The URL can be used to link to this page

Home My WebLink AboutAgenda Report - June 7, 2023 C-20I T ( C) F ?Z10 I C_ALI FOR N IA COUNCIL COMMUNICATION AGENDA ITEM C• M0 AGENDA TITLE: Adopt a Resolution Accepting Funds from San Joaquin County Health Commission, operating and doing business as Health Plan of San Joaquin (HPSJ) in the amount of $3,000,000 and Appropriate $3,000,000 for a Transitional and Supportive Housing Project at Main Street and Authorize the City Manager to Execute the MOU and Business Associates Agreement MEETING DATE: June 07, 2023 PREPARED BY: Community Development Director RECOMMENDED ACTION: Adopt a resolution accepting funds from San Joaquin County Health Commission, operating and doing business as Health Plan of San Joaquin (HPSJ) in the amount of $3,000,000 and appropriate $3,000,000 for a transitional and supportive housing project at Main Street and authorize the City Manager to execute the MOU and Business Associates Agreement. BACKGROUND INFORMATION: On November 4, 2020, the City Council adopted the San Joaquin Community Response to Homelessness — 2020 San Joaquin Strategic Plan (Strategic Plan). The Strategic Plan includes goals and strategies developed from community feedback, which includes increasing access and reducing barriers to homeless crisis response services and ensure households experiencing homelessness have access to affordable housing. With the Access Center Project moving forward and the Temporary Access Center currently open for operation, the need for transitional and supportive housing in Lodi is even more apparent. In accordance with the American Rescue Plan Act (ARPA) of 2021, Department of Health Care Service (DHCS) developed a Medi -Cal Home and Community -Based Services (HCBS) Spending Plan detailing a series of initiatives to enhance, expand and strengthen HCBS in California. The Housing and Homelessness Incentive Program (HHIP) is one of the HCBS Transition Initiatives and is intended to support the delivery and coordination of health and housing services for Medi - Cal members statewide. HHIP is intended to bolster housing and homelessness -focused efforts and investments at local levels, with the aim of building or expanding capacity and partnerships to connect Medi -Cal members to needed housing services and achieving progress in reducing and preventing homelessness. As part of these efforts to meet HHIP program priorities and measures, HPSJ is partnering with local partners and organizations which deliver housing, or supportive services to Medi -Cal members who are homeless or at risk of homelessness. When City Staff became aware of this potential funding opportunity, they began discussions with HPSJ and submitted a proposal to purchase an existing hotel and convert 40 +/- units to transitional and supportive housing units. The project would allow for individuals that have jobs or other steady income (SS, SSDI, VA, etc.) to be housed in a transitional setting with continued APPROVED: �_ -- 1 -_ Stephen Schwabauer, City Manager Adopt Resolution Accepting and Appropriate Funds from HPSJ June 07, 2023 Page 2 of 2 wraparound services until they are able to progress to other permanent housing opportunities. After the second round of funding became available, HPSJ staff presented the Lodi proposal to their Board and it was approved and $3,000,000 was awarded to the project on April 26, 2023. Funds must be fully expended by the end of the 2023 calendar year, Staff are working diligently to move the project forward timely. Staff recommends that the City Council adopt a resolution accepting funds from San Joaquin County Health Commission, operating and doing business as HPSJ in the amount of $3,000,000 and appropriate $3,000,000 for a transitional and supportive housing project at Main Street and authorize the City Manager to execute the MOU and Business Associates Agreement. FISCAL IMPACT: The HPSJ grant will provide $3,000,000 in funds for the Acquisition and development of transitional and affordable housing. FUNDING AVAILABLE- Revenue: 35500000.56005 $3,000,000 Expenditures: 35599000.77020 $3,000,000 Andrew Keys Andrew Keys, Deputy City Manager/Internal Services Director < � 1. - " �tc �-) � John. Della Monica, Jr. Comi unity Development Direltor Attachments: 1. HPSJ MOU and BAA Agreement 2. Capital Improvement Plan — Transitional Housing Project Signature: amjr� /lip Email: akeys@lodi.gov Health Plan of San Joaquin MEMORANDUM OF UNDERSTANDING BETWEEN HEALTH PLAN OF SAN JOAQUIN AND CITY OF LODI THIS MEMORANDUM OF UNDERSTANDING ("MOU") is made and entered into the th day of June2023 by and between the SAN JOAQUIN COUNTY HEALTH COMMISSION, operating and doing business as HEALTH PLAN OF SAN JOAQUIN ("HPSJ"), a local initiative established under Section 5-7100 of the Ordinance Code of San Joaquin County, with a principal place of business at 7751 South Manthey Road, French Camp, CA 95231-9802 and City of Lodi, a municipal corporation ("CITY"), with a principal place of business at 221 W. Pine Street. P.O. Box 3006, Lodi, California 95241-1910. HPSJ and CITY may each be referred to herein as "Party" or collectively the "Parties." RECITALS WHEREAS, the Parties desire to enter into this MOU to establish guidelines for a cooperative working relationship between HPSJ and City of Lodi for successful implementation of incentive payments linked to the Housing and Homelessness Incentive Program ("HHIP") for the City of Lodi; WHEREAS, in accordance with the American Rescue Plan Act ("ARPA") of 2021, DHCS developed a Medi -Cal Home and Community -Based Services ("HCBS") Spending Plan detailing a series of initiatives to enhance, expand and strengthen HCBS in California. The HHIP is one of the HCBS Transition Initiatives and is intended to support the delivery and coordination of health and housing services for Medi -Cal members statewide. HHIP is intended to bolster housing and homelessness -focused efforts and investments at local levels, with the aim of building or expanding capacity and partnerships to connect Medi -Cal members to needed housing services and achieving progress in reducing and preventing homelessness; WHEREAS, DHCS established required submissions and deliverables for managed care plans in participating counties to identify current state, priorities, investments, and monitor progress for HHIP; and will be distributing incentives for plans to oversee and administer payment for HHIP project(s); WHEREAS, as part of efforts to meet HHIP program priorities and measures, HPSJ will partner with local partners and organizations which deliver housing, or supportive services to Medi -Cal members who are homeless or at risk of homelessness; WHEREAS, the CITY provides housing, or supportive services to address homelessness or housing insecurity for HPSJ Medi -Cal members; HPSJ /City of Lodi CONFIDENTIAL Page 1 of 10 Effective 05/XX/2023 Health Planei- of San Joaquin WHEREAS, CITY's project(s) have been identified as an investment activity based on the CITY's HHIP initial project submission; and WHEREAS, HPSJ is responsible for oversight and administration of payments to the provider consistent with the terms of the HHIP. AGREEMENT NOW, THEREFORE, the Parties hereby agree as follows: 1) EFFECTIVE DATE AND TERM a. This MOU shall be effective June 7, 2023 and will continue through and including March 31, 2024 or dates determined by the Department of Health Care Services (DHCS), unless otherwise terminated by either Party to this MOU as prescribed in paragraph 12. 2) SCOPE OF WORK The CITY is responsible for the implementation of and compliance with the project description as set forth in their HHIP Program application, which is attached as Exhibit A and incorporated here by reference, including reporting of incremental achievement of milestones and objectives. The CITY shall promptly notify the plan of any material change in information submitted in support of the project(s) or the HHIP program application, including changes in organizational leadership, business operations, and financial standing. The plan is responsible for overseeing the project(s), specifically to monitor and verify milestone achievement and administering payments consistent with the terms of the project(s) or the HHIP program application, any terms imposed as a condition of state or federal approval of the HHIP program, and any subsequent DHCS guidance related to HHIP. 3) RESPONSIBILITIES OF CITY CITY shall provide the following: a. Assist HPSJ in identifying key details for investments including but not limited to populations served, services and activities, community needs, required funding, lead entities, milestones, and timing. b. Commit to identified HHIP projects, complete required application and documents and accept incentive funding for specified investments in support of the provision of housing and homelessness related services to HPSJ Medi -Cal members. HPSJ /City of Lodi CONFIDENTIAL Page 2 of 10 Effective 05/XX/2023 Health Plan of San Joaquin c. Utilize HHIP incentive funding solely for identified and agreed upon investments and activities and for carrying out project activities and milestones as set forth in approved projects. d. Cooperate and facilitate engagement and implementation activities in support of HHIP program goals and measures. e. Perform tasks necessary to projects or milestones for HHIP. The CITY shall document and provide HPSJ with information necessary to demonstrate incremental progress in for HHIP program goals and measures in a file or format as specified by HPSJ. f. Promptly notify HPSJ of any material change in information including changes in organizational leadership, business operations, and financial standing. g. Make efforts to establish data sharing agreements as applicable to enable timely exchange of member information and delivery of services. h. CITY shall ensure eligibility to receive the funds and non -duplication with other federal or state funding sources. i. Agree to comply with all applicable state and federal laws and regulations, MOU requirements, DHCS guidance, including All Plan Letters (APLs) and Policy Letters (PLs), and contractual terms and conditions as imposed by DHCS. j. CITY shall make all premises, facilities, equipment, books, records, papers, and contracts, computer systems available for inspection, examination or copying for purposes of an audit or monitoring. 