Master Services Agreement by and between UnitedHealthcare Services, Inc. and Innovation Specialists, LLC d/b/a 2nd.MD dated December 19, 2016
CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, MARKED BY [***], HAS BEEN OMITTED BECAUSE ACCOLADE, INC. HAS DETERMINED THE INFORMATION IS NOT MATERIAL.
MASTER SERVICES AGREEMENT
This Master Services Agreement (“Agreement”) is made as of December 19, 2016 (the “Effective Date”), between:
United HealthCare Services, Inc., a Minnesota corporation with offices at 9900 Bren Road East, Minnetonka, MN 55343 (“Customer”), on behalf of itself and its Affiliates; and
Innovation Specialists, LLC d/b/a 2nd.MD, a Texas limited liability company with principal offices at 1300 Post Oak Boulevard, Suite 725, Houston, Texas 77056 (“Vendor”).
Any Affiliate of Customer may execute a SOW hereunder and in such case, all obligations of, and references to, Customer in this Agreement shall instead refer to such Affiliate. For purposes of this Agreement, “Affiliate” means any entity directly or indirectly controlled by, controlling, or under common control with Customer.
Section 1. Services
Section 1.1 Description of Services. Vendor shall provide to Customer the services (“Services”) as specified in statements of work to this Agreement that are signed by the parties from time to time in a form substantially similar to that attached hereto as Exhibit A (“SOWs” or “Statements of Work”). SOWs and any and all other documents referenced as a part of this Agreement are hereby incorporated by reference into this Agreement. SOWs shall constitute the only authorization for Vendor to take any action that will result in expense to or otherwise on behalf of Customer. Customer does not guarantee Vendor any particular amount of work under this Agreement. The Services shall be performed at the locations identified in the SOW, or if not identified, from such location specified by Customer. Vendor shall not use subcontractors without Customer’s prior written consent. Vendor shall provide the Services in accordance with the service levels set forth in the applicable Order or SOW (“Service Levels”). In the event that a Service Level has not been met, Vendor shall: (i) perform a root-cause analysis to identify the cause of such failure; (ii) promptly correct such failure within the timeframe set forth in the applicable SOW; and (iii) provide Customer with a written report detailing the cause of, and procedure for correcting, such failure within [***] after such Service Level failure has occurred. [***].
Section 1.2 Additional Exhibit Terms. Vendor agrees to comply with the requirements outlined in the following Exhibits attached to this Agreement, which are fully incorporated herein by reference.
Exhibit A – Form of Statement of Work
Exhibit B – Certificate of Compliance for Contractors and Suppliers
Exhibit C – Price List
Exhibit D – HIPAA and GLBA (Business Associate Agreement)
Exhibit E – Standard Contractual Clauses
Exhibit F – Security
Exhibit G – Background Investigations
Exhibit H – Medicare Advantage Regulatory Requirements Appendix
Exhibit I – Master Community & State Appendix
Exhibit J – Exchange Regulatory Appendix
Section 1.3 Personnel.
(A) General Requirements. The parties are independent contractors and nothing in this Agreement or otherwise shall be deemed or construed to create any other relationship, including one of employment, joint venture or agency. Vendor shall be solely responsible for any taxes of any type, including central, state or local tax, employment, withholding or reporting tax, social security taxes, workers’ compensation taxes or costs, unemployment compensation taxes or costs, or any other taxes or charges, provident fund, gratuity, bonus, workmen’s compensation, employee state insurance, other employment law deductions, or private insurance, related to Vendor’s or Vendor’s personnel’s receipt of compensation and performance of Services under this Agreement. Vendor has withheld properly all federal, state and local employment taxes from the wages of its employees and otherwise has conducted and will conduct itself not as an individual or individuals but as a legal entity separate from the persons actually performing the Services pursuant to this Agreement. In addition, Vendor agrees to inform all of its employees performing the Services that they are employees solely of Vendor, and are not eligible to any of Customer’s employee benefit plans, incentive, compensation or other employee programs or policies. Vendor will be solely responsible for compliance with immigration and visa laws and requirements, including compliance with the Immigration and Reform Control Act of 1986 (IRCA) with respect to Vendor employees and contractors. 
Vendor represents and warrants that all Vendor personnel (1) will hold appropriate and valid visas or other work authorizations for the jurisdiction in which such individuals will be working, each of which will be valid for a period at least equal to the anticipated duration of each such individual’s assignment to the Customer account, and (2) will not be provided by Vendor with any technology or information in violation of any export laws of the U.S. or any other relevant country. Vendor will provide, at no cost to Customer, adequate levels of training and education for Vendor personnel, so that they are properly educated, trained and fully qualified with respect to the Services they are to perform.
(B) Attrition; Removal. Vendor will use commercially reasonable efforts to keep the attrition rate to a reasonably low level. Notwithstanding the transfer, attrition or other turnover of Vendor personnel, Vendor remains obligated to perform the Services without degradation (including in accordance with applicable Service Levels) and in accordance with the terms of this Agreement. If Customer determines in good faith that the continued assignment of any Vendor personnel to Customer’s account is not in Customer’s best interests, then Customer may give Vendor written notice to that effect. After receipt of such notice, Vendor will promptly remove the person in question from Customer’s account and from any Customer facilities and will replace that person with another person of suitable ability and qualifications. Vendor retains the sole right to hire and fire Vendor personnel, and will be solely responsible for oversight of Vendor personnel and any decision to fire any Vendor personnel.
(C) Key Personnel. Each Statement of Work will set forth: (1) the names of all Vendor personnel performing Services under such Statement of Work, (2) the location of each such person, (3) whether a person is designated as “key” (“Key Vendor Personnel”), and (4) with respect to Key Vendor Personnel, the period of time such personnel will be assigned to performing the Services. Vendor will not assign any Key Vendor Personnel to the account of any Customer competitor while such individual is assigned to Customer’s account and for a period of six months following the date that such individual is removed from, or ceases to provide any services in connection with, Customer’s account.
(D) Background Checks and Compliance. Vendor will comply with the applicable requirements of Exhibit G (Background Investigations) before assigning an individual to perform Services. Further, Vendor will cause all Vendor personnel to (1) comply with Customer requests, rules and regulations, and policies regarding safety and health and personal and professional conduct while on site at Customer facilities, (2) comply with applicable requirements of the Vendor Code of Conduct (as defined in Section 5.12), and (3) otherwise conduct themselves in a professional and businesslike manner.
Section 1.4 Subcontracting and Offshoring.
(A) Subcontracting. Vendor may not subcontract any of its obligations under this Agreement without Customer’s prior written approval, which will not be unreasonably withheld (subject to Section 1.4(B)). Vendor will remain responsible for obligations, services and functions performed by subcontractors to the same extent as if such obligations, services and functions were performed by Vendor employees, and for purposes of this Agreement such work will be deemed work performed by Vendor. Vendor will be Customer’s sole point of contact regarding the Services, including with respect to payment. Vendor will not disclose Customer Confidential Information to a subcontractor unless and until such subcontractor has agreed in writing to protect the confidentiality of such Confidential Information in a manner substantially equivalent to that required of Vendor under this Agreement.
(B) Offshoring. Before providing any component of the Services from a location outside of the United States, Vendor must obtain Customer’s written approval, which may be withheld by Customer in its sole discretion. Before entering into a subcontract for work to be performed outside of the United States, Vendor must provide to Customer a description of the scope and material terms (other than financial) of the proposed subcontract. Customer will have the right to approve or disapprove of any such subcontracts and subcontractors in its sole discretion.
Section 2. Pricing and Payment Terms
Section 2.1 Fees. All charges for the Services are set forth in the applicable Statement of Work. Customer will not be required to pay Vendor any amounts for the Services other than (A) the charges in the applicable Statement of Work, and (B) reimbursable expenses, subject to Section 2.3. The parties agree and acknowledge that, except as set forth in the applicable Statement of Work, the charges will be inclusive of, and not subject to adjustment to account for, any inflation or cost of living increases or fluctuation in any currency exchange rates. [***]. Vendor is solely responsible for managing its resources so as to provide the Services in compliance with applicable Service Levels and the other terms of this Agreement and each applicable Statement of Work.
Section 2.2 Expenses; Taxes. All pass-through or out-of-pocket expenses for which Customer is responsible must be expressly identified in the applicable Statement of Work. If a Statement of Work provides that Customer will reimburse Vendor for travel expenses, Vendor will obtain Customer’s prior written approval for travel and all travel will be consistent with Customer’s Travel and Expense Policy, which is available for Vendor to review at http://www.unitedhealthgroup.com/suppliers/default.aspx?. Customer will not be responsible for the payment or reimbursement of expenses not expressly identified as a Customer responsibility in the applicable Statement of Work. With respect to services or materials paid for on a pass-through expense basis, Customer reserves the right to obtain such services or materials directly from a third party or designate the third party source for such services or materials. Vendor will use commercially reasonable efforts to minimize the amount of pass-through and out-of-pocket expenses. Customer will be responsible for the payment of any sales or use taxes levied on Services provided under this Agreement. Each party will be responsible for any personal property taxes on property it owns or leases, for franchise and privilege taxes on its business, and for taxes based on its net income or gross receipts.
Section 2.3 Invoicing and Payment. Vendor will invoice Customer on a monthly basis in arrears, unless otherwise set forth in the applicable Statement of Work. Vendor’s rates under any Statement of Work may not exceed those set forth on Exhibit C (Price List). As directed by Customer, Vendor will establish an electronic vendor account through the third party internet-based platform specified by Customer, through which Vendor will submit invoices to and receive purchase orders from Customer (the “eProcurement System”). In addition, Vendor will be responsible for any fees or charges imposed on Vendor associated with the eProcurement System, and will not pass such fees or charges through to Customer. If Customer has established an eProcurement System applicable to this Agreement, Customer will not be required to pay any invoice unless Vendor has submitted such invoice through the eProcurement System. Undisputed invoices will be due and payable by Customer within [***] after invoice receipt, or, in the case of invoices submitted outside of the eProcurement System, within [***] after invoice receipt. Customer’s payment of any invoice will not be construed as acceptance of the underlying Services. Vendor will provide invoices with sufficient detail to enable Customer to identify the SOW to which the fees pertain and, for Services provided on a time and materials basis, the invoice will contain the name of the individual performing the Services as well as the number of hours spent performing the Services.
Section 2.4 Disputed Fees; Set-Off. Customer may withhold payment of particular charges that Customer disputes in good faith, pending the resolution of such dispute, provided that Customer provides Vendor with written notice of the amounts being withheld and the reason for withholding such amounts. With respect to any amount to be paid by Customer under this Agreement, Customer may deduct from such amount any amount that Vendor is obligated to pay or credit to Customer.
Section 3. Confidentiality
Section 3.1 Confidentiality Obligations. During the term of this Agreement, from time to time, either party may disclose (the “Disclosing Party”) or make available to the other party (the “Receiving Party”), whether orally, electronically or in physical form, confidential or proprietary information concerning the Disclosing Party and/or its business, products or services in connection with this Agreement (together, “Confidential Information”). Confidential Information of Customer includes, without limitation, business plans, health plan relationships, acquisition plans, systems architecture, information systems, technology, data, computer programs and codes, processes, methods, operational procedures, finances, budgets, policies and procedures, customer, employee, provider, member, patient and beneficiary information, claims information, vendor information (including agreements, software and products), product plans, projections, analyses, plans or results, the existence of any business dealings or agreements between Customer and Vendor, and any other information which is normally and reasonably considered confidential. Each party agrees that during the term of this Agreement and thereafter: (a) it will use Confidential Information belonging to the Disclosing Party solely for the purpose(s) of this Agreement; and (b) it will not disclose Confidential Information belonging to the Disclosing Party to any third party (other than the Receiving Party’s employees, contractors and/or professional advisors on a need-to-know basis who are bound by obligations of nondisclosure and limited use at least as stringent as those contained herein) without first obtaining the Disclosing Party’s written consent. Upon request by the Disclosing Party, the Receiving Party will return all copies of any Confidential Information to the Disclosing Party. 
Vendor hereby agrees that every individual person who performs under this Agreement shall execute the appropriate documents to undertake obligations of confidentiality consistent with the terms set forth herein. Vendor hereby agrees to provide evidence and/or copies of such duly executed documents to Customer upon request.
Section 3.2 Confidentiality Exclusions. For purposes hereof, Confidential Information will not include any information that the Receiving Party can establish by convincing written evidence: (a) was independently developed by the Receiving Party without use of or reference to any Confidential Information belonging to the Disclosing Party; (b) was acquired by the Receiving Party from a third party having the legal right to furnish same to the Receiving Party without disclosure restrictions; or (c) was at the time in question (whether at disclosure or thereafter) generally known by or available to the public (through no fault of the Receiving Party).
Section 3.3 Required Disclosures. These confidentiality obligations will not restrict any disclosure required by order of a court or any government agency, provided that the Receiving Party gives prompt notice to the Disclosing Party of any such order and reasonably cooperates with the Disclosing Party at the Disclosing Party’s request and expense to resist such order or to obtain a protective order.
Section 3.4 Customer Data. [***].
Section 3.5 Injunctive Relief. The parties acknowledge and agree that the disclosure of Confidential Information may result in irreparable harm for which there is no adequate remedy at law. The parties therefore agree that the Disclosing Party may be entitled to seek an injunction in the event the Receiving Party violates or threatens to violate the provisions of this Section 3, and that no bond will be required. This remedy will be in addition to any other remedy available at law or equity.
Section 3.6 HIPAA and GLBA. Vendor understands and acknowledges that Exhibit D (HIPAA and GLBA) attached hereto will apply in the event Vendor provides Services to Customer pursuant to which Vendor has access to, receives from, creates, or receives on behalf of Customer Protected Health Information, or Vendor has access to, creates, receives, maintains or transmits on behalf of Customer Electronic Protected Health Information (as those terms are defined under the privacy or security regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and/or nonpublic personal information, as defined under the Gramm-Leach-Bliley Act and implementing regulations (“GLBA”), during the performance of its obligations under this Agreement.
Section 3.7 EU Data Protection. If the Services involve the creation, processing, retention, deletion, use or disclosure of personal data (as that term is defined under the EU Data Protection Directive), including of Customer employees and other individuals (“Personal Data”), then Vendor will comply, and will require that its personnel and subcontractors comply, with all applicable requirements of the EU Data Protection Directive, including, without limitation, ensuring that transfers of Personal Data to third countries are made only in accordance with the following: (a) the transfer is to a jurisdiction deemed by the European Commission to have an adequate level of protection; (b) the transfer is subject to contractual provisions approved by the European Commission such as, by way of example only, the Standard Contractual Clauses attached as Exhibit E, which the parties hereby adopt and incorporate into this Agreement by this reference; or (c) pursuant to a framework deemed adequate and approved by the European Commission. For purposes of this Agreement, the “EU Data Protection Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and any legislation implementing or revising such directive in applicable EU member states.
Section 3.8 Customer IT Systems Security. Vendor acknowledges and agrees that its access to Customer’s information technology systems will be subject to the provisions of Exhibit F (Security).
Section 4. Work Product and Customer Property
Section 4.1 [***].
Section 4.2 Customer Property. [***].
Section 4.3 Residual Knowledge. Nothing contained in this Agreement will restrict a party from the use of any general ideas, concepts, know-how, methodologies, processes, technologies, algorithms or techniques retained in the unaided mental impressions of such party’s personnel relating to the Services which either party, individually or jointly, develops or discloses under this Agreement, provided that in doing so such party does not breach its obligations under Section 3 or infringe the intellectual property rights of the other party or third parties who have licensed or provided materials to the other party.
Section 5. Representations and Warranties; Compliance with Laws
Section 5.1 General Warranties. Vendor represents and warrants to Customer that: (a) it is duly incorporated and validly existing under applicable laws and in good standing in applicable business locations as required; (b) it has all necessary right, title, license and authority to enter into and perform its obligations under this Agreement; (c) Vendor has appropriate agreements with its employees and Customer-approved subcontractors to allow it to provide the Services in accordance with the terms of this Agreement; and (d) the person signing this Agreement (including each attachment) on behalf of Vendor has full authority to bind Vendor to the terms and conditions hereof.
Section 5.2 Performance Warranties. Vendor represents and warrants to Customer that: (a) the Services performed and the work created under this Agreement will conform with all applicable laws, industry standards and Customer’s instructions and specifications; (b) Vendor will provide the Services in a workmanlike, professional, and ethical manner; (c) the Services performed and the Work Product created under this Agreement will not infringe the copyrights, patents, trade secrets or other intellectual property or other rights of any third party; (d) performing the Services will not conflict with any other agreements to which Vendor is a party; and (e) Vendor will not use any of its own proprietary materials in the Work Product without Customer’s prior written permission and an appropriate perpetual license to Customer.
Section 5.3 Viruses; Disabling Codes. Vendor warrants that any and all computer code and/or software created or modified for, or otherwise supplied to Customer: (A) contains only what is stated in the documentation provided; (B) is free of any open source code, spyware, and any master access key (ID, password, trap door, trojan horse, back door, etc.) to the system, and (C) immediately prior to its delivery to Customer, has been checked for and deemed free of any and all computer viruses and/or other destructive code using a regularly updated, industry-standard software package designed for such purpose (for example, the most current version of Symantec Norton Antivirus) and has been inspected by Vendor’s authorized personnel. In the event any computer code and/or software created or modified for, or otherwise supplied to Customer contains destructive code, then, in addition to any other remedies available to Customer, at Customer’s request, Vendor will, at no cost to Customer:
(1) restore to the fullest extent possible any and all data lost by Customer as a result of the destructive code, and
(2) provide and install a new copy of the computer code and/or software without the presence of destructive code.
Section 5.4 Pass-Through of Third Party Warranties. If third party software or hardware is acquired hereunder, Vendor agrees to pass through to Customer all warranties from such third party software vendors, in addition to the warranties provided in this Agreement.
Section 5.5 Additional Warranties; Disclaimer. Other warranties pertaining to the services or deliverables may be set forth in an applicable Statement of Work. OTHER THAN AS PROVIDED IN THIS AGREEMENT OR ANY STATEMENT OF WORK, THERE ARE NO EXPRESS WARRANTIES AND THERE ARE NO IMPLIED WARRANTIES, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Section 5.6 Compliance with Laws. Vendor shall comply with all applicable federal, state, county, and local laws, orders, rules, ordinances, regulations, and codes, including without limitation Vendor’s obligations as an employer regarding the health, safety and payment of its employees. Vendor’s compliance shall also include identifying and procuring the required permits, certificates, approvals, and inspections in Vendor’s performance under this Agreement. In addition, Vendor certifies and represents its compliance with the federal laws set forth in Exhibit B, to the extent applicable. Vendor will promptly notify Customer of any change of status with regard to these certifications and representations. These certifications and representations are material statements of fact upon which Customer has relied with respect to this Agreement.
Section 5.7 Payment Card Industry. To the extent that Vendor, in the course of providing Services, stores, processes, transmits or otherwise obtains cardholder data, or performs any activities regulated by the Payment Card Industry (“PCI”) Security Standards Council, Vendor shall comply with the most current version of the PCI Data Security Standard, the PIN Transaction Security Standard, the Payment Application Data Security Standard, the Point-to-Point Encryption Solution Requirements and Testing Procedures, any other applicable program or requirement that is published and/or otherwise mandated by applicable card networks or the PCI Security Standards Council.
Section 5.8 Medicare Advantage. Vendor will comply with the terms of the Medicare Advantage Regulatory Requirements Appendix attached hereto as Exhibit H when performing administrative services or providing products under this Agreement that relate to Medicare Advantage Benefit Plans, as defined in Exhibit H (Medicare Advantage Regulatory Requirements Appendix).
Section 5.9 Other Government Requirements. Vendor will comply with all applicable federal and state legal and regulatory requirements, including but not limited to those set forth in Exhibit I (Master Community & State Appendix) when performing services or providing products under this Agreement that relate to Medicaid and other state government regulated programs, and Exhibit J (Exchange Regulatory Appendix) when performing services or providing products under this Agreement that relate to public Exchanges (as defined in Exhibit J).
Section 5.10 Conflict of Interest.
(A) Vendor hereby represents and warrants to Customer that:
(1) There is no conflict of interest between Vendor’s other contracts, business relationships, revenue-sharing arrangements or other business activities, if any, and the Services to be provided to Customer pursuant to this Agreement, and Vendor will ensure that no such conflict arises during the term of this Agreement (which includes, but is in no way limited to, use of another’s confidential and proprietary information). Accordingly, Vendor agrees that it may not perform duties for any third party, if Vendor believes its duties to such third party may result in a conflict of interest relative to Vendor’s work for Customer, unless Vendor first notifies Customer in writing of the possible conflict of interest and obtains written consent from an authorized representative of Customer.
(2) Vendor will not use for the benefit of Customer any confidential information acquired from any third party and subject to a duty of confidentiality to such third party.
(3) Unless previously disclosed in writing to an authorized representative of Customer, (a) Vendor has not, for at least [***] before the Effective Date, acted as or been paid for services as a consultant, employee or in any other capacity, to any governmental entity with respect to procurement by such governmental entity of health insurance coverage or an administrative services agreement, or (b) participated in any capacity on behalf of a governmental entity in a decision-making capacity in connection with the procurement of health insurance coverage, administrative services agreement or any related services.
(B) Vendor agrees that during the term of this Agreement Vendor will not act as or be paid for services as a consultant for any governmental entity with respect to procurement of such governmental entity’s health insurance coverage or administrative services agreement. It is understood by the parties that Customer does not have the exclusive right to Vendor’s services.
Section 5.11 Utilization of MWVBE Suppliers. As used in this Agreement, “MWVBE Supplier” means a supplier who maintains a valid certification as a minority, women, or veteran (veteran, disabled veteran, service-disabled) business enterprise from any of the following organizations: (A) the National Minority Supplier Development Council (NMSDC), (B) the Women’s Business Enterprise National Council (WBENC), (C) the US Department of Veteran Affairs, or (D) any other third party certification organization approved in advance by Customer. Vendor agrees to provide MWVBE Suppliers with the maximum practicable opportunity to participate in any subcontracts or orders it may award in connection with this Agreement. Vendor will report on a quarterly basis, or as otherwise requested by Customer, the level of MWVBE Supplier participation in this Agreement.
Section 5.12 Additional Compliance Requirements. Vendor agrees to comply with the Anticorruption Policy and Vendor Code of Conduct, which may be found at http://www.unitedhealthgroup.com/suppliers/default.aspx?.
Section 6. Insurance
Section 6.1 Required Coverage. During the term of this Agreement, Vendor will obtain and maintain, at its sole cost and expense, the insurance in the types and minimum amounts outlined below or as required by applicable law, whichever is greater, and any such additional insurance necessary to insure against claims that may arise from or in connection with its obligations under this Agreement, whether such obligations are performed by or on behalf of the Vendor:
|Coverage Type|Minimum Limits of Liability|
|Commercial General Liability|[***]|
|Worker’s Compensation|In accordance with the laws of the country, state, or province, or territory exercising jurisdiction over employees|
|Employer’s Liability (including “Stop Gap” Liability where applicable)|[***]|
|Professional Liability / Errors & Omissions Liability|[***]|
Section 6.2 Insurance Ratings. Subject to the Vendor’s right to self-insure coverage as set forth below, insurance shall be issued by insurance companies authorized to conduct business within the jurisdiction in which Services are provided, with a minimum A.M. Best rating of A- VII in the current edition of Best’s Key Rating Guide.
Section 6.3 Additional Insurance Requirements. In the event that any insurance required by this Agreement is written on a claims-made basis, such insurance will have a policy retroactive date that coincides with or predates the Effective Date. Vendor will continue coverage, through either policy renewals or the purchase of an extended reporting period for not less than [***], beginning at the time obligations under this Agreement have been completed. Commercial general liability will include Customer and its Affiliates as additional insured(s) with respect to liability arising out of the Services. Professional liability / errors and omissions liability will provide coverage for liability for loss or damage due to an act, error, omission, or negligence arising from the Services. Cyber liability insurance will provide coverage for liability for damages claimed by third parties arising from data destruction, extortion, theft, hacking, and denial of service attacks impacting Vendor’s operations. Vendor may arrange any required insurance under separate policies for the full minimum limits of liability required, or by a combination of underlying policies and an umbrella or excess liability policy. Any umbrella or excess liability insurance policy will be adequate to satisfy the insurance requirements of this Agreement. Vendor may, with Customer’s prior approval (which shall not be unreasonably withheld), elect to self-insure, in whole or in part, in the amounts and types of insurance required herein. 
Vendor will (i) maintain a separate reserve or trust for its self-insurance, (ii) provide to Customer a copy of the most recent evaluation of its self-insurance funds prepared by an independent actuary, (iii) warrant that its self-insurance fund will comply with applicable laws and regulations, and (iv) fund its self-insurance funds in accordance with the recommendations of the independent actuary and assure that funds are available at all times to pay claims in the amounts required by this Section 6. The funding of deductibles and self-insured retentions, if any, maintained by Vendor are the sole responsibility of Vendor, including any deductibles or self-insured retentions applicable to claims involving Customer.
Section 6.4 Waiver of Subrogation. Except where prohibited by law, Vendor agrees to waive all rights of subrogation, including any rights of its insurers, against Customer and its Affiliates, under the commercial general liability, automobile liability, workers’ compensation, and employer’s liability coverage, with respect to losses, damages, claims, suits, or demands, however caused.
Section 6.5 Certificates of Insurance. On or before the Effective Date, and upon Customer’s request thereafter, Vendor will provide certificate(s) of insurance providing evidence that Vendor has complied with the insurance requirements set forth in this Agreement. Vendor will give [***] prior written notice to Customer in the event of any cancellation of the insurance required hereunder.
Section 6.6 Notices. In the case of loss or damage or other event involving Customer or its Affiliates that requires notice or other action under the terms of any insurance coverage specified in this Section 6, Vendor will be solely responsible to take such action. Vendor will provide Customer with contemporaneous notice and with such other information as Customer may request regarding the event.
Section 6.7 Subcontractors. Except to the extent (i) otherwise stated in this Agreement, or (ii) agreed by Customer in writing, Vendor shall require, in writing, that each subcontractor adhere to the same insurance requirements as outlined in this Agreement. Vendor may (1) insure any subcontractors under its own policies, or (2) modify the applicable subcontractor’s insurance requirements, with the agreement that any deficiencies in such policies shall be borne by Vendor.
Section 6.8 Limits of Liability. All insurance required of Vendor to provide coverage to Customer and its Affiliates as additional insureds [***]. Such additional insured coverage will apply to [***]. The availability or unavailability of insurance coverage shall not limit, modify or otherwise impact Vendor’s other obligations and liabilities under this Agreement. Vendor’s obligation to maintain the insurance stipulated in this Section 6 shall be in addition to, and not in lieu of, Vendor’s other obligations hereunder, and Vendor’s liability to Customer shall not be limited to the amount of coverage required hereunder. Vendor’s insurance will apply separately to each insured against whom a claim is made or lawsuit is brought, except with respect to the insurer’s limits of liability.
Section 7. Indemnification
To the maximum extent allowed by law, Vendor will defend, indemnify and hold harmless Customer and its directors, officers, employees, and agents (collectively, the “Indemnitees”), from and against any and all claims, losses, damages, suits, fees, judgments, costs and expenses (collectively referred to as “Claims”), including attorneys’ fees incurred in responding to such Claims, that the Indemnitees may suffer or incur arising out of or in connection with: (a) Vendor’s breach of warranty or damages due to Vendor’s negligence or willful misconduct; (b) any allegation that the Indemnitees’ use of any goods or services (including without limitation any computer code and Work Product) created for or provided to Customer in connection with this Agreement constitutes an infringement, contributory infringement or violation of any patent, copyright, trade secret, trademark, or other third party intellectual property right or a misappropriation of a trade secret or other personal rights of a third party; (c) any breach by Vendor of its: (i) confidentiality obligations; (ii) obligations to comply with laws; (iii) obligations under Exhibit D or Exhibit F (if applicable); or (iv) obligation to pay any compensation, fees, salary, bonuses, mandatory or fringe employee benefits, social security, taxes or other withholdings which are alleged to be owed in respect of any personnel or contractors of Vendor; (d) any personal injury (including death) or damage to property resulting from Vendor, Vendor personnel or its agents’ acts or omissions; and (e) Vendor’s introduction of any unauthorized material, including without limitation, a “computer virus” or other contaminant into Customer’s environment. The Indemnitees will give prompt notice of any Claim to Vendor, and Vendor will defend the Indemnitees at the Indemnitees’ request. 
Vendor may settle, at its sole expense, any Claim for which Vendor is responsible under this Section 7, provided that such settlement shall not limit, unduly interfere with, or otherwise adversely affect the rights granted herein or Vendor’s obligations under this Agreement, shall not impose any additional liability or obligation on Customer, and shall contain an unconditional and full release of the Indemnitees in respect of such Claim. Customer reserves the right to participate in the defense and/or settlement of any Claim. [***].
Section 8. Liability
Section 8.1 Waiver of Damages. SUBJECT TO SECTION 8.2, IN NO EVENT, WHETHER IN CONTRACT OR IN TORT (INCLUDING BREACH OF WARRANTY, NEGLIGENCE AND STRICT LIABILITY IN TORT), WILL A PARTY BE LIABLE FOR INDIRECT OR CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
Section 8.2 Exceptions; Cumulative Remedies. The limitations set forth in Section 8.1 will not apply with respect to: [***]. The remedies specified in this Agreement are cumulative and in addition to any remedies available at law or in equity.
Section 9. Organizational Resiliency and Force Majeure
Section 9.1 Resiliency Planning. Vendor will, at its sole expense, establish and maintain an organizational resilience program designed to protect physical, intangible, environmental and human assets critical to Vendor’s provision of the Services. Vendor’s organizational resilience program will identify and address significant hazards or threats that may impact the Services or Vendor’s critical assets. Vendor’s organizational resilience program will include, to the extent applicable, (i) risk assessments and controls, (ii) written business continuity plans for the Services and supporting facilities, (iii) written disaster recovery plans for critical technology and systems infrastructure, and (iv) corporate crisis management response protocols, as necessary to enable continued performance under this Agreement if any event (including a corporate crisis, technological accident, or human-caused event) should cause a material disruption of the Services or pose a significant threat to Vendor’s critical assets. Vendor’s organizational resilience program will be consistent with industry standards and best practices relevant to the healthcare industry, with any standards imposed on Vendor or Customer by a relevant regulatory authority, and with the specific requirements (if any) set forth in the applicable Statement of Work. Vendor will provide its organizational resilience program documentation (or relevant components thereof) to Customer for review at Customer’s request, within [***] of Customer’s request. In addition, Vendor will make available for discussion its personnel who are responsible for the organizational resilience program. Statements of Work under this Agreement may specify different obligations with respect to Vendor’s organizational resilience program or specific aspects of that program. 
These different obligations will apply to the Services or products provided under the applicable Statement of Work only, and will not be construed to apply to any other Statement of Work.
Section 9.2 Testing; Resiliency Reviews. Vendor will periodically update relevant components of its organizational resilience program to address changes to Vendor’s critical assets, the Services, and relevant regulatory requirements or private sector standards for organizational resiliency and corporate preparedness. In addition, Vendor will test the operability of all components of its organizational resilience program at least [***] (and more frequently, if required under a Statement of Work or under the terms of the relevant business continuity plan or disaster recovery plan) to confirm that such plans are fully operational. Vendor will functionally test disaster recovery plans for critical technology and systems infrastructure at least [***] and provide the results of such test to Customer at its request. At Customer’s request, Vendor will certify to Customer in writing that all components of Vendor’s organizational resilience program (specifically including business continuity plans and disaster recovery plans) are fully operational. At Customer’s request (no more than [***]), Vendor will participate in a resiliency review and will meet with Customer and provide Customer with all information (including detailed business continuity plans and disaster recovery plans) reasonably necessary for Customer to review Vendor’s organizational resilience program. If at any time Customer reasonably determines that Vendor is materially non-compliant with the organizational resiliency requirements set forth herein or in the applicable Statement of Work, or if Vendor fails to meet its obligations with respect to testing, certification, or participation in the resiliency review [***].
Section 9.3 Implementation of Resiliency Plans. Upon the occurrence of any event that disrupts the provision of Services, Vendor will promptly implement the relevant components of its organizational resilience program (including relevant business continuity plans and disaster recovery plans) and will restore the disrupted Services within the earliest of: (a) the timeframes required in the relevant recovery/continuity plan, (b) the timeframes required in the applicable Statement of Work or elsewhere in this Agreement, or (c) otherwise as necessary to continue to meet applicable Service Levels. Vendor will not increase its charges or charge Customer any usage fees with respect to the implementation of any component of Vendor’s organizational resilience program. Whenever any event, including a Force Majeure Event, causes Vendor to allocate limited resources between or among Vendor’s customers, Vendor will not give any other customers priority over Customer, subject to the Service Levels or recovery time objectives set forth in this Agreement and any applicable Statement of Work.
Section 9.4 Force Majeure.
(A) As used in this Agreement, a “Force Majeure Event” means an act of God, riot, civil disorder, or any other similar event beyond the reasonable control of a party, provided that the event is not caused, directly or indirectly, by such party. Notwithstanding the foregoing, no event will be considered a Force Majeure Event if and to the extent that the nonperforming party could have (1) prevented the event (or any resulting defaults or delays in performance) by taking reasonable precautions, or (2) circumvented the event (or any resulting defaults or delays in performance) through the use of alternate sources, workaround plans or other means (in the case of Vendor, including by meeting its obligations with respect to developing, maintaining and implementing an organizational resilience program as described in this Section 9 or an applicable Statement of Work).
(B) Subject to Section 9.5, in the case of a Force Majeure Event the nonperforming party will be excused from further performance or observance of the obligation(s) so affected for as long as such circumstances prevail and such party continues to use commercially reasonable efforts to recommence performance to whatever extent possible without delay. Any party so delayed in its performance will promptly notify the party to whom performance is due by telephone and in writing and will describe at a reasonable level of detail the circumstances causing such default or delay.
Section 9.5 Alternate Source; Termination Rights.
(A) With respect to Critical Services (as defined below), if the performance of all or a portion of such Critical Services is prevented or delayed (including by a Force Majeure Event) for more than [***], then Customer may procure such Services from an alternate source [***]. As used in this Agreement, “Critical Services” means those specific Services identified in the applicable Statement of Work as “critical,” [***]. The timeframes set forth in this paragraph may, for any or all components of the Services, be superseded by more specific requirements set forth in the applicable Statement of Work.
(B) With respect to Non-Critical Services (as defined below), if the performance of all or a portion of such Non-Critical Services is prevented or delayed (including by a Force Majeure Event) for more than [***], then Customer may procure such Services from an alternate source[***]. As used in this Agreement, “Non-Critical Services” means all Services that are not Critical Services. The timeframes set forth in this paragraph may, for any or all components of the Services, be superseded by more specific requirements set forth in the applicable Statement of Work.
(C) If the performance of any Services is prevented or delayed (including by a Force Majeure Event) for more than [***] (in the case of Critical Services) or [***] (in the case of Non-Critical Services), then Customer will have the option to terminate this Agreement or any impacted Statement of Work [***]. The timeframes set forth in this paragraph may, for any or all components of the Services, be superseded by more specific requirements set forth in the applicable Statement of Work.
Section 10. Term and Termination
Section 10.1 Agreement Term and Termination. This Agreement shall commence and be effective as of the date above and shall continue until (a) terminated by Customer at any time with or without cause, upon written notice to Vendor without any charge, liability, or obligation whatsoever, except for payment for Services performed by Vendor specified in a SOW but not yet paid for by Customer; or (b) terminated by either party if the other party materially breaches or defaults on any of the provisions of this Agreement, and such breach is not cured within [***] after the breaching party receives written notice. Termination of this Agreement shall not impact any signed SOWs then in effect, which shall continue in effect until completed or otherwise terminated under Section 10.2 or Section 10.3, and shall be governed by the terms of this Agreement while in effect.
Section 10.2 SOW Termination for Convenience. The term of an SOW shall be as outlined thereunder. Upon [***] Customer may, for its own convenience and with or without cause, terminate any SOW, in whole or in part, without any charge, liability or obligation whatsoever except for payment for Services performed by Vendor but not yet paid for by Customer.
Section 10.3 SOW Termination for Cause. If either party materially breaches or defaults on any of the provisions of any SOW, and such breach is not cured within [***] after the breaching party receives written notice, then in addition to all other rights and remedies of law or equity or otherwise, the injured party shall have the right to terminate any SOW(s) impacted by such breach without any obligation or liability, at any time thereafter.
Section 10.4 Termination for Change of Control. Notwithstanding anything to the contrary in this Agreement or SOW, Customer may terminate this Agreement and/or a SOW without further liability, upon [***] in the event of a Change of Control of Vendor. For purposes of this Agreement, “Change of Control” means (a) the acquisition by any person, entity or group, within the meaning of Section 13(d)(3) or 14(d)(2) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), of beneficial ownership (as defined in the Exchange Act) of 20% or more of the outstanding shares of common stock of Vendor or the combined voting power of Vendor’s then-outstanding voting securities in a single transaction or series of related transactions; (b) a change in 50% or more of the directors of Vendor in any 12 month period; (c) a reorganization, merger, consolidation or share exchange in which the shareholders of Vendor immediately prior to such transaction hold less than 51% of the outstanding shares of Vendor after such transaction; (d) the sale (in a single transaction or a series of related transactions) of either: (i) all or substantially all of the assets of Vendor, or (ii) the assets which are provided to Customer hereunder or used to provide Services to Customer hereunder; or (e) the first purchase under any tender offer or exchange offer pursuant to which shares of Vendor common stock or other voting securities are purchased.
Section 10.5 Insolvency. Either party will have the right to immediately, or with such written notice as such party deems reasonable, terminate this Agreement and any SOWs in the event the other party: (a) ceases to do business as a going concern; (b) becomes subject to any bankruptcy or insolvency proceeding under federal or state statute (and if the proceeding is involuntary, it is not dismissed within 60 days of its commencement); (c) becomes insolvent or becomes subject to direct control by a trustee, receiver or similar authority; (d) has wound up, dissolved or liquidated, voluntarily or otherwise; (e) makes a general assignment for the benefit of its creditors; or (f) takes any action authorizing or in furtherance of any of the foregoing.
Section 10.6 Effect of Termination. Upon expiration or termination of this Agreement (or any SOW, as applicable) each party shall, upon the request of the other: (a) return all papers, materials and properties of the other held by such party; and (b) provide reasonable assistance in the termination of this Agreement, as may be necessary for the orderly, non-disrupted business continuation of each party. In no event will Vendor inhibit in any way Customer’s attempt to effect a smooth transition. At Customer’s option, upon termination of this Agreement or a Statement of Work for any reason, Vendor will: (1) certify to Customer in writing that all Confidential Information of Customer has been returned or destroyed, as required under this Agreement [***].
Section 10.7 Survival. Customer and Vendor’s respective obligations hereunder which by their nature would continue beyond the termination of this Agreement or expiration of any SOW, shall survive. This includes, by way of example but not limited to, the obligations provided under the Sections or Exhibits with the following headings: "CONFIDENTIALITY", “INDEMNIFICATION", any warranty by Vendor, Exhibit D (HIPAA and GLBA), Exhibit H (Medicare Advantage Regulatory Requirements Appendix), Exhibit I (Master Community & State Appendix), and Exhibit J (Exchange Regulatory Appendix).
Section 11. Assignment; Divestiture.
Vendor may not assign this Agreement or any SOW, or any of Vendor’s rights (except the right to receive payments hereunder) or duties under this Agreement, without the prior written consent of Customer. Any attempted assignment without Customer’s consent will be void. Customer may freely assign all or any part of this Agreement, without the consent of Vendor, either: (a) to an Affiliate; or (b) incidental to a sale, transfer or other disposition by Customer or an Affiliate of all or substantially all of the assets of that component of Customer’s business or its Affiliate's business having the benefit of the goods and/or services under this Agreement. In the event Customer either: (a) acquires any entity which has entered into an Agreement with Vendor, or (b) acquired any goods or services from Vendor under a separate agreement within any twelve (12) months prior to the Effective Date, Vendor shall in both cases, upon Customer notice, execute any documents necessary to allow such goods and services to be governed by this Agreement, and any price adjustments shall be made immediately on a go forward basis. All benefits under this Agreement shall accrue and inure to each party's valid and legal heirs, successors and assigns. From time to time, Customer (or its Affiliates) may divest some or all interests in certain business units or Affiliates. Following the divestiture, at Customer’s request, Vendor will continue to provide Services to such divested business unit or entity under the terms of this Agreement and any applicable SOWs (including for the then-current charges) for 24 months, or any shorter period specified by Customer.
Section 12. Export Related to Services
Vendor shall not, absent proper authorization and licensing, if applicable, from all United States agencies having jurisdiction, including without limitation the United States Bureau of Industry and Security (United States Department of Commerce) and the United States Department of State, and from any other relevant jurisdiction that requires any license or other government approval, Export any Item in the course of performing the Services hereunder. Customer makes no representations as to whether or under what conditions any Item supplied by Customer may be Exported. For purposes of this Section, “Item” means any data, technology, commodity or other item, including without limitation, computer software, computer hardware, or telecommunications hardware or software or encryption device or algorithm, and “Export” means “export,” “release,” or “reexport,” as those terms are defined in 15 Code of Federal Regulations §734.2(b), as such regulation may be amended and in effect from time to time.
Section 13. Record Keeping and Audit
Vendor agrees to maintain accurate and complete records relating to the provision of Services under this Agreement. If Vendor has a formal records management program which includes a documented and compliant records retention schedule (based on applicable federal, state and industry recordkeeping requirements) and a corresponding employee training program, during the term of this Agreement and for [***] following the expiration or termination of this Agreement, Vendor will apply records retention practices in the normal course of business according to the retention periods set forth in Vendor’s records retention schedule. If Vendor does not maintain a documented and compliant records retention schedule, then Vendor will maintain records relating to the provision of Services under this Agreement for a period of [***] from the creation of the applicable record, except to the extent that Customer may require a longer or shorter retention period for specific categories of records. Vendor agrees that, during the term of this Agreement and for a period of [***] after the expiration or termination of this Agreement or the applicable Statement of Work, as appropriate, Customer or its designee(s) may, at any time upon not less than [***] notice to Vendor, (i) examine the books and records of Vendor (and its subcontractors hereunder, if any) related to Vendor’s and any of its subcontractors’ performance under this Agreement, and (ii) verify the integrity of Customer data and examine the systems that process, store, secure, support, and transmit that data (“Audit”). Vendor will cooperate fully, and cause its subcontractors to cooperate fully, with any such Audit(s) and will provide all books, records, data and other documentation reasonably requested by Customer. Customer may make copies of such documentation. 
The Audit(s) will be conducted during normal business hours, and at Customer’s expense; provided however if such Audit reveals overcharges to Customer, Vendor will bear the cost of such Audit.
Section 14. Entire Agreement; Order of Precedence.
This Agreement contains the entire understanding of the parties and may be amended only by a writing signed by the parties. This Agreement (including its Exhibits), and any SOWs placed hereunder shall constitute the entire agreement between Customer and Vendor. In the event of a conflict between the terms and conditions of this Agreement and the terms and conditions of any Statement of Work, the terms and conditions of this Agreement will control, unless the Statement of Work makes specific reference to the Section of this Agreement that is to be amended in the Statement of Work. Any exceptions expressly agreed upon in writing by Customer (or an applicable Affiliate) and Vendor under a particular Statement of Work will apply only for purposes of that Statement of Work, and will not be deemed to in any way amend, modify, cancel, or waive the provisions of this Agreement or any other Statement of Work. Notwithstanding the foregoing, no Statement of Work or any provision thereof will be effective to: (A) decrease any limitation of liability, reduce the scope of recoverable damages, or restrict or eliminate exceptions to the limitation of liability; (B) expand, eliminate or restrict the scope of any indemnity obligations set forth in this Agreement or any Exhibit hereto; or (C) waive, settle or resolve any claims or disputes between the Parties. Any amendment or modification to this Agreement or any duly executed SOW hereunder shall not be valid, enforceable, or binding on the parties unless such amendment or modification (a) is a written instrument duly executed by the authorized representatives of both parties and (b) references this Agreement and any SOW, if applicable, and identifies the specific sections contained therein which are amended or modified. No amendment or modification shall adversely affect vested rights or causes of action that have accrued prior to the effective date of such amendment or modification. 
The terms and conditions of the Exhibits and any SOW hereunder are integral parts of this Agreement and are fully incorporated herein by this reference. No conflicting or supplemental pre-printed provisions on Vendor and Customer forms (including without limitation shrink wrap terms, terms on purchase orders or invoices) shall be binding on the parties.
Section 15. Choice of Law/Venue
This Agreement and the rights and obligations of the parties hereunder shall be construed in accordance with and governed by the laws of the State of Minnesota, excluding its conflict of laws principles and excluding the Uniform Computer Information Transactions Act (UCITA) as may be enacted, amended, or modified by the various states. The parties hereby agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement or any related transaction between the parties. The parties irrevocably and unconditionally consent to venue in Hennepin County, Minnesota (and hereby waive any claims of forum non conveniens with respect to such venue) and to the non-exclusive jurisdiction of competent Minnesota state courts in Hennepin County or federal courts in the District of Minnesota for all litigation which may be brought with respect to the terms of, and the transactions and relationships contemplated by, this Agreement. The parties further consent to the jurisdiction of any state court located within a district that encompasses assets of a party against which a judgment has been rendered for the enforcement of such judgment against the assets of such party.
Section 16. Use of Name and Publicity
Vendor will not have any right to use the names, logos, trademarks, trade names, or other marks of Customer or any of its Affiliates (collectively, the “Customer Marks”), including in connection with any advertising, sales promotions, press releases and other publicity matters, unless and until each use is approved in advance and in writing by the UnitedHealth Group Chief Communications Officer. Customer may withdraw its permission for Vendor to use any of the Customer Marks at any time at its sole discretion by giving written notice to Vendor.
Section 17. Severability
If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, then the remaining portions of this Agreement shall be construed as if not containing such provision, and all other rights and obligations of the parties shall be construed and enforced accordingly.
Section 18. Notices
All notices, approvals, waivers, and other communications under this Agreement (other than routine operational communications), will be in writing and will be deemed duly given (A) when delivered by hand, (B) one business day after being given to an express courier with a reliable system for tracking delivery, or (C) four business days after the date of mailing, when mailed by United States mail, registered or certified mail, return receipt requested, postage prepaid, and addressed as follows:
|Notices to Customer:||Notices to Vendor:|
|Attn: Legal Department||Attn: Jason Melton|
|UnitedHealth Group||Innovation Specialists, LLC d/b/a 2nd.MD|
|9900 Bren Road East||1300 Post Oak Blvd., Suite 725|
|MN008-T502||Houston, TX 77056|
|Minnetonka, MN 55343|
|With a copy to:||With a copy to:|
|Attn: Enterprise Sourcing & Procurement||Attn: Legal|
|UnitedHealth Group||Innovation Specialists, LLC d/b/a 2nd.MD|
|9900 Bren Road East||1300 Post Oak Blvd., Suite 725|
|MN008-W240||Houston, TX 77056|
|Minnetonka, MN 55343|
Section 19. Non-Solicitation
During the term of this Agreement and for a period of [***] thereafter, neither Customer nor Vendor will directly or indirectly solicit or seek to procure (other than by general advertising) the employment of: (A) in the case of Customer, any Vendor employee engaged in the provision of the Services; and (B) in the case of Vendor, any Customer personnel.
Section 20. No Waiver
No waiver or failure to exercise any option, right, or privilege under the terms of this Agreement on any occasion or occasions shall be construed to be a waiver of the same or any other option, right or privilege on any other occasion.
Section 21. Third Party Beneficiaries.
This Agreement is entered into solely between, and may be enforced only by, Customer and Vendor. This Agreement will not be deemed to create any rights in third parties or to create any obligations of a party to any third parties, other than in and to Customer’s Affiliates receiving Services hereunder.
(SIGNATURE PAGE TO FOLLOW)
|ACCEPTED AND AGREED:|
|UNITED HEALTHCARE SERVICES, INC.||INNOVATION SPECIALISTS, LLC D/B/A 2ND.MD|
|By:||/s/ Eric J Noyes||By:||/s/ Jason Melton|
|(Authorized Signature)||(Authorized Signature)|
|Name:||Eric J Noyes||Name:||Jason Melton|
|(Print or Type)||(Print or Type)|
|Title:||Sr. Director||Title:||Chief Executive Officer|
FORM OF STATEMENT OF WORK
STATEMENT OF WORK NO.
This is Statement of Work (“SOW”) No. to the MASTER SERVICES AGREEMENT dated [***] (the “Agreement”), between:
United HealthCare Services, Inc., (“Customer”) on behalf of itself and its Affiliates; and
Innovation Specialists, LLC d/b/a 2nd.MD (“Vendor”). All capitalized terms not otherwise defined in this SOW will have the meanings assigned to them in the Agreement. Unless modified herein, all terms in the Agreement shall remain unchanged and in full force and effect.
|1.||CUSTOMER SEGMENT(S) RECEIVING SERVICES:|
|2.||PURPOSE AND HIGH-LEVEL SCOPE OF SERVICES:|
|3.||DETAILED DESCRIPTION OF SERVICES:|
|7.||FEES: [Select from Fixed-Bid or Time & Materials options below, delete both Option headings, text of non-choice and this note]|
Option 1: Fixed-Bid
Based on the above tasks and assumptions, Vendor will perform the Services and provide the Work Product for a fixed price of [insert $] which will be invoiced [insert payment schedule].
If Customer terminates this SOW prior to delivery of all Work Product, the charges will be prorated at the time of termination and Customer agrees to pay for Services through the termination date. Applicable federal, state and local taxes are not included in the estimated charges.
Option 2: Time & Materials
Vendor will perform the Services and provide the Work Product at an hourly rate of [insert rate $]. Customer will be charged only for the actual hours provided by Vendor in performing the Services and providing the Work Product. Vendor estimates the total number of hours to complete the Services to be [insert # hours] for an estimated funding requirement of [insert $]. The total fees incurred by Customer under this SOW shall not exceed [insert same $ as estimated funding requirement] without Customer’s prior written consent.
If Customer terminates this SOW, Customer agrees to pay Vendor for actual hours worked by Vendor in performing the Services prior to the date of termination.
The terms and conditions contained in this SOW constitute the parties’ complete understanding and agreement relating to the subject matter hereof. Notwithstanding anything to the contrary in the Agreement or elsewhere, in the event of a conflict between this SOW and the Agreement, the Agreement will control. No other terms and conditions, beyond those contained herein, will be valid unless mutually agreed to by Customer and Vendor in a writing signed by authorized representatives of each party.
|ACCEPTED AND AGREED:|
|UNITED HEALTHCARE SERVICES, INC.||INNOVATION SPECIALISTS, LLC D/B/A 2ND.MD|
|(Authorized Signature)||(Authorized Signature)|
|(Print or Type)||(Print or Type)|
CERTIFICATE OF COMPLIANCE FOR CONTRACTORS AND SUPPLIERS
Vendor certifies and represents that it is, as of the Effective Date, and shall remain throughout the term of the Agreement in compliance with the following federal laws, to the extent applicable to Vendor and the Services:
|52.204-9||Jan 2011||Personal Identity Verification of Contractor Personnel|
|52.222-21||Feb 1999||Prohibition of Segregated Facilities|
|52.222-26||Mar 2007||Equal Opportunity|
|52.222-35||Sep 2010||Equal Opportunity for Veterans|
|52.222-36||Oct 2010||Affirmative Action for Workers with Disabilities|
|52.222-37||Sep 2010||Employment Reports on Veterans|
|52.222-40||Dec 2010||Notification of Employee Rights Under the National Labor Relations Act|
|52.222-50||Feb 2009||Combating Trafficking in Persons|
|52.223-18||Aug 2011||Encouraging Contractor Policies to Ban Text Messaging While Driving|
|52.244-6||Dec 2010||Subcontracts for Commercial Items|
|252 ###-###-####||Dec 1991||Disclosure of Information|
|2.||Contract Value > $150,000.|
If the total fees under the Agreement, including all SOWs executed pursuant to the Agreement, exceed an aggregate total of $150,000, then Vendor shall comply with the Laws listed in Section 1 above and the following:
|52.219-8||Jan 2011||Utilization of Small Business Concerns|
|3.||Contract Value > $5 Million.|
If the total fees under the Agreement, including all SOWs executed pursuant to the Agreement, exceed an aggregate total of $5,000,000, then Vendor shall comply with the Laws listed in Section 1 above and the following:
|52.203-13||Apr 2010||Contractor Code of Business Ethics and Conduct|
This contractor and subcontractor shall abide by the requirements of 41 CFR 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, protected veteran status or disability.
To the extent applicable, the employee notice requirements set forth in 29 C.F.R. Part 471, Appendix A to Subpart A, are hereby incorporated by reference into this contract.
|Consulting Services||Hourly Rate/Discount off List|
HIPAA and GLBA
(BUSINESS ASSOCIATE AGREEMENT)
The parties hereby agree as follows:
1.1 All capitalized terms used in this Exhibit not otherwise defined in this Exhibit have the meanings established in either the Agreement or for purposes of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended and supplemented by HITECH, as each is amended from time to time (collectively, “HIPAA”). To the extent a term is defined in both the Agreement and in this Exhibit or in HIPAA, the definition in this Exhibit or in HIPAA, shall govern.
1.2 “Affiliate” shall have the meaning ascribed to it in the Agreement. If the term “Affiliate” is not defined in the Agreement, then “Affiliate” shall mean, for purposes of this Exhibit, any subsidiary of UnitedHealth Group Inc.
1.3 “Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI as defined, and subject to the exclusions set forth, in 45 C.F.R. § 164.402.
1.4 “Breach Rule” means the federal breach regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Part 164 (Subpart D).
1.5 “Compliance Date” means the later of September 23, 2013 or the effective date of the Agreement.
1.6 “Electronic Protected Health Information” or “ePHI” means PHI that is transmitted or maintained in Electronic Media.
1.7 “HITECH” means Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§ 17921-17954, and all associated existing and future implementing regulations, when and as each is effective.
1.8 “PHI” means Protected Health Information, as defined in 45 C.F.R. § 160.103, and is limited to the Protected Health Information received from, or received, maintained, created or transmitted on behalf of, Customer (for itself and/or applicable Covered Entity customers) by Vendor in performance of the Services.
1.9 “Privacy Rule” means the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164 (Subparts A & E).
1.10 “Security Rule” means the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164 (Subparts A & C).
1.11 “Services” as used in this Exhibit, means, to the extent and only to the extent they involve the receipt, creation, maintenance, transmission, use or disclosure of PHI, the services provided by Vendor to Customer as set forth in the Agreement.
|2.||RESPONSIBILITIES OF VENDOR|
With regard to its use and/or disclosure of PHI, Vendor agrees to:
2.1 not use and/or further disclose PHI except as necessary to provide the Services, as permitted or required by this Exhibit, and in compliance with each applicable requirement of 45 C.F.R. § 164.504(e), or as otherwise Required by Law; provided that, to the extent Vendor is to carry out a Covered Entity’s obligations under the Privacy Rule, Vendor will comply with the requirements of the Privacy Rule that apply to that Covered Entity in the performance of those obligations.
2.2 implement and use appropriate administrative, physical and technical safeguards and, as of the Compliance Date, comply with applicable Security Rule requirements with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Exhibit, including at a minimum, but in any event not limited to, any safeguards set forth in the Agreement or other applicable contracts or agreements between the parties. For the avoidance of doubt, the requirements set forth in the Agreement or other applicable contracts or agreements between the parties do not limit in any way whatsoever Vendor’s obligations under this Section 2.2 to comply with applicable Security Rule requirements.
2.3 without unreasonable delay, and in any event on or before [***] after its discovery by Vendor, report to Customer in writing: (i) any use or disclosure of PHI not provided for by this Exhibit of which it becomes aware in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(C); and/or (ii) any Security Incident of which Vendor becomes aware in accordance with 45 C.F.R. § 164.314(a)(2)(i)(C).
2.4 without unreasonable delay, and in any event on or before [***] after its Discovery by Vendor, notify Customer of any incident that involves an unauthorized acquisition, access, use or disclosure of PHI, even if Vendor believes the incident will not rise to the level of a Breach. The notification shall include, to the extent possible, and shall be supplemented on an ongoing basis with: (i) the identification of all individuals whose Unsecured PHI was or is believed to have been involved; (ii) all other information required for or requested by Customer (or the applicable Covered Entity) to perform a risk assessment in accordance with 45 C.F.R. § 164.402 with respect to the incident to determine whether a Breach of Unsecured PHI occurred; and (iii) all other information reasonably necessary to provide notice to the applicable Covered Entities’ individuals, HHS and/or the media, all in accordance with the Breach Rule. Notwithstanding the foregoing, in Customer’s sole discretion and in accordance with its directions, and without limiting in any way any other remedy available to Customer at law, equity or contract, including but not limited to any rights or remedies the Customer may have under the Agreement, Vendor [***].
2.5 in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any subcontractors of Vendor that create, receive, maintain or transmit PHI on behalf of Vendor agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Vendor with respect to that PHI, including complying with the applicable Security Rule requirements with respect to ePHI; provided that, in any event Vendor shall require its subcontractors (and shall require those subcontractors to require their subcontractors) to report to Vendor any use or disclosure of PHI or Security Incident required to be reported under Sections 2.3 and 2.4 on or before [***] after its discovery by any of those subcontractors.
2.6 make available its internal practices, books and records relating to the use and disclosure of PHI to the Secretary for purposes of determining the applicable Covered Entity’s compliance with the Privacy Rule.
2.7 document, and within [***] after receiving a written request from Customer, make available to Customer information necessary for Customer or its applicable Covered Entity customer to make an accounting of disclosures of PHI about an Individual or, when and as requested by Customer, make that information available directly to an Individual, all in accordance with 45 C.F.R. § 164.528 and, as of the later of the date compliance is required by final regulations or the effective date of the Agreement, 42 U.S.C. § 17935(c).
2.8 provide access to Customer, within [***] after receiving a written request from Customer, to PHI in a Designated Record Set about an Individual, or when and as requested by Customer, provide that access directly to an Individual, all in accordance with the requirements of 45 C.F.R. § 164.524, including as of the Compliance Date, providing or sending a copy to a designated third party and providing or sending a copy in electronic format in accordance with 45 C.F.R. § 164.524.
2.9 to the extent that the PHI in Vendor’s possession constitutes a Designated Record Set, make available, within [***] after a written request by Customer, PHI for amendment and incorporate any amendments to the PHI as requested by Customer, all in accordance with 45 C.F.R. § 164.526.
2.10 accommodate reasonable requests for confidential communications in accordance with 45 C.F.R. § 164.522(b), as requested by Customer or as directed by the Individual to whom the PHI relates.
2.11 notify Customer in writing within [***] after Vendor’s receipt directly from an Individual of any request for an accounting of disclosures, access to or amendment of PHI or for confidential communications as contemplated in Sections 2.7-2.10.
2.12 request, use and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure; provided, that Vendor shall comply with 45 C.F.R. §§ 164.502(b) and 164.514(d) as of the Compliance Date.
2.13 not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii) as of the Compliance Date.
2.14 not make or cause to be made any communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3) as of the Compliance Date.
2.15 not make or cause to be made any written fundraising communication that is prohibited by 45 C.F.R. § 164.514(f) as of the Compliance Date.
2.16 mitigate, to the extent practicable, any harmful effect that is known to Vendor of a use or disclosure of PHI by Vendor that is not permitted by the requirements of this Exhibit.
2.17 comply with all applicable federal, state and local laws and regulations.
2.18 not use, transfer, transmit or otherwise send or make available, any PHI outside of the geographic confines of the United States of America without Customer’s advance written consent.
2.19 Government Program Requirements. To the extent that Vendor receives, uses or discloses PHI pertaining to Individuals enrolled in managed care plans through which Customer or one or more of its affiliates participate in government funded health care programs, receipt, use and disclosure of the PHI pertaining to those individuals shall comply with the applicable program requirements.
2.20 Privacy and Safeguards for NPI. Vendor understands and acknowledges that to the extent it is a nonaffiliated third party under GLBA that creates or receives NPI from or on behalf of Customer or an Affiliate, Vendor and its authorized representatives: (i) shall not use or disclose NPI for any purpose other than to perform its obligations under the Agreement; (ii) shall implement appropriate administrative, technical, and physical safeguards designed to ensure the security and confidentiality of the NPI, protect against any anticipated threats or hazards to the security or integrity of the NPI and protect against unauthorized access to or use of the NPI that could result in substantial harm or inconvenience to any consumer; and (iii) shall, for as long as Vendor has NPI, provide and maintain appropriate safeguards for the NPI in compliance with this Exhibit and the GLBA.
|3.||OTHER PERMITTED USES AND DISCLOSURES OF PHI|
Unless otherwise limited in this Exhibit, in addition to any other uses and/or disclosures permitted or required by this Exhibit, Vendor may:
3.1 use and disclose PHI, if necessary, for proper management and administration of Vendor or to carry out the legal responsibilities of Vendor, provided that the disclosures are Required by Law or any third party to which Vendor discloses PHI for those purposes provides written assurances in advance that: (i) the information will be held confidentially and used or further disclosed only for the purpose for which it was disclosed to the third party or as Required by Law; and (ii) the third party promptly will notify Vendor of any instances of which it becomes aware in which the confidentiality of the information has been breached.
|4.||TERMINATION AND COOPERATION|
4.1 Termination. If Customer knows of a pattern or practice of Vendor that constitutes a material breach or violation of this Exhibit then Customer may provide written notice of the breach or violation to Vendor and Vendor must cure the breach or end the violation on or before [***] after receipt of the written notice. If Vendor fails to cure the breach or end the violation within the specified timeframe, Customer may terminate this Exhibit and the Agreement. Customer also may terminate this Exhibit and the Agreement to the extent that any of Customer’s applicable Covered Entity customers terminates its agreement with Customer.
4.2 Effect of Termination or Expiration. Within [***] after the expiration or termination for any reason (or to any extent) of the Agreement and/or this Exhibit, Vendor shall return or destroy all applicable PHI, if feasible to do so, including all applicable PHI in possession of Vendor’s subcontractors. To the extent return or destruction of the PHI is not feasible, Vendor shall notify Customer in writing of the reasons return or destruction is not feasible and, if Customer agrees, may retain the PHI subject to this Section 4.2. Under any circumstances, Vendor shall extend any and all protections, limitations and restrictions contained in this Exhibit to Vendor’s use and/or disclosure of any applicable PHI retained after the expiration or termination (to any extent) of the Agreement and/or this Exhibit, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
4.3 Cooperation. Each party shall cooperate in good faith in all respects with the other party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
5.1 Construction of Terms. The terms of this Exhibit to the extent they are unclear, shall be construed to allow for compliance by the applicable Covered Entity and Customer with HIPAA.
5.2 Survival. Sections 4.2, 4.3, 5.1, 5.2, and 5.3 shall survive the expiration or termination for any reason of the Agreement and/or of this Exhibit.
5.3 No Third Party Beneficiaries. Nothing in this Exhibit shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
STANDARD CONTRACTUAL CLAUSES
Data Processing Agreement Supplemental Terms and Conditions (Standard Contractual Clauses (processors))
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, these terms and conditions are entered into between
(i) United HealthCare Services, Inc., a Minnesota corporation with offices at 9900 Bren Road East, Minnetonka, MN 55343, on behalf of itself and its subsidiaries ("UHS") ("Data Exporter"), and
(ii) Innovation Specialists, LLC d/b/a 2nd.MD, with offices at 1300 Post Oak Blvd., Suite 725, Houston, Texas 77056 (the "Data Importer").
each a "Party", and together the "Parties"
|A||Data Importer provides services to UHS and/or various of its subsidiaries outside the European Economic Area (EEA) (the "Services"). For the purpose of these Clauses, Data Importer is receiving Personal Data, as defined in Attachment 1, as part of the performance of services as a Data Importer, and UHS shall transfer Personal Data to Data Importer as Data Exporter.|
|B||The Parties agree that all processing and movement of Personal Data, performed as part of or otherwise in connection with the Services shall be governed by these Clauses which are hereby incorporated into all agreements between the Data Importer and UHS or its subsidiaries and governing the Services, if any.|
|C||The Parties have therefore agreed on the following Contractual Clauses (the "Clauses") in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Attachment 1.|
Processing of Personal Data
For the purposes of this Attachment 1:
|(a)||'applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a Controller in the Member State in which the Data Exporter is established;|
|(b)||'Controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data;|
|(c)||'Data Exporter' means United HealthCare Services, Inc. (“data exporter”), on behalf of itself and its Affiliates;|
|(d)||'Data Importer' means Innovation Specialists, LLC d/b/a 2nd.MD;|
|(e)||'Directive' means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data;|
|(f)||'Personal Data' means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;|
|(g)||'Process/Processing', means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;|
|(h)||'Processor' means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller;|
|(i)||'Special Categories of data' means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, criminal convictions, and actual or alleged criminal offences;|
|(j)||'Subprocessor' means any Processor engaged by the Data Importer or by any other Subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other Subprocessor of the Data Importer Personal Data exclusively intended for Processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of this Exhibit and the terms of the relevant written subcontract;|
|(k)||'Supervisory Authority' means a public authority responsible for monitoring the application within its territory of the provisions adopted by a Member State pursuant to the Directive;|
|(l)||'technical and organisational security measures' means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.|
|2.||DETAILS OF THE TRANSFERS|
The details of the transfers of Personal Data are specified in Appendix 1 which forms an integral part of this Exhibit.
|3.||THIRD-PARTY BENEFICIARY CLAUSE|
|3.1||The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6.1 and 6.2, Clause 7, Clause 8.2, and Clauses 9 to 12 as third-party beneficiary.|
|3.2||The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.|
|3.3||The Data Subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own Processing operations under this Exhibit.|
|3.4||The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.|
|4.||OBLIGATIONS OF THE DATA EXPORTER|
The Data Exporter agrees and warrants:
|(a)||that the Processing, including the transfer itself, of the Personal Data has been carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;|
|(b)||that it has instructed and throughout the duration of the Personal Data Processing services will instruct the Data Importer to Process the Personal Data transferred only on the Data Exporter's behalf and in accordance with the applicable data protection law and this Exhibit;|
|(c)||that the Data Importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;|
|(d)||that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;|
|(e)||that it will ensure compliance with the security measures;|
|(f)||that, if the transfer involves Special Categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of the Directive;|
|(g)||to forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5(b) and Clause 8.3 to the Supervisory Authority if the Data Exporter decides to continue the transfer or to lift the suspension;|
|(h)||to make available to the Data Subjects upon request a copy of this Exhibit, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with this Exhibit, unless this Appendix 1 or the Agreement contain commercial information, in which case it may remove such commercial information;|
|(i)||that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of the Data Subject as the Data Importer under this Exhibit; and|
|(j)||that it will ensure compliance with Clause 4(a) to (i).|
|5.||OBLIGATIONS OF THE DATA IMPORTER|
The Data Importer agrees and warrants:
|(a)||to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and this Exhibit; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the Agreement;|
|(b)||that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the Agreement and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Exhibit, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the Agreement;|
|(c)||that it has implemented the technical and organisational security measures specified in Appendix 2 before Processing the Personal Data transferred;|
|(d)||that it will promptly notify the Data Exporter about:|
|(i)||any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;|
|(ii)||any accidental or unauthorised access; and|
|(iii)||any request received directly from a Data Subject without responding to that request, unless it has been otherwise authorised to do so;|
|(e)||to deal promptly and properly with all inquiries from the Data Exporter relating to its Processing of the Personal Data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the Processing of the data transferred;|
|(f)||at the request of the Data Exporter to submit its data Processing facilities for audit of the Processing activities covered by this Exhibit which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Supervisory Authority;|
|(g)||to make available to the Data Subject upon request a copy of this Exhibit, or any existing contract for subprocessing, unless this Exhibit or the contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;|
|(h)||that, in the event of subprocessing, it has previously informed the Data Exporter and obtained its prior written consent;|
|(i)||that the Processing services by the Subprocessor will be carried out in accordance with Clause 11; and|
|(j)||to send promptly a copy of any Subprocessor agreement it concludes under this Exhibit to the Data Exporter.|
|6.1||The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.|
|6.2||If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 6.1 against the Data Exporter, arising out of a breach by the Data Importer or its Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity.|
|6.3||The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.|
|6.4||If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 6.1 and 6.2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the Subprocessor with regard to its own processing operations under this Exhibit as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under this Exhibit.|
|7.||MEDIATION AND JURISDICTION|
|7.1||The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under this Exhibit, the Data Importer will accept the decision of the Data Subject:|
|(a)||to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;|
|(b)||to refer the dispute to the courts in the Member State in which the Data Exporter is established.|
|7.2||The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.|
|8.||CO-OPERATION WITH SUPERVISORY AUTHORITIES|
|8.1||The Data Exporter agrees to deposit a copy of this contract with the Supervisory Authority if it so requests or if such deposit is required under the applicable data protection law.|
|8.2||The parties agree that the Supervisory Authority has the right to conduct an audit of the Data Importer and of any Subprocessor which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.|
|8.3||The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 8.2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).|
This Exhibit shall be governed by English law.
|10.||VARIATION OF CONTRACT|
The parties undertake not to vary or modify this Exhibit. This does not preclude the parties from adding clauses on business-related issues where required as long as they do not contradict the Exhibit.
|11.1||The Data Importer shall not subcontract any of its Processing operations performed on behalf of the Data Exporter under this Exhibit without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under this Exhibit, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under this Exhibit. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor's obligations under such agreement.|
|11.2||The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 6.1 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under this Exhibit.|
|11.3||The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 11.1 shall be governed by English law.|
|11.4||The Data Exporter shall keep a list of subprocessing agreements concluded under this Exhibit and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter's Supervisory Authority.|
|12.||OBLIGATION AFTER THE TERMINATION OF PERSONAL DATA PROCESSING SERVICES|
|12.1||The parties agree that on the termination of the provision of data Processing services, the Data Importer shall, at the choice of the relevant Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively Process the Personal Data transferred any more.|
|12.2||The Data Importer warrants that upon request of the Data Exporter and/or of the Supervisory Authority, it will submit its data Processing facilities for an audit of the measures referred to in paragraph 12.1.|
The Data Exporter is a healthcare services and information technology company.
The Data Importer is a company undertaking data processing activities.
The Personal Data transferred may concern the following categories of Data Subjects:
|1.||Customers of the Data Exporter and personnel employed by or working on behalf of such customers.|
|2.||Persons whose data are relevant to contracts for health care entered into by customers with the Data Exporter.|
Categories of data
The Personal Data transferred may concern the following categories of data:
Special Categories of data
The Personal Data transferred concern the following special categories of data:
Members book and attend a virtual consultation with a specialist using the 2nd.MD application which is downloadable through their Apple or Android phone or tablet device (the “App”). During the consultation, the specialist will capture information relating to the Member’s condition and the outcome of the consultation. This will be recorded securely in the App and will not be shared with the data exporter without the Member’s consent.
Technical and Organisational Security Measures
The Data Importer has implemented a suitable set of information security controls including policies, practices, procedures and organizational structures to protect the confidentiality, integrity and availability of personal data entrusted to it and to protect against unauthorised or accidental access, change, loss or destruction, unauthorised transmission or other unauthorised processing as well as other misuse. Furthermore, the Data Importer has a security assessment program where periodic independent assessments are undertaken with an aim to ensure continual effectiveness.
The technical/organizational security measures implemented by the Data Importer in accordance with Clause 4(c) of this Exhibit are as set out below (as amended and updated from time to time by the Data Importer):
With regard to organizational protection the Data Importer undertakes to apply at least the following measures:
|·||The security measures set forth in Exhibit F (Security) and Exhibit D (HIPAA and GLBA – Business Associate Agreement) to the Agreement to which these Standard Contractual Clauses are attached.|
Personnel Security (Human Resources Security)
|·||The security measures set forth in Exhibit F (Security) and Exhibit G (Background Investigations) D.|
Business Continuity Planning
|·||The measures set forth in Exhibit F (Security) and Section 9 of the Agreement to which these Standard Contractual Clauses are attached.|
Physical & Environmental Security
|·||The security measures set forth in Exhibit F (Security) to the Agreement to which these Standard Contractual Clauses are attached.|
With regard to technical protection the Data Importer undertakes to apply at least the following measures:
|·||Access rights will be granted based on job role, terminated upon transfer or termination. Maintain a strong password policy requiring a minimum length, complexity, password expiration and account lockout upon multiple failed logon attempts. Workstations will be protected with boot passwords, hard drive encryption and antivirus, as well as other applicable security measures set forth in Exhibit F (Security) to the Agreement to which these Standard Contractual Clauses are attached.|
|·||In addition to the other applicable security measures set forth in Exhibit F (Security) to the Agreement to which these Standard Contractual Clauses are attached, access rights will be granted based on job role, terminated upon transfer or termination. Maintain a strong password policy requiring a minimum length, complexity, password expiration and account lockout upon multiple failed logon attempts. [***].|
|·||In addition to the other applicable security measures set forth in Exhibit F (Security) to the Agreement to which these Standard Contractual Clauses are attached, the production network will be protected by firewalls. Strict ingress / egress rules will be configured to restrict communications between servers to only those the application requires. The production network will be monitored by an intrusion detection system and administrators will receive security alerts. All network access will be logged. [***].|
The requirements of this Exhibit are applicable if and to the extent that: (1) Vendor accesses Customer Information Systems (as defined below); or (2) Vendor creates, has access to, or receives from or on behalf of Customer any Customer Information (as defined below) in electronic format. The requirements set forth in this Exhibit are in addition to, and do not substitute for: (i) any of Vendor’s other obligations under the Agreement, including any Exhibits or applicable Statements of Work; and (ii) any requirements imposed upon Vendor by applicable law. To the extent that any requirements set forth in this Exhibit conflict with other requirements under the Agreement (including any Exhibits or applicable Statements of Work), then the requirement most protective of Customer, in Customer’s reasonable determination, shall apply.
1. Definitions. The following terms shall have the meanings as set forth below:
1.1 “Confidential Information” has the meaning set forth in the Agreement.
1.2 “Customer” means United Healthcare Services, Inc.
1.3 “Customer Information” means any Confidential Information of Customer that includes or is comprised of any of the following:
(a) Protected health information (i.e., any information that would be termed “protected health information” under the provisions of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations);
(b) Non-public personal information (i.e., any information that would be termed “non-public personal information” under the Federal Gramm-Leach-Bliley Act, any related state statutes, and any related federal or state regulations);
(c) Personal data (i.e., any information relating to an identified or identifiable natural person, as further defined under the European Union Directive 95/46/EC and each EU member state's implementing laws, including any regulations and codes of conduct issued under such laws);
(d) Cardholder data, as that term is defined in the most current version of the Payment Card Industry (PCI) Data Security Standard; or
(e) Other personal information (i.e., other personally identifiable information about individuals, or information that can be used to identify individuals, the disclosure and/or use of which is restricted by applicable federal or state law, including social security numbers).
1.4 “Customer Information Systems” means information systems resources supplied or operated by Customer or its contractors, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity that are owned, controlled or administered by or on behalf of Customer.
1.5 “HITRUST” means the Health Information Trust Alliance.
1.6 “HITRUST CSF” or “CSF” means the HITRUST common security framework against which Vendor’s security program will be assessed, validated and certified. The common security framework is comprised of a common set of information security requirements with standardized assessment and reporting processes accepted and adopted by healthcare organizations.
1.7 “HITRUST CSF Certification” means a CSF third-party validated report with certification, which certification has been issued by HITRUST based on testing performed by an independent CSF assessor and reviewed, approved and certified by HITRUST.
1.8 “HITRUST CSF Self-Assessment Report” means the report issued by HITRUST upon its validation of the self-assessment conducted by Vendor using the standard methodology, requirements, and tools provided under HITRUST’s CSF Assurance Program.
1.9 “HITRUST CSF Validated Report” means a CSF third-party validated report, issued by an authorized CSF assessor based on on-location testing.
1.10 “Independent Certification/Attestation” means: (a) a HITRUST CSF Certification; or (b) an alternative certification (e.g., EHNAC, SOC 2 Type 2, or ISO27001) designed to document and measure performance against control objectives that map to applicable HITRUST CSF requirements, controls, and control specifications and/or other relevant standards (“Alternative Certification”), as approved by Customer pursuant to Section 3.4 and described in Attachment 2.
1.11 “Mitigate” means Vendor has deployed security controls as necessary to reduce the adverse effects of threats and reduce risk exposure to a level reasonably acceptable by Customer.
1.12 “Remediation” or “Remediate”, as applicable, means that Vendor has completely resolved a security exposure or Security Incident, such that the vulnerability no longer poses a risk to Customer Information Systems or Vendor Processing Resources, as applicable.
1.13 “Security Incident” means the unauthorized access, use, disclosure, modification, or destruction of Customer Information or access to or interference with the operations of any Customer Information Systems or Vendor Processing Resources. Security Incidents are classified as follows:
(a) “High Severity” or severity 1 (severe impact) means [***].
(b) “Medium Severity” or severity 2 (major impact) means [***].
(c) “Low Severity” or severity 3 (moderate impact) means [***].
1.14 “Services” has the meaning set forth in the Agreement. If the term “Services” is not defined in the Agreement, then Services means any services or functions provided by Vendor to Customer under the Agreement.
1.15 “Vendor Processing” means any information collection, storage or processing performed by Vendor or its subcontractors that: (i) directly or indirectly supports the Services or functions now or hereafter furnished to Customer; and (ii) involves the storage, processing, use or creation of, or access to, any Customer Information.
1.16 “Vendor Processing Resources” means information processing resources supplied or operated by Vendor, including without limitation, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, printers, proprietary applications, Internet connectivity, printers and hard copies which are used, either directly or indirectly, in support of Vendor Processing.
2.1 Security Program. Vendor shall maintain a comprehensive security program under which Vendor documents, implements and maintains the physical, administrative, and technical safeguards necessary to: (a) comply with applicable law; and (b) protect the confidentiality, integrity, availability, and security of Vendor Processing Resources and Customer Information. Vendor’s security program shall be consistent with the requirements of this Exhibit and shall be designed to ensure compliance with the provisions of applicable law, including without limitation the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Payment Card Industry Data Security Standards (PCI DSS), and Sarbanes-Oxley (SOX).
2.2 Vendor Security Contact. Vendor shall designate [***] to serve as Vendor’s points of contact for Customer on all security issues. Vendor’s Security Representatives shall be responsible for overseeing compliance with this Exhibit. Vendor shall maintain [***] for the Security Representatives’ roles, and will replace a Security Representative within [***] should an individual serving as one of the Security Representatives change roles or no longer be employed by Vendor. Within [***] of the Effective Date and within [***] of identifying a new individual to serve in such role, Vendor will provide Customer with the name and title of, and the [***] contact information (including email and phone number) for the Security Representatives.
2.3 Policies and Procedures. Vendor shall maintain written security management policies and procedures to identify, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, or security of Vendor Processing Resources and/or Customer Information. Such policies and procedures shall: (a) assign specific data security responsibilities and accountabilities to specific role(s); (b) include a formal risk management program which includes periodic risk assessments; and (c) provide an adequate framework of controls that safeguard Vendor Processing Resources, Customer Information Systems and Customer Information. Vendor shall provide such policies and procedures to Customer for review upon Customer’s request at any time during the Term.
2.4 Subcontractors. To the extent that any Vendor subcontractor accesses Customer Information Systems or creates, has access to, or receives from or on behalf of Customer any Customer Information in electronic format, Vendor shall enter into a written agreement with such subcontractor [***].
2.5 IT Change and Configuration Management. In addition to any specific requirements set forth in the applicable Statement of Work, Vendor shall employ reasonable processes, consistent with industry best practices, for change management, code inspection, repeatable builds, separation of development and production environments, and testing plans. Code inspections must include a comprehensive process to identify vulnerabilities and malicious code, including but not limited to logic-bombs, sniffers, and backdoors. In addition, Vendor shall ensure that processes are documented and implemented for vulnerability management, patching, and verification of system security controls prior to their connection to production networks.
2.6 Change Notifications. In addition to any specific requirements and subject to any specific conditions set forth in the Agreement or the applicable Statement of Work, Vendor shall provide Customer with at least [***] prior written notice of any relevant material changes that will negatively impact security, to Vendor’s information technology infrastructure, facilities, or resources associated with information security governance and oversight, security, network, and infrastructure operations and any key personnel responsible for ensuring a secure environment spanning Vendor, any of its subcontractors, and Customer.
2.7 Data Retention. Vendor shall not retain any Customer data following completion of the applicable Services, except to the extent: (a) required by law; (b) required pursuant to Exhibit H (Medicare Advantage Regulatory Requirements Appendix); or (c) expressly required by Customer in writing. At Customer’s request, Vendor shall certify to Customer in writing that all Customer data has been returned or destroyed, as required under this Agreement.
|3.||Security Assessment and Independent Certification Requirements|
3.1 Applicability. Vendor is required to demonstrate to Customer, through an Independent Certification / Attestation as further set forth in this Section 3, that Vendor has in place appropriate controls to protect Customer Information.
3.2 Security Assessment. [***] Vendor shall have completed a security assessment conducted by Customer’s Information Risk Management department (“Security Assessment”). The Security Assessment may: (a) rely on the Independent Certification/Attestation Vendor provided to Customer; or (b) be in addition to the Independent Certification/Attestation, in Customer’s sole discretion. In addition, Customer may require additional Security Assessments in connection with Statements of Work for new or additional Services. Any remediation requirements identified during a Security Assessment will be documented and tracked using a tool provided by Customer (e.g., a vendor portal or spreadsheet). Vendor will complete such remediation requirements within the agreed upon timeframes. Material remediation requirements may also be set forth in Attachment 1 or the applicable Statement of Work. [***].
3.3 Independent Certification / Attestation – HITRUST CSF Certification. Vendor shall have, as of the Effective Date, and shall maintain through the period described in Section 3.6, a HITRUST CSF Certification. To the extent that Vendor does not have a HITRUST CSF Certification as of the Effective Date, or is in the process of obtaining a HITRUST CSF Certification, the requirements of Section 3.4 or Section 3.5, as applicable, shall apply. In order to meet the requirements of this Exhibit, the scope of all assessment, review, testing, validation and certification activities under Vendor’s HITRUST CSF Certification must include all Vendor Processing Resources and Vendor Processing, as well as applicable Vendor facilities used in connection with the provision of the Services.
3.4 Independent Certification / Attestation – Other. Subject to Customer’s prior written consent, which may be withheld or conditioned in Customer’s sole discretion, Vendor may meet the requirements of this Section 3 by obtaining and maintaining an Alternative Certification. To the extent that Customer approves the use of an Alternative Certification, the approved Alternative Certification and a description of the relevant control objectives or similar requirements shall be set forth in Attachment 2.
3.5 HITRUST CSF Implementation Requirements. To the extent that Vendor has not obtained a HITRUST CSF Certification (and Customer has not approved the use of an Alternative Certification), then: (a) the requirements of Section 3.7 shall apply; and (b) Vendor shall (i) complete and provide to Customer a HITRUST CSF Self-Assessment Report, (ii) obtain and provide to Customer a HITRUST CSF Validated Report, and (iii) obtain and provide to Customer a HITRUST CSF Certification by the respective deadlines set forth in Attachment 3. Vendor’s failure to meet the foregoing requirements shall be deemed to be a material breach of the Agreement. If Vendor has begun the process of obtaining a HITRUST CSF Certification before the Effective Date, then Vendor represents and warrants to Customer that all corrective action plans that are necessary to obtain a HITRUST CSF Validated Report and/or HITRUST CSF Certification and that have been identified to Vendor prior to the Effective Date are included in Attachment 3.
3.6 Independent Certification / Attestation Timing Requirements. To the extent that an Independent Certification/Attestation is required under this Exhibit, Vendor shall maintain such Independent Certification/Attestation (and continue to meet the applicable requirements of this Exhibit regarding such Independent Certification/Attestation) until the later of: (a) the expiration or earlier termination of the Agreement; or (b) Vendor no longer maintains (including in archived or secure storage) or has access to, any Customer Information.
3.7 Interim Requirements. Until such time as Vendor obtains either a HITRUST CSF Certification or an Alternative Certification approved by Customer, the requirements of Attachment 4 shall apply.
3.8 Reporting of Findings. Upon Customer’s request, Vendor shall report to Customer any findings and associated corrective action plans identified during a self-assessment or any third party assessment, including any assessment related to Vendor’s Independent Certification / Attestation. Vendor will provide Customer with any further information associated with such findings, as reasonably requested by Customer.
|4.||Security Monitoring and Response|
4.1 Mitigation and Remediation of Security Exposures. Vendor will Mitigate or Remediate any High Severity security exposure or finding discovered by Customer or Vendor within [***] from the time Vendor becomes aware of the exposure or finding. Vendor will Mitigate or Remediate any Medium Severity or Low Severity security exposure or finding discovered by Customer or Vendor within [***] from the time Vendor becomes aware of the exposure or finding. With respect to security exposures that are Mitigated (but not Remediated), Vendor must Remediate such security exposures within [***] after being Mitigated (in the case of High Severity exposures) and [***] after being Mitigated (in the case of Medium Severity exposures), and [***] after being Mitigated (in the case of Low Severity exposures). If Vendor fails to Mitigate or Remediate any security exposure or finding within the required timeframe: [***].
4.2 Incident Response. Vendor shall maintain formal processes to detect, identify, report, respond to, Mitigate, and Remediate Security Incidents in a timely manner.
4.3 Incident Notification. Vendor shall notify Customer in writing within [***] of any Security Incident(s) which result in, or which Vendor reasonably believes may result in, unauthorized access to, modification of, or disclosure of Customer Information, Customer Information Systems or other Customer applications. Vendor shall provide Customer with a written Remediation plan within [***] of the Security Incident. Notwithstanding the notice provisions of the Agreement, Vendor shall send all notifications and written communications required under this Section to Customer at ***@***.
4.4 Incident Remediation. Upon becoming aware of a Security Incident, Vendor will assign a severity level (i.e., High Severity, Medium Severity or Low Severity) based on the definitions set forth in this Exhibit. Vendor will reclassify the Severity Level of any Security Incident upon Customer’s reasonable request. Vendor will Mitigate or Remediate any High Severity Security Incident within [***] from the time Vendor becomes aware of the incident. Vendor will Mitigate or Remediate any Medium Severity or Low Severity Security Incident within [***] from the time Vendor becomes aware of the incident. With respect to Security Incidents that are Mitigated (but not Remediated), Vendor must Remediate such Security Incidents within [***] after being Mitigated (in the case of High Severity incidents) and [***] after being Mitigated (in the case of Medium Severity incidents), and [***] after being Mitigated (in the case of Low Severity incidents). If Vendor fails to Mitigate or Remediate any Security Incident within the required timeframe: [***].
4.5 Site Outage. Vendor shall promptly report to Customer any Vendor site outages where such outage may impact Customer or Vendor’s ability to fulfill its obligations to Customer.
|5.||Hosting, Virtualization Services, and Data Aggregation|
5.1 Limits on Shared Hosting and Virtualization. Vendor shall not utilize (nor permit any subcontractor to utilize) any shared hosting or virtualized “cloud” hosting arrangements in support of Customer without Customer’s prior written approval.
5.2 Co-Mingled or Aggregated Data. Vendor shall not [***] Customer Information or any Confidential Information of Customer (including, for example, program code, database scripts, data extracts, process flows, calculations, macros, and business logic) [***] without Customer’s prior written approval. Vendor will obtain Customer’s prior written approval of each Vendor (or subcontractor) data center in which Customer Information is stored or processed.
5.3 Logical and Physical Segregation. Vendor shall physically and/or logically segregate Customer data from data of other Vendor customers.
|6.||Licenses; Software Development|
6.1 No License Granted. Nothing in this Exhibit grants to Vendor, either expressly or by implication, any right or license to access or use for any purpose any Customer Information, Customer Information Systems, or any software in Customer’s computing environments. This Exhibit does not transfer to Vendor title of any ownership rights or rights in patents, copyrights, trademarks and trade secrets included in Customer Information Systems.
6.2 Software Usage. Vendor shall not attempt to copy, alter, decompile, reverse engineer, or disassemble any of the software programs contained in Customer Information Systems.
6.3 Software Development. If the Services include the development of software product(s), including web applications, for Customer, such software shall be developed and maintained in accordance with the development methodology specified by Customer. Such software shall satisfy the appropriate Customer information security policies and guidelines that are furnished by Customer to Vendor (which are incorporated herein by reference). Vendor shall comply with any instructions, guidelines or minimum compliance controls that are furnished by Customer to Vendor (which are incorporated herein by reference) to enable Customer to comply with SOX and/or other applicable laws and regulations. To the extent that Vendor uses internally-developed software or web applications to provide the Services, even if such items are not developed exclusively for Customer, then (a) Vendor shall ensure that such items comply with any instructions, guidelines or minimum compliance controls that are furnished by Customer to Vendor (which are incorporated herein by reference) to enable Customer to comply with applicable laws and regulations, and (b) Vendor will provide Customer with such information as is reasonably necessary for Customer to confirm that applicable compliance controls are in place.
7. Audit. Notwithstanding anything to the contrary in the Agreement, Vendor will provide to Customer, its auditors (including internal audit staff and external auditors), inspectors, regulators and other representatives as Customer may from time to time designate in writing, access [***] to any facility or part of a facility at which either Vendor or any of its subcontractors is performing Vendor Processing or which contains Vendor Processing Resources, and to data and records relating to Vendor Processing, Vendor Processing Resources, and information security for the purpose of performing audits and inspections of Vendor and any of its subcontractors to (a) verify the integrity of Customer Information and examine the systems that process, store, secure, support and transmit Customer Information; (b) verify Vendor’s and its subcontractors’ compliance with the requirements of this Exhibit, and (c) review general controls and security practices and procedures. Vendor will cooperate fully with Customer or its designees in connection with audit functions and with regard to examinations by regulatory authorities. Customer’s auditors and other representatives will comply with Vendor’s reasonable security requirements in the performance of such audit.
8. Amendments. Notwithstanding anything to the contrary set forth in the Agreement, Customer may amend this Exhibit by providing at least [***] prior written notice to Vendor if Customer reasonably determines that such amendment is necessary for Customer to comply with the Standards for Privacy of Individually Identifiable Health Information or the Security Standards for the Protection of Electronic Protected Health Information (both of which are set forth at 45 CFR Parts 160 and 164) or any other federal, state or local law, regulation, ordinance, or requirement relating to the confidentiality, integrity, availability, or security of Customer Information.
Security Assessment Remediation Requirements
[ ] Not applicable.
|#||Remediation Requirement||Completion Criteria||Implementation Date|
|[***]||Independent Review of Information Security||[***] be performed [***] in order to provide reasonable assurance that security practices and operations are effective.||No later than [***] from the Effective Date of this MSA|
(add rows as necessary)
Alternative Certification Requirements
[ ] Not applicable.
Customer approves and consents to the SOC 2 Type II report submitted by Vendor as an Alternative Certification in compliance with Section 3.3 of this Exhibit E (Security), until such time as Vendor obtains the SOC 2 Type II report mapped to the HITRUST CSF. Vendor shall maintain such Alternative Certification in compliance with this Agreement at all times.
Furthermore, Vendor is in the process of obtaining a SOC 2 Type II report mapped to the HITRUST CSF. The controls tested during this process, as well as in future assessments, as part of the SOC 2 Type II shall cover all of the HITRUST controls in the then-current mapping principles to the HITRUST CSF, or as otherwise communicated to Vendor in writing during the term of this Agreement. The current version can be found at: https://hitrustalliance.net/csf-rmf-related-documents/ or https://hitrustalliance.net/soc2/. Vendor will obtain the SOC 2 Type II report mapped to the HITRUST CSF no later than [***] from the Effective Date of this MSA. Vendor will provide Customer with a copy of the SOC 2 Type II report mapped to the HITRUST CSF, along with any supporting documentation requested of Vendor, within [***] of receipt from the certifying authority. Vendor shall maintain its certification in compliance with this Agreement at all times.
HITRUST CSF Implementation Plan
[x] Not applicable.
|HITRUST CSF Self-Assessment Report||[***] after the Effective Date|
|HITRUST CSF Validated Report||[***] after the Effective Date|
|HITRUST CSF Certification||[***] after the Effective Date|
2. Corrective Action Plans.
[x] Not applicable.
1. Definitions. The following terms shall have the meanings as set forth below:
1.1 “Device” means equipment or electronic media on which Customer Information is accessed, stored or processed, including without limitation storage drives or tapes, removable drives or media (to the extent permitted by Customer), desktop and laptop computers, tablets, and mobile devices.
1.2 “Vendor Personnel” will mean employees, contractors or agents of Vendor, or of its subcontractors, who provide Services (or any component thereof) to Customer.
2. Security Management (Infrastructure Protection)
Vendor shall maintain industry standard procedures to protect Vendor Processing Resources, including, at a minimum:
(a) Formal security programs (e.g., policies, standards, processes);
(b) Content-aware solutions (i.e., data loss prevention) to discover, monitor, and protect data in transit and at rest across network, storage, and endpoint systems;
(c) Processes for becoming aware of and maintaining security patches and fixes;
(d) Router filters, firewalls, and other mechanisms to restrict access to the Vendor Processing Resources, including without limitation all local site networks that may be accessed via the Internet (whether or not such sites transmit information);
(e) Resources used for mobile access to Customer Information Systems shall be protected against attack and penetration through the use of firewalls, malware detection/prevention, and encryption; and
(f) Processes to prevent, detect, and eradicate malicious code (e.g., viruses) and to notify Customer of instances of malicious code detected on Vendor Processing Resources that may affect Customer Information or Customer Information Systems. Notwithstanding the notice provisions of the Agreement, Vendor shall send all notifications and written communications required under this Section to Customer at ***@***.
3.1 General Requirements. Vendor shall maintain appropriate safeguards and controls and exercise due diligence to protect Customer Information and Vendor Processing Resources against unauthorized access, use, and/or disclosure, considering all of the factors and/or requirements listed below. In the event of any conflict or inconsistency between relevant requirements, Vendor shall protect the Customer Information and Vendor Processing Resources in accordance with [***]:
(a) Federal and state legal and regulatory requirements;
(b) Information technology and healthcare industry best practices (e.g., HITRUST Common Security Framework);
(c) Sensitivity of the data;
(d) Relative level and severity of risk of harm should the integrity, confidentiality, availability or security of the data be compromised, as determined by Vendor as part of an overall risk management program;
(e) Customer’s data security requirements, as set forth in this Exhibit, the due diligence process and/or in the Agreement; and
(f) Any further information security requirements which are included in a Statement of Work or equivalent document which is attached to or relates to the Agreement.
3.2 Internal Risk Assessment. Vendor shall periodically [***] evaluate its processes and systems to ensure continued compliance with obligations imposed by law, regulation or contract with respect to the confidentiality, integrity, availability, and security of Customer Information and Vendor Processing Resources. Vendor shall document the results of these evaluations and any remediation activities taken in response to such evaluations, and provide a copy to Customer, upon Customer’s request.
3.3 Internal Records. Vendor shall maintain mechanisms to capture, record, and examine information relevant to Security Incidents and other security-related events. In response to such events, Vendor shall take appropriate action to address and remediate identified vulnerabilities to Customer Information and Vendor Processing Resources, including as set forth in this Exhibit.
3.4 Vulnerability Assessment and Patch Management. Vendor shall provide Customer with the results of external vulnerability testing, internal infrastructure vulnerability testing, and application vulnerability testing. Vendor will perform (and, at Customer’s request, allow Customer to perform) penetration tests of applicable Vendor environments, including perimeter vulnerability testing, internal infrastructure vulnerability testing, and application testing. Vendor shall also ensure that appropriate patches and security updates are applied in accordance with OEM recommendations or (subject to Customer’s prior written approval) industry standards and best practices. Vendor shall provide process documentation and assessment results to Customer upon Customer’s request.
3.5 Audit and Attestation Practices. Vendor shall provide to Customer [***] information on its audit processes, procedures and controls, including a report on any findings and remediation efforts. If Vendor has not, as of the Effective Date, obtained a HITRUST CSF Certification or an Alternative Certification approved by Customer to permanently substitute for the HITRUST CSF Certification, then Vendor shall provide Customer an interim Alternative Certification. Vendor shall provide such Alternative Certification as of the Effective Date and [***] thereafter until (a) Vendor obtains a HITRUST CSF Certification approved by Customer, or (b) the Agreement expires or is terminated.
3.6 Vendor Locations. Unless previously authorized by Customer in writing, all work performed by Vendor related to the Agreement shall be performed from the Vendor location(s) designated in the Agreement and/or relevant Statement of Work(s).
4.1 Access to Customer Information. Vendor shall require that Vendor Personnel who have, or may be expected to have, access to Customer Information or Customer Information Systems comply with the provisions of the Agreement, including this Exhibit and any confidentiality agreement(s) or Business Associate Agreement(s) binding upon Vendor. Vendor will remain responsible for any breach of this Exhibit by Vendor Personnel.
4.2 Security Awareness. Vendor shall ensure that Vendor Personnel remain aware of industry standard security practices, and their responsibilities for protecting the Customer Information. Vendor shall provide information security awareness training and education to all Vendor Personnel upon hire, during the on-boarding process, and annually thereafter. Such information security awareness education and training shall address the responsibilities related to the Services provided to Customer. Customer may, at its option, review the content of, and request modifications to, the training curriculum. Vendor shall accommodate all of Customer’s reasonable requests in this regard. Participation in such training by Vendor Personnel shall be mandatory and Vendor shall track attendance and, at Customer’s request, provide a confirmation that all Vendor Personnel have completed such training. Vendor’s information security awareness training shall include, but not be limited to:
(a) Protection against malicious software (such as viruses);
(b) Appropriate password protection and password management practices;
(c) Appropriate use of workstations and computer system accounts;
(d) HIPAA and HITECH requirements, including the Privacy Rule and Security Rule;
(e) Vendor’s information security policies;
(f) Any applicable acceptable use policies;
(g) Relevant obligations set forth in the Agreement; and
(h) Procedures for reporting Security Incidents.
4.3 Sanction Policy. Vendor shall maintain a sanction policy to address violations of Vendor’s internal security requirements or security requirements which are imposed on Vendor by law, regulation, or contract.
4.4 Supervision of Workforce. Vendor shall maintain processes for authorizing and supervising Vendor Personnel and for monitoring access to Customer Information, Customer Information Systems and/or Vendor Processing Resources.
Vendor shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to Vendor Processing Resources and areas in which Customer Information is stored or processed. Where practicable, this obligation shall include controls to physically protect hardware (e.g., lockdown devices). Vendor shall adopt and implement a written facility security plan which documents such controls and the policies and procedures through which such controls will be maintained. Vendor shall maintain appropriate records of maintenance performed on Vendor Processing Resources and on the physical control mechanisms used to secure Vendor Processing Resources. Vendor shall obtain Customer’s prior written approval before moving storage or processing of Customer Information, or Vendor Personnel who have access to Customer Information or Customer Information Systems, to any location not previously authorized by Customer. Vendor agrees and acknowledges that any such relocation may require updates to any applicable Independent Attestation/Certification, and Vendor will not complete any such relocation until such updates have been completed.
6. Security Monitoring and Response
6.1 Incident Response. Vendor shall maintain formal processes to detect, identify, report, respond to, Mitigate, and Remediate Security Incidents in a timely manner.
6.2 Incident Notification. Vendor shall notify Customer in writing within [***] of any Security Incident(s) which result in, or which Vendor reasonably believes may result in, unauthorized access to, modification of, or disclosure of Customer Information, Customer Information Systems or other Customer applications. Vendor shall provide Customer with a written Remediation plan within [***] of the Security Incident. Notwithstanding the notice provisions of the Agreement, Vendor shall send all notifications and written communications required under this Section to Customer at ***@***.
6.3 Incident Remediation. Upon becoming aware of a Security Incident, Vendor will assign a severity level (i.e., High Severity, Medium Severity or Low Severity) based on the definitions set forth in this Exhibit. Vendor will reclassify the Severity Level of any Security Incident upon Customer’s reasonable request. Vendor will Mitigate or Remediate any High Severity Security Incident within [***] from the time Vendor becomes aware of the incident. Vendor will Mitigate or Remediate any Medium Severity or Low Severity Security Incident within [***] from the time Vendor becomes aware of the incident. With respect to Security Incidents that are Mitigated (but not Remediated), Vendor must Remediate such Security Incidents within [***] after being Mitigated (in the case of High Severity incidents) and [***] after being Mitigated (in the case of Medium Severity incidents), and [***] after being Mitigated (in the case of Low Severity incidents). If Vendor fails to Mitigate or Remediate any Security Incident within the required timeframe: [***].
6.4 Site Outage. Vendor shall promptly report to Customer any Vendor site outages where such outage may impact Customer or Vendor’s ability to fulfill its obligations to Customer.
7. Data and Communications Security
7.1 Exchange of Customer Information. Vendor shall utilize a method of transmitting Customer Information electronically that limits the unauthorized access to and/or modification of such information.
7.2 Data Retention. Vendor shall not retain any Customer data following completion of the applicable Services, except to the extent (a) required by law, (b) required pursuant to Exhibit H (Medicare Advantage Regulatory Requirements Appendix), or (c) expressly required by Customer in writing. Subject to the foregoing, Vendor shall ensure that following the completion of the applicable Services, the Customer data used in connection with such Services is Securely Deleted in accordance with Vendor’s records retention policy, which shall be developed by Vendor and reviewed by Customer. At Customer’s request, Vendor shall certify to Customer in writing that all Customer data has been destroyed as required hereunder. As used herein, “Securely Deleted” (or “Securely Delete”) means that (i) hard copy materials are destroyed and cannot be reconstructed (e.g., shredded); (ii) electronic files are deleted and overwritten to a level sufficient to ensure that they cannot be retrieved or reconstructed and that any Customer data contained in the files is rendered unreadable, unusable and indecipherable; and (iii) Devices are physically destroyed, degaussed or overwritten in accordance with NIST Special Publication 800-88. Vendor shall Securely Delete any Customer data provided by Customer but not required by Vendor for performance of the applicable Services promptly after Vendor discovers that such data is not needed, provided, however, that if such prompt deletion would require Vendor to reallocate resources and impact Vendor’s ability to meet Service Level requirements or deadlines established by Customer, then Customer and Vendor will work together to establish a schedule for such deletion.
7.3 Encryption. Vendor shall ensure that all Customer data containing Customer Information, whether stored (i.e., “data at rest”) or transmitted by Vendor (i.e., “data in motion”) over the public internet, is encrypted using valid encryption processes. Full disk encryption must be implemented on any desktop or laptop computer on which Customer data is stored or processed. Valid encryption processes for data at rest are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for data in motion are those which comply, as appropriate [***]: (a) NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, and 800-77, Guide to IPsec VPNs; (b) the requirements of applicable data security and/or privacy laws in the country from which the Customer Information originates; or (c) other encryption processes which are Federal Information Processing Standards (FIPS) 140-2 validated. Vendor shall maintain such encryption for all transmissions by Vendor of Customer data via public networks (e.g., the Internet). Such transmissions include, but are not limited to:
(i) Sessions between web browsers and web servers;
(ii) Email containing Customer Information (including passwords);
(iii) Transfer of files via the Internet (e.g., FTP);
(iv) Laptop / desktop encryption;
(v) Mobile Device encryption; and
(vi) Removable storage media encryption (e.g., thumb drives, external hard drives, writable CD drives, backup tapes).
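As an added illustration that is not part of the Agreement or of either party's materials: the script below checks a web server's TLS settings against the kind of "valid encryption process" policy that Section 7.3 points to through NIST SP 800-52, namely TLS 1.2 or later only and no cipher suite that relies on RC4, (3)DES, NULL or anonymous key exchange, export-grade ciphers or MD5. The nginx-style directives, the protocol and keyword lists, and both sample configurations are assumptions constructed for this example; the policy lists paraphrase common practice rather than quoting SP 800-52. A configuration review of this kind complements, and does not replace, testing the live endpoint.

```python
import re

# Assumed policy (an assumption of this example, not text from the Agreement or SP 800-52):
# TLS 1.2 or later only, and no suite built on RC4, DES/3DES, NULL/anonymous, export or MD5.
PROHIBITED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_KEYWORDS = {"NULL", "eNULL", "aNULL", "EXPORT", "EXP", "LOW", "RC4",
                 "DES", "3DES", "MD5", "ADH", "AECDH"}
CATCH_ALL = {"ALL", "COMPLEMENTOFALL", "DEFAULT"}

# Matches nginx-style `ssl_<name> <value>;` directives, one per line.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.+?)\s*;", re.MULTILINE)


def parse_ssl_directives(config: str) -> dict:
    """Collect the ssl_* directives of a config as {name: value} (quotes stripped)."""
    return {m.group(1): m.group(2).strip("'\"") for m in DIRECTIVE_RE.finditer(config)}


def weak_cipher_findings(cipher_string: str) -> list:
    """Flag OpenSSL cipher-string selectors that can still admit a weak suite.

    A '!' token excludes every suite containing that keyword, as OpenSSL does;
    '-' removal is treated the same way here (an approximation, since OpenSSL
    lets a later token re-add what '-' removed).
    """
    excluded, selectors = set(), []
    for tok in cipher_string.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] in "!-":
            excluded.add(tok[1:])
        else:
            selectors.append(tok.lstrip("+"))
    findings = []
    for sel in selectors:
        parts = set(sel.split("-")) | {sel}
        if parts & excluded:
            continue  # suite removed by an exclusion such as !MD5
        if sel in CATCH_ALL:
            findings.append(f"catch-all selector '{sel}': enumerate approved suites explicitly")
            continue
        weak = sorted(parts & WEAK_KEYWORDS)
        if weak:
            findings.append(f"weak cipher selector '{sel}' ({', '.join(weak)})")
    return findings


def check_tls_config(config: str) -> list:
    """Return policy findings for one server config; an empty list means it passes."""
    d = parse_ssl_directives(config)
    findings = []
    protocols = set(d.get("ssl_protocols", "").split())
    if not protocols:
        findings.append("ssl_protocols not set; the server falls back to its build default")
    for p in sorted(protocols & PROHIBITED_PROTOCOLS):
        findings.append(f"prohibited protocol enabled: {p}")
    if protocols and not protocols & ACCEPTED_PROTOCOLS:
        findings.append("neither TLS 1.2 nor TLS 1.3 is enabled")
    if "ssl_ciphers" not in d:
        findings.append("ssl_ciphers not set; the server falls back to its build default")
    else:
        findings.extend(weak_cipher_findings(d["ssl_ciphers"]))
    # TLS 1.3 suites are all AEAD; the server-preference question matters for TLS 1.2.
    if "TLSv1.2" in protocols and d.get("ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is off; a client may pick the weakest "
                        "mutually supported TLS 1.2 suite")
    return findings


# Constructed sample configurations (assumptions for this example).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:AES128-SHA:HIGH:!aNULL";
    ssl_prefer_server_ciphers off;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_tls_config(cfg) or "no findings")
```

Run against the weak sample the check reports the three legacy protocol versions, the RC4 and 3DES selectors and the missing server preference; the hardened sample produces no findings. The exclusion handling matters in practice: a string such as `HIGH:!aNULL:!MD5` is clean even though `MD5` appears in it, because the `!` removes rather than admits the suite.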
7.4 Protection of Systems, Devices and Storage Media. With respect to all Vendor systems or Devices containing Customer data, Vendor shall ensure all reasonable, industry-standard measures are taken to physically secure such Devices to prevent any unauthorized disclosure while in transit and while at rest. Vendor shall ensure that all Devices on which Customer data was stored or processed are Securely Deleted before such Devices are used for any other purpose. No Device on which Customer data was stored or processed may be sold, donated, discarded, or otherwise disposed of or used by any organization unless such Device has been Securely Deleted. All media on which Customer data is stored shall be protected against unauthorized access or modification. Vendor shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of Devices, including certification of the Device being Securely Deleted.
7.5 Data Integrity. Vendor shall maintain processes to prevent unauthorized or inappropriate modification of Customer Information, for both data in transit and data at rest.
8.1 Identification and Authentication. All access to any Customer Information or any Vendor Processing Resources shall be Identified and Authenticated as defined in this Section. “Identification” (or “Identify,” as the context requires) refers to processes which establish the identity of the person or entity requesting access to Customer Information and/or Vendor Processing Resources. “Authentication” (or “Authenticate,” as the context requires) refers to processes which validate the purported identity of the requestor. For access to Customer Information or Vendor Processing Resources, Vendor shall require Authentication by the use of an individual, unique user ID and an individual password or other appropriate Authentication technique approved by Customer in writing. Vendor shall obtain written approval from Customer prior to using digital certificates as part of Vendor’s Identification or Authorization processes. Vendor shall maintain procedures to ensure the protection, integrity, and soundness of all passwords created by Vendor and/or used by Vendor in connection with the Agreement.
8.2 Account Administration. Vendor shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for Vendor Processing Resources and Customer Information. These processes shall be required for both Customer-related accounts and Vendor’s internal accounts for Vendor Processing Resources, and shall include procedures for granting and revoking emergency access to Vendor Processing Resources and Customer Information. All access by Vendor Personnel to Customer Information Systems shall be subject to prior approval by Customer and shall follow Customer standard policies and procedures.
8.3 Access Control. Vendor shall maintain appropriate access control mechanisms to prevent all access to Customer Information and/or Vendor Processing Resources, except by (a) specified users expressly authorized by Customer and (b) Vendor Personnel who have a “need to access” to perform a particular function in support of Vendor Processing. The access and privileges granted shall be limited to the minimum necessary to perform the assigned functions. Vendor shall maintain processes to ensure that Vendor Personnel access to Customer Information is revoked no later than [***] upon termination and [***] in the case of involuntary termination. Vendor shall maintain appropriate mechanisms and processes for detecting, recording, analyzing, and resolving unauthorized attempts to access Customer Information or Vendor Processing Resources. If Vendor Personnel change roles or for any other reason no longer require access to Customer Information Systems, Vendor will notify Customer within [***]. In the case of involuntary termination, Vendor will notify Customer within [***]. Notwithstanding the notice provisions of the Agreement, Vendor shall send all notifications and written communications required under this Section to Customer at [***].
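As an added illustration that is not part of the Agreement: Section 8.3 obliges Vendor to revoke access within fixed periods after termination and to detect unauthorized access attempts, which in operation means reconciling the HR separation feed against the identity system's audit trail. The script below does that reconciliation over a few constructed records: the HR events, the IAM audit lines, their field names and the two deadline values are all assumptions for this example (the Agreement redacts the actual periods as [***]), not data or code from either party.

```python
from datetime import datetime, timedelta

# Assumed revocation deadlines; the Agreement redacts the real periods as [***].
ASSUMED_DEADLINES = {"voluntary": timedelta(hours=24), "involuntary": timedelta(hours=1)}

# Constructed HR separation feed: (user, separation type, effective time).
HR_EVENTS = [
    ("alice", "voluntary", "2024-03-01T17:00:00"),
    ("bob", "involuntary", "2024-03-01T09:30:00"),
    ("carol", "voluntary", "2024-03-02T12:00:00"),
]

# Constructed IAM audit lines: ISO timestamp followed by key=value fields.
IAM_LOG = [
    "2024-03-01T09:35:00 user=bob action=disable_account actor=iam-automation",
    "2024-03-03T10:00:00 user=alice action=disable_account actor=helpdesk",
    "2024-03-02T13:00:00 user=carol action=password_reset actor=carol",
]

# Fixed "current time" so the report is reproducible (an assumption of the example).
SAMPLE_NOW = datetime(2024, 3, 5)


def parse_iam_line(line: str) -> dict:
    """Parse one 'ISO-timestamp key=value ...' audit line into a dict with a 'ts' datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def revocation_report(hr_events, iam_lines, deadlines=ASSUMED_DEADLINES, now=None) -> dict:
    """For each separated person report whether the account was disabled within the
    deadline for that separation type, how long revocation took, and how many actions
    the person's own account performed after the separation time (the signal that
    access outlived the employment)."""
    events = [parse_iam_line(line) for line in iam_lines]
    now = now or datetime.now()
    report = {}
    for user, separation_type, effective in hr_events:
        t0 = datetime.fromisoformat(effective)
        deadline = deadlines[separation_type]
        disables = [e["ts"] for e in events
                    if e.get("user") == user and e.get("action") == "disable_account"]
        own_activity = [e for e in events if e.get("actor") == user and e["ts"] > t0]
        if disables:
            lag = min(disables) - t0
            status = "ok" if lag <= deadline else "late"
            lag_hours = round(lag.total_seconds() / 3600, 2)
        else:
            lag_hours = None
            status = "not_revoked" if now - t0 > deadline else "pending"
        report[user] = {
            "status": status,
            "lag_hours": lag_hours,
            "post_separation_activity": len(own_activity),
        }
    return report


if __name__ == "__main__":
    for user, row in revocation_report(HR_EVENTS, IAM_LOG, now=SAMPLE_NOW).items():
        print(user, row)
```

On the sample data bob's involuntary separation is handled by automation within minutes, alice's voluntary separation is revoked 41 hours later and so misses the assumed 24-hour window, and carol's account is never disabled and is used by carol herself after the separation time, which is the case that should page the security team rather than wait for a periodic access review.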
8.4 Personal Devices and Removable Media. Vendor shall ensure the Vendor Personnel will not be permitted to, and will not, utilize personal computing equipment for accessing Customer Information Systems or processing Customer Information. Vendor shall monitor and prevent Customer data from being sent via social media or personal email accounts. Vendor shall restrict access to, and the use of removable media, such as USB ports, writable optical media, portable hard drives, and other removable media. Vendor may not (and shall cause Vendor Personnel to not) use any such removable media to store or transfer Customer Information without Customer’s prior written approval.
Vendor shall only have access to Customer Information Systems authorized by Customer and shall use such access solely for providing Services to Customer. Vendor shall not attempt to access any applications, systems or data which Customer has not authorized Vendor to access or which Vendor does not need to access in order to perform Services for Customer. Vendor further agrees to access such applications, data and systems solely to the extent minimally necessary to provide Services to Customer. Vendor's attempt to access any applications, data or systems in violation of the terms in this Section shall be a material breach of the Agreement.
Vendor shall, at its own expense, perform a background investigation on each individual assigned to perform Services under the Agreement which will involve: (i) unescorted access to any Customer facility, (ii) direct access or connectivity to any Customer Information Systems (as defined in Exhibit F), (iii) access to protected health information or non-public personal information, or (iv) driving on behalf of Customer (collectively, “High Access Services”).
Prior to the assignment of any individual to perform High Access Services, Vendor shall provide Customer with written confirmation that a background investigation has been successfully completed and passed in accordance with the requirements set forth below. Vendor shall be responsible for obtaining any necessary consent from such individuals to permit Customer full access to the background investigation reports. Vendor agrees to keep all such reports for a period of at least [***] past the last date the individual was assigned to Customer.
Vendor shall not permit any former employee of Customer, UnitedHealth Group, or any of their Affiliates to perform High Access Services without the prior written approval of the UnitedHealth Group Employee Relations department.
Should Vendor become aware, at any time during an individual’s assignment for Customer, that the individual is disqualified from performing High Access Services, Vendor shall immediately remove such individual from his or her assignment with Customer and shall notify Customer in writing within [***] of gaining such knowledge.
Customer reserves the right to regularly audit Vendor to determine whether the terms set forth herein are being completed to the satisfaction of Customer. Should Vendor fail to comply with any term of this Exhibit, Vendor shall, upon written request from Customer, pay to Customer a penalty of [***] per occurrence (i.e., per individual), which amounts Customer, at its sole discretion, may offset against sums otherwise owed to Vendor. Notwithstanding anything to the contrary in the Agreement or otherwise, this remedy is cumulative and in addition to any remedies available at law or in equity.
Nothing contained in this Agreement shall be construed to create any obligation on the part of Customer to disclose to Vendor, or to any individual, the reasons for its determination to terminate, or to decline, the assignment of an individual, or share any information obtained through a background investigation, except to the extent required by law.
Vendor shall meet the requirements of the Fair Credit Reporting Act, any regulations issued thereunder, and any other applicable state and federal laws.
Background Investigation Requirements:
1. Background investigations shall include:
• Social Security Number (SSN) trace verification (including disclosure of all other names by which the individual has been known and a check for validity, a suspicious issuance date or a deceased person result);
• System for Award Management (SAM) database for debarment from federal programs;
• Office of Foreign Assets Control Specially Designated Nationals (SDN) List;
• Felony and misdemeanor convictions filed at federal, state, and county government levels for the individual’s home, school and work addresses for the previous seven year period, including participation in court-ordered programs, deferred adjudication, probation and parole;
• The US Department of Justice National Sex Offender Public Website (NSOPW); and
• The following investigations, as applicable:
|In the event the assignment requires:||…the background investigation must include:|
|Driving on behalf of Customer||Motor Vehicle history in state of current licensure, state of residence, and state of assignment, if different.|
|Licensed health professional||FACIS Level 3 search|
|Educational degrees, licenses, or professional certifications required for the position||Verifications of such degrees / licenses / certifications|
2. Vendor Assignment Screening Matrix
Vendor shall make an initial determination as to whether an individual to be assigned to perform High Access Services has passed or failed the background investigation, or requires further review, in accordance with the following screening matrix:
If the background investigation results in a discrepancy or a positive hit, as applicable, consult this matrix and the legend below:
|Finding||Year 1||Year 2||Year 3||Year 4||Year 5||Year 6||Year 7|
|Misdemeanor Involving Theft, Fraud, Drugs or Violence||F||F||F||R||R||R||R|
|DMV – Major Violation(s)*||F||F||F||R||R||R||R|
|DMV – Minor Violation(s)*||R||R||P||P||P||P||P|
|FACIS Level 3 *||R||R||R||R||R||R||R|
* = If applicable to the position
F = FAIL
P = PASS
R = Requires evaluation and approval by Customer’s Employee Relations Department (HRdirect).
DMV – Minor Violation(s) = Any moving violation other than a Major Violation, as defined below.
DMV – Major Violation(s) = Hit and run, negligent homicide, reckless driving, careless driving, driving while license is suspended or revoked, driving while intoxicated, driving under the influence, and/or possession of open container of alcoholic beverage.
3. Drug Free Workplace Policy
Vendor is committed to protecting the safety, health, and well-being of its employees and all people who come into contact with its workplace(s) and property, and/or use its products and services. Recognizing that drug abuse poses a direct and significant threat to this goal, Vendor is committed to ensuring a drug-free working environment for all of its employees. Vendor will implement and enforce a policy that prohibits the illicit use, possession, sale, conveyance, distribution, or manufacture of illegal drugs, intoxicants, or controlled substances in any amount or in any manner.
MEDICARE ADVANTAGE REGULATORY REQUIREMENTS APPENDIX
VENDOR – DELEGATED ENTITY
THIS MEDICARE ADVANTAGE REGULATORY REQUIREMENTS APPENDIX (this “Exhibit”) supplements and is made part of the Agreement.
This Exhibit applies to the administrative services performed and products provided by Vendor pursuant to the Agreement as such services and products relate to Medicare Advantage Benefit Plans. In the event of a conflict between this Exhibit and other appendices or any provision of the Agreement, the provisions of this Exhibit shall control except: (1) with regard to Benefit Plans outside the scope of this Exhibit; or (2) as required by applicable law.
For purposes of this Exhibit, the following terms shall have the meanings set forth below.
2.1 Benefit Plan: A certificate of coverage, summary plan description, or other document or agreement, whether delivered in paper, electronic, or other format, under which a Payer is obligated to provide coverage of Covered Services for a Customer.
2.2 CMS Contract: A contract between the Centers for Medicare & Medicaid Services (“CMS”) and a Medicare Advantage Organization for the provision of Medicare benefits pursuant to the Medicare Advantage Program under Title XVIII, Part C of the Social Security Act.
2.3 Covered Service: A health care service or product for which a Customer is entitled to receive coverage from a Payer, pursuant to the terms of the Customer’s Benefit Plan with that Payer.
2.4 Customer: For the purposes of this Exhibit, Customer means a person eligible and enrolled to receive coverage from a Payer for Covered Services.
2.5 Medicare Advantage Benefit Plans: Benefit Plans sponsored, issued or administered by a Medicare Advantage Organization as part of the Medicare Advantage program or as part of the Medicare Advantage program together with the Prescription Drug program under Title XVIII, Part C and Part D, respectively, of the Social Security Act (as those program names may change from time to time).
2.6 Medicare Advantage Customer or MA Customer: A Customer eligible for and enrolled in a Medicare Advantage Benefit Plan that is covered under the Agreement.
2.7 Medicare Advantage Organization or MA Organization: For purposes of this Exhibit, MA Organization is: (a) UnitedHealthcare Insurance Company or one of its affiliates that has entered into a contract with CMS for the purpose of offering a Benefit Plan to MA Customers; or (b) Payer.
2.8 Payer: An entity obligated to a Customer to provide reimbursement for Covered Services under the Customer’s Benefit Plan.
3.1 MA Organization Accountability; Delegated Activities. Vendor acknowledges and agrees that MA Organization oversees and is accountable to CMS for any functions and responsibilities described in the CMS Contract and applicable Medicare Advantage regulations, including those that MA Organization has delegated to Vendor under the Agreement. In addition to the other provisions of this Exhibit, the following shall apply with respect to any functions and responsibilities under the CMS Contract that MA Organization has delegated to Vendor pursuant to the Agreement:
(a) Vendor shall perform or arrange for the provision of those delegated activities set forth in the Agreement.
(b) Vendor shall comply with any reporting responsibilities as set forth in the Agreement.
(c) If MA Organization has delegated to Vendor any activities related to the credentialing of health care providers, Vendor must comply with all applicable CMS requirements for credentialing, including but not limited to the requirement that the credentials of medical professionals must either be reviewed by MA Organization, or the credentialing process must be reviewed, preapproved, and audited on an ongoing basis by MA Organization.
(d) If MA Organization has delegated to Vendor the selection of health care providers to be participating providers in MA Organization’s Medicare Advantage network, or the selection of contractors or subcontractors to perform services under the CMS Contract, MA Organization retains the right to approve, suspend or terminate the participation status of such health care providers and the agreements with such contractors or subcontractors.
(e) Vendor acknowledges that MA Organization shall monitor Vendor’s performance of delegated activities on an ongoing basis. Such monitoring activities may include site visits and periodic audits. If CMS or MA Organization determines that Vendor has not performed satisfactorily, or has failed to meet all reporting and disclosure requirements in a timely manner, MA Organization may revoke any or all of the delegated activities and reporting requirements. Vendor shall cooperate with MA Organization regarding the transition of any delegated activities or reporting requirements that have been revoked by MA Organization.
4.1 Data. Vendor shall submit to MA Organization risk adjustment data as defined in 42 CFR 422.310(a) if applicable. By submitting data to MA Organization, Vendor represents to MA Organization, and upon MA Organization’s request, shall certify in writing, that the data is accurate, complete, and truthful, based on Vendor’s best knowledge, information and belief.
4.2 Customer Protection. Vendor agrees that in no event, including but not limited to, non-payment by Vendor or MA Organization, insolvency of Vendor or MA Organization, or breach of the Agreement, shall Vendor bill, charge, collect a deposit from, seek compensation, remuneration or reimbursement from, or have any recourse against any MA Customer or person (other than MA Organization) acting on behalf of the MA Customer for any fees that are the legal obligation of MA Organization under the CMS Contract.
4.3 Eligibility. Vendor agrees to immediately notify MA Organization in the event Vendor is or becomes excluded from participation in any federal or state health care program under Section 1128 or 1128A of the Social Security Act. Vendor shall not employ or contract for the provision of health care services, utilization review, medical social work or administrative services and products (collectively “Eligibility Services”), with or without compensation, with any individual or entity that is or becomes excluded from participation in any federal or state health care program under Section 1128 or 1128A of the Social Security Act. Vendor shall review (1) the Department of Health and Human Services Office of Inspector General List of Excluded Individuals and Entities and (2) the System for Award Management (SAM), a portal for the Federal Procurement System (and any successor lists), prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member or subcontractor for the provision of Eligibility Services. Vendor must continue to review these lists on a monthly basis thereafter to ensure that none of these persons or entities are excluded or become excluded from participation in federal programs.
4.4 Laws. Vendor shall comply with all applicable federal and Medicare laws, regulations, and CMS instructions, including but not limited to: (a) federal laws and regulations designed to prevent or ameliorate fraud, waste, and abuse, including but not limited to, applicable provisions of federal criminal law, the False Claims Act (31 U.S.C. §3729 et seq.), and the anti-kickback statute (§1128B of the Social Security Act); and (b) HIPAA administrative simplification rules at 45 CFR Parts 160, 162, and 164.
4.5 Federal Funds. Vendor acknowledges that MA Organization receives federal payments under the CMS Contract and that payments Vendor receives from or on behalf of MA Organization are, in whole or in part, from federal funds. Vendor is therefore subject to certain laws that are applicable to individuals and entities receiving federal funds.
4.6 CMS Contract. Vendor shall perform the services and provide the products set forth in the Agreement in a manner consistent with and in compliance with MA Organization’s contractual obligations under the CMS Contract.
(a) Maintenance; Privacy and Confidentiality; Customer Access. Vendor shall maintain records and information related to services performed and products provided by Vendor under the Agreement, in an accurate and timely manner. Vendor shall maintain such records for the longer of the following periods:
(i) in the case of records containing information related to the medical loss ratio information reported to CMS by the MA Organization, including, for example, information related to incurred claims and quality improvement activities, at least [***] from the date such medical loss ratio information is reported to CMS by the MA Organization, or
(ii) in the case of all records, at least [***] from the final date of the CMS Contract period in effect at the time the records were created, or such longer period as required by law.
Vendor shall safeguard MA Customer privacy and confidentiality, including but not limited to the privacy and confidentiality of any information that identifies a particular MA Customer, and shall comply with all federal and state laws regarding confidentiality and disclosure of medical records or other health and enrollment information, including the requirements established by MA Organization and the Medicare Advantage program, as applicable.
(b) Government Access to Records. Vendor acknowledges and agrees that the Secretary of Health and Human Services, the Comptroller General, or their designees shall have the right to audit, evaluate and inspect any pertinent books, contracts, computer or other electronic systems (including medical records), patient care documentation and other records and information belonging to Vendor that involve transactions related to the CMS Contract. This right shall extend through the longer of the following periods:
(i) in the case of records containing information related to the medical loss ratio information reported to CMS by the MA Organization, including, for example, information related to incurred claims and quality improvement activities, at least [***] from the date such medical loss ratio information is reported to CMS by the MA Organization, or
(ii) in the case of all records, at least [***] from the later of the final date of the CMS Contract period in effect at the time the records were created or the date of completion of any audit, or longer in certain instances described in the applicable Medicare Advantage regulations.
For the purpose of conducting the above activities, Vendor shall make available its premises, physical facilities and equipment, records relating to the services performed and the products provided under the Agreement, and any additional relevant information CMS may require.
(c) MA Organization Access to Records. Vendor shall grant MA Organization or its designees such audit, evaluation, and inspection rights identified in subsection 4.7(b) as are necessary for MA Organization to comply with its obligations under the CMS Contract. Whenever possible, MA Organization will give Vendor reasonable notice of the need for such audit, evaluation or inspection, and will conduct such audit, evaluation or inspection at a reasonable time and place.
4.8 Subcontracts. If Vendor has any arrangements, in accordance with the terms of the Agreement, with affiliates, subsidiaries or any other subcontractors, directly or through another person or entity, to perform any of the services or provide any products Vendor is obligated to perform or provide under the Agreement that are the subject of this Exhibit, Vendor shall ensure that all such arrangements are in writing, duly executed, and include all the terms contained in this Exhibit. Vendor shall provide proof of such to MA Organization upon request. In addition, Vendor agrees to oversee and monitor, on an ongoing basis, the services Vendor has subcontracted to another person or entity. Vendor further agrees to promptly amend its agreements with such subcontractors, in a manner consistent with the changes made to this Exhibit by MA Organization, to meet any additional CMS requirements that may apply to the performance of the services or the provision of the products.
4.9 Offshoring. Unless previously authorized by MA Organization in writing, all services provided by Vendor pursuant to the Agreement that are subject to this Exhibit must be performed within the United States, the District of Columbia, or the United States territories.
If MA Organization authorizes Vendor in writing to perform Medicare-related services that involve Medicare beneficiary protected health information (“PHI”) pursuant to the Agreement at locations outside of one of the fifty United States, the District of Columbia, or one of the United States Territories (American Samoa, Guam, Northern Marianas, Puerto Rico and Virgin Islands), the following provisions apply:
(a) Vendor represents and warrants to MA Organization that Vendor has in place and will comply with policies and procedures to ensure that all PHI and other personal information remains secure. Vendor will provide written evidence of the policies and procedures upon MA Organization’s request.
(b) Vendor will provide prior written notice to MA Organization of (a) any material change in the Medicare-related services that involve PHI that Vendor performs offshore, (b) any material change in Vendor’s policies and procedures to ensure that all PHI and other personal information remains secure, and (c) any material change in the tools and systems used by Vendor to ensure that all PHI and other personal information remains secure.
(c) Vendor is prohibited from receiving access to any PHI or other personal information that is not associated with its contractual relationship with MA Organization. If Vendor receives access to PHI or other personal information of MA Organization’s members that is not associated with Vendor’s contractual relationship with MA Organization, Vendor will immediately notify MA Organization that it has received such access, return all PHI or personal information accessed by Vendor, and destroy any such PHI or personal information that remains in Vendor’s possession after doing so (i.e. copies, electronic records, back-ups or temporary files).
(d) Vendor’s services under the Agreement may be terminated [***] upon discovery of a significant security breach.
(e) Vendor authorizes MA Organization or its designee to conduct an audit of Vendor [***].
(f) Vendor acknowledges and agrees that MA Organization will use the results of its audit of Vendor to evaluate the continuation of MA Organization’s relationship with Vendor.
(g) Vendor authorizes MA Organization or its designee to share the results of audits of Vendor with CMS.
5.1 Regulatory Amendment. MA Organization may unilaterally amend this Exhibit to comply with applicable laws and regulations and the requirements of applicable regulatory authorities, including but not limited to CMS. MA Organization shall provide written notice to Vendor of such amendment and its effective date. Unless such laws, regulations or regulatory authority(ies) direct otherwise, the signature of Vendor will not be required in order for the amendment to take effect.
MASTER COMMUNITY & STATE APPENDIX
THIS MASTER COMMUNITY & STATE APPENDIX (this “Exhibit”) supplements and is made part of the Agreement. This Exhibit applies with respect to the provision of services Vendor provides for any Customer health plan Affiliate administering a Medicaid or other state-specific (“State”) government funded and regulated program (“State Program”). In the event of a conflict between this Exhibit and other appendices or any provision of the Agreement, the provisions of this Exhibit shall control except with regard to benefit plans outside the scope of this Exhibit or unless otherwise required by law or applicable State regulatory agency. Vendor will comply with the following requirements to the extent applicable to Vendor’s performance of services under the Agreement.
Capitalized terms used but not defined in this Exhibit shall have the meaning assigned to them in the Agreement or other applicable appendix.
1. Regulatory Approval and Filing. In the event Customer is required to file the Agreement with federal, state or local governmental authorities, Customer shall be responsible for filing the Agreement with such authorities as required by any applicable law or regulation. If following any such filing, the governmental authority requests changes to the Agreement, Vendor agrees to cooperate with Customer in preparing the response to the governmental authority.
2. Compliance with Law and Government Contracts. Vendor and Customer agree to comply with all applicable federal, State, and local laws, rules, and regulations in connection with the performance of their obligations under the Agreement. All tasks under the Agreement also must be performed in accordance with the requirements of applicable contracts between any Customer Affiliate and State and/or federal regulatory agencies. Customer will provide or otherwise communicate such requirements to Vendor. Vendor shall ensure all agents, employees, assigns and subcontractors, if any, that are involved in providing services under the Agreement also comply with this Section.
3. Delegation and Oversight. In compliance with the delegation and oversight obligations imposed on Customer Affiliates under their contracts with State and/or federal regulatory agencies, Customer reserves the right to revoke any functions or activities delegated to Vendor under the Agreement, if in the reasonable judgment of Customer or an applicable Customer Affiliate, Vendor’s performance under the Agreement does not comply with obligations under applicable government contracts. This right shall be in addition to Customer’s termination rights under the Agreement.
4. Press Release; Marketing; Advertising; Use of Name and Trademarks. Except as otherwise set forth in the Agreement, Vendor shall not publicly use the name, logo, trademark, trade name, or other marks of Customer without Customer’s prior written consent. The parties mutually agree to provide, at a minimum, at least [***] and opportunity to comment on all press releases, advertisements or other media statements and communications regarding the Agreement, the services or the business relationship between the parties. A party shall obtain the other party’s written consent prior to any publication or use of such materials or communications. Nothing herein shall be construed to create a right or license to make copies of any copyrighted materials.
5. Offshoring. Unless previously authorized in writing by the appropriate Customer health plan Affiliate and State governing agency, if required, all work performed under the Agreement shall be performed from location(s) in the 50 United States. If Vendor receives authorization pursuant to this Section 5 to offshore certain obligations under the Agreement, Customer will provide, and Vendor shall comply with, all applicable offshoring regulations, requirements or restrictions, including any applicable security controls. The parties agree that any offshoring restrictions or requirements may be updated at any time to comply with applicable law and any other requirements.
6. Subcontracts. To the extent required by any regulatory agency governing any Medicare or Medicaid or other governmental benefit plans (or as may be set forth in an appendix) or any accrediting agency, Vendor shall provide advance notice to Customer and obtain Customer’s consent prior to any subcontracting of any of its responsibilities under the Agreement.
7. Regulatory Amendment. Customer may unilaterally amend this Exhibit to comply with applicable regulatory requirements required under law. Upon Customer’s notification of such changes, Customer will provide notice to Vendor. If such regulatory amendment materially affects the position of either party or renders it illegal for a party to continue to perform under the Agreement in a manner consistent with the parties’ intent, then the parties shall negotiate further amendments to this Exhibit or the Agreement as necessary to correct any inequities, to the greatest extent possible.
8. Effect of Termination or Expiration. Within [***] after the expiration or termination for any reason (or to any extent) of the Agreement and/or this Exhibit, Vendor shall return or destroy all applicable PHI, if feasible to do so, including all applicable PHI in possession of Vendor’s agents or subcontractors. To the extent return or destruction of the PHI is not feasible, Vendor shall notify Customer in writing of the reasons return or destruction is not feasible and, if Customer agrees, may retain the PHI subject to this section. Under any circumstances, Vendor shall extend any and all protections, limitations and restrictions contained in this Exhibit to Vendor’s use and/or disclosure of any applicable PHI retained after the expiration or termination (to any extent) of the Agreement and/or this Exhibit, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
EXCHANGE REGULATORY APPENDIX
THIS EXCHANGE REGULATORY APPENDIX (this “Exhibit”) supplements and is made part of the Agreement and shall survive termination of the Agreement to the extent it or applicable law imposes continuing obligations.
Customer is operating as a certified Qualified Health Plan Issuer (“QHP Issuer”) in one or more public Health Care Exchanges (“Exchange”) created under the terms of the Federal Patient Protection and Affordable Care Act (“PPACA”) and any implementing State law. Customer may be delegating certain of its QHP Issuer's activities, reporting responsibilities, and/or other obligations, to Vendor.
This Exhibit applies solely to the services performed and provided with respect to any Exchange business delegated by United to Vendor pursuant to the Agreement. In the event of a conflict between this Exhibit and other appendices or any provision of the Agreement, the provisions of this Exhibit shall control, except as required by applicable law. Terms in this Agreement shall be as defined in PPACA, as supplemented by any applicable State Exchange law.
This Exhibit is intended to comply with Exchange laws and substantive requirements.
1. The delegated activities and reporting responsibilities are set forth in the Agreement to which this Exhibit is attached. To the extent such delegated activities and reporting responsibilities serve Exchange business, they are designated as “QHP Services”.
2. Vendor acknowledges and agrees that Customer may revoke the delegated activities and reporting standards of Vendor or specify other remedies, for the respective Exchange, in instances where the U.S. Department of Health and Human Services (“HHS”), a State Exchange regulator, or Customer determines that such parties have not performed satisfactorily. To the extent that HHS or a State Exchange regulator directs the revocation, Customer shall provide immediate written notice of such to Vendor, and such revocation shall become effective as directed by HHS or the State Exchange regulator. Vendor shall cooperate with Customer regarding the transition of any QHP Services that have been revoked by United.
3. Vendor must comply with all applicable laws and regulations relating to the standards specified in 45 CFR § 156.340, as it may be amended from time to time, and all other Federal and/or State laws relevant to Customer’s Exchange business being serviced.
4. Vendor must permit access by the Secretary of HHS and the Office of Inspector General or their designees, in the case of Federally Facilitated Exchange (“FFE”) business, or comparable State regulators, in the case of State Exchange business, in connection with their right to evaluate through audit, inspection, or other means, to Vendor's books, contracts, computers, or other electronic systems, including medical records and documentation, relating to the Customer’s obligations as a QHP Issuer in accordance with Federal standards under 45 CFR §156.340, as it may be amended from time to time, with all records retained for at least [***] from the final date of the Agreement period or such lesser period which may be specified in State law for State Exchanges.
5. If submitting FFE data is involved, Vendor is bound by the terms of Customer’s agreement between Qualified Health Plan Issuer and The Centers for Medicare and Medicaid Services or any applicable trading partners or comparable State Exchange agreement, to test its software, and receive Customer’s approval of software as being in the proper format and compatible with the FFE or the applicable State system.
6. If any State Exchange or HHS for FFEs requires additional specific provisions to be in Customer’s agreement with any delegated or downstream entity, they will be provided to Vendor by Customer and are incorporated herein by reference or by attaching a copy of such provisions to this Exchange Regulatory Exhibit.
7. If Vendor delegates any QHP Services to a downstream entity (as such term is defined in 45 C.F.R. § 156.20), Vendor shall provide written advance notification to Customer of such delegated activities and reporting responsibilities before the applicable effective date of the delegation under federal regulations, and Vendor shall bind the downstream entity to all the terms of this Exhibit, including providing for revocation of the delegated activities.