Master Purchase Agreement

THIS MASTER PURCHASE AGREEMENT (THE "AGREEMENT") GOVERNS CUSTOMER’S ACCESS AND USE OF IMPRIVATA’S SERVICES, UNLESS CUSTOMER HAS FULLY EXECUTED A MASTER AGREEMENT WITH IMPRIVATA IN WHICH CASE SUCH MASTER AGREEMENT GOVERNS, OR UNLESS CUSTOMER HAS FULLY EXECUTED AN END USER LICENSE AGREEMENT (“EULA”) WITH AN AUTHORIZED IMPRIVATA RESELLER FOR THE PROVISION OF IMPRIVATA SERVICES, IN WHICH CASE THAT EULA GOVERNS AND RELATED QUESTIONS ABOUT THE TERMS OF THE SUBSCRIPTION SHOULD BE DIRECTED TO THE AUTHORIZED IMPRIVATA RESELLER. CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN. BY ACCEPTING THIS AGREEMENT, EITHER BY: (1) CLICKING A BOX INDICATING ACCEPTANCE; (2) EXECUTING A QUOTE THAT REFERENCES THIS AGREEMENT; OR (3) USING IMPRIVATA’S SERVICES, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT.

Customer and Imprivata may be referred to in this Agreement individually as a “party” or jointly as the “parties.” Imprivata may update or make changes to these terms from time to time. Imprivata encourages Customer to periodically review and check this Agreement for updates to stay informed about the terms that govern Customer’s use of the Services. Customer’s continued use of the Services after Imprivata makes any changes is deemed to be an acceptance of those changes.

The parties agree as follows:

1. DEFINITIONS

Unless otherwise defined in the Order Form, the following terms shall have the following meanings:

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"Customer" means the Customer identified on the Order Form to which this MPA is attached.

"Customer Data" means the Audit Log Data (as defined in the Order Form) and other electronic data and information submitted to the Services by Customer and Customer’s Users.

"Documentation" means Imprivata’s online user guides, documentation, Specifications (as defined in an Order Form or an attached Addendum), and help and training materials, as updated from time to time, accessible via Imprivata’s website or through the portal of the applicable Service.

"Imprivata" means Imprivata, Inc., successor in interest to, FairWarning Technologies LLC, its parent and its affiliates.

"Order Form" means a purchasing document, quote or other similar document, such as a purchase order or statement of work (“SOW”), in connection with a purchase under this Agreement. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.

"Services" means the products and services that are ordered by Customer under an Order Form and made available by Imprivata, including the SaaS Services (as defined in the Order Form), and Managed Services (as defined in the Order Form), as described in the Order Form, Documentation, and the Addenda attached hereto, if such services are ordered by Customer pursuant to an Order Form. For avoidance of doubt, the Services do not include and Imprivata does not provide professional services, onsite services or otherwise, unless expressly agreed to in a separate statement of work or Order Form executed by the parties.

"User" means an individual who is authorized by Customer or an Affiliate of Customer to use a Service, for whom Customer has ordered the Service, and to whom Customer (or Imprivata at Customer’s request) has supplied a user identification and password. Users may include, for example, Customer’s or its Affiliates’ employees, consultants, contractors and agents, and third parties with which Customer transacts business. If Customer is a healthcare facility, for the avoidance of doubt, Users includes outpatient clinics, ambulatory surgical/care centers, ancillary service providers, outreach clients, clinics, non-acute and acute care services, offices of physicians and other caregivers who have privileges at, provide services at, or are affiliated with Customer’s facility.

2. IMPRIVATA RESPONSIBILITIES

2.1. Provision of Services. Imprivata will make the Services available to Customer pursuant to this Agreement and the applicable Order Forms and use commercially reasonable efforts to make the Services that are SaaS Services available to Users 24 hours a day, 7 days a week, except for: (i) planned downtime (of which Imprivata shall give at least 8 hours electronic notice and which Imprivata shall schedule to the extent practicable during the weekend hours between 6:00 p.m. Friday and 3:00 a.m. Monday Eastern time), and (ii) any unavailability caused by circumstances beyond Imprivata’s reasonable control, including, for example, a Force Majeure Event (as prescribed in Section 12.4). Imprivata will be responsible for its personnel, including employees and contractors, that perform any Services pursuant to this Agreement.

2.2. Protection of Customer Data. Imprivata will maintain administrative, physical, and technical safeguards designed to protect the security, confidentiality and integrity of Customer Data, as described in the Documentation. Imprivata has implemented and will maintain during the term written information security policies, disaster recovery and business continuity policies required under applicable law and in accordance with industry standards. Upon request, and no more than once per year, Imprivata agrees to provide to Customer a copy of Imprivata’s SOC 2 – Type 2 audit report as available.

3. USE OF SERVICES

3.1. Licenses. Subject to the terms and conditions of this Agreement, Imprivata grants Customer, during the term, a limited, non-exclusive, non-transferable, non-sublicenseable license to: (i) access and use the Services solely for Customer’s internal business purposes; and (ii) permit Users to access and use the Services solely for the benefit of Customer and the operation of Customer’s business. Customer agrees that its license to the Services is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written comments made by Imprivata with respect to future functionality or features.

3.2. Customer Responsibilities. Customer will (a) be responsible for its Affiliates’ and their respective Users’ compliance with this Agreement and all Order Forms, (b) be responsible for the accuracy, quality and legality of Customer Data and the means by which Customer acquired Customer Data, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services, and notify Imprivata promptly of any such unauthorized access or use, (d) use Services only in accordance with the Documentation and applicable laws and government regulations, (e) be responsible for the Customer Systems (as defined in the Order Form) through which the Services are accessed; and (f) comply with terms of service of non-Imprivata applications with which Customer uses Services. The Services do not replace the need for Customer to maintain regular back-up procedures with respect to Customer Data.

3.3. Usage Restrictions. Customer will not (a) make any Service or the Documentation available to, or use any Service or the Documentation for the benefit of, anyone other than Customer or its Users (and, with respect to Users, only in conjunction with their performance of services under Customer’s control and involving the review of information pertaining to their performance of such services), (b) sell, resell, sublicense, distribute, rent or lease any Service or any portion thereof, including the Documentation or include any Service in a service bureau, time sharing or outsourcing offering; (c) use commercially reasonable measures to ensure Customer’s use of the Services does not store or transmit code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses, (d) interfere with or disrupt the integrity or performance of any Service or third-party data contained therein, (e) attempt to gain unauthorized access to any Service or its related systems or networks, (f) copy a Service or any part, feature, function or user interface thereof, (g) access any Service in order to build a competitive product or service, (h) reverse engineer any Service, in whole or in part, nor use any methods to gain access to the source code or infrastructure of the Services, in whole or in part, or (i) access or use any Service in order to benchmark the Services, or any portion thereof, or Imprivata’s performance of the Services. Customer shall not provide any competitor of Imprivata (including any employee or contractor of such competitor) with access to or use of the Services, including by read-only access, direct access through a User identification and password information, or otherwise.

3.4. Professional Services. In the instance Customer purchases professional services to be performed by Imprivata, Customer may be required to sign an SOW detailing the project specifications for such services. Services may include, but are not limited to, the request for Imprivata to implement and operate the Services on behalf of Customer (“Managed Services”), additional maintenance and support (as opposed to any standard maintenance and support already included), any installation, migration or implementation services, and any additional consultancy or professional services (collectively, the "Professional Services"). The completion time for any Professional Services to be performed under this document, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving an Order Form, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Professional Services may delay the completion of the Professional Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate. Unless otherwise agreed in writing, any unused Professional Services will expire one year from the date of the Order Form, at which point Imprivata will be under no obligation to perform any additional services under the applicable Order Form. Notwithstanding the foregoing, no credit/refund will be issued for any unused Professional Services.

3.5. Service Support.

3.5.1. In General. Services are made available with standard support for no additional charge. Customer may purchase premier level support for an additional fee as set forth in the applicable Order Form. Standard support is made available in accordance with the terms and conditions set forth in the Service Level Agreement as described in Exhibit A of this Agreement.

3.5.2. Exclusions. Notwithstanding the foregoing, Imprivata will have no obligation to support: (a) services, hardware, or software provided by anyone other than Imprivata; (b) Services issues caused by Customer’s negligence, abuse, or misapplication; or (c) Customer’s use of Services other than as specified in the Documentation.

4. FEES AND PAYMENT FOR SERVICES

4.1. Fees. Customer will pay all fees and invoices as specified in Order Forms. Except as otherwise specified herein or in an Order Form, payment obligations are non-cancelable and fees paid are non-refundable.

4.2. Suspension of Service and Acceleration. If any undisputed amount owed by Customer under this Agreement for the Services is thirty (30) or more days overdue (or ten (10) or more days overdue in the case of amounts Customer has authorized Imprivata to charge to Customer’s ACH account), Imprivata may, without limiting its other rights and remedies, (a) charge late interest at the rate of 0.5% of the outstanding balance or the maximum rate permitted by applicable law, whichever is lower; and/or (b) suspend the Services to Customer until such amounts are paid in full. If such amounts are sixty (60) or more days overdue, then Imprivata may accelerate Customer’s unpaid fee obligations under such agreements so that all such obligations become immediately due and payable. Imprivata will give Customer at least ten (10) days’ prior notice that Customer’s account is overdue, in accordance with Section 11.3 (Notices), before suspending Services to Customer.

