IMPRIVATA EMR MANAGEMENT SYSTEM LICENSE AGREEMENT
Under this EMR Management System License Agreement (the “Agreement”), Imprivata, Inc., a Delaware corporation, with its principal place of business at 20 CityPoint, 6th floor, 480 Totten Pond Rd., Waltham, MA 02451 (“Imprivata”), Imprivata hereby agrees to provide to you (“Customer” or “you”) the proprietary electronic medical records (“EMR”) software as described herein (collectively, the “Imprivata System” or “System”) through a third-party hosting provider providing services to Customer (“Provider”) on the terms set forth in this Agreement. By accessing and using the System you (either you as an individual or, if the System will be used by an entity, on behalf of that entity) represent and agree that you have the capacity and authority to bind yourself or, if applicable, the applicable entity, to the terms of this Agreement and agree to be bound by the terms of this Agreement. If you do not agree to the terms of this Agreement, you may not access and use the System. This Agreement is effective as of the date Customer accesses the System (“Effective Date”). Any terms and conditions in a purchase order (or in any similar document) which are in addition to, or conflict or are inconsistent with these terms are hereby rejected and superseded by the terms contained herein. The System is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties.
- TERM. The term of this Agreement shall commence on and be effective as of the Effective Date set forth above and continue for a period of three (3) years from the first day of the month immediately following the Effective Date (the “Initial Term”). The Initial Term shall be renewed automatically for successive periods of three (3) years (each such period, a “Renewal Period” and, together with the Initial Term, the “Term”) unless a party provides the other party with written notice, delivered at least sixty (60) days before the end of the Initial Term or the then-current Renewal Period, as applicable, of its intent not to renew the Agreement for any subsequent Renewal Periods.
- FEES AND PAYMENT. Imprivata shall sell to Customer and Customer shall purchase from Imprivata the Imprivata System and/or Managed Services (defined below and further described in Exhibit A) as set forth in the applicable Imprivata Quote (or its equivalent if purchasing through an authorized reseller). Imprivata will invoice Customery as set forth on the Imprivata Quote. Customer will pay invoices within 30 days of each invoice date. All purchases are non-cancellable and non-refundable. Imprivata may withhold shipments and cease providing any services until past-due payments are made. Late payments are subject to a charge of the lesser of 1.5% per month or the maximum allowed by law during such time as any payment is late as well as collection costs, including reasonable collection and attorney’s fees. Prices do not include, and Customer shall be responsible for, all applicable taxes of any kind due in respect of the transactions contemplated by this Agreement, except taxes on Imprivata's net income. “Imprivata Quote” or “Quote” means the supplemental document issued by Imprivata, which specifies the System, Managed Services and any other software, services and/or hardware which may be purchased by you, and the price associated with each.
- INSTALLATION, SECURITY AND SUPPORT OF THE SYSTEM.
- Obligations of Imprivata.
- Imprivata will provide the System for Customer’s use in accordance with the terms of this Agreement.
- Imprivata will assist Customer in transferring data from Customer’s EMR into the System according to the data format specified by Imprivata in the Documentation (defined below).
- Imprivata will provide System support and will respond promptly to Customer’s reasonable written support requests. Three (3) requests for remote System support will be processed per week without any additional fee, via Support Ticket submission in Imprivata Tool.
- During the Term of this Agreement, Imprivata shall access and monitor System usage metrics, including the: (A) number of files uploaded, (B) number of accesses stored, (C) number of suspicious accesses, (D) number of explanations, (E) number of employees and patients, (F) number of access events investigated, (G) number of inappropriate access events found according to the System’s logic, and (H) number of users of the System, in order to troubleshoot System issues and provide proactive support to Customer.
- Imprivata will provide reasonable support to enable Customer to extract data from its EMR system and load such data into the Imprivata System.
- Imprivata may engage a third party to implement the System for Customer.
- Obligations of Customer.
- In order to begin use of the System, Customer must follow the instructions contained in the Documentation. For purposes of this Agreement, “Documentation” means any operator and user manuals, training materials, implementation guides, technical materials and other materials provided by Imprivata or Provider. Customer must provide IT support to assist with the System installation process and respond within a reasonable time frame.
- Customer will have the right to assign such number of usernames to Customer Personnel (defined below) as may be required to utilize the System for the purposes set forth herein (collectively, “Authorized Users”). Customer will maintain, and ensure their Authorized Users maintain, the access credentials required to access the System in order to prevent unauthorized connections to the System by third parties as well as the security of the data contained thereon using commercially reasonable precautions and in accordance with applicable Laws and as set forth herein (including with encryption). For purposes of this Agreement, “Laws” means all federal, state and local laws, statutes, rules, codes, directives, regulations and ordinances including HIPAA and other privacy laws, as applicable. For purposes of this Agreement, “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as may be amended from time to time. Customer shall not provide Imprivata with any access to individually identifiable health information or PHI, except through standard secure transfer protocol to the Imprivata hosted appliance to perform data analytics. For purposes of this Agreement, individually identifiable health information and “PHI” shall have the meanings as defined in HIPAA. Customer must comply with HIPAA and other applicable Laws governing the collection and management of Customer data, and Customer’s transmission, storage and processing of data by means of the System.
