San Francisco City Contract Compliance: HSA, DPH, and MOHCD Subrecipient Requirements

San Francisco’s Contract Ecosystem

San Francisco contracts with hundreds of nonprofit organizations to deliver health services, social services, housing programs, and community development. Three city departments dominate nonprofit contracting: the Human Services Agency (HSA) for social services, the Department of Public Health (DPH) for health and behavioral health, and the Mayor’s Office of Housing and Community Development (MOHCD) for affordable housing and community development. Each department maintains its own compliance framework, reporting systems, and monitoring practices.

For nonprofits, a San Francisco city contract is not a simple grant - it is a contractual relationship with compliance obligations that can approach the complexity of a federal direct award. Understanding the specific requirements of each contracting department before pursuing city funding is essential. The compliance burden is manageable with proper systems, but it is a shock for organizations accustomed to simpler foundation grant reporting.

SF Supplier: The Registration Gateway

All organizations seeking San Francisco city contracts must register in the SF Supplier portal. Registration involves providing organizational information, tax documentation, insurance certificates, and various compliance certifications. The process typically takes 2 to 4 weeks to complete.

Key requirements include general liability insurance meeting city minimums, workers’ compensation coverage, and for some contracts, professional liability insurance. The city’s insurance requirements are non-negotiable - if your coverage does not meet the minimums, you cannot execute the contract.

SF Supplier also hosts RFP and RFQ notices for upcoming procurement opportunities. Monitor the portal regularly and sign up for notifications in relevant service categories. Most nonprofit service contracts are awarded through competitive procurement with defined evaluation criteria.

HSA Contracts: Social Services Compliance

HSA contracts with nonprofits for homeless services (shelters, navigation centers, permanent supportive housing), family support, CalWORKs employment services, CalFresh (food assistance) outreach, and aging and adult services. The compliance framework includes:

Client-level data reporting. HSA requires nonprofits to enter client data into city databases - most notably the Homeless Management Information System (HMIS) for homeless services. This is not aggregate reporting; it is individual-level data entry for every client served, including demographics, service encounters, housing status, and outcomes. Staff must be trained on the data systems, and data quality is monitored.

Quarterly fiscal reports. HSA requires detailed quarterly expenditure reports that reconcile with the contract budget. Line-item variances above specified thresholds require written explanation. Budget modifications during the contract period require prior approval from the HSA program manager.

Outcomes measurement. HSA contracts specify performance targets - number of clients served, housing placements, employment outcomes, service completion rates. Nonprofits report against these targets quarterly, and performance affects contract renewal decisions. Consistently missing targets can trigger corrective action plans or contract non-renewal.

Monitoring visits. HSA conducts annual monitoring visits for most contracts. Monitors review fiscal records, client files, programmatic documentation, personnel files, and facility compliance. Findings are documented, and nonprofits must submit corrective action plans for any deficiencies within specified timelines.

DPH Contracts: Health Services and HIPAA

DPH contracts with nonprofits for primary care, behavioral health, substance use treatment, HIV/AIDS services, maternal and child health, and community health programs. The compliance framework adds health-specific requirements on top of the standard fiscal and programmatic obligations.

HIPAA compliance. Nonprofits contracting with DPH for health services become business associates under HIPAA. This triggers a comprehensive set of privacy and security requirements: staff HIPAA training (annual), business associate agreements, policies and procedures for PHI access and disclosure, electronic PHI security protocols (encryption, access controls, audit logs), breach notification procedures, and minimum necessary standards. DPH monitors HIPAA compliance as part of its subrecipient oversight.

Medi-Cal billing. For contracts involving Medi-Cal reimbursable services, nonprofits must comply with California’s Medi-Cal billing standards, documentation requirements, and audit trail obligations. Medi-Cal billing generates its own compliance layer - improper billing can trigger overpayment recovery and sanctions.

Clinical documentation. Behavioral health contracts require clinical documentation that meets DHCS (Department of Health Care Services) standards - progress notes, treatment plans, assessments, and discharge summaries in formats that satisfy both clinical best practice and billing requirements.

Data systems. DPH behavioral health contractors use the AVATAR system for clinical documentation and billing. Learning and maintaining AVATAR proficiency is a practical requirement for any nonprofit entering the DPH behavioral health contract space.

