incident. The report shall include, but not be limited to, the information specified above, as well as a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the breach or security incident, and measures to be taken to prevent the recurrence of such breach or security incident. D. Notification to Individuals: If notification to individuals whose information was breached is required under state or federal law, and regardless of whether Data Recipient is considered only a custodian Page 6 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT and/or non-owner of the Protected Data, Data Recipient shall, at its sole expense, and at the sole election of CDPH, either: ·· 1. Make notification to the individuals affected by the breach (including substitute notification), pursuant to the content and timeliness provisions of such applicable state or federal breach notice laws. The CDPH Privacy Officer shall approve the time, manner and content of any such notifications, prior to the transmission of such notifications to the individuals; or 2. Cooperate with and assist CDPH in its notification (including substitute notification) to the individuals affected by the breach. E. CDPH Contact Information: To direct communications to the above referenced CDPH staff, the Data Recipient shalf initiate contact as indicated herein. CDPH reserves the right to make changes to the contact information below by giving written notice to the Data Recipient. Said changes shall not require an amendment to this Agreement. CDPH Chief Information CDPH VRBIS Project Contact CDPH Privacy Officer Security Officer (and CDPH IT Service Desk) CA-VRBIS Project Privacy Officer Chief Information Security Officer Support Desk I Laura Lund Privacy Office, Office of Legal Information Security Office, 1501 Capitol Ave. MS 5101 Services, CDPH CDPH, MS 6302 P.O. Box 997410 1415 L Street, Suite 500 P.O. Box 997377 Sacramento, CA 95899-7410 Sacramento, CA 95814 Sacramento, CA 95899-7377 Laura.Lund@cdgh.ca.gov grivac~(a).cdgh.ca.gov cdghiso@cdgh.ca.gov Telephone: (916) 552-8113 Telephone: (877) 421-9634 Telephone: IT Service Desk (916) 440-7000 or (800) 579-0874 XIII. Indemnification: Data Recipient shall indemnify, hold harmless and defend CDPH from and against any and all claims, losses, liabilities, damages, costs and other expenses (including attorneys' fees) that result from or arise directly or indirectly out of or in connection with any negligent act or omission or willful misconduct of Data Recipient, its officers, employees or agents relative to the Protected Data, including without limitation, any violations of Data Recipient's responsibilities under this Agreement. XIV. Term of Agreement: This Agreement shall remain in effect for three (3) years after the last signature date in the signature block below. After three (3) years, this Agreement will expire without further action. If the parties wish to extend this Agreement, they may do so by reviewing, updating, and reauthorizing this Agreement. The newly signed agreement should explicitly supersede this Agreement, which should be referenced by Agreement Number and date in Section I of the new Agreement. If one or both of the parties wish to terminate this Agreement prematurely, they may do so upon 30 days advanced notice. CDPH may also terminate this Agreement pursuant to Section XV or XVII, below. XV. Termination for Cause: A Termination Ugon Breach: A breach by Data Recipient of any provision of this Agreement, as determined by CDPH, shall constitute a material breach of the Agreement and grounds for immediate termination of the Agreement by CDPH. At its sole discretion, CDPH may give Data Recipient 30 days to cure the breach. Page 7 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT B. Judicial or Administrative Proceedings: Data Recipient will notify CDPH if it is named as a defendant in a criminal proceeding related to a violation of this Agreement. CDPH may terminate the Agreement if Data Recipient is found guilty of a criminal violation related to a violation of this Agreement. CDPH may terminate the Agreement if a finding or stipulation that the Data Recipient has violated any security or privacy laws is made in any administrative or civil proceeding in which the Data Recipient is a party or has been joined. XVI. Return or Destruction of Protected Data on Expiration or Termination: On expiration or termination of the agreement between Data Recipient and CDPH for any reason, Data Recipient shall return or destroy the Protected Data. If return or destruction is not feasible, Data Recipient shall explain to CDPH why, in writing, to the VRBIS Project Manager, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer, using the contact information listed in Section XIII (E), above. A Retention Required by Law: If required by state or federal law, Data Recipient may retain, after expiration or termination, Protected Data for the time specified as necessary to comply with the law. B. Obligations Continue Until Return or Destruction: Data Recipient's obligations under this Agreement shall continue until Data Recipient destroys the Protected Data or returns the Protected Data to CDPH; provided however, that on expiration or termination of the Agreement, Data Recipient shall not further use or disclose the Protected Data except as required by state or federal law. C. Notification of Election to Destroy Protected Data: If Data Recipient elects to destroy the Protected Data, Data Recipient shall certify in writing, to the VRBIS Project Manager, the CDPH Privacy Officer, and the CDPH Chief Information Security Officer, using the contact information listed in Section XIII (E), above, that the Protected Data has been destroyed. XVII. Amendment: The parties acknowledge that federal and state laws relating to information