Managed Services Appendix
Imprivata, Inc. (“Imprivata”) will provide the managed services (“Managed Services”) as further described herein to you (“Customer”) during the course of the Subscription Term for which Customer has paid the applicable fees and pursuant to the Master Cloud Services Agreement. Terms not otherwise defined herein shall be defined as set forth in the Master Cloud Services Agreement. The descriptions that follow apply only to the Managed Services offered directly from Imprivata. Imprivata’s authorized resellers may offer different service options and should be contacted for information specific to their policies.
Managed Services
Imprivata may provide certain Managed Services for Imprivata Cloud Services purchased by Customer pursuant to the Agreement by means of Imprivata professional services staff, engineers, project managers, implementation engineers, deployment specialists, clinical workflow specialists, business analysts and other specialists (“Administrator(s)”) as applicable and further described herein.
Imprivata offers eight (8) Managed Services packages for the Cloud Services: (i) Mobile Management Services; (ii) FairWarning Managed Privacy Services; (iii) FairWarning Managed Privacy Services LITE; (iv) FairWarning Drug Diversion Monitoring Services; (v) FairWarning Advisory Services; (vi) Privileged Access Management Services; (vii) Vendor/Customer Privileged Access Management Services and (viii) Mobile Managed Services. Imprivata will provide Customer the applicable Managed Services purchased by Customer (as indicated on the Imprivata Order Form or its equivalent if purchasing through an authorized reseller) as further described below:
Mobile Management Services Package MS-MGMT-MOBILE-MAM-SUB
- Implementation Services
- Establish and test API connections to Customer’s mobile device management (“MDM”) solution via the Imprivata GroundControl console.
- Configure and test device settings and GroundControl workflows.
- Provide additional project support in proportion to the following deployment sizes:
- Small (2,499 devices or fewer) – Per subscription year:
- Forty (40) hours of remote project management.
- Two (2) days of onsite workflow specialist support.
- Four (4) days of onsite go-live, hardware deployment and end user support.
- Medium (2,500 – 19,999 devices) – Per subscription year:
- Sixty (60) hours of remote project management.
- Three (3) days of onsite workflow specialist support.
- Six (6) days of onsite go-live, hardware deployment and end user support.
- Large (20,000 devices or more) – Per subscription year:
- Ninety (90) hours of remote project management.
- Four (4) days of onsite workflow specialist support.
- Eight (8) days of onsite go-live, hardware deployment and end user support.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Direct administration of Imprivata system
- Proactively monitor critical events and activity logs to alert Customer’s team to any changes needed as well as facilitate remediation and any required support.
- Monitor utilization and adoption metrics to ensure the broadest and most consistent end-user adoption and intervene to gather user feedback as needed.
- Implement configuration changes to address Customer’s evolving needs, including during MDM migrations and installation of proof-of-concept environments to allow testing of requested features and enhancements.
- Deliver new workflow automation rules and updates to existing workflow rules, including any testing and training required.
- Change management: Imprivata system configuration
- Interpret architecture, system, and workflow changes for configuration, testing, and implementation work required.
- Review change requests weekly for potential impact to GroundControl and other Imprivata mobile solutions. GroundControl and such Imprivata mobile solutions are collectively referred to herein as “Imprivata Mobile Solutions.”
- Respond to unanticipated needs for changes and help to actively remediate any impact to Imprivata Mobile Solutions caused by changes to architectural components integrated with the Imprivata system.
- Imprivata Customer Support Escalation management
- Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
- Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations.
- Customer help desk escalation handling
- Train Customer help desk staff to optimize front-line user and Customer’s own support service level agreements (SLAs) on Imprivata-related cases.
- Receive end user issues escalated through Customer’s help desk for troubleshooting, determining root cause, and reaching a resolution.
- Application & Architectural relationship management
- Schedule and run checkpoint calls with application and architectural teams with interdependencies between the Imprivata Mobile Solution and other systems or infrastructures including preparation and completion of action items and follow-ups needed.
- Serve as the Customer stakeholders’ central point of contact for system/application needs and supportability review.
- Product Advocacy
- Monitor advance-notice internal release documentation and alert Customer to product enhancements that benefit its unique needs or objectives.
- Develop plans for implementing new features.
- Facilitate engagement with Imprivata development team for controlled availability and beta programs, and to provide advanced insight into product roadmap.
- Communications
- Customer is responsible for attending the following meetings:
- No less frequently than semi-annually, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
- No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
Case Priority Classification
- Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below:
| Priority | Definition | Customer Instructions | Customer Responsibilities |
| --- | --- | --- | --- |
| Priority 1 – Critical production system down | An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted. | Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator). | Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved. |
| Priority 2 – Major impact | A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available. | Create a case for the Administrator (the Administrator may escalate if additional assistance is needed). | Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved. |
| Priority 3 – General issue | A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available. | Create a case for the Administrator. | Administrator will advise if coordination from Customer IT staff is required. |
| Priority 4 – Question or minor impact | Instructions or information are requested regarding existing product functionality. | Create a case for the Administrator. | Administrator will advise if coordination from Customer IT staff is required. |
Service Level Response Times
- Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.
| Priority | Initial Response Time |
| --- | --- |
| Priority 1 | Customer should contact Imprivata Customer Support directly |
| Priority 2 | Initial Administrator response within 2 business hours |
| Priority 3 | Initial Administrator response within 1 business day |
| Priority 4 | Initial Administrator response within 2 business days |
- Customer Obligations
- Access to Network. Customer shall provide technical access as further set forth below to Customer’s computer network. Such access shall be provided through a generic user account to be shared by the Administrator staff and individual reports accessed by Customer at will via the Imprivata Customer Connect gatekeeper installation.
- Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
- Imprivata Customer Connect Access
- Gatekeeper or Nexus Installation on dedicated endpoint or virtual desktop access from which all required systems can be accessed.
- At minimum, one directory account with Administrator permissions, for system access and configuration, testing, and administration
- Endpoint access to an approved web browser user account and endpoint access to Imprivata Admin UI.
Imprivata FairWarning Managed Privacy Services (MPS) MS-MGMT-FW-MPS-SUB
- Common Terms used in MPS Engagements.
- “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.
- “Access Review” refers to the review of Customer’s computer system user(s) who have accessed a patient’s EHR and/or other clinical applications. This may involve identifying all users who accessed the record at issue or identifying whether a specific user accessed the record.
- “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.
- “Enforced Policies” (also known as “Behavioral Analytics”) are reports (1) with specific criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “trigger” when that specific criterion is met.
- “Investigation” means examination of the Access by a computer user of Customer (e.g., an employee or contractor) that was identified as potentially not business related during the review of a triggered Enforced Policy, including documenting the examination in the Investigation section of the Imprivata Patient Privacy Intelligence Platform.
- “Special Alert” means an Enforced Policy created for a specific situation or event (e.g., for a high-profile patient that is in the hospital).
- “Validation Request” means the written request that Imprivata sends to Customer’s management personnel after review of a triggered Enforced Policy, when the preliminary review by Imprivata failed to identify a likely business reason for the Access.
- MPS Specifications.
- Foundation Building Services:
- Provide a Requirement Checklist covering select subject areas deemed essential to the success of the Imprivata Patient Privacy Intelligence Program for Customer’s review of its existing policies.
- Establish the following (where applicable):
- Standardized workflows
- Proven validation process
- Communication and education plan
- Customized communication and education materials
- Guidance on documentation of decisions around the deployment of Imprivata Patient Privacy Intelligence
- Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Managed Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.
- Alert Monitoring Services:
- Depending on the service level/SKU selected, Imprivata MPS staff will configure up to a specified number of Enforced Policies (automated alerts), i.e., the “Enforced Policy Limit”, from a menu of available Enforced Policies, as set forth in Section D below, at the suggested rate of one Enforced Policy every 10 - 13 weeks or another schedule mutually agreed upon. After the initial four (4) Enforced Policies have been configured, additional Enforced Policies may be purchased from a menu of available Enforced Policies. Any additional Enforced Policies configured must be agreed upon in advance and in writing.
- Apply specific filters to the Enforced Policies where applicable and available to reduce the number of false-positive alerts.
- Provide recommendations to the Customer on staff education and awareness initiatives.
- Provide trending results of positive findings (i.e., confirmed inappropriate Access) from triggered Enforced Policies.
- Provide or assist Customer with governance and compliance effectiveness reporting.
- Upon written request by Customer no more than twice per month, provide MPS interpretation assistance with Access Reviews based on specific inquiries or complaints. Customer must submit a MPS Ad-Hoc Request form to request MPS interpretation of an Access Review, and such Access Review shall be limited in scope to no more than a six (6) month time period.
