This page is an unofficial LFoD record and is not legal advice. Verify the document against the official source before relying on it.
Governor and Executive Council Agenda item PDF - 2026-03-04 - agenda 21
- Document type
- Other
- Status
- imported
- Citation
- Governor and Executive Council Agenda item PDF - 2026-03-04 - agenda 21
- Date
- March 4, 2026
Serving Councilors
Linked by service date; this is not an individual vote unless the official source says so.
- Joseph Kenney District 1 Serving councilor
- Karen Liot Hill District 2 Serving councilor
- Janet L. Stevens District 3 Serving councilor
- John Stephen District 4 Serving councilor
- David K. Wheeler District 5 Serving councilor
- Meeting Date
- 2026-03-04
- Attachment Kind Label
- Agenda item PDF
- Attachment Relation
- cross_meeting_reference
- Agenda Numbers
- 21
- Agency Names
- Department Of Information Technology
- Parent Meeting Title
- Governor and Executive Council meeting - 2026-03-04
Lori A. Weaver
Commissioner
Katja S. Fox
Director
STATE OF NEW HAMPSHIRE
DEPARTMENT OF HEALTH AND HUMAN SERVICES
DIVISION FOR BEHAVIORAL HEALTH
129 PLEASANT STREET, CONCORD, NH 03301
603-271-9544 1-800-852-3345 Ext. 9544
Fax: 603-271-4332 TDD Access: 1-800-735-2964 www.dhhs.nh.gov
May 15, 2024
His Excellency, Governor Christopher T. Sununu
and the Honorable Council
State House
Concord, New Hampshire 03301
REQUESTED ACTION
Authorize the Department of Health and Human Services, Division for Behavioral Health,
to enter into a contract with Growth Partners, LLC (VC# 319255), Lincoln, NE, in the amount of
$599,992 for a statewide certification program that maintains nationally recognized standards for
recovery residences, with the option to renew for up to five (5) additional years, effective July 1,
2024, upon Governor and Council approval through June 30, 2026. 100% Other Funds (Governor
Commission).
Funds are available in the following account for State Fiscal Year 2025 and are anticipated
to be available in State Fiscal Year 2026, upon the availability and continued appropriation of
funds in the future operating budget, with the authority to adjust budget line items within the price
limitation and encumbrances between state fiscal years through the Budget Office, if needed and
justified.
05-95-92-920510-33820000 HEALTH AND SOCIAL SERVICES, HEALTH AND HUMAN SVCS DEPT
OF, HHS: DIV FOR BEHAVIORAL HEALTH, BUREAU OF DRUG & ALCOHOL SVCS, GOVERNOR
COMMISSION FUNDS (100% Other Funds)
State Fiscal Year | Class / Account | Class Title | Job Number | Total Amount
2025 | 102-500731 | Contracts for Opr Svc | 92058505 | $299,998
2026 | 102-500731 | Contracts for Opr Svc | 92058505 | $299,994
Total | | | | $599,992
EXPLANATION
The purpose of this request is to implement and maintain a statewide system of recovery
supportive housing that meets the needs of people in early recovery from substance use
disorders, and coordinates with other social and community service agencies to address the
social determinants of health. Pursuant to NH RSA 172-B:2, Provision of Services: Acceptance
Into Treatment, the Department is required to designate an entity to serve as the certifying body
for a voluntary certification program for recovery residences.
Approximately 25 recovery homes will be certified and approximately 85 existing certified
recovery homes will be recertified between July 1, 2024 through June 30, 2026.
The Contractor will certify that recovery residences statewide meet the National Alliance
for Recovery Residences Standards for safe, ethical, quality operation which focuses on
residents' well-being using social model recovery practices. The Contractor will establish and
maintain a certification process that upholds industry best practices; supports a safe, healthy, and
effective recovery environment; evaluates residence's ability to assist individuals in achieving
long-term recovery goals; protects residents against unreasonable and unfair practices; and
verifies good standing with local, state, and federal laws, regulations, and ordinances. Services
will include providing outreach to non-certified residences, targeted technical assistance to
owners and operators who are willing to establish recovery residences, and ongoing support for
owners and operators throughout the certification and re-certification processes. In addition, the
Contractor will maintain a process to receive and investigate complaints regarding non-
compliance with Standards.
Recovery housing is an essential need for many people in early recovery from substance
use disorders. Research has demonstrated that recovery housing is associated with a variety of
positive outcomes for residents, including decreased substance use, reduced likelihood of return
to use, lower rates of incarceration, higher income, increased employment, and improved family
relationships (Substance Abuse and Mental Health Services Administration. Best Practices for
Recovery Housing. Publication No. PEP23-10-00-002. Rockville, MD: Office of Recovery,
Substance Abuse and Mental Health Services Administration, 2023). This Agreement provides
accountability and accessibility to meet this need and expands on available certified recovery
residences in underserved geographical areas, and for underserved populations in New
Hampshire.
The Department will monitor services through regularly scheduled meetings and review of
quarterly reports and other required documents to track contract deliverables and ensure continual performance quality, assess progress, and adjust program delivery and policy based on
challenges and barriers encountered and successful outcomes.
The Department selected the Contractor through a competitive bid process using a
Request for Proposals (RFP) that was posted on the Department's website from February 6, 2024
through March 15, 2024. The Department received three (3) responses that were reviewed and
scored by a team of qualified individuals. The Scoring Sheet is attached.
As referenced in Exhibit A, Revisions to Standard Agreement Provisions, of the attached
agreement, the parties have the option to extend the agreement for up to five (5) additional years,
contingent upon satisfactory delivery of services, available funding, agreement of the parties, and
Governor and Council approval.
Should the Governor and Council not authorize this request, New Hampshire may not
have a documented certification process that ensures individuals in need of recovery housing are
provided with a safe environment that meets national standards, supports residents' recovery and
connects them to community resources.
Area served: Statewide.
In the event that the Other Funds become no longer available, General Funds will not be
requested to support this program.
Respectfully submitted,
Lori A. Weaver
Commissioner
The Department of Health and Human Services' Mission is to join communities and families
in providing opportunities for citizens to achieve health and independence.
New Hampshire Department of Health and Human Services
Division of Finance and Procurement
Bureau of Contracts and Procurement
Scoring Sheet
Project ID# RFP-2025-DBH-01-CERTI
Project Title Certifying Body for NH Recovery Residences
 | Maximum Points Available | Growth Partners | Magnolia Recovery Residences Coalition | New Hampshire Coalition of Recovery Residences (NHCORR)
Technical
Q1 Experience | 125 | 110 | 70 | 115
Q2 Certification Services Approach | 175 | 145 | 100 | 130
Q3 Complaint Services Approach | 175 | 135 | 125 | 135
Q4 Website | 75 | 60 | 25 | 50
Q5 Advisory Board | 125 | 120 | 100 | 50
Q6 Capacity | 75 | 50 | 25 | 45
Subtotal - Technical | 750 | 620 | 445 | 525
If a Vendor fails to achieve the minimum Technical score stated within the RFP, it will receive
no further consideration from the evaluation team and the Vendor's Cost Proposal will
Cost
Vendor Budget Narrative Evaluation | 50 | 25 | N/A | 33
Vendor Cost | 200 | 200 | N/A | 200
Subtotal - Cost | 250 | 225 | N/A | 233
TOTAL POINTS | 1000 | 845 | 445 | 758
TOTAL PROPOSED VENDOR COST | | $599,992 | N/A | $600,000
Reviewer Name
Debra Dettor
Kelly Keefe
Kristy MacDonald
Jennifer Olson
CJ Jewkes
Michael Walsh
Title
Community Development
Administrator
jucerisingUnit Chief
Program Specialist
Information Technology Manager
DoIT IT Lead, Supporting DHHS
Finance Administrator
DocuSign Envelope ID: 926339F0-D4E7-4B34-A1A8-3FA15EE5B88B
Subject: Certifying Body for NH Recovery Residences (RFP-2025-DBH-01-CERTI-01)
FORM NUMBER P-37 (version 2/23/2023)
Notice: This agreement and all of its attachments shall become public upon submission to Governor and
Executive Council for approval. Any information that is private, confidential or proprietary must
be clearly identified to the agency and agreed to in writing prior to signing the contract.
AGREEMENT
The State of New Hampshire and the Contractor hereby mutually agree as follows:
GENERAL PROVISIONS
1. IDENTIFICATION.
1.1 State Agency Name
New Hampshire Department of Health and Human Services
1.2 State Agency Address
129 Pleasant Street
Concord, NH 03301-3857
1.3 Contractor Name
Growth Partners, LLC
1.4 Contractor Address
1900 B Street, Lincoln, NE, 68502
1.5 Contractor Phone Number
(402) 730-4864
1.6 Account Unit and Class
TED
1.7 Completion Date
6/30/26
1.8 Price Limitation
$599,992
1.9 Contracting Officer for State Agency
Robert W. Moore, Director
1.10 State Agency Telephone Number
(603) 271-9631
1.11 Contractor Signature 5/15/2024
DocuSigned by:
1.12 Name and Title of Contractor Signatory
Jeff Barr
COO
1.13 State Agency Signature 5/15/2024
DocuSigned by:
1.14 Name and Title of State Agency Signatory
Katja S. Fox
Director
1.15 Approval by the N.H. Department of Administration, Division of Personnel (if applicable)
By: Director, On:
1.16 Approval by the Attorney General (Form, Substance and Execution) (if applicable)
DocuSigned by:
On: 5/15/2024
1.17 Approval by the Governor and Executive Council (if applicable)
G&C Item number: G&C Meeting Date:
Contractor Initials
Date
2. SERVICES TO BE PERFORMED. The State of New
Hampshire, acting through the agency identified in block 1.1
("State"), engages contractor identified in block 1.3 ("Contractor")
to perform, and the Contractor shall perform, the work or sale of
goods, or both, identified and more particularly described in the
attached EXHIBIT B which is incorporated herein by reference
("Services").
3. EFFECTIVE DATE/COMPLETION OF SERVICES.
3.1 Notwithstanding any provision of this Agreement to the
contrary, and subject to the approval of the Governor and
Executive Council of the State of New Hampshire, if applicable,
this Agreement, and all obligations of the parties hereunder, shall
become effective on the date the Governor and Executive Council
approve this Agreement, unless no such approval is required, in
which case the Agreement shall become effective on the date the
Agreement is signed by the State Agency as shown in block 1.13
("Effective Date").
3.2 If the Contractor commences the Services prior to the Effective
Date, all Services performed by the Contractor prior to the
Effective Date shall be performed at the sole risk of the Contractor,
and in the event that this Agreement does not become effective, the
State shall have no liability to the Contractor, including without
limitation, any obligation to pay the Contractor for any costs
incurred or Services performed.
3.3 Contractor must complete all Services by the Completion Date
specified in block 1.7.
4. CONDITIONAL NATURE OF AGREEMENT.
Notwithstanding any provision of this Agreement to the contrary,
all obligations of the State hereunder, including, without limitation,
the continuance of payments hereunder, are contingent upon the
availability and continued appropriation of funds. In no event shall
the State be liable for any payments hereunder in excess of such
available appropriated funds. In the event of a reduction or
termination of appropriated funds by any state or federal legislative
or executive action that reduces, eliminates or otherwise modifies
the appropriation or availability of funding for this Agreement and
the Scope for Services provided in EXHIBIT B, in whole or in part,
the State shall have the right to withhold payment until such funds
become available, if ever, and shall have the right to reduce or
terminate the Services under this Agreement immediately upon
giving the Contractor notice of such reduction or termination. The
State shall not be required to transfer funds from any other account
or source to the Account identified in block 1.6 in the event funds
in that Account are reduced or unavailable.
5. CONTRACT PRICE/PRICE LIMITATION/ PAYMENT.
5.1 The contract price, method of payment, and terms of payment
are identified and more particularly described in EXHIBIT C
which is incorporated herein by reference.
5.2 Notwithstanding any provision in this Agreement to the
contrary, and notwithstanding unexpected circumstances, in no
event shall the total of all payments authorized, or actually made
hereunder, exceed the Price Limitation set forth in block 1.8. The
payment by the State of the contract price shall be the only and the
complete reimbursement to the Contractor for all expenses, of
whatever nature incurred by the Contractor in the performance
hereof, and shall be the only and the complete compensation to the
Contractor for the Services.
5.3 The State reserves the right to offset from any amounts
otherwise payable to the Contractor under this Agreement those
liquidated amounts required or permitted by N.H. RSA 80:7
through RSA 80:7-c or any other provision of law.
5.4 The State's liability under this Agreement shall be limited to
monetary damages not to exceed the total fees paid. The Contractor
agrees that it has an adequate remedy at law for any breach of this
Agreement by the State and hereby waives any right to specific
performance or other equitable remedies against the State.
6. COMPLIANCE BY CONTRACTOR WITH LAWS AND
REGULATIONS/EQUAL EMPLOYMENT
OPPORTUNITY.
6.1 In connection with the performance of the Services, the
Contractor shall comply with all applicable statutes, laws,
regulations, and orders of federal, state, county or municipal
authorities which impose any obligation or duty upon the
Contractor, including, but not limited to, civil rights and equal
employment opportunity laws and the Governor's order on Respect
and Civility in the Workplace, Executive order 2020-01. In
addition, if this Agreement is funded in any part by monies of the
United States, the Contractor shall comply with all federal
executive orders, rules, regulations and statutes, and with any rules,
regulations and guidelines as the State or the United States issue to
implement these regulations. The Contractor shall also comply
with all applicable intellectual property laws.
6.2 During the term of this Agreement, the Contractor shall not
discriminate against employees or applicants for employment
because of age, sex, sexual orientation, race, color, marital status,
physical or mental disability, religious creed, national origin,
gender identity, or gender expression, and will take affirmative
action to prevent such discrimination, unless exempt by state or
federal law. The Contractor shall ensure any subcontractors
comply with these nondiscrimination requirements.
6.3 No payments or transfers of value by Contractor or its
representatives in connection with this Agreement have or shall be
made which have the purpose or effect of public or commercial
bribery, or acceptance of or acquiescence in extortion, kickbacks,
or other unlawful or improper means of obtaining business.
6.4. The Contractor agrees to permit the State or United States
access to any of the Contractor's books, records and accounts for
the purpose of ascertaining compliance with this Agreement and
all rules, regulations and orders pertaining to the covenants, terms
and conditions of this Agreement.
7. PERSONNEL.
7.1 The Contractor shall at its own expense provide all personnel
necessary to perform the Services. The Contractor warrants that all
personnel engaged in the Services shall be qualified to perform the
Services, and shall be properly licensed and otherwise authorized
to do so under all applicable laws.
7.2 The Contracting Officer specified in block 1.9, or any
successor, shall be the State's point of contact pertaining to this
Agreement.
8. EVENT OF DEFAULT/REMEDIES.
8.1 Any one or more of the following acts or omissions of the
Contractor shall constitute an event of default hereunder ("Event
of Default"):
8.1.1 failure to perform the Services satisfactorily or on schedule;
8.1.2 failure to submit any report required hereunder; and/or
8.1.3 failure to perform any other covenant, term or condition of
this Agreement.
8.2 Upon the occurrence of any Event of Default, the State may
take any one, or more, or all, of the following actions:
8.2.1 give the Contractor a written notice specifying the Event of
Default and requiring it to be remedied within, in the absence of a
greater or lesser specification of time, thirty (30) calendar days
from the date of the notice; and if the Event of Default is not timely
cured, terminate this Agreement, effective two (2) calendar days
after giving the Contractor notice of termination;
8.2.2 give the Contractor a written notice specifying the Event of
Default and suspending all payments to be made under this
Agreement and ordering that the portion of the contract price which
would otherwise accrue to the Contractor during the period from
the date of such notice until such time as the State determines that
the Contractor has cured the Event of Default shall never be paid
to the Contractor;
8.2.3 give the Contractor a written notice specifying the Event of
Default and set off against any other obligations the State may owe
to the Contractor any damages the State suffers by reason of any
Event of Default; and/or
8.2.4 give the Contractor a written notice specifying the Event of
Default, treat the Agreement as breached, terminate the Agreement
and pursue any of its remedies at law or in equity, or both.
9. TERMINATION.
9.1 Notwithstanding paragraph 8, the State may, at its sole
discretion, terminate the Agreement for any reason, in whole or in
part, by thirty (30) calendar days written notice to the Contractor
that the State is exercising its option to terminate the Agreement.
9.2 In the event of an early termination of this Agreement for any
reason other than the completion of the Services, the Contractor
shall, at the State's discretion, deliver to the Contracting Officer,
not later than fifteen (15) calendar days after the date of
termination, a report ("Termination Report") describing in detail
all Services performed, and the contract price earned, to and
including the date of termination. In addition, at the State's
discretion, the Contractor shall, within fifteen (15) calendar days
of notice of early termination, develop and submit to the State a
transition plan for Services under the Agreement.
10. PROPERTY OWNERSHIP/DISCLOSURE.
10.1 As used in this Agreement, the word "Property" shall mean
all data, information and things developed or obtained during the
performance of, or acquired or developed by reason of, this
Agreement, including, but not limited to, all studies, reports, files,
formulae, surveys, maps, charts, sound recordings, video
recordings, pictorial reproductions, drawings, analyses, graphic
representations, computer programs, computer printouts, notes,
letters, memoranda, papers, and documents, all whether finished or
unfinished.
10.2 All data and any Property which has been received from the
State, or purchased with funds provided for that purpose under this
Agreement, shall be the property of the State, and shall be returned
to the State upon demand or upon termination of this Agreement
for any reason.
10.3 Disclosure of data, information and other records shall be
governed by N.H. RSA chapter 91-A and/or other applicable law.
Disclosure requires prior written approval of the State.
11. CONTRACTOR'S RELATION TO THE STATE. In the
performance of this Agreement the Contractor is in all respects an
independent contractor, and is neither an agent nor an employee of
the State. Neither the Contractor nor any of its officers, employees,
agents or members shall have authority to bind the State or receive
any benefits, workers' compensation or other emoluments
provided by the State to its employees.
12. ASSIGNMENT/DELEGATION/SUBCONTRACTS.
12.1 Contractor shall provide the State written notice at least fifteen
(15) calendar days before any proposed assignment, delegation, or
other transfer of any interest in this Agreement. No such
assignment, delegation, or other transfer shall be effective without
the written consent of the State.
12.2 For purposes of paragraph 12, a Change of Control shall
constitute assignment. "Change of Control" means (a) merger,
consolidation, or a transaction or series of related transactions in
which a third party, together with its affiliates, becomes the direct
or indirect owner of fifty percent (50%) or more of the voting
shares or similar equity interests, or combined voting power of the
Contractor, or (b) the sale of all or substantially all of the assets of
the Contractor.