security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such laws. The parties specifically agree to take such action as is necessary to implement new standards and requirements imposed by regulations and other applicable laws relating to the security or privacy of Protected Data. Upon CDPH request, Data Recipient agrees to promptly enter into negotiations with CDPH concerning an amendment to this Agreement embodying written assurances consistent with new standards and requirements imposed by regulations and other applicable laws. CDPH may terminate this Agreement upon 30-days written notice in the event: A Data Recipient does not promptly enter into negotiations to amend this Agreement when requested by CDPH pursuant to this section; or B. Data Recipient does not enter into an amendment providing assurances regarding the safeguarding of Protected Data that CDPH in its sole discretion deems sufficient to satisfy the standards and requirements of applicable laws and regulations relating to the security or privacy of Protected Data. XVIII. Assistance in Litigation or Administrative Proceedings: Data Recipient shall make itself and any employees or agents assisting Data Recipient in the performance of its obligations under this Agreement, available to CDPH at no cost to CDPH to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CDPH, its director, officers or employees based upon claimed violation of laws relating to security and privacy, which involves inactions or actions by the Data Recipient, except where Data Recipient or its employee or agent is a named adverse party. Page 8 of 13 State of California-Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT XIX. Disclaimer: CDPH makes no warranty or representation that compliance by Data Recipient with this Agreement will be adequate or satisfactory for Data Recipient's own purposes or that any information in Data Recipient's possession or control, or transmitted or received by Data Recipient, is or will be secure from unauthorized use or disclosure. Data Recipient is solely responsible for all decisions made by Data Recipient regarding the safeguarding of Protected Data. XX. Transfer of Rights: Data Recipient has no right and shall not subcontract, delegate, assign, or otherwise transfer or delegate any of its rights or obligations under this Agreement to any other person or entity. Any such transfer of rights shall be null and void. XXI. No Third-Party Beneficiaries: Nothing expressed or implied in the terms and conditions of this Agreement is intended to confer, nor shall anything herein confer, upon any person other than CDPH or Data Recipient and their respective successors or assignees, any rights, remedies, obligations or liabilities, whatsoever. XXII. Interpretation: The terms and conditions in this Agreement shall be interpreted as broadly as necessary to implement and comply with regulations and applicable State and Federal laws. The parties agree that any ambiguity in the terms and conditions of this Agreement shall be resolved in favor of a meaning that complies and is consistent with federal and state laws. XXIII. Survival: The respective rights and obligations of Data Recipient under Sections VII, VIII and XII of this Agreement shall survive the termination or expiration of this Agreement . XXIV. Entire Agreement: This Agreement constitutes the entire agreement between CDPH and Data Recipient. Any and all modifications of this Agreement must be in writing and signed by all parties. Any oral representations or agreements between the parties shall be of no force or effect. XXV. Severability: The invalidity in whole or in part of any provisions of this Agreement shall not void or affect the validity of any other provisions of this Agreement. XXVI. Signatures: IN WITNESS, WHEREOF, the Parties have executed this Agreement as follows: On behalf of the Data Recipient, the County of Fresno Local Health Department, the undersigned individual hereby attests that he or she is authorized to enter into this Agreement and agrees to abide by and enforce all the terms specified herein. Deborah A. Poochigian (Name of Representative of the Local Health Department) ATTEST: BERNICE E. SEIDEL, Clerk Board of Supervisors B~~~ coett Page 9 of 13 State of California -Health and Human Services Agency California Department of Public Health VITAL RECORDS BUSINESS INTELLIGENCE SYSTEM (VRBIS) DATA USE AND DISCLOSURE AGREEMENT On behalf of CDPH, the undersigned individual hereby attests that he or she is authorized to enter into this Agreement and agrees to all the terms specified herein. (Name of CDPH Representative) (Title) (Signature) (Date) Page 10 of 13 Attachment A Data Recipient Data Security Standards 1. General Security Controls a. Confidentiality Statement. All persons that will be working with Protected Data must sign a confid~ntiality statement. The statement must include at a minimum, General Use, Security and Pnvacy Safeguards, Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access to Protected Data. The statement must be renewed annually. The Data Recipient shall retain each person's written confidentiality statement for CDPH inspection for a period of three years following contract termination. b. Workstation/Laptop encryption. All workstations and laptops that process and/or store Protected Data must be encrypted using a FIPS 140-2 certified algorithm, such as Advanced Encryption Standard {AES), with a 128bit key or higher. The encryption solution must be full disk unless approved by the CDPH Information Security Office. c. Server Security. Servers containing unencrypted Protected Data must have sufficient administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review. d. Minimum Necessary. Only the minimum necessary amount of Protected Data required to perform necessary business functions may be copied, downloaded, or exported. e. Removable media devices. All electronic files that contain Protected Data must be encrypted when stored on any removable media or portable device {i.e., USB thumb drives, floppies, CD/DVD, Blackberry, back-up tapes, etc.). Must be encrypted using a FIPS 140-2 certified algorithm, such as AES, with a 128bit key or higher. f. Antivirus software. All workstations, laptops, and other systems that process and/or store Protected Data must install and actively use a comprehensive anti-virus software solution with automatic updates scheduled at least daily. g. Patch Management. All workstations, laptops, and other systems that process and/or store Protected Data must have security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release. h. User IDs and Password Controls. All users must be issued a unique user name for accessing Protected Data. Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password. Passwords: are not to be shared; must be at least eight characters; must be a non- dictionary word; must not be stored in readable format on the computer; must be changed every 60 days; must be changed if revealed or compromised and must be composed of characters from at least three of the following four groups from the standard keyboard: • Upper case letters {A-Z); • Lower case letters {a-z); • Arabic numerals {0-9); and • Non-alphanumeric characters (punctuation symbols). i. Data Sanitization. All Protected Data must be sanitized using NJST Special Publication 800-88 standard methods for data sanitization when the CDPH PSCI is no longer needed. 2. System Security Controls Page 11 of 13 a. System Timeout. The system must provide an automatic timeout, requiring re- authentication of the user session after no more than 20 minutes of inactivity. b. Warning Banners. All systems containing Protected Data must display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only. User must be directed to Jog off the system if they do not agree with these requirements. c. System Logging. The system must maintain an automated audit trail which can identify the user or system process which initiates a request for Protected Data, or which alters Protected Data. The audit trail must be date and time stamped, must log both successful and failed accesses, must be read only, and must be restricted to authorized users. If Protected Data is stored in a database, database Jogging functionality must be enabled. Audit trail data must be archived for at least three years after occurrence. d. Access Controls. The system must use role based access controls for all user authentications, enforcing the principle of least privilege. e. Transmission encryption. All data transmissions of Protected Data outside the secure internal network must be encrypted using a FIPS 140-2 certified algorithm, such as AES, with a 128bit key or higher. Encryption can be end to end at the network level, or the data files containing Protected Data can be encrypted. This requirement pertains to any type of Protected Data in motion such as website access, file transfer, and e-mail. f. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting Protected Data that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution. 3. Audit Controls a. System Security Review. All systems processing and/or storing Protected Data must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews shall include vulnerability scanning tools. b. Log Reviews. All systems processing and/or storing Protected Data must have a routine procedure in place to review system Jogs for unauthorized access. c. Change Control. All systems processing and/or storing Protected Data must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data. 4. Business Continuity/Disaster Recovery Controls a. Disaster Recovery. Data Recipient must establish a documented plan to enable continuation of critical business processes and protection of the security of electronic Protected Data in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this agreement for more than 24 hours. b. Data Backup Plan. Data Recipient must have established documented procedures to back-up Protected Data to maintain retrievable exact copies of Protected Data. The plan must include a regular schedule for making backups, storing backups offsite, an inventory of back-up media, and the amount of time to restore Protected Data should it be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite storage of CDPH data. Page 12 of 13 5. Paper Document Controls a. Supervision of Data. Protected Data in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is not being observed by an employee authorized to access the information. Protected Data in paper form shall not be left unattended at any time in vehicles, planes, trains, or any other modes of transportation and shall not be checked in baggage on commercial airplanes. b. Escorting Visitors. Visitors to areas where Protected Data is contained shall be escorted and CDPH PHI shall be kept out of sight while visitors are in the area. c. Confidential Destruction. Protected Data must be disposed of through confidential means, using NIST Special Publication 800-88 standard methods for data sanitization when the CDPH PSCI is no longer needed. d. Removal of Data. Protected Data must not be removed from the premises of the Data Recipient except with express written permission of CDPH. e. Faxing. Faxes containing Protected Data shall not be left unattended and fax machines shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending. f. Mailing. Protected Data shall only be mailed using secure methods. Large volume mailings of CDPH PHI shall be by a secure, bonded courier with signature required on receipt. Disks and other transportable media sent through the mail must be encrypted with a CDPH-approved solution, such as a solution using a vendor