HomeMy WebLinkAbout110314_ca05i0
Consent A ends
615 Sheridan Streef
Port Townsend, WA 98368
www.JeffersonCountyPubl!cHealth.org
October 17, 2014
JEFFERSON COUNTY
BOARD OF COUNTY COMMISSIONERS
AGENDA REQUEST
TO: Board of County Commissioners
Philip Morley, County Administrator
FROM: Jean Baldwin, JCPH Director
DATE: I v D / . 51 2D +
SUBJECT: Agenda Item —Contract Amendment to Washington Connect
Datashare; November 14, 2014 — November 30, 2019;
STATEMENT OF ISSUE:
Jefferson County Public Health requests Board approval of the Amendment to an existing agency agreement
with DSHS for access to online federal, state, and local services through Washington Connection benefit
portal; November 14, 2014 — November 30, 2019.
ANALYSIS/ STRATEGIC GOALS /PRO'S and CON'S:
Washington Connection is a web -based benefit portal providing educational and application materials for a
broad array of services and benefits. JCPH is a Washington Connection Partner Assisting Agency. This
Amendment edits and add language to the existing agreement. The Amendment deletes langua the
General Terms and Conditions by removing #23 through #31 of the HIPPA Compliance section
the Special Terms and Conditions by adding a new definition and Childcare elements to the Statement of
Work; Removes interpretations and Property Rights; Adds Contractor Information stipulation. rye
FISCAL IMPACT /COST BENEFIT ANALYSIS:
There is no fiscal impact.
RECOMMENDATION:
JCPH management request approval of the Amendment to Agency Agreement with DSHS for Washington
Connection Datashare; November 14, 2014 — November 30, 2019.
REVIEWED BY:
Philip Morley,_ untyAdm 1strator
Community Health
Developmental Disabilities
360 -385 -9400
360 -385 -9401 (f)
Date
Always working for a safer and healthier community
Environmental Health
Water Quality
360 -385 -9444
(f) 360 - 379 -4487
M
, 0 DSHS Central Contract Services r""NM
>CO Page 1
6024PF Contract Amendment (3- 31 -06) Ic(fcrson Co. Prosecut il DPA
David Alvarez, Chief
DSHS CONTRACT NUMBER:
CONTRACT AMENDMENT
1391 -72916
�¢t
DEPARTF `OF Washington Connection Datashare
7r W °� o s,arc
SCYI
Amendment No. 01
SERVICCESLTH
Revised
This Contract Amendment is between the State of Washington Department of
Contract Number
Social and Health Services (DSHS) and the Contractor identified below.
Tcroogract,
r Cont ract Number
CONTRACTOR NAME
CONTRACTOR doing business as (DBA)
Jefferson County
Jefferson County Public Health
CONTRACTOR ADDRESS
WASHINGTON UNIFORM
DSHS INDEX NUMBER
BUSINESS IDENTIFIER (UBI)
615 Sheridan St
Port Townsend, WA 98368-
161 - 001 -169
1223
CONTRACTOR CONTACT
CONTRACTOR TELEPHONE
CONTRACTOR FAX
CONTRACTOR E -MAIL ADDRESS
Jean Baldwin
(360) 385 -9408
I 360) 385 -9401
ibaldwin@co.jefferson.wa.us
DSHS ADMINISTRATION
DSHS DIVISION
DSHS CONTRACT CODE
Economic Services Administration
Community Services Division
3067DS -91
DSHS CONTACT NAME AND TITLE
DSHS CONTACT ADDRESS
Stephanie Hill
PO Box 45440
Program Administrator
Olympia, WA 98504 -5440
DSHS CONTACT TELEPHONE
DSHS CONTACT FAX DSHS CONTACT E -MAIL ADDRESS
360 725-4666
360 725 -4905 hillsr dshs.wa. ov
IS THE CONTRACTOR A SUBRECIPIENT FOR PURPOSES OF THIS CONTRACT?
CFDA NUMBERS
No
AMENDMENT START DATE
CONTRACT END DATE
11/14/2014
11/30/2019
PRIOR MAXIMUM CONTRACT AMOUNT
AMOUNT OF INCREASE OR DECREASE
TOTAL MAXIMUM CONTRACT AMOUNT
$0.00
$0.00
$0.00
REASON FOR AMENDMENT:
CHANGE OR CORRECT CONTRACT TERMS OR SOW, SEE PAGE TWO
ATTACHMENTS. When the box below is marked with an X, the following Exhibits are attached and are incorporated into
this Contract Amendment by reference:
❑ Additional Exhibits (specify
This Contract Amendment, including all Exhibits and other documents incorporated by reference, contains all of the terms
and conditions agreed upon by the parties as changes to the original Contract. No other understandings or
representations, oral or otherwise, regarding the subject matter of this Contract Amendment shall be deemed to exist or
bind the parties. All other terms and conditions of the original Contract remain in full force and effect. The parties signing
below warrant that they have read and understand this Contract Amendment, and have authority to enter into this Contract
Amendment.
CONTRACTOR SIGNATURE -
PRINTED NAME AND TITLE
DATE SIGNED
DSHS SIGNATURE
PRINTED NAME AND TITLE
DATE SIGNED
Ramona Bushnell, Contracts Officer
DSHS/ESA/Comm unity Services Division
, 0 DSHS Central Contract Services r""NM
>CO Page 1
6024PF Contract Amendment (3- 31 -06) Ic(fcrson Co. Prosecut il DPA
David Alvarez, Chief
This Contract between the State of Washington Department of Social and Health Services (DSHS) and the
Contractor is hereby amended as follows:
1. The following sections of the DSHS General Terms and Conditions in the original contract are hereby
deleted and no longer in effect in this data sharing agreement:
Removal of #23 through #31 HIPAA Compliance
2. The Special Terms and Conditions are replaced in its entirety beginning on page three (3).
Specific changes include the following:
a. Addition of new definition #1.d. Contractor Contact as referenced on page one of this agreement
b. Addition of Childcare elements to #3 Statement of Work, c. Data Access or Transfer, (2), f through
h
c. Removal of #9 Interpretation and #10 Property Rights
d. Addition of new Special Term and Condition #9, Contractor Information
All other terms and conditions of this Contract remain in full force and effect.
DSHS Central Contract Services Page 2
6024PF Contract Amendment (3- 31 -06)
Special Terms and Conditions
Definitions Specific to Special Terms: The words and phrases listed below, as used in this
Contract, shall each have the following definitions:
a. "Applicant(s)" means individuals submitting an application, a renewal or reporting a change for
benefits or services.
"Assisting Agency" means the Contractor of this agreement and, community or faith based
organizations, tribal, city, or county municipalities who provide trained employees or volunteers to
help applicants complete and submit online applications through Washington Connection. These
agencies must sign a Data Share Agreement with DSHS and each employee and volunteer of the
agency with access to Applicant information must complete a DSHS non - disclosure form. Any
reference to Assisting Agency includes the Assisting Agency's employees, agents, officers,
subcontractors, third party contractors, volunteers, or directors.
c. "Authorized Representative" means someone designated by the Applicant to talk with DSHS about
his/her benefits. This individual is authorized to act on the Applicant's behalf for eligibility purposes.
d. "Contractor Contact" referenced on page one of this agreement, means the person who handles
the day -to -day duties related to this agreement. This person may or may not be the one who signs
this agreement on behalf of the Contractor.
e. "Data' means the information that is exchanged as described by this Agreement that is specifically
protected by law which may impose penalties for wrongful disclosure. This includes protected
health information under the HIPAA Privacy Rule.
f. "ESA" means Economic Services Administration.
g. "SAW" means SecureAccess Washington. SAW is a single sign -on application gateway created by
Washington State's Department of Information Services to access government services accessible
via the Internet.
h. "Washington Connection" means the web -based benefit portal that provides access to a broad
array of federal, state and local services and benefits to address basic needs.
2. Purpose
The purpose of this agreement is to allow the Contractor to assist Washington applicants to complete
an online application to provide more effective access to available federal, state and local services
through the Washington Connection benefit portal and carry out other activities designed to help them
maintain eligibility. This agreement also includes assisting contractors that submit paper applications
to DSHS.
