DocuSign Envelope ID: B0026E4D-5EC7-4B8B-94E4-E85B5D3D3DDC

P-22-503

REGISTRY SOFTWARE MAINTENANCE AGREEMENT

This Agreement (this "Agreement") is made effective as of August 23, 2022 (the "Effective Date"), by and between the County of Fresno, a political subdivision of the State of ("Licensee" or "County"), and ESO Solutions, Inc., a Texas corporation (including its controlled affiliates, the "Company"), located at 11500 Alterra Parkway, Suite 100, Austin, Texas 78758.

BACKGROUND

Company has a background in developing and maintaining general-purpose and trauma-specific registry software products and modules for use in connection with hospital and regulatory operations. The Company currently licenses its products and provide services to the Licensee, and Licensee desires that the Company provide maintenance for such products and services.

In consideration of the covenants, agreements and promises set forth below, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties, intending to be legally bound, hereby agree as follows.

TERMS

1. SERVICES/DELIVERABLES.

a. Software Products. The Company agrees to provide maintenance for the software, including the ESO Data Driller Tool, the DI Report Writer for the Trauma Registry, and the Web Portal (or access thereto) and related materials in the quantities indicated (collectively, the "Software Products") to the Licensee as set forth in this Agreement.

b. Maintenance and Support Services. Company agrees to provide Licensee the maintenance and support services described on Appendix A ("Maintenance Services").

2. FEES & COSTS. The specific Maintenance Services to be provided by Company to Licensee, and the fees (and any specific terms) for the same, (the "Fees") are set forth in Appendix C to this Agreement. The total compensation paid for services provided pursuant to this Agreement shall not exceed $5,300 per year.
The total compensation paid for services provided for the total possible two-year term of this Agreement shall not exceed $10,600. The Fees are non-cancelable and non-refundable, except in the event of termination by Licensee as set forth in Section 3.b herein. Company shall invoice Licensee on an annual basis, and Licensee shall pay all invoices within 30 days of receipt of Company's invoice. Fees for Maintenance Services and other annually recurring items shall increase by 3% each year this Agreement is in effect. The Fees are exclusive of all taxes and credit card processing fees, if applicable. Unless and until Licensee provides the Company a tax exemption certificate, Licensee will be responsible for and will remit (or will promptly reimburse the Company for) all taxes of any kind, including sales, use, duty, customs, withholding, property, value-added, and other similar federal, state or local taxes (other than taxes based on the Company's income) related to this Agreement.

3. TERM/TERMINATION.

a. Term. The term of this Agreement (the "Term") commences on the Effective Date and continues for a period of one year (or any longer period provided in an Addendum). Thereafter, the Term will renew for one successive one-year period (each, a "Renewal Term") unless written notice is provided at least 60 days prior to the anniversary of the Effective Date. Any such termination may be effective as to the entire Agreement, or as to any Affiliate or entire facility using Software Products under this Agreement.

b. Termination for Cause. Other than a party's election not to renew this Agreement pursuant to Section 3(a) herein, this Agreement may be terminated at any time upon the breach by the other party, if such breach continues for a period of 30 days after written notice to the breaching party, and the breach is not cured, or immediately, if such breach is not subject to cure.

c. Non-Allocation of Funds. The terms of this Agreement, and the services to be provided hereunder, are contingent on the approval of funds by the appropriating government agency. Should sufficient funds not be allocated, the services provided may be modified, or this Agreement terminated by Licensee, at any time without penalty by giving the Company thirty (30) days advance written notice.

d. Effect of Termination. Upon termination, the Company shall have no obligation to provide the Software Products or Maintenance Services or any other services under this Agreement to the Licensee, and Licensee shall have no obligation to pay for the same. If this Agreement is terminated for cause by: (a) Licensee, then Company shall refund to Licensee within 45 days any prepayment made by Licensee under this Agreement for licenses, services or products not yet provided by Company, or (b) Company, then Company may retain any amounts prepaid by Licensee through the effective date of the termination.