product specified on the CSSI. Page 13 of 13 FRESNO COUNTY, DEPARTMENT OF PUBLIC HEALTH CONFIDENTIALITY REQUIREMENTS WORKER ACKNOWLEDGEMENT AND AGREEMENT I. INTRODUCTION All persons working with Fresno County Department of Public Health (DPH) will observe and receive private and confidential information concerning DPH clients/consumers, their families, and their life experiences and situations. This information can include, but isn't necessarily limited to, medical, mental health, social, financial, and educational information. All persons working with DPH are required, either by law or by terms of their employment with Fresno County, to protect the confidentiality of client/consumer information. For the purposes of this agreement, a person is working with DPH if he/she is an employee, a volunteer, is assigned to a DPH program through an educational program, or is appointed by the Fresno County Board of Supervisors to a board or committee requiring contact with DPH client/consumer information. Such persons will hereinafter be referred to in this agreement as "DPH personnel". All DPH personnel must read and sign this Worker Acknowledgement and Agreement and agree to protect the confidentiality of DPH client/consumer information. II. LAWS PERTAINING TO CONFIDENTIALITY DPH recognizes that each client/consumer has a right to privacy and security safeguards granted by the Constitution and laws of California and the laws of the United States. That means each client/consumer, regardless of their citizenship status or age, has a right to have their private, confidential information protected from unauthorized disclosure. The manner in which client/consumer information is protected is set forth in State and Federal confidentiality laws and regulations, including but not limited to: Civil Code§ 56 et seq.; Evidence Code §§990 et seq., 1010 et seq.; Welfare & Institutions Code §§827, 4514, 5328, 10850, 14100-2; Health & Safety Code §§11812, 45 C.F.R. Sections 142, 160, 162, and 164, 120975 et seq., 123115; Penal Code §1203.05, 42 U.S.C. §§ 1320d et seq. (HIPAA) 11845.5. A violation of these laws can result in criminal prosecution, civil liability, and termination of employment. III. DPH POLICY REGARDING CONFIDENTIALITY As a matter of policy and in compliance with Federal and State Law, all DPH personnel must know the DPH policies and procedures regarding confidential information, including Protected Health Information as defined by HIP AA, that are necessary and appropriate to carry out his/her function for DPH. DPH personnel must also exercise extreme care in his/her use of confidential information obtained from clients/consumers, case records, fellow workers; records and employees of other agencies; and from any other source. DPH personnel are to refrain from seeking confidential information on client/consumers if that information is not necessary to carry out his/her work. Commentary regarding clients/consumers as recorded in case records shall be limited to formal discussions that are pertinent to the provision of services to clients/consumers and/or to the formal training of workers. All DPH personnel shall make reasonable efforts to limit requests for and disclosures of protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Participation in "gossip sessions" at any time with anyone regarding clients/consumers and/or records is contrary to DPH policy and to the law. Handling vital or case records or other documents which contain client/consumer information in such a way that the document is open to view by others is also contrary to DPH policy and the law. No unauthorized person is permitted to accompany any DPH worker in interviews with clients/consumers, whether these interviews take place on our work site, in client/consumer's home, or elsewhere. Violation of this policy can result in disciplinary action and shall be grounds for dismissal ofDPH personnel and termination of employment for DPH employees. IV. ACKNOWLEDGEMENT AND AGREEMENT I hereby acknowledge that I have read, and/or have had read to me, the above information regarding confidentiality. I understand and accept my responsibilities under this agreement, and will use all information pertaining to DPH clients/consumers in a professional and confidential manner. I further understand that failure to protect client/consumer information from unauthorized disclosure constitutes a breach of ethics and a violation ofDPH policy and of State and Federal Law. I further understand that violation of this policy can result in disciplinary action, shall be grounds for my immediate dismissal and, ifl am a DPH employee, can result in termination of my employment. Name (please print) Signature Title Date WITNESS: Signature Title Date CCC-307 CERTIFICATION I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly authorized to legally bind the prospective Contractor to the clause(s) listed below. This certification is made under the laws of the State of California. Contractor/Bidder Firm Name (Printed) Federal ID Number County of Fresno 4-6000-512 Deborah A. Poochigian, Board of Supervisors Executed in the County of Fresno TRACTOR CERTIFICATION CLAUSES 1. STATEMENT OF COMPLIANCE: Contractor has, unless exempted, complied with the nondiscrimination program requirements. (Gov. Code §12990 (a-f) and CCR, Title 2, Section 81 03) (Not applicable to public entities.) 