- Customer shall maintain connections for the System as specified in the Documentation and as specified from time to time by Imprivata upon written notice to the Customer. Customer is solely responsible for any conditions, whether internal network conditions or otherwise, that may adversely affect the operation of the System, the third party cloud hosting environment, the ability of the personnel of Imprivata to provide services to Customer, Customer personnel’s use of the System, or any other person using the System under the Customer License (defined below). Customer shall comply with all applicable Laws in performing its activities and obligations in connection with this Agreement.
- Customer shall ensure Authorized Users will save, protect and maintain data on Customer’s own storage system which shall not be part of the System. In the event there is any actual or suspected misuse of the System that impacts Customer data, Authorized User credentials or System integrity, Customer shall immediately report such event to Imprivata in writing as instructed in Section 19.
- Customer must use, and shall ensure each Authorized User uses, reasonable care to avoid transmitting any virus, spyware, ransomware, or other malware to Customer’s System. Customer must contact Imprivata immediately if it believes the security of any Authorized User’s account or the System has been compromised.
- Customer is responsible for obtaining all necessary rights and permissions to enable, and grants such rights and permissions to, Imprivata, and its contractors and subcontractors to use, provide, store and process Customer data in the System. This includes Customer making necessary disclosures and obtaining consent, if required, before providing individuals’ information, including personal or other regulated information in such data.
- Obligations of Imprivata.
- CLOUD ENVIRONMENT FUNCTIONALITY.
- The System will connect to servers outside of Customer’s network for purposes of storing and maintaining data, updating System code, verifying that Customer’s Authorized Users have the appropriate credentials (i.e., has a valid account), and/or reporting usage metrics to a Imprivata server.
- Customer must backup its data outside of the System. While the System strives to maintain the integrity of Customer data, Customer acknowledges that its use of the System does not, by itself, constitute compliance with the HIPAA Security Rules requirements such as those related to emergency planning, disaster recovery planning, and creation and maintenance of retrievable exact copies of electronic PHI.
- Customer must encrypt data used in connection with the System both in transit and at rest. Particularly because that data stored in the Provider’s cloud hosting environment, or that Customer or Authorized Users transmit to or from the System, both in transit and at rest. Customer agrees that Imprivata is not liable under this Agreement for a security breach that involves the loss of confidentiality, integrity or availability of Customer’s data to the extent the loss would not have occurred but for Customer’s failure to comply with this subsection.
- The System shall not be used by Customer as a data repository.
- HIPAA COMPLIANCE. The parties acknowledge that Customer’s arrangement with Imprivata for the provision of the System hereunder may be subject to Laws relating to the confidentiality, privacy and security of patient information under applicable Laws, including without limitation, the HIPAA, relating to the privacy and security of confidential health information, and any final regulations or rules promulgated by the U.S. Department of Health and Human Services thereunder.
- SYSTEM LICENSE AND PERMITTED USE BY CUSTOMER.
- Subject to the terms of this Agreement, Customer is hereby granted a non-exclusive, non-transferable and limited right to allow its Authorized Users to use the Imprivata System and Documentation during the Term of this Agreement solely to manage Customer electronic medical records.
- At all times, the System shall remain the sole and exclusive property of Imprivata, and Imprivata or the Provider, owns all rights, title, interests, including all intellectual property rights thereto and in all modifications, adaptations, enhancements and derivative works thereof whether made by Imprivata, Customer or jointly. Except as expressly permitted hereunder, Customer shall not transfer, license, sublicense, assign, distribute, translate, reverse engineer, decompile, disassemble, or modify the System or duplicate the System or portions thereof, or allow any affiliate, related party, or third party to access the System or do any of the foregoing. Upon termination or expiration of this Agreement for any reason, Customer will cease, and will ensure the Customer Personnel (defined below) cease, all use of the System. Imprivata reserves all rights in the System not expressly granted. For purposes of this Agreement “Customer Personnel” means: (i) the employees of Customer; and (ii) Customer’s third party contractors who are providing services to Customer in the ordinary course of Customer’s business and pursuant to a written agreement that binds them to confidentiality and information technology security obligations that are at least as restrictive as those set forth herein. Notwithstanding the foregoing, Customer remains fully liable to Imprivata for all breaches of this Agreement by Customer Personnel and any other activity of Customer Personnel with respect to the System and this Agreement.
- Customer will have the right to assign such number of usernames to Authorized Users as may be required to utilize the System for the purposes set forth herein. Usernames and passwords will be assigned to specific individuals as Authorized Users and no sharing of usernames and passwords is permitted. Customer shall be solely responsible for any unauthorized use of the System, usernames and passwords by any Authorized Users.