4. RELATIONSHIP OF PARTIES. It is understood by the parties that the Company is an independent contractor with respect to the Licensee, and not an employee of the Licensee. The Licensee will not provide fringe benefits, including health insurance benefits, paid vacation, or any other employee benefit, for the benefit of the Company.

5. LICENSING; SUBSCRIPTIONS. The Software Products are property of Company and/or its suppliers and licensors.

a. License. If a Software Product is designated as "licensed" on the applicable Quote ("Licensed Software Products"), then Company grants to Licensee a perpetual but limited, non-exclusive, non-transferable, non-assignable, non-sublicensable, revocable, royalty-free license and right to use the Software Products, subject to Licensee's compliance with the Use Restrictions and other limitations contained in this Agreement.

b. Subscription.
If a Software Product or Other Service is designated as "subscription" or "recurring" or otherwise periodic, then Licensee may access and use such Software Products and Other Services, in accordance with the access and volume limitations set forth thereon, subject to Licensee's compliance with the Use Restrictions and other limitations contained in this Agreement.

c. Use Restrictions. Licensee shall not make any reproductions, copies, or electronic transmittals of any portion of the Software Products, including but not limited to any program files, configuration files, system files, instruction manuals, screen captures, user's manuals, on-line help files, or any other materials, without the prior written consent of the Company; except that for Licensed Software Products, Licensee may make network system backups of the installed system and a single backup copy of the installation media or file provided by the Company, in each case solely for its internal archival or backup purposes. Licensee shall install Licensed Software Products only on as many networks, workstations or computers as is indicated in this Agreement. Except as provided in this Agreement or as otherwise authorized by ESO, Licensee has no right to, and shall not: (a) decompile, reverse engineer, disassemble, print, copy or display the Software Products or otherwise reduce the Software Products to a human-perceivable form in whole or in part; (b) publish, release, rent, lease, loan, sell, distribute or transfer the Software Products to another person or entity; (c) reproduce the Software Products for the use or benefit of anyone other than Licensee; (d) alter, modify or create derivative works based upon the Software Products either in whole or in part; or (e) use or permit the use of the Software Products for commercial time-sharing arrangements or providing service bureau, data processing, rental, or other services to any third party (other than an applicable Affiliate).
The provisions of this section shall survive the termination of this Agreement.

6. WARRANTY. During the Term of the Maintenance Services under this Agreement, the Company warrants to the Licensee that all Software Products and maintenance updates provided by the Company to the Licensee under this Agreement will perform substantially in accordance with their written materials and other documentation provided by the Company to the Licensee, in each case, provided the Licensee has complied with the system resource and configuration requirements. EXCEPT AS OTHERWISE PROVIDED IN THIS SECTION 6, ESO DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, PERFORMANCE, SUITABILITY, TITLE, NON-INFRINGEMENT, OR ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 6, CUSTOMER ACCEPTS THE SOFTWARE PRODUCTS AND SERVICES "AS-IS" AND "AS AVAILABLE".

7. INSURANCE. ESO agrees to maintain commercial general liability, errors and omission and cyber-liability/data breach insurance in amounts determined by ESO, but in no event less than $1,000,000 per claim/$2,000,000 aggregate.

8. INDEMNIFICATION. Subject to the Limitation of Liability below:

a. the Company shall defend and indemnify Licensee from any damages, costs, liabilities, expenses (including reasonable attorney's fees and costs) ("Damages") as to any third-party claim or action alleging that the Software Products delivered pursuant to this Agreement infringe or misappropriate any third party's patent, copyright, trade secret, or other intellectual property rights enforceable in the applicable jurisdiction (each, an "Indemnified Claim").
If Licensee makes an Indemnified Claim under this Section or if the Company determines that an Indemnified Claim may occur, the Company shall at its option: (a) obtain a right for Licensee to continue using such Software Product(s); (b) modify such Software Product(s) to make it a non-infringing equivalent or (c) replace such Software Product(s) with a non-infringing equivalent. If (a), (b), or (c) above are not reasonably practicable, either party may, at its option, terminate this Agreement. Notwithstanding the foregoing, the Company shall have no obligation hereunder for any claim resulting or arising from (x) Licensee's breach of this Agreement; (y) modifications made to the Software Product(s) that were not performed or provided by or on behalf of the Company or (z) the unreasonable and unforeseeable combination, operation or use by Licensee (and/or anyone acting on Licensee's behalf) of the Software Product(s) in connection with any other product or service (the combination or joint use of which causes the alleged infringement). This section 8 states the Company's sole obligation and liability, and Licensee's sole remedy, for potential or actual intellectual property infringement by the Software Product(s). The provisions of this Section 8 shall survive the termination or expiration of this Agreement.