12.3 None of the Services shall be subcontracted by the Contractor
without prior written notice and consent of the State.
12.4 The State is entitled to copies of all subcontracts and
assignment agreements and shall not be bound by any provisions
contained in a subcontract or an assignment agreement to which it
is not a party.
13. INDEMNIFICATION. The Contractor shall indemnify,
defend, and hold harmless the State, its officers, and employees
from and against all actions, claims, damages, demands,
judgments, fines, liabilities, losses, and other expenses, including,
without limitation, reasonable attorneys' fees, arising out of or
relating to this Agreement directly or indirectly arising from death,
personal injury, property damage, intellectual property
infringement, or other claims asserted against the State, its officers,
or employees caused by the acts or omissions of negligence,
reckless or willful misconduct, or fraud by the Contractor, its
employees, agents, or subcontractors. The State shall not be liable
for any costs incurred by the Contractor arising under this
paragraph 13. Notwithstanding the foregoing, nothing herein
contained shall be deemed to constitute a waiver of the State's
sovereign immunity, which immunity is hereby reserved to the
State. This covenant in paragraph 13 shall survive the termination
of this Agreement.
14. INSURANCE.
14.1 The Contractor shall, at its sole expense, obtain and
continuously maintain in force, and shall require any subcontractor
or assignee to obtain and maintain in force, the following
insurance:
14.1.1 commercial general liability insurance against all claims of
bodily injury, death or property damage, in amounts of not less than
$1,000,000 per occurrence and $2,000,000 aggregate or excess;
and
14.1.2 special cause of loss coverage form covering all Property
subject to subparagraph 10.2 herein, in an amount not less than
80% of the whole replacement value of the Property.
14.2 The policies described in subparagraph 14.1 herein shall be on
policy forms and endorsements approved for use in the State of
New Hampshire by the N.H. Department of Insurance, and issued
by insurers licensed in the State of New Hampshire.
14.3 The Contractor shall furnish to the Contracting Officer
identified in block 1.9, or any successor, a certificate(s) of
insurance for all insurance required under this Agreement. At the
request of the Contracting Officer, or any successor, the Contractor
shall provide certificate(s) of insurance for all renewal(s) of
insurance required under this Agreement. The certificate(s) of
insurance and any renewals thereof shall be attached and are
incorporated herein by reference.
15. WORKERS' COMPENSATION.
15.1 By signing this agreement, the Contractor agrees, certifies and
warrants that the Contractor is in compliance with or exempt from,
the requirements of N.H. RSA chapter 281-A ("Workers'
Compensation").
15.2 To the extent the Contractor is subject to the requirements of
N.H. RSA chapter 281-A, Contractor shall maintain, and require
any subcontractor or assignee to secure and maintain, payment of
Workers' Compensation in connection with activities which the
person proposes to undertake pursuant to this Agreement. The
Contractor shall furnish the Contracting Officer identified in block
1.9, or any successor, proof of Workers' Compensation in the
manner described in N.H. RSA chapter 281-A and any applicable
renewal(s) thereof, which shall be attached and are incorporated
herein by reference. The State shall not be responsible for payment
of any Workers' Compensation premiums or for any other claim or
benefit for Contractor, or any subcontractor or employee of
Contractor, which might arise under applicable State of New
Hampshire Workers' Compensation laws in connection with the
performance of the Services under this Agreement.
16. WAIVER OF BREACH. A State's failure to enforce its rights
with respect to any single or continuing breach of this Agreement
shall not act as a waiver of the right of the State to later enforce any
such rights or to enforce any other or any subsequent breach.
17. NOTICE. Any notice by a party hereto to the other party shall
be deemed to have been duly delivered or given at the time of
mailing by certified mail, postage prepaid, in a United States Post
Office addressed to the parties at the addresses given in blocks 1.2
and 1.4, herein.
18. AMENDMENT. This Agreement may be amended, waived or
discharged only by an instrument in writing signed by the parties
hereto and only after approval of such amendment, waiver or
discharge by the Governor and Executive Council of the State of
New Hampshire unless no such approval is required under the
circumstances pursuant to State law, rule or policy.
19. CHOICE OF LAW AND FORUM.
19.1 This Agreement shall be governed, interpreted and construed
in accordance with the laws of the State of New Hampshire except
where the Federal supremacy clause requires otherwise. The
wording used in this Agreement is the wording chosen by the
parties to express their mutual intent, and no rule of construction
shall be applied against or in favor of any party.
19.2 Any actions arising out of this Agreement, including the
breach or alleged breach thereof, may not be submitted to binding
arbitration, but must, instead, be brought and maintained in the
Merrimack County Superior Court of New Hampshire which shall
have exclusive jurisdiction thereof.
20. CONFLICTING TERMS. In the event of a conflict between
the terms of this P-37 form (as modified in EXHIBIT A) and any
other portion of this Agreement including any attachments thereto,
the terms of the P-37 (as modified in EXHIBIT A) shall control.
21. THIRD PARTIES. This Agreement is being entered into for
the sole benefit of the parties hereto, and nothing herein, express or
implied, is intended to or will confer any legal or equitable right,
benefit, or remedy of any nature upon any other person.
22. HEADINGS. The headings throughout the Agreement are for
reference purposes only, and the words contained therein shall in
no way be held to explain, modify, amplify or aid in the
interpretation, construction or meaning of the provisions of this
Agreement.
23. SPECIAL PROVISIONS. Additional or modifying
provisions set forth in the attached EXHIBIT A are incorporated
herein by reference.
24. FURTHER ASSURANCES. The Contractor, along with its
agents and affiliates, shall, at its own cost and expense, execute any
additional documents and take such further actions as may be
reasonably required to carry out the provisions of this Agreement
and give effect to the transactions contemplated hereby.
25. SEVERABILITY. In the event any of the provisions of this
Agreement are held by a court of competent jurisdiction to be
contrary to any state or federal law, the remaining provisions of
this Agreement will remain in full force and effect.
26. ENTIRE AGREEMENT. This Agreement, which may be
executed in a number of counterparts, each of which shall be
deemed an original, constitutes the entire agreement and
understanding between the parties, and supersedes all prior
agreements and understandings with respect to the subject matter
hereof.
New Hampshire Department of Health and Human Services
Certifying Body for NH Recovery Residences
EXHIBIT A
Revisions to Standard Agreement Provisions
1. Revisions to Form P-37, General Provisions
1.1. Paragraph 3, Subparagraph 3.1, Effective Date/Completion of Services, is
amended as follows:
3.1. Notwithstanding any provision of this Agreement to the contrary, and
subject to the approval of the Governor and Executive Council of the
State of New Hampshire, this Agreement, and all obligations of the
parties hereunder, shall become effective on July 1, 2024 ("Effective
Date").
1.2. Paragraph 3, Effective Date/Completion of Services, is amended by deleting
subparagraph 3.3 in its entirety and replacing it as follows:
3.3. Contractor must complete all Services by the Completion Date specified
in block 1.7. The parties may extend the Agreement for up to five (5)
additional years from the Completion Date, contingent upon satisfactory
delivery of services, available funding, agreement of the parties, and
approval of the Governor and Executive Council.
1.3. Paragraph 12, Assignment/Delegation/Subcontracts, is amended by adding
subparagraph 12.5 as follows:
12.5. Subcontractors are subject to the same contractual conditions as the
Contractor and the Contractor is responsible to ensure subcontractor
compliance with those conditions. The Contractor shall have written
agreements with all subcontractors, specifying the work to be performed,
and if applicable, a Business Associate Agreement in accordance with
the Health Insurance Portability and Accountability Act. Written
agreements shall specify how corrective action shall be managed. The
Contractor shall manage the subcontractor's performance on an ongoing
basis and take corrective action as necessary. The Contractor shall
annually provide the State with a list of all subcontractors provided for
under this Agreement and notify the State of any inadequate
subcontractor performance.
RFP-2025-DBH-01-CERTI-01 A-1.2 Contractor Initials
5/15/2024
Growth Partners, LLC Date
7.14.23
New Hampshire Department of Health and Human Services
Certifying Body for NH Recovery Residences
EXHIBIT B
Scope of Services
1. Statement of Work
1.1. The Contractor must establish and implement a statewide certification program for
recovery residences in New Hampshire that maintains nationally recognized standards
(hereinafter referred to as the New Hampshire Partnership for Recovery Residences
(NHPRR)). The Contractor must ensure the NHPRR:
1.1.1. Upholds industry best practices and supports a safe, healthy, and effective
recovery environment;
1.1.2. Evaluates the residence's ability to assist persons in achieving long-term
recovery goals;
1.1.3. Protects residents of recovery residences against unreasonable and unfair
practices in setting and collecting fee payments; and
1.1.4. Verifies good standing with regard to local, state, and federal laws and any
regulations and ordinances including, but not limited to, building, maximum
occupancy, fire safety and sanitation codes.
1.2. Certification of Recovery Residences
1.2.1. The Contractor must implement and maintain a process for recovery
residences to become certified as a Social Model recovery residence
(hereinafter referred to as certified recovery residence). The Contractor
must ensure the certification process complies with:
1.2.1.1. National Alliance for Recovery Residences (NARR) Standards
(hereinafter "Standards"), including any amendments to current
Standards;
1.2.1.2. All applicable state and federal laws and regulations, including,
but not limited to NH RSA 172-B:2; and
1.2.1.3. All applicable standards, ordinances, codes, and other
requirements indicated by local authorities, including, but not
limited to:
1.2.1.3.1. Building, occupancy, fire, and sanitation codes.
1.2.1.3.2. Health and safety standards.
1.2.1.3.3. Non-discrimination.
1.2.1.3.4. Fair Housing.
1.2.2. The Contractor must develop application and re-application templates,
tailored to each of the NARR Recovery Residence Levels of Support
(certification levels).
1.2.3. The Contractor must implement and maintain a process for receiving,
processing, and responding to applications from prospective recovery
residence owners and/or operators. The Contractor must ensure the
application process includes, but is not limited to the following steps:
RFP-2025-DBH-01-CERTI-01 B-2.0 Contractor Initials
5/15/2024
Growth Partners, LLC. Date
1.2.3.1. Step 1 - Notification of Interest: The Contractor must ensure
recovery residence owners and/or operators can initiate the
certification process for their residence through a Notification of
Interest form that can be completed electronically and submitted
via email or through the owner/operator portal on the NHPRR
website, detailed in Section 1.5.
1.2.3.2. Step 2 - Preliminary Conversation: The Contractor must
engage recovery residence owners and/or operators who
complete Step 1, via telephone and/or email, to discuss the
program and process. The preliminary conversation must include,
but is not limited to:
1.2.3.2.1. Overview of application process and requirements.
1.2.3.2.2. Identification of potential challenges, concerns,
and/or questions that need to be addressed before
the owner and/or operator will be ready to move
forward with certification.
1.2.3.2.3. Information on funding opportunities and streams to
help recovery residence owners and/or operators,
who face financial barriers to aligning with the
certification criteria, overcome those obstacles.
1.2.3.2.4. Overview of requisite materials to begin next steps.
1.2.3.2.5. Confirmation of the intent to proceed with the
certification process.
1.2.3.2.6. Scheduling of the Virtual Inventory Visit, detailed
below, as applicable.
1.2.3.3. Step 3 - Virtual Inventory Visit: The Contractor must meet with
the recovery residence owners and/or operators who confirm their
intent to proceed (applicant) to formally begin the certification
process, as applicable. The Contractor must ensure the Virtual
Inventory Visit includes, but is not limited to:
1.2.3.3.1. Introduction of NHPRR and residence leadership.
1.2.3.3.2. Explanation and review of the Social Model
philosophy and NARR Standards.
1.2.3.3.3. Determination of the appropriate certification level for
the residence, using NARR resources and resources
developed in collaboration with the Department.
1.2.3.3.4. Access to and overview of:
1.2.3.3.4.1. Program policies and procedures.
1.2.3.3.4.2. The Recovery Residence Certification
Guidance Manual, as detailed in
Section 1.2.9.
1.2.3.3.5. Identification of potential challenges to certification
and development of mitigation plans to address and
resolve challenges.
1.2.3.3.6. Onboarding applicants to the NHPRR owner and/or
operator web-portal, which includes training to
familiarize applicants with the portal so they can
begin the certification process with confidence.
1.2.3.4. Step 4 - Provision of Application: The Contractor must provide
the applicant with an electronic copy of the appropriate
application, based on the certification level determined during the
Virtual Inventory Visit.
1.2.3.5. Step 5 - Application Completion: The Contractor must:
1.2.3.5.1. Review and assist the applicant with application
completion and submission;
1.2.3.5.2. Provide support and targeted training and technical
assistance (T/TA) to the applicant, as needed, to
resolve any missing information; and
1.2.3.5.3. Connect applicants to certified recovery residence
owners and/or operators to provide peer mentoring
on the application process, as appropriate.
1.2.3.6. Step 6 - Follow-up: The Contractor must follow-up with the
applicant in-person or virtually regarding the completion of the
application and must provide technical assistance to the
applicant, as needed, to complete the application, meet NARR
Standards, and identify and discuss any issues or deficiencies.
1.2.3.7. Step 7 - Application Review: The Contractor must review the
submitted application to ensure it is complete and complies with
all requirements. If the application is incomplete or otherwise non-
compliant, the Contractor must work with the applicant to create
a plan to become compliant with all requirements.
1.2.3.8. Step 8 - Verification Visit: The Contractor must schedule an in-
person visit to the residence to verify all standards have been met.
The Contractor must ensure the Verification Visit includes, but is
not limited to:
1.2.3.8.1. Walkthrough and inspection of the residence.
1.2.3.8.2. Interviews with house leadership.
1.2.3.8.3. Interviews with house residents, as appropriate, and
with their permission.
1.2.3.8.4. Securing attestation from each owner and/or
operator, government agency, or credentialed
inspector that the house meets health and safety
standards, codes, ordinances, and other
requirements as indicated by local authorities.
1.2.3.8.5. Obtaining a signed Code of Ethics from the owner
and/or operator.
1.2.3.9. Step 9 - Certification Granted: The Contractor must onboard the
newly certified owner and/or operator, which includes but is not
limited to providing:
1.2.3.9.1. Electronic or paper copies of all finalized certification
materials, which includes the certification expiration
date and steps for recertification.
1.2.3.9.2. An introduction to the Certified Owner/Operator
Network.
1.2.3.9.3. An invoice for the certification fee.
1.2.3.9.4. A form to gather feedback regarding the application
process from the newly certified owner and/or
operator.
1.2.3.10. Step 10 - Ongoing Support and Guidance: The Contractor
must follow up with owners and/or operators, as needed to ensure
certification standards are met and maintained.
1.2.4. The Contractor must implement and maintain a process for certified
recovery residence owners and/or operators to recertify residences. The
Contractor must ensure the recertification process includes, but is not
limited to the following steps:
1.2.4.1. Step 1 - Notice of Renewal.
1.2.4.2. Step 2 - Recertification Application provision, completion,
submission, and review.
1.2.4.3. Step 3 - Onsite Visit.
1.2.4.4. Step 4 - Feedback Report.
1.2.4.5. Step 5 - Certification Granted.
1.2.4.6. Step 6 - Ongoing Support and Guidance.
1.2.5. The Contractor must ensure any changes to the application processes
identified above are reviewed and approved by the Department prior to
implementation.
1.2.6. The Contractor must ensure application processes are secure and meet all
information security and privacy requirements, as set by the Department,
and in accordance with the Department's Information Security
Requirements.
1.2.7. The Contractor must collaborate with the Department to develop a process
to track application progress, certification status, and compliance of
residences. The Contractor must ensure tracking includes, but is not limited
to:
1.2.7.1. Recovery residences identified and provided with information
regarding the certification process.
1.2.7.2. Certified recovery residences, including, but not limited to the
following information for each certified house:
1.2.7.2.1. Name, address, and contact information of the
recovery residence and its owner and/or operator.
1.2.7.2.2. Date of certification and/or recertification and
expiration date.
1.2.7.2.3. Population(s) served.
1.2.7.2.4. Overall bed capacity.
1.2.7.2.5. Current number of beds available.
1.2.7.3. Suspension and revocation of certification, as applicable,
including, but not limited to:
1.2.7.3.1. Date of suspension or revocation.
1.2.7.3.2. Name, address, and contact information of the
recovery residence and its owner and/or operator.
1.2.7.3.3. Reason(s) for suspension or revocation.
1.2.7.4. Other information as requested by the Department.
1.2.8. The Contractor must collaborate with the Department to develop policies
and procedures for the certification and recertification process. The
Contractor must ensure policies and procedures are approved by the
Department prior to implementation and must, at a minimum:
1.2.8.1. Clearly define:
1.2.8.1.1. Recruitment and retention of recovery residences;
1.2.8.1.2. Application, submission, and review requirements;
1.2.8.1.3. Requirements for certification, provisional
certification, conditional certification, and
recertification;
1.2.8.1.4. Conditions and process(es) for certification
suspension and revocation;
1.2.8.1.5. Roles and responsibilities of the Contractor;
1.2.8.1.6. Roles and responsibilities of owners and/or
operators;
1.2.8.1.7. Complaint procedure and process; and
1.2.8.1.8. Standardized assessment tools to be used
throughout the certification process; and
1.2.8.2. Ensure:
1.2.8.2.1. Fair, equitable, and unbiased services for each
recovery residence; and
1.2.8.2.2. Compliance with all applicable state and federal laws
and regulations, health and safety standards,
ordinances, and codes as developed, revised, and
updated, including, but not limited to those identified
above.
1.2.9. The Contractor must develop a comprehensive Recovery Residence
Certification Guidance Manual for recovery residence owners and/or
operators seeking certification. The Contractor must ensure the manual is
reviewed and approved by the Department, prior to implementation and
includes, but is not limited to, the following information:
1.2.9.1. Overview of the certification, recertification, suspension, and
revocation processes.
1.2.9.2. Overview of the requirements and criteria for certification.
1.2.9.3. Steps to obtaining and maintaining certification.
1.2.9.4. Roles and responsibilities of the Contractor and of owners and/or
operators as they relate to the certification process.
1.2.9.5. NARR Standards and levels of recovery housing for Social Model
recovery residences.
1.2.9.6. Copy(s) of assessment tools.
1.2.9.7. List of potential funding sources and grants available for recovery
residences seeking certification.
1.2.9.8. List of available T/TA.
1.2.10. The Contractor must work with certified recovery residence owners and/or
operators, and the Department, as appropriate, when lapses in standards
and best practices, identified in Section 1.2.1, are identified within certified
recovery residences. The Contractor must:
1.2.10.1. Identify and address the underlying causes to prevent future
occurrences;
1.2.10.2. Establish and maintain open channels of communication among
staff, residents, and owners and/or operators to ensure concerns
can be raised without fear of reprisal; and
1.2.10.3. Conduct comprehensive monitoring strategies, as appropriate,
that flag deviations from established standards. Strategies may
include, but are not limited to:
1.2.10.3.1. Regular Recovery Capital Assessments (RECSP),
providing quantitative data on the recovery
environment's effectiveness and highlighting areas
that may need attention.