4.3. Taxes. Imprivata’s fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, hosting, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with Customer’s purchases hereunder. If Imprivata has the legal obligation to pay or collect Taxes for which Customer is responsible under this Section 4.3, Imprivata will invoice Customer and Customer will pay that amount unless Customer provides Imprivata with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Imprivata is solely responsible for taxes assessable against Imprivata based on its income, property and employees.

5. PROPRIETARY RIGHTS AND LICENSES

5.1. Reservation of Rights. Subject to the limited rights expressly granted hereunder, Imprivata and its licensors reserve all of Imprivata’s and its licensors’ right, title and interest in and to the Services, including all of Imprivata’s and its licensors’ related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein. For avoidance of doubt, the Services are licensed not sold.

5.2. Customer Data. Imprivata shall own all rights, title, and interests in and to the de-identified and anonymized data derived from the Customer Data, and all data derived from or generated from Customer’s and its Users’ use of the Services that do not specifically identify Customer or an individual User, including all usage statistics, analytic data, benchmarking data and data that relates to the performance or functionality of the Services (“Usage Data”). Customer grants Imprivata and its Affiliates a license to use, host, copy, transmit and display Customer Data during the term of this Agreement and as necessary or useful for Imprivata to provide, update, and improve the Services. Imprivata agrees that all uses of Customer Data and Usage Data shall be in accordance with applicable law and is for Imprivata’s internal business purposes only, subject to the confidentiality obligations set forth herein. Imprivata does not sell data to any third party. Subject to the limited licenses granted herein, Imprivata acquires no right, title or interest from Customer or its licensors under this Agreement in or to Customer Data.

5.3. License by Customer to Use Feedback. Customer grants to Imprivata and its Affiliates a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by Customer or Users relating to the operation of the Services.

5.4. Federal Government End Use Provisions. Imprivata provides the Services, including related software and technology, for ultimate federal government end use solely in accordance with the following: Government technical data and software rights related to the Services include only those rights customarily provided to the public as defined in this Agreement. This customary commercial license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Software) and, for Department of Defense transactions, DFAR 252.227-7015 (Technical Data – Commercial Items) and DFAR 227.7202-3 (Rights in Commercial Computer Software or Computer Software Documentation). If a government agency has a need for rights not granted under these terms, it must negotiate with Imprivata to determine if there are acceptable terms for granting those rights, and a mutually acceptable written addendum specifically granting those rights must be included in any applicable agreement.

6. CONFIDENTIALITY

6.1. Definition of Confidential Information. “Confidential Information” means all information disclosed by a party ("Disclosing Party") to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information specifically includes, but is not limited to, the following:

  1. Customer Confidential Information includes Customer Data;
  2. Imprivata Confidential Information includes the Services and Documentation; and
  3. Confidential Information of each party includes the terms and conditions of this Agreement and all Order Forms (including pricing), as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party.

However, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party without use of or reference to Confidential Information of the Disclosing Party.

6.2. Protection of Confidential Information. The Receiving Party (i) will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care), (ii) will not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (iii) except as otherwise authorized by the Disclosing Party in writing, will limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein; provided, however, that Customer shall prevent access to Imprivata Confidential Information by any of such otherwise permitted persons who are engaged in a business or activity which involves the design, development, marketing and/or distribution of products and/or services which are or could be competitive with the Services. Customer will promptly notify Imprivata if Customer discovers that any person or entity has improperly accessed Imprivata Confidential Information. Neither party will disclose the terms of this Agreement or any Order Form to any third party other than its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes such permitted disclosure will remain responsible for the permitted third party’s compliance with this Section.

6.3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

6.4. Business Associate Agreement. To the extent applicable to the Services provided to Customer, Imprivata agrees to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (PL 104-91), the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009 (PL 111-5) and regulations enacted by the United States Department of Health and Human Services at 45 C.F.R. Parts 160 – 164 solely as it relates to the performance of Imprivata’s obligations hereunder. In that regard, Imprivata further agrees to comply with the provisions of the Business Associate Agreement executed by the parties in connection with this Agreement. In the event of conflict between the Business Associate Agreement and any provision of this Agreement, the terms of the Business Associate Agreement shall control.

7. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS

7.1. Representations. Each party represents that (i) it has validly entered into this Agreement and has the legal power to do so; and (ii) it will comply with the laws, rules and regulations applicable to its business and obligations under this Agreement.

7.2. Imprivata Warranties. Imprivata warrants that the Services will perform materially in accordance with the applicable “Specifications” as expressly set forth and identified as “Specifications” on an Order Form or in an attached Addendum. For any breach of an above warranty, Customer’s exclusive remedies are those described in Sections 10.3 (Termination) and 10.4 (Refund or Payment upon Termination). Imprivata’s warranties shall not be effective and Imprivata shall have no obligation or liability to Customer if (i) the Services are not substantially used in accordance with the Documentation; (ii) the Services have been altered, modified or revised by Customer or any other entity engaged by Customer without Imprivata’s written approval; or (iii) the Services are inoperable for any other cause within Customer’s control. Imprivata does not warrant or support third party software or services, except as expressly specified in a warranty stated in an Order Form.

7.3. Disclaimers. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. FREE TRIAL AND BETA SERVICES ARE PROVIDED “AS IS,” EXCLUSIVE OF ANY WARRANTY WHATSOEVER. EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS. IMPRIVATA DOES NOT WARRANT THAT THE SERVICES WILL BE PROVIDED UNINTERRUPTED OR ERROR-FREE. THE SERVICES ARE A MONITORING AND ADMINISTRATIVE TOOL DESIGNED TO ENABLE CUSTOMER IN THE MANAGEMENT OF CUSTOMER’S BUSINESS OPERATIONS. IMPRIVATA DOES NOT GUARANTEE THAT USE OF THE SERVICES WILL ENSURE THAT THE CUSTOMER SYSTEMS SHALL BE SECURE OR THAT ALL INTRUSIONS OR BREACHES WILL BE DETECTED. IMPRIVATA DOES NOT PROVIDE LEGAL OR SECURITY ADVICE. IMPRIVATA MAKES NO WARRANTIES REGARDING THE RESULTS OBTAINED THROUGH USE OF THE SERVICES, AND IMPRIVATA SHALL HAVE NO LIABILITY FOR ANY CLAIM ARISING FROM ANY USE OF ANY INFORMATION PROVIDED OR RESULTS.

7.4. Insurance. Throughout the term of this Agreement (and, with respect to any policies that are written on a “claims made” basis, for the first three (3) years after any termination of this Agreement), Imprivata shall obtain and thereafter maintain, at Imprivata’s sole cost and expense:

  1. a commercial general liability insurance policy in an annual coverage amount of not less than one million dollars ($1,000,000) per occurrence or claim and two million dollars ($2,000,000) in the aggregate, for claims made related to Imprivata’s performance under this Agreement and all Order Forms;
  2. umbrella liability insurance coverage with an annual limit of not less than two million dollars ($2,000,000); and
  3. workers compensation to the extent applicable to the Services in the amounts required in accordance with applicable laws.
  4. “cyber liability” insurance (including technology errors and omissions coverage and cyber liability coverage) having an annual aggregate coverage limit of not less than five million dollars ($5,000,000).

Upon Customer’s request from time to time, Imprivata will make available to Customer current certificates of insurance confirming the existence of the insurance coverage described above. All of such insurance policies are subject to such restrictions, exclusions, limitations, and conditions as may be contained therein.

8. MUTUAL INDEMNIFICATION

8.1. Indemnification by Imprivata. Imprivata will defend Customer against any claim, demand, suit or proceeding made or brought against Customer by a third party alleging: (1) that the use of a Purchased Service in accordance with this Agreement infringes or misappropriates such third party’s intellectual property rights or violates applicable law; and (2) Imprivata’s gross negligence or willful misconduct (a “Claim Against Customer”), and will indemnify Customer from any damages, attorney fees and costs finally awarded against Customer as a result of, or for amounts paid by Customer under a court-approved settlement of, a Claim Against Customer, provided Customer (a) promptly gives Imprivata written notice of the Claim Against Customer, (b) gives Imprivata sole control of the defense and settlement of the Claim Against Customer (except that Imprivata may not settle any Claim Against Customer unless it unconditionally releases Customer of all liability), (c) gives Imprivata all reasonable assistance, at Imprivata’s expense; and (d) the Claim Against Customer does not arise in connection with the combination, operation, or use of the Services with third party software services or other products or materials not furnished or authorized by Imprivata, failure by Customer to timely implement any updates made available to Customer by or on behalf of Imprivata, or Customer or Customer’s Users’ violation of this Agreement.

If Imprivata receives information about an infringement or misappropriation claim related to a Service, Imprivata may in its discretion and at no cost to Customer (i) modify the Service so that it no longer infringes or misappropriates, without breaching Imprivata’s warranties under Section 7.2 (Imprivata Warranties), (ii) obtain a license for Customer’s continued use of that Service in accordance with this Agreement, or (iii) terminate Customer’s subscriptions for that Service upon thirty (30) days’ written notice and refund Customer any prepaid fees covering the remainder of the term of the terminated subscriptions. The above defense and indemnification obligations do not apply to the extent a Claim Against Customer arises from third party software (including on a contributory basis) or Customer’s breach of this Agreement. This Section 8.1 states Imprivata’s sole liability to Customer and Customer’s exclusive remedy against Imprivata with respect to intellectual property claims.