2. DRUG-FREE WORKPLACE REQUIREMENTS: Contractor will comply with the requirements of the Drug-Free Workplace Act of 1990 and will provide a drug-free workplace by taking the following actions: a. Publish a statement notifying employees that unlawful manufacture, distribution, dispensation, possession or use of a controlled substance is prohibited and specifying actions to be taken against employees for violations. b. Establish a Drug-Free Awareness Program to inform employees about: 1) the dangers of drug abuse in the workplace; 2) the person's or organization's policy of maintaining a drug-free workplace; 3) any available counseling, rehabilitation and employee assistance programs; and, 4) penalties that may be imposed upon employees for drug abuse violations. c. Every employee who works on the proposed Agreement will: 1) receive a copy of the company's drug-free workplace policy statement; and, 2) agree to abide by the terms of the company's statement as a condition of employment on the Agreement. Failure to comply with these requirements may result in suspension of payments under the Agreement or termination of the Agreement or both and Contractor may be ineligible for award of any future State agreements if the department determines that any of the following has occurred: the Contractor has made false certification, or violated the certification by failing to carry out the requirements as noted above. (Gov. Code §8350 et seq.) 3. NATIONAL LABOR RELATIONS BOARD CERTIFICATION: Contractor certifies that no more than one ( 1) final unappealable finding of contempt of court by a Federal court has been issued against Contractor within the immediately preceding two-year period because of Contractor's failure to comply with an order of a Federal court, which orders Contractor to comply with an order of the National Labor Relations Board. (Pub. Contract Code §I 0296) (Not applicable to public entities.) 4. CONTRACTS FOR LEGAL SERVICES $50,000 OR MORE-PRO BONO REQUIREMENT: Contractor hereby certifies that contractor will comply with the requirements of Section 6072 of the Business and Professions Code, effective January I, 2003. Contractor agrees to make a good faith effort to provide a minimum number of hours of pro bono legal services during each year of the contract equal to the lessor of 30 multiplied by the number of full time attorneys in the firm's offices in the State, with the number of hours prorated on an actual day basis for any contract period of less than a full year or 1 0% of its contract with the State. Failure to make a good faith effort may be cause for non-renewal of a state contract for legal services, and may be taken into account when determining the award of future contracts with the State for legal services. 5. EXPATRIATE CORPORATIONS: Contractor hereby declares that it is not an expatriate corporation or subsidiary of an expatriate corporation within the meaning of Public Contract Code Section 1 0286 and 1 0286.I, and is eligible to contract with the State of California. 6. SWEATFREE CODE OF CONDUCT: a. All Contractors contracting for the procurement or laundering of apparel, garments or corresponding accessories, or the procurement of equipment, materials, or supplies, other than procurement related to a public works contract, declare under penalty of perjury that no apparel, garments or corresponding accessories, equipment, materials, or supplies furnished to the state pursuant to the contract have been laundered or produced in whole or in part by sweatshop labor, forced labor, convict labor, indentured labor under penal sanction, abusive forms of child labor or exploitation of children in sweatshop labor, or with the benefit of sweatshop labor, forced labor, convict labor, indentured labor under penal sanction, abusive forms of child labor or exploitation of children in sweatshop labor. The contractor further declares under penalty of perjury that they adhere to the Sweatfree Code of Conduct as set forth on the California Department of Industrial Relations website located at www.dir.ca.gov, and Public Contract Code Section 6108. b. The contractor agrees to cooperate fully in providing reasonable access to the contractor's records, documents, agents or employees, or premises if reasonably required by authorized officials of the contracting agency, the Department of Industrial Relations, or the Department of Justice to determine the contractor's compliance with the requirements under paragraph (a). 7. DOMESTIC PARTNERS: For contracts over $100,000 executed or amended after January 1, 2007, the contractor certifies that contractor is in compliance with Public Contract Code section 10295.3. DOING BUSINESS WITH THE STATE OF CALIFORNIA The following laws apply to persons or entities doing business with the State of California. 1. CONFLICT OF INTEREST: Contractor needs to be aware of the following provisions regarding current or former state employees. If Contractor has any questions on the status of any person rendering services or involved with the Agreement, the awarding agency must be contacted immediately for clarification. Current State Employees (Pub. Contract Code § 1041 0): 1). No officer or employee shall engage in any employment, activity or enterprise from which the officer or employee receives compensation or has a financial interest and which is sponsored or funded by any state agency, unless the employment, activity or enterprise is required as a condition of regular state employment. 2). No officer or employee shall contract on his or her own behalf as an independent contractor with any state agency to provide goods or services. Former State Employees (Pub. Contract Code §10411): 1). For the two-year period from the date he or she left state employment, no former state officer or employee may enter into a contract in which he or she engaged in any of the negotiations, transactions, planning, arrangements or any part of the decision-making process relevant to the contract while employed in any capacity by any state agency. 