HomeMy WebLinkAboutCONSENT Salish BHO amend 1 Therapeutic courts JEFFERSON COUNTY
BOARD OF COUNTY COMMISSIONERS
AGENDA REQUEST
TO: Board of Commissioners
FROM: Rebecca Marriott, Therapeutic Courts Coordinator
DATE: J,,t(` s, Z c c
RE: Salish Behavioral Health Organization Contract Amendment
STATEMENT OF ISSUE:
The original contract with Salish Behavioral Health Organization provided for$10,000 in
funding.The contract amendment from the Salish Behavioral Health Organization provides for
an additional $5,000 of funding for this calendar year for a total of$15,000.
ANALYSIS:
These reimbursement funds are to be used for incentives in Jefferson County Therapeutic
Courts.
FISCAL IMPACT:
This contract amendment would provide $5,000 in additional revenue for Therapeutic Courts
for this calendar year.
RECOMMENDATION Approve agreement
REVIEWED BY:
411 -: 11,. 10.701 --710c
Jos a.Peters,County Administrator Date
CONTRACT REVIEW FORM Clear Form
(INSTRUCTIONS ARE ON THE NEXT PAGE)
CONTRACT WITH: Salish Behavioral Health Organziation Contract No: KC-416-24 A
Contract For:. Jefferson County Therapeutic Courts l Crin: December 31,2024-December 31,2025
COUNTY DEPARTMENT: Jefferson County Superior Court
Contact Person: Rebecca Marriott
Contact Phone: 360-385-9369
Contact email: rmarriott@co.jefferson.wa.us
AMOUNT: $5,000 PROCESS: Exempt from Bid Process
Revenue: $5,000 Cooperative Purchase
Expenditure: $5.000 Competitive Sealed Bid
Matching Funds Required: Small Works Roster
Sources(s)of Matching Funds Vendor List Bid
Fund# , RFP or RFQ
Munis Org/Obj ✓ Other:
APPROVAL STEPS:
STEP 1: DEPARTMENT('F.RTIFIES��'(�1\ WIT�3.5>.OtiO AND CH'P I�4 .23 RCW.
CERTIFIED: ■ N/A: /% i``//
Signature Dat
STEP 2: DEPARTMENT CERTIFIES THE PERSON PROPOSED FOR CONTRACTING WITH THE
COUNTY (CONTRACTOR) HAS NOT BEEN DEBARRED BY ANY FEDERA , STATE, OR LOCAL
AGENCY.
CERTIFIED: ❑■ N/A: 1//ka- 1-70--€(-e;;A-4nI 2>
Signature Da
STEP 3: RISK MAC kGEMENT REVIEW(will be added electronically through Laserfiche):
Electronically approved by Risk Management on 7/18/2025.
STEP 4: PROSECUTING ATTORNEY REVIEW(will be added electronically through Laserfiche):
Electronically approved as to form by PAO on 7/17/2025.
Contract amendment.
STEP 5: DEPARTMENT MAKES REVISIONS & RESUBMITS TO RISK MANAGEMENT AND
PROSECUTING ATTORNEY(IF REQUIRED).
STEP 6:CONTRACTOR SIGNS
STEP 7: SUBMIT TO BOCC FOR APPROVAL
1
Revision 2000-09-02
KC-416-24 A
CFDA# N/A
CONTRACT AMENDMENT
A
This CONTRACT AMENDMENT is made and entered into between SALISH
BEHAVIORAL HEALTH ORGANIZATION, through Kitsap County, as its administrative
entity, a political subdivision of the State of Washington, with its principal offices at 614
Division Street, Port Orchard, Washington 98366, hereinafter "SBHO", and Jefferson
County Superior Court, hereinafter "CONTRACTOR."
In consideration of the mutual benefits and covenants contained herein, the parties
agree that their Contract, numbered as Kitsap County Contract No. KC-416-24 and
executed on November 25, 2024, shall be amended as follows:
1 . Page 1 shall be amended as follows:
Contract Amount is increased by $5,000, increasing the contract total
from $10,00 to $15,000.
2. Contract end date is extended from December 31, 2024 to December 31,
2025. Amended contract period January 1 , 2024 — December 31, 2025.
3. Attachment C: Budget is deleted entirely and replaced as attached.
4. If this Contract Amendment extends the expiration date of the Contract,
then the Contractor shall provide an updated certificate of insurance
evidencing that any required insurance coverages are in effect through the
new contract expiration date. The Contractor shall submit the certificate of
insurance to:
Program Lead, Salish Behavioral Health Organization
Kitsap County Department of Human Services
614 Division Street, MS-23
Port Orchard, WA 98366.
Upon receipt, the Human Services Department will ensure submission of
all insurance documentation to the Risk Management Division, Kitsap
County Department of Administrative Services.
5. Except as expressly provided in this Contract Amendment, all other terms
and conditions of the original Contract, and any subsequent amendments,
addenda or modifications thereto, remain in full force and effect.
This amendment shall be effective upon January 1, 2025
DATED or ADOPTED this day of , 2025
JEFFERSON COUNTY WASHINGTON
Board of County Commissioners
Jefferson County, Washington
By:
Heidi Eisenhour,Chair Date
By:
Greg Brotherton, Commissioner Date
By:
Greg Brotherton, Commissioner Date
SEAL:
ATTEST:
Carolyn Gallaway, CMC Date
Clerk of the Board
Approved as to form only:
C July 17,2025
Philip C. Hunsucker Date
Chief Civil Deputy Prosecuting Attorney
DATED or ADOPTED this day of , 2025.
BOARD OF COUNTY COMMISSIONERS
KITSAP COUNTY, WASHINGTON
CHRISTINE ROLFES, Chair
ORAN ROOT, Commissioner
KATHERINE T. WALTERS, Commissioner
ATTEST:
Dana Daniels, Clerk of the Board
Attachment C: Budget
Budget Summary
Contractor: Jefferson County Superior Court
Contract No: KC-416-24-A
Contract Period: 1/1/24-12/31/25
Expenditure Current
Contract Period: 1/1/24-12/31/24
Criminal Justice Treatment Account $10,000
Period Total $10,000
Contract Period: 1/1/25-12/31/25
Criminal Justice Treatment Account $5,000
Period Total $5,000
Budget Total $15,000
Available Budget: Cost reimbursement
All rates are all-inclusive.
ATTACHMENT E: DATA USE, SECURITY AND CONFIDENTIALITY
1 Definitions
The definitions below apply to this Attachment:
1.1 "Authorized User" means an individual or individuals with an authorized business need to access
HCA's Confidential Information under this Contract.
1.2 "Breach" means the unauthorized acquisition, access, use, or disclosure of Data shared under
this Contract that compromises the security, confidentiality or integrity of the Data.
1.3 "Business Associate" means a Business Associate as defined in 45 CFR 160.103, who performs
or assists in the performance of an activity for or on behalf of HCA, a Covered Entity that involves
the use or disclosure of protected health information (PHI). Any reference to Business Associate in
this DSA includes Business Associate's employees, agents, officers, Subcontractors, third party
contractors, volunteers, or directors.
1.4 Business Associate Agreement" means the HIPAA Compliance section of this Exhibit and
includes the Business Associate provisions required by the U.S. Department of Health and Human
Services, Office for Civil Rights.
1.5 "Covered Entity" means HCA, which is a Covered Entity as defined in 45 C.F.R. § 160.103, in its
conduct of covered functions by tis health care components.
1.6 "Data" means the information that is disclosed or exchanged as described by this Contract. For
purposes of this Attachment, Data means the same as "Confidential Information."
1.7 "Designated Record Set" means a group of records maintained by or for a Covered Entity, that
is: the medical and billing records about Individuals maintained by or for a covered health care
provider; the enrollment, payment, claims adjudication, and case or medical management record
systems maintained by or for a health plan; or Used in whole or part by or for the Covered Entity to
make decisions about Individuals.
1.8 "Disclosure" means the release, transfer, provision of, access to, or divulging in any other
manner of information outside the entity holding the information.
1.9 "Electronic Protected Health Information (ePHI)" means Protected Health Information that is
transmitted by electronic media or maintained as described in the definition of electronic media at
45 C.F.R. § 160.103.
1.10 "Hardened Password" after July 1, 2019 means a string of characters containing at least three of
the following character classes: upper case letters; lower case letters; numerals; and special
characters, such as an asterisk, ampersand or exclamation point.
1.10.1 Passwords for external authentication must be a minimum of 10 characters long.
1.10.2 Passwords for internal authentication must be a minimum of 8 characters long.
1.10.3 Passwords used for system service or service accounts must be a minimum of 20
characters long.
V2025
1.11 "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended,
together with its implementing regulations, including the Privacy Rule, Breach Notification Rule,
and Security Rule. The Privacy Rule is located at 45 C.F.R. Part 160 and Subparts A and E of 45
C.F.R. Part 164. The Breach Notification Rule is located in Subpart D of 45 C.F.R. Part 164. The
Security Rule is located in 45 C.F.R. Part 160 and Subparts A and C of 45 C.F.R. Part 164.
1.12 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at45
C.F.R. Parts 160 and Part 164.
1.13 "Medicare Data Use Requirements" refers to the four documents attached and incorporated into
this Exhibit as Schedules 1, 2, 3, and 4 that set out the terms and conditions Contractor must
agree to for the access to and use of Medicare Data for the Individuals who are dually eligible in
the Medicare and Medicaid programs.
1.14 "Minimum Necessary" means the least amount of PHI necessary to accomplish the purpose for
which the PHI is needed.
1.15 "Portable/Removable Media" means any Data storage device that can be detached or removed
from a computer and transported, including but not limited to: optical media (e.g. CDs, DVDs);USB
drives; or flash media (e.g. CompactFlash, SD, MMC).
1.16 "Portable/Removable Devices" means any small computing device that can be transported,
including but not limited to: handhelds/PDAs/Smartphones; Ultramobile PC's, flash memory
devices (e.g. USB flash drives, personal media players); and laptops/notebook/tablet computers. If
used to store Confidential Information, devices should be Federal Information Processing
Standards (FIPS) Level 2 compliant.
1.17 "PRISM" means the DSHS secure, web-based clinical decision support tool that shows
administrative data for each Medicaid Client and is organized to identify care coordination
opportunities.
1.18 "Protected Health Information" or "PHI" has the same meaning as in HIPAA except that it in this
Contract the term includes information only relating to individuals.
1.19 "ProviderOne" means the Medicaid Management Information System, which is the State's
Medicaid payment system managed by HCA.
1.20 "Security Incident" means the attempted or successful unauthorized access, use, disclosure,
modification or destruction of information or interference with system operations in an information
system.
1.21 "Tracking" means a record keeping system that identifies when the sender begins delivery of
Confidential Information to the authorized and intended recipient, and when the sender receives
confirmation of delivery from the authorized and intended recipient of Confidential Information.
1.22 "Transmitting" means the transferring of data electronically, such as via email, SFTP,web-
services, AWS Snowball, etc.
1.23 "Transport" means the movement of Confidential Information from one entity to another, or within
an entity, that: places the Confidential Information outside of a Secured Area or system (such as a
local area network); and is accomplished other than via a Trusted System.
V2025
1.24 "Trusted System(s)" means the following methods of physical delivery: (1) hand-
delivery by a person authorized to have access to the Confidential Information with
written acknowledgement of receipt; (2) United States Postal Service ("USPS") first
class mail, or USPS delivery services that include Tracking, such as Certified Mail,
Express Mail or Registered Mail; (3) commercial delivery services (e.g. FedEx, UPS,
DHL) which offer tracking and receipt confirmation; and (4) the Washington State
Campus mail system. For electronic transmission, the Washington State Governmental
Network (SGN) is a Trusted System for communications within that Network.
1.25 "U.S.C." means the United States Code. All references in this Exhibit to U.S.C.
chapters or sections will include any successor, amended, or replacement
statute. The U.S.C. may be accessed at http://uscode.house.gov/
1.26 "Unique User ID" means a string of characters that identifies a specific user
and which, in conjunction with a password, passphrase, or other mechanism,
authenticates a user to an information system.
1.27"Use" includes the sharing, employment, application, utilization, examination, or analysis,
of Data.
2 Data Classification
2.1 The State classifies data into categories based on the sensitivity of the data pursuant to
the Security policy and standards promulgated by the Office of the state of Washington
Chief Information Officer. (See Section 4 of this Exhibit, Data Security, of Securing IT
Assets Standards No. 141.10 in the State Technology Manual at
https://ocio.wa.gov/policies/141-securing- information-technology-assets/14110-securing-
information-technology-assets.)
The Data that is the subject of this Contract is classified as Category 4—Confidential
Information Requiring Special Handling. Category 4 Data is information that is specifically
protected from disclosure and for which:
2.1.1 Especially strict handling requirements are dictated, such as by statutes,
regulations, or agreements;
2.1.2 Serious consequences could arise from unauthorized disclosure, such as
threats to health and safety, or legal sanctions.
3 Purpose
3.1 This Exhibit E covers all data sharing, collection, maintenance, and Use of Data by
Contractor for work performed under the Contract.
4 PRISM Access — N/A
V2025
5 Constraints on Use of Data
5.1 This Contract does not constitute a release of the Data for the Contractor's discretionary
use. Contractor must use the Data received or accessed under this Contract only to carry
out the purpose of this Contract. Any ad hoc analyses or other use or reporting of the Data
is not permitted without SBHASO's and HCA's prior written consent.
5.2 Data shared under this Contract includes data protected by 42 C.F.R. Part 2. In
accordance with 42 C.F.R. § 2.32, this Data has been disclosed from records protected by
federal confidentiality rules (42 C.F.R. Part 2). The federal rules prohibit Receiving Party
from making any further disclosure of the Data that identifies a patient as having or having
had a substance use disorder either directly, by reference to publicly available information,
or through verification of such identification by another person unless further disclosure is
expressly permitted by the written consent of the individual whose information is being
disclosed or as otherwise permitted by42C.F.R. Party 2. A general authorization for the
release of medical or other information is NOT sufficient for this purpose (42 C.F.R. §
2.31). The federal rules restrict any use of the SUD Data to investigate or prosecute with
regard to a crime any patient with a substance use disorder, except as provided at 42
C.F.R. § 2.12(c)(5) and § 2.65.
5.2.1 The information received including Behavioral Health Supplemental
Data is also protected by federal law, including 42 C.F.R. Part 2,
Subpart D, § 2.53, which requires HCA, SBHASO and their
Subcontractors to:
5.2.1.1 Maintain and destroy the patient identifying information in a
manner consistent with the policies and procedures
established under 42 C.F.R. §2.16;
5.2.1.2 Retain records in compliance with applicable federal,
state, and local record retention laws; and
5.2.1.3 Comply with the limitations on disclosure and Use in 42
C.F.R. Part 2, Subpart D, § 2.53(d).
5.3 Any disclosure of Data contrary to this Contract is unauthorized and
is subject to penalties identified in law.
5.4 The Contractor must comply with the Minimum Necessary Standard, which
means that Contractor will use the least amount of PHI necessary to
accomplish the Purpose of this Contract.
5.4.1 Contractor must identify:
5.4.2 Those persons or classes of persons in its workforce who need
access to PHI to carry out their duties; and
V2025
5.4.3 For each such person or class of persons, the category or
categories of PHI to which access is needed and any conditions
appropriate to such access.
5.4.4 Contractor must implement policies and procedures that limit the
PHI disclosed to such persons or classes of persons to the
amount reasonably necessary to achieve the purpose of the
disclosure, in accordance with this Contract.
6 Security of Data
6.1 Data Protection
6.1.1 The Contractor must protect and maintain all Confidential
Information gained by reason of this Contract, information that is
defined as confidential under state or federal law or regulation, or
Data that HCA has identified as confidential, against unauthorized
use, access, disclosure, modification or loss. This duty requires the
Contractor to employ reasonable security measures, which include
restricting access to the Confidential Information by:
6.1.1.1 Allowing access only to staff that have an authorized
business requirement to view the Confidential Information.
6.1.1.2 Physically securing any computers, documents, or other
media containing the Confidential Information
6.2 Data Security Standards
6.2.1 Contractor must comply with the Data Security Requirements set
out in this section and the Washington OCIO Security Standard,
141.10, which will include any successor, amended, or
replacement regulation (https://ocio.wa.gov/policies/141-securinq-
information-technology-assets/14110-securing-information-
technology-assets.) The Security Standard 141.10 is hereby
incorporated by reference into this Contract.
6.2.2 Data Transmitting
6.2.2.1 When transmitting Data electronically, including via
email, the Data must be encrypted using NIST 800-
series approved algorithms
(http://csrc.nist.gov/publications/PubsSPs.html). This
includes transmission over the public internet.
6.2.2.2 When transmitting Data via paper documents, the
Contractor must use a Trusted System.
6.2.3 Protection of Data. The Contractor agrees to store and protect Data
as described.