1.2.10.3.2. Routine audits.
1.2.10.3.3. Resident feedback mechanisms.
1.2.10.3.4. Staff self-assessments.
1.2.11. The Contractor must categorize and address lapses in standards and best
practices, using a tiered approach that includes, but is not limited to:
1.2.11.1. Tier 1: Minor Infractions: Deviations from best practices that do
not immediately impact resident safety or well-being. Minor
infractions will be addressed, internally, through targeted T/TA.
1.2.11.2. Tier 2: Moderate Issues: Potential implications for resident safety
or the quality of care but are not immediate threats. Moderate
issues will be addressed through internal corrective measures
and will be documented and reported to the Department, within a
timeframe and a format approved by the Department.
1.2.11.3. Tier 3: Serious Infractions: Infractions that pose immediate risks
to resident safety or signify a significant breach of operational
standards, require immediate action. The Contractor must notify
the Department within one (1) day of a Tier 3 Lapse being
identified.
1.2.12. The Contractor must manage and rectify lapses in standards as follows:
1.2.12.1. Immediate Response and Assessment: Assessing the extent
and impact of the deviation from standards and gathering all
relevant information and context surrounding the lapse;
1.2.12.2. Root Cause Analysis: Conducting a thorough investigation,
including, but not limited to:
1.2.12.2.1. Reviewing procedures.
1.2.12.2.2. Interviewing staff and residents, as applicable.
1.2.12.2.3. Analyzing any systemic issues that may have
contributed to the problem;
1.2.12.3. Correction Action Plan (CAP) Development: Developing a
comprehensive CAP in collaboration with the owner and/or
operator, as needed. The Contractor agrees that the CAP:
1.2.12.3.1. Must:
1.2.12.3.1.1. Outline specific steps to rectify the
current lapse; and
1.2.12.3.1.2. Include measures to prevent similar
issues in the future; and
1.2.12.3.2. May include, but is not limited to:
1.2.12.3.2.1. Revising policies and procedures, as
appropriate.
1.2.12.3.2.2. Enhancing training program, as
appropriate.
1.2.12.3.2.3. Making changes to oversight and
monitoring processes;
1.2.12.4. Training and Support: Implementing targeted training sessions
and support mechanisms for staff and management involved in
the lapse;
1.2.12.5. Monitoring and follow-up: Monitoring the effectiveness of and
ensuring compliance with the CAP. The Contractor agrees that
monitoring and follow-up may include, but is not limited to:
1.2.12.5.1. Scheduled check-ins and feedback sessions.
1.2.12.5.2. Additional audits.
1.2.12.5.3. Use of metrics and indicators to track progress;
1.2.12.6. Documentation and Communication: Maintaining detailed
records of the lapse and open communication with all applicable
stakeholders. The Contractor must ensure documentation
includes, but is not limited to:
1.2.12.6.1. Tier of lapse, as identified above.
1.2.12.6.2. Investigation findings.
1.2.12.6.3. Correction action taken, as applicable.
1.2.12.6.4. Results of follow-up and monitoring; and
1.2.12.7. Review, Train, and Update: Reviewing of and training on
standards and practices, which may include, but are not limited
to:
1.2.12.7.1. Revising certification criteria.
1.2.12.7.2. Enhancing quality assurance processes.
1.2.12.7.3. Updating training programs to incorporate lessons
learned.
1.2.13. The Contractor must monitor maintenance of Standards and best practices
to inform ongoing improvement efforts using the following strategies:
1.2.13.1. Identifying the prevalence and incidence of types of complaints,
concerns, and grievances received to determine T/TA needs;
1.2.13.2. Periodically evaluating the ability of recovery residences to assist
residents in developing recovery capital and achieving long-term
recovery goals;
1.2.13.3. Encouraging residents to actively participate in feedback
mechanisms to identify trends, address concerns quickly, and
help owners and/or operators adapt services to meet residents'
needs; and
1.2.13.4. Using certification renewal as an opportunity for thorough review
and reflection on the previous year.
1.2.14. The Contractor must provide in-person and virtual informational sessions for
recovery residence owners and/or operators to learn about the benefits of,
and process for, becoming a certified recovery residence. The Contractor
must ensure sessions include the following information:
1.2.14.1. Benefits of becoming certified;
1.2.14.2. Program description and high-level overview of the certification
process;
1.2.14.3. Information on NARR, including its Standards and levels of
recovery housing for Social Model recovery houses;
1.2.14.4. Definitions and descriptions of:
1.2.14.4.1. Safe and effective recovery houses; and
1.2.14.4.2. The Social Model for Recovery;
1.2.14.5. Certification process support available to owners and/or
operators; and
1.2.14.6. Details of the Contractor's organization, including, but not limited
to:
1.2.14.6.1. Mission.
1.2.14.6.2. Vision.
1.2.14.6.3. Advisory Board and staff members.
1.2.14.6.4. Contact information.
1.2.15. The Contractor must provide in-person and remote technical assistance that
supports owners and/or operators in meeting and maintaining certification
standards. The Contractor must ensure technical assistance includes, but
is not limited to:
1.2.15.1. Providing consultation for the development of recovery residence
policies and procedures.
1.2.15.2. Best practices in the operation of recovery residences.
1.2.15.3. Addressing specific needs for service populations.
1.2.15.4. Additional support as identified throughout the certification, re-
certification, suspension, and revocation processes.
1.2.16. The Contractor must provide in-person and remote training opportunities to
owners and/or operators. The Contractor must ensure topics include, but
are not limited to:
1.2.16.1. Understanding and complying with local, state and federal laws
and regulations including, but not limited to:
1.2.16.1.1. Building, occupancy, fire, and sanitation codes.
1.2.16.1.2. Health and safety standards.
1.2.16.1.3. Non-discrimination.
1.2.16.1.4. Fair Housing.
1.2.16.2. Cultural effectiveness.
1.2.16.3. Understanding and supporting multiple recovery pathways.
1.2.16.4. Working with, and providing accommodations for, unique
populations and residents with disabilities or other special needs.
1.2.16.5. Toxicology and drug testing.
1.2.16.6. Medication for Addiction Treatment/Medication Assisted
Recovery (MAT/MAR) and safe medication management.
1.2.16.7. Naloxone administration.
1.2.16.8. Good neighbor practices.
1.2.17. The Contractor must provide owners and/or operators support and
assistance to establish relationships with substance use disorder (SUD)
service access points to ensure the availability of community-based
supports and services to house residents, including, but not limited to:
1.2.17.1. NH Doorways.
1.2.17.2. Recovery Community Organizations and Centers.
1.2.17.3. Regional Public Health Networks.
1.2.18. The Contractor must conduct a recovery residence gaps analysis to identify
underserved areas and populations in New Hampshire using surveys,
professional networks, publicly available data, community needs
assessments, and Geographic Information System (GIS) data.
1.2.19. The Contractor must collaborate with the Department and identified
stakeholders to review findings of the gaps analysis and utilize information
to develop:
1.2.19.1. Targeted interventions that address gaps.
1.2.19.2. Effective strategies to engage non-certified and potential recovery
residences.
1.2.20. The Contractor must engage and collaborate with community partners,
using community-based participatory research approaches, to identify and
refer new and existing recovery residences that are not currently certified,
as well as prospective recovery residence owner/operators who may or may
not be considering certification. The Contractor must work with community
partners which may include, but are not limited to:
1.2.20.1. Recovery Community Organizations.
1.2.20.2. Recovery Friendly Workplaces.
1.2.20.3. Substance Use Disorder Treatment Providers.
1.2.20.4. Regional Public Health Networks.
1.2.20.5. NH Doorways.
1.2.20.6. Peer Support Advocacy Groups.
1.2.20.7. State and Local Government Agencies.
1.2.20.8. Hospitals.
1.2.20.9. Primary Care Providers.
1.2.20.10. Social Work Organizations.
1.2.21. The Contractor must work to retain certified recovery residences using
structured feedback mechanisms for certified recovery residence owners
and/or operators to share experiences and suggestions. The Contractor
must ensure retention efforts:
1.2.21.1. Allow for both anonymous and attributed feedback;
1.2.21.2. Foster continuous quality improvement;
1.2.21.3. Value each residence's contribution to the broader recovery
community;
1.2.21.4. Identify and address challenges or needs experienced by owners
and/or operators; and
1.2.21.5. Include, but not be limited to the following activities:
1.2.21.5.1. Surveys.
1.2.21.5.2. Focus Groups.
1.2.21.5.3. Facilitated Peer Networking.
1.2.22. The Contractor must develop a public engagement campaign, in
collaboration with the Department, that positively challenges perceived
assumptions and influences approaches involving recovery residences,
certification, and the Social Model. Campaign activities may include, but are
not limited to:
1.2.22.1. Speaking engagements.
1.2.22.2. Presentations.
1.2.22.3. Print, digital, and social marketing communications.
1.2.23. The Contractor must maintain an accurate and up-to-date listing of available
beds by certification level. The Contractor must ensure information is
available on the NHPRR website and easily accessible to individuals in need
of recovery housing.
1.2.24. The Contractor must maintain current knowledge of NARR Standards and
best practices.
1.2.25. The Contractor must ensure the certification, re-certification, suspension,
and revocation processes are consistently applied and followed.
1.2.26. The Contractor must compile resources related to certification, best-
practices, and other applicable items for owners, operators, and residents
of certified recovery residences.
1.2.27. The Contractor must ensure all materials created through this Agreement
are reviewed and approved by the Department prior to dissemination.
1.3. Addressing Concerns and Complaints:
1.3.1. The Contractor must implement a process to receive, investigate and
address concerns and complaints from owners, operators, and residents of
certified recovery residences.
1.3.2. The Contractor must ensure residents, staff, and other individuals have
multiple ways to communicate complaints to NHPRR, including:
1.3.2.1. Electronic submission via the Contractor's secure website;
1.3.2.2. Dedicated phone number;
1.3.2.3. Paper form;
1.3.2.4. Email; and
1.3.2.5. Personal contact with designated NHPRR staff.
1.3.3. The Contractor must designate a primary and backup staff person to receive
and review each complaint as it is received. The Contractor must ensure the
review process includes, but is not limited to determining:
1.3.3.1. Who the complaint came from, which may include, but is not
limited to:
1.3.3.1.1. Residents.
1.3.3.1.2. Owner and/or operators.
1.3.3.1.3. Staff.
1.3.3.1.4. Neighbors.
1.3.3.2. Nature and urgency of the complaint.
1.3.3.3. Individuals and/or residence(s) involved in the complaint.
1.3.4. The Contractor must open a case file, upon receipt of a complaint, to
document and track activities throughout the investigation and resolution
process.
1.3.5. The Contractor must determine the severity of the complaint, assign a
priority level, and notify appropriate entities within timelines approved by the
Department, as follows:
1.3.5.1. Urgent: Complaints that indicate an immediate danger to health
or safety. The Contractor must escalate complaints categorized
as urgent by immediately contacting:
1.3.5.1.1. The Department;
1.3.5.1.2. The complainant; and
1.3.5.1.3. Appropriate authority(ies), which may include, but are
not limited to:
1.3.5.1.3.1. Law enforcement agencies.
1.3.5.1.3.2. Local authorities.
1.3.5.1.3.3. The New Hampshire Department of
Justice;
1.3.5.2. High Priority: Complaints that involve important issues but do not
pose immediate threats to health or safety. The Contractor must:
1.3.5.2.1. Ensure High Priority complaints include, but are not
limited to:
1.3.5.2.1.1. Potential for future health or safety
issues.
1.3.5.2.1.2. Unsound management or financial
practices.
1.3.5.2.1.3. Violations of ethical issues, rules,
and/or regulations;
1.3.5.2.2. Follow up with complainants within one (1) business
day to acknowledge receipt of the complaint;
1.3.5.2.3. Collect and document additional information, as
needed, to determine the nature and type of
complaint; and
1.3.5.2.4. Document the complaint and notify the Department
within one (1) business day of contact with
complainant and documenting additional information,
as applicable; and
1.3.5.3. Moderate Priority: Complaints that involve disagreements,
disputes, or dissatisfactions, but no apparent violations of state or
NARR certification standards or ethics. The Contractor must:
1.3.5.3.1. Follow up with complainants within two (2) business
days to acknowledge receipt of the complaint;
1.3.5.3.2. Collect any additional information needed to
determine the nature and type of complaint; and
1.3.5.3.3. Document the complaint and notify the Department
within two (2) business days of contact with
complainant and documenting additional information,
as applicable.
1.3.6. The Contractor must provide written notification to the Department, in a
format approved by the Department, of all complaints that meet the following
conditions:
1.3.6.1. Complaints based on the complainant's first-hand knowledge
regarding the allegation(s);
1.3.6.2. Complaints concerning the health of residents and safety of the
recovery residence;
1.3.6.3. Complaints concerning the management of the recovery
residence, including but not limited to:
1.3.6.3.1. Environment of the residence.
1.3.6.3.2. Financial procedures.
1.3.6.3.3. Staffing.
1.3.6.3.4. Rules and regulations of the residence.
1.3.6.3.5. Recovery support environment.
1.3.6.3.6. Any other concerns affecting the complainant;
1.3.6.4. Complaints concerning illegal activities or threats; and
1.3.6.5. Other complaints, as identified by the Department.
1.3.7. For complaints that require investigation, the Contractor must:
1.3.7.1. Provide the complainant with a single point of contact throughout
the investigation process;
1.3.7.2. Interview complainant and other parties, as appropriate;
1.3.7.3. Collect additional information, as applicable;
1.3.7.4. Review residence rules and policies, NARR Code of Ethics and
Standards, local ordinances, and other information as applicable;
1.3.7.5. Collaborate with the Department and identified external agencies,
as appropriate;
1.3.7.6. Seek input from Subject Matter Experts, as appropriate;
1.3.7.7. Thoroughly document all aspects of the investigation; and
1.3.7.8. Protect the confidentiality of the complainant.
1.3.8. The Contractor must provide weekly written status updates of all
investigations to the Department, throughout the investigation process,
including, but not limited to:
1.3.8.1. Investigation finding(s), including facts and evidence to support
conclusions.
1.3.8.2. Referral(s) made to appropriate authorities, if applicable.
1.3.8.3. Action(s) taken to resolve or mitigate the issue, including any
corrective action plan developed, if applicable.
1.3.8.4. Resolution status, if applicable.
1.3.8.5. Date of resolution, if applicable.
1.3.9. The Contractor must notify the Department, in writing, within one (1) day of
any residence(s) whose certification is revoked. The Contractor must ensure
notification includes, but is not limited to:
1.3.9.1. Owner and/or operator name.
1.3.9.2. Name and address of the recovery residence.
1.3.10. The Contractor must ensure all information regarding concerns and
complaints are transmitted to the Department and to the applicable recovery
residence owner/operators in a secure format that meets all information
security and privacy requirements as set by the Department and in
accordance with the Department's Information Security Requirements.
1.3.11. The Contractor must collaborate with the Department to develop complaint
policies and procedures. The Contractor must ensure policies include, but
are not limited to:
1.3.11.1. How concerns and complaints are received, filed, investigated,
and resolved.
1.3.11.2. Fair, equitable and unbiased review, investigation and resolution
of all identified concerns, complaints, and grievances.
1.3.11.3. Ensuring confidentiality of the individual(s) filing a complaint or
grievance and protection of the filer from retribution, intimidation,
and/or negative consequences.
1.3.11.4. Ensuring members of the Advisory Board are not involved in
addressing concerns and complaints.
1.3.12. The Contractor must distribute the concerns and complaints policy and
procedures to all certified recovery residence owners and/or operators and
ensure:
1.3.12.1. The policy and procedures are posted in an area easily accessible
by staff and residents; and
1.3.12.2. Are reviewed with staff and residents as part of the onboarding or
intake process, and as needed to ensure awareness and
understanding.
1.3.13. The Contractor must ensure all certified recovery residence owners and/or
operators have internal grievance procedures, that:
1.3.13.1. Include the process for filing complaints, concerns, and
grievances with the residence and NHPRR;
1.3.13.2. Are reviewed with all staff and residents;
1.3.13.3. Are posted in a visible and easily accessible area of the
residence; and
1.3.13.4. Are posted on the residence website.
1.3.14. The Contractor must encourage certified recovery residences to practice
being good neighbors by prominently posting easy-to-use means for
community members and neighbors to communicate concerns and request
responses on their websites.
1.3.15. The Contractor must analyze trends and patterns in complaint data to
proactively reduce or prevent some types of complaints.
1.3.16. The Contractor must develop responsive, data-driven T/TA and related
information and supports for recovery residence owner and/or operators and
residents.
1.3.17. The Contractor must maintain ethical standards and ensure impartial,
transparent, and accountable processes for addressing concerns and
complaints within recovery residences.
1.3.18. The Contractor must ensure all staff involved in the complaint resolution
process receive comprehensive training on the following topics:
1.3.18.1. Ethical conduct;
1.3.18.2. Best practices for mediation; and
1.3.18.3. Adherence to regulatory guidelines and certification standards.
1.3.19. The Contractor must ensure Advisory Board members, described in Section
1.4., are not involved in addressing concerns or complaints.
1.4. Advisory Board
1.4.1. The Contractor must develop and maintain an Advisory Board to support
the goals and objectives of this Agreement. The Contractor must ensure the
Advisory Board, at a minimum, provides guidance and consultation to
ensure:
1.4.1.1. Services are provided ethically, equitably, impartially, and without
bias;
1.4.1.2. Decisions are made in the best interest of the NHPRR and
individuals served through the Program; and
1.4.1.3. Compliance with all applicable state and federal laws and
regulations, health and safety standards, and codes.
1.4.2. The Contractor must ensure the Advisory Board has a diverse membership
that considers cultural, demographic, and geographic makeup, including,
but not limited to:
1.4.2.1. Individuals with lived experience as a recovery residence
resident.
1.4.2.2. Family members of individuals in recovery.
1.4.2.3. Community members.
1.4.2.4. Recovery Community Organizations.
1.4.2.5. Behavioral healthcare providers.
1.4.2.6. Individuals from the Government and business sector.
1.4.3. The Contractor must ensure Advisory Board members, described above,
are not involved with the provision of services for this Agreement, including,
but not limited to:
1.4.3.1. Certification of recovery residences.
1.4.3.2. Concerns, complaint, and grievance processes involving
recovery residences.
