Agreements/Contracts - GRIS (005)
K 19-092

COUNTY PROGRAM AGREEMENT
Community Residential Services

Department of Social & Health Services
Transforming lives

DSHS Agreement Number: 1963-57191
Administration or Division Agreement Number:
County Agreement Number: P1# 200012501

This Program Agreement is by and between the State of Washington Department of Social and Health Services (DSHS) and the County identified below, and is issued in conjunction with a County and DSHS Agreement On General Terms and Conditions, which is incorporated by reference.

DSHS ADMINISTRATION: Developmental Disabilities Admin
DSHS DIVISION: Division of Developmental Disabilities
DSHS INDEX NUMBER: 1221
DSHS CONTRACT CODE: 1756CP-63
DSHS CONTACT NAME AND TITLE: Olga Lutsyk, Case Manager
DSHS CONTACT ADDRESS: 1620 S Pioneer Way, Moses Lake, WA 98837
DSHS CONTACT TELEPHONE: (not entered)
DSHS CONTACT FAX: (not entered)
DSHS CONTACT E-MAIL: lutsyko@dshs.wa.gov

COUNTY NAME: Grant County (GRANT COUNTY - 01)
COUNTY ADDRESS: PO Box 1057, Moses Lake, WA 98837
COUNTY FEDERAL EMPLOYER IDENTIFICATION NUMBER: 91-6001319
COUNTY CONTACT NAME: Gail Goodwin
COUNTY CONTACT TELEPHONE: (509) 764-2644
COUNTY CONTACT FAX: (509) 765-4124
COUNTY CONTACT E-MAIL: ggoodwin@grantcountywa.gov

IS THE COUNTY A SUBRECIPIENT FOR PURPOSES OF THIS PROGRAM AGREEMENT? No
CFDA NUMBERS:
PROGRAM AGREEMENT START DATE: 07/01/2019
PROGRAM AGREEMENT END DATE: 06/30/2021
MAXIMUM PROGRAM AGREEMENT AMOUNT: Fee For Service

Chapters 388-101 and 388-101D WAC are incorporated into this Contract by reference.

EXHIBITS.
The following Exhibits are attached and are incorporated into this Contract by reference:

Exhibits (specify):
Exhibit A – Data Security Requirements
Exhibit B – Residential Training; Supported Living
Exhibit C – Rate Schedule
Exhibit D – DDA Policies, DRW Agreement and DDA Guiding Values
Exhibit E – Training Feedback Form

By their signatures below, the parties agree to the terms and conditions of this County Program Agreement and all documents incorporated by reference. No other understandings or representations, oral or otherwise, regarding the subject matter of this Program Agreement shall be deemed to exist or bind the parties. The parties signing below certify that they are authorized to sign this Program Agreement.

COUNTY SIGNATURE(S), PRINTED NAME(S) AND TITLE(S), DATE(S) SIGNED:
Tom Taylor, BOCC Chair
Cindy Carter, BOCC Vice-Chair
Richard Stevens, BOCC Member

DSHS SIGNATURE, PRINTED NAME AND TITLE, DATE SIGNED:
Seanna Woodard -ROM

Page 1 DSHS Central Contract Services 1756CP Community Residential Services (05-22-2019)

Special Terms and Conditions

1. Definitions. The words and phrases listed below, as used in this Program Agreement, shall each have the following definitions:

a. "Authorized Personnel" means DDA, RCS or other regulatory staff.

b. "Case Manager" means the DSHS or DDA Case Resource Manager, social worker or other DSHS staff assigned to a Client.

c. "Client" means a person whom DSHS has determined financially and programmatically eligible to receive services and for whom specific services have been authorized.

d. "DDA" means the Developmental Disabilities Administration within the Department of Social and Health Services.

e. "Exhibit C" is the document generated by the Rates unit from the Developmental Disabilities (RRDD) payment database. The Exhibit C displays detailed client daily rate information and effective dates on every client currently served by the County under this Program Agreement.
A new Exhibit C is created in conjunction with and approved by the County and DDA every time a client is added, deleted or changes in supports require modification to the Client's daily rates.

f. "Positive Behavior Support" means an approach to addressing challenging behavior that focuses on changing the physical and interpersonal environment and supporting a person's skill development so that they are able to get their needs met without having to resort to challenging behavior. Positive behavior support must be emphasized in all services funded by DDA for persons with developmental disabilities.

g. "Residential Professional Services" means services provided to a DDA Client. Services may be rendered by, but not limited to a licensed: Nurse; Physician; Psychiatrist; Therapist; Counselor; Dentist; or other licensed agents, which has the legal authority to render an opinion or conduct treatment.

h. "Provider One" means the Washington State Medicaid Management and Information System which is the payment system used for all Medicaid services.

i. "SSP" means the State Supplementary Payment that is a state paid cash assistance program for certain Clients of DDA.

j. "Service Plan" means a Person Centered Service Plan (PCSP) which is a person-centered written plan for long term care service delivery which identifies ways to meet the Client's needs with the most appropriate services as described in chapters 388-101 and 388-101D WAC and/or RCW 74.39A.

2. Expectations:

a. The County/Contractor shall be either licensed and/or certified, and contracted as is required by law.

b. All services shall be provided in a way that promotes the benefits outlined in the DDA Guiding Values, as referenced in Exhibit D.
The County shall:
(1) Allow the Client to select preferred services;
(2) Facilitates the delivery of those services; and
(3) Services shall be provided as stated in chapter 388-823 WAC and 388-101D WAC in a way that:
(a) Respects the client's right to privacy and dignity;
(b) Supports initiative, autonomy and independence in making life choices; and
(c) Is free from harm, coercion and restraint.

c. The County must emphasize Positive Behavior Support Principles in the provision of all services to Clients. Positive Behavior Support is based on respect, dignity, and personal choice.