- In accordance with the MPS Service Level Agreement below, promptly notify Customer’s designated contact personnel upon discovery of suspected inappropriate Access by a computer user of Customer.
- Document reviews and investigations of triggered Enforced Policies in the Imprivata PPI platform.
- Validate a Customer computer user’s Access if a business reason cannot be determined.
- Provide continuous PPI monitoring of the Customer’s software applications delivering data to Imprivata PPI platform technology through the use of Enforced Policies configured by the Imprivata MPS staff. Continuous PPI monitoring occurs as such data is received daily from Customer’s software applications on a going forward basis and does not include monitoring of time periods prior to the daily receipt.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Customer Responsibilities.
- Provide the Imprivata MPS staff with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.
- Work with the Imprivata MPS staff to identify the appropriate Customer management personnel for incorporation into the MPS standardized workflows and validation processes.
- Work with the Imprivata MPS staff to finalize the communications plan for Customer’s organization.
- Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.
- Ensure timely management response in validating suspicious or inappropriate access (within two business days).
- When notified by the Imprivata MPS staff, review and close all documented reviews and investigations of triggered Enforced Policies. This includes responsibility for determining if the investigation is a confirmed incident and if it is a reportable “Breach” as defined under state or federal law.
- Carry out any required patient and/or government notifications.
- Carry out appropriate sanctions as indicated by investigations of triggered Enforced Policies investigated by the Imprivata MPS staff.
- Follow recommended education and awareness initiatives either (i) as recommended by the Imprivata MPS staff based on trending of positive findings from review of triggered Enforced Policies or (ii) in equivalent measures mutually agreed upon in writing.
- Provide IT support as required (e.g., data feeds, adding additional data fields to extracts, etc.).
- Other actions reasonably suggested by the Imprivata MPS staff and mutually agreed upon in writing.
- MPS Service Level Agreement
- Except as otherwise set forth herein, Enforced Policies triggered and received by Imprivata Managed Services Staff between 9 am Mon and 12 pm Fri, Eastern Time, will be reviewed within 24 hours.
- Except as otherwise set forth herein, Enforced Policies triggered and received by Imprivata Managed Services Staff between 12 pm Fri and 9 am Mon, Eastern Time, will be reviewed by 5 pm Tuesday.
- Any Investigations into potential inappropriate Access will be completed and documented by the Imprivata Managed Services Staff within 3-5 business days of receipt, contingent upon Customer’s management response to Validation Request within 2 days.
- Notification of Customer representative by Imprivata Managed Services Staff upon completion of any Investigations into inappropriate Access.
- Completion of Access Reviews within 7 business days of receipt.
- Implementation of the number of Enforced Policies that were purchased in your initial Order Form (“EP Limit”).
- In the event of a widespread natural disaster or similar emergency affecting Imprivata or the Customer, SLAs may be negatively impacted.
- Service Levels set forth above are dependent upon Imprivata Managed Services Staff timely receipt of data. In the event of a delay or suspension of data received by the Imprivata Managed Services Staff, Imprivata Managed Services Staff will work in good faith with the Customer to agree upon Service Levels extended in proportion with such delay or suspension.
Imprivata FairWarning Managed Privacy Services LITE (MPS LITE) MS-MGMT-FW-MPS-LITE-SUB
- Common Terms used in MPS Engagements.
- “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.
- “Access Review” refers to the review of Customer’s computer system user(s) who have accessed a patient’s EHR and/or other clinical applications. This may involve identifying all users who accessed the record at issue or identifying whether a specific user accessed the record.
- “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.
- “Enforced Policies” (also known as “Behavioral Analytics”) are reports (1) with specific criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “trigger” when that specific criterion is met.
- “Investigation” means examination of the Access by a computer user of Customer (e.g., an employee or contractor) that was identified as potentially not business related during the review of a triggered Enforced Policy, including documenting the examination in the Investigation section of the Imprivata Patient Privacy Intelligence Platform.
- “Special Alert” means an Enforced Policy created for a specific situation or event (e.g., for a high-profile patient that is in the hospital).
- “Validation Request” means the written request that Imprivata sends to Customer’s management personnel after review of a triggered Enforced Policy, when the preliminary review by Imprivata failed to identify a likely business reason for the Access.
- “Alert Limits” are filters enabling alerts to be scored for likelihood of policy violation/false-positive designation, for focus on top-ranked alerts and closure of alerts outside of the limits.
- MPS Specifications.
- Foundation Building Services:
- Provide a Requirement Checklist covering select subject areas deemed essential to the success of the Imprivata Patient Privacy Intelligence Program for Customer’s review of its existing policies.
- Establish the following (where applicable):
- Standardized workflows
- Proven validation process
- Communication and education plan
- Communication and education materials
- Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Managed Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.
- Alert Monitoring Services:
- Imprivata will configure up to four (4) Enforced Policies (automated alerts), i.e., the “Enforced Policy Limit”, from a menu of available Enforced Policies for MPS LITE, as set forth in Section D below, at the suggested rate of one Enforced Policy every 10-12 weeks. MPS LITE is not eligible for the purchase of additional Enforced Policies beyond the four (4) included with the package. Each Enforced Policy counts toward the limit as applied to a single data source. Whenever possible, data sources will be combined to apply to a single Enforced Policy.
- Apply Alert Limits to the Enforced Policies where applicable and available, to a maximum of ten (10) alerts per Enforced Policy, per week.
- A trend threshold and distinct count threshold will be used on trend-based Enforced Policies to manage alert volume and accuracy.
- Provide recommendations to the Customer on staff education and awareness initiatives.
- Provide or assist Customer with one (1) governance and compliance effectiveness reporting portfolio per month, with a maximum of five (5) governance reports chosen from the Governance Report Library.
- Upon written request by Customer no more than once per month, provide MPS interpretation assistance with Access Reviews based on specific inquiries or complaints. Customer must submit a MPS Ad-Hoc Request form to request MPS interpretation of an Access Review, and such Access Review shall be limited in scope to no more than a six (6) month time period.
- In accordance with the MPS Service Level Agreement below, promptly notify Customer’s designated contact personnel upon discovery of suspected inappropriate Access by a computer user of Customer.
- Document reviews and investigations of triggered Enforced Policies in the Imprivata PPI platform.
- Provide continuous PPI monitoring of the Customer’s software applications delivering data to Imprivata PPI platform technology through the use of Enforced Policies configured by the Imprivata MPS staff. Continuous PPI monitoring occurs as such data is received daily from Customer’s software applications on a going forward basis and does not include monitoring of time periods prior to the daily receipt.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Customer Responsibilities.
- Continuous monitoring of the Customer’s applications delivering data to Imprivata PPI platform technology to ensure receipt of all data necessary for proactive monitoring.
- Provide the Imprivata MPS staff with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata.
- Work with the Imprivata MPS staff to identify the appropriate Customer management personnel for incorporation into the MPS standardized workflows and validation processes.
- Work with the Imprivata MPS staff to finalize the communications plan for Customer’s organization.
- Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.
- Ensure timely management response in validating suspicious or inappropriate access (within two business days).
- When notified by the Imprivata MPS staff, review and close all documented reviews and investigations of triggered Enforced Policies. This includes responsibility for determining if the investigation is a confirmed incident and if it is a reportable “Breach” as defined under state or federal law.
- Carry out any required patient and/or government notifications.
- Carry out appropriate sanctions as indicated by investigations of triggered Enforced Policies investigated by the Imprivata MPS staff.
- Follow recommended education and awareness initiatives either (i) as recommended by the Imprivata MPS staff based on trending of positive findings from review of triggered Enforced Policies or (ii) in equivalent measures mutually agreed upon in writing.
- Provide IT support as required (e.g., data feeds, adding additional data fields to extracts, etc.).
- Other actions reasonably suggested by the Imprivata MPS staff and mutually agreed upon in writing.
- MPS Service Level Agreement
- Except as otherwise set forth herein, Enforced Policies triggered and received by Imprivata Managed Services Staff between 9 am Mon and 12 pm Fri, Eastern Time, will be reviewed within 24 hours.
- Except as otherwise set forth herein, Enforced Policies triggered and received by Imprivata Managed Services Staff between 12 pm Fri and 9 am Mon, Eastern Time, will be reviewed by 5 pm Tuesday.
- Any Investigations into potential inappropriate Access will be completed and documented by the Imprivata Managed Services Staff within 3-5 business days of receipt, contingent upon Customer’s management response to Validation Request within 2 days.
- Notification of Customer representative by Imprivata Managed Services Staff upon completion of any Investigations into inappropriate Access.
- Completion of Access Reviews within 7 business days of receipt.
- Implementation of the number of Enforced Policies that were purchased in your initial Order Form (“EP Limit”).
- In the event of a widespread natural disaster or similar emergency affecting Imprivata or the Customer, SLAs may be negatively impacted.
- Service Levels set forth above are dependent upon Imprivata Managed Services Staff timely receipt of data. In the event of a delay or suspension of data received by the Imprivata Managed Services Staff, Imprivata Managed Services Staff will work in good faith with the Customer to agree upon Service Levels extended in proportion with such delay or suspension.