- REPAIR AND MAINTENANCE. The System shall be maintained only by Imprivata or a Imprivata approved third-party. Imprivata shall be responsible for repair or replacement costs due to defective components or peripherals. Customer shall be responsible for repair or replacement costs resulting from ordinary wear and tear, misuse, neglect, faulty installation or alterations or repairs made by anyone other than Imprivata, unless such repairs are authorized in advance, in writing, by Imprivata.
- ANNUAL DISCLOSURES.
- Upon the Effective Date, and on each anniversary of the Effective Date thereafter during the Term of this Agreement, Customer shall provide to Imprivata in writing the estimated number of Customer Personnel that will be accessing Customer’s EMR system beginning at the then-current Contract Year (duplicate credentials excluded) (the “Annual Estimate”). For purposes of calculating Customer’s usage and the Annual Estimate, the parties shall count Customer Personnel that access Customer’s EMR system that produce an audit log entry in Customer’s EMR system. The current Annual Estimate is set forth on the Quote. Each twelve (12) month period beginning on the first day of the month immediately following the Effective Date and ending one (1) year thereafter, or an anniversary of the first day of the month immediately following the Effective Date, during the Term of this Agreement shall be known as a “Contract Year.”
- In the event there is an increase of more than ten percent (10%) in the number of Customer Personnel that are accessing Customer’s EMR system, the Annual Fee shall be proportionally adjusted for the then-current Contract Year. Any additional fee for such additional Customer Personnel shall be added to the Annual Fee due and payable to Imprivata in accordance with the terms of this Agreement.
- TAXES. Customer will be responsible for paying those taxes, if any, associated with its use of the System, which taxes shall exclude any taxes based on Imprivata’s income, employment or withholding taxes for Imprivata’s personnel.
- DISCLAIMER OF WARRANTIES:
- Imprivata will not be responsible for damage to the System resulting from any (i) deviation from Imprivata's installation or operating instructions provided with respect to the System, (ii) installation of the System in a manner which is inconsistent with Imprivata's instructions, (iii) alteration or modification of the System in any manner, (iv) misuse, neglect or abuse of the System, (v) service of the System by anyone other than Imprivata or an Imprivata authorized third-party, or (iv) other improper application, installation or operation of the System.
- The System does not cause and cannot eliminate occurrences of the events in which there is unauthorized access to Customer’s EMR or the System fails to prevent an event that it is not intended to avert (collectively, “Events”). Imprivata makes no guaranty or warranty that the System will detect or avert such Events or the consequences therefrom. Accordingly, Imprivata does not undertake any risk that Customer’s EMR, may be subject to loss if such an Event occurs. The allocation of such risk remains with Customer, not Imprivata. Insurance, if any, covering such risk shall be obtained by Customer. Imprivata shall have no liability for loss or damage due directly or indirectly to Events. Customer shall look exclusively to its insurer and not to Imprivata to pay Customer in the event of any such loss or damage. Customer releases and waives for itself and its insurer all subrogation and other rights to recover from Imprivata arising as a result of paying any claim for loss or damage of Customer or another person. Imprivata has no responsibility for claims based on non-Imprivata products or services, including cloud services provided by Provider.
- THE SYSTEM IS PROVIDED TO CUSTOMER SOLELY ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OR ANY WARRANTY THAT MAY ARISE THROUGH A COURSE OF DEALING. IMPRIVATA DOES NOT WARRANT THAT THE IMPRIVATA SYSTEM, OR ANY COMPONENT OF THE SYSTEM, WILL OPERATE UNINTERRUPTED OR ERROR-FREE.
- If applicable law requires a warranty notwithstanding this limitation, then the warranty is made for a period of thirty (30) days from the date the warranty is deemed to have been made by law. Specifically, but without limitation, Imprivata does not warrant that the System will be uninterrupted or completely secure.
- LIMITATION OF LIABILITY: EXCEPTING ONLY IN THE EVENT OF A BREACH BY YOU OF SECTION 6 (“SYSTEM LICENSE AND PERMITTED USE BY CUSTOMER”) OR A BREACH BY EITHER PARTY OF SECTION 14 (“CONFIDENTIAL INFORMATION”), NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES OR LOST PROFITS, FORESEEABLE OR UNFORESEEABLE, OF ANY KIND (INCLUDING, WITHOUT LIMITATION, LOSS OF GOODWILL, LOST OR DAMAGED DATA OR SOFTWARE, LOSS OF USE OF PRODUCTS, OR DOWNTIME) ARISING FROM THE SALE, DELIVERY OR USE OF THE APPLIANCES, PERFORMANCE OF ANY SERVICES OR ANY OTHER ACT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IMPRIVATA'S MAXIMUM LIABILITY TO YOU, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, WILL NOT EXCEED THE FEES PAID AND PAYABLE BY YOU DURING THE PRECEDING TWELVE MONTH PERIOD. MONETARY DAMAGES AS LIMITED BY THIS SECTION SHALL SERVE AS YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM UNDER THIS AGREEMENT FOR WHICH AN EXCLUSIVE REMEDY IS NOT PROVIDED, AND AS YOUR SOLE AND EXCLUSIVE ALTERNATIVE REMEDY SHOULD ANY EXCLUSIVE REMEDY HEREUNDER BE FOUND TO FAIL OF ITS ESSENTIAL PURPOSE. NO LIMITATION AS TO DAMAGES FOR PERSONAL INJURY IS HEREBY INTENDED.