4) RESPONSIBILITIES OF HPSJ HPSJ shall provide the following: a. Support partnerships between social service agencies, counties, and public health agencies, and public and community-based housing agencies in support of the following HHIP program goals and as efforts to address homelessness. b. Oversee project(s), including monitoring and verifying milestone achievement and administering payments consistent with the terms of the project(s) or the HHIP submission, and any subsequent state, federal, or DHCS guidance. c. Collect and evaluate information related to the CITY's project(s) for the purposes of ensuring progress toward the business provider's goals and objectives, program achievement and reporting to DHCS. HPSJ /City of Lodi CONFIDENTIAL Page 3 of 10 Effective 05/XX/2023 Health Plan%+/ of San Joaquin d. HPSJ will report to the DHCS on the project status in accordance with required HHIP submissions and deliverables and as required by DHCS. e. HPSJ is responsible for the administration of HHIP funds as set forth in section 5 below. 5) FUNDING a. HPSJ will make incremental payments on agreed upon projects or investments as outlined in Exhibit A. HPSJ will initiate processing of payments to the CITY upon receipt of MOU, all required documents, and updates. b. The specified projects will be deemed complete and fully funded only when milestones as set forth in approved project(s) have been met. c. There is no guarantee of funding. This program may be subject to recoupment for reasons including but not limited to: failure to participate, failure to engage in minimum level of efforts, or any overpayment as identified by HPSJ. d. The plan may adjust milestone measurement and related payments as needed and may delay payment for non -reporting or non-compliance with program terms. The plan will not make any milestone payment until all past due reporting is complete. Proposed funding as outlined within Exhibit A is based on information known and available to HPSJ and may be modified in accordance with payments made by DHCS and new developments. 6) LIAISON The plan and CITY will each designate a liaison(s) to serve as a point of contact of activities performed related to this MOU. 7) MOU MONITORING The plan and CITY will meet on a mutually agreed upon frequency, or upon request to monitor the performance of each Parties' responsibilities related to this MOU. 8) REPRESENTATIONS Both Parties make the following representations, which are agreed to be material to and form a part of the inducement for this MOU: a. HPSJ and the City of Lodi have the support staff and facilities necessary to provide the services described in this MOU; and HPSJ /City of Lodi CONFIDENTIAL Page 4 of 10 Effective 05/XX/2023 Health Plane= of San Joaquin b. HPSJ and the City of Lodi have the expertise and authority to provide the services described above. 9) ASSIGNMENT This MOU is not assignable. 10) COMPENSATION Each Party will be responsible for its own costs and fees. 11) INDEMNIFICATION Each Party agrees that it shall indemnify, defend and hold harmless the other Party, its agents, elected officials, appointed officials, officers, volunteers, authorized representatives, and employees from any and all losses, liabilities, costs, expenses, charges, damages, claims, liens, and causes of actions, or whatsoever kind of nature, including, but not limited to, reasonable attorney's fees, which are in any manner directly or indirectly caused, occasioned or contributed to in whole or in part, through any act, omission, fault, or negligence, whether active or passive, of said Party or said Party's officers, agents, employees, or authorized representatives, which relates in any manner to this MOU, any work to be performed by said Party arising from the operation of this MOU, of any authorized delegated to said Party under this MOU, except those injuries or damages that are the result of willful acts or the sole negligence of the other Party, its officers, agents, or employees. 12) TERMINATION This MOU may be terminated for the following reasons: a. For Cause. If any Party materially breaches the terms of this MOU, the other Party shall have the following alternative remedies: Immediately terminate this MOU. ii. All other remedies provided by law. b. For Convenience. Either Party to this MOU may for any reason or no reason terminate this MOU at any time by giving the other Party thirty (30) days written notice of such termination. Termination shall have no effect upon the rights and obligations of the Parties arising out of any transaction occurring prior to the effective date of such termination. c. Non -Appropriation. HPSJ reserves the right to terminate this MOU in the event insufficient funds are appropriated or budgeted for this MOU in any fiscal year. Upon HPSJ /City of Lodi CONFIDENTIAL Page 5 of 10 Effective 05/XX/2023 Health Plan of San Joaquin such termination, thirty (30) days written notice will notify Parties that such an action is required by the HPSJ. If this MOU is completely or partially terminated, the records or data relating to the work terminated shall be transferred to HPSJ within five (5) working days and be permanently removed from CITY's electronic system. 13) NOTICES Notices to be given by one Party to the other under this MOU shall be given in writing by email, personal delivery, by certified mail, return receipt requested, or express delivery service at the addresses specified below. Notices delivered personally shall be deemed received upon receipt; mailed or expressed notices shall be deemed received four (4) days after deposit. A Party may change the address to which notice is to be given by giving notice as provided above. If to CITY, to: If to HPSJ, to: Attn: Stephen Schwabauer, City Manager Attn: Chief Compliance Officer City of Lodi Health Plan of San Joaquin 221 W. Pine Street 7751 South Manthey Road P.O. Box 3006 French Camp, CA 95231-9802 Lodi, CA 95241-1910 eMail: PrivacvOfficer(c4hosi.conl eMail: sschwabauer@lodi.gov Copy to: irh ne 1odi. ov 14) SOLE AGREEMENT This MOU, including all attachments hereto, contains the entire agreement between the Parties relating to the services, rights, obligations and covenants contained herein and assumed by the Parties respectively. No inducements, representations or promises have been made, other than those recited in this MOU. No oral promise, modification, change or inducement shall be effective or given any force or effect. 15) MODIFICATIONS OF MOU This MOU may only be modified in writing, signed by the Parties in interest at the time of the modification. 16) CONFIDENTIALITY a. The plan and provider collaboration in support of project(s) may require the exchange of confidential or proprietary information ("Confidential Information") as may be identified by either Party. The plan and provider agree to abide by processes and requirements applicable to the exchange of either's respective Confidential HPSJ /City of Lodi CONFIDENTIAL Page 6 of 10 Effective 05/XX/2023 Health Plan of San Joaquin Information, in accordance with applicable state or federal law. CITY shall adhere to all HIPAA regulations outlined in HIPAA Business Associate Agreement attached as Exhibit B. b. The Parties shall comply and require its officers, employees, agents, and/or subcontractors to comply with the provisions of Welfare and Institutions Code Section 10850 which requires the confidentiality of applications and records concerning individuals receiving public social services to insure that: The applications and records of all individuals made or kept by a public officer or agency in connection with the administration of the provisions of the Welfare and Institutions Code relating to any form of public social services for which grants in aid are received by the State or Federal Government will be confidential and will not be open to examination for any purpose not directly connected with the administration of public social services or as required by law; and ii. No person will publish or disclose, or use or permit, or cause to be published, disclosed, or used, any Confidential Information pertaining to an applicant or recipient of public social services. iii. The Parties shall inform all officers, employees, agents and/or subcontractors of the above requirements and that any person knowingly and intentionally violating the provisions of State law is guilty of a misdemeanor. 17) GOVERNING LAW Both Parties shall observe and comply with all applicable County, State and Federal laws, ordinances, rules and regulations now in effect or hereafter enacted, each of which are hereby made a part hereof and incorporated herein by reference. This MOU shall be governed by and construed in accordance with California Law to the extent not preempted by applicable federal law. Venue for any proceeding shall be the appropriate federal or state superior court in San Joaquin County, CA. 18) NONDISCRIMINATION The Parties agree to be bound by the law related to Nondiscrimination in State and Federally Assisted Programs. 