3. Statement of Work. The County/Contractor shall provide the services and staff, necessary for or incidental to the performance of work to provide Supported Living, Group Home, or Group Training Home instruction and support services for Clients of DDA in accordance with chapter 388-101 WAC, chapter 388-101D WAC and Exhibit D.

a. Supported Living.
(1) "Supported living" means instruction, supports and services provided to clients who are age 18 years or older living in their own homes, which are owned, rented, or leased by the client or their legal representative. Providers are certified under chapter 388-101 WAC.

b. Residential Professional Services are provided by service provider staff and are included as part of the daily residential rate. These residential professional services are part of the residential supports that enhance the ability of a Client to live an integrated and meaningful life. These services include residential chronic nursing supports, language translators, habilitation dialectical behavioral therapy, and behavioral habilitation. Subcontracting of residential professional services requires prior written approval by DDA.

c.
When a Client's service needs change, the County/Contractor shall comply with the following non-emergent and emergent situations:

(1) The County may make a written request for a meeting or revised assessment with the DDA Case Manager to evaluate Client needs and service plan. The County may also request consultation from the department. DDA shall meet with the County or revise the assessment within thirty (30) working days of receiving the written request.

(2) In emergency situations in which an action or the continued presence of a Client endangers the health, safety and/or personal property of other Clients, those working with the Client, the Client him/herself, or other citizens of the community, the County shall notify department to request assistance. Regardless of the time of day or night, the DDA Field Services Office shall provide a response and assistance as soon as possible until the County and the DDA Field Services representative can meet to discuss alternative supports. DDA Regional Administrator will identify emergency contact outside of business hours. This information will be shared with the County.

(3) If further assistance is needed, then, on the first working day after initiating a verbal request for such assistance, the County shall confirm in writing to the DDA Field Services representative the nature of the emergency, the need for immediate assistance, and the specific type of assistance being requested.

(4) DDA will respond to the emergency request within one business day of the request. A written decision will be sent to the service provider within five working days of the emergency request.

(5) When an emergency circumstance cannot be resolved in a way that is mutually agreeable to both the County and the DDA Field Services representative, either the County or DSHS may discontinue services to the Client from the County.
Whichever party makes the decision to discontinue services shall provide notice in writing to the other party specifying its reasons for termination. In either case, DSHS shall remove the Client from the County's Program Agreement within seventy-two (72) hours of giving or receiving the initial written notice of the emergency situation.

d. The County has the right to refuse services to a Client when the County has determined and documented that the Client's needs cannot be met by the County, or the refusal of services would be in the best interest of the Client or in the best interests of other Clients. Before terminating services to the Client, the County must notify DDA, the Client and the Client's legal representative in writing no less than ten (10) working days before terminating services.

e. The County will retain the following documentation:
(1) Records as required under chapter 388-101 WAC, chapter 388-101D WAC; and
(2) Copies of records as prescribed in chapter 246-840 WAC, Protocol for Delegated Nursing Care Tasks to Non-licensed Personnel in Community Residential Programs.

f. The County agrees to follow all standards of certifications and Program Agreement compliance for DDA Clients who receive SSP and to use those funds to pay for residential services purchased from the County. DSHS will ensure the Service Plan is in place for these DDA Clients. DSHS will monitor to ensure County compliance is provided as described in this Contract.

g. For Clients funded through State Supplemental Payment, the County is exempt from meeting the requirements of DDA Policy 6.04. However, if staff add-on is needed for Clients funded through SSP, the County may submit a staff add-on request. The County must use a tracking document for verification of add-on provided for Clients funded through SSP.

4. Consideration. Total consideration payable to County for performance of the work under this Program Agreement shall be based on the following:

a.
This Program Agreement is a fee for service Client Service Contract. DSHS shall pay the County the rate per Client as indicated in Exhibit C, for Group Homes, Group Training Home and/or Supported living residential instruction and support services, in accordance with chapter 388-101 WAC and Chapter 388-101D WAC. With the written agreement between the two parties, the parties may increase or decrease the maximum Clients served by signing a revised Exhibit C. Any revised Exhibit C is incorporated into this Program Agreement by reference.

b. In the event of a legislatively mandated vendor rate change, the rate(s) shall be adjusted accordingly and shall be incorporated into this Contract on the date the rate(s) become effective.

5. Billing and Payment.

a. The County shall bill for authorized services using the ProviderOne Payment system which is the state of Washington's Medicaid management system.

b. Billing instructions are located at https://www.hca.wa.gov/billers-providers/claims-and-billing/professional-rates-and-billing-guides.

c. The County shall accept the reimbursement rate established by DDA as full compensation for all services under the Program Agreement. The County must not require additional compensation from or on behalf of a client for any or all contracted residential services, except as allowed in DDA Policy, 6.02 Rate Setting for Supported Living, Group Training Homes and Group Home.

d. If DSHS pays the County for services authorized but not provided by the County the amount paid shall be considered to be an overpayment.

e. DSHS shall only reimburse or pay for services which are authorized and within the scope of Community Residential Services.

f. DSHS will pay for the ISS staff completing Nurse Delegation Curriculum training.

g.
DSHS will pay up to the standard rate for Hepatitis shots for the County's staff, current standard rate is set at $250 dollars per series of three (3) injections, as requested by County.

h. Payment shall be considered timely if made by DSHS within thirty (30) days after receipt of properly completed claims. Payment shall be sent to the address designated by County.

i. If this Program Agreement is terminated for any reason, DSHS shall pay for only those services authorized and provided through the date of termination.

