HomeMy WebLinkAboutItem #04 Approval of Health Data Exchange Participation Agreement between the Ocoee Fire Department and ESO Solutions t �
ocoee
florida
AGENDA ITEM COVER SHEET
Meeting Date: September 1, 2015
Item # L
Reviewed By: t/'v'
._
Contact Name: John Miller, Fire Chief Department Director: < J
Contact Number: 407-905-3140 City Manager: �-
Subject Approval of Health.Data Exchange Participation Agreem- t between the Ocoee Fire
Department and ESO Solutions. F'
Background Summary:
The agreement being presented for approval is an agreement between the Ocoee Fire Department and ESO
Solutions for services to be provided allowing an exchange of patient information and demographical data
between the Ocoee Fire Department and the local participating hospitals. This exchange network is known as the
Health Data Exchange (HDE). The data retrieved from the hospitals can be used to track patient information
following treatment provided by the Ocoee Fire Department. This information can be used to identify training
needs and ensure appropriate treatment was given. This information can also be used to improve the
department's quality assurance program. This exchange also provides patient information that the department
may not have been able to obtain while conducting patient care. This additional information will assist with
billing requirements, if the Ocoee Fire Department transported the patient.
Issue:
This sharing of data between the Ocoee Fire Department and the participating local hospitals that our patients are
transported to will allow us to improve our quality assurance program. This information can be used to enhance
our training program. Quality assurance personnel with the Ocoee Fire Department will be able to quickly assess
information from the hospital to verify patient outcomes and recommend future training based on patient care
and outcome.
Recommendations
Staff recommends the approval of the HDE agreement as a means to improve the Ocoee Fire Department's
quality assurance program and improve EMS training programs.
Attachments:
Attached is a copy of the HDE participation agreement. This is the latest version following changes made at the
request of the City Attorney's office.
Financial Impact:
The financial impact for the first three years of service will be $0. The cost of this service has been covered by
the Office of the Orange County Medical Director through a grant. Following the third year the financial impact
will be $2500 per year.
Type of Item: (please mark with an "x")
Public Hearing For Clerk's Dept Use:
Ordinance First Reading X Consent Agenda
Ordinance Second Reading Public Hearing
Resolution Regular Agenda
X Commission Approval
Discussion&Direction
Original Document/Contract Attached for Execution by City Clerk
Original Document/Contract Held by Department for Execution
Reviewed by City Attorney N/A
Reviewed by Finance Dept. NS/6A N/A
Reviewed by 0 N/A
2
HEALTH DATA EXCHANGE
PARTICIPATION AGREEMENT
This Participation Agreement(the"Agreement")is entered into this day of ,2015(the"Effective Date"),by
and between ESO Solutions,Inc.,a Texas corporation with its principal place of business at 9020 N Capital of Texas Highway,Building II-
300,Austin,Texas 78759("ESO"),and the City of Ocoee,a municipal corporation existing under the laws of the state of Florida,for the Ocoee
Fire Department(the"Participant"),with its principal place of business at 563 S.Bluford Ave.,Ocoee,Florida 34761 (each a"Parry"and
collectively the"Parties").
WHEREAS, ESO is in the business of providing Health Data Exchange ("HDE") services (the "Services") to businesses and
municipalities which provide emergency patient care;
WHEREAS,Participant seeks to share medical data specific to emergency medical services and receive outcome data back;
NOW,THEREFORE,the Parties,intending to be bound,agree as follows:
1. Defined Terms.
Except as otherwise specified herein,all capitalized terms used in this Agreement shall have the meanings set forth below. Any capitalized
term not defined below shall have the meaning provided by HIPAA. In the event of any conflict between the following definitions and HIPAA,
HIPAA shall govern.
(a) "Participant"means any Covered Entity participating,contributing,using and/or disclosing Shared Patient Information.
(b) "Patient"means an individual who: (i)meets certain Shared Record Eligibility Requirements,and(ii)has received or is currently
seeking Health Services from one or more of the Participants. For purposes of this Agreement,the term"Patient"shall be construed
to include covered beneficiaries of a Participant that is a Health Plan.
(c) "Protected Health Information"or"PHI"shall have the meaning set forth in HIPAA. PHI may include,but is not limited to,written
and electronic information relating to the diagnosis, treatment, tests, prognosis, admission, discharge, transfer, prescription,
eligibility,claims and other data implicitly or explicitly identifying a Patient to whom items,services,coverage or reimbursement is
provided by a Participant,and which information is provided,stored or accessed by a Participant. All references herein to PHI shall
be construed to include electronic PHI,or ePHI,as that term is defined by HIPAA.
(d) "Shared Patient Information"means those specific data elements about Patients and Health Services that are provided electronically
for purposes of inclusion in the Shared Record.
(e) "Shared Record"means the Shared Patient Information, including PHI and other data,maintained by ESO and contributed to and
utilized by the Participants.
2. Services. ESO shall provide to Participant,during the Term,the Services,including such services and products as may be identified on
Exhibit A. The Services are provided through ESO's proprietary software that is hosted and operated by ESO over the Internet(the
"Software"). For purposes of this Agreement, the Services shall permit Participant to receive outcome data back from participating
hospitals.
3. Term.
a. The Term of this Agreement shall commence on the Effective Date and shall terminate one year after the Effective Date("Initial
Term"). THE AGREEMENT SHALL AUTOMATICALLY RENEW FOR SUCCESSIVE RENEWAL TERMS OF ONE YEAR,
UNLESS ONE PARTY GIVES THE OTHER PARTY WRITTEN NOTICE THAT THE AGREEMENT WILL NOT RENEW,AT
LEAST THIRTY(30)DAYS PRIOR TO THE END OF THE CURRENT TERM.
b. The subscription start date("Subscription Date")shall commence on the first date the HDE Services of the first receiving hospital
connected to Participant operate in a live production environment ("Go-Live"). The length of the subscription period shall be
coterminous with the Term of the Agreement.
