The URL can be used to link to this page

Home My WebLink AboutAgreements/Contracts - GRIS (002)K19-098 vv �o Grant County Vendor Agreement Agreement Period: July 1, 2019 —June 30, 2021 Organization Name: Goodwill Industries of the Inland Northwest Vendor Contact Person: Darlene Morrison, Contracts Manager Email: dmorrison@giin.org Telephone: (509) 444-2392 Signatory Authority: Clark Brekke, President & CEO Email: clarkb@giin.org Address: E. 130 Third Spokane, WA 99202 Telephone: IRS Tax No. (Employer I.D.) 91-0597006 Qualified Provider Services Individual Supported Employment Group Supported Employment Additional terms of this agreement are set out in and governed by the following which are incorporated herein by reference: General Terms and Conditions — Exhibit A Special Terms and Conditions — Exhibit B Data Security — Exhibit C RECEIVED JUN 2 0 2019 �'W"tiIISSIONERS BOARD OF COUNTY COMMISSIONERS �tt� Tom Taylor, Chair Date 1 �k �r Cindy Carter, ice -Chair Date Richard Stevens, Member ate Attest: 4of . Vasquez Dathe Board ApproveT to for j Z q/1q Kevin McCrae Date Deputy Prosecuting Attorney Goodwill Industries of the Inland Northwest Clark Brekke, President & CEO Date GRANT INTEGRATED SERVICES DEVELOPMENTAL DISABILITIES I j Gail Goodwin, Program Director Date EXHIBIT A to `tvt� �_ G 9_e GENERAL TERMS AND CONDITIONS ADULT PROGRAMS �f The County hereby appoints and the Vendor hereby accepts the Grant County Developmental Disabilities and/or its designee as the County's representative for the purpose of administering the provisions of this vendor agreement with regard to those services purchased by funds conveyed to the Vendor by the County. This includes the County's right to inspection of facilities and records, to receive and act on all reports and documents related to this vendor agreement, to request and receive information from the Vendor to approve budget revisions and payment changes to assess the general performance in accordance with Federal, State and local law, to approve the entering into of subcontracts, and to administer any other right granted to the County under this agreement not expressly reserved to the County (Board of Commissioners). The Vendor is accountable to the County only with regard to those services specified in this agreement for which the County remunerates the Vendor. I. EXTENT OF AGREEMENT This vendor agreement contains all the terms and conditions agreed upon by the parties. No other understandings, oral or otherwise regarding the subject matter of this agreement shall be deemed to exist or to bind any of the parties hereto. In the event of an inconsistency, the order of precedence is as follows: 1. Federal laws and regulations 2. State laws and regulations 3. DSHS General Terms and Conditions 4. DSHS County Program Agreement with Grant County 5. Applicable DSHS and/or DDA Policies 6. Criteria for Evaluation 7. Statement of Work - this agreement 8. Special Terms and Conditions - this agreement 9. General Terms and Conditions -- this agreement 10. Any Document incorporated in this agreement by reference. II. LICENSING AND PROGRAM STANDARDS The Vendor agrees to comply with all applicable Federal, State, County or Municipal standards for licensing certification and operation of facilities and program, and accreditation and licensing of individuals, and any other applicable standard or criteria. The loss of any required accreditation license or other certificate shall be promptly reported to Grant County Developmental Disabilities. III. RELATIONSHIP OF THE PARTIES The parties intend that an independent Vendor/County relationship will be created by this document. No agent, employee or representative of the Vendor shall be deemed to be an employee, agent, representative of the County for any purpose, and the employees of the Vendor are not entitled to any of the benefits the County provides for County employees. The Vendor will be solely and entirely responsible for its acts and for the acts of its agents, employees, or otherwise during the performance of this agreement. Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit A RECEIVED JUN 2 4 2019 GRA�r, OMppISS10NERS EXHIBIT A IV. INDEMNIFICATION The Vendor does release, indemnify and promise to defend and save harmless the County, its elected officials, administrators, employees and agents from and against any and all liability, loss, damages, expense, action, and claims including cost and reasonable attorney's fees incurred by the County, its elected officials, administrators, employees and agents in defense thereof, asserting or arising directly or indirectly on account of or out of the performance of services pursuant to this Agreement. In making such assurances, the Vendor specifically agrees to indemnify and hold harmless the County from any and all bodily injury claims brought by employees of the Vendor and expressly waives its immunity under the Industrial Insurance Act as to those claims, which are brought against the County. Provide however, this paragraph does not purport to indemnify the County against the liability for damages arising out of bodily injuries to person or damages caused by or resulting from the sole negligence of the County, its elected officials, officers, employees and agents. V. STANDARDS FOR FISCAL ACCOUNTABILITY The Vendor agrees to maintain books, record document reports, and accounting procedures and practices which accurately reflect all direct and indirect costs and revenues related to the performance of this agreement. Such books and other documents specified above shall be maintained in a manner consistent with Generally Accepted Accounting Principles (GAAP). The Vendor shall retain the books, documents and other items specified for a period of five (5) years after expiration or termination of this agreement. The Vendor's fiscal management system shall: A. Provide for systematic accumulation, filing and retention of timely reports for DSHS/ADSA/DDA and or federal audits and/or as may be required by the County. B. Provide accurate, current and complete disclosure of the services provided, costs thereof and amounts received and expended pursuant to this agreement C. Provide a separate accounting by source of all funds related to performance of this agreement. D. Be capable of effective and efficient processing of all the fiscal matters, including proof of adequate protection against insolvency. E. Have the ability to pay for all expenses incurred during the Agreement period, including services that have been provided under the Agreement but paid after termination. VI. RECORDS All books, records, documents, receipts and other data pertaining to the performance of this agreement shall be subject at all reasonable times to inspection, review, or audit by County personnel and other personnel duly authorized by the County, the Department of Social and Health Services, the Office of the State Auditor and other officials so authorized by law. 2 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A VII. REVIEW AND EVALUATION Vendors agree to cooperate and participate in the County's review and evaluation process. Biennial review and evaluation procedures will be conducted to ensure program and fiscal reviews test for accountability and effective use of funds. Vendors will be notified in advance of any planned review, and/or evaluation site visits; however, the County reserves the right to conduct on-site visits without prior notification to the Vendor, as deemed necessary. Copies of the review and program evaluation instruments will be provided to the Vendor upon written request. IIX. CORRECTIVE ACTION The Vendor is required to meet all of the general and special terms and conditions in the agreement and to perform at the service level specified in the Statements of Work, unless otherwise agreed to in writing by both parties. Should the County identify a violation of the agreement or a performance deficiency, the Vendor must submit a corrective action plan within 14 days from the written notice by the County. The County will approve or disapprove the Vendors corrective action plan, in writing within 14 days of receipt of the plan. If the plan is satisfactory, follow up will be required from the Vendors to ensure the deficiency is corrected. If subsequent efforts by the Vendor do not correct the deficiency, or the Vendor does not complete a corrective action plan within 30 days, or the County deems the plan unsatisfactory, the County will take the necessary corrective action to ensure the integrity of the agreement. Such action may include, but is not limited to reduction of payment or termination in whole or in part of the agreement. IX. GRIEVANCE AND COMPLAINT PROCEDURES A. The Vendor shall have both an employee and client grievance procedure and a complaint procedure; both procedures shall be in writing and include time lines for filing a grievance or a complaint. A grievance procedure shall include explanation to clients and others in accordance with Necessary Supplemental Accommodations (NSA) Policy 5.02, process for negotiating conflict, availability of advocates, and mediation by an unbiased third party, prohibit retaliation and be provided in a manner and/or language that the person can understand. B. A complaint procedure is developed for compliance with federal law regarding discrimination (e.g. sexual harassment, sex, race, or disabled person). Such procedures should include time lines for response or action, and shall be available to any individual requesting a copy. C. Individuals wishing to file a discrimination complaint shall be directed to file directly with the DSHS Office of Equal Opportunity, the Washington State Human Rights Council, or a court of law. The grievance process should include informal and formal resolution of the problem. The County shall be notified if a grievance requires formal arbitration. The County reserves the right to review and approve the Vendors' grievances, complaints and procedures. Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A X. CREDENTIALS AND MINIMUM REQUIREMENTS A. Background/Criminal History Check: A background/criminal history clearance is required every three years for all employees, subcontractors and/or volunteers who may have unsupervised access to vulnerable DSHS clients, in accordance with RCW 43.43.830, RCW 43.43.845, RCW 74.15.030, and Chapter 388 WAC. If the entity reviewing the application elects to hire or retain an individual after receiving notice that the applicant has a conviction for an offense that would disqualify the applicant from having unsupervised access to vulnerable adults as defined in Chapter 74.34 RCW, Grant County DD shall deny payment for any subsequent services rendered by the disqualified individual provider. The DSHS Background Check Central Unit (BCCU) must be utilized to obtain background clearance. B. Sufficient Policies and Procedures for Establishment and Maintenance of Adequate Internal Control Systems: The Vendor will maintain written policy procedural manuals for information systems, personnel, and accounting/finance in sufficient detail such that operations can continue should staffing changes or absences occur. C. Qualified Service Provider: The County will assure that all vendors meet qualifications as outlined in the DDA Policy 6.13, Program Provider Qualifications. XI. PROTECTION OF INDIVIDUAL RIGHTS The Vendor shall prominently display all posters required by DSHS or other relevant information regarding human rights. A complete catalog of the required posters can be obtained by contacting DSHS. In addition the Vendor must have comprehensive written policies and/or procedures to protect the rights of all individuals, including but not limited to the following: A. Section 504 of the Rehabilitation Act of 1973 and all requirements imposed by or pursuant to the Section. B. Title VI of the Civil Rights Act of 1964 (P.L. 88-352) and all requirements imposed by or pursuant to the Regulation of the Department of Health and Human Services, (DHHS) (CFR 45 Part 80) issued pursuant to the title. C. Confidentiality of client records pursuant to RCW 71A.14.070 or RCW 34.05 require a signed Release of Information for client files, and a signed Oath of Confidentiality form for staff. D. Americans with Disabilities Act of 1990 (ADA) and all requirements imposed by or pursuant to this law, including CFR 29 Part 1630. E. Background Check Laws and Regulations, RCW 43.43.830 and 845 and RCW 74.15.03 and 74.34 and/or WAC 388.06 regarding employee background checks and DSHS Policy. F Protection of clients from abuse as required by the Developmental Disabilities Administration Policy. G. Client grievances. 4 Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit A EXHIBIT A XII. NON-DISCRIMINATION IN EMPLOYMENT A. Grant County is an Equal Opportunity Employer. B. The Vendor agrees that it shall not discriminate against any employee or applicant for employment on the grounds of race, creed, color, sex, religion, national origin, marital status, age (40+), disability, sexual orientation, Vietnam veteran or disabled veteran status, HIV/AIDS or AIDS related illnesses. This requirement does not apply, however, to a religious corporation, association, educational institution or society with respect to the employment individuals or a particular religion to perform work connected with the carrying on by such corporation, association, educational institution or society of its activities. C. The Vendor and sub -vendors shall take affirmative action to ensure that employees are employed and treated during employment without discrimination because of their race, creed, color, religion, sex, national origin, creed, marital status, age (40+), disability, sexual orientation, Vietnam veteran or disabled veteran status, HIV/AIDS or AIDS related illnesses. Such action shall include but not be limited to the following: Employment, upgrading, demotion, or transfer; recruitment or recruitment selection for training; including apprenticeships and volunteer. XIII. NON DISCRIMINATION IN SERVICES The Vendor shall not, on the grounds of race, creed, color, sex, religion, national origin, marital status, age (40+), disability, sexual orientation, Vietnam or disabled veteran status, HIV/AIDS or AIDS related illnesses: A. Deny any individual any services or other benefits provided under this agreement. B. Provide any service(s) or other benefits to an individual, which, are different, or are provided in a different manner from those provided to others under this agreement, any contract or any subcontract. C. Subject an individual to segregation or separate treatment in any matter related to his or her receipt of any services (s) or other benefits provided under this agreement. D. Deny any individual an opportunity to participate in any program provided by this agreement, any contract or any subcontracts through the provision of services otherwise, or afford an opportunity to do so which is different from the afforded others under this agreement. The Vendors in determining: 1. The types of services or other benefits to be provided, or 2. The class of individuals to whom or the situation in which, such services or other benefits will be provided, or 3. The class of individuals to be afforded an opportunity to participate in any services or other benefits, will not utilize criteria or methods of administration which have the effect of subjecting individual to discrimination because of their race, creed, color, sex, religion, national origin, marital status, age (40+), disability, sexual orientation, Vietnam or disabled veteran status, HIV/AIDS or AIDS related illnesses; or have the effect of defeating or substantially impairing accomplishment of the objectives of this agreement in respect to Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A individuals having a particular race, creed, color, sex, religion, national origin, marital status, age (40+), disability, sexual orientation, Vietnam or disabled veteran status, HIV/AIDS or AIDS related illness. XIV. FAIR HEARING PROCEDURE The Vendor shall establish a system through which recipients of services may present grievances about the operation of the services. The Vendor shall advise recipients of the grievance procedure and further advise each applicant for, or recipient of services, that they have the right to obtain a fair hearing should they feel that any of the following are true: 1) they have been wrongfully denied services; 2) services were wrongfully terminated; 3) determination of eligibility for services has not been made with reasonable promptness. Such hearings shall be conducted in accordance with such arrangements or procedures as required by DSHS as outlined in the DSHS General Terms and Conditions. XV. INCIDENT AND ABUSE REPORTING A. The Vendor shall immediately notify the County of any incident involving injury or health or safety issues in connection with or during the provision of services authorized or required by this agreement. Written notice shall be given to the County by the next working day. B. The Vendor is a mandated reporter under RCW 74.34.020(14) and must comply with reporting requirements described in RCW 74.34.035, .040, and Chapter 26.44 RCW. If the County is notified by DSHS that a subcontractor's staff member is cited or on the registry for a substantiated finding, then the associated staff will be prohibited from providing services under this Agreement. Policy 5.13 (Protection from Abuse) and Policy 6.08 (Incident Management and MandateReporting Requirements for County and County Contracted Providers) will be followed. XVI. GENERAL BUDGET PROVISIONS The Vendor agrees to the following standards in satisfactorily performing the terms and conditions of this contract: A. Payment for services shall be made on a fee-for-service basis unless otherwise specified in this agreement. B. No payment shall be made for any services rendered by the Vendor except for services within the scope of this agreement, and all funds received must be used for services as identified in the Statements of Work contained in this agreement, C. Except as provided in Section XVII - Reduction in Funding, or otherwise specified in Exhibit B, all budget revisions shall be treated as agreement modifications. 6 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A XVII. REDUCTION IN FUNDING In the event that funding to the County from State, Federal, or other sources is withdrawn, reduced, or limited in any way after the effective date of this agreement, and prior to its normal completion, the Count may summarily terminate this agreement as to the funds withdrawn, reduced, or limited notwithstanding any other termination provision of this agreement. If the level of funding withdrawn, reduced or limited is so great that the Board of Grant County Commissioners or the Vendor deem that the continuation of the program covered by this agreement is no longer in the best interest of the citizens of Grant County, the County or Vendor may summarily terminate this agreement in whole or in part notwithstanding any other termination provisions of this agreement. Termination under this section shall be effective upon receipt of written notice by the non -terminating party. The County agrees to notify the vendor of notification from the funding source of any reduction in funding by State, Federal or other sources. The Vendor agrees that upon receipt of such notice it shall develop a plan to take appropriate and reasonable action to reduce its spending of the affected funds so that expenditures do not exceed the funding level which would result if said proposed reduction became effective. XVIII. STANDARDS FOR PROGRAM ACCOUNTABILITY The Vendor agrees to maintain program records and reports including statistical information, and to make such records available for inspection by the County and funding agencies or the designee or