HomeMy WebLinkAboutAgreements/Contracts - RenewGRANT COUNTY
COMMISSIONERS AGENDA MEETING REQUEST FORM
(Must be submitted to the Clerk of the Board by 12:00pm on Thursday)
REQUESTING DEPARTMENT: Renew
REQUEST SUBMITTED BY: Linze Greenwalt
CONTACT PERSON ATTENDING ROUNDTABLE: Dell Anderson
CONFIDENTIAL INFORMATION: ❑YES ® NO
DArE:11.07.24
PHONE:X5470
111110r1�1=1100miM1111111111
,
l 1 r r
®Agreement / Contract
❑AP Vouchers
❑Appointment / Reappointment
--- -- - ----
❑ARPA Related
❑ Bids / RFPs / Quotes Award
❑ Bid Opening Scheduled
❑ Boards / Committees
❑ Budget
❑Computer Related
❑County Code
❑Emergency Purchase
❑Employee Rel.
❑ Facilities Related
❑ Financial
❑ Funds
❑ Hearing
❑ Invoices / Purchase Orders
❑ Grants — Fed/State/County
❑ Leases
❑ MOA / MOU
El Minutes
❑Ordinances
❑Out of State Travel
El Petty Cash
❑ Policies
❑ Proclamations
❑ Request for Purchase
❑ Resolution
❑Recommendation
El Professional Serv/Consultant
❑Support Letter
❑Surplus Req.
❑Tax Levies
❑Thank You's
❑Tax Title Property
❑WSLCB
EI-1-
Contract between Washington State Department of Corrections and Grant County
dba Renew to provide Drug Offender Sentencing Alternative assessments.
Contract No K13553. Contract term: 10/16/24 - 10/15/25.
If necessary, was this document reviewed by accounting? ❑ YES ❑ NO W N/A
If necessary, was this document reviewed by legal? * YES ❑ NO ❑ N/A
DATE OF ACTION: I �' �2 Z
APPROVE: DENIED ABSTAIN
D1:
D2:
D3:
DEFERRED OR CONTINUED TO:
WITHDRAWN:
NOV 0 9 S24
4/23/24
y g
STA
Washin ton State
p
De artment of Corrections
Contract No. K13553
T hl ae Cco init I at(C tt is entered into between the Washington State Department of Corrections
hereinafter referred to as "Department" or "DOC," and Grant County Renew, Grant Behavioral Health and
Wellness, hereinafter referred to as "Contractor," for the express purposes set forth in the following
provisions of this Contract. Department and Contractor may be collectively referred to as the "Parties" or
individually as a "Party."
WHEREAS the purpose of this Contract is for Contractor to provide Drug Offender Sentencing
Alternative assessments ("DOSA Assessments"); and
WHEREAS this is a Client Services Contract authorized under RCW 39.26.125 and RCW 72.10.030.
NOW THEREFORE, in consideration of the terms and conditions contained herein, or attached
and incorporated and made a part hereof, Department and Contractor agree as follows:
I. CONTRACT TERM
Regardless of the date of execution, the initial term of this Contract, and subsequent extensions or
contractions thereto, shall commence and expire on the dates set forth below, unless earlier
terminated as provided herein.
Commencement Date
Expiration Date
Contract Term
October 16, 2024
October 15, 2025
II. RIGHTS AND OBLIGATIONS
All rights and obligations of the Parties to this Contract shall be subject to and governed by the
special terms and conditions contained in the text of this Contract instrument, Medical General
Terms and Conditions attached hereto as Attachment A, Scope of Work attached hereto as Attachment
B, Business Associate Agreement attached hereto as Attachment C, and Data Security Requirements
attached hereto as Attachment D.
III. COMPENSATION AND PAYMENT
A. Amount of Compensation. Total compensation including expenses payable to Contractor for
satisfactory performance of the work under this Contract shall not exceed $176,000 per fiscal
year. Total compensation is $228.75 per DOSA Assessment.
Compensation is contingent upon Contractor meeting the performance standards and
attaining the outcome measures for the contracted services that are detailed in Attachment B.
Scope of Work. Any additional services provided by the Contractor must have the prior written
approval of the Department.
Washington State K13553 Page 1 of 4
Department of Corrections 24RAD
B. Time of Payment. Payment shall be considered timely if made by the Department within thirty
(30) days after receipt of properly completed invoices. Payment shall be sent to the address
designated by the Contractor. The Department may, at its sole discretion, terminate the
Contract or withhold payments claimed by the Contractor for services rendered if the
Contractor fails to satisfactorily comply with any term or condition of this Contract.
C. Method of Payment. Compensation for services rendered shall be payable upon submittal of
properly completed invoices. The Contractor shall submit invoices to the Contract Manager
together with a detailed statement of the Contract services performed for which the Contractor
is seeking compensation.
D. Invoices Required. Requests for payment under this Contract shall be submitted by the
Contractor on Invoices (State Form A-19) prepared in the manner prescribed by the
Department. These invoices shall include such information as is necessary for the Department
to determine the exact nature of all expenditures. Each invoice will clearly indicate that it is for
the services rendered in performance under this Contract.
IV. CONTRACT REPRESENTATIVES
A. The Department's Contract Manager for this Contract shall be Richard Reninger,
richard.reninger@docl.wa.gov, (360) 819-6479. The Contract Manager shall be responsible for
monitoring the performance of the Contractor, the approval of actions by the Contractor,
approval for payment of billings and expenses submitted by the Contractor, and the acceptance
of any reports by the Contractor.
B. The Contractor's representative for this Contract shall be Linze Greenwalt,
Igreenwalt@g_rantcountywa. gov, (509) 765-9239 who will be the contact person for all
communications regarding the conduct of work under this Contract.
C. Either party may change its Contract Manager by providing written notice to the other party
of the change, including the name, title, phone number, and email address of the new Contract
Manager. Notification by email is acceptable.
V. COMPLIANCE WITH APPLICABLE LAWS
Throughout the performance of this Contract, Contractor shall comply with all applicable federal,
state, and local laws, rules, regulations, ordinances, codes, orders, and proclamations.
VI. SURVIVAL
The rights and obligations of either Party that by their nature would continue beyond the
expiration or termination of this Contract shall survive termination or expiration of this Contract.
VII. INTERPRETATION OF CONTRACT
A. Order of Precedence. In the event of an inconsistency in this Contract, unless otherwise
provided herein, the inconsistency shall be resolved by giving precedence in the following
order:
Washington State K13553 Page 2 of 4
Department of Corrections 24RAD
Applicable federal and state of Washington statutes and regulations
Special terms and conditions contained in this basic Contract instrument
Any other provision, term, or material incorporated herein by reference or otherwise
incorporated
B. Entire Agreement. This Contract including referenced schedules represents all the terms and
conditions agreed upon by the Parties. No other understanding or representations, oral or
otherwise, regarding the subject matter of this Contract shall be deemed to exist or to bind any
of the Parties hereto.
C. Conformance. If any provision of this Contract violates any statute or rule of law of the state
of Washington, it is considered modified to conform to that statute or rule of law.
D. Counterparts. This Contract may be executed in duplicate originals and, for all purposes, each
duplicate shall be deemed an original copy of the Contract signed by each Party.
E. Approval. This Contract shall be subject to the written approval of the Department's
authorized representative and shall not be binding until so approved. The Contract may be
altered, amended, or waived only by a written amendment executed by both Parties.
[THE REMAINDER OF THIS PAGE IS INTENTIONALLY LEFT BLANK]
Washington State K13553 Page 3 of 4
Department of Corrections 24RAD
Docusign Envelope ID-. 92EOF5AC-F791-4CE6-8FCF-E4A37B7DO9E7
THIS CONTRACL consisting Of fOUT (4) pages and foiir (4) attachments, is executed by the Persons
signing below who warrant that they have the authoritY to execute, the Contract.
RE N E VV
1-41
Cindy Carter
Wrin-ted Name)
Chair
(Title)
L
(Date)
DEPARTMEW OF CORRECT IONS
e-DocuSigned by:
Da,rjt 9;4jfA irr
"---&BF3FE-637E-&B-40
5- t sat re
Darvl Huntsinger
(Printed Name)
Contracts AdministTator
(Title)
3/7/2025
Approved as do Form: -niji Contract format was appyoved by the Office of Ithe Att-cirney Geiteral. Apprcival on file'.
Washlntort State K135,53 Page 4 c
Department of C-orrections
214RAD
WASHINGTON STATE
DEPARTMENT OF CORRECTIONS
MEDICAL GENERAL TERMS AND CONDITIONS
1. DEFINITIONS
ATTACHMENT A
The definitions used in the Offender Health Plan are incorporated by reference herein. As used throughout
this Contract, the terms defined in the OHP and the following terms herein have the meanings herein or
therein set forth.
1.1. "Contracts Administrator" means the Administrator of the DOC's Contracts and Legal
Affairs office, or delegate.
1.2. "Contracts and Legal Affairs" means the Department of Corrections (DOC) headquarters
contracting office, or successor section or office.
1.3. "DOC" or "Department" means the Department of Corrections (DOC) of Washington
State, any division, section, office, unit, or other entity of the DOC, or any of the officers or
other officials lawfully representing the DOC.
1.4. "DSHS" means Department of Social and Health Services.
1.5. "Healthcare Practitioner" means an individual or firm licensed or certified to actively
engage in a regulated health profession.
1.6. "Health Profession" means those licensed or regulated professions set forth in
18.120.020(4) RCW.
1.7. "Healthcare Facility" means any hospital, hospice care center, licensed or certified
Healthcare facility, health maintenance organization regulated under Chapter 48.46 RCW,
federally qualified health maintenance organization, federally approved renal dialysis
center or facility, or federally approved blood bank.
1.8. "Healthcare Services" means medical, dental, mental health care services.
1.9. "Minority Business Enterprise", "Minority -Owned Business Enterprise", or "MBE" means
a business organized for profit, performing a commercially useful function, which is
owned and controlled by one or more minority individuals, and which is certified by the
OMWBE.
1.10. "Offender Health Plan" means the document published by the DOC that defines and
describes the health and mental health care services that are medically necessary and
available to Incarcerated Individuals, as well as the services that are limited.
1.11. "OMWBE" means the Office of Minority and Women's Business Enterprises of
Washington State.
Washington State K13553 Page 1 of 25
Department of Corrections Attachment A 24RAD
1.12. "Provider" as used in this Contract means the legal entity providing healthcare under this
Contract. It shall include any Subcontractor retained by the Provider as permitted under
the terms of this Contract. The Provider is not an employee or agent of the DOC. Provider,
as used in the OHP, means the individual Healthcare practitioner in the employ of the
Provider.
1.13. "Secretary" means the Secretary of the Department of Corrections and delegates
authorized in writing to act on Secretary's behalf.
1.14. "Subcontractor" means one not in the employment of the Provider, who is performing all
or part of those services under this Contract under a separate Contract with the Provider.
The terms "Subcontractor" and "Subcontractors" mean Subcontractors) in any tier.
1.15. "Women's Business Enterprise", "Women -owned Business Enterprise", or "WBE" means
a business organized for profit, performing a commercially useful function.
2. ADVANCE PAYMENTS PROHIBITED
In compliance with RCW 43.88.160, no payments in advance of or in anticipation of goods or services to be
provided under this contract shall be made by the Department.
3. AGENCY
No party shall make any representations or warranties or incur any liability on behalf of the other. No party
is the agent, representative or partner of the other party. The parties agree that Provider is an independent
contractor, that neither Provider nor its employees, subcontractors and/or agents are employees of DOC
and that DOC shall not, on their behalf: withhold income or other taxes; provide Industrial Insurance;
participate in group insurance plans which may be available to employees of DOC; participate in or
contribute to any public employees retirement system; accumulate vacation leave or sick leave; or provide
unemployment compensation coverage. Neither Provider nor its employees, subcontractors and/or agents
are employees of DOC, and accordingly, none of them are entitled to any of the compensation, benefits,
rights, or privileges of employees of DOC.
4. AMENDMENTS AND MODIFICATIONS
4.1. Amendments and modifications to this contract shall not be binding unless they are in
writing and signed by personnel authorized to bind each of the parties.
4.2. Changes in the rate of compensation must be signed by both parties and shall not be
effective until the first day of the month following the last date of signature of the
amendment or until the effective date of the amendment if later than the date of last
signature.
4.3. The Secretary may, at any time, by written notification to the Provider, and without notice
to any guarantor or surety, unilaterally amend the scope of work to be performed under
the Contract, the period of performance, or the compensation to be paid to the Provider.
Washington State K13553 Page 2 of 25
Department of Corrections Attachment A 24RAD
These unilateral changes shall be effective as set forth in the amendment or upon signature
by the Contracts Administrator, if no date has been set forth.
4.4. The Provider will be deemed to have accepted any such unilateral amendment unless,
within fifteen (15) calendar days after the date the amendment is signed by the Contracts
Administrator, the Provider notifies the Contract Manager, in writing, of its non-
acceptance of such unilateral change. The Provider and the Department will then use good
faith efforts to negotiate an amendment acceptable to both parties.
4.5. Failure to reach agreement shall constitute a dispute concerning a question of fact within
the meaning of the Disputes provision contained in this Contract. However, nothing in this
provision shall excuse the Provider from proceeding with the Contract as amended.
Provider must continue to provide the contracted services, including any unilaterally
amended services, during any period of non -acceptance or negotiation of a unilateral
amendment.
5. AMERICANS WITH DISABILITIES ACT (ADA)
The Provider must comply with the Americans with Disabilities Act (ADA), which provides
comprehensive civil rights protection to individuals with disabilities in the areas of employment, public
accommodations, state and local government services, and telecommunications. (See Americans with
Disabilities Act .(ADA) of 1990, Public Law 101-336, also referred to as the "ADA" 28 CFR Part 35.)
6. ASSIGNMENT
Neither this contract, nor any claim arising under this contract, shall be transferred or assigned by the
Provider without prior written consent of the Department.
7. ATTORNEYS' FEES
In the event of litigation or other action brought to enforce contract terms, each party agrees to bear its own
attorney fees and costs.
8. CONFIDENTIALITY/ SAFEGUARDING OF INFORMATION
8.1. "Confidential Information" as used in this section includes:
8.1.1. All material provided to the Provider by the Department that is designated as
"confidential" by the Department;
8.1.2. All material produced by the Provider that is designated as "confidential" by the
Department;
8.1.3. All personal information in the possession of the Provider that may not be
disclosed under state or federal law. "Personal information" includes, but is not
limited to, information related to a person's name, health, finances, education,
business, use of government services, addresses, telephone numbers, social
security number, driver's license number and other identifying numbers, and
Washington State K13553 Page 3 of 25
Department of Corrections Attachment A 24RAD
"Protected Health Information" under the federal Health Insurance Portability
and Accountability Act of 1996 (HIPAA); and
8.1.4. All Category 3 and Category 4 information based on the classification categories
developed by the Washington State Office of the Chief Information Officer.