9. LIMITATION ON LIABILITY. NEITHER THE COMPANY NOR LICENSEE SHALL BE LIABLE TO THE OTHER FOR ANY CONSEQUENTIAL, INDIRECT, PUNITIVE, OR INCIDENTAL DAMAGES, INCLUDING CLAIMS FOR DAMAGES FOR LOST PROFITS, GOODWILL, USE OF MONEY, INTERRUPTED OR IMPAIRED USE OF THE SOFTWARE, AVAILABILITY OF DATA, STOPPAGE OF WORK OR IMPAIRMENT OF OTHER ASSETS RELATING TO THIS AGREEMENT.
EXCLUDING CLAIMS FOR INDEMNIFICATION OF INTELLECTUAL PROPERTY, PURSUANT TO SECTION 8.A OF THIS AGREEMENT, THE COMPANY'S MAXIMUM AGGREGATE LIABILITY FOR ALL CLAIMS OF LIABILITY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT (INCLUDING ANY BUSINESS ASSOCIATE AGREEMENT RELATING HERETO, NOTWITHSTANDING ANY LIMITING OR CONTRARY PROVISION THEREIN), SHALL NOT EXCEED THREE TIMES FEES PAID BY (OR ON BEHALF OF) LICENSEE WITHIN THE PRECEDING 12-MONTH PERIOD UNDER THE APPLICABLE SALES ORDER OR SERVICE GIVING RISE TO THE CLAIM. THE FOREGOING LIMITATIONS, EXCLUSIONS, DISCLAIMERS SHALL APPLY REGARDLESS OF WHETHER THE CLAIM FOR SUCH DAMAGES IS BASED IN CONTRACT, WARRANTY, STRICT LIABILITY, NEGLIGENCE, TORT OR OTHERWISE. INSOFAR AS APPLICABLE LAW PROHIBITS ANY LIMITATION HEREIN, THE PARTIES AGREE THAT SUCH LIMITATION SHALL BE AUTOMATICALLY MODIFIED, BUT ONLY TO THE EXTENT SO AS TO MAKE THE LIMITATION PERMITTED TO THE FULLEST EXTENT POSSIBLE UNDER SUCH LAW. THE PARTIES AGREE THAT THE LIMITATIONS SET FORTH HEREIN ARE AGREED ALLOCATIONS OF RISK CONSTITUTING IN PART THE CONSIDERATION FOR THE COMPANY'S SOFTWARE PRODUCTS AND SERVICES TO LICENSEE, AND SUCH LIMITATIONS WILL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSES OF ANY LIMITED REMEDY AND EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITIES. THIS SECTION SHALL SURVIVE EXPIRATION OR TERMINATION OF THE AGREEMENT.