4. Subscription Fees,Invoices and Payment Terms.
a. Subscription Fees. Participant shall pay to ESO the fees for the Services as described in Exhibit A(the"Subscription Fees"). ESO
shall have the option to increase pricing,except during the Initial Term,as long as it provides at least sixty(60)days'notice of such
increase to Participant prior to automatic renewal under Section 3 above.
b. Invoices;Payment of Invoices. Participant shall be invoiced as explained in Exhibit A on the Subscription Date. Participant shall
pay invoices received from ESO within thirty(30)days of receipt(the"Due Date").
c. Disputed Invoices. If Participant in good faith disputes any portion of an ESO invoice,Participant shall submit to ESO,by no later
than thirty(30)days following the Due Date,full payment of the undisputed portion of the invoice together with a written explanation
identifying and substantiating the disputed amount(including any documentation supporting its position). If Participant does not
report a dispute within thirty(30)days following the Due Date of the applicable invoice,that invoice shall be deemed accepted and
Participant shall have waived its right to dispute it. Any disputed amounts determined or agreed to be payable to ESO shall be due
within ten(10)days of the Parties'agreement resolving the dispute.
5. Termination.
a. Termination by Participant for ESO Default. If ESO fails to perform a material obligation under this Agreement and does not remedy
such failure within thirty (30) days following written notice from Participant ("ESO Default"), Participant may terminate this
Agreement without any further liability except for the payment of all accrued but unpaid Subscription Fees owed through the effective
date of termination. If ESO is unable to provide Service(s)for ninety(90)consecutive days due to a Force Majeure event as defined
in Section 14a,Force Majeure, Participant may terminate the affected Service(s)without liability to ESO.
b. Termination by ESO for Participant Default. ESO may terminate this Agreement with no further liability if(i)excluding disputed
invoices under Section 4.c.,Participant fails to make payment as required under this Agreement and such failure remains uncorrected
for thirty(30) days following written notice from ESO, (ii) Participant fails to perform any other material obligation under this
Agreement and does not remedy such failure within thirty(30)days following written notice from ESO(hereinafter collectively
referred to as"Participant Default"). In the event of a Participant Default,ESO shall have the right to(i)terminate this Agreement;
(ii)suspend all Service(s)being provided to Participant,(iii)terminate the right to use the Software,(iv)apply interest to the amount
past due,at the rate of one and one-half percent(11/2%)(or the maximum legal rate,if less)of the unpaid amount per month,(v)offset
any amounts that are owed to Participant by ESO against the past due amount then owed to ESO, and/or(vi)take any action in
connection with any other right or remedy ESO may have under this Agreement,at law or in equity. If this Agreement is terminated
due to a Participant Default,Participant shall remain liable for all Subscription Fees owed through the effective date of termination
for the Services provided through such date.
6. System Maintenance. In the event ESO determines that it is necessary to interrupt the Services or that there is a potential for the Services
to be interrupted for the performance of system maintenance,ESO will use commercially reasonable efforts to notify Participant prior to
the performance of such maintenance.Routine maintenance will be scheduled during non-peak hours(midnight to 6 a.m.CST). In no
event shall interruption for system maintenance constitute a failure of performance by ESO.
7. Access to Internet. Participant has sole responsibility for obtaining,maintaining,and securing its connections to the Internet,and ESO
makes no representations to Participant regarding the reliability,performance or security of any particular network or provider.
8. Use and Support of Services;Software Rights.
a. Support and Updates. During the term,ESO shall provide to Participant the support services and will meet the service levels as set
forth on Exhibit B attached hereto.
b. Other Services. Upon the written request by Participant,ESO may provide services related to the Software other than the standard
support,at ESO's then-current rates or as otherwise negotiated by the Parties. This may include on-site consultation,configuration,
and initial technical assistance and training on the use and support of the Software.
c. Software Ownership and Restrictions. This Agreement does not convey any rights of ownership in or title to the Software associated
with the Services. All right,title and interest in the Software and any copies or derivative works thereof will remain the property of
ESO. Participant will not: (a)copy,disassemble,reverse engineer or modify the Software;(b)allow any unaffiliated third party to
use the Software;(c)use the Software as a component in any product or service provided by Participant to a third party;(d)transfer,
sell,assign,or otherwise convey the Software;or(e)remove any proprietary notices placed on or contained within the Software.
Participant will keep the Software free and clear of all claims,liens,and encumbrances.
d. Title. ESO hereby represents and warrants to Participant that ESO is the owner of the Software or otherwise has the right to grant to
Participant the rights set forth in this Agreement. In the event of any breach or threatened breach of the foregoing representation and
warranty,Participant's sole remedy shall be for ESO,at its option and expense,to:(i)procure the right to continue using the Software,
(ii)replace or modify the Software to avoid a breach,such replacement or modification shall be substantially and materially similar
to the replaced or modified Software.
ESO Solutions,Inc.
Participation Agreement 092214
Page 2 of 13
9. Indemnification. TO THE EXTENT ALLOWED UNDER FLORIDA LAW,PARTICIPANT AGREES TO DEFEND,INDEMNIFY,
AND HOLD ESO HARMLESS FROM ANY AND ALL CLAIMS BROUGHT AGAINST ESO ARISING FROM PARTICIPANT'S
NEGLIGENT ACTS OR OMISSIONS.Participant does not waive its right to sovereign immunity under Florida law.