8.2. The Provider must comply with HIPAA, which is a Federal law that sets national
standards of how health care plans, health care clearinghouses, and most health care
providers protect the privacy of a patient's health information.
8.3. In the event Provider participates on a DOC Quality Assurance or Peer Review committee,
unless required by law, Provider shall keep all documents, including complaints and
incident reports, created specifically for, collected, and maintained for such review
confidential.
8.4. The Provider shall comply with all state and federal laws related to the use, sharing,
transfer, sale, or disclosure of Confidential Information. The Provider shall use
Confidential Information solely for the purposes of this Contract and shall not use, share,
transfer, sell or disclose any Confidential Information to any third party except with the
prior written consent of the DOC or as may be required by law. The Provider shall take all
necessary steps to assure that Confidential Information is safeguarded to prevent
unauthorized use, sharing, transfer, sale or disclosure of Confidential Information or
violation of any state or federal laws related thereto. Upon request, the Provider shall
provide the DOC with its policies and procedures on confidentiality. The DOC may
require changes to such policies and procedures as they apply to this Contract whenever
the DOC reasonably determines that changes are necessary to prevent authorized
disclosures. The Provider shall make the changes within the time period specified by the
DOC. Upon request, the Provider shall immediately return to the DOC any Confidential
Information that the DOC reasonably determines has not been adequately protected by the
Provider against unauthorized disclosure.
8.5. The Provider shall notify the DOC within one (1) working day of any unauthorized use or
disclosure of any Confidential Information and shall take necessary steps to mitigate the
harmful effects of such use or disclosure.
8.6. Any breach of this provision may result in termination of the contract and the demand for
return of all Confidential Information. The Provider agrees to indemnify and hold
harmless the DOC for any damages related to the Provider's unauthorized use or
disclosure of Confidential Information.
8.7. The Provider agrees to abide by all present and future federal and state laws and
regulations in maintaining the confidentiality of DOC files and records, including Criminal
History Record Information (CHRI). In the event CHRI is provided to the Provider, the
Provider shall also abide by all present and future DOC rules and regulations governing
the use of CHRI.
8.8. The Provider may use information related to incarcerated individuals gained by reason of
this Contract only to perform work under the terms of this Contract. The Provider shall
Washington State K13553 Page 4 of 25
Department of Corrections Attachment A 24RAD
not disclose, transfer, or sell any such information to any party, except as provided by law,
or with the prior written consent of the Department, Individual, or Individual's personal
representative.
8.9. The provisions of this section shall survive any termination or expiration of this Contract.
9. CONFLICTS OF INTEREST
9.1. Provider represents and warrants to DOC that neither the Provider, nor any of its affiliates
or authorized subcontractors, nor any of their employees, has, shall have, or shall:
9.1.1. Acquire, any contractual, financial, business or other interest, direct or indirect,
that would conflict in any manner or degree with Provider's performance of its
duties and responsibilities to DOC, or to individuals under the jurisdiction of DOC
or their friends and family under this Contract, or otherwise create an appearance
of impropriety with respect to this Contract.
9.1.2. Use the authority provided or to be provided under this Contract to improperly
obtain financial gain for Provider, any of its Affiliates, any of their employees, or
any member of the immediate family of any such employee.
9.1.3. Use any DOC Confidential Information acquired in connection with this Contract
to obtain financial gain for Provider, any of its Affiliates, any of their employees,
or any member of the immediate family of any such employee.
9.1.4. Accept anything of value based on an understanding that the actions of Provider,
any such Affiliates or any such employees on behalf of DOC would be influenced
thereby; and neither Provider nor any of its Affiliates shall attempt to influence
any DOC employee by the direct or indirect offer of anything of value.
9.1.5. Pay or agree to pay any person, other than bona fide employees working solely for
Provider or such Affiliates or any of Provider's subcontractors, any fee,
commission, percentage, brokerage fee, contingent fee, gift or any other
consideration, that is contingent upon or resulting from the award or execution of
this Contract. If Provider fails to comply with this Section, DOC shall have the
right to either cancel this Contract without liability to DOC or, in DOC's discretion,
recover from Provider the full amount of such commission, percentage, brokerage
fee, contingent fee, gift or other consideration.
9.2. Notwithstanding any determination by the Executive Ethics Board or other tribunal, the
Department may, in its sole discretion, by written notice to the Provider, terminate this
Contract if it is found after due notice and examination by the Contracts Administrator
that there is a violation of the Ethics in Public Service Act, Chapter 42.52 RCW; or any
similar statute involving the Provider in the procurement of or performance under this
Contract.
10. CONSTRUCTION
Nothing in this Contract shall be construed to create a right enforceable by or in favor of any third party.
Washington State K13553 Page 5 of 25
Department of Corrections Attachment A 24RAD
11. COPYRIGHT PROVISIONS
11.1. To the extent permitted by Title 17 of the United States Code, Provider's work product is
deemed a work for hire and all copyrights in such work product are the property of DOC.
In the event it is determined that any work product is not a work for hire under United
States law, Provider hereby assigns to DOC all copyrights to such works when and as
created.
11.2. The Department shall receive prompt written notice of each claim of infringement received
by the Provider with respect to any data delivered under this Contract. The Department
shall have the right to modify or remove any restrictive markings placed upon the data by
the Provider.
12. COVENANT AGAINST CONTINGENT FEES
12.1. The Provider warrants that no person or selling agency has been employed or retained to
solicit or secure this Contract upon an agreement or understanding for a commission,
percentage, brokerage, or contingent fee, excepting bona fide employees or bona fide
established agents maintained by the Provider for the purpose of securing business.
12.2. The Department shall have the right, in the event of breach of this clause by the Provider,
to annul this Contract without liability or, in its discretion, to deduct from the contract
price or consideration or recover by other means the full amount of such commission,
percentage, brokerage, or contingent fee. The provisions of this section shall survive any
termination or the expiration of this Contract.
13. DISALLOWED CHARGES/ DUPLICATE CHARGES/ OVERPAYMENT REFUNDS
13.1. MEDICAID. Provider is not allowed to charge Department for a Medicaid service. If
Department has erroneously paid for a Medicaid service charged by Provider, that
payment is considered an overpayment and shall be deducted from Provider's future
payments by Department.
13.2. EXCESS OR DUPLICATE CHARGES. Provider warrants that the cost charged for services under
the terms of this Contract are not in excess of the cost charged to other entities for the same
service(s) nor are they a duplicate payment. If the charges are determined to be in excess
of those costs charged to other entities or a duplicate charge, Department is entitled to an
overpayment refund for the excess or duplicate charges.
13.3. ERRONEOUS PAYMENTS OR OVERPAYMENTS. If Provider realizes DOC has paid any duplicate,
excess, or otherwise erroneous payment or overpayment, Provider will notify DOC
promptly. DOC might learn of an erroneous payment or overpayment from Provider, from
internal review of claims, or otherwise.
13.4. REFUND REQUESTS BY DEPARTMENT. DOC will request in writing that Provider refund the
amount of any erroneous payment or overpayment. If Provider does not make the refund
within thirty (30) days of that notification and does not contest it, DOC may deduct the
erroneous or overpaid amount from any payments otherwise due to Provider (whether in
Washington State K13553 Page 6 of 25
Department of Corrections Attachment A 24RAD
relation to the same Incarcerated Individual patient or not) and take such other action as it
may consider appropriate. In the event ProviderOne is utilized for billing and payment,
recoupment is accomplished through reprocessing the claim.
13.5. REFUND APPEAL PROCESS. If Provider does not agree with Department's determination that
an erroneous payment or overpayment has been made, Provider shall send a letter stating
why they disagree with the determination along with any supporting documentation to:
Health Services Contracts, Claims and Benefits Unit
PO Box 41107
Olympia, WA 98504
DOC will review the information provided and issue a decision.
13.6. TIME LIMITS FOR REFUND REQUESTS.
13.6.1. GENERAL. Requests for refunds must be made within twelve (12) months of the
erroneous payment or overpayment, except as provided in 14.6.2. below.
13.6.2. EXCEPTIONS. Refund requests may be made at any time under the following
circumstances:
a. FRAUD. The erroneous payment or overpayment occurred, in part, due to
fraud.
b. THIRD -PARTY. A third party has paid or will pay the same claim, and that
party will not pay the Department.
14. DISPUTES
The parties shall cooperate to resolve any dispute pertaining to this Contract efficiently, as timely as
practicable, and at the lowest possible level with authority to resolve such dispute. If, however, a dispute
persists and cannot be resolved, it may be escalated within each organization. In such situation, upon
notice by either party, each party, within five (5) business days shall reduce its description of the dispute
to writing and deliver it to the other party. The receiving party then shall have three (3) business days to
review and respond in writing. In the event that the parties cannot then agree on a resolution of the dispute,
the parties shall schedule a conference between the respective senior managers of each organization to
attempt to resolve the dispute. In the event the parties cannot agree, either party may resort to court to
resolve the dispute.
15. ELIGIBILITY FOR MEDICAL ASSISTANCE
Provider acknowledges that some Incarcerated Individuals provided services under this Contract may
meet eligibility requirements to receive services under the Department of Social and Health Services'
("DSHS") medical assistance programs as authorized under Section 1905 of Title XIX of the Social Security
Act and chapter 74.09 RCW. When the Incarcerated Individual's eligibility is certified by DSHS, a medical
coupon will be provided to the Provider. The Provider will bill and be reimbursed pursuant to chapter
74.09 RCW, in accordance with the rates and benefits established by DSHS. The Provider shall accept such
Washington State K13553 Page 7 of 25
Department of Corrections Attachment A 24RAD
reimbursement provided by DSHS as full compensation for services provided. No additional compensation
for services provided Incarcerated Individuals meeting eligibility requirements shall be sought from or
paid by the Incarcerated Individual or the DOC. Provider agrees that certification of DSHS eligibility or
Programs coverage will most likely exceed thirty days and therefore agrees that payment will be
considered timely when made by the Department within ninety (90) days from date of properly completed
invoice.
16. EQUALITY IN COMPENSATION
16.1. Provider must ensure that similarly employed individuals in its workforce are
compensated as equals, consistent with the following:
Employees are similarly employed if the individuals work for the same employer, the
performance of the job requires comparable skill, effort, and responsibility, and the jobs
are performed under similar working conditions. Job titles alone are not determinative of
whether employees are similarly employed.
Provider may allow differentials in compensation for its workers based in good faith on
any of the following:
16.1.1. A seniority system, a merit system, a system that measures earnings by quantity
or quality of production, a bona fide job -related factor or factors, or a bona fide
regional difference in compensation levels.
16.1.2. A bona fide job -related factor or factors may include, but not be limited to,
education, training, or experience, that is: consistent with business necessity, not
based on or derived from a gender -based differential, and accounts for the entire
differential.
16.1.3. A bona fide regional difference in compensation level must be: consistent with
business necessity, not based on or derived from a gender -based differential, and
account for the entire differential.
16.2. This Contract may be terminated if the Department or the Department of Enterprise
Services determines that Provider is not in compliance with this provision.
17. FEDERAL IMMIGRATION REFORM AND CONTROL ACT (IRCA)
During the performance of this Contract, the Provider shall comply with all requirements of the federal
Immigration Reform and Control Act (IRCA) and any regulations adopted by the Department of Justice
Bureau of Immigration and Naturalization Services to implement the IRCA. The provisions of this
paragraph shall be in addition to any other requirements set forth in the text of the Contract.
18. GOVERNING LAW
The Contract, and all the rights and duties of the parties arising from or relating in any way to the subject
matter of this Contract or the transaction(s) contemplated by it, shall be governed by, construed and
enforced only in accordance with the Laws of the State of Washington (excluding any conflict of laws
Washington State K13553 Page 8 of 25
Department of Corrections Attachment A 24RAD
provisions that would refer to and apply the substantive laws of another jurisdiction). Any claim against
DOC shall be initiated by Provider within one (1) year after the claim arises or be barred. Any suit or
proceeding relating to this Contract shall be brought only in the State courts located in Thurston County,
Washington. The parties each consent to the sole and exclusive personal jurisdiction and venue of the state
courts located in Thurston County, Washington.
19. HEALTH AND SAFETY
19.1. POLICIES, PROCEDURES, AND PROTOCOLS. For all work performed under this Contract, and
at all times while on Department premises, Provider shall abide by Department policies,
procedures, and protocols concerning health and safety on Department premises.
19.2. BLOODBORNE PATHOGENS. Provider shall ensure that all personnel assigned to Department
sites is trained in the requirements of Chapter 296-823 WAC, bloodborne pathogens.
Further, the Provider shall provide all such personnel with protections from blood borne
and other body fluid diseases that meet or exceed the WAC standards for such protection.
If Provider is a health care provider whose duties include the medical or physical care of
individuals or emergency or medical treatment of employees, Provider shall abide by the
requirements of Chapter 296-823 WAC as well as standard medical practice.
20. HIPAA COMPLIANCE AND RELEASE OF INCARCERATED INDIVIDUAL INFORMATION
20.1. While the Department's medical clinics are not HIPAA covered entities, provisions in
HIPAA authorize the exchange of Protected Health Information (PHI), without patient
consent, between Department and community healthcare providers.
"A covered health care provider may, without consent, use or disclose protected
Health information to carry out treatment, payment or health care operations if. .
. the covered health care provider created or received the protected health care
information in the course of providing health care to an individual who is an
inmate. " CFR § 164.506(2)(ii)
In addition, specific HIPAA provisions cover disclosure of protected health information to
correctional facilities without consent where a patient is under lawful custody. CFR §
164.512(k)(5).
"A covered entity may disclose to a correctional institution or a law enforcement
official having lawful custody of an inmate or other individual protected health
information about such inmate or individual, if the correctional institution or
such law enforcement official represents that such protected health information is
necessary for:
(A) The provision of health care to such individuals;
(B) The health and safety of such individuals or other inmates;
(C) The health and safety of the officers or employees or others at the
correctional institution;
(D) The health and safety of such individuals and officers or other persons
responsible for the transporting of inmates or their transfer from one
Washington State K13553 Page 9 of 25
Department of Corrections Attachment A 24RAD
21.
institution, facility, or setting to another;
(E) Law enforcement on the premises of the correctional institution; and
(F) The administration and maintenance of the safety, security, and good
order of the correctional institution.
A covered entity may reasonably rely on the representation of correctional officials that
protected health information is needed for the purposes described in CFR § 164.512(k).
CFR § 164.514(h).
20.2. To provide quality health care for Incarcerated Individuals who are patients and assure
continuity of care, community healthcare providers and Department staff must exchange
health care information. Department staff must make pertinent information from DOC
patient's health records available to community providers treating them. In turn,
community providers must give Department staff information necessary to support
discharge planning, follow-up care and treatment, and payment of claims for services
rendered. All of this information can be exchanged without patient consent under HIPAA
privacy rules and the Washington State Health Records Act.