- INTELLECTUAL PROPERTY CLAIMS. Imprivata will defend you from and against third party claims (and will pay any resulting damages, costs or liabilities awarded by a court of final jurisdiction) arising solely from a claim that the System infringes any United States or European Union patent or any copyright rights (in or of countries that are signatories to the Berne Convention) of a third party. Imprivata's obligation is subject to your compliance with the following procedures: (a) you will promptly notify Imprivata in writing of any claim or the commencement of any suit, action, proceeding or threat that you believe will result in losses for which you will be entitled to defense, provided however, that the failure to give such prompt written notice shall not affect the indemnification provided hereunder except to the extent that such failure shall have actually prejudiced Imprivata; (b) you will tender to Imprivata (and its insurer) full authority to defend or settle any such claim; and (c) you shall cooperate in the defense of such claim. Imprivata has no obligation to indemnify you in connection with any settlement made without Imprivata's prior written consent. Imprivata will defend you against any such claim brought against you by counsel retained at Imprivata's own expense and of Imprivata's own choosing. You shall be permitted to monitor the defense of any such claim with counsel of your choosing at your sole cost and expense. Imprivata shall have no obligation to indemnify you for infringement claims arising in whole or in part from (1) designs, specifications or modifications originated or requested by you, (2) the combination of the System or any part thereof with other equipment, software or products not supplied by Imprivata if such infringement or misappropriation would not have occurred but for such combination, or (3) your failure to install an update, where same would have avoided such claim. You will indemnify and hold Imprivata harmless from and against claims that are the subject of clauses (1)-(3). In the event that the use or sale of any of the System is enjoined or, in Imprivata's judgment may be enjoined, Imprivata will either: (i) procure for you the right to continue to use the System, (ii) replace the infringing portion of the System with a functionally equivalent product or modify it so that it becomes non-infringing, or (iii) terminate your access to the infringing or misappropriating System and, reimburse you for any prepaid fees for the term-based System licenses on a pro-rata basis. Upon Imprivata's fulfillment of the alternatives set out in this section, Imprivata shall be relieved of any further obligation or liability to you as a result of any such infringement or misappropriation. THIS SECTION STATES IMPRIVATA'S ENTIRE LIABILITY TO YOU AND YOUR SOLE REMEDY FOR ANY INFRINGEMENT CLAIMS CONCERNING THE SYSTEM.
- TITLE AND OWNERSHIP. Customer expressly acknowledges that it is receiving a limited license from Imprivata as set forth herein. Except for the rights expressly granted to Customer herein, all title, rights and interest in and to the System, and all intellectual property rights contained therein and created under this Agreement shall at all times solely and exclusively remain with Imprivata. Customer agrees that no proprietary materials created in connection with this Agreement are “works made for hire” as that term is used in connection with the U.S. Copyright Act. To the extent that, by operation of law, Customer owns any intellectual property rights in such proprietary materials, Customer hereby irrevocably assigns and transfers to Imprivata all rights, title and interest in such proprietary materials. To the extent that, by operation of law, any Customer Personnel owns any intellectual property rights in such proprietary materials, Customer shall obtain all such rights and, immediately upon obtaining them, hereby irrevocably assigns and transfers to Imprivata all rights, title and interest in such proprietary materials. Imprivata expressly reserves all rights not expressly granted to Customer hereunder.
- CONFIDENTIAL INFORMATION.
- During this Agreement, each party may have access to information that is considered confidential by the other. This information may include, but is not limited to, proprietary materials, technology, know-how, procedures, processes, protocols, specifications, usage metrics, strategic plans, designs, systems, software object code and source code, documentation, sales and marketing plans, results of testing, customer information, financial information, product information, proposed business arrangements, methods of operation and compilations of data (“Confidential Information”). During the Term, Customer will share with Imprivata the de-identified scripts used to extract data from Customer’s EMR through the System, which shall not be deemed Confidential Information of a party under this Agreement.
- Each party shall use the other’s Confidential Information only for the purposes of this Agreement. Each party shall maintain the confidentiality of the other party’s Confidential Information in the same manner in which it protects its own Confidential Information of like kind, but in no event shall either party take less than reasonable precautions to prevent the unauthorized disclosure or use of the other party's Confidential Information. Neither party shall export, disseminate or otherwise transfer, in writing, orally and/or electronically, the other party’s Confidential Information outside of the United States.
- Each party is permitted to disclose the other party’s Confidential Information to its employees, contractors and other third parties (“Recipients”) on a need to know basis only, provided that such Recipients have contractual or legal confidentiality obligations to that party no less stringent than those contained in this Agreement. Each party shall be and remain fully liable and responsible for its Recipients’ unauthorized disclosure or use of the other party’s Confidential Information.