10. CONFIDENTIALITY. "Confidential Information" refers to the following items: (a) any document marked "Confidential"; (b) any information orally designated as "Confidential" at the time of disclosure, provided the disclosing party confirms such designation in writing within five business days; (c) the Software Product(s) and documentation, whether or not designated confidential; (d) the Company's security controls, policies, procedures, audits, or other information concerning the Company's internal security posture; (e) any other nonpublic, sensitive information which constitutes a trade secret; and (f) Data which does not comprise Protected Health Information ("PHI"), as defined in 45 C.F.R. §160.103. Notwithstanding the foregoing, Confidential Information does not include information that: (i) is in the other party's possession at the time of disclosure free of duty of non-disclosure; (ii) is independently developed without use of or reference to Confidential Information; (iii) becomes known publicly, before or after disclosure, other than as a result of the receiving party's improper action or inaction; (iv) is approved for release in writing by the disclosing party; or (v) PHI (which is exclusively governed Section 11, herein, and by the Business Associate Agreement attached hereto as Appendix C). Each party shall use Confidential Information of the other party solely to fulfill the terms of this Agreement (the "Purpose"). Each party shall (a) ensure that its employees or contractors are bound by confidentiality obligations no less restrictive than those contained herein, and (b) not disclose Confidential Information to any other third party (excluding Licensee subcontractors) without prior written consent from the disclosing party.
Without limiting the generality of the foregoing, the receiving party shall protect Confidential Information with the same degree of care it uses to protect its own confidential information of similar nature and importance, but with no less than reasonable care. A receiving party shall promptly notify the disclosing party of any misuse or misappropriation of Confidential Information of which it is aware or should be aware. With respect to each item of Confidential Information, the obligations of nondisclosure will terminate three years after the date of disclosure; provided that, such obligations related to Confidential Information constituting the Company's trade secrets shall continue so long as such information remains subject to trade secret protection pursuant to applicable law. Upon termination of this Agreement, a party shall return all copies of Confidential Information to the other or certify the destruction thereof. This Agreement does not transfer ownership of Confidential Information or grant a license thereto. Notwithstanding anything in this Section 10 to the contrary, the parties expressly acknowledge that Confidential Information may be disclosed if such Confidential Information is required to be disclosed by law, a lawful public records request, or judicial order, provided that prior to such disclosure, written notice of such required disclosure shall be given promptly and without unreasonable delay by the receiving party in order to give the disclosing party the opportunity to object to the disclosure and/or to seek a protective order. The receiving party shall reasonably cooperate in this effort. If the disclosing party does not respond to that written notice within 3 business days, the receiving party shall have the right to disclose the Confidential information.

11. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.

a. The parties to this Agreement shall be in strict conformance with all applicable Federal and State of California laws and regulations, including but not limited to Sections 5328, 10850, and 14100.2 et seq. of the Welfare and Institutions Code, Sections 2.1 and 431.300 et seq. of Title 42, Code of Federal Regulations (CFR), Section 56 et seq. of the California Civil Code and the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to Section 1320 D et seq. of Title 42, United States Code (USC) and its implementing regulations, including, but not limited to Title 45, CFR, Sections 142, 160, 162, and 164, The Health Information Technology for Economic and Clinical Health Act (HITECH) regarding the confidentiality and security of patient information, and the Genetic Information Nondiscrimination Act (GINA) of 2008 regarding the confidentiality of genetic information.

Except as otherwise provided in this Agreement, COMPANY, as a Business Associate of COUNTY, may use or disclose Protected Health Information (PHI) to perform functions, activities or services for or on behalf of COUNTY, as specified in this Agreement, provided that such use or disclosure shall not violate the Health Insurance Portability and Accountability Act (HIPAA), USC 1320d et seq. The uses and disclosures of PHI may not be more expansive than those applicable to COUNTY, as the "Covered Entity" under the HIPAA Privacy Rule (45 CFR 164.500 et seq.), except as authorized for management, administrative or legal responsibilities of the Business Associate.

b. COMPANY, including its subcontractors and employees, shall protect, from unauthorized access, use, or disclosure of names and other identifying information, including genetic information, concerning persons receiving services pursuant to this Agreement, except where permitted in order to carry out data aggregation purposes for health care operations [45 CFR Sections 164.504 (e)(2)(i), 164.504 (3)(2)(ii)(A), and 164.504 (e)(4)(i)] This pertains to any and all persons receiving services pursuant to a COUNTY funded program. This requirement applies to electronic PHI. COMPANY shall not use such identifying information or genetic information for any purpose other than carrying out COMPANY'S obligations under this Agreement.

c. COMPANY, including its subcontractors and employees, shall not disclose any such identifying information or genetic information to any person or entity, except as otherwise specifically permitted by this Agreement, authorized by Subpart E of 45 CFR Part 164 or other law, required by the Secretary, or authorized by the client/patient in writing. In using or disclosing PHI that is permitted by this Agreement or authorized by law, COMPANY shall make reasonable efforts to limit PHI to the minimum necessary to accomplish intended purpose of use, disclosure or request.