3. Statement of Work
The Contractor shall provide the services and staff, and otherwise do all things necessary for or
incidental to the performance of work, as set forth below:
a. The Assisting Agency listed on page one of this Data Share Agreement is the Contractor, and
DSHS is the Data Provider in this agreement. In exchange for the receipt of information, the
DSHS Central Contract Services Page 3
6024PF Contract Amendment (3- 31 -06)
Contractor agrees to abide by the terms and conditions in this agreement.
(1) Anyone at the Contractor agency with access to Data will be required to read and complete a
non - disclosure agreement annually. The Contractor must maintain these forms and make them
available for inspection.
(2) When Contractors use Washington Connection for applications, DSHS will work with them to:
(a) Establish access to the DSHS Washington Connection and online application.
(b) Establish a Washington Connection SAW account with either an Employee or a Supervisor
access level:
Employee Access allows the individual to view, edit and submit applications when the
employee has provided direct access with the application through Washington
Connection as part of their work at the Assisting Agency.
Supervisor Access includes all functions of the Employee Access plus the ability to:
view, edit and submit all applications associated with employees assigned to the
supervisor in the Washington Connection profile; add, modify, and delete employees;
reassign applications between employees under the same supervisor, and request a
summary page of all application status (submitted or incomplete) associated with the
Assisting Agency.
(3) Consent Form and Use Limitation
(a) The Contractor must obtain a Consent form via Washington Connection with an e- signature
from the Applicant before accessing any Applicant Information. The Contractor must keep
any written DSHS consent form obtained from the Applicant onsite and provide them for
inspection upon request.
DSHS and the Contractor may need to share additional information to provide services,
but at no time should the Consent be interpreted to:
(A) Designate the Contractor as an "Authorized Representative"
(B) Allow DSHS to share Applicant information not needed for the purposes under this
agreement
(C) Allow DSHS to disclose documents or information from the Applicant's files or
records for other purposes outside the scope of this agreement
b. Description of Data
Data is limited to:
(a) application data
(b) defined display of household benefit information available through the Washington
Connection query system
c. Data Access or Transfer
DSHS Central Contract Services Page 4
6024PF Contract Amendment (3- 31 -06)
(1) If applications are received through Washington Connection and the Applicant has indicated
consent to share application data, a Contractor may view and print applications, reviews and
change of circumstances forms saved or submitted through Washington Connection for 90
calendar days from the last activity day. Application statuses, "submitted" or "not submitted ",
are also available for 90 calendar days from the last activity day. Contractors submitting paper
applications have no ability to view them online.
(2) If the correct client identification number or negative client identification number (includes a
minus sign before the number) is entered into the Washington Connection query system, the
successful query will result in the display of the following information for the listed head of
household if that person is not registered in the Address Confidentiality Program (ACP):
(a) Application Status
A = approved
P = Pending
D = Denied
M = Pending Spend -down (with base period and remaining amount)
(b) Eligibility history (12 month rolling) from DSHS and /or HCA
(c) Benefit amount for cash and food assistance programs only
(d) Number in the household associated with cash, food and medical benefits
(e) Benefit end date for each certification period (cash, food, medical, and childcare)
(f) Child's name receiving childcare services
(g) Childcare provider name for each child
(h) Copayment amount for each child
(3) Requirements for Access
(a) Access to Data shall be limited to staff (including employees and volunteers) whose duties
specifically require access to such Data in the performance of their assigned duties. Prior
to making Data available to its staff, Contractor shall notify all such staff of the Use and
Disclosure requirements.
(b) All staff accessing the data shall sign a Nondisclosure of Confidential Information form, or
its replacement, each year and agree to adhere to the use and disclosure requirements.
The signed, original form and a regularly updated list of staff with access to the Data shall
be maintained by the Contractor and submitted to the Data Provider upon request.
(c) The Contractor must remind staff annually of nondisclosure requirements and make
available to DSHS upon request evidence that they have reminded all staff with access to
Applicant data of the limitations, use or publishing of data.
(d) The Contractor must immediately notify the DSHS contact person listed on page one when
DSHS Central Contract Services Page 5
6024PF Contract Amendment (3- 31 -06)
any staff with access to the Data is terminated from employment or when his or her job
duties no longer require access to Data.
d. Limitations on Use of Data
If the Data and analyses generated by the Contractor contain Confidential Information about DSHS
Applicants, then any and all reports utilizing these Data shall be subject to review and approval by
the Data Provider prior to publication in any medium or presentation in any forum.
4. Data Security
a. Violations of the Nondisclosure provisions of this agreement may result in criminal or civil penalties.
Violation is a gross misdemeanor under RCW 74.04.060, punishable by imprisonment of not more
than one year and/or a fine not to exceed five thousand dollars. Sanctions also may apply under
other state and federal law, including civil and criminal penalties for violations of the HIPAA Privacy
and Security rules.
b. The Contractor shall take reasonable precautions to secure against unauthorized physical and
electronic access to Applicant Information. Data shall be protected in a manner that prevents
unauthorized persons, including the general public, from access by computer, remote terminal, or
other means.
c. Contractor shall notify the DSHS contact designated on the contract verbally and in writing of the
compromise or suspected compromise of the security or privacy of data within one (1) business
day and to work with DSHS to assess additional steps to be taken. The Contractor shall be
responsible to comply with legal requirements, provide notification of clients as needed and for any
costs associated mitigating the breach.
6. Confidentiality and Nondisclosure
a. Both parties may use Personal Information and other information or Data gained by reason of this
Agreement only for the purposes of this Agreement.
b. The data to be shared under this agreement is confidential in nature and is subject to state and
federal confidentiality requirement that bind the Contractor, its employees, and its subcontractors to
protect the confidentiality of the personal information contained in ESA data. Contractors may use
personal data and other data gained by reason of this agreement only for the purpose of this
agreement.
c. The Contractor shall maintain the confidentiality of personal data in accordance with state and
federal laws, and shall have adequate policies and procedures in place to ensure compliance with
confidentiality requirements, including restrictions on re- disclosure.
d. The Contractor agrees to keep Applicant information according to DSHS policy and procedures:
http7 / /asd dshs wa qov /rpau /rpau- adminpoIicy.htm.
(1) Neither party shall link the Data with Personal Information or individually identifiable data from
any other source nor re- disclose or duplicate the Data unless specifically authorized to do so in
this Agreement or by the prior written consent of the other party.
6. Consideration
There is no cost to either party as each will pay for its own costs to perform this contract.
DSHS central Contract Services Page 6
6024PF Contract Amendment (3- 31 -06)
Payment
a. The Contractor will receive the information provided under this agreement at no charge. Each
party shall be responsible for any expenses incurred in providing or receiving information.
The Contractor is responsible for any costs associated with accessing Applicant data. This
includes any costs for hardware /software upgrades, and costs to improve any systems or
processors that will enable the Contractor to access the data.
8. Disputes
Either party may submit a request for resolution of a Contract dispute (rates set by law, regulation or
DSHS policy are not disputable). The requesting party shall submit a written statement identifying the
issue(s) in dispute and the relative positions of the parties. A request for a dispute resolution must
include the Contractors name, address, and Contract number, and be mailed to the address listed
below within 30 calendar days after the party could reasonably be expected to have knowledge of the
issue in dispute.
DSHS /Community Services Division
PO Box 45470
Olympia, WA 98504 -5470
Attn, Contracts Unit
9. Contractor Information
The Contractor shall forward to the DSHS Contact person named on page 1 of this Contract (or
successor) within ten (10) working days, any information concerning the Contractor's contact person.
This would be the person who handles the daily operations regarding this contract. Changes include a
change of contractor business name, contractor contact name, address, telephone number, fax
number, e-mail address, business status and /or names of staff who are current state employees.