either in order for the County and the funding agencies to be assured that program services remain consistent with the terms of this agreement. Further the Vendor agrees to provide written statistical information to Grant County Developmental Disabilities pursuant to the timelines and manner prescribed in the Agreement. Such required information shall include only information which is reasonably related to services purchased by funds awarded under this Agreement, and as specified in the attached Statement of Work, and for as otherwise maybe requested by the County as it concerns compliance with DSHS requirements. XIX. CONFIDENTIALITY A. The Vendor shall not use publish, transfer, sell or otherwise disclose any Confidential Information gained by reason of the Agreement for any purpose that is not directly connected with the performance of the services contemplated hereunder except: 1. As provide by law; or, 2. In the case of Personal Information, as provided by law or with the prior written consent of the person or personal representative of the person who is the subject of the Personal Information. B. The Vendor shall protect and maintain all Confidential Information gained by reason of this Agreement against unauthorized use, access, disclosure, modification or loss. This duty requires the Vendor to employ reasonable security measures, which include restricting access to the Confidential Information by; 1. Allowing access only to staff that have an authorized business requirement to view the Confidential Information; 2. Physical Securing any computers, documents, or other media containing the Confidential Information; 7 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A 3. Ensuring the security of Confidential Information transmitted via fax (facsimile) by verifying the recipient phone number to prevent accidental transmittal of Confidential Information to unauthorized person; 4. When transporting six (6) to one hundred forty nine (149) records containing Confidential Information outside a Secure Area, one or more of the following as appropriate; a. Using a Trusted System, or b. Encrypting the Confidential Information, including; i. Email and/or email attachments. ii. Confidential Information when it is stored on portable devices or media, including but not limited to laptop computers and flash memory devices. C. To the extent allowed by law, at the end of the Agreement term or when no longer needed, the parties shall certify in writing the destruction of the Confidential information upon written request by the County. D. Paper documents with Confidential Information may be recycled through a contracted firm, provided the contract with the recycler specifies that the confidentiality of information will be protected and the information destroyed through the recycling process. Paper documents containing Confidential Information requiring special handling (e.g. protected health information) must be destroyed through shredding, pulping, or incineration. E. The compromise or potential compromise of Confidential Information must be reported to the Grant County DD Coordinator within 3 working days of discovery for breaches of less than 500 persons' protected data. The Vendor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law. F. Definitions: CONFIDENTIAL INFORMATION- means information that is exempt from disclosure to the public or other unauthorized persons under RCW 42.56 or other federal or state laws. Confidential information includes, but not limited to, Personal Information. ENCRYPT- means to encode Confidential Information into a format that can only be read by those possessing a "key": a password, digital certificate or other mechanism available only to authorized user. Encryption must use a key length of at least 128 bits. HARDENED PASSWORD- means a string of at least eight characters containing at least one alphabetic character, at least one number and at least one special character such as an asterisk, ampersand or exclamation point. PERSONAL INFORMATION- means information identifiable to any person including, but not limited to, information that relates to a person's name, health, finance, education, business, use or receipt of governmental services or other activities, addresses, telephone numbers, Social Security Numbers, driver's license numbers other identifying numbers, and any financial identifiers. PHYSICALLY SECURE- means that access is restricted through physical means to authorized Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A individuals only. SECURED AREA- means an area to which only authorized representatives of the entity possessing the Confidential Information have access. Secured Areas may include buildings, rooms, or locked storage containers (such as a filing cabinet) within a room, as long as access to the Confidential Information is not available to unauthorized personnel. TRUSTED SYSTEMS- include only the following methods of physical delivery: 1. Hand -delivery by a person authorized to have access to the Confidential Information with written acknowledgement of receipt; 2. United States Postal Service first class mail, or USPS delivery services that include Tracking, such as Certified Mail, Express Mail or Registered Mail; 3. Commercial delivery services (e.g. FedEx, UPS, DHSL) which offer tracking and receipt confirmation; and 4. The Washington State Campus mail system. For electronic transmission, the Washington State Government Network (SGN) is a Trusted System for Communications within that Network. UNIQUE USER ID- means a string of characters that identifies a specific user and which, in conjunction with a password, passphrase or other mechanism, authenticates a user to an information system. XX. INSPECTION AND INFORMATION The Vendor shall furnish reports, statements, records, dates and other information to the County, State, Federal or other funding agencies at such times and on such forms as are specified by the Agreement. Any additional information required by the County, State, Federal Government or other funding agency, notice of which has been received by the County during the effective term of this Agreement, will be derived in a cooperative effort between the County and the Vendor. XXI. ASSIGNMENT The Vendor shall not assign or subcontract for any work described in the attached Statements of Work without written consent of the County, unless specified in the Statements of Work or the Budget; provided that the foregoing shall apply only to work funded by federal, state or county funds awarded by this agreement. All applicable contractor requirements will be passed on in the event that subcontract is executed. In any event, the County and DSHS reserve the right to inspect and approve any sub -contracting document, and the Vendor agrees to provide access to that sub -contract document no later than 20 days prior to the start date of such sub -contract. 9 Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit A EXHIBIT A XXII. MODIFICATION Either party may request changes in this agreement; however, no changes or additions to this agreement shall be valid or binding upon either party unless such changes or addition be in writing, and executed by both parties. XXIII. SEVERABILITY A. It is understood and agreed by the parties hereto that if any part of provision of this agreement is held by the courts to be illegal, the validity of the remaining provisions shall not be affected and the rights and obligations of the parties shall be construed and enforced as if the agreement did not contain the particular provision beheld to be invalid. B. Provided, that if deletion of the invalid provision substantially alters the intent, purpose of effect of the agreement or constitutes a failure of consideration, this agreement may be rescinded or terminated by either party. C. Provided, that nothing herein contained shall be construed as giving precedence to provisions of this agreement, over any provision of the law. XXIV. AGREEMENT TERMINATION If either party hereto fails to comply with the terms and conditions of this agreement, the other party may pursue such remedies as are legally available including but not limited to, the termination of their agreement in the manner specified herein. A. Termination by County for Cause - The County may terminate this Agreement in whole or in part for a substantial and material breach thereof by the Vendor upon ten (10) days written notice of termination: Provided, that unless the notice of such breach of agreement is such that immediate termination is clearly necessary to protect the public interest, the County prior to termination shall endeavor to work with the Vendor to remedy such breach following the Corrective Action process included in this agreement. B. Termination by Vendor for Cause - The Vendor may terminate this agreement in whole or in part for a substantial and material breach thereof by the County upon ten (10) days written notice of termination. Terminations and other Grounds - This agreement may also be terminated in whole or in part by mutual written agreement of the parties. XXV. TERMINATION AND CLOSE-OUT Following completion of the agreement or in the event that this agreement is terminated in whole or in part for any reason, other than the normal completion of the Agreement, the following provisions shall apply: A. Upon written request by the Vendor, the County shall make or arrange for payment to the Vendor of allowable reimbursable costs not covered by previous payment. B. The Vendor shall submit within thirty (30) days after the date of expiration of this Agreement all financial, performance and other reports required by the agreement, and in addition will cooperate in a program audit by the County or its designee. 