- Each party is permitted to disclose the other party’s Confidential Information as legally required in response to a court order, subpoena, administrative proceeding and/or similar legal process; provided that it gives the other party reasonable notice of the request, and an opportunity to defend and/or attempt to limit or prevent the disclosure of its Confidential Information. Imprivata is also permitted to use aggregated, de-identified System data and usage metrics for its own business purposes, including but not limited to system maintenance, performance and security monitoring and enhancement.
- The confidentiality provisions of this Agreement do not apply to information that is or becomes generally available or known to the public through no act or omission of the receiving party; was received lawfully from a third party through no breach of any obligation of confidentiality owed to the disclosing party; or created by a party independently of its access to or use of the other party’s Confidential Information.
- Upon termination of this Agreement, each party shall return the other party’s Confidential Information and shall not use the other party’s Confidential Information for its own, or any third party’s, benefit. The provisions of this Section shall survive termination of this Agreement for so long as the Confidential Information remains confidential.
- TERMINATION AND DEFAULT. This Agreement, and Customer’s possession and use of the System, shall automatically terminate upon the expiration of the Term. In addition, Imprivata shall have the right to terminate this Agreement upon written notice to Customer if Customer breaches this Agreement or any terms of use or service that accompany Customer’s use or any Authorized User’s use of the System through Provider, and does not cure such breach within thirty (30) days following receipt of written notice thereof from Imprivata. Imprivata may terminate this Agreement immediately upon written notice of a breach by Customer of Sections 4, 6, 14 or 16 hereunder.
- OPERATION OF SYSTEM. The System, including all components thereof, shall be operated by Customer and Authorized Users only in accordance with the Documentation. Customer will be responsible for safekeeping all components of the System. Customer will be responsible for any losses Imprivata incurs in connection with the loss or theft of the System, or a lost or stolen component of the System, including without limitation, replacement cost that is attributable to the gross negligence or intentional misconduct of Customer or its Authorized Users.
- ASSIGNMENT. This Agreement is binding upon and inures to the benefit of the parties, their successors and permitted assigns. Neither party may assign or transfer its rights hereunder without the other party’s prior written consent, provided that Imprivata may assign this Agreement in connection with a merger or consolidation or the sale of all or substantially all of its assets or stock.
- GOVERNING LAW AND JURISDICTION. This Agreement and the rights and obligations of the parties will be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts in the United States. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act (UCITA) as adopted by any state are specifically excluded from application hereunder. Notwithstanding the foregoing, Imprivata may seek injunctive or other equitable relief, wherever it deems appropriate, to protect or enforce its rights hereunder, in addition to any remedies available to Imprivata at law.
- 19. NOTICE. All notices under this Agreement must be in writing and sent either by hand delivery; certified mail, return receipt requested; overnight courier; email; or by facsimile (with a confirming copy by certified mail or overnight courier) and will be effective when received by such party, or refused by such party, at the address for notice given at the end of this Agreement or such other address as will have been provided in writing.
For Imprivata, such notice shall be provided to:
Imprivata, Inc.
Attn: Legal Department
20 CityPoint, 6th floor
480 Totten Pond Rd.
Waltham, MA 02451 - ACTS BEYOND CONTROL. Neither party shall be held responsible for any delay, damages or failure of performance to the extent such delay, damages or failure is caused in whole or in part by fire, explosion, power failures, strikes or other labor disputes, water, earthquake, acts of God, elements, war, civil disturbances, acts of civil or military authorities, acts of terrorism, acts or omissions, unauthorized use of Imprivata’s services, or any other causes beyond a party’s reasonable control, whether or not similar to the foregoing.
- MISCELLANEOUS. This Agreement, including the exhibits attached and incorporated hereto, sets forth the final, complete, and entire agreement between the parties with respect to its subject matter, and supersedes and replaces any prior or contemporaneous agreements, whether written or oral, regarding such subject matter. No additional or different terms on any purchase order or other ordering document of Customer shall have any effect on this Agreement, and all such additional or different terms are hereby expressly excluded from this Agreement by the parties. This Agreement cannot be changed except pursuant to a written amendment signed by both parties. No failure by a party to exercise any power, right, privilege or remedy under this Agreement, and no delay on the part of a party in exercising any power, right, privilege or remedy under this Agreement, shall operate as a waiver of such power, right, privilege or remedy. No waiver shall be effective unless it is in writing and signed by an authorized representative of the waiving party, and any such waiver shall only be applicable to the specific instance referenced in such writing. The relationship between the parties hereto is that of independent contractors, and no agency, partnership, joint venture, employment or franchise relationship between the parties is created hereunder. The parties hereto agree that any rule of construction to the effect that ambiguities are to be resolved against the drafting party shall not be applied in the interpretation of this Agreement. All payment obligations of Customer, and any provisions which by their terms contemplate continuing effectiveness, shall survive any termination or expiration of this Agreement. If any part of this Agreement shall be held to be void or unenforceable, such part will be treated as severable, leaving valid the remainder of this Agreement notwithstanding the part or parts found to be void or unenforceable. Nothing in this Agreement shall be deemed to create any right or benefit in any person not a party hereto. Customer agrees that nothing in this Agreement shall be deemed to prevent Imprivata at any time from entering into any similar or other business relationship of any kind with any third party for any purpose. All definitions contained in this Agreement apply to both their singular and plural forms, as the context may require. The terms “herein”, “hereunder”, and “hereof” refer to this Agreement.