20.3. Incarcerated Individuals are under the jurisdiction of the DOC, and access to Incarcerated
Individual patient records is limited to DOC medical staff, designated DOC personnel, or
another HIPAA covered entity for the purposes of continuity of care or continued
treatment. Incarcerated Individual medical record information is strictly prohibited from
transfer to "patient portals" or to family members of an Incarcerated Individual.
INDEMNIFICATION
21.1. To the fullest extent permitted by law, Provider shall indemnify, defend, and hold
harmless State, agencies of State and all officials, agents, and employees of State, from and
against all claims for injuries or death arising out of or resulting from the performance of
the Contract. "Claim" as used in this Contract, means any financial loss, claim, suit, action,
damage, or expense, including but not limited to attorney's fees, attributable for bodily
injury, sickness, disease, or death, or injury to or destruction of tangible property including
loss of use resulting therefrom.
21.2. Provider's obligation to indemnify, defend and hold harmless includes any claim by
Providers' agents, employees, representatives, or any subcontractor or its employees.
21.3. Provider expressly agrees to indemnify, defend, and hold harmless the State for any claim
arising out of or incident to Provider's or any subcontractor's performance or failure to
perform the Contract. Provider's obligation to indemnify, defend, and hold harmless the
State shall not be eliminated or reduced by any actual or alleged concurrent negligence of
State or its agents, agencies, employees, and officials.
21.4. Provider waives its immunity under Title 51 RCW to the extent it is required to indemnify,
defend, and hold harmless State and its agencies, officials, agents, or employees.
21.5. The provisions of this paragraph shall not apply to any act or omission by the Provider for
which the Department, in the text of this Contract, has agreed to defend and hold the
Washington State K13553 Page 10 of 25
Department of Corrections Attachment A 24RAD
Provider harmless. The provisions of this section shall survive any termination or the
expiration of this Contract.
22. INDUSTRIAL INSURANCE COVERAGE
Provider shall comply with the provisions of Title 51 RCW, Industrial Insurance. Department will not be
responsible for payment of industrial insurance premiums or for any other claim or benefit for Provider,
or any subcontractor, or employee of Provider, which might arise under these industrial insurance laws
during performance of duties and services under this Contract.
23. INFORMATION TECHNOLOGY ACCESSIBILITY COMPLIANCE
Provider hereby warrants that any technology provided under this Agreement currently complies, and will
continue to comply, with Washington State Office of Chief Information Officer ("OCIO") Policy 188
(http://ocio.wa.gov/policy/accessibility) and Minimum Accessibility Standard 188.10
(http://ocio.wa.gov/policy/minimum-accessibility-standard). Provider agrees to promptly respond to and
resolve any complaint brought to its attention regarding accessibility of its products or services. Provider
further agrees to indemnify and hold harmless the Washington State Department of Corrections from any
claim arising out of Provider's failure to comply with the aforesaid requirements.
24. INSURANCE
24.1. REQUIRED COVERAGES. At Provider's sole cost and expense, Provider shall procure and
maintain in effect from and after the Effective Date and for the duration of the Contract the
insurance coverages described in the attached Attachment AM. Insurance may be
maintained with one or more carriers, each of which must: (a) be authorized to do business
in the State of Washington or be eligible surplus lines insurers acceptable to DOC and
having agents in Washington upon which service of process may be made; and (b) have a
financial strength rating of A- or better and a financial size category of A-XIII or better,
each as reported in the most recent edition of Best's Insurance Reports (or any successor or
replacement rating agency). Any insurance or self-insurance available to DOC shall be in
excess of, and non-contributing with, any insurance that Provider is required to procure
and maintain. Provider hereby waives its right of subrogation with respect to DOC, and
each policy must include a waiver of subrogation in favor of DOC and the State. Provider's
insurance policies shall apply on a primary basis. To the extent that claims are paid under
any insurance coverage resulting in a reduction of the remaining coverage amounts,
Provider shall procure additional insurance as needed to continually meet and maintain
the coverage amounts set forth on Attachment A(1).
24.2. ADDITIONAL INSUREDS AND EVIDENCE OF COVERAGE. By endorsement to all liability
policies, except for the Professional Liability/Errors & Omissions and Cyber Liability
insurance and Industrial Insurance, DOC and the State shall be named as additional
insureds for all liability arising from this Contract. On or before the Effective Date,
thereafter upon each insurance policy renewal, and otherwise promptly following DOC's
request from time -to -time, Provider shall provide DOC Contract Manager with certificates
of insurance, together with copies of all applicable endorsements (by endorsement cross -
liability of all insureds), evidencing Provider's compliance with the requirements set forth
in this Contract. If at any time during the period when insurance is required by this
Washington State K13553 Page 11 of 25
Department of Corrections Attachment A 24RAD
Contract, an insurer fails to comply with the requirements of this Contract, as soon as
Provider has knowledge of any such failure, Provider shall immediately notify DOC and
immediately replace such insurance with insurance meeting this Contract requirements
set forth herein. Within ten (10) business days following Provider's receipt of DOC's
written request, Provider shall provide (or cause to be provided) to DOC a certified copy
of any insurance policies that are required under this Contract.
24.3. CLAIMS -MADE COVERAGE. If and to the extent any insurance coverage required under this
Contract is purchased on a "claims -made" basis, such insurance must: (a) cover the acts or
omissions of Provider and any subcontractors, as applicable, up through and including the
date that this Contract has terminated and any Transition Periods have expired; and (b) be
continuously maintained by Provider, with full prior acts coverage, for at least six (6) years
beyond the date that this Contract has terminated and any Transition Periods have
expired.
24.4. NOTICE OF CANCELLATION. Provider shall procure (or cause to be procured)
endorsement(s) to its insurance policies that identify DOC as a scheduled party to receive
written notice thirty (30) days in advance of the cancellation of any insurance required
hereunder.
24.5. SUBCONTRACTOR INSURANCE. If Provider elects to have an approved subcontractor provide
any Services to DOC, prior to providing any such Services, Provider must furnish to DOC
a certified copy of the applicable insurance policy or policies reflecting coverages of the
type and amount agreed upon by Provider and DOC. Additionally, if an approved
subcontractor provides Support and Maintenance Services, Provider's insurance policies
must specifically cover all of such subcontractor's Support and Maintenance Services, and
Provider must provide documentation from the applicable underwriter, acceptable to
DOC in its sole discretion, confirming such coverage.
25. LICENSING AND ACCREDITATION STANDARDS
The Provider shall comply with all applicable local, state, and federal licensing and accrediting standards,
required by law and necessary in the performance of this Contract.
26. LIMITATION OF CONTRACTING AUTHORITY
Only the Secretary, Secretary's designee, or Contracts Administrator shall have the express, implied, or
apparent authority to alter, amend, modify, or waive any clause or condition of this contract. Furthermore,
any alteration, amendment, modification, or waiver or any clause or condition of this contract is not
effective or binding unless made in writing and signed by the Secretary, Secretary's designee, or Contracts
Administrator.
27. MAINTENANCE OF RECORDS
27.1. The Provider shall maintain such records as required by the Provider's Healthcare
professional practices and as necessary to accurately reflect the treatment provided. These
records shall be subject at all reasonable times to inspection, review, or audit by personnel
duly authorized by the Department.
Washington State K13553 Page 12 of 25
Department of Corrections Attachment A 24RAD
27.2. During the term of this Contract and for six (6) years following its termination or
expiration, the Provider shall maintain, and provide, at no additional cost, DOC or its
designee, the Washington State Joint Legislative Audit and Review Committee, the Office
of the State Auditor, and federal and state officials so authorized by law, in order to
monitor and evaluate performance, compliance, and quality assurance under this contract,
with reasonable access to Provider's records sufficient to:
27.2.1. Document performance of all services required by this Contract; and
27.2.2. Substantiate the Provider's statement of its organization's structure, tax status,
capabilities, performance and principals; and
27.2.3. Demonstrate accounting procedures, practices, and records, which sufficiently
and properly document the Provider's invoices to DOC and all expenditures made
by the Provider to perform as required by this Contract.
27.3. If any litigation, claim, or audit is started before the expiration of the six (6) year period,
the records shall be retained until all litigation, claims, or audit findings involving the
records have been resolved.
27.4. Should an audit, conducted under the authority of this section, disclose that the Provider
has been paid by the Department in excess of the agreed upon costs (overpayment), or has
been reimbursed by the Department for direct or indirect costs which are disallowed as a
result of that audit, then, the Provider shall, upon demand by the Department, repay such
overpayment or reimbursement to the Department without requiring further legal action
by the Department.
27.5. Incarcerated Individuals are under the jurisdiction of the DOC, and access to Incarcerated
Individual patient information is limited to DOC medical staff, designated DOC personnel,
or another HIPAA covered entity for the purposes of continuity of care or continued
treatment. Third parties, including "patient portals" or family members of an Incarcerated
Individual, are strictly prohibited from accessing or sharing an Incarcerated Individual's
patient information.
27.6. The provisions of this section shall survive termination or expiration of this Contract.
28. NATIONAL PRACTITIONER DATA BANK (NPDB)
Within five (5) calendar days after Provider provides a Healthcare Practitioner to the Department, the
Healthcare Practitioner must furnish his or her social security number (SSN) to the Department, in a secure
manner prescribed by the Department, so that the Department can enroll the Healthcare Practitioner in the
NPDB, at no cost to the Healthcare Practitioner or the Provider. The Healthcare Practitioner must telephone
the Department at (360) 725-8715 or (360) 725-8718, Monday through Friday, between 7:30 a.m. and 5:00
p.m. (PST), to orally convey his or her SSN. Once enrolled, the Department will not retain a written copy
of the Provider's SSN.
Department will, on a continuous basis, monitor licenses of enrolled Healthcare Practitioner for adverse
findings. Department will thoroughly investigate any adverse findings reported by the NPDB after which
Washington State K13553 Page 13 of 25
Department of Corrections Attachment A 24RAD
action against the Healthcare Practitioner and/or Provider may be taken.
29. NATIONAL PROVIDER IDENTIFIER (NPI)
During the term of this Contract the Provider will provide to DOC a list by assigned National Provider
Identifiers of individual health care providers (Entity Type 1) and organizational health care providers
(Entity Type 2) providing services under this Contract. This list will be updated by Provider as necessary.
30. NO CONSTRUCTION AGAINST DRAFTER
The parties agree that any principle of construction or rule of Law that provides that an agreement shall
be construed against the drafter of the agreement in the event of any inconsistency or ambiguity in such
agreement shall not apply to the terms and conditions of this Contract.
31. NONDISCRIMINATION
31.1. During the term of this Contract, Contractor, including any subcontractor, shall not
discriminate on the bases enumerated at RCW 49.60.530(3). In addition, Contractor,
including any subcontractor, shall give written notice of this nondiscrimination
requirement to any labor organizations with which Contractor, or subcontractor, has a
collective bargaining or other agreement.
31.2. Contractor, including any subcontractor, shall cooperate and comply with any Washington
state agency investigation regarding any allegation that Contractor, including any
subcontractor, has engaged in discrimination prohibited by this Contract pursuant to RCW
49.60.530(3).
31.3. Notwithstanding any provision to the contrary, Agency may suspend Contractor,
including any subcontractor, upon notice of a failure to participate and cooperate with any
state agency investigation into alleged discrimination prohibited by this Contract,
pursuant to RCW 49.60.530(3). Any such suspension will remain in place until Agency
receives notification that Contractor, including any subcontractor, is cooperating with the
investigating state agency. In the event Contractor, or subcontractor, is determined to have
engaged in discrimination identified at RCW 49.60.530(3), Agency may terminate this
Contract in whole or in part, and Contractor, subcontractor, or both, may be referred for
debarment as provided in RCW 39.26.200. Contractor or subcontractor may be given a
reasonable time in which to cure this noncompliance, including implementing conditions
consistent with any court -ordered injunctive relief or settlement agreement.
31.4. Notwithstanding any provision to the contrary, in the event of Contract termination or
suspension for engaging in discrimination, Contractor, subcontractor, or both, shall be
liable for contract damages as authorized by law including, but not limited to, any cost
difference between the original contract and the replacement or cover contract and all
administrative costs directly related to the replacement contract, which damages are
distinct from any penalties imposed under Chapter 49.60, RCW. Agency shall have the
right to deduct from any monies due to Contractor or subcontractor, or that thereafter
become due, an amount for damages Contractor or subcontractor will owe Agency for
default under this provision.
Washington State K13553 Page 14 of 25
Department of Corrections Attachment A 24RAD
32. PRICING
32.1. In the event ProviderOne fee schedules are utilized for this contract, Department fee
schedules and reimbursement methodologies are applicable.
32.2. In the event unique pricing is based on mutual negotiation between Department and
Provider, the negotiated price is applicable.
33. PRISON RAPE ELIMINATION ACT OF 2003 (PREA)
The Department has zero tolerance for all forms of sexual abuse and sexual harassment of any
individual under Department jurisdiction. PREA requirements shall apply to any person having
contact with individuals under Department jurisdiction. This includes, but is not limited to,
contractors and contractor's owners, members, officers, directors, partners, employees, agents,
volunteers, and/or subcontractors. Additional information regarding PREA, including resources
such as policies, forms, reports, laws, and regulations, may be found at the following website
maintained by the Department: www.doc.wa.gov/corrections/prea/
34. PROVIDER REPRESENTATIONS AND WARRANTIES.
Provider makes each of the following representations and warranties as of the effective date of this Contract
and at the time of performance pursuant to this Contract. If, at any time during the performance of this
Contract, Provider cannot make such representations and warranties, Provider shall not perform and shall,
within' three (3) business days notify DOC, in writing, of such breach.
34.1. QUALIFIED TO DO BUSINESS. Provider represents and warrants that Provider is (a) in good
standing; (b) qualified to do business in the State of Washington; and (c) registered with
the Washington State Department of Revenue and the Washington Secretary of State.
34.2. TAXES. Provider represents and warrants that Provider is current, in full compliance, and
has paid all applicable taxes owed to the State of Washington.
34.3. LICENSES; CERTIFICATIONS; AUTHORIZATIONS; & APPROVALS. Provider represents and
warrants that Provider possesses and shall keep current during the term of this Contract
all required licenses, certifications, permits, authorizations, and approvals necessary for
Provider's proper performance of this Contract.
34.4. SUSPENSION & DEBARMENT. Provider represents and warrants that neither Provider nor its
principals or affiliates presently are nor have ever been debarred, suspended, proposed for
debarment, declared ineligible, or voluntarily excluded from participation in any
governmental contract by any governmental department or agency within the United
States.