19) CONFLICTS OF INTEREST Both Parties shall observe and comply with all Government Codes and the following: a. The Parties have read and are aware of the provisions of Sections 1090 et seq. and 87100 et seq. of the Government Code relating to conflict of interest of public officers and employees and agree to be bound thereby. The Parties certify that they are unaware of any financial or economic interest of any public officer or employee HPSJ /City of Lodi CONFIDENTIAL Page 7 of 10 Effective 05/XX/2023 Health Plan of San Joaquin relating to this MOU. It is further understood and agreed that if such a financial interest does exist at the inception of this MOU, the Parties may immediately terminate this MOU by giving written notice thereof. b. The Parties certify that its employees and officers of its governing body shall avoid any actual or potential conflicts of interest and that no officer or employee who exercises any functions or responsibilities in connection with this MOU shall have any personal financial interest or benefits which either directly or indirectly arises from this MOU. c. The Parties shall establish safeguards to prohibit its employees or its officers from using their positions for a purpose that could result in private gain or that gives the appearance of being motivated for private gain for themselves or others, particularly those with whom they have family or business ties. 20) RELATIONSHIP OF PARTIES The Parties agree that in undertaking the obligations provided under this MOU, each shall act as independent contractors and not as employees or related entities on behalf of the other Party. 21) SIGNATURE AUTHORITY Each Party represents that they have full power and authority to enter into and perform this MOU, and the person signing this MOU on behalf of each Party has been properly authorized and empowered to enter into this MOU_ [Signatures to Follow] HPSJ /City of Lodi CONFIDENTIAL Page 8 of 10 Effective 05/XX/2023 Health Plan of San Joaquin IN WITNESS TO WHICH, each Party to this MOU has signed this MOU upon the date indicated, and agrees, for itself, its employees, officers, partners and successors, to be fully bound by all terms and conditions of this MOU. San Joaquin County Health Commission, dba Health Plan of San Joaquin By: Name: Title: Date: City of Lodi, a municipal corporation By: Name: Stephen Schwabauer Title: City Manager Date: ATTEST: Olivia Nashed, City Clerk APPROVED AS TO FORM: Janice D. Magdich, City Attorney K - [Remainder of this page intentionally left blank.] HPSJ /City of Lodi CONFIDENTIAL Page 9 of 10 Effective 05/XX/2023 Health Plane' of San Joaquin EXHIBIT A CITY (Legal Name City of Lodi CITY Tax 94-6000361 Identification Number: Copy of W-9 (Y/N) Y Project Name & City of Lodi — Development of Transitional and Supportive Housing Description: Funding requested to establish transition and supportive housing by providing 44 rentable units to serve approximately 350 members for transitional and long-term supportive housing through the HHIP Program Year 2. To add, this will increase access and reduce barriers to homeless crisis and ensure households experiencing homelessness or at risk of homelessness has access to affordable housing solutions. Project City of Lodi — Development of Transitional and Supportive Housing Timeline/Milestones May 2023: Execute Memorandum of Understanding between HPSJ/City of Lodi May -July 2023: Design and construction documentation complete and acquisition completed August -October 2023: Rehabilitation of building completed November — December 2023: Residents move -in and all invoices submitted to the City for final payments Total Proposed $3,000,000 Funding: Distribution of June 2023: $1,500,000 Proposed Funding: October 2023: $1,500,000 HPSJ /City of Lodi CONFIDENTIAL Page 10 of 10 Effective 05/XX/2023 Health Plan6l�- of San Joaquin EXHIBIT B HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("BAA" or "Agreement"), effective _ th Day of June, 2023 ("Effective Date"), is entered into by and between San Joaquin County Health Commission, operating and doing business as Health Plan of San Joaquin, a local initiative established under Section 5-7100 of the Ordinance Code of San Joaquin County ("HPSJ"), and City of Lodi, a municipal corporation ("Business Associate"). HPSJ and Business Associate may each be referred to herein as "Party" or collectively as "Parties." RECITALS WHEREAS, HPSJ is a health care service plan licensed under the California Knox - Keene Health Care Service Plan Act of 1975, with a principal place of business at 7751 S. Manthey Road, French Camp, CA 95231. WHEREAS, HPSJ is contracted with the California Department of Health Care Services ("DHCS") to provide certain services to Medi -Cal beneficiaries and to arrange for the provision of certain health care services (the "Medi -Cal Contract"). WHEREAS, Business Associate is a an organization/service provider which provides housing and homeless to HPSJ members with a principal place of business at 221 W. Pine Street P.O. Box 3006, Lodi, California 95241-1910. WHEREAS, HPSJ and Business Associate intend to engage in a Memorandum of Understanding ("MOU"), which may require the use or disclosure of Protected Health Information ("PHI") on behalf of HPSJ in the performance of the services described in such MOU (the "Services"). WHEREAS, HPSJ and Business Associate are committed to complying with the Health Information Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") and any regulations promulgated thereunder (collectively, the "HIPAA Rules"), as well as any applicable confidentiality requirements under California law. WHEREAS, HPSJ is also required to incorporate certain provisions of the Medi - Cal Contract into this BAA and impose certain restrictions and conditions on Business Associate with respect to PHI under the Medi -Cal Contract. WHEREAS, Business Associate acting on DHCS' behalf provides services or arranges, performs or assists in the performance of functions or activities on behalf of DHCS, and may create, receive, maintain, transmit, aggregate, use or disclose PHI (collectively, "use or disclose PHI") in order to fulfill Business Associate's obligations under the Medi -Cal Contract. HPSJ /City of Lodi CONFIDENTIAL Page t of 21 Effective June 7. 2023 Health Plane of San Joaquin AGREEMENT NOW THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, and to comply with all applicable legal requirements for the protection of the exchanged infonnation, the Parties agree as follows: Definitions. Terms used but not otherwise defined in this BAA shall have the same meaning as set forth in HIPAA, the HITECH Act, and the HIPAA Rules. Those terms include but are not limited to: Breach, Data, Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary of the U.S. Department of Health and Human Services, Subcontractor, Unsecured Protected Health Information, and Use. Specific definitions are as follows: (a) BAA. "BAA" shall mean this Business Associate Agreement, including the preamble and recitals. (b) BusinessAssocicrte. "Business Associate" shall have the meaning given to such term in 45 CFR 160.103, and with respect to this BAA, shall mean the Business Associate named in the first paragraph of this BAA. (c) CFR. "CFR" shall mean the Code of Federal Regulations. (d) Confidential In?fnrmation. "Confidential Information" shall mean any and all non- public, medical, financial and personal information in whatever form (written oral, visual, or electronic) possessed or obtained by either party. Confidential Information shall include all information which (i) either party has labeled in writing as confidential, (ii) is identified at the time of disclosure as confidential, (iii) is commonly regarded as confidential in the health care industry, or (iv) is Protected Health Information as defined by HIPAA. (e) Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean California Department of Corrections and Rehabilitation, California Correctional Health Care Services (HPSJ). (i) Electronic Protected Ilealth Information or Electronic PHI. "Electronic Protected Health Information or Electronic PHI" shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 CFR 160.103, as applied to the information that Business Associate creates, receives, maintains, or transmits form or on behalf of HPSJ. Electronic PHI shall include Personal Information as defined in California Civil Code Section 17988.80. (g) HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Parts 160 and 164. (h) Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and 164. HPSJ /City of Lodi CONFIDENTIAL Page 2 of 21 Effective June 7, 2023 Health Plan10 of San Joaquin (i) Protected Health Information or PHI. "Protected Health Infonnation" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits from or on behalf of HPSJ. PHI shall include Personal Information as defined in California Civil Code Section 1798.80. 0) Fecarifv Incident. "Security Incident" shall have the same meaning given to such term under the Security Rule, including but not limited to, 45 CFR 164.304. (k) Security Rule. "Security Rule" shall mean the Security Standards at 45 CFR Parts 160 and 164. 