5. Cost Report Requirements. Per DDA Policy 6.04 Residential Programs Billing, Payment and Cost Reporting:

a. The service provider must submit an annual cost report to DDA by March 31st covering the previous calendar year. For cost reports not received by the March 31st date the department will withhold the administrative portion of the reimbursement until a completed cost report is received and accepted by DDA unless an extension has been granted.

b. If a service provider's Program Agreement is terminated before the end of the calendar year, the service provider must submit a final cost report to DDA no more than 90 days after the Program Agreement termination. The cost report must cover the months the Program Agreement was in effect for that calendar year. DDA uses the final cost report to determine a settlement for the contracted period.

c. The Department may withhold all or part of a service provider's payment if the service provider has given a 30-day notice to terminate their Program Agreement. DDA may release a withheld payment after the cost report and settlement have been determined complete by DDA and no settlement is due.

d. The Department may withhold all or part of a service provider's payment if the service provider's Program Agreement has been terminated for convenience or cause. DDA may release a withheld payment after the cost report and settlement have been determined complete by DDA and no settlement is due.

7.
Quality Assurance and Improvement. The County will not limit access of DDA staff and representatives to Client's homes for the purpose of Quality Assurance monitoring and improvement. The County is expected to actively collaborate with DDA staff to address quality improvement issues and identify needed training or Technical Assistance.

8. Client Resource Reporting. The County agrees to report to the Client's Case Manager when they become aware that a Client's resources reach $1,700.00 or more on the first moment (midnight) of the month. Resources include cash on hand and any other funds and are calculated based on checks written by that date. Items received in a month become a resource on the first moment (midnight) of the following month. Counties are exempt from this requirement for Clients receiving Healthcare Workers with Disabilities benefits.

9. Duty to Disclose Business Transactions.

a. Under 42 Code of Federal Regulations (CFR) 455.104, the County is required to provide disclosures from individuals with ownership interest, managing employees, and those with a controlling interest. The State must obtain certain disclosures from providers and complete screenings to ensure the State does not pay federal funds to excluded person or entities. Contractor must complete and submit a Medicaid Provider Disclosure Statement, DSHS Form 27-094. Under 42 CFR 455.104(c)(1), disclosures must be provided:
(1) When the prospective County/Contractor submits their initial application;
(2) When the prospective County/Contractor signs the contract;
(3) Upon request of the Department at Program Agreement revalidation/renewal;
(4) Within thirty-five (35) days after any change in ownership of the Contractor entity.

b.
Failure to submit the requested information may cause the Department to refuse to enter into an agreement or contract with the Contractor or to terminate existing agreements. The State will recover any payments made to a disclosing entity that fails to disclose ownership or control information, as required by 42 CFR 455.104.

c. Under 42 CFR 455.105(b), within thirty-five (35) days of the date of a request by the Secretary of the U.S. Department of Health and Human Services or DSHS, Contractor must submit full and complete information related to Contractor's business transactions that include:
(1) The ownership of any subcontractor with whom the Contractor has had business transactions totaling more than $25,000 during the twelve (12) month period ending on the date of the request; and
(2) Any significant business transactions between the Contractor and any wholly owned supplier, or between the Contractor and any subcontractor, during the five (5) year period ending on the date of the request.

d. Failure to comply with requests made under this term may result in denial of payments until the requested information is disclosed. See 42 CFR 455.105(c).

10. Provider Screenings.

a. The State must ensure the Department does not pay federal funds to excluded persons or entities. States are also required to check for the death of an individual provider, agency owner or authorized official prior to contracting. The required ownership and control information for individuals with ownership interest of 5% or more, officers and managing employees will be obtained from the Medicaid Provider Disclosure Statement and checked against all required federal exclusion lists, and the Social Security Death Master List, prior to finalizing a contract/Program Agreement.

b.
The Contractor will report any change in ownership, managing employees, and/or those with a controlling interest to the Department within 35 days of such a change so that these individuals can be screened against the required federal exclusion lists as well as the Social Security Death Master List.

11. State or Federal Audit Requests. The Contractor is required to respond to State or Federal audit requests for records or documentation, within the timeframe provided by the requestor. The Contractor must provide all records requested to either State or Federal agency staff or their designees.

12. False Claims Act Education Compliance. Federal law requires any entity receiving annual Medicaid payments of $5 million or more to provide education regarding federal and state false claims laws for all of its employees, contractors and/or agents.

If Contractor receives at least $5 million or more in annual Medicaid payments under one or more provider identification number(s), the Contractor is required to establish and adopt written policies for all employees, including management, and any contractor or agent of the entity, including detailed information about both the federal and state False Claims Acts and other applicable provisions of Section 1902(a)(68) of the Social Security Act. The law requires the following:

Contractor must establish written policies to include detailed information about the False Claims Act, including references to the Washington State False Claims Act;

a. Policies regarding the handling and protection of whistleblowers;

b. Policies and procedures for detecting and preventing fraud, waste, and abuse;

c. Policies and procedures must be included in an existing employee handbook or policy manual, but there is no requirement to create an employee handbook if none already exists.