DSHS Central Contract Services Page 7
6024PF Contract Amendment (3- 31 -06)
INTERLOCAL DATASHARE
1DSHS 391 -7 Agreement 916 Number
1391 -72916
(� ¢b
TRENT OF
�
Cli
JC 7' ... CC AGREEMENT
Washington Connection
Program Contract Number:
is by and between the State of Washington Department
This Agreement
of Social and Health Services (DSHS) and the Contractor identified Contractor contract Number:
below, and is issued pursuant to the Interlocal Cooperation Act, chapter
39.34 RCW.
CONTRACTOR NAME CONTRACTOR doing business as (DBA)
Jefferson Count Jefferson Count Public Health
CONTRACTOR ADDRESS WASHINGTON UNIFORM DSHS INDEX NUMBER
BUSINESS IDENTIFIER (UBI)
615 Sheridan St 161 - 001 -169 1223
Port Townsend, WA 98368 -
CONTRACTOR CONTACT CONTRACTOR TELEPHONE CONTRACTOR FAX CONTRACTOR E -MAIL ADDRESS
Jean Baldwin 360 385 -9408 360 385 -9401 jbaidwin@co.jefferson.wa.us
DSHS ADMINISTRATION DSHS DIVISION DSHS CONTRACT CODE
Economic Services Community Services Division 3067DS -91
Administration DSHS CONTACT ADDRESS
DSHS CONTACT NAME AND TITLE
Stephanie Hill PO Box 45440
Pro ram Administrator OI m ia, WA 98504 -5440
DSHS CONTACT FAX DSHS CONTACT E -MAIL ADDRESS
DSHS CONTACT TELEPHONE
1
360 725 -4666 360 725 -4905 hillsr dshs.wa. ov
IS THE CONTRACTOR A SUBRECIPIENT FOR PURPOSES OF THIS CONTRACT? CFDA NUMBER(S)
No
AGREEMENT START DATE AGREEMENT END DATE MREEMENT AMOUNT
05/01 /2013 04/30/2018
EXHIBITS. The following Exhibits are attached and are incorporated into this Agreement by reference:
® Data Security: Exhibit A — Data Security Requirements
❑ Exhibits (specify):
The terms and conditions of this Agreement are an integration and representation of the final, entire and exclusive
understanding between the parties superseding and merging all previous agreements, writings, and communications, oral
the subject matter of this Agreement, between the parties The parties signing below represent
or otherwise regarding
they have read and understand this Agreement, and have the authority to execute this Agreement. This Agreement shall
be bindin on DSHS onl on si ature b DSHS.
CONTRACT SIG Uon' PRINTED NAME AND Ty(�E�( DATE SIGNED
I^
DSHS SIGNAT E
PRINTED ME AND TITLE
DATE SIGNED
�7 JJ
Yll
Ramona Bushnell, Contracts Officer
DSHS/ESA/Community Services Division
Cl >
L ��
I Approved as to form only:
, � s�
DSHS Central Contract Services Page 1
3067DS -91 Washington Connection DS Interlocal (9 -1 &12) (j,L 'fwyY 1
Jefferson Co. ProsecutorU Office
DSHS General Terms and Conditions
Definitions. The words and phrases listed below, as used in this Contract, shall each have the
following definitions:
a. "Central Contract Services" means the DSHS central headquarters contracting office, or successor
section or office.
b. "Confidential Information" or "Data" means information that is exempt from disclosure to the public
or other unauthorized persons under RCW 42.56 or other federal or state laws. Confidential
Information includes, but is not limited to, Personal Information.
C. "Contract" or "Agreement" means the entire written agreement between DSHS and the Contractor,
including any Exhibits, documents, or materials incorporated by reference. The parties may execute
this contract in multiple counterparts, each of which is deemed an original and all of which
constitute only one agreement. E -mail or Facsimile transmission of a signed copy of this contract
shall be the same as delivery of an original.
d. "Contracts Administrator" means the manager, or successor, of Central Contract Services or
successor section or office.
e. "Contractor' means the individual or entity performing services pursuant to this Contract and
includes the Contractor's owners, members, officers, directors, partners, employees, and /or agents,
unless otherwise stated in this Contract. For purposes of any permitted Subcontract, "Contractor"
includes any Subcontractor and its owners, members, officers, directors, partners, employees,
and /or agents.
f. "Debarment" means an action taken by a Federal agency or official to exclude a person or business
entity from participating in transactions involving certain federal funds.
g. "DSHS" or the "Department" means the state of Washington Department of Social and Health
Services and its employees and authorized agents.
"Encrypt" means to encode Confidential Information into a format that can only be read by those
possessing a "key ", a password, digital certificate or other mechanism available only to authorized
users. Encryption must use a key length of at least 128 bits.
"Personal Information" means information identifiable to any person, including, but not limited to,
information that relates to a person's name, health, finances, education, business, use or receipt of
governmental services or other activities, addresses, telephone numbers, Social Security Numbers,
driver license numbers, other identifying numbers, and any financial identifiers.
j. "Physically Secure" means that access is restricted through physical means to authorized
individuals only.
k. "Program Agreement" means an agreement between the Contractor and DSHS containing special
terms and conditions, including a statement of work to be performed by the Contractor and payment
to be made by DSHS.
I. "RCW" means the Revised Code of Washington. All references in this Contract to RCW chapters or
sections shall include any successor, amended, or replacement statute. Pertinent RCW chapters
can be accessed at http: / /apps.leg.wa.gov /rcw /.
m. "Regulation" means any federal, state, or local regulation, rule, or ordinance.
DSHS Central Contract Services Page 2
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
n. "Secured Area" means an area to which only authorized representatives of the entity possessing
the Confidential Information have access. Secured Areas may include buildings, rooms or locked
storage containers (such as a filing cabinet) within a room, as long as access to the Confidential
Information is not available to unauthorized personnel.
o. "Subcontract' means any separate agreement or contract between the Contractor and an individual
or entity ( "Subcontractor") to perform all or a portion of the duties and obligations that the Contractor
is obligated to perform pursuant to this Contract.
p. "Tracking" means a record keeping system that identifies when the sender begins delivery of
Confidential Information to the authorized and intended recipient, and when the sender receives
confirmation of delivery from the authorized and intended recipient of Confidential Information.
q. "Trusted Systems" include only the following methods of physical delivery: (1) hand - delivery by a
person authorized to have access to the Confidential Information with written acknowledgement of
receipt; (2) United States Postal Service ( "USPS ") first class mail, or USPS delivery services that
include Tracking, such as Certified Mail, Express Mail or Registered Mail; (3) commercial delivery
services (e.g. FedEx, UPS, DHL) which offer tracking and receipt confirmation; and (4) the
Washington State Campus mail system. For electronic transmission, the Washington State
Governmental Network (SGN) is a Trusted System for communications within that Network.
r. "WAC" means the Washington Administrative Code. All references in this Contract to WAC
chapters sections
sections llcaln be accessed at http:/ /apps. eg wa.gov /wac/ replacement regulation. Pertinent
WAC chapters
2. Amendment. This Contract may only be modified by a written amendment signed by both parties. Only
personnel authorized to bind each of the parties may sign an amendment.
3. Assignment. The Contractor shall not assign this Contract or any Program Agreement to a third party
without the prior written consent of DSHS.
4. Billing Limitations.
a. DSHS shall pay the Contractor only for authorized services provided in accordance with this
Contract.
b. DSHS shall not pay any claims for payment for services submitted more than twelve (12) months
after the calendar month In which the services were performed.
c. The Contractor shall not bill and DSHS shall not pay for services performed under this Contract, if
the Contractor has charged or will charge another agency of the state of Washington or any other
party for the same services.
5. Compliance with Applicable Law. At all times during the term of this Contract, the Contractor shall
comply with all applicable federal, state, and local laws and regulations, including but not limited to,
nondiscrimination laws and regulations.
g. Confidentiality.
a. The Contractor shall not use, publish, transfer, sell or otherwise disclose any Confidential
Information gained by reason of this Contract for any purpose that is not directly connected with
Contractor's performance of the services contemplated hereunder, except:
DSHS Central Contract Services Page 3
3067DS -91 Washington Connection DS Interlocal (9- 18-12)
DSHS General Terms and Conditions
(1) as provided by law; or,
(2) in the case of Personal Information, with the prior written consent of the person or personal
representative of the person who is the subject of the Personal Information.
The Contractor shall protect and maintain all Confidential Information gained by reason of this
Contract against unauthorized use, access, disclosure, modification or loss. This duty requires the
Contractor to employ reasonable security measures, which include restricting access to the
Confidential Information by:
(1) Allowing access only to staff that have an authorized business requirement to view the
Confidential Information.
(2) Physically Securing any computers, documents, or other media containing the Confidential
Information.
(3) Ensure the security of Confidential Information transmitted via fax (facsimile) by:
(a) Verifying the recipient phone number to prevent accidental transmittal of Confidential
Information to unauthorized persons.
(b) Communicating with the intended recipient before transmission to ensure that the fax will be
received only by an authorized person.