34.5. WAGE VIOLATIONS. Provider represents and warrants that during the term of this Contract
and the three (3) year period immediately preceding the award of the Contract, Provider
has not been determined, by a final and binding citation and notice of assessment issued
by the Washington Department of Labor and Industries or through a civil judgement
Washington State K13553 Page 15 of 25
Department of Corrections Attachment A 24RAD
entered by a court of limited or general jurisdiction, to be in willful violation of any
provision of Washington state wage laws set forth in RCW 49.46, 49.48, or 49.52.
34.6. CIVIL RIGHTS. Provider represents and warrants that Provider complies with all applicable
requirements regarding civil rights. Such requirements prohibit discrimination against
individuals based on their status as protected veterans or individuals with disabilities, and
prohibit discrimination against all individuals based on their race, color, religion, sex,
sexual orientation, gender identity, or national origin.
34.7. EXECUTIVE ORDER 18-03 — WORKERS' RIGHTS. Provider represents and warrants that
Provider does NOT require its employees, as a condition of employment, to sign or agree
to mandatory individual arbitration clauses or class or collective action waivers. Provider
further represents and warrants that, during the term of this Contract, Provider shall not,
as a condition of employment, require its employees to sign or agree to mandatory
individual arbitration clauses or class or collective action waivers.
34.8. WASHINGTON SMALL BUSINESS. If Contract was awarded to Provider based on Provider's
small business status, then Provider represents and warrants that Provider qualifies as a
Washington Small Business as defined in RCW 39.26.010.
34.9. CERTIFIED VETERAN -OWNED BUSINESS. If Contract was awarded to Provider based on
Provider's veteran -owned status, then Provider represents and warrants that Provider
qualifies as a Certified Veteran -Owned Business as defined and set for in Provider's
Bidder's Certification.
34.10. PUBLIC CONTRACTS AND PROCUREMENT FRAUD. Provider represents and warrants that,
within the three (3) year period prior to this Contract, neither Provider nor its principals
or affiliates: (a) have been convicted of or had a civil judgment rendered against them for
commission of fraud or a criminal offence in connection with obtaining, attempting to
obtain, or performing a public (federal, state or local) contract or Purchase Order under a
public contract; (b) have been in violation of federal or state antitrust statutes or
commission of embezzlement, theft, forgery, bribery, falsification or destruction of records,
making false statements or receiving stolen property; (c) are presently indicted for or
otherwise criminally or civilly charged by a government entity (federal, state or local) with
commission of any of the offense enumerated in subsection (b) of this provision; or (d) had
one or more public contracts (federal, state or local) terminated for cause or default.
34.11. PROCUREMENT ETHICS & PROHIBITION ON GIFTS. Provider represents and warrants that
Provider complies fully with all applicable procurement ethics restrictions of RCW
42.52.150 including, but not limited to, restrictions against Provider providing gifts or
anything of economic value, directly or indirectly, to DOC employees.
34.12. WASHINGTON's ELECTRONIC BUSINESS SOLUTION (WEBS). Provider represents and warrants
that Provider is registered in Washington's Electronic Business Solution (WEBS),
Washington's contract registration system and that, all of Provider's information therein
is current and accurate and that throughout the term of this Contract, Provider shall
maintain an accurate profile in WEBS.
Washington State K13553 Page 16 of 25
Department of Corrections Attachment A 24RAD
34.13. WASHINGTON" S STATEWIDE PAYEE DESK. Provider represents and warrants that Provider is
registered with Washington's Statewide Payee Desk, which registration is a condition to
payment.
34.14. ADVERTISING AND ENDORSEMENT. Provider understands and acknowledges that neither
DOC nor the State of Washington are endorsing Provider's Goods and/or Services or
suggesting that such Goods and/or Services are the best or only solution to their needs.
Accordingly, Provider further represents and warrants that Provider shall make no
reference to DOC or the State of Washington in any promotional material without the prior
written consent of DOC.
34.15. CONTINGENT FEES. Provider represents and warrants that no person or selling agent has
been employed or retained to solicit or secure this Contract upon an agreement or
understanding for a commission, percentage, brokerage, or contingent fee, excepting bona
fide employees or bona fide established agents as defined in the Federal Acquisition
Regulations.
34.16. FINANCIALLY SOLVENT. Provider represents and warrants that Provider has not
commenced bankruptcy proceedings and that there are no judgment, liens, or
encumbrances of any kind affecting title to any Goods and/or Services that are the subject
of this Contract.
34.17. OPERATIONAL CAPABILITY. Provider represents and warrants that Provider has the
operational and financial capability to perform the Contract.
35. PUBLIC RECORDS ACT
35.1. This Contract and all records associated with the performance of this Contract shall be
available from the Department for inspection and copying by the public when required by
the Public Records Act, Chapter 42.56 RCW (the "Act").
35.2. If records in the custody of the Provider are needed by the Department to respond to a
request under the Act, as determined by the Department, the Provider agrees to make them
promptly available to the Department. Upon request by the Department, the Provider
further agrees to provide a detailed index of records associated with its performance of the
contract. This index will allow for more efficient and accurate identification of potentially
responsive records.
35.3. If the Provider considers any portion of any record associated with the Provider's
performance under this Contract to be protected from disclosure under law, the Provider
shall clearly identify the specific information that it claims to be confidential or proprietary
when the records are provided to the Department in response to a public records request.
The Department retains sole discretion in the appropriateness and application of
withholdings and redactions on all records.
35.4. If the Department receives a request under the Act to inspect or copy information
identified by the Provider as confidential or proprietary and the Department determines
that release of the information is required by the Act or otherwise is appropriate, the
Washington State K13553 Page 17 of 25
Department of Corrections Attachment A 24RAD
Department's sole obligation shall be to notify the Provider (a) of the request and (b) of the
date that such information will be released to the requester unless the Provider obtains a
court order to enjoin that disclosure pursuant to RCW 42.56.540. If the Provider fails to
timely obtain a court order enjoining disclosure, the Department will release the requested
information on the date specified with whatever withholdings and redactions it deems
proper.
35.5. The Department is not obligated to claim any exemption from disclosure under the Act on
behalf of the Provider. The Department shall not be liable to the Provider for releasing
records not clearly identified by the Provider as confidential or proprietary. The
Department shall not be liable to the Provider for releasing any records in compliance with
this section, in compliance with the Act, or in compliance with an order of a court of
competent jurisdiction.
36. PUBLICITY
The Provider agrees to submit to Department all advertising and publicity matters relating to this Contract
wherein Department's name is mentioned or language used from which the connection of Department's
name may, in the Department's judgment, be inferred or implied. Provider agrees not to publish or use
such advertising and publicity matters without the prior written consent of Department.
37. REGISTRATION WITH DEPARTMENT OF REVENUE
The Provider shall complete registration with the Washington State Department of Revenue and be
responsible for payment of all taxes due on payments made under this Contract.
38. REGISTRATION WITH PROVIDERONE
In the event ProviderOne is utilized for this contract, the Provider shall complete enrollment at
https://www.hca.wa. gov/billers-providers-partners/apple-health-medicaid-providers/enroll-provider.
Provider is responsible for any costs, including registration fees, associated with ProviderOne enrollment.
39. RETIREMENT BENEFIT SUSPENSION — PUBLIC EMPLOYEES RETIREMENT SYSTEM
(PERS)
39.1. The Provider certifies by signing this Contract that that the Provider, or any employee,
agent, subcontractor working under this contract is not a Public Employee Retirement
System (PERS) retiree who retired early under the Public Employees Retirement System
(PERS) RCW 41.40.630(3); and if it is found that the retiree did retire early under the PERS,
the retiree's retirement benefits may be suspended for the duration of this Contract.
39.2. Further, if a person working under this contract is a PERS retiree, the Provider agrees to
notify the Department of Retirement Systems (DRS), regarding the execution of this
Contract, failure to do so is considered a material breach and may subject the Provider to
damages. In addition, the Provider certifies that the retiree does not have a beneficial
interest in this Contract as defined in the Executive Ethics Board's Advisory Opinion 97-
07.
Washington State K13553 Page 18 of 25
Department of Corrections Attachment A 24RAD
40. RIGHTS AND REMEDIES
The rights and remedies of the Department provided in this Contract shall not be exclusive and are in
addition to any other rights and remedies provided by law.
41. SITE SECURITY
For all work performed under this Contract, and at all times while on Department premises, Provider shall
comply with Department policies, procedures, and security requirements related to the custody of
Individuals and the safe and secure operation of the facility. Such policies, procedures, and requirements
include, but are not limited to, background checks, fingerprinting, photographs for identification purposes,
and searches of person and property.
42. SUBCONTRACTING
42.1. Neither the Provider nor any Subcontractor shall enter into subcontracts for any of the
work contemplated under this Contract without first obtaining the written approval of the
Contracts Administrator. If the Department approves subcontracting, the Provider shall
maintain written procedures related to subcontracting, as well as copies of all subcontracts
and records related to subcontracts. For cause, the Department in writing may:
42.1.1. Require the Provider to amend its subcontracting procedures as they relate to this
Contract;
42.1.2. Prohibit the Provider from subcontracting with a particular person or entity; or
42.1.3. Require the Provider to rescind or amend a subcontract.
42.2. In no event shall the existence of any subcontract operate to release or reduce the liability
of the Provider to the Department for any breach in the performance of the Provider's
duties. Additionally, the Provider is responsible for ensuring that all terms, conditions,
assurances, and certifications set forth in this Contract are carried forward to any
subcontracts.
42.3. Provider shall submit reports in a form, system, or format to be provided by the
Department, at reasonable intervals prescribed by the Department, regarding work under
this Contract performed by Subcontractors and the portion of contract funds expended for
work performed by Subcontractors, including, but not limited to, diverse businesses.
43. SUBCONTRACTOR PAYMENTS REPORTING
43.1. If Provider utilizes subcontractors in the performance of this Contract, then this Contract
is subject to compliance tracking using the State's business diversity management system,
Access Equity (B2Gnow). Access Equity is web -based and can be accessed at the Office of
Minority and Women's Business Enterprises at https://omwbe.diversitycompliance.com/.
Provider and all Subcontractors shall report and confirm receipt of payments received by
the Provider and made to each Subcontractor through Access Equity. The Provider may
Washington State K13553 Page 19 of 25
Department of Corrections Attachment A 24RAD
contact docclacontracts@docl.wa.gov for technical assistance in using the Access Equity
system. DOC reserves the right to withhold payments from the Provider for non-
compliance with this section. For purposes of this section, Subcontractor means any
subcontractor working on the Contract, at any tier, and regardless of status as certified
women or minority owned business entity (WMBE) or Non-WMBE.
43.2. The Provider shall:
43.2.1. Register and enter all required Subcontractor information into Access Equity no
later than 15 days after DOC creates the Contract Record.
43.2.2. Complete the required Contract Compliance Training (two (2) one -hour online
sessions) no later than 20 days after the parties execute this contract. The training
may be found at: his://omwbe.diversitycompliance.com/.
43.2.3. Report the amount and date of all payments received from DOC, and paid to
Subcontractors, no later than 10 days from issuance of each payment from DOC to
the Provider, unless otherwise specified in writing by DOC, except that the
Provider shall mark as "Final" and report the final Subcontractor payment(s) into
Access Equity no later than thirty (30) days after the final payment is due the
Subcontractors) under the Contract, with all payment information entered no
later than sixty (60) days after June 30th (end of fiscal year) of the year received
from DOC.
43.2.4. Monitor contract payments and respond promptly to any requests or instructions
from DOC or system -generated messages to check or provide information in
Access Equity.
43.2.5. Coordinate with Subcontractors, or DOC when necessary, to resolve promptly any
discrepancies between reported and received payments.
43.2.6. Respond to reasonable requests from DOC for additional information to be
provided electronically through Access Equity.
43.2.7. Require each Subcontractor to: (i) register in Access Equity and complete the
required user training; (ii) verify the amount and date of receipt of each payment
from the Provider or a higher tier Subcontractor, if applicable, through Access
Equity; (iii) report payments made to any lower tier Subcontractors, if any, in the
same manner as specified herein; (iv) respond promptly to any requests or
instructions from the Provider or system -generated messages to check or provide
information in Access Equity; and (v) coordinate with Provider, or DOC when
necessary, to resolve promptly any discrepancies between reported and received
payments.
43.3. Utilization of Small and Diverse Businesses
This contract contains an aspirational 5% Small and Diverse Business Goal, involving any
of the following categories of businesses:
• OMWBE certified businesses
• Veteran Owned Businesses (VOB)
• Small, Mini or Micro businesses (Small Businesses)
Washington State K13553 Page 20 of 25
Department of Corrections Attachment A 24RAD
Provider is expected to make genuine efforts to meet or exceed the above aspirational goals
in this contract. Provider may count their own participation and any participation from
subcontractors towards aspirational goals on this contract.
44. TAXES
All payments accrued on account of payroll taxes, unemployment contributions, any other taxes, insurance,
or other expenses for the Provider or the Provider's staff shall be the sole responsibility of the Provider.
45. TB TESTING
The Provider must, at his/her expense, provide evidence of a negative TB test within the past year, or
documentation of clearance from an appropriate healthcare provider if Provider has a history of a positive
test within the last year, prior to treating Incarcerated Individuals and shall provide evidence of a negative
test result annually thereafter.
46. TERMINATION
46.1. BY PROVIDER. The Provider may terminate this Contract by giving the Department
written notice of such termination. No such termination shall be effective until sixty (60)
days after the Department has received the Provider's written notice of termination, or
until such later date as established by the Provider in the Provider's written notice of
termination. Provider shall mail or deliver the Provider's written notice of termination to
the Contracts Administrator. If the Provider terminates the Contract, the Department shall
be liable only for payment in accordance with the terms of this Contract for services
rendered prior to the effective date of termination.
46.2. BY DEPARTMENT FOR CAUSE. The Secretary may, by written notice, terminate this
Contract in whole or in part, for failure of the Provider to perform any of the Contract
provisions. In such event, the Provider shall be liable for damages as authorized by law,
including, but not limited to, any cost difference between the original Contract and the
replacement or cover Contract and all administrative costs directly related to the
replacement Contract, i.e., cost of the competitive bidding, mailing, advertising, and staff
time. If it is determined for any reason that the Provider was not in default or that the
default was beyond Provider's or Subcontractor's control, fault or negligence, then the
Termination for Default shall convert to Termination for Convenience.
In the alternative, the Department upon written notice may allow the Provider a specific
period of time in which to correct the non-compliance. During the corrective -action time
period, the Department may suspend further payment to the Provider in whole or in part,
or may restrict the Provider's right to perform duties under this Contract. Failure by the
Provider to take timely corrective action shall allow the Department to terminate the
Contract.