1.4.4. The Contractor must ensure conflicts of interest are recognized and
disclosed, ensuring Advisory Board members, with a conflicting interest,
avoid influencing the operation of the organization by any direct or indirect
means.
1.4.5. The Contractor must collaborate with the Department to establish a conflict-
of-interest policy for the Advisory Board, staff members, and other key
personnel to adhere to. The Contractor must ensure the conflict-of-interest
policy includes, but is not limited to:
1.4.5.1. A statement about an individual's duty to disclose any conflicts or
possible conflicts of interest.
1.4.5.2. The process for identifying, disclosing, and managing conflicts of
interest, including a recusal process when a conflict is found.
1.4.5.3. A disclosure statement that is signed by all Advisory Board
members and staff members, including the Program Director and
other key personnel, annually.
1.5. Website and Social Media
1.5.1. The Contractor must host and maintain a public-facing website that
includes, but is not limited to the following information:
1.5.1.1. Details of the Contractor, including, but not limited to:
1.5.1.1.1. Mission.
1.5.1.1.2. Vision.
1.5.1.1.3. Advisory Board and staff members.
1.5.1.1.4. Contact information.
1.5.1.2. Certification, recertification and application policies and
processes.
1.5.1.3. Grievance procedure and process.
1.5.1.4. NARR standards and levels of recovery housing.
1.5.1.5. Resources related to certification, best-practices, and other
applicable items for recovery residence owners and/or operators
and house residents.
1.5.1.6. Information on each certified recovery residence, including, but
not limited to:
1.5.1.6.1. Location.
1.5.1.6.2. Contact information.
1.5.1.6.3. Population served.
1.5.1.6.4. Overall bed capacity.
1.5.2. The Contractor must provide the Department with an initial website plan
within 10 days of the Effective Date of this Agreement. The Contractor must:
1.5.2.1. Ensure the plan includes, but is not limited to layout, landing
pages, and related content.
1.5.2.2. Collaborate with the Department to review, refine, and finalize the
plan.
1.5.2.3. Ensure the website adheres to the NH DoIT and Security
requirements, prior to launch.
1.5.3. The Contractor must work with the Department's Communications Bureau
to ensure that any social media or website designed, created, or managed
on behalf of the Department meets all Department and NH DoIT website
and social media requirements and policies.
1.5.4. The Contractor agrees Protected Health Information (PHI), Personally
Identifiable Information (PII), or other Confidential Information solicited
either by social media or the website that is maintained, stored or captured
must not be further disclosed unless expressly provided in the Contract. The
solicitation or disclosure of PHI, PII, or other Confidential Information is
subject to the terms of the Department's Information Security Requirements
Exhibit, the Business Associate Agreement signed by the parties, and all
applicable Department and federal law, rules, and agreements. Unless
specifically required by the Agreement and unless clear notice is provided
to users of the website or social media, the Contractor agrees that site
visitation must not be tracked, disclosed or used for website or social media
analytics or marketing.
1.5.5. State of New Hampshire's Website Copyright
1.5.5.1. All right, title and interest in the State WWW site, including
copyright to all Data and information, shall remain with the State
of New Hampshire. The State of New Hampshire shall also retain
all right, title and interest in any user interfaces and computer
instructions embedded within the WWW pages. All WWW pages
and any other Data or information shall, where applicable, display
the State of New Hampshire's copyright.
1.6. The Contractor must collaborate with the Department to practice continual quality
improvement throughout all NHPRR processes. The Contractor must ensure that
quality improvement efforts include, but are not limited to:
1.6.1. Conducting regular reviews of all procedures and outcomes.
1.6.2. Identifying areas for enhancement.
1.6.3. Implementing correction actions as needed.
1.7. The Contractor must participate in meetings with the Department, monthly, or as
otherwise requested by the Department to review contract performance, enhance
contract management, improve results, and adjust program delivery and policy based
on challenges and barriers encountered and successful outcomes.
1.8. The Contractor may be required to participate in on-site reviews conducted by the
Department on a semi-annual basis, or as otherwise requested by the Department.
1.9. The Contractor must ensure all written materials, developed through this Agreement,
are reviewed and approved by the Department prior to dissemination.
1.10. Workplan
1.10.1. The Contractor must adhere to the following Certification Program
Framework Workplan and, in collaboration with the Department, provide an
updated and modified Work Plan if required, within 30 days from the
Effective Date of this Agreement.
Initial Setup and Foundation Building (Months 1-4)
Establish Certification Program Framework (Months 1-2). Collaborate with the
Department to define and establish program standards, policies, and procedures.
o Create Recovery Residence Certification Guidance Manual for
Department approval (Months 2-4). Compile a comprehensive guide to
recovery residence certification, including certification criteria, the application
process, and support resources. This will require content development, input
from NARR and local authorities, and publication tools.
o Develop and Implement Application and Review Process (Months 1-3).
Establish a thorough review process and designate staff for application
evaluation. This will require IT development for the application portal, training
for review team members, and process management tools.
o Implement a Tracking System for Certification Status (Development
during months 2-3, Implementation during month 4 and onward). Develop
a database to track the certification status, application progress, and
compliance of residences. This will require database software, IT support, and
training for staff on system usage.
Website Development (Months 1-4).
o Front-end (Month 1). Design and develop the public-facing website, focusing
on user experience, accessibility, and compliance with the Department's
standards. This phase includes creating the site architecture, designing the
user interface, and developing content for the certification program, including
policies, processes, and guidance.
o Web Portal (Month 1). Develop web portal for applications, integrating it
seamlessly with the website. This involves setting up secure login
mechanisms, application forms, and database connectivity for application
tracking and management.
o Ensure Compliance with Privacy and Security Standards. Contractor will
implement security measures for the application portal and data storage, in line
with the Department's Information Security Protocol Requirements. This will
require cybersecurity tools, IT security specialists, and compliance auditors.
Set Up T/TA (Month 3, ongoing). Develop training modules on NARR Standards,
local regulations, and the application process. Implement scheduling and delivery
mechanisms for T/TA.
Review and Approve Policies and Procedures with the Department (Months 1-4,
ongoing). Conduct meetings with the Department to review, adjust, and approve all
developed policies and procedures, including reporting tools and processes for
quarterly and ad hoc reports.
Engagement with Owner/Operators During Transition (Months 2-4, ongoing).
Engage with existing certified owner/operators to affirm the continued importance of
their insights and feedback on what is going well and what are areas for improvement.
Advisory Board. Initial meeting with Advisory Board members during the first 30
days. Develop a conflict-of-interest policy and channels for members to disclose any
conflicts of interest within the first 60 days.
Retain Existing Certified Residences. Implementing a comprehensive support
system that offers continual education, quality improvement programs, and proactive
recertification support, ensuring that the certification is seen not just as a compliance
achievement but as a commitment to ongoing excellence.
Operational Deployment and Community Engagement (Months 5-8)
• Certification Process Monitoring and Support. Conduct a comprehensive review of
the existing application process and make adaptations, as appropriate. Review
activities could include surveying certified owner/operators on their experience with
the application process, reviewing existing and inherited materials, and experience
building relationships with certified residences over time.
• Retain Existing Certified Residences (Month 1, ongoing). Conduct surveys with
owners and leadership, allowing for the identification of potential areas for
improvement and ensuring that the program remains responsive and relevant to the
needs of certified residences. Facilitate a feedback loop where operators can share
experiences and suggestions to foster a collaborative environment, empowering them
to contribute actively to the broader recovery community.
Identification of Noncertified Residences (Months 3-6). Collaborate with recovery
partners to identify noncertified residences and seek their input. This involves
conducting surveys and focus groups to pinpoint specific obstacles.
Identification of geographic and population service gaps. Collaborate with
recovery partners to perform data collection to assess community needs, availability,
and accessibility.
Evaluation, Expansion, and Enhancement (Months 9-12, ongoing).
Conduct annual review (Month 12). Review Contractor processes using data and
feedback collected over the past year. Review any enhancements that have been
implemented.
Engage non-certified residences. Strategies include simplifying the path to
certification through supportive measures, streamlined processes, and providing
access to resources. Engaging stakeholders, including treatment providers, local
governments, and community organizations, to promote the value of certification will
play a crucial role in this strategy.
Address geographic and population service gaps. Evaluate needs, availability,
and accessibility data with Advisory Board members to identify population and service
gaps and develop tailored mitigation strategies. Strategies may include advocacy,
directing funding, and providing T/TA.
Application. Streamline and/or enhance the application process through the
development and refining of clear, concise guidance materials for applicants. Training
certification specialists on the new application process, focusing on providing
educational support to applicants.
1.11. Staffing
1.11.1. The Contractor must recruit and maintain sufficient staff necessary to
perform and carry out all of the functions, requirements, roles and
duties identified this Agreement. The Contractor must ensure staff
includes, but is not limited to, the following positions located in New
Hampshire:
1.11.1.1. One (1), FTE Program Director; and
1.11.1.2. One (1), 0.5 FTE Program Assistant.
1.11.2. The Contractor must notify the Department in writing of changes in key
personnel and provide, within five (5) business days to the Department,
updated resumes that clearly indicate the staff member is employed by the
Vendor. Key personnel are those staff members for whom at least 10% of
their work time is spent on this scope of services.
1.11.3. The Contractor must notify the Department in writing within one (1) month
of hire when a new administrator, coordinator, or any staff person essential
to carrying out this scope of services is hired to work in the program. The
Contractor must ensure notification includes a copy of the newly hired staff
member's resume, which clearly indicates the staff member is employed by
the Contractor.
1.11.4. The Contractor must notify the Department in writing within 10 business
days, when there is not sufficient staffing to perform all required
services for more than one (1) month.
1.12. Reporting
1.12.1. Certification Program Reporting:
1.12.1.1. The Contractor must submit quarterly reports to the Department,
which include, but are not limited to:
1.12.1.1.1. Number of recovery houses provided with
informational sessions.
1.12.1.1.2. Number of recovery houses that have applied for
certification and the status of each application.
1.12.1.1.3. Number of recovery houses certified.
1.12.1.1.4. Number, name, and address(es) of recovery house(s)
with certifications that have expired, lapsed, or been
revoked;
1.12.1.1.5. Number of trainings delivered, including, but not
limited to:
1.12.1.1.5.1. Training date and title.
1.12.1.1.5.2. Number of individuals attending.
1.12.1.1.5.3. Names of Recovery house(s) in
attendance.
1.12.1.1.6. Number of technical assistance (TA) sessions
provided to certified recovery houses, including, but
not limited to:
1.12.1.1.6.1. Session date(s) and topic(s).
1.12.1.1.6.2. Recovery house(s) receiving TA.
1.12.2. Concerns and Complaints Services Reporting:
1.12.2.1. The Contractor must submit quarterly reports to the Department,
which include, but are not limited to:
1.12.2.1.1. A description of each reported concern, complaint, or
grievance against a certified recovery house that
includes, but is not limited to:
1.12.2.1.1.1. Date received.
1.12.2.1.1.2. Recovery house involved.
1.12.2.1.1.3. Nature of the concern, complaint, or
grievance.
1.12.2.1.1.4. Whether or not an investigation was
conducted.
1.12.2.1.1.5. Action taken and result of
investigation, as applicable.
1.12.2.1.1.6. Description of resolution.
1.12.2.2. The Contractor must provide key data in a format and at a
frequency specified by the Department.
1.12.2.3. The Contractor may be required to provide other key data and
metrics to the Department in a format specified by the
Department.
1.13. Background Checks
1.13.1. Prior to permitting any individual to provide services under this Agreement, the
Contractor must ensure that said individual has undergone:
1.13.1.1. A criminal background check, at the Contractor's expense, and has no
convictions for crimes that represent evidence of behavior that could
endanger individuals served under this Agreement; and
1.13.1.2. For staff providing direct services in New Hampshire, a name search
of the Department's Bureau of Elderly and Adult Services (BEAS)
State Registry, pursuant to RSA 161-F:49, with results indicating no
evidence of behavior that could endanger individuals served under this
Agreement.
1.14. Confidential Data
1.14.1. The Contractor must meet all information security and privacy requirements
as set by the Department and in accordance with the Department's
Information Security Requirements Exhibit as referenced below.
1.14.2. The Contractor must ensure any individuals involved in delivering services
through this Agreement contract sign an attestation agreeing to access,
view, store, and discuss Confidential Data in accordance with federal and
state laws and regulations and the Department's Information Security
Requirements Exhibit. The Contractor must ensure said individuals have a
justifiable business need to access confidential data. The Contractor must
provide attestations upon Department request.
1.15. Privacy Impact Assessment
1.15.1. Upon request, the Contractor must allow and assist the Department in
conducting a Privacy Impact Assessment (PIA) of its
system(s)/application(s)/web portal(s)/website(s) or Department
system(s)/application(s)/web portal(s)/website(s) hosted by the Contractor,
if Personally Identifiable Information (PII) is collected, used, accessed,
shared, or stored. To conduct the PIA the Contractor must provide the
Department access to applicable systems and documentation sufficient to
allow the Department to assess, at minimum, the following:
1.15.1.1. How PII is gathered and stored;
1.15.1.2. Who will have access to PII;
1.15.1.3. How PII will be used in the system;
1.15.1.4. How individual consent will be achieved and revoked; and
1.15.1.5. Privacy practices.
1.15.2. The Department may conduct follow-up PIAs in the event there are either
significant process changes or new technologies impacting the collection,
processing or storage of PII.
1.16. Contract End-of-Life Transition Services
1.16.1. General Requirements
1.16.1.1. If applicable, upon termination or expiration of the Agreement
the parties agree to cooperate in good faith to effectuate a
smooth secure transition of the Services from the Contractor to
the Department and, if applicable, the Contractor engaged by
the Department to assume the Services previously performed
by the Contractor (for this section the new Contractor shall be
known as "Recipient"). Ninety (90) days prior to the end of the
contract or unless otherwise specified by the Department, the
Contractor must begin working with the Department and if
applicable, the new Recipient to develop a Data Transition
Plan (DTP). The Department shall provide the DTP template to
the Contractor.
1.16.1.2. The Contractor must use reasonable efforts to assist the
Recipient, in connection with the transition from the
performance of Services by the Contractor and its End Users
to the performance of such Services. This may include
assistance with the secure transfer of records (electronic and
hard copy), transition of historical data (electronic and hard
copy), the transition of any such Service from the hardware,
software, network and telecommunications equipment and
internet-related information technology infrastructure ("Internal
IT Systems") of Contractor to the Internal IT Systems of the
Recipient and cooperation with and assistance to any third-
party consultants engaged by Recipient in connection with the
Transition Services.
1.16.1.3. If a system, database, hardware, software, and/or software
licenses (Tools) was purchased or created to manage, track,
and/or store Department Data in relationship to this contract,
said Tools will be inventoried and returned to the Department,
along with the inventory document, once transition of
Department Data is complete.
1.16.1.4. The internal planning of the Transition Services by the
Contractor and its End Users shall be provided the
Department and if applicable the Recipient in a timely manner.
Any such Transition Services shall be deemed to be Services
for purposes of this Agreement.
1.16.1.5. Should the data Transition extend beyond the end of the
Agreement, the Contractor agrees that the Information
Security Requirements, and if applicable, the Department's
Business Associate Agreement terms and conditions remain in
effect until the Data Transition is accepted as complete by the
Department.
1.16.1.6. In the event where the Contractor has comingled Department
Data and the destruction or Transition of said data is not
feasible, the Department and Contractor will jointly evaluate
regulatory and professional standards for retention
requirements prior to destruction, refer to the terms and
conditions of the Department's DHHS Information Security
Requirements Exhibit.
1.16.2. Completion of Transition Services
1.16.2.1. Each service or Transition phase shall be deemed completed
(and the Transition process finalized) at the end of 15 business
days after the product, resulting from the Service, is delivered
to the Department and/or the Recipient in accordance with the
mutually agreed upon Transition plan, unless within said 15
business day term the Contractor notifies the Department of an
issue requiring additional time to complete said product.
1.16.2.2. Once all parties agree the data has been migrated the
Contractor will have 30 days to destroy the data per the terms
and conditions of the Department's Information Security
Requirements Exhibit.
1.16.3. Disagreement over Transition Services Results
1.16.3.1. In the event the Department is not satisfied with the results of
the Transition Service, the Department shall notify the
Contractor, in writing, stating the reason for the lack of
satisfaction, within 15 business days of the final product or at
any time during the data Transition process. The Parties shall
discuss the actions to be taken to resolve the disagreement or
issue. If an agreement is not reached, at any time the
Department shall be entitled to initiate actions in accordance
with the Agreement.
2. Exhibits Incorporated
2.1. The Contractor must manage all confidential data related to this Agreement in
accordance with the terms of Exhibit D, DHHS Information Security Requirements.
2.2. The Contractor must use and disclose Protected Health Information in compliance with
the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)
(45 CFR Parts 160 and 164) under the Health Insurance Portability and Accountability
Act (HIPAA) of 1996, and in accordance with the attached Exhibit E, Business
Associate Agreement, which has been executed by the parties.
3. Additional Terms
3.1. Impacts Resulting from Court Orders or Legislative Changes
3.1.1. The Contractor agrees that, to the extent future state or federal legislation
or court orders may have an impact on the Services described herein, the
State has the right to modify Service priorities and expenditure requirements
under this Agreement so as to achieve compliance therewith.
3.2. Federal Civil Rights Laws Compliance: Culturally and Linguistically Appropriate
Programs and Services
3.2.1. The Contractor must submit:
3.2.1.1. A detailed description of the language assistance services,
within ten (10) days of the Effective Date of the Agreement,
to be provided to ensure meaningful access to programs,
and/or services to individuals with limited English proficiency;
individuals who are deaf or have hearing loss; individuals
who are blind or have low vision; and individuals who have
speech challenges.
3.2.1.2. A written attestation, within 45 days of the Effective Date of
the Agreement and annually thereafter, that all personnel
involved the provision of services to individuals under this
Agreement have completed, within the last 12 months, the
Contractor Required Training Video on Civil Rights-related
Provisions in DHHS Procurement Processes, which is
accessible on the Department's website
(https://www.dhhs.nh.gov/doing-business-dhhs/civil-right-compliance-dhhs-vendors); and
3.2.1.3. The Department's Federal Civil Rights Compliance Checklist
within ten (10) days of the Effective Date of the Agreement.
The Federal Civil Rights Compliance Checklist must have
been completed within the last 12 months and is accessible
on the Department's website
(https://www.dhhs.nh.gov/doing-business-dhhs/civil-right-compliance-dhhs-vendors).