(c) Verifying after transmittal that the fax was received by the intended recipient.
(4) When transporting six (6) or more records containing Confidential Information, outside a
Secured Area, do one or more of the following as appropriate:
(a) Use a Trusted System.
(b) Encrypt the Confidential Information, including:
i. Encrypting email and /or email attachments which contain the Confidential Information.
ii. Encrypting Confidential Information when it is stored on portable devices or media,
including but not limited to laptop computers and flash memory devices.
Note: If the DSHS Data Security Requirements Exhibit is attached to this contract, this
item, 6.b.(4), is superseded by the language contained in the Exhibit.
(5) Send paper documents containing Confidential Information via a Trusted System.
(6) Following the requirements of the DSHS Data Security Requirements Exhibit, if attached to this
contract.
C. Upon request by DSHS, at the end of the Contract term, or when no longer needed, Confidential
Information shall be returned to DSHS or Contractor shall certify in writing that they employed a
DSHS approved method to destroy the information. Contractor may obtain information regarding
approved destruction methods from the DSHS contact identified on the cover page of this Contract.
d. Paper documents with Confidential Information may be recycled through a contracted firm, provided
the contract with the recycler specifies that the confidentiality of information will be protected, and
the information destroyed through the recycling process. Paper documents containing Confidential
DSHS Central Contract Services Page 4
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
Information requiring special) handling (. .g protected health information) must be destroyed on -site
through shredding, pulping, or
e. Notification of Compromise or Potential Compromise. The compromise or potential compromise of
Confidential Information must be reported to the DSHS Contact designated on the contract within
one (1) business day of discovery. Contractor must also take actions to mitigate the risk of loss and
comply with any notification or other requirements imposed by law or DSHS.
7. Debarment Certification. The Contractor, by signature to this Contract, certifies that the Contractor is
not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded
by any Federal department or agency from participating in transactions (Debarred). The Contractor also
agrees to include the above requirement in any and all Subcontracts into which it enters. The
Contractor shall immediately notify DSHS if, during the term of this Contract, Contractor becomes
Debarred. DSHS may immediately terminate this Contract by providing Contractor written notice if
Contractor becomes Debarred during the term hereof.
$
laws Governing h Contract shall
of the sta e of Washingtonand thevenueo construed accordance
f any actiohereunder brought hereunder shall ben Superior
Court for Thurston County.
g, independent Contractor. The parties intend that an independent contractor relationship will be created
by this Contract. The Contractor and his or her employees or agents performing under this Contract are
not employees or agents of the Department. The Contractor, his or her employees, or agents
performing under this Contract will not hold himself /herself out as, nor claim to be, an officer or
employee of the Department by reason hereof, nor will the Contractor, his or her employees, or agent
make any claim of right, privilege or benefit that would accrue to such officer or employee.
10. Inspection. The Contractor shall, at no cost, provide DSHS and the Office of the State Auditor with
reasonable access to Contractor's place of business, Contractor's records, and DSHS client records,
wherever located. These inspection rights are intended to allow DSHS and the Office of the State
Auditor to monitor, audit, and evaluate the Contractor's performance and compliance with applicable
laws, regulations, and these Contract terms. These inspection rights shall survive for six (6) years
following this Contract's termination or expiration.
11. Maintenance of Records. The Contractor shall maintain records relating to this Contract and the
performance of the services described herein. The records include, but are not limited to, accounting
procedures and practices, which sufficiently and properly reflect all direct and indirect costs of any
nature expended in the performance of this Contract. All records and other material relevant to this
Contract shall be retained for six (6) years after expiration or termination of this Contract.
Without agreeing that litigation or claims are legally authorized, if any litigation, claim, or audit is started
before the expiration of the six (6) year period, the records shall be retained until all litigation, claims, or
audit findings involving the records have been resolved.
12. Order of Precedence. In the event of any inconsistency or conflict between the General Terms and
Conditions and the Special Terms and Conditions of this Contract or any Program Agreement, the
inconsistency or conflict shall be resolved by giving precedence to these General Terms and
Conditions. Terms or conditions that are more restrictive, specific, or particular than those contained in
the General Terms and Conditions shall not be construed as being Inconsistent or in conflict.
13. Severability. If any term or condition of this Contract is held invalid by any court, the remainder of the
Contract remains valid and in full force and effect.
DSHS central contract Services Page 5
3067DS -91 Washington connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
14. Survivability. The terms and conditions contained in this Contract or any Program Agreement which,
by their sense and context, are intended to survive the expiration or termination of the particular
agreement shall survive. Surviving terms include, but are not limited to: Billing Limitations;
Confidentiality, Disputes; Indemnification and Hold Harmless, Inspection, Maintenance of Records,
Notice of Overpayment, Ownership of Material, Termination for Default, Termination Procedure, and
Treatment of Property.
15. Termination Due to Change in Funding. If the funds DSHS relied upon to establish this Contract or
Program Agreement are may immediately terminate this Contract providindifwri tennnotice to the laced
on such funding, DSHS may Y Y g
Contractor. The termination shall be effective on the date specified in the termination notice.
16. Waiver. Waiver of any breach or default on any occasion shall not be deemed to be a waiver of any
subsequent breach or default. Any waiver shall not be construed to be a modification of the terms and
conditions of this Contract. Only the DSHS Contracts Administrator or designee has the authority to
waive any term or condition of this Contract on behalf of DSHS.
Additional General Terms and Conditions — Interlocal Agreements:
17. Disputes. Disputes shall be determined by a Dispute Board. Each party to this Agreement shall
appoint one member to the Dispute Board. The members so appointed shall jointly appoint an
additional member to the Dispute Board. The Dispute Board shall review the facts, Agreement terms,
and applicable statutes and rules and make a determination of the dispute. As an alternative to this
process, either party may request intervention by the Governor, as provided by RCW 43.17.330, in
which event the Governor's process shall control. Participation in either dispute process shall precede
any judicial or quasi - judicial action and shall be the final administrative remedy available to the parties.
18. Hold Harmless.
a. The Contractor shall be responsible for and shall hold DSHS harmless from all claims, loss, liability,
damages, or fines arising out of or relating to the Contractor's, or any Subcontractor's, performance
or failure to perform this Agreement, or the acts or omissions of the Contractor or any
Subcontractor. DSHS shall be responsible for and shall hold the Contractor harmless from all
claims, loss, liability, damages, or fines arising out of or relating to DSHS' performance or failure to
perform this Agreement.
b. The Contractor waives its immunity under Title 51 RCW to the extent it is required to indemnify,
defend, and hold harmless the State and its agencies, officials, agents, or employees.
19. ownership of Material. Material created by the Contractor and paid for by DSHS as a part of this
Contract shall be owned by DSHS and shall be "work made for hire" as defined by Title 17 USCA,
Section 101. This material includes, but is not limited to: books; computer programs; documents; films;
pamphlets; reports; sound reproductions, studies; surveys; tapes; and/or training materials. Material
which the Contractor uses to perform the Contract but is not created for or paid for by DSHS is owned
by the Contractor and is not "work made for hire "; however, DSHS shall have a perpetual license to use
this material for DSHS internal purposes at no charge to DSHS, provided that such license shall be
limited to the extent which the Contractor has a right to grant such a license.