V2025
6.2.3.1 Data at Rest:
6.2.3.1.1 Data will be encrypted with NIST 800-series
approved algorithms. Encryption keys will be
stored and protected independently of the data.
Access to the Data will be restricted to
Authorized Users through the use of access
control lists, a Unique User ID, and a Hardened
Password, or other authentication mechanisms
which provide equal or greater security, such
as biometrics or smart cards. Systems that
contain or provide access to Confidential
Information must be located in an area that is
accessible only to authorized personnel, with
access controlled through use of a key, card
key, combination lock, or comparable
mechanism.
6.2.3.2 Data stored on Portable/Removable Media or Devices
6.2.3.2.1 Confidential Information provided by
SBHASO or HCA on Removable Media will
be encrypted with NIST 800-series
approved algorithms. Encryption keys will
be stored and protected independently of
the Data.
6.2.3.2.2 HCA's Data must not be stored by the
Contractor on Portable Devices or Media unless
specifically authorized within the Contract. If so
authorized, the Contractor must protect the
Data by:
6.2.3.2.2.1 Encrypting with NIST 800-series
approved algorithms. Encryption keys
will be stored and protected
independently of the data;
6.2.3.2.2.2 Controlling access to the devices with
a Unique User ID and Hardened
Password or stronger authentication
method such as a physical token or
biometrics;
6.2.3.2.2.3 Keeping devices in locked storage
when not in use;
6.2.3.2.2.4 Using check-in/check-out procedures
when devices are shared;
6.2.3.2.2.5 Maintaining an inventory of devices;
V2025
and
6.2.3.2.2.6 Ensuring that when being transported
outside of a Secured Area, all devices
containing Data are under the physical
control of an Authorized User.
6.2.3.3 Paper Documents. Any paper records containing
Confidential Information must be protected by storing the
records in a Secured Area that is accessible only to
authorized personnel. When not in use, such records must
be stored in a locked container, such as a file cabinet,
locking drawer, or safe, to which only authorized persons
have access.
6.2.4 Data Segregation
6.2.4.1 HCA Data received under this Contract must be
segregated or otherwise distinguishable from non-HCA
Data. This is to ensure that when no longer needed by
the Contractor, all of HCA's Data can be identified for
return or destruction. It also aids in determining whether
HCA's Data has or may have been compromised in the
event of a security breach.
6.2.4.2 HCA's Data must be kept in one of the following ways:
6.2.4.2.1 On media (e.g. hard disk, optical disc, tape, etc.)
which contains only HCA Data;
6.2.4.2.2 In a logical container on electronic media, such as
a partition or folder dedicated to HCA's Data;
6.2.4.2.3 In a database that contains only HCA Data;
6.2.4.2.4 Within a database— HCA data must be
distinguishable from non- HCA Data by the value of
a specific field or fields within database records;
6.2.4.2.5 Physically segregated from non-HCA Data in a drawer,
folder, or other container when stored as physical
paper documents.
6.2.4.3 When it is not feasible or practical to segregate HCA's Data from
non-HCA data, both HCA's Data and the non-HCA data with
which it is commingled must be protected as described in this
Exhibit.
6.3 Data Disposition
V2025
6.3.1 Upon request by SBHASO or HCA, at the end of the Contract term,
or when no longer needed, Confidential Information/Data must be
returned to HCA or disposed of as set out below, except as required
to be maintained for compliance or accounting purposes.
6.3.2 Media are to be destroyed using a method documented
within NIST 800-88
(http://csrc.nist.gov/publications/PubsSPs.html).
6.3.3 For Data stored on network disks, deleting unneeded Data is sufficient
as long as the disks remain in a Secured Area and otherwise meet the
requirements listed in Section 4.b.iii, above. Destruction of the Data as
outlined in this section of this Exhibit may be deferred until the disks
are retired, replaced, or otherwise taken out of the Secured Area.
7 Data Confidentiality and Non-Disclosure
7.1 Data Confidentiality.
7.1.1 The Contractor will not use, publish, transfer, sell or otherwise
disclose any Confidential Information gained by reason of this
Contract for any purpose that is not directly connected with the
purpose of this Contract,except:
7.1.1.1 as provided by law; or
7.1.1.2 with the prior written consent of the person or personal
representative of the person who is the subject of the
Confidential Information.
7.2 Non-Disclosure of Data
7.2.1 The Contractor will ensure that all employees or Subcontractors who
will have access to the Data described in this Contract (including both
employees who will use the Data and IT support staff) are instructed
and aware of the use restrictions and protection requirements of this
Attachment before gaining access to the Data identified herein. The
Contractor will ensure that any new employee is made aware of the
use restrictions and protection requirements of this Attachment before
they gain access to the Data.
7.2.2 The Contractor will ensure that each employee or Subcontractor who
will access the Data signs a non-disclosure of confidential information
agreement regarding confidentiality and non-disclosure requirements of
Data under this Contract. The Contractor must retain the signed copy
of employee non-disclosure agreement in each employee's personnel
file for a minimum of six years from the date the employee's access to
the Data ends. The Contractor will make this documentation available
V2025
to SBHASO or HCA upon request.
7.3 Penalties for Unauthorized Disclosure of Data
7.3.1 The Contractor must comply with all applicable federal and state
laws and regulations concerning collection, use, and disclosure of
Personal Information and PHI. Violation of these laws may result in
criminal or civil penalties or fines.
7.3.2 The Contractor accepts full responsibility and liability for any
noncompliance with applicable laws or this Contract by itself,
its employees, and its Subcontractors.
8 Data Shared with Subcontractors
If Data access is to be provided to a Subcontractor under this Contract, the
Contractor must include all of the Data security terms, conditions and requirements
set forth in this Attachment in any such Subcontract.
However, no subcontract will terminate the Contractor's legal responsibility to HCA
for any work performed under this Contract nor for oversight of any functions and/or
responsibilities it delegates to any subcontractor. Contractor must provide an
attestation by January 31, each year that all Subcontractor meet, or continue to meet,
the terms, conditions, and requirements in this Attachment.
9 Data Breach Notification
9.1 The Breach or potential compromise of Data must be reported to the
SBHASO Privacy Officer at iclausonAkitsap.gov and to the SBHASO
Contract Manager at ikron(c kitsap.gov within five (5) business days of
discovery. If the Contractor does not have full details, it will report what
information it has, and provide full details within fifteen (15) business days
of discovery. To the extent possible, these reports must include the
following:
9.1.1 The identification of each non-Medicaid Individual whose PHI
has been or may have been improperly accessed, acquired,
used, or disclosed;
9.1.2 The nature of the unauthorized use or disclosure, including
a brief description of what happened, the date of the
event(s), and the date of discovery;
9.1.3 A description of the types of PHI involved;
9.1.4 The investigative and remedial actions the Contractor or its
Subcontractor took or will take to prevent and mitigate harmful
effects, and protect against recurrence;
9.1.5 Any details necessary for a determination of the potential
V2025
harm to Individuals whose PHI is believed to have been used
or disclosed and the steps those Individuals should take to
protect themselves; and
9.1.6 Any other information SBHASO or HCA reasonably requests.
9.2 The Contractor must take actions to mitigate the risk of loss and comply with
any notification or other requirements imposed by law or HCA including but
not limited to 45 C.F.R. Part 164,Subpart D; RCW 42.56.590; RCW
19.255.010; or WAC 284-04-625.
9.3 The Contractor must notify SBHASO in writing, as described in 9.1 above,
within two (2) business days of determining notification must be sent to non-
Medicaid Individuals.
9.4 At SBHASO's or HCA's request, the Contractor will provide draft Individual
notification to HCA at least five (5) business days prior to notification, and
allow HCA an opportunity to review and comment on the notifications.
9.5 At SBHASO's or HCA's request, the Contractor will coordinate its
investigation and notifications with HCA and the Office of the state of
Washington Chief Information Officer (OCIO), as applicable.
10 HIPAA Compliance
The Contractor is a "Business Associate" of SBHASO as defined in the HIPAA Rules.
10.1 HIPAA Point of Contact. The point of contact for the Contractor for all
required HIPAA-related reporting and notification communications from
this Section and all required Data Breach Notification from Section 9, is:
Salish Behavioral Health Administrative Services Organization
Attention: Ileea Clauson, Privacy Officer
614 Division St., MS-23
Port Orchard, WA 98366
Telephone: (360) 337-4833
Email: IClauson@kitsap.gov
10.2 Compliance. Contractor must perform all Contract duties, activities, and tasks
in compliance with HIPAA, the HIPAA Rules, and all attendant regulations as
promulgated by the U.S. Department of Health and Human Services, Office
for Civil Rights, as applicable.
10.3 Use and Disclosure of PHI. Contractor is limited to the following permitted
and required uses or disclosures of PHI:
10.3.1 Duty to Protect PHI. Contractor must protect PHI from, and will use
appropriate safeguards, and comply with Subpart C of 45 C.F.R.
V2025
Part 164, Security Standards for the Protection of Electronic Protect
Health Information, with respect to ePHI, to prevent unauthorized
Use or disclosure of PHI for as long as the PHI is within Contractor's
possession and control, even after the termination or expiration of
this Contract.
10.3.2 Minimum Necessary Standard. Contractor will apply the HIPAA
Minimum Necessary standard to any Use or disclosure of PHI
necessary to achieve the purposes of this Contractor. See 45
C.F.R. § 164.514(d)(2) through (d)(5).
10.3.3 Disclosure as Part of the Provision of Services. Contractor will only
Use or disclose PHI as necessary to perform the services specified
in this Contract or as required by law, and will not Use or disclose
such PHI in any manner that would violate Subpart E of 45 C.F.R.
Part 164, Privacy of Individually Identifiable Health Information, if
done by Covered Entity, except for the specific Uses and disclosures
set forth below.
10.3.4 Use for Proper Management and Administration. Contractor may
Use PHI for the proper management and administration of the
Contractor or to carry out the legal responsibilities of the Contractor.
10.3.5 Disclosure for Proper Management and Administration. Contractor
may disclosure PHI for the proper management and administration of
Contractor, subject to HCA approval, or to carry out the legal
responsibilities of the Contractor, provided the disclosures are
required by law, or Contractor obtains reasonable assurances from
the person to whom the information is disclosed that the information
will remain confidential and used or further disclosed only as
required by law or for the purposes for which it was disclosed to the
person, and the person notifies Contractor of any instances of which
it is aware in which the confidentiality of the information has been
Breached.
10.3.6 Impermissible Use or Disclosure of PHI. Contractor must report to the
HIPAA Point of Contact, in writing, all Uses or disclosures of PHI not
provided for by this Contract within five (5) business days of
becoming aware of the unauthorized Use or disclosure of PHI,
including Breaches of unsecured PHI as required at 45 C.F.R. §
164.410, Notification by a Business Associate, as well as any Security
Incident of which Contractor becomes aware. Upon request by
SBHASO or HCA, Contractor will mitigate, to the extent practicable,
any harmful effect resulting from the impermissible Use or disclosure.
10.3.7 Failure to Cure. If SBHASO learns of a pattern or practice of the
Contractor that constitutes a violation of Contractor's obligations under
the term of this Attachment and reasonable steps by the Contractor do
V2025
not end the violation, SBHASO may terminate this Contract, if feasible.
In addition, if Contractor learns of a pattern or practice of its
Subcontractor(s) that constitutes a violation of Contractor's obligations
under the terms of their contract and reasonable steps by the
Contractor do not end the violation, Contractor must terminate the
Subcontract, if feasible.
10.3.8 Termination for Cause. Contractor authorizes immediate termination of
this Contract by SBHASO, if SBHASO determines Contractor has
violated a material term of this Business Associate Agreement.
SBHASO may, at its sole option, offer Contractor an opportunity to cure
a violation of this Business Associate Agreement before exercising a
termination for cause.
10.3.9 Consent to Audit. Contractor must give reasonable access to PHI, its
internal practices, records, books, documents, electronic data, and/or
all other business information received from, or created, received by
Contractor on behalf of SBHASO or HCA, to the Secretary of the
United States Department of Health and Human Services (DHHS)
and/or to HCA for use in determining compliance with HIPAA privacy
requirements.
10.3.10 Obligations of Business Associate upon Expiration or Termination.
Upon expiration or termination of this Contract for any reason, with
respect to PHI received from SBHASO or HCA, or created,
maintained, or received by Contractor, or any Subcontractors, on
behalf of SBHASO or HCA, Contractor must:
10.3.10.1 Retain only that PHI which is necessary for Contractor
to continue its proper management and administration or to
carry out its legal responsibilities;
10.3.10.2 Return to SBHASO or HCA or destroy the
remaining PHI that the Contractor or any
Subcontractors still maintain in any form;
10.3.10.3 Continue to use appropriate safeguards and comply with
Subpart C of45 C.F.R. Part 164, Security Standards for
Protection of Electronic Protected Health Information, with
respect to ePHI to prevent Use or disclosure of the PHI, other
than as provided for in this Section, for as long as Contractor or
any Subcontractor retains PHI;
10.3.10.4 Not Use or disclose the PHI retained by Contractor or any
Subcontractors other than for the purposes for which such PHI
was retained and subject to the same conditions section out in
Section 9.3, Use and Disclosure of PHI, that applied prior to
termination; and
V2025
10.3.10.5 Return to SBHASO or HCA or destroy the PHI
retained by Contractor, or any Subcontractors, when it is
no longer needed by Contractor for its proper
management and administration or to carry out its legal
responsibilities.
10.3.11 Survival. The obligations of Contractor under this Section will
survive the termination or expiration of the Contract.
10.4 Individual Rights.
10.4.1 Accounting of Disclosures.
10.4.1.1 Contractor will document all disclosures, except those
disclosures that are exempt under 45 C.F.R. § 164.528, of
PHI and information related to such disclosures.
10.4.1.2 Within ten (10) business days of a request from SBHASO or
HCA, Contractor will make available to HCA the information in
Contractor's possession that is necessary for HCA to respond
in a timely manner to a request for an accounting of
disclosures of PHI by the Contractor. See 45 C.F.R. §§
164.504(e)(2)(ii)(G) and 164.528(b)(1).
10.4.1.3 At the request of SBHASO or HCA, or in response to a request
made directly to the Contractor by an Individual, Contractor will
respond, in a timely manner and in accordance with HIPAA
and the HIPAA Rules, to requests by Individuals for an
accounting of disclosures of PHI.
10.4.1.4 Contractor record keeping procedures will be sufficient to
respond to a request for an accounting under this section for
the ten (10) years prior to the date on which the accounting was
requested.
10.4.2 Access.
10.4.2.1 Contractor will make available PHI that it holds that is part of
a Designated Record Set when requested by HCA or the
Individual as necessary to satisfy HCA's obligations under 45
C.F.R. § 164.524, Access of Individuals to Protected Health
Information.
10.4.2.2 When the request is made by the Individual to the Contractor or
if SBHASO or HCA ask the Contractor to respond to a request,
the Contractor must comply with requirements in 45 C.F.R. §
164.524, Access of Individuals to Protected Health Information,
on form, time and manner of access. When the request is made
by HCA, the Contractor will provide the records to HCA within
ten (10) business days.
V2025
10.4.3 Amendment.
10.4.3.1 If SBHASO or HCA amends, in whole or in part, a record or PHI
contained in an Individual's Designated Record Set and
SBHASO or HCA has previously provided the PHI or record that
is the subject of the amendment to Contractor, then SBHASO
will inform Contractor of the amendment pursuant to 45 C.F.R.
§ 164.526(c)(3), Amendment of Protected Health Information.
10.4.3.2 Contractor will make any amendments to PHI in a Designated
Record Set as directed by SBHASO or HCA or as necessary
to satisfy SBHASO's and HCA's obligations under 45 C.F.R.§
164.526, Amendment of Protected Health Information.
10.5 Subcontracts and other Third Party Agreements. In accordance with 45
C.F.R. §§ 164.502(e)(1)(ii), 164.504(e)(1)(i), and 164.308(b)(2), Contractor
must ensure that any agents, Subcontractors, independent contractors, or
other third parties that create, receive, maintain, or transmit PHI on
Contractor's behalf, enter into a written contract that contains the same terms,
restrictions, requirements, and conditions as the HIPAA compliance
provisions in this Contract with respect to such PHI. The same provisions
must also be included in any contracts by a Contractor's Subcontractor with
its own business associates as required by 45 C.F.R. §§ 164.314(a)(2)(b) and
164.504(e)(5).
10.6 Obligations. To the extent the Contractor is to carry out one or more of
HCA's obligation(s) under Subpart E of 45 C.F.R. Part 164, Privacy of
Individually Identifiable Health Information,Contractor must comply with all
requirements that would apply to HCA in the performance of such
obligation(s).
