Loading...
Res 13-01 Authorizing a Contract with Emergicon LLCRESOLUTION OF !WN COUNCIL OF ! OF AUTHORIZING! TO EXECUTE ., CONTRACT WITH EMERGICON, L.L.C. FOR AUTOMATED AMBULANCE BILLING AND ACCOUVTS,-VEC'KAV4,BLE WHEREAS, Westlake desires to provide proficient ambulance billing and accounts receivable services; and WHEREAS, the Town Council finds that the proposed service agreement provides sound financial stewardship consistent with goals and objectives within the adopted strategic plan; and WHEREAS, the Town Council finds that the passage of this Resolution is in the best interest of the Town. NOW, . !' BE IT RESOLVED BY THE TOWN! OF ! OF WESTLAKE, TEXAS: SEC'TI®N 1: That, all matters stated in the Recitals hereinabove are found to be true and correct and are incorporated herein by reference as if copied in their entirety. SECTION 2: The Town Council of the Town of Westlake hereby approves the contract with Emergicon, L.L.C. for a fee eleven percent (11%), for providing Automated Ambulance Billing and Accounts Receivable Services, attached as Exhibit "A", and further authorizes the Town Manager to execute the agreement on behalf of the Town of Westlake, Texas. SEC'TI®N 3: If any portion of this Resolution shall, for any reason, be declared invalid by any court of competent jurisdiction, such invalidity shall not affect the remaining provisions hereof and the Council hereby determines that it would have adopted this Resolution without the invalid provision. Resolution 13-01 Page 1 of 2 SECTION 4: That this resolution shall become effective from and after its date of passage. ATTEST: Kell EdwaMs, Town Secretary L. own,,Attorney z� aeLl Latera L. Wheat, Mayor— own Manaaer 13-01 Page 2 of 2 Emergicon, L.L.C. Con adentiality and Private Health Information 1 i ' This Business Associate Agreement (this "B.A. Agreement"), dated January 20__L',is entered into by and between Emergicon, L.L.C., with an address at P.O. Box 180446 Dallas, Texas 75218 (the "Business Associate") and the Town of Westlake, Texas, with an address3 Village Circle, Suite 202, Westlake, Texas 76262 (the "Covered Entity") (each a "Party" and collectively the "Parties"). Business Associate will carry out its obligations to protect the privacy and security of protected health information ("PHP') under this Agreement in compliance with the applicable provisions of Public Law 104-191 of August 21, 1996, known as the Health Insurance Portability and Accountability Act of 1996, Subtitle F — Administrative Simplification, Sections 261, et seq., as amended ("HIPAA"), and with Public Law 111-5 of February 17, 2009, known as the American Recovery and Reinvestment Act of 2009, Title XII, Subtitle D — Privacy, Sections 13400, et seq., the Health Information Technology and Clinical Health Act, as amended ("the HITECH Act"). In conformity therewith, Business Associate shall use or disclose PHI only if such use or disclosure is in compliance with each applicable requirement of the HIPAA Privacy Regulations found at 45 CFR 164.504(e) and shall comply with the HIPAA Security Regulations made directly applicable to business associates under the HITECH Act. Business Associate will protect the privacy and security of any personally identifiable PHI that is collected, processed or learned as a result of the services provided to Covered Entity and Business Associate agrees that it will: Not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; 2. Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement; 3. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement; 4. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware; EMERGICON BUSINESS ASSOCIATE AGREEMENT Page 1 Resolution 13-01 5. Ensure that any agents or subcontractors to whom Business Associate provides PHI, or who have access to PHI created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such PHI; b. Make PHI available to Covered Entity and to an individual who has a right of access within 30 days of the request, as required under HIPAA. To the extent that the PHI is maintained in an electronic health record, Business Associate shall provide the individual with a copy of such information in electronic format, as required by the HITECH Act; 7. Incorporate any amendments to PHI when notified to do so by Covered Entity; 8. Provide an accounting of all uses or disclosures of PHI made by Business Associate within 60 days, as required under the HIPAA and the HITECH Act; 9. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services for purposes of determining Business Associate's and Covered Entity's compliance with HIPAA and the HITECH Act; 10. At the termination of this Agreement, return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity, and if return is infeasible, the protections of this Agreement will extend to such PHI; 11. Restrict the disclosure of PHI to a health plan for purposes of carrying out payment or healthcare operations if Covered Entity authorizes or requests Business Associate to do so; 12. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of e -PHI that it creates, receives, maintains or transmits on behalf of Covered Entity; 13. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule; 14. Report to Covered Entity any security incident (as defined by the HIPAA Security Rule) which Business Associate becomes aware of, and the steps it has taken to mitigate any potential security compromise that may have occurred, and provide a report to Covered Entity of any loss of data or other information system compromise as a result of the incident; EMERGICON BUSINESS ASSOCIATE AGREEMENT Page 2 Resolution 13-01 15. Notify Covered Entity of a breach of unsecured PHI following Business Associate's discovery of a breach without unreasonable delay and in no case later than 60 calendar days after discovery, and provide to Covered Entity: (a) the identification of each individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the breach; and (b) any other available information that Covered Entity is required to include in notification to affected individuals; 16. Secure all PHI in accordance with the technologies and methodologies specified by guidance from the Secretary of HHS, issued pursuant to the HITECH Act; and 17. Assist Covered Entity in complying with its Red Flag Rule obligations by: (a) implementing policies and procedures to detect relevant Red Flags (as defined under 16 C.F.R. §681.2); (b) taking all steps necessary to comply with the policies and procedures of Covered Entity's Identity Theft Prevention Program; (c) ensuring that any agent or third party who performs services on its behalf in connection with covered accounts of Covered Entity agrees to implement reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft; and (d) alerting Covered Entity of any red flag incident (as defined by the Red Flag Rules) of which it becomes aware, the steps it has taken to mitigate any potential harm that may have occurred, and provide a report to Covered Entity of any threat of identity theft as a result of the incident. The specific uses and disclosures of PHI that may be made by Business Associate on behalf of Covered Entity include: 1. The preparation of invoices to patients, carriers, insurers and others responsible for payment or reimbursement of the services provided by Covered Entity to its patients; 2. Preparation of reminder notices and documents pertaining to collections of overdue accounts; 3. Performing data aggregation for Covered Entity; 4. The submission of supporting documentation to carriers, insurers and other payers to substantiate the healthcare services provided by Covered Entity to its patients or to appeal denials of payment for same; Uses required for the proper management of Business Associate as a business associate, and 6. Other uses or disclosures of PHI as permitted by HIPAA. Not withstanding any other provisions of this Agreement, if either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of the other party's obligations under this Agreement, that party shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful either: terminate the EMERGICON BUSINEss ASSOCIATE AGREEMENT Page 3 Resolution 13-01 Agreement, if feasible; or if termination is infeasible, report the problem to the Secretary of the Department of Health and Human Services. Agreed to this ?:8ih day of , - 2016. 0.�'n Town of Westlake, Texas By: Print Name: Tom BVmer Print Title: Town Manager Date: Public IP address: Emergicon, L.L. IM o'B -. C) - � a B - Print Name: Christopher Turner Print Title: President & CEO Date: 0 ('9 EMERGICON BUSINESS ASSOCIATE AGREEMENT Page 4 Resolution 13-01 . �ITUM AM This document is an addendum to the Service Agreement between Emergicon, L.L.C. and the Town of Westlake. It is understood that the following software is being purchased from ESO Solutions by The Town of Westlake through a Service Agreement with Emergicon, L.L.C. QUOTE LITE ITEMS .. ..,, ePCIR uitevv,'QuahttManaggement 1001 84,495.00 10-00% S4,045-60 Quick,Speak Z00 100.0D% $0.00 I e c R,, Mobile i � 2.00 $695_m 1 %Q_Gtr� $1,25.00 Inter %z Monitor oo S3,99500 6^-00t $3,593V I3 teffac Bilrenq -cio v?t&,995.00 1L>53 00% E 80.00 I Set -vices - T<'ahiitig I 1.00 995.w%6:t -Fere=rices - Training Travel Costs l :ir5 j $50000 i $500.00 subtotai $15,5-8G Discount 33.28`s Total Price $10,387-00 Emergicon agrees to pay the above mentioned software fees to ESO Solutions as well as provide two (2) fully rugged mobile computers acceptable to the Town of Westlake. The contract between ESO Solutions and the Town of Westlake will automatically renew annually according to the ESO Solutions Software License Agreement. Emergicon will pay ESO Solutions on the contract renewal date for the full annual subscription fee. Cancellation fees Should the Town of Westlake terminate Emergicon's Service Agreement or ESO's Subscription Agreement within twelve (12) months of the date of this Addendum, The Town of Westlake will be responsible for full payment to Emergicon of a cancellation fee equal to the total cost ($10,387.00). Emergicon will invoice the Town of Westlake upon written notice of cancellation and payment will be due 30 days from cancellation date. Compensation In consideration for providing the agreed upon billing services in the Service Agreement and ESO Pro Suite detailed above, the Town of Westlake will amend Section 2.02 of the Service Agreement to pay Emergicon eleven percent (11%) of the total amount collected on the Account. EMERGIC , , L.L.C. Y: Name: Christopher Turner Title: President & CEO Date: ) (. /%4r .' - "` .. Town of Westlake By: _ Name: Tom r Title: Townager es t Date: ql 1-'; EMERGICON SERVICE AGREEMENT—ADDENDUM A Page 1 This Subscription Agreement (the "Agreement") is made as of the first date written below (the "Effective Date") by and between ESO SOLUTIONS, INC., a Texas corporation with its principal place of business at 9020 N Capital of Texas Hwy, Building H-300, Austin, Texas 78759 ("ESO"), and Westlake Fire Dept., with its principal place of business at 3 ) Village Circle, Suite #202, Westlake, Texas 76262 ("Customer") WHEREAS, ESO is in the business of providing software services (the "Services") to businesses and municipalities; and WHEREAS, Customer desires to obtain these Services from ESO, all upon the terms and conditions set forth herein; NOW, THEREFORE, for and in consideration of the agreement made, and the payments to be made by Customer, the parties mutually agree to the following: 1. Services. ESO agrees to provide Customer the Services selected by Customer on Exhibit A attached hereto and incorporated by reference hereof. Customer agrees that Services purchased hereunder are neither contingent on the delivery of any future functionality or features, nor dependent on any oral or written public comments made by ESO regarding future functionality or features. 