10. Limitation of Liability.NOTWITHSTANDING ANY OTHER PROVISION HEREOF,NEITHER PARTY SHALL BE LIABLE TO
THE OTHER PARTY OR ANY THIRD PARTY FOR ANY INDIRECT,CONSEQUENTIAL,INCIDENTAL,RELIANCE,SPECIAL,
EXEMPLARY OR PUNITIVE DAMAGES (INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOST PROFITS, LOST
REVENUES OR COST OF PURCHASING REPLACEMENT SERVICES) ARISING OUT OF OR RELATING TO THIS
AGREEMENT. ADDITIONALLY,ESO SHALL NOT BE LIABLE TO PARTICIPANT FOR ANY ACTUAL DAMAGES IN EXCESS
OF THE AGGREGATE AMOUNT THAT ESO HAS, PRIOR TO SUCH TIME, COLLECTED FROM PARTICIPANT WITH
RESPECT TO SERVICES DELIVERED HEREUNDER. FURTHERMORE,IN NO EVENT SHALL EITHER PARTY BE LIABLE
TO THE OTHER, EITHER IN CONTRACT OR IN TORT, FOR PROTECTION FROM UNAUTHORIZED ACCESS OF
PARTICIPANT DATA OR FROM UNAUTHORIZED ACCESS TO OR ALTERATION, THEFT OR DESTRUCTION OF
PARTICIPANT DATA FILES, PROGRAMS, PROCEDURES OR INFORMATION NOT CONTROLLED BY ESO, THROUGH
ACCIDENT OR FRAUDULENT MEANS OR DEVICES. THIS SECTION SHALL SURVIVE ANY TERMINATION OR
EXPIRATION OF THIS AGREEMENT. EACH PARTY ACKNOWLEDGES THAT THIS LIMITATION OF LIABILITY WAS
SPECIFICALLY BARGAINED FOR AND IS ACCEPTABLE TO PARTICIPANT. FURTHER, EACH PARTY'S WILLINGNESS
TO AGREE TO THE LIMITATIONS CONTAINED IN THIS SECTION WAS MATERIAL TO ENTERING INTO THIS
AGREEMENT.
11. Acknowledgements and Disclaimer of Warranties. Participant acknowledges that ESO cannot guarantee that there will never be any
outages in ESO's network and that no credits shall be given in the event Participant's access to ESO's network is interrupted. PHI IS
PROVIDED SOLELY"AS IS." THE SERVICES ARE PROVIDED"AS IS." UNLESS OTHERWISE SPECIFIED HEREIN, ESO
MAKES NO REPRESENTATION OR WARRANTY TO PARTICIPANT OR ANY OTHER PERSON OR ENTITY, WHETHER
EXPRESS, IMPLIED OR STATUTORY, AS TO THE DESCRIPTION, QUALITY, MERCHANTABILITY, COMPLETENESS OR
FITNESS FOR A PARTICULAR PURPOSE, OF ANY SERVICE OR SOFTWARE PROVIDED HEREUNDER OR DESCRIBED
HEREIN,OR AS TO ANY OTHER MATTER(INCLUDING WITHOUT LIMITATION THAT THERE WILL BE NO IMPAIRMENT
OF DATA OR THAT SERVICES WILL BE UNINTERRUPTED OR ERROR FREE),ALL OF WHICH WARRANTIES BY ESO ARE
HEREBY EXCLUDED AND DISCLAIMED,TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
PARTICIPANT ACKNOWLEDGES THAT THE BENEFITS OF HDE DEPEND ON OTHER HEALTHCARE PROVIDERS
PARTICIPATING. PARTICIPANT ACKNOWLEDGES THAT ESO DOES NOT GUARANTEE THAT ANY PARTICULAR EMS
AGENCY, HOSPITAL, HIE, OR OTHER HEALTHCARE PROVIDER WILL AGREE TO PARTICIPATE. ESO DOES NOT
GUARANTEE THAT IT WILL PROVIDE DATA FROM ANY PARTICULAR PROVIDER ABSENT THAT PROVIDER'S
CONSENT.
12. Confidential Information.
a. "Confidential Information"shall mean all information disclosed orally or in writing by one party("Disclosing Party")to the other
party ("Receiving Party")related to the technology, intellectual property assets, financial or business plans and affairs, financial
statements, internal management tools and systems,operations,or business plans of the Disclosing Party or a third party that has
been identified as confidential or that by the nature of the information or the circumstances surrounding disclosure should reasonably
be treated as confidential,provided such information is clearly marked"CONFIDENTIAL"or"PROPRIETARY"upon delivery,or
for verbal information,provided the Disclosing Party identifies the information as confidential at the time disclosed and provides a
written summary of such information to the Receiving Party within fifteen (15) days of such verbal disclosure. Confidential
Information does not include any information that(i)was already known by the Receiving Party free of any obligation to keep it
confidential at the time of its disclosure;(ii)becomes publicly known through no act or fault of the Receiving Party;(iii)is rightfully
received from a third person without knowledge of any confidential obligation;(iv)is independently acquired or developed without
violating any of the obligations under this Agreement;or(v)is approved for release by written authorization of the Disclosing Party.
b. A Receiving Party,upon receipt of Confidential Information,shall not directly or indirectly disclose,divulge,publish,disseminate,
use,reproduce,copy,or create derivative works of or permit access to any Confidential information except as authorized under this
Agreement or otherwise required by law. Each Party shall use Confidential Information only for purposes set forth in this Agreement
and shall use reasonable and appropriate safeguards to protect Confidential Information from disclosure using the same degree of
care used to protect its own Confidential Information,but in no event less than a commercially reasonable degree of care. Confidential
Information shall remain the property of the Disclosing Party and shall be returned to the Disclosing Party or destroyed upon request
of the Disclosing Party in accordance with the terms of this Agreement.
13. Permitted Uses and Disclosures of PHI.
a. Participant agrees to access,use and disclose the Shared Record in accordance with applicable State and federal law,including but
not limited to 45 C.F.R.Section 164.506(c).
ESO Solutions,Inc.