d. For purposes of the above sections, identifying information shall include, but not be limited to name, identifying number, symbol, or other identifying particular assigned to the individual, such as finger or voice print, or photograph.

e. For purposes of the above sections, genetic information shall include genetic tests of family members of an individual or individual, manifestation of disease or disorder of family members of an individual, or any request for or receipt of, genetic services by individual or family members. Family member means a dependent or any person who is first, second, third, or fourth degree relative.

f. COMPANY shall provide access, at the request of COUNTY, and in the time and manner designated by COUNTY, to PHI in a designated record set (as defined in 45 CFR Section 164.501), to an individual or to COUNTY in order to meet the requirements of 45 CFR Section 164.524 regarding access by individuals to their PHI. With respect to individual requests, access shall be provided within thirty (30) days from request. Access may be extended if COMPANY cannot provide access and provides individual with the reasons for the delay and the date when access may be granted. PHI shall be provided in the form and format requested by the individual or COUNTY.

COMPANY shall make any amendment(s) to PHI in a designated record set at the request of COUNTY or individual, and in the time and manner designated by COUNTY in accordance with 45 CFR Section 164.526.

COMPANY shall provide to COUNTY or to an individual, in a time and manner designated by COUNTY, information collected in accordance with 45 CFR Section 164.528, to permit COUNTY to respond to a request by the individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.

g. COMPANY shall report to COUNTY, in writing, any knowledge or reasonable belief that there has been unauthorized access, viewing, use, disclosure, security incident, or breach of unsecured PHI not permitted by this Agreement of which it becomes aware, immediately and without reasonable delay and in no case later than two (2) business days of discovery. Immediate notification shall be made to COUNTY's Information Security Officer and Privacy Officer and COUNTY's DPH HIPAA Representative, within two (2) business days of discovery. The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, disclosed, or breached.
COMPANY shall take prompt corrective action to cure any deficiencies and any action pertaining to such unauthorized disclosure required by applicable Federal and State Laws and regulations. COMPANY shall investigate such breach and is responsible for all notifications required by law and regulation or deemed necessary by COUNTY and shall provide a written report of the investigation and reporting required to COUNTY's Information Security Officer and Privacy Officer and COUNTY's DPH HIPAA Representative. This written investigation and description of any reporting necessary shall be postmarked within the thirty (30) working days of the discovery of the breach to the addresses below:

Department of Public Health
HIPAA Representative
(559) 600-6439
P.O. Box 11867
Fresno, CA 93775

Department of Public Health
Privacy Officer
(559) 600-6405
P.O. Box 11867
Fresno, CA 93775

Internal Services Department
I.T. Services Division
(559) 600-5800
333 W. Pontiac Way
Clovis, CA 93612

h. COMPANY shall make their internal practices, books, and records relating to the use and disclosure of PHI received from COUNTY, or created or received by the COMPANY on behalf of COUNTY, in compliance with HIPAA's Privacy Rule, including, but not limited to the requirements set forth in Title 45, CFR, Sections 160 and 164. COMPANY shall make its internal practices, books, and records relating to the use and disclosure of PHI received from COUNTY, or created or received by the COMPANY on behalf of COUNTY, available to the United States Department of Health and Human Services (Secretary) upon demand.

COMPANY shall cooperate with the compliance and investigation reviews conducted by the Secretary. PHI access to the Secretary must be provided during the COMPANY'S normal business hours, however, upon exigent circumstances access at any time must be granted.
Upon the Secretary's compliance or investigation review, if PHI is unavailable to COMPANY and in possession of a Subcontractor, it must certify efforts to obtain the information to the Secretary.

i. Safeguards. COMPANY shall implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule, Subpart C of 45 CFR 164, that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI, that it creates, receives, maintains or transmits on behalf of COUNTY and to prevent unauthorized access, viewing, use, disclosure, or breach of PHI other than as provided for by this Agreement. COMPANY shall conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidential, integrity and availability of electronic PHI. COMPANY shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of COMPANY'S operations and the nature and scope of its activities. Upon COUNTY's request, COMPANY shall provide COUNTY with information concerning such safeguards.