8.2. Indemnification by Customer. Customer will defend Imprivata against any claim, demand, suit or proceeding made or brought against Imprivata by a third party in connection with the results of Customer’s use of the Services, Customer Data, or alleging that Customer Data or Customer’s use of any Service in breach of this Agreement or any Order Form, infringes or misappropriates such third party’s intellectual property rights or violates applicable law (a “Claim Against Imprivata”), and will indemnify Imprivata from any damages, attorney fees and costs finally awarded against Imprivata as a result of, or for any amounts paid by Imprivata under a court-approved settlement of, a Claim Against Imprivata, provided Imprivata (a) promptly gives Customer written notice of the Claim Against Imprivata, (b) gives Customer sole control of the defense and settlement of the Claim Against Imprivata (except that Customer may not settle any Claim Against Imprivata unless it unconditionally releases Imprivata of all liability), and (c) gives Customer all reasonable assistance, at Customer’s expense. The above defense and indemnification obligations do not apply to the extent a Claim Against Imprivata arises from Imprivata’s material breach of this Agreement.

8.3. Exclusive Remedy. This Section 8 states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section 8.

9. LIMITATION OF LIABILITY

9.1. Limitation of Liability. NEITHER PARTY'S LIABILITY RELATED TO THIS AGREEMENT, INCLUDING ANY DOCUMENTS AND ORDER FORMS EXECUTED IN CONNECTION HEREWITH WILL EXCEED THE AMOUNT PAID BY CUSTOMER HEREUNDER IN THE 12 MONTHS PRECEDING THE FIRST EVENT GIVING RISE TO THE LIABILITY. THE ABOVE LIMITATIONS WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY.

9.2. Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY BUSINESS INTERRUPTION, LOSS OF DATA, LOST PROFITS, LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9.3. Exclusions. Notwithstanding the foregoing, the above limitations will not apply to claims arising from breaches of a party’s confidentiality obligations (except with respect to Customer Data which is subject to Section 9.4), a party’s fraud or willful misconduct, or breaches of Sections 3.2 (Customer Responsibilities), 3.3 (Usage Restrictions), 5 (Proprietary Rights and Licenses), or 8 (Mutual Indemnification).

9.4. Data Breach Limitation. Notwithstanding the limitations set forth in Section 9.1 (Limitation of Liability), the disclaimers in Section 9.2 (Exclusion of Consequential and Related Damages), and Section 9.3 (Exclusions), Imprivata will be liable to Customer for Customer’s documented, reasonable, out of pocket direct costs and expenses incurred by Customer as a result of an unauthorized use or disclosure of Customer Data (solely with respect to Customer Data that is personal data or protected health information, each as defined under applicable laws), including government fines and penalties assessed against Customer as a result of Imprivata’s breach of its obligations hereunder, costs or notifications, and one-year of credit monitoring, up to an aggregate amount not to exceed $3,000,000.00. NOTWITHSTANDING ANYTHING IN THE AGREEMENT TO THE CONTRARY, THIS SECTION 9.4 SETS FORTH CUSTOMER’S EXCLUSIVE REMEDY AND THE SOLE AND COMPLETE LIABILITY OF IMPRIVATA WITH RESPECT TO DAMAGES, PENALTIES, COSTS, EXPENSES, OR LOSSES ARISING FROM THE UNAUTHORIZED USE OR DISCLOSURE OF CUSTOMER DATA.

10. TERM AND TERMINATION

10.1. Term of Agreement. This Agreement commences on the Order Form Effective Date of the first Order Form entered into by Customer and Imprivata. It may be terminated by either party for cause as prescribed in Section 10.3 below or, if the terms of all subscriptions under Order Forms issued hereunder have expired or have been terminated, upon 30 days’ prior written notice.

10.2. Term of Services. The term of each subscription for the Services shall be as specified in the applicable Order Form.

10.3. Termination for Cause. A party may terminate this Agreement and all Order Forms issued hereunder for material breach of the terms of this Agreement or such Order Forms either (i) upon thirty (30) days’ written notice to the other party of (including the specifics of the other party’s material breach) if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors, and if involuntarily filed against such party such petition or other proceeding is not withdrawn or discharged within sixty (60) days after notice thereof from the other party.

10.4. Refund or Payment upon Termination. If this Agreement is terminated by Customer in accordance with Section 10.3 (Termination), Imprivata will refund Customer any prepaid fees covering the remainder of the term of all Order Forms after the effective date of termination. If this Agreement is terminated: (i) by Imprivata in accordance with Section 10.3, (ii) by Imprivata because undisputed fees owed by Customer are thirty (30) or more days overdue, or (iii) any termination by Customer other than pursuant to Section 10.3, Customer will pay to Imprivata any unpaid fees covering the remainder of the term of all Order Forms. In no event will termination relieve Customer of Customer’s obligation to pay any fees payable to Imprivata for the period prior to the effective date of termination.

10.5. Customer Data Portability and Deletion. Upon request by Customer made within thirty (30) days after the effective date of termination or expiration of this Agreement, Imprivata will make Customer Data available to Customer for export or download as provided in the Documentation. After that thirty (30)-day period, Imprivata will have no obligation to maintain or provide Customer Data, and will thereafter delete or destroy all copies of Customer Data in Imprivata’s systems or otherwise in Imprivata’s possession or control as provided in the Documentation, unless legally prohibited.

10.6. Surviving Provisions. The following Sections will survive any termination or expiration of this Agreement:

3.2 Customer Responsibilities     9.1 Limitation of Liability
3.3 Usage Restrictions     9.2 Exclusion of Consequential and Related Damages
4 Fees and Payment for Service     10.4 Refund or Payment upon Termination
5 Proprietary Rights and Licenses     10.5 Customer Data Portability and Deletion
6 Confidentiality     11 Governing Law, Notices and Jurisdiction
7.3 Disclaimers     12 General Provisions
8 Mutual Indemnification      

 

11. GOVERNING LAW; NOTICES AND JURISDICTION

11.1. Governing Law. This Agreement shall be governed exclusively by the internal laws of the State of Delaware without regard to its conflicts of laws rules.

11.2. Notices. Except as otherwise specified in this Agreement, all notices, permissions and approvals hereunder shall be (a) in writing, (b) given via: (i) personal delivery, (ii) certified mail, return receipt requested, (iii) Federal Express, DHL or other reputable expedited courier service, or (iv) email (provided email shall not be sufficient for notices of termination or an indemnifiable claim), and (c) deemed given only upon actual receipt or rejection of delivery (provided, however, that notices, permissions and approvals given via email outside of the normal business hours of the addressee shall not be deemed given until the commencement of the addressee’s next business day). Billing-related notices to Customer shall be addressed to the relevant billing contact designated by Customer. All other notices to Customer shall be addressed to the relevant Services system administrator designated by Customer. Notices shall be delivered to the addresses set forth in the Order Form.

11.3. Waiver of Jury Trial. FOR ALL EQUITABLE PROCEEDINGS, THE PARTIES HEREBY EXPRESSLY WAIVE ANY AND ALL RIGHT TO A TRIAL BY JURY WITH RESPECT TO ANY EQUITABLE RELIEF BEING SOUGHT. THE PRECEDING SENTENCE SHALL NOT LIMIT THE PARTIES' RIGHTS TO SUBSEQUENTLY BRING SEPARATE ACTIONS OR PROCEEDINGS SEEKING DAMAGES OR OTHER NON-EQUITABLE RELIEF.

12. GENERAL PROVISIONS

12.1. Entire Agreement and Order of Precedence. This Agreement is the entire agreement between Customer and Imprivata regarding Customer’s use of Services and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter; provided, however, that this Agreement does not supersede any Business Associate Agreement signed by and between the parties relating to the parties’ obligations under HIPAA. No modification, amendment, or waiver of any provision of this Agreement will be effective unless in writing and signed by both parties. The parties agree that any term or condition stated in Customer’s purchase order or in any other of Customer’s order documentation (excluding Order Forms) is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) any Business Associate Agreement signed by and between the parties relating to the parties’ obligations under HIPAA, (2) the applicable Order Form, (3) this Agreement (including all attached Addendums), and (4) the Documentation.

12.2. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety (including all Order Forms), without the other party’s consent to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Notwithstanding the foregoing, if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favor of, a direct competitor of the other party, then such other party may terminate this Agreement (including all Order Forms) upon written notice. In the event of such a termination, Imprivata will refund to Customer any prepaid maintenance and support fees covering the remainder of the term of all subscriptions. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.

12.3. Miscellaneous. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. There are no third-party beneficiaries under this Agreement. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect. Under no circumstances will Imprivata issue any press releases, case studies, or similar materials without Customer’s prior written approval; provided, that Imprivata shall be permitted to verbally identify Customer as a purchaser of the Services as long as no Confidential Information is disclosed and such identification will not represent an endorsement of Imprivata or the Services.

12.4. Force Majeure. Neither party shall be responsible for failures of its obligations under this Agreement or any Order Forms to the extent that such failure is due to causes beyond such party’s control, including, but not limited to, acts of God, war, terrorism or threat thereof, acts of any government or agency thereof, fire, flood, earthquake, explosions, epidemics, quarantine restrictions, strikes or other labor problem (other than one involving such party’s employees), lockouts, embargoes, civil unrest, severe weather conditions, delay in transportation, computer, telecommunications, Internet service provider or hosting facility failures or delays involving hardware, software or power systems not within Imprivata’s possession or reasonable control, denial of service attacks, incompatibility of Customer’s equipment or software with the Services, acts or omissions of vendors or suppliers, transportation and telecommunications difficulties (each, a “Force Majeure Event”); provided, however, that Customer’s obligation to timely make payment of all fees for Services may be temporarily delayed during the event, but shall not be excused or further delayed by this clause.