Participation Agreement 092214
Page 3 of 13
b. Participant agrees not to access,use or disclose the Shared Record to compete with any other Participant and/or to solicit patients
from any other Participant.
c. Participant agrees to utilize hospital outcome data for its internal quality improvement and collection process only. Participant will
not use hospital outcome data to compare the performance between hospitals without written authorization from participating
hospitals and ESO.
d. Participant agrees to notify ESO immediately upon confirmation of a data breach or significant security threat and cooperate with
ESO to investigate,remediate and respond to such breach or security threat.
e. Participant grants ESO the right to collect and store its data for aggregate reporting purposes,but in no event shall ESO disclose PHI
unless permitted by law. Moreover,ESO will not identify Participant without Participant's consent.
14. General Provisions.
a. Force Majeure. Neither Party shall be liable to the other,nor deemed in default under this Agreement if and to the extent that such
Party's performance of this Agreement is delayed or prevented by reason of Force Majeure,which is defined to mean an event that
is beyond the reasonable control of the affected Party and occurs without such Party's fault or negligence.
b. Entire Agreement. This Agreement,including all schedules,exhibits,addenda and any Business Associate Agreement(as that term
is used in the Health Insurance Portability and Accountability Act and related regulations)(see Exhibit C)are incorporated herein by
reference, and constitute the entire agreement between the Parties and supersedes all prior and contemporaneous agreements,
proposals or representations,written or oral,concerning its subject matter. No modification,amendment,or waiver of any provision
of this agreement shall be effective unless in writing and signed by the Party against whom the modification,amendment or waiver
is asserted.
c. Governing Law. This Agreement shall be governed by the laws of the State of Florida without regard to choice or conflict of law
rules.
d. Arbitration. Any controversy or claim arising out of or relating to this Agreement,or a breach of this Agreement, shall be finally
settled by arbitration in the State of Florida and shall be resolved under the laws of the State of Florida. The arbitration shall be
conducted before a single arbitrator,who may be a private arbitrator, in accordance with the commercial rules and practices of the
American Arbitration Association then in effect. Any award,order or judgment pursuant to such arbitration shall be deemed final
and binding and may be enforced in any court of competent jurisdiction. The arbitrator may,as part of the arbitration award,permit
the substantially prevailing Party to recover all or part of its attorney's fees and other out-of-pocket costs incurred in connection with
such arbitration. All arbitration proceedings shall be conducted on a confidential basis. The Parties knowingly, voluntarily, and
irrevocably waive their right to a trial by jury.
e. No Press Releases without Consent. Neither Party may use the other Party's name or trademarks,nor issue any publicity or public
statements concerning the other Party or the existence or content of this Agreement,without the other Party's prior written consent.
Notwithstanding,Participant agrees that ESO may use Participant's name and logo in ESO sales presentations,without Participant's
prior written consent,during the Term of this Agreement,but only for the purposes of identifying the Participant as a customer of
ESO. Likewise,Participant may use ESO's name and logo to identify ESO as a vendor of Participant.
f. Compliance with Laws. Both Parties shall comply with and give all notices required by all applicable federal,state and local laws,
ordinances,rules,regulations and lawful orders of any public authority bearing on the performance of this Agreement.
g. Waiver. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. If
Participant has made any change to the Agreement that Participant did not bring to ESO's attention in a way that is reasonably
calculated to put ESO on notice of the change,the change shall not become part of the Agreement.
h. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law,the provision shall
be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted
by law,and the remaining provisions of this Agreement shall remain in effect.
i. Taxes and Fees. This Agreement is exclusive of all taxes and fees.
j. Independent Contractor. Nothing in this Agreement shall be construed to create:(i)a partnership,joint venture or other joint business
relationship between the Parties or any of their affiliates;or(ii)a relationship of employer and employee between the Parties. ESO
is an independent contractor and not an agent of Participant.
k. Counterparts; Execution. This Agreement and any amendments hereto may be executed by the Parties individually or in any
combination,in one or more counterparts,each of which shall be an original and all of which shall together constitute one and the
same agreement. Execution and delivery of this Agreement and any amendments by the Parties shall be legally valid and effective
ESO Solutions,Inc.
Participation Agreement 092214
Page 4 of 13
through:(i)executing and delivering the paper copy of the document,(ii)transmitting the executed paper copy of the documents by
facsimile transmission or electronic mail in "portable document format" (".pdf) or other electronically scanned format, or(iii)
creating,generating,sending,receiving or storing by electronic means this Agreement and any amendments,the execution of which
is accomplished through use of an electronic process and executed or adopted by a Party with the intent to execute this Agreement
(i.e."electronic signature"through a process such as DocuSign®). In making proof of this Agreement,it shall not be necessary to
produce or account for more than one such counterpart executed by the Party against whom enforcement of this Agreement is sought.
1. Notice. All notices,requests,demands and other communications required or permitted to be given or made under this Agreement
shall be in writing,shall be effective upon receipt or attempted delivery,and shall be sent by(i)personal delivery;(ii)certified or
registered United States mail,return receipt requested;(iii)overnight delivery service with proof of delivery,or(iv)fax. Notices
shall be sent to the addresses on page 1 of this Agreement. No Party to this Agreement shall refuse delivery of any notice hereunder.
[Signature Page Follows]
ESO Solutions,Inc.
Participation Agreement 092214
Page 5 of 13
IN WITNESS WHEREOF,the undersigned expressly agree and warrant that they are authorized to sign and enter into this
Agreement on behalf of the Party for which they sign and have executed this Agreement on the Effective Date first written
above.
ESO SOLUTIONS,INC.: OCOEE FIRE DEPARTMENT:
[Signature] [Signature]
Chris Dillie
[Printed Name] [Printed Name]
President&CEO
[Title] [Title]
[Date] [Date]
ESO Solutions,Inc.