2). For the twelve-month period from the date he or she left state employment, no former state officer or employee may enter into a contract with any state agency if he or she was employed by that state agency in a policy-making position in the same general subject area as the proposed contract within the 12-month period prior to his or her leaving state service. If Contractor violates any provisions of above paragraphs, such action by Contractor shall render this Agreement void. (Pub. Contract Code § 1 0420) Members of boards and commissions are exempt from this section if they do not receive payment other than payment of each meeting of the board or commission, payment for preparatory time and payment for per diem. (Pub. Contract Code § 10430 (e)) 2. LABOR CODE/WORKERS' COMPENSATION: Contractor needs to be aware ofthe provisions which require every employer to be insured against liability for Worker's Compensation or to undertake self-insurance in accordance with the provisions, and Contractor affirms to comply with such provisions before commencing the performance of the work of this Agreement. (Labor Code Section 3700) 3. AMERICANS WITH DISABILITIES ACT: Contractor assures the State that it complies with the Americans with Disabilities Act (ADA) of 1990, which prohibits discrimination on the basis of disability, as well as all applicable regulations and guidelines issued pursuant to the ADA. (42 U.S.C. 12101 et seq.) 4. CONTRACTOR NAME CHANGE: An amendment is required to change the Contractor's name as listed on this Agreement. Upon receipt oflegal documentation of the name change the State will process the amendment. Payment of invoices presented with a new name cannot be paid prior to approval of said amendment. 5. CORPORATE QUALIFICATIONS TO DO BUSINESS IN CALIFORNIA: a. When agreements are to be performed in the state by corporations, the contracting agencies will be verifying that the contractor is currently qualified to do business in California in order to ensure that all obligations due to the state are fulfilled. b. "Doing business" is defined in R&TC Section 23101 as actively engaging in any transaction for the purpose of financial or pecuniary gain or profit. Although there are some statutory exceptions to taxation, rarely will a corporate contractor performing within the state not be subject to the franchise tax. c. Both domestic and foreign corporations (those incorporated outside of California) must be in good standing in order to be qualified to do business in California. Agencies will determine whether a corporation is in good standing by calling the Office of the Secretary of State. 6. RESOLUTION: A county, city, district, or other local public body must provide the State with a copy of a resolution, order, motion, or ordinance of the local governing body which by law has authority to enter into an agreement, authorizing execution of the agreement. 7. AIR OR WATER POLLUTION VIOLATION: Under the State laws, the Contractor shall not be: ( 1) in violation of any order or resolution not subject to review promulgated by the State Air Resources Board or an air pollution control district; (2) subject to cease and desist order not subject to review issued pursuant to Section 13301 of the Water Code for violation of waste discharge requirements or discharge prohibitions; or (3) finally determined to be in violation of provisions of federal law relating to air or water pollution. 8. PAYEE DATA RECORD FORM STD. 204: This form must be completed by all contractors that are not another state agency or other governmental entity. GTC 610 EXHIBITC GENERAL TERMS AND CONDITIONS I. APPROVAL: This Agreement is of no force or effect until signed by both parties and approved by the Department of General Services, if required. Contractor may not commence performance until such approval has been obtained. 2. AMENDMENT: No amendment or variation of the terms of this Agreement shall be valid unless made in writing, signed by the parties and approved as required. No oral understanding or Agreement not incorporated in the Agreement is binding on any of the parties. 3. ASSIGNMENT: This Agreement is not assignable by the Contractor, either in whole or in part, without the consent of the State in the form of a formal written amendment. 4. AUDIT: Contractor agrees that the awarding department, the Department of General Services, the Bureau of State Audits, or their designated representative shall have the right to review and to copy any records and supporting documentation pertaining to the performance of this Agreement. Contractor agrees to maintain such records for possible audit for a minimum of three (3) years after final payment, unless a longer period of records retention is stipulated. Contractor agrees to allow the auditor(s) access to such records during normal business hours and to allow interviews of any employees who might reasonably have information related to such records. Further, Contractor agrees to include a similar right of the State to audit records and interview staff in any subcontract related to performance of this Agreement. (Gov. Code §8546.7, Pub. Contract Code §10115 et seq., CCR Title 2, Section 1896). 5. INDEMNIFICATION: Contractor agrees to indemnify, defend and save harmless the State, its officers, agents and employees from any and all claims and losses accruing or resulting to any and all contractors, subcontractors, suppliers, laborers, and any other person, firm or corporation furnishing or supplying work services, materials, or supplies in connection with the performance of this Agreement, and from any and all claims and losses accruing or resulting to any person, firm or corporation who may be injured or damaged by Contractor in the performance of this Agreement. 6. DISPUTES: Contractor shall continue with the responsibilities under this Agreement during any dispute. 