SYSTEM DATA AGREEMENT FOR
FREE OR REDUCED-PRICE SCHOOL LUNCH OR BREAKFAST
BETWEEN BLANK AND
SAN DIEGO COUNTY HEALTH & HUMAN SERVICES AGENCY FOR CALWIN DATA EXTRACT OF CONFIDENTIAL FILES
I. Participants. The Health and Human Services Agency (HHSA) and BLANK are entering into this System Data Agreement (SDA) for CalWIN Data Extract of Confidential Files.
II. Administration of SDA
Each party identifies the following individual to serve as the authorized administrative representative for that party. Any party may change its administrative representative by notifying the other party in writing of such change. Any such change will become effective upon the receipt of such notice by the other party to this SDA. Notice of the authorized representative should be sent to each party as follows:
County of San Diego Health & Human Services Agency, 1255 Imperial Ave., Suite 446, San Diego, CA 92101, (619) 338-2313, Attn: Charline Khoury, Chief, Eligibility Operations
BLANK: NAME, ADDRESS, PHONE NUMBER, EMAIL ADDRESS, CONTACT PERSON, CONTACT PERSON EMAIL ADDRESS
III. Purpose. The purpose of this agreement is for BLANK to provide HHSA a listing of the children currently enrolled at BLANK and to set the parameters and responsibilities for this agreement. This SDA is also to meet the provisions of the U.S. Federal Child Nutrition and WIC Reauthorization Act of 1989, 202(b)(1). This act allows a designated school food authority to certify a student as eligible for a free or reduced-price school lunch or breakfast without further application by directly communicating with the appropriate local agency to obtain documentation of the student's status as a member of a CalFresh household.
IV. Requirements for Match
A. BLANK Requirements: BLANK staff provide school records of children enrolled in the BLANK. Those children who are in households that receive CalFresh will be so indicated by the match to confirm eligibility for a free or reduced school lunch/breakfast.
B. HHSA Requirements: HHSA will provide BLANK a match from CalWIN of children that are eligible to receive CalFresh in the report month.
System Data Agreement
Data Extract Updated 04/2016
BLANK Page 1 of 34
V. Indemnity. County of San Diego shall not be liable for, and BLANK shall defend and indemnify County and the employees and agents of County (collectively "County Parties") against, any and all claims, demands, liability, judgments, awards, fines, mechanics' liens or other liens, labor disputes, losses, damages, expenses, charges or costs of any kind or character, including attorneys' fees and court costs (hereinafter collectively referred to as "Claims"), related to this SDA and arising either directly or indirectly from any act, error, omission or negligence of BLANK or its contractors, licensees, agents, servants or employees, including, without limitation, Claims caused by the concurrent negligent act, error or omission, whether active or passive, of County Parties. BLANK shall have no obligation, however, to defend or indemnify County Parties from a Claim if it is determined by a court of competent jurisdiction that such Claim was caused by the sole negligence or willful misconduct of County Parties.
VI. Insurance. See Exhibit A. Prior to execution of this SDA, BLANK must obtain at its own cost and expense, and keep in force and effect during the term of this agreement, including all extensions, the insurance specified in Exhibit A, "Insurance Requirements," attached hereto.
VII. Conformance With Rules And Regulations. BLANK shall be in conformity with all applicable federal, State, County and local laws, rules and regulations, current and hereinafter enacted, including facility and professional licensing and/or certification laws, and keep in effect any and all licenses, permits, notices and certificates as are required. BLANK shall further comply with all laws applicable to wages and hours of employment, occupational safety, and to fire safety, health and sanitation.
VIII. Permits and Licenses. BLANK certifies that it possesses and shall continue to maintain, or shall cause to be obtained and maintained, at no cost to the County, all approvals, permissions, permits, licenses, and other forms of documentation required for it and its employees to comply with all existing foreign or domestic statutes, ordinances, and regulations, or other laws, that may be applicable to performance of services hereunder. The County reserves the right to reasonably request and review all such applications, permits, and licenses prior to the commencement of any services hereunder.
IX. Specific Warranty of Security and Privacy. BLANK warrants that the application software provides security and privacy for the system and its data, where security is defined as protection of software and data from natural or human-caused hazards and unauthorized access and manipulation, and privacy is defined as protection of personal data from unauthorized access or disclosure, and contains mechanisms to assure integrity of the County's data against destruction, loss, or unauthorized alteration. The County hereby acknowledges that fundamental security, privacy, and integrity controls are provided by the application software, while differentiating operational mechanisms for protecting data integrity, such as regular data backups performed by its personnel, from these internal controls. BLANK warrants only that data privacy provided by the software performs as described in the specifications. Notwithstanding the foregoing, BLANK cannot warrant that another party's backup software will perform properly.
X. Protection of County Confidential Information and Data System
Subject to the disclosure requirements of the Public Records Act (California Government Code Sections 6250-6268), all reports, information, data, statistics, forms, procedures, systems, studies and any other communication or information given to or prepared or assembled by BLANK under this agreement shall be kept confidential and shall not be made available to any individual or organization by BLANK without the prior written approval of County.
XI. Systems and Network Security. At all times during the term of this Agreement, BLANK shall provide all services and use all resources related thereto in a secure manner and in accordance with the County's security requirements, including the prevention and detection of fraud, abuse, or other inappropriate use or access of systems, networks and/or data by all appropriate means, including network management and maintenance applications and tools and the use of appropriate encryption technologies. In connection therewith, (i) any attempts by BLANK personnel to circumvent network security measures or to access or use resources that are not specifically authorized for the BLANK use in performing under this agreement, and (ii) access to County computer resources or data by unauthorized persons via the BLANK access User IDs, will constitute misuse of the County's computer and/or data resources. In no event shall BLANK actions or inaction result in any situation that is less secure than the security BLANK then provides for its own systems and data. In addition, all BLANK personnel, including personnel of any subcontractors, shall be subject to and shall at all times conform to the County's laws, rules and requirements for the protection of premises, materials, equipment and personnel, as they may be disclosed to BLANK in writing. Any violations or disregard of these rules shall be cause for denial of access by such personnel to the County's property, systems, networks and/or data.
XII. Access to County Information. As used herein, the term "County Data" shall mean, in or on any media or form of any kind, (i) all data and summarized data related to the County, its citizens or the BLANK services that is in the possession of the County, and all data concerning or indexing such data, regardless of whether or not owned by the County, generated or compiled by the County, or provided by its citizens, including data that is in the County's databases or otherwise in the County's possession at any time, and (ii) all other County records, data, files, input materials, reports, forms and other such items that may be received, computed, developed, used or stored by BLANK, or by any of its subcontractors, in the performance of BLANK duties under this Agreement.
XIII. Confidentiality. The use or disclosure of information concerning HHSA applicants and recipients will be limited to use by designated BLANK staff for the items listed below. Information will not be released to any other agencies except as specified in Welfare & Institutions Code 10850, 10850.2 and 14100.2, which describe the use of confidential records. HHSA records fall within the description of confidential records. BLANK recognizes that unauthorized release of confidential information may make the individual guilty of a misdemeanor under Welfare & Institutions Code 10850 or 14100.2. It may lead to criminal or civil liability for the individual. The Welfare & Institutions Codes stated above restrict the type and amount of information that may be released. Written consent of the applicant or recipient will be required in order to release information specified under W&I Code 10850.2. It further states that written authorization shall be dated and signed by each recipient and shall expire one year from the date of execution. Under W&I Code 10850, 10850.2 and 14100.2, confidential records used by BLANK staff will be for:
1. Utilize information provided by HHSA from CalWIN to identify children who are in households that receive CalFresh to confirm eligibility for a free or reduced-price school lunch/breakfast.
The participants understand that in questionable situations the BLANK staff will seek HHSA agreement prior to releasing any information, and that this request will be in written form.
A. BLANK will provide HHSA a list of employees designated to access CalWIN data specified in III.B above.
B. BLANK will maintain a physically secure storage place for all written/electronic formats of data or information gained from HHSA to prevent access by unauthorized persons.
C. BLANK acknowledges that clearances made through the match shall be only for the administration of information that is necessary to determine eligibility, to identify children who are in households that receive CalFresh to confirm eligibility for a free or reduced-price school lunch/breakfast.
D. BLANK agrees that designated employees will not access their own case assistance data or those of any friend, relative, business relation, or personal acquaintance they may know.
E. In the event that any unauthorized access to or use of confidential data by any BLANK employee occurs, BLANK shall take disciplinary action against the employee, up to and including termination. BLANK shall notify HHSA when an employee is subject to such disciplinary action.
F. BLANK agrees that all individually identifiable information furnished by or obtained through the match will be destroyed by shredding or a similar method of destruction once the use for the information has ended.
G. BLANK agrees to allow the HHSA signatory or authorized representative, as the operating agency for CalWIN, to make on-site inspections to ensure that the terms of this agreement are being met.
H. BLANK agrees not to release confidential information, which includes individual identifying information such as address, name, etc., to outside agencies or persons that do not fall under Welfare and Institutions Codes 10850 or 14100.2. This information may be released under W&I Code 10850.2 if a properly executed written release of information is obtained by HHSA or BLANK. Any written releases obtained by BLANK must be maintained in a file for audit purposes.
I. BLANK agrees to submit a Summary of Policy form for each newly designated staff member who will access and use the information other than for statistical purposes, as allowed under W&I Code 10850, 10850.2 and 14100.2. Copies of each statement must be received by HHSA three (3) days before the designated staff member accesses the information. The copies will be retained by HHSA as part of this agreement.
J. BLANK agrees to provide updates to HHSA within ten (10) workdays for any designated staff for whom access is being deleted or work location is being changed.
Strict adherence to the criteria stated in items A through J must be followed. Confidential client information may only be accessed by designated staff when the applicable conditions stated in items A through J have been met.
XIV. Organization. The duties to administer, supervise and monitor the administration and determination for BLANK under these agreements belong solely to the BLANK. The duties to administer, supervise and monitor CalWIN data access and security belong solely to the HHSA. As part of this agreement, BLANK and HHSA agree to cooperate within regulatory authority so that the BLANK may locate or apprehend the recipient when that is within such official duties, and HHSA may carry out regulatory and security responsibilities for CalWIN matches.
XV. Contractor's Confidential Records
Any reports, information, data, statistics, forms, procedures, systems, studies and any other communication or information given to or prepared or assembled by San Diego County under this agreement will be kept confidential and shall not be made available to any individual or organization by County without the prior written approval of BLANK.
XVI. Standards. Both HHSA and BLANK shall maintain an organizational structure and sufficient staff, within any budgetary constraints, to efficiently and effectively administer and supervise the functions and responsibilities set out in this agreement.
XVII. HHSA Responsibilities and Duties
HHSA will ensure that all approved processes and instructions are followed to ensure the requested information is provided to authorized BLANK staff.
XVIII. Governing Law. This SDA shall be governed, interpreted, construed and enforced in accordance with the laws of the State of California.
XIX. Third Party Beneficiaries Excluded. This SDA is intended solely for the benefit of the County and BLANK. Any benefit to any third party is incidental and does not confer on any third party to this SDA any rights whatsoever regarding the performance of this SDA. Any attempt to enforce provisions of this SDA by third parties is specifically prohibited.
XX. Amendments to SDA
Any party may propose amendments to this SDA by providing written notice of such amendments to the other party. This SDA may only be amended by a written amendment signed by both parties.
XXI. Severability
If any terms or provisions of this SDA, or the application thereof to any person or circumstance, shall to any extent be held invalid or unenforceable, the remainder of this SDA, or the application of such term and provision to persons or circumstances other than those as to which it is held invalid or unenforceable, shall not be affected thereby, and every other term and provision of this SDA shall be valid and enforced to the maximum extent permitted by law.
XXII. Full Agreement
This SDA represents the full and entire agreement between the parties and supersedes any prior written or oral agreements that may have existed.
XXIII. Scope of SDA
This SDA only applies to the program described herein and does not set forth any additional current or future obligations or agreements between the parties, except that the parties may, by written amendment, amend the scope of this SDA.
XXIV. Joint Responsibilities
Each agency shall ensure staff is conforming to this agreement and applicable state and federal laws and regulations by supervising, auditing and reviewing procedures. Revisions will be made as needed to ensure adherence.
XXV. CalWIN Confidential Information
By signing below, HHSA grants information of children that are eligible to receive CalFresh to authorized BLANK staff, and BLANK accepts the responsibilities for such information as outlined in this agreement and in applicable federal and state laws, regulations and directives.
XXVII. Live Well San Diego Vision
The County of San Diego Health and Human Service Agency agreements support Live Well San Diego. Live Well San Diego (LWSD), developed by the County of San Diego, is a comprehensive, innovative regional vision that combines the efforts of partners inside and outside County government to help all residents be healthy, safe and thriving. All HHSA partners to this agreement, to the extent feasible, are expected to advance this vision, which was implemented in a phased approach. The first phase, Building Better Health, was adopted by the Board of Supervisors in 2010 and focuses on improving the health of residents and supporting healthy choices. The second phase, Living Safely, seeks to ensure residents are protected from crime and abuse, neighborhoods are safe, and communities are resilient to disasters and emergencies. The third and final phase, Thriving, was adopted in 2014 and focuses on promoting a region in which residents can enjoy the highest quality of life.
Information about LWSD can be found on the County's website and a website designated to the vision: http://www.sdcounty.ca.gov/hhsa/programs/sd/live_well_san_diego/index.html and http://www.LiveWellSD.org.
XXVIII. Term
This SDA shall become effective on the date all of the parties have signed this SDA. This agreement shall continue unless terminated by mutual agreement and/or by state and/or federal directive and/or breach of confidentiality.
XXIX. Termination For Convenience
The County may, by written notice stating the extent and effective date, terminate this SDA for convenience in whole or in part at any time.
XXX. Counterparts
This SDA may be executed in any number of separate counterparts, each of which shall be deemed an original, but all of which, when taken together, shall constitute one and the same instrument.
XXXI. BLANK shall comply with the information privacy and security provisions contained in Exhibit B.
Dated: ________ County of San Diego Health & Human Services Agency
By: ________
Dated: ________ Other Party
By: ________
EXHIBIT A
INSURANCE REQUIREMENTS
Without limiting Contractor's indemnification obligations to County, Contractor shall provide at its sole expense and maintain for the duration of this Contract, or as may be further required herein, insurance against claims for injuries to persons or damages to property which may arise from or in connection with the performance of the work hereunder and the results of the work by the Contractor, his agents, representatives, employees or subcontractors.
1. Minimum Scope of Insurance
Coverage shall be at least as broad as:
A. Commercial General Liability, Occurrence form, Insurance Services Office form CG 00 01.
B. Automobile Liability covering all owned, non-owned, hired auto, Insurance Services Office form CA 00 01.
C. Workers' Compensation as required by State of California and Employer's Liability Insurance.
D. Cyber Security Liability.
2. Minimum Limits of Insurance
Contractor shall maintain limits no less than:
A. Commercial General Liability, including Premises, Operations, Products and Completed Operations, Contractual Liability, and Independent Contractors Liability: $1,000,000 per occurrence for bodily injury, personal injury and property damage. The Project Specific Aggregate limit shall be $2,000,000.
B. Automobile Liability: $1,000,000 each accident for bodily injury and property damage.
C. Employer's Liability: $1,000,000 each accident for bodily injury or disease. Coverage shall include a waiver of subrogation endorsement in favor of County of San Diego.
D. Cyber Security Liability: Coverage for both electronic and non-electronic data breach, with an aggregate limit of not less than $1,000,000. Coverage shall apply to data breach for Third-Party Liability, encompassing judgments or settlement and defense costs arising out of litigation due to a data breach, and data breach response costs for customer notification and credit monitoring service fees.
3. Deductibles and Self-Insured Retentions
Any deductible or self-insured retention must be declared to and approved by the County Risk Management. At the option of the County, either the insurer shall reduce or eliminate such deductibles or self-insured retentions as respects the County, or the Contractor shall provide a financial guarantee satisfactory to the County guaranteeing payment of losses and related investigations, claim administration, and defense expenses.
4. Other Insurance Provisions
The general liability, automobile liability, and professional liability policies are to contain, or be endorsed to contain, the following provisions:
A. Additional Insured Endorsement (does not apply to professional liability): Any general liability policy provided by Contractor shall contain an additional insured endorsement applying coverage to the County of San Diego, the members of the Board of Supervisors of the County, and the officers, agents, employees and volunteers of the County, individually and collectively.
B. Primary Insurance Endorsement: For any claims related to this Contract, the Contractor's insurance coverage shall be primary insurance as respects the County, the members of the Board of Supervisors of the County, and the officers, agents, employees and volunteers of the County, individually and collectively. Any insurance or self-insurance maintained by the County, its officers, officials, employees, or volunteers shall be excess of the Contractor's insurance and shall not contribute with it.
C. Notice of Cancellation: Notice of Cancellation shall be in accordance with policy provisions.
D. Severability of Interest Clause: Coverage applies separately to each insured, except with respect to the limits of liability, and an act or omission by one of the named insureds shall not reduce or avoid coverage to the other named insureds.
GENERAL PROVISIONS
5. Qualifying Insurers
All required policies of insurance shall be issued by companies which have been approved to do business in the State of California by the State Department of Insurance, and which hold a current policy holder's alphabetic and financial size category rating of not less than A:VII according to the current Best's Key Rating guide, or a company of equal financial stability that is approved in writing by County Risk Management.
6. Evidence of Insurance
Prior to commencement of this Contract, but in no event later than the Effective Date of the Contract, Contractor shall furnish the County with certificates of insurance and amendatory endorsements effecting coverage required by this clause. Contractor shall furnish a summary of the relevant terms, provisions and conditions of the insurance policy to County. Thereafter, copies of renewal certificates and amendatory endorsements effecting coverage shall be furnished to the County within thirty days of the expiration of the coverage. If any of the terms, provisions or conditions as summarized by the County are changed, revised summaries shall be furnished to County within thirty days of the expiration of the term of any required policy. Contractor shall permit County, at all reasonable times, to inspect and review any required policies of insurance.
7. Failure to Obtain or Maintain Insurance; County's Remedies
Contractor's failure to provide insurance specified, or failure to furnish certificates of insurance, amendatory endorsements and policy summaries, or failure to make premium payments required by such insurance, shall constitute a material breach of the Contract, and County may, at its option, terminate the Contract for any such default by Contractor, provided that the same is not cured within thirty (30) days of Contractor's receipt of notice from the County specifying the nature of the claimed default.
8. No Limitation of Obligations
The foregoing insurance requirements as to the types and limits of insurance coverage to be maintained by Contractor, and any approval of said insurance by the County, are not intended to and shall not in any manner limit or qualify the liabilities and obligations otherwise assumed by Contractor pursuant to the Contract, including but not limited to the provisions concerning indemnification.
9. Review of Coverage
County retains the right at any time to review the coverage, form and amount of insurance required herein and may request Contractor to obtain insurance reasonably sufficient in coverage, form and amount to provide adequate protection against the kind and extent of risk which exists at the time a change in insurance is required.
10. Self-Insurance
Contractor may, with the prior written consent of County Risk Management, fulfill some or all of the insurance requirements contained in this Contract under a plan of self-insurance. Contractor shall only be permitted to utilize such self-insurance if, in the opinion of County Risk Management, Contractor's (i) net worth and (ii) reserves for payment of claims of liability against Contractor are sufficient to adequately compensate for the lack of other insurance coverage required by this Contract. Contractor's utilization of self-insurance shall not in any way limit liabilities assumed by Contractor under the Contract.
11. Claims Made Coverage
If coverage is written on a claims-made basis, the Certificate of Insurance shall clearly so state. In addition to the coverage requirements specified above, such policy shall provide that:
A. The policy retroactive date coincides with or precedes Contractor's commencement of work under the Contract (including subsequent policies purchased as renewals or replacements).
B. Contractor will make every effort to maintain similar insurance during the required extended period of coverage following expiration of the Contract, including the requirement of adding all additional insureds.
C. If insurance is terminated for any reason, Contractor shall purchase an extended reporting provision of at least two years to report claims arising in connection with the Contract.
D. The policy allows for reporting of circumstances or incidents that might give rise to future claims.
12. Subcontractors' Insurance
Contractor shall require that any and all Subcontractors hired by Contractor are insured in accordance with this Contract. If any Subcontractor's coverage does not comply with the foregoing provisions, Contractor shall defend and indemnify the County from any damage, loss, cost or expense, including attorney fees, incurred by County as a result of Subcontractor's failure to maintain required coverage.
EXHIBIT B
ARTICLE 14: INFORMATION PRIVACY AND SECURITY PROVISIONS
A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit under this Agreement. The County information covered under this Article consists of:
1. Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA); and
2. Personal Information (PI) as defined under the California Civil Code Section 1798.3. Personal information may include data provided to the County by the State of California or by the Social Security Administration; and
3. Personally Identifiable Information (PII) as defined under the Information Exchange Agreement (IEA) between the State of California and the Social Security Administration (SSA), which incorporates the Computer Matching and Privacy Protection Agreement (CMPPA) between the SSA and the State of California's Health and Human Services Agency.
B. This Article consists of the following parts:
1. Article 14.1, Business Associate Agreement, which provides for the privacy and security of PHI as required by HIPAA;
2. Article 14.2, Privacy and Security of PI and PII, which provides for the privacy and security of PI/PII in accordance with:
a. The Agreement between the County and the State, and thereby the State and the Social Services Administration, with regards to protection of PI and PII. This includes the IEA and the CMPPA, to the extent the Contractor accesses, receives or transmits PI/PII under these Agreements; and
b. Civil Code Sections 1798.3 and 1798.29, also known as the California Information Practices Act (CIPA). Although CIPA does not apply to the County or its contractors directly, the County is required to extend CIPA terms to contractors if they use County PI/PII to accomplish a function on the County's behalf; and
3. Article 14.3, Data Security Requirements; and
4. Article 14.4, Miscellaneous.
14.1 BUSINESS ASSOCIATE AGREEMENT
14.1.1 Recitals
14.1.1.1 This Business Associate Agreement (BAA) constitutes a Business Associate relationship under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191; the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005, 42 U.S.C. section 17921 et seq.; and their implementing privacy and security regulations at 45 CFR Parts 160 and 164. These provisions shall hereafter be collectively referred to as "HIPAA."
14.1.1.2 The County of San Diego ("County") wishes to disclose to the Contractor certain information pursuant to the terms of this BAA, some of which may constitute PHI, including PHI in electronic media ("ePHI"), under Federal law.
14.1.1.3 As set forth in this BAA, Contractor hereafter is the Business Associate of County, acting on County's behalf and providing services, or performing or assisting in the performance of activities, on behalf of County which include creation, receipt, maintenance, transmittal, use or disclosure of PHI. County and Contractor are each a party to this BAA and are collectively referred to as the "parties."
14.1.1.4 The purpose of this BAA is to protect the privacy and security of the PHI and PI that may be created, received, maintained, transmitted, used or disclosed pursuant to this Agreement, and to comply with HIPAA, including, but not limited to, the requirement that County shall enter into a contract containing specific requirements with Contractor prior to the disclosure of PHI to Contractor, as set forth in HIPAA.
14.1.2 Definitions. Terms used but not otherwise defined in this BAA shall have the same meaning as those terms as are defined in 45 Code of Federal Regulations (CFR) sections 160.103 and 164.501. All regulatory references in this BAA are to Title 45 of the CFR unless otherwise specified.
14.1.2.1 "Breach" shall have the same meaning given to such term under HIPAA.
14.1.2.2 "Business Associate" shall have the same meaning as the term under HIPAA and, in reference to the party to this agreement, shall mean the Contractor.
14.1.2.3 "County" shall mean that part of County designated as the hybrid entity subject to the Standards for Privacy of Individually Identifiable Health Information set forth in sections 160 and Part 164, Subparts A and E, and those parts of County designated as Business Associates of other entities subject to the Standards for Privacy of Individually Identifiable Health Information set forth in Parts 160 and 164, Subparts A and E.
14.1.2.4 "County PHI" shall have the same meaning as Protected Health Information (PHI) below, specific to PHI received from, or created, maintained, transmitted, used, disclosed or received by, Contractor or its agents on behalf of County under this Agreement.
14.1.2.5 "Covered Entity" shall generally have the same meaning as the term "covered entity" at section 160.103 and, in reference to the party to this BAA, shall mean County.
14.1.2.6 Individual shall have the same meaning as the term individual in section 164.501, and shall include a person who qualifies as a personal representative in accordance with section 164.502(g).
14.1.2.7 Protected Health Information (PHI) shall have the same meaning as the term protected health information in section 164.501, and is limited to information created or received by Contractor from or on behalf of County.
14.1.2.8 Required by law shall have the same meaning as the term required by law in section 164.501.
14.1.2.9 Secretary shall mean the Secretary of the United States Department of Health and Human Services or his or her designee.
14.1.2.10 Security incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of County PHI, or interference with system operations in an information system that processes, maintains or stores County PHI.
14.1.2.11 Unsecured PHI shall have the meaning given to such term under HIPAA and 42 USC section 17932(h), and any guidance issued pursuant to such regulations.
14.1.3 Responsibilities of Contractor
14.1.3.1 Permitted Uses and Disclosures of County PHI by Contractor. Contractor shall only use County PHI as required by the Contract or as required by Law. Any such use or disclosure shall, to the extent practicable, be limited to the limited data set as defined in section 164.512(2) or, if needed, to the minimum necessary to accomplish the intended purpose of such use or disclosure, in compliance with HIPAA.
14.1.3.1.1 Except as otherwise limited in this Contract, Contractor may use or disclose County PHI on behalf of, or to provide services to, County for the purposes outlined in Exhibit A, if such use or disclosure of PHI would not violate HIPAA if done by County.
14.1.3.1.2 Except as otherwise limited in the Contract, Contractor may use County PHI to provide Data Aggregation services to County as permitted by section 164.504(e)(2)(i)(B).
14.1.3.2 Prohibited Uses and Disclosures
14.1.3.2.1 Contractor shall not disclose County PHI to a health plan for payment or health care operations purposes if County PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full and the Individual requests such restriction, in accordance with 42 USC section 17935(a) and HIPAA.
14.1.3.2.2 Contractor shall not directly or indirectly receive remuneration in exchange for County PHI, except with the prior written consent of County and as permitted by 42 USC section 17935(d)(2).
14.1.3.3 Safeguards
14.1.3.3.1 Contractor shall comply with HIPAA regarding any and all operations conducted on behalf of County under this Contract, and shall use appropriate safeguards that comply with HIPAA to prevent the unauthorized use or disclosure of County PHI.
14.1.3.3.2 Contractor shall develop and maintain a written information privacy and security program that complies with HIPAA and that includes administrative, physical and technical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities.
14.1.3.4 Security. Contractor shall ensure the continuous security of all computerized data systems and paper documents containing County PHI. These steps shall include, at a minimum:
14.1.3.4.1 Comply with all Standards put forth in Article 14.3, Data Security Requirements;
14.1.3.4.2 Achieve and maintain compliance with HIPAA; and
14.1.3.4.3 Provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies.
14.1.3.5 Mitigation of Harmful Effects. Contractor shall mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of County PHI by Contractor or its agents (including a subcontractor) and/or in violation of the requirements of the Contract.
14.1.3.6 Contractor's Agents and Subcontractors. Contractor shall ensure that any agent, including a subcontractor, to whom it provides County PHI imposes the same conditions on such agents that apply to Contractor with respect to County PHI under this BAA, and that comply with all applicable provisions of HIPAA, including requirements that such agents implement reasonable and appropriate administrative, physical and technical safeguards to protect County PHI. Contractor shall incorporate, when applicable, the relevant provisions of this BAA into each subcontract or subaward to such agents, including the requirement that any security incidents or breaches of unsecured County PHI be reported to Contractor.
14.1.3.6.1 In accordance with section 164.504(e)(1)(ii), upon Contractor's knowledge of a material breach or violation by its subcontractor of the agreement between Contractor and the subcontractor, Contractor shall:
14.1.3.6.2 Provide an opportunity for the subcontractor to end the violation, and terminate the agreement if the subcontractor does not end the violation within the time specified by County; or
14.1.3.6.3 Immediately terminate the agreement if the subcontractor has violated a material term of the agreement and cure is not possible.
14.1.3.7 Availability of Information to County. Contractor shall provide access to County PHI at the request of County, in the time and manner designated by County, pursuant to section 164.526.
14.1.3.7.1 Contractor shall use the forms and processes developed by County for this purpose, and shall respond to all requests for access to records requested by County within forty-eight (48) hours of receipt of request, by producing records or verifying there are none.
14.1.3.7.2 Contractor shall make internal practices, books and records relating to the use and disclosure of County PHI received from, or created or received by Contractor on behalf of, County available to County or, at the request of County, to the Secretary, in a time and manner designated by County or the Secretary.
14.1.3.8 Cooperation with County. Contractor will cooperate and assist County to the extent necessary to ensure County's compliance with the applicable terms of HIPAA, such as but not limited to:
14.1.3.8.1 Amendment of County PHI. Contractor shall make any required amendments to County PHI that were requested by an Individual in accordance with HIPAA. Contractor additionally shall make any amendments to County PHI as County directs or agrees to make pursuant to section 164.526. These amendments shall be made in the time and manner designated by County, and in no more than twenty (20) days.
14.1.3.8.2 Documentation of Disclosures. Contractor shall document disclosures of County PHI, respond to a request by an Individual for an accounting of disclosures of County PHI, and make these disclosures available to County or to an Individual at County's request, in accordance with HIPAA, including but not limited to section 164.528 and 42 USC section 17935, and in the time and manner designated by County.
14.1.3.8.2.1 If Contractor maintains electronic health records as of January 2009, Contractor shall provide an accounting of disclosures, including those for Treatment, Payment and Healthcare Operations (TPO), effective January 2014. If Contractor acquires electronic health records for County after January 1, 2009, Contractor shall provide an accounting of disclosures, including those for TPO, effective with disclosures on or after the date the electronic health record is acquired or on or after January 1, 2011, whichever date is later.
14.1.3.8.2.2 The electronic accounting of disclosures shall include the three (3) years prior to the request for an accounting. Contractor shall provide to County or an Individual, in the time and manner designated by County but in no more than sixty (60) calendar days, the accounting of disclosures necessary to meet the requirements in section 164.528.
14.1.3.9 Access to County PHI. Contractor shall provide Individuals access to, and copies of, their County PHI as required by HIPAA, to include:
14.1.3.9.1 If the Contractor maintains County PHI in an Electronic Health Record and an Individual requests a copy of such information in an electronic format, Contractor shall provide the information in an electronic format as required under HIPAA.
14.1.3.10 Reporting of Unauthorized Use or Disclosure. Contractor shall implement reasonable systems for the discovery of, and prompt reporting to County of, any use or disclosure, or suspected use or disclosure, of County PHI not provided for by the Contract and/or any transmission of unsecured County PHI, and shall take the following steps:
14.1.3.10.1 Contractor shall provide all reports of Unauthorized Uses or Disclosures simultaneously to County's Contracting Officer's Representative and Agency Privacy Officer.
14.1.3.10.2 Initial Report
14.1.3.10.2.1 Contractor shall notify County immediately, by telephone call plus email, upon the discovery of a breach of unsecured County PHI in electronic media or in any other media, if County PHI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to County by the Social Security Administration.
14.1.3.10.2.2 Contractor shall notify County by email within twenty-four (24) hours of the discovery of any suspected security incident or breach of County PHI in violation of this BAA, or potential loss of confidential data affecting this BAA.
14.1.3.10.2.3 A suspected security incident or breach shall be treated as discovered by Contractor as of the first day the breach or security incident is known, even if it is not confirmed, or by exercising reasonable diligence would have been known, to any person other than the person committing the breach who is an employee, officer or other agent of Contractor.
14.1.3.10.2.4 Reporting shall additionally include emailing of the County Privacy Incident Report form within twenty-four (24) hours of any above incident, to include all information known at the time of the notification. Contractor shall use the most current version of this form, which is posted on County's website, www.cosdcompliance.org.
14.1.3.10.3 Corrective Action. Upon discovery of a breach or suspected security incident, intrusion, or unauthorized access, use or disclosure of County PHI, Contractor shall take prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment, and any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
14.1.3.10.4 Investigation and Investigation Report. Contractor shall immediately investigate such security incident, breach, or unauthorized access, use or disclosure of County PHI. Within seventy-two (72) hours of the discovery, Contractor shall submit an updated County Privacy Incident Report.
14.1.3.10.5 Complete Report. Contractor shall provide a complete report of the investigation within five (5) working days of the discovery of the breach or unauthorized use or disclosure. The report shall be submitted on County's Privacy Incident Report form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA and applicable state law. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If County requests information in addition to that listed on the Privacy Incident Report form, Contractor shall make reasonable efforts to provide County with such information. County will review and approve the determination of whether a breach occurred, whether Individual notifications are required, and whether the corrective action plan is adequate.
14.1.3.10.6 Responsibilities for Notification of Breaches. If County determines that the cause of a breach of County PHI is attributable to Contractor or its subcontractors, agents or vendors, Contractor shall notify individuals of the breach or unauthorized use or disclosure when notification is required under Federal or State law, and shall pay any costs of such notifications as well as any costs associated with the breach. The notifications shall comply with the requirements set forth in 42 USC section 17932 and its implementing regulations, including but not limited to the requirements that:
14.1.3.10.6.1 Notifications be made to Individuals without unreasonable delay and in no event later than sixty (60) calendar days from the date the breach was discovered. County shall approve the time, manner and content of any such notifications before notifications are made.
14.1.3.10.6.2 Notifications be made to media outlets and to the Secretary if a breach of unsecured County PHI involves more than five hundred (500) residents of the State of California or its jurisdiction. County shall approve the time, manner and content of any such notifications before notifications are made.
14.1.3.11 Designation of Individuals
14.1.3.11.1 Contractor shall designate a Privacy Officer to oversee its data privacy program, who shall be responsible for carrying out the requirements of this section and for communicating on Privacy matters with County.
14.1.3.11.2 Contractor shall designate a Security Officer to oversee its data security program, who shall be responsible for carrying out the requirements of this section and for communicating on Security matters with County.
14.1.4 Responsibilities of County
14.1.4.1 County shall provide Contractor with the Notice of Privacy Practices that County produces in accordance with section 164.520, as well as any changes to such notice.
14.1.4.2 County shall provide Contractor with any changes in, or revocation of, permission by Individual to use or disclose County PHI, if such changes affect Contractor's permitted or required uses and disclosures.
14.1.4.3 County shall notify Contractor of any restriction to the use or disclosures of County PHI that County has agreed to in accordance with section 164.522.
14.1.4.4 County shall not request Contractor to use or disclose County PHI in any manner that would not be permissible under HIPAA if done by County.
14.2 PRIVACY AND SECURITY OF PERSONAL INFORMATION AND PERSONALLY IDENTIFIABLE INFORMATION
14.2.1 Recitals
14.2.1.1 In addition to the Privacy and Security Rules under HIPAA, the County is subject to various other legal and contractual requirements with respect to the Personal Information (PI) and Personally Identifiable Information (PII) it maintains. These include the:
14.2.1.1.1 California Information Practices Act (CIPA) of 1977, California Civil Code section 1798 et seq.;
14.2.1.1.2 The Agreement between the Social Security Administration (SSA) and the State of California, known as the Information Exchange Agreement (IEA), which incorporates the Computer Matching and Privacy Protection Act Agreement (CMPPA) between the SSA and the California Health and Human Services Agency; and
14.2.1.1.3 Title 42 Code of Federal Regulations, Chapter 1, Subchapter A, Part 2.
14.2.1.2 The purpose of this Article 14.2 is to set forth Contractor's Privacy and Security obligations with respect to PI and PII that the Contractor may create, receive, maintain, use or disclose for or on behalf of County pursuant to this Agreement. Specifically, this Article applies to PI and PII which is not Protected Health Information (PHI) as defined by HIPAA and therefore is not addressed in Article 14.1, the Business Associate Agreement, of this Contract. To the extent that data is both PHI and PI, or both PHI and PII, both Sections 14.1 and 14.2 apply.
14.2.1.3 The IEA Agreement requires County to extend the IEA's terms to contractors who receive data provided to County from the SSA, or data provided to County from the SSA through the State of California. If Contractor receives such data from County, Contractor must comply with the IEA Agreement.
14.2.2 Definitions. The terms used in this Article 14.2 shall have the same meaning as those terms have in the above-referenced statutes and agreements. Any reference to statutory, regulatory or contractual language shall be to such language currently in effect or as amended.
14.2.2.1 Breach shall have the same meaning given to such term under the IEA and CMPPA. It shall include a PII loss as defined in the CMPPA, and both a Breach of the security of the system and a Notice Triggering Personal Information event as identified in CIPA, Civil Code section 1798.29.
14.2.2.2 County shall mean that part of County designated as the hybrid entity subject to the Standards for Privacy of Individually Identifiable Health Information set forth in, and those parts of County designated as Contractors of other entities subject to the Standards for Privacy of Individually Identifiable Health Information as set forth in, Part 160 and Part 164, Subparts A and E.
14.2.2.3 County PII/PI shall have the same meaning as Personally Identifiable Information/Personal Information as below, specific to PII/PI received by Contractor from County, or acquired or created by Contractor in connection with performing the functions, activities and services specified in this Article 14.2 on behalf of County.
14.2.2.4 Individual shall generally have the same meaning as the term individual in Title 45 Code of Federal Regulations Section 164.501, and shall include a person who qualifies as a personal representative in accordance with Section 164.502(g).
14.2.2.5 Personal Information shall have the same meaning given to such term in CIPA section 1798.3(a).
14.2.2.6 Personally Identifiable Information (PII) shall have the same meaning given to such term in the IEA and the CMPPA.
14.2.2.7 Required by law shall have the same meaning as the term required by law in 45 CFR section 164.501.
14.2.2.8 Security incident means the attempted or successful unauthorized access, use, disclosure, modification or destruction of County PII/PI or confidential data, or interference with system operations of an information system.
14.2.3 Responsibilities of Contractor
14.2.3.1 Permitted Uses and Disclosures of County PII/PI by Contractor. Contractor shall only use County PII/PI to perform functions, activities or services for or on behalf of County pursuant to this Contract, provided that such use or disclosure does not violate any applicable Federal or State law or regulation.
14.2.3.1.1 Confidentiality of Alcohol and Drug Abuse Records. Contractor shall comply with all confidentiality requirements set forth in Title 42 Code of Federal Regulations, Chapter 1, Subchapter A, Part 2, as applicable.
14.2.3.2 Prohibited Uses and Disclosures. Contractor shall not use or disclose County PII/PI other than as permitted or required by the Contract or as permitted or required by Law.
14.2.3.3 Safeguards
14.2.3.3.1 Contractor shall use appropriate and reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of County PII/PI, and to prevent use or disclosure of County PII/PI other than as provided for by this Contract.
14.2.3.3.2 Contractor shall develop and maintain a written information privacy and security program that includes administrative, physical and technical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities.
14.2.3.4 Security. Contractor shall take any and all steps necessary to ensure the continuous safety of all data systems containing County PII/PI. The Contractor shall, at a minimum:
14.2.3.4.1 Comply with all of the data system security precautions listed in Article 14.3, Data Security Requirements;
14.2.3.4.2 Provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies; and
14.2.3.4.3 If the data includes County PII, Contractor shall also comply with the Privacy and Security requirements in the CMPPA and the IEA.
14.2.3.5 Mitigation of Harmful Effects. To mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of County PII/PI by Contractor or its agents in violation of this Article 14.2.
14.2.3.6 Contractor's Agents or Subcontractors. Contractor shall ensure that any agent, including a subcontractor, that creates, receives, maintains or transmits County PII/PI on behalf of the Contractor shall adhere to the same restrictions, conditions and requirements that apply to the Contractor. Contractor shall incorporate, when applicable, the relevant provisions of this Article 14.2 into each subcontract or subaward to such agents, subcontractors and vendors, including the requirements related to security incidents or breaches of unsecured County PII/PI.
14.2.3.7 Availability of Information. Contractor shall make County PII/PI available to County for purposes of oversight, inspection, amendment and response to requests for records, injunctions, judgments and orders for production of County PII/PI. Contractor shall provide a list of all employees, contractors and agents who have access to County PII/PI, including employees and agents of its subcontractors and agents, at the request of County. Contractor shall provide any requested records to County within forty-eight (48) hours of such request.
14.2.3.7.1 Internal Practices. Contractor shall make internal practices, books and records relating to the use and disclosure of County PII/PI received from, or created or received by Contractor on behalf of, County available to County in a time and manner designated by County. Confidentiality shall not prevent County, its agents or any other governmental entity from accessing such records if that access is legally permissible under the applicable Federal or State regulations.
14.2.3.8 Cooperation with County. Contractor will cooperate and assist County, in the time and manner designated by County, to ensure County's compliance with applicable Federal and State laws and regulations, such as but not limited to CIPA. Contractor's cooperation shall include, but is not limited to, accounting of disclosures, correction of errors, production, disclosures of a security breach, and notice of such breach to affected individuals that involve County PII/PI and Contractor.
14.2.3.9 Reporting of Breaches and Security Incidents. Contractor shall implement reasonable systems for the discovery of, prompt reporting to County of, and prompt corrective action regarding any use or disclosure, or suspected use or disclosure, of County PII/PI not provided for by the Contract and/or any transmission of unsecured County PII/PI, and shall take the following steps:
14.2.3.9.1 Contractor shall make all reporting of breaches and security incidents simultaneously to County's Contracting Officer's Representative and Agency Privacy Officer.
14.2.3.9.2 Initial Reporting
14.2.3.9.2.1 Reporting shall be immediate, by both telephone and email, upon the discovery of a breach of unsecured County PII/PI in electronic media or in any other media, if County PII/PI was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, or upon the discovery of a suspected security incident that involves data provided to County by the Social Security Administration.
14.2.3.9.2.2 Reporting shall be within twenty-four (24) hours, by email, of the discovery of any suspected security incident, intrusion, or unauthorized access, use or disclosure of County PII/PI in violation of this Article 14.2, or potential loss of confidential data affecting this Article 14.2.
14.2.3.9.2.3 A breach or suspected security incident shall be treated as discovered by Contractor as of the first day on which the breach is known, even if not confirmed, or by exercising reasonable diligence would have been known, to any person other than the person committing the breach who is an employee, officer or other agent of the Contractor.
14.2.3.9.2.4 Reporting shall additionally include emailing of the County Privacy Incident Report form within twenty-four (24) hours of any above incident, to include all information known at the time of the notification. Contractor shall use the most current version of this form, which is posted on County's website, www.cosdcompliance.org.
14.2.3.9.3 Corrective Action. Upon discovery of a breach or suspected security incident, intrusion, or unauthorized access, use or disclosure of County PII/PI, Contractor shall take prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment, and any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations.
14.2.3.9.4 Investigation and Investigation Report. Contractor shall immediately investigate such security incident or breach. Within seventy-two (72) hours of the discovery, Contractor shall submit an updated County Privacy Incident Report.
14.2.3.9.5 Complete Report. Contractor shall provide a complete report of the investigation within five (5) working days of the discovery of the breach or unauthorized use or disclosure. The report shall be submitted on County's Privacy Incident Report form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of Federal and State law. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If County requests information in addition to that listed on the Privacy Incident Report form, Contractor shall make reasonable efforts to provide County with such information. County will review and approve the determination of whether a breach occurred, whether individual notifications are required, and whether the corrective action plan is adequate.
14.2.3.9.6 Responsibility for Reporting Breaches. If County determines that the cause of a breach of County PII/PI is attributable to Contractor or its subcontractors, agents or vendors, Contractor is responsible for all required reporting as specified under CIPA section 1798.29(a) and as may be required under the IEA, as well as any other Federal or State law, and shall pay any costs of such notifications as well as any costs associated with the breach. County shall approve the time, manner and content of any such notifications, and County's review and approval must be obtained before the notifications are made. If the Contractor believes duplicate reporting of the same breach or incident may occur because its subcontractors or agents may report the breach or incident to County as well, Contractor shall notify County and may take action to prevent duplicate reporting.
14.2.3.10 Designation of Individuals. Contractor shall appoint Privacy and Security officials who are accountable for compliance with this Article and for communicating Privacy and Security matters to County.
14.3 DATA SECURITY REQUIREMENTS
Contractor shall ensure the continuous security of all computerized data systems and paper documents containing County PHI and/or County PII/PI. These steps shall include, at a minimum:
14.3.1 Personnel Controls. Contractor shall ensure all workforce members who assist in the performance of functions or activities on behalf of County, or access or disclose County PHI and/or County PII/PI, shall:
14.3.1.1 Have undergone a thorough Contractor background check, with evaluation of the results to assure that there is no indication that the worker may present a risk to the security, privacy or integrity of County PHI and/or County PII/PI, prior to the workforce member obtaining access to County PHI and/or County PII/PI. The Contractor shall retain each workforce member's Contractor background check documentation for a period of three (3) years following contract termination.
14.3.1.2 Complete privacy and security training at least annually, at Contractor's expense. Each workforce member who receives information privacy and security training shall sign a certification indicating the workforce member's name and the date on which the training was completed. These certifications shall be retained for a period of six (6) years following contract termination and shall be available to County upon request.
Sign a confidentiality statement that includes, at a minimum, General Use, Security and Privacy Safeguards, Unacceptable Use, and Enforcement Policies. The statement shall be signed by the workforce member prior to access to County PHI and/or County PII/PI and shall be renewed annually. The Contractor shall retain each person's written confidentiality statement for County inspection for a period of six (6) years following contract termination.
14.3.1.3 Be appropriately sanctioned if they fail to comply with security and privacy policies and procedures, including termination of employment when appropriate.
14.3.2 Physical Security Controls. Contractor shall safeguard County PHI and/or County PII/PI from loss, theft and inadvertent disclosure, and therefore shall:
14.3.2.1 Ensure County PHI and/or County PII/PI is used and stored in an area that is physically safe from access by unauthorized persons during both working hours and non-working hours.
14.3.2.2 Secure all areas of Contractor facilities where Contractor workers use or disclose County PHI and/or County PII/PI. The Contractor shall ensure that these secured areas are only accessed by authorized individuals with properly coded key cards, authorized door keys or other access authorization, and that access to premises is by official identification.
14.3.2.3 Issue workers who assist in the administration of County PHI and/or County PII/PI identification badges, and require workers to wear badges at facilities where County PHI and/or County PII/PI is stored or used.
14.3.2.4 Ensure each location where County PHI and/or County PII/PI is used or stored has procedures and controls that ensure an individual whose access to the facility is terminated:
14.3.2.4.1 Is promptly escorted from the facility by an authorized employee; and
14.3.2.4.2 Immediately has their access revoked to any and all County PHI and/or County PII/PI.
14.3.2.5 Ensure there are security guards or a monitored alarm system twenty-four (24) hours a day, seven (7) days a week, at facilities where County PHI and/or County PII/PI is stored.
14.3.2.6 Ensure data centers with servers, data storage devices and critical network infrastructure involved in the use or storage of County PHI and/or County PII/PI have perimeter security and access controls that limit access to only authorized Information Technology staff. Visitors to the data center area must be escorted by authorized IT staff at all times.
14.3.2.7 Store paper records with County PHI and/or County PII/PI in locked spaces in any facilities that are multi-use, meaning that there are County PHI and/or County PII/PI functions and Contractor functions in one building, in work areas that are not securely segregated. The Contractor shall have policies that state workers shall not leave records with County PHI and/or County PII/PI unattended at any time in cars or airplanes, and shall not check County PHI and/or County PII/PI on commercial flights; and
14.3.2.8 Use all reasonable means to prevent non-authorized personnel and visitors from having access to, control of, or viewing County PHI and/or County PII/PI.
14.3.3 Technical Controls. Contractor shall ensure:
14.3.3.1 All workstations, copiers and laptops that process and/or store County PHI and/or County PII/PI shall:
14.3.3.1.1 Be encrypted using a FIPS 140-2 certified algorithm which is 128-bit or higher, such as Advanced Encryption Standard (AES). The encryption solution shall be full disk; and
14.3.3.1.2 Install and actively use a comprehensive anti-virus software solution with automatic updates scheduled at least daily.
14.3.3.2 Have critical security patches applied, with system reboot if necessary. There shall be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. All applicable patches shall be installed within thirty (30) days of vendor release.
14.3.3.3 All servers containing unencrypted County PHI and/or County PII/PI shall have sufficient administrative, physical and technical controls in place to protect that data, based upon a risk assessment/system security review.
14.3.3.4 Only the minimum necessary amount of County PHI and/or County PII/PI required to perform necessary business functions may be copied, downloaded or exported.
14.3.3.5 All electronic files that contain County PHI and/or County PII/PI shall be encrypted when stored on any removable media or portable device (i.e., flash drives, cameras, mobile phones, CD/DVD, backup media, etc.). Encryption shall be a FIPS 140-2 certified algorithm which is 128-bit or higher, such as AES.
14.3.3.6 All users shall be issued a unique user name for accessing County PHI and/or County PII/PI. Username shall be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password, at maximum within twenty-four (24) hours.
14.3.3.6.1 Passwords shall be:
14.3.3.6.1.1 At least eight characters;
14.3.3.6.1.2 A non-dictionary word;
14.3.3.6.1.3 Changed at least every ninety (90) days;
14.3.3.6.1.4 Changed immediately if revealed or compromised; and
14.3.3.6.1.5 Composed of characters from at least three of the following four groups from the standard keyboard:
14.3.3.6.1.5.1 Upper case letters (A-Z)
14.3.3.6.1.5.2 Lower case letters (a-z)
14.3.3.6.1.5.3 Arabic numerals (0-9)
14.3.3.6.1.5.4 Non-alphanumeric characters (punctuation symbols)
14.3.3.6.2 Passwords shall not be shared and shall not be stored in readable format on the computer.
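As an added illustration (not part of the agreement), the following Python check applies the password composition rules of 14.3.3.6.1 and the ninety-day age rule; the small word list and the sample passwords are constructed for the example.

```python
import string
from datetime import date

# Constructed stand-in for a dictionary check (assumption: a real deployment
# would load a full word list, one lowercase word per line).
DICTIONARY_WORDS = {"password", "welcome", "summer", "sandiego", "calwin"}

MIN_LENGTH = 8          # 14.3.3.6.1.1: at least eight characters
REQUIRED_GROUPS = 3     # 14.3.3.6.1.5: three of the four character groups
MAX_AGE_DAYS = 90       # 14.3.3.6.1.3: changed at least every ninety days

# The four groups of 14.3.3.6.1.5, from the standard keyboard.
CHARACTER_GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_password(candidate):
    """Return the list of 14.3.3.6.1 rules the candidate violates (empty means compliant)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("shorter than eight characters (14.3.3.6.1.1)")
    # Non-dictionary check on the alphabetic core, so "Password1!" still fails.
    core = "".join(ch for ch in candidate.lower() if ch in CHARACTER_GROUPS["lower"])
    if core in DICTIONARY_WORDS:
        failures.append("dictionary word (14.3.3.6.1.2)")
    groups_used = sum(
        1 for group in CHARACTER_GROUPS.values() if any(ch in group for ch in candidate)
    )
    if groups_used < REQUIRED_GROUPS:
        failures.append(
            f"uses {groups_used} of 4 character groups, need {REQUIRED_GROUPS} (14.3.3.6.1.5)"
        )
    return failures


def password_expired(last_changed, today):
    """True when the password is older than the ninety-day maximum of 14.3.3.6.1.3."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "Password1!", "summer2016"):
        print(sample, "->", check_password(sample) or "compliant")
    print(password_expired(date(2016, 1, 1), date(2016, 4, 1)))
```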
14.3.3.7 Appropriate management control and oversight, in conjunction with County, of the function of authorizing individual user access to County PHI and/or County PII/PI, and over the process of maintaining access controls, numbers and passwords.
14.3.3.8 When no longer needed, all County PHI and/or County PII/PI shall be wiped using the Gutmann or US Department of Defense (DoD) 5220.22-M (7 Pass) standard, or by degaussing. Media may also be physically destroyed in accordance with NIST Special Publication 800-88.
14.3.3.9 All systems providing access to, transport of, or storage of County PHI and/or County PII/PI shall:
14.3.3.9.1 Provide an automatic timeout requiring re-authentication of the user session after no more than twenty (20) minutes of inactivity.
14.3.3.9.2 Display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only by authorized users. Users must be directed to log off the system if they do not agree with these requirements.
14.3.3.9.3 Maintain an automated audit trail that identifies the user or system process which initiates a request for County PHI and/or County PII/PI, or which alters County PHI and/or County PII/PI. The audit trail shall be date and time stamped, shall log both successful and failed accesses, shall be read only, and shall be restricted to authorized users. If County PHI and/or County PII/PI is stored in a database, database logging functionality shall be enabled. Audit trail data shall be archived for at least three (3) years after occurrence and shall be available to County upon request.
14.3.3.9.4 Use role based access controls for all users, enforcing the principle of least privilege.
14.3.3.9.5 Be protected by a comprehensive intrusion detection and prevention solution if they are accessible via the internet.
14.3.3.10 All data transmissions of County PHI and/or County PII/PI outside the secure internal network shall be encrypted using a FIPS 140-2 certified algorithm which is 128-bit or higher, such as AES. Encryption can be end to end at the network level, or the data files containing County PHI and/or County PII/PI can be encrypted. This requirement pertains to any type of County PII/PI in motion, such as website access, file transfer and E-Mail.
14.3.4 Audit Controls. Contractor shall ensure:
14.3.4.1 All systems processing and/or storing County PHI and/or County PII/PI shall have at least an annual system risk assessment/security review which provides assurance that administrative, physical and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools.
14.3.4.2 All systems processing and/or storing County PHI and/or County PII/PI shall have a routine procedure in place to review system logs for unauthorized access.
14.3.4.3 All systems processing and/or storing County PHI and/or County PII/PI shall have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data.
14.3.4.4 Investigate anomalies in usage of County PHI and/or County PII/PI identified by County, and report conclusions of such investigations and remediations to County.
14.4.4 Business Continuity / Disaster Recovery Controls
14.4.4.1 Contractor shall establish a documented plan to enable continuation of critical business processes and protection of the security of electronic County PHI and/or County PII/PI in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than twenty-four (24) hours.
14.4.4.2 Contractor shall ensure Data Centers with servers, data storage devices and critical network infrastructure involved in the use or storage of County PHI or PII/PI must include sufficient environmental protection, such as cooling, power, fire prevention, detection and suppression.
14.4.4.3 Contractor shall have established documented procedures to backup County PHI and/or County PII/PI to maintain retrievable exact copies of County PHI and/or County PII/PI. The plan shall include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and an estimate of the amount of time needed to restore County PHI and/or County PII/PI should it be lost. At a minimum, the schedule shall be a weekly full backup and monthly offsite storage of County data.
14.3.5 Paper Document Controls. Contractor shall ensure:
14.3.5.1 County PHI and/or County PII/PI in paper form shall not be left unattended at any time unless it is locked in a file cabinet, file room, desk or separate office inside a larger office. Unattended means that information is not being observed by an employee authorized to access the information. County PHI and/or County PII/PI in paper form shall not be left unattended at any time in vehicles and shall not be checked in baggage during commercial flights.
14.3.5.2 Visitors to areas where County PHI and/or County PII/PI are contained shall be escorted, and County PHI and/or County PII/PI shall be kept out of sight while visitors are in the area.
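As an added example (not part of the agreement or any County system), this Python routine sketches the log review of 14.3.4.2 over an audit trail shaped like 14.3.3.9.3 requires (timestamp, user, action, result, both successes and failures). The pipe-delimited record format, the authorized-user set and the sample lines are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit trail. Assumed format (not the County's):
# timestamp|user|action|record|result
SAMPLE_AUDIT_TRAIL = """\
2016-04-11T08:02:15|jdoe|READ|case-1001|SUCCESS
2016-04-11T08:03:40|jdoe|READ|case-1002|SUCCESS
2016-04-11T08:05:01|mlee|UPDATE|case-1001|SUCCESS
2016-04-11T23:14:09|temp01|READ|case-1003|FAILURE
2016-04-11T23:14:12|temp01|READ|case-1003|FAILURE
2016-04-11T23:14:20|temp01|READ|case-1003|FAILURE
2016-04-11T23:15:02|temp01|READ|case-1004|SUCCESS
"""

AUTHORIZED_USERS = {"jdoe", "mlee"}   # constructed role membership (14.3.3.9.4)
FAILED_ATTEMPT_THRESHOLD = 3          # assumed review threshold
BUSINESS_HOURS = range(7, 19)         # assumed: 07:00 to 18:59 local time


def parse_audit_trail(text):
    """Parse the assumed pipe-delimited records into dictionaries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, result = line.split("|")
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record, "result": result})
    return entries


def review_audit_trail(entries):
    """Return review findings: repeated failures, access without an authorized role,
    and alterations outside business hours (14.3.4.2 and 14.3.4.4)."""
    findings = []
    failures = Counter(e["user"] for e in entries if e["result"] == "FAILURE")
    for user, count in failures.items():
        if count >= FAILED_ATTEMPT_THRESHOLD:
            findings.append(f"{user}: {count} failed accesses")
    for e in entries:
        if e["result"] == "SUCCESS" and e["user"] not in AUTHORIZED_USERS:
            findings.append(f"{e['user']}: {e['action']} on {e['record']} without authorized role")
        if e["action"] == "UPDATE" and e["time"].hour not in BUSINESS_HOURS:
            findings.append(f"{e['user']}: alteration of {e['record']} outside business hours")
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(parse_audit_trail(SAMPLE_AUDIT_TRAIL)):
        print(finding)
```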
14.3.5.3 County PHI and/or County PII/PI shall be disposed of through confidential means, such as cross cut shredding and pulverizing.
14.3.5.4 County PHI and/or County PII/PI shall not be removed from the premises of the Contractor except for identified routine business purposes or with express written permission of County.
14.3.5.5 Faxes containing County PHI and/or County PII/PI shall not be left unattended, and fax machines shall be in secure areas. Fax cover sheets shall contain a confidentiality statement instructing persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending the fax.
14.3.5.6 Mailings of County PHI and/or County PII/PI shall be sealed and secured from damage or inappropriate viewing of County PHI and/or County PII/PI to the extent possible. Mailings which include 500 or more individually identifiable records of County PHI and/or County PII/PI in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt, unless the prior written permission of County's HHSA Privacy Officer to use another method is obtained.
14.3.5.7 Contractor shall mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of County PHI and/or County PII/PI by Contractor or its agents, including a subcontractor, and/or in violation of the requirements of the Contract.
14.4 MISCELLANEOUS
14.4.1.1.1 Disclaimer. County makes no guarantee that compliance with this agreement will be satisfactory for the Contractor's own purposes.
14.4.1.1.2 Amendment. The Parties agree to take action as necessary to amend this Article 14 from time to time as is necessary for County to comply with the requirements of any and all applicable other Federal or State laws and regulations.
14.4.1.1.3 Judicial or Admin Proceedings. Contractor will notify County if it is named as a defendant in any criminal, civil or administrative proceeding for a violation of any applicable security or privacy law.
14.4.1.1.4 Assistance in Litigation or Admin Proceedings. Contractor shall make itself and any of its agents available at no cost to County to testify or otherwise in the event of litigation or administrative proceedings commenced against County, its directors, officers or employees based on claimed violations of any applicable confidentiality, privacy or security law or regulation, whether Federal or State, if that litigation or proceeding involves actions of Contractor or its agents, except those where Contractor or its Agents are named as an adverse party.
14.4.1.1.5 Interpretation. Any ambiguity in this Article 14 shall be resolved in favor of a meaning that permits County to comply with the applicable Federal or State law or regulation.
14.4.1.1.6 Conflict. If a conflict between any of the standards contained in any of these enumerated sources of standards is found, Contractor shall follow the most stringent standard. The most stringent means that safeguard which provides the highest level of protection to County PHI and/or County PII/PI from unauthorized disclosure.
14.4.1.1.7 Regulatory References. All references in this Article 14 to any regulation or law mean the regulation or law currently in effect, including those legal and regulatory changes that occur after the effective date of this Agreement.
14.4.1.1.8 Survival. The respective rights and obligations of Contractor and Contractor under this Article 14 shall survive the termination of the Contract.
14.4.1.1.9 No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation on any other occasion.
14.4.1.1.10 Due Diligence. Contractor shall exercise due diligence and shall take reasonable steps to ensure that it remains in compliance with this Article 14 and is in compliance with all applicable Federal and State laws and regulations, and that its agents, subcontractors and vendors are in compliance with their obligations as required by this Article 14.
14.4.1.1.11 Effect of Termination. Upon termination of the Contract for any reason, with respect to any and all County PHI and/or County PII/PI received from County, or created or received by Contractor on behalf of County:
14.4.1.1.11.1 Contractor shall return or destroy all County PHI and/or County PII/PI and retain no copies of County PHI and/or County PII/PI, except County PHI and/or County PII/PI necessary for Contractor to continue its proper management and administration or to carry out its legal responsibilities, as mutually agreed upon by the Parties.
14.4.1.1.11.2 Upon mutual agreement of the Parties that return or destruction of County PHI and/or County PII/PI is infeasible, Contractor shall extend the protections of this Article to such County PHI and/or County PII/PI for so long as Contractor maintains such County PHI and/or County PII/PI.
14.4.1.1.11.3 Contractor shall return to County or destroy, as determined by County, County PHI and/or County PII/PI retained by Contractor when it is no longer needed by Contractor for its proper management and administration or to carry out its legal responsibilities.
14.4.1.1.11.4 This provision shall apply to County PHI and/or County PII/PI that is in the possession of subcontractors or agents of Contractor.