Participation Agreement 092214
Page 6 of 13
EXHIBIT A
Annual Subscription Fee Schedule
Participant hereby selected the following Services,at the fees indicated:
List Price Total Price Line Item Description
HOE*ESO OCR Connection 1.00 $2:500.00 $2.500.00 Annually Recurring Fee
Grand Total 1;2,500.00
PAYMENT TERMS AND PAYMENT MILESTONES
The Orange County Office of the Medical Director,with its principal place of administration at 2002-A E.Michigan Street,
Orlando,Florida 32806 ("Orange County")has agreed to pay for three(3) years of the annually recurring Subscription
Fee above. In the event Participant desires to continue receiving Services after the third year,ongoing annual Subscription
Fees will be paid by Participant to ESO annually in advance;provided that,it is after the Subscription Date.In the event
the Orange County does not pay for the Subscription Fees or any portion thereof and Participant wants to continue receiving
Services,then the fee shall be Participant's sole responsibility.
ESO Solutions,Inc.
Participation Agreement 092214
Page 7 of 13
EXHIBIT B
Support Services and Service Levels
This Exhibit describes the software support services("Support Services")that ESO will provide and the service levels that ESO will meet.
1. Definitions.
Unless defined otherwise herein,capitalized terms used in this Exhibit shall have the same meaning as set forth in the Agreement.
(a) "Customer Service Representative" shall be the person at ESO designated by ESO to receive notices of Errors encountered by
Participant that Participant's Administrator has been unable to resolve.
(b) "Error"means any failure of the Software to conform in any material respect with its published specifications.
(c) "Error Correction"means a bug fix,patch,or other modification or addition that brings the Software into material conformity with
its published performance specifications.
(d) "Priority A Error"means an Error that renders the Software inoperative or causes a complete failure of the Software.
(e) "Priority B Error"means an Error that substantially degrades the performance of the Software or materially restricts Participant's
use of the Software.
(f) "Priority C Error"means an Error that causes only a minor impact on Participant's use of the Software.
(g) "Update" means any new commercially available or deployable version of the Software, which may include Error Corrections,
enhancements or other modifications,issued by ESO from time to time to its Participants.
(h) "Normal Business Hours"means 8:00 am to 5:00 pm Monday through Friday,Central Time Zone.
2. Participant Obligations.
Participant will provide at least one administrative employee(the"Administrator"or"Administrators")who will handle all requests for first-
level support from Participant's employees with respect to the Software. Such support is intended to be the "front line" for support and
information about the Software to Participant's employees. ESO will provide training,documentation,and materials to the Administrators to
enable the Administrators to provide technical support to Participant's employees. The Administrators will refer any Errors to ESO's
Participant Service Representative that the Administrators cannot resolve,pursuant to Section 3 below;and the Administrators will assist ESO
in gathering information to enable ESO to identify problems with respect to reported Errors.
3. Support Services.
(a) Scope.As further described herein,the Support Services consist of:(i)Error Corrections that the Administrator is unable to resolve,
and(ii)periodic delivery of Error Corrections and Updates. The Support Services will be available to Participant during normal
business hours,to the extent practicable. Priority A Errors encountered outside normal business hours may be communicated to the
Participant Service Representative via telephone or email. Priority B and C Errors encountered outside normal business hours shall
be communicated via email.
(b) Procedure.
(i) Report of Error. In reporting any Error, the Participant's Administrator will describe to ESO's Participant Service
Representative the Error in reasonable detail and the circumstances under which the Error occurred or is occurring; the
Administrator will initially classify the Error as a Priority A,B or C Error. ESO reserves the right to reclassify the Priority of
the Error.
(ii) Efforts Required. ESO shall exercise commercially reasonable efforts to correct any Error reported by the Administrator in
accordance with the priority level assigned to such Error by the Administrator. Errors shall be communicated to ESO's
Participant Service Representative after hours as indicated below,depending on the priority level of the Error. In the event of
an Error,ESO will within the time periods set forth below,depending upon the priority level of the Error,commence verification
of the Error;and,upon verification,will commence Error Correction. ESO will work diligently to verify the Error and,once an
Error has been verified,and until an Error Correction has been provided to the Administrator,shall use commercially reasonable,
diligent efforts to provide a workaround for the Error as soon as reasonably practicable. ESO will provide the Administrator
with periodic reports on the status of the Error Correction on the frequency as indicated below.
Priority of Error Communicating Error to Time in Which ESO Will Frequency of Periodic Status
ESO outside Normal Commence Verification Reports
Business Hours
ESO Solutions,Inc.
Participation Agreement 092214
Page 8 of 13
Priority A Telephone or email Within 8 hours of notification Every 4 hours until resolved
Priority B Email Within 1 business day of Every 6 hours until resolved
notification
Priority C Email Within two calendar weeks of Every week until resolved
notification
4. ESO Server Administration.
(a) ESO is responsible for maintenance of Server hardware.Server administration includes:
(i) Monitoring and Response
(ii) Service Availability Monitoring
(iii) Backups
(iv) Maintenance
A. Microsoft Patch Management
B. Security patches to supported applications and related components
C. Event Log Monitoring
D. Log File Maintenance
E. Drive Space Monitoring
(v) Security
(vi) Virus Definition&Prevention
(vii) Firewall
ESO Solutions,Inc.
Participation Agreement 092214
Page 9 of 13
EXHIBIT C
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into by and between ESO Solutions, Inc. ("Vendor"), a Texas
corporation,and("Covered Entity"),as of the Effective Date of the Subscription Agreement,for the purpose of setting forth Business Associate
Agreement terms between Covered Entity and Vendor. Covered Entity and Vendor each are referred to as a"Party"and collectively as the
"Parties." This Agreement shall commence on the Effective Date set forth above.