Imprivata FairWarning Drug Diversion Monitoring Services (DDM) MS-MGMT-FW-DDM-SUB
- Common Terms used in DDM Engagements.
- “Access” generally refers to the act of a computer user accessing controlled substances, and other monitored substances, within an automated dispensing machine (ADM).
- “Access Review” refers to the review of Customer’s computer system user(s) who have accessed controlled substances, or other monitored substances.
- “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access of Controlled/monitored Substances.
- “Enforced Policies” (also known as “Behavioral Analytics”) are reports (1) with specific criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “trigger” when that specific criterion is met.
- “Investigation” means examination of the Access by a computer user of Customer (e.g., an employee or contractor) that was identified as potentially not business related during the review of a triggered Enforced Policy, including documenting the examination in the Investigation section of the Imprivata Drug Diversion Intelligence Platform.
- “Special Alert” means an Enforced Policy created for a specific situation or event (e.g., for a suspected diversion).
- “Validation Request” means the written request that Imprivata sends to Customer’s management personnel after review of a triggered Enforced Policy, when the preliminary review by Imprivata failed to identify a likely business reason for the Access.
- Managed Services Specifications.
- Foundation Building Services:
- Provide a Requirement Checklist covering select subject areas deemed essential to the success of the Imprivata Drug Diversion Intelligence Program for Customer’s review of its existing policies.
- Establish the following (where applicable):
- Standardized workflows
- Proven validation process
- Communication and education plan
- Customized communication and education materials
- Guidance on documentation of decisions around the deployment of Imprivata Drug Diversion Intelligence
- Completion: The completion time for any professional services, including but not limited to implementation, installation, or migration (for this paragraph, the “Services”) to be performed under an Order Form, and any milestones, shall be dependent on Imprivata’s receipt of all Customer assets and specifications necessary for the project, in addition to Imprivata receiving a valid signed Order Form or processing, as requested by Imprivata. The completion deadline will start from the date of delivery of all such assets and specifications, not the date of Imprivata’s receipt of the signed Order Form. Customer acknowledges that delays in providing assets or specifications at the request of Imprivata for such Managed Services may delay the completion of the Services. Imprivata shall not be faulted for delays caused by Customer’s failure to reasonably cooperate.
- Alert Monitoring Services:
- Depending on the service level/SKU selected, Imprivata Managed Services staff will configure up to a specified number of Enforced Policies (automated alerts), i.e., the “Enforced Policy Limit”, from a menu of available Enforced Policies at the suggested rate of one Enforced Policy every 10 - 13 weeks or another schedule mutually agreed upon. After the initial four (4) Enforced Policies have been configured, additional Enforced Policies may be purchased from a menu of available Enforced Policies. Any additional Enforced Policies configured must be agreed upon in advance and in writing.
- Apply specific filters to the Enforced Policies where applicable and available to reduce the number of false-positive alerts.
- Provide recommendations to the Customer on staff education and awareness initiatives.
- Provide trending results of positive findings (i.e., confirmed inappropriate Access) from triggered Enforced Policies.
- Provide or assist Customer with governance and compliance effectiveness reporting.
- Upon written request by Customer no more than twice per month, provide DDM interpretation assistance with Access Reviews based on specific inquiries or complaints. Customer must submit a DDM Ad-Hoc Request form to request DDM interpretation of an Access Review, and such Access Review shall be limited in scope to no more than a six (6) month time period.
- In accordance with the DDM Service Level Agreement below, promptly notify Customer’s designated contact personnel upon discovery of suspected inappropriate Access by a computer user of Customer.
- Document reviews and investigations of triggered Enforced Policies in the Imprivata DDM platform.
- Provide continuous Drug Diversion Intelligence monitoring of the Customer’s software applications delivering data to Imprivata Drug Diversion Intelligence Platform technology through the use of Enforced Policies configured by the Imprivata Managed Services staff. Continuous DDM monitoring occurs as such data is received daily from Customer’s software applications on a going forward basis and does not include monitoring of time periods prior to the daily receipt.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Customer Responsibilities.
- Provide the Imprivata Managed Services staff with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.
- Work with the Imprivata Managed Services staff to identify the appropriate Customer management personnel for incorporation into the Managed Services standardized workflows and validation processes.
- Work with the Imprivata Managed Services staff to finalize the communications plan for Customer’s organization.
- Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.
- Ensure timely management response in validating suspicious or inappropriate access (within two business days).
- When notified by the Imprivata Managed Services staff, review and close all documented reviews and investigations of triggered Enforced Policies. This includes responsibility for determining if the investigation is a confirmed incident and if it is a reportable “Breach” as defined under state or federal law.
- Carry out any required patient and/or government notifications.
- Carry out appropriate sanctions as indicated by investigations of triggered Enforced Policies investigated by the Imprivata Managed Services staff.
- Follow recommended education and awareness initiatives either (i) as recommended by the Imprivata Managed Services staff based on trending of positive findings from review of triggered Enforced Policies or (ii) in equivalent measures mutually agreed upon in writing.
- Provide IT support as required (e.g., data feeds, adding additional data fields to extracts, etc.).
- Other actions reasonably suggested by the Imprivata Managed Services staff and mutually agreed upon in writing.
- DDM Service Level Agreement
- Except as otherwise set forth herein, Behavioral Analytics triggered and received by Imprivata Managed Services Staff between 9 am Mon and 12 pm Fri, Eastern Time, will be reviewed within 24 hours.
- Except as otherwise set forth herein, Behavioral Analytics triggered and received by Imprivata Managed Services Staff between 12 pm Fri and 9 am Mon, Eastern Time, will be reviewed by 5 pm Tuesday.
- Any Investigations into potential inappropriate Access will be completed and documented by the Imprivata Managed Services Staff within 5-8 business days of receipt, contingent upon Customer’s management response to Validation Request within 2 days.
- Notification of Customer representative by Imprivata Managed Services Staff upon completion of any Investigations into inappropriate Access.
- Completion of Access Reviews within 7 business days of receipt.
- Implementation of up to the number of behavioral analytics purchased in the Order Form (“EP Limit”).
- In the event of a widespread natural disaster or similar emergency affecting Imprivata or the Customer, SLAs may be negatively impacted.
- Service Levels set forth above are dependent upon Imprivata Managed Services Staff timely receipt of data. In the event of a delay or suspension of data received by the Imprivata Managed Services Staff, Imprivata Managed Services Staff will work in good faith with the Customer to agree upon Service Levels extended in proportion with such delay or suspension.
Imprivata FairWarning Advisory Services MS-ADVIS-FW-SUB
- Common Terms used in Imprivata FairWarning Advisory Services Engagements.
- “Access” generally refers to the act of a computer user of the Customer in accessing electronic Protected Health Information (“ePHI”) within an electronic health record (“EHR”) or other application(s) maintained by Customer.
- “Communication Plan” means the communication plan to inform the Customer’s own employees/workforce of (1) the increased monitoring activities being configured and (2) what the organizational policies are for acceptable use and unacceptable behavior regarding Access to Customer’s applications containing ePHI.
- “Enforced Policies” (also known as “Behavioral Analytics”) are reports (1) with specific criteria designed to detect specific activities or behavior, that (2) can be scheduled and will automatically alert or “trigger” when that specific criteria is met.
- Imprivata FairWarning Advisory Services Specifications.
- Application Configuration:
- Configure and test Enforced Policies to address areas of risk and unique Customer use cases for proactive monitoring and risk mitigation.
- Conduct application overviews for new end users and new feature training when applicable to facilitate meaningful use and optimal utilization of the application.
- Establish optimal alert review and investigation generation workflows, quality, and accuracy.
- Educate and provide communication standards to end users.
- Create, schedule, and set up email notifications for governance reports, governance portfolios, and governance dashboards to provide summary of monitoring efforts and potential high-risk areas.
- Create and share end user dashboards for each user or group of users for a high-level overview of program.
- Tailor end user reports for a variety of use cases.
- Instruct users on how to create alert views for themselves or their group.
- Apply intelligent filters/machine learning to eligible Enforced Policies, and fine-tune/tailor configuration to decrease alert volume and alert fatigue.
- Optimization of the Platform:
- Advise on newly available features and enhancements for the Managed Services for optimal utilization.
- Provide ongoing alignment between current and available reports as Customer’s report library expands and is updated with new releases of the Services.
- Review the Behavioral Analytics menu to assist in selecting the optimal Data Compromise, Data Exfiltration, and Cyber Security Threats Enforced Policy options, and advise on alignment with industry best practices.
- Services Advisor:
- Provide Customer a designated Administrator who will serve as an expert on the Managed Services and Customer’s central point of contact with a connection to the larger Imprivata FairWarning community. The Administrator will:
- Provide consultation on best end user practices.
- Review Enforced Policies to ensure downward alert trending indicates increasing compliance in user behavior.