2. Permitted Uses and Disclosures. Specific Use and Disclosure Provisions. Except as otherwise indicated in this BAA, Business Associate may: (a) Use and disclose for management and administration. Use and disclose PHI for the proper management and administration of the Business Associate provided that such disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it was aware that the confidentiality of the information has been breached. (b) Provision o fData.4 r re ation Services. Use PHI to provide data aggregation services to HPSJ. Data aggregation means the combining of PHI created or received by the Business Associate on behalf of HPSJ with PHI received by the Business Associate in its capacity as the Business Associate of another covered entity, to permit analyses that relate to the health care operations of HPSJ. (c) Other Use. Except as otherwise indicated in the Medi -Cal Contract, Business Associate may use or disclose PHI, inclusive of de -identified data derived from such PHI, only to perform functions, activities or services specified in this BAA on behalf of DHCS, provided that such use or disclosure would not violate HIPAA or other applicable laws if done by DHCS. Prohibited Uses and Disclosures. Specific Prohibitions on Disclosures. Except as otherwise indicated in this Agreement Business Associate may not: (a) Use or disclosure ofPFll for payment. Business Associate shall not disclose PHI about an individual to a health plan for payment or health care operations purposes if the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full and the individual requests such restriction, in accordance with 42 U.S.C. section 17935(a) and 45 CFR section 164.522(a). (b) Sell or Exchange PHI for Ren7unercrtion. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of HPSJ and as permitted by 42 U.S.C. section 17935(d) (2). (c) Compliance with Other Applicable Law. To the extent that other state and/or federal laws provide additional, stricter HPSJ /City of Lodi CONFIDENTIAL Page 3 of 21 Effective June 7, 2023 Health Plan of San Joaquin and/or more protective (collectively, more protective) privacy and/or security protections to PHI or other confidential information covered under this Agreement beyond those provided through HIPAA, Business Associate agrees: a. To comply with the more protective of the privacy and security standards set forth in applicable state or federal laws to the extent such standards provide a greater degree of protection and security than HIPAA or are otherwise more favorable to the individuals whose information is concerned; and b. To treat any violation of such additional and/or more protective standards as a breach or security incident, as appropriate. (d) Stricter Protections M�U A 1 . Examples of laws that provide additional and/or stricter privacy protections to certain types of PHI and/or confidential information, as defined in the Recitals and Section 1 of this Agreement, include, but are not limited to the Information Practices Act, California Civil Code sections 1798-1798.78, Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2, Welfare and Institutions Code section 5328, and California Health and Safety Code section 11845.5. (e) QSO Requiremenls. If Business Associate is a Qualified Service Organization ("QSO") as defined in 42 CFR section 2.11, Business Associate agrees to be bound by and comply with subdivisions (2)(i) and (2)(ii) under the definition of QSO in 42 CFR section 2.1 l . 4. Obligations of Business Associate. Business Associate agrees: (a) Nondisclosure. Not to use or disclose PHI other than as permitted or required by this Agreement or as required by law. (b) Sad ug ands. To implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI, including electronic PHI, that it creates, receives, maintains, uses or transmits on behalf of HPSJ in compliance with 45 CFR sections 164.308, 164.310 and 165.312, and to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate shall implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of 45 CFR section 164, subpart C, in compliance with 45 CFR section 164.316. Business Associate shall develop and maintain a written information policy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the Business Associate's operations and the nature of the scope of its activities, and which incorporates the requirements of section (c), Security below. Business Associate will provide HPSJ with its current and updated policies. (c) Securi . To take any and all steps necessary to ensure the continuous security of all computerized data systems containing PHI and/or personally identifiable information (PII), and to protect documents containing PHI and/or Pli. These steps shall include, at a minimum: HPSJ /City of Lodi CONFIDENTIAL Page 4 of 21 Effective June 7, 2023 Health Plan of San Joaquin i. To comply with all data system security precautions listed in, Business Associate Data Security Requirements, attached hereto as Attachment "1" and made part hereof by this reference. ii. To achieve and maintaining compliance with the HIPAA Security Rule (45 CFR Parts 160 and 164), as necessary in conducting operations on behalf of HPSJ under this Agreement. iii. To provide a level and scope of security that is at least comparable to the level and scope of security established by the Office of Management and Budget in OMB Circular No. A-130, Appendix III -Security of Federal Automated Information Systems, which sets forth guidelines for automated information systems in Federal agencies; and iv. In case of a conflict between any of the security standards contained in any of these enumerated sources of security standards, the most stringent shall apply. The most stringent means that safeguard which provides the highest level of protection to PHI from unauthorized disclosure. Further, Business Associate must comply with changes to these standards that occur after the effective date of this Agreement. V. Business Associate shall designate a Security Officer to oversee its data security program who shall be responsible for carrying out the requirements of this section and for communicating on security matters with HPSJ. (d) Mifrgafion of ffarmidE kas. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate and its subcontractors in violation of the requirements of this Agreement. (e) Subcontractors. Duty of Business Associate to Comply with HIPAA When Associating with Agents and Subcontractors. i. Business Associate shall notify DHCS immediately upon the discovery of a suspected breach or security incident that involves SSA data. This notification will be provided by email upon discovery of the breach. If Business Associate is unable to provide notification by email, then Business Associate shall provide notice by telephone to DHCS. Business Associate shall provide, upon request by DHCS, a list of all employees and agents and employees who have access to such data, including employees and agents of its agents, to DHCS. ii. Business Associate shall enter written agreements with any agents, including subcontractors and vendors, to whom Business Associates provides PHI or PII received from or created or received by Business Associate on behalf of HPSJ, that impose the same restrictions and conditions on such agents, subcontractors and vendors that apply to Business Associate with respect to such PHI and PII under this Agreement and that comply with all applicable provisions of HIPAA, the HITECH Act, the HIPAA regulations, and the Final Omnibus Rule, including the requirement that any agents, subcontractors or vendors implement reasonable and appropriate administrative, physical, and technical safeguards to protect such PHI and PII. Business Associates are directly liable under the HPSJ /City of Lodi CONFIDENTIAL Page 5 of 21 Effective June 7, 2023 Health Plan of San Joaquin HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A Business Associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Business Associate shall incorporate, when applicable, the relevant provisions of this Agreement into each subcontract or sub award to such agents, subcontractors, and vendors, including the requirements that any security incidents or breaches of unsecured PHI or PII be reported to Business Associate. iii. In accordance with 45 CFR section 164.504(e)(1)(ii), upon Business Associate's knowledge of a material breach or violation by its subcontractor of the agreement between Business Associate and the subcontractor. iv. Business Associate shall: a. Provide an opportunity for the subcontractor to cure the breach or end the violation and terminate the agreement if the subcontractor does not cure or end the violation within the time specified by HPSJ; or b. Immediately terminate the agreement if the subcontractor has breached a material term of the agreement and cure is not possible. (f) Availability of InIbrmatioin to HP&I and indh4duals. To provide access and information: HPSJ may require Business Associate to deliver to HPSJ (or as directed by HPSJ to another individual or entity) PHI in a designated Record Set upon reasonable notice in the time and manner designated by HPSJ and during Business Associate's normal business hours in accordance with 45 CFR section 164.524. Designated Record Set means the group of records maintained for HPSJ that includes medical, dental, and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management systems maintained for HPSJ health plans; or those records used to make decisions about individuals on behalf of HPSJ. Business Associate shall use the forms and processes developed by HPSJ for this purpose and shall respond to request for access to records transmitted by HPSJ within fifteen (15) calendar days of receipt of the request by producing the records or verifying that there are none. ii. If Business Associate maintains an Electronic Health Record with PHI and a copy of such information is requested in an electronic format, Business Associate shall provide such information in an electronic format to enable HPSJ to fulfill its obligations under the HITECH Act, including but not limited to 42 U.S.0 section 17935(e). iii. If Business Associate receives data from HPSJ that was provided to HPSJ by the Social Security Administration, upon request by HPSJ Business Associate shall provide HPSJ with a list of all employees, contractors, and agents who have access to the Social Security data, including