3.3. Credits and Copyright Ownership
3.3.1. All documents, notices, press releases, research reports and other materials
prepared during or resulting from the performance of the services of the
Agreement must include the following statement, "The preparation of this
(report, document etc.) was financed under an Contract with the State of
New Hampshire, Department of Health and Human Services, with funds
provided in part by the State of New Hampshire and/or such other funding
sources as were available or required, e.g., the United States Department
of Health and Human Services."
3.3.2. All materials produced or purchased under the Agreement must have prior
approval from the Department before printing, production, distribution or
use.
3.3.3. The Department must retain copyright ownership for any and all original
materials produced, including, but not limited to:
3.3.3.1. Brochures.
3.3.3.2. Resource directories.
3.3.3.3. Protocols or guidelines.
3.3.3.4. Posters.
3.3.3.5. Reports.
3.3.4. The Contractor must not reproduce any materials produced under the
Agreement without prior written approval from the Department.
4. Records
4.1. The Contractor must keep records that include, but are not limited to:
4.1.1. Books, records, documents and other electronic or physical data evidencing
and reflecting all costs and other expenses incurred by the Contractor in the
performance of the Contract, and all income received or collected by the
Contractor.
4.1.2. All records must be maintained in accordance with accounting procedures and
practices, which sufficiently and properly reflect all such costs and expenses,
and which are acceptable to the Department, and to include, without limitation,
all ledgers, books, records, and original evidence of costs such as purchase
requisitions and orders, vouchers, requisitions for materials, inventories,
valuations of in-kind contributions, labor time cards, payrolls, and other records
requested or required by the Department.
4.2. During the term of this Agreement and the period for retention hereunder, the
Department, the United States Department of Health and Human Services, and any of
their designated representatives must have access to all reports and records
maintained pursuant to the Agreement for purposes of audit, examination, excerpts
and transcripts.
4.3. If, upon review of the Final Expenditure Report the Department must disallow any
expenses claimed by the Contractor as costs hereunder, the Department retains the
right, at its discretion, to deduct the amount of such expenses as are disallowed or to
recover such sums from the Contractor.
RFP-2025-DBH-01-CERTI-01 Exhibit B-1 DOIT Workbook
APPLICATION REQUIREMENTS
State Requirements
Req # Requirement Description Criticality Response Example Response
GENERAL SPECIFICATIONS
A1.1
Ability to access data using open standards
access protocols
M
Growth Partners (GP) uses COTS software for
website development, email communications,
data processing and general office activities.
GP does not possess any specially developed
software for its use. As a result, all functions
are standard and offer interoperability.
The solution being proposed will use a
commercial off the shelf (COTS) software
that utilizes XML, HTML and SQL all of
which leverage open standards to allow for
interoperability and continued quality.
A1.2
Data is available in commonly used format
over which no entity has exclusive control,
with the exception of National or International
standards. Data is not subject to any
copyright, patent, trademark or other trade
secret regulation.
M
Growth Partners (GP) uses COTS software for
website development, email communications,
data processing and general office activities.
GP does not possess any specially developed
software for its use. As a result, all functions
are standard and offer interoperability.
As represented in A1.1 by utilizing open
standards our solution is compliant with
this requirement.
GP data and/or information is not subject to
any copyright, patent, trademark or other
trade secret regulation. However, data
analysis is traditionally owned by the client
and not Growth Partners.
A1.3
Web-based compatible and in conformance
with the following W3C standards: HTML5,
CSS 2.1, XML 1.1 M
Websites are designed and conform to the
indicated standards.
The web based component of this solution
conforms to W3C standards in our case
specifically leveraging HTML5, XML and
SOAP
APPLICATION SECURITY
A2.1
Verify the identity or authenticate all of the
system client applications before allowing use
of the system to prevent access to
inappropriate or confidential data or services. M
All COTS formats require assignment by the
GP Chief Operating Officer (COO) to restrict
access to applications and data.
In addition, hardware (laptops) and COTS
require username/password protections and
emails are encrypted.
Utilizing our COTS solution will require the
user to validate their identity through a
user name and password provided after
information is obtained to create the user's
account.
A2.2
Verify the identity and authenticate all of the
system's human users before allowing them to
use its capabilities to prevent access to
inappropriate or confidential data or services. M
Access to GP COTS and data is controlled by
the COO. The COO follows contractual
requirements imposed by all clients which
includes state authorizations.
Based on the role based access controls
within the COTS solution we will ensure
the users have access only to the data that
the State authorizes.
A2.3
Enforce unique user names.
M
Access to COTS does require unique
usernames/passwords for all end users
including state and GP staff, and authorized
website users requiring login.
The COTS solution combined with our
logical access procedure to create user
accounts ensures the unique user name.
A2.4
Comply with the Department's Password
Standard and DoIT's statewide User Account
and Password Policy, when developing,
establishing, and enforcing system
Administrative (privileged) and End User (non-privileged)
accounts. Should a requirement
conflict reside between the two documents
the more restrictive requirement must be
followed.
M
COTS formats require username/password
protections. This includes the admin level for
application updates, upgrades and
maintenance activities, and the end users of
the COTS. If non-compliance is discovered it is
and will be corrected immediately. Password
will at a minimum include 15 characters with
requirements to use special characters,
numbers and upper and lower case letters. In
addition, a password cannot be repeated until
after 20 other passwords have been used.
The COTS solution will comply with the
requirements as listed in the Department's
Password Standard and NH DoIT's
Password Policy.
A2.8
Provide the ability to limit the number of
people that can grant or change
authorizations. M
All GP authorizations can only be granted by
the COO. As a backup to the COO, the Chief
Executive Officer (CEO) can provide
authorizations.
Based on State approval the system will
allow for up to 3 administrators to support
granting or changing permissions.
A2.10
The application shall not store authentication
credentials or sensitive data in its code. M
GP does not store username/passwords or
data within its code.
All authentication credentials are
encrypted utilizing the Advanced
Encryption Standard (AES)
A2.11
Log all attempted accesses that fail
identification, authentication and
authorization requirements. M
Websites and portals track login attempts
including failed attempts.
The system in compliance with failed
attempt policy automatically logs all failed
attempts to result in a lockout. See A2.4
A2.13
All logs must be kept for one (1) year, unless
protected health information is entered
into/stored in the system or product, then all
audit logs must be kept for six (6) years for
HIPAA compliance.
M
Websites and portal developments include log
retentions which are kept for a minimum of 1
year, and if PHI information is stored then six
years.
The COTS solution will maintain logs for 1
years
A2.14
The application must allow a human user to
explicitly terminate a session. No remnants of
the prior session should then remain. M
Users have the ability to terminate sessions.
The COTS solution allows for the
termination of the user account which will
result in the termination of access.
A2.15
Do not use Software and System Services for
anything other than they are designed for.
M
GP staff's use of COTS and IT platforms, and
their access to them, is for the sole purpose of
meeting contractual obligations and
requirements.
The solution will be implemented at the
direction of the department to meet the
requirements of the contract.
A2.16
The application Data shall be protected from
unauthorized use when at rest.
M
GPs' COTS including data storage and
transmission, is conducted within
username/password protection and
encryption methods. Systems will protect the
data when in use and at rest.
The COTS solution will encrypt data in
transit and at rest coupled with role based
access permissions the application data
will be protected at rest
A2.17
The application shall keep any sensitive Data
or communications private from unauthorized
individuals and programs. M
GPs' COTS including data storage and
transmission is conducted within
username/password protection and
encryption methods.
See A2.16
A2.18
Subsequent application enhancements or
upgrades shall not remove or degrade security
requirements.
M
Upgrades and enhancements to COTS and
cybersecurity maintain or improve the level of
security as dictated by the state. The level of
security will not be downgraded.
The COTS solution and subsequent
upgrades will maintain or enhance security
requirements in partnership and
communication with the State.
A2.19
Utilize change management documentation
and procedures.
M
GP follows industry standards to comply with
change management procedures and
documentations throughout the term of their
contracts.
The COTS solution will follow industry best
practices for change management and the
configuration administrators will
document all changes made to production
after final user acceptance of the changes.
A2.20
Web Services: The service provider shall use
Web services exclusively to interface with the
State's data in near real time when possible.
M
GP does not employ COTS that interact with
client data systems outside of the parameters
of exporting data for analysis, i.e., Excel.
The COTS solution will not utilize web
services to interface with the State's data
systems; however the solution will be able
to export the information into CSV, Excel
or similar functions and provide the
information to the State for ingestion.
A2.21
Logs must be configured using "fail-safe"
configuration. Audit logs must contain the
following minimum information:
1. User IDs (of all users who have access to the
system)
2. Date and time stamps
3. Changes made to system configurations
4. Addition of new users
5. New users level of access
6. Files accessed (including users)
7. Access to systems, applications and data
8. Access trail to systems and applications
(successful and unsuccessful attempts)
9. Security events
M
GPs' COO and GP IT contractor maintain audit
logs that effectively document: User IDs, date
and time stamps, changes to system
configurations, new users added or users
deleted, access levels of users, files and data
accessible to users including access to
systems, applications and data sources,
attempts to access systems both successful
and failed, and security events within systems,
applications and data points.
The COTS solution will be able to maintain
the following information either in a log or
separate documentation:
1. User IDs (of all users who have access to
the system)
2. Date and time stamps
3. Changes made to system configurations
4. Addition of new users
5. New users level of access
6. Files accessed (including users)
7. Access to systems, applications and data
8. Access trail to systems and applications
(successful and unsuccessful attempts)
9. Security events
TESTING REQUIREMENTS
State Requirements
Req # Requirement Description Criticality Response Example Response
APPLICATION SECURITY TESTING
T1.1
All components of the Software shall be
reviewed and tested to ensure they protect
the Department and State's web site and its
related Data assets. M
Systems are protected by EDR AV and
vulnerability scans. Penetration testing is
conducted on an annual basis.
As this is a COTS solution the components
of the software that will be reviewed and
tested will focus on the configuration of
the system to meet the business and
technical requirements of the solution.
T1.2
The Vendor shall be responsible for providing
documentation of security testing, as
appropriate. Tests shall focus on the technical,
administrative and physical security controls
that have been designed into the System
architecture in order to provide the necessary
confidentiality, integrity and availability.
M
GP will provide reports on administrative and
security controls on request and our IT
contractor has the tools necessary to
complete these tests.
The COTS solution has published
documentation to address the technical,
administrative and physical security
controls available upon request.
T1.3
Provide evidence that supports the fact that
Identification and Authentication testing has
been recently accomplished; supports
obtaining information about those parties
attempting to log onto a system or application
for security purposes and the validation of
users.
M
Working in conjunction with our
programmers and IT contractor, logs for
testing and login history are available for
review.
This is addressed via logs associated with
login attempts
T1.4
Test for Access Control; supports the
management of permissions for logging onto a
computer or network.
M
All COTS formats require username/password
protections. This includes the admin level for
application updates, upgrades and
maintenance activities, and the end users of
the COTS. In addition, all staff computers are
password protected and emails are encrypted.
If non-compliance is discovered it will be
corrected immediately.
See A2.4
T1.5
Test for encryption; supports the encoding of
data for security purposes, and for the ability
to access the data in a decrypted format from
required tools.
M
All COTS formats require username/password
protections. This includes the admin level for
application updates, upgrades, and
maintenance activities, and the end users of
the COTS. In addition, all staff computers are
password protected and emails are encrypted.
If non-compliance is discovered it will be
corrected immediately.
GPs' COTS including data storage and
transmission is conducted within
username/password protection and
encryption methods.
See A2.4 and A2.16
T1.6
Test the Intrusion Detection; supports the
detection of illegal entrance into a computer
system.
M
GP will continue to upgrade its abilities to
prevent intrusions. This includes its current
and ongoing testing to prevent intrusions.
See T1.2
T1.8
Test the User Management feature; supports
the administration of computer, application
and network accounts within an organization. M
GP tests related user management
applications and network accounts.
See A2.4, this process is tested each time
an account is activated or de-activated
T1.9
Test Role/Privilege Management; supports the
granting of abilities to users or groups of users
of a computer, application or network. M
Roles and privileges are authorized by the
COO and IT Contractor. GP tests access to
hardware (computers), COT applications and
networks used.
This will be accomplished after final
configuration and account creation has
been completed and validated by the
department
T1.10
Test Audit Trail Capture and Analysis; supports
the identification and monitoring of activities
within an application or system. M
Growth Partners maintains records of audit
trail capture and analysis in addition to testing
the audit trails.
The COTS solution has an internal testing
plan for ensuring the audit trail logs are in
place.
T1.11
Test Input Validation; ensures the application
is protected from buffer overflow, cross-site
scripting, SQL injection, and unauthorized
access of files and/or directories on the server.
M
Growth Partners tests input validations with
specific attentions to ensure the application is
protected from buffer overflows, cross-site
scripting, SQL injection and unauthorized
accesses.
The COTS solution has an internal testing
plan and is covered contractually to
protect against the items listed
T1.12
For web applications, ensure the application
has been tested and hardened to prevent
critical application security flaws. (At a
minimum, the application shall be tested
against all flaws outlined in the Open Web
Application Security Project (OWASP) Top Ten
(http://www.owasp.org/index.php/OWASP_Top_Ten_Project).
M
Growth Partners continues to test web
applications prior to going live. At a minimum,
OWASP standards will be met.
The COTS solution has an internal testing
plan for ensuring the audit trail logs are in
place.
T1.13
Provide the State with validation of 3rd party
security reviews performed on the application
and system environment. The review may
include a combination of vulnerability
scanning, penetration testing, static analysis
of the source code, and expert code review
(please specify proposed methodology in the
comments field).
M
We have 3rd party vendors for conducting
scans if requested.
The 3rd party scans can be provided upon
request. These reports are a sub-contract
component with the COTS solution being
employed on this solution.
T1.14
Prior to the System being moved into
production, the Vendor shall provide results of
all security testing to the Department of
Information Technology for review and
acceptance.
M
We have 3rd party vendors for conducting
scans if requested.
As the COTS solution maintains FedRamp
Moderate certification all testing was
completed in order to maintain
compliance. It is anticipated that testing
of the configuration will be accomplished
prior to production use.
T1.15
Vendor shall provide documented procedure
for migrating application modifications from
the User Acceptance Test Environment to the
Production Environment.
M
GP will provide a plan to move from testing
to live production.
All configurations will be accomplished in a
single environment and approved to be
implemented on demand. No migration
will be performed for this COTS solution.
STANDARD TESTING
T2.1
The Vendor must test the software and the
system using an industry standard and State
approved testing methodology. M
We have 3rd party vendors for conducting
scans if requested.
See T1.14
T2.2
The Vendor must perform application stress
testing and tuning. M
We have 3rd party vendors that can test stress
loads against crashes.
See T1.14
T2.3
The Vendor must provide documented
procedure for how to sync Production with a
specific testing environment. M
GP will provide a plan to move from testing
to live production.
See T1.14
T2.4
The vendor must define and test disaster
recovery procedures. M
We have 3rd party vendors to test disaster
recovery procedures.
See T1.14
HOSTING-CLOUD REQUIREMENTS
State Requirements
Req # Requirement Description Criticality Response Example Response
OPERATIONS
H1.1
Vendor shall provide an ANSI/TIA-942 Tier 3
Data Center or equivalent. A tier 3 data
center requires 1) Multiple independent
distribution paths serving the IT equipment, 2)
All IT equipment must be dual-powered and
fully compatible with the topology of a site's
architecture and 3) Concurrently maintainable
site infrastructure with expected availability of
99.982%.
M
Growth Partners uses AWS for system hosting.
See T1.14
H1.2
Vendor shall maintain a secure hosting
environment providing all necessary
hardware, software, and Internet bandwidth
to manage the application and support users
with permission based logins.
M
Growth Partners uses AWS for system hosting.
See T1.14
H1.3
The Data Center must be physically secured -
restricted access to the site to personnel with
controls such as biometric, badge, and others
security solutions. Policies for granting access
must be in place and followed. Access shall
only be granted to those with a need to
perform tasks in the Data Center.
M
Growth Partners uses AWS for system hosting.
See T1.14
H1.4
Vendor shall install and update all server
patches, updates, and other utilities within 60
days of release from the manufacturer.
M
Growth Partners uses AWS for system hosting.
See T1.14
H1.5
Vendor shall monitor System, security, and
application logs. M
Growth Partners uses AWS for system hosting.
See T1.14
H1.6
Vendor shall manage the sharing of data
resources. M
Growth Partners uses AWS for system hosting.
See T1.14
H1.7
Vendor shall manage daily backups, off-site
data storage, and restore operations. M
Growth Partners uses AWS for system hosting.
Daily backups will be performed nightly
per sub-contract with COTS solution
H1.8
The Vendor shall monitor physical hardware.
M
Growth Partners uses AWS for system hosting.
See T1.14
H1.9
Remote access shall be customized to the
State's business application. In instances
where the State requires access to the
application or server resources not in the
DMZ, the Vendor shall provide remote
desktop connection to the server through
secure protocols such as a Virtual Private
Network (VPN).
M
Growth Partners uses AWS for system hosting
and can provide access to the state upon
request.
The COTS solution will be a cloud based
solution accessible based on the role
based access permissions configured as
part of the project based on the State's
requirements.
DISASTER RECOVERY
H2.1
Vendor shall have documented disaster
recovery plans that address the recovery of
lost State data as well as their own. Systems
shall be architected to meet the defined
recovery needs.
M
In progress with Control Map and GP will keep
up to date.
In addition, data is backed up on daily basis
with back ups made every hour if changes are
made within the data. This can be conducted
to previous 6 months.
See T1.14
H2.2
The disaster recovery plan shall identify
appropriate methods for procuring additional
hardware in the event of a component failure.
In most instances, systems shall offer a level of
redundancy so the loss of a drive or power
supply will not be sufficient to terminate
services however, these failed components
will have to be replaced.
M
The disaster recovery plan is in progress with
Control Map and GP and is expected to be
finalized July 1, 2024.
Growth Partners rents space from AWS which
meets the cited requirements.
Growth Partners, through its IT contractor,
also has access to 3rd party vendors to
provide necessary hardware if needed.
See T1.14
H2.3
Vendor shall adhere to a defined and
documented back-up schedule and procedure.
M
In progress with Control Map and GP will keep
up to date.
In addition, data is backed up on daily basis
with back ups made every hour if changes
are made within the data. This can be
conducted to previous 6 months.
See H1.7
H2.4
Back-up copies of data are made for the
purpose of facilitating a restore of the data in
the event of data loss or System failure. M
On daily basis, back ups are made every hour
if changes are made within the data. This can
be conducted to previous 6 months.
See H1.7
H2.5
Scheduled backups of all servers must be
completed regularly. The minimum
acceptable frequency is differential backup
daily, and complete backup weekly.
M
On daily basis, back ups are made every hour
if changes are made within the data. This can
be conducted to previous 6 months.