MOHCD Contracts: Housing and Prevailing Wage

MOHCD contracts with nonprofits for affordable housing development, housing counseling, community development, and neighborhood stabilization. The compliance framework adds construction-specific and housing-regulatory requirements.

Prevailing wage. MOHCD contracts involving construction, rehabilitation, or maintenance of affordable housing must comply with prevailing wage requirements. California’s Department of Industrial Relations (DIR) sets state prevailing wages; federally funded projects must also comply with Davis-Bacon Act wage rates. Contractors and subcontractors submit certified payroll records, and workers must be paid at or above the applicable wage for their trade classification. Prevailing wage violations trigger penalties and can jeopardize the contract.

Davis-Bacon. For projects using federal funds (CDBG, HOME, HOPWA), Davis-Bacon Act compliance is required. This includes posting wage determinations at the work site, submitting weekly certified payroll, and ensuring that all covered workers receive the applicable wage rate. Davis-Bacon requirements layer on top of California prevailing wage - the higher rate applies when both are in effect.

Affordability covenants. MOHCD-funded housing projects carry affordability restrictions that bind the property for 55 years or longer. Nonprofits operating affordable housing under MOHCD funding must maintain compliance with income restrictions, rent limits, and annual reporting requirements for the duration of the covenant.

Environmental review. Federally funded MOHCD projects require environmental review under NEPA (National Environmental Policy Act) before construction can begin. This review process can add months to project timelines and must be completed before costs are incurred.

SF-Specific Requirements Beyond Federal Minimums

San Francisco city contracts impose several requirements that exceed or differ from standard federal subrecipient obligations:

Equal Benefits Ordinance. Contractors must provide equal benefits to employees with domestic partners as they provide to employees with spouses.

First Source Hiring. Certain contracts require the nonprofit to participate in the First Source Hiring program, which gives economically disadvantaged San Francisco residents priority consideration for new positions.

Local Business Enterprise (LBE) participation. Some contracts include LBE participation goals for subcontracting.

Insurance requirements. City insurance minimums often exceed what small nonprofits carry, requiring policy upgrades before contract execution.

Reporting frequency. SF departments generally require more frequent reporting than federal direct grants - monthly or quarterly versus semi-annual.

Building Compliance Infrastructure

A nonprofit pursuing or holding SF city contracts needs:

Dedicated compliance staff. The reporting volume from an HSA or DPH contract requires dedicated administrative capacity. Budget for this staff time in your contract proposal - underbidding on administration guarantees compliance failures.

Data system proficiency. HMIS, AVATAR, and other city-mandated data systems require trained staff and ongoing data quality management. Factor training time into your implementation plan.

Fund-level accounting. Each city contract gets its own fund code with separate revenue and expense tracking. City fiscal reports must reconcile with your general ledger.

Document retention. City contracts typically require document retention for 5 to 7 years after contract completion. Maintain organized files (fiscal records, client records if applicable, personnel records, monitoring correspondence) that can be produced on request.

Insurance management. Monitor insurance coverage continuously to ensure it meets city minimums. A lapsed policy can halt contract payments and trigger default provisions.

The compliance burden is real, but it is also predictable. Organizations that build the infrastructure before pursuing city contracts can manage the requirements efficiently. Organizations that win contracts and then scramble to build compliance systems face a difficult first year.

DEFINITION

Business associate

Under HIPAA, an entity that performs functions or activities on behalf of a covered entity (like DPH) that involve the use or disclosure of protected health information. Nonprofit contractors providing health services under DPH contracts are typically business associates and must comply with HIPAA privacy and security requirements.

DEFINITION

Prevailing wage

The hourly wage, benefits, and overtime pay required on public works projects. California's DIR sets state prevailing wages; the federal Davis-Bacon Act sets rates for federally funded construction. MOHCD contracts involving construction typically require compliance with applicable prevailing wage laws.

DEFINITION

SF Supplier

The City and County of San Francisco's vendor registration and procurement portal. Nonprofits must register in SF Supplier to bid on city contracts and receive payments.

DEFINITION

Subrecipient monitoring

The process by which a pass-through entity (like an SF city department) reviews and evaluates a subrecipient's compliance with award terms, applicable regulations, and program requirements. Includes desk reviews, site visits, fiscal audits, and performance assessment.