10 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A EXHIBIT A XXVI. COVENANT AGAINST CONTINGENT FEES The Vendor warrants that no person or selling agency has been employed or retained to solicit or secure this agreement upon an agreement or understanding or a commission, percentage, brokerage or contingent fee, excepting bona fide established commercial or selling agency maintained by the Vendor for the purpose of securing business. The County shall have the right, in the event of breach of this clause by the Vendor, to annul this agreement without liability or in its discretion, to deduct from the agreement price or consideration or otherwise recover the full amount of such commission, percentage brokerage or contingent fee. XXVII. NON -ASSIGNABILITY OF CLAIMS No claim arising under this agreement shall be transferred or assigned by the Vendor. XXVIII. APPLICABILITY OF LAW This agreement has been and shall be construed as having been delivered within the State of Washington, and it is mutually understood and agreed by each party hereto that this agreement shall be governed by laws of the State of Washington, both as to interpretation and performance. XIX. INSURANCE AND BONDING The Vendor agrees to carry for the duration of this agreement insurance and bonding as specified in the Special Terms and Conditions of this agreement. XXX. ASSIGNMENT OF CLAIMS The Vendor will agree to assign to Grant County its Medicaid billing right for services to clients eligible under the Developmental Disabilities Administration Home and Community based Waivers Title XIX programs under a Department of Social and Health Services provider agreement. XXXI. DSHS (Disability Rights of Washington DRV) ACCESS AGREEMENT The Washington Protection & Advocacy, Inc. (WPAS) February 27, 2001 Access Agreement with DDA, is incorporated herein by reference. XXXII. DEBARMENT CERTIFICATION The Vendor by signature to this Agreement, certifies that the Vendor is not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participating in this Agreement by any Federal department or agency. 11 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit A 1 EXHIBIT B SPECIAL TERMS AND CONDITIONS ADULT DAY PROGRAM SERVICES INDIVIDUAL EMPLOYMENT, GROUP SUPPORTED EMPLOYMENT, AND COMMUNITY INCLUSION SERVICES I. DEFINITIONS: BARS — DDA Budget and Accounting Reporting System CLIENT- A person with a developmental disability as defined in chapter 388-823 WAC who is currently eligible and active with the Developmental Disabilities Administration or is an identified Preadmission Screening and Resident Review Client. CMIS - Client Management Information System CRM — DDA Case Resource Manager CSA — County Service Authorization DAY PROGRAM -Services provided to Clients as a result of this Vendor Agreement. DSHS- Department of Social and Health Services DDA - Developmental Disabilities Administration, a subunit of the Department of Social and Health Services. DVR - Division of Vocational Rehabilitation GCDD - Grant County Developmental Disabilities, a county department. HCBS — Medicaid Home and Community Based Services RFQ -- Request for Qualifications, Requirements by Grant County Developmental Disabilities to compile a list of vendors to provide day program services. II. PURPOSE This agreement governs participation in Day Program Services administered by Grant County under contract with the Developmental Disabilities Administration, Department of Social and Health Services, State of Washington, (DDA/DSHS). The Day Program Services provide individualized supports in a variety of programs for people with developmental disabilities. In addition, GCDD reserves the option of utilizing the Vendor Agreement for allocation of funds for services to special education graduates or other special populations as the need arises. The approved services eligible for ftmding under the Vendor Agreement include: • Community Inclusion • Individual Supported Employment • Group Supported Employment Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B III. INCORPORATED DOCUMENTS This Agreement consists of Exhibits A and B as applicable Statements of Work. IV. SERVICES PROVIDED IN ACCORDANCE WITH LAW, RULE AND REGULATION All services provided under this contract will be in accordance with the following where applicable: 71A.14, 74.15, 74.34, 43.43 and 26.44 RCW; WAC 388-845 and 850; WAC 828; Rehabilitation Act; plus implementing regulations and DDA Policies: • 4.11 County Services for Working Age Adults • 5.01 Background Check Authorization • 5.02 Necessary Supplemental Accommodation • 5.06 Clients Rights • 5.13 Protection from Abuse: Mandatory Reporting • 5.14 Positive Behavior Support • 5.15 Restrictive Procedures • 5.17 Physical Intervention Techniques • 6.08 Incident Management and Reporting Required for County and County Contracted Providers • 6.13 Provider Qualifications for Employment and Day Program Services • Current Criteria for Evaluation — Bars Category 568.60 V. ELIGIBILITY AND PLACEMENT Pursuant to WAC 388-823(Eligibility) and WAC 388-825(Service Rules), DDA/DSHS determines individual eligibility and refers persons for services delivered under the Vendor Agreement. Only persons referred by DDA/DSHS are eligible for services to be reimbursed under this agreement. Direct Client services provided without authorization are not reimbursable under this Vendor Agreement. VI. STATEMENT OF WORK The vendor shall provide the services and staff, and otherwise do all things necessary for, or incidental to the performance of work as set forth below. Grant County shall: A. Communicate information from the DDA region regarding disapproval of any staff employed by the vendor; B. Inform and include the vendor in the discharge planning of individuals leaving institutions and returning to the community who need program funding; C. Inform the vendor of individuals who have had their waiver status changed; D. Work with the vendor when referring individuals for services; E. Work with the vendor when terminating services; Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B !_W41111.3 M M_.9 F. Inform the Vendor of service changes for Clients through Planned Action Notice(s); F. Work with the vendor in planning on-site evaluations; G. Enroll the Vendor on the list of qualified vendors eligible to provide day program services in Grant County and distribute this list to DDA/DSHS; H. Review the Vendor for compliance with this agreement as the County deems appropriate. I. Reimburse the Vendor, the unit rates set in the Vendor agreement. The billings shall be submitted on a format provided by the County within the time frame specified by the County. Reimbursement will, be only for those individuals and the rates assigned on the Vendors CMIS Schedule. The County is under no obligation to pay the Vendor in the event that the Vendor provides day program services to individuals who are determined not eligible by DDA/DSHS; J. Reissue a current CMIS Schedule to the Vendor whenever there is a change in status of the Vendors services status, including the addition of referred eligible Clients, the removal of a Client, or a change in the specific unit rate assigned a particular Client, as determined by DDA/DSHS and Grant County and reported on the CMIS Schedule; K. Review the County Service Authorizations from DDA to authorize reimbursement to the Vendor and for data collection and quality assurance; and L. Monitor total expenditures under the Day Program Services in Grant County to ensure the services rendered do not exceed the total county allocation received from DDA/DSHS. Grant County is not responsible for Client eligibility or referral and does not guarantee any level or subsequent payment to a qualified Vendor. The Vendor shall: A. Work with Grant County when individuals are referred for services. B. Work with Grant County and the DDA region to document planned services in the Individual's Support Plan; C. Work with Grant County regarding service termination; D. Work with Grant County when undergoing an onsite evaluation; E. Take necessary and reasonable steps to comply with BARS; F. Provide Day Program services to eligible Clients when referred by DDA/DSHS, in accordance with all applicable DDA policies, DDA County Guidelines, and applicable Federal regulations and applicable state statutes and regulations, other state statutes, administrative codes and policies. These are to be the basis of all aspects of services delivery, system capacity building and implementation of the Agreement. Individualized services for each Client shall be provided as directed in the County Service Authorization form, and at the unit rate and number of units prescribed therein and stated on the CMIS Schedule; Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B G. If qualified as a DVR CRP, Vendor will use Division of Vocational Rehabilitation funding resources for all individuals who meet DVR Eligibility criteria prior to utilizing Grant County funding, if appropriate for the person; H. Maintain books, records, documents, County Service Authorizations and other materials relevant to the provisions of services under this agreement, which, are adequate to document the scope and nature of the services provided. These materials shall be available at all reasonable times for review, inspection, or audit by personnel duly authorized by the County, DSHS, or the Office of the State Auditor. The Vendor shall retain these materials for five (5) years after settlement or termination of this agreement; I. Submit for reimbursement monthly the billing forms as provided or required by the County, including the CMIS forms; J. Submit reports as defined in the Statements of Work; K. Maintain insurance liability coverage in the amounts of $1,000,000.00 for general and professional liability, and $500,000 for automobile liability, unless providing services under the Community Protection Statement of Work; and L. Ensure that staff are 18 year of age or older. Agency must have a training plan that meets the requirements of DDA Policy 6.13. Additional training should be provided to meet the needs of the Clients. Examples of such training include