10.7 Liability. Within ten (10) business days, Contractor must notify the HIPAA
Point of Contact of any complaint, enforcement or compliance action
initiated by the Office for Civil Rights based on an allegation of violation of
the HIPAA Rules and must inform HCA of the outcome of that action.
Contractor bears all responsibility for any penalties, fines or sanctions
imposed against the Contractor for violations of the HIPAA Rules and for
any imposed against its Subcontractors or agents for which it is found liable.
10.8 Miscellaneous Provisions.
10.8.1 Regulatory References. A reference in this Contract to a
section in the HIPAA Rules means the section as in effect or
amended.
10.8.2 Interpretation. Any ambiguity in this Exhibit will be interpreted to
permit compliance with the HIPAA Rules.
11 Inspection
V2025
SBHASO and HCA reserve the right to monitor, audit, or investigate the use of
Personal Information and PHI of Individuals collected, used, or acquired by
Contractor during the terms of this Contract. All SBHASO and HCA
representatives conducting onsite audits of Contractor agree to keep confidential
any patient-identifiable information which may be reviewed during the course of
any site visit or audit.
12 Indemnification
The Contractor must indemnify and hold SBHASO and HCA and its employees
harmless from any damages related to the Contractor's or Subcontractor's
unauthorized use or release of Personal Information or PHI of Individuals.
V2025
h: An official website of the United States government.Here's how you know>
Visit our tips page to learn how to best use the Exclusions Database.If you experience technical difficulties,please email the webmaster at webmaster@oig.hhs.gov.
Exclusions Search Results: Entities
No Results were found for
Jefferson County Superior Court
If no results are found,this individual or entity(if it is an entity search)is not currently excluded.Print this Web page for your
documentation
Search Again
Search conducted 1/8/2025 7:26:55 PM EST on OIG LEIE Exclusions database.
Source data updated on 12/10/2024 7:00:00 AM EST
Return to Search
SALISH BEHAVIORAL HEALTH ADMINISTRATIVE SERVICES ORGANIZATION
STANDARD CONTRACT
Contract Number: KC-416-24
Contractor: Jefferson County Superior Court
Amount: $10,000
Contract Term: January 1, 2024 — December 31, 2024
CFDA#: NA
Purpose: This contract is entered into for the purpose of ensuring the provision of
substance use treatment and recovery support services of Jefferson County.
This contract is made between Jefferson County Superior Court (hereinafter
"Contractor") and the Salish Behavioral Health Administrative Services Organization
(hereinafter "SBHASO"). This notification of contract, including all material incorporated
by reference, contains all terms and conditions agreed to by the parties hereto. No
other understandings, oral or otherwise, regarding the subject matter of this agreement
shall be deemed to exist or to bind any of the parties hereto. The Kitsap County
Department of Human Services shall act as administrator of this contract on behalf of
the SBHASO.
The rights and obligations of the parties shall be subject to, and governed by, the terms
and conditions contained herein and by the Statement of Work, General Agreement,
Special Terms and Conditions, Business Associate Agreement and the Budget/Rate
Sheet. In the event of any inconsistency in this notification of contract, including the
items incorporated herein by reference, the inconsistency shall be resolved by giving
precedence in the following order: (1) General Agreement; (2) Special Terms and
Conditions; (3) Statement of Work; (4) Budget/Rate Sheet.
As evidenced by signatures hereon, the parties accept the terms and conditions of this
contract.
JEFFERSON COUNTY WASHINGTON CONTRACTOR:
Board of County Commissioners Jefferson County Superior Court
Jefferson County, Washington
By: 6 /0 7/2y By: w
.....___ ,,,A....._____
Kate ean, Chair Date Brandon Mack, Superior Court Judge
1��� / I attest that I have the authority to sign this
By: contract on behalf of Jefferson County
B potherton, Commissioner Date Superior
Court.
��- l / Date: IV ( 2'Ll
By: 7/2 Heidi Eisenhour, Commissioner Date
SEAL: ��,,,,,0,,,..,,,,, ,
FF .R a olv ,,,,,
s 4//0..0.-1;;Iiss;o°o\
_ •c, 2�:-z. =
•
ATTEST: T%R`'
�' 0,4:�V• .....••;c0f•'s
y, ...H1NC'e 0.6 /D
/ ��e_ti
� /7 /21
(72
Caroly Galla ay, CMC Date
Clerk o the :oard
Approved as to form only:
irs„
O. C October 7, 2024
Philip C. Hunsucker Date
Chief Civil Deputy Prosecuting Attorney
1
GENERAL AGREEMENT
SECTION I. CONTRACTOR REQUIREMENTS
Contractor agrees to perform the services as set forth in the Statement of Work
Attachment B, as attached herein.
A. Authority
Contractor possesses legal authority to apply for the funds covered under this
contract.
B. Assignment/Subcontract
1. Contractor shall not assign its rights and/or duties under this contract
without the prior written consent of the SBHASO.
2. Contractor shall obtain written approval for assignment from the Contract
Administrator prior to entering into any subcontract for the performance of
any services contemplated by this contract; provided, however, that
approval shall not be unreasonably withheld.
a. In the event that the Contractor enters into any subcontract
agreement funded with money from this contract, the Contractor is
responsible for subcontractor:
o Compliance with applicable terms and conditions of this
contract;
o Compliance with all applicable law; and.
o Provision of insurance coverage for its activities.
C. Limitations on Payments
1. Contractor shall pay no wages in excess of the usual and accustomed
wages for personnel of similar background, qualifications and experience.
2. Contractor shall pay no more than reasonable market value for equipment
and/or supplies.
3. Any cost incurred by Contractor over and above the year-end sums set
out in the budgets shall be at Contractor's sole risk and expense.
D. Compliance with Laws
1. Contractor shall comply with all applicable provisions of the Americans
with Disabilities Act and all regulations interpreting or enforcing such act.
3
2. Contractor shall comply with all applicable federal, state and local statutes,
regulations, rules and ordinances. Applicable laws and regulations
include, but are not limited to:
a. Title XIX and Title XXI of the Social Security Act.
b. Title VI of the Civil Rights Act of 1964.
c. Title IX of the Education Amendments of 1972, regarding any
education programs and activities.
d. The Age Discrimination Act of 1975.
e. The Rehabilitation Act of 1973.
f. The Budget Deficit Reduction Act of 2005.
g. The Washington Medicaid False Claims Act and the Federal False
Claims Act (FCA).
h. The Health Insurance Portability and Accountability Act (HIPPA).
i. The American Recovery and Investment Act (ARRA).
j. The Patient Protection and Affordable Care Act (PPACA or ACA).
k. The Health Care and Education Reconciliation Act.
I. The Mental Health Parity and Addiction Equity Act (MHPAEA) and
final rule.
m. 21 C.F.R. Food and Drugs, Chapter 1 Subchapter C — Drugs —
General.
n. 42 C.F.R. Subchapter A, Part 2- Confidentiality of Alcohol and Drug
Abuse Patient Records.
o. 42 C.F.R. Subchapter A, Part 8 — Certification of Opioid Treatment
Programs.
p. 45 C.F.R. Part 96 Block Grants.
q. 45 C.F.R § 96.126 Capacity of Treatment for Intravenous
Substance Abusers who Receive Services under Block Grant
funding.
r. Chapter 70.02 RCW Medical Records — Health Care Information
Access and Disclosure.
s. Chapter 71.05 RCW Mental Illness.
t. Chapter 71.24 RCW Community Mental Health Services Act.
u. Chapter 71.34 RCW Mental Health Services for Minors.
v. Chapter 246-341 WAC.
w. Chapter 43.20A RCW Department of Social and Health Services.
x. Senate Bill 6312 (Chapter 225. Laws of 2014) State Purchasing of
Mental Health and Chemical Dependency Treatment Services.
y. All federal and State professional and facility licensing and
accreditation requirements/standards that apply to services
performed under the terms of this Contract.
z. Reporting of abuse as required by RCW 26.44.030.
aa. Federal Drug and Alcohol Confidentiality Laws in 42 C.F.R. Part 2.
bb. Copeland Anti-Kickback Act.
cc. Davis-Bacon Act.
dd. Byrd Anti-Lobbying Amendment.
4
ee. Any services provided to an individual enrolled in Medicaid are
subject to applicable Medicaid rules.
3. Contractor shall comply with SBHASO policies, procedures and practices.
4. Contractor will not discriminate against any employee or applicant for
employment because of race, color, creed, marital status, religion, sex,
sexual orientation, national origin, Vietnam era or disabled veteran's
status, age, the presence of any sensory, mental or physical disability;
provided, that the prohibition against discrimination in employment
because of disability shall not apply if the particular disability prevents the
individual from performing the essential functions of his or her employment
position, even with reasonable accommodation. Such action shall include,
but not be limited to, the following: employment, upgrading, demotion, or
transfer; recruitment or recruitment advertising; lay-off or termination, rates
of pay or other forms of compensations, and selection for training,
including apprenticeship.
E. Indemnification
To the fullest extent permitted by law, Contractor shall indemnify, defend and
hold harmless the Salish Behavioral Health Administrative Services Organization,
Kitsap County, Jefferson County and Clallam County, and the elected and
appointed officials, officers, employees and agents of each of them, from and
against all claims resulting from or arising out of the performance of this contract,
whether such claims arise from the acts, errors or omissions of Contractor, its
subcontractors, third parties, the Salish Behavioral Health Administrative
Services Organization, Kitsap County, Jefferson County or Clallam County, or
anyone directly or indirectly employed by any of them or anyone for whose acts,
errors or omissions any of them may be liable. "Claim" means any loss, claim,
suit, action, liability, damage or expense of any kind or nature whatsoever,
including but not limited to attorneys' fees and costs, attributable to personal or
bodily injury, sickness, disease or death, or to injury to or destruction of property,
including the loss of use resulting therefrom. Contractor's duty to indemnify,
defend and hold harmless includes but is not limited to claims by Contractor's or
any subcontractor's officers, employees or agents. Contractor's duty, however,
does not extend to claims arising from the sole negligence or willful misconduct
of the Salish Behavioral Health Administrative Services Organization, Kitsap
County, Jefferson County or Clallam County, or the elected and appointed
officials, officers, employees and agents of any of them. For the purposes of this
indemnification provision, Contractor expressly waives its immunity under Title 51
of the Revised Code of Washington and acknowledges that this waiver was
mutually negotiated by the parties. This provision shall survive the expiration or
termination of this contract.
5
F. Insurance
1. For the duration of the contract and until all work specified in the contract
is completed, Contractor shall maintain in effect all insurance as required
herein. Work under this contract shall not commence until evidence of all
required insurance and bonding is provided to the SBHASO. Evidence of
such insurance shall consist of a completed copy of the Certificate of
Insurance, signed by the insurance agent for the Contractor and returned
to
Program Lead, Salish Behavioral Health Administrative Services
Organization
Kitsap County Department of Human Services
614 Division Street, MS-23
Port Orchard, WA 98366.
2. The Contractor's insurer shall have a minimum A.M. Best's Rating of A-
VII.
3. Coverage shall include the following terms and conditions:
a. The policy shall be endorsed and certificate shall reflect that the
SBHASO and Clallam, Jefferson and Kitsap Counties are named
as an additional insureds on the Contractor's General Liability
Policy with respect to the activities under this Contract.
b. The policy shall provide and the certificate shall reflect that the
insurance afforded applies separately to each insured against
which a claim is made or a suit is brought except with respect to the
limits of the Contractor's liability.
c. The policy shall be endorsed and the certificate shall reflect that the
insurance afforded therein shall be primary insurance and any
insurance or self-insurance carried by Kitsap County on behalf of
the SBHASO shall be excess and not contributory insurance to that
provided by the Contractor.
d. If for any reason, any material change occurs in the coverage
during the course of this contract, such changes shall not become
effective until forty-five (45) days after Kitsap County Risk
Management has received written notice of changes.
e. SBHASO and Clallam, Jefferson and Kitsap Counties have no
obligation to report occurrences unless a claim is filed with the
SBHASO; and SBHASO or Clallam, Jefferson or Kitsap Counties
have no obligation to pay premiums.
6
4. The Contractor shall insure that every officer, director, or employee who is
authorized to act on behalf of the Contractor for the purpose of receiving
or depositing funds into program accounts or issuing financial documents,
checks or other instruments of payment for program costs shall be bonded
to provide protection against loss.
a. Fidelity bonding secured pursuant to this contract must have
coverage of$100,000 or the highest planned advance or
reimbursement for the program year, whichever is greater.
b. If requested, the Contractor will provide a copy of the bonding
instrument or a certification of the same from the bond issuing
agency.
5. Workers' Compensation and Employer Liability. The Contractor will
maintain workers' compensation insurance as required by Title 51,
Revised Code of Washington, and will provide evidence of coverage to the
Kitsap County Risk Management Division. If the contract is for over
$50,000, then the Contractor will also maintain employer liability coverage
with a limit of not less than $1 million.
6. The Contractor shall have insurance coverage and limits as follows:
a. Comprehensive Liability
Comprehensive General Liability Insurance and Comprehensive
Automobile Liability Insurance with limits of not less than:
COVERAGE LIMITS OF LIABILITY
Comprehensive General Liability Insurance
a. Bodily Injury Liability $1,000,000 each
occurrence
b. Property Damage Liability $1,000,000 each
occurrence
OR
c. Combined Bodily Injury/Property $2,000,000 aggregate
Damage Liability
Comprehensive Automobile Liability Insurance
a. Bodily Injury Liability $1,000,000 each
person
$1,000,000 each
occurrence
b. Property Damage Liability $1,000,000 each
occurrence
7
COVERAGE LIMITS OF LIABILITY
OR
c. Combined Single Limit Coverage of $2,000,000
b. Professional Liability Insurance with limits of not less than:
Professional Liability Insurance $1,000,000 each occurrence
G. Conflict of Interest
Contractor agrees to avoid organizational conflict of interest and the Contractor's
employees will avoid personal conflict of interest and the appearance of conflict
of interest in disbursing contract funds for any purpose and in the conduct of
procurement activities.
H. Documentation
1. Contractor shall maintain readily accessible records and documents
sufficient to provide an audit trail needed by the SBHASO to identify the
receipt and expenditure of funds under this contract, and to keep on
record all source documents such as time and payroll records, mileage
reports, supplies and material receipts, purchased equipment receipts,
and other receipts for goods and services.
2. The Contractor is required to maintain property record cards and property
identification tabs as may be directed by SBHASO codes and changes
thereto. This applies only to property purchased from funds under this
contract specifically designated for such purchases. Ownership of
equipment purchased with funds under this contract so designated for
purchase shall rest in the SBHASO and such equipment shall be so
identified.
3. The Contractor shall provide a detailed record of all sources of income for
any programs it operates pursuant to this contract, including state grants,
fees, donations, federal funds and others for funds outlined in appropriate
addenda. Expenditure of all funds payable under this contract must be in
accordance with the approved Statement of Work.
4. The SBHASO shall have the right to review the financial and service
components of the program as established by the Contractor by whatever
means are deemed expedient by the SBHASO, or their respective
delegates. Such review may include, but is not limited to, with reasonable
notice, on-site inspection by SBHASO agents or employees, inspection of
8
all records or other materials which the SBHASO deems pertinent to this
contract and its performance, except those deemed confidential by law.
5. All property and patent rights, including publication rights, and other
documentation, including machine-readable media, produced by the
Contractor in connection with the work provided for under this contract
shall vest in the SBHASO. The Contractor shall not publish any of the
results of this contract work without the advance written permission of the
SBHASO. Such material will be delivered to the SBHASO upon request.
SECTION II. RELATIONSHIP OF THE PARTIES
The parties intend that an independent contractor relationship will be created by this
contract, and the conduct and control of the services will lie solely with the Contractor.
No official, officer, agent, employee, or servant of the Contractor shall be, or deemed to
be, an official, officer, employee, servant, or otherwise of the SBHASO for any purpose;
and the employees of the Contractor are not entitled to any of the benefits the SBHASO
provides for SBHASO employees. It is understood that the SBHASO does not agree to
use Contractor exclusively. Contractor will be solely and entirely responsible for its acts
and for the acts of its officials, officers, agents, employees, servants, subcontractors, or
otherwise during the performance of this agreement.
In the performance of the services herein contemplated, Contractor is an independent
contractor with the authority to control and direct the performance of the details of the
work, SBHASO being interested only in the results obtained. However, the work
contemplated herein must meet the approval of the SBHASO and shall be subject to
SBHASO's general right of inspection and supervision to secure the satisfactory
completion thereof.
In the event that any of the Contractor's officials, officers, employees, agents, servants
or otherwise, carry on activities or conduct themselves in any manner which may either
jeopardize the funding of this agreement or indicate said officials, officers, employees,
agents or servants are unfit to provide those services as set forth within, the Contractor
shall be responsible for taking adequate measures to prevent said official, officer,
employee, agent or servant from performing or providing any of the services as called
for within.