See H1.7
H2.6
Tapes or other back-up media tapes must be
securely transferred from the site to another
secure location to avoid complete data loss
with the loss of a facility.
M
If the state requires tapes or other back-up
media tapes, Growth Partners will secure the
necessary resources.
See H1.7
H2.7
Data recovery - In the event that recovery
back to the last backup is not sufficient to
recover State Data, the Vendor shall employ
the use of database logs in addition to backup
media in the restoration of the database(s) to
afford a much closer to real-time recovery. To
do this, logs must be moved off the volume
containing the database with a frequency to
match the business needs.
M
Procedures are in progress with Control Map
and GP will keep up to date.
All data recovery is managed via the
backup and restore process
HOSTING SECURITY
H3.2 If State data is hosted on multiple servers,
data exchanges between and among servers
must be encrypted.
n/a Not applicable. Data is not stored on multiple
servers.
All data is encrypted and at rest regardless
of number of servers.
H3.4 All components of the infrastructure shall be
reviewed and tested to ensure they protect
the State's hardware, software, and its related
data assets. Tests shall focus on the technical,
administrative and physical security controls
that have been designed into the System
architecture in order to provide
confidentiality, integrity and availability.
M Growth Partners follows best practices for IT
security including frequent software patching,
anti virus, and tests against OWASP's top ten.
All security controls are tested and
addressed via the item T1.14
H3.7 All servers and devices must have event
logging enabled. Logs must be protected
with access limited to only authorized
administrators. Logs shall include System,
Application, Web and Database logs.
M Logging is enabled and logs are protected with
security protocols and back-ups.
All security controls are tested and
addressed via the item T1.14
H3.8 Operating Systems (OS) and Databases (DB)
shall be built and hardened in accordance with
guidelines set forth by CIS, NIST or NSA.
M All OS are patched and patched frequently.
We are working toward NIST CSF compliance.
All security controls are tested and
addressed via the item T1.14
SERVICE LEVEL AGREEMENT
H4.1 The Vendor's System support and
maintenance shall commence upon the
Effective Date and extend through the end of
the Contract term, and any extensions
thereof.
M Agreed, GPs' IT contractor and COTS
applications will be maintained throughout
the duration of the contract.
The COTS solution will be maintained,
operated and supported per the contract
terms.
H4.2 The vendor shall maintain the hardware and
Software in accordance with the
specifications, terms, and requirements of the
Contract, including providing, upgrades and
fixes as required.
M Agreed, GPs' IT contractor and COTS
applications will be maintained throughout
the duration of the contract. Required
improvements identified by the state will be
immediately addressed.
The COTS configuration may be changed as
needed to meet the State's requirements.
H4.3 The vendor shall repair or replace the
hardware or software, or any portion thereof,
so that the System operates in accordance
with the Specifications, terms, and
requirements of the Contract.
M Agreed, GPs contractor and COTS applications
will be maintained throughout the duration of
the contract. Required improvements
identified by the state will be immediately
addressed.
Since the solution is dependent upon the
COTS solution proposed any replacement
of the software would require a change
order and amendment to the contract.
H4.4 All hardware and software components of the
Vendor hosting infrastructure shall be fully
supported by their respective manufacturers
at all times. All critical patches for operating
systems, databases, web services, etc., shall
be applied within sixty (60) days of release by
their respective manufacturers.
M Growth Partners uses AWS for system hosting.
This will follow the COTS solutions
roadmaps for patches in alignment with
item T1.14
H4.5 The State shall have unlimited access, via
phone or Email, to the Vendor technical
support staff between the hours of 8:30am to
5:00pm Monday through Friday EST.
M GPs IT and website contractors are located in
the Central Standard Time zone (CST).
Through contractual obligations, they are
accessible during normal business hours, CST.
The proposal will include technical support
for the State between 8:30am and 5:00pm
EST Monday through Friday.
H4.6 The Vendor shall conform to the specific
deficiency class as described:
o Class A Deficiency - Software - Critical, does not allow
System to operate, no work around, demands
immediate action; Written Documentation -
missing significant portions of information or
unintelligible to State; Non Software - Services
were inadequate and require re-performance
of the Service.
o Class B Deficiency - Software -
important, does not stop operation and/or
there is a work around and user can perform
tasks; Written Documentation - portions of
information are missing but not enough to
make the document unintelligible; Non
Software - Services were deficient, require
reworking, but do not require re-performance
of the Service.
o Class C Deficiency - Software - minimal,
cosmetic in nature, minimal effect on System,
low priority and/or user can use System;
Written Documentation - minimal changes
required and of minor editing nature; Non
Software - Services require only minor
reworking and do not require re-performance
of the Service.
M GP acknowledges and will conform to the
cited classes of deficiency:
Class A Deficiency - system is not available or
is not performing the function agreed upon
during production go live
Class B Deficiency - COTS configuration issue
with a workaround not impacting system
utilization, but requires attention to resolve
manual workaround.
Class C Deficiency - COTS configuration that
has minimum impact on the function. Would
be de prioritized to complete remediation on
Class B and Class A deficiencies.
The proposed solution will be a COTS
solution and thus the solution will be able
to comply with the following:
Class A Deficiency - system is not available
or is not performing the function agreed
upon during production go live
Class B Deficiency - COTS configuration
issue with a workaround not impacting
system utilization, but requires attention
to resolve manual workaround.
Class C Deficiency - COTS configuration
that has minimum impact on the function.
Would be de prioritized to complete
remediation on Class B and Class A
deficiencies.
H4.7 As part of the maintenance agreement,
ongoing support issues shall be responded to
according to the following:
a. Class A Deficiencies - The Vendor shall have
available to the State on-call telephone
assistance, with issue tracking available to the
State, eight (8) hours per day and five (5) days
a week with an email / telephone response
within two (2) hours of request; or the Vendor
shall provide support on-site or with remote
diagnostic Services, within four (4) business
hours of a request;
b. Class B & C Deficiencies - The State shall
notify the Vendor of such Deficiencies during
regular business hours and the Vendor shall
respond back within four (4) hours of
notification of planned corrective action; The
Vendor shall repair or replace Software, and
provide maintenance of the Software in
accordance with the Specifications, Terms and
Requirements of the Contract.
M GP acknowledges and will conform to the
cited classes of deficiency time tables.
The proposed solution will be able to
provide response times as described
herein.
H4.8 The hosting server for the State shall be
available twenty-four (24) hours a day, 7 days
a week except for during scheduled
maintenance.
M The COTS solution will be available 24 hours a
day and 7 days a week except during
maintenance activities.
The COTS solution will be available 24
hours a day and 7 days a week; however
support will be available as described in
H4.5
H4.9 A regularly scheduled maintenance window
shall be identified (such as weekly, monthly,
or quarterly) at which time all relevant server
patches and application upgrades shall be
applied.
M GP employs IT and web domain contractors all
of which provide regular maintenance.
Maintenance windows will comply with State
standards.
The COTS solution has full failover
functionality allowing for maintenance to
occur without impact to the business
functionality.
H4.10 If The Vendor is unable to meet the uptime
requirement, The Vendor shall credit State's
account in an amount based upon the
following formula: (Total Contract Item
Price/365) x Number of Days Contract Item
Not Provided. The State must request this
credit in writing.
M If GP is unable to meet any uptime
requirements the state will be immediately
notified and informed of problem and
intended solution. GP agrees to the
compensation formula.
Agreed for any uptime requirement not
met for the COTS solution included in the
proposal.
H4.13 The Vendor shall maintain a record of the
activities related to repair or maintenance
activities performed for the State and shall
report quarterly on the following: Server up
time; All change requests implemented,
including operating system patches; All critical
outages reported including actual issue and
resolution; Number of deficiencies reported
by class with initial response time as well as
time to close.
M GP and its contractors will track
repair/maintenance activities and report out
at the required intervals.
The COTS solution will not be able to
provide the details identified herein. The
proposed solution will be able upon
request to provide documentation
surrounding configuration changes that
were completed in production through the
change management process, see A2.19.
H4.14 The Vendor will give two-business days prior
notification to the State Project Manager of all
changes/updates and provide the State with
training due to the upgrades and changes.
M GP will provide notification within 2 business
days to the State of all changes/updates and if
necessary, training needed for upgrades.
Following the change management
process see item A2.19 notification will be
provided prior to implementation in
production and training shall be
performed either via in-person, video
computer based training, and/or in
documentation.
SUPPORT & MAINTENANCE REQUIREMENTS
State Requirements
Req # Requirement Description Criticality Response Example Response
S1.1
The Vendor's System support and
maintenance shall commence upon the
Effective Date and extend through the end of
the Contract term, and any extensions
thereof.
M
GP employs IT related contractors and/or
providers. Their services will be afforded to
the state for the duration of the contract
including extensions.
Agreed
S1.3
Repair Software, or any portion thereof, so
that the System operates in accordance with
the Specifications, terms, and requirements of
the Contract.
M
As needed, IT and the web domain contractor
resources will be used to conduct upgrades
and fixes to the systems.
Based on assigned deficiencies the support
team will resolve the issue and obtain
acceptance following standard change
management practices.
S1.6
The Vendor shall make available to the State
the latest program updates, general
maintenance releases, selected functionality
releases, patches, and Documentation that
are generally offered to its customers, at no
additional cost.
M
As part of the regularly scheduled reporting to
DHHS, available IT related updates,
maintenance activities, system upgrades will
be included.
These documents will be provided based
on their availability from the third-party
COTS solution.
S1.7
For all maintenance Services calls, the Vendor
shall ensure the following information will be
collected and maintained: 1) nature of the
Deficiency; 2) current status of the Deficiency;
3) action plans, dates, and times; 4) expected
and actual completion time; 5) Deficiency
resolution information, 6) Resolved by, 7)
Identifying number i.e. work order number, 8)
Issue identified by;
M
In conjunction with S1.6, the eight listed items
will be included within the reporting of any
deficiencies.
Agreed
S1.8
The Vendor must work with the State to
identify and troubleshoot potentially large-
scale System failures or Deficiencies by
collecting the following information: 1) mean
time between reported Deficiencies with the
Software; 2) diagnosis of the root cause of the
problem; and 3) identification of repeat calls
or repeat Software problems.
M
GP will develop a standard documentation
form that communicates tasks S1.1 - S1.9 for
all reported deficiencies.
The proposed solution and support will be
able to diagnose root cause as needed as
well as problem management to address
repeat calls or configuration issues.
S1.15
The State shall provide the Vendor with a
personal secure FTP site to be used by the
State for uploading and downloading files if
applicable.
M
Understood, agreed
S1.16 The hosting server for the State shall be
available twenty-four (24) hours a day, 7 days
a week except for during scheduled
maintenance.
M
Growth Partners uses AWS for system hosting.
See H4.8
PROJECT MANAGEMENT
State Requirements
Req # Requirement Description Criticality Response Example Response
P1.1
Vendor shall participate in an initial kick-off
meeting to initiate the Project. M
GP will coordinate with the State to schedule
and participate in a project kick-off meeting.
Agreed
P1.2
Vendor shall provide Project Staff as specified
in the RFA.
M
Project Staff are included in the RFP proposal
and specifically within Appendices D -
Technical Response to Questions and
Appendix E - Program Staff. Resumes, job
descriptions and expected FTEs are also
included.
Agreed
P1.3
Vendor shall submit a finalized Work Plan
within ten (10) days after Contract award and
approval by Governor and Council. The Work
Plan shall include, without limitation, a
detailed description of the Schedule, tasks,
Deliverables, milestones/critical events, task
dependencies, vendors and state resources
required and payment Schedule. The plan
shall be updated no less than every two
weeks.
M
GP provided an estimated work plan with
deliverables as part of the RFP submission.
Updates to the work plan will be made after
10 days of contract start date, and will be
updated every two weeks after contract start
date.
Agreed
P1.4
Vendor shall provide detailed bi-weekly status
reports on the progress of the Project, which
will include expenses incurred year to date. M
GP will provide status reports every two
weeks. While expenses incurred will be
included, expenses will only be updated in
conjunction with monthly invoices.
This proposal includes a weekly update for
status reports that will include risks,
actions, decisions. A monthly financial
expense report will be provided.
P1.5
All user, technical, and System Documentation
as well as Project Schedules, plans, status
reports, and correspondence must be
maintained as project documentation. (Define
how- WORD format- on-Line, in a common
library or on paper). M
GP will maintain documentation of plan
schedules, plans, status reports and
correspondence related to the project.
Documentation will be available to the state
at agreed upon intervals or upon request.
Documentation format will typically be
provided in Microsoft applications (Word,
Excel, etc.) or other user friendly applications.
GP also uses white board technologies for
which the state will be granted access.
This proposal includes standard project
management principles and deliverables to
include schedules, plans, reports, risks,
actions, issues, decisions and financials
and we can support utilizing the State
project management solution or provide
our own at the State's direction.
P1.6
Vendor shall provide a full time Project
Manager assigned to the project.
M
GP has identified a Director for the project
and will be employed at 1.0 FTE toward the
project. The person identified has accepted
the position as a contingent hire. If awarded
the contract, the contingent hire will begin
employment prior to the contract start date to
become orientated to GP processes.
Agreed
P1.7
The Vendor Project Manager, and relevant key
staff, shall every three (3) months, beginning
in the first month of the Contract, travel to
Concord, NH to meet with project
representatives from DHHS and the NHID to
review past quarter performance and
upcoming quarter Plan of Operations. Virtual
meetings may be permitted if approved by
DHHS.
M
GP's Director for the project will meet in-
person for all quarterly meetings. Other
relevant key staff can also attend, but will
request virtual attendance.
All staff will work remotely for the
duration of this contract
P1.8
The Vendor's project manager is also expected
to host other important meetings, assign
contractor staff to those meetings as
appropriate and provide an agenda for each
meeting.
M
GP's Director for the project will host other
meetings designated by DHHS and create
agendas for each within the constraints of the
budget.
Agreed
P1.9
Meeting minutes will be documented and
maintained electronically by the contractor
and distributed within 24 hours after the
meeting. Key decisions along with Closed,
Active and Pending issues will be included in
this document as well.
M
GP will provide a standardized meeting
agenda and standardized format to document
minutes for all meetings. This will include key
decisions, documented issues that are closed,
active, and pending. Minutes will be made
available within 24 hours of meeting closure.
Agreed.
New Hampshire Department of Health and Human Services
Certifying Body for NH Recovery Residences
EXHIBIT C
Payment Terms
1. This Agreement is funded by:
1.1. 100% Other funds (Governor Commission).
2. For the purposes of this Agreement the Department has identified:
2.1. The Contractor as a Subrecipient, in accordance with 2 CFR 200.331.
3. Payment shall be on a cost reimbursement basis for actual expenditures
incurred in the fulfillment of this Agreement, and shall be in accordance with
the approved line items, as specified in Exhibit C-1, Budget.
4. The Contractor shall submit an invoice with supporting documentation to the
Department no later than the fifteenth (15th) working day of the month following
the month in which the services were provided. The Contractor shall ensure
each invoice:
4.1. Includes the Contractor's Vendor Number issued upon registering with
New Hampshire Department of Administrative Services.
4.2. Is submitted in a form that is provided by or otherwise acceptable to the
Department.
4.3. Identifies and requests payment for allowable costs incurred in the
previous month.
4.4. Includes supporting documentation of allowable costs with each invoice
that may include, but are not limited to, time sheets, payroll records,
receipts for purchases, and proof of expenditures, as applicable.
4.5. Is net any other revenue received towards the services billed in fulfillment
of this agreement.
4.6. Includes information requested by the Department verifying allocation or
offset based on revenue received.
4.7. Is completed, dated and returned to the Department with the supporting
documentation for allowable expenses to initiate payment.
4.8. Is assigned an electronic signature, includes supporting documentation,
and is emailed to dbhinvoicesbdas@dhhs.nh.gov or mailed to:
Financial Manager
Department of Health and Human Services
129 Pleasant Street
Concord, NH 03301
5. The Department shall make payments to the Contractor within thirty (30) days
of receipt of each invoice and supporting documentation for authorized
expenses, subsequent to approval of the submitted invoice.
RFP-2025-DBH-01-CERTI-01 C-2.1 Contractor Initials
5/15/2024
Growth Partners, LLC Date
6. The final invoice and supporting documentation for authorized expenses shall
be due to the Department no later than forty (40) days after the contract
completion date specified in Form P-37, General Provisions Block 1.7
Completion Date.
7. Notwithstanding Paragraph 18 of the General Provisions Form P-37, changes
limited to adjusting amounts within the price limitation and adjusting
encumbrances between State Fiscal Years and budget class lines through the
Budget Office may be made by written agreement of both parties, without
obtaining approval of the Governor and Executive Council, if needed and
justified.
8. Audits
8.1. The Contractor must email an annual audit to dhhs.act@dhhs.nh.gov if
any of the following conditions exist:
8.1.1. Condition A - The Contractor expended $750,000 or more in
federal funds received as a subrecipient pursuant to 2 CFR Part
200, during the most recently completed fiscal year.
8.1.2. Condition B - The Contractor is subject to audit pursuant to the
requirements of NH RSA 7:28, III-b.
8.1.3. Condition C - The Contractor is a public company and required
by Security and Exchange Commission (SEC) regulations to
submit an annual financial audit.
8.2. If Condition A exists, the Contractor shall submit an annual Single
Audit performed by an independent Certified Public Accountant (CPA)
to dhhs.act@dhhs.nh.gov within 120 days after the close of the
Contractor's fiscal year, conducted in accordance with the
requirements of 2 CFR Part 200, Subpart F of the Uniform
Administrative Requirements, Cost Principles, and Audit
Requirements for Federal awards.
8.2.1. The Contractor shall submit a copy of any Single Audit findings
and any associated corrective action plans. The Contractor
shall submit quarterly progress reports on the status of
implementation of the corrective action plan.
8.3. If Condition B or Condition C exists, the Contractor shall submit an
annual financial audit performed by an independent CPA within 120
days after the close of the Contractor's fiscal year.
8.4. Any Contractor that receives an amount equal to or greater than
$250,000 from the Department during a single fiscal year, regardless
of the funding source, may be required, at a minimum, to submit annual
financial audits performed by an independent CPA upon request.
8.5. In addition to, and not in any way in limitation of obligations of the
Agreement, it is understood and agreed by the Contractor that the
Contractor shall be held liable for any state or federal audit exceptions
and shall return to the Department all payments made under the
Agreement to which exception has been taken, or which have been
disallowed because of such an exception.
C-1. Budget
New Hampshire Department of Health and Human Services
Contractor Name: Growth Partners, LLC
Budget Request for Certifying Body for NH Recovery Residences.