13.
Duty to Report Suspected Abuse, Improper use of Restraint, Abandonment, Neglect or Personal or Financial Exploitation of a Vulnerable Adult. Service provider administrators, owners, employees, contractors, and volunteers who have reasonable cause to believe there has been abuse, improper use of restraint, neglect, personal or financial exploitation, or abandonment of a client must follow the requirements of Chapters 26.44 RCW and 74.34 RCW and make a report to the Department of Social and Health Services (DSHS). The report shall be made to the Department's current state abuse hotline or online reporting tool. The Contractor must also report all suspected instances to DDA, per DDA policy 6.12. If the notice to DDA was verbal then it must be followed up by written notification per policy 6.12. Further, when required by RCW 74.34.035, the Contractor and the Contractor's employees must immediately make a report to the appropriate law enforcement agency.

14. Background Check. The signatory for this contract/Program Agreement agrees to undergo and successfully complete a DSHS criminal history background check conducted by DSHS every three years or more often as required by program rule or as otherwise stated in the contract/Program Agreement, and as required under RCW 43.20A.710, RCW 43.43.830 through 43.43.842. If the County/Contractor has owners, administrators, subcontractors, employees or volunteers who may have unsupervised access to Clients in the course of performing the work under this Contract/Program Agreement, the Contractor shall require those owners, administrators, subcontractors, employees or volunteers to successfully complete a criminal history background check prior to any unsupervised access and at least every three years thereafter or more often if required by program rule or as otherwise stated in the contract/Program Agreement. The County/Contractor must maintain documentation of successful completion of required background checks.

15.
Death of Clients. The County/Contractor shall report all deaths of DSHS Clients receiving services under this Contract/Program Agreement to DDA per DDA policy 6.12. The Contractor shall follow up with written notification of the Client's death to DDA per DDA policy 6.12.

16. Drug-Free Workplace. The County/Contractor agrees he or she and all employees or volunteers shall not use or be under the influence of alcohol, marijuana, illegal drugs, and/or any substances that impact the Contractor's ability to perform duties under this Contract.

17. Execution and Waiver. This Contract/Program Agreement shall be binding on DSHS only upon signature by DSHS with an Authorized Countersignature. Only the Contracting Officer or the Contracting Officer's designee has authority to waive any provision of this Contract on behalf of DSHS.

18. Significant Change in Client's Condition. The County/Contractor agrees to report any significant change in the Client's condition within twenty-four (24) hours to the Client's Case Manager.

19. Additional Client Rights:

a. In compliance with Title VI of the Civil Rights Act of 1964, and consistent with RCW 2.42.010, RCW 2.43.010, and RCW 49.60.010, the County/Contractor shall ensure that Limited English Proficient (LEP) Clients have access to a certified, or, if non-certifiable language, to an otherwise qualified language interpreter, who has successfully passed the DSHS language test; the Contractor shall also ensure that DSHS Clients have access to documents translated into the Client's primary language. To request a qualified interpreter, you must register at https://hcauniversal.com/new-requester-registration/ or email scheduling@ulsonline.net. For additional information, visit their Provider FAQs page.

b.
In compliance with the Americans with Disabilities Act (ADA) of 1990, and consistent with RCW 2.42.010 and RCW 49.60.010, the Contractor shall ensure that deaf, deaf-blind, or hard of hearing Clients have access to the services of an interpreter certified by the National Association of the Deaf (NAD) as a Sign Language Interpreter, or a qualified interpreter having a Registry of Interpreters for the Deaf (RID).

20. Bribes and Kickbacks. Federal law stipulates that Medicaid participants be offered free choice among qualified providers, therefore any exclusive relationship between the County/Contractor and any other Medicaid service is prohibited.

21. Disputes. Disputes shall be determined by a dispute resolution process.

a. Requesting dispute resolution: The request for contract dispute resolution by either party shall:
(1) Be submitted to DDA in writing and include the County/Contractor's name, address and the DSHS contract number for this contract;
(2) Be sent by certified mail or other method providing a signed receipt to the sender to prove delivery to and receipt by DDA, to the following address:
Residential Services Program Manager
Developmental Disabilities Administration
PO Box 45310
Olympia, Washington 98504-5310
(3) Be received by the Program Manager no later than twenty-eight (28) calendar days after the contract expiration or termination.
(4) Identify in writing the spokesperson for the County/Contractor, if other than the County/Contractor's signatory.

b. Content of the dispute request: The party requesting a dispute resolution shall submit a statement that:
(1) Identifies the issue(s) in dispute;
(2) Identifies the relative positions of the parties; and
(3) Requests resolution through the current DDA processes.

c.
Action on the request:
(1) DDA shall notify the non-requesting party that the request has been made, notify both parties of the dispute resolution process to be followed, and manage the process to its conclusion.
(2) The County/Contractor shall provide pertinent information as requested by the person assigned to resolve the dispute.

d. Contractor and DSHS agree that, the existence of a dispute notwithstanding, they will continue without delay to carry out all their respective responsibilities under this Agreement that are not affected by the dispute.

22. Policies. Policies listed in Exhibit D can be located at https://www.dshs.wa.gov/dda/policies-and-rules/policy-manual. In the event that it is necessary for DDA to update or change Exhibit D due to major impact change during the contract period; the County/Contractor will be notified in advance of the change and given the opportunity to provide feedback, the revised Policy with agreed upon changes made by stakeholders and DDA will be incorporated into this Program Agreement without the requirement of an amendment.

