2024, Interlocal Datashare Agreement, Dept. of Social & Health Services

INTERLOCAL DATASHARE AGREEMENT
Washington Connection

DSHS Agreement Number: 2491-5 860
Program Contract Number: (blank)
Contractor Contract Number: (blank)

This Agreement is by and between the State of Washington Department of Social and Health Services (DSHS) and the Contractor identified below, and is issued pursuant to the Interlocal Cooperation Act, chapter 39.34 RCW.

CONTRACTOR NAME: City of Auburn
CONTRACTOR doing business as (DBA): (blank)
CONTRACTOR ADDRESS: 25 W Main St, Auburn, WA 98002
WASHINGTON UNIFORM BUSINESS IDENTIFIER (UBI): 171-000-010
DSHS INDEX NUMBER: 22473
CONTRACTOR CONTACT: Kent Hay
CONTRACTOR TELEPHONE: (253) 294-6429
CONTRACTOR FAX: (blank)
CONTRACTOR E-MAIL ADDRESS: khay@auburnwa.gov
DSHS ADMINISTRATION: Economic Services Administration
DSHS DIVISION: Community Services Division
DSHS CONTRACT CODE: 3067DS-91
DSHS CONTACT NAME AND TITLE: Shannon Williams, Administrator
DSHS CONTACT ADDRESS: 6909 Crosswind Blvd, Kennewick, WA 99336-6699
DSHS CONTACT TELEPHONE: (509) 202-5335
DSHS CONTACT FAX: (blank)
DSHS CONTACT E-MAIL ADDRESS: shannon.williams@dshs.wa.gov
IS THE CONTRACTOR A SUBRECIPIENT FOR PURPOSES OF THIS CONTRACT? No
CFDA NUMBER(S): (blank)
AGREEMENT START DATE: 06/01/2024
AGREEMENT END DATE: 05/31/2029
MAXIMUM AGREEMENT AMOUNT: No Payment

EXHIBITS. The following Exhibits are attached and are incorporated into this Agreement by reference:
[X] Data Security: Exhibit A—Data Security Requirements
[ ] Exhibits (specify):

The terms and conditions of this Agreement are an integration and representation of the final, entire and exclusive understanding between the parties superseding and merging all previous agreements, writings, and communications, oral or otherwise regarding the subject matter of this Agreement, between the parties.
The parties signing below represent they have read and understand this Agreement, and have the authority to execute this Agreement. This Agreement shall be binding on DSHS only upon signature by DSHS.

CONTRACTOR SIGNATURE, PRINTED NAME AND TITLE, DATE SIGNED: [illegible]
DSHS SIGNATURE, PRINTED NAME AND TITLE, DATE SIGNED: Michelle Malmoe, Contracts Officer, 5/17/2024

DSHS/ESA/Community Services Division
DSHS Central Contract Services 3067DS-91 Washington Connection DS Interlocal(1-10-2024) Page 1

DSHS General Terms and Conditions

m. "Regulation" means any federal, state, or local regulation, rule, or ordinance.
n. "Secured Area" means an area to which only authorized representatives of the entity possessing the Confidential Information have access. Secured Areas may include buildings, rooms or locked storage containers (such as a filing cabinet) within a room, as long as access to the Confidential Information is not available to unauthorized personnel.
o. "Subcontract" means any separate agreement or contract between the Contractor and an individual or entity ("Subcontractor") to perform all or a portion of the duties and obligations that the Contractor is obligated to perform pursuant to this Contract.
p. "Tracking" means a record keeping system that identifies when the sender begins delivery of Confidential Information to the authorized and intended recipient, and when the sender receives confirmation of delivery from the authorized and intended recipient of Confidential Information.
q. "Trusted Systems" include only the following methods of physical delivery: (1) hand-delivery by a person authorized to have access to the Confidential Information with written acknowledgement of receipt; (2) United States Postal Service ("USPS") first class mail, or USPS delivery services that include Tracking, such as Certified Mail, Express Mail or Registered Mail; (3) commercial delivery services (e.g.
FedEx, UPS, DHL) which offer tracking and receipt confirmation; and (4) the Washington State Campus mail system. For electronic transmission, the Washington State Governmental Network (SGN) is a Trusted System for communications within that Network.
r. "WAC" means the Washington Administrative Code. All references in this Contract to WAC chapters or sections shall include any successor, amended, or replacement regulation. Pertinent WAC chapters or sections can be accessed at http://apps.leg.wa.gov/wac/.

2. Amendment. This Contract may only be modified by a written amendment signed by both parties. Only personnel authorized to bind each of the parties may sign an amendment.

3. Assignment. The Contractor shall not assign this Contract or any Program Agreement to a third party without the prior written consent of DSHS.

4. Billing Limitations.
a. DSHS shall pay the Contractor only for authorized services provided in accordance with this Contract.
b. DSHS shall not pay any claims for payment for services submitted more than twelve (12) months after the calendar month in which the services were performed.
c. The Contractor shall not bill and DSHS shall not pay for services performed under this Contract, if the Contractor has charged or will charge another agency of the state of Washington or any other party for the same services.

5. Compliance with Applicable Law and Washington State Requirements.
a. Applicable Law. Throughout the performance of this Agreement, Contractor shall comply with all federal, state, and local laws, regulations, and executive orders to the extent they are applicable to this Agreement.
b. Civil Rights and Nondiscrimination.
Contractor shall comply with all federal and state civil rights and nondiscrimination laws, regulations, and executive orders to the extent they are applicable to

(1) Allowing access only to staff that have an authorized business requirement to view the Confidential Information.
(2) Physically Securing any computers, documents, or other media containing the Confidential Information.
(3) Ensure the security of Confidential Information transmitted via fax (facsimile) by:
(a) Verifying the recipient phone number to prevent accidental transmittal of Confidential Information to unauthorized persons.
(b) Communicating with the intended recipient before transmission to ensure that the fax will be received only by an authorized person.
(c) Verifying after transmittal that the fax was received by the intended recipient.
(4) When transporting six (6) or more records containing Confidential Information, outside a Secured Area, do one or more of the following as appropriate:
(a) Use a Trusted System.
(b) Encrypt the Confidential Information, including:
i. Encrypting email and/or email attachments which contain the Confidential Information.
ii. Encrypting Confidential Information when it is stored on portable devices or media, including but not limited to laptop computers and flash memory devices.
Note: If the DSHS Data Security Requirements Exhibit is attached to this contract, this item, 6.b.(4), is superseded by the language contained in the Exhibit.
(5) Send paper documents containing Confidential Information via a Trusted System.
(6) Following the requirements of the DSHS Data Security Requirements Exhibit, if attached to this contract.
c.
Upon request by DSHS, at the end of the Contract term, or when no longer needed, Confidential Information shall be returned to DSHS or Contractor shall certify in writing that they employed a DSHS approved method to destroy the information. Contractor may obtain information regarding approved destruction methods from the DSHS contact identified on the cover page of this Contract.
d. Paper documents with Confidential Information may be recycled through a contracted firm, provided the contract with the recycler specifies that the confidentiality of information will be protected, and the information destroyed through the recycling process. Paper documents containing Confidential Information requiring special handling (e.g. protected health information) must be destroyed on-site through shredding, pulping, or incineration.
e. Notification of Compromise or Potential Compromise. The compromise or potential compromise of Confidential Information must be reported to the DSHS Contact designated on the contract within one (1) business day of discovery. Contractor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or DSHS.

7. Debarment Certification. The Contractor, by signature to this Contract, certifies that the Contractor is not presently debarred, suspended, proposed for debarment, declared ineligible, or voluntarily excluded

16. Contract Renegotiation, Suspension, or Termination Due to Change in Funding. If the funds DSHS relied upon to establish this Contract or Program Agreement are withdrawn, reduced or limited, or if additional or modified conditions are placed on such funding, after the effective date of this contract but prior to the normal completion of this Contract or Program Agreement:
a.
At DSHS's discretion, the Contract or Program Agreement may be renegotiated under the revised funding conditions.
b. At DSHS's discretion, DSHS may give notice to Contractor to suspend performance when DSHS determines that there is reasonable likelihood that the funding insufficiency may be resolved in a timeframe that would allow Contractor's performance to be resumed prior to the normal completion date of this contract.
(1) During the period of suspension of performance, each party will inform the other of any conditions that may reasonably affect the potential for resumption of performance.
(2) When DSHS determines that the funding insufficiency is resolved, it will give Contractor written notice to resume performance. Upon the receipt of this notice, Contractor will provide written notice to DSHS informing DSHS whether it can resume performance and, if so, the date of resumption. For purposes of this subsubsection, "written notice" may include email.
(3) If the Contractor's proposed resumption date is not acceptable to DSHS and an acceptable date cannot be negotiated, DSHS may terminate the contract by giving written notice to Contractor. The parties agree that the Contract will be terminated retroactive to the date of the notice of suspension. DSHS shall be liable only for payment in accordance with the terms of this Contract for services rendered prior to the retroactive date of termination.
c. DSHS may immediately terminate this Contract by providing written notice to the Contractor. The termination shall be effective on the date specified in the termination notice. DSHS shall be liable only for payment in accordance with the terms of this Contract for services rendered prior to the effective date of termination. No penalty shall accrue to DSHS in the event the termination option in this section is exercised.

17. Waiver. Waiver of any breach or default on any occasion shall not be deemed to be a waiver of any subsequent breach or default.
Any waiver shall not be construed to be a modification of the terms and conditions of this Contract. Only the CCLS Chief or designee has the authority to waive any term or condition of this Contract on behalf of DSHS.

Additional General Terms and Conditions—Interlocal Agreements:

18. Disputes. Both DSHS and the Contractor ("Parties") agree to work in good faith to resolve all conflicts at the lowest level possible. However, if the Parties are not able to promptly and efficiently resolve, through direct informal contact, any dispute concerning the interpretation, application, or implementation of any section of this Agreement, either Party may reduce its description of the dispute in writing, and deliver it to the other Party for consideration. Once received, the assigned managers or designees of each Party will work to informally and amicably resolve the issue within five (5) business days. If managers or designees are unable to come to a mutually acceptable decision within five (5) business days, they may agree to issue an extension to allow for more time.
If the dispute cannot be resolved by the managers or designees, the issue will be referred through each Agency's respective operational protocols, to the Secretary of DSHS ("Secretary") and the Contractor's

pass-through entity;
(2) Maintain internal controls that provide reasonable assurance that the Contractor is managing federal awards in compliance with laws, regulations, and provisions of contracts or grant agreements that could have a material effect on each of its federal programs;
(3) Prepare appropriate financial statements, including a schedule of expenditures of federal awards;
(4) Incorporate 2 CFR Part 200, Subpart F audit requirements into all agreements between the Contractor and its Subcontractors who are subrecipients;
(5) Comply with the applicable requirements of 2 CFR Part 200, including any future amendments to 2 CFR Part 200, and any successor or replacement Office of Management and Budget (OMB) Circular or regulation; and
(6) Comply with the Omnibus Crime Control and Safe Streets Act of 1968, Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, Title II of the Americans with Disabilities Act of 1990, Title IX of the Education Amendments of 1972, The Age Discrimination Act of 1975, and The Department of Justice Non-Discrimination Regulations, 28 C.F.R. Part 42, Subparts C.D.E. and G, and 28 C.F.R. Part 35 and 39. (Go to https://ojp.gov/about/offices/ocr.htm for additional information and access to the aforementioned Federal laws and regulations.)
b. Single Audit Act Compliance. If the Contractor is a subrecipient and expends $750,000 or more in federal awards from any and/or all sources in any fiscal year, the Contractor shall procure and pay for a single audit or a program-specific audit for that fiscal year.
Upon completion of each audit, the Contractor shall:
(1) Submit to the DSHS contact person the data collection form and reporting package specified in 2 CFR Part 200, Subpart F, reports required by the program-specific audit guide (if applicable), and a copy of any management letters issued by the auditor;
(2) Follow-up and develop corrective action for all audit findings; in accordance with 2 CFR Part 200, Subpart F; prepare a "Summary Schedule of Prior Audit Findings" reporting the status of all audit findings included in the prior audit's schedule of findings and questioned costs.
c. Overpayments. If it is determined by DSHS, or during the course of a required audit, that the Contractor has been paid unallowable costs under this or any Program Agreement, DSHS may require the Contractor to reimburse DSHS in accordance with 2 CFR Part 200.

22. Termination.
a. Default. If for any cause, either party fails to fulfill its obligations under this Agreement in a timely and proper manner, or if either party violates any of the terms and conditions contained in this Agreement, then the aggrieved party will give the other party written notice of such failure or violation. The responsible party will be given 15 working days to correct the violation or failure. If the failure or violation is not corrected, this Agreement may be terminated immediately by written notice from the aggrieved party to the other party.
b. Convenience. Either party may terminate this Interlocal Agreement for any other reason by providing 30 calendar days' written notice to the other party.

Special Terms and Conditions

1. Definitions Specific to Special Terms: The words and phrases listed below, as used in this Contract, shall each have the following definitions:
a. "Applicant(s)" means individuals submitting an application, a renewal or reporting a change for benefits or services.
b. "Assisting Agency" means community or faith based organizations, tribal, city, or county municipalities who provide trained employees or volunteers to help applicants complete and submit online applications through Washington Connection. These agencies must sign a Data Share Agreement with DSHS and each employee and volunteer of the agency with access to Applicant information must complete a DSHS non-disclosure form. Any reference to Assisting Agency includes the Assisting Agency's employees, agents, officers, subcontractors, third party contractors, volunteers, or directors.
c. "Authorized Representative" means someone designated by the Applicant to talk with DSHS about his/her benefits. This individual is authorized to act on the Applicant's behalf for eligibility purposes.
d. "Contractor Contact", referenced on page one of this agreement, means the person who handles the day-to-day duties related to this agreement. This person may or may not be the one who signs this agreement on behalf of the Contractor.
e. "Data" means the information that is exchanged as described by this Agreement that is specifically protected by law which may impose penalties for wrongful disclosure. This includes protected health information under the HIPAA Privacy Rule.
f. "ESA" means Economic Services Administration.
g. "SAW" means SecureAccess Washington. SAW is a single sign-on application gateway created by Washington State's Department of Information Services to access government services accessible via the Internet.
h. "Washington Connection" means the web-based benefit portal that provides access to a broad array of federal, state and local services and benefits to address basic needs.

2.
Purpose—To allow an Assisting Agency to help Washington residents complete an online application to provide more effective access to available federal, state and local services through the Washington Connection benefit portal and carry out other activities designed to help them maintain eligibility. This agreement also includes contractors that submit paper applications to DSHS.

3. Statement of Work—The Contractor shall provide the services and staff, and otherwise do all things necessary for or incidental to the performance of work, as set forth below:
a. The Assisting Agency listed on page one of this Data Share Agreement is the Contractor, and DSHS is the Data Provider in this agreement. In exchange for the receipt of information, the Contractor agrees to abide by the terms and conditions in this agreement.
(1) Anyone at the Contractor agency with access to Data will be required to read and complete a non-disclosure agreement annually. The Contractor must maintain these forms and make them available for inspection.
(2) When Contractors use Washington Connection for applications, DSHS will work with them to:
(a) Establish access to the DSHS Washington Connection and online application.

household if that person is not registered in the Address Confidentiality Program (ACP):
(a) Application Status: A = approved; P = Pending; D = Denied; M = Pending Spenddown (with base period and remaining amount)
(b) Eligibility history (3 month rolling) from DSHS and/or HCA
(c) Benefit amount for cash and food assistance programs only
(d) Number in the household associated with cash, food and medical benefits
(e) Benefit end date for each certification period (cash, food, medical, and childcare)
(f) Child's name receiving childcare services
(g) Childcare provider name for each child
(h) Copayment amount for each child
(i) Gross earned income
(3) Requirements for Access
(a) Access to Data shall be limited to staff (including employees and volunteers) whose duties specifically require access to such Data in the performance of their assigned duties. Prior to making Data available to its staff, Contractor shall notify all such staff of the Use and Disclosure requirements.
(b) All staff accessing the data shall sign a Nondisclosure of Confidential Information form, or its replacement, each year and agree to adhere to the use and disclosure requirements. The signed, original form and a regularly updated list of staff with access to the Data shall be maintained by the Contractor and submitted to the Data Provider upon request.
(c) The Contractor must remind staff annually of nondisclosure requirements and make available to DSHS upon request evidence that they have reminded all staff with access to Applicant data of the limitations, use or publishing of data.
(d) The Contractor must immediately notify the DSHS contact person listed on page one when any staff with access to the Data is terminated from employment or when his or her job duties no longer require access to Data.
d.
Limitations on Use of Data
If the Data and analyses generated by the Contractor contain Confidential Information about DSHS Applicants, then any and all reports utilizing these Data shall be subject to review and approval by the Data Provider prior to publication in any medium or presentation in any forum.

b. The data to be shared under this agreement is confidential in nature and is subject to state and federal confidentiality requirements that bind the Contractor, its employees, and its subcontractors to protect the confidentiality of the personal information contained in ESA data. Contractors may use personal data and other data gained by reason of this agreement only for the purpose of this agreement.
c. The Contractor shall maintain the confidentiality of personal data in accordance with state and federal laws, and shall have adequate policies and procedures in place to ensure compliance with confidentiality requirements, including restrictions on re-disclosure.
d. Neither party shall link the Data with Personal Information or individually identifiable data from any other source nor re-disclose or duplicate the Data unless specifically authorized to do so in this Agreement.

7. Consideration
There is no cost to either party as each will pay for its own costs to perform this contract.

8. Payment
a. The Contractor will receive the information provided under this agreement at no charge. Each party shall be responsible for any expenses incurred in providing or receiving information.
b. The Contractor is responsible for any costs associated with accessing Applicant data. This includes any costs for hardware/software upgrades, and costs to improve any systems or processors that will enable the Contractor to access the data.

9. Compensation
a.
The Contractor shall not charge the applicant for services or time rendered while assisting with application, renewal, or reporting changes to the Department of Social and Health Services.
b. If the applicant requests additional services not included herewith, these services may be subject to fees and should be authorized in writing and signed by the applicant and Contractor under the auspice of separate agreement.

10. Disputes
Either party may submit a request for resolution of a Contract dispute (rates set by law, regulation or DSHS policy are not disputable). The requesting party shall submit a written statement identifying the issue(s) in dispute and the relative positions of the parties. A request for a dispute resolution must include the Contractor's name, address, and Contract number, and be mailed to the address listed below within 30 calendar days after the party could reasonably be expected to have knowledge of the issue in dispute.
DSHS/Community Services Division
PO Box 45470
Olympia, WA 98504-5470
Attn. Contracts Unit

11. Contractor Information
The Contractor shall forward to the DSHS Contact person named on page one (1) of this contract (or

Exhibit A—Data Security Requirements

1. Definitions. The words and phrases listed below, as used in this Exhibit, shall each have the following definitions:
a. "AES" means the Advanced Encryption Standard, a specification of Federal Information Processing Standards Publications for the encryption of electronic data issued by the National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf).
b. "Authorized User(s)" means an individual or individuals with a business need to access DSHS Confidential Information, and who has or have been authorized to do so.
c. "Business Associate Agreement" means an agreement between DSHS and a contractor who is receiving Data covered under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996. The agreement establishes permitted and required uses and disclosures of protected health information (PHI) in accordance with HIPAA requirements and provides obligations for business associates to safeguard the information.
d. "Category 4 Data" is data that is confidential and requires special handling due to statutes or regulations that require especially strict protection of the data and from which especially serious consequences may arise in the event of any compromise of such data. Data classified as Category 4 includes but is not limited to data protected by: the Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191 as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), 45 CFR Parts 160 and 164; the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g; 34 CFR Part 99; Internal Revenue Service Publication 1075 (https://www.irs.gov/pub/irs-pdf/p1075.pdf); Substance Abuse and Mental Health Services Administration regulations on Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2; and/or Criminal Justice Information Services, 28 CFR Part 20.
e. "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a network outside the control of the Contractor. Physical storage of data in the cloud typically spans multiple servers and often multiple locations. Cloud storage can be divided between consumer grade storage for personal files and enterprise grade for companies and governmental entities. Examples of consumer grade storage would include iTunes, Dropbox, Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, and Rackspace.
f. "Encrypt" means to encode Confidential Information into a format that can only be read by those possessing a "key"; a password, digital certificate or other mechanism available only to authorized users. Encryption must use a key length of at least 256 bits for symmetric keys, or 2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must be used if available.
g. "FedRAMP" means the Federal Risk and Authorization Management Program (see www.fedramp.gov), which is an assessment and authorization process that federal government agencies have been directed to use to ensure security is in place when accessing Cloud computing products and services.
h. "Hardened Password" means a string of at least eight characters containing at least three of the following four character classes: Uppercase alphabetic, lowercase alphabetic, numeral, and special characters such as an asterisk, ampersand, or exclamation point.

which defines sanctions that may be applied to Contractor staff for violating that policy.
b. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.
c. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.

4. Authorization, Authentication, and Access. In order to ensure that access to the Data is limited to authorized staff, the Contractor must:
a. Have documented policies and procedures governing access to systems with the shared Data.
b. Restrict access through administrative, physical, and technical controls to authorized staff.
c.
Ensure that user accounts are unique and that any given user account logon ID and password combination is known only to the one employee to whom that account is assigned. For purposes of non-repudiation, it must always be possible to determine which employee performed a given action on a system housing the Data based solely on the logon ID used to perform the action.
d. Ensure that only authorized users are capable of accessing the Data.
e. Ensure that an employee's access to the Data is removed immediately:
(1) Upon suspected compromise of the user credentials.
(2) When their employment, or the contract under which the Data is made available to them, is terminated.
(3) When they no longer need access to the Data to fulfill the requirements of the contract.
f. Have a process to periodically review and verify that only authorized users have access to systems containing DSHS Confidential Information.
g. When accessing the Data from within the Contractor's network (the Data stays within the Contractor's network at all times), enforce password and logon requirements for users within the Contractor's network, including:
(1) A minimum length of 8 characters, and containing at least three of the following character classes: uppercase letters, lowercase letters, numerals, and special characters such as an asterisk, ampersand, or exclamation point.
(2) That a password does not contain a user's name, logon ID, or any form of their full name.
(3) That a password does not consist of a single dictionary word. A password may be formed as a passphrase which consists of multiple dictionary words.
(4) That passwords are significantly different from the previous four passwords. Passwords that increment by simply adding a number are not considered significantly different.
h.
When accessing Confidential Information from an external location (the Data will traverse the Internet or otherwise travel outside the Contractor's network), mitigate risk and enforce password and logon requirements for users by employing measures including:

authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
For DSHS Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secure Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data, as outlined below in Section 8 Data Disposition, may be deferred until the disks are retired, replaced, or otherwise taken out of the Secure Area.
c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided by DSHS on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secure Area. When not in use for the contracted purpose, such discs must be stored in a Secure Area. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided by DSHS on optical discs which will be attached to network servers and which will not be transported out of a Secure Area.
Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

e. Paper documents. Any paper records must be protected by storing the records in a Secure Area which is only accessible to authorized personnel. When not in use, such records must be stored in a Secure Area.

f. Remote Access. Access to and use of the Data over the State Governmental Network (SGN) or Secure Access Washington (SAW) will be controlled by DSHS staff who will issue authentication credentials (e.g. a Unique User ID and Hardened Password) to Authorized Users on Contractor's staff. Contractor will notify DSHS staff immediately whenever an Authorized User in possession of such credentials is terminated or otherwise leaves the employ of the Contractor, and whenever an Authorized User's duties change such that the Authorized User no longer requires access to perform work for this Contract.

g. Data storage on portable devices or media.

(1) Except where otherwise specified herein, DSHS Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the terms and conditions of the Contract. If so authorized, the Data shall be given the following protections:

(a) Encrypt the Data.

(b) Control access to devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics.
(f) The Data will not be downloaded to non-authorized systems, meaning systems that are not on either the DSHS or Contractor networks.

(g) The Data will not be decrypted until downloaded onto a computer within the control of an Authorized User and within either the DSHS or Contractor's network.

(2) Data will not be stored on an Enterprise Cloud storage solution unless either:

(a) The Cloud storage provider is treated as any other Sub-Contractor, and agrees in writing to all of the requirements within this exhibit; or,

(b) The Cloud storage solution used is FedRAMP certified.

(3) If the Data includes protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior to Data being stored in their Cloud solution.

6. System Protection. To prevent compromise of systems which contain DSHS Data or through which that Data passes:

a. Systems containing DSHS Data must have all security patches or hotfixes applied within 3 months of being made available.

b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have been applied within the required timeframes.

c. Systems containing DSHS Data shall have an Anti-Malware application, if available, installed.

d. Anti-Malware software shall be kept up to date. The product, its anti-virus engine, and any malware database the system uses, will be no more than one update behind current.

7. Data Segregation.

a. DSHS Data must be segregated or otherwise distinguishable from non-DSHS data. This is to ensure that when no longer needed by the Contractor, all DSHS Data can be identified for return or destruction. It also aids in determining whether DSHS Data has or may have been compromised in the event of a security breach. As such, one or more of the following methods will be used for data segregation.
(1) DSHS Data will be kept on media (e.g. hard disk, optical disc, tape, etc.) which will contain no non-DSHS Data. And/or,

(2) DSHS Data will be stored in a logical container on electronic media, such as a partition or folder dedicated to DSHS Data. And/or,

(3) DSHS Data will be stored in a database which will contain no non-DSHS data. And/or,

(4) DSHS Data will be stored within a database and will be distinguishable from non-DSHS data by the value of a specific field or fields within database records.

(5) When stored as physical paper documents, DSHS Data will be physically segregated from non-DSHS data in a drawer, folder, or other container.
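One way to check a candidate password against the password and logon requirements in items g(1) through g(4) above, added here as an illustration and not part of the Agreement. The word list, the `stem` normalization used to read "single dictionary word" and "significantly different", and the salted-digest password history are assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "sunshine", "mountain"}
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

def stem(pw):
    """Lowercase and strip leading/trailing non-letters: 'Harbor2024!' -> 'harbor'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())

def stem_digest(pw, salt):
    """Salted PBKDF2 digest of the stem, so history is not kept in clear (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", stem(pw).encode(), salt, 100_000)

def violations(pw, logon_id, full_name, salt, history):
    """Return the labels of the rules g(1)-g(4) that pw breaks.

    history holds stem digests of earlier passwords, oldest first.
    """
    broken = []
    # g(1): at least 8 characters and three of the four character classes.
    classes = sum(bool(re.search(c, pw)) for c in CLASSES)
    if len(pw) < 8 or classes < 3:
        broken.append("g(1)")
    # g(2): no logon ID or name part (parts under 3 characters are ignored, an assumption).
    parts = [logon_id.lower(), *re.split(r"\W+", full_name.lower())]
    if any(p in pw.lower() for p in parts if len(p) >= 3):
        broken.append("g(2)")
    # g(3): a single dictionary word, even when decorated with digits or symbols.
    if stem(pw) in DICTIONARY:
        broken.append("g(3)")
    # g(4): same stem as one of the previous four, which catches number increments.
    digest = stem_digest(pw, salt)
    if any(hmac.compare_digest(digest, old) for old in history[-4:]):
        broken.append("g(4)")
    return broken

# Constructed sample account data.
SALT = b"constructed-salt"
HISTORY = [stem_digest(p, SALT) for p in ("Harbor!Lights2023", "Cedar#River88")]
```

An empty list means the candidate passes all four checks; a passphrase of several dictionary words passes g(3) because only the whole stem is looked up.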