- Upon the successful installation of the System and subject to Customer’s prior written approval of the content, Imprivata may refer to Customer, either directly or indirectly, for purposes of media releases, public announcements or public disclosures relating to this Agreement.
Exhibit A
Imprivata EMR Management System Managed Services
Imprivata will provide to Customer the managed services (“Managed Services”) as further described herein for which Customer has paid the applicable fees and for the term as set forth in Customer’s Imprivata Quote.
A. Imprivata EMR Management System Managed Services Packages
- Imprivata Managed Privacy Services (MPS)
- Common Terms used in MPS Engagements.
- “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.
- “Access Review” refers to the review of Customer’s computer system user(s) who have accessed a patient’s EHR and/or other clinical applications. This may involve identifying all users who accessed the record at issue or identifying whether a specific user accessed the record.
- “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.
- “Saved Searches” are reports (1) configured by specific, customizable criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “create a task” when that specific criteria is met.
- “Investigation” means examination of the Access by a computer user of Customer (e.g., an employee or contractor) that was identified as potentially not business related during the review of a triggered Saved Search, including documenting the examination in the Investigation section of the Imprivata System.
- “Special Alert” means a Saved Search created for a specific situation or event (e.g., for a high-profile patient that is in the hospital).
- “Validation Request” means the written request that Imprivata sends to Customer’s management personnel after review of a triggered Saved Search, when the preliminary review by Imprivata failed to identify a likely business reason for the Access.
- MPS Specifications.
- Foundation Building Services:
- Provide a Requirement Checklist covering select subject areas deemed essential to the success of the Imprivata Privacy Monitoring Program for Customer’s review of its existing policies.
- Establish the following (where applicable):
- Standardized workflows
- Proven validation process
- Communication and education plan
- Customized communication and education materials
- Guidance on documentation of decisions around the deployment of Imprivata System
- Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under a Quote, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Quote or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Quote. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.
- Alert Monitoring Services:
- Depending on the service level/sku selected, Imprivata MPS staff will configure up to a specified number Saved Searches (automated alerts) —i.e., the “Saved Search Limit”— from a menu of available Saved Searches at the suggested rate of one Saved Search every 10 - 13 weeks or another schedule mutually agreed upon. After the initial four (4) Saved Searches have been configured, additional Saved Searches may be purchased from a menu of available Saved Searches. Any additional Saved Searches configured must be agreed upon in advance and in writing.
- Apply workflow optimizations and application functionality to the Saved Searches where applicable and available to reduce the number of false positives alerts.
- Provide recommendations to the Customer on staff education and awareness initiatives.
- Provide reporting and analytics of positive findings (i.e., confirmed inappropriate Access) from triggered Saved Searches.
- Provide or assist Customer with governance and compliance effectiveness reporting. Upon written request by Customer no more than twice per month, provide MPS interpretation assistance with Access Reviews based on specific inquiries or complaints. Customer must submit a MPS Ad-Hoc Request form to request MPS interpretation of an Access Review, and such Access Review shall be limited in scope to no more than a six (6) month time period.
- In accordance with the MPS Service Level Agreement below, promptly notify Customer’s designated contact personnel upon discovery of suspected inappropriate Access by a computer user of Customer.
- Document reviews and investigations of triggered Saved Searches in the Imprivata System.
- Validate a Customer computer user’s Access if a business reason cannot be determined.
- Provide continuous privacy monitoring of the Customer’s software applications delivering data to Imprivata System technology through the use of Saved Searches configured by the Imprivata MPS staff.
- Foundation Building Services:
- Customer Responsibilities.
- Provide the Imprivata MPS staff with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.
- Work with the Imprivata MPS staff to identify the appropriate Customer management personnel for incorporation into the MPS standardized workflows and validation processes.
- Work with the Imprivata MPS staff to finalize the communications plan for Customer’s organization.
- Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.
- Ensure timely management response in validating suspicious or inappropriate access (within two business days).
- When notified by the Imprivata MPS staff, review and close all documented reviews and investigations of triggered Saved Searches. This includes responsibility for determining if the investigation is a confirmed incident and if it is a reportable “Breach” as defined under state or federal law.
- Carry out any required patient and/or government notifications.
- Carry out appropriate sanctions as indicated by investigations of triggered Saved Searches investigated by the Imprivata MPS staff.
- Follow recommended education and awareness initiatives either (i) as recommended by the Imprivata MPS staff based on trending of positive findings from review of triggered Saved Searches or (ii) in equivalent measures mutually agreed upon in writing.
- Provide IT support as required (e.g., data feeds, adding additional data fields to extracts, etc.).