- Gather and deliver industry research and best practices and lessons learned at-scale within the broader Imprivata FairWarning customer base, to accelerate the maturity of customer programs and processes.
- No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with the Customer subject-matter experts, system administrators/IT staff, and/or privacy/pharmacy program operational and/or leadership staff.
- Facilitate semi-annual strategy meetings with Customer’s operational and executive stakeholders to ensure measurable achievement of targeted business outcomes.
- Monitor release notices and documentation to alert Customer of product enhancements that benefit their unique needs or objectives.
- Facilitate engagement with Imprivata product teams during controlled availability and beta programs, and to provide advanced insight into product roadmap.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Customer Responsibilities.
- Provide the Administrator with copies of the Customer’s policy(ies) covering the select subject areas identified by Imprivata for review.
- Work with the Administrator to identify the appropriate Customer management personnel for incorporation into the standardized workflows, education initiatives and quarterly strategy meetings.
- Work with the Administrator to finalize the Communications Plan for Customer’s organization.
- Execute and deliver either a communication and education plan (as created by Imprivata with Customer’s assistance) or an equivalent plan that has been mutually agreed upon in writing.
- Follow recommended education and awareness initiatives as recommended by the Administrator.
- Provide IT support as required to provision, enable, and secure the required access, rights, and privileges for the Administrator to perform the duties outlined herein.
- Ensure adequate representation, attendance and participation from Customer staff as needed for bi-monthly operational- or project-level staff meetings and semi-annual strategy meetings with operational and executive stakeholders.
- Other actions reasonably suggested by the Administrator and/or mutually agreed upon in writing.
Privileged Access Management (PAM) Services MS-MGMT-iPAM-SUB
- Configuration of Imprivata system
- On a quarterly basis:
- Depending upon the software and licenses owned, test operating procedures, including but not limited to break-the-glass, restore from backup, migration to another supported database.
- On a monthly basis:
- Perform periodic maintenance data clean-up procedures, including the import and/or removal of assets or records.
- On a weekly basis:
- Monitor the health of internal and/or third-party new user onboarding, provisioning and deprovisioning processes as built during implementation phase.
- Review audit logs, alerts, and reports for Customer’s ease of navigation and use of the data.
- Imprivata Customer Support Escalation management
- Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
- Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations.
- Platform optimization
- On a bi-monthly basis, schedule and facilitate meetings with Customer’s operational staff to consult and advise Customer regarding best practices for use and maintenance of Imprivata system, and advise Customer of new features and enhancements released or pending release.
- On a quarterly basis, monitor and manage general configuration settings including retention, file share, mail, backup, and licensing.
- On an annual basis, apply periodic version updates to the Imprivata system software on each node.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
Vendor/Customer Privileged Access Management (VPAM formerly known as Enterprise Access and CPAM formerly known as Customer Connect) Services MS-MGMT-VPAM-SUB/MS-MGMT-CPAM-SUB
- Configuration Services
- On a quarterly basis:
- Depending upon the software and licensing owned, test operating procedures, including but not limited to DR, restore from backup, migration to another supported database.
- On a monthly basis:
- Perform periodic maintenance data clean-up procedures, including the import and/or removal of vendors/customers/applications.
- On a weekly basis:
- Monitor the health of internal and/or third-party new vendor/customer onboarding, provisioning and deprovisioning processes as built during implementation phase.
- Review audit logs, alerts, and reports for Customer’s ease of navigation and use of the data.
- Technical and Operational Services
- Remote Administration Services: White Glove Onboarding Services and administrative optimization services by an Onboarding Specialist and a Managed Services Engineer in the Customer’s environment, as required.
- Bulk Imports: Bulk import of application information as required
- Server Migration: Support of Server Migrations as required
- DNS Changes: DNS Changes as needed
- PAM Integrations: Assistance with configuring PAM integration as needed
- Custom Reporting: Managed Services Engineers will provide custom reporting as required.
- Development and Validation Services
- Health Checks: Imprivata will provide biannual health checks ahead of upgrades, and findings will be accounted for in the annual optimization plan.
- Response to Vulnerability Scans: Managed Services will triage findings from Customer’s security scans and complete any necessary evaluation against them.
- Database Manipulation: Managed Services engineers will update database configuration as required
- Environment Merges: Managed Services engineers will migrate application information from Source to Destination server as needed
- Imprivata Resourcing and Management
Imprivata will provide a Program Manager who will be responsible for the following tasks:
- Manage the scheduling of Imprivata resources during the period of engagement, including a dedicated White Glove Onboarding Specialist, a dedicated Managed Services Engineer, and a Managed Services Architect.
- Prior to the start of the engagement, the Customer will designate a primary point of contact for communications relative to the engagement, who will have the authority to act on behalf of the Customer in all matters regarding the engagement, including:
- Managing the Customer’s personnel and responsibilities for the engagement
- Serving as the interface between Customer departments participating in the engagement
- Helping resolve issues and, if necessary, escalating issues within the Customer’s organization
- Imprivata Customer Support Escalation Management
- Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
- Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations.
- Platform Optimization
- On a bi-monthly basis, schedule and facilitate meetings with Customer’s operational staff to consult and advise Customer regarding best practices for use and maintenance of Imprivata system, and advise Customer of new features and enhancements released or pending release.
- On a quarterly basis, monitor and manage general configuration settings including retention, file share, mail, backup, and licensing.
- On an annual basis, apply periodic version updates to the Imprivata system software on each node.
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Case Priority Classification
Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below.
- Priority 1 – Critical production system down
- Definition: An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted.
- Customer Instructions: Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator).
- Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.
- Priority 2 – Major impact
- Definition: A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available.
- Customer Instructions: Create a case for the Administrator (the Administrator may escalate if additional assistance is needed).
- Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.
- Priority 3 – General issue
- Definition: A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available.
- Customer Instructions: Create a case for the Administrator.
- Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.
- Priority 4 – Question or minor impact
- Definition: Instructions or information are requested regarding existing product functionality.
- Customer Instructions: Create a case for the Administrator.
- Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.
- Service Level Response Times
Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.
- Priority 1: Customer should contact Imprivata Customer Support directly.
- Priority 2: Initial Administrator response within 2 business hours.
- Priority 3: Initial Administrator response within 1 business day.
- Priority 4: Initial Administrator response within 2 business days.
- Customer Obligations
- Customer Administrator staff will approve or deny vendor access requests for their applicants; Imprivata remote administrators will not approve or deny access, as that function falls to the Customer administrator and/or the application owners for the vendor.
- Access to Network. Customer shall provide technical access, as further set forth below, to Customer’s computer network. Such access shall be provided through a generic user account shared by the Administrator staff, with individual reports accessible to Customer at will via the Imprivata CPAM (formerly known as Customer Connect) gatekeeper installation.
- Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
- Imprivata CPAM (formerly known as Customer Connect) Access.
- Gatekeeper on a dedicated endpoint, or a Nexus connection to a server from which all required systems can be accessed.
- At minimum, one directory account with Administrator permissions for system access, configuration, testing, and administration.
- Communications
- Customer is responsible for scheduling and holding the following meetings:
- No less frequently than quarterly, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
- No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
Mobile Managed Services Package MS-MGMT-MOBILE-SUB
- Education subscription
- For two (2) participants:
- Unlimited access to all virtual education class offerings.
- Individual seats accessing all content in the Imprivata Learning Center.
- Access to certifications across all product offerings.
- Unlimited access to all refresher virtual training.
- Direct administration of Imprivata system
- Proactively monitor critical events and activity logs to alert Customer’s team to any changes needed as well as facilitate remediation and any required support.
- Monitor utilization and adoption metrics to ensure the broadest and most consistent end-user adoption and intervene to gather user feedback as needed.
- Implement configuration changes to address Customer’s evolving needs, including during MDM migrations and installation of proof-of-concept environments to allow testing of requested features and enhancements.
- Deliver new workflow automation rules and updates to existing workflow rules, including any testing and training required.
- Change management: Imprivata system configuration
- Interpret architecture, system, and workflow changes for configuration, and testing.
- Review change requests weekly for potential impact to GroundControl and other Imprivata mobile solutions. GroundControl and such Imprivata mobile solutions are collectively referred to herein as “Imprivata Mobile Solutions.”
- Respond to unanticipated needs for changes and help to actively remediate any impact to Imprivata Mobile Solutions caused by changes to architectural components integrated with the Imprivata system.