46.3. BY DEPARTMENT FOR CONVENIENCE. The Secretary or designee may terminate this
Contract, in whole or in part, when it is in the best interests of the Department. The
Department shall give the Provider written notice of termination at least five (5) days in
advance of the effective termination date. When a contract is terminated for convenience,
Washington State K13553 Page 21 of 25
Department of Corrections Attachment A 24RAD
the Department shall only pay, in accordance with the terms of this Contract, for services
rendered prior to the effective date of termination.
46.4. BY DEPARTMENT FOR NON -AVAILABILITY OF FUNDS. If the funds the Department
relied upon to establish this Contract are withdrawn or reduced, or if new or modified
conditions are placed on such funds, the Secretary may terminate this Contract
immediately. If this Contract is so terminated, the Department shall be liable only for
payment in accordance with the terms of this Contract for services rendered prior to the
effective date of termination.
46.5. IMMEDIATE TERMINATION IN GENERAL. This subsection controls if it conflicts with
subsection 39.2. Department may terminate this Agreement immediately and without
advance notice if it determines that:
46.5.1. The practices of the Provider or any practitioner pose an immediate danger to the
health or safety of Incarcerated Individuals; or
46.5.2. The Provider or any practitioner is arrested for, charged with, or indicted for any
felony; or
46.5.3. The license, certification, or registration of the Provider or practitioner to practice
in any jurisdiction is revoked, suspended, limited, or put on probation; or
46.5.4. Reduction of allotments by the Governor pursuant to 43.88.110(20) RCW; or
46.5.5. Reduction by the Legislature of appropriated funds; or
46.5.6. When, in the opinion of the Secretary, continuing the agreement would seriously
disrupt or prevent substantial performance of the operations or activities of the
Department.
47. TERMINATION PROCEDURES
47.1. Upon termination of this contract the Department shall pay to the Provider the agreed
upon price, if separately stated, for completed work and services accepted by the
Department, and the amount agreed upon by the Provider and the Department for:
47.1.1. Completed work and services for which no separate price is stated;
47.1.2. Partially completed work and services;
47.1.3. Other property or services that are accepted by the Department; and
47.1.4. The protection and preservation of property, unless the termination is for default,
in which case the Contracts Administrator shall determine the extent of the
liability of the Department. Failure to agree with such determination shall be a
dispute within the meaning of the "Disputes" clause of this contract. The
Department may withhold from any amounts due the Provider such sum as the
Washington State K13553 Page 22 of 25
Department of Corrections Attachment A 24RAD
Contracts Administrator determines to be necessary to protect the Department
against potential loss or liability.
47.2. The rights and remedies of the Department provided in this "Termination Procedures"
provision shall not be exclusive and are in addition to any other rights and remedies
provided by law or under this Contract. After receipt of a notice of termination, and except
as otherwise directed by the Notice, the Provider shall:
47.2.1. Stop work under the contract on the date, and to the extent specified, in the notice;
47.2.2. Place no further orders or subcontracts for materials, services, or facilities except
as may be necessary for completion of such portion of the work under the contract
that is not terminated;
47.2.3. Assign to the Department, in the manner, at the times, and to the extent directed
by the Department, all of the rights, title, and interest of the Provider under the
orders and subcontracts so terminated, in which case the Department has the right,
at its discretion, to settle or pay any or all claims arising out of the termination of
such orders and subcontracts;
47.2.4. Settle all outstanding liabilities and all claims arising out of such termination of
orders and subcontracts, with the approval or ratification of the Department to the
extent Department may require, which approval or ratification shall be final for all
the purposes of this clause;
47.2.5. Transfer title to the Department and deliver in the manner, at the times, and to the
extent directed by the Department any property which, if the contract had been
completed, would have been required to be furnished to the Department;
47.2.6. Complete performance of such part of the work as shall not have been terminated
by the Department; and
47.2.7. Take such action as may be necessary, or as the Department may direct, for the
protection and preservation of the property related to this Contract, which is in
the possession of the Provider and in which the Department has or may acquire
an interest.
48. THIRD -PARTY BENEFICIARIES
The Contract entered into between the Parties is for the sole benefit of the Parties hereto and their respective
successors and assigns and nothing herein, express or implied, is intended to or shall confer on any other
person or entity any legal or equitable right, benefit, or remedy of any nature under or by reason of this
Contract.
49. TREATMENT OF PROPERTY
49.1. The Department, in addition to any other rights provided in this Contract, may require the
Provider to deliver to the Department any property specifically produced or acquired for
Washington State K13553 Page 23 of 25
Department of Corrections Attachment A 24RAD
the performance of such part of this Contract as has been terminated. In all such cases, this
"Treatment of Property" provision shall apply.
49.2. Title to all property furnished by the Department shall remain in the Department. Title to
all property furnished by the Provider, for the cost of which the Provider is entitled to be
reimbursed as a direct item of cost under this Contract, shall pass to and vest in the
Department upon delivery of such property by the Provider. Title to other property, the
cost of which is reimbursable to the Provider under this Contract, shall pass to and vest in
the Department upon i) issuance for use of such property in the performance of this
Contract, or ii) commencement of use of such property in the performance of this Contract,
or iii) reimbursement of the cost thereof by the Department in whole or in part, whichever
first occurs.
49.3. Any property of the Department furnished to the Provider shall, unless otherwise
provided herein or approved by the Department, be used only for the performance of this
Contract.
49.4. The Provider shall be responsible for any loss or damage to Department property that
results from the negligence of the Provider or the failure of the Provider to maintain and
administer that property in accordance with sound management practices.
49.5. If any Department property is lost, destroyed or damaged, the Provider shall immediately
notify the Department and shall take all reasonable steps to protect the property from
further damage.
49.6. The Provider shall surrender all Department property to the Department prior to
settlement upon completion, termination, or cancellation of this Contract.
49.7. All equipment purchased by the Provider for the Provider's use under the terms of this
Contract, that as defined in this Contract provision, is actually owned by the Department,
shall be shipped or delivered to the institution/location designated by the Contract
Manager for tagging and entry into DOC's Capital Asset Management System (CAMS)
before distribution to the Provider for use.
50. UTILIZATION OF MINORITY -OWNED AND WOMEN -OWNED BUSINESSES
50.1. During the performance of this Contract, the Provider shall comply with Chapter 39.19
RCW, as now existing or hereafter amended, any rule adopted under Chapter 39.19 by
OMWBE and/or any policy or regulation adopted by the Department to effect agency
compliance with Chapter 39.19 RCW.
50.2. If the Provider fails to comply with any contract requirements relative to the utilization of
minority and/or women -owned businesses, the Department may take any or all such
actions available to the Department under Chapter 39.19 RCW.
50.3. If the Provider prevents or interferes with any Subcontractor's compliance with Chapter
39.19 RCW or submits false or fraudulent information to the Department regarding
Washington State K13553 Page 24 of 25
Department of Corrections Attachment A 24RAD
compliance, the Provider shall be subject to a fine not to exceed one thousand dollars
($1,000) in addition to any other penalties or sanctions prescribed by law.
51. WAIVER
No delay or omission by a party to exercise any right occurring upon any non-compliance or default by the
other party with respect to any of the terms of this Contract shall impair any such right or power or be
construed to be a waiver thereof. A waiver by any of the parties of any of the covenants, conditions, or
agreements to be performed by the other shall not be construed to be a waiver of any succeeding breach
thereof or of any covenant, condition or agreement herein contained.
52. RECAPTURE OF FUNDS
52.1. In the event that the Provider fails to perform this Contract in accordance with state laws
and/or the provisions of this Contract, the Department reserves the right to recapture funds
in an amount to compensate the Department for the noncompliance in addition to any
other remedies available at law or in equity.
52.2. Repayment by the Provider of funds under this recapture provision shall occur within the
time period specified by the Department. In the alternative, the Department may recapture
such funds from payments due under this Contract.
52.3. Such right of recapture shall exist for a period not to exceed six (6) years following Contract
termination. In the event that the Department is required to institute legal proceedings to
enforce the recapture provision, the Department shall be entitled to its costs thereof,
including attorneys' fees.
Washington State K13553 Page 25 of 25
Department of Corrections Attachment A 24RAD
ATTACHMENT A(1)
REQUIRED INSURANCE COVERAGES
Required
Type
of Annual
Coverage•Aggregate
YES
Commercial The policy must include a waiver of subrogation in
$1,000,000 $2,000,000
General Liability favor of DOC.
Professional
YES
Liability/Errors &
$2,000,000
$2,000,000
The policy must include a waiver of subrogation in
Omissions
favor of DOC.
The policy shall be written to meet the statutory
requirements for the state in which the work is to be
Industrial
performed, including occupational disease. The
YES
Insurance
Per state law
Per state law
policy must include a waiver of subrogation in
(Workers
requirements
requirements
favor of DOC. The policy shall cover all Provider's
Compensation)
employees, including as may be required of an
"employer" as defined in Title 51 RCW, and shall be
in full compliance with Title 51 RCW.
Each Accident:
$1,000,000
Employer's
• Disease, Each
YES
Liability
Employee:
N/A
$1,000,000
• Disease, Policy
Limit: $1,000,000
For Industrial Insurance, Employer's Liability,
YES
Umbrella or
$2,000,000
$2,000,000
Commercial General Liability and Business
Excess Liability
Automobile Liability coverages. The policy must
include a waiver of subrogation in favor of DOC.
YES
Business
Automobile
$1,000,000
$2,000,000
The policy must include a waiver of subrogation in
Liability
favor of DOC.
Coverage shall be sufficiently broad to respond to
the duties and obligations as is undertaken by
Provider in this agreement and shall include, but
not be limited to, claims involving infringement of
intellectual property, including but not limited to
infringement of copyright, trademark, trade dress,
invasion of privacy violations, information theft,
YES
Cyber Liability
$2,000,000
$2,000,000
damage to or destruction of electronic information,
release of private information, alteration of
electronic information, extortion and network
security. The policy shall provide coverage for
breach response costs as well as regulatory fines
and penalties as well as credit monitoring expenses
with limits sufficient to respond to these
obligations. The policy must include a waiver of
subrogation. in favor of DOC.
The Policy shall include, or be endorsed to include,
Technology
property damage liability coverage for damage to,
YES
Professional
$2,000,000
$2,000,000
alteration of, loss of, or destruction of electronic
Liability
data and/or information "property" of the Agency
in the care, custody, or control of the Provider.
Washington State K13553 Page 1 of 2
Department of Corrections Attachment A(1) 24RAD
ATTACHMENT AM
REQUIRED INSURANCE COVERAGES
Washington State K13553 Page 2 of 2
Department of Corrections Attachment A(1) 24RAD
ATTACHMENT B
SCOPE OF WORK
This contractual agreement between Department and Contractor is entered into for the provision of
substance abuse disorder treatment services. Contractor will provide DOSA Assessments to individuals
referred by the Department ("Clients"). All DOSA Assessments provided will be consistent with all
applicable legal and regulatory standards.
DOSA ASSESSMENTS:
Referrals for DOSA Assessments will be submitted by the court and dispatched by DOC. Department staff
will forward the court order to the Contractor based on geographic location.
Upon receipt of the court order, Contractor will complete a Substance Use Disorder Assessment, Drug
Offender Sentencing Alternative Examination Report (DOC Form 14-179), and Substance Use Disorder
Compound Release of Confidential Information (DOC Form 14-172) as per WAC 388-805 and RCW
9.94A.660.
These completed forms shall be provided to the sentencing court, prosecutor, defense attorney and
Department designated review staff within ten (10) business days of receipt of a valid court ordered request
for a DOSA Assessment. Copies of these same documents and court order shall be sent to the DOC Records
Coordinator at DOC Headquarters and the Department's contracted residential provider within the same
timeframe.
All required DOC forms are available at the following DOC website and/or upon request:
httl2s:lldoc.wa.gov/information/`records/forms.htm
DEPARTMENT RESPONSIBILITIES
A. STANDARDS
DOC may review quality of programming by conducting site visits and apply quality assurance
standards providing feedback to the contractor.
B. DOSA ASSESSMENT
The Department's Division of Offender Change, through the Substance Abuse Administrator, shall
define the parameters of the DOSA Assessment services to be delivered and the nature and scope
of the duties to be performed by the Contractor or any sub -contractor, as allowed in this contract.
CONTRACTOR RESPONSIBILITIES
A. STAFF CREDENTIALS AND CURRICULUM
By executing this agreement, the Contractor agrees to ensure their staff has appropriate and current
credentials and are oriented and trained on the assessments and curriculum prior to service
delivery.
B. PERFORMANCE STANDARDS
1. Ensures all Contractor's staff receive a Background Check and meet the RCW and WAC
Training requirements.
Washington State K13553 Page 1 of 2
Department of Corrections Attachment B 24RAD
2. Gives PREA/Sexual Misconduct training to their staff who have access to clients under the
Department's supervision.
3. Ensures client assessment, admission, treatment activities and discharge data are reflected, as
specified by the Department.
4. Provides documentation regarding the timely resolution of any Department audit or quality
assurance findings.
5. Return action plan for resolution of the audit finding with the proposed dates of completion
within one (1) week of receipt of the Department's audit.
C. SERVICE DELIVERY
1. Ensure all forms required for a DOSA Assessment are complete. This includes ensuring that
the Client signs all necessary forms related to consent and release for medical information prior
to admitting Client into treatment. If Client fails to sign a necessary form, the Contractor will
notify the DOC Clinical Supervisor and DOC Community Corrections Officers as soon as
possible but no later than 72 hours after Client's refusal.
2. At the time of intake, the Contractor will obtain a Release of Information ("ROI") to the DOC.
Additionally, Clients shall also sign a ROI to the sentencing court.
3. Ensure that all substance abuse treatment and other services delivered are consistent with
WAC 388-805 and the Department's direction.
4. Cooperate in any research and/or program evaluation projects/studies initiated by the
Department to support ongoing treatment program improvement.
D. NON-COMPLIANCE REPORTING REQUIREMENTS
Contractor shall report to the DOC supervising CCO via telephone not more than 24 hours from
obtaining information of any of the following:
• Client has any absence or any failure to report
• Client fails to maintain abstinence
• Client reports any new arrest
• Client leaves the program against program advice or is discharged for any rule violation
• Client fails to make acceptable progress in any part of the treatment plan
JOINT RESPONSIBILITIES
A. CLIENT INFORMATION
Contractor may request Client's most recent substance use disorder assessment and discharge
summary from the DOC Records Coordinator. The Contractor will need to provide Client's full
name, DOC# or date of birth, a mailing address, and a properly signed consent for disclosure. No
assessments will be sent via fax. Please allow at least 24 hours for a response. If records exist,
Contractor will be notified upon receipt and again when the records are mailed to Contractor. If
there are no records for Client, Contractor will receive an e mail from the Substance Abuse Records
unit notifying you of this.
Washington State K13553 Page 2 of 2
Department of Corrections Attachment B 24RAD
ATTACHMENT C
BUSINESS ASSOCIATE AGREEMENT
Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA.
1. Definitions.
a. "Business Associate," as used in this Contract, means the "Contractor" and generally has the
same meaning as the term "business associate" at 45 CFR 160.103. Any reference to Business
Associate in this Contract includes Business Associate's employees, agents, officers,
Subcontractors, third party contractors, volunteers, or directors.
b. "Business Associate Agreement" means this HIPAA Compliance section of the Contract and
includes the Business Associate provisions required by the U.S. Department of Health and
Human Services, Office for Civil Rights.
C. "Breach" means the acquisition, access, use, or disclosure of Protected Health Information in a
manner not permitted under the HIPAA Privacy Rule which compromises the security or
privacy of the Protected Health Information, with the exclusions and exceptions listed in 45
CFR 164.402.
d. "Covered Entity" means DOC, a Covered Entity as defined at 45 CFR 160.103, in its conduct of
covered functions by its health care components.
e. "Designated Record Set" means a group of records maintained by or for a Covered Entity, that
is: the medical and billing records about Individuals maintained by or for a covered health care
provider; the enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or Used in whole or part by or for the
Covered Entity to make decisions about Individuals.
f . "Electronic Protected Health Information (EPHI)" means Protected Health Information that is
transmitted by electronic media or maintained in any medium described in the definition of
electronic media at 45 CFR 160.103.
g. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-
191, as modified by the American Recovery and Reinvestment Act of 2009 ("ARRA"), Sec.
13400—13424, H.R. 1 (2009) (HITECH Act).
h. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45
CFR Parts 160 and Part 164.
i. "Individual(s)" means the person(s) who is the subject of PHI and includes a person who
qualifies as a personal representative in accordance with 45 CFR 164.502(g).
State of Washington K13553 Page 1 of 7
Department of Corrections Attachment C 24RAD
j. "Minimum Necessary" means the least amount of PHI necessary to accomplish the purpose
for which the PHI is needed.
k. "Protected Health Information (PHI)" means individually identifiable health information
created, received, maintained or transmitted by Business Associate on behalf of a health care
component of the Covered Entity that relates to the provision of health care to an Individual;
the past, present, or future physical or mental health or condition of an Individual; or the past,
present, or future payment for provision of health care to an Individual. 45 CFR 160.103. PHI
includes demographic information that identifies the Individual or about which there is
reasonable basis to believe can be used to identify the Individual. 45 CFR 160.103. PHI is
information transmitted or held in any form or medium and includes EPHI. 45 CFR 160.103.
PHI does not include education records covered by the Family Educational Rights and Privacy
Act, as amended, 20 USCA 1232g(a)(4)(B)(iv) or employment records held by a Covered Entity
in its role as employer.
1. "Security Incident" means the attempted or successful unauthorized access, use, disclosure,
modification or destruction of information or interference with system operations in an
information system.
In. "Subcontractor" as used in this HIPAA Compliance section of the Contract (in addition to its
definition in the General Terms and Conditions) means a Business Associate that creates,
receives, maintains, or transmits Protected Health Information on behalf of another Business
Associate.
n. "Use" includes the sharing, employment, application, utilization, examination, or analysis, of
PHI within an entity that maintains such information.
2. Compliance. Business Associate shall perform all Contract duties, activities and tasks in
compliance with HIPAA, the HIPAA Rules, and all attendant regulations as promulgated by the
U.S. Department of Health and Human Services, Office of Civil Rights.
3. Use and Disclosure of PHI. Business Associate is limited to the following permitted and required
uses or disclosures of PHI:
a. Duty to Protect PHI. Business Associate shall protect PHI from, and shalt use appropriate
safeguards, and comply with Subpart C of 45 CFR Part 164 (Security Standards for the
Protection of Electronic Protected Health Information) with respect to EPHI, to prevent the
unauthorized Use or disclosure of PHI other than as provided for in this Contract or as
required by law, for as long as the PHI is within its possession and control, even after the
termination or expiration of this Contract.
b. Minimum Necessary Standard. Business Associate shall apply the HIPAA Minimum
Necessary standard to any Use or disclosure of PHI necessary to achieve the purposes of this
Contract. See 45 CFR 164.514 (d)(2) through (d)(5).
State of Washington K13553 Page 2 of 7
Department of Corrections Attachment C 24RAD
c. Disclosure as Part of the Provision of Services. Business Associate shall only Use or disclose
PHI as necessary to perform the services specified in this Contract or as required by law, and
shall not Use or disclose such PHI in any manner that would violate Subpart E of 45 CFR Part
164 (Privacy of Individually Identifiable Health Information) if done by Covered Entity, except
for the specific uses and disclosures set forth below.
d. Use for Proper Management and Administration. Business Associate may Use PHI for the
proper management and administration of the Business Associate or to carry out the legal
responsibilities of the Business Associate.
e. Disclosure for Proper Management and Administration. Business Associate may disclose PHI
for the proper management and administration of Business Associate or to carry out the legal
responsibilities of the Business Associate, provided the disclosures are required by law, or
Business Associate obtains reasonable assurances from the person to whom the information is
disclosed that the information will remain confidential and used or further disclosed only as
required by law or for the purposes for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in which the confidentiality
of the information has been Breached.
f. Impermissible Use or Disclosure of PHI. Business Associate shall report to DOC in writing all
Uses or disclosures of PHI not provided for by this Contract within one (1) business day of
becoming aware of the unauthorized Use or disclosure of PHI, including Breaches of
unsecured PHI as required at 45 CFR 164.410 (Notification by a Business Associate), as well as
any Security Incident of which it becomes aware. Upon request by DOC, Business Associate
shall mitigate, to the extent practicable, any harmful effect resulting from the impermissible
Use or disclosure.
g. Failure to Cure. If DOC learns of a pattern or practice of the Business Associate that constitutes
a violation of the Business Associate's obligations under the terms of this Contract and
reasonable steps by DOC do not end the violation, DOC shall terminate this Contract, if
feasible. In addition, If Business Associate learns of a pattern or practice of its Subcontractors
that constitutes a violation of the Business Associate's obligations under the terms of their
contract and reasonable steps by the Business Associate do not end the violation, Business
Associate shall terminate the Subcontract, if feasible.
h. Termination for Cause. Business Associate authorizes immediate termination of this Contract
by DOC, if DOC determines that Business Associate has violated a material term of this
Business Associate Agreement. DOC may, at its sole option, offer Business Associate an
opportunity to cure a violation of this Business Associate Agreement before exercising a
termination for cause.
i. Consent to Audit. Business Associate shall give reasonable access to PHI, its internal practices,
records, books, documents, electronic data and/or all other business information received
State of Washington K13553 Page 3 of 7
Department of Corrections Attachment C 24RAD
from, or created or received by Business Associate on behalf of DOC, to the Secretary of DHHS
and/or to DOC for use in determining compliance with HIPAA privacy requirements.
j. Obligations of Business Associate Upon Expiration or Termination. Upon expiration or
termination of this Contract for any reason, with respect to PHI received from DOC, or created,
maintained, or received by Business Associate, or any Subcontractors, on behalf of DOC,
Business Associate shall:
k. Retain only that PHI which is necessary for Business Associate to continue its proper
management and administration or to carry out its legal responsibilities;
1. Return to DOC or destroy the remaining PHI that the Business Associate or any Subcontractors
still maintain in any form;
m. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164
(Security Standards for the Protection of Electronic Protected Health Information) with respect
to Electronic Protected Health Information to prevent Use or disclosure of the PHI, other than
as provided for in this Section, for as long as Business Associate or any Subcontractors retain
the PHI;
n. Not Use or disclose the PHI retained by Business Associate or any Subcontractors other than
for the purposes for which such PHI was retained and subject to the same conditions set out in
the "Use and Disclosure of PHI" section of this Contract which applied prior to termination;
and
o. Return to DOC or destroy the PHI retained by Business Associate, or any Subcontractors, when
it is no longer needed by Business Associate for its proper management and administration or
to carry out its legal responsibilities.
p. Survival. The obligations of the Business Associate under this section shall survive the
termination or expiration of this Contract.
4. Individual Rights. Accounting of Disclosures.
a. Business Associate shall document all disclosures, except those disclosures that are exempt
under 45 CFR 164.528, of PHI and information related to such disclosures.
b. Within ten (10) business days of a request from DOC, Business Associate shall make available
to DOC the information in Business Associate's possession that is necessary for DOC to
respond in a timely manner to a request for an accounting of disclosures of PHI by the Business
Associate. See 45 CFR 164.504(e)(2)(ii)(G) and 164.528(b)(1).
c. At the request of DOC or in response to a request made directly to the Business Associate by
an Individual, Business Associate shall respond, in a timely manner and in accordance with
State of Washington K13553 Page 4 of 7
Department of Corrections Attachment C 24RAD
HIPAA and the HIPAA Rules, to requests by Individuals for an accounting of disclosures of
PHI.
d. Business Associate record keeping procedures shall be sufficient to respond to a request for an
accounting under this section for the six (6) years prior to the date on which the accounting
was requested.
5. Access.
a. Business Associate shall make available PHI that it holds that is part of a Designated Record
Set when requested by DOC or the Individual as necessary to satisfy DOC's obligations under
45 CFR 164.524 (Access of Individuals to Protected Health Information).
b. When the request is made by the Individual to the Business Associate or if DOC asks the
Business Associate to respond to a request, the Business Associate shall comply with
requirements in 45 CFR 164.524 (Access of Individuals to Protected Health Information) on
form, time and manner of access. When the request is made by DOC, the Business Associate
shall provide the records to DOC within ten (10) business days.
6. Amendment.
a. If DOC amends, in whole or in part, a record or PHI contained in an Individual's Designated
Record Set and DOC has previously provided the PHI or record that is the subject of the
amendment to Business Associate, then DOC will inform Business Associate of the amendment
pursuant to 45 CFR 164.526(c)(3) (Amendment of Protected Health Information).
b. Business Associate shall make any amendments to PHI in a Designated Record Set as directed
by DOC or as necessary to satisfy DOC's obligations under 45 CFR 164.526 (Amendment of
Protected Health Information).
7. Subcontracts and other Third Party Agreements. In accordance with 45 CFR 164.502(e)(1)(ii),
164.504(e)(1)(i), and 164.308(b)(2), Business Associate shall ensure that any agents, Subcontractors,
independent contractors or other third parties that create, receive, maintain, or transmit PHI on
Business Associate's behalf, enter into a written contract that contains the same terms, restrictions,
requirements, and conditions as the HIPAA compliance provisions in this Contract with respect to
such PHI. The same provisions must also be included in any contracts by a Business Associate's
Subcontractor with its own business associates as required by 45 CFR 164.314(a)(2)(b) and
164.504(e)(5).
8. Obligations. To the extent the Business Associate is to carry out one or more of DOC's obligation(s)
under Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information),
Business Associate shall comply with all requirements that would apply to DOC in the
performance of such obligation(s).
State of Washington K13553 Page 5 of 7
Department of Corrections Attachment C 24RAD
9. Liability. Within ten (10) business days, Business Associate must notify DOC of any complaint,
enforcement or compliance action initiated by the Office for Civil Rights based on an allegation of
violation of the HIPAA Rules and must inform DOC of the outcome of that action. Business
Associate bears all responsibility for any penalties, fines or sanctions imposed against the Business
Associate for violations of the HIPAA Rules and for any imposed against its Subcontractors or
agents for which it is found liable.
10. Breach Notification.
a. In the event of a Breach of unsecured PHI or disclosure that compromises the privacy or
security of PHI obtained from DOC or involving DOC clients, Business Associate will take all
measures required by state or federal law.
b. Business Associate will notify DOC within one (1) business day by telephone and in writing of
any acquisition, access, Use or disclosure of PHI not allowed by the provisions of this Contract
or not authorized by HIPAA Rules or required by law of which it becomes aware which
potentially compromises the security or privacy of the Protected Health Information as defined
in 45 CFR 164.402 (Definitions).
c. Business Associate will notify the DOC Contact shown on the cover page of this Contract
within one (1) business day by telephone or e-mail of any potential Breach of security or
privacy of PHI by the Business Associate or its Subcontractors or agents. Business Associate
will follow telephone or e-mail notification with a faxed or other written explanation of the
Breach, to include the following: date and time of the Breach, date Breach was discovered,
location and nature of the PHI, type of Breach, origination and destination of PHI, Business
Associate unit and personnel associated with the Breach, detailed description of the Breach,
anticipated mitigation steps, and the name, address, telephone number, fax number, and e-
mail of the individual who is responsible as the primary point of contact. Business Associate
will address communications to the DOC Contact. Business Associate will coordinate and
cooperate with DOC to provide a copy of its investigation and other information requested by
DOC, including advance copies of any notifications required for DOC review before
disseminating and verification of the dates notifications were sent.
d. If DOC determines that Business Associate or its Subcontractors) or agent(s) is responsible for
a Breach of unsecured PHI:
(1) requiring notification of Individuals under 45 CFR § 164.404 (Notification to
Individuals), Business Associate bears the responsibility and costs for notifying the
affected Individuals and receiving and responding to those Individuals' questions or
requests for additional information;
(2) requiring notification of the media under 45 CFR § 164.406 (Notification to the media),
Business Associate bears the responsibility and costs for notifying the media and
receiving and responding to media questions or requests for additional information;
State of Washington K13553 Page 6 of 7
Department of Corrections Attachment C 24RAD
(3) requiring notification of the U.S. Department of Health and Human Services Secretary
under 45 CFR § 164.408 (Notification to the Secretary), Business Associate bears the
responsibility and costs for notifying the Secretary and receiving and responding to
the Secretary's questions or requests for additional information; and;
(4) DOC will take appropriate remedial measures up to termination of this Contract.
11. Miscellaneous Provisions.
a. Regulatory References. A reference in this Contract to a section in the HIPAA Rules means the
section as in effect or amended.
b. Interpretation. Any ambiguity in this Contract shall be interpreted to permit compliance with
the HIPAA Rules.
State of Washington K13553 Page 7 of 7
Department of Corrections Attachment C 24RAD
ATTACHMENT D
DATA SECURITY REQUIREMENTS
1. Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the
following definitions:
a. "AES" means the Advanced Encryption Standard, a specification of Federal Information
Processing Standards Publications for the encryption of electronic data issued by the National
Institute of Standards and Technology (NIST).
b. "Authorized Users (s)"means an individual or individuals with a business need to access DOC
Confidential Information, and who has or have been authorized to do so.