 

 

Exhibit A — Service Level Agreement

Support is available via phone, email, or chat within the application. Our coverage hours are 7:00 AM to 6:00 PM EST. For Level 1 Priority issues only, please refer to the table below for coverage hours.

Coverage Hours     Support Initial Response Time for Level 1 Priority Issues
Monday through Friday 7 AM to 6 PM EST     Response within two (2) hours by a qualified support technician
Saturday and Sunday 8 AM to 4 PM EST     Response within eight (8) hours by a qualified support technician
Major US Holidays     Response within sixteen (16) hours by a qualified support technician

 

Support Team Target Response Times Related to Software Problems

Imprivata will use commercially reasonable efforts to respond to each case within the target times described in the table below, depending on the severity level set on the case.

Severity and Problem Type     Priority     Response Time     Work Around
Critical — Critical production issues affecting all users, complete application failure preventing its use, Cerner connectivity.     Level 1     See above table     2 Days
Major — Persistent issue affecting many users, major functionality loss which produces inaccurate information.     Level 2     3 Days     5 Days
Minor — Solution performance issues, but does not prevent the use of the system or software.     Level 3     5 Days     10 Days
Low — Inquiries about technical issues, information requests on application, configuration, or installations.     Level 4     As appropriate     As appropriate

 

* Please note that time commitments do not apply if the problem is caused by the customer or another software application (e.g., incorrect permission sets, denials of platform API access, etc.).

Managed Privacy Services – Service Level Agreement (SLAs)

  1. Enforced Policies triggered between 9 am Mon and 12 pm Fri, Eastern Time, will be reviewed within 24 hours.
  2. Enforced Policies triggered between 12 pm Fri and 9 am Mon, Eastern Time, will be reviewed by 5 pm Tuesday.
  3. Customer may request the FairWarning® Managed Services Staff run custom reports, such as patient complaints or suspicious users (“Ad Hoc Reports”), no more than 6 Ad Hoc reports per month. Any additional Ad Hoc Reports requested by the Customer will be subject to additional fees.
  4. Any Investigations into potential inappropriate Access will be completed and documented by the FairWarning® Managed Services Staff within 3-5 business days, contingent upon Customer’s management response to Validation Request within 2 days.
  5. Notification of Customer representative by FairWarning® Managed Services Staff upon completion of any Investigations into inappropriate Access.
  6. Completion of Access Reviews within 7 business days.
  7. Implementation of the number of Enforced Policies that were purchased in your initial order form (“EP Limit”).
  8. In the event of a widespread natural disaster or similar emergency affecting FairWarning® or the Customer, SLAs may be negatively impacted.

Holiday Hours: Each year, the below holidays will be exempt (i.e., not included in the calculations) for the response times listed above. The FairWarning MPS team will perform their scheduled review of the alerts the next business day after the holiday. If a holiday falls on a weekend, FairWarning MPS personnel will have either the Friday before or the following Monday off instead. FairWarning will notify Customers in advance each calendar year regarding the exact timing of the holidays being observed.

  • New Year’s Day
  • Memorial Day
  • Independence Day
  • Labor Day
  • Thanksgiving
  • Day After Thanksgiving
  • Christmas Eve
  • Christmas
  • New Year’s Eve

Drug Diversion Services - Service Level Agreements (SLAs)

  1. Behavioral Analytics triggered between 9 am Mon and 12 pm Fri, Eastern Time, will be reviewed within 24 hours.
  2. Behavioral Analytics triggered between 12 pm Fri and 9 am Mon, Eastern Time, will be reviewed by 5 pm Tuesday.
  3. Customer may request the FairWarning® Managed Services Staff run custom reports, such as patient complaints or suspicious users (“Ad Hoc Reports”), no more than 6 Ad Hoc reports per month. Any additional Ad Hoc Reports requested by the Customer will be subject to additional fees.
  4. Any Investigations into potential inappropriate Access will be completed and documented by the FairWarning® Managed Services Staff within 5-8 business days, contingent upon Customer’s management response to Validation Request within 2 days.
  5. Notification of Customer representative by FairWarning® Managed Services Staff upon completion of any Investigations into inappropriate Access.
  6. Completion of Access Reviews within 7 business days.
  7. Implementation of up to the number of behavioral analytics purchased in the Order Form (“EP Limit”).
  8. In the event of a widespread natural disaster or similar emergency affecting FairWarning® or the Customer, SLAs may be negatively impacted.

Holiday Hours: Each year, the below holidays will be exempt (i.e., not included in the calculations) for the response times listed above. The FairWarning Managed Services team will perform their scheduled review of the alerts the next business day after the holiday. If a holiday falls on a weekend, FairWarning Managed Services personnel will have either the Friday before or the following Monday off instead. FairWarning will notify Customers in advance each calendar year regarding the exact timing of the holidays being observed.

  • New Year’s Day
  • Memorial Day
  • Independence Day
  • Labor Day
  • Thanksgiving
  • Day After Thanksgiving
  • Christmas Eve
  • Christmas
  • New Year’s Eve

 

Addendum A – PPI LICENSED PLATFORM

I. SaaS Services Detail. SaaS Services include a “Base License” and a “Data Source License” as follows:

A. Base License: The Base License includes access to the SaaS Services for analytics, custom user and patient access reporting, automated alerts, centralized investigation documentation repository, and graphical governance dashboard reporting for alerts and investigations.

  1. Includes User and Patient Identity Data Sources (up to three total, if available):
    • Active Directory
    • Advanced Patient Identity Data
    • Authoritative User Identity Data
  2. Unless otherwise provided in the applicable Order Form, the Base License includes up to 4.0 TB of storage for Customer’s retained active and archived data, supporting the Data Sources purchased.

B. Data Source License(s): Data Source Licenses are purchased on a per-source basis for each third-party data source that Customer wants to monitor (e.g., third party EMR providers) using the Imprivata PPI Platform and using Imprivata’s scripts specific (when available) to the particular third-party data source.

C. Support & Maintenance: Imprivata will provide the SaaS Services in the manner described in the applicable Service Level Agreement, and as may be attached to a specific Order Form.

D. Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.

II. Licensed Platform Specifications.

A. Core Functionality: The Licensed Platform provides Customers with the ability to monitor and report on computerized access to the Customer’s applications and systems (“Customer Systems”) based on the audit log data and other data source files (as further described herein) provided by Customer to Imprivata in connection with the applicable Order Form (“Audit Log Data”). The Licensed Platform also provides the ability to perform specialized queries and research incidents related to the Customer Systems. The Licensed Platform works in conjunction with the Audit Log Data generated in the Customer’s Systems. For avoidance of doubt, the Services are based on Audit Log Data that Customer provides to Imprivata and Imprivata does not directly access Customer Systems to provide the Services. The Licensed Platform is commonly used by healthcare providers to demonstrate best industry practices relating to HIPAA sections 164.306, 164.308, and 164.312 related to the auditing of systems that access protected health information, streamlining incident investigations, and detecting reasonably anticipated incidents. Specific features include:

  1. Streamlined HIPAA patient investigation across all applications in Customer environment;
  2. Streamlined user investigation across all such applications;
  3. Ad hoc incident investigation for use by Customer’s Chief Privacy Officer, auditors, and systems analysts;
  4. Category searches by patient name, medical record number, patient id, user name, TCP/IP addresses, and other security-related information;
  5. Ad hoc incident investigation for use by Customer’s information security personnel; and
  6. Support for any applications and systems (or data sources) that generate audit information in a text format that can be read using the data source file standards described below; and Support for authoritative identity information on users and patients from applications and sources that generate such data in a text format that can be read using the data source file standards described below.

B. Dependency: The analytics and reports available are dependent upon the Audit Log Data delivered from the Customer’s third-party software applications to the Licensed Platform.

C. Data Source File Standards: The Audit Log Data for use with the Imprivata software will be created by Customer or the Customer Systems as text files with one event per record (i.e., per line in the file) according to the following standards:

  1. Pipe delimited fields (with “|” constituting a “pipe”): Either caret (“^”) or comma (“,”) delimited, but comma delimited files must be enclosed by quotes;
  2. Fixed width fields – null fields must be filled with spaces;
  3. For sources that output XML, like McKesson STAR, the XML output does not need to be changed (i.e., the Licensed Platform shall work with XML files for which the associated definition file is provided);
  4. Single header record, in the same format as the data, at the beginning of the file, with the header record containing the field names;
  5. File definition table required;
  6. File unique naming convention is required; and
  7. Date fields must follow a four (4) digit year format.

D. Binary Formats (not included): Highly specialized application data sources in binary formats are not included under the standard Order Form (unless otherwise set forth therein), will be priced separately upon Customer request, and may require professional services (and be subject to the associated incremental fees) for implementation.

E. Firewall, Router, and Windows Server Data: Can be supported by the Licensed Platform but will be considered and priced separately upon Customer’s request and may require additional services.

III. Customer Responsibilities for Licensed Platform.

A. Customer shall provide a secured virtual private network (“VPN”) connection over the Internet and through a network connection which can send the Audit Log Data via secure transfer methods (SFTP or SCP) for the data transfer and end user access to the Imprivata data center.

B. Customer is responsible for supplying the Audit Log Data for the applications to be monitored, as further described in the Licensed Platform Specifications above. Customer is responsible for the quality and integrity of the Audit Log Data and other data or information delivered to Imprivata.