SECTION III. MODIFICATION
No change, addition or erasure of any portion of this agreement shall be valid or binding
upon either party. There shall be no modification of this agreement, except in writing,
executed with the same formalities as this present instrument. Either party may request
that the contract terms be renegotiated when circumstances, which were neither
foreseen nor reasonably foreseeable by the parties at the time of contracting, arise
during the period of performance of this contract. Such circumstances must have a
9
substantial and material impact upon the performance projected under this contract and
must be outside of the control of either party.
SECTION IV. TERMINATION
A. Failure to Perform
This contract may be terminated, in whole, or in part, without limiting remedies,
by either party to this contract if the other party materially fails to perform in
accordance with the terms of this contract. In this event, the aggrieved party
shall deliver ten (10) working days advance written notification to the other party
specifying the performance failure and the intent to terminate.
B. Without Cause
Either party to this contract may elect to terminate this contract without cause by
delivering a ninety (90) day written notice of intent to terminate to the other party.
C. Funding
The SBHASO may unilaterally terminate or negotiate modification of this contract
at any time if its federal, or state grants are suspended, reduced, or terminated
before or during this contract period, or if federal or state grant terms and
regulations change significantly.
In the event of early contract termination initiated by either party for whatever
reason, the Contractor is only entitled to costs incurred prior to the time of
contract termination.
SECTION V. LEGAL REMEDIES
Nothing in this contract shall be construed to limit either party's legal remedies including,
but not limited to, the right to sue for damages or specific performance should either
party materially violate any of the terms of this contract. Failure to act on any default
shall not constitute waiver of rights on such default or on any subsequent default.
SECTION VI. VENUE AND CHOICE OF LAW
Any action at law, suit in equity, or other judicial proceeding for the enforcement of this
contract or any provision thereof shall be instituted only in the courts of the State of
Washington, County of Kitsap. It is mutually understood and agreed that this contract
10
shall be governed by the laws of the State of Washington, both as to its interpretation
and performance.
SECTION VII. WAIVER
No official, officer, employee, or agent of SBHASO has the power, right, or authority to
waive any of the conditions or provisions of this contract. No waiver of any breach of
this agreement shall be held to be a waiver of any other or subsequent breach. All
remedies afforded in this agreement or at law shall be taken and construed as
cumulative, that is, in addition to every other remedy provided herein or by law. The
failure of the SBHASO to enforce at any time any of the provisions of this contract, or to
require at any time performance by Contractor of any provisions hereof, shall in no way
be construed to be a waiver of such provisions, or in any way affect the validity of this
contract or any part, hereof, or the right of SBHASO to thereafter enforce each and
every provision.
SECTION VIII. NOTICES
All notices called for or provided for in this contract shall be in writing and must be
served on the party either personally or by certified mail and shall be deemed served
when deposited in the United States mail. Such notice shall be made to:
Rebecca Marriot Jolene Kron, Administrator
Superior Court Administrator Kitsap County Human Services
P.O. Box 1220 614 Division St., MS-23
Port Townsend, WA 98368 Port Orchard, WA 98366-4676
SECTION IX. PAYMENTS
A. All payments to be made by Kitsap County, on behalf of the SBHASO, under this
agreement shall be made to: Jefferson County Superior Court, City of Port
Townsend, County of Jefferson, Sate of Washington.
B. This contract shall not exceed the amount set forth in the contract
compensation/rate sheet, Attachment C. Contractor agrees to participate in and
be bound by determinations arising out of the SBHASO's disallowed cost
resolution process.
>>
SECTION X. DURATION
The Contractor is authorized to commence January 1, 2024 providing services
pursuant to this contract. This agreement shall terminate on December 31, 2024,
unless terminated sooner as provided herein.
SECTION XI. WHOLE AGREEMENT
This instrument embodies the whole agreement of the parties. There are no promises,
terms, conditions, or obligations other than those contained herein; and this contract
shall supersede all previous communications, representations, or agreements, either
verbal or written, between parties.
SECTION XII. SEVERABILITY
It is understood and agreed by the parties that if any part, term, or provision of this
contract is held by the courts to be illegal or in conflict with any law of the state where
made, the validity of the remaining portions or provisions shall not be affected, and the
rights and obligations of the parties shall be construed and enforced as if this contract
did not contain the particular part, term, or provision held to be invalid.
SECTION XIII. ATTACHMENTS. The parties acknowledge that the following
attachments, which are attached to this Contract, are expressly incorporated by this
reference:
Attachment A— Special Terms and Conditions
Attachment B — Statement of Work
Attachment C— Budget/Rate Sheet
Attachment D— Business Associate Agreement
Attachment E — Data Security and Confidentiality
Attachment F — Certification Regarding Lobbying
Attachment G — Debarment Certification
The rights and obligations of the parties shall be subject to, and governed by, the terms
and conditions contained herein and by the Statement of Work, General Agreement,
Special Terms and Conditions, Business Associate Agreement and the Budget. In the
event of any inconsistency in this notification of contract, including the items
incorporated herein by reference, the inconsistency shall be resolved by giving
precedence in the following order: (1) General Agreement; (2) Special Terms and
Conditions; (3) Statement of Work; (4) Budget/Rate Sheet.
12
ATTACHMENT A: SPECIAL TERMS AND CONDITIONS
Section II. CONTRACTOR REQUIREMENTS
A. PROGRAM REQUIREMENTS
1. General
a. Contractor shall adhere to established SBHASO protocols for determining
eligibility for services consistent with this contract.
b. Contractor shall participate in training when requested by SBHASO on
behalf of the HCA. Exceptions must be in writing and include a plan for
how the required information shall be provided to them.
c. Contractor shall not differentiate or discriminate in providing services to
clients because of race, color, religion, national origin, ancestry, age,
marital status, gender identity, sexual orientation, physical, sensory or
mental handicap, socioeconomic status, or participation in publicly
financed programs of health care services, or any other basis prohibited
by law. Contractor shall render services to clients in the same location, in
the same manner, in accordance with the same standards, and within the
same time availability regardless of payor.
d. Contract shall provide Individuals with access to translated information
and interpreter services as described in the Materials and Information
Section of this Contract.
e. Contractor agrees to comply with the appointment wait time standards of
this Contract. SBHASO shall monitor for timely access and require
corrective action if Contractor fails to comply with appointment wait time
standards.
f. Contractor shall respond in a full and timely manner to law enforcement
inquiries regarding an individual's eligibility to possess a firearm under
RCW 9.41.040(2)(a)(ii).
Contractor shall report new commitment data within twenty-four
(24) hours.
2. Quality Improvement
a. Contractors receiving GFS or FBG funds shall cooperate with SBHASO
or HCA-sponsored Quality Improvement (QI) activities.
b. Contractor shall adequately document services provided to Individuals for
all delegated activities including QI, Utilization Management, and
Individual Rights and Protections.
c. Contractor shall implement a Grievance process that complies with WAC
182-538C-110.
d. Contractor shall make information available to Individuals regarding their
right to a Grievance or Appeal in the case of:
Denial or termination of service related to medical
necessity determinations
ii. Failure to act upon a request for services with reasonable
promptness.
iii. Termination of this Contract shall not be grounds for an
appeal, Administrative Hearing, or a Grievance for the
Individual if similar services are immediately available in
the service area.
e. Contractor shall comply with Chapter 71.32 RCW (Mental Health
Advance Directives)
f. Contract shall use the Integrated Co-Occurring Disorder Screen Tool
(GAIN-SS found at https://www.hca.wa.govbillers-providers-
partners/behavioral-health-recovery/gain-ss). Contractor shall provide
training for staff that will be using the tool(s)to address the screening and
assessment process, the tool and quadrant placement. This process is
subject to Corrective Action if not implemented and maintained
throughout the period of contract performance.
g. Contractor shall report Critical Incidents involving individuals receiving
SBHASO funded services in accordance with SBHASO Critical Incident
Reporting Policy and Procedure.
3. Program Integrity
a. Contractor shall have and comply with policies and procedures that guide
its officers, employees and agents to comply with Program Integrity
requirements.
b. Contractor shall investigate and disclose to HCA immediately upon
becoming aware of any person in their employment who has been
convicted of a criminal offense related to that person's involvement under
Medicare, Medicaid, or Title XX of the Social Security Act since the
inception of those programs.
c. Contractor shall have a Fraud, Waste and Abuse program which includes:
A process to inform officers, employees, agents and
subcontractors about the False Claims Act.
ii. Administrative procedures to detect and prevent Fraud,
waste and abuse, and a mandatory compliance plan.
iii. Standards of conduct that articulate the Contractor's
commitment to comply with all applicable federal and state
standards.
iv. The designation of a compliance officer and compliance
committee that is accountable to senior management.\
v. Training for all affected parties.
vi. Effective lines of communication between the compliance
officer and the Contractor's staff.
vii. Enforcement of standards through well-publicized
disciplinary policies.
viii. Provision for internal monitoring and auditing.
ix. Provision for prompt response to detected violations, and
for development of corrective action initiatives.
d. Contractor shall subrogate, to the state of Washington for all criminal, civil
and administrative action recoveries undertaken by any government
entity, including, but not limited to, all claims the Contractor has or may
have against any entity or individual that directly or indirectly receives
funds under this Contract.
For the purpose of this section, "subrogation" means the
right of any state of Washington government entity or local
law enforcement to stand in the place of a Contractor or
Individual in the collection against a third party.
e. Contractor shall conduct criminal background checks and maintain
related policies and procedures and personnel files consistent with the
requirements in Chapter 43.43 RCW and, Chapter 246-341 WAC.
f. Contractor shall participate in the SBHASO Credentialing and
Recredentialing process as indicated by SBHASO Policies and
Procedures.
i. Contractor credentialing files are confidential and are scanned
into a secure imaging system. This document retrieval system is
protected by user ID and password to prevent unauthorized
access. These files are protected from discovery and may not be
reproduced or distributed, except for confidential peer review and
credentialing purposes consistent with state laws.
ii. When the SBHASO has reached a credentialing decision, the
Contractor will be notified in writing, within 60 calendar days of the
decision date. The credentialing determination notification will
specify the range of actions that may be taken by the Contractor,
including the appeal process.
iii. The Contractor has the right to:
a. Review information submitted to support their
credentialing application.
b. Correct erroneous information.
c. Receive the status of their credentialing or
recredentialing application, upon request.
d. Appeal the credentialing decision to the Credentialing
Committee in writing within 60 days from the date the
decision is communicated. Any appeals will be reviewed
by the Credentialing Committee; a determination will be
made within 30 calendar days of receipt and written notice
will be sent. There will be no subsequent appeal to this
final decision.
iv. If Contractor loses their accreditation, licenses, or any
other essential credentialing requirements (e.g. Liability
Insurance) prior to the re-credentialing period, they must
notify the SBHASO in writing within 15 calendar days.
v. Re-Credentialinq: Contractor re-credentialing is performed
at minimum every 36 months or as indicated by SBHASO.
g. Contractor shall complete monthly Exclusion Checks for all employees,
volunteers, and all individuals identified on the Disclosure of Ownership
Form to include:
i. Office of Inspector General— https://exclusions.oiq.hhs.gov/
ii. System for Award Management—
https://www.sam.gov/SAM/paqes/public/searchRecords/search.isf
iii. Washington State—https://www.hca.wa.gov/billers-providers-
partners/apple-health-medicaid-providers/provider-termination-
and-exclusion-list
• HCA Medicaid and DSHS social services list.
h. Contractor shall submit an attestation of completion of all Exclusion
checks to SBHASO by the last business day of the month.
i. Information about Individuals, including their medical records, shall be
kept confidential in a manner consistent with state and federal laws and
Regulations.
j. SBHASO may pursue contract termination as outlined in General Terms
and Conditions, Failure to Perform, if Contractor becomes excluded from
participation in the Medicaid program.
4. Care Coordination and Priority Populations
a. Contractor shall provide discharge planning services which shall, at a
minimum,
i. Coordinate a community-based discharge plan for each Individual
served under this Contract, beginning at intake. Discharge
planning shall apply to all Individuals regardless of length of stay
or whether they complete treatment.
ii. Coordinate exchange of assessment, admission, treatment
progress, and continuing care information with the referring entity.
Contact with the referral agency shall be made within the first
week of residential treatment.
iii. Establish referral relationships with assessment entities,
outpatient providers, vocational or employment services, and
courts which specify aftercare expectations and services,
including procedure for involvement of entities making referrals in
treatment activities.
iv. Coordinate, as needed, with DBHR prevention services,
vocational services, housing services and supports, and other
community resources and services that may be appropriate,
including the DCYF, and the DSHS Economic Services
Administration including Community Service Offices (CSOs),
Tribal governments and non-Tribal Indian Healthcare Providers.
b. Contractor shall develop and implement processes to enable information
and data sharing to support Care Coordination, consistent with this
Contract.
c. Priority admission to residential treatment must be given to the priority
populations identified in this contract.
d. Contractor shall coordinate services to financially eligible individuals who
are in need of medical services.
5. Health Information Systems
Contractor shall establish and maintain a health information system that complies
with the requirements of OCIO Security Standard 141.10, and the Data, Security
and Confidentiality Exhibit, and provides the information necessary to meet
Contractor's obligations under this Contract. OCIO Security Standards are
available at: https://ocio.wa.gov.
6. Records Retention
Records retention during the term of this Contract is for ten (10) years following
termination or expiration of this Contract, or if any audit, claim, litigation, or other
legal action involving the records is started before expiration of the ten (10)year
period. The records shall be retained until completion and resolution of all issues
arise there from or until the end of the ten (10) year period, whichever is later.
7. Public Records
All records required to be maintained by this Contract or by state law, except
medical, treatment and personnel records, shall be considered to be public
records and maintained in accordance with applicable laws. Medical and
treatment records shall be confidential and shall not be published or open to
public inspection except that such records may be inspected by the Director of
the Health Care Authority, or designee; and Contract Administrator for the
purpose of program review, monitoring and comparative cost studies.
B. FISCAL REQUIREMENTS AND MONITORING
1. Withhold of Payment
Failure of the Contractor to comply with the terms of this Contract shall give the
SBHASO the right to withhold payment of any further funds under this Contract
2. Reimbursement
In the event that it is determined that any funds were distributed under color of
this contract, which violate the terms and conditions herein, such sums shall be
reimbursed to the SBHASO upon written demand. Neither payment of any funds
under color of this contract, nor any action of the SBHASO or its officials, officers,
agents or employees, prior to the discovery of the violation, shall constitute a
waiver thereof.
3. Right to Hearing
All notices shall be given in writing specifying the reasons for such demands,
reimbursement, termination, or amendment or such other actions contemplated
in this Contract and the Contractor shall have the right to a hearing within ten
(10) days from such determination before the SBHASO Executive Board for
determination of the action and prior to commencement of any civil litigation, by
the Contractor.
4. Monitoring
a. SBHASO conducts on-going monitoring of Contractor's performance
under this Contract. If deficiencies are identified in Contractor's
performance, SBHASO will follow the Corrective Action process defined
in Section G. In addition to on-going monitoring:
i. SBHASO shall conduct Contractor review which shall include at
least one (1) onsite visit every three (3) years to each contractor
site providing state funded or FBG funded treatment services
during the period of performance of this contract in order to
monitor and document compliance with requirements.
ii. SBHASO shall ensure that Contractor has complied with data
submission requirements established by HCA for all services
funded under the Contract.
iii. SBHASO shall ensure that Contractor updates patient funding
information when the funding source changes.
iv. SBHASO requires Contractor to identify funding sources
consistent with the Payments and Sanctions Section of this
Contract, FBG reporting requirements, and the rules for payer
responsibility found in the table, "How do providers identify the
correct payer" within the Apple Health Mental Health Services
Billing Guide" which is available on the Health Care Authority's
website (https://www.hca.wa.gov)
iv. SBHASO shall maintain written or electronic records of all
Contractor monitoring activities and make them available to HCA
upon request.
5. Audit Requirements
a. Contractor shall comply with all applicable required audits including to
conduct a facility inspection, and the federal Office of Management and
Budget (OMB) Super Circular 2 C.F.R. 200.501 and 45 C.R.R 75.501
audits.
i. SBHASO shall submit a copy of the OMB audit performed by the
State Auditor to the HCA Contact within ninety (90) days of receipt
by the SBHASO of the completed audit.
a. If Contractor is subject to OMB Super Circular audit, the
SBHASO shall require a copy of the completed Single
Audit and ensure corrective action is taken for any audit
finding, per OMB Super Circular requirements
b. If Contractor is not subject to OMB Super Circular audit,
the SBHASO shall perform Contractor monitoring in
compliance with federal requirements.