C. "Business Associate Agreement" means an agreement between DOC and a contractor who is
receiving Data covered under the Privacy and Security Rules of the Health Insurance
Portability and Accountability Act of 1996. The agreement establishes permitted and required
uses and disclosures of protected health information (PHI) in accordance with HIPAA
requirements and provides obligations for business associates to safeguard the information.
d. "Category 3 Data" is Confidential information is information that is specifically protected from
either release or disclosure by law. This includes, but is not limited to:
1. Personal information as defined in RCW 42.56.590 and RCW 19.255.10.
2. Information about public employees as defined in RCW 42.56.250.
3. Lists of individuals for commercial purposes as defined in RCW 42.56.070
4. Information about the infrastructure and security of computer and telecommunication
networks as defined in RCW 42.56.420.
e. "Category 4 Data" is data that is confidential and requires special handling due to statutes or
regulations that require especially strict protection of the data and from which especially
serious consequences may arise in the event of any compromise of such data. Data classified
as Category 4 includes but is not limited to data protected by: the Health Insurance Portability
and Accountability Act (HIPAA), Pub. L. 104-191 as amended by the Health Information
Technology for Economic and Clinical Health Act of 2009 (HITECH), 45 CFR Parts 160 and 164;
the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g; 34 CFR Part 99;
Internal Revenue Service Publication 1075 (https://www.irs.gov/pub/irs-pdf/p1075.pdf);
Substance Abuse and Mental Health Services Administration regulations on Confidentiality of
Alcohol and Drug Abuse Patient Records, 42 CFR Part 2; and/or Criminal Justice Information
Services, 28 CFR Part 20.
f. "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a
network outside the control of the Contractor. Physical storage of data in the cloud typically
spans multiple servers and often multiple locations. Cloud storage can be divided between
consumer grade storage for personal files and enterprise grade for companies and
governmental entities. Examples of consumer grade storage would include iTunes, Dropbox,
State of Washington K13553 Page 1 of 12
Department of Corrections Attachment D 24RAD
Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon
Web Services, and Rackspace.
g. "Encrypt" means to encode Confidential Information into a format that can only be read by
those possessing a "key"; a password, digital certificate or other mechanism available only to
authorized users. Encryption must use a key length of at least 256 bits for symmetric keys, or
2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption
Standard (AES) must be used if available.
h. "FedRAMP" means the Federal Risk and Authorization Management Program (see
www.fedramp.gov), which is an assessment and authorization process that federal
government agencies have been directed to use to ensure security is in place when accessing
Cloud computing products and services.
i. "Hardened Password" means a string of at least eight characters containing at least three of
the following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and
special characters such as an asterisk, ampersand, or exclamation point.
j. "Mobile Device" means a computing device, typically smaller than a notebook, which runs a
mobile operating system, such as iOS, Android, or Windows Phone. Mobile Devices include
smart phones, most tablets, and other form factors.
k. "'Multi -factor Authentication" means controlling access to computers and other IT resources
by requiring two or more pieces of evidence that the user is who they claim to be. These pieces
of evidence consist of something the user knows, such as a password or PIN; something the
user has such as a key card, smart card, or physical token; and something the user is, a
biometric identifier such as a fingerprint, facial scan, or retinal scan. "PIN" means a personal
identification number, a series of numbers which act as a password for a device. Since PINs
are typically only four to six characters, PINs are usually used in conjunction with another
factor of authentication, such as a fingerprint.
1. "Portable Device" means any computing device with a small form factor, designed to be
transported from place to place. Portable devices are primarily battery powered devices with
base computing resources in the form of a processor, memory, storage, and network access.
Examples include, but are not limited to, mobile phones, tablets, and laptops. Mobile Device
is a subset of Portable Device.
M. "Portable Media" means any machine readable media that may routinely be stored or moved
independently of computing devices. Examples include magnetic tapes, optical discs (CDs or
DVDs), flash memory (thumb drive) devices, external hard drives, and internal hard drives
that have been removed from a computing device.
n. "Secure Area" means an area to which only authorized representatives of the entity possessing
the Confidential Information have access, and access is controlled through use of a key, card
key, combination lock, or comparable mechanism. Secure Areas may include buildings, rooms
or locked storage containers (such as a filing cabinet or desk drawer) within a room, as long as
access to the Confidential Information is not available to unauthorized personnel. In otherwise
Secure Areas, such as an office with restricted access, the Data must be secured in such a way
State of Washington K13553 Page 2 of 12
Department of Corrections Attachment D 24RAD
as to prevent access by non -authorized staff such as janitorial or facility security staff, when
authorized Contractor staff are not present to ensure that non -authorized staff cannot access
it.
o. "Trusted Network" means a network operated and maintained by the Contractor, which
includes security controls sufficient to protect DOC Data on that network. Controls would
include a firewall between any other networks, access control lists on networking devices such
as routers and switches, and other such mechanisms which protect the confidentiality,
integrity, and availability of the Data.
p. "Unique User ID" means a string of characters that identifies a specific user and which, in
conjunction with a password, passphrase or other mechanism, authenticates a user to an
information system.
q. "Biometric identifier" means any information, regardless of how it is captured, converted,
stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, DNA, or
scan of hand or face geometry, except when such information is derived from:
(i) Writing samples, written signatures, photographs, human biological samples used for valid
scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions
such as height, weight, hair color, or eye color;
(ii) Donated organ tissues or parts, or blood or serum stored on behalf of recipients or potential
recipients of living or cadaveric transplants and obtained or stored by a federally designated
organ procurement agency;
(iii) Information captured from a patient in a health care setting or information collected, used,
or stored for health care treatment, payment, or operations under the federal health insurance
portability and accountability act of 1996; or
(iv) X-ray, roentgen process, computed tomography, magnetic resonance imaging (MRI),
positron emission tomography (PET) scan, mammography, or other image or film of the
human anatomy used to diagnose, develop a prognosis for, or treat an illness or other medical
condition or to further validate scientific testing or screening.
2. Authority. The security requirements described in this document reflect the applicable
requirements of Standard 141.10 (https:Hocio.wa.gov/policies) of the Office of the Chief
Information Officer for the state of Washington, WA DOC Policy 280.310 — Information Technology
Security; WA DOC Policy 280.515 — Data Classification and Sharing; the terms and conditions set
forth in this Agreement; and all applicable state and federal laws in its treatment of WA DOC Data.
3. Administrative Controls. The Contractor must have the following controls in place:
a. A documented security policy governing the secure use of its computer network and systems,
and which defines sanctions that may be applied to Contractor staff for violating that policy.
b. Any data center security controls must meet or exceed those expected by the Federal
Information Security Management Act (FISMA) for low to moderate impact systems as
described in FIPS 199 and 200, and in the most current release of National Institute of Standards
State of Washington K13553 Page 3 of 12
Department of Corrections Attachment D 24RAD
and Technology (NIST) Special Publications SP800- 53, including all other referenced NIST
publications.
c. Contractor warrants that all data collected, processed, routed, and/or stored by or through the
service, or third -party service providers, remains at all times within the United States.
d. If the Data shared under this agreement is classified as Category 4, the Contractor must be
aware of and compliant with the applicable legal or regulatory requirements for that Category
4 Data.
e. If Confidential Information shared under this agreement is classified as Category 4, the
Contractor must have a documented risk assessment for the systems) housing the Category 4
Data.
4. Authorization, Authentication, and Access. In order to ensure that access to the Data is limited
to authorized staff, the Contractor must:
a. Have documented policies and procedures governing access to systems with the shared Data.
b. Restrict access through administrative, physical, and technical controls to authorized staff.
c. Ensure that user accounts are unique and that any given user account logon ID and password
combination is known only to the one employee to whom that account is assigned. For
purposes of non -repudiation, it must always be possible to determine which employee
performed a given action on a system housing the Data based solely on the logon ID used to
perform the action.
d. Ensure that only authorized users are capable of accessing the Data.
e. Ensure that an employee's access to the Data is removed immediately:
(1) Upon suspected compromise of the user credentials.
(2) When their employment, or the contract under which the Data is made available to them,
is terminated.
(3) When they no longer need access to the Data to fulfill the requirements of the contract.
f. Have a process to periodically review and verify that only authorized users have access to
systems containing DOC Confidential Information.
g. When accessing the Data from within the Contractor's network (the Data stays within the
Contractor's network at all times), enforce password and logon requirements for users within
the Contractor's network, including:
(1) A minimum length of 8 characters, and containing at least three of the following character
classes: uppercase letters, lowercase letters, numerals, and special characters such as an
asterisk, ampersand, or exclamation point.
State of Washington K13553 Page 4 of 12
Department of Corrections Attachment D 24RAD
(2) That a password does not contain a user's name, logon ID, or any form of their full name.
(3) That a password does not consist of a single dictionary word. A password may be formed
as a passphrase which consists of multiple dictionary words.
(4) That passwords are significantly different from the previous four passwords. Passwords
that increment by simply adding a number are not considered significantly different.
h. When accessing Confidential Information from an external location (the Data will traverse the
Internet or otherwise travel outside the Contractor's network), mitigate risk and enforce
password and logon requirements for users by employing measures including:
(1) Ensuring mitigations applied to the system don't allow end -user modification.
(2) Not allowing the use of dial -up connections.
(3) Using industry standard protocols and solutions for remote access. Examples would
include RADIUS and Citrix.
(4) Encrypting all remote access traffic from the external workstation to Trusted Network or
to a component within the Trusted Network networks (using key lengths of 128 bits or
greater) Algorithm modules validated by the National Institute of Standards and
Technology (NISI) Cryptographic Module Validation Program (CMVP) are required. The
traffic must be encrypted at all times while traversing any network, including the Internet,
which is not a Trusted Network.
(5) Ensuring that the remote access system prompts for re -authentication or performs
automated session termination after no more than 20 minutes of inactivity.
(6) Ensuring use of Multi -factor Authentication to connect from the external end point to the
internal end point. Authentication mechanisms must meet or exceed those described in the
most recent version of NIST SP 800-63 for information requiring assurance level 3 or
higher. One of the authentication factors should be provided by a device separate from the
computer gaining access.
(7) Ensuring all system and service accounts use Enterprise Active Directory or a similar
centralized authentication and authorization mechanism. If authentication methods such
as SQL authentication are required by the system, Contractor uses credentials secured
during transmission through encrypted sessions such as TLS1.2 (or greater) or IPSec, and
in storage using a secure hash method validated by the National Institute of Standards and
Technology (NISI). Within 72 hours of a request from DOC, Contractor must provide
documentation showing how the credentials are secured during all transmissions using
encrypted sessions such as TLS or IPSec, and in storage using a secure hash method
validated by the National Institute of Standards and Technology (NIST).
i. Passwords or PIN codes may meet a lesser standard if used in conjunction with another
authentication mechanism, such as a biometric (fingerprint, face recognition, iris scan) or token
(software, hardware, smart card, etc.) in that case:
State of Washington K13553 Page 5 of 12
Department of Corrections Attachment D 24RAD
(1) The PIN or password must be at least 5 letters or numbers when used in conjunction with
at least one other authentication factor
(2) Must not be comprised of all the same letter or number (11111, 22222, aaaaa, would not be
acceptable)
(3) Must not contain a "run" of three or more consecutive numbers (12398, 98743 would not
be acceptable)
j. If the contract specifically allows for the storage of Confidential Information on a Mobile
Device, passcodes used on the device must:
(1) Be a minimum of six alphanumeric characters.
(2) Contain at least three unique character classes (upper case, lower case, letter, number).
(3) Not contain more than a three consecutive character run. Passcodes consisting of 12345, or
abcd12 would not be acceptable.
k. Render the device unusable after a maximum of 10 failed logon attempts.
1. Ensure the system/service supports single sign -on for state government employees, and
external users by integrating the system's authentication mechanisms with the Washington
State Enterprise Active Directory and Secure Authentication Gateways (post listeners are
typically used for processing the gateway host headers).
m. Utilize application authentication controls that are consistent with those described in the most
recent version of NIST SP 800-63 for information requiring assurance level 2 or higher.
5. Protection of Data. The Contractor agrees to store Data on one or more of the following media
and protect the Data as described:
a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data will be
restricted to Authorized User(s) by requiring logon to the local workstation using a Unique
User ID and Hardened Password or other authentication mechanisms which provide equal or
greater security, such as biometrics or smart cards.
b. Network server disks. For Data stored on hard disks mounted on network servers and made
available through shared folders, access to the Data will be restricted to Authorized Users
through the use of access control lists which will grant access only after the Authorized User
has authenticated to the network using a Unique User ID and Hardened Password or other
authentication mechanisms which provide equal or greater security, such as biometrics or
smart cards. Data on disks mounted to such servers must be located in an area which is
accessible only to authorized personnel, with access controlled through use of a key, card key,
combination lock, or comparable mechanism.
For DOC Confidential Information stored on these disks, deleting unneeded Data is sufficient
as long as the disks remain in a Secure Area and otherwise meet the requirements listed in the
State of Washington K13553 Page 6 of 12
Department of Corrections Attachment D 24RAD
above paragraph. Destruction of the Data, as outlined below in Section 8 Data Disposition,
may be deferred until the disks are retired, replaced, or otherwise taken out of the Secure Area.
c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DOC
on optical discs which will be used in local workstation optical disc drives and which will not
be transported out of a Secure Area. When not in use for the contracted purpose, such discs
must be Stored in a Secure Area. Workstations which access DOC Data on optical discs must
be located in an area which is accessible only to authorized personnel, with access controlled
through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by
DOC on optical discs which will be attached to network servers and which will not be
transported out of a Secure Area. Access to Data on these discs will be restricted to Authorized
Users through the use of access control lists which will grant access only after the Authorized
User has authenticated to the network using a Unique User ID and Hardened Password or
other authentication mechanisms which provide equal or greater security, such as biometrics
or smart cards. Data on discs attached to such servers must be located in an area which is
accessible only to authorized personnel, with access controlled through use of a key, card key,
combination lock, or comparable mechanism.
e. Paper documents. Any paper records must be protected by storing the records in a Secure
Area which is only accessible to authorized personnel. When not in use, such records must be
stored in a Secure Area.
f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN)
or Secure Access Washington (SAW) will be controlled by DOC staff who will issue
authentication credentials (e.g. a Unique User ID and Hardened Password) to Authorized
Users on Contractor's staff. Contractor will notify DOC staff immediately whenever an
Authorized User in possession of such credentials is terminated or otherwise leaves the employ
of the Contractor, and whenever an Authorized User's duties change such that the Authorized
User no longer requires access to perform work for this Contract.
g. Data storage on portable devices or media.
(1) Except where otherwise specified herein, DOC Data shall not be stored by the Contractor
on portable devices or media unless specifically authorized within the terms and
conditions of the Contract. If so authorized, the Data shall be given the following
protections:
(a) Encrypt the Data.
(b) Control access to devices with a Unique User ID and Hardened Password or stronger
authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock
automatically after a period of inactivity, if this feature is available. Maximum period
of inactivity is 20 minutes.