2. Term. The Tenn of this Agreement shall commence on the Effective Date and shall terminate one year after the Effective Date. The Agreement shall automatically renew for successive renewal terms of one year, unless one party gives the other party written notice that the Agreement will not renew, at least thirty (30) days prior to the end of the current Term. a. Subscription Fees. Customer has chosen to have Emergicon with its principal place of business at PO Box 180446, Dallas, Texas 75218 ("Billing Agenf') pay all or a portion of the ESO Subscription and/or One- time Fees on its behalf as indicated in Exhibit A. In the event that Billing Agent does not pay the Subscription and/or One-time Fees on behalf of Customer, and Customer chooses to continue receiving ESO Services, then Customer shall be responsible for any outstanding fees. The Subscription Fees are invoiced annually in advance. ESO may evaluate Customer's usage and adjust Customer's invoice based on changes in Customer usage as indicated in Exhibit A. b. Payment of Invoices. Customer shall pay the full amount of invoices within thirty (30) days of receipt (the "Due Date"). Customer is responsible for providing complete and accurate billing and contact information to ESO and to notify ESO of any changes to such information. c. Disputed Invoices. If Customer in good faith disputes a portion of an invoice, Customer shall remit to ESO, by the Due Date, full payment of the undisputed portion of the invoice. In addition, Customer must submit written documentation: (i) identifying the disputed amount, (ii) an explanation as to why the Customer believes this amount is incorrect, (iii) what the correct amount should be, and (iv) written evidence supporting Customer's claim. If Customer does not notify ESO of a disputed invoice by the Due Date, Customer shall have waived its right to dispute that invoice. Any disputed amounts determined by ESO to be payable shall be due within ten (10) days of such determination. a. Termination by Customer for Cause. If ESO fails to perform a material obligation under this Agreement and does not remedy such failure within thirty (30) days following written notice from Customer ("ESO Resolution 13-01 Default"), Customer may terminate this Agreement without incurring further liability, except for the payment of all accrued but unpaid Subscription Fees. If ESO is unable to provide Service(s) for ninety (90) consecutive days due to a Force Majeure event as defined in Section 16a, Force Majeure, Customer may terminate the affected Service(s) without liability to ESO. b. Termination by ESO for Customer Default. ESO may terminate this Agreement with no further liability if (i) Customer fails to pay for Services as required by this Agreement and such failure remains uncorrected for five (5) days following written notice from ESO, or (ii) Customer fails to perform any other material obligation under this Agreement and does not remedy such failure within fifteen (15) days following written notice from ESO (collectively referred to as "Customer Default"). In the event of a Customer Default, ESO shall have the right to (i) terminate this Agreement; (ii) suspend all Services being provided to Customer; (iii) terminate the right to use the Software on the web and/or mobile devices; (iv) apply interest to the amount past due, at the rate of one and one-half percent (11/2%) (or the maximum legal rate, if less) of the unpaid amount per month; (v) offset any amounts that are owed to Customer by ESO against the past due amount then owed to ESO; and/or (vi) take any action in connection with any other right or remedy ESO may have under this Agreement, at law or in equity. If ESO terminates this Agreement due to a Customer Default, Customer shall remain liable for all accrued Subscription Fees and other charges. In addition, Customer agrees to pay ESO's reasonable expenses (including attorney and collection fees) incurred in enforcing ESO's rights in the event of a Customer Default. 5. Delivery of Data upon Expiration or Termination of Agreement. If Customer requests its data within thirty (30) days of expiration of this Agreement, or the termination of this Agreement pursuant to Section 4a above, ESO shall deliver to Customer its data, in machine readable format, on DVD or CD, at Customer's option. Customer shall reimburse ESO for the cost of the media on which Customer's data is delivered to Customer. If Customer wants the data to be delivered in a medium other than DVD or CD, ESO shall make reasonable and good faith efforts to accommodate Customer, provided that Customer supplies the medium on which the data is to be provided and shall pay for any additional cost incurred by ESO in accommodating this request. 6. System Maintenance. In the event ESO determines that it is necessary to interrupt the Services or that there is a potential for Services to be interrupted for the performance of system maintenance, ESO will use good -faith efforts to notify Customer prior to the performance of such maintenance and will schedule such maintenance during non -peak hours (midnight to 6 a.m. Central Standard Time). In no event shall interruption of Services for system maintenance constitute a failure of performance by ESO. 7. Access to Internet. Customer has sole responsibility for obtaining, maintaining, and securing its connections to the Internet, and ESO makes no representations to Customer regarding the reliability, performance or security of any particular network or provider. 8. Mobile Software. If Customer elects to use ESO's mobile Software (the "Software"), the provisions of this Section shall apply. a. Use of Software. Subject to the terms, conditions and restrictions in this Agreement and in exchange for the Mobile Software Interface Fees and/or Subscription Fees, ESO hereby grants to Customer non- exclusive, world-wide, non -transferable rights, for the Term of this Agreement, to use and copy (for installation and backup purposes only) the Software to the units for which the Mobile Software Interface has been purchased. b. Ownership and Restrictions. This Agreement does not convey any rights of ownership in or title to the Software or any copies thereof. All right, title and interest in the Software and any copies or derivative works thereof shall remain the property of ESO. Customer will not: (i) disassemble, reverse engineer or modify the Software; (ii) allow any third party to use the Software; (iii) use the Software as a component in any product or service provided by Customer to a third party; (iv) transfer, sell, assign, or otherwise convey the Software; (v) remove any proprietary notices placed on or contained within the Software; or (vi) copy N Resolution 13-01 the Software except for backup purposes. Customer agrees to keep the Software free and clear of all claims, liens, and encumbrances. c. Mobile Software Interface Fee. The Mobile Software Interface Fee is non-refundable. The Software shall be deemed accepted upon delivery to Customer. 9. Support acrd Updates. During the term of this Agreement, ESO shall provide to Customer the support services and will meet the service levels as set forth in Exhibit B attached hereto and incorporated hereof. ESO will also provide Updates to Customer, in accordance with Exhibit B. 10. Other Services. Upon request by Customer, ESO may provide services related to the Software other than the standard support described above at ESO's then -current labor rates. This may include on-site consultation, customization, and initial technical assistance and training for the purpose of installing the Software and training selected personnel on the use and support of the Software. ESO shall undertake reasonable efforts to accommodate any written request by Customer for such professional services. 11. Title. ESO hereby represents and warrants to Customer that ESO is the owner of the Software or otherwise has the right to grant to Customer the rights set forth in this Agreement. In the event of a breach or threatened breach of the foregoing representation and warranty, Customer's sole remedy shall be to require ESO to either: (i) procure, at ESO's expense, the right to use the Software, or (ii) replace the Software or any part thereof that is in breach and replace it with Software of comparable functionality that does not cause any breach. 12. Indemnification by Customer. Customer will defend and indemnify ESO from any and all claims brought against ESO by third parties and will hold ESO harmless from all corresponding losses incurred by ESO arising out of or related to (i) Customer's misuse of the Services and/or Software, (ii) any services provided by Customer to third parties, or (iii) Customer's negligence, inaction or omission in connection with the services it provides to third parties. 13. Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION HEREOF, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, RELIANCE, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOST PROFITS, LOST REVENUES OR COST OF PURCHASING REPLACEMENT SERVICES) ARISING OUT OF OR RELATING TO T141S AGREEMENT. ADDITIONALLY, ESO SHALL NOT BE LIABLE TO CUSTOMER FOR ANY ACTUAL DAMAGES IN EXCESS OF THE AGGREGATE AMOUNT THAT ESO HAS, PRIOR TO SUCH TIME, COLLECTED FROM CUSTOMER WITH RESPECT TO SERVICES DELIVERED HEREUNDER. FURTHERMORE, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER, EITHER IN CONTRACT OR IN TORT, FOR PROTECTION FROM UNAUTHORIZED ACCESS OF CUSTOMER DATA OR FROM UNAUTHORIZED ACCESS TO OR ALTERATION, THEFT OR DESTRUCTION OF CUSTOMER DATA FILES, PROGRAMS, PROCEDURE OR INFORMATION NOT CONTROLLED BY ESO, THROUGH ACCIDENT OR FRAUDULENT MEANS OR DEVICES. 14. Acknowledgements and Disclaimer of Warranties. Customer acknowledges that ESO cannot guarantee that there will never be any outages in ESO's network and that no credits shall be given in the event Customer's access to ESO's network is interrupted. UNLESS OTHERWISE SPECIFIED HEREIN, ESO MAKES NO WARRANTY TO CUSTOMER OR ANY OTHER PERSON OR ENTITY, WHETHER EXPRESS, IMPLIED OR STATUTORY, AS TO THE DESCRIPTION, QUALITY, MERCHANTABILITY, COMPLETENESS OR FITNESS FOR A PARTICULAR PURPOSE, OF ANY SERVICE OR SOFTWARE PROVIDED HEREUNDER OR DESCRIBED HEREIN, OR AS TO ANY OTHER MATTER (INCLUDING WITHOUT LIMITATION THAT THERE WILL BE NO IMPAIRMENT OF DATA), ALL OF WHICH WARRANTIES BY ESO ARE HEREBY EXCLUDED AND DISCLAIMED, TOT MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. Resolution 13-01 15. Confidential Information. "Confidential Information" shall mean all information disclosed in writing by one party to the other party that is clearly marked "CONFIDENTIAL" or "PROPRIETARY" by the disclosing party at the time of disclosure or which reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information does not include any information that (i) was already known by the receiving party free of any obligation to keep it confidential at the time of its disclosure; (ii) becomes publicly known through no wrongful act of the receiving party; (iii) is rightfully received from a third person without knowledge of any confidential obligation; (iv) is independently acquired or developed without violating any of the obligations under this Agreement; or (v) is approved for release by written authorization of the disclosing party. A recipient of Confidential Information shall not disclose the information to any person or entity except for the recipients and/or its employees, contractors