Indirect Cost Rate (if applicable) 10.00%
Line Item | Program Cost - Funded by DHHS, SFY 26 | Anticipated Revenue from Fees, SFY 26 | Program Cost - Funded by DHHS, SFY 26 | Anticipated Revenue from Fees, SFY 26
1. Salary & Wages | $214,050 | $18,162 | $220,472 | $22,727
2. Fringe Benefits | $0 | $0 | $0 | $0
3. Consultants | $15,600 | $0 | $11,000 | $0
4. Equipment (Indirect cost rate cannot be applied to equipment costs per 2 CFR 200.1 and Appendix IV to 2 CFR 200.) | $0 | $0 | $0 | $0
5.(a) Supplies - Educational | $0 | $0 | $0 | $0
5.(b) Supplies - Lab | $0 | $0 | $0 | $0
5.(c) Supplies - Pharmacy | $0 | $0 | $0 | $0
5.(d) Supplies - Medical | $0 | $0 | $0 | $0
5.(e) Supplies Office | $4,325 | $0 | $3,000 | $0
6. Travel | $6,000 | $0 | $6,000 | $0
7. Software | $9,000 | $0 | $9,000 | $0
8. (a) Other - Marketing/ Communications | $4,450 | $0 | $4,450 | $0
8. (b) Other - Education and Training | $2,000 | $0 | $2,000 | $0
8. (c) Other - Other (specify below) | $0 | $0 | $0 | $0
Other (Current Expenses) | $14,800 | $0 | $14,300 | $0
Other (Occupancy) | $2,500 | $0 | $2,500 | $0
Other (please specify) | $0 | $0 | $0 | $0
Other (please specify) | $0 | $0 | $0 | $0
9. Subrecipient Contracts | $0 | $0 | $0 | $0
Total Direct Costs | $272,725 | $18,162 | $272,722 | $22,727
Total Indirect Costs | $27,273 | $1,816 | $27,272 | $22,723
Subtotals | $299,998 | $20,000 | $299,994 | $25,000
TOTAL Program Cost - Funded by DHHS | $699,892
New Hampshire Department of Health and Human Services
Exhibit D
DHHS Information Security Requirements
A. Definitions
The following terms may be reflected and have the described meaning in this document:
1. "Breach" means the loss of control, compromise, unauthorized disclosure,
unauthorized acquisition, unauthorized access, or any similar term referring to
situations where persons other than authorized users and for an other than authorized
purpose have access or potential access to personally identifiable information,
whether physical or electronic. With regard to Protected Health Information, "Breach"
shall have the same meaning as the term "Breach" in section 164.402 of Title 45,
Code of Federal Regulations.
2. "Computer Security Incident" shall have the same meaning "Computer Security
Incident" in section two (2) of NIST Publication 800-61, Computer Security Incident
Handling Guide, National Institute of Standards and Technology, U.S. Department of
Commerce.
3. "Confidential Information" or "Confidential Data" means all confidential information
disclosed by one party to the other such as all medical, health, financial, public
assistance benefits and personal information including without limitation, Substance
Abuse Treatment Records, Case Records, Protected Health Information and
Personally Identifiable Information.
Confidential Information also includes any and all information owned or managed by
the State of NH - created, received from or on behalf of the Department of Health and
Human Services (DHHS) or accessed in the course of performing contracted services
- of which collection, disclosure, protection, and disposition is governed by state or
federal law or regulation. This information includes, but is not limited to Protected
Health Information (PHI), Personal Information (PI), Personal Financial Information
(PFI), Federal Tax Information (FTI), Social Security Numbers (SSN), Payment Card
Industry (PCI), and or other sensitive and confidential information.
4. "End User" means any person or entity (e.g., contractor, contractor's employee,
business associate, subcontractor, other downstream user, etc.) that receives DHHS
data or derivative data in accordance with the terms of this Contract.
5. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and
the regulations promulgated thereunder.
6. "Incident" means an act that potentially violates an explicit or implied security policy,
which includes attempts (either failed or successful) to gain unauthorized access to a
system or its data, unwanted disruption or denial of service, the unauthorized use of
a system for the processing or storage of data; and changes to system hardware,
firmware, or software characteristics without the owner's knowledge, instruction, or
consent. Incidents include the loss of data through theft or device misplacement, loss
or misplacement of hardcopy documents, and misrouting of physical or electronic
mail, all of which may have the potential to put the data at risk of unauthorized access,
use, disclosure, modification or destruction.
V5. Last update 10/09/18
7. "Open Wireless Network" means any network or segment of a network that is not
designated by the State of New Hampshire's Department of Information Technology
or delegate as a protected network (designed, tested, and approved, by means of the
State, to transmit) will be considered an open network and not adequately secure for
the transmission of unencrypted PI, PFI, PHI or confidential DHHS data.
8. "Personal Information" (or "PI") means information which can be used to distinguish
or trace an individual's identity, such as their name, social security number, personal
information as defined in New Hampshire RSA 359-C:19, biometric records, etc.,
alone, or when combined with other personal or identifying information which is linked
or linkable to a specific individual, such as date and place of birth, mother's maiden
name, etc.
9. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health
Information at 45 C.F.R. Parts 160 and 164, promulgated under HIPAA by the United
States Department of Health and Human Services.
10. "Protected Health Information" (or "PHI") has the same meaning as provided in the
definition of "Protected Health Information" in the HIPAA Privacy Rule at 45 C.F.R. §
160.103.
11. "Security Rule" shall mean the Security Standards for the Protection of Electronic
Protected Health Information at 45 C.F.R. Part 164, Subpart C, and amendments
thereto.
12. "Unsecured Protected Health Information" means Protected Health Information that is
not secured by a technology standard that renders Protected Health Information
unusable, unreadable, or indecipherable to unauthorized individuals and is developed
or endorsed by a standards developing organization that is accredited by the
American National Standards Institute.
I. RESPONSIBILITIES OF DHHS AND THE CONTRACTOR
A. Business Use and Disclosure of Confidential Information.
1. The Contractor must not use, disclose, maintain or transmit Confidential Information
except as reasonably necessary as outlined under this Contract. Further, Contractor,
including but not limited to all its directors, officers, employees and agents, must not
use, disclose, maintain or transmit PHI in any manner that would constitute a violation
of the Privacy and Security Rule.
2. The Contractor must not disclose any Confidential Information in response to a request
for disclosure on the basis that it is required by law, in response to a subpoena, etc.,
without first notifying DHHS so that DHHS has an opportunity to consent or object to
the disclosure.
3. If DHHS notifies the Contractor that DHHS has agreed to be bound by additional
restrictions over and above those uses or disclosures or security safeguards of PHI
pursuant to the Privacy and Security Rule, the Contractor must be bound by such
additional restrictions and must not disclose PHI in violation of such additional
restrictions and must abide by any additional security safeguards.
4. The Contractor agrees that DHHS Data or derivative there from disclosed to an End
User must only be used pursuant to the terms of this Contract.
5. The Contractor agrees DHHS Data obtained under this Contract may not be used for
any other purposes that are not indicated in this Contract.
6. The Contractor agrees to grant access to the data to the authorized representatives of
DHHS for the purpose of inspecting to confirm compliance with the terms of this
Contract.
II. METHODS OF SECURE TRANSMISSION OF DATA
1. Application Encryption. If End User is transmitting DHHS data containing Confidential
Data between applications, the Contractor attests the applications have been evaluated
by an expert knowledgeable in cyber security and that said application's encryption
capabilities ensure secure transmission via the internet.
2. Computer Disks and Portable Storage Devices. End User may not use computer disks
or portable storage devices, such as a thumb drive, as a method of transmitting DHHS
data.
3. Encrypted Email. End User may only employ email to transmit Confidential Data if email
is encrypted and being sent to and being received by email addresses of persons
authorized to receive such information.
4. Encrypted Web Site. If End User is employing the Web to transmit Confidential Data, the
secure socket layers (SSL) must be used and the web site must be secure. SSL encrypts
data transmitted via a Web site.
5. File Hosting Services, also known as File Sharing Sites. End User may not use file hosting
services, such as Dropbox or Google Cloud Storage, to transmit Confidential Data.
6. Ground Mail Service. End User may only transmit Confidential Data via certified ground
mail within the continental U.S. and when sent to a named individual.
7. Laptops and PDA. If End User is employing portable devices to transmit Confidential Data
said devices must be encrypted and password-protected.
8. Open Wireless Networks. End User may not transmit Confidential Data via an open
wireless network. End User must employ a virtual private network (VPN) when remotely
transmitting via an open wireless network.
9. Remote User Communication. If End User is employing remote communication to access
or transmit Confidential Data, a virtual private network (VPN) must be installed on the End
User's mobile device(s) or laptop from which information will be transmitted or accessed.
10. SSH File Transfer Protocol (SFTP), also known as Secure File Transfer Protocol. If End
User is employing an SFTP to transmit Confidential Data, End User will structure the
Folder and access privileges to prevent inappropriate disclosure of information. SFTP
folders and sub-folders used for transmitting Confidential Data will be coded for 24-hour
auto-deletion cycle (i.e. Confidential Data will be deleted every 24 hours).
11. Wireless Devices. If End User is transmitting Confidential Data via wireless devices, all
data must be encrypted to prevent inappropriate disclosure of information.
III. RETENTION AND DISPOSITION OF IDENTIFIABLE RECORDS
The Contractor will only retain the data and any derivative of the data for the duration of this
Contract. After such time, the Contractor will have 30 days to destroy the data and any
derivative in whatever form it may exist, unless, otherwise required by law or permitted under
this Contract. To this end, the parties must:
A. Retention
1. The Contractor agrees it will not store, transfer or process data collected in
connection with the services rendered under this Contract outside of the United
States. This physical location requirement shall also apply in the implementation of
cloud computing, cloud service or cloud storage capabilities, and includes backup
data and Disaster Recovery locations.
2. The Contractor agrees to ensure proper security monitoring capabilities are in place
to detect potential security events that can impact State of NH systems and/or
Department confidential information for contractor provided systems.
3. The Contractor agrees to provide security awareness and education for its End
Users in support of protecting Department confidential information.
4. The Contractor agrees to retain all electronic and hard copies of Confidential Data
in a secure location and identified in section IV. A.2
5. The Contractor agrees Confidential Data stored in a Cloud must be in a
FedRAMP/HITECH compliant solution and comply with all applicable statutes and
regulations regarding the privacy and security. All servers and devices must have
currently-supported and hardened operating systems, the latest anti-viral,
anti-hacker, anti-spam, anti-spyware, and anti-malware utilities. The environment, as
a whole, must have aggressive intrusion-detection and firewall protection.
6. The Contractor agrees to and ensures its complete cooperation with the State's
Chief Information Officer in the detection of any security vulnerability of the hosting
infrastructure.
B. Disposition
1. If the Contractor will maintain any Confidential Information on its systems (or its sub
contractor systems), the Contractor will maintain a documented process for securely
disposing of such data upon request or contract termination; and will obtain written
certification for any State of New Hampshire data destroyed by the Contractor or
any subcontractors as a part of ongoing, emergency, and or disaster recovery
operations. When no longer in use, electronic media containing State of New
Hampshire data shall be rendered unrecoverable via a secure wipe program in
accordance with industry-accepted standards for secure deletion and media
sanitization, or otherwise physically destroying the media (for example, degaussing)
as described in NIST Special Publication 800-88, Rev 1, Guidelines for Media
Sanitization, National Institute of Standards and Technology, U. S. Department of
Commerce. The Contractor will document and certify in writing at time of the data
destruction, and will provide written certification to the Department upon request.
The written certification will include all details necessary to demonstrate data has
been properly destroyed and validated. Where applicable, regulatory and
professional standards for retention requirements will be jointly evaluated by the
State and Contractor prior to destruction.
2. Unless otherwise specified, within thirty (30) days of the termination of this Contract,
Contractor agrees to destroy all hard copies of Confidential Data using a secure
method such as shredding.
3. Unless otherwise specified, within thirty (30) days of the termination of this Contract,
Contractor agrees to completely destroy all electronic Confidential Data by means
of data erasure, also known as secure data wiping.
IV. PROCEDURES FOR SECURITY
A. Contractor agrees to safeguard the DHHS Data received under this Contract, and any
derivative data or files, as follows:
1. The Contractor will maintain proper security controls to protect Department confidential
information collected, processed, managed, and/or stored in the delivery of contracted
services.
2. The Contractor will maintain policies and procedures to protect Department confidential
information throughout the information lifecycle, where applicable, (from creation,
transformation, use, storage and secure destruction) regardless of the media used to
store the data (i.e., tape, disk, paper, etc.).
3. The Contractor will maintain appropriate authentication and access controls to
contractor systems that collect, transmit, or store Department confidential information
where applicable.
4. The Contractor will ensure proper security monitoring capabilities are in place to detect
potential security events that can impact State of NH systems and/or Department
confidential information for contractor provided systems.
5. The Contractor will provide regular security awareness and education for its End Users
in support of protecting Department confidential information.
6. If the Contractor will be sub-contracting any core functions of the engagement
supporting the services for State of New Hampshire, the Contractor will maintain a
program of an internal process or processes that defines specific security expectations,
and monitoring compliance to security requirements that at a minimum match those for
the Contractor, including breach notification requirements.
7. The Contractor will work with the Department to sign and comply with all applicable
State of New Hampshire and Department system access and authorization policies and
procedures, systems access forms, and computer use agreements as part of obtaining
and maintaining access to any Department system(s). Agreements will be completed
and signed by the Contractor and any applicable sub-contractors prior to system access
being authorized.
8. If the Department determines the Contractor is a Business Associate pursuant to 45
CFR 160.103, the Contractor will execute a HIPAA Business Associate Agreement
(BAA) with the Department and is responsible for maintaining compliance with the
agreement.
9. The Contractor will work with the Department at its request to complete a System
Management Survey. The purpose of the survey is to enable the Department and
Contractor to monitor for any changes in risks, threats, and vulnerabilities that may
occur over the life of the Contractor engagement. The survey will be completed
annually, or an alternate time frame at the Department's discretion with agreement by
the Contractor, or the Department may request the survey be completed when the
scope of the engagement between the Department and the Contractor changes.
10. The Contractor will not store, knowingly or unknowingly, any State of New Hampshire
or Department data offshore or outside the boundaries of the United States unless prior
express written consent is obtained from the Information Security Office leadership
member within the Department.
11. Data Security Breach Liability. In the event of any security breach Contractor shall make
efforts to investigate the causes of the breach, promptly take measures to prevent
future breach and minimize any damage or loss resulting from the breach. The State
shall recover from the Contractor all costs of response and recovery from
the breach, including but not limited to: credit monitoring services, mailing costs and
costs associated with website and telephone call center services necessary due to the
breach.
12. Contractor must comply with all applicable statutes and regulations regarding the
privacy and security of Confidential Information, and must in all other respects maintain
the privacy and security of PI and PHI at a level and scope that is not less than the level
and scope of requirements applicable to federal agencies, including, but not limited to,
provisions of the Privacy Act of 1974 (5 U.S.C. § 552a), DHHS Privacy Act Regulations
(45 C.F.R. §5b), HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164) that
govern protections for individually identifiable health information and as applicable
under State law.
13. Contractor agrees to establish and maintain appropriate administrative, technical, and
physical safeguards to protect the confidentiality of the Confidential Data and to prevent
unauthorized use or access to it. The safeguards must provide a level and scope of
security that is not less than the level and scope of security requirements established
by the State of New Hampshire, Department of Information Technology. Refer to
Vendor Resources/Procurement at https://www.nh.gov/doit/vendor/index.htm for the
Department of Information Technology policies, guidelines, standards, and
procurement information relating to vendors.
14. Contractor agrees to maintain a documented breach notification and incident response
process. The Contractor will notify the State's Privacy Officer and the State's Security
Officer of any security breach immediately, at the email addresses provided in Section
VI. This includes a confidential information breach, computer security incident, or
suspected breach which affects or includes any State of New Hampshire systems that
connect to the State of New Hampshire network.
15. Contractor must restrict access to the Confidential Data obtained under this Contract
to only those authorized End Users who need such DHHS Data to perform their official
duties in connection with purposes identified in this Contract.
16. The Contractor must ensure that all End Users:
a. comply with such safeguards as referenced in Section IV A. above, implemented
to protect Confidential Information that is furnished by DHHS under this Contract
from loss, theft or inadvertent disclosure.
b. safeguard this information at all times.
c. ensure that laptops and other electronic devices/media containing PHI, PI, or
PFI are encrypted and password-protected.
d. send emails containing Confidential Information only if encrypted and being sent
to and being received by email addresses of persons authorized to receive such
information.
e. limit disclosure of the Confidential Information to the extent permitted by law.
f. Confidential Information received under this Contract and individually identifiable
data derived from DHHS Data, must be stored in an area that is physically and
technologically secure from access by unauthorized persons during duty hours
as well as non-duty hours (e.g., door locks, card keys, biometric identifiers, etc.).
g. only authorized End Users may transmit the Confidential Data, including any
derivative files containing personally identifiable information, and in all cases,
such data must be encrypted at all times when in transit, at rest, or when stored
on portable media as required in section IV above.
h. in all other instances Confidential Data must be maintained, used and disclosed
using appropriate safeguards, as determined by a risk-based assessment of the
circumstances involved.
i. understand that their user credentials (user name and password) must not be
shared with anyone. End Users will keep their credential information secure.
This applies to credentials used to access the site directly or indirectly through a
third party application.
Contractor is responsible for oversight and compliance of their End Users. DHHS
reserves the right to conduct onsite inspections to monitor compliance with this Contract,
including the privacy and security requirements provided in herein, HIPAA, and other
applicable laws and Federal regulations until such time the Confidential Data is disposed
of in accordance with this Contract.
V. LOSS REPORTING
The Contractor must notify the State's Privacy Officer and Security Officer of any Security
Incidents and Breaches immediately, at the email addresses provided in Section VI.
The Contractor must further handle and report Incidents and Breaches involving PHI in
accordance with the agency's documented Incident Handling and Breach Notification
procedures and in accordance with 42 C.F.R. §§ 431.300 - 306. In addition to. and
notwithstanding, Contractor's compliance with all applicable obligations and procedures.
Contractor's procedures must also address how the Contractor will:
1. Identify Incidents:
2. Determine if personally identifiable information is involved in Incidents;
3. Report suspected or confirmed Incidents as required in this Exhibit or P-37;
4. Identify and convene a core response group to determine the risk level of Incidents and
determine risk-based responses to Incidents; and
5. Determine whether Breach notification is required, and, if so, identify appropriate Breach
notification methods, timing, source, and contents from among different options, and
bear costs associated with the Breach notice as well as any mitigation measures.
Incidents and/or Breaches that implicate PI must be addressed and reported, as applicable,
in accordance with NH RSA 359-C:20.