- Other actions reasonably suggested by the Imprivata MPS staff and mutually agreed upon in writing.
- MPS Service Level Agreement
- Except as otherwise set forth herein, Saved Searches triggered and received by Imprivata® Managed Services Staff between 9 am Mon and 12 pm Fri, Eastern Time, will be reviewed within 24 hours.
- Except as otherwise set forth herein, Saved Searches triggered and received by Imprivata® Managed Services Staff between 12 pm Fri and 9 am Mon, Eastern Time, will be reviewed by 5 pm Tuesday.
- Any Investigations into potential inappropriate Access will be completed and documented by the Imprivata® Managed Services Staff within 3-5 business days of receipt, contingent upon Customer’s management response to Validation Request within 2 days.
- Notification of Customer representative by Imprivata® Managed Services Staff upon completion of any Investigations into inappropriate Access.
- Completion of Access Reviews within 7 business days of receipt.
- Implementation of the number of Saved Searches that were purchased in your initial Quote (“SS Limit”).
- In the event of a widespread natural disaster or similar emergency effecting Imprivata® or the Customer, SLAs may be negatively impacted.
- Service Levels set forth above are dependent upon Imprivata® Managed Services Staff timely receipt of data. In the event of a delay or suspension of data received by the Imprivata® Managed Services Staff, Imprivata ® Managed Services Staff will work in good faith with the Customer to agree upon Service Levels extended in proportion with such delay or suspension.
- Common Terms used in MPS Engagements.
- Imprivata Advisory Services
- Common Terms used in Imprivata Advisory Services Engagements.
- “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.
- “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.
- “Saved Searches” are reports (1) configured by specific, customizable criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “create a task” when that specific criteria is met.
- Imprivata Advisory Services Specifications.
- Application Configuration:
- Configure and test Saved Searches to address areas of risk and unique Customer use cases for proactive monitoring and risk mitigation.
- Conduct application overviews for new end users and new feature training when applicable to facilitation meaningful use of application and optimal utilization of application.
- Establish optimal alert review and investigation generation workflows, quality, and accuracy.
- Educate and provide communication standards to end users.
- Create, schedule, and set up governance/ analytic reporting.
- Customize end user dashboards for each user or group of users for a high-level overview of program.
- Tailor end user searches for a variety of use cases.
- Instruct users on how to create task views for themselves or their group.
- Apply specific filters and application functionality to the Saved Searches where applicable and available to reduce the number of false positives alerts.
- Optimization of the Platform:
- Advise on newly available features and enhancements for the services for optimal utilization.
- Review the Saved Search menu to assist in selecting the optimal Saved Search monitoring options and advise alignment with industry best practices.
- Services Advisor:
- Provide Customer a designated contact (the “Advisor”) who will serve as an expert on the services and Customer’s central point of contact with a connection to the larger Imprivata community. The Advisor will:
- Provide consultation on best end user practices.
- Review Saved Searches to ensure downward alert trending indicates increasing compliance in user behavior.
- Gather and deliver industry research and best practices and lessons learned at-scale within the broader Imprivata System customer base, to accelerate the maturity of customer programs and processes.
- No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with the Customer subject-matter experts, system administrators/IT staff, and/or privacy/pharmacy program operational and/or leadership staff.
- Facilitate semi-annual strategy meetings with Customer’s operational and executive stakeholders to ensure measurable achievement of targeted business outcomes.
- Monitor release notices and documentation to alert Customer of product enhancements that benefit their unique needs or objectives.
- Facilitate engagement with Imprivata product teams during controlled availability and beta programs, and to provide advanced insight into product roadmap.
- Provide Customer a designated contact (the “Advisor”) who will serve as an expert on the services and Customer’s central point of contact with a connection to the larger Imprivata community. The Advisor will:
- Application Configuration:
- Customer Responsibilities.
- Provide the Advisor with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.
- Work with the Advisor to identify the appropriate Customer management personnel for incorporation into the standardized workflows, education initiatives and quarterly strategy meetings.
- Work with the Advisor to finalize the Communications Plan for Customer’s organization.
- Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.
- Follow recommended education and awareness initiatives as recommended by the Advisor.
- Provide IT support as required to provision, enable, and secure the required access, rights, and privileges for the Advisor to perform the duties outlined herein.
- Ensure adequate representation, attendance and participation from Customer staff as needed for bi-monthly operational- or project-level staff meetings and semi-annual strategy meetings with operational and executive stakeholders.
- Other actions reasonably suggested by the Advisor and/or mutually agreed upon in writing.
- Common Terms used in Imprivata Advisory Services Engagements.
B. Project Conditions.
- The Customer will designate an appropriate named IT / Privacy resource (“Managed Services Lead”) as the principal point of contact throughout the engagement. The Managed Services Lead’s responsibilities include: scheduling and planning of the Customer’s resources, coordination of project meetings and requirements gathering sessions, point of contact for escalations and problem and conflict resolution management.