7. TERMINATION FOR CAUSE: The State may terminate this Agreement and be relieved of any payments should the Contractor fail to perform the requirements of this Agreement at the time and in the manner herein provided. In the event of such termination the State may proceed with the work in any manner deemed proper by the State. All costs to the State shall be deducted from any sum due the Contractor under this Agreement and the balance, if any, shall be paid to the Contractor upon demand. 8. INDEPENDENT CONTRACTOR: Contractor, and the agents and employees of Contractor, in the performance of this Agreement, shall act in an independent capacity and not as officers or employees or agents of the State. 9. RECYCLING CERTIFICATION: The Contractor shall certify in writing under penalty of perjury, the minimum, if not exact, percentage of post consumer material as defined in the Public Contract Code Section I2200, in products, materials, goods, or supplies offered or sold to the State regardless ofwhether the product meets the requirements of Public Contract Code Section I 2209. With respect to printer or duplication cartridges that comply with the requirements of Section 12I56(e), the certification required by this subdivision shall specify that the cartridges so comply (Pub. Contract Code §I 2205). IO. NON-DISCRIMINATION CLAUSE: During the performance ofthis Agreement, Contractor and its subcontractors shall not unlawfully discriminate, harass, or allow harassment against any employee or applicant for employment because of sex, race, color, ancestry, religious creed, national origin, physical disability (including HIV and AIDS), mental disability, medical condition (e.g., cancer), age (over 40), marital status, and denial of family care leave. Contractor and subcontractors shall insure that the evaluation and treatment of their employees and applicants for employment are free from such discrimination and harassment. Contractor and subcontractors shall comply with the provisions of the Fair Employment and Housing Act (Gov. Code §12990 (a-f) et seq.) and the applicable regulations promulgated thereunder (California Code of Regulations, Title 2, Section 7285 et seq.). The applicable regulations of the Fair Employment and Housing Commission implementing Government Code Section 12990 (a-f), set forth in Chapter 5 of Division 4 of Title 2 ofthe California Code of Regulations, are incorporated into this Agreement by reference and made a part hereof as if set forth in full. Contractor and its subcontractors shall give written notice of their obligations under this clause to labor organizations with which they have a collective bargaining or other Agreement. Contractor shall include the nondiscrimination and compliance provisions of this clause in all subcontracts to perform work under the Agreement. 11. CERTIFICATION CLAUSES: The CONTRACTOR CERTIFICATION CLAUSES contained in the document CCC 307 are hereby incorporated by reference and made a part of this Agreement by this reference as if attached hereto. 12. TIMELINESS: Time is of the essence in this Agreement. 13. COMPENSATION: The consideration to be paid Contractor, as provided herein, shall be in compensation for all of Contractor's expenses incurred in the performance hereof, including travel, per diem, and taxes, unless otherwise expressly so provided. 14. GOVERNING LAW: This contract is governed by and shall be interpreted in accordance with the laws ofthe State of California. 15. ANTITRUST CLAIMS: The Contractor by signing this agreement hereby certifies that if these services or goods are obtained by means of a competitive bid, the Contractor shall comply with the requirements of the Government Codes Sections set out below. a. The Government Code Chapter on Antitrust claims contains the following definitions: 1) "Public purchase" means a purchase by means of competitive bids of goods, services, or materials by the State or any of its political subdivisions or public agencies on whose behalf the Attorney General may bring an action pursuant to subdivision (c) of Section 16750 of the Business and Professions Code. 2) "Public purchasing body" means the State or the subdivision or agency making a public purchase. Government Code Section 4550. b. In submitting a bid to a public purchasing body, the bidder offers and agrees that if the bid is accepted, it will assign to the purchasing body all rights, title, and interest in and to all causes of action it may have under Section 4 of the Clayton Act (15 U.S.C. Sec. 15) or under the Cartwright Act (Chapter 2 (commencing with Section 16700) of Part 2 of Division 7 of the Business and Professions Code), arising from purchases of goods, materials, or services by the bidder for sale to the purchasing body pursuant to the bid. Such assignment shall be made and become effective at the time the purchasing body tenders final payment to the bidder. Government Code Section 4552. c. If an awarding body or public purchasing body receives, either through judgment or settlement, a monetary recovery for a cause of action assigned under this chapter, the assignor shall be entitled to receive reimbursement for actual legal costs incurred and may, upon demand, recover from the public body any portion of the recovery, including treble damages, attributable to overcharges that were paid by the assignor but were not paid by the public body as part of the bid price, less the expenses incurred in obtaining that portion of the recovery. Government Code Section 4553. d. Upon demand in writing by the assignor, the assignee shall, within one year from such demand, reassign the cause of action assigned under this part if the assignor has been or may have been injured by the violation of law for which the cause of action arose and (a) the assignee has not been injured thereby, or (b) the assignee declines to file a court action for the cause of action. See Government Code Section 4554. 