6. Federal Block Grant
a. FBG funds may not be used to pay for services provided prior to the
execution of Contract, or to pay in advance of service delivery. Contract
and amendments must be in writing and executed by both parties prior to
any services being provided.
b. FBG fee-for-service, set rate, performance-based, Cost Reimbursement,
and lump sum Contracts shall be based on reasonable costs.
c. Contractor must receive an independent audit if the Contractor expends a
total of$750,000 or more in federal awards from any and/or all sources in
any state fiscal year. Contractor shall submit to the SBHASO the data
collection form and reporting package specified in 2 C.F.R. Part 200,
Subpart F, reports required by the program-specific audit guide (if
applicable), and a copy of any management letters issued by the auditor
within ten (10) days of audit reports being competed and received by
Contractor. SBHASO shall follow up with any corrective actions for
Contractor audit findings in accordance with 2 D.F.R. Part 200, Subpart F.
SBHASO shall retain documentation of all Contractor monitoring
activities; and, upon request by HCA, shall immediately make all audits
and/or monitoring documentation available to the HCA.
d. SBHASO shall conduct and/or make arrangements for an annual fiscal
review of each Contractor receiving FBG funds, regardless of
reimbursement methodology (i.e.: fee-for-service, set rate, performance-
based or cost reimbursement contracts), and shall provide HCA with
documentation of these annual fiscal reviews upon request. The annual
fiscal review shall ensure that:
Expenditures are accounted for by revenue source.
ii. No expenditures were made for items identified in the
Payment and Sanctions Section of this Contract.
iii. Expenditures are made only for the purposed stated in this
Contract, and for services that were actually provided.
e. Contractor shall participate in the peer review process when requested by
the HCA. (42 U.S.C. 300x-53(a) and 45 C.F.R. 96.136). The MHBG and
SABG requires an annual peer review by individuals with expertise in the
field of drag abuse treatment (for SABG) and individuals with expertise in
the field of mental health treatment (for MHBG). At least five percent
(5%)of treatment providers will be reviewed.
f. FBG funds may not be used, directly or indirectly, to purchase, prescribe,
or provide marijuana or treatment using marijuana. Treatment in this
context includes the treatment of opioid use disorder. FBG funds also
cannot be provided to any individual or organization that permits
marijuana use for the purposes of treating substance use or mental
disorders. See, e.g., 45 C.F.R. § 75.300(a), 21 U.S.C. §§ 812(c)(10) and
841 (prohibiting the possession, manufacture, sale, purchase or
distribution of marijuana). This prohibition does not apply to those
providing such treatment in the context of clinical research permitted by
the DEA and under the Federal Drug Administration (FDA)-approved
investigational new drug application where the article being evaluated is
marijuana or a constituent thereof that is otherwise a banned substance
under federal law.
7. Suspension, Debarment and Lobbying
The Contractor shall certify, on a separate for(Attachment F), that it is not
presently debarred, suspended, proposed for debarment, declared ineligible, or
voluntarily excluded from covered transactions by any Federal department or
agency. Contractor shall actively monitor its employees for excluded status in
accordance with SBHASO Policies and Procedures. The Contractor, on a
separate form (Attachment G), will certify that it does not use Federal funds for
lobbying purposes.
C. REPORTING REQUIREMENTS
1. Data Reporting Requirements
a. Contractor shall comply with add data reporting requirements
promulgated by the Health Care Authority (HCA), including the Service
Encounter Reporting Instructions (SERI) and the SBHASO Data
Dictionary. Contractor shall provide data to the SBHASO as needed for
performance improvement or other projects.
b. Data shall be uploaded into the SBHASO data system within 30 days of
the end of the month in which services were delivered.
D. BILLING PROCEDURES
The Contractor shall be paid within the limits established within Attachment C:
Budget/Rate Sheet. Any costs incurred by the Contractor over and above the total sums
set out in Attachment C: Budget/Rate Sheet, shall be at the Contractor's sole risk and
expense.
The Contractor shall submit invoices for payment no later than 30 calendar days
following the end of month that service was provided. Invoices for psychiatric inpatient
treatment may be submitted within 90 calendar days following the end of month of
discharge.
The SBHASO shall pay the Contractor monthly for services identified in the Statement of
Work of this Contract, subject to the availability of funds from the Health Care Authority
and Contractor's compliance with this Contract. Such payment shall be made within
thirty (30) days of the SBHASO's receipt of an invoice from the Contractor.
E. FAITH BASED ORGANIZATIONS (FBO)
1. SBHASO requires FBO to meet the requirements of 42 C.F.R. Part 54 as follows:
a. Individuals requesting or receiving SUD services shall be provided with a
choice of SUD treatment providers.
b. The FBO shall facilitate a referral to an alternative provider within a
reasonable time frame when requested by the recipient of services.
c. The FBO shall report to the SBHASO all referrals made to alternative
providers.
d. The FBO shall provide Individuals with a notice of their rights.
e. The FBO shall provide Individuals with a summary of services that
includes any religious activities.
f. Funds received from the FBO must be segregated in a manner consistent
with federal Regulations.
g. No funds may be expended for religious activities.
F. Indemnification
Contractor agrees to hold harmless HCA and its employees, and all Individuals served
under the terms of this Contract in the event of non-payment by the SBHASO.
Contractor further agrees to indemnify and hold harmless HCA and its employees
against all injuries, deaths, losses, damages, losses, damages, claims, suits, liabilities,
judgments, costs and expenses which may in any manner accrue against HCA or its
employees through the intentional misconduct, negligence, or omission of SBHASO, its
agents, officers, employees or contractors.
G. Corrective Action Process
The SBHASO conducts reviews of Contractors. During the course of any review
conducted, if performance is below Contract standards, the SBHASO will request that
the Contractor provide a Corrective Action Plan. SBHASO will work with Contractor staff
in creating Corrective Action Plans, when requested.
If the Contract Administrator finds indications of ongoing potential non-compliance during
the contract monitoring processes or learns that the Contractor, or its subcontractors,
are out of compliance with any of the terms or conditions of this Contract, the follow
process will be pursued.
1. Informal Meeting
Informal process wherein the Administrator alerts the appropriate Contractor's
staff of the potential non-compliance and an agreeable solution is reached.
2. Official Verbal Notification
If the informal meeting does not result in resolution, the SBHSO will contact the
Contractor for the purpose of official verbal notification of possible non-
compliance to establish a date when representatives of the SBHASO and the
Contractor shall meet and discuss areas of contention and attempt to resolve the
issues.
3. Written Summary
Within five (5)working days of such verbal notification, the SBHASO will provide
the Contractor representative a written summary of the areas of non-compliance
or potential non-compliance by certified mail. Notice shall be sent to the
individual identified in the General Agreement.
4. Discussion
Within twenty (20) days of the date of the written notification, a discussion
between SBHASO and Contractor staff shall be conducted to address areas of
non-compliance or potential non-compliance.
5. Withhold Payments
If the SBHASO and the Contractor cannot agree upon a resolution within ten (10)
working days of the discussion described in the previous paragraph, the
SBHASO shall withhold contract payments related to the area(s) of non-
compliance or potential non-compliance, unless a written, time-limited extension
of the period to agree upon corrective action is issued by the SBHASO.
ATTACHMENT B: STATEMENT OF WORK-Criminal Justice Treatment Account(CJTA)
1. In RSAs where funding is provided, the Contractor shall be responsible for treatment and
Recovery Support Services using specific eligibility and funding requirements for CJTA
in accordance with RCW 71.24.580 and RCW 2.30.030. CJTA funds must be clearly
documented and reported in accordance with section 9.3.1.8.
2. The Contractor shall implement any local CJTA plans developed by the CJTA panel and
approved by HCA and/or the CJTA Panel established in 71.24.580(5)(b).
3. CJTA Funding Guidelines:
a. In accordance with RCW 2.30.040, if CJTA funds are managed by a Drug Court,
then it is required to provide a dollar-for-dollar participation match for services to
Individuals who are receiving services under the supervision of a drug court.
b. The provision of SUD treatments services and treatment support services for
non-violent offenders within a drug court program may be continued for 180
calendar days following graduation from the drug court program.
c. No more than 10 percent of the total CJTA funds can be used for the following
support services combined:
i. Transportation; and
ii. Child Care Services.
4. The contractor may not use more than 30 percent of their total annual allocation for
providing treatment services in jail.
5. Court contracts may not provide any direct services.
6. Services that can be provided using CJTA funds are:
a. Brief Intervention (any level, assessment not required);
b. Acute Withdrawal Management (ASAM Level 3.2WM);
c. Sub-Acute Withdrawal Management (ASAM Level 3.2WM)
d. Outpatient Treatment (ASAM Level 1);
e. Intensive Outpatient Treatment (ASAM Level 2.1);
f. Opiate Treatment Program (ASAM Level 1);
g. Case Management (ASAM Level 1.2);
h. Intensive Inpatient Residential Treatment(ASAM Level 3.5);
i. Long-term Care Residential Treatment (ASAM Level 3.3);
j. Recovery House Residential Treatment (ASAM Level 3.1);
k. Assessment (to include Assessments done while in jail);
I. Interim Services;
m. Community Outreach;
n. Involuntary Commitment Investigations and Treatment;
o. Room and Board (Residential Treatment Only);
p. Transportation
q. Childcare Services;
r. Urinalysis;
s. Treatment in a jail may include:
i. Engaging individuals in SUD treatment;
ii. Referral to SUD services;
iii. Administration of Medications for the treatment of Opioid Use Disorder
(MOUD)to include the following
a. Screening for medications for MOUD
b. Cost of medications for MOUD
c. Administration of medications for MOUD
iv. Coordinating care;
v. Continuity of care; and
vi. Transition planning.
t. Employment services and job training;
u. Relapse prevention
v. Family/marriage education;
w. Peer-to-peer services, mentoring and coaching;
x. Self-help and support groups;
y. Housing support services (rent and/or deposits);
z. Life skills;
aa. Spiritual and faith-based support;
bb. Education; and
cc. Parent education and child development.
7. The County CJTA Committee shall participate with SBHASO and with the local
legislative authority for the county to facilitate the planning requirement as described in
RCW 71.24.580(6).
8. MAT in Therapeutic Courts
Per RCW 71.24.580, "If a region or county uses criminal justice treatment account funds
to support a therapeutic court, the therapeutic court must allow the use of all medications
approved by the federal food and drug administration for the treatment of opioid use
disorder as deemed medically appropriate for a participant by a medical professional. If
appropriate medication-assisted treatment resources are not available or accessible
within the jurisdiction, the Health Care Authority's designee for assistance must assist
the court with acquiring the resource."
a. The Contractor, under the provisions of this contractual agreement, will abide by
the following guidelines related to CJTA and Therapeutic Courts:
i. The Contractor must have policy and procedures allowing Participants
at any point in their course of treatment to seek FDA-approved
medication for any substance use disorder and ensuring the agency will
provide or facilitate the induction of any prescribed FDA approved
medications for any substance use disorder.
ii. The Contractor must have policy and procedures in place ensuring they
will not deny services to Enrollees who are prescribed any of the
Federal Drug Administration (FDA) approved medications to treat all
substance use disorders.
iii. The Contractor may not have policies and procedures in place that
mandate titration of any prescribed FDA approved medications to treat
any substance use disorder, as a condition of participants being
admitted into the program, continuing in the program, or graduating
from the program, with the understanding that decisions concerning
medication adjustment are made solely between the participant and
their prescribing provider.
iv. The Contractor must notify the SBHASO if it discovers that a CJTA
funded Therapeutic program is practicing any of the following:
a) Requiring discontinuation, titration, or alteration of their medication
regimen as a precluding factor in admittance into a Therapeutic
Court program;
b) Requiring participants already in the program discontinue MOUD
in order to be in compliance with program requirements;
c) Requiring discontinuation, titration, or alteration of their MOUD
medication regimen as a necessary component of meeting
program requirements for graduation from a Therapeutic Court
program.
b. All decisions regarding an individual's amenability and appropriateness for
MOUD will be made by the individual in concert with the Individuals medical
professional.
9. CJTA Quarterly Progress Report
a. The Contractor will submit a CJTA Quarterly Progress Report within thirty (30)
calendar days of the state fiscal quarter end using the reporting template. CJTA
Quarterly Progress Report must include the following program elements:
i. Number of Individuals served under CJTA funding for that time period;
ii. Barriers to providing services to the criminal justice population;
iii. Strategies to overcome the identified barriers;
iv. Training and technical assistance needs;
v. Success stories or narratives from Individuals receiving CJTA services;
and
vi. If a therapeutic court provides CJTA funded services: the number of
admissions of Individuals into the program who were either already on
medications for opioid use disorder, referred to a prescriber of
medications for opioid use disorder, or were provided information
regarding medications for opioid use disorder.
ATTACHMENT C: BUDGET
Budget Summary
Contractor: Jefferson County Superior Court
Contract No: KC-416-24
Contract Period: January 1,2024-December 31,2024
Expenditure Current Budget
Budget Period: 1/1/24-12/31/24
Criminal Justice Treatment Account $ 10,000.00
Budget Total $ 10,000.00
Contract Total $ 10,000.00
ATTACHMENT D: BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this "Agreement") is effective as of the 1st day of January, 2024
("Effective Date") by and between SALISH BEHAVIORAL HEALTH-ADMINISTRATIVE SERVICES
ORGANIZATION (SBHASO) and Jefferson County Superior Court (Contractor) (individually, a "Party" and,
collectively,the"Parties").
A. The Parties wish to enter into this Agreement to comply with the administrative simplification
section of the Health Insurance Portability and Accountability Act of 1996 and its implementing
regulations,as may be amended from time to time (collectively, "HIPAA").
B. SBHASO is a behavioral health-administrative services organization,a Business Associate of certain
upstream Covered Entities ("Upstream Covered Entities"), and a lawful holder of Part 2
Information, as defined below, as provided under the Confidentiality of Alcohol and Drug Abuse
Patient Records regulations at 42 CFR Part 2 ("Part 2"). SBHASO also formerly was a Covered Entity
and may continue to Use, Disclose, and maintain PHI from when it was a Covered Entity.
C. The Parties have entered into one or more arrangements (collectively, the "Service Contract")
under which Contractor will provide certain services to SBHASO that may involve Contractor
creating, receiving, maintaining, or transmitting PHI, as defined below, and Contractor may be
considered a Subcontractor Business Associate of SBHASO under HIPAA and a subcontractor of a
lawful holder under Part 2.
NOW,THEREFORE,in consideration of the Parties'continuing obligations under the Service Contract,their
compliance with HIPAA and Part 2,and other good and valuable consideration,the receipt and sufficiency
of which is hereby acknowledged,the Parties agree to this Agreement.
I. DEFINITIONS. Except as otherwise defined in this Agreement, capitalized terms in this Agreement
shall have the definitions set forth in HIPAA. "Individual" shall have the same meaning as the term
"Individual" in 45 CFR§ 160.103 and shall include a person who qualifies as a personal representative
in accordance with 45 CFR § 164.502(g). "Part 2 Information" means alcohol abuse, drug abuse, or
substance use disorder information covered by Part 2. "PHI"shall have the same meaning as the term
"Protected Health Information" that is created, received, maintained, or transmitted by Contractor
from or on behalf of SBHASO. PHI includes, without limitation, Electronic PHI, mental health
information,sexually transmitted disease information,and Part 2 Information. "PII"means personally
identifiable information as defined under Washington law.
II. PERMITTED USES AND DISCLOSURES BY CONTRACTOR.
2.1 Performance of Service Contract. Contractor may use and disclose PHI and PII to perform
functions, activities,or services for,or on behalf of,SBHASO as specified in the Service Contract
as long as the use or disclosure would not violate HIPAA, Part 2, and state and federal laws
(collectively,"Law"), if done by Salish BH-ASO or an Upstream Covered Entity.
2.2 Management; Administration; Legal Responsibilities. Contractor may use PHI and PII for its
proper management and administration and to fulfill its legal responsibilities,as long as the uses
are permitted under Law for an Upstream Covered Entity, SBHASO, and Contractor.
2.3 Required by Law. Except as otherwise limited in this Agreement, Contractor may disclose PHI
and PII as Required by Law. Contractor shall: (i) to the extent permitted by Law, immediately
notify SBHASO prior to the disclosure; (ii) cooperate with SBHASO in making any disclosures
Required by Law,including efforts to challenge or limit the disclosure; and(iii) provide a copy of
all information disclosed relating to this Agreement or the Service Contract.
1
2.4 De-Identified Information. Contractor may not use or disclose PHI or PII to create de-identified
information or Limited Data Sets or to otherwise anonymize or aggregate PHI or PII for its own
use or disclosure, without prior, express,written approval from SBHASO.
2.5 Minimum Necessary. Contractor shall make all reasonable efforts to access, use, disclose, or
request only the minimum necessary amount of PHI or PII to accomplish the intended,permitted
purpose of the access, use, disclosure, or request. Contractor shall comply with SBHASO's
policies and procedures concerning minimum necessary requirements. The Parties shall
collaborate in determining what quantum of information constitutes the"minimum necessary"
amount for Contractor to accomplish its intended purposes.