task/job analysis, follow -along support, co-worker support, job modification, restructuring, functional analysis, positive behavior supports, and use of natural supports. M. Employment and day services must adhere to the Home and Community Based settings requirements of 42 CFR 441 530(a)(1), including; 1. The setting is integrated in and supports full access to the greater community; 2. Ensures the individual receives services in the community to the same degree of access as individuals not receiving Medicaid HCBS; 3. Provides opportunities to seek employment and work in competitive integrated settings; and; 4. Identifying settings that isolate people from the broader community or that have the effect of isolating individuals from the broader community of individuals who do not receive Medicaid HCB services. These settings are presumed not to be home and community based. N. Grant County will evaluate and review services delivered by vendors to reasonably assure compliance and quality. Grant County will conduct at least one on-site visit during the biennium. O. Grant County will maintain written documentation of all evaluations, recommendations, and corrective action plans for each vendor. Copies will be provided to DDA upon request. P. Fees: 1. Approval of fees is the responsibility of the DDA. 4 Giant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B 2. The DDA sets limitations on the Hourly Rate for each direct service. The current rates are as follows: a. Individual Employment services - $75.00 per hour b. Group Supported Employment services - $65.00 per hour c. Community Inclusion services - $35.00 per hour Q. The vendor will provide Client support services that include one or more of the following program outcomes: 1. COMMUNITY INCLUSION a. Monthly Community Inclusion support hours will be based on the Client's Community Inclusion service level per WAC 388-828-9310 for all Clients who began receiving Community Inclusion services July 1, 2011 and forward, and will be in accordance with the DSHS Community Inclusion Billable Activities(httl)s://www.dshs.wa.gov/dda/county-best:practice ). b. To ensure health and safety, promote positive image and relationships in the community, increase competence and individualized skill -building, and achieve other expected benefits of Community Inclusion. Community Inclusion services will occur individually or in a group of no more than two (2) or three (3) individuals with similar interests and needs. c. Community Inclusion activities must meet four simple criteria: 1. Individualized based on Client's needs. 2. Integrated with other individuals without disabilities in the community. 3. Activities that are typically experienced by the general public in their local community; accessible by public transit or a reasonable commute from the Client's home. 4. Ability to contribute and develop relationships with community members who are not paid staff. d. Community Inclusion services will focus on activities that assist individuals to participate in activities that promote individualized skill development, independent living and community integration. Activities must provide individuals with opportunities to develop personal relationships with others and to be part of their local communities, to learn, practice and apply life skills that promote greater independence and community inclusion. i. A Client receiving Community Inclusion services will not receive employment support simultaneously. ii. Support to participate in segregated or isolating activities with no opportunities to develop relationships with community members, and/or specialized activities will not be reimbursed. Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit B EXHIBIT B ii. A Client receiving Community Inclusion services may, at any time, choose to leave Community Inclusion to pursue employment support. iii. Person -centered planning will be used to develop an individual Community Inclusion plan. Planning must include all interested parties, i.e. DDA case managers, friends, family, natural supports, etc. The plan must incorporate the individual's choice, reflecting integrations, natural supports, and promoting the individual's rights and self-determination. Plans will have goals with measurable outcomes. Plans will be reviewed and signed off by the Client every six (6) months (or sooner should the need arise) and updated annually or as goals change. All updated plans will be sent to the County for review. Plans and supporting documentation demonstrating participant inclusion in the planning process must be included in the Client's file. Documentation must clearly state that a copy of the person -centered plan was provided to the Case Resource Manager, participant, County and/or guardian if any. iv. Community Inclusion is assigned in contact hour increments. A reimbursable hour is at least fifty (50) minutes of direct service. Clients will receive no less than one (1) face to face contact each month. v. If an individual does not use the hours, an Exception to Agreement Form must be filled out and sent to Grant County DD with a clear explanation as to the why the individual's hours were not accessed. vi. Up to two (2) hours per assessment may be used to plan and gather resources for the Assessment meeting. Time spent at the assessment is considered billable hours. vii. All Community Inclusion must be appropriate and specific to each person as identified in the person -centered planning process. No billable services will be provided that are regularly provided by family or residential providers, such as shopping. All billable activities must reflect plan goals. viii. Billable activities may include volunteer experience, assisting in recreation, leisure, and social activities of the Client's own choosing. ix. All billable services must be provided on an individual basis with no more than three people with disabilities together at any time or location. Services must be varied and provided in the community where other community members participate in the same type of activities. x. Transportation facilitated or provided by the vendor may be included in billable hours of service provided the Client is present. Staff time required to travel to the Client is also allowable. Billable hours do not include return travel to the office. Travel to the client's home is billable, regardless of whether client is home. 6 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B xi. Client semi-annual reports must include the following: • Current Community Inclusion plan date and goals with measurable outcomes; • Steps taken to achieve goals and outcomes for the time period; • Other funding sources accessed; • Naturally supported hours and activities. If this number is zero, the agency must document the steps taken to increase naturally supported time and events; and • Number of services hours received from the provider. xii. Semi-annual reports must be signed by the Client or guardian and be received by Grant County no later than 30 -days following June 30 and December 31 of each year. 3. INDIVIDUAL SUPPORTED EMPLOYMENT a. Individual employment services are part of a Client's pathway to employment and are tailored to meet individual needs, interest, abilities, and promote career development. Jobs will be integrated in typical community employment settings. All services will assist a person with developmental disabilities obtain and continue integrated, individual employment at or above the state's minimum wage in the general workforce. Billable services may include intake, discovery, assessment, job preparation, job marketing, job supports, record keeping, and supports to maintain employment. Clients in an employment program will be supported to work towards a living wage. A living wage is the amount needed to enable an individual to meet or exceed his/her living expenses. Clients should be supported to average twenty (20) hours of community work per week or eighty-six (86) hours per month; however, each person's preferred hours of employment should be taken into consideration. The amount of service a Client receives will be based on his/her demonstrated need, acuity level and work history per WAC 388-828. b. The Client's DDA PCSP is the driver for service. Person -centered planning must be used to develop an individual employment support plan as a pathway to employment. Planning must include all interested parties, DDA case manager, friends, parents, teaches, etc. The plan will incorporate individual choice, reflecting integration, natural supports and promoting individual rights and self- determination. Plans will have goals with measurable outcomes, and will be reviewed and signed off by the Client every six (6) months and updated annually or as goals change. Plans and supporting documentation demonstrating Client participation in the person -centered planning process must be included in the Client file. c. All Clients will have an Individualized Employment or Community Inclusion plan to identify Client's preferences. Minimum plan requirements are outlined in the reference document, "Criteria for an Evaluation." A signed copy of the Client's 7 Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit B EXHIBIT B Individualized plan will be provided to the Client, their CRM, guardian and other's as appropriate. d. Semi-annual progress reports that describe the outcomes of activities will be signed by the Client (or guardian if applicable) and provided by the vendor to the Client, County, their CRM, guardian, and others appropriate. e. All employment must occur in typical work sites for non -disabled workers. f. Billable employment supports include, but are not limited to, identification of resources necessary for transportation, job restructuring, work materials or adaptation of work routines, work environment modifications, job counseling, training of co-workers and training of employers. Follow along services are those activities undertaken by the vendor on behalf of the Client to facilitate j ob retention or continued employment. g. All Client's will be contacted by their service provider according to Client need and at least once per month. i. For Individual Employment where the service provider is also the Client's employer, long term funding will remain available to the service provider/employer for six months after the employee/DDA Client's date of hire. At the end of the six month period, if the DDA Client continues to need support on the job, another service provider who is not the employer of record must provide the support unless Grant County issues prior written approval for the service provider to continue to provide long-term supports if needed. j. Individual Employment staff hours must be attributed to the "Individual Employment and Billable Activity Phase(s)". 