20. Subrecipients.
a. General. If the Contractor
A-133 and
is phis lt of federal the Contractor defi defined by Office of Management
and Budget (OMB)
DSHS Central Contract Services Page 6
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
(1) Maintain records that identify, in its accounts, all federal awards received and expended and the
federal programs under which they were received, by Catalog of Federal Domestic Assistance
(CFDA) title and number, award number and year, name of the federal agency, and name of the
pass- through entity;
(2) Maintain internal controls that provide reasonable assurance that the Contractor is managing
federal awards in compliance with laws, regulations, and provisions of contracts or grant
agreements that could have a material effect on each of its federal programs;
(3) Prepare appropriate financial statements, including a schedule of expenditures of federal
awards;
(4) Incorporate OMB Circular A -133 audit requirements into all agreements between the Contractor
and its Subcontractors who are subrecipients,
(5) Comply with any future amendments to OMB Circular A -133 and any successor or replacement
Circular or regulation;
(6) Comply with the applicable requirements of either 2 CFR, Part 225 (OMB Circular A -87) or 2
CFR, Part 230 (OMB Circular A -122), and any successor or replacement Circular or regulation;
and
(7) Comply with the Omnibus Crime Control and Safe streets Act of 1968, Title VI of the Civil Rights
Act of 1964, Section 504 of the Rehabilitation Act of 1973, Title II of the Americans with
Disabilities Act of 1990, Title IX of the Education Amendments of 1972, The Age Discrimination
Act of 1975, and The Department of Justice Non - Discrimination Regulations, 28 C.F.R. Part 42,
Subparts C.D.E. and G, and 28 C.F.R. Part 35 and 39. (Go to www.oip.us oi.gov/ocr/ for
additional information and access to the aforementioned Federal laws and regulations.)
b. Single Audit Act Compliance. If the Contractor is a subrecipient and expends $500,000 or more in
federal awards from any and/or all sources in any fiscal year, the Contractor shall procure and pay
for a single audit or a program- specific audit for that fiscal year. Upon completion of each audit, the
Contractor shall:
(1) Submit to the DSHS contact person the data collection form and reporting package specified in
OMB Circular A -133, reports required by the program- specific audit guide (if applicable), and a
copy of any management letters issued by the auditor;
(2) Follow-up and develop Summary Schedule of o Prior 111 audit findings; in accordance with OMB Circular
A -133, prepare
D. Overpayments. If it is determined by DSHS, or during the course of a required audit, that the
Contractor has been paid unallowable costs under this or any Program Agreement, DSHS may
require the Contractor to reimburse DSHS in accordance with either 2 CFR, Part 225 (OMB Circular
A -87) or 2 CFR, Part 230 (OMB Circular A -122).
21. Termination.
a. Default. If for any cause, either party fails to fulfill its obligations under this Agreement in a timely
and proper manner, or if either party violates any of the terms and conditions contained in this
Agreement, then the aggrieved party will give the other party written notice of such failure or
violation. The responsible party will be given 15 working days to correct the violation or failure. I
the failure or violation is not corrected, this Agreement may be terminated immediately by written
DSHS Central contract Services Page 7
3067DS -91 Washington connection DS Interlocal (9- 16 -12)
DSHS General Terms and Conditions
notice from the aggrieved party to the other party.
b. Convenience. Either party may terminate this Interlocal Agreement for any other reason by
providing 30 calendar days' written notice to the other party.
c. Payment for Performance. If this Interlocal Agreement is terminated for any reason, DSHS shall
only pay for performance rendered or costs incurred in accordance with the terms of this Agreement
and prior to the effective date of termination.
22. Treatment of Client Property. Unless otherwise provided, the Contractor shall ensure that any adult
client receiving services from the Contractor has unrestricted access to the client's personal property.
The Contractor shall not interfere with any adult client's ownership, possession, or use of the client's
property. The Contractor shall provide clients under age eighteen (18) with reasonable access to their
personal property that is appropriate to the client's age, development, and needs. Upon termination of
the Contract, the Contractor shall immediately release to the client and/or the client's guardian or
custodian all of the client's personal property.
HIPAA Compliance.
23. Definitions.
a. "Business Associate," as used in this Contract, means the "Contractor' and generally has the same
meaning as the term "business associate' at 45 CFR 160.103. Any reference to Business
Associate in this Contract includes Business Associate's employees, agents, officers,
subcontractors, third party contractors, volunteers, or directors.
b. "Covered Entity" means DSHS, a Covered Entity as defined at 45 CFR 160.103, in its conduct of
covered functions by its health care components.
c. "Designated Record Set" means a group of records maintained by or for a Covered Entity, that is:
the medical and billing records about Individuals maintained by or for a covered health care
provider; the enrollment, payment, claims adjudication, and case or medical management record
systems maintained by or for a health plan; or used in whole or part by or for the Covered Entity to
make decisions about Individuals.
d. "Electronic Protected Health Information (EPHI)" means protected health information that is
transmitted by electronic media or maintained in any medium described in the definition of
electronic media at 45 CFR 162.103.
e. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Pub, L. 104 -191, as
modified by the American Recovery and Reinvestment Act of 2009 ( "ARRA "), Sec. 13400 — 13424,
H.R. 1 (2009) (HITECH
f. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR
Parts 160 and Part 164.
g. "Individual(s)" means the person(s) who is the subject of PHI and includes a person who qualifies
as a personal representative in accordance with 45 CFR 164.502(g).
h. "Minimum Necessary" means the least amount of PHI necessary to accomplish the purpose for
which the PHI is needed.
"Protected Health Information (PHI)" means individually identifiable health information created,
DSHS Central Contract Services Page 8
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
received, maintained or transmitted by Business Associate on behalf of a health care component of
the Covered Entity that relates to the provision of health care to an Individual; the past, present, or
future physical or mental health or condition of an Individual; or the past, present, or future payment
for provision of health care to an Individual. 45 CFR 160.103. PHI includes demographic
information that identifies the Individual or about which there is reasonable basis to believe can be
used to identify the Individual. 45 CFR 160.103. PHI is information transmitted or held in any form
or medium and includes EPHI. 45 CFR 160.103. PHI does not include education records covered
by the Family Educational Rights and Privacy Act, as amended, 20 USCA 1232g(a)(4)(B)(iv) or
employment records held by a Covered Entity in its role as employer.
j, ,Subcontractor" as used in this Contract means a Business Associate that creates, receives,
maintains, or transmits protected health information on behalf of another Business Associate.
k. "Use, includes the sharing, employment, application, utilization, examination, or analysis, of PHI
within an entity that maintains such information.
24. Compliance. Business Associate shall perform all Contract duties, activities and tasks in compliance
with HIPAA, the HIPAA Rules, and all attendant regulations as promulgated by the U.S. Department of
Health and Human Services, Office of Civil Rights.
25. Use and Disclosure of PHI. Business Associate is limited to the following permitted and required uses
or disclosures of PHI:
a. Duty to Protect PHI. Business ith Subs art C of 45 CFR Part H64r(Securty Stalndards or he Protection
safeguards, and comply p
of Electronic Protected Health Information) with respect to EPHI, to prevent the unauthorized use or
disclosure of PHI other than as provided for in this Contract or as required by law, for as long as the
PHI is within its possession and control, even after the termination or expiration of this Contract.
b stands d o any use o Standard.
disclosure oftPHI necessary to achieve the epurposesnof this Contract See
45 CFR 164.514 (d)(2) through (d)(5).
Disclosure as Part of the Provision of Services. Business Associate shall only use or disclose PHI
as necessary to perform the services specified in this Contract or as required by law, and shall not
use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part 164 (Privacy
of Individually Identifiable Health Information) if done by Covered Entity, except for the specific uses
and disclosures set forth below.
d. Use for Proper Management and Administration. Business Associate may use PHI for the proper
management and administration of the Business Associate or to carry out the legal responsibilities
Of the Business Associate.
e. Disclosure for Proper Management and Administration. Business Associate may disclose PHI for
the proper management and administration of Business Associate or to carry out the legal
responsibilities of the Business Associate, provided the disclosures are required by law, or
Business Associate obtains reasonable assurances from the person to whom the information is
disclosed that the information will remain confidential and used or further disclosed only as required
by law or for the purposes for which it was disclosed to the person, and the person notifies the
Business Associate of any instances of which it is aware in which the confidentiality of the
information has been breached.
f. Impermissible Use or Disclosure of PHI
DSHS Central contract Services
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
Business Associate shall report to DSHS in writing all
Page 9
DSHS General Terms and Conditions
uses or disclosures of PHI not provided for by this Contract within one (1) business day of
becoming aware of the unauthorized use or disclosure of PHI, including breaches of unsecured PHI
as required at 45 CFR 164.410 (Notification by a Business Associate), as well as any security
incident of which it becomes aware. Upon request by DSHS, Business Associate shall mitigate, to
the extent practicable, any harmful effect resulting from the impermissible use or disclosure.
g. Failure to Cure. If DSHS learns of a pattern or practice of the Business Associate that constitutes a
violation of the Business Associate's obligations under the terms of this Contract and reasonable
steps by DSHS do not end the violation, DSHS shall terminate this Contract, if feasible. In addition,
If Business Associate learns of a pattern or practice of its subcontractors that constitutes a violation
of the Business Associate's obligations under the terms of their contract and reasonable steps by
the Business Associate do not end the violation, Business Associate shall terminate the
subcontract, if feasible.
h. Termination for Cause. Business Associate authorizes immediate termination of this Contract by
DSHS, if DSHS determines that Business Associate has violated a material term. DSHS may, at its
sole option, offer Business Associate an opportunity to cure a violation before exercising a
termination for cause.
