Common use of Physical Security Clause in Contracts

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII Pll is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII Pll from loss, theft, or inadvertent disclosure and, therefore, agrees to:: Exhibit N_Privacy & Security Agreement._rev 08.2021 a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their the pertinent County program and use, disclose, or store PIIPll. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. g. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. h. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. i. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. j. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within WDM0922-A2 Page 4 of 14 January 9, 2025 multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within WKW0722-A2 Page 4 of 14 January 8, 2025 multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor LCSA shall ensure PII Medi-Cal Pll is used and stored in an area that is physically safe from access by unauthorized persons at all timesduring working hours and non-working hours. The Contractor LCSA agrees to safeguard PII Medi-Cal Pll from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. A. Secure all areas of the Contractor’s LCSA facilities where Contractor Staff assist in the administration of their program LCSA Workers use or disclose Medi-Cal Pll. The LCSA shall ensure these secured areas are only accessed by authorized individuals with properly coded key cards, authorized door keys or access authorization; and use, disclose, or store PIIaccess to premises is by official identification. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. B. Issue identification LCSA Workers badges to Contractor Staff. d. Require Contractor Staff and require LCSA Workers to wear these badges at the LCSA facilities where PII Medi-Cal Pll is stored or used, disclosed, or stored. e. C. Ensure each physical location, where Medi-Cal PII is used, disclosed, used or stored, has procedures and controls that ensure an individual individual, who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. D. Ensure there are security guards or a monitored alarm system at all times with or without security cameras 24 hours a day, seven days a week at the Contractor LCSA facilities and leased facilities where five hundred (500) or more individually identifiable records a large volume of PII Medi- Cal Pll is used, disclosed or stored. Video surveillance are recommended. g. E. Ensure data centers with servers, data storage devices, and/or and critical network infrastructure involved in the use, storage, and/or processing use or storage of Medi-Cal PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor StaffInformation Technology (IT) staff. Visitors to the data center area must be escorted by authorized IT staff at all times by authorized Contractor Stafftimes. h. F. Store paper records with Medi-Cal PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, desks or locked offices in facilities which have are multi-use use, meaning that there are LCSA and non- LCSA functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor LCSA shall have policies that indicate Contractor Staff LCSA Workers are not to leave records with PII Medi-Cal Pll unattended at any time in vehicles or airplanes and not to check such records in baggage on commercial airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. G. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing Medi-Cal PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within CJP2321-A2 Page 4 of 14 January 30, 2025 multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities.. DocuSign Envelope ID: C1699981-367A-4E93-B66A-CA0849068709 DocuSign Envelope ID: 81A5495A-230D-4264-8358-EB12B24A8B8D DocuSign Envelope ID: 8FC5ECED-4536-49EB-A4AB-9CA23D0B1D81 i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is #MA-063-25010752 Page 4 of 14 April 9, 2025 recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in DocuSign Envelope ID: 9AF40527-22C4-4230-B711-536D5ED76CF0 one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within WMR1022-A2 Page 4 of 14 January 14, 2025 Docusign Envelope ID: 720A06B8-0B1D-4BC0-90D5-335032640F9D multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. WKW0722 -A1 Page 4 of 18 September 18, 2023 DocuSign Envelope ID: DC0B82C5-AF7E-4998-B860-0DAF084A6DDE The Contractor shall ensure PII Pll is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII Pll from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PIIPll. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities.. WKW0722 -A1 Page 5 of 18 September 18, 2023 DocuSign Envelope ID: DC0B82C5-AF7E-4998-B860-0DAF084A6DDE i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII Pll is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII Pll from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PIIPll. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) 500 or more individually identifiable records of PII Medi-Cal Pll is used, disclosed disclosed, or stored. Video surveillance systems are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. Video surveillance systems are recommended. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions meaning that there are Contractor and non-Contractor functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. j. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is Docusign Envelope ID: 7489E300-8AF1-4335-9329-A29008757313 recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are is recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.

Physical Security. The Contractor shall ensure PII is used and stored in an area that is physically safe from access by unauthorized persons at all times. The Contractor agrees to safeguard PII from loss, theft, or inadvertent disclosure and, therefore, agrees to: a. Secure all areas of the Contractor’s facilities where Contractor Staff assist in the administration of their program and use, disclose, or store PII. b. These areas shall be restricted to only allow access to authorized individuals by using one or more of the following: i. Properly coded key cards ii. Authorized door keys iii. Official identification c. Issue identification badges to Contractor Staff. d. Require Contractor Staff to wear these badges where PII is used, disclosed, or stored. e. Ensure each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee and access is revoked. f. Ensure there are security guards or a monitored alarm system at all times at the Contractor facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed or stored. Video surveillance are recommended. g. Ensure data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter MA-063-24010922 May 23, 2024 DocuSignDocuSign EnvelopeEnvelope ID:ID: security and physical access controls that limit access to only authorized Contractor Staff. Visitors to the data center area must be escorted at all times by authorized Contractor Staff. h. Store paper records with PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks, or locked offices in facilities which have multi-use functions in one building in work areas that are not securely segregated from each other. It is WGM0719-A3 Page 4 of 14 July 9, 2024 recommended that all PII be locked up when unattended at any time, not just within multi-use facilities. i. The Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which the Contractor Staff can transport PII, as well as the physical security requirements during transport. A Contractor that chooses to permit its staff to leave records unattended in vehicles must include provisions in its policies to ensure the PII is stored in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time. j. The Contractor shall have policies that indicate Contractor Staff are not to leave records with PII unattended at any time in airplanes, buses, trains, etc., including baggage areas. This should be included in training due to the nature of the risk. k. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing PII.