COMPANY shall implement strong access controls and other security safeguards and precautions in order to restrict logical and physical access to confidential, personal (e.g., PHI) or sensitive data to authorized users only. Said safeguards and precautions shall include the following administrative and technical password controls for all systems used to process or store confidential, personal, or sensitive data:

1. Passwords must not be:
   A. Shared or written down where they are accessible or recognizable by anyone else; such as taped to computer screens, stored under keyboards, or visible in a work area;
   B. A dictionary word; or
   C. Stored in clear text.

2. Passwords must be:
   A. Eight (8) characters or more in length;
   B. Changed every ninety (90) days;
   C. Changed immediately if revealed or compromised; and
   D. Composed of characters from at least three (3) of the following four (4) groups from the standard keyboard:
      i. Upper case letters (A-Z);
      ii. Lower case letter (a-z);
      iii. Arabic numerals (0-9) and
      iv. Non-alphanumeric characters (punctuation symbols).

COMPANY shall implement the following security controls on each workstation or portable computing device (e.g., laptop computer) containing confidential, personal, or sensitive data:

1. Network-based firewall and/or personal firewall;
2. Continuously updated anti-virus software; and
3. Patch management process including installation of all operating systems/software vendor security patches.

COMPANY shall utilize a commercial encryption solution that has received FIPS 140-2 validation to encrypt all confidential, personal, or sensitive data stored on portable electronic media (including, but not limited to, compact disks and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers).

COMPANY shall not transmit confidential, personal, or sensitive data via e-mail or other internet transport protocol unless the data is encrypted by a solution that has been validated by the National Institute of Standards and Technology (NIST) as conforming to the Advanced Encryption Standard (AES) Algorithm.

COMPANY must apply appropriate sanctions against its employees who fail to comply with these safeguards. COMPANY must adopt procedures for terminating access to PHI when employment of employee ends.

j. Mitigation of Harmful Effects. COMPANY shall mitigate, to the extent practicable, any harmful effect that is suspected or known to COMPANY of an unauthorized access, viewing, use, disclosure, or breach of PHI by COMPANY or its subcontractors in violation of the requirements of these provisions.
COMPANY must document suspected or known harmful effects and the outcome.

k. COMPANY'S Subcontractors. COMPANY shall ensure that any of their contractors, including subcontractors, if applicable, to whom COMPANY provide PHI received from or created or received by COMPANY on behalf of COUNTY, agree to the same restrictions, safeguards, and conditions that apply to COMPANY with respect to such PHI and to incorporate, when applicable, the relevant provisions of these provisions into each subcontract or sub-award to such agents or subcontractors.

l. Employee Training and Discipline. COMPANY shall train and use reasonable measures to ensure compliance with the requirements of these provisions by employees who assist in the performance of functions or activities on behalf of COUNTY under this Agreement and use or disclose PHI and discipline such employees who intentionally violate any provisions of these provisions, including termination of employment.

m. Termination Clause. Upon COUNTY's knowledge of a material breach of these provisions by a COMPANY, COUNTY shall either:

1. Provide an opportunity for the COMPANY to cure the breach or end the violation and terminate this Agreement if COMPANY does not cure the breach or end the violation within the time specified by COUNTY; or
2. Immediately terminate this Agreement if a COMPANY has breached a material term of these provisions and cure is not possible.
3. If neither cure nor termination is feasible, the COUNTY's Privacy Officer shall report the violation to the Secretary of the U.S. Department of Health and Human Services.

n. Judicial or Administrative Proceedings.
COUNTY may terminate this Agreement in accordance with the terms and conditions of this Agreement as written hereinabove, if: (1) a COMPANY is found guilty in a criminal proceeding for a violation of the HIPAA Privacy or Security Laws or the HITECH Act; or (2) a finding or stipulation that a COMPANY has violated a privacy or security standard or requirement of the HITECH Act, HIPAA or other security or privacy laws in an administrative or civil proceeding in which the COMPANY is a party.

o. Effect of Termination. Upon termination or expiration of this Agreement for any reason, COMPANY shall return or destroy all PHI received from COUNTY (or created