4. GROUP SUPPORTED EMPLOYMENT a. Group Support Employment is part of an individual's pathway to integrated jobs in typical community employment. These services are intended to be short term and offer ongoing supervised employment for groups of no more than eight (8) workers with disabilities in the same setting. The service outcome is sustained paid employment leading to further career development in integrated employment at, or above minimum wage. Activities should include intake, discovery, assessment, job preparation, job marketing, job supports, record keeping and support to maintain a job. Examples include enclaves, mobile crews, and other business models employing small groups of people with disabilities in an integrated employment in community settings. b. Person centered planning will be used to develop a group supported employment support plan as a pathway to employment. Planning must include all interested parties, DDA case manager, friends, parents, teachers, etc. This plan will incorporate the individual choice, reflecting integration, natural supports, and promoting the individuals' rights and self-determination. Plans will have goals with measurable outcomes. Plans will use language that is respectful of an individual, 8 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B is positive, and focuses on the Client's abilities, not disabilities. Plans will be reviewed and signed off by the Client every six (6) months, and updated annually or as goals change. Plans and supporting documentation, including participants in the person centered planning process must be included in Client files. c. Clients must have a documented and demonstrated need for ongoing supervision and support in the number of service hours per month they can expect to receive. Any changes must be communicated to the Client prior to the change taking place. The amount of service a Client receives should be based on his/her demonstrated need and acuity level. d. Planning will include transition to more inclusionary employment service and review of barriers to such transitions. All individuals must receive at least minimum wage and be working towards a living wage. All jobs paying less then minimum wage by any payment means, for example, commission or Federal Sub - minimum wage certificate must have County approval. e. Employment supports may include but are not limited to, identification of resources necessary for transportation; job restructuring, work materials or adaptation of work routine, work environment modifications identification of job counseling needs, training of co-workers to provide support and train/support to employers and resources necessary for transportation; job restructuring, work materials or adaptation of work routine, work environment modifications identification of job counseling needs, training of co-workers to provide support and train/support to employers and support in social communication and self-care. f. Job Retention service is those activities undertaken by the vendor on behalf of an individual to facilitate job retention or continued employment. i. Functional assessments and positive behavior support plans need to be completed whenever necessary to focus on changing the environment and skill deficits that contribute to the person' problem behavior. A supportive environment helps a person meet his/her needs through positive expression instead of needing to resort to challenging behaviors to get the environment to respond. Skill development and improvement help increase a person's status and confidence. Positive behavior support uses functional assessment to help build respectful support plans. j. If a Client is underemployed (less than 20 hours per week) 9 months from date of acceptance or employment, a meeting must be held before the ninth (9th) month. The vendor will include in this meeting, the Client, parents/guardians, DDA case manager, County and any other interested party as agreed upon by the parties. The goal of the meeting will be to assess and develop a plan to proceed with goals, assigned responsibilities and time frames. Monthly payment maybe held until meeting is completed. k. Group Client semi- annual reports will include the following: • Current employment plan date and goals with measurable outcomes. • Steps taken to achieve goals and outcomes for time period 9 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B • Salary or hourly wage rate and benefits • Number of hours worked weekly or monthly. • Number of service hours received from the provider • If unemployed or under employed, reports will include job development sites and potential employers. 1. Semi-annual reports must be signed by the Client or guardian and received by the County no later than the 30th of the month following date due. in. For Group Supported Employment, Clients must have paid work or paid training. The total number of direct service staff hours provided to the group should be equal to or greater than the group's collective amount of individual support monthly base hours. If the direct staff hours are less than the collective amount, then the provider will be reimbursed only for the number of hours actually provided. The collective group's individual hours should be the minimum staff hours delivered to support the group. n. All Clients will be contacted by their service provider according to Client need, and at least once a month. VII. ADMINISTRATION OF BILLABLE ACTIVITIES A. It is an expectation that all Clients access DVR funding as a resource. Client services shall not be reimbursed under this agreement when the same services are paid for under the Rehabilitation Act of 1973 by DVR, Public Law 94-142 or any other source of public or private funding. B. A claim for each individual is made on the CMIS system by indicating the number of services units delivered to each individual listed and the fee per unit. Units are defined as: 1. An "hour" is at least fifty (50) minutes of direct service. Partial hours to the quarter may be recorded. C. The Employment Phases & Billable Activities document defines the individual Client services that DDA and Grant County reimburses. That document is located on the DSHS DDA County Best Practices Web site at https://www.dshs.wa.gov/dda/county-best-practices. D. The Community Inclusion Billable Activities document defines the individual Client services DDA and Grant County reimburses. That document is located on the DSHS DDA County Best Practices Web site at https://www.dshs.wa.gov/dda/county-best-practices. E. If the vendor bills and is paid fees for services that DSHS or Grant County later finds were not delivered or not delivered in accordance with Program Agreement standards, DSHS or Grant County will recover the fees for those services and the vendor will fully cooperate during the recovery. VIII. REIMBURSEMENT The obligation of the County to provide reimbursement is contingent upon receipt of funds from DDA/DSHS for this purpose. Reimbursement for services rendered will be according to the following: 10 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT B A. All reimbursement for Day Program Services will be fee for service. Unit rates will be those appearing on the CMIS schedule. B. Each Vendor providing authorized services will be issued a CMIS schedule that outlines the individual Client for whom the County has record of authorization designating the Vendor as the Service provider for the Client. The CMIS schedule will list all eligible Clients assigned to that Vendor for services, along with each Client's effective date, program, and the rate of reimbursement for each Client and the available number of units for the Client. C. Clients paying for their services with Direct Payment Program payments will be listed on the CMIS schedule without a reimbursement or unit rates. D. The Vendor shall submit to the County monthly billings, on a format provided by the County, based on the reimbursement rate times the number of services units provided. Such billings will be submitted no later than the 8th day of the month following the month in which services were rendered. E. Reimbursement will be provided only for those services authorized for individuals listed in the Vendors most recent CMIS schedule, verified by a valid County Service Authorization form from DDA/DSHS for this purpose. F. Client services paid for under the Rehabilitation Act of 1973 (DVR, P.L. 94-142 (Public Education), or are being funded under the Plan for Achieving Self Support (PASS) or Impairment Related Work Expense (IRWE) will not be reimbursed or any other source of public or private funding. IX. SERVICE DELIVERY The Vendor shall: A. Assure that services for persons with developmental disabilities must be provided with attention to their health and safety. The services provider shall comply with all state regulations and all local ordinances on fire, health, and safety standards wherever the services are delivered. This applies to the environment and program content. B. Notify the County and provide copies of any Critical Incident reports filed with DDA within (3) working days. C. Maintain emergency contact and medical information on all Clients. D. Comply with all applicable federal, state, and local fire health, and safety regulations, which include, but are not limited to: 1. Federal and State- Occupational Safety and Health Act of 1970 (OSHA -84 USC 1590, 29 CFR 1910-1926); 2.Washington Industrial Safety and Health Act (WISHA -RCW 49.17, WAC 296-024 and 296-62), 3. State Fire Code RCW 19.27. 11 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit B EXHIBIT C Exhibit C — Data Security Requirements 1. Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following definitions: a. "AES" means the Advanced Encryption Standard, a specification of Federal Information Processing Standards Publications for the encryption of electronic data issued by the National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf). b. "Authorized Users(s)" means an individual or individuals with a business need to access DSHS Confidential Information, and who has or have been authorized to do so. C. "Category 4 Data" is data that is confidential and requires special handling due to statutes or regulations that require especially strict protection of the data and from which especially serious consequences may arise in the event of any compromise of such data. For purposes of this contract, data classified as Category 4 refers to data protected by: the Health Insurance Portability and Accountability Act (HIPAA). d. "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a network outside the control of the Contractor. Physical storage of data in the cloud typically spans multiple servers and often multiple locations. Cloud storage can be divided between consumer grade storage for personal files and enterprise grade for companies and governmental entities. Examples of consumer grade storage would include iCloud, Dropbox, Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, 0365, and Rackspace. e. "Encrypt" means to encode Confidential Information into a format that can only be read by those possessing a "key"; a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 128 bits (256 preferred and required to be implemented by 6/30/2020) for symmetric keys, or 2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must be used if available. f. "Hardened Password" means a string of at least eight characters containing at least three of the following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and special characters such as an asterisk, ampersand, or exclamation point. g. "Mobile Device" means a computing device, typically smaller than a notebook, which runs a mobile operating system, such as iOS, Android, or Windows Phone. Mobile Devices include smart phones, most tablets, and other form factors. h. "Multi -factor Authentication" means controlling access to computers and other IT resources by requiring two or more pieces of evidence that the user is who they claim to be. These pieces of evidence consist of something the user knows, such as a password or PIN; something the user has such as a key card, smart card, or physical token; and something the user is, a biometric identifier such as a fingerprint, facial scan, or retinal scan. "PIN" means a personal identification number, a series of numbers which act as a password for a device. Since PINs are typically only four to six characters, PINS are usually used in conjunction with another factor of authentication, such as a fingerprint. Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit C EXHIBIT C L "Portable Device" means any computing device with a small form factor, designed to be transported from place to place. Portable devices are primarily battery powered devices with base computing resources in the form of a processor, memory, storage, and network access. Examples include, but are not limited to, mobile phones, tablets, and laptops. Mobile Device is a subset of Portable Device. j. "Portable Media" means any machine readable media that may routinely be stored or moved independently of computing devices. Examples include magnetic tapes, optical discs (CDs or DVDs), flash memory (thumb drive) devices, external hard drives, and internal hard drives that have been removed from a computing device. k. "Secure Area" means an area to which only authorized representatives of the entity possessing the Confidential Information have access, and access is controlled through use of a key, card key, combination lock, or comparable mechanism. Secure Areas may include buildings, rooms or locked storage containers (such as a filing cabinet or desk drawer) within a room, as long as access to the Confidential Information is not available to unauthorized personnel. In otherwise Secure Areas, such as an office with restricted access, the Data must be secured in such a way as to prevent access by non -authorized staff such as janitorial or facility security staff, when authorized Contractor staff are not present to ensure that non -authorized staff cannot access it. I. "Trusted Network" means a network operated and maintained by the Contractor, which includes security controls sufficient to protect DSHS Data on that network. Controls would include a firewall between any other networks, access control lists on networking devices such as routers and switches, and other such mechanisms which protect the confidentiality, integrity, and availability of the Data. m. "Unique User ID" means a string of characters that identifies a specific user and which, in conjunction with a password, passphrase or other mechanism, authenticates a user to an information system. 2. Authority. The security requirements described in this document reflect the applicable requirements of Standard 141.10 (https:Hocio.wa.goy/policies) of the Office of the Chief Information Officer for the state of Washington, and of the DSHS Information Security Policy and Standards Manual. Reference material related to these requirements can be found here: https•//www dshs wa gov/fsa/central-contract-services/kegping-dshs-client-information-private- and-secure, which is a site developed by the DSHS Information Security Office and hosted by DSHS Central Contracts and Legal Services. 3. Administrative Controls. The Contractor must have the following controls in place: a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy. b. If the Data shared under this agreement is classified as Category 4 data, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data. c. If Confidential Information shared under this agreement is classified as Category 4 data, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data. 2 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit C 4. EXHIBIT C Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must: a. Have documented policies and procedures governing access to systems with the shared Data. b. Restrict access through administrative, physical, and technical controls to authorized staff. C. Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non -repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action. d. Ensure that only authorized users are capable of accessing the Data. e. Ensure that an employee's access to the Data is removed immediately: (1) Upon suspected compromise of the user credentials. (2) When their employment, or the contract under which the Data is made available to them, is terminated. (3) When they no longer need access to the Data to fulfill the requirements of the contract. f. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information. g. When accessing the Data from within the Contractor's network (the Data stays within the Contractor's network at all times), enforce password and logon requirements for users within the Contractor's network, including: (1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point. (2) That a password does not contain a user's name, logon ID, or any form of their full name. (3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase, which consists of multiple dictionary words. (4) That passwords are significantly different from the previous four passwords. h. When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Contractor's network), mitigate risk and enforce password and logon requirements for users by employing measures including: (1) Ensuring mitigations applied to the system do not allow end-user modification. Examples would include but not be limited to installing key loggers, malicious software, or any software that will compromise DSHS data. (2) Not allowing the use of dial-up connections. 3 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit C EXHIBIT C (3) Using industry standard protocols and solutions for remote access. Examples include, but are not limited to RADIUS Microsoft Remote Desktop (RDP) and Citrix. (4) Encrypting all remote access traffic from the external workstation to Trusted Network or to a component within the Trusted Network. The traffic must be encrypted at all times while traversing any network, including the Internet, which is not a Trusted Network. (5) Ensuring that the remote access system prompts for re -authentication or performs automated session termination after no more than 30 minutes of inactivity. (6) Ensuring use of Multi -factor Authentication to connect from the external end point to the internal end point. All Contractors must be in compliance by 6/30/2020. i. Passwords or PIN codes may meet a lesser standard if used in conjunction with another authentication mechanism, such as a biometric (fingerprint, face recognition, iris scan) or token (software, hardware, smart card, etc.) in that case: (1) The PIN or password must be at least 5 letters or numbers when used in conjunction with at least one other authentication factor (2) Must not be comprised of all the same letter or number (11111, 22222, aaaaa, would not be acceptable) (3) Must not contain a "run" of three or more consecutive numbers (12398, 98743 would not be acceptable) If the contract specifically allows for the storage of Confidential Information on a Mobile Device, passcodes used on the device must: (1) Be a minimum of six alphanumeric characters. (2) Contain at least three unique character classes (upper case, lower case, letter, number). (3) Not contain more than a three consecutive character run. Passcodes consisting of 12345, or abcd12 would not be acceptable. k. Render the device unusable after a maximum of 10 failed logon attempts. 5. Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described: a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. b. Network server disks. For Data stored on hard disks mounted on network servers and made available through shared folders, access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart 4 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit C EXHIBIT C cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secure Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data, as outlined below in Section 8 Data Disposition, may be deferred until the disks are retired, replaced, or otherwise taken out of the Secure Area. c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secure Area. When not in use for the contracted purpose, such discs must be Stored in a Secure Area. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by DSHS on optical discs which will be attached to network servers and which will not be transported out of a Secure Area. Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. e. Paper documents. Any paper records must be protected by storing the records in a Secure Area which is only accessible to authorized personnel. When not in use, such records must be stored in a Secure Area. f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor's staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an Authorized User's duties change such that the Authorized User no longer requires access to perform work for this Contract. g. Data storage on portable devices or media. (1) Except where otherwise specified herein, DSHS Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the terms and conditions of the Contract. If so authorized, the Data shall be given the following protections: (a) Encrypt the Data. (b) Control access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics. Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit C EXHIBIT C (c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. (d) Apply administrative and physical security controls to Portable Devices and Portable Media by: i. Keeping them in a Secure Area when not in use, ii. Using check-in/check-out procedures when they are shared, and iii. Taking frequent inventories. (2) When being transported outside of a Secure Area, Portable Devices and Portable Media with DSHS Confidential Information must be under the physical control of Contractor staff with authorization to access the Data, even if the Data is encrypted. h. Data stored for backup purposes. (1) DSHS Confidential Information may be stored on Portable Media as part of a Contractor's existing, documented backup process for business continuity or disaster recovery purposes. Such storage is authorized until such time as that media would be reused during the course of normal backup operations. If backup media is retired while DSHS Confidential Information still exists upon it, such media will be destroyed at that time in accordance with the disposition requirements below in Section 8 Data Disposition. (2) Data may be stored on non-portable media (e.g. Storage Area Network drives, virtual media, etc.) as part of a Contractor's existing, documented backup process for business continuity or disaster recovery purposes. If so, such media will be protected as otherwise described in this exhibit. If this media is retired while DSHS Confidential Information still exists upon it, the data will be destroyed at that time in accordance with the disposition requirements below in Section 8 Data Disposition. i. Cloud storage. DSHS Confidential Information requires protections equal to or greater than those specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither DSHS nor the Contractor has control of the environment in which the Data is stored. For this reason: (1) DSHS Data will not be stored in any consumer grade Cloud solution, unless all of the following conditions are met: (a) Contractor has written procedures in place governing use of the Cloud storage and Contractor attest to the contact listed in the contract and keep a copy of that attestation for your records in writing that all such procedures will be uniformly followed. (b) The Data will be encrypted while within the Contractor network. (c) The Data will remain encrypted during transmission to the Cloud. (d) The Data will remain encrypted at all times while residing within the Cloud storage solution. Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit C EXHIBIT C (e) The Contractor will possess a decryption key for the Data, and the decryption key will be possessed only by the Contractor. (f) The Data will not be downloaded to non -authorized systems, meaning systems that are not on the contractor network. (g) The Data will not be decrypted until downloaded onto a computer within the control of an Authorized User and within the contractor's network. (2) Data will not be stored on an Enterprise Cloud storage solution unless either: (a) The Cloud storage provider is treated as any other Sub -Contractor, and agrees in writing to all of the requirements within this exhibit; or, (b) The Cloud storage solution used is HIPAA compliant. (3) If the Data includes protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior to Data being stored in their Cloud solution. 6. System Protection. To prevent compromise of systems which contain DSHS Data or through which that Data passes: a. Systems containing DSHS Data must have all security patches or hotfixes applied within 3 months of being made available. b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have been applied within the required timeframes. c. Systems containing DSHS Data shall have an Anti-Malware application, if available, installed. d. Anti-Malware software shall be kept up to date. The product, its anti-virus engine, and any malware database the system uses, will be no more than one update behind current. 7. Data Segregation. a. DSHS category 4 data must be segregated or otherwise distinguishable from non-DSHS data. This is to ensure that when no longer needed by the Contractor, all DSHS Data can be identified for return or destruction. It also aids in determining whether DSHS Data has or may have been compromised in the event of a security breach. As such, one or more of the following methods will be used for data segregation. (1) DSHS Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain no non-DSHS Data. (2) DSHS Data will be stored in a logical container on electronic media, such as a partition or folder dedicated to DSHS Data. (3) DSHS Data will be stored in a database which will contain no non-DSHS data. And/or, 7 Grant County Vendor Agreement July 1, 2019 — June 30, 2021 Exhibit C EXHIBIT C (4) DSHS Data will be stored within a database and will be distinguishable from non-DSHS data by the value of a specific field or fields within database records. (5) When stored as physical paper documents, DSHS Data will be physically segregated from non-DSHS data in a drawer, folder, or other container. b. When it is not feasible or practical to segregate DSHS Data from non-DSHS data, then both the DSHS Data and the non-DSHS data with which it is commingled must be protected as described in this exhibit. 8. Data Disposition. When the contracted work has been completed or when the DSHS Data is no longer needed, except as noted above in Section 5.b, DSHS Data shall be returned to DSHS or destroyed. Media on which Data may be stored and associated acceptable methods of destruction are as follows: Data stored on: Will be destroyed by: Server or workstation hard disks, or Using a "wipe" utility which will overwrite the Data at least three (3) times Removable media (e.g. floppies, USB using either random or single character flash drives, portable hard disks) excluding data, or optical discs Degaussing sufficiently to ensure that the Data cannot be reconstructed, or Physically destroying the disk Paper documents with sensitive or Confidential Information Recycling through a contracted firm, provided the contract with the recycler assures that the confidentiality of Data will be rotected. Paper documents containing Confidential Information requiring special handling On-site shredding, pulping, incineration, or contractor (e.g. protected health information) Optical discs (e.g. CDs or DVDs) Incineration, shredding, or completely defacing the readable surface with a coarse abrasive Magnetic tape Degaussing, incinerating or crosscut shredding 9. Notification of Compromise or Potential Compromise. The compromise or potential compromise of DSHS shared Data must be reported to the DSHS Contact designated in the Contract within one (1) business day of discovery. If no DSHS Contact is designated in the Contract, then the notification must be reported to the DSHS Privacy Officer at dshsprivacyofficer@dshs.wa.gov. Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or DSHS. 8 Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit C EXHIBIT C 10. Data shared with Subcontractors. If DSHS Data provided under this Contract is to be shared with a subcontractor, the Contract with the subcontractor must include all of the data security provisions within this Contract and within any amendments, attachments, or exhibits within this Contract. If the Contractor cannot protect the Data as articulated within this Contract, then the contract with the sub -Contractor must be submitted to the DSHS Contact specified for this contract for review and approval. 9 Grant County Vendor Agreement July 1, 2019 —June 30, 2021 Exhibit C