C. Customer shall have established Transport Layer Security (“TLS”) for all of the Customer domains with the domains of Imprivata within fifteen (15) days of Contract Effective Date.

D. Customer shall provide information and assistance in the form and format required in the Licensed Platform Specifications above. Specifically, Customer shall provide IT resources in a timely manner, as reasonably requested by Imprivata, in order to assist Imprivata with the installation and configuration of the Licensed Platform.

IV. Recommended Storage Capacity for the Licensed Platform.

A. Imprivata recommends as a best practice to retain the most recent twelve (12) months of live audit data in the Licensed Platform database, with the next twenty-four (24) rolling months of data to be archived as non-live data that can be restored as needed. Under this 12/24 guideline, audit data older than thirty-six (36) months will be automatically and permanently deleted from the database, consistent with the NIST SP 800-88 Rev. 1 standard.

B. The storage capacity included in Customer’s initial purchase of the Imprivata Patient Privacy Intelligence solution (“Initial Deployment Scope”) is based upon pre-engagement data usage factors that Customer has provided for its unique EHR/IT environment and policy requirements. These include, for example, the number of monitored users, the expected volume of data to be delivered, and whether Customer desires a data retention capacity exceeding or less than the 12/24 data retention guideline (collectively, “Baseline Usage Factors”).

C. Customer’s actual consumption of storage space may vary during the first year of deployment, and Customer will need to plan for additional storage as needed. Imprivata provides monthly trending reports that will assist in this planning.

D. Material Change Conditions: The recommended storage configuration may not be adequate to support the standard 12/24 data retention guideline (or a customized data retention requirement specified in an initial Order Form) if Customer experiences a material change to the Baseline Usage Factors. These material changes (to be measured by comparing actual production data against the Baseline Usage Factors initially provided to Imprivata) may include:

  1. Material Change to Monitored User Base - a greater than 10% increase in the number of employees or other monitored users due to expansion, acquisition, or merger;
  2. Material Changes to Data Source Volumes - Examples include:
    1. For high-volume data sources (e.g., Epic, Cerner, and McKesson Paragon), the addition of such data source, the replacement of a non-high volume data source with a high-volume data source, the use of a data-extraction script that is not Imprivata Ready certified, the addition of “modules” or “data triggers,” or the addition of monitored facility(ies), monitored users, or monitored user location(s).
    2. The addition of firewall, router, or Windows server data.

E. Customer Options: As Customer’s storage retention needs evolve, or if they exceed the Initial Deployment Scope, Customer may purchase additional storage services from Imprivata under additional Order Form(s).

V. Change-of-Scope Fee Adjustments.

A. General: Imprivata does not set pricing based on traditional “seat licenses,” and the fees prescribed in an Order Form are quoted and agreed to based, at least in part, upon certain assumptions and statistics provided by Customer to Imprivata. As is documented in each Order Form and Renewal Order Form, Customer shall represent and warrant to the accuracy of Customer’s number of employees and number of licensed beds (as applicable) at the time such Order Form is executed (“Initial Base Statistics”). Customer understands and acknowledges that material increases in any of the Initial Base Statistics will materially change the scope of engagement and service cost to Imprivata. Customer thus expressly agrees that in the event that one or more of the Initial Base Statistics increases by more than ten percent (10%) during the term of that Order Form (including any Renewal Terms) Imprivata shall have the right to increase or decrease the recurring subscription service fees identified in that Order Form (“Subject Annual Fees”) by a corresponding percentage in accordance with the methodology described below. Customer shall promptly remit payment for such adjusted Subject Annual Fees; provided that (i) Customer shall receive at least three months’ advance notice before any such fee adjustments take effect, and (ii) such adjustments shall be applied prospectively and not retroactively.

B. Methodology:

  1. Measurement Dates & Periods: Beginning with the initial term of an Order Form and during any subsequent renewal terms, upon each half-year anniversary of the initial Contract Effective Date (each such half-year anniversary being a “Measurement Date”), Imprivata will review the then-current value of the applicable Base Statistics through any information provided to Imprivata (which Customer agrees to provide upon request) and also through any publicly-available information sources. If any then-current value of a Base Statistic on a Measurement Date has increased by ten percent (10%) or more over the corresponding Initial Base Statistic, then Imprivata shall provide Customer with written notice that all Subject Annual Fees to be paid by Customer for the next annual subscription period shall be increased by the greatest percentage increase in a then-current Base Statistic as compared to the applicable Initial Base Statistic. The equivalent increased Subject Annual Fees shall be due for each subsequent year of the Order Form (including any renewals thereof) unless and until either subsequently adjusted under this provision or the parties agree in writing to reset the Initial Base Statistic values.
  2. Validation Period: After receiving written notice of any such increase in Subject Annual Fees, Customer shall have 30 days to review Imprivata’s findings of the then-current values for the Base Statistics. The parties shall work in good faith to validate those values and eliminate any misleading increases, decreases, or omissions that do not fairly and reasonably represent a change in the scope of the engagement. For any validated changes in Base Statistics that are not reasonably in dispute, Imprivata shall promptly notify Customer of the corresponding changes to the Subject Annual Fees, which shall be due and payable on the next anniversary of the Contract Effective Date.
  3. Subsequent Increases and Decreases in Base Statistics: If the Subject Annual Fees have been increased under the above process, then all Subject Annual Fees to be paid by Customer for the next annual subscription period commencing after each Measurement Date shall be equal to one plus the greatest net percentage increase in the then-current Base Statistics as compared to the applicable value for the Initial Base Statistics; provided, however, that in no event may the Subject Annual Fees be reduced to an amount less than the corresponding initial Subject Annual Fees set forth in the Initial Order Form or a Renewal Order Form. For clarity, once the initial 10% increase threshold has been exceeded, applying the net percentage increase will allow for subsequent decreases in the Base Statistics to reduce the upcoming Subject Annual Fees, but never below the floor of the initial Subject Annual Fees.

VI. Usage Limits; Right to Verify Use

Services are subject to usage limits as specified in the MPA and the applicable Order Form(s). Upon Imprivata’s request and within thirty (30) days of such request, an officer of Customer shall submit written verification of its compliance with any usage and scope limits of the Services. At any time during the term of the MPA, but no more than once per year, Imprivata may conduct a review of Customer’s records and systems data and/or request information and documentation necessary to verify Customer’s compliance with the usage and scope limits of the Services and with the terms of the MPA. If Customer has exceeded the applicable usage limits of the Services, Customer will be invoiced for the difference, along with interest at the rate of 0.75% per month, which shall be payable within thirty (30) days of such invoice. If the deficiency is greater than five percent (5.0%) of the amount paid during the period under review, Customer shall pay the reasonable expenses associated with such review, in addition to the actual deficiency plus interest at the rate of 0.75% per month. If the review instead reveals that Customer has overpaid for Services through no fault of Customer, then Imprivata shall promptly issue a credit to Customer equal to the corresponding overpayment during the review period, and such credit shall be applied to Customer’s next invoice due.

 

Addendum B – MANAGED PRIVACY SERVICES (MPS)

I. Common Terms used in MPS Engagements.

A. “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.

B. “Access Review” refers to the review of Customer’s computer system user(s) who have accessed a patient’s EHR and/or other clinical applications. This may involve identifying all users who accessed the record at issue or identifying whether a specific user accessed the record.

C. “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.

D. “Enforced Policies” (also known as “Behavioral Analytics”) are reports (1) with specific criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “trigger” when that specific criteria is met.

E. “Investigation” means examination of the Access by a computer user of Customer (e.g., an employee or contractor) that was identified as potentially not business related during the review of a triggered Enforced Policy, including documenting the examination in the Investigation section of the Imprivata Patient Privacy Intelligence Platform.

F. “Special Alert” means an Enforced Policy created for a specific situation or event (e.g., for a high-profile patient that is in the hospital).

G. “Validation Request” means the written request that Imprivata sends to Customer’s management personnel after review of a triggered Enforced Policy, when the preliminary review by Imprivata failed to identify a likely business reason for the Access.

II. MPS Specifications.

A. Implementation Services:

  1. Review of Customer’s existing policies covering select subject areas deemed essential to the success of the Imprivata Patient Privacy Intelligence Program with suggestions for improvement/updates;
  2. Establish the following (where applicable):
    1. Standardized workflows
    2. Proven validation process
    3. Communication and education plan
    4. Customized communication and education materials
    5. Guidance on documentation of decisions around the deployment of Imprivata Patient Privacy Intelligence
  3. Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.

B. Alert Monitoring Services:

  1. Depending on the service level/SKU selected, Imprivata MPS staff will configure up to a specified number of Enforced Policies (automated alerts), i.e., the “Enforced Policy Limit,” at the suggested rate of one Enforced Policy every 10 - 13 weeks or another schedule mutually agreed upon. After the initial four (4) Enforced Policies have been configured, additional Enforced Policies may be purchased from a menu of available Enforced Policies. Any additional Enforced Policies configured must be agreed upon in advance and in writing.
  2. Apply specific filters to the Enforced Policies where applicable and available to reduce the number of false-positive alerts.
  3. Provide recommendations to the Customer on staff education and awareness initiatives.
  4. Provide trending results of positive findings (i.e., confirmed inappropriate Access) from triggered Enforced Policies.
  5. Provide or assist Customer with governance and compliance effectiveness reporting.
  6. Upon written request by Customer, provide assistance with Access Reviews based on specific inquiries or complaints.
  7. In accordance with the Service Level Agreements (SLAs), promptly notify Customer’s designated contact personnel upon discovery of suspected inappropriate Access by a computer user of Customer.
  8. Document reviews and investigations of triggered Enforced Policies in the Imprivata PPI platform.
  9. Validate a Customer computer user’s Access if a business reason cannot be determined.
  10. Provide continuous PPI monitoring of the Customer’s software applications delivering data to Imprivata PPI platform technology through the use of Enforced Policies configured by the Imprivata MPS staff.