Consent to Audit. Business Associate shall give reasonable access to PHI, its internal practices,
records, books, documents, electronic data and /or all other business information received from, or
created or received by Business Associate on behalf of DSHS, to the Secretary of DHHS and /or to
DSHS for use in determining compliance with HIPAA privacy requirements.
j. Obligations of Business Associate Upon Expiration or Termination. Upon expiration or termination
of this Contract for any reason, with respect to PHI received from DSHS, or created, maintained, or
received by Business Associate, or any subcontractors, on behalf of DSHS, Business Associate
shall:
(1) Retain only that PHI which is necessary for Business Associate to continue its proper
management and administration or to carry out its legal responsibilities;
(2) Return to DSHS or destroy the remaining PHI that the Business Associate or any
subcontractors still maintain in any form;
(3) Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164
(Security Standards for the Protection of Electronic Protected Health Information) with respect to
electronic protected health information to prevent use or disclosure of the PHI, other than as
provided for in this Section, for as long as Business Associate or any subcontractors retain the
PHI,
(4) Not use or disclose the PHI retained by Business Associate or any subcontractors other than for
the purposes for which such PHI was retained and subject to the same conditions set out in the
"Use and Disclosure of PHI" section of this Contract which applied prior to termination, and
(5) Return to DSHS or destroy the PHI retained by Business Associate, or any subcontractors,
when it is no longer needed by Business Associate for its proper management and
administration or to carry out its legal responsibilities.
k. Survival. The obligations of the Business Associate under this section shall survive the termination
or expiration of this Contract.
26, Individual Rights.
DSHS Central Contract Services Page 10
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
a. Accounting of Disclosures.
(1) Business Associate shall document all disclosures of PHI and information related to such
disclosures.
(2) Within ten (10) business days of a request from DSHS, Business Associate shall make available
to DSHS the information in Business Associate's possession that is necessary for DSHS to
respond in a timely manner to a request )(rj n accounting of disclosures of PHI by the Business
Associate. See 45 CFR 164.504 e 2 ii G and 164.528(b)(1).
(3) At the request of DSHS or in response to a request made directly to the Business Associate by
an individual, Business Associate shall respond, in a timely manner and in accordance with
HIPAA and the HIPAA Rules, to requests by Individuals for an accounting of disclosures of PHI.
(4) Business Associate record keeping procedures shall be sufficient to respond to a request for an
accounting under this section for the six (6) years prior to the date on which the accounting was
requested.
b. Access
(1) Business Associate shall make available PHI that it holds that is part of a Designated Record
Set when requested by DSHS or the Individual as necessary to satisfy DSHS's obligations
under 45 CFR 164.524 (Access of Individuals to Protected Health Information).
(2) When the request is made by the individual to the Business Associate or if DSHS asks the
Business Associate to respond to a request, the Business Associate shall comply with
requirements in 45 CFR 164.524 (Access of Individuals to Protected Health Information) on
form, time and manner of access. When the request is made by DSHS, the Business Associate
shall provide the records to DSHS within ten (10) business days.
c. Amendment.
(1) If DSHS amends, in whole or in part, a record or PHI contained in an Individual's Designated
Record Set and DSHS has previously provided the PHI or record that is the subject of the
amendment to Business Associate, then DSHS will inform Business Associate of the
amendment pursuant to 45 CFR 164.526(c)(3) (Amendment of Protected Health Information).
(2) Business Associate shall make any amendments to PHI in a Designated Record Set as directed
by DSHS or as necessary to satisfy DSHS's obligations under 45 CFR 164.526 (Amendment of
Protected Health Information).
27, Subcontracts and other Third Party Agreements. In accordance with 45 CFR 164.502(e)(1)(ii),
164.504(e)(1)(i), and 164.308(b)(2), Business Associate shall ensure that any agents, subcontractors,
independent contractors or other third parties that create, receive, maintain, or transmit PHI on
Business Associate's behalf, enter into a written contract that contains the same terms, restrictions,
requirements, and conditions as the HIPAA compliance provisions in this Contract with respect to such
PHI. The same provisions must also be included in any contracts by a business associate's
subcontractor with its own business associates as required by 45 CFR 164.314(a)(2)(b) and
164.504(e)(5) .
28, Obligations. To the extent the Business Associate is to carry out one or more of DSHS's obligation(s)
under Subpart E of comply CFR all (Privacy of
that Individually
applydtonDSHS in the performancce)ofBsuchess
Associate shall comply
DSHS Central Contract Services Page 11
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
obligation(s).
29. Liability. Within ten (11 0) business days, Business Associate must notify DSHS of any complaint,
enforcement or compliance action initiated by the Office for Civil Rights based on an allegation of
violation of the HIPAA Rules and must inform DSHS of the outcome of that action. Business Associate
bears all responsibility for any penalties, fines or sanctions imposed against the Business Associate for
violations of the HIPAA Rules and for any imposed against its subcontractors or agents for which it is
found liable.
30. Breach Notification.
a. In the event of a breach of unsecured PHI or disclosure that compromises the privacy or security of
PHI obtained from DSHS or involving DSHS clients, Business Associate will take all measures
required by state or federal law.
b. Business Associate will notify DSHS within one (1) business day by telephone and in writing of any
acquisition, access, use or disclosure of PHI not allowed by the provisions of this Contract or not
authorized by HIPAA Rules or required by law of which it becomes aware which potentially
compromises the security or privacy of the protected health information as defined in 45 CFR
164.402 (Definitions).
C. Business Associate will notify the DSHS Contact shown on the cover page of this Contract within
one (1) business day by telephone or e -mail of any potential breach of security or privacy of PHI by
the Business Associate or its subcontractors or agents. Business Associate will follow telephone or
e -mail notification with a faxed or other written explanation of the breach, to include the following:
date and time of the breach, date breach was discovered, location and nature of the PHI, type of
breach, origination and destination of PHI, Business Associate unit and personnel associated with
the breach, detailed description of the breach, anticipated mitigation steps, and the name, address,
telephone number, fax number, and e-mail of the individual who is responsible as the primary point
of contact. Business Associate will address communications to the DSHS Contact. Business
Associate will coordinate and cooperate with DSHS to provide a copy of its investigation and other
information requested by DSHS, including advance copies of any notifications required for DSHS
review before disseminating and verification of the dates notifications were sent.
d. If DSHS determines that Business Associate or its subcontractor(s) or agent(s) is responsible for a
breach of unsecured PHI:
(1) requiring notification of Individuals under 45 CFR § 164.404 (Notification to Individuals),
Business Associate bears the responsibility and costs for notifying the affected Individuals and
receiving and responding to those Individuals' questions or requests for additional information;
(2) requiring notification of the media under 45 CFR § 164.406 (Notification to the media), Business
Associate bears the responsibility and costs for notifying the media and receiving and
responding to media questions or requests for additional information;
(3) requiring notification of the U.S. Department of Health and Human Services Secretary under 45
CFR § 164.408 (Notification to the Secretary), Business Associate bears the responsibility and
costs for notifying the Secretary and receiving and responding to the Secretary's questions or
requests for additional information; and
(4) DSHS will take appropriate remedial measures up to termination of this contract.
31. Miscellaneous Provisions.
DSHS Central Contract Services page 12
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
DSHS General Terms and Conditions
a. Regulatory References. A reference in this Contract to a section in the HIPAA Rules means the
section as in effect or amended.
b. Interpretation. Any ambiguity in this Contract shall be interpreted to permit compliance with the
HIPAA Rules.