III. OBLIGATIONS AND ACTIVITIES OF CONTRACTOR.
3.1 Compliance with this Agreement. Notwithstanding anything to the contrary,Contractor agrees
to not use or further disclose PHI or PII other than as permitted or required by this Agreement
or as Required by Law.
3.2 Safeguards. Contractor agrees to: (i) use appropriate safeguards to prevent use or disclosure
of PHI and PII other than as provided for by this Agreement; (ii) implement the administrative,
physical, and technical safeguards of the Security Standards for the Protection of Electronic
Protected Health Information (the "Security Rule") that reasonably and appropriately protect
the confidentiality, integrity, and availability of any PHI; (iii) comply with those requirements
under the Security Rule that apply to Business Associates; and (iv) implement appropriate
safeguards to protect Part 2 Information.
3.3 Notification.
3.3.1 Impermissible Use or Disclosure. Contractor shall report to SBHASO any use or
disclosure of PHI or PII not permitted under this Agreement, regardless of whether the
use or disclosure rises to the level of a Breach.
3.3.2 Security Incident. Contractor shall report to SBHASO any Security Incident of which
Contractor becomes aware, regardless of whether the Security Incident rises to the level
of a Breach. This Agreement constitutes notification of"unsuccessful"Security Incidents
that do not present a risk to PHI or PII such as: (i) "pings" on an information system
firewall; (ii) port scans; and (iii) attempts to log on to an information system or enter a
database with an invalid password or user name.
3.3.3 Breach Notification. Contractor shall report any Breach of Unsecured PHI, as required
by the Notification of a Breach of Unsecured Protected Health Information Standards
(the"Breach Notification Rule").
3.3.4 Part 2 Information. Contractor shall report to SBHASO unauthorized uses, disclosures,
or breaches of Part 2 Information.
3.3.5 Reporting Requirements. Contractor shall make the report as soon as practical and in
any event within five (5) business days of Contractor's discovery of one of the events
described in Sections 3.3.1, 3.3.2, 3.3.3, and 3.3.4 (each, an "Event"). Contractor shall
supplement the information provided in the report as it becomes available. An Event
shall be treated as discovered by Contractor as of the first day on which the Event is
known to Contractor or,through the exercise of reasonable diligence,would have been
known to Contractor.
3.3.6 Content of Notification. Contractor shall provide: (i) information as required by the
Breach Notification Rule and to fully inform SBHASO of each Event;and(ii)any additional
2
information requested by SBHASO. At a minimum,the report of an Event shall include,
to the extent possible:
(a) The identification of each Individual whose PHI or PII has been, or is reasonably
believed by Contractor to have been, accessed, acquired, used, or disclosed during
or as a result of the Event;
(b) A brief description of what happened, including the date of the Event and the date
of discovery of the Event;
(c) A description of the types of PHI or PII involved in the Event (such as whether full
name, Social Security number, date of birth, home address, account number,
diagnosis, disability code,or other types of information were involved);
(d) Any steps Individuals should take to protect themselves from potential harm
resulting from the Event;
(e) A brief description of what Contractor is doing to investigate the Event,to mitigate
harm to Individuals, and to protect against any further Events; and
(f) Contact procedures for SBHASO or Individuals to ask questions or learn additional
information, which shall include a toll-free telephone number, an e-mail address,
Web site,or postal address.
3.4 Subcontractors. Contractor shall ensure any Subcontractor whom Contractor permits to create,
receive,maintain,or transmit PHI or PII on behalf of Contractor or SBHASO,agrees in writing: (i)
to the same restrictions and conditions that apply through this Agreement to Contractor; and
(ii) to comply with the requirements of the Security Rule that apply to Business Associates.
Contractor shall not permit a Subcontractor to create, receive, maintain, or transmit PHI or PII
unless Contractor has performed adequate due diligence on the Subcontractor and found
Subcontractor's safeguards appropriate.
3.5 Restrictions. Contractor agrees to comply with any requests for restrictions on certain uses and
disclosures of PHI or PII of which SBHASO informs Contractor.
3.6 Access. At the request of SBHASO, within ten (10) business days, unless a shorter time period
is requested, in the manner, form, and format requested by SBHASO, Contractor shall make
available PHI and PII so that SBHASO or an Upstream Covered Entity may respond to an
Individual's request for access to PHI and PII in accordance with the Standards for Privacy of
Individually Identifiable Health Information (the "Privacy Rule") and other Law. In the event an
Individual requests from Contractor access to PHI or PII, Contractor,to the extent permitted by
Law, shall forward the request to SBHASO within two (2) business days.
3.7 Amendment. At the request of SBHASO in a reasonable time and manner and in the form and
format requested by SBHASO,Contractor shall make amendments to PHI and PII so that SBHASO
or an Upstream Covered Entity may respond to an Individual's request for an amendment by
SBHASO in accordance with the Privacy Rule and other Law. In the event an Individual requests
from Contractor any amendments,to the extent permitted by Law,Contractor shall forward the
request to SBHASO within two (2) business days.
3.8 Accounting of Disclosures. Contractor shall document any disclosures that are required to be
in an accounting of disclosures under the Privacy Rule and, upon request, shall provide
information required to be included in an accounting of disclosures to SBHASO to permit
SBHASO or an Upstream Covered Entity to comply with the Privacy Rule and other Law. In the
event an Individual requests from Contractor, an accounting of disclosures, to the extent
permitted by law,Contractor shall forward the request to Salish BH-ASO within two(2)business
days.
3
3.9 Disclosures to the Secretary. Contractor agrees that it will make its internal practices, books,
and records available to the Secretary of the United States Department of Health and Human
Services (the "Secretary"), for the purpose of determining an Upstream Covered Entity's,
SBHASO's or Contractor's compliance with HIPAA, and to SBHASO for the purpose of
determining Contractor's compliance with this Agreement, HIPAA, and other Law, in a time and
manner designated by the Secretary or SBHASO. Contractor: (i) immediately shall notify Salish
BH-ASO of any requests from the Secretary pertaining to an investigation of an Upstream
Covered Entity's, SBHASO's, or Contractor's compliance with HIPAA; (ii) cooperate with Salish
BH-ASO in responding to the Secretary's request; and (iii) provide to SBHASO a copy of all
documents provided to the Secretary.
3.10 Part 2 Information.
3.10.1 Part 2 Obligations of Contractor. To the extent that, in performing services for or on
behalf of SBHASO under the Service Contract, Contractor uses, discloses, maintains, or
transmits Part 2 Information, Contractor acknowledges and agrees that it: (i) is fully
bound by Part 2; (ii)with respect to Part 2 Information received by SBHASO pursuant to
an authorization or consent, will limit its use and disclosure of Part 2 Information to
Payment and Health Care Operations purposes;and(iii)if necessary,will resist in judicial
proceedings any efforts to obtain access to Part 2 Information except as permitted by
Part 2.
3.10.2 Notice. 42 CFR Part 2 prohibits unauthorized disclosure of these records.
3.10.3 Redisclosure. Contractor shall not redisclose Part 2 Information to a third party unless
the third party is a contract agent of Contractor helping Contractor provide services
under the Service Contract and only as long as the agent further discloses Part 2
Information only back to Contractor or SBHASO.
3.10.4 Compliance. Contractor acknowledges that any unauthorized disclosure of Part 2
Information may be a federal criminal offense.
3.11 Sexually Transmitted Disease Information Notice. With respect to sexually transmitted disease
information: This information has been disclosed to you (Contractor) from records whose
confidentiality is protected by state law. State law prohibits you from making any further
disclosure of it without the specific written authorization for the release of medical or other
information is NOT sufficient for this purpose.
3.12 Covered Entity Obligations. To the extent that Contractor is to carry out one or more of Covered
Entity obligations under the Privacy Rule,Contractor shall comply with the requirements of the
Privacy Rule that apply to a Covered Entity in the performance of the obligations.
3.13 On-Site Services. Contractor agrees that, while present at any SBHASO facility and/or when
accessing SBHASO's computer networks, it and all of its Workforce,agents,and Subcontractors
at all times will comply with any network access and other security practices, policies, and
procedures established by SBHASO including,without limitation,those established pursuant to
HIPAA.
3.14 No Sale of PHI. Contractor agrees that it will not directly or indirectly receive remuneration in
exchange for any PHI or PII without: (a)the written authorization of each applicable Individual,
except when expressly permitted by the Privacy Rule; and (b) the advance written permissions
of SBHASO.
4
3.15 No Impermissible Marketing or Fundraising Communication. Contractor agrees that it will not
engage in Marketing or fundraising communications that would not be permitted by SBHASO or
an Upstream Covered Entity under HIPAA.
3.16 Mitigation. Contractor agrees to mitigate,to the extent practicable, any harmful effect that is
known to Contractor of a use or disclosure of PHI or PII by Contractor in breach of this
Agreement,failure to comply with applicable Law,and any Event,as defined in Section 3.3.
3.17 Compliance with Applicable Law. Contractor shall comply with applicable Law. Contractor shall
not act or fail to act in a manner that causes SBHASO to not be in compliance with applicable
Law.
IV. OBLIGATIONS OF SBHASO. SBHASO shall not request Contractor to act in a manner that is not
permissible under HIPAA.
V. TERM AND TERMINATION.
5.1 Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate
upon the expiration or termination of the Service Contract.
5.2 Termination. Upon SBHASO's knowledge of a material breach by Contractor of its obligations
under this Agreement,SBHASO may notify Contractor,and Contractor shall have thirty(30)days
from receipt of that notice to cure the breach or end the violation. Notwithstanding anything
to the contrary in the Service Contract, if Contractor fails to cure the breach or end the violation
within the designated time period, then SBHASO immediately may terminate the Service
Contract upon notice.
5.3 Effect of Termination.
5.3.1 Return or Destruction. Except as provided in 5.3.2,upon termination of this Agreement,
Contractor,within ten (10)days, shall return or destroy all PHI and PII. Any destruction
shall be in a manner consistent with HIPAA and related guidance. This provision also
shall apply to PHI and PII that is in the possession of agents or Subcontractors of
Contractor. Neither Contractor nor its agents or Subcontractors shall retain copies of
the PHI. Upon request, Contractor shall provide a certificate of appropriate destruction
of the PHI and PII.
5.3.2 Continued Protections. In the event that Contractor determines that returning or
destroying the PHI and PII is infeasible, Contractor shall provide within ten (10) days to
SBHASO notification of the conditions that make return or destruction infeasible of PHI
and PII. Upon mutual agreement of the Parties that return or destruction of PHI is
infeasible and to the extent Contractor retains knowledge of the PHI and PII, Contractor
shall extend the protections of this Agreement to the PHI and PII and limit further uses
and disclosures of the PHI and PII to those purposes that make the return or destruction
infeasible,for as long as Contractor maintains,or retains knowledge of,the PHI or PII.
VI. MISCELLANEOUS.
6.1 Indemnification Obligation. Notwithstanding anything to the contrary in the Service Contract,
Contractor will indemnify, defend at SBHASO's request, and hold harmless SBHASO, its
Workforce, County Authorities Executive Committee, Advisory Board, partners, agents, and
Subcontractors(collectively"SBHASO Indemnified Parties")from and against any and all claims,
actions, investigations, proceedings, losses, liability, damages, costs, and expenses (including
attorneys' fees, costs of defense, and costs of investigation, mitigation, remediation, and
notification)incurred or suffered by an SBHASO Indemnified Party(collectively,"Damages")that
5
arise out of, result from,allege, or relate to any of the following: (i) Contractor's breach of this
Agreement, including any breach of any representation or warranty; (ii) any Event reported by
Contractor under this Agreement; (iii) any violation of Law by or caused by Contractor or its
Workforce, agents, or Subcontractors; or(iv) any negligent act or omission, willful misconduct,
strict liability,or fraud by or of Contractor or its Workforce,agents, or Subcontractors.
6.2 Coverage of Costs. In addition, and without limitation of Supplier's obligations under Section
6.1, Supplier will pay the reasonable costs incurred by SBHASO and any affected Upstream
Covered Entities in connection with the following items with respect to any Event: (a) any
investigation to determine the cause of an Event, including forensic consultations; (b) legal
advice regarding an Event; (c) provision of notification of an Event to affected Individuals,
applicable government, relevant industry self-regulatory agencies, and the media; (d) provision
of credit monitoring and/or identity theft services to affected Individuals; (e)operation of a call
center to respond to questions from Individuals; and (f) other reasonable mitigation efforts as
deemed necessary or appropriate by SBHASO and any affected Upstream Covered Entity.
6.3 Process for Indemnification. SBHASO will notify Contractor of any Damages for which it seeks
indemnification. Upon a SBHASO request for defense, Contractor will use counsel reasonably
satisfactory to the SBHASO Indemnified Parties to defend each claim related to the Damages
and will keep the SBHASO Indemnified Parties informed of the status of the defense of each of
the Damages. SBHASO will give Contractor reasonable assistance, at Contractor's expense, as
Contractor may reasonably request. SBHASO will provide Contractor the opportunity to assume
sole control over defense and settlement, as long as Contractor will not consent to the entry of
any judgment or enter into any settlement without the SBHASO Indemnified Parties' prior
written consent,which will not be unreasonably withheld. Any SBHASO Indemnified Party may
participate in the defense at its own expense. Contractor's duty to defend is independent of its
duty to indemnify,to mitigate,or to cover costs.
6.4 Not Limited by Insurance Coverage. Contractor's indemnification, mitigation, coverage of
costs,and defense obligations will not be limited in any manner whatsoever by any required or
other insurance coverage maintained by Contractor.
6.5 No Limitations on Liability. Notwithstanding any other provision of this Agreement or the
Service Contract, in no event will any exclusions, disclaimers, waivers, or limitations of any
nature whatsoever apply to any damages, liability, rights, or remedies arising from or in
connection with: (i) Contractor's indemnification and defense obligations under this
Agreement; (ii) Contractor's breach of this Agreement, including any breach of any
representation or warranty; (iii) any Event reported by Contractor; (iv) any violation of Law by
or caused by Contractor or its Workforce, agents,or Subcontractors; or(v) any negligent act or
omission,willful misconduct,strict liability,or fraud by or of Contractor or its Workforce,agents,
or Subcontractors.
6.6 Ownership of Information. The Parties agree that Contractor shall not have an ownership
interest in PHI or PII or any derivations of the PHI or PII.
6.7 Insurance. Contractor shall maintain appropriate and adequate insurance coverage, including
cyber insurance, to cover Contractor's obligations pursuant to this Agreement. Contractor's
cyber insurance shall be no less than one million dollars ($1,000,000) per occurrence. Upon
request, Contractor shall provide evidence of insurance coverage.
6.8 Equitable and Injunctive Relief. The Parties acknowledge that the use or disclosure of PHI or
PII in a manner inconsistent with this Agreement may cause SBHASO and its Upstream Covered
6
Entities irreparable damage and that SBHASO and its Upstream Covered Entities shall have the
right to equitable and injunctive relief,without having to post bond,to prevent the unauthorized
use or disclosure of PHI or PII and to damages as are occasioned by an Event in addition to other
remedies available at law or in equity. SBHASO's and Upstream Covered Entities' remedies
under this Agreement and the Service Contract shall be cumulative, and the exercise of any
remedy shall not preclude the exercise of any other.
6.9 Third Party Beneficiaries. Notwithstanding anything to the contrary in the Service Contract or
this Agreement, Individuals who are the subject of PHI shall be third party beneficiaries to this
Agreement. Subject to the foregoing, nothing in this Agreement shall confer upon any person
other than the Parties and their respective successors or assigns, any rights, remedies,
obligations,or liabilities whatsoever.
6.10 Interpretation. This Agreement shall be interpreted in a manner consistent with the Parties'
intent to comply with HIPAA, Part 2, and other Law. Any ambiguity of this Agreement shall be
resolved in favor of a meaning that permits the Parties to comply with HIPAA, Part 2, and other
Law. In the event of an inconsistency between the provisions of this Agreement and mandatory
provisions of HIPAA, HIPAA shall control. In the event of any inconsistency between this
Agreement and the Service Contract or any other agreement between the Parties,the terms of
this Agreement shall control. Nothing in this Agreement shall be construed as a waiver of any
legal privilege or protection, including for trade secrets or confidential commercial information.
6.11 Survival. The obligations of Contractor under Sections 3.2, 3.3, 3.6, 3.8, 3.10, 3.11, 3.14, 3.16,
5.3,6.1,6.2,6.3,6.4,6.6,6.8,and 6.9 of this Agreement shall survive the expiration,termination,
or cancellation of this Agreement,the Service Contract, and/or the business relationship of the
Parties, and shall continue to bind Contractor, its Workforce, agents, employees,
subcontractors,successors, and assigns as set forth in this Agreement.