VI. PERSONS TO CONTACT
A. DHHS Privacy Officer:
DHHSPrivacyOfficer@dhhs.nh.gov
B. DHHS Security Officer:
DHHSInformationSecurityOffice@dhhs.nh.gov
New Hampshire Department of Health and Human
Exhibit E
BUSINESS ASSOCIATE AGREEMENT
The Contractor identified in Section 1.3 of the General Provisions of the Agreement (Form P-37)
("Agreement"), and any of its agents who receive, use or have access to protected health
information (PHI), as defined herein, shall be referred to as the "Business Associate." The State
of New Hampshire, Department of Health and Human Services, "Department" shall be referred
to as the "Covered Entity." The Contractor and the Department are collectively referred to as "the
parties."
The parties agree to comply with the Health Insurance Portability and Accountability Act, Public
Law 104-191, the Standards for Privacy and Security of Individually Identifiable Health
Information, 45 CFR Parts 160, 162, and 164 (HIPAA), provisions of the HITECH Act, Title XIII,
Subtitle D, Parts 1&2 of the American Recovery and Reinvestment Act of 2009, 42 USC 17934,
et seq., applicable to business associates, and as applicable, to be bound by the provisions of
the Confidentiality of Substance Use Disorder Patient Records, 42 USC s. 290 dd-2, 42 CFR Part
2, (Part 2), as any of these laws and regulations may be amended from time to time.
(1) Definitions
a. The following terms shall have the same meaning as defined in HIPAA, the HITECH
Act, and Part 2, as they may be amended from time to time:
"Breach," "Designated Record Set," "Data Aggregation," "Designated Record
Set," "Health Care Operations," "HITECH Act," "Individual," "Privacy Rule,"
"Required by law," "Security Rule," and "Secretary."
b. Business Associate Agreement, (BAA) means the Business Associate Agreement
that includes privacy and confidentiality requirements of the Business Associate
working with PHI and as applicable, Part 2 record(s) on behalf of the Covered Entity
under the Agreement.
c. "Constructively Identifiable," means there is a reasonable basis to believe that the
information could be used, alone or in combination with other reasonably available
information, by an anticipated recipient to identify an individual who is a subject of
the information.
d. "Protected Health Information" ("PHI") as used in the Agreement and the BAA,
means protected health information defined in HIPAA 45 CFR 160.103, limited to
the information created, received, or used by Business Associate from or on behalf
of Covered Entity, and includes any Part 2 records, if applicable, as defined below.
e. "Part 2 record" means any patient "Record," relating to a "Patient," and "Patient
Identifying Information," as defined in 42 CFR Part 2.11.
f. "Unsecured Protected Health Information" means protected health information that
is not secured by a technology standard that renders protected health information
unusable, unreadable, or indecipherable to unauthorized individuals and is
developed or endorsed by a standards developing organization that is accredited
by the American National Standards Institute.
(2) Business Associate Use and Disclosure of Protected Health Information
a. Business Associate shall not use, disclose, maintain, store, or transmit Protected
Health Information (PHI) except as reasonably necessary to provide the services
outlined under the Agreement. Further, Business Associate, including but not
limited to all its directors, officers, employees, and agents, shall protect any PHI as
required by HIPAA and 42 CFR Part 2, and not use, disclose, maintain, store, or
transmit PHI in any manner that would constitute a violation of HIPAA or 42 CFR
Part 2.
b. Business Associate may use or disclose PHI, as applicable:
I. For the proper management and administration of the Business Associate;
II. As required by law, according to the terms set forth in paragraph c. and d. below;
III. According to the HIPAA minimum necessary standard;
IV. For data aggregation purposes for the health care operations of the Covered
Entity; and
V. Data that is de-identified or aggregated and remains constructively identifiable
may not be used for any purpose outside the performance of the Agreement.
c. To the extent Business Associate is permitted under the BAA or the Agreement to
disclose PHI to any third party or subcontractor prior to making any disclosure, the
Business Associate must obtain a business associate agreement or other
agreement with the third party or subcontractor, that complies with HIPAA and
ensures that all requirements and restrictions placed on the Business Associate as
part of this BAA with the Covered Entity, are included in those business associate
agreements with the third party or subcontractor.
d. The Business Associate shall not disclose any PHI in response to a request or
demand for disclosure, such as by a subpoena or court order, on the basis that it
is required by law, without first notifying Covered Entity so that Covered Entity can
determine how to best protect the PHI. If Covered Entity objects to the disclosure,
the Business Associate agrees to refrain from disclosing the PHI and shall
cooperate with the Covered Entity in any effort the Covered Entity undertakes to
contest the request for disclosure, subpoena, or other legal process. If applicable
relating to Part 2 records, the Business Associate shall resist any efforts to access
Part 2 records in any judicial proceeding.
(3) Obligations and Activities of Business Associate
a. Business Associate shall implement appropriate safeguards to prevent
unauthorized use or disclosure of all PHI in accordance with HIPAA Privacy Rule
and Security Rule with regard to electronic PHI, and Part 2, as applicable.
b. The Business Associate shall immediately notify the Covered Entity's Privacy
Officer at the following email address, DHHSPrivacyOfficer@dhhs.nh.gov after the
Business Associate has determined that any use or disclosure not provided for by
its contract, including any known or suspected privacy or security incident or breach
has occurred potentially exposing or compromising the PHI. This includes
inadvertent or accidental uses or disclosures or breaches of unsecured protected
health information.
c. In the event of a breach, the Business Associate shall comply with the terms of this
Business Associate Agreement, all applicable state and federal laws and
regulations and any additional requirements of the Agreement.
d. The Business Associate shall perform a risk assessment, based on the information
available at the time it becomes aware of any known or suspected privacy or
security breach as described above and communicate the risk assessment to the
Covered Entity. The risk assessment shall include, but not be limited to:
I. The nature and extent of the protected health information involved, including the
types of identifiers and the likelihood of re-identification;
II. The unauthorized person who accessed, used, disclosed, or received the
protected health information;
III. Whether the protected health information was actually acquired or viewed; and
IV. How the risk of loss of confidentiality to the protected health information
has been mitigated.
e. The Business Associate shall complete a risk assessment report at the conclusion
of its incident or breach investigation and provide the findings in a written report to
the Covered Entity as soon as practicable after the conclusion of the Business
Associate's investigation.
f. Business Associate shall make available all of its internal policies and procedures,
books and records relating to the use and disclosure of PHI received from, or
created or received by the Business Associate on behalf of Covered Entity to the
US Secretary of Health and Human Services for purposes of determining the
Business Associate's and the Covered Entity's compliance with HIPAA and the
Privacy and Security Rule, and Part 2, if applicable.
g. Business Associate shall require all of its business associates that receive, use or
have access to PHI under the BAA to agree in writing to adhere to the same
restrictions and conditions on the use and disclosure of PHI contained herein.
h. Within ten (10) business days of receipt of a written request from Covered Entity,
Business Associate shall make available during normal business hours at its offices
all records, books, agreements, policies and procedures relating to the use and
disclosure of PHI to the Covered Entity, for purposes of enabling Covered Entity to
determine Business Associate's compliance with the terms of the BAA and the
Agreement.
i. Within ten (10) business days of receiving a written request from Covered Entity,
Business Associate shall provide access to PHI in a Designated Record Set to the
Covered Entity, or as directed by Covered Entity, to an individual in order to meet
the requirements under 45 CFR Section 164.524.
j. Within ten (10) business days of receiving a written request from Covered Entity for
an amendment of PHI or a record about an individual contained in a Designated
Record Set, the Business Associate shall make such PHI available to Covered
Entity for amendment and incorporate any such amendment to enable Covered
Entity to fulfill its obligations under 45 CFR Section 164.526.
k. Business Associate shall document any disclosures of PHI and information related
to any disclosures as would be required for Covered Entity to respond to a request
by an individual for an accounting of disclosures of PHI in accordance with 45 CFR
Section 164.528.
l. Within ten (10) business days of receiving a written request from Covered Entity for
a request for an accounting of disclosures of PHI, Business Associate shall make
available to Covered Entity such information as Covered Entity may require to fulfill
its obligations to provide an accounting of disclosures with respect to
accordance with 45 CFR Section 164.528.
m. In the event any individual requests access to, amendment of, or accounting of PHI
directly from the Business Associate, the Business Associate shall within five (5)
business days forward such request to Covered Entity. Covered Entity shall have
the responsibility of responding to forwarded requests. However, if forwarding the
individual's request to Covered Entity would cause Covered Entity or the Business
Associate to violate HIPAA and the Privacy and Security Rule, the Business
Associate shall instead respond to the individual's request as required by such law
and notify Covered Entity of such response as soon as practicable.
n. Within thirty (30) business days of termination of the Agreement, for any reason,
the Business Associate shall return or destroy, as specified by Covered Entity, all
PHI received from or created or received by the Business Associate in connection
with the Agreement, and shall not retain any copies or back-ups of such PHI in any
form or platform.
VI. If return or destruction is not feasible, or the disposition of the PHI has been
otherwise agreed to in the Agreement, or if retention is governed by state
or federal law, Business Associate shall continue to extend the protections
of the Agreement, to such PHI and limit further uses and disclosures of such
PHI to those purposes that make the return or destruction infeasible for as
long as the Business Associate maintains such PHI. If Covered Entity, in its
sole discretion, requires that the Business Associate destroy any or all PHI,
the Business Associate shall certify to Covered Entity that the PHI has been
destroyed.
(4) Obligations of Covered Entity
a. Covered Entity shall post a current version of the Notice of the Privacy Practices
on the Covered Entity's website;
https://www.dhhs.nh.gov/oos/hipaa/publications.htm in accordance with 45 CFR
Section 164.520.
b. Covered Entity shall promptly notify Business Associate of any changes in, or
revocation of permission provided to Covered Entity by individuals whose PHI may
be used or disclosed by Business Associate under this BAA, pursuant to 45 CFR
Section 164.506 or 45 CFR Section 164.508.
c. Covered entity shall promptly notify Business Associate of any restrictions on the
use or disclosure of PHI that Covered Entity has agreed to in accordance with 45
CFR 164.522, to the extent that such restriction may affect Business Associate's
use or disclosure of PHI.
(5) Termination of Agreement for Cause
a. In addition to the General Provisions (P-37) of the Agreement, the Covered Entity
may immediately terminate the Agreement upon Covered Entity's knowledge of a
material breach by Business Associate of the Business Associate Agreement. The
Covered Entity may either immediately terminate the Agreement or provide an
opportunity for Business Associate to cure the alleged breach within a timeframe
specified by Covered Entity.
(6) Miscellaneous
a. Definitions, Laws, and Regulatory References. All laws and regulations
herein, shall refer to those laws and regulations as amended from time to time. A
reference in the Agreement, as amended to include this Business Associate
Agreement, to a Section in HIPAA or 42 Part 2, means the Section as in effect or
as amended.
b. Change in law - Covered Entity and Business Associate agree to take such action
as is necessary from time to time for the Covered Entity and/or Business Associate
to comply with the changes in the requirements of HIPAA, 42 CFR Part 2 other
applicable federal and state law.
c. Data Ownership - The Business Associate acknowledges that it has no ownership
rights with respect to the PHI provided by or created on behalf of Covered Entity.
d. Interpretation - The parties agree that any ambiguity in the BAA and the
Agreement shall be resolved to permit Covered Entity and the Business Associate
to comply with HIPAA and 42 CFR Part 2.
e. Segregation - If any term or condition of this BAA or the application thereof to any
person(s) or circumstance is held invalid, such invalidity shall not affect other terms
or conditions which can be given effect without the invalid term or condition; to this
end the terms and conditions of this BAA are declared severable.
f. Survival - Provisions in this BAA regarding the use and disclosure of PHI, return
or destruction of PHI, extensions of the protections of the BAA in section (3) g. and
(3) n.l., and the defense and indemnification provisions of the General Provisions
(P-37) of the Agreement, shall survive the termination of the BAA.
IN WITNESS WHEREOF, the parties hereto have duly executed this Business Associate
Agreement.
The State: Department of Health and Human Services
Signature of Authorized Representative: DocuSigned
Name of Authorized Representative: Katja S. Fox
Title of Authorized Representative: Director
Date: 5/15/2024

Name of the Contractor: Growth Partners, LLC
Signature of Authorized Representative: DocuSigned
Name of Authorized Representative: Jeff Barr
Title of Authorized Representative: COO
Date: 5/15/2024
State of New Hampshire
Department of State
CERTIFICATE
I, David M. Scanlan, Secretary of State of the State of New Hampshire, do hereby certify that GROWTH PARTNERS, LLC is
a Nebraska Limited Liability Company registered to transact business in New Hampshire on July 02, 2020. I further certify that all
fees and documents required by the Secretary of State's office have been received and is in good standing as far as this office is
concerned.
Business ID: 845612
Certificate Number: 0006689596
IN TESTIMONY WHEREOF,
I hereto set my hand and cause to be affixed
the Seal of the State of New Hampshire,
this 15th day of May A.D. 2024.
David M. Scanlan
Secretary of State
CERTIFICATE OF AUTHORITY
I, Laurie Barger Sutter, hereby certify that:
1. I am the Chief Executive Officer of Growth Partners, LLC; and
is a true copy of a meeting of the Directors, duly called and held on April 3 2024
at which a quorum of the Directors were present and voting.
Operating Officer is duly authorized on behalf of Growth Partners, LLC to enter
State of New Hampshire and any of its agencies or departments and
further is authorized to execute any and all documents, agreements and other instruments, and any
amendments, revisions, or modifications thereto, which may in his/her judgment be desirable or necessary to
effect the purpose of this vote;
that said vote has not been amended or repealed and remains in full force and effect as of the
date of the contract/contract amendment to which this certificate is attached. This authority was valid thirty (30)
remains valid for thirty (30) days from the date of this Certificate of Authority. I further certify
that it is understood that the State of New Hampshire will rely on this certificate as evidence that the
person(s) listed above currently occupy the position(s) indicated and that they have full authority to bind
the corporation. To the extent that there are any limits on the authority of any listed individual to bind
the corporation in contracts with the State of New Hampshire, all such limitations are expressly stated herein.
Dated: May 15, 2024
Signature of Elected Officer
Name: Laurie Barger Sutter
Title: Chief Executive Officer
Rev. 03/24/20
ACORD CERTIFICATE OF LIABILITY INSURANCE
DATE (MM/DD/YYYY): 4/3/2024
THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS
CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES
BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED
REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.
IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must have ADDITIONAL INSURED provisions or be endorsed.
If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on
this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).
PRODUCER
Williams Insurance, Inc.
2127A Winthrop Ave
Lincoln NE 68502
CONTACT NAME:
PHONE: 402-802-9966
E-MAIL ADDRESS: austin@williams.insure
INSURER(S) AFFORDING COVERAGE / NAIC #
INSURER A: Travelers Casualty Ins Co of America, 19046
INSURER B: The Travelers Property Casualty Ins Co of America, 25674
INSURER C: Standard Fire Ins Co, 19070
INSURER D:
INSURER E:
INSURER F:
INSURED
Growth Partners, LLC
Laurie Sutter
1900 8 St.
Lincoln NE 68502
COVERAGES CERTIFICATE NUMBER: 290804951 REVISION NUMBER:
THIS IS TO CERTIFY THAT THE POLICIES OF INSURANCE LISTED BELOW HAVE BEEN ISSUED TO THE INSURED NAMED ABOVE FOR THE POLICY PERIOD
INDICATED. NOTWITHSTANDING ANY REQUIREMENT, TERM OR CONDITION OF ANY CONTRACT OR OTHER DOCUMENT WITH RESPECT TO WHICH THIS
CERTIFICATE MAY BE ISSUED OR MAY PERTAIN, THE INSURANCE AFFORDED BY THE POLICIES DESCRIBED HEREIN IS SUBJECT TO ALL THE TERMS,
EXCLUSIONS AND CONDITIONS OF SUCH POLICIES. LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS.

INSR LTR A: COMMERCIAL GENERAL LIABILITY (X); CLAIMS-MADE; OCCUR (X)
GEN'L AGGREGATE LIMIT APPLIES PER: POLICY; LOC; OTHER
POLICY NUMBER: 680-9P082S41-23
POLICY EFF (MM/DD/YYYY): 8/3/2023
POLICY EXP (MM/DD/YYYY): 8/3/2024
LIMITS:
EACH OCCURRENCE $1,000,000
PREMISES (Ea occurrence) $300,000
MED EXP (Any one person) $5,000
PERSONAL & ADV INJURY $1,000,000
GENERAL AGGREGATE $2,000,000
PRODUCTS - COMP/OP AGG $2,000,000

INSR LTR A: AUTOMOBILE LIABILITY
X ANY AUTO; OWNED AUTOS ONLY; HIRED AUTOS ONLY X; SCHEDULED AUTOS; NON-OWNED AUTOS ONLY
POLICY NUMBER: 680-9P082341-23
POLICY EFF (MM/DD/YYYY): 8/3/2023
POLICY EXP (MM/DD/YYYY): 6/3/2024
LIMITS:
COMBINED SINGLE LIMIT (Ea accident) $1,000,000
BODILY INJURY (Per person) $
BODILY INJURY (Per accident) $
PROPERTY DAMAGE (Per accident) $

INSR LTR B: UMBRELLA LIAB; EXCESS LIAB; OCCUR (X); CLAIMS-MADE
DED; RETENTION $
POLICY NUMBER: CUP-0X487723-23
POLICY EFF (MM/DD/YYYY): 8/3/2023
POLICY EXP (MM/DD/YYYY): 8/3/2024
LIMITS:
EACH OCCURRENCE $1,000,000
AGGREGATE $

INSR LTR C: WORKERS COMPENSATION AND EMPLOYERS' LIABILITY
ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Mandatory in NH)
If yes, describe under DESCRIPTION OF OPERATIONS below
N/A
POLICY NUMBER: UB-2R393326-23
POLICY EFF (MM/DD/YYYY): 8/3/2023
POLICY EXP (MM/DD/YYYY): 8/3/2024
LIMITS:
Y PER STATUTE; OTH-ER
E.L. EACH ACCIDENT $1,000,000
E.L. DISEASE - EA EMPLOYEE $1,000,000
E.L. DISEASE - POLICY LIMIT $1,000,000

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required)
State of New Hampshire
Department of Health and Human Services
129 Pleasant Street
Concord NH 03301-3857
SHOULD ANY OF THE ABOVE DESCRIBED POLICIES BE CANCELLED BEFORE
THE EXPIRATION DATE THEREOF, NOTICE WILL BE DELIVERED IN
ACCORDANCE WITH THE POLICY PROVISIONS.
AUTHORIZED REPRESENTATIVE
ACORD 25 (2016/03) The ACORD name and logo are registered marks of ACORD