- Imprivata Customer Support Escalation management
- Create support cases on behalf of the Customer and follow up with status reports on each case as needed, on a weekly basis.
- Automatically escalate issues based on agreed upon thresholds regarding case status, priority, age, etc. Summarize status, outcomes, and next steps following escalations.
- Customer help desk escalation handling
- Train Customer help desk staff to optimize front-line user and Customer’s own support service level agreements (SLAs) on Imprivata-related cases.
- Receive end user issues escalated through Customer’s help desk for troubleshooting, determining root cause, and reaching a resolution.
- Application & Architectural relationship management
- Schedule and run checkpoint calls with application and architectural teams with interdependencies between the Imprivata Mobile Solution and other systems or infrastructures including preparation and completion of action items and follow-ups needed.
- Serve as the Customer stakeholders’ central point of contact for system/application needs and supportability review.
- Product Advocacy
- Monitor advance-notice internal release documentation and alert Customer to product enhancements that benefit their unique needs or objectives.
- Develop plans for implementing new features.
- Facilitate engagement with Imprivata development team for controlled availability and beta programs, and to provide advanced insight into product roadmap.
- Communications
- Customer is responsible for attending the following meetings:
- No less frequently than semi-annually, hold strategic (steering) stakeholder meetings with Customer sponsor(s) at director-level or above with the authority to approve strategic priorities and resource commitments.
- No less frequently than bi-monthly (every two weeks), hold operational- or project-level stakeholder meetings with Customer application subject-matter experts, system administrators, and IT staff impacted by Imprivata solutions.
- Case Priority Classification
Administrators will be responsible for determining the case priority of the issue according to the case priority definitions set forth in the table below. The Administrator shall notify the Customer of the assigned case priority classification. Based on the priority level, the Customer’s responsibilities are also set forth below:
- Priority 1 – Critical production system down
- Definition: An Imprivata production system is down. Major functionality is not available for a broad number of users. No alternative solution or workaround is currently available. For example, an appliance does not function in a production environment and business is severely impacted.
- Customer Instructions: Contact Imprivata Customer Support directly for fastest response (Customer Support will work directly with the assigned Administrator).
- Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.
- Priority 2 – Major impact
- Definition: A major function or feature is failing. The issue severely restricts usability within a production environment. Project deployment is delayed. No alternative solution or workaround is currently available.
- Customer Instructions: Create a case for the Administrator (the Administrator may escalate if additional assistance is needed).
- Customer Responsibilities: Customer shall assign a named IT resource on a full-time on-call basis to assist and coordinate as needed until the issue is resolved.
- Priority 3 – General issue
- Definition: A minor flaw has been detected and usability is generally unaffected, moderately affected, or impacts a small number of users. A workaround may be available.
- Customer Instructions: Create a case for the Administrator.
- Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.
- Priority 4 – Question or minor impact
- Definition: Instructions or information are requested regarding existing product functionality.
- Customer Instructions: Create a case for the Administrator.
- Customer Responsibilities: Administrator will advise if coordination from Customer IT staff is required.
- Service Level Response Times
Initial response times are determined by the priority of the issue as set forth in the table below. Initial Response times are calculated from when Imprivata receives the initial case submission.
- Priority 1: Customer should contact Imprivata Customer Support directly.
- Priority 2: Initial Administrator response within 2 business hours.
- Priority 3: Initial Administrator response within 1 business day.
- Priority 4: Initial Administrator response within 2 business days.
- Customer Obligations
- Access to Network. Customer shall provide technical access, as further set forth below, to Customer’s computer network. Such access shall be provided through a generic user account shared by the Administrator staff, with individual reports accessible to Customer at will via the Imprivata Customer Connect gatekeeper installation.
- Customer shall provide the following technical access to Administrators utilizing its IT staff and resources:
- Imprivata Customer Connect Access
- Gatekeeper or Nexus installation on a dedicated endpoint, or virtual desktop access, from which all required systems can be accessed.
- At minimum, one directory account with Administrator permissions for system access, configuration, testing, and administration.
- Endpoint access through an approved web browser user account, and endpoint access to the Imprivata Admin UI.
Project Conditions
- The Customer will designate an appropriate named IT / Privacy / Pharmacy resource (“Managed Services Lead”) as the principal point of contact throughout the engagement. The Managed Services Lead’s responsibilities include: scheduling and planning of the Customer’s resources, coordination of project meetings and requirements gathering sessions, point of contact for escalations and problem and conflict resolution management.
- Imprivata Managed Services are performed between the business hours of 8:00 AM and 5:00 PM local Customer time Monday through Friday, excluding normally observed holidays. The observed holidays will be specified in the Imprivata Support and Learning Center, which shall include real-time notifications. The Imprivata Managed Services team will perform their scheduled review of the alerts the next business day after the holiday. Managed Services provided outside these times will be agreed-upon in writing by both parties in advance and may be subject to additional fees.
Term of Managed Services
- The term of each subscription for the applicable Managed Services package shall be as specified in the applicable Order Form and unless earlier terminated as provided herein, shall automatically renew for successive one (1)-year periods (each a “Renewal Term”), until such time as a party provides the other party with written notice of termination; provided, however, that: (a) such notice be given no fewer than thirty (30) days prior to the last day of the then-current term; and, (b) any such termination shall be effective as of the date that would have been the last day of the then-current Renewal Term.
Usage Limits, Change-of-Scope Fee Adjustments, and Enforced Policy Menus for Imprivata FairWarning Packages
- Change-of-Scope Fee Adjustments for FairWarning Managed Privacy Services, FairWarning Managed Privacy Services LITE, FairWarning Drug Diversion Monitoring Services, and FairWarning Advisory Services.
- General: Imprivata does not set pricing based on traditional “seat licenses,” and the fees prescribed in an Order Form are quoted and agreed to based, at least in part, upon certain assumptions and statistics provided by Customer to Imprivata. As is documented in each Order Form and renewal Order Form, Customer shall represent and warrant the accuracy of Customer’s number of unique individual user IDs across all data sources monitored by the FairWarning System (“Data Source User”) at the time such Order Form is executed (“Initial Base Statistics”). Customer understands and acknowledges that material increases in any of the Initial Base Statistics will materially change the scope of engagement and service cost to Imprivata. Customer thus expressly agrees that in the event that one or more of the Initial Base Statistics increases by more than ten percent (10%) during the term of that Order Form (including any Renewal Terms), Imprivata shall have the right to increase the recurring subscription service fees identified in that Order Form (“Subject Annual Fees”) by a corresponding percentage in accordance with the methodology described below. Customer shall promptly remit payment for such adjusted Subject Annual Fees; provided that (i) Customer shall receive at least two months’ advance notice before any such fee adjustments take effect, and (ii) such adjustments shall be applied prospectively and not retroactively.
- Methodology:
- Measurement Dates & Periods: Beginning with the initial term of an Order Form and during any subsequent renewal terms, upon each half-year anniversary of the initial contract effective date (each such half-year anniversary being a “Measurement Date”), Imprivata will review the then-current value of the applicable Base Statistics through any information provided to Imprivata (which Customer agrees to provide upon request) and also through any publicly-available information sources. If any then-current value of a Base Statistic on a Measurement Date has increased by ten percent (10%) or more over the corresponding Initial Base Statistic, then Imprivata shall provide Customer with written notice that all Subject Annual Fees to be paid by Customer for the next annual subscription period shall be increased by the greatest percentage increase in a then-current Base Statistic as compared to the applicable Initial Base Statistic. The equivalent increased Subject Annual Fees shall be due for each subsequent year of the Order Form (including any renewals thereof) unless and until either subsequently adjusted under this provision or the parties agree in writing to reset the Initial Base Statistic values.
- Validation Period: After receiving written notice of any such increase in Subject Annual Fees, Customer shall have 30 days to review Imprivata’s findings of the then-current values for the Base Statistics. The parties shall work in good faith to validate those values and eliminate any misleading increases, decreases, or omissions that do not fairly and reasonably represent a change in the scope of the engagement. For any validated changes in Base Statistics that are not reasonably in dispute, Imprivata shall promptly notify Customer of the corresponding changes to the Subject Annual Fees, which shall be due and payable on the next anniversary of the contract effective date.
- Subsequent Increases in Base Statistics: If the Subject Annual Fees have been increased under the above process, then all Subject Annual Fees to be paid by Customer for the next annual subscription period commencing after each Measurement Date shall be equal to one plus the greatest net percentage increase in the then-current Base Statistics as compared to the applicable value for the Initial Base Statistics.
- Enforced Policy Menus for FairWarning Managed Privacy Services, FairWarning Managed Privacy Services LITE, and FairWarning Drug Diversion Monitoring Services
- FairWarning Managed Privacy Services Enforced Policy Menu
DATA COMPROMISE