III. Customer Responsibilities.

A. Provide the Imprivata MPS staff with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.

B. Work with the Imprivata MPS staff to identify the appropriate Customer management personnel for incorporation into the MPS standardized workflows and validation processes.

C. Work with the Imprivata MPS staff to finalize the communications plan for Customer’s organization.

D. Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.

E. Ensure timely management response in validating suspicious or inappropriate access (within two business days).

F. When notified by the Imprivata MPS staff, review and close all documented reviews and investigations of triggered Enforced Policies. This includes responsibility for determining if the investigation is a confirmed incident and if it is a reportable “Breach” as defined under state or federal law.

G. Carry out any required patient and/or government notifications.

H. Carry out appropriate sanctions as indicated by investigations of triggered Enforced Policies investigated by the Imprivata MPS staff.

I. Follow recommended education and awareness initiatives either (i) as recommended by the Imprivata MPS staff based on trending of positive findings from review of triggered Enforced Policies or (ii) in equivalent measures mutually agreed upon in writing.

J. Provide IT support as required (e.g., data feeds, adding additional data fields to extracts, etc.).

K. Other actions reasonably suggested by the Imprivata MPS staff and mutually agreed upon in writing.

IV. Change-of-Scope Fee Adjustments.

A. General: Imprivata does not set pricing based on traditional “seat licenses,” and the fees prescribed in an Order Form are quoted and agreed to based, at least in part, upon certain assumptions and statistics provided by Customer to Imprivata. As is documented in each Order Form and Renewal Order Form, Customer shall represent and warrant to the accuracy of Customer’s number of employees and number of licensed beds (as applicable) at the time such Order Form is executed (“Initial Base Statistics”). Customer understands and acknowledges that material increases in any of the Initial Base Statistics will materially change the scope of engagement and service cost to Imprivata. Customer thus expressly agrees that in the event that one or more of the Initial Base Statistics increases by more than ten percent (10%) during the term of that Order Form (including any Renewal Terms) Imprivata shall have the right to increase or decrease the recurring subscription service fees identified in that Order Form (“Subject Annual Fees”) by a corresponding percentage in accordance with the methodology described below. Customer shall promptly remit payment for such adjusted Subject Annual Fees; provided that (i) Customer shall receive at least three months’ advance notice before any such fee adjustments take effect, and (ii) such adjustments shall be applied prospectively and not retroactively.

B. Methodology:

  1. Measurement Dates & Periods: Beginning with the initial term of an Order Form and during any subsequent renewal terms, upon each half-year anniversary of the initial Contract Effective Date (each such half-year anniversary being a “Measurement Date”), Imprivata will review the then-current value of the applicable Base Statistics through any information provided to Imprivata (which Customer agrees to provide upon request) and also through any publicly-available information sources. If any then-current value of a Base Statistic on a Measurement Date has increased by ten percent (10%) or more over the corresponding Initial Base Statistic, then Imprivata shall provide Customer with written notice that all Subject Annual Fees to be paid by Customer for the next annual subscription period shall be increased by the greatest percentage increase in a then-current Base Statistic as compared to the applicable Initial Base Statistic. The equivalent increased Subject Annual Fees shall be due for each subsequent year of the Order Form (including any renewals thereof) unless and until either subsequently adjusted under this provision or the parties agree in writing to reset the Initial Base Statistic values.
  2. Validation Period: After receiving written notice of any such increase in Subject Annual Fees, Customer shall have 30 days to review Imprivata’s findings of the then-current values for the Base Statistics. The parties shall work in good faith to validate those values and eliminate any misleading increases, decreases, or omissions that do not fairly and reasonably represent a change in the scope of the engagement. For any validated changes in Base Statistics that are not reasonably in dispute, Imprivata shall promptly notify Customer of the corresponding changes to the Subject Annual Fees, which shall be due and payable on the next anniversary of the Contract Effective Date.
  3. Subsequent Increases and Decreases in Base Statistics: If the Subject Annual Fees have been increased under the above process, then all Subject Annual Fees to be paid by Customer for the next annual subscription period commencing after each Measurement Date shall be equal to one plus the greatest net percentage increase in the then-current Base Statistics as compared to the applicable value for the Initial Base Statistics; provided, however, that in no event may the Subject Annual Fees be reduced to an amount less than the corresponding initial Subject Annual Fees set forth in the Initial Order Form or a Renewal Order Form. For clarity, once the initial 10% increase threshold has been exceeded, applying the net percentage increase will allow for subsequent decreases in the Base Statistics to reduce the upcoming Subject Annual Fees, but never below the floor of the initial Subject Annual Fees.

V. Usage Limits; Right to Verify Use

Services are subject to usage limits as specified in the MPA and the applicable Order Form(s). Upon Imprivata’s request and within thirty (30) days of such request, an officer of Customer shall submit written verification of its compliance with any usage and scope limits of the Services. At any time during the term of the MPA, but no more than once per year, Imprivata may conduct a review of Customer’s records and systems data and/or request information and documentation necessary to verify Customer’s compliance with the usage and scope limits of the Services and with the terms of the MPA. If Customer has exceeded the applicable usage limits of the Services, Customer will be invoiced for the difference, along with interest at the rate of 0.75% per month, which shall be payable within thirty (30) days of such invoice. If the deficiency is greater than five percent (5.0%) of the amount paid during the period under review, Customer shall pay the reasonable expenses associated with such review, in addition to the actual deficiency plus interest at the rate of 0.75% per month. If the review instead reveals that Customer has overpaid for Services through no fault of Customer, then Imprivata shall promptly issue a credit to Customer equal to the corresponding overpayment during the review period, and such credit shall be applied to Customer’s next invoice due.

 

Addendum C – CLOUD SECURITY PLATFORM

I. Platform Specifications.

Imprivata for Salesforce:

  • allows for the archiving of Event Monitoring files produced by Salesforce,
  • supports forensic investigations of Salesforce access activity,
  • provides for continuous monitoring with alerts and filtering,
  • produces flexible, multi-criteria reporting with filtering, and
  • is a platform for investigations, legal documentation and governance reporting.

II. Installation & Configuration; Provision of Services & Support & Maintenance.

A. Installation & Configuration. Imprivata will install and configure the Cloud Security Platform (“Licensed Platform”) for Customer’s use. No Customer-specific customizations are required.

B. Data Source License(s): Services are purchased on a per-data source basis for each third-party data source that Customer wants to monitor (e.g., Salesforce, O365, etc.).

C. Storage. Unless otherwise provided in the applicable Order Form, the Cloud Security Platform license includes up to 1.0 TB of storage for Customer’s retained active and archived data, supporting the Data Sources purchased.

D. Support & Maintenance: Imprivata will provide the SaaS Services in the manner as described in the applicable Service Level Agreement, and as may be attached to a specific Order Form.

III. Customer Responsibilities.

A. Customer is responsible for providing complete and accurate billing and contact information to Imprivata and for notifying Imprivata of any changes to such information by both telephone and in writing.

B. Customer shall establish Transport Layer Security (“TLS”) for all of the Customer domains with the domains of Imprivata within fifteen (15) days of contract effective date of the applicable Order Form.

IV. Data Retention; Recommended Storage Capacity for the Cloud Security Platform.

A. Data Retention. Unless specified otherwise in an Order Form, Imprivata will retain the Event Monitoring files delivered to the Cloud Security Platform for the duration of the engagement, including any renewal terms.

B. Archiving – Best Practice. Imprivata recommends as a best practice to retain the most recent twelve (12) months of live audit data in the Cloud Security Platform database, with the next twenty-four (24) rolling months of data to be archived as non-live data that can be restored as needed. Under this 12/24 guideline, audit data older than thirty-six (36) months will be automatically and permanently deleted from the database, consistent with the NIST SP 800-88 Rev. 1 standard.

C. Customer Options: As Customer’s data storage and retention needs evolve, Customer may purchase additional storage Services from Imprivata under additional Order Form(s).

 

Addendum D – DDI LICENSED PLATFORM

I. SaaS Services Detail.

SaaS Services include a “Base License” and a “Data Source License” as follows:

A. Base License: The Base License includes access to the SaaS Services for analytics, custom user and patient access reporting, automated alerts, centralized investigation documentation repository, and graphical governance dashboard reporting for alerts and investigations.

  1. Includes User and Patient Identity Data Sources (up to three total, if available):
    • Active Directory
    • Advanced Patient Identity Data
    • Authoritative User Identity Data
  2. Unless otherwise provided in the applicable Order Form, the Base License includes up to 4.0 TB of storage for Customer’s retained active and archived data, supporting the Data Sources purchased.

B. Data Source License(s): Data Source Licenses are purchased on a per-source basis for each third-party data source that Customer wants to monitor (e.g., third party EMR providers) using the Imprivata DDI Platform and using Imprivata’s scripts specific (when available) to the particular third-party data source.