and consultants who have a need to know such Confidential Information. The recipient may disclose Confidential Information pursuant to a judicial or governmental request, requirement or order; provided that the recipient shall take all reasonable steps to give prior notice to the disclosing party. Confidential Information shall not be disclosed to any third party without the prior written consent of the owner of the Confidential Information. The recipient shall use Confidential Information only for purposes of this Agreement and shall protect Confidential Information from disclosure using the same degree of care used to protect its own Confidential Information, but in no event less than a reasonable degree of care. Confidential Information shall remain the property of the disclosing party and shall be returned to the disclosing party or destroyed upon request of the disclosing party. Because monetary damages may be insufficient in the event of a breach or threatened breach of the foregoing provisions, the affected party may be entitled to seek an injunction or restraining order in addition to such other rights or remedies as may be available under this Agreement, at law or in equity, including but not limited to monetary damages. a. Force Majeure. Neither party shall be liable to the other, nor deemed in default under this Agreement if and to the extent that such party's performance of this Agreement is delayed or prevented by reason of Force Majeure, which is defined to mean an event that is beyond the reasonable control of the affected party and occurs without such party's fault or negligence. b. Entire Agreement. This Agreement, including all exhibits, addenda and any Business Associate Agreement (as that term is used in the Health Insurance Portability and Accountability Act and related regulations) hereto, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this agreement shall be effective unless in writing and signed by the party against whom the modification, amendment or waiver is asserted. c. Governing Law. This Agreement shall be governed by the laws of the State of Texas without regard to choice or conflict of law rules. d. Arbitration. Any controversy or claim arising out of or relating to this Agreement, or a breach of this Agreement, shall be finally settled by arbitration in Austin, Texas, and shall be resolved under the laws of the State of Texas. The arbitration shall be conducted before a single arbitrator, who may be a private arbitrator, in accordance with the commercial rules and practices of the American Arbitration Association then in effect. Any award, order or judgment pursuant to such arbitration shall be deemed final and binding and may be enforced in any court of competent jurisdiction. The arbitrator may, as part of the arbitration award, permit the substantially prevailing party to recover all or part of its attorney's fees and other out-of- pocket costs incurred in connection with such arbitration. All arbitration proceedings shall be conducted on a confidential basis. 11 Resolution 13-01 e. No Press Releases without Consent. Neither party may use the other party's name or ' trademarks, nor issue any publicity or public statements concerning the other party or the existence or content of this Agreement, without the other party's prior written consent. Notwithstanding, Customer agrees that ESO may use Customer's name and logo in ESO sales presentations, without Customer's prior written consent, during the Tenn of this Agreement, but only for the purposes of identifying the Customer as a customer of ESO. Likewise, Customer may use ESO's name and logo to identify ESO as a vendor or provider for Customer. f. Aggregate Data Reporting. Customer hereby grants ESO the right to collect data for aggregate reporting purposes, but in no event shall ESO disclose Protected Health Information ("PHI") unless permitted by law. Moreover, ESO will not identify Customer without Customer's consent. g. Compliance with Laws. Both parties shall comply with and give all notices required by all applicable federal, state and local laws, ordinances, rules, regulations and lawful orders of any public authority bearing on the performance of this Agreement. h. Waiver. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. i. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect. j. Notices. All notices and other communications hereunder shall be in writing and shall be deemed to have been duly given as of the date of delivery or confirmed facsimile or email transmission. Notices must be delivered or sent to the parties' respective addresses set forth above. k. Taxes. Unless otherwise required by law, Customer is responsible for and will remit (or will reimburse ESO for) all taxes of any kind, including sales, use, duty, customs, withholding, property, value-added, and other similar federal, state or local taxes (other than taxes based on ESO's income) assessed in comiection with the Services and/or Software provided to Customer under this Agreement. IN WITNESS WHEREOF, the parties have executed this Agreement as of the first written below. ESO SOLUTIONS B Title: President/CEO Date: Telephone: 866.766.9471 x 1022 Email: chris.dillie*esosolutions.com CUSTOMER Z By: Name: Title: t—i lre, (Lt, i'e+ Date: Telephone: 7 voi Email: Resolution 13-01 Customer hereby selected the following ESO Services, at the fees indicated: Emergicon will provide the following products: • ESO ePCR Annual Subscription (1) • ESO Pro Mobile Application (2) ® Cardiac Monitor Interface (1) ® Billing Interface (1) ® Onsite Training (1) • Training Travel Expense (1) I Resolution 13-01 I 12141um This Exhibit describes the software support services ("Support Services") that ESO will provide and the service levels that ESO will meet. 1. Definitions. Unless defined otherwise herein, capitalized terms used in this Exhibit shall have the same meaning as set forth in the Agreement. (a) "Customer Service Representative" shall be the person at ESO designated by ESO to receive notices of Errors encountered by Customer that Customer's Administrator has been unable to resolve. (b) "Error" means any failure of the Software to conform in any material respect with its published specifications. (c) "Error Correction" means a bug fix, patch, or other modification or addition that brings the Software into material conformity with its published performance specifications. (d) "Priority A Error" means an Error that renders the Software inoperable or causes a complete failure of the Software. (e) "Priority B Error" means an Error that substantially degrades the performance of the Software or materially restricts Customer's use of the Software. (f) "Priority C Error" means an Error that causes only a minor impact on Customer's use of the Software. (g) "Update" means any new commercially available or deployable version of the Software, which may include Error Corrections, enhancements or other modifications, issued by ESO from time to time to its Customers. (h) "Normal Business Hours" means 8:00 am to 5:00 pm Monday through Friday, Central Time Zone. 2. Customer Obligations. Customer will provide at least one administrative, employee (the "Administrator" or "Administrators") who will handle all requests for first -level support from Customer's employees with respect to the Software. Such support is intended to be the "front line" for support and information about the Software to Customer's employees. ESO will provide training, documentation, and materials to the Administrators to enable the Administrators to provide technical support to Customer's employees. The Administrators will refer any Errors to ESO's Customer Service Representative that the Administrators cannot resolve, pursuant to Section 3 below; and the Administrators will assist ESO in gathering information to enable ESO to identify problems with respect to reported Errors. 3. Support Services. (a) Scope. As further described herein, the Support Services consist of. (i) Error Corrections that the Administrator is unable to resolve and (ii) periodic delivery of Error Corrections and Updates. The Support Services will be available to Customer during normal business hours, to the extent practicable. Priority A Errors encountered outside normal business hours may be communicated to the Customer Service Representative via telephone or email. Priority B and C Errors encountered outside normal business hours shall be communicated via email. (b) Procedure. (i) Report ofError. In reporting any Error, the Customer's Administrator will describe to ESO's Customer Service Representative the Error in reasonable detail and the circumstances under which the Error occurred or is occurring; the Administrator will initially classify the Error as a Priority A, B or C Error. ESO reserves the right to reclassify the Priority of the Error. (ii) Efforts Required. ESO shall exercise commercially reasonable efforts to correct any Error reported by the Administrator in accordance with the priority level assigned to such Error by the Administrator. Errors shall be communicated to ESO's Customer Service Representative after hours as indicated below, depending on the priority level of the Error. In the event of an Error, ESO will within the time periods set forth below, depending upon the priority level of the Error, commence verification of the Error; and, upon verification, will commence Error Correction. ESO will work diligently to verify the Error and, once an Error has been verified, and until an Error Correction has been provided to the Administrator, shall use Resolution 13-01 commercially reasonable, diligent efforts to provide a workaround for the Error as soon as reasonably C� practicable. ESO will provide the Administrator with periodic reports on the status of the Error Correction on the frequency as indicated below. Priority of Communicating Error to Time in Which ESO Frequency of Periodic Error ESO outside Normal Will Commence Status Reports Business Hours Verification Priority A Telephone or email Within 8 hours of Every 4 hours until notification resolved Priority B Email Within I business day Every 6 hours until of notification resolved Priority C Email Within two calendar Every week until resolved weeks of notification 4. ESO Server Administration. ESO is responsible for maintenance of Server hardware. Server administration includes: (a) Monitoring and Response (b) Service Availability Monitoring (c) Backups (d) Maintenance (i) Microsoft Patch Management (ii) Security patches to supported applications and related components (iii) Event Log Monitoring (iv) Log File Maintenance (v) Drive Space Monitoring (e) Security (f) Virus Definition& Prevention (g) Firewall M Resolution 13-01 M0111 This Agreement (this "Agreement") is made and entered into as of the contract execution date by and between ESO Solutions Inc., ("Business Associate") a State of Texas corporation, and Westlake Fire Dept. ("Covered Entity"). WHEREAS, Business Associate acknowledges that Covered Entity has in its possession data that contains individual identifiable health information as defined by Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 ("HIPAA") and the regulations promulgated thereunder; and WHEREAS, Business Associate and Covered Entity are parties to an agreement (the "Service Agreement"), pursuant to which the fulfillment of the Parties' obligations thereunder necessitates the exchange of, or access to, data including individual identifiable health information, NOW, THEREFORE, in consideration of the mutual promises and covenants hereinafter contained, the Parties agree as follows: Terms used, but not otherwise defined, in this Agreement shall have the meanings set forth below. 