| Enforced Policy | Definition |
|---|---|
| Coworker Snooping | Monitoring for user access to medical records of patients who work in the same user department. |
| Household Snooping | Monitoring for user access to medical records of patients who live at the same household address. |
| Manager Snooping | Monitoring for user access to medical records of a patient who is their manager. |
| Guarantor Information Modification | Monitoring for a user to modify the medical records of their own patient guarantor information. |
| Break-the-Glass (BTG) Blank Override Reason | Monitoring for users who perform the Break-the-Glass event and fail to provide an override reason. |
| Patient of Interest/ VIP/ Temporary VIP | Monitoring for user access to an identified patient of interest or VIP/ temporary VIP. |
| Expired Patient of Interest | Monitoring for user access to an expired (deceased) patient of interest based on an average User ID threshold. |
| Self-Modification | Monitoring for a user to modify their own medical records. |
| Persons of Interest | Captures access to high profile patients, including actors, singers, athletes, and politicians, who are listed in a public database. Requires the implementation of the POI table. |
| Anomalous Workflow Detection | Detects anomalies among a user's daily workflow. |
| Pediatric Departments accessing Adult Patients | Monitoring for users who are accessing the medical records of adult patients (over 18 years old) and work in identified pediatric departments. |
| Predominantly Female Departments accessing Male Patients | Monitoring for users who are accessing the medical records of male patients (over 1 year old) and work in identified predominantly female departments. |