- Imprivata Managed Services are performed between the business hours of 8:00 AM and 5:00 PM local Customer time Monday through Friday, excluding normally observed holidays. The observed holidays will be specified in the Imprivata Support and Learning Center, which shall include real-time notifications. The Imprivata Managed Services team will perform their scheduled review of the alerts the next business day after the holiday. Managed Services provided outside these times will be agreed-upon in writing by both parties in advance and may be subject to additional fees.
C. Usage Limits and Change-of-Scope Fee Adjustments for Imprivata EMR Management System Managed Services Packages
- Usage Limits for Managed Privacy Services and Advisory Services
- Managed Services are subject to usage limits as specified in the Agreement and the applicable Quote. Upon Imprivata’s request and within thirty (30) days of such request, an officer of Customer shall submit written verification of its compliance with any usage and scope limits of the Managed Services. At any time during the term, but no more than once per year, Imprivata may conduct a review of Customer’s records and systems data and/or request information and documentation necessary to verify Customer’s compliance with the usage and scope limits of the Managed Services and with the terms of the Agreement. If Customer has exceeded the applicable usage limits of the Managed Services, Customer will be invoiced for the difference, along with interest at the rate of 0.75% per month, which shall be payable within thirty (30) days of such invoice. If the deficiency is greater than five percent (5.0%) of the amount paid during the period under review, Customer shall pay the reasonable expenses associated with such review, in addition to the actual deficiency plus interest at the rate of 0.75% per month. If the review instead reveals that Customer has overpaid for Managed Services through no fault of Customer, then Imprivata shall promptly issue a credit to Customer equal to the corresponding overpayment during the review period, and such credit shall be applied to Customer’s next invoice due.
- Change-of-Scope Fee Adjustments for Managed Privacy Services and Advisory Services.
- General: Imprivata does not set pricing based on traditional “seat licenses,” and the fees prescribed in a Quote are quoted and agreed to based, at least in part, upon certain assumptions and statistics provided by Customer to Imprivata. As is documented in each Quote and Renewal Quote, Customer shall represent and warrant to the accuracy of Customer’s number of employees and number of licensed beds, or number of unique users of the Imprivata System (as applicable) at the time such Quote is executed (“Initial Base Statistics”). Customer understands and acknowledges that material increases in any of the Initial Base Statistics will materially change the scope of engagement and service cost to Imprivata. Customer thus expressly agrees that in the event that one or more of the Initial Base Statistics increases by more than ten percent (10%) during the term of that Quote (including any Renewal Terms) Imprivata shall have the right to increase or decrease the recurring subscription service fees identified in that Quote (“Subject Annual Fees”) by a corresponding percentage in accordance with the methodology described below. Customer shall promptly remit payment for such adjusted Subject Annual Fees; provided that (i) Customer shall receive at least three months’ advance notice before any such fee adjustments take effect, and (ii) such adjustments shall be applied prospectively and not retroactively.
- Methodology:
- Measurement Dates & Periods: Beginning with the initial term of a Quote and during any subsequent renewal terms, upon each half-year anniversary of the initial Contract Effective Date (each such half-year anniversary being a “Measurement Date”), Imprivata will review the then-current value of the applicable Base Statistics through any information provided to Imprivata (which Customer agrees to provide upon request) and also through any publicly-available information sources. If any then-current value of a Base Statistic on a Measurement Date has increased by ten percent (10%) or more over the corresponding Initial Base Statistic, then Imprivata shall provide Customer with written notice that all Subject Annual Fees to be paid by Customer for the next annual subscription period shall be increased by the greatest percentage increase in a then-current Base Statistic as compared to the applicable Initial Base Statistic. The equivalent increased Subject Annual Fees shall be due for each subsequent year of the Quote (including any renewals thereof) unless and until either subsequently adjusted under this provision or the parties agree in writing to reset the Initial Base Statistic values.
- Validation Period: After receiving written notice of any such increase in Subject Annual Fees, Customer shall have 30 days to review Imprivata’s findings of the then-current values for the Base Statistics. The parties shall work in good faith to validate those values and eliminate any misleading increases, decreases, or omissions that do not fairly and reasonably represent a change in the scope of the engagement. For any validated changes in Base Statistics that are not reasonably in dispute, Imprivata shall promptly notify Customer of the corresponding changes to the Subject Annual Fees, which shall be due and payable on the next anniversary of the Contract Effective Date.
- Subsequent Increases and Decrease in Base Statistics: If the Subject Annual Fees have been increased under the above process, then all Subject Annual Fees to be paid by Customer for next annual subscription period commencing after each Measurement Date shall be equal to one plus the greatest net percentage increase in the then-current Base Statistics as compared to the applicable value for the Initial Base Statistics; provided, however, that in no event may the Subject Annual Fees be reduced to an amount less than the corresponding initial Subject Annual Fees set forth in the Initial Quote or a Renewal Quote. For clarity, once the initial 10% increase threshold has been exceeded, applying the net percentage increase will allow for subsequent decreases in the Base Statistics to reduce the upcoming Subject Annual Fees, but never below the floor of the initial Subject Annual Fees.