1.1 "HHS Transaction Standard Regulation" means the Code of Federal Regulations ("CFR") at Title 45, Sections 160 and 162. 1.2 "Individual" means the subject of PHI or, if deceased, his or her personal representative. 1.3. "Parties" shall mean the Covered Entity and Business Associate. (Covered Entity and Business Associate, individually, may be referred to as a "Party.") 1.4 "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. 1.5 "PHI" shall have the same meaning as the term "protected health information in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity. 1.6 "Required By Law" shall have the same meaning as "required by law" in 45 CFR § 164.501. 1.7 "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. M1430, tant,'a" 2.1 Obligations and Activities of Business Associate. Business Associate agrees as follows: (a) not to use or further disclose PHI other than as pennitted or required by this Agreement or as Required By Law; (b) to establish, maintain, and use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted herein; (c) to report to Covered Entity any use, access or disclosure of the PHI not provided for by this Agreement, or any misuse of the PHI, including but not limited to systems compromises of which 9 Resolution 13-01 it becomes aware, and to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result thereof; (d) to enforce and maintain appropriate policies, procedures, and access control mechanisms to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. The access and privileges granted to any such agent shall be the minimum necessary to perform the assigned functions; (e) to provide access, at the request of Covered Entity, and in the time and manner reasonable designated by Covered Entity, to PHI in a Designated Record Set (as defined in the Privacy Rule), to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524; (f) to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably requested by Covered Entity; (g) to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule; (h) to document such disclosures of PHI, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528-- (i) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(i) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528; to promptly notify Covered Entity of all actual or suspected instances of deliberate unauthorized attempts (both successful and unsuccessful) to access PHI; (k) to maintain and enforce policies, procedures and processes to protect physical access to hardware, software and/or media containing PHI (e.g., hardcopy, tapes, removable media, etc. ) against unauthorized physical access during use, storage, transportation, disposition and /or destruction; (1) to ensure that access controls in place to protect PHI and processing resources from unauthorized access are controlled by two -factor identification and authentication: a user ID and a Token, Password or Biometrics. 2.2 Disclosures Required By Law. In the event that Business Associate is required by law to disclose PHI, Business Associate will immediately provide Covered Entity with written notice and provide Covered Entity an opportunity to oppose any request for such PHI or to take whatever action Covered Entity deems appropriate. 2.3 Specific Use and Disclosure Provisions. (a) Except as otherwise limited in this Agreement, Business Associate may use PHI only to carry out the legal responsibilities of the Business Associate under the Service Agreement. (b) Except as otherwise limited in this Agreement, Business Associate may only disclose PHI (i) as Required By Law, or (ii) in the fulfillment of its obligations under the Service Agreement and provided that Business Associate has first obtained (A) the consent of Covered Entity for such disclosure, (B) reasonable assurances from the person to whom the information is disclosed that the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and (C) reasonable assurances from the person to [U# Resolution 13-01 whom the information is disclosed that such person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 2.4 Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. (b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosures of PHI. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. (d) For any PHI received by Covered Entity from Business Associate on behalf of a third party or another covered entity, Covered Entity agrees to be bound to the obligations and activities of Business Associate enumerated in Section 2.1 as if, and to the same extent, Covered Entity was the named Business Associate hereunder. 2.5 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity. Upon request, Business Associate shall make available to Covered Entity any and all documentation relevant to the safeguarding of PHI including but not limited to current policies and procedures, operational manuals and/or instructions, and/or employment and/or third party agreements. 3.1 Government Healthcare Program Representations. Business Associate hereby represents and warrants to Covered Entity, its shareholders, members, directors, officers, agents, or employees that Business Associate has not been excluded or has not been served a notice of exclusion or has not been served with a notice of proposed exclusion, or has not committed any acts which are cause for exclusion from participation in, or had any sanctions, or civil or criminal penalties imposed under, any federal or state healthcare program, including, but not limited to, Medicare or Medicaid, and has not been convicted, under federal or state law (including without limitation a plea of nolo contendere or participation in a first offender deterred adjudication or other arrangement whereby ajudgment of conviction has been withheld), of a criminal offense related to (a) the neglect or abuse of a patient, (b) the delivery of an item or service, including the performance of management or administrative services related to the delivery of an item or service, under a federal or state healthcare program, (c) fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct in connection with the delivery of a healthcare item or service or with respect to any act or omission in any program operated by or financed in whole or in party by any federal, state or local government agency, (d) the unlawful, manufacture, distribution, prescription, or dispensing of a controlled substance, or (e) interference with or obstruction of any investigation into any criminal offense described in (a) through (d) above. Business Associate II Resolution 13-01 further agrees to notify Covered Entity immediately after Business Associate becomes aware that the foregoing representation and warranty may be inaccurate or may be incorrect. 3.2 Security Procedures. Each Party shall employ security procedures that comply with HIPAA and all other applicable state and federal laws and regulations (collectively, the "Law") and that are commercially reasonable, to ensure that transactions, notices, and other information that are electronically created, communicated, processed, stored, retained or retrieved are authentic, accurate, reliable, complete and confidential. Moreover, each Party shall, and shall require any agent or subcontractor involved in the electronic exchange of data to: (a) require its agents and subcontractors to provide security for all data that is electronically exchanged between Covered Entity and Business Associate; (b) provide, utilize, and maintain equipment, software, services and testing necessary to assure the secure and reliable transmission and receipt of data containing PHI; (c) maintain and enforce security management policies and procedures and utilize mechanisms and processes to prevent, detect, record, analyze, contain and resolve unauthorized access attempts to PHI or processing resources; (d) maintain and enforce polices and guidelines for workstation use that delineate appropriate use of workstations to maximize the security of data containing PHI; (e) maintain and enforce policies, procedures and a formal program for periodically reviewing its processing infrastructure for potential security vulnerabilities; (f) implement and maintain, and require its agents and subcontractors to implement and maintain, appropriate and effective administrative, technical and physical safeguards to protect the security, integrity and confidentiality of data electronically exchanged between Business Associate and Covered Entity, including access to data as provided herein. Each Party and its agents and subcontractors shall keep all security measures current and shall document its security measures implemented in written policies, procedures or guidelines, which it will provide to the other Party upon the other Party's request. 4.1 Obligations of the Parties. Each of the Parties agrees that for the PHI, (a) it will not change any definition, data condition or use of a data element or segment as proscribed in the HHS Transaction Standard Regulation. (b) it will not add any data elements or segments to the maximum denied data set as proscribed in the HHS Transaction Standard Regulation. (c) it will not use any code or data elements that are either marked "not used" in the HHS Standard's implementation specifications or are not in the HHS Transaction Standard's implementation specifications. (d) it will not change the meaning or intent of any of the HHS Transaction Standard's implementation specifications. 12 Resolution 13-01 4.2 Incorporation of Modifications to HHS Transaction Standards. Each of the Parties agrees and understands that from time -to -time, HHS may modify and set compliance dates for the MIS Transaction Standards. Each of the Parties agrees to incorporate by reference into this Agreement any such modifications or changes. 4.3 Business Associate Obligations. (a) Business Associate shall not submit duplicate transmissions unless so requested by Covered Entity. (b) Business Associate shall only perform those transactions that are authorized by Covered Entity. Furthermore, Business Associate assumes all liability for any damage, whether direct or indirect, to the electronic data or to Covered Entity's systems caused by Business Associate's unauthorized use of such transactions. (c) Business Associate shall hold Covered Entity harmless from any claim, loss or damage of any kind, whether direct or indirect, whether to person or property, arising out of or related to (1) Business Associate's use or unauthorized disclosure of the electronic data; or (2) Business Associate's submission of data, including but not limited to the submission of incorrect, misleading, incomplete or fraudulent data. (d) Business Associate agrees to maintain adequate back-up files to recreate transmissions in the event that such recreations become necessary. Back-up tapes shall be subject to this Agreement to the same extent as original data. (e) Business Associate agrees to trace lost or indecipherable transmissions and make reasonable efforts to locate and translate the same. Business Associate shall bear all costs associated with the recreation of incomplete, lost or indecipherable transmissions if such loss is the result of an act or omission of Business Associate. (f) Business Associate shall maintain, for seven (7) years, true copies of any source documents from which it produces electronic data. (g) Except encounter data furnished by Business Associate to Covered Entity, Business Associate shall not (other than to correct errors) modify any data to which it is granted access under this Agreement or derive new data from such existing data. Any modification of data is to be recorded, and a record of such modification is to be retained by Business Associate for a period of seven (7) years. (h) Business Associate shall not disclose security access codes to any third party in any manner without the express written consent of Covered Entity. Business Associate furthermore acknowledges that Covered Entity may change such codes at any time without notice. Business Associate shall assume responsibility for any damages arising from its disclosure of the security access codes or its failure to prevent any third party use of the system without the express written consent of Covered Entity. (i) Business Associate shall maintain general liability coverage, including coverage for general commercial liability, for a limit of not less than one million dollars, as well as other coverage as Covered Entity may require, to compensate any parties damaged by Business Associate's negligence. Business Associate shall provide evidence of such coverage in the form of a certificate of insurance and agrees to notify Covered Entity and/or HOI immediately of any reduction or cancellation of such coverage. 