C. Support & Maintenance: Imprivata will provide the SaaS Services in the manner as described in the applicable Service Level Agreement, and as may be attached to a specific Order Form.

D. Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.

II. Licensed Platform Specifications.

A. Core Functionality: The Licensed Platform provides Customers with the ability to monitor and report on computerized access to the Customer’s applications and systems (“Customer Systems”) based on the audit log data and other data source files (as further described herein) provided by Customer to Imprivata in connection with the applicable Order Form (“Audit Log Data”). The Licensed Platform also provides the ability to perform specialized queries and research incidents related to the Customer Systems. The Licensed Platform works in conjunction with the Audit Log Data generated in the Customer’s Systems. For avoidance of doubt, the Services are based on Audit Log Data that Customer provides to Imprivata and Imprivata does not directly access Customer Systems to provide the Services. The Licensed Platform is commonly used by healthcare providers to demonstrate best industry practices relating to HIPAA sections 164.306, 164.308, and 164.312 related to the auditing of systems that access protected health information, streamlining incident investigations, and detecting reasonably anticipated incidents. Specific features include:

  1. Streamlined patient investigation across all applications in Customer environment;
  2. Streamlined user investigation across all such applications;
  3. Ad hoc incident investigation for use by Customer’s Pharmacy Director, auditors, and systems analysts;
  4. Category searches by patient name, medical record number, patient id, user name, TCP/IP addresses, and other security-related information;
  5. Support for any applications and systems (or data sources) that generate audit information in a text format that can be read using the data source file standards described below; and
  6. Support for authoritative identity information on users and patients from applications and sources that generate such data in a text format that can be read using the data source file standards described below.

B. Dependency: The analytics and reports available are dependent upon the Audit Log Data delivered from the Customer’s third-party software applications to the Licensed Platform.

C. Data Source File Standards: The Audit Log Data for use with the Imprivata software will be created by Customer or the Customer Systems as text files with one event per record (i.e., per line in the file) according to the following standards:

  1. Pipe delimited fields (with “|” constituting a “pipe”): Either caret (“^”) or comma (“,”) delimited, but comma delimited files must be enclosed by quotes;
  2. Fixed width fields – null fields must be filled with spaces;
  3. For sources that output XML, like McKesson STAR, the XML output does not need to be changed (i.e., the Licensed Platform shall work with XML files for which the associated definition file is provided);
  4. Single header record, in the same format as the data, at the beginning of the file, with the header record containing the field names;
  5. File definition table required;
  6. File unique naming convention is required; and
  7. Date fields must follow a four (4) digit year format.

D. Binary Formats (not included): Highly specialized application data sources in binary formats are not included under the standard Order Form (unless otherwise set forth therein), will be priced separately upon Customer request, and may require professional services (and be subject to the associated incremental fees) for implementation.

E. Firewall, Router, and Windows Server Data: Can be supported by the Licensed Platform but will be considered and priced separately upon Customer’s request and may require additional services.

III. Customer Responsibilities for Licensed Platform.

A. Customer shall provide a secured virtual private network (“VPN”) connection over the Internet and through a network connection which can send the Audit Log Data via secure transfer methods (SFTP or SCP) for the data transfer and end user access to the Imprivata data center.

B. Customer is responsible for supplying the Audit Log Data for the applications to be monitored, as further described in the Licensed Platform Specifications above. Customer is responsible for the quality and integrity of the Audit Log Data and other data or information delivered to Imprivata.

C. Customer shall have established Transport Layer Security (“TLS”) for all of the Customer domains with the domains of Imprivata within fifteen (15) days of Contract Effective Date.

D. Customer shall provide information and assistance in the form and format required in the Licensed Platform Specifications above. Specifically, Customer shall provide IT resources in a timely manner, as reasonably requested by Imprivata, in order to assist Imprivata with the installation and configuration of the Licensed Platform.

IV. Recommended Storage Capacity for the Licensed Platform.

A. Imprivata recommends as a best practice to retain the most recent twelve (12) months of live audit data in the Licensed Platform database, with the next twenty-four (24) rolling months of data to be archived as non-live data that can be restored as needed. Under this 12/24 guideline, audit data older than thirty-six (36) months will be automatically and permanently deleted from the database, consistent with the NIST SP 800-88 Rev. 1 standard.

B. The storage capacity included in Customer’s initial purchase of the Imprivata Patient Privacy Intelligence solution (“Initial Deployment Scope”) is based upon pre-engagement data usage factors that Customer has provided for its unique EHR/IT environment and policy requirements. These include, for example, the number of monitored users, the expected volume of data to be delivered, and whether Customer desires a data retention capacity exceeding or less than the 12/24 data retention guideline (collectively, “Baseline Usage Factors”).

C. Customer’s actual consumption of storage space may vary during the first year of deployment, and Customer will need to plan for additional storage as needed. Imprivata provides monthly trending reports that will assist in this planning.

D. Material Change Conditions: The recommended storage configuration may not be adequate to support the standard 12/24 data retention guideline (or a customized data retention requirement specified in an initial Order Form) if Customer experiences a material change to the Baseline Usage Factors. These material changes (to be measured by comparing actual production data against the Baseline Usage Factors initially provided to Imprivata) may include:

  1. Material Change to Monitored User Base - a greater than 10% increase in the number of employees or other monitored users due to expansion, acquisition, or merger;
  2. Material Changes to Data Source Volumes - Examples include:
    1. For high-volume data sources (e.g., Epic, Cerner, and McKesson Paragon), the addition of such data source, the replacement of a non-high volume data source with a high-volume data source, the use of a data-extraction script that is not Imprivata Ready certified, the addition of “modules” or “data triggers,” or the addition of monitored facility(ies), monitored users, or monitored user location(s).
    2. The addition of firewall, router, or Windows server data.

E. Customer Options: As Customer’s storage retention needs evolve, or if they exceed the Initial Deployment Scope, Customer may purchase additional storage services from Imprivata under additional Order Form(s).

V. Change-of-Scope Fee Adjustments.

A. General: Imprivata does not set pricing based on traditional “seat licenses,” and the fees prescribed in an Order Form are quoted and agreed to based, at least in part, upon certain assumptions and statistics provided by Customer to Imprivata. As is documented in each Order Form and Renewal Order Form, Customer shall represent and warrant to the accuracy of Customer’s number of employees and number of licensed beds (as applicable) at the time such Order Form is executed (“Initial Base Statistics”). Customer understands and acknowledges that material increases in any of the Initial Base Statistics will materially change the scope of engagement and service cost to Imprivata. Customer thus expressly agrees that in the event that one or more of the Initial Base Statistics increases by more than ten percent (10%) during the term of that Order Form (including any Renewal Terms) Imprivata shall have the right to increase or decrease the recurring subscription service fees identified in that Order Form (“Subject Annual Fees”) by a corresponding percentage in accordance with the methodology described below. Customer shall promptly remit payment for such adjusted Subject Annual Fees; provided that (i) Customer shall receive at least three months’ advance notice before any such fee adjustments take effect, and (ii) such adjustments shall be applied prospectively and not retroactively.

B. Methodology:

  1. Measurement Dates & Periods: Beginning with the initial term of an Order Form and during any subsequent renewal terms, upon each half-year anniversary of the initial Contract Effective Date (each such half-year anniversary being a “Measurement Date”), Imprivata will review the then-current value of the applicable Base Statistics through any information provided to Imprivata (which Customer agrees to provide upon request) and also through any publicly-available information sources. If any then-current value of a Base Statistic on a Measurement Date has increased by ten percent (10%) or more over the corresponding Initial Base Statistic, then Imprivata shall provide Customer with written notice that all Subject Annual Fees to be paid by Customer for the next annual subscription period shall be increased by the greatest percentage increase in a then-current Base Statistic as compared to the applicable Initial Base Statistic. The equivalent increased Subject Annual Fees shall be due for each subsequent year of the Order Form (including any renewals thereof) unless and until either subsequently adjusted under this provision or the parties agree in writing to reset the Initial Base Statistic values.
  2. Validation Period: After receiving written notice of any such increase in Subject Annual Fees, Customer shall have 30 days to review Imprivata’s findings of the then-current values for the Base Statistics. The parties shall work in good faith to validate those values and eliminate any misleading increases, decreases, or omissions that do not fairly and reasonably represent a change in the scope of the engagement. For any validated changes in Base Statistics that are not reasonably in dispute, Imprivata shall promptly notify Customer of the corresponding changes to the Subject Annual Fees, which shall be due and payable on the next anniversary of the Contract Effective Date.
  3. Subsequent Increases and Decreases in Base Statistics: If the Subject Annual Fees have been increased under the above process, then all Subject Annual Fees to be paid by Customer for the next annual subscription period commencing after each Measurement Date shall be equal to one plus the greatest net percentage increase in the then-current Base Statistics as compared to the applicable value for the Initial Base Statistics; provided, however, that in no event may the Subject Annual Fees be reduced to an amount less than the corresponding initial Subject Annual Fees set forth in the Initial Order Form or a Renewal Order Form. For clarity, once the initial 10% increase threshold has been exceeded, applying the net percentage increase will allow for subsequent decreases in the Base Statistics to reduce the upcoming Subject Annual Fees, but never below the floor of the initial Subject Annual Fees.