employees, contractors, and HPSJ /City of Lodi CONFIDENTIAL Page 6 of 21 Effective June 7, 2023 Health PlanOi�- of San Joaquin agents of its subcontractors and agents. (g) Amendment ol'PHI. To make any amendment(s) to PHI that HPSJ directs or agrees to pursuant to 45 CFR section 165.526, in the time and manner designated by HPSJ. (h) Internal Practices. To make Business Associate's internal practices, books and records available to HPSJ, DHCS, or to the Secretary of the U.S. Department of Health and Human Services relating to the use and disclosure of PHI received from HPSJ or created or received by Business Associate on behalf of HPSJ in a time and manner designated by HPSJ or by the Secretary of the U.S. Department of Health and Human Services for purposes of determining HPSJ compliance with the HIPAA regulations. If any information needed for this purpose is in the exclusive possession of any other entity or person and the other entity or person fails or refuses to furnish the information to Business Associate, Business Associate shall so certify to HPSJ and shall set forth the efforts it made to obtain the information. (i) Documentation of' Unauthorized Disclosures. To document and make available to HPSJ or at the direction of HPSJ such unauthorized disclosures of PHI within 14 calendar days of the request in the form and manner requested by HPSJ, and information related to such disclosures, necessary to respond to a proper request by the subject individual for an accounting of disclosures of PHI, in accordance with the HITECH Act and its implementing regulations, including but not limited to 45 CFR section 164.528 and 42 U.S.C. section 17935. (j) Breaches and Information Sec-urity Incidents. During the term of this Agreement, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any breach or information security incident, and to take the following steps: (k) Notice to HPSJ. i. To notify HPSJ immediately upon the discovery of a confirmed information security incident that involves the data subject to this Business Associate Agreement. This notification will be by telephone call plus email or fax upon confirmation of discovery of the information security incident. ii. To notify HPSJ within 24 hours by email or fax of the discovery of unsecured PHI or PIT in electronic media or in any other media if the PHI or PII was or is reasonably believed to have been accessed or acquired by an unauthorized person, any suspected security incident, intrusion or unauthorized access, use or disclosure of PHI or PII in violation of this Agreement and this Agreement, or potential loss of confidential data affecting this Agreement. A breach shall be treated as discovered by Business Associate as of the first day on which the breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the breach) who is an employee, officer or other agent of Business Associate. iii. Notice shall be provided to the HPSJ Program Contract Manager, the HPSJ Privacy Officer and the HPSJ Information Security Officer. If the incident occurs after business hours or on a weekend or holiday, notice shall be provided HPSJ /City of Lodi CONFIDENTIAL Page 7 of 21 Effective June 7, 2023 Health Plan of San Joaquin by calling the HPSJ ITSD Service Desk immediately. Notice shall be made using the "HPSJ Information Security Incident Report" form (ISIR), attached hereto as Attachment "2" to this Agreement, including all information known at the time, and emailed to the HPSJ Privacy Office at PiU(i�HPSJ.COM. iv. Upon discovery of a breach or suspected security incident, intrusion or unauthorized access, use or disclosure of PHI or PII, Business Associate shall take: a. Prompt corrective action to mitigate any risks or damages involved with the breach and to protect the operating environment; and b. Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. (1) Investigation andInvestigalion Report. Investigation. To immediately investigate such security incident, breach, or unauthorized access, use or disclosure of PHI or PII and the ISIR did not include all the requested information, then within 72 hours of the discovery, Business Associate shall submit an updated ISIR containing the information marked with an asterisk and all other applicable information listed on the ISIR known at the time, to the HPSJ Program Contract Manager, the HPSJ Privacy Officer, and the HPSJ Information Security Officer. ii. Complete Reporl. To provide a complete report of the investigation to the HPSJ Program Contract Manager, the HPSJ Privacy Officer, and the HPSJ information Security Officer within ten (10) working days of the discovery of the breach or unauthorized use or disclosure. If all the required information was not included in either the initial report or the Investigation Report, then a separate Complete Report must be submitted. The report shall be submitted on the HPSJ Information Security Incident Report form and shall include an assessment of all known factors relevant to a determination of whether a breach occurred under applicable provisions of HIPAA, the HITECH Act, the HIPAA regulations and/or state law. The report shall also include a full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the improper use or disclosure. If HPSJ or DHCS request information in addition to that listed on the HPSJ Information Security Incident Report form, Business Associate shall make reasonable efforts to provide HPSJ or DHCS with such information. If necessary, a Supplemental Report may be used to submit revised or additional information after the completed report is submitted, by submitting the revised or additional information on an updated "HPSJ Information Security Incident Report" form. HPSJ will review and approve or disapprove the determination of whether a breach occurred, is reportable to the appropriate entities, if individual notifications are required, and the corrective action plan. iii. Dei-idenlfificalion ofIndividualr. If the cause of a breach of PHI or PII is attributable to Business Associate or its subcontractors, agents or vendors, HPSJ /City of Lodi CONFIDENTIAL Page 8 of 21 Effective June 7. 2023 Health Plan��- of San Joaquin Business Associate shall notify individuals of the breach or unauthorized use disclosure when notification is required under state or federal law and shall pay any costs of such notifications, as well as any cost associated with the breach. The notifications shall comply with requirements set forth in 42 O.S.C. section 17932 and implementing regulations, including, but not limited to, the requirement that the notifications be made without unreasonable delay and in no event later than 60 calendar days. The HPSJ Program Contract Manager, the HPSJ Privacy Officer, and the HPSJ Information Security Officer shall approve the time, manner and content of any such notifications and their review and approval must be obtained before the notifications are made. (m)ReWonsihiliiy for Reporting of Breaches. If the cause of a breach PHI or PII is attributable to Business Associate or its agents, subcontractors or vendors, Business Associate is responsible for all required reporting of the breach as specified in 42 U.S.S. Section 17932 and its implementing regulations, including notifications to media outlets and to the Secretary of the U.S. Department of Health and Human Services. If a breach of unsecured PHI involves more than 500 residents of the State of California or its jurisdiction and Business Associate has reason to believe that duplicate reporting of the same breach or incident to HPSJ in addition to Business Associate may occur, Business Associate shall notify HPSJ, and HPSJ and Business Associate may take appropriate action to prevent duplicate reporting. The breach reporting requirements of this paragraph in addition to the reporting requirements set forth in Section 4(i), above. (n) HPSJ Contact Information. To direct communications to the above referenced HPSJ staff, the Contractor shall initiate contact as indicated herein. HPSJ reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Agreement or the Agreement to which it is incorporated. HPSJ Program Contract Manager HPSJ Privacy Officer See the Scope of Work Chief Compliance Officer & Privacy Officer exhibit for Program Health Plan of San Joaquin Contract Manager 7751 South Manthey Rd. Information French Camp, CA 95231-9802 _.com Email: PIU@hpsi.com (o) Training Requirement. In accordance with HPSJ policy, all personnel assigned by the Contractor or any of its subcontractors pursuant to the underlying Agreement who access HPSJ systems shall complete Privacy Awareness and Information Security Awareness Training that is required of all individuals who may access PHI or PII before being provided credentials to access such information. (p) Termination .of&reemenf. In accordance with Section 13404 (b) of the HITECH Act and to the extent required by the HIPAA regulations, if Business Associate knows of a material breach or violation by HPSJ of this Agreement, the Business Associates shall take HPSJ /City of Lodi CONFIDENTIAL Page 9 of 21 Effective June 7. 2023 Health PlanOiv of San Joaquin the following steps: Provide an opportunity for HPSJ to cure the breach or end the violation and terminate the Agreement if HPSJ does not cure the breach or end the violation within the time specified by Business Associate; or ii. Immediately terminate the Agreement if HPSJ has breached a material term of the Agreement and cure is not possible. iii. Due Diligence. Business Associate shall exercise and shall take reasonable steps to ensure that it remains in compliance with this Agreement and is in compliance with applicable provisions of HIPAA, the HITECH Act, and the HIPAA regulations and that its agents, subcontractors and vendors are in compliance with their obligations as required by this Agreement. iv. Sanctions and/or Penalties. Business Associates understands that a failure to comply with the provisions of HIPAA, the HITECH Act, and the HIPAA regulations that are applicable to Business Associates may result in the imposition of sanctions and/or penalties on Business Associate under HIPAA the HITECH Act and the HIPAA regulations. 