16. CHILD SUPPORT COMPLIANCE ACT: For any Agreement in excess of$100,000, the contractor acknowledges in accordance with Public Contract Code 711 0, that: a. The contractor recognizes the importance of child and family support obligations and shall fully comply with all applicable state and federal laws relating to child and family support enforcement, including, but not limited to, disclosure of information and compliance with earnings assignment orders, as provided in Chapter 8 (commencing with section 5200) of Part 5 of Division 9 of the Family Code; and b. The contractor, to the best of its knowledge is fully complying with the earnings assignment orders of all employees and is providing the names of all new employees to the New Hire Registry maintained by the California Employment Development Department. 17. UNENFORCEABLE PROVISION: In the event that any provision of this Agreement is unenforceable or held to be unenforceable, then the parties agree that all other provisions of this Agreement have force and effect and shall not be affected thereby. 18. PRIORITY HIRING CONSIDERATIONS: Ifthis Contract includes services in excess of $200,000, the Contractor shall give priority consideration in filling vacancies in positions funded by the Contract to qualified recipients of aid under Welfare and Institutions Code Section 11200 in accordance with Pub. Contract Code§ 10353. 19. SMALL BUSINESS PARTICIPATION AND DVBE PARTICIPATION REPORTING REQUIREMENTS: a. If for this Contract Contractor made a commitment to achieve small business participation, then Contractor must within 60 days of receiving final payment under this Contract (or within such other time period as may be specified elsewhere in this Contract) report to the awarding department the actual percentage of small business participation that was achieved. (Govt. Code § 14841.) b. If for this Contract Contractor made a commitment to achieve disabled veteran business enterprise (DVBE) participation, then Contractor must within 60 days of receiving final payment under this Contract (or within such other time period as may be specified elsewhere in this Contract) certify in a report to the awarding department: (1) the total amount the prime Contractor received under the Contract; (2) the name and address of the DVBE(s) that participated in the performance of the Contract; (3) the amount each DVBE received from the prime Contractor; (4) that all payments under the Contract have been made to the DVBE; and (5) the actual percentage ofDVBE participation that was achieved. A person or entity that knowingly provides false information shall be subject to a civil penalty for each violation. (Mil. & Vets. Code§ 999.5(d); Govt. Code§ 14841.) 20. LOSS LEADER: If this contract involves the furnishing of equipment, materials, or supplies then the following statement is incorporated: It is unlawful for any person engaged in business within this state to sell or use any article or product as a "loss leader" as defined in Section 17030 of the Business and Professions Code. (PCC 10344(e).) C:\Users\kscharnhorst\AppData\Locai\Microsoft\ Windows\ Temporary Internet Files\Content.Outlook\N 17V I LFF\GTC-61 O.doc State of California-Health and Human Services Agency Cal~ornia Department of Public Health Contracts and Purchasing Services Section Darfur Contracting Act Pursuant to Public Contract Code (PCC) sections 10475-10481, the Darfur Contracting Act's intent is to preclude State agencies from contracting with scrutinized companies that do business in the African nation of Sudan. A scrutinized company is a company doing specified types of business in Sudan as defined in PCC section 10476. Scrutinized companies are ineligible to, and cannot, contract with a State agency for goods or services (PCC section 1 0477(a)) unless obtaining permission from the Department of General Services according to the criteria set forth in PCC section 10477(b). Therefore, to be eligible to contract with the California Department of Public Health, please initial one of the following three paragraphs and complete the certification below: 1. 2. 3. DAP Initials Initials Initials CERTIFICATION We do not currently have, or we have not had within the previous three years, business activities or other operations outside of the United States. OR We are a scrutinized company as defined in Public Contract Code section 10476, but we have received written permission from the Department of General Services (DGS) to submit a bid or proposal pursuant to Public Contract Code section 1 0477(b) or submit a contract/purchase order. A copy of the written permission from DGS is included with our bid, proposal or contract/purchase order. OR We currently have, or we have had within the previous three years, business activities or other operations outside of the United States, but we certify below that we are not a scrutinized company as defined in Public Contract Code section 10476. I, the official named below, CERTIFY UNDER PENALTY OF PERJURY that I am duly authorized to legally bind this company to the clause listed above. This certification is made under the laws of the State of California. Company Name (Printed) County of Fresno Poochigian, Chairman, Board of Supervisors Federa/10 Number 94-6000-512 ATTEST: BERNICE E. SEIDEL, Cieri< Board of Supervisors Byd~~ 0 u Executed in the County and State of Fresno, CA CDPH 9067 (4/09) AGREEMENT BETWEEN THE COUNTY OF FRESNO AND THE STATE OF CALIFORNIA No.: CA DPH, HHS Agency Vital Records Business Intelligence System (VRBIS) Data Use and Disclosure Agreement APPROVED AS TO LEGAL FORM: DANIEL C. CEDERBORG, COUNTY COUNSEL APPROVED AS TO ACCOUNTING FORM: VICKI CROW, C.P.A., AUDITOR-CONTROLLER/ TREASURER -TAX COLLECTOR By ();e-, [LL CJI REVIEWED AND RECOMMENDED FOR APPROVAL: n,'J ~- By ____ ~~~~~--~~~~~~----D~vidYom~ ta" Director Department of Public Health Fund/Subclass: Organization#: Revenue: ks 0001/10000 56201505 Term: July 14, 2015-July 14,2018