VI. Usage Limits; Right to Verify Use

Services are subject to usage limits as specified in the MPA and the applicable Order Form(s). Upon Imprivata’s request and within thirty (30) days of such request, an officer of Customer shall submit written verification of its compliance with any usage and scope limits of the Services. At any time during the term of the MPA, but no more than once per year, Imprivata may conduct a review of Customer’s records and systems data and/or request information and documentation necessary to verify Customer’s compliance with the usage and scope limits of the Services and with the terms of the MPA. If Customer has exceeded the applicable usage limits of the Services, Customer will be invoiced for the difference, along with interest at the rate of 0.75% per month, which shall be payable within thirty (30) days of such invoice. If the deficiency is greater than five percent (5.0%) of the amount paid during the period under review, Customer shall pay the reasonable expenses associated with such review, in addition to the actual deficiency plus interest at the rate of 0.75% per month. If the review instead reveals that Customer has overpaid for Services through no fault of Customer, then Imprivata shall promptly issue a credit to Customer equal to the corresponding overpayment during the review period, and such credit shall be applied to Customer’s next invoice due.

 

Addendum E – DRUG DIVERSION SERVICES (DDS)

I. Common Terms used in Managed Services Engagements.

A. “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.

B. “Access Review” refers to the review of Customer’s computer system user(s) who have accessed a patient’s EHR and/or other clinical applications. This may involve identifying all users who accessed the record at issue or identifying whether a specific user accessed the record.

C. “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.

D. “Enforced Policies” (also known as “Behavioral Analytics”) are reports (1) with specific criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “trigger” when those specific criteria are met.

E. “Investigation” means examination of the Access by a computer user of Customer (e.g., an employee or contractor) that was identified as potentially not business related during the review of a triggered Enforced Policy, including documenting the examination in the Investigation section of the Imprivata Drug Diversion Intelligence Platform.

F. “Special Alert” means an Enforced Policy created for a specific situation or event (e.g., for a high-profile patient that is in the hospital).

G. “Validation Request” means the written request that Imprivata sends to Customer’s management personnel after review of a triggered Enforced Policy, when the preliminary review by Imprivata failed to identify a likely business reason for the Access.

II. Managed Services Specifications.

A. Implementation Services:

  1. Review of Customer’s existing policies covering select subject areas deemed essential to the success of the Imprivata Drug Diversion Intelligence Program with suggestions for improvement/updates.
  2. Establish the following (where applicable):
    1. Standardized workflows
    2. Proven validation process
    3. Communication and education plan
    4. Customized communication and education materials
    5. Guidance on documentation of decisions around the deployment of Imprivata Patient Privacy Intelligence
  3. Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.

     

B. Alert Monitoring Services:

  1. Depending on the service level/SKU selected, Imprivata Managed Services staff will configure up to a specified number of Enforced Policies (automated alerts), i.e., the “Enforced Policy Limit,” at the suggested rate of one Enforced Policy every 10 - 13 weeks or another schedule mutually agreed upon. After the initial four (4) Enforced Policies have been configured, additional Enforced Policies may be purchased from a menu of available Enforced Policies. Any additional Enforced Policies configured must be agreed upon in advance and in writing.
  2. Apply specific filters to the Enforced Policies where applicable and available to reduce the number of false-positive alerts.
  3. Provide recommendations to the Customer on staff education and awareness initiatives.
  4. Provide trending results of positive findings (i.e., confirmed inappropriate Access) from triggered Enforced Policies.
  5. Provide or assist Customer with governance and compliance effectiveness reporting.
  6. Upon written request by Customer, provide assistance with Access Reviews based on specific inquiries or complaints.
  7. In accordance with the Service Level Agreements (SLAs), promptly notify Customer’s designated contact personnel upon discovery of suspected inappropriate Access by a computer user of Customer.
  8. Document reviews and investigations of triggered Enforced Policies in the Imprivata PPI platform.
  9. Validate a Customer computer user’s Access if a business reason cannot be determined.
  10. Provide continuous DDI monitoring of the Customer’s software applications delivering data to Imprivata DDI platform technology through the use of Enforced Policies configured by the Imprivata Managed Services staff.

III. Customer Responsibilities.

A. Provide the Imprivata Managed Services staff with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.

B. Work with the Imprivata Managed Services staff to identify the appropriate Customer management personnel for incorporation into the Managed Services standardized workflows and validation processes.

C. Work with the Imprivata Managed Services staff to finalize the communications plan for Customer’s organization.

D. Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.

E. Ensure timely management response in validating suspicious or inappropriate access (within two business days).

F. When notified by the Imprivata Managed Services staff, review and close all documented reviews and investigations of triggered Enforced Policies. This includes responsibility for determining if the investigation is a confirmed incident and if it is a reportable “Breach” as defined under state or federal law.

G. Carry out any required patient and/or government notifications.

H. Carry out appropriate sanctions as indicated by investigations of triggered Enforced Policies investigated by the Imprivata Managed Services staff.

I. Follow recommended education and awareness initiatives either (i) as recommended by the Imprivata Managed Services staff based on trending of positive findings from review of triggered Enforced Policies or (ii) in equivalent measures mutually agreed upon in writing.

J. Provide IT support as required (e.g., data feeds, adding additional data fields to extracts, etc.).

K. Other actions reasonably suggested by the Imprivata Managed Services staff and mutually agreed upon in writing.

IV. Change-of-Scope Fee Adjustments.

A. General: Imprivata does not set pricing based on traditional “seat licenses,” and the fees prescribed in an Order Form are quoted and agreed to based, at least in part, upon certain assumptions and statistics provided by Customer to Imprivata. As is documented in each Order Form and Renewal Order Form, Customer shall represent and warrant to the accuracy of Customer’s number of employees and number of licensed beds (as applicable) at the time such Order Form is executed (“Initial Base Statistics”). Customer understands and acknowledges that material increases in any of the Initial Base Statistics will materially change the scope of engagement and service cost to Imprivata. Customer thus expressly agrees that in the event that one or more of the Initial Base Statistics increases by more than ten percent (10%) during the term of that Order Form (including any Renewal Terms) Imprivata shall have the right to increase or decrease the recurring subscription service fees identified in that Order Form (“Subject Annual Fees”) by a corresponding percentage in accordance with the methodology described below. Customer shall promptly remit payment for such adjusted Subject Annual Fees; provided that (i) Customer shall receive at least three months’ advance notice before any such fee adjustments take effect, and (ii) such adjustments shall be applied prospectively and not retroactively.

B. Methodology:

  1. Measurement Dates & Periods: Beginning with the initial term of an Order Form and during any subsequent renewal terms, upon each half-year anniversary of the initial Contract Effective Date (each such half-year anniversary being a “Measurement Date”), Imprivata will review the then-current value of the applicable Base Statistics through any information provided to Imprivata (which Customer agrees to provide upon request) and also through any publicly-available information sources. If any then-current value of a Base Statistic on a Measurement Date has increased by ten percent (10%) or more over the corresponding Initial Base Statistic, then Imprivata shall provide Customer with written notice that all Subject Annual Fees to be paid by Customer for the next annual subscription period shall be increased by the greatest percentage increase in a then-current Base Statistic as compared to the applicable Initial Base Statistic. The equivalent increased Subject Annual Fees shall be due for each subsequent year of the Order Form (including any renewals thereof) unless and until either subsequently adjusted under this provision or the parties agree in writing to reset the Initial Base Statistic values.
  2. Validation Period: After receiving written notice of any such increase in Subject Annual Fees, Customer shall have 30 days to review Imprivata’s findings of the then-current values for the Base Statistics. The parties shall work in good faith to validate those values and eliminate any misleading increases, decreases, or omissions that do not fairly and reasonably represent a change in the scope of the engagement. For any validated changes in Base Statistics that are not reasonably in dispute, Imprivata shall promptly notify Customer of the corresponding changes to the Subject Annual Fees, which shall be due and payable on the next anniversary of the Contract Effective Date.
  3. Subsequent Increases and Decreases in Base Statistics: If the Subject Annual Fees have been increased under the above process, then all Subject Annual Fees to be paid by Customer for the next annual subscription period commencing after each Measurement Date shall be equal to one plus the greatest net percentage increase in the then-current Base Statistics as compared to the applicable value for the Initial Base Statistics; provided, however, that in no event may the Subject Annual Fees be reduced to an amount less than the corresponding initial Subject Annual Fees set forth in the Initial Order Form or a Renewal Order Form. For clarity, once the initial 10% increase threshold has been exceeded, applying the net percentage increase will allow for subsequent decreases in the Base Statistics to reduce the upcoming Subject Annual Fees, but never below the floor of the initial Subject Annual Fees.

V. Usage Limits; Right to Verify Use

Services are subject to usage limits as specified in the MPA and the applicable Order Form(s). Upon Imprivata’s request and within thirty (30) days of such request, an officer of Customer shall submit written verification of its compliance with any usage and scope limits of the Services. At any time during the term of the MPA, but no more than once per year, Imprivata may conduct a review of Customer’s records and systems data and/or request information and documentation necessary to verify Customer’s compliance with the usage and scope limits of the Services and with the terms of the MPA. If Customer has exceeded the applicable usage limits of the Services, Customer will be invoiced for the difference, along with interest at the rate of 0.75% per month, which shall be payable within thirty (30) days of such invoice. If the deficiency is greater than five percent (5.0%) of the amount paid during the period under review, Customer shall pay the reasonable expenses associated with such review, in addition to the actual deficiency plus interest at the rate of 0.75% per month. If the review instead reveals that Customer has overpaid for Services through no fault of Customer, then Imprivata shall promptly issue a credit to Customer equal to the corresponding overpayment during the review period, and such credit shall be applied to Customer’s next invoice due.