WHEREAS, Covered Entity, owns, operates, manages, performs services for, otherwise are affiliated with or are themselves a
Covered Entity as defined in the federal regulations at 45 C.F.R. Parts 160 and 164(the"Privacy Standards")promulgated pursuant to the
Health Insurance Portability and Accountability Act of 1996("HIPAA")and the Health Information Technology for Economic and Clinical
Health Act of 2009("HITECH");
WHEREAS,pursuant to HIPAA and HITECH,the U.S.Department of Health&Human Services("HHS")promulgated the Privacy
Standards and the security standards at 45 C.F.R.Parts 160 and 164(the"Security Standards")requiring certain individuals and entities subject
to the Privacy Standards and/or the Security Standards to protect the privacy and security of certain individually identifiable health information
("Protected Health Information"or"PHI"),including electronic protected health information("EPHI');
WHEREAS, the Parties wish to comply with Privacy Standards and Security Standards as amended by the HHS regulations
promulgated on January 25,2013,entitled the"Modifications to the HIPAA Privacy, Security, Enforcement,and Breach Notification Rules
Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act,"as such
may be revised or amended by HHS from time to time:
WHEREAS,in connection with Vendor's performance under its agreement(s)or other documented arrangements between Vendor
and Covered Entity, whether in effect as of the Effective Date or which become effective at any time during the term of this Agreement
(collectively"Business Arrangements"),Vendor may provide services for,or on behalf of,Covered Entity that require Vendor to use,disclose,
receive,access,create,maintain and/or transmit health information that is protected by state and/or federal law;and
WHEREAS,Vendor and Covered Entity desire that Vendor obtain access to PHI and EPHI in accordance with the terms specified
herein;
NOW,THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business Arrangements, and
other good and valuable consideration,the sufficiency and receipt of which are hereby severally acknowledged,the Parties agree as follows:
1. Vendor Obligations.
In accordance with this Agreement and the Business Arrangements, Vendor may use, disclose, access, create,maintain,transmit,
and/or receive on behalf of Covered Entity health information that is protected under applicable state and/or federal law, including without
limitation,PHI and EPHI. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the regulations
promulgated by HHS in accordance with HIPAA and HITECH,including the Privacy Standards and Security Standards(collectively referred
to hereinafter as the"Confidentiality Requirements"). All reference to PHI herein shall be construed to include EPHI. PHI shall mean only
that PHI Vendor uses, discloses, accesses, creates, maintains, transmits and/or receives for or on behalf of Covered Entity pursuant to the
Business Arrangements. The Parties hereby acknowledge that the definition of PHI includes"Genetic Information"as set forth at 45 C.F.R.
§160.103. To the extent Vendor is to carry out an obligation of Covered Entity under the Confidentiality Requirements,Vendor shall comply
with the provision(s) of the Confidentiality Requirements that would apply to Covered Entity (as applicable) in the performance of such
obligations(s).
2. Use of PHI.
Except as otherwise required by law,Vendor shall use PHI in compliance with this Agreement and 45 C.F.R.§164.504(e). Vendor
agrees not to use PHI in a manner that would violate the Confidentiality Requirements if the PHI were used by Covered Entity in the same
manner. Furthermore,Vendor shall use PHI for the purpose of performing services for,or on behalf of, Covered Entity as such services are
defined in the Business Arrangements. In addition,Vendor may use PHI(i)as necessary for the proper management and administration of
Vendor or to carry out its legal responsibilities;provided that such uses are permitted under federal and applicable state law,and(ii)to provide
data aggregation services relating to the health care operations of the Covered Entity as defined by 45 C.F.R. § 164.501. Covered Entity also
authorizes Vendor to collect and store its data for aggregate reporting, but in no event shall Vendor disclose PHI unless permitted by law.
Moreover,Vendor will not identify Covered Entity without consent. Covered Entity authorizes Vendor to de-identify PHI it receives from
Covered Entity. All de-identification of PHI must be performed in accordance with the Confidentiality Requirements,specifically 45 C.F.R.
§164.514(b).
3. Disclosure of PHI.
ESO Solutions,Inc.
Participation Agreement 092214
Page 10 of 13
3.1 Subject to any limitations in this Agreement, Vendor may disclose PHI to any third party as necessary to perform its
obligations under the Business Arrangements and as permitted or required by applicable law. Vendor agrees not to disclose
PHI in a manner that would violate the Confidentiality Requirements if the PHI was disclosed by the Covered Entity in the
same manner. Further,Vendor may disclose PHI for the proper management and administration of Vendor;provided that:
(i)such disclosures are required by law;or(ii)Vendor:(a)obtains reasonable assurances from any third party to whom the
PHI is disclosed that the PHI will be held confidential and used and disclosed only as required by law or for the purpose
for which it was disclosed to third party, and(b) requires the third party to agree to immediately notify Vendor of any
instances of which it is aware that PHI is being used or disclosed for a purpose that is not otherwise provided for in this
Agreement or for a purpose not expressly permitted by the Confidentiality Requirements. Vendor shall report to Covered
Entity any use or disclosure of PHI not permitted by this Agreement of which it becomes aware. Such report shall be made
within five(5)business days of Vendor becoming aware of such use or disclosure.