5, Obligations of HPSJ. HPSJ agrees: (a) Notice of Privacy Practices. To provide Business Associate with the Notice of Privacy Practices that HPSJ produces in accordance with 45 CFR section 164.520, as well as any changes to such notice. The most current HPSJ Notice of Privacy Practices is attached to this Agreement as Attachment "3" . (b) Permission by Individuals for Use and Disclosure of PHI. To provide the Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect the Business Associate's permitted or required uses and disclosures. (c) Notification of Restrictions. To notify the Business Associate of any restriction to the use or disclosure of PHI that HPSJ has agreed to in accordance with 45 CFR section 164.522, to the extent that such restriction may affect the Business Associate's use or disclosure of PHI. (d) Requests Conflicting with. HIPAA Rules. Not request the Business Associate to use or disclose PHI in a manner that would not be permissible under the HIPAA regulations if done by HPSJ. 6. Audits, Inspections, and Enforcement. (a) Inspection. From time to time, on a frequency of at least annually or more frequent than annually if HPSJ determines there is good cause, or at any point in time for DHCS, HPSJ or DHCS may inspect the facilities, systems, books and records of Business Associate to monitor compliance with this Agreement. Business Associate shall promptly remedy any violation of any provisions of this Agreement and shall certify the same to the HPSJ Privacy Officer in writing. Whether or how HPSJ or HPSJ /City of Lodi CONFIDENTIAL Page 10 of 21 Effective June 7, 2023 Health Plan of San Joaquin DHCS exercise this provision shall not in any respect relieve the Business Associate of its responsibilities to comply with this Agreement. The fact that HPSJ inspects, or fails to inspect, or has the right to inspect, Business Associate's facilities, systems and procedures does not relieve Business Associate of its responsibility to comply with this Agreement, nor does HPSJ's or DHCS' failure to detect or failure to notify Business Associate or require Business Associate's remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of HPSJ or DHCS enforcement rights under this Agreement. (b) Notificaiinrr_ Reguiremerrl. If Business Associate is the subject of an audit, compliance review, or complaint investigation by the Secretary of the Office of Civil Rights, U.S. Department of Health and Human Services, that is related to the performance of its obligations pursuant to this HIPAA Business Associate Agreement, Business Associate shall notify HPSJ and provide HPSJ with a copy of any PHI or PII that Business Associate provides to the Secretary of the Office of Civil Rights concurrently by providing such PHI or PII to the Secretary of the U.S. Department of Health and Human Services. Business Associate is responsible for any civil penalties assessed against the Business Associate due to an audit or investigation of the Business Associate, in accordance with 42 U.S.C. section 17934 (c). 7. Termination. (a) Term. The term of this HIPAA Business Associate Agreement shall commence as of the effective date of the MOU to which it attaches and shall extend beyond the termination of the contract and shall terminate when all the PHI provided by HPSJ to Business Associate or created or received by Business Associate on behalf of HPSJ is destroyed or returned to HPSJ in accordance with 45 CFR 164.504(e) (2) (ii) (1). Any extensions or renegotiations of this Agreement shall be reviewed by both parties. (b) Termination for Caisse. In accordance with 45 CFR section 164.504(e) (1) (ii), upon HPSJ knowledge of material breach or violation of this Agreement by Business Associate, HPSJ shall: i. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by HPSJ; or ii. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible. (c) Judicial orAdministrative Proceedrn s. Business Associate will notify HPSJ if it is named as a defendant in a criminal proceeding for a violation of HIPAA. HPSJ may terminate this Agreement if Business Associate is found guilty of a criminal violation of HIPAA. HPSJ may terminate this Agreement if a finding or stipulation that the Business Associate has violated any standard or requirement of HIPAA or other security or privacy laws in any administrative or civil proceeding in which the Business Associate is a party or has been joined. HPSJ /City of Lodi CONFIDENTIAL Page l l of 21 Effective June 7, 2023 Health PIa4/ of San Joaquin (d) Effect of T'erminalion. Upon termination or expiration of this Agreement for any reason, Business Associate shall return or destroy all PHI received from HPSJ (or created or received by Business Associate on behalf of HPSJ) that Business Associate still maintains in any form and shall retain no copies of such PHI. If return or destruction is not feasible, Business Associate shall notify HPSJ of the conditions under which Business Associate may retain the PHI. Business Associate shall continue to extend the protections of this Agreement to such PHI and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall apply to the PHI that is in the possession of subcontractors or agents of Business Associate. 8. Miscellaneous Provisions. (a) Disclaimer. HPSJ makes no warranty or representation that compliance by Business Associate with this Agreement, HIPAA, or the HIPAA regulations will be adequate or satisfactory for Business Associate's own purposes or that any information in Business Associate's possession or control, or transmitted or received by Business Associate, is or will be secure from unauthorized use or disclosure. Business Associate is solely responsible and accountable for all decisions made by Business Associate or its subcontractors regarding the safeguarding of PHI. (b) Compliance wilh DHCS a ligations. To the extent Business Associate is to carry out an obligation of DHCS under 45 CFR Part 164, Subpart E, comply with the requirements of the subpart that apply to DHCS in the performance of such obligation. (c) Amendment. The parties acknowledge that federal and state laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. Any provision of this Agreement which conflicts with current or future applicable Federal or State laws is hereby amended to conform to the provisions of those laws. Such amendment of this Agreement shall be effective on the effective date of the laws necessitating it and shall be binding on the parties even though such amendment may not have been reduced to writing and formally agreed upon and executed by the parties. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations and other applicable state laws relating to the security or privacy of PHI. Upon HPSJ request, Business Associate agrees to promptly enter into negotiations with HPSJ concerning an amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable state requirements of HIPAA, the HITECH Act, the HIPAA regulations or other applicable state laws. HPSJ may terminate this Agreement upon thirty (30) days written notice in the event: i. Business Associate fails to promptly enter into an amendment to this Agreement when requested by HPSJ pursuant to this Section; or ii. Business Associate fails to enter into an amendment to this Agreement HPSJ /City of Lodi CONFIDENTIAL Page 12 of 21 Effective June 7, 2023 Health Plan of San Joaquin providing assurances regarding the safeguarding of PHI that HPSJ in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and the HIPAA regulations. (d) Assistance in Litigation or Administrative Proceedings. Business Associate shall make itself and any subcontractors, employees or agents assisting in Business Associate in the performance of its obligations under this Agreement available to it at no cost to HPSJ and/or DHCS to testify as witnesses or otherwise in the event of litigation or administrative proceedings being commenced against HPSJ or DHCS, its directors, officers or employees based upon claimed violation of HIPAA, the HIPAA regulations, or other laws relating to security and privacy which involves inactions or actions by the Business Associate, except where Business Associate or its subcontractor, employee or agent is a named adverse party. (e) No Third -Party Beneficiaries. Nothing express or implied in the terms and conditions of this Agreement is intended to confer, nor shall anything herein confer upon any person other than HPSJ or Business Associate and their respective successors or assignees any rights, remedies, obligations or liabilities whatsoever. (f) Interpretation. The terms and conditions in this Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the HIPAA regulations and applicable state laws. The parties agree that any ambiguity in the terms and conditions of this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, and the HIPAA regulations. (g) Governing Law. This BAA shall be governed by and construed in accordance with the laws of the state of California to the extent not preempted by HIPAA, the HITECH Act, the HIPAA Rules or other applicable federal law. The laws of the State of California shall apply to the interpretation of this BAA, or in case of any disagreement between the parties, without regard to any conflicts of law provisions to the contrary; the venue of any proceedings shall be the appropriate federal or state court in San Joaquin County, CA. (h) Independent Contractors. Business Associate and HPSJ are independent contractors and this BAA shall not establish any relationship of partnership, joint venture, employment, franchise, or agency between Business Associate and HPSJ. Neither Business Associate nor HPSJ will have the power to bind the other or incur obligations on the other party's behalf without the other party's prior written consent, except as otherwise expressly provided in this BAA. (i) Conflicts. In the event that any terms of this BAA are inconsistent with the terms of the Agreement(s), then the terms of this BAA shall control. This BAA supersedes any prior BAA between the parties and those portions of any Agreement between the parties that involve the disclosure of PHI by HPSJ to Business Associate. 