13 Resolution 13-01 Business Associate agrees to conduct testing with Covered Entity to ensure delivery of files that are HIPAA-AS Compliant and to accommodate Covered Entity's specific business requirements. 4.4 Confidential and Proprietary Information (a) Proprietary Information Business Associate acknowledges that it will have access to certain proprietary information used in Covered Entity's business. Covered Entity's proprietary information derives its commercial value from the fact that it is not available to competitors or any third parties, and the disclosure of this information would or could impair Covered Entity's competitive position or otherwise prejudice its ongoing business. Business Associate agrees to treat as confidential, and shall not use for its own commercial purpose or any other purpose, Covered Entity's proprietary information. Business Associate shall safeguard Covered Entity's proprietary information against disclosure except as may be expressly permitted herein. Such proprietary information includes, but is not limited to, confidential information concerning the business operations or practices of Covered Entity, including specific technology processes or capabilities. 5.1 Indemnification. Each Party agrees to indemnify the other for any damages, costs, expenses or liabilities, including legal fees and costs, arising from or related to a breach of such Party's obligations hereunder. 5.2 Term and Termination. (a) Term. The Term of this Agreement shall be effective as of the date first written above, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. (b) Termination for Cause. Upon a material breach by Business Associate of it obligation hereunder, Covered Entity may (i) terminate this Agreement and the Service Agreement; and (ii) report the violation to the Secretary. (c) Effect of Termination. (i) Except as provided in paragraph 5.2(c)(ii), upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PM received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. (ii) In the event that Business Associate determines that returning the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Covered Entity's agreement that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and IE Resolution 13-01 disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. 5.3 Disputes. Any controversy or claim arising out of or relating to the Agreement will be finally settled by compulsory arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association ("AAA"), except for injunctive relief as described below. 5.4 Injunctive Relief. Notwithstanding any rights or remedies provided for in Section 5.3, Covered Entity retains all rights to seek injunctive relief to prevent the unauthorized use of disclosure of PHI by Business Associate or any agent, contractor or third party that received PHI from Business Associate. 5.5 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. 001MENTIMMMINITIT-M The Parties agree to take such action as is necessary to amend this Agreement from time to time to the extent necessary for Covered Entity to comply with the requirements of HIPAA and its regulations. All amendments to this agreement shall be in writing and signed by both parties. 5.7 Survival. The respective rights and obligations of Business Associate and Covered Entity under Sections 4.4, 5.1 and 5.2(c) of this Agreement shall survive the termination of this Agreement. 5.8 Limitation of Damages. Other than liabilities under Section 5.1, neither party shall be liable to the other for any special, incidental, exemplary, punitive or consequential damages arising from or as a result of any delay, omission, or error in the electronic transmission or receipt of any information pursuant to this Agreement, even if the other Party has been advised of the possibility of such damages. 5.9 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy on IN Resolution 13-01 This Subscription Agreement (the "Agreement") is made as of the first date written below (the "Effective Date") by and between ESO SOLUTIONS, INC., a Texas corporation with its principal place of business at 9020 N Capital of Texas Hwy, Building II -300, Austin, Texas 78759 ("ESO"), and Westlake Fire Dept., with its principal place of business at 3 Village Circle, Suite #202, Westlake, Texas 76262 ("Customer"). WHEREAS, ESO is in the business of providing software services (the "Services") to businesses and municipalities; and WHEREAS, Customer desires to obtain these Services from ESO, all upon the terms and conditions set forth herein; NOW, THEREFORE, for and in consideration of the agreement made, and the payments to be made by Customer, the parties mutually agree to the following: 1. Services. ESO agrees to provide Customer the Services selected by Customer on Exhibit A attached hereto and incorporated by reference hereof. Customer agrees that Services purchased hereunder are neither contingent on the delivery of any future functionality or features, nor dependent on any oral or written public comments made by ESO regarding future functionality or features. 2. Term. The Term of this Agreement shall commence on the Effective Date and shall terminate one year after the Effective Date. The Agreement shall automatically renew for successive renewal terms of one year, unless one party gives the other party written notice that the Agreement will not renew, at least thirty (30) days prior to the end of the current Term. 3. Subscription Fees, Invoices and Payment Terms. Subscription Fees. Customer has chosen to have Emergicon with its principal place of business at PO Box 180446, Dallas, Texas 75218 (`Billing_ Agent") pay all or a portion of the ESO Subscription and/or One- time Fees on its behalf as indicated in Exhibit A. In the event that Billing Agent does not pay the Subscription and/or One-time Fees on behalf of Customer, and Customer chooses to continue receiving ESO Services, then Customer shall be responsible for any outstanding fees. The Subscription Fees are invoiced annually in advance. ESO may evaluate Customer's usage and adjust Customer's invoice based on changes in Customer usage as indicated in Exhibit A. b. Payment of Invoices. Customer shall pay the full amount of invoices within thirty (30) days of receipt (the "Due Date"). Customer is responsible for providing complete and accurate billing and contact information to ESO and to notify ESO of any changes to such information. c. Disputed Invoices. If Customer in good faith disputes a portion of an invoice, Customer shall remit to ESO, by the Due Date, full payment of the undisputed portion of the invoice. In addition, Customer must submit written documentation: (i) identifying the disputed amount, (ii) an explanation as to why the Customer believes this amount is incorrect, (iii) what the correct amount should be, and (iv) written evidence supporting Customer's claim. If Customer does not notify ESO of a disputed invoice by the Due Date, Customer shall have waived its right to dispute that invoice. Any disputed amounts determined by ESO to be payable shall be due within ten (10) days of such determination. 4. Termination. a. Termination by Customer for Cause. If ESO fails to perform a material obligation under this Agreement and does not remedy such failure within thirty (30) days following written notice from Customer ("ESO Default"), Customer may terminate this Agreement without incurring further liability, except for the payment of all accrued but unpaid Subscription Fees. If ESO is unable to provide Service(s) for ninety (90) consecutive days due to a Force Majeure event as defined in Section 16a, Force Majeure, Customer may terminate the affected Service(s) without liability to ESO. b. Termination by ESO for Customer Default. ESO may terminate this Agreement with no further liability if (i) Customer fails to pay for Services as required by this Agreement and such failure remains uncorrected for five (5) days following written notice from ESO, or (ii) Customer fails to perform any other material obligation under this Agreement and does not remedy such failure within fifteen (15) days following written notice from ESO (collectively referred to as "Customer Default"). In the event of a Customer Default, ESO shall have the right to (i) terminate this Agreement; (ii) suspend all Services being provided to Customer; (iii) terminate the right to use the Software on the web and/or mobile devices; (iv) apply interest to the amount past due, at the rate of one and one-half percent (1'/2%) (or the maximum legal rate, if less) of the unpaid amount per month; (v) offset any amounts that are owed to Customer by ESO against the past due amount then owed to ESO; and/or (vi) take any action in connection with any other right or remedy ESO may have under this Agreement, at law or in equity. If ESO terminates this Agreement due to a Customer Default, Customer shall remain liable for all accrued Subscription Fees and other charges. In addition, Customer agrees to pay ESO's reasonable expenses (including attorney and collection fees) incurred in enforcing ESO's rights in the event of a Customer Default. 5. Delivery of Data upon Expiration or Termination of Agreement. If Customer requests its data within thirty (30) days of expiration of this Agreement, or the termination of this Agreement pursuant to Section 4a above, ESO shall deliver to Customer its data, in machine readable format, on DVD or CD, at Customer's option. Customer shall reimburse ESO for the cost of the media on which Customer's data is delivered to Customer. If Customer wants the data to be delivered in a medium other than DVD or CD, ESO shall make reasonable and good faith efforts to accommodate Customer, provided that Customer supplies the medium on which the data is to be provided and shall pay for any additional cost incurred by ESO in accommodating this request. 6. System Maintenance. In the event ESO determines that it is necessary to interrupt the Services or that there is a potential for Services to be interrupted for the performance of system maintenance, ESO will use good -faith efforts to notify Customer prior to the performance of such maintenance and will schedule such maintenance during non -peak hours (midnight to 6 a.m. Central Standard Time). In no event shall interruption of Services for system maintenance constitute a failure of performance by ESO. 7. Access to Internet. Customer has sole responsibility for obtaining, maintaining, and securing its connections to the Internet, and ESO makes no representations to Customer regarding the reliability, performance or security of any particular network or provider. 