Exhibit A – Data Security Requirements

1. Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following definitions:

a. "AES" means the Advanced Encryption Standard, a specification of Federal Information Processing Standards Publications for the encryption of electronic data issued by the National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf).

b. "Authorized Users(s)" means an individual or individuals with a business need to access DSHS Confidential Information, and who has or have been authorized to do so.

c.
"Category 4 Data" is data that is confidential and requires special handling due to statutes or regulations that require especially strict protection of the data and from which especially serious consequences may arise in the event of any compromise of such data. For purposes of this contract, data classified as Category 4 refers to data protected by: the Health Insurance Portability and Accountability Act (HIPAA).

d. "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a network outside the control of the Contractor. Physical storage of data in the cloud typically spans multiple servers and often multiple locations. Cloud storage can be divided between consumer grade storage for personal files and enterprise grade for companies and governmental entities. Examples of consumer grade storage would include iCloud, Dropbox, Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, O365, and Rackspace.

e. "Encrypt" means to encode Confidential Information into a format that can only be read by those possessing a "key"; a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 128 bits (256 preferred and required to be implemented by 6/30/2020) for symmetric keys, or 2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must be used if available.

f. "Hardened Password" means a string of at least eight characters containing at least three of the following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and special characters such as an asterisk, ampersand, or exclamation point.

g. "Mobile Device" means a computing device, typically smaller than a notebook, which runs a mobile operating system, such as iOS, Android, or Windows Phone. Mobile Devices include smart phones, most tablets, and other form factors.

h.
"Multi-factor Authentication" means controlling access to computers and other IT resources by requiring two or more pieces of evidence that the user is who they claim to be. These pieces of evidence consist of something the user knows, such as a password or PIN; something the user has such as a key card, smart card, or physical token; and something the user is, a biometric identifier such as a fingerprint, facial scan, or retinal scan. "PIN" means a personal identification number, a series of numbers which act as a password for a device. Since PINs are typically only four to six characters, PINs are usually used in conjunction with another factor of authentication, such as a fingerprint.

i. "Portable Device" means any computing device with a small form factor, designed to be transported from place to place. Portable devices are primarily battery powered devices with base computing resources in the form of a processor, memory, storage, and network access. Examples include, but are not limited to, mobile phones, tablets, and laptops. Mobile Device is a subset of Portable Device.

j. "Portable Media" means any machine readable media that may routinely be stored or moved independently of computing devices. Examples include magnetic tapes, optical discs (CDs or DVDs), flash memory (thumb drive) devices, external hard drives, and internal hard drives that have been removed from a computing device.

k. "Secure Area" means an area to which only authorized representatives of the entity possessing the Confidential Information have access, and access is controlled through use of a key, card key, combination lock, or comparable mechanism. Secure Areas may include buildings, rooms or locked storage containers (such as a filing cabinet or desk drawer) within a room, as long as access to the Confidential Information is not available to unauthorized personnel.
In otherwise Secure Areas, such as an office with restricted access, the Data must be secured in such a way as to prevent access by non-authorized staff such as janitorial or facility security staff, when authorized Contractor staff are not present to ensure that non-authorized staff cannot access it.
l. "Trusted Network" means a network operated and maintained by the Contractor, which includes security controls sufficient to protect DSHS Data on that network. Controls would include a firewall between any other networks, access control lists on networking devices such as routers and switches, and other such mechanisms which protect the confidentiality, integrity, and availability of the Data.
m. "Unique User ID" means a string of characters that identifies a specific user and which, in conjunction with a password, passphrase or other mechanism, authenticates a user to an information system.

2. Authority. The security requirements described in this document reflect the applicable requirements of Standard 141.10 (https://ocio.wa.gov/policies) of the Office of the Chief Information Officer for the state of Washington, and of the DSHS Information Security Policy and Standards Manual. Reference material related to these requirements can be found here: https://www.dshs.wa.gov/fsa/central-contract-services/keeping-dshs-client-information-private-and-secure, which is a site developed by the DSHS Information Security Office and hosted by DSHS Central Contracts and Legal Services.

3. Administrative Controls. The Contractor must have the following controls in place:
a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy.
b. If the Data shared under this agreement is classified as Category 4 data, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
c. If Confidential Information shared under this agreement is classified as Category 4 data, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.

4. Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must:
a. Have documented policies and procedures governing access to systems with the shared Data.
b. Restrict access through administrative, physical, and technical controls to authorized staff.
c. Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non-repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action.
d. Ensure that only authorized users are capable of accessing the Data.
e. Ensure that an employee's access to the Data is removed immediately:
   (1) Upon suspected compromise of the user credentials.
   (2) When their employment, or the contract under which the Data is made available to them, is terminated.
   (3) When they no longer need access to the Data to fulfill the requirements of the contract.
f. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.
g. When accessing the Data from within the Contractor's network (the Data stays within the Contractor's network at all times), enforce password and logon requirements for users within the Contractor's network, including:
   (1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.
   (2) That a password does not contain a user's name, logon ID, or any form of their full name.
   (3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.
   (4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.
h. When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Contractor's network), mitigate risk and enforce password and logon requirements for users by employing measures including:
   (1) Ensuring mitigations applied to the system don't allow end-user modification.
   (2) Not allowing the use of dial-up connections.
   (3) Using industry standard protocols and solutions for remote access. Examples would include RADIUS and Citrix.
   (4) Encrypting all remote access traffic from the external workstation to Trusted Network or to a component within the Trusted Network. The traffic must be encrypted at all times while traversing any network, including the Internet, which is not a Trusted Network.
   (5) Ensuring that the remote access system prompts for re-authentication or performs automated session termination after no more than 30 minutes of inactivity.
   (6) Ensuring use of Multi-factor Authentication to connect from the external end point to the internal end point. All Contractors must be in compliance by 6/30/2020.
i. Passwords or PIN codes may meet a lesser standard if used in conjunction with another authentication mechanism, such as a biometric (fingerprint, face recognition, iris scan) or token (software, hardware, smart card, etc.). In that case:
   (1) The PIN or password must be at least 5 letters or numbers when used in conjunction with at least one other authentication factor.
   (2) Must not be comprised of all the same letter or number (11111, 22222, aaaaa, would not be acceptable).
   (3) Must not contain a 'run' of three or more consecutive numbers (12398, 98743 would not be acceptable).
j. If the contract specifically allows for the storage of Confidential Information on a Mobile Device, passcodes used on the device must:
   (1) Be a minimum of six alphanumeric characters.
   (2) Contain at least three unique character classes (upper case, lower case, letter, number).
   (3) Not contain more than a three consecutive character run. Passcodes consisting of 12345, or abcd12 would not be acceptable.
k. Render the device unusable after a maximum of 10 failed logon attempts.

5. Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms, which provide equal or greater security, such as biometrics or smart cards.
b. Network server disks. For Data stored on hard disks mounted on network servers and made available through shared folders, access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area, which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secure Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data, as outlined below in Section 8 Data Disposition, may be deferred until the disks are retired, replaced, or otherwise taken out of the Secure Area.
c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secure Area. When not in use for the contracted purpose, such discs must be stored in a Secure Area. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by DSHS on optical discs which will be attached to network servers and which will not be transported out of a Secure Area. Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area, which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. Any paper records must be protected by storing the records in a Secure Area, which is only accessible to authorized personnel. When not in use, such records must be stored in a Secure Area.
f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor's staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an Authorized User's duties change such that the Authorized User no longer requires access to perform work for this Contract.
g. Data storage on portable devices or media.
   (1) Except where otherwise specified herein, DSHS Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the terms and conditions of the Contract. If so authorized, the Data shall be given the following protections:
      (a) Encrypt the Data.
      (b) Control access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics.
      (c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes.
      (d) Apply administrative and physical security controls to Portable Devices and Portable Media by:
         i. Keeping them in a Secure Area when not in use,
         ii. Using check-in/check-out procedures when they are shared, and
         iii. Taking frequent inventories.
   (2) When being transported outside of a Secure Area, Portable Devices and Portable Media with DSHS Confidential Information must be under the physical control of Contractor staff with authorization to access the Data, even if the Data is encrypted.
h. Data stored for backup purposes.
   (1) DSHS Confidential Information may be stored on Portable Media as part of a Contractor's existing, documented backup process for business continuity or disaster recovery purposes. Such storage is authorized until such time as that media would be reused during the course of normal backup operations. If backup media is retired while DSHS Confidential Information still exists upon it, such media will be destroyed at that time in accordance with the disposition requirements below in Section 8 Data Disposition.
   (2) Data may be stored on non-portable media (e.g. Storage Area Network drives, virtual media, etc.) as part of a Contractor's existing, documented backup process for business continuity or disaster recovery purposes. If so, such media will be protected as otherwise described in this exhibit. If this media is retired while DSHS Confidential Information still exists upon it, the data will be destroyed at that time in accordance with the disposition requirements below in Section 8 Data Disposition.
i. Cloud storage. DSHS Confidential Information requires protections equal to or greater than those specified elsewhere within this exhibit. Cloud storage of Data is problematic as neither DSHS nor the Contractor has control of the environment in which the Data is stored. For this reason:
   (1) DSHS Data will not be stored in any consumer grade Cloud solution, unless all of the following conditions are met:
      (a) Contractor has written procedures in place governing use of the Cloud storage and Contractor attest to the contact listed in the contract and keep a copy of that attestation for your records in writing that all such procedures will be uniformly followed.
      (b) The Data will be Encrypted while within the Contractor network.
      (c) The Data will remain Encrypted during transmission to the Cloud.
      (d) The Data will remain Encrypted at all times while residing within the Cloud storage solution.
      (e) The Contractor will possess a decryption key for the Data, and the decryption key will be possessed only by the Contractor.
      (f) The Data will not be downloaded to non-authorized systems, meaning systems that are not on the contractor network.
      (g) The Data will not be decrypted until downloaded onto a computer within the control of an Authorized User and within either the DSHS or Contractor's network.
   (2) Data will not be stored on an Enterprise Cloud storage solution unless either:
      (a) The Cloud storage provider is treated as any other Sub-Contractor, and agrees in writing to all of the requirements within this exhibit; or,
      (b) The Cloud storage solution used is HIPAA compliant.
   (3) If the Data includes protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior to Data being stored in their Cloud solution.

6. System Protection. To prevent compromise of systems which contain DSHS Data or through which that Data passes:
a. Systems containing DSHS Data must have all security patches or hotfixes applied within 3 months of being made available.
b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have been applied within the required timeframes.
c. Systems containing DSHS Data shall have an Anti-Malware application, if available, installed.
d. Anti-Malware software shall be kept up to date. The product, its anti-virus engine, and any malware database the system uses, will be no more than one update behind current.