0) Assignment. Business Associate shall not assign either its obligations or benefits under this BAA without the expressed written consent of HPSJ, which shall be at the sole discretion of HPSJ. Given the nature of this BAA, neither subcontracting nor HPSJ /City of Lodi CONFIDENTIAL Page 13 of 21 Effective June 7, 2023 Health Plane of San Joaquin assignment by the Business Associate is anticipated and the use of those terms herein does not indicate permission to assign or subcontract has been granted. (k) In(lemnification. In addition to any indemnities set forth in the Agreement(s), Business Associate shall indemnify and defend HPSJ from and against any and all claims, losses, damages, expenses or other liabilities, including reasonable attorney's fees, incurred as a result of any breach of any representation, warranty, covenant, agreement or other obligation expressly contained herein by Business Associate, its employees, agents, Subcontractors or other representatives. Business Associate acknowledges and agrees that the confidentiality requirements herein apply to all its employees, agents and representatives and subcontractors. Business Associate assumes responsibility and liability for any damages or claims, including state and federal administrative proceedings and sanctions, against HPSJ, including costs and attorney's fees, resulting from the breach by Business Associate of the confidentiality requirements of this BAA. (l) ffLective Jute wid Survival. This Agreement shall be agreed to and effective upon execution of the MOU to which this BAA is attached as an Exhibit and is incorporated by reference thereto. However, the obligations of Business Associate under this Agreement shall survive the termination of the MOU. (m) No Waiver of Obligations_ No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation or shall prohibit enforcement of any obligation on any other occasion. (n) Monitorinir. As applicable, Business Associate shall comply with monitoring requirements of HPSJ's contracts with regulator(s) or any other monitoring requests by HPSJ's regulator(s). (o) Notices. Notices to be given by one Party to the other under this BAA shall be given in writing by email, personal delivery, by certified mail, return receipt requested, or express delivery service at the addresses specified below. Notices delivered personally shall be deemed received upon receipt; mailed or expressed notices shall be deemed received four (4) days after deposit. A Party may change the address to which notice is to be given by giving notice as provided above. If to Business Partner, to: If to HPSJ, to: Attn: Stephen Schwabauer, City Manager Attn: Chief Compliance Officer City of Lodi Health Plan of San Joaquin 221 W. Pine Street 7751 South Manthey Road P.O. Box 3006 French Camp, CA 95231-9802 Lodi, CA 95241-1910 eMail: PIU@hpsj.com eMail: sschwabauer@lodi.gov Copy to: irhyne rc,lodi.gov [Signatures to follow.] HPSJ /City of Lodi CONFIDENTIAL Page 14 of 21 Effective June 7. 2023 Health Plano of San Joaquin INTENDING TO BE LEGALLY BOUND, the parties hereto have caused this BAA to be executed by their duly authorized representatives. San Joaquin County Health Commission, City of Lodi, a municipal corporation dba Health Plan of San Joaquin By:, Name: Title: Date: By: Name: Title: Date: ATTEST: Olivia Nashed, City Clerk APPROVED AS TO FORM: Janice D. Magdich, City Attorney KL [Remainder of this page is intentionally left blank.] HPSJ /City of Lodi CONFIDENTIAL Page 15 of 21 Effective June 7. 2023 Health Plan of San Joaquin ATTACHMENT "1" BUSINESS ASSOCIATE DATA SECURITY REQUIREMENTS 1. PERSONNEL CONTROLS. (a) Training. All workforce members, whether employees, independent contractors or subcontractors of Business Associate who assist in the performance of functions or activities on behalf of HPSJ, or access or disclose HPSJ PHI or PTI on HPSJ systems must complete information privacy and security training at least annually at Business Associate's expense. Each workforce member who receives information privacy and security training must sign a certification indicating the member's name and the date on which the training was completed. These certifications must be retained for a period of six (6) years following contract termination. (b) Discipline. Appropriate sanctions must be applied against workforce members who fail to comply with privacy policies and procedures or any provisions of these requirements, including termination of employment or work assignment, whether by employment or contract where appropriate. (c) C.'onfldenti IAi Statement. All persons that will be working with HPSJ PHI or PII must sign a confidentiality statement that includes, at a minimum, General Use Security and Privacy Safeguards. Unacceptable Use, and Enforcement Policies. The statement must be signed by the workforce member prior to access to HPSJ PHI or PII. The statement must be renewed annually. The Contractor shall retain each person's written confidentiality statement for HPSJ inspection for a period of six (6) years following contract termination. (d) Background Check. Before a member of the workforce may access HPSJ PHI or PII, a thorough background check of that workforce member must be conducted, with evaluation of the results to assure that there is no indication that the workforce member may present a risk to the security or integrity of confidential data or a risk for theft or misuse of confidential data. The Contractor shall retain each workforce member's background check documentation for a period of three (3) years following contract termination. 2. TECHNICAL SECURITY CONTROLS. (a) Safeguards: Business Associate shall use safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and other confidential data and comply, where applicable, with subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by this Agreement. Such safeguards shall be based on applicable Federal Information Processing Standards (FIPS) Publication 199 protection levels. (b) Workstaflonllgptop enciyptio All workstations and laptops that process and/or store HPSJ PHI or PI must be encrypted using a FIPS 140-2 Annex A certified algorithm which is 256 bit or higher, such as Advanced Encryption Standard (AES). The encryption solution must be full disk unless approved by the HPSJ Information Security Office. HPSJ /City of Lodi CONFIDENTIAL Page 16 of 21 Effective June 7. 2023 Health Plan of San Joaquin (c) Server Security. Servers containing unencrypted HPSJ PHI or PII must have appropriate administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review. (d) Minimum Necessary Only the in inimum necessary amount of HPSJ PHI or PII required to perform necessary business functions may be copied, downloaded, or exported. (e) Removable media devices, Per NIST 800-53 controls, all electronic files that contain HPSJ PHI or PII data must be encrypted when stored on any removable media or portable device (i.e. USB thumb drives, floppies, CD/DVD, smartphones, backup tapes etc.). Encryption must be a FLPS 140-2 Annex A listed certified algorithm such as AES, which is 256 bit or higher per HPSJ standards. (f) Antivirus .sojt"tiiwre. All workstations, laptops and other systems that process and/or store HPSJ PHI or PII must install and actively use comprehensive anti-virus software solution with automatic updates scheduled at least daily and keep virus software up-to- date. (g) Patch Marra niertt. All workstations, laptops and other systems that process and/or store HPSJ PHI or PII must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release. Business Associate shall apply security patches and upgrades, and keep virus software up- to-date, on all systems on which PHI and other confidential information may be used. (h) user IDs and Password Controls. All users must be issued a unique username for accessing HPSJ PHI or PII. Usernames must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password within 24 hours. Passwords are not to be shared. Passwords must be at least eight characters and must be a non -dictionary word. Passwords must not be stored in readable format on the computer. Passwords must be changed every 90 days and preferably every 60 days. Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard: Upper case letters (A -Z) ii. Lower case letters (a -z) iii. Arabic numerals (0-9) iv. Non -alphanumeric characters (punctuation symbols) (i) Data Destruction, When no longer needed, all HPSJ PHI or PII must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI or Pl cannot be retrieved. HPSJ /City of Lodi CONFIDENTIAL Page 17 of 21 Effective June 7, 2023 Health Plan of San Joaquin (j) System Timeout. The system providing access to HPSJ PHI or PII must provide an automatic timeout, requiring re -authentication of the user session after no more than 20 minutes of non -activity. (k) Warning Banners. All systems providing access to HPSJ PHI or PII must display a warning banner stating that data is confidential, systems are logged, and system use is for business purposes only by authorized users. User must be directed to log off the system if they do not agree with these requirements. (1) S .stem Logging. The system must maintain an automated audit trail which can identify the user or system process which initiates a request for HPSJ PHI or PII, or which alters HPSJ PHI or PII. The audit trail must be date and time stamped, must log both successful and failed attempts at access, must be read only, and must be restricted to authorized users. If HPSJ PHI or PII is stored in a database, database logging functionality must be enabled. Audit trail data must be archived for at least 3 years after occurrence. (m)Access Controls. The system providing access to HPSJ PHI or PII must use role -based access controls for all user authentications, enforcing the principle of least privilege. (n) Transmission encryption. All data transmissions of HPSJ PHI or PII outside the secure internal network must be encrypted using a FLPS 140-2 certified algorithm which is 256 bit or higher, such as AES. Encryption can be end-to-end at the network level, or the data files containing PHI can be encrypted. This requirement pertains to any type of PHI or PII in motion such as website access, file transfer, and E -Mail. In addition, Business Associate shall maintain, at a minimum, the most current industry standards for transmission and storage of PHI and other confidential information. (o) Intrusion Detteflon. All systems involved in accessing, holding, transporting, and protecting HPSJ PHI or PII that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution. 3. AUDIT CONTROLS. (a) Suslem Security Review. All systems processing and/or storing HPSJ PHI or PII must have at least an annual system risk assessment/security review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews should include vulnerability scanning tools. (b) Log Reviews, Business Continzda,, and Disaster Recovery Controls. All systems processing and/or storing HPSJ PHI or PTI must have a routine procedure in place to review system logs for unauthorized access. (c) Change Control. All systems processing and/or storing HPSJ PHI or PII must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data. HPSJ /City of Lodi CONFIDENTIAL Page 18 of 21 Effective June 7, 2023 Health Plan of San Joaquin 4. BUSINESS CONTINUITY AND DISASTER RECOVERY CONTROLS. (a) Emergency Mode operation Plan. Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of electronic HPSJ PHI or PiI in the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than 24 hours. (b) Dula Backup Plan. Contractor must have established documented procedures to backup HPSJ PHI to maintain retrievable exact copies of HPSJ PHI or PII. The plan must include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and an estimate of the amount of time needed to restore HPSJ PHI or PII should it be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite storage of HPSJ data. 5. PAPER DOCUMENT CONTROLS. (a) Apervision of Data. HPSJ PHI or PII in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information is not being observed by an employee authorized to access the information. HPSJ PHI or PII in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes. (b) Escorlipag Visitors, Where applicable, visitors to areas where HPSJ PHI or PII is contained shall be escorted and HPSJ PHI or PII shall be kept out of sight while visitors are in the area. (c) Confidential Destruction. HPSJ PHI or PII must be disposed of through confidential means, such as cross -cut shredding and pulverizing. (d) Removal of Data, HPSJ PHI or PII must not be removed from the premises of the Contractor except with express written permission of HPSJ. (e) Faxing. Faxes containing HPSJ PHI or PII shall not be left unattended and fax machines shall be in secure areas. Faxes shall contain a confidentiality statement notifying persons receiving faxes in error to destroy them. Fax numbers shall be verified with the intended recipient before sending the fax. (f) Mailing. Mailings of HPSJ PHI or PII shall be sealed and secured from damage or inappropriate viewing of PHI or PII to the extent possible. Mailings which include 500 or more individually identifiable records of HPSJ PHI or PII in a single package shall be sent using a tracked mailing method which includes verification of delivery and receipt, unless the prior written permission of HPSJ to use another method is obtained. HPSJ /City of Lodi CONFIDENTIAL Page 19 of 21 Effective June 7, 2023 Health PlanOc- of San Joaquin ATTACHMENT "2" HPSJ Information Security Incident Report Form HPSJ /City of Lodi CONFIDENTIAL Page 20 of 21 Effective June 7, 2023 Health Plans - of San Joaquin ATTACHMENT "Y' HPSJ Notice of Privacy Practices HPSJ /City of Lodi CONFIDENTIAL Page 21-of21 Effective June 7. 2023 Capital Improvement Plan FY 2022-2023 Project Title: Reimagined Housing I Munis Project Code: Section I: Description District Nos: Citywide Project Length June 30-2024 Priority High The City of Lodi Community Development Department is looking to acquire an existing hotel and convert it to transitional and supportive housing. We anticipate 40 (+/-) units with 24/7 onsite management and security. The project would allow for individuals that have jobs or other steady income (SS, SSDI, VA, etc.) to be housed in a transitional setting with continued wraparound services until they are able to progress to other permanent housing opportunities. Justification/factor driving project On April 26, 2023 Health Plan of San Joaquin Board awarded the City of Lodi $3 million for this project Additional Information Section II: Estimated Project Costs Expenditure Contracts Prior Years $ FY 21/22 FY 22/23 Estimate Budget $ 3,000,000 FY 23/24 FY 24/25 FY 25/26 FY 26/27 Future Yrs $ $ Total 3,000,000 $ - Total Capital Costs $ $ - $ 3,000,000 $ $ 3,000,000 $ - $ - $ - $ - Section III: Funding Sources/Methods of Financing Funding Source(s) Prior Years 355 - Community Grants $ Total Project Financing $ - FY 21/22 FY 22/23 FY 23/24 Estimate Budget $ 3,000,000 FY 24/25 FY 25/26 FY 26/27 Future Yrs $ $ - $ Total 3,000,000 3,000,000 $ - $ 3,000,000 $ - $ - $ - $ - RESOLUTION NO. 2023-116 A RESOLUTION OF THE LODI CITY COUNCIL ACCEPTING FUNDS FROM SAN JOAQUIN COUNTY HEALTH COMMISSION, OPERATING AND DOING BUSINESS AS HEALTH PLAN OF SAN JOAQUIN (HPSJ); APPROPRIATING FUNDS FOR A TRANSITIONAL AND SUPPORTIVE HOUSING PROJECT AT MAIN STREET; AND AUTHORIZING THE CITY MANAGER TO EXECUTE THE MEMORANDUM OF UNDERSTANDING AND BUSINESS ASSOCIATES AGREEMENT ------------------------------------------------------------------------ ------------------------------------------------------------------------ WHEREAS, on November 4, 2020, the City Council adopted the San Joaquin Community Response to Homelessness — 2020 San Joaquin Strategic Plan (Strategic Plan); and WHEREAS, in accordance with the American Rescue Plan Act (ARPA) of 2021, DHCS developed a Medi -Cal Home and Community -Based Services (HCBS) Spending Plan detailing a series of initiatives to enhance, expand and strengthen HCBS in California. The Housing and Homelessness Incentive Program (HHIP) is one of the HCBS Transition Initiatives and is intended to support the delivery and coordination of health and housing services for Medi -Cal members statewide. HHIP is intended to bolster housing and homelessness -focused efforts and investments at local levels, with the aim of building or expanding capacity and partnerships to connect Medi -Cal members to needed housing services and achieving progress in reducing and preventing homelessness; and WHEREAS, DHCS established required submissions and deliverables for managed care plans in participating counties to identify current state, priorities, investments, and monitor progress for HHIP; and will be distributing incentives for plans to oversee and administer payment for HHIP project(s); and WHEREAS, as part of efforts to meet HHIP program priorities and measures, HPSJ will partner with local partners and organizations which deliver housing, or supportive services to Medi -Cal members who are homeless or at risk of homelessness; and WHEREAS, the City of Lodi submitted a proposal for acquisition of a hotel for development of a transitional and supportive housing project to HPSJ; and WHEREAS, HPSJ Board approved and awarded $3,000,000 on April 26, 2023 towards the project submitted. NOW, THEREFORE, BE IT RESOLVED that the Lodi City Council does hereby accept funds from San Joaquin County Health Commission, operating and doing business as Health Plan of San Joaquin (HPSJ) in the amount of $3,000,000; and BE IT FURTHER RESOLVED that the Lodi City Council does hereby appropriate funds in the amount of $3,000,000 for a transitional and supportive housing project at Main Street to revenue account 35500000.56005 and expenditure account 35599000-77020; and BE IT FURTHER RESOLVED that the Lodi City Council does hereby authorize the City Manager to execute the MOU and Business Associates Agreement; and BE IT FURTHER RESOLVED, pursuant to Section 6.3q of the City Council Protocol Manual (adopted 11/6/19, Resolution No. 2019-223), the City Attorney is hereby authorized to make minor revisions to the above -referenced document(s) that do not alter the compensation or term, and to make clerical corrections as necessary. Dated: June 07, 2023 I hereby certify that Resolution No. 2023-116 was passed and adopted by the City Council of the City of Lodi in a regular meeting held June 7, 2023 by the following votes: AYES: COUNCIL MEMBERS — Bregman, Craig, Nakanishi, and Mayor Hothi NOES: COUNCIL MEMBERS — Yepez ABSENT: COUNCIL MEMBERS — None ABSTAIN: COUNCIL MEMBERS — None OLIVIA NASHED City Clerk 2023-116