State of Washington K13553 Page 7 of 12
Department of Corrections Attachment D 24RAD
(d) Apply administrative and physical security controls to Portable Devices and Portable
Media by:
i. Keeping them in a Secure Area when not in use,
ii. Using check-in/check-out procedures when they are shared, and
iii. Taking frequent inventories.
(2) When being transported outside of a Secure Area, Portable Devices and Portable Media
with DOC Confidential Information must be under the physical control of Contractor staff
with authorization to access the Data, even if the Data is encrypted.
h. Data stored for backup purposes.
(1) DOC Confidential Information may be stored on Portable Media as part of a Contractor's
existing, documented backup process for business continuity or disaster recovery
purposes. Such storage is authorized until such time as that media would be reused during
the course of normal backup operations. If backup media is retired while DOC
Confidential Information still exists upon it, such media will be destroyed at that time in
accordance with the disposition requirements below in Section 8 Data Disposition.
(2) Data may be stored on non -portable media (e.g. Storage Area Network drives, virtual
media, etc.) as part of a Contractor's existing, documented backup process for business
continuity or disaster recovery purposes. If so, such media will be protected as otherwise
described in this exhibit. If this media is retired while DOC Confidential Information still
exists upon it, the data will be destroyed at that time in accordance with the disposition
requirements below in Section 8 Data Disposition.
i. Cloud storage. DOC Confidential Information requires protections equal to or greater than
those specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither
DOC nor the Contractor has control of the environment in which the Data is stored. For this
reason:
(1) DOC Data will not be stored in any consumer grade Cloud solution, unless all of the
following conditions are met:
(a) Contractor has written procedures in place governing use of the Cloud storage and
Contractor attests in writing that all such procedures will be uniformly followed.
(b) The Data will be Encrypted while within the Contractor network.
(c) The Data will remain Encrypted during transmission to the Cloud.
(d) The Data will remain Encrypted at all times while residing within the Cloud storage
solution.
(e) The Contractor will possess a decryption key for the Data, and the decryption key will
be possessed only by the Contractor and/or DOC.
State of Washington K13553 Page 8 of 12
Department of Corrections Attachment D 24RAD
(f) The Data will not be downloaded to non -authorized systems, meaning systems that
are not on either the DOC or Contractor networks.
(g) The Data will not be decrypted until downloaded onto a computer within the control
of an Authorized User and within either the DOC or Contractor's network.
(2) Data will not be stored on an Enterprise Cloud storage solution unless either:
(a) The Cloud storage provider is treated as any other Sub -Contractor, and agrees in
writing to all of the requirements within this exhibit; or,
(b) The Cloud storage solution used is FedRAMP certified.
(3) If the Data includes protected health information covered by the Health Insurance
Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business
Associate Agreement prior to Data being stored in their Cloud solution.
6. System Protection. To prevent compromise of systems which contain DOC Data or through which
that Data passes:
a. Systems containing DOC Data must have all security patches or hotfixes applied within 3
months of being made available.
b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have
been applied within the required timeframes.
c. Systems containing DOC Data shall have an Anti-Malware application, if available, installed.
d. Anti-Malware software shall be kept up to date. The product, its anti -virus engine, and any
malware database the system uses, will be no more than one update behind current. These
anti-malware practices must meet or exceed those described in NIST SP800-40.
e. The architecture must provide continuous monitoring of both internal and external activity for
anomalies and identify, report, and defend against security intrusions before data is
compromised.
f. Contractor shall conduct penetration tests at least once every 24 months, system vulnerability
assessments at least monthly, and application vulnerability assessments prior to the
production release of any changes to source code.
g. Contractor has implemented application/system development practices consistent with the
current version of NIST SP800-64 for low to moderate impact systems, and warrants the
software does not contain any of the Open Web Application Security project (OWASP) top 10
vulnerabilities — https://www.owasp.org/index.ph Main Page
h. Contractor has a practice of systematic collection, monitoring, alerting, maintenance, retention,
and disposal of security event logs and application audit trails. Logs and audit trails are
written to an area inaccessible to system users and are protected from editing. At a minimum
the logs and audit trails will provide historical details on all transactions within the system that
State of Washington K13553 Page 9 of 12
Department of Corrections Attachment D 24RAD
7.
are necessary to reconstruct activities. Including recording; type of event, date, time, account
identification and machine identifiers for each logged transaction. Audit and log files can be
analyzed by type in order to find emerging issues or trends. Contractor has settings triggering
an immediate notification to appropriate system administrators for severe incidents. Logs are
secured against unauthorized changes. At a minimum, logs must be retained for a period of 6
months.
Data Segregation.
a. DOC Data must be segregated or otherwise distinguishable from non-DOC data. This is to
ensure that when no longer needed by the Contractor, all DOC Data can be identified for return
or destruction. It also aids in determining whether DOC Data has or may have been
compromised in the event of a security breach. As such, one or more of the following methods
will be used for data segregation.
(1) DOC Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain
no non-DOC Data. And/or,
(2) DOC Data will be stored in a logical container on electronic media, such as a partition or
folder dedicated to DOC Data. And/or,
(3) DOC Data will be stored in a database which will contain no non-DOC data. And/or,
(4) DOC Data will be stored within a database and will be distinguishable from non-DOC data
by the value of a specific field or fields within database records.
(5) When stored as physical paper documents, DOC Data will be physically segregated from
non-DOC data in a drawer, folder, or other container.
b. When it is not feasible or practical to segregate DOC Data from non-DOC data, then both the
DOC Data and the non-DOC data with which it is commingled must be protected as described
in this exhibit.
8. Data Disposition. When the contracted work has been completed or when the Data is no longer
needed, except as noted above in Section 5.b, Data shall be returned to DOC or destroyed. Media
on which Data may be stored and associated acceptable methods of destruction are as follows:
Data stored on: Will be destroyed by:
Server or workstation hard disks, or Using a "wipe" utility which will overwrite the
Data at least three (3) times using either random or
Removable media (e.g. floppies, USB flash single character data, or
drives, portable hard disks) excluding
optical discs Degaussing sufficiently to ensure that the Data
cannot be reconstructed, or
Phvsicallv destroving the disk
State of Washington K13553 Page 10 of 12
Department of Corrections Attachment D 24RAD
Paper documents with sensitive or
Confidential Information
Recycling through a contracted firm, provided the
contract with the recycler assures that the
confidentiality of Data will be protected.
Paper documents containing Confidential
Information requiring special handling
(e.g. protected health information)
On -site shredding, pulping, or incineration
Optical discs (e.g. CDs or DVDs)
Incineration, shredding, or completely defacing
the readable surface with a coarse abrasive
Magnetic tape
Degaussing, incinerating or crosscut shredding
Cloud Storage (e.g. Azure, AWS, GCP)
Using a Crypto shredding utility
9. Notification of Compromise or Potential Compromise. Contractor shall implement incident
response practices consistent with NIST SP 800-61. The actual compromise of DOC Data must be
reported to the DOC Contact designated in the Contract within three (3) business days of discovery.
If no DOC Contact is designated in the Contract, then the notification must be reported to the DOC
Contracts and Legal Affairs office at docclacontracts@docl.wa.gov. Contractor must also take
actions to mitigate the risk of loss and comply with any notification or other requirements imposed
by law or DOC.
10. Data shared with Subcontractors. If DOC Data provided under this Contract is to be shared with
a subcontractor, the Contract with the subcontractor must include all of the data security provisions
within this Contract and within any amendments, attachments, or exhibits within this Contract. If
the Contractor cannot protect the Data as articulated within this Contract, then the contract with
the sub -Contractor must be submitted to the DOC Contact specified for this contract for review
and approval.
11. System Audit Requirements. Contractor has completed a recent independent security audit by a
SOC 2 Type 2 accredited firm of their development and operational practices, or that an
independent security audit by an accredited firm will be completed within 6 months after contract
execution. This audit must include vulnerability assessments, and penetration tests, and confirm
compliance with the security requirements herein. The audit should include any specific data
center facility where the service is deployed, and all failover facilities unless those facilities provide
their own SOC 2 Type 2 audit.
12. Disaster Recovery. Contractor shall document, test and maintain a disaster recovery plan
including an alternate facility to assure the system/service is recovered within 24 hours of a force
majeure event. The recovery plan must protect against more than 24 hours of DOC data being lost.
13. Records Maintenance. The parties to this Agreement shall each maintain books, records,
documents, and other evidence which sufficiently and properly reflect all direct and indirect costs
expended by either party in the performance of the services described herein, if any. These records
shall be subject to inspection, review, or audit by personnel of both parties, other personnel duly
authorized by either party, the Office of the State Auditor, and federal officials so authorized by
law. All books, records, documents, and other material relevant to this Agreement will be retained
State of Washington K13553 Page 11 of 12
Department of Corrections Attachment D 24RAD
for six (6) years after expiration and the Office of the State Auditor, federal auditors, and any
persons duly authorized by the parties shall have full access and the right to examine any of these
materials during this period.
14. Rights in Data. Unless otherwise provided in the Research Agreement, this Agreement will not be
construed to effect any transfer of right or license to the embodiments of the Washington DOC's
Data, except to the limited extent necessary to carry out the responsibilities specified herein.
Commercialization of DOC Category 3 or Category 4 data, or sharing of DOC data with third
parties without the written permission of DOC is strictly prohibited under these terms.
15. Insurance Requirements. If this agreement involves the Contractor collecting, storing, creating,
altering, processing, transmitting, routing, or handling any DOC Category 3 or Category 4 data,
then Contractor shall obtain and maintain for the duration of the Contract, at Contractor's expense,
the following insurance coverages which the parties agree are unaffected by any limitation of
liability language within this Agreement.
a. Technology Professional Liability (errors and omissions)
The Contractor shall maintain Technology Professional Liability (errors and omissions)
insurance, to include coverage of claims involving infringement of intellectual property.
This shall include but is not limited to infringement of copyright, trademark, trade dress,
invasion of privacy violations, information theft, damage to or destruction of electronic
information, release of private information, alteration of electronic information, extortion,
network security, regulatory defense (including fines and penalties), and notification costs.
The coverage limits must be at least $1,000,000 per covered claim without sublimit, and
$2,000,000 annual aggregate.
b. Crime and Employee Dishonesty
The Contractor shall maintain Employee Dishonesty and (when applicable) Inside/Outside
Money and Securities coverages for property owned by the State of Washington in the
care, custody, and control of Contractor, to include electronic theft and fraud protection.
The coverage limits must be at least $1,000,000 per covered claim without sublimit,
$2,000,000 annual aggregate.
c. Cyber Risk Liability Insurance
The Contractor shall maintain coverage for Cyber Risk Liability, including information
theft, computer and data loss replacement or restoration, release of private information,
alteration of electronic information, notification costs, credit monitoring, forensic
investigation, cyber extortion, crises management, public relations expenses, regulatory
defense (including fines and penalties), network security, and liability to third parties from
failure(s) of contractor to handle, manage, store, and control personally identifiable
information belonging to others. The policy must include full prior acts coverage. The
coverage limits must be at least $1,000,000 per covered claim without sublimit, $2,000,000
annual aggregate.
State of Washington K13553 Page 12 of 12
Department of Corrections Attachment D 24RAD
Outlook
RE: Department of Corrections Contract - No K13553
From Tom Gaines <tgaines@grantcountywa.gov>
Date Thu 10/31/2024 8:49 AM
To Linze Greenwalt <Ireenwalt@grantcountywa.gov>
Cc Kirk Eslinger <keslinger@grantcountywa.gov>; Rebekah M. Kaylor <rmkaylor@grantcountywa.gov>
Linze,
Insurance and IT are both good to go here; we have no issues. Thanks
Tom Gaines
Director, Grant County, WA
Central Services Department
tgaines@grantcount)3 a.gov
509-754-2011 Ext 3276
Serve the Public, Be Exceptional, Ei# y Life
From: Tom Gaines
Sent: Tuesday, October 29, 2024 2:22 PM
To: Linze Greenwalt <Igreenwalt@grantcountywa.gov>
Cc: Kirk Eslinger <keslinger@grantcountywa.gov>
Subject: Re: Department of Corrections Contract - No K13553
Appendix D is going to take a few days. I'll be back with you soon.
Sent from my Phone
On Oct 29, 2024, at 11:08 AM, Linze Greenwalt .alf't H
wrote:
Good morning!
We have this DOC contract that Rebekah reviewed and had her notes
below regarding the insurance. Will you please take a look at it?
Thanks,
Linze
From: Rebekah M. Kaylor <rrnkaylor@g antcount$a,�v>
Sent: Thursday, October 24, 202410:11 AM
To: Linze Greenwalt <irewait=a--o�!,nt}3;�jAja.o=i>
Subject: RE: Department of Corrections Contract - No K13553
Good Morning,
am good with this contract.
Have you had Tom or Kirk review the insurance piece including Attachment A(1) and
confirmed with Shane our insurance broker regarding this? I will also note that the Data
Security Requirements (Attachment D) include Insurance Requirements at paragraph 15.
Also has TS reviewed Attachment D, Data Security Requirements?
didn't see
Regards,
Rebekah Kaylor
Chief Deputy Prosecuting Attorney (Civil/Appellate)
Grant County Prosecuting Attorney's Office
PO Box 37
Ephrata, WA 98823
Phone: 509.754.2011 x3950
Fax: 509.754.6574
rmkaylor agrantcountywa.gov
<image002.jpg>
The contents of this e-mail message, including any attachments, are intended solely for the use of the person or entity to whom the e-
mail was addressed. It contains information that may be protected by attorney -client privilege, work -product, or other privileges, and
may be restricted from disclosure by applicable state and federal law. If you are not the intended recipient of this message, be advised
that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error,
please contact the sender by reply e-mail. Please also permanently delete all copies of the original e-mail and any attached
documentation. Please be advised that any reply to this e-mail may be considered a public record and be subject to disclosure upon
request.
From: Linze Greenwalt < r enwc—!'l� =gran co T\ a. o= >
�a n
Sent: Tuesday, October 22, 2024 11:24 AM
To: Rebekah M. Kaylor <r ml ayl r rantcc��n t������a.go >
- Hx.,m
Subject: Department of Corrections Contract - No K13553
Hi there,
Attached a new contract with Department of Corrections. We have worked
with DOC for a long time completing DOSAs (Drug Offender Sentencing
Alternative Assessments). If we can please add this to your lineup for review.
Thanks!
Thanks,
Linze Greenwalt <irnageoo3.png>
Contracts Coordinator
Ph: 509.765.9239
840 E Plum St ; Moses Lake, WA
E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail and any attachments are intended solely for the addressee(s) and may contain
confidential and/or legally privileged information. If you are not the intended recipient of this message or if this
message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete
this message and any attachments. If you are not the intended recipient, you are notified that any use,
dissemination, distribution, copying or storage of this message or any attachment is strictly prohibited.
<K13553_Signature Insurance_Certificate_Requ.pdf>