DSHS Central Contract Services Page 13
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
Special Terms and Conditions
Definitions Specific to Special Terms: The words and phrases listed below, as used in this Contract,
shall each have the following definitions:
a. "Applicant (s)" means individuals submitting an application, a renewal or reporting a change for
benefits or services.
b. "Assisting Agency" means community or faith based organizations, tribal, city, or county
municipalities who provide trained employees or volunteers to help applicants complete and submit
online applications through Washington Connection. These agencies must sign a Data Share
Agreement with DSHS and each employee and volunteer of the agency with access to Applicant
information must complete a DSHS non - disclosure form. Any reference to Assisting Agency
includes the Assisting Agency's employees, agents, officers, subcontractors, third party contractors,
volunteers, or directors.
c. "Authorized Representative" means someone designated by the Applicant to talk with DSHS about
his/her benefits. This individual is authorized to act on the Applicant's behalf for eligibility purposes.
d. "Data" means the information that is exchanged as described by this Agreement that is specifically
protected by law which may impose penalties for wrongful disclosure. This includes protected
health information under the HIPAA Privacy Rule.
e. "ESA" means Economic Services Administration.
f
"SAW" means SecureAccess Washington. SAW is a single sign -on application gateway created by
Washington State's Department of Information Services to access government services accessible
via the Internet.
g. "Washington Connection" means the web -based benefit portal that provides access to a broad
array of federal, state and local services and benefits to address basic needs.
2. Purpose To allow an Assisting Agency to help Washington residents complete an online application
to provide more effective access to available federal, state and local services through the Washington
Connection benefit portal and cant' out other activities designed to help them maintain eligibility. This
agreement also includes contractors that submit paper applications to DSHS.
3. Statement of Work The Contractor shall provide the services and staff, and otherwise do all things
necessary for or incidental to the performance of work, as set forth below:
a. The Assisting Agency listed on page one of this Data Share Agreement is the Contractor, and
DSHS is the Data Provider in this agreement. In exchange for the receipt of information, the
Contractor agrees to abide by the terms and conditions in this agreement.
(1) Anyone at the Contractor agency with access to Data will be required to read and complete a
non - disclosure agreement annually. The Contractor must maintain these forms and make them
available for inspection.
(2) When Contractors use Washington Connection for applications, DSHS will work with them to:
(a) Establish access to the DSHS Washington Connection and online application.
DSHS Central Contract Services Page 14
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
Special Terms and Conditions
(b) Establish a Washington Connection SAW account with either an Employee or a Supervisor
access level:
Employee Access allows the individual to view, edit and submit applications when the
employee has provided direct access with the application through Washington
Connection as part of their work at the Assisting Agency.
Supervisor Access includes all functions of the Employee Access plus the ability to:
view, edit and submit all applications associated with employees assigned to the
supervisor in the Washington Connection profile; add, modify, and delete employees;
reassign applications between employees under the same supervisor, and request a
summary page of all application status (submitted or incomplete) associated with the
Assisting Agency.
(3) Consent Form and Use Limitation
(a) The Contractor must obtain a Consent form via Washington Connection with an e- signature
from the Applicant before accessing any Applicant Information. The Contractor must keep
any written DSHS consent form obtained from the Applicant onsite and provide them for
inspection upon request.
DSHS and the Contractor may need to share additional information to provide services,
but at no time should the Consent be interpreted to:
(A) Designate the Contractor as an "Authorized Representative'
(B) Allow DSHS to share Applicant information not needed for the purposes under this
agreement
(C) Allow DSHS to disclose documents or information from the Applicant's files or
records for other purposes outside the scope of this agreement
b. Description of Data
Data is limited to:
(a) application data
(b) defined display of household benefit information available through the Washington
Connection query system
c. Data Access or Transfer
(1) If applications are received through Washington Connection and the Applicant has indicated
consent to share application data, a Contractor may view and print applications, reviews and
change of circumstances forms saved or submitted through Washington Connection for 90
calendar days from the last activity day. Application statuses, "submitted" or "not submitted ",
are also available for 90 calendar days from the last activity day. Contractors submitting paper
applications have no ability to view them online.
(2) If the correct information is entered into the Washington Connection query system, the
successful query will result in the display of the following information for the listed head of
household if that person is not registered in the Address Confidentiality Program (ACP):
DSHS Central Contract Services Page 15
3067DS -91 Washington Connection DS Interlocal (9- 16 -12)
Special Terms and Conditions
(a) Application Status
A = approved
P = Pending
D = Denied
M = Pending Spenddown (with base period and remaining amount)
(b) Eligibility history (12 month rolling) from DSHS and /or HCA
(c) Benefit amount for cash and food assistance programs only
(d) Number in the household associated with each program receiving benefits
(e) Benefit end date for each certification period
(3) Requirements for Access
(a) Access to Data shall be limited to staff (including employees and volunteers) whose duties
specifically require access to such Data in the performance of their assigned duties. Prior to
making Data available to its staff, Contractor shall notify all such staff of the Use and
Disclosure requirements.
(b) All staff accessing the data shall sign a Nondisclosure of Confidential Information form, or its
replacement, each year and agree to adhere to the use and disclosure requirements. The
signed, original form and a regularly updated list of staff with access to the Data shall be
maintained by the Contractor and submitted to the Data Provider upon request.
(c) The Contractor must remind staff annually of nondisclosure requirements and make
available to DSHS upon request evidence that they have reminded all staff with access to
Applicant data of the limitations, use or publishing of data.
(d) The Contractor must immediately notify the DSHS contact person listed on page one when
any staff with access to the Data is terminated from employment or when his or her job
duties no longer require access to Data.
d. Limitations on Use of Data
If the Data and analyses generated by the Contractor contain Confidential Information about DSHS
Applicants, then any and all reports utilizing these Data shall be subject to review and approval by
the Data Provider prior to publication in any medium or presentation in any forum.
4. Data Security
a. Violations of the Nondisclosure provisions of this agreement may result in criminal or civil penalties.
Violation is a gross misdemeanor under RCW 74.04.060, punishable by imprisonmentpopfy of more
than one year and /or a fine not to exceed five thousand dollars. Sanctions also may a under
other state and federal law, including civil and criminal penalties for violations of the HIPAA Privacy
and Security rules.
DSHS Central Contract Services Page 16
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
Special Terms and Conditions
b. The Contractor shall take reasonable precautions to secure against unauthorized physical and
electronic access persons, ppldudinlg the gelneral public, from access by computer, remote mote terminal, or
unauthorized
other means.
C. Contractor shall notify the DSHS contact designated on the contract verbally and in writing of the
compromise or suspected compromise of the security or privacy of data within one (1) business day
and to work with DSHS requirements, additional steps
of clients as needed and for a y croesponsible
to comply with legal P
associated mitigating the breach.
Confidentiality and Nondisclosure
a. Both parties may use Per o purposes of this and other information or Data gained by reason of this
Agreement only for the p P Agreement.
b. The data to be shared and? ghat bind the Contractor, its is emp oyeessand subject
its state and to
federal confidentiality requirement
protect the confidentiality of the personal information contained in ESA data. Contractors may use
personal data and other data gained by reason of this agreement only for the purpose of this
agreement.
c. The Contractor shall maintain the confidentiality of personal data in accordance with state and
federal laws, and shall have adequate policies and procedures in place to ensure compliance with
confidentiality requirements, including restrictions on re- disclosure.
d. The Contractor agrees to keep Applicant information according to DSHS policy and procedures:
htt '. /lasd.dshs.wa. gy/rpau/rl2au-adminpolicy.htm.
(1) Neither party shall link the Data with Personal Information or individually identifiable data from
any other source nor the i cl e or do coicatet the Data
other party. specifically authorized to do so in
this Agreement or by prior
g. Consideration
There is no cost to either party as each will pay for its own costs to perform this contract.
Payment
a. The Contractor will receive the information provided under this agreement at no charge. Each party
shall be responsible for any expenses incurred in providing or receiving information.
b. The Contractor is responsible for any costs associated with accessing Applicant data. This includes
any costs for hardware /software upgrades, and costs to improve any systems or processors that
will enable the Contractor to access the data.
DSHS Central Contract Services Page 17
3067DS -91 Washington Connection DS lnterlocal (9- 18 -12)
Special Terms and Conditions
8. Disputes
Either party may submit a request for resolution of a Contract dispute (rates set by law, regulation or
DSHS policy are not disputable). The requesting party shall submit a written statement identifying the
issue(s) in dispute and the relative positions of the parties. A request for a dispute resolution must
include the Contractors name, address, and Contract number, and be mailed to the address listed
below within 30 calendar days after the party could reasonably be expected to have knowledge of the
issue in dispute.
DSHS /Community Services Division
PO Box 45470
Olympia, WA 98504 -5470
Attn. Contracts Unit
g. Interpretation
Any ambiguity in this Agreement will be resolved in favor of a meaning that permits Covered Entity to
comply with the Privacy Rule, the Electronic Transactions Standards, or any other requirement under
HIPAA.