DATA EXFILTRATION

| Enforced Policy | Definition |
|---|---|
| Deceased Demographic Access | Monitoring for user access to Demographic Events of an expired (deceased) patient. |
| High Access of Employees | Monitoring for users who access a higher number of Customer employees than their peers. Peer group defined as users with the same User Department and Title. |
| High View/ Print Demographics | Monitoring for users who access or print a higher number of Demographic events than their peers. Peer group defined as users with the same User Department and Title. |
| High Access of Demographics of Patients Under 12 | Monitoring for users who access or print a higher number of Demographic events for patients under 12 than their peers. Peer group defined as users with the same User Department and Title. |
| High Access of Demographics of Patients Over 65 | Monitoring for users who access or print a higher number of Demographic events for patients over 65 than their peers. Peer group defined as users with the same User Department and Title. |
| Unusually High User Activity | Monitoring for users who access a higher number of patient medical records than their peers. Peer group defined as users with the same User Department and Title. |
| High View/ Print Insurance Information | Monitoring for users who access or print a higher number of Insurance events than their peers. Peer group defined as users with the same User Department and Title. |
| High View/ Print Specific Information (configurable) | Monitoring for users who access or print a higher number of configured events than their peers. Peer group defined as users with the same User Department and Title. |

CYBERSECURITY THREATS

| Enforced Policy | Definition |
|---|---|
| Access After Hours (Clinic or Department Specific) | Monitoring for user access to patient medical records outside of approved business hours. |
| Simultaneous Log-in | Monitoring for user access performed on different work station IDs within five seconds of each other. |
| Failed Log-In Attempts | Monitoring for a user who fails to log in; can be configured for failure after X amount of times. |