3.2 If Vendor uses or contracts with any agent,including a subcontractor(collectively"Subcontractors")that uses,discloses,
accesses, creates, receives, maintains or transmits PHI on behalf of Vendor, Vendor shall require all Subcontractors to
agree in writing to the same restrictions and conditions that apply to Vendor under this Agreement. In addition to Vendor's
obligations under Section 9, Vendor agrees to mitigate, to the extent practical and unless otherwise requested by the
Covered Entity, any harmful effect that is known to Vendor and is the result of a use or disclosure of PHI by Vendor or
any Subcontractor in violation of this Agreement. Additionally,Vendor shall ensure that all disclosures of PHI by Vendor
and its Subcontractors comply with the principle of"minimum necessary use and disclosure,"(i.e.,in accordance with
45 C.F.R.§164.502(b),only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed).
4. Individual Rights Regarding Designated Record Sets.
If Vendor maintains a Designated Record Set on behalf of Covered Entity,Vendor shall:(i)provide access to and permit inspection
and copying of PHI by Covered Entity under conditions and limitations required under 45 C.F.R. §164.524,as it may be amended from time
to time;and(ii)amend PHI maintained by Vendor as required by Covered Entity. Vendor shall respond to any request from Covered Entity
for access by an individual within ten(10)business days of such request and shall make any amendment requested by Covered Entity within
twenty(20)business days of such request. Any information requested under this Section 4 shall be provided in a form or format requested,if
it is readily producible in such form or format. Vendor may charge a reasonable fee based upon Vendor's labor costs in responding to a request
for electronic information(or a cost-based fee for the production of non-electronic media copies). Vendor shall notify Covered Entity within
ten(10)business days of receipt of any request for access or amendment by an individual.
5. Accounting of Disclosures.
Vendor shall make available to Covered Entity within ten(10)business days of a request by Covered Entity the information required
for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528(or such shorter time as may be required by state or federal
law). Such accounting must be provided without cost if it is the first accounting requested within any twelve(12)month period. For subsequent
accountings within the same twelve(12)month period,Vendor may charge a reasonable fee based upon Vendor's labor costs in responding to
a request for electronic information(or a cost-based fee for the production of non-electronic media copies)only after Vendor informs Covered
Entity and Covered Entity informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify
the request. Such accounting obligations shall survive termination or expiration of this Agreement and with respect to any disclosure,whether
on or before the termination of this Agreement,shall continue for a minimum of seven(7)years following the date of such disclosure.
6. Withdrawal of Authorization.
If the use or disclosure of PHI under this Agreement is based upon an individual's specific authorization regarding the use of his or
her PHI, and: (i)the individual revokes such authorization in writing; (ii)the effective date of such authorization has expired; or(iii) the
authorization is found to be defective in any manner that renders it invalid for whatever reason,then Vendor agrees, if it has received notice
from Covered Entity of such revocation or invalidity,to cease the use and disclosure of any such individual's PHI except to the extent Vendor
has relied on such use or disclosure,or where an exception under the Confidentiality Requirements expressly applies.
7. Records and Audit.
Vendor shall make available to HHS or its agents its internal practices,books,and records relating to the compliance of Vendor and
Covered Entity with the Confidentiality Requirements, such internal practices, books and records to be provided in the time and manner
designated by HHS or its agents.
8. Implementation of Security Standards;Notice of Security Incidents.
Vendor will comply with the Security Standards and,by way of example and not limitation,use appropriate safeguards to prevent
the use or disclosure of PHI other than as expressly permitted under this Agreement. In accordance with the Security Standards,Vendor will
implement administrative,physical,and technical safeguards that protect the confidentiality,integrity and availability of the PHI that it uses,
discloses,accesses,creates,receives,maintains or transmits. To the extent feasible,Vendor will use commercially reasonable efforts to ensure
ESO Solutions,Inc.
Participation Agreement 092214
Page 11 of 13
that the technology safeguards used by Vendor to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals
unauthorized to acquire or otherwise have access to such PHI.Vendor will promptly report to Covered Entity any Security Incident of which
it becomes aware;provided,however,that Covered Entity acknowledges and shall be deemed to have received notice from Vendor that there
are routine occurrences of: (i)unsuccessful attempts to penetrate computer networks or services maintained by Vendor; and(ii)immaterial
incidents such as"pinging"or"denial of services"attacks. At the request of Covered Entity,Vendor shall identify:the date of the Security
Incident,the scope of the Security Incident,Vendor's response to the Security Incident,and to the extent permitted by law,the identification
of the party responsible for causing the Security Incident,if known.
9. Data Breach Notification and Mitigation.
9.1 HIPAA Data Breach Notification and Mitigation. Vendor agrees to implement reasonable systems for the discovery and
prompt reporting of any"breach"of"unsecured PHI"as those terms are defined by 45 C.F.R. §164.402("HIPAA Breach"). The Parties
acknowledge and agree that 45 C.F.R.§§164.404 and 164.410,as describe below in this Section 9.1,govern the determination of the date of a
HIPAA Breach. In the event of any conflict between this Section 9.1 and the Confidentiality Requirements,the more stringent requirements
shall govern. Following the discovery of a HIPAA Breach,Vendor will notify Covered Entity immediately and in no event later than five(5)
business days after Vendor discovers such HIPAA Breach unless Vendor is prevented from doing so by 45 C.F.R. §164.412 concerning law
enforcement investigations. For purposes of reporting a HIPAA Breach to Covered Entity,the discovery of a HIPAA Breach shall occur as of
the first day on which such HIPAA Breach is known to Vendor or, by exercising reasonable diligence,would have been known to Vendor.
Vendor will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known,or by exercising reasonable diligence
would have been known,to any person(other than the person committing the HIPAA Breach)who is an employee,officer or other agent of
Vendor. No later than ten(10)business days following a HIPAA Breach,Vendor shall provide Covered Entity with sufficient information to
permit Covered Entity to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. §164.400 et.seq.This Section 9.1
shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Vendor maintains PHI.