10. Property Rights
All PHI will be and remain the exclusive property of Covered Entity. Business Associate agrees that it
acquires no title or rights to the PHI, including any de- identified information, as a result of this
Agreement.
DSHS Central Contract Services Page 18
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
2.
3.
Special Terms and Conditions
Exhibit A — Data Security Requirements
Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following
definitions:
a. "Authorized User(s)" means an individual or individuals with an authorized business requirement to
access DSHS Confidential Information.
b. "Hardened Password" means a string of at least eight characters containing at least one alphabetic
character, at least one number and at least one special character such as an asterisk, ampersand
or exclamation point.
c. "Unique User ID" means a string of characters that identifies a specific user and which, in
conjunction with a password, passphrase or other mechanism, authenticates a user to an
information system.
Data Transport. When transporting DSHS Confidential Information electronically, including via email,
the Data will be protected by:
a. Transporting the Data within the (State Governmental Network) SGN or Contractor's internal
network, or;
b. Encrypting any Data that will be in transit outside the SGN or Contractor's internal network. This
includes transit over the public Internet.
Protection of Data. The Contractor agrees to store Data on one or more of the following media and
protect the Data as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be
restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID
and Hardened Password or other authentication mechanisms which provide equal or greater
security, such as biometrics or smart cards -
b. Network server disks. Data stored on hard disks mounted on network servers and made available
through shared folders. Access to the Data will be restricted to Authorized Users through the use of
access control lists which will grant access only after the Authorized User has authenticated to the
network using a Unique User ID and Hardened Password or other authentication mechanisms
which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted
to such servers must be located in an area which is accessible only to authorized personnel, with
access controlled through use of a key, card key, combination lock, or comparable mechanism.
For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as
long as the disks remain in a Secured Area and otherwise meet the requirements listed in the
above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be
deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
DSHS Central Contract Services
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
Page 19
Special Terms and Conditions
C. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS
on optical discs which will be used in local workstation optical disc drives and which will not be
transported out of a Secured Area. When not in use for the contracted purpose, such discs must be
locked in a drawer, cabinet or other container to which only Authorized Users have the key,
combination or mechanism required to access the contents of the container. Workstations which
access DSHS Data on optical discs must be located in an area which is accessible only to
authorized personnel, with access controlled through use of a key, card key, combination lock, or
comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by
DSHS on optical discs which will be attached to network servers and which will not be transported
out of a Secured Area. Access to Data on these discs will be restricted to Authorized Users through
the use of access control lists which will grant access only after the Authorized User has
authenticated to the network using a Unique User ID and Hardened Password or other
authentication mechanisms which provide equal or greater security, such as biometrics or smart
cards. Data on discs attached to such servers must be located in an area which is accessible only
to authorized personnel, with access controlled through use of a key, card key, combination lock, or
comparable mechanism.
e. Paper documents. Any paper records must be protected by storing the records in a Secured Area
which is only accessible to authorized personnel. When not in use, such records must be stored in
a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons
have access.
f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or
Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication
credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor
staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of
such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an
Authorized User's duties change such that the Authorized User no longer requires access to
perform work for this Contract.
g. Data storage on portable devices or media.
(1) Except where otherwise specified herein, DSHS Data shall not be stored by the Contractor on
portable devices or media unless specifically authorized within the terms and conditions of the
Contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits
(b) Control access to devices with a Unique User ID and Hardened Password or stronger
authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock
automatically after a period of inactivity, if this feature is available. Maximum period of
inactivity is 20 minutes.
Physically Secure the portable device(s) and /or media by
(d) Keeping them in locked storage when not in use
(e) Using check -in /check -out procedures when they are shared, and
DSHS Central Contract Services - Page 20
3067DS -91 Washington Connection DS Interlocal (9- 18 -12)
Special Terms and Conditions
(f) Taking frequent inventories
(2) When being transported outside of a Secured Area, portable devices and media with DSHS
Confidential Information must be under the physical control of Contractor staff with authorization
to access the Data.
(3) Portable devices include, but are not limited to; smart phones, tablets, flash memory devices
(e.g. USB flash drives, personal media players), portable hard disks, and
laptop /notebook/netbook computers if those computers may be transported outside of a
Secured Area.
(4) Portable media includes, but is not limited
flash media (e.g ;C optical
Fldia ( .g. Ds, DVDs), magnetic media
(e.g. floppy disks, tape),
h. Data stored for backup purposes.
(1) DSHS data may be stored on portable media as part of a Contractor's existing, documented
backup process for business continuity or disaster recovery purposes. Such storage is
authorized until such time as that media would be reused during the course of normal backup
operations. If backup media is retired while DSHS Confidential Information still exists upon it,
such media will be destroyed at that time in accordance with the disposition requirements in
Section 5. Data Disp osition
(2) DSHS Data may be stored on non - portable media (e.g. Storage Area Network drives, virtual
media, etc.) as part of a Contractor's existing, documented backup process for business
continuity or disaster recovery purposes. If so, such media will be protected as otherwise
described in this exhibit. If this media is retired while DSHS Confidential Information still exists
upon it, the data will be destroyed at that time in accordance with the disposition requirements in
Section 5. Data Disposition.
4, Data Segregation.
a. DSHS Data must be segregated or otherwise distinguishable from non -DSHS data. This is to
ensure that when no longer needed by the Contractor, all DSHS Data can be identified for return or
destruction. It also aids in determining whether DSHS Data has or may have been compromised in
the event of a security breach. As such, one or more of the following methods will be used for data
segregation.
b, DSHS Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain no non -
DSHS Data. And /or,
C. S Data DSHS store And/or,
a logical container on electronic media, such as a partition or folder
dedicated
d. DSHS Data will be stored in a database which will contain no non -DSHS data. And /or,
e. DSHS Data will be stored within a database and will be distinguishable from non -DSHS data by the
value of a specific field or fields within database records.
f. When stored as physical paper documents, DSHS Data will be physically segregated from non -
DSHS data in a drawer, folder, or other container.
DSHS Central Contract Services Page 21
3067DS -91 Washington Connection DS Interlocal (9- 16 -12)
Special Terms and Conditions
When it is not feasible or practical to segregate DSHS Data from non -DSHS data, then both the
DSHS Data and the non -DSHS data with which it is commingled must be protected as described in
this exhibit.
5. Data Disposition. When the contracted work has been completed or when no longer needed, except
as noted in 4.b above, Data shall be returned to DSHS or destroyed. Media on which Data may be
stored and associated acceptable methods of destruction are as follows:
Data stored on: Will be destro ed h%,'
Server or workstation hard disks, or Using a "wipe" utility which will overwrite the Data at
least three (3) times using either random or single
Removable media (e.g. floppies, USB flash drives, character data, or
portable hard disks) excluding optical discs
Degaussing sufficiently to ensure that the Data cannot
be reconstructed, or
the disk
Paper documents with sensitive or Confidential I Recycling through a contracted firm provided the
Information contract with the recycler assures that the
confidentiality of Data will be protected.
per documents containing Confidential Information On -site shredding, pulping, or i
requiring special handling (e.g. protected health
information
Incineration, shredding, or com
Optical discs (e.g. CDs or DVDs) readable surface with a coarse
or crosscut
Notification of Compromise or Potential Compromise. The compromise or potential compromise of
DSHS shared Data must be reported to the DSHS Contact designated in the Contract within one (1)
business day of discovery. If no DSHS Contact is designated in the Contract, then the notification must
be reported to the DSHS Privacy Officer at dshsprivacyofficer @dshs.wa.gov. Contractor must also
take actions to mitigate the risk of loss and comply with any notification or other requirements imposed
by law or DSHS.
Data shared with Subcontractors. If DSHS Data provided under this Contract is to be shared with a
subcontractor, the Contract with the subcontractor must include all of the data security provisions within
this Contract and within any amendments, attachments, or exhibits within this Contract. If the
Contractor cannot protect the Data as articulated within this Contract, then the contract with the sub -
Contractor must be submitted to the DSHS Contact specified for this contract for review and approval.
DSHS Central Contract Services - Page 22
3067DS -91 Washington Connection DS Iniedocal (9- 18 -12)