8. Mobile Software. If Customer elects to use ESO's mobile Software (the "Software"), the provisions of this Section shall apply. a. Use of Software. Subject to the terms, conditions and restrictions in this Agreement and in exchange for the Mobile Software Interface Fees and/or Subscription Fees, ESO hereby grants to Customer non- exclusive, world-wide, non -transferable rights, for the Term of this Agreement, to use and copy (for installation and backup purposes only) the Software to the units for which the Mobile Software Interface has been purchased. b. Ownership and Restrictions. This Agreement does not convey any rights of ownership in or title to the Software or any copies thereof. All right, title and interest in the Software and any copies or derivative works thereof shall remain the property of ESO. Customer will not: (i) disassemble, reverse engineer or modify the Software; (ii) allow any third party to use the Software; (iii) use the Software as a component in any product or service provided by Customer to a third party; (iv) transfer, sell, assign, or otherwise convey the Software; (v) remove any proprietary notices placed on or contained within the Software; or (vi) copy Resolution 13-01 Page 2 of 15 the Software except for backup purposes. Customer agrees to keep the Software free and clear of all claims, liens, and encumbrances. c. Mobile Software Interface Fee. The Mobile Software Interface Fee is non-refundable. The Software shall be deemed accepted upon delivery to Customer. 9. Support and Updates. During the term of this Agreement, ESO shall provide to Customer the support services and will meet the service levels as set forth in Exhibit B attached hereto and incorporated hereof ESO will also provide Updates to Customer, in accordance with Exhibit B. 10. Other Services. Upon request by Customer, ESO may provide services related to the Software other than the standard support described above at ESO's then -current labor rates. This may include on-site consultation, customization, and initial technical assistance and training for the purpose of installing the Software and training selected personnel on the use and support of the Software. ESO shall undertake reasonable efforts to accommodate any written request by Customer for such professional services. 11. Title. ESO hereby represents and warrants to Customer that ESO is the owner of the Software or otherwise has the right to grant to Customer the rights set forth in this Agreement. In the event of a breach or threatened breach of the foregoing representation and warranty, Customer's sole remedy shall be to require ESO to either: (i) procure, at ESO's expense, the right to use the Software, or (ii) replace the Software or any part thereof that is in breach and replace it with Software of comparable functionality that does not cause any breach. 12. Indemnification by Customer. Customer will defend and indemnify ESO from any and all claims brought against ESO by third parties and will hold ESO harmless from all corresponding losses incurred by ESO arising out of or related to (i) Customer's misuse of the Services and/or Software, (ii) any services provided by Customer to third parties, or (iii) Customer's negligence, inaction or omission in connection with the services it provides to third parties. 13. Limitation of Liability. NOTWITHSTANDING ANY OTHER PROVISION HEREOF, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, RELIANCE, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOST PROFITS, LOST REVENUES OR COST OF PURCHASING REPLACEMENT SERVICES) ARISING OUT OF OR RELATING TO THIS AGREEMENT. ADDITIONALLY, ESO SHALL NOT BE LIABLE TO CUSTOMER FOR ANY ACTUAL DAMAGES IN EXCESS OF THE AGGREGATE AMOUNT THAT ESO HAS, PRIOR TO SUCH TIME, COLLECTED FROM CUSTOMER WITH RESPECT TO SERVICES DELIVERED HEREUNDER. FURTHERMORE, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER, EITHER IN CONTRACT OR IN TORT, FOR PROTECTION FROM UNAUTHORIZED ACCESS OF CUSTOMER DATA OR FROM UNAUTHORIZED ACCESS TO OR ALTERATION, THEFT OR DESTRUCTION OF CUSTOMER DATA FILES, PROGRAMS, PROCEDURE OR INFORMATION NOT CONTROLLED BY ESO, THROUGH ACCIDENT OR FRAUDULENT MEANS OR DEVICES. 14. acknowledgements and Disclaimer of Warranties. Customer acknowledges that ESO cannot guarantee that there will never be any outages in ESO's network and that no credits shall be given in the event Customer's access to ESO's network is interrupted. UNLESS OTHERWISE SPECIFIED HEREIN, ESO MAKES NO WARRANTY TO CUSTOMER OR ANY OTHER PERSON OR ENTITY, WHETHER EXPRESS, IMPLIED OR STATUTORY, AS TO THE DESCRIPTION, QUALITY, MERCHANTABILITY, COMPLETENESS OR FITNESS FOR A PARTICULAR PURPOSE, OF ANY SERVICE OR SOFTWARE PROVIDED HEREUNDER OR DESCRIBED HEREIN, OR AS TO ANY OTHER MATTER (INCLUDING WITHOUT LIMITATION THAT THERE WILL BE NO IMPAIRMENT OF DATA), ALL OF WHICH WARRANTIES BY ESO ARE HEREBY EXCLUDED AND DISCLAIMED, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. Resolution 13-01 Page 3 of 15 15. Confidential Information. "Confidential Information" shall mean all information disclosed in writing by one party to the other party that is clearly marked "CONFIDENTIAL" or "PROPRIETARY" by the disclosing party at the time of disclosure or which reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information does not include any information that (i) was already known by the receiving party free of any obligation to keep it confidential at the time of its disclosure; (ii) becomes publicly known through no wrongful act of the receiving party; (iii) is rightfully received from a third person without knowledge of any confidential obligation; (iv) is independently acquired or developed without violating any of the obligations under this Agreement; or (v) is approved for release by written authorization of the disclosing party. A recipient of Confidential Information shall not disclose the information to any person or entity except for the recipients and/or its employees, contractors and consultants who have a need to know such Confidential Information. The recipient may disclose Confidential Information pursuant to a judicial or governmental request, requirement or order; provided that the recipient shall take all reasonable steps to give prior notice to the disclosing party. Confidential Information shall not be disclosed to any third party without the prior written consent of the owner of the Confidential Information. The recipient shall use Confidential Information only for purposes of this Agreement and shall protect Confidential Information from disclosure using the same degree of care used to protect its own Confidential Information, but in no event less than a reasonable degree of care. Confidential Information shall remain the property of the disclosing party and shall be returned to the disclosing party or destroyed upon request of the disclosing party. Because monetary damages may be insufficient in the event of a breach or threatened breach of the foregoing provisions, the affected party may be entitled to seek an injunction or restraining order in addition to such other rights or remedies as may be available under this Agreement, at law or in equity, including but not limited to monetary damages. 16. General Provisions. a. Force Maieure. Neither party shall be liable to the other, nor deemed in default under this Agreement if and to the extent that such party's performance of this Agreement is delayed or prevented by reason of Force Majeure, which is defined to mean an event that is beyond the reasonable control of the affected party and occurs without such party's fault or negligence. b. Entire Agreement. This Agreement, including all exhibits, addenda and any Business Associate Agreement (as that term is used in the Health Insurance Portability and Accountability Act and related regulations) hereto, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this agreement shall be effective unless in writing and signed by the party against whom the modification, amendment or waiver is asserted. Governing_ Law. This Agreement shall be governed by the laws of the State of Texas without regard to choice or conflict of law rules. d. Arbitration. Any controversy or claim arising out of or relating to this Agreement, or a breach of this Agreement, shall be finally settled by arbitration in Austin, Texas, and shall be resolved under the laws of the State of Texas. The arbitration shall be conducted before a single arbitrator, who may be a private arbitrator, in accordance with the commercial rules and practices of the American Arbitration Association then in effect. Any award, order or judgment pursuant to such arbitration shall be deemed final and binding and may be enforced in any court of competent jurisdiction. The arbitrator may, as part of the arbitration award, permit the substantially prevailing party to recover all or part of its attorney's fees and other out-of- pocket costs incurred in connection with such arbitration. All arbitration proceedings shall be conducted on a confidential basis. Resolution 13-01 Page 4 of 15 e. No Press Releases without Consent. Neither party may use the other party's name or trademarks, nor issue any publicity or public statements concerning the other party or the existence or content of this Agreement, without the other party's prior written consent. Notwithstanding, Customer agrees that ESO may use Customer's name and logo in ESO sales presentations, without Customer's prior written consent, during the Term of this Agreement, but only for the purposes of identifying the Customer as a customer of ESO. Likewise, Customer may use ESO's name and logo to identify ESO as a vendor or provider for Customer. f. Aggregate Data Reporting. Customer hereby grants ESO the right to collect data for aggregate reporting purposes, but in no event shall ESO disclose Protected Health Information ("PHI") unless permitted by law. Moreover, ESO will not identify Customer without Customer's consent. g. Compliance with Laws. Both parties shall comply with and give all notices required by all applicable federal, state and local laws, ordinances, rules, regulations and lawful orders of any public authority bearing on the performance of this Agreement. h. Waiver. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. i. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect. j. Notices. All notices and other communications hereunder shall be in writing and shall be deemed to have been duly given as of the date of delivery or confirmed facsimile or email transmission. Notices must be delivered or sent to the parties' respective addresses set forth above. k. Taxes. Unless otherwise required by law, Customer is responsible for and will remit (or will reimburse ESO for) all taxes of any kind, including sales, use, duty, customs, withholding, property, value-added, and other similar federal, state or local taxes (other than taxes based on ESO's income) assessed in connection with the Services and/or Software provided to Customer under this Agreement. IN WITNESS WHEREOF, the parties have executed this Agreement as of the first written below. ES® SOLUTION, IItC. CUSTOMER By: _ y: Name: Chris Dillie Dame: Thomas E. Brymer Title: President/CEO Date: Telephone: 866.766.9471 x 1022 Email: chris.dillie@esosolutions.com Title: Town Manager Date: �l ` -1 12) Telephone: ZAO .cJl 2-C) Email: Resolution 13-01 Page 5 of 15 Customer hereby selected the following ESO Services, at the fees indicated: Emergicon will provide the following products: ® ESO ePCR Annual Subscription (1) ® ESO Pro Mobile Application (2) ® Cardiac Monitor Interface (1) ® Billing Interface (1) ® Onsite Training (1) ® Training Travel Expense (1) Resolution 13-01 Page 6 of 15 This Exhibit describes the software support services ("Support Services") that ESO will provide and the service levels that ESO will meet. 1. Definitions. Unless defined otherwise herein, capitalized terms used in this Exhibit shall have the same meaning as set forth in the Agreement. (a) "Customer Service Representative" shall be the person at ESO designated by ESO to receive notices of Errors encountered by Customer that Customer's Administrator has been unable to resolve. (b) "Error" means any failure of the Software to conform in any material respect with its published specifications. (c) "Error Correction" means a bug fix, patch, or other modification or addition that brings the Software into material conformity with its published performance specifications. (d) "Priority A Error" means an Error that renders the Software inoperable or causes a complete failure of the Software. (e) "Priority B Error" means an Error that substantially degrades the performance of the Software or materially restricts Customer's use of the Software. (f) "Priority C Error" means an Error that causes only a minor impact on Customer's use of the Software. (g) "Update" means any new commercially available or deployable version of the Software, which may include Error Corrections, enhancements or other modifications, issued by ESO from time to time to its Customers. (h) "Normal Business Hours" means 8:00 am to 5:00 pm Monday through Friday, Central Time Zone. 2. Customer Obligations. Customer will provide at least one administrative employee (the "Administrator" or "Administrators") who will handle all requests for first -level support from Customer's employees with respect to the Software. Such support is intended to be the "front line" for support and information about the Software to Customer's employees. ESO will provide training, documentation, and materials to the Administrators to enable the Administrators to provide technical support to Customer's employees. The Administrators will refer any Errors to ESO's Customer Service Representative that the Administrators cannot resolve, pursuant to Section 3 below; and the Administrators will assist ESO in gathering information to enable ESO to identify problems with respect to reported Errors. 3. Support Services. (a) Scope. As further described herein, the Support Services consist of. (i) Error Corrections that the Administrator is unable to resolve and (ii) periodic delivery of Error Corrections and Updates. The Support Services will be available to Customer during normal business hours, to the extent practicable. Priority A Errors encountered outside normal business hours may be communicated to the Customer Service Representative via telephone or email. Priority B and C Errors encountered outside normal business hours shall be communicated via email. (b) Procedure. (i) Report of Error. In reporting any Error, the Customer's Administrator will describe to ESO's Customer Service Representative the Error in reasonable detail and the circumstances under which the Error occurred or is occurring; the Administrator will initially classify the Error as a Priority A, B or C Error. ESO reserves the right to reclassify the Priority of the Error. (ii) Efforts Required. ESO shall exercise commercially reasonable efforts to correct any Error reported by the Administrator in accordance with the priority level assigned to such Error by the Administrator. Errors shall be communicated to ESO's Customer Service Representative after hours as indicated below, depending on the priority level of the Error. In the event of an Error, ESO will within the time periods set forth below, depending upon the priority level of the Error, commence verification of the Error; and, upon verification, will commence Error Correction. ESO will work diligently to verify the Error and, once an Error has been verified, and until an Error Correction has been provided to the Administrator, shall use Resolution 13-01 Page 7 of 15 commercially reasonable, diligent efforts to provide a workaround for the Error as soon as reasonably practicable. ESO will provide the Administrator with periodic reports on the status of the Error Correction on the frequency as indicated below. Priority of Communicating Error to Time in Which ESO Frequency of Periodic Error ESO outside Normal Will Commence Status Reports Business Hours Verification Priority A Telephone or email Within 8 hours of Every 4 hours until notification resolved Priority B Email Within 1 business day Every 6 hours until of notification resolved Priority C Email Within two calendar Every week until resolved weeks of notification 4. ESO Server Administration. ESO is responsible for maintenance of Server hardware. Server administration includes: (a) Monitoring and Response (b) Service Availability Monitoring (c) Backups (d) Maintenance (i) Microsoft Patch Management (ii) Security patches to supported applications and related components (iii) Event Log Monitoring (iv) Log File Maintenance (v) Drive Space Monitoring (e) Security (f) Virus Definition & Prevention (g) Firewall Resolution 13-01 Page 8 of 15 r I M 20 11 r This Agreement (this "Agreement") is made and entered into as of the contract execution date by and between ESO Solutions Inc., ("Business Associate") a State of Texas corporation, and Westlake Fire Dept. ("Covered Entity"). WHEREAS, Business Associate acknowledges that Covered Entity has in its possession data that contains individual identifiable health information as defined by Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 ("HIPAA") and the regulations promulgated thereunder; and WHEREAS, Business Associate and Covered Entity are parties to an agreement (the "Service Agreement"), pursuant to which the fulfillment of the Parties' obligations thereunder necessitates the exchange of, or access to, data including individual identifiable health information, NOW, THEREFORE, in consideration of the mutual promises and covenants hereinafter contained, the Parties agree as follows: 113013101 !, Terms used, but not otherwise defined, in this Agreement shall have the meanings set forth below. 1.1 "HHS Transaction Standard Regulation" means the Code of Federal Regulations ("CFR") at Title 45, Sections 160 and 162. 1.2 "Individual" means the subject of PHI or, if deceased, his or her personal representative. 1.3. "Parties" shall mean the Covered Entity and Business Associate. (Covered Entity and Business Associate, individually, may be referred to as a "Party.") 1.4 "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. 1.5 "PHI" shall have the same meaning as the term "protected health information in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity. 1.6 "Required By Law" shall have the same meaning as "required by law" in 45 CFR § 164.501. 1.7 "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. ARTICLE -C-4-11TYL-DJUM 2.1 Obligations and Activities of Business Associate. Business Associate agrees as follows: (a) not to use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law; (b) to establish, maintain, and use appropriate safeguards to prevent use or disclosure of the PHI other than as permitted herein; (c) to report to Covered Entity any use, access or disclosure of the PHI not provided for by this Agreement, or any misuse of the PHI, including but not limited to systems compromises of which Resolution 13-01 Page 9 of 15 it becomes aware, and to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result thereof, (d) to enforce and maintain appropriate policies, procedures, and access control mechanisms to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. The access and privileges granted to any such agent shall be the minimum necessary to perform the assigned functions; (e) to provide access, at the request of Covered Entity, and in the time and manner reasonable designated by Covered Entity, to PHI in a Designated Record Set (as defined in the Privacy Rule), to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524; (f) to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner reasonably requested by Covered Entity; (g) to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner reasonably requested by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule; (h) to document such disclosures of PHI, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528; (i) to provide to Covered Entity or an Individual, in a time and manner reasonably requested by Covered Entity, information collected in accordance with Section 2.1(i) above to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528; (j) to promptly notify Covered Entity of all actual or suspected instances of deliberate unauthorized attempts (both successful and unsuccessful) to access PHI; (k) to maintain and enforce policies, procedures and processes to protect physical access to hardware, software and/or media containing PHI (e.g., hardcopy, tapes, removable media, etc. ) against unauthorized physical access during use, storage, transportation, disposition and /or destruction; (1) to ensure that access controls in place to protect PHI and processing resources from unauthorized access are controlled by two -factor identification and authentication: a user ID and a Token, Password or Biometrics. 2.2 Disclosures Required By Law. In the event that Business Associate is required by law to disclose PHI, Business Associate will immediately provide Covered Entity with written notice and provide Covered Entity an opportunity to oppose any request for such PHI or to take whatever action Covered Entity deems appropriate. 2.3 Specific Use and Disclosure Provisions. (a) Except as otherwise limited in this Agreement, Business Associate may use PHI only to carry out the legal responsibilities of the Business Associate under the Service Agreement. (b) Except as otherwise limited in this Agreement, Business Associate may only disclose PHI (i) as Required By Law, or (ii) in the fulfillment of its obligations under the Service Agreement and provided that Business Associate has first obtained (A) the consent of Covered Entity for such disclosure, (B) reasonable assurances from the person to whom the information is disclosed that the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and (C) reasonable assurances from the person to Resolution 13-01 Page 10 of 15 whom the information is disclosed that such person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 2.4 Obligations of Covered Entity. (a) Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. (b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosures of PHI. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. (d) For any PHI received by Covered Entity from Business Associate on behalf of a third party or another covered entity, Covered Entity agrees to be bound to the obligations and activities of Business Associate enumerated in Section 2.1 as if, and to the same extent, Covered Entity was the named Business Associate hereunder. 2.5 Permissible Reauests by Covered Entitv. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity. 2.6 Policy and Procedure Review. Upon request, Business Associate shall make available to Covered Entity any and all documentation relevant to the safeguarding of PHI including but not limited to current policies and procedures, operational manuals and/or instructions, and/or employment and/or third party agreements. 