9.2 Data Breach Notification and Mitigation Under Other Laws. In addition to the requirements of Section 9.1,Vendor agrees
to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information(including,but
not limited to,PHI and referred to hereinafter as "Individually Identifiable Information")that, if misused, disclosed, lost or stolen would
trigger an obligation under one or more State data breach notification laws(each a"State Breach")to notify the individuals who are the subject
of the information. Vendor agrees that in the event any Individually Identifiable Information is lost,stolen,used or disclosed in violation of
one or more State data breach notification laws,Vendor shall promptly:(i)notify Covered Entity within five(5)business days of such misuse,
disclosure,loss or theft;and(ii)cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach.This
Section 9.2 shall survive the expiration or termination of this Agreement and shall remain in effect for so long as Vendor maintains PHI or
Individually Identifiable Information.
10. Obligations of Covered Entity.
10.1 Notification Requirement. Covered Entity shall notify Vendor of:
a. Any limitation(s)in Covered Entity's notice of privacy practices in accordance with 45 CFR 164.520 to the extent
that such changes may affect Vendor's use or disclosure of PHI;
b. Any changes in,or revocation of,permission by Individual to use or disclose PHI,to the extent that such changes may
affect Vendor's use or disclosure of PHI;and
c. Any restriction to the use or disclosure if PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522,
to the extent that such restriction may affect Vendor's use or disclosure of PHI.
10.2 Permissible Requests. Covered Entity agrees that it will not request Vendor to use or disclose PHI in any manner that
would not be permissible under the Confidentiality Requirements if done by Covered Entity.
11. Terms and Termination.
11.1 Termination. This Agreement shall remain in effect until terminated in accordance with the terms of this Section 11;
provided,however,that termination shall not affect the respective obligations or rights of the Parties arising under this Agreement prior to the
effective date of termination,all of which shall continue in accordance with their terms.
11.2 Termination with Cause. Either Party may immediately terminate this Agreement if either of the following events have
occurred and are continuing to occur:
a. Vendor or Covered Entity fails to observe or perform any material covenant or obligation contained in this Agreement
for ten(10)business days after written notice of such failure has been given;or
ESO Solutions,Inc.
Participation Agreement 092214
Page 12 of 13
b. Vendor or Covered Entity violates any provision of the Confidentiality Requirement or applicable federal or state
privacy law relating to its obligations under this Agreement.
11.3 May Terminate Business Arrangements in Event of for Cause Termination. Termination of this Agreement for either of
the two reasons set forth in Section 11.2 above shall be cause for immediate termination of any Business Arrangement pursuant to which
Vendor uses,discloses,accesses,receives,creates,or transmits PHI for or on behalf of Covered Entity.
11.4 Termination Upon Conclusion of Business Arrangements. Upon the expiration or termination of all Business
Arrangements,either Covered Entity or Vendor may terminate this Agreement by providing written notice to the other Party.
11.5 Return of PHI Upon Termination. Upon termination of this Agreement for any reason,Vendor agrees either to return all
PHI or to destroy all PHI received from Covered Entity that is in the possession or control of Vendor or its Subcontractors. In the case of PHI
for which it is not feasible to return or destroy,Vendor shall extend the protection of this Agreement to such PHI and limit further uses and
disclosure of such PHI. Vendor shall comply with other applicable state or federal law, which may require a specific period of retention,
redaction,or other treatment of such PHI. This Section 11.5 shall survive the expiration or termination of this Agreement and shall remain in
effect for so long as Vendor maintains PHI.
12. No Warranty.
PHI IS PROVIDED SOLELY ON AN"AS IS"BASIS. THE PARTIES DISCLAIM ALL OTHER WARRANTIES,EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
13. Ineligible Persons.
Vendor represents and warrants to Covered Entity that its directors, officers, and key employees: (i) are not currently excluded,
debarred,or otherwise ineligible to participate in the federal health care programs as defined in 42 U.S.C.§ 1320a-7b(f)of any state healthcare
program(collectively,the"Healthcare Programs");(ii)have not been convicted of a criminal offense related to the provision of healthcare
items or services but have not yet been excluded,debarred,or otherwise declared ineligible to participate in the Healthcare Programs;and(iii)
are not under investigation or otherwise aware of any circumstances which may result in Vendor being excluded from participation in the
Healthcare Programs(collectively,the"Warranty of Non-exclusion"). Vendor representations and warranties underlying the Warranty of
Non-exclusion shall be ongoing during the term, and Vendor shall immediately notify Covered Entity of any change in the status of the
representations and warranties set forth in this Section 13. Any breach of this Section 13 shall give Covered Entity the right to terminate this
Agreement immediately.
14. Equitable Relief.
The Parties understand and acknowledge that any disclosure or misappropriation of any PHI in violation of this Agreement will cause
irreparable harm,the amount of which may be difficult to ascertain,and therefore agree that either Party shall have the right to apply to a court
of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such
other relief deemed appropriate. Such right shall be in addition to the remedies otherwise available at law or in equity.
15. Entire Agreement.
This Agreement constitutes the complete agreement between Vendor and Covered Entity relating to the matters specified in this
Agreement and supersedes all prior representations or agreements, whether oral or written with respect to such matters. In the event of any
conflict between the terms of this Agreement and the terms of the Business Arrangements or any such later agreement(s),the terms of this
Agreement shall control unless the terms of such Business Arrangements are more strict with respect to PHI and comply with the Confidentiality
Requirements,or the Parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this Agreement
shall be binding on either Party to this Agreement;provided,however that upon the enactment of any law,regulation,court decision or relevant
government publication and/or interpretive guidance or policy that a Party believes in good faith will adversely impact the use or disclosure of
PHI under this Agreement,that Party may amend the Agreement to comply with such law,regulation,court decision or government publication,
guidance or policy by delivering a written amendment to the other Party which shall be effective thirty(30)calendar days after receipt. No
obligation on either Party to enter into any transaction is to be implied from the execution or delivery of this Agreement. This Agreement is
for the benefit of,and shall be binding upon the Parties,their affiliates and respective successors and assigns.
ESO Solutions,Inc.
Participation Agreement 092214
Page 13 of 13