6.12 Amendment. This Agreement may be amended or modified only in a writing signed by the
Parties. The Parties agree that they will negotiate amendments to this Agreement to conform
to any changes in HIPAA and Part 2.
6.13 Assignment. Neither Party may assign its respective rights and obligations under this
Agreement without the prior written consent of the other Party.
6.14 Independent Contractor. None of the provisions of this Agreement are intended to create, nor
will they be deemed to create, any relationship between the Parties other than that of
independent parties contracting with each other solely for the purposes of effecting the
provisions of this Agreement and any other agreements between the Parties evidencing their
business relationship. No agency relationship is deemed created by this Agreement.
6.15 Governing Law. To the extent this Agreement is not governed exclusively by HIPAA, Part 2, or
other Law, it will be governed by and construed in accordance with the laws of the State of
Washington.
6.16 No Waiver. No change,waiver,or discharge of any liability or obligation under this Agreement
on any one or more occasions shall be deemed a waiver of performance of any continuing or
other obligation,or shall prohibit enforcement of any obligation,on any other occasion.
6.17 Severability. In the event that any provision of this Agreement is held by a court of competent
jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement
will remain in full force and effect.
7
6.18 Notice. Any notification required in this Agreement shall be made in writing to the
representative of the Party who signed this Agreement or the person currently serving in that
representative's position with the other Party.
6.19 Entire Agreement. This Agreement constitutes the entire understanding of the Parties with
respect to its subject matter and supersedes all prior agreements,oral or written.
8
ATTACHMENT E: DATA USE, SECURITY AND CONFIDENTIALITY
1 Definitions
The definitions below apply to this Attachment:
1.1 "Authorized User" means an individual or individuals with an authorized business need to access
HCA's Confidential Information under this Contract.
1.2 "Breach" means the unauthorized acquisition, access, use, or disclosure of Data shared under
this Contract that compromises the security, confidentiality or integrity of the Data.
1.3 "Business Associate" means a Business Associate as defined in 45 CFR 160.103, who performs
or assists in the performance of an activity for or on behalf of HCA, a Covered Entity that involves
the use or disclosure of protected health information (PHI). Any reference to Business Associate in
this DSA includes Business Associate's employees, agents, officers, Subcontractors, third party
contractors, volunteers, or directors.
1.4 Business Associate Agreement" means the HIPAA Compliance section of this Exhibit and
includes the Business Associate provisions required by the U.S. Department of Health and Human
Services, Office for Civil Rights.
1.5 "Covered Entity" means HCA, which is a Covered Entity as defined in 45 C.F.R. § 160.103, in its
conduct of covered functions by tis health care components.
1.6 "Data" means the information that is disclosed or exchanged as described by this Contract. For
purposes of this Attachment, Data means the same as "Confidential Information."
1.7 "Designated Record Set" means a group of records maintained by or for a Covered Entity, that
is: the medical and billing records about Individuals maintained by or for a covered health care
provider; the enrollment, payment, claims adjudication, and case or medical management record
systems maintained by or for a health plan; or Used in whole or part by or for the Covered Entity to
make decisions about Individuals.
1.8 "Disclosure" means the release, transfer, provision of, access to, or divulging in any other
manner of information outside the entity holding the information.
1.9 "Electronic Protected Health Information (ePHI)" means Protected Health Information that is
transmitted by electronic media or maintained as described in the definition of electronic media at
45 C.F.R. § 160.103.
1.10 "Hardened Password" after July 1, 2019 means a string of characters containing at least three of
the following character classes: upper case letters; lower case letters; numerals; and special
characters, such as an asterisk, ampersand or exclamation point.
1.10.1 Passwords for external authentication must be a minimum of 10 characters long.
1.10.2 Passwords for internal authentication must be a minimum of 8 characters long.
1.10.3 Passwords used for system service or service accounts must be a minimum of 20
characters long.
1.11 "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended,
together with its implementing regulations, including the Privacy Rule, Breach Notification Rule,
and Security Rule. The Privacy Rule is located at 45 C.F.R. Part 160 and Subparts A and E of 45
C.F.R. Part 164. The Breach Notification Rule is located in Subpart D of 45 C.F.R. Part 164. The
Security Rule is located in 45 C.F.R. Part 160 and Subparts A and C of 45 C.F.R. Part 164.
1.12 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at45
C.F.R. Parts 160 and Part 164.
1.13 "Medicare Data Use Requirements" refers to the four documents attached and incorporated into
this Exhibit as Schedules 1, 2, 3, and 4 that set out the terms and conditions Contractor must
agree to for the access to and use of Medicare Data for the Individuals who are dually eligible in
the Medicare and Medicaid programs.
1.14 "Minimum Necessary" means the least amount of PHI necessary to accomplish the purpose for
which the PHI is needed.
1.15 "Portable/Removable Media" means any Data storage device that can be detached or removed
from a computer and transported, including but not limited to: optical media (e.g. CDs, DVDs);USB
drives; or flash media (e.g. CompactFlash, SD,MMC).
1.16 "Portable/Removable Devices" means any small computing device that can be transported,
including but not limited to: handhelds/PDAs/Smartphones; Ultramobile PC's, flash memory
devices (e.g. USB flash drives, personal media players); and laptops/notebook/tablet computers. If
used to store Confidential Information, devices should be Federal Information Processing
Standards (FIPS) Level 2 compliant.
1.17 "PRISM" means the DSHS secure, web-based clinical decision support tool that shows
administrative data for each Medicaid Client and is organized to identify care coordination
opportunities.
1.18 "Protected Health Information" or"PHI" has the same meaning as in HIPAA except that it in this
Contract the term includes information only relating to individuals.
1.19 "ProviderOne" means the Medicaid Management Information System, which is the State's
Medicaid payment system managed by HCA.
1.20 "Security Incident" means the attempted or successful unauthorized access, use, disclosure,
modification or destruction of information or interference with system operations in an information
system.
1.21 "Tracking" means a record keeping system that identifies when the sender begins delivery of
Confidential Information to the authorized and intended recipient, and when the sender receives
confirmation of delivery from the authorized and intended recipient of Confidential Information.
1.22 "Transmitting" means the transferring of data electronically, such as via email, SFTP,web-
services, AWS Snowball, etc.
1.23 "Transport" means the movement of Confidential Information from one entity to another, or within
an entity, that: places the Confidential Information outside of a Secured Area or system (such as a
local area network); and is accomplished other than via a Trusted System.
1.24 "Trusted System(s)" means the following methods of physical delivery: (1)
hand-delivery by a person authorized to have access to the Confidential
Information with written acknowledgement of receipt; (2) United States Postal
Service ("USPS")first class mail, or USPS delivery services that include
Tracking, such as Certified Mail, Express Mail or Registered Mail; (3)
commercial delivery services (e.g. FedEx, UPS, DHL)which offer tracking
and receipt confirmation; and (4)the Washington State Campus mail system.
For electronic transmission, the Washington State Governmental Network
(SGN) is a Trusted System for communications within that Network.
1.25 "U.S.C." means the United States Code. All references in this Exhibit
to U.S.C. chapters or sections will include any successor, amended, or
replacement statute. The U.S.C. may be accessed at
http://uscode.house.gov/
1.26 "Unique User ID" means a string of characters that identifies a
specific user and which, in conjunction with a password, passphrase,
or other mechanism, authenticates a user to an information system.
1.27 "Use" includes the sharing, employment, application, utilization, examination,
or analysis, of Data.
2 Data Classification
2.1 The State classifies data into categories based on the sensitivity of the data
pursuant to the Security policy and standards promulgated by the Office of
the state of Washington Chief Information Officer. (See Section 4 of this
Exhibit, Data Security, of Securing IT Assets Standards No. 141.10 in the
State Technology Manual at https://ocio.wa.gov/policies/141-securing-
information-technology-assets/14110-securing-information-technology-
assets.)
The Data that is the subject of this Contract is classified as Category 4—
Confidential Information Requiring Special Handling. Category 4 Data is
information that is specifically protected from disclosure and for which:
2.1.1 Especially strict handling requirements are dictated, such as by
statutes, regulations, or agreements;
2.1.2 Serious consequences could arise from unauthorized
disclosure, such as threats to health and safety, or legal
sanctions.
3 PRISM Access- N/A
4 Constraints on Use of Data
4.1 This Contract does not constitute a release of the Data for the Contractor's
discretionary use. Contractor must use the Data received or accessed under
this Contract only to carry out the purpose of this Contract. Any ad hoc
analyses or other use or reporting of the Data is not permitted without
SBHASO's and HCA's prior written consent.
4.2 Data shared under this Contract includes data protected by 42 C.F.R. Part
2. In accordance with 42 C.F.R. § 2.32, this Data has been disclosed from
records protected by federal confidentiality rules (42 C.F.R. Part 2). The
federal rules prohibit Receiving Party from making any further disclosure of
the Data that identifies a patient as having or having had a substance use
disorder either directly, by reference to publicly available information, or
through verification of such identification by another person unless further
disclosure is expressly permitted by the written consent of the individual
whose information is being disclosed or as otherwise permitted by42
C.F.R. Party 2. A general authorization for the release of medical or other
information is NOT sufficient for this purpose (42 C.F.R. § 2.31). The federal
rules restrict any use of the SUD Data to investigate or prosecute with regard
to a crime any patient with a substance use disorder, except as provided at 42
C.F.R. § 2.12(c)(5) and § 2.65.
4.2.1 The information received under subsection 7.7 of the Contract is also
protected by federal law, including 42 C.F.R. Part 2, Subpart D, §
2.53, which requires HCA and their Subcontractors to:
4.2.1.1 Maintain and destroy the patient identifying information in
a manner consistent with the policies and procedures
established under 42 C.F.R. §2.16;
4.2.1.2 Retain records in compliance with applicable federal,
state, and local record retention laws; and
4.2.1.3 Comply with the limitations on disclosure and Use in 42
C.F.R. Part 2, Subpart D, § 2.53(d).
4.3 Any disclosure of Data contrary to this Contract is unauthorized and
is subject to penalties identified in law.
4.4 The Contractor must comply with the Minimum Necessary Standard, which
means that Contractor will use the least amount of PHI necessary to
accomplish the Purpose of this Contract.
4.4.1 Contractor must identify:
4.4.2 Those persons or classes of persons in its workforce who need
access to PHI to carry out their duties; and
4.4.3 For each such person or class of persons, the category or
categories of PHI to which access is needed and any conditions
appropriate to such access.
4.4.4 Contractor must implement policies and procedures that limit the
PHI disclosed to such persons or classes of persons to the
amount reasonably necessary to achieve the purpose of the
disclosure, in accordance with this Contract.
5 Security of Data
5.1 Data Protection
5.1.1 The Contractor must protect and maintain all Confidential
Information gained by reason of this Contract, information that is
defined as confidential under state or federal law or regulation, or
Data that HCA has identified as confidential, against unauthorized
use, access, disclosure, modification or loss. This duty requires the
Contractor to employ reasonable security measures, which include
restricting access to the Confidential Information by:
5.1.1.1 Allowing access only to staff that have an authorized
business requirement to view the Confidential
Information.
5.1.1.2 Physically securing any computers, documents, or other
media containing the Confidential Information.
5.2 Data Security Standards
5.2.1 Contractor must comply with the Data Security Requirements set
out in this section and the Washington OCIO Security Standard,
141.10, which will include any successor, amended, or
replacement regulation (https://ocio.wa.gov/policies/141-securing-
information-technology-assets!14110-securing-information-
technology-assets.)The Security Standard 141.10 is hereby
incorporated by reference into this Contract.
5.2.2 Data Transmitting
5.2.2.1 When transmitting Data electronically, including via
email, the Data must be encrypted using NIST 800-
series approved algorithms
(http://csrc.nist.gov/publications/PubsSPs.html). This
includes transmission over the public internet.
5.2.2.2 When transmitting Data via paper documents, the
Contractor must use a Trusted System.
5.2.3 Protection of Data. The Contractor agrees to store and protect Data
as described.
5.2.3.1 Data at Rest:
5.2.3.1.1 Data will be encrypted with NIST 800-series
approved algorithms. Encryption keys will be
stored and protected independently of the
data. Access to the Data will be restricted to
Authorized Users through the use of access
control lists, a Unique User ID, and a
Hardened Password, or other authentication
mechanisms which provide equal or greater
security, such as biometrics or smart cards.
Systems that contain or provide access to
Confidential Information must be located in
an area that is accessible only to authorized
personnel, with access controlled through
use of a key, card key, combination lock, or
comparable mechanism.
5.2.3.2 Data stored on Portable/Removable Media or Devices
5.2.3.2.1 Confidential Information provided by
SBHASO or HCA on Removable Media
will be encrypted with NIST 800-series
approved algorithms.
Encryption keys will be stored and protected
independently of the Data.
5.2.3.2.2 HCA's Data must not be stored by the
Contractor on Portable Devices or Media
unless specifically authorized within the
Contract. If so authorized, the Contractor
must protect the Data by:
a. Encrypting with NIST 800-series
approved algorithms. Encryption keys
will be stored and protected
independently of the data;
b. Controlling access to the devices with
a Unique User ID and Hardened
Password or stronger authentication
method such as a physical token or
biometrics;
c. Keeping devices in locked storage
when not in use;
d. Using check-in/check-out
procedures when devices are
shared;
e. Maintaining an inventory of devices;
and
f. Ensuring that when being transported
outside of a Secured Area, all devices
containing Data are under the
physical control of an Authorized
User.
5.2.3.3 Paper Documents. Any paper records containing
Confidential Information must be protected by storing the
records in a Secured Area that is accessible only to
authorized personnel. When not in use, such records
must be stored in a locked container, such as a file
cabinet, locking drawer, or safe, to which only authorized
persons have access.
5.2.4 Data Segregation
5.2.4.1 HCA Data received under this Contract must be
segregated or otherwise distinguishable from non-HCA
Data. This is to ensure that when no longer needed by
the Contractor, all of HCA's Data can be identified for
return or destruction. It also aids in determining
whether HCA's Data has or may have been
compromised in the event of a security breach.
5.2.4.2 HCA's Data must be kept in one of the following ways:
5.2.4.2.1 On media (e.g. hard disk, optical disc,
tape, etc.)which contains only HCA Data;
5.2.4.2.2 In a logical container on electronic media,
such as a partition or folder dedicated to
HCA's Data;
5.2.4.2.3 In a database that contains only HCA Data;
5.2.4.2.4 Within a database — HCA data must be
distinguishable from non- HCA Data by the
value of a specific field or fields within
database records;
5.2.4.2.5 Physically segregated from non-HCA Data
in a drawer, folder, or other container when
stored as physical paper documents.
5.2.4.3 When it is not feasible or practical to segregate
HCA's Data from non-HCA data, both HCA's Data
and the non-HCA data with which it is commingled
must be protected as described in this Exhibit.
5.3 Data Disposition
5.3.1 Upon request by SBHASO or HCA, at the end of the Contract
term, or when no longer needed, Confidential Information/Data
must be returned to HCA or disposed of as set out below, except
as required to be maintained for compliance or accounting
purposes.
5.3.2 Media are to be destroyed using a method
documented within NIST 800-88
(http://csrc.nist.gov/publications/PubsSPs.html).
5.3.3 For Data stored on network disks, deleting unneeded Data is
sufficient as long as the disks remain in a Secured Area and
otherwise meet the requirements listed in Section 4.b.iii, above.
Destruction of the Data as outlined in this section of this Exhibit
may be deferred until the disks are retired, replaced, or otherwise
taken out of the Secured Area.
6 Data Confidentiality and Non-Disclosure
6.1 Data Confidentiality.
6.1.1 The Contractor will not use, publish, transfer, sell or otherwise
disclose any Confidential Information gained by reason of this
Contract for any purpose that is not directly connected with the
purpose of this Contract,except:
6.1.1.1 as provided by law; or
6.1.1.2 with the prior written consent of the person or personal
representative of the person who is the subject of the
Confidential Information.
6.2 Non-Disclosure of Data
6.2.1 The Contractor will ensure that all employees or Subcontractors
who will have access to the Data described in this Contract
(including both employees who will use the Data and IT support
staff) are instructed and aware of the use restrictions and
protection requirements of this Attachment before gaining access
to the Data identified herein. The Contractor will ensure that any
new employee is made aware of the use restrictions and protection
requirements of this Attachment before they gain access to the
Data.
6.2.2 The Contractor will ensure that each employee or Subcontractor who
will access the Data signs a non-disclosure of confidential
information agreement regarding confidentiality and non-disclosure
requirements of Data under this Contract. The Contractor must
retain the signed copy of employee non-disclosure agreement in
each employee's personnel file for a minimum of six years from the
date the employee's access to the Data ends. The Contractor will
make this documentation available to SBHASO or HCA upon
request.