7. Data Segregation.
a. DSHS category 4 data must be segregated or otherwise distinguishable from non-DSHS data.
This is to ensure that when no longer needed by the Contractor, all DSHS Data can be identified for return or destruction. It also aids in determining whether DSHS Data has or may have been compromised in the event of a security breach. As such, one or more of the following methods will be used for data segregation:
   (1) DSHS Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain no non-DSHS Data.
   (2) DSHS Data will be stored in a logical container on electronic media, such as a partition or folder dedicated to DSHS Data.
   (3) DSHS Data will be stored in a database which will contain no non-DSHS data. And/or,
   (4) DSHS Data will be stored within a database and will be distinguishable from non-DSHS data by the value of a specific field or fields within database records.
   (5) When stored as physical paper documents, DSHS Data will be physically segregated from non-DSHS data in a drawer, folder, or other container.
b. When it is not feasible or practical to segregate DSHS Data from non-DSHS data, then both the DSHS Data and the non-DSHS data with which it is commingled must be protected as described in this exhibit.

8. Data Disposition. When the contracted work has been completed or when the Data is no longer needed, except as noted above in Section 5.b, Data shall be returned to DSHS or destroyed. Media on which Data may be stored and associated acceptable methods of destruction are as follows:

Data stored on: Server or workstation hard disks, or Removable media (e.g. floppies, USB flash drives, portable hard disks) excluding optical discs
Will be destroyed by: Using a "wipe" utility which will overwrite the Data at least three (3) times using either random or single character data, or Degaussing sufficiently to ensure that the Data cannot be reconstructed, or Physically destroying the disk

Data stored on: Paper documents with sensitive or Confidential Information
Will be destroyed by: Recycling through a contracted firm, provided the contract with the recycler assures that the confidentiality of Data will be protected.

Data stored on: Paper documents containing Confidential Information requiring special handling (e.g. protected health information)
Will be destroyed by: On-site shredding, pulping, or incineration

Data stored on: Optical discs (e.g. CDs or DVDs)
Will be destroyed by: Incineration, shredding, or completely defacing the readable surface with a coarse abrasive

Data stored on: Magnetic tape
Will be destroyed by: Degaussing, incinerating or crosscut shredding

9. Notification of Compromise or Potential Compromise. The compromise or potential compromise of DSHS shared Data must be reported to the DSHS Contact designated in the Contract within one (1) business day of discovery. If no DSHS Contact is designated in the Contract, then the notification must be reported to the DSHS Privacy Officer at dshsprivacyofficer@dshs.wa.gov. Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or DSHS.

10. Data shared with Subcontractors. If DSHS Data provided under this Contract is to be shared with a subcontractor, the Contract with the subcontractor must include all of the data security provisions within this Contract and within any amendments, attachments, or exhibits within this Contract. If the Contractor cannot protect the Data as articulated within this Contract, then the contract with the sub-Contractor must be submitted to the DSHS Contact specified for this contract for review and approval.

Exhibit B
Residential Training
Training Services

23. Purpose. The purpose of this Exhibit is to allow the Contractor to provide DDA Residential Training and certification for Community Residential Service Provider per chapter 74.39A RCW and chapter 388-829 WAC.

24. Qualifications. Contractor and/or their staff who provide DDA Residential Training and certification for Community Residential Service providers must:
a. Complete train the trainer course offered by DDA; and
b. Meet trainer qualifications per chapter 74.39A RCW and chapter 388-829 WAC.

25. Statement of Work. The Contractor shall provide the services and staff, and otherwise do all things necessary for or incidental to the performance of work as set forth below:
a. The Contractor shall maintain DDA approved trainer(s).
b. The Contractor shall provide training, testing and certification to DSHS contracted Community Residential Service and will provide the following services:
   (1) Provide DDA Residential Training for Community Residential service provider staff utilizing a DSHS approved curriculum according to chapter 74.39A RCW, and chapter 388-829 WAC.
   (2) The Contractor agrees to use the most current posted edition of DDA approved 40 hour curriculum and material for DDA Residential Training.
   (3) The Contractor shall arrange for training facilities, offering the training and testing in an environment conducive to taking a test (e.g. temperature, light, noise level, privacy, etc.). The Contractor is responsible for finding and paying for training sites. DSHS facilities may be used for the trainings when available.
   (4) The Contractor agrees to award a DSHS certificate of completion to students who successfully pass the competency test provided by DSHS.
   (5) The Contractor agrees to give students a student evaluation form prior to the end of each testing session, collect them upon completion, and send the original student evaluation form, within two (2) weeks of completing the course, to the Regional Resource Manager assigned to the agency. See Billing and Payment section for detailed requirements.
   (6) The Contractor agrees to reissue copies of the training certificates to students for up to six (6) years at no additional costs, if requested.
c. In addition, the Contractor shall:
   (1) Maintain records of training completion for six (6) years for each student, including copies of completed roster. The Contractor will provide a process for students to obtain a reissued Certificate of Completion.
   (2) Allow DSHS access to Contractor's records regarding DDA Residential Training to verify compliance with this Contract.
   (3) Report training data to DDA in DDA-identified timeframes.
   (4) Allow DSHS to observe training sessions with or without prior arrangement.
d. DSHS shall and reserves the right to do the following:
   (1) Provide DDA Residential Training course curriculum for use in training DSHS contracted Supported Living provider staff.
   (2) Create an evaluation form for students to evaluate such topics as, but not limited to the quality of the training, curriculum, the trainer abilities, and location of training.
   (3) Request access to Contractor records to verify compliance with this Contract without prior notice.