3.1 Government Healthcare Program Representations. Business Associate hereby represents and warrants to Covered Entity, its shareholders, members, directors, officers, agents, or employees that Business Associate has not been excluded or has not been served a notice of exclusion or has not been served with a notice of proposed exclusion, or has not committed any acts which are cause for exclusion from participation in, or had any sanctions, or civil or criminal penalties imposed under, any federal or state healthcare program, including, but not limited to, Medicare or Medicaid, and has not been convicted, under federal or state law (including without limitation a plea of nolo contendere or participation in a first offender deterred adjudication or other arrangement whereby a judgment of conviction has been withheld), of a criminal offense related to (a) the neglect or abuse of a patient, (b) the delivery of an item or service, including the performance of management or administrative services related to the delivery of an item or service, under a federal or state healthcare program, (c) fraud, theft, embezzlement, breach of fiduciary responsibility, or other financial misconduct in connection with the delivery of a healthcare item or service or with respect to any act or omission in any program operated by or financed in whole or in party by any federal, state or local government agency, (d) the unlawful, manufacture, distribution, prescription, or dispensing of a controlled substance, or (e) interference with or obstruction of any investigation into any criminal offense described in (a) through (d) above. Business Associate Resolution 13-01 Page 11 of 15 further agrees to notify Covered Entity immediately after Business Associate becomes aware that the foregoing representation and warranty may be inaccurate or may be incorrect. 3.2 Security Procedures. Each Party shall employ security procedures that comply with HIPAA and all other applicable state and federal laws and regulations (collectively, the "Law") and that are commercially reasonable, to ensure that transactions, notices, and other information that are electronically created, communicated, processed, stored, retained or retrieved are authentic, accurate, reliable, complete and confidential. Moreover, each Party shall, and shall require any agent or subcontractor involved in the electronic exchange of data to: (a) require its agents and subcontractors to provide security for all data that is electronically exchanged between Covered Entity and Business Associate; (b) provide, utilize, and maintain equipment, software, services and testing necessary to assure the secure and reliable transmission and receipt of data containing PHI; (c) maintain and enforce security management policies and procedures and utilize mechanisms and processes to prevent, detect, record, analyze, contain and resolve unauthorized access attempts to PHI or processing resources; (d) maintain and enforce polices and guidelines for workstation use that delineate appropriate use of workstations to maximize the security of data containing PHI; (e) maintain and enforce policies, procedures and a formal program for periodically reviewing its processing infrastructure for potential security vulnerabilities; (f) implement and maintain, and require its agents and subcontractors to implement and maintain, appropriate and effective administrative, technical and physical safeguards to protect the security, integrity and confidentiality of data electronically exchanged between Business Associate and Covered Entity, including access to data as provided herein. Each Party and its agents and subcontractors shall keep all security measures current and shall document its security measures implemented in written policies, procedures or guidelines, which it will provide to the other Party upon the other Party's request. ARTICLE 4 4.1 Obligations of the Parties. Each of the Parties agrees that for the PHI, (a) it will not change any definition, data condition or use of a data element or segment as proscribed in the HHS Transaction Standard Regulation. (b) it will not add any data elements or segments to the maximum denied data set as proscribed in the HHS Transaction Standard Regulation. (c) it will not use any code or data elements that are either marked "not used" in the HHS Standard's implementation specifications or are not in the HHS Transaction Standard's implementation specifications. (d) it will not change the meaning or intent of any of the HHS Transaction Standard's implementation specifications. Resolution 13-01 Page 12 of 15 4.2 Incorporation of Modifications to HHS Transaction Standards. Each of the Parties agrees and understands that from time -to -time, HHS may modify and set compliance dates for the HHS Transaction Standards. Each of the Parties agrees to incorporate by reference into this Agreement any such modifications or changes. 4.3 Business Associate Obligations. (a) Business Associate shall not submit duplicate transmissions unless so requested by Covered Entity. (b) Business Associate shall only perform those transactions that are authorized by Covered Entity. Furthermore, Business Associate assumes all liability for any damage, whether direct or indirect, to the electronic data or to Covered Entity's systems caused by Business Associate's unauthorized use of such transactions. (c) Business Associate shall hold Covered Entity harmless from any claim, loss or damage of any kind, whether direct or indirect, whether to person or property, arising out of or related to (1) Business Associate's use or unauthorized disclosure of the electronic data; or (2) Business Associate's submission of data, including but not limited to the submission of incorrect, misleading, incomplete or fraudulent data. (d) Business Associate agrees to maintain adequate back-up files to recreate transmissions in the event that such recreations become necessary. Back-up tapes shall be subject to this Agreement to the same extent as original data. (e) Business Associate agrees to trace lost or indecipherable transmissions and make reasonable efforts to locate and translate the same. Business Associate shall bear all costs associated with the recreation of incomplete, lost or indecipherable transmissions if such loss is the result of an act or omission of Business Associate. (f) Business Associate shall maintain, for seven (7) years, true copies of any source documents from which it produces electronic data. (g) Except encounter data furnished by Business Associate to Covered Entity, Business Associate shall not (other than to correct errors) modify any data to which it is granted access under this Agreement or derive new data from such existing data. Any modification of data is to be recorded, and a record of such modification is to be retained by Business Associate for a period of seven (7) years. (h) Business Associate shall not disclose security access codes to any third party in any manner without the express written consent of Covered Entity. Business Associate furthermore acknowledges that Covered Entity may change such codes at any time without notice. Business Associate shall assume responsibility for any damages arising from its disclosure of the security access codes or its failure to prevent any third party use of the system without the express written consent of Covered Entity. (i) Business Associate shall maintain general liability coverage, including coverage for general commercial liability, for a limit of not less than one million dollars, as well as other coverage as Covered Entity may require, to compensate any parties damaged by Business Associate's negligence. Business Associate shall provide evidence of such coverage in the form of a certificate of insurance and agrees to notify Covered Entity and/or HOI immediately of any reduction or cancellation of such coverage. Resolution 13-01 Page 13 of 15 (j) Business Associate agrees to conduct testing with Covered Entity to ensure delivery of files that are HIPAA-AS Compliant and to accommodate Covered Entity's specific business requirements. 4.4 Confidential and Proprietary Information (a) Proprietary Information Business Associate acknowledges that it will have access to certain proprietary information used in Covered Entity's business. Covered Entity's proprietary information derives its commercial value from the fact that it is not available to competitors or any third parties, and the disclosure of this information would or could impair Covered Entity's competitive position or otherwise prejudice its ongoing business. Business Associate agrees to treat as confidential, and shall not use for its own commercial purpose or any other purpose, Covered Entity's proprietary information. Business Associate shall safeguard Covered Entity's proprietary information against disclosure except as may be expressly permitted herein. Such proprietary information includes, but is not limited to, confidential information concerning the business operations or practices of Covered Entity, including specific technology processes or capabilities. •� t 5.1 Indemnification. Each Party agrees to indemnify the other for any damages, costs, expenses or liabilities, including legal fees and costs, arising from or related to a breach of such Party's obligations hereunder. 5.2 Term and Termination. (a) Term. The Term of this Agreement shall be effective as of the date first written above, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section. (b) Termination for Cause. Upon a material breach by Business Associate of it obligation hereunder, Covered Entity may (i) terminate this Agreement and the Service Agreement; and (ii) report the violation to the Secretary. (c) Effect of Termination. (i) Except as provided in paragraph 5.2(c)(ii), upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. (ii) In the event that Business Associate determines that returning the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Covered Entity's agreement that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and Resolution 13-01 Page 14 of 15 disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. 5.3 Disputes. Any controversy or claim arising out of or relating to the Agreement will be finally settled by compulsory arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association ("AAA"), except for injunctive relief as described below. 5.4 Injunctive Relief. Notwithstanding any rights or remedies provided for in Section 5.3, Covered Entity retains all rights to seek injunctive relief to prevent the unauthorized use of disclosure of PHI by Business Associate or any agent, contractor or third party that received PHI from Business Associate. 5.5 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. 5.6 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time to the extent necessary for Covered Entity to comply with the requirements of HIPAA and its regulations. All amendments to this agreement shall be in writing and signed by both parties. 5.7 Survival. The respective rights and obligations of Business Associate and Covered Entity under Sections 4.4, 5.1 and 5.2(c) of this Agreement shall survive the termination of this Agreement. 5.8 Limitation of Damages. Other than liabilities under Section 5. 1, neither party shall be liable to the other for any special, incidental, exemplary, punitive or consequential damages arising from or as a result of any delay, omission, or error in the electronic transmission or receipt of any information pursuant to this Agreement, even if the other Party has been advised of the possibility of such damages. 5.9 Interrnretation. Rule. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Resolution 13-01 Page 15 of 15