6.3 Penalties for Unauthorized Disclosure of Data
6.3.1 The Contractor must comply with all applicable federal and state
laws and regulations concerning collection, use, and disclosure of
Personal Information and PHI. Violation of these laws may result
in criminal or civil penalties or fines.
6.3.2 The Contractor accepts full responsibility and liability for
any noncompliance with applicable laws or this Contract by
itself, its employees, and its Subcontractors.
7 Data Shared with Subcontractors
If Data access is to be provided to a Subcontractor under this Contract, the
Contractor must include all of the Data security terms, conditions and requirements
set forth in this Attachment in any such Subcontract.
However, no subcontract will terminate the Contractor's legal responsibility to HCA
for any work performed under this Contract nor for oversight of any functions and/or
responsibilities it delegates to any subcontractor. Contractor must provide an
attestation by January 31, each year that all Subcontractor meet, or continue to meet,
the terms, conditions, and requirements in this Attachment.
8 Data Breach Notification
8.1 The Breach or potential compromise of Data must be reported to the
SBHASO Privacy Officer at IClauson@kitsap.gov.and to the SBHASO
Contract Manager at Sjlewiskitsap.qov within five (5) business days of
discovery. If the Contractor does not have full details, it will report what
information it has, and provide full details within fifteen (15) business days
of discovery. To the extent possible, these reports must include the
following:
8.1.1 The identification of each non-Medicaid Individual whose PHI has
been or may have been improperly accessed, acquired, used, or
disclosed;
8.1.2 The nature of the unauthorized use or disclosure, including a
brief description of what happened, the date of the event(s), and
the date of discovery;
8.1.3 A description of the types of PHI involved;
8.1.4 The investigative and remedial actions the Contractor or its
Subcontractor took or will take to prevent and mitigate harmful
effects, and protect against recurrence;
8.1.5 Any details necessary for a determination of the potential harm to
Individuals whose PHI is believed to have been used or disclosed
and the steps those Individuals should take to protect themselves;
and
8.1.6 Any other information SBHASO or HCA reasonably requests.
8.2 The Contractor must take actions to mitigate the risk of loss and comply with
any notification or other requirements imposed by law or HCA including but
not limited to 45 C.F.R. Part 164,Subpart D; RCW 42.56.590; RCW
19.255.010; or WAC 284-04-625.
8.3 The Contractor must notify SBHASO in writing, as described in 8.a above,
within two (2) business days of determining notification must be sent to non-
Medicaid Individuals.
8.4 At SBHASO's or HCA's request, the Contractor will provide draft Individual
notification to HCA at least five (5) business days prior to notification, and
allow HCA an opportunity to review and comment on the notifications.
8.5 At SBHASO's or HCA's request, the Contractor will coordinate its
investigation and notifications with HCA and the Office of the state of
Washington Chief Information Officer(OCIO), as applicable.
9 HIPAA Compliance
This section of the Attachment is the Business Associate Agreement (BAA) required
by HIPAA. The Contractor is a "Business Associate" of SBHASO as defined in the
HIPAA Rules.
9.1 HIPAA Point of Contact. The point of contact for the Contractor for all
required HIPAA-related reporting and notification communications from
this Section and all required Data Breach Notification from Section 8, is:
Salish Behavioral Health Administrative Services Organization
Attention: Ileea Clauson, Privacy Officer
614 Division St., MS-23
Port Orchard, WA 98366
Telephone: (360) 337-4833
Email: IClauson@kitsap.gov
9.2 Compliance. Contractor must perform all Contract duties, activities, and
tasks in compliance with HIPAA, the HIPAA Rules, and all attendant
regulations as promulgated by the U.S. Department of Health and Human
Services, Office for Civil Rights, as applicable.
9.3 Use and Disclosure of PHI. Contractor is limited to the following permitted
and required uses or disclosures of PHI:
9.3.1 Duty to Protect PHI. Contractor must protect PHI from, and will use
appropriate safeguards, and comply with Subpart C of 45 C.F.R.
Part 164, Security Standards for the Protection of Electronic Protect
Health Information, with respect to ePHI, to prevent unauthorized
Use or disclosure of PHI for as long as the PHI is within Contractor's
possession and control, even after the termination or expiration of
this Contract.
9.3.2 Minimum Necessary Standard. Contractor will apply the HIPAA
Minimum Necessary standard to any Use or disclosure of PHI
necessary to achieve the purposes of this Contractor. See 45
C.F.R. § 164.514(d)(2)through(d)(5).
9.3.3 Disclosure as Part of the Provision of Services. Contractor will only
Use or disclose PHI as necessary to perform the services specified
in this Contract or as required by law, and will not Use or disclose
such PHI in any manner that would violate Subpart E of 45C.F.R.
Part 164, Privacy of Individually Identifiable Health Information, if
done by Covered Entity, except for the specific Uses and disclosures
set forth below.
9.3.4 Use for Proper Management and Administration. Contractor may
Use PHI for the proper management and administration of the
Contractor or to carry out the legal responsibilities of the Contractor.
9.3.5 Disclosure for Proper Management and Administration. Contractor
may disclosure PHI for the proper management and administration of
Contractor, subject to HCA approval, or to carry out the legal
responsibilities of the Contractor, provided the disclosures are
required by law, or Contractor obtains reasonable assurances from
the person to whom the information is disclosed that the information
will remain confidential and used or further disclosed only as
required by law or for the purposes for which it was disclosed to the
person, and the person notifies Contractor of any instances of which
it is aware in which the confidentiality of the information has been
Breached.
9.3.6 Impermissible Use or Disclosure of PHI. Contractor must report to
the HIPAA Point of Contact, in writing, all Uses or disclosures of
PHI not provided for by this Contract within five (5) business days
of becoming aware of the unauthorized Use or disclosure of PHI,
including Breaches of unsecured PHI as required at 45 C.F.R. §
164.410, Notification by a Business Associate, as well as any
Security Incident of which Contractor becomes aware. Upon
request by SBHASO or HCA, Contractor will mitigate, to the extent
practicable, any harmful effect resulting from the impermissible Use
or disclosure.
9.3.7 Failure to Cure. If SBHASO learns of a pattern or practice of the
Contractor that constitutes a violation of Contractor's obligations
under the term of this Attachment and reasonable steps by the
Contractor do not end the violation, SBHASO may terminate this
Contract, if feasible. In addition, if Contractor learns of a pattern or
practice of its Subcontractor(s)that constitutes a violation of
Contractor's obligations under the terms of their contract and
reasonable steps by the Contractor do not end the violation,
Contractor must terminate the Subcontract, if feasible.
9.3.8 Termination for Cause. Contractor authorizes immediate termination
of this Contract by SBHASO, if SBHASO determines Contractor has
violated a material term of this Business Associate Agreement.
SBHASO may, at its sole option, offer Contractor an opportunity to
cure a violation of this Business Associate Agreement before
exercising a termination for cause.
9.3.9 Consent to Audit. Contractor must give reasonable access to PHI,
its internal practices, records, books, documents, electronic data,
and/or all other business information received from, or created,
received by Contractor on behalf of SBHASO or HCA, to the
Secretary of the United States Department of Health and Human
Services (DHHS)and/or to HCA for use in determining compliance
with HIPAA privacy requirements.
9.3.10 Obligations of Business Associate upon Expiration or Termination.
Upon expiration or termination of this Contract for any reason, with
respect to PHI received from SBHASO or HCA, or created,
maintained, or received by Contractor, or any Subcontractors, on
behalf of SBHASOcrHCA, Contractor must:
9.3.10.1 Retain only that PHI which is necessary for Contractor
to continue its proper management and administration
or to carry out its legal responsibilities;
9.3.10.2 Return to SBHASO or HCA or destroy the
remaining PHI that the Contractor or any
Subcontractors still maintain in any form;
9.3.10.3 Continue to use appropriate safeguards and comply with
Subpart C of 45 C.F.R. Part 164, Security Standards for
Protection of Electronic Protected Health Information, with
respect to ePHI to prevent Use or disclosure of the PHI,
other than as provided for in this Section, for as long as
Contractor or any Subcontractor retains PHI;
9.3.10.4 Not Use or disclose the PHI retained by Contractor or any
Subcontractors other than for the purposes for which
such PHI was retained and subject to the same
conditions section out in Section 9.3, Use and Disclosure
of PHI, that applied prior to termination; and
9.3.10.5 Return to SBHASO or HCA or destroy the PHI
retained by Contractor, or any Subcontractors,
when it is no longer needed by Contractor for its
proper management and administration or to carry
out its legal responsibilities.
9.3.11 Survival. The obligations of Contractor under this Section will
survive the termination or expiration of the Contract.
9.4 Individual Rights.
9.4.1 Accounting of Disclosures.
9.4.1.1 Contractor will document all disclosures, except those
disclosures that are exempt under 45 C.F.R. §
164.528, of PHI and information related to such
disclosures.
9.4.1.2 Within ten (10) business days of a request from
SBHASO or HCA, Contractor will make available to
HCA the information in Contractor's possession that is
necessary for HCA to respond in a timely manner to a
request for an accounting of disclosures of PHI by the
Contractor. See 45 C.F.R. §§ 164.504(e)(2)(ii)(G) and
164.528(b)(1).
9.4.1.3 At the request of SBHASO or HCA, or in response to a
request made directly to the Contractor by an Individual,
Contractor will respond, in a timely manner and in
accordance with HIPAA and the HIPAA Rules, to
requests by Individuals for an accounting of disclosures
of PHI.
9.4.1.4 Contractor record keeping procedures will be sufficient to
respond to a request for an accounting under this section
for the ten (10) years prior to the date on which the
accounting was requested.
9.4.2 Access.
9.4.2.1 Contractor will make available PHI that it holds that is
part of a Designated Record Set when requested by
HCA or the Individual as necessary to satisfy HCA's
obligations under 45 C.F.R. § 164.524, Access of
Individuals to Protected Health Information.
9.4.2.2 When the request is made by the Individual to the
Contractor or if SBHASO or HCA ask the Contractor to
respond to a request, the Contractor must comply with
requirements in 45 C.F.R. § 164.524, Access of
Individuals to Protected Health Information, on form, time
and manner of access. When the request is made by
HCA, the Contractor will provide the records to HCA
within ten (10) business days.
9.4.3 Amendment.
9.4.3.1 If SBHASO or HCA amends, in whole or in part, a record
or PHI contained in an Individual's Designated Record
Set and SBHASO or HCA has previously provided the
PHI or record that is the subject of the amendment to
Contractor, then SBHASO will inform Contractor of the
amendment pursuant to 45 C.F.R. § 164.526(c)(3),
Amendment of Protected Health Information.
9.4.3.2 Contractor will make any amendments to PHI in a
Designated Record Set as directed by SBHASO or HCA
or as necessary to satisfy SBHASO's and HCA's
obligations under 45 C.F.R.§ 164.526, Amendment of
Protected Health Information.
9.5 Subcontracts and other Third Party Agreements. In accordance with 45
C.F.R. §§ 164.502(e)(1)(ii), 164.504(e)(1)(i), and 164.308(b)(2), Contractor
must ensure that any agents, Subcontractors, independent contractors, or
other third parties that create, receive, maintain, or transmit PHI on
Contractor's behalf, enter into a written contract that contains the same terms,
restrictions, requirements, and conditions as the HIPAA compliance
provisions in this Contract with respect to such PHI. The same provisions
must also be included in any contracts by a Contractor's Subcontractor with
its own business associates as required by 45 C.F.R. §§ 164.314(a)(2)(b) and
164.504(e)(5).
9.6 Obligations. To the extent the Contractor is to carry out one or more of
HCA's obligation(s) under Subpart E of 45 C.F.R. Part 164, Privacy of
Individually Identifiable Health Information,Contractor must comply with all
requirements that would apply to HCA in the performance of such
obligation(s).
9.7 Liability. Within ten (10) business days, Contractor must notify the HIPAA
Point of Contact of any complaint, enforcement or compliance action
initiated by the Office for Civil Rights based on an allegation of violation of
the HIPAA Rules and must inform HCA of the outcome of that action.
Contractor bears all responsibility for any penalties, fines or sanctions
imposed against the Contractor for violations of the HIPAA Rules and for
any imposed against its Subcontractors or agents for which it is found liable.
9.8 Miscellaneous Provisions.
9.8.1 Regulatory References. A reference in this Contract to a
section in the HIPAA Rules means the section as in effect or
amended.
9.8.2 Interpretation. Any ambiguity in this Exhibit will be interpreted to
permit compliance with the HIPAA Rules.
10 Inspection
SBHASO and HCA reserve the right to monitor, audit, or investigate the use of
Personal Information and PHI of Individuals collected, used, or acquired by
Contractor during the terms of this Contract. All SBHASO and HCA
representatives conducting onsite audits of Contractor agree to keep confidential
any patient-identifiable information which may be reviewed during the course of
any site visit or audit.
11 Indemnification
The Contractor must indemnify and hold SBHASO and HCA and its employees
harmless from any damages related to the Contractor's or Subcontractor's
unauthorized use or release of Personal Information or PHI of Individuals.
ATTACHMENT F: CERTIFICATION REGARDING LOBBYING
The undersigned certifies, to the best of his or her knowledge and believe, that:
(1) No Federal appropriated funds have been paid or will be paid, by or on behalf of
the undersigned, to any person for influencing or attempting to influence an officer or
employee of an agency, a Member of Congress, an officer or employee of Congress or
an employee of a Member of Congress in connection with the awarding of any Federal
contract, the making of any Federal grant, the making of any Federal loan, the entering
into of any cooperative agreement, and the extension, continuation, renewal,
amendment, or modification of any Federal contract, grant, loan, or cooperative
agreement.
(2) If any funds other than Federal appropriated funds have been paid or will be paid
to any person for influencing or attempting to influence an officer or employee of any
agency, a Member of Congress, an officer or employee of Congress, or an employee of
a Member of Congress in connection with this Federal contract, grant, loan, or
cooperative agreement, the undersigned shall complete and submit Standard Form-
LLL, "Disclosure Form to Report Lobbying," in accordance with its instructions.
(3) The undersigned shall require that the language of this certification be included in
the award documents for all subawards at all tiers (including subcontracts, subgrants
and contracts under grants, loans, and cooperative agreements) and that all
subrecipients shall certify and disclose accordingly.
This certification is a material representation of fact upon which reliance was placed
when this transaction was made or entered into. Submission of this certification is a
prerequisite for making or entering into this transaction imposed by section 1352, title
31, U.S. Code. Any person who fails to file the required certification shall be subject to
a civil penalty of not less than $10,000 and not more than $100,000 for each such
failure.
Contractor Organization
d Z Va'-f
Signature of Certifying Official ate
ATTACHMENT G: CERTIFICATION REGARDING DEBARMENT, SUSPENSION,
AND OTHER RESPONSIBILITY MATTERS Primary Covered Transactions 45 CFR 76
1. The prospective primary participant certifies to the best of its knowledge
and belief, that it and its principles:
a. Are not presently debarred, suspended, proposed for debarment,
declared ineligible, or voluntarily excluded by any Federal
department or agency;
b. Have not within a three-year period preceding this proposal been
convicted of or had a civil judgment rendered against them for
commission of fraud or a criminal offense in connections with
obtaining, attempting to obtain, or performing a public (Federal,
State or local) transaction or contract under a public transaction;
violation of Federal or State antitrust statutes or commission of
embezzlement, theft, forgery, bribery, falsification or destruction of
records, making false statement, or receiving stolen property;
c. Are not presently indicted for or otherwise criminally or civilly
charges by a governmental entity (Federal, State or local) with
commission of any of the offenses enumerated in paragraph 1.b. of
this certification; and
d. Have not within a three-year period preceding this
application/proposal had one or more public transactions (Federal,
State or local) terminated for cause or default.
2. Where the prospective primary participants are unable to certify to any of
the statements in this certification, such prospective participant shall
attach an explanation to this proposal.
This Certification is executed by the person(s) signing below who warrant they
have authority to execute this Certification.
CONTRACTOR:
71- ____ c,-. \ ____,
Name: (3,-„..,aa „ a,-k—
cv e-i,..'o,-- (o d r !- Iv d
Title:
Date: l%-L/2`(
6/26/24,2:29 PM OIG Search Results
W- An official website of the United States government.Here's how you know>
Visit our tips page to learn how to best use the Exclusions Database.If you experience technical difficulties,please email the webmaster at webmaster@oig.hhs.gov.
Exclusions Search Results: Entities
No Results were found for
Jefferson County Superior Court
If no results are found,this individual or entity(if it is an entity search)is not currently excluded.Print this Web page for your
documentation
Search Again
Search conducted 6/26/2024 5:29:55 PM EST on OIG LEIE Exclusions database.
Source data updated on 6/10/2024 8:00:00 AM EST
Return to Search
https://exclusions.oig.hhs.gov/SearchResults.aspx 1/1