26. Consideration.
a. Total consideration payable to the Contractor for satisfactory performance of the work performed under this Contract is as follows:
   (1) Reimbursement for potential trainers to attend the five day "Train-the-Trainer" session will be $600 dollars per trainer.
   (2) The reimbursement to Contractor delivering training shall be $210 per student for students who complete the training required to take the DDA Residential Training.
   (3) One-time fee of $6,000 for development of a skills acquisition lab upon receipt of signed attestation.
b. If the Contractor assigns a trainer who does not meet the qualifications identified in Section 2. Qualifications, above, the amount paid to the Contractor will be considered an overpayment. In addition to the training fee paid to the Contractor, the state's costs for trainee wages will also be recouped from the Contractor as the trainee certificate will not be valid.

27. Billing and Payment.
a. Consideration for services rendered shall be payable upon receipt of a properly completed billing form which must be submitted to the Regional Resource Manager for your area of service by the Contractor monthly. Billing forms shall be submitted by the tenth day of the month following the training month when the training was completed.
b. Reimbursement for 40-hour DDA Residential Service Curriculum "Train-the-Trainer" session will be authorized through ProviderOne payment system. The invoice request must include a completed DDA Residential Provider Training roster for all trainings being billed. The payment shall be in accordance with the terms of this Contract.
c. Payment for agency trainer to provide a 40-hour DDA Residential Service Curriculum using the Department approved training will be made through the ProviderOne payment system. The agency trainer must submit a completed roster and student evaluation with the payment request to the Regional Resource Manager.
d. Payment shall be considered timely if made by DSHS within thirty (30) days after receipt and acceptance of properly completed invoices. DSHS may, at its sole discretion, withhold payment claimed by the Contractor for services rendered if Contractor fails to satisfactorily comply with any term or condition of this Contract.

Exhibit D
DDA Community Residential Services and Support
DDA Policy
Client Service Contract

This Exhibit contains the following policies and agreements:
DDA and CRP (Certified community residential service provider) agreement regarding WPAS' access rights

Policy Title:
DDA Policy 4.02 Community Residential Services: Referral, Acceptance and Change of Residential Providers
DDA Policy 5.01 Background Check Authorizations
DDA Policy 5.08 Individual Instruction and Support Plan (IISP) and Risk Summary
DDA Policy 5.14 Positive Behavior Support
DDA Policy 5.15 Use of Restrictive Procedures
DDA Policy 5.16 Use of Psychoactive Medications
DDA Policy 5.17 Physical Intervention Techniques
DDA Policy 5.21 Positive Behavior Support
DDA Policy 6.02 Rate Setting for Residential Programs
DDA Policy 6.04 Residential Programs Cost Reporting
DDA Policy 6.07 Possession of Weapons in DDA Funded Community Residential Programs
DDA Policy 6.09 Supporting End of Life Decisions for Clients Receiving DDA Residential Services
DDA Policy 6.11 Residential Allowance Requests
DDA Policy 6.12 Incident Management and Reporting Requirements for Residential Services Providers
DDA Policy 6.19 Residential Medication Management
DDA Policy 15.03 Community Protection Standards for Employment Program Services
DDA Policy 15.04 Standards for Community Protection Residential Services (CPRS)
DDA Policy 15.05 Community Protection Program Exit Criteria

DDA Guiding Values: The DDA Guiding Values can be located at: https://www.dshs.wa.gov/sites/default/files/DDA/dda/documents/DDA%20Guiding%20Values%20Booklet.pdf

Disability Rights of Washington (DRW) Agreement: The following access agreement regarding Disability Rights of Washington (DRW) rights and responsibilities can be located at: https://www.dshs.wa.gov/sites/default/files/DDA/dda/documents/WPAS.pdf

Exhibit C
Supported Living/Group Home - Exhibit C revision #:
Contractor Name
Contract No.
Region
Process Date
No. of Clients (excluding SSP funded)

The undersigned hereby affirm that the following are the agreed upon number of clients and reimbursement rates associated with the indicated contract and contract peric sheet revision supersedes all previous rate sheets as of the effective date.

Contractor Signature
Date Signed
DSHS Regional Administrator or Designee
Date Sign

Rate sheet columns (a through v): Program Name; Provider P1 ID; Client Name; Client P1 ID; Rate Effective Date; ISS Tier Rate; ISS Daily Tier Rate; Prof Svs Hrs PCD 1; Prof Svs Hrly Rate 1; Prof Svs Hrs PCD 2; Prof Svs Hrly Rate 2; ISS Prof Svs Daily Rate; ISS CRST Tier Rate; ISS Hold Harmless Rate; Total ISS Daily Rate; Admin Tier Rate; Admin Hold Harmles; Admin CRST Tier Rate; Transp. Rate; Other Non-ISS Rates; Total Non-ISS Daily Rate; Total Daily Rate

Example only. Actual Rate Sheet will be completed for Clients being served. SAMPLE ONLY

Exhibit E
COMMUNITY RESIDENTIAL TRAINING PARTICIPANT EVALUATION

DATE OF TRAINING:
NAME OF COURSE:
TRAINER NAME

1. Here are three things I learned today.
   1.
   2.
   3.
2. One thing I will do differently in the future as a result of this training:
3. Something that surprised me:

Low / High
4. The material was relevant to my job. 1 2 3 4
5. The material was well presented and held my interest. 1 2 3 4
6. The presenter was knowledgeable. 1 2 3 4
7. The presenter was respectful. 1 2 3 4

8. My favorite thing about this training:
9. Please contact me: (optional)
   Name:
   Phone:
   Email: