Loading...
The URL can be used to link to this page
Your browser does not support the video tag.
Home
My WebLink
About
041513_ca05
C~rr~sent At;cnda 4ynN ra4 ~~~`~'~RS ~I"'~T ~+C~LTNT"Y ~i~3LI+C HE.ALTI~ ~~~ h,,;;, fi~ 5 Shcrlran Strut ~ r.rt Townsend o Washington ~ ~~368 www.j effe rsor}co~s my p u b l fiche ai t h. o rg April 4, 201.3 ]EFFFRSQN CC3~~~ BQAR~ ~3F ~aUN~`Y C~31-~MI5~Il31VERS AG~NU-~1 REQt1EST ~fD: B©ard cif C~a~r~~y Cam~m~niss~araers Philip Morley Caun~ Ad~m~r~istra~or fRaM: dean ~alidwin,, director S4J~,IECT: Agenda ftem - Agency Agreement with the Department of Socai and i~eaitl1 Services for ~Ilashington Connection, data Share Agreement; May ~, 213 - Aprii 31, 20.8; _p_ 5TAT~M~N~' {3F ISSUE: Jefferson County PLtbiic Health requests Soard approvai of the Agency Agreement with the Department of Socia9 and ~iealth Services for Washington Connection, data Share Agreement; May 1, 2[l1~ - Aprli ~~, 2~~~; '~` AI~ALYSIS~S~'R-4TECIC CQALSAPRQ'S ~md CU[V'S: Washington Connection is a web based benefit portal where people can (earn about and apply for a broad array of services and 'benel=lts online, JCPH is a Uashington Connection Partner Assisting Agencyr JCPH, with the use of the CHIPFtA Technology Grant equipment, wili~ assist families applying far healthcare by using the Washington Connection a free and secure website portal,. This contract is centered around H~PAA compliance and protected health information. FISCAL IMi~ACT1Ca5T BEIVEI`~`~' Al1lAL1lSIS:. This contract has no fiscal impact on the department, REC[}NI'i~EiN QA7IQN: ~CPi-I management request approval cif the Agency Agreement with the Department of Social and I~ealth Services for Washington Connection, Data Share Agreement, 'May 1, 2f~13 -April 31, 2818; -0- /~r~~ Phi Orley, Gou Ads inistrato`t; Date COMMUNITY HEALTH ~~~~I~ HEALTH ENVIRONMENTAL HEALTH QEVELOPMENTAL bISA81LITIES 'WATER QUALITY MAIN: (35[}) 385-944Q AEYVdi~ W(1R141NG FQR A SAFER AND MAIN: (364) 385-94A4 FAX: {360} 385-44©1 NEIILTHIER COMMUNITY FAX: i36~) 379-4487 INT~RL~CAL ~ATASHAR~ DSHSAgreernen#Number. 1391-72916 otrnKr~'~r.~~c7F ' SES~YILE.a R #~'11A1 'I,~iPaShl61~~O~"1 CCitlt~f:C'~IQI'! This Agreement is by and bet'w'een the State of Washing~tan i~epartrrlent Program Can#rac# Number. Of SQCiaa and Hlealt:h ~eIVICeS 4DS~5} and thi~ Contractor Iden$Ifl~f~ Con#ractor Con#ract Number: beifllN, and €S ISSU~d 'purSLPant to the lnterlOCal CoDperat9on ACt, Chapter CONTRACTC)R NAME CQNTRACTOR cuing husiness as (DBA) Jefferson Count Jefferson Count Public Health CDNTRACTO'Ft ADt7RESS WASHINGTON UNIFC7RM DSHS INDEX NUMBER ~ BUSINESS IDENTIFIER (UBG} 615 Sheridan St 161-~01-169 1223 Port Townsend, 1A 98368- CdNTRACTdit CONTACT CoNTRACTC7R TELEPHONE CdNTRACTO~i FAK CONTRRCTOR E-P~1AIL ADDRESS Jean Baldwin 3E0} 385-9408 36f} 385-94(31 `baldwin@co.~effersan.wa.us DSHS ADMiN1STRATIC7N DSHS DIVISION DSHS CONTRACT CCiDE Econorn%c Services Cc~mra~unity Services ®ivision 3067175-91 Administration - - ~3SHS CONTACT NF+ME ANt3 TITLE DSHS CONTACT ADDRESS Stephanie Hill PU P3ox 454417 Pro rarr~ Adrrainistrator - Ql m, ia, WA 98504-544(7... DS;'#'S CONTACT TELEPHONE DSHS C4JNTACT FAX DSHS CONTACT E-MARL ADDRESS 36Q 725-4666 36t3 725-4905 hilisr dshs.wa. ov IS THE CdNTRACT4R A SL)BRECIPIENT ; OR PLlRPDSES OF THIS CdNTRACT7 CFDA NIJMBER(S~ N o -- ACF#tiENb'ENT START DALE ,4GREEMENT END DATE MASCIMfIM AGR>=EtVIENT AMdUNT a~~al~zal~ fl4130}20~~ so oa ~X!f fIBiTSs TF#e f~-'41t~wing P`xhibits are attached aead are }rucc~rporated rPta tE~ds Agreemert by reference. 'data Security: Ext#ibt A ~- Data Security Requiret~#er~ts Ext#ibits {specify}: -The terms and conditions of this AcJreePnent are an integration and representation of the final, entire and exci~asive ' understanding between the parties superseding and merging ail previous agreements, writings, and communications, oral or othel'v,~°se regarding the s#abject matter of this Agreemenf, between the parties. The parties signing below represent d and understand this Agreement, and have the authority to execute this Agreement. This agreement shall they have rea be hlndin on C3SH5 on9 a on si nature b [~51-15. CONTRACTdR SIGNRTURE PRINTED NAME AND TdTt_E DATE SIGNED DSHS SIGNATURE PRINTED NAME AND TITLE E]AT€ SIGNED 'Ramona BushneiP, Contracts Officer [.~`~~'~~,~~~`.l~{liTafTlLinit'~ ~2~Vi•uES ~}IVISIOn ~p~rc~~~e~ as ~ fc~~m ~n.~yn L3SFVS Central Con#ract Services nnec4ion DS lnterloaa9 {$-i8-12} '~,~,~ ,~„rv~ ~,~ r Page 1 3G&7D5-~# Washington C• _ ~.~~x,g~ 3efferson Co. Prr~se~:utor~',~ {J€fice pSHS General Terms and Conditions 1, pefintions. The words and phrases listed below, as used in this Contract, shall each have the following definitions: a. "Central Contract Services"' means the ~SHS central headquarters contracting office, or successor section or offrce. b. "Confidential Information" or "data" means information that is exempt €rom disclosure to the public or other unauthorized persons under 'RCW 42.56 or other federal or state laws. Confidential Information includes, but is nat limited to, Personal Information. c, "Contract" or "Agreement" means the entire written agreement between DSHS and the Contractor, including any Exhibits, documents, or materials incorporated by reference. The parties may execute this contract in multiple counterparts, each of which is deemed an original and ail of which constitute only one agree=went. E-rrtaii or Facsimile transmission of a signed copy of this contract shall be the same as delivery of an original. d. ".Contracts Administrator°' rraeans the manager, or successor, of Central Contract Services or successor section or office. e. `°Contractor" means the individual ar entity performing services pursuant to this Contract and includes the Contractor's owners, members„ officers, directors, partners, employees, andlor agents, unless otherwise stated in this Contract. For purposes of any perrrtitted Subcontract, "Contractor'' includes any Subcontractor and its owners, members, officers, directors, partners, employees, andlor agents.. f. "I3ebarment'" means an action taken by a Federal agency or official to exclude a person or business entity from participating in transactions involving certain federal funds. g ``C~SHS'° or the "Cepartment" means the state of Washington ^epartrnent of Social and Health Services and its employees and authorized agents. h '°Encrypt" means to encode Confidential. Information into a format that can only be read by those possessing a „key"~ a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 1 Z8 bits. i. "Personal Information" means information identifiable to any person, including, but nat limited to, information that relates to a person"s name, health, finances, education, business, use or receipt of governmental services or other activities, addresses, telephone nurrfibers, Social Security Numbers, driver license numbers, other identifying numbers, and any financial identifiers. "Plhysicafily Secure" meads that access is restricted through physical means to authorized individuals only. k. "Program Agreement" means an agreement between the Contractor and fi~SfiS containing special terms and conditions, including a statement of work to 'be performed by the Contractor and payment to be made by aSHS. "F2CUV" means fhe 'Revised Code of Vlfashington. All references in this Contract to RCW chapters or sections shall include any successor, amended, or replacement statute. Pertinent RGW chapters can be accessed at http:llapps.ieg.wa.govlrcwl. m. "Regulation" means any federal, state„ or locafi regulation, rule, or ordinance. C~SHS Cents?Contract Services Page 2 3fJ~7DS-91 Washis?gtan Gnnnection ~S Inteslacal (9-18-12) laSHS General Terms and Conditions n. "Secured Area" means an aces to which only authorized representatives of the entity possessing the Gonfidential information have access. Secured Areas may include buildings, rooms or hocked storage containers [such as a filing cabinet} within a room, as long as access to the Confidential information is not available to unauthorized personnel.. o, °'Subcontract" means any separate agreement or contract between the Contractor and an individual or entity 4"Su'bcontractvr"} to perform all or a portion of the duties and obligations that the Contractor is obligated to perform pursuant tQ this Gontract. p. "Tracking" means a record lteeping~ system that identifies when the sender begins delivery of Gonfidential lnfocmation to the authorized and intended'. recipient, and when the sender receives confirmation of delivery from the authorized and intended recipient of Gonfidential' Information. q. Trusted Systems" include only the following methods of physical delivery: (~ }hand-delivery by a person authorized to have access to the Gonfidential Information with written. acknowledgement of receipt; (2} United States Postal Service ~`"t~SI~S"} first class mail, or tJSPS delivery services that include Tracking, such as Certified Mail, Express Mai[ or Registered Mail; (3} commercial delivery services ~e.g. FedEx, UPS, C~Ht_) which offer tracking and receipt confirmation; and ~~&} the Washington State Campus mail system. For electronic transmission, the Washington State Governmental 'Netwarlt ~SGIV} is a Trusted System for communications within that Network. r. „WAC" rr~eans the -Jl{ashington Administrative Cade. All references in this Contract to WAG chapters ar sections shall include any successor, amended, or replacement regulation. Pertinent WAG chapters ar sections can he accessed at http:ffapps.leg.wa.govfwacf. Amendmen#. This Gontract may only be modified by a written amendment signed t,y both parties. Unly personnel authorized to hind each of the parties may sign an ar~nendment. 3, Assignment. The Contractor shall not assign this Gontract or any Program Agreement to a third party without the prior written consent of ~SHS. ~. billing Lirriitations. a. ~Sl°iS shall pay the Contractor only for authorized services prov%ded in accordance with this Contract. b. aSl~1S shall oat pay any claims far payrraent for services submitted more than twelve {1 ~} months after the calendar month in which the services were performed, c. The Contractor shall not hilR and C7SHS shall oat pay for services performed under this Contract, if the Contractor has charged or will charge another agency of the state of Washington or any other party far the same services.. 5. Compliance with Applicable taw. At all times during the term of this Contract, the Contractor shall comply with all applicable federal, state, and local laws and regulations, including but not limited to, nondiscrimination laws and regulations. 6. Confidentiality. a. The Contractor shall' oat use, publish, transfer, sell or otherwise disclose any Gonfidential Information gained by reason of this Gontract for any purpose that is not directly connected with Contractor's performance of the services contemplated 'hereunder, except: bSF~S Centsa9 contract Services Page ~ 3C+5?~S-J1 v'Jashingtran Connection pS lnterlaca! {9-7 &12] pSHS General Terms and Cc~nditians (1) as provided by lave; or, ~2} in the case of Personal information, with the prior written consent of tl,e person or personal representative of the person who is the sula~ect of the Personal lnft~rmation. b. The Contractor shall protect and maintain all Confidential Information gained by reason of this Contract against unauthorized use, access, disclosure, modification or ions. This duty requires the Contractor to ernplay reasonable security measures, which include restricting access to the Confidential Informations bye [1} Allowing access only to staff that have an authorized business requirement to view the Confidential information, ~2} Physically Securing any computers, documents, or other media containing the Confidential Information. ~3} Ensure the security of Confidential Information transmitted via fax (facsimile) by: ta} Verifying the recipient phone number to prevent accidental transmittal of Ganfidential 6nformatan to unauthorized persons. fib} Cornmunicating with the intended recipient before transrnissian to ensure that the fax will be received only by an authorized person. ~c} Verifying after transmittal that the fax was received by the intended recipient. C~7 Vllhen transporting six (6} or mere records containing Confidential Information, outside a Secured Area, do one or mere of the following as appropriate: ~a} lase a Trusted System. (b3 Encrypt the Confidential Information, including: i. Encrypting email' andJor entail attachments which contain the Confidential Information. ii. Encrypting Confidential Information when it is stored an portab'Ie devices or media, including but not limited to laptop computers and flash memory devices. Dote: If the DSHS Data Security Requirements Exhibit is attached to this contract, this item, 6.b.~4}, is superseded l}y the language contained in the Exhibit. fib) Send paper documents containing Confidential information via a Trusted System. ~F} Following the requirements of the DSHS data Security Requirements Exhibit, if attached to this contract. c. Upon request by l7SHS, at the end of the Contract term, ar when no longer needed, Confidential information shall be returned to DSHS or Contractor shall. certify in writing that they employed a 151-1S approved method to destt"oy the information. Contractor may r~btain information regarding approved destruction methods from the DSHS contact identified on the cover page of this Contract, d. 'Paper documents with Ganfidential I~nfarmatian may be recycled through a contracted firm, provided the contract with tl7e recycler specifies that the confidentiality of information will be protected, and the information destroyed' through the recycling process. Paper documents containing Confidential DSHS Central Contract Services Page 4 3067U5-~J1 Wastsingtan Cannect9an DS interlocal ~9-18~12J DSHS General Terms and Conditions lnfarmation requiring special. handling {e.g. protected heaEth intormation) must be destroyed an--site through shredding, pulping, or incineration, e. Notikication of Compromise ar ~'otential CorrtprQrraise. The comprarnise tar potential compromise of Confidential Information must be reported to the DSHS Contact designated on the contract within one (1) business day of discovery. Contractor roust also take actions to mitigate the risk of loss and cotmply with any notification or other requirements imposed by Iaw or DSH'S. ~'. ®ebarment certiffcation• The Contractor, by signature to this Contract, certifies that the Contractor is not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded by ,any federal department or agency firom participating in transactions (Qebarred}, The Contractor also agrees to include the above requirerraent in any and all Subcontracts into which it enters. The Contractor shall irnmediately notify QS1dS if, during the term of this Contract, Contractor becomes Debarred. 17S'~S may immediately terminate this Contract by providing Contractor written. notice if Contractor becomes Debarred during the term hereof. 8. Governing ~.aw and Venue.. This Contract shall be Construed and interpreted in accordance with the laws of the state of UVashington and the venue of any action brought hereunder shall be in Superior Court for Thurston County. g, independent ~Contractar, The parties intend that an independent contractor relationship will be created by this Contract. The Contractor and his or her employees or agents performing under this Contract are not employees ar agents of the I~epartnaent, The Contractor, his or her employees, or agents g the this Contract will not hold himselflherself out as, nor claim to be, an officer or er#ormin un er p employee of 'Department by reason taereof, nor will the Contractor, his or last employees, or agent make any claim of right, privi'iege or benefit that would accrue to such officer ar employee. 10. Inspection. The Contractor sha11, at no cost, provide DSHS and the Office of the State Auditor with reasonable access to Contractor's place of business, Contractor's records, and 1~5HS client records, wherever located, These inspection rights are contended to allow DSHS and the ©ffice of the State Auditor to monitor,. audit, and evaluate the Contractor's performance and Compliance with applicable laws, regulations, and these Contract terms. These inspection rights shall survive for six {fi} years following this Contract's termination ar expiration. 11, AAaintenance of Retards. The Contractor shall maintain records relating to this Contract and the performance of the services described herein. The retards conclude, but are not limited to, accounting procedures and practices, which sufficiently and properly reflect all direct and indirect costs of any nature expended in the performance of this Contract. All records and other material relevant to this Contract shall be retained fior six {6} years after expiration or termination of this Contract. 'VLrithout agreeing that litigation or claims are legally authorized, if any litigation, clairra, ar audit is started before the expiration of the six (6} year period, the records shall be retained until all litigation, claims, or audit findings involving the records have been resolved. 12. ^rder of precedence. Rn the event of any inconsistency or conflict between the General Terms and Conditions and the Special Terms and Conditions of this Contract or any Program Agreement;. the inconsistency or conflict shall be resolved by giving precedence to these General Terms and Conditions, Terms or conditions that are rr~ore restrictive, specific, or partiCUlar than those Contained in the General Terms and Conditions shall rant be construed as being inconsistent or in conflict. 13. Severaia%lity. if any term or condition of this Contract is held invalid by any court, the remainder of the Contract remains valid and in full force and effect. ^St#S Cen4ra~ Gantr~ct 5ervi~es Page 5 3~67'bS-91 Washington Conr€ectlon G}S interlt~cal {9-a 8-12} R7SH5 General berms and Conditions 14, ~u~vability. The terms and conditions contained in this Contract or any Program Agreement. which, by their sense and context, are intended to survive the expiration or termination of the particular agreement shall survive. Surviving terms include, but are not limited to: Billing E~imtations; Confidentiality, Disputes; Indemnification and Hold Harmless, Inspection, Maintenance af'~ecords, lVatice of Qverpayment, Qwnership of Material, Termination for Default, Termination Procedure, and Treatment of Property. 15~ ~errninat#~-~ Que to Qhange in l=anding. 1f the funds DSHS relied upon to establish this Contract or Program Agreement are with~mmediatel terrninla el~this C n1 adCtibnalrovidindifwr~ten nfotl~ioce to the laced on such funding, DSHS may y y P g Contractor. The termination shall be effective on the date specified in the termination notice. 16. VNaiver.'VV'aiver of any breach or default an any occasion shall not be deemed to be a waiver of any subsequent breach or default. Any waiver s'ha9l not be construed to be a modification of the terms and conditions of this Contract. Qnly the DSHS Contracts Administrator or designee bass the authority to waive any term or condition of this Contract on behalf of DSHS. Additional General Terms and Conditions - IrEterlacal Agreements: 1T. []is~putes. Disputes shall 'be determined by a pispute Board. Bach party to this Agreement shall appoint one mernbec to the Dispute Board. The rr~embers so appointed shall jointly appoint an additional member to the Dispute Board. The Dispute Board shall review the facts, Agreement terms, and applicable statutes and rules and make a determination of the dispute. As an alternative to this process, either party may request intervention by the Governor, as provided by RCIN 43.1 ~.33~1, in which event the Governor's process shall control. Participation in either dispute process shall precede any judicial orquasi-judicial action and shall be the final administrative remedy available to the parties. 1$, lriaid Harmless. a, The Contractor shall be responsible far and shall bald DSHS harmless from all claims, loss, Liability, damages, or fines arising out of or relating to the Contractor's, or any Subcontractor"s, performance or failure to perform this Agreemient, or the acts or omissions of the Contractor or any Subcontractor. DSHS shall be responsible far and shall hold the Contractor harmless from all claims, loss, liability, damages, or fines arising out of or rely#ing to DSHS' performance or failure to perform this Agreement. }~. The Contractor waives its Immunity under Title 51 RC~JU' to the extent it is required to indemnify, defend, and hold harmless the State and its agencies, officials, agents, or employees. 1 g. Qwnership of ~dateriai. hllaterial created by the Contractor and paid for by DSHS as a part of this Contract shall be owned by DSHS anal shall be "vvorlt made for hire" as defined by Title 17 USCA, Section '141. This material includes, but is not 'i~imited ta: books; computer programs; documents, films; pamphlets; reports; sound reproductions; studies; surveys; tapes; andJor training materials, Material which the Contractor uses to perform the Contract but is not created for or paid for by DShI'S is awned by the Contractor and is not "work made four hire"; however, DSHS shall have a ,perpetual license to use this material for DSHS internal purposes at no charge to DSHS„ provided that such license shall be limited to the extent which the Contractor has a right to grant such a license. ~{?, 5ularecipler~ts. a. General. If the Contractor is a subrecipient of federal awards as defined by Office of Management aryd' Budget ~QMB} Circular A-133 and. this Agreerrlent, the Contractor shall: C~SHS CenFeak Contract Serv~wes Page 6 3(}6'7E]5-91 ;.Nashingion Cnnnecti~r~ r3S 9nterlocaC (918-123 DSHS General fieirms aa~d Canditicans ~1 } Maintain records that identify, in its accounts, a6l federal awards received and expended and the federal programs under which they were received, by Ca#alog of Federal Domestic Assistance (CFDA} title and number, award number and year, name of the federal agency, and name of the pass-through entity; ~2} Maintain infernal controls that provide reasonable assurance that the Contractor is managing federal awards in compliance with laws,. regulations, and provisions of contracts or grant agreements that could have a material effect on each of its federal programs; (3} Prepare appropriate financial statements, including a schedule of expenditures of federal awards; (~}) Incorporate C7MB Circular A-133 audit requirements into all agreements between the Contractor and its Subcontractors who are subrecipsents; (5} Gomply with any future amendments to 4MB Gircular A-133 and any successor or replacement Gircular or regulation; ~~} Gomply with the applicable requirements of either 2 GFR, Part 225 (©IVIB Gircular A-g7} or 2 CFR, Part 239 (QN3B Gircular A-122}, and any successor or replacement Circular or regulation; and (7} Gomply witi+l the Omnibus Grime Control and Safe streets Act of 1966, Title VI of the Civil Rights Act of 1964, Section 5fJ4 of the rehabilitation Act of 1973, Title BI of the Americans with C?isabilities Act of 1996, Title l7C of the education Amendments of 1972., The Age Discrimination Act of 1975, and The Department of Justice NonyDiscrimination Regulations, 28 G.F.R, Part 42, Subparts G.'D.~. and G, and 28 G.F.R. Part 35 and 39, ~Go to www.a~p.usdo.~av~ocrl far additiona4 information and access to the aforer~ientioned Federal. laws and regulations.} b. Single Audit Act Corripliance. if the Contractor is a subrecip"sent and expends $549,f7Df~ or mare in federal awards from any andlor all sources in any fiscal year, the Contractor shall procure and pay for a single audit or a program specific audit for that fiscal year. Upon completion of each audit, the Contractor shall: (1 } Submit to the DSI~S contact person the data collection. form and reporting package specified in OMS Gircular A-133„ reports required by the program-specific audit guide (if applicable}, and a copy of any management letters issued by the auditor; (2} Follow-up and develop carrectiue action for' aCi audit findings; in accordance with C}MS Circular A-133,. prepare a"'Summary Schedule of Prior Audit Findings.=, c, c]verpayments. If it is determined by DSHS, or during the course of a required audit, that the Contractor has been paid unallowable costs under this or any Program Agreement, DSFIS may require the Contractor to reimburse DSHS in accordance with either 2 CFR, Part 225 BOMB Gircular p,-$7} or 2 GFR„ Part 239 kt~ME3 Circular A~122}. 2'f. Termii~atian. Default. If for any cause, either party faits to fulfill its obligations under this Agreement in a timely and proper mariner, or if either party violates any of the terms and conditions contained in this Agreement, then the aggrieved party will give the other party written notice of such faikure or violation. The responsible party will be given 15 working days to correct the violation or failure. If the fails~ire or violation is not corrected, this Agreement may be terminated immediately by written DSHS Central Cantrac4 Services Page 7 3Q~7~S-81 washington Cc]nne~tivn pS Interlocal €g_'18-32y DSI~S General Terms and C©ndiitior~s notice frarn the aggrieved party to the ether party. b. Convenience. Either party may Terminate this lnterlocal Agreement for any other reason Ioy providing 3f7 calendar days' written notice to the other party. c. Payment far Performance. If this Interlocal Agreement is terminated for any reason, aSh-lS shall only pay far performance rendered or costs incurred in accordance with the terms of this Agreement and prior to the effective date of termination, 22. Treatment of Ctent Property. unless otherwise provided, the Contractor shall ensure that any adult client receiving services from the Contractor has unrestric#ed access to the client's personal property, The Contractor shall not. interfere with any adult client's ownership, possession; or use of the client's property. The Contractor shall provide clients under age eighteen (18}with. reasonable access #a their personal property that is appropriate to the client's age, develaprraent, and needs, lJpan termination. of the Contract, the Contractor shall immediately release to the client andlor the client's guardian or custodian all of the client's personal property. MIPAA Compliance. 23. L3efinitic~ns. a. "'easiness Associate," as used in this Contract,. means the "Contractor" and generally has the same meaning as the term "business associate" at 45 C1rR 16Ci.1Q3. Any reference to Business Associate In this Contract ancludes Business Assc~clate's employees, agents, officers, subcontractors, third party contractors, volunteers, or directors. b, "Covered Entity" means CSHS, a Covered l=ntity as defined at 45 CFR. 1~C~.103, yin its conduct of covered functions by its health care components, ,e c. "Designated. Record Set means a group of records maintained by or for a. Covered ntity, t at Is: the medical and billing records about Individuals maintained by ar for a covered health care provider; the enrollment, payment, claims adjudication, and case mr medical rrlanagernent record systems maintained by or for a health plan, or used in whole ar part by or for the Covered Entity to moire decisions about Individuals. d. "Electronic Protected Health lrrforrnation ~EPHI}" means protected health information that is transmitted by electronic media or maintained in any medium described in the definition of electronic media at 45 GFR 162.103. e, '"H1PAA" means the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, as modified by the American Recovery and Reinvestment Act of 2(~C39 ("ARRA"}, Sec. 134t?0 - 16424, H.R. 1 ~20D9} ~HITECH Act} f. "HIPAA Rules" means the Privacy., Security, Breach Notification,. and Enforcement Rules at 45 CI=R Parts 169 and 'Part 164. g "1ndividual(s}„ means the persons} who is the subject of PHl and includes a person who qualifies as a personal representative in accordance with 45 CFR 164.602~g}• h. "`Minimum Necessary" means the least amount of PHI necessary to accomplish the purpose for which the PHI is needed. i, "Protected Health 1nformatian {P11•~41I}" means individually identifiable health information created, ©5HS Central Can#raCl Services Page 8 3~J67D5-g1 U"Jasl°ringtes~ Cen~ecicn DS Inderl©Lal ~9-18-12j ~}SHS General Ter-a~s and Conditions received, maintained or transmitted by Business Associate on behalf of a health care component of the Covered Entity that relates to the provision of health care to an individual; the past, present, or future physical or mental health ar condition of an Individual; ar the paste present, ar future payment for provision of health care to an Individual. 45 CFR 160.1 ~~. PHI includes demographic information that identifies the Individual or about which there is reasonable basis to believe can be used to identify the Individual, 46 CFR 160.103. PHI is information transmitted or held in any form ar medium and includes EP}-IV. 45 CFR 160.103. PHi does not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 USCA 1232g~a}(4}{B}(iv} ar emp'ioyrnent records held by a Covered Entity in its role as employer. "Subcontractor" as used in this Contract means a Business associate that creates, receives, maintains, or transmits protected health information on behalf of another Business Associate. k. "lJse" includes the sharing, employment, application, utilisation, examination, or analysis, of PI-VI within an entity that. maintains such information.. ~~. Compliance. Business Associate steal! perform all Contract duties, activities and tasks in compliance with HIPAA, the HIPAA Rules, and all attendant regulations as promulgated by the t~.5. Department of Health and Duman 'Services, office of Civil Rights. 25, Use and Qisclostere o~ PHI. Business Associate is limited to the following permitted and required uses ar disclosures of PHI: a, Duty to Protect PHI. Business Associate shall protect PHI from, and shall use appropriate safeguards„ and comply with Subpart C of 46 CFR Part 164 {,Security Standards for the Protection of Electronic Protected Health Information} with respect to EPHI, to prevent the unauthorised use or disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the PFVV is within its possession and control, even. after the termination. ar expiration of this Contract, b, IVlinimum Necessary Standard. Business Associate shall apply the HIPAA lVlinimum Necessary standard to any use or disclosure of PHI necessary to achieve the purposes of this Contract. See 4b CFR 164.514 {d}[2} through (d}~S}. c. Disclosure as Part of the Provision of Services. Business Associate shall only use or disclose PH'i as necessary to perform the services specified in this Contract or as required by law, and shall not use or disclose such PV--II in any manner that would violate Subpart E of 45 CFR Park 164 (Privacy of Individually Identifiable Health information} if done by Covered Entity., except for the specific uses and disclosures set farkh below. d. 'Use for Proper fVlanageanent and Administration. Business Associate may use PHI far the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, e. Disclosure tar Proper hllanagement and Administration. Business Associate may disclose PHI far the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that. the information will remain confidential and used or further disclosed only as required by law or for the purposes far which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. f, impermissible Use or Disclosure of PHI tiSNS Central Gorstract Services 3067C3S-93 Washington C©nnectlon DS Interlocal [g-18-12) Business Associate shall report to DSHS in writing all Page 9 C75Fi5 Gt:neral Terms and Conditions uses tar disclosures of PHI not provided for by this Contract within one {1} lousiness day of becoming aware of the unauthorized use or disclosure t}f PHi, including breaches of unsecured PF~I as required at 45 CPR 164.41 g (Notification by a Business Associate}, as web! as any security incident of which ~it becomes aware. Upon request by ©SHS, Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible use or disclosure. g. Failure to Cure. if C]SNS learns of a pattern or practice of the Business Associate that constitutes a violation of the Business Associate's obligations under the terms of this Contract and reasonable steps by pSl-iS da not end the violation, aSHS shall terminate this Contract, if feasible. In addition, if Business Associate learns of a pattern tar practice of its subcontractors that constitutes a violation of the'Business Associate's obligations under the terms of their contract and reasanaiole steps by t;he Business Associate do not enr~ the violation, Business Associate shall terminate the subcontract„ if feasible. h, Termination fvr Cause. Business Associate authorizes immediate termination of this Contract by DS~S„ if DSHS determines that business Associate has violated a material term. DSHS may, at its sole option„ offer Business Associate an opportunity to cure a violation before exercising a termination for cause. i,. Consent to Audit. Business Associate shall give reasonable access to PHI„ its internal practices, records, books, documents, electronic data andlar all other business information received from, or created or received by Business Associate on behalf of DSHS, to the Secretary of DNNS andJor to pStiS for use in determining compliance with HiPAA privacy requirements. j. pbligations of Business Associate 'l~pon Bxpiratian or Termination. Upon expiration or termination of this Contract for any reason, with respect to P Hl received from DS'HS, or created, maintained, or received by Business Associate, ar any subcontractors, on behalf taf DSHS, Business Associate shall: ~1 } Retain only that PHl which is necessary for Business Associate to continue its proper management and administration ar to carry out its legal responsibilities; {2} Return to DSNS or destroy the rerrlaining Phli~ that the Business Associate ar any subcontractors still maintain in any form; {3} Continue to use appropriate safeguards and comply with Subpart C of 45 CPR Part 164 Security Standards for the Protection of lFlectronic Protected Health information} with respect to electronic protected health inftarmatityn to prevent use or disclosure of the 'PHI, other than as provided for yin this Section, for as long as Business Associate or any subcontractors retain the P~II; (4} Not use or disclose the PHl retained by Business Associate or any subcontractors other than far the purposes for which such PHi was retained and subject to the same conditions set out in ttae "l_ise and Gisciosure of PHi" section of this Contract which applied prior to termination, and (5} Return to DSHS or destroy the PHl retained by Business Associate, or any subcontractors, when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities. k. Survival. The obligations of the Business Associate under this section shall survive the termination or expiration of this Contract. 26, individual Rights. pSliS Centra9 Gantract Services 3~~7175-91 Washington Connectipn ^S Interlacal {9-1812) Wage 1(} DSHS General Terms and ~c~nditivns a. Accounting of Disclosures. (1 } Business Associate shall document all disclosures of PHI and information related to such disclosures. ~2} Within ten ~1D) business days of a request from DSHS, Business Associate shall make available to psHS the information in Business Associate's possession that is necessary for DSHS to respond in a timely manner to a request far an accounting of disclosures of PHI by the Business Associate. see 4~ CFR 1~4.~{~4~e}(2)(ii}(G} and 16~.52$(b}(1}. ~3} At the request of DSHS or in response to a request made directly to the Business Associate by an individual, 'Business Associate shall respond, in a timely manner and in accordance with HIPA~+ and the H'IPAA Rules, to requests by Individual's for an accounting of disclosures of PHI. ~4} Business Associate record keeping procedures shall be sufficient to respond to a request for an accounting under this section for the six ~~6} years prior to the date on which the accounting was requested. b. ,Access (1} Business Associate shall make available PH! that it holds that is part of a Designated Record Set when requested by DsHS or tare Individual as necessary to satisfy DSHS's obligations under 45 CFR 164.52Q AAccess of Individuals to Protected Health Information}. (2) When the request is made by the individual to the Business Associate or if DSHS asks the Business Associate to respond to a request, the Business Associate shall cornp9y with requirements in ~5 CFR 1~~.524 (Access of ~lndividuals to Protected Health Information} on form, time and manner of access. When the request. is made by DSHS, the Business Associate shall provide thae records to DsHS within ten ~1t]} business days. c. Amendment. (1 } If ^sHS amends, in whole or in part, a record or PHI contained in an Individual's Designated Record set and DSHS has previously provided' the PHi or record that is the subject of the amendment to Business Associate, then DsHS will inform Business Associate of the amendment pursuant to 45 CFR. 164.b2~{c}(3} (Amendment of Protected Health Information}. (2} Business Associate shall make any amendments to PHI in a Designated Record set as directed by DSFiS or as necessary to satisfy DsHS's obligations under 45 CFR 164.~2~ (Amendment of Protected Health Information}. 27. 5ubcc~rrtracts and other Third Party -4greerrients, In accordance with 45 CFR 1 S4.b0~2(e}~1 }iii}, 164.5~4~e}(1 }(iy, and 164.3t38(b}~2}, Business Associate shall ensure that any agents,. sulacontractors, independent contractors or other third parties that create, receive, maintain, or transmit PHI on Business Associate`s behalf,. enter into a written contract that contains the same terms, restrictions, requirements, and conditions as the hIIPAA compliance provisions in this Contract with respect to such pH1. The same provisions must also be included in any contracts by a business associate's subcon#ractor witty its own business associates as required by 45 CFR 164.314~a}(2}(b) and 1 ~4.5E?4(e}~5j . fig, Qbligations. To the extent the Business Associate is to carry out one or more of DsHS's obligation(s) under Subpart E of 4~ CFR Part 1~4 Privacy of Individually Identifiable Health Information}, Business Associate shall comply with ail requirements that would apply to DSHS in the perforrrrance of such E7Sti5 Central G©~tract Services Rage ~ t 3Q579~S-91 Washirigtnr~ CQr~neciio€~ oS Bnlerlcacal {9-18-12} pSHS General Terms acrd Canditians obligations}, 29. Latxility. Within ten (1 {t} business days, Business Associate must notify DSHS of any complaint, enforcement or compliance action initiated by the Office far Civil Rights 'based on an allegation of violation of the l-tIPAA Rules and must inform DSF~~ of the outcome of that action. Business Associate bears afl responsibility for any penalties, fines or sanctions imposed against the Business Associate for violations of the F-IIPAA Rules and for any imposed against its subcontractors or agents for which it is found liable. 3E3F, ~3rea~ch Nt~titicatian. a. In the event of a breach of unsecured F~HI or disclosure that compromises the privacy or security of PHl obtained from D SHS or involving DSl~S clients, Business Associate will take all measures required by state or federal claw. }~. Business F+ssociate will notify DSHS within one {1}business day by telephone and in writing of any acquisition, access, use or disclosure of PHI not allowed by the provisions of this Contract or not authorized by HIPAA Rules or required by law of which it becomes aware which potentially compromises the security or privacy of the protected health information as defined in 4~ CFR 1 ~64.~kgZ Definitions}. Business Associate will notify the I~SFiS Contact shown on the cover page of this Contract within one (1) business day by telephone ore-mail. of any potential breach of security or privacy of PHI by the Business Associate or its subcontractors or agents. Business Associate will follow telephone ar e-mail notification with a faxed or other written explanation of the iJreach, to include the following: date and tune of the breach, date breach was discovered, location and nature of the PHI, type of breach, origination and destination of PHI, Business Associate unit and personnel associated with the breach, detailed description of the breach, anticipated mitigation steps, and the name, address, telephone number, fax number, and e-raaail of the individual who is responsible as the primary point of contact. Business Associate will address communications to the DSHS Contact. Business ,Associate wi'l'l coordinate and cooperate with DSHS to provide a copy of its investigation and other information requested by DSHS, including advance copies of any notifications required for DSHS review before disseminating and verification of the dates notifications were sent. d. If DSHS determines that Business Associate or its subcontractors} or agent{s} is responsible for a breach.. of unsecured PHI: {1 } requiring notification of Individuals under 4~ CFR § 164.44 (Notification to Individuals), Business Associate bears the responsibility and costs for notifying the affected Individuals and receiving and responding to these Individua'ls' questions or requests for additional information, ~2} requiring notification of the media under 45 Cf=R § 164.446 Notification to the media), Business Associate bears the responsibility and costs for notifying the media and receiving and responding to media questions or requests for additional information; 43} requiring notification of the t~.S. Department of Health and Human Services Secretary under 45 CFR ~ 164.48 Notification to the Secretary), Business Associate hears the responsibility and costs for notifying the Secretary and receiving and responding to the Secretary's questions or requests for additional information;. and ~4} DSHS will take appropriate remedial measures up to termination of this contract. 31, Miscetlaneous Previsions. QSNS ~erttral Contract Seruic~:s 30f7QS-~1 Washington Connection qS intericrcal [9-1 &-12} 'Page 12 pSHS General Terms ar~d Conditions a, Regulatory References. A reference in this Contract to a section in the HII~AA Rules means the section as to effect or amended. b, interpretation, Any ambiguity in this Contract sha(i be interpreted to perrrrit compliance with the HV ~I~P+ F~ules. oSHS Central Contract Services Page f 3 3457C]5-91 Washington Connection DS lnterlocal (918-12) Special Terms and conditions 1. L3efinitiv~s Specific to Special Terms: Ttie words and phrases listed below, as used in this Cortitract, shall each have the following definitions: a. "Applicants}" means individuals submitting an application, a renewal car reporting a change for benefits or services. b. "Assisting Agency„ means community or faith, based organizations, tribalr city, or county municipalities who provide trained employees car volunteers to help applicants complete and submit online applications through. Washington Connection. These agencies must sign a Data Share Agreement with DSHS and each employee and volunteer of the agency with access to Applicant information must complete a ^SHS non-disclosure form. Any reference to Assisting Agency includes the Assisting Agency's employees, agents, officers, subcontractors, third party contractors, volunteers, ar directors.. c. `"Au#horized Representative" means someone designated by the Applicant to taut with DSHS about hislher benefits. This individual is authorized to act on the Applicant's behalf for eligibility purpcases. d. ".Data' means the information that is exchanged as described by this Agreement that is spectfically protected by law which rraay impose penalties for wrongful disclosure. This includes protected health information under the N1PAA Privacy Rule. e. "ESA" means Economic Services Administration. f. `"Sp,W" means SecureAccess Washington. SAW is a single sign~on application gateway created by Washington State"s Department of Information Services to access government services accessible via the Internet. g "'Washington Connection" means the web-based benefit partal~ that provides access to a broad array of federal, state and loco! services and benefits to address basic needs. ~, 'purpose To allawv an Assisting Agency to help Washington residents complete an online application. to provide more effective access to available federal, state and local services through the Washington Connection benefit ports! and carry out other activities designed to help them maintain eligibility. This agreement also includes contractors that submit paper applications to DSI~S. ~. Statement of'Wor~ The Contractor shall provide the services and staff, and otherwise do all things necessary for or incidental to the performance of work, as set forth below: a. The Assisting Agency listed on page one of this Data Share Agreement is the Contractor, and DSHS is the Data Provider in this agreement. !gin exchange for the receipt of information, the Contractor agrees to abide by the terms and conditions in this agreement. (1 } Anyone at the Contractor agency with access to ^ata wi1C be required to read and complete a non-disclosure agreement annually.. The Contractor must maintain these forms and make them available for inspection. ~~} When Ccantractors use Washington Connection for applications, DSI-IS will work with them to: {a~ Establish access to the DSHS Washington Connection and online application. D5H5 Gentsal contract Servicc;s Page 14 3467flS-94 'Washington GQnnectian D5 4ntertocal {J-18-" 2) Special Terrr~s and Conditions (b} Establish a 1J11ashington Cannectian SALN account with either an Frrmpfayee or a Supervisor access level: employee Access allows the individual to view, edit and submit applications when the er~rployee has provided direct access with the application tk~raugh Wast~ingtan Connection as part of Their work at the Assisting Agency. Supervisor Access includes all functions of the Frrroplayee Access plus the ability to: view, edit and submit. a!! applications associated with employees assigned to the supervisor in the Washington Connection profile; add, modify, and delete emplayees; reassign applications between employees under the same supervisrar, and request a summary page of all application status submitted ar incomplete) associated. with the Assisting A;genty. ~3} Consent Form and lase Limitation {a} The Contractor must obtain a Cans~:nt form via Washington Gannection with an e-signature from the Applicant before accessing any Applicant lnforrnatian. The Contractor trust keep any written 'DSFiS consent farm obtained from the ApplVoant onsite and.. provide them far inspection upon request. QSF1S and the Contractor may need to share additional information to provide services, but at na tune should the Consent be interpreted ta: (A} Designate the Contractor as an "Authorized Representative", ~~} AlVow DS1-15 to share Applicant information not needed for the ,purposes under this agreement (C} Allow DS~S to disclose documents or information from the Applicant's hies ar retards for other purposes outside the scope of this agreement b. Description of Data Data ss limited to: Via} application data {b} defined display of household benefit information available through the Washington Connection query system c. Data Access or Transfer fit} 1f applications are rete~ived through Vllashington Connection and the Applicant has indicated consent to share application data, a Contractor may vview and print applications, reviews and change of circumstances forms saved or submitted through Wasl~ingtorr Connection for 9Q calendar days from t17e last activity day. Application statuses, "submitted" ar "not submitted", are also available for 90 calendar days from the last activity day. Contractors submitting paper applications have no ability to view them online. ~2} if the correct information is entered into the Wash~ngtan Connection query system., the successful query will result in the display of the following information for tl'~e listed head of house'hald if that person is not registered in the Address Confidentiality Program (ACP}: t]S~tS Cenral Lentract Services Page 15 3C787i}5 n1 t,Nashington tonreCtkon DS inter!~caC 49-18-12] Spe~iaal Terrr~s and Condifiians (a} p,pplication Status A p approved P =Parading. D =Denied M~ =Pending Spenddawn with base period and remaining asxaounty (b} Eligibility history ~1 ~ month rallingy from DSHS andlor HCA Vic} Benefit amount fear cash and food assistance programs only td} Number in the household associated with each program receiving benefits (ey Senafit end date for each certification period (3} Requirements far Access Via} Access to Data shall 'be limited to staff (including employees and volunteers) whose duties specifically require access to such Data in the performance of their assigned duties. Prior to making Data available to its staff, Contractor shall notify all such staff of the Use and Disclosure requirements.. Eby All staff accessing the data shall sign a Nondisclosure of Confidential Information farm, or its replacement, each year and agree to adhere to the use and disclosure requirements. The signed, original farm and a regularly updated list of staff with access to the Data shall be maintained by the Contractor and submitted to the Data Provider upon request. (cy The. Contractor must remind staff annually of nondisclosure requirements and make available to DSHS upon request evidence that they have reminded all staff with access to p,pplicant data of the limitations, use or publishing of data. (d} The Contractor must immediately notify the DSHS contact person listed on page one when any staff with access to the ^ata is terminated from employment or when his ar has jab duties no longer require access to Data. d. Limitations on Use of Data If the Data and analyses generated by the Contractor contain Confidential Information about DSHS Applicants, then any and all! repasts utilizing thane Data shall be subject to review and approval by the Data Provider prior to publication in any medium or presentation in any forum. 4. Data Security a. Violations of the Nondisclosure previsions of this agreement may result in criminal os civil penalties. Violation is a gross misdemeanor under RCW 74.04.0~{~, punishable by imprisonment of not more than one year andlor a fine net to exceed five thousand dollars. Sanctions also may apply under other state and federal law, including civil and criminal penalties for violations of the HIPAA Privacy and Security rules. 97545 Centraa Contract Services Page ~~ 3L}67E}S-9ti Washington Cvnnectlon 975 Eroterlocal f9°~8-12) Special Terms and Conditions ~. The Contractor shall take reasonable precautions to secure against unauthorized physical and e6ectronic access to Applicant Information. Data shall be protected in a manner that prevents unauthorized persons, including the genera9 pub9ic, from access toy computer, remote terminal, or other rr~eans, c, Contractor shall notify the DSHS contact designated on the contract verbally and in writing of the compromise ar suspected compromise of the security or privacy of data within one ~'-) business day and to wort with DSl-lS to assess additional steps to be taken, The Contractor shall be responsible to corrrply with legal requirements, provide notification of clients as needed and far any costs associated mitigating the breach. 5. Confidentiality and IVondKSC~vsure a. Both parties may use F'ersona- information and other information or Data gained by reason of this Agreement only for the purposes of this Agreement. b. The data to be shared under this agreement is confidential in nature and is subject to state and federal confidentiality require~uent that bind the Contractor, its employees, and its subcontractors to protect the confidentiality of the personal information contained in ESA data. Contractors may use personal data and ether data gained by reason of this agreement only for the purpose of this agreement. c. The Contractor shall mairttair~ the confidentiality of personal data in accordance with state and federal laws, and shah have adequate policies and procedures in place to ensure carrtpliance with confidentiality requirements, including restrictions on rewdisclasure. d, 'the Contractor agrees to keep Applicant information according to DSHS ,policy and procedures: htt ~llasd.dshs,wa. ovlr a~lr au-admin olio .htm. ~~ ~ Neither party shall link the Data with personals I'nformatian ar individually identifiable data from any other source nor re~disc~lose or duplicate the Data unless specifically authorized to do so in this Agreement or by the prier written consent of the other party. fi, Consideration There is no cost to either party as each will pay for its own costs to perform this contract. 7. Payrnertt a. The Contractor gill receive the information provided under this agreement at no charge. lwach party shall be responsible for any expenses incurred in providing or receiving information. b. ~Clne Contractor is responsible for any costs associated with accessing Applicant data. Phis includes any costs far hardwarelsoftware upgrades, and costs to improve any systems ar processors that will enable the Gontractor to access the data. D~~iS Central Cvntravt Servives Page 17 3[367~S-gt Washington Gflnnectivn DS lnterlvcaE {9-~8-12} Special Terms arsd Cartditians 8. Disputes dither party may submit a request far resolution of a Contract dispute gates set by law, regulation or flSHS po4icy are not disputable}. The requesting party shall submit a written statement identifying the issues} in dispute and the relative positions of the parties, A request for a dispute resolution must include the C©ntractors name, address, and Contract number, and be mailed to the address listed below within 3t] calendar days after the party could reasonably be expected to have knowledge of the issue in dispute. pSHSICommunity Services Division P~7 Box 4547 Cd{ympia, V'i1A 9$54-54~~ Attn. Contracts 'nit 9, ir~terpretatnn Any ambiguity in this Agreement will be resolved in flavor of a meaning that permits Covered l=ntity to comply with the privacy 'Rule, the electronic Transactions. Standards, or any other requirement under 1-i41'AA. 'III. Property lrtights AII~ Pl-il will be and remain the exclusive property of Covered Entity. Business Associate agrees that it acquires no title or rights to the PI-li, including any deµidentified information, as a result of this Agreement. ~SHS Central Corriract Servsces ~,~~~ .~~ ~~:87t~S•9t Washington Connection ~S Inter6acal {9-18-i2) Special Terms ar~d Conditions Exhibit A -data Security Requirements pefini#ios'ss. The words and phrases listed below, as used in this exhibit, steal! each have the following definitions: a. "Authorized Users}" means an individual or indiuiduais with an authorized business requirement to access 17SH5 Confidential Information. }~. Nkiardened Password" means a string of at least eight characters containing at least one alphabetic character, at least one number and at least one special character such as an asterisk, ampersand or exclarraation point. c. "Unique User i®'" means a string of characters that identifies a specific user and which, in conjunction with a password, passphrase or other mechanism, authenticates a user to an information system. ~. data Transport. When transporting OSHS Confidential information e6ectronically, including via email, the pats will be protected by: a. Transporting the data within the (State ~ouernmental Network} SGIr1 or Contractor's internal network., or; b. I=ncrypting any pate that will be in transit outside the SGN or Contractor"s internal network. This i~nc1udes transit Doer the public Internet. 3. protection at pate. The Contractor agrees to store Data on one or more of the fallowing media and prated the Data as described; a. Hard, disk dries, pate stored an local workstation hard disks. Access to the Data gill be restricted to Authorized User(sy by requiring logon to the focal workstation using a Unique User ID and l-tardened Password or other authentication mechanisms which provide equal. or greater security, such as biometrics or smart. cards. E~tetwork server desks. t~ata stored on hard disks mounted on network servers and made available through shared folders. Access to the Data will) be restricted to Authorized Users through the use of access control. lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provideequal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism, For Y3SHS Confidential Information stared on these disks, deleting unneededData is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the shove paragraph. 'pestruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken Drat of the Secured Area, ~3SHS Ceniral GantsacE Ser+riCes Page 19 3~r7C]$-91 Washnngtan C©nneG[ian f~S I~sterkocal {9-~8-tZ~ Special 1f,arrr~s and Conditions c. C3pticat discs [CB]s or DV[3s) in local workstation optical disc drives. Data provided by DS'HS on optical discs which will be used in loca'I workstation optical disc drives and which wile no# iae transported out of a Secured Area. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only Authorized Users have the key, combination or mechanism required to access the contents of the container. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. d. pptical discs tCQs or E~V1]s~ in drives or jukeboxes attached to servers. Data provided by DSl-~S on optical discs which will be attached to network servers and which will not be transported out of a Secured Area. Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User IUD and 'Hardened Password or other authentication rnechanism~s which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lack, or comparable mechan+sm. e. paper docurr~ents. Any paper records must be protected by staring the records in a Secured Area which is only accessible to authorized personnel. When not in use, such records must be stared in a locked container, such as a fate cabinet, locking drawer, or safe, to which only authorized persons have access. Remote access. Access to and use of the Data over the State Governmental Network {SGN} or Secure Access Washington ~SA'IN~ wild be controlled by DSHS staff who will issue authentication credentials ~e.g. a Unique User lD and 'Hardened Password) to Authorized Users on Contractor staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of such credentials is terminated or otherwise leaves the emp'!oy of the Contractor, and whenever an Authorized User's duties change such that the Authorized User no longer requires access to perform work for this Contract.. g. Data storage oin portab[e devices or media. (1) Except where otherwise specifeed hereon, DSHS Data shall not be stored by the Contractor on portable devices or media unless specifically authorized with'sn the terms and conditions of the Contract. if so authorized, the Data shall be given the following protections: ~a} Encrypt the Data with a key length of at least 128 bits (b) Control access to devices with a Unique User 1D and Hardened Password or stronger authentication method such as a physical token or biometrics. (c} ivlanually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, ifi this feature is available lVlaximum period of inactivity is 20 minutes. Physically Secure the portable devices} andlor media by {d} Keeping them in locked storage when not in use fie) Using check-inlcheck-out procedures when they are shared, and D5f-{5 Cent~a! Contract Services Page ~4 3~67r75-91 V~~Iashingtan Connection pS lnterlpcal (9-18-12} Special Perms and Conditions ~f} °Faking frequent inventories [2} 1JIPherh being transported outside of a Secured Area, portable devices anal media with DSHS Confidential Information must be under the physical control of Contractor staff with authorization to access the Data. (S) Portable devices include, but are not limited toy smart phones, tablets, flash memory devices ~e g, >,95~3 flash drives, personal media players), portable hard disks, and Iaptoplnotebooklnetboak computers if those computers may be transported outside of a Secured Area. (4} Portable media includes, but is not limited to; optical rrxedia (e.g. CDs, DVDs}, magnetic media (e.g. floppy disks, tape}, or hash media te.g. Compact lash, SD, MNiC}. h. pate stored for baclt~p purposes.. (1 } DSHS data may be stored on portable media as part of a Contractor's existing, documented backup process for business continuity or disaster recovery purposes.. Such storage is authorized until such time as tl'~at media would be reused during the course of normal backup operations, If backup media is retired while DSHS Confidential Information still exists upon it, such media will be destroyed at that time in accordance with the disposition requirements in Section 5. Data Disposition ~~} pSI~kS Data may be stored on non-portable media (e.g. Storage Area Network drives, virtue! media, etc-} as part of a Contractor's existing, documented backup process for business continuity or disaster recovery purposes. If 50, such media will be protected as otherwise described in this exhibit. If this media is retired while DSHS Confidential Information still exists upon it, the data will be destroyed at that time in accordance with the disposition requirements in Section 5. Data Disposition.. ~.. pate $egre~atior~. a. pSHS Data must be segregated or otherwise distinguishable from non-DSHS data. This is to ensure that when no longer needed by the Contractor, all DSHS Data can be identified for return or destruction. It also aids in determining whether DSHS Data has or may have been compromised in the event of a security breach. As such, one or more of the following methods will be used for data segregation. b, pSHS Data will be kept on media te.g. hard disk, optical disc, tape, etc.} which will contain no nonR DSHS Data. Andlar,. c. DSHS Data will be stored in a logical container on electronic media, such as a partition or folder dedicated to DSHS Data. Andfor, d. DSHS Data will be stored in a database which will contain no non-DSHS data. Andlor, e. DSHS Data will be stared within a database and wi11 be distinguishable from non-DSHS data by the vague of a specific field or fields within database records. Vtfhen stored as physical paper documents, DSHS Data will be physically segregated from nan- DSHS data in a drawer, folder, or other container. C~SHS G~ntr~~ Gantr~ct 5enrioes Pale 2i 3[]67DS-99 U'dashengts~n Gonn~etion r~S 6nter4ncal {9-~ 8-12) 5peciat Terms and Conditions g. 1NDen it is not feasible or practical to segregate DSHS Data from non-DSHS data, then both the DSHS Data and tle non~DSHS data with which it is commingled must be protected as described in this exhibit. ~, meta pispasition. When the contracted wont 'has been completed or when no longer needed, except as Hated in 4.b above, Data shall be returned fo DSHS or destroyed. Media on which Data may be stored and associated acceptable methods of destruction are as follows: data stored vn; I~11'ill be destra ed b _-___.__t=__ _ Server or workstation hard disks, or Using a "wipe" utility which will overwrite the Data at least three (3} times using either random or single 'Removable media ~e.g. floppies, USB flash drives, character data, or portable hard disksy excluding optical discs Degaussing sufficiently to ensure that the Data cannot be reconstructed, or the disk Paper documents with sensitive or Confidential -- - Recycling through a contracted firm provided the Information contract with the recycler assures that the confidentiality of Data will be protected Paper documents containing Confidential Bnformation On-site shredding, pulping, or incineration requiring special Dandling i;e.g. protected health information} C1p#ical discs (e.g. CDs or DVDs} - `Incineration; shredding, or completely defacing the readable surface with a coarse abrasive Magnetic tape ~ Degaussing, incinerating or crosscut shredding G. Notification of Corraprorr~ise or Potential Compromise. 'f`he compromise or potential compromise of DSHS shared Data must be reported to tie DSHS Contact designated in the Contract within one (1} business day of discovery. If no DSHS Contact is designated in the Contract, then the notification must be reported to the DSHS Privacy C)fficer at dshsprivacyofficer@dshs.wa.t~ov, Contractor must also take actions to mitigate the risk of 'Goss and comply with any notification or other requirements imposed by law or DSHS. '~, pate shared with Subcontractors. if DSHS Data provided under this Contract is to be shared with a subcontractor, the Gontract with the subcontractor must include all of the data security provisions within this Contract and within any amendments, attachments, or exhibits within this Contract. If the Contractor cannot prefect the Data as articulated within this Contract, then the contract with the sub- Contractormust be submitted to the DSHS Contact specified for this contract for review and approval. ^5HS Centra3 C~ntraeE Services Paps 22 30E7DS-91 ',Nasttinglon Co~nectsora [~S lnterEocal (9-18-12)