OTHER INFORMATION SECURITY THREATS

| Enforced Policy | Definition |
|---|---|
| Monitoring on Leave Employees | Monitoring for user access to patient medical records with a user status of on leave. |
| Access After Termination | Monitoring for user access to patient medical records after termination. |
- Managed Privacy Services LITE Enforced Policy Menu
DATA COMPROMISE

| Enforced Policy | Definition |
|---|---|
| Coworker Snooping | Monitoring for user access to medical records of patients who work in the same user department. |
| Household Snooping | Monitoring for user access to medical records of patients who live at the same household address. |
| Manager Snooping | Monitoring for user access to medical records of a patient who is their manager. |
| Patient of Interest | Monitoring for user access to an identified patient of interest or VIP/ temporary VIP. |
| Self-Modification | Monitoring for a user to modify their own medical records. |
| Anomalous Workflow Detection | Detects anomalies among a user's daily workflow. |

DATA EXFILTRATION

| Enforced Policy | Definition |
|---|---|
| High Access of Employees | Monitoring for users who access a higher number of Customer employees than their peers. Peer group defined as users with the same User Department and Title. |
| High View/ Print Demographics | Monitoring for users who access or print a higher number of Demographic events than their peers. Peer group defined as users with the same User Department and Title. |
| High Access of Demographics of Patients Under 12 | Monitoring for users who access or print a higher number of Demographic events for patients under 12 than their peers. Peer group defined as users with the same User Department and Title. |
| High Access of Demographics of Patients Over 65 | Monitoring for users who access or print a higher number of Demographic events for patients over 65 than their peers. Peer group defined as users with the same User Department and Title. |
| High View/ Print Insurance Information | Monitoring for users who access or print a higher number of Insurance events than their peers. Peer group defined as users with the same User Department and Title. |

CYBERSECURITY THREATS

| Enforced Policy | Definition |
|---|---|
| Access After Hours (Clinic or Department Specific) | Monitoring for user access to patient medical records outside of approved business hours. |

OTHER INFORMATION SECURITY THREATS

| Enforced Policy | Definition |
|---|---|
| Access After Termination | Monitoring for user access to patient medical records after termination. |
- Drug Diversion Monitoring Services Enforced Policy Menu
ANOMALOUS BEHAVIOR DETECTION

| Enforced Policy | Definition |
|---|---|
| Unusual Access of Controlled Substances | Monitoring for users who dispense a higher number of Controlled Substances than their peers. Peer group defined as users with the same User Department and Title. |
| Unusual Waste Documentation | Monitoring for users who waste a higher number of Controlled Substances than their peers. Peer group defined as users with the same User Department and Title. |
| Abnormal Discrepancy Creation | Monitoring for users who create a higher number of Controlled Substance Discrepancies than their peers. Peer group defined as users with the same User Department and Title. |
| Unusual Behavior by Waste Witness | Monitoring for users who act as a witness for waste of Controlled Substances significantly more than their peers. Peer group defined as users with the same User Department and Title. |
| Abnormal Override Activity | Monitoring for users who dispense a higher number of Controlled Substances on Override than their peers. Peer group defined as users with the same User Department and Title. |
| Abnormal Cancel Activity | Monitoring for users who cancel a higher number of Controlled Substances transactions than their peers. Peer group defined as users with the same User Department and Title. |
| Unusual Access of High-Risk Medications | Monitoring for users who dispense a higher number of High-Risk Medications than their peers. Peer group defined as users with the same User Department and Title. |
| Abnormal Access of Specific Patient Information | Monitoring for users who access or print a higher number of configured events than their peers. Peer group defined as users with the same User Department and Title. |
| Excessive Patient Additions | Monitoring for users who manually add patients to the ADS significantly more than their peers. Peer group defined as users with the same User Department and Title. |

TARGETED DIVERSION MONITORING

| Enforced Policy | Definition |
|---|---|
| Inventory Discrepancies | Monitoring for Inventory Discrepancies of Controlled Substances accessed in the ADS. |
| Excessive Waste Quantity | Monitoring for users who waste the full quantity of the Controlled Substance that was dispensed. |
| Deceased/Discharged Patient Access | Monitoring for users who dispense Controlled Substances for deceased or discharged patients. |
| High-Risk Department Monitoring | Monitoring for users who access medications within a High-Risk Department, as configured by the customer. |
| High-Risk Patient Population Monitoring | Monitoring for users who access medications for High-Risk Patients, as configured by the customer. |

COMPROMISED SECURITY MONITORING

| Enforced Policy | Definition |
|---|---|
| Access After Termination | Monitoring for user access to the ADS after the user has been terminated. |
| Access by Inactive/On Leave Employees | Monitoring for user access to the ADS while the user is identified as Inactive or On Leave. |
| Simultaneous Station Access | Monitoring for user access performed on different ADS Device IDs within 5 seconds of each other. |
Imprivata Obligations
- Imprivata shall use all appropriate safeguards to prevent the use or disclosure of Customer data or other information from Customer’s network, other than as permitted under this Appendix and in furtherance of Imprivata’s obligations under the Appendix;
- Imprivata shall promptly report any lost or stolen identification and passwords and shall ensure that all terminated Administrator(s) return to Imprivata all identification and passwords prior to such Administrator(s)’ departure;
- Imprivata shall instruct the Administrator(s) that access to Customer’s computer network shall be limited to the minimum necessary to perform the services under this Appendix;
- Imprivata will maintain the confidentiality of any user ID, password or other access control device provided by Customer to Imprivata and will not disclose such access control device to any third party, except as expressly authorized by Customer;
- Imprivata will not attempt to access any data or systems which are not necessary for Imprivata’s authorized purposes as set forth in this Appendix or in other written instructions to Imprivata by Customer and will terminate access to such data or systems whenever Imprivata ceases to have a need to know such data or systems;
- Imprivata will not tamper with, compromise, or attempt to circumvent or bypass any security pertaining to Customer’s systems, electronic or otherwise;
- Imprivata will take reasonable precautions not to allow entry of any virus or any other contaminant, including, but not limited to, codes, commands, or instructions that may be used to access, alter, delete, damage or disable the data, systems or other software or property;
- Imprivata will not install or download any unauthorized software;
- Imprivata will maintain the confidentiality of any data and/or systems to which it has access and will use such data and/or systems only as expressly authorized by this Appendix or in other written instructions to Imprivata; and
- Imprivata will notify Customer in the event Imprivata suspects that its network connection or any data or systems to which it has access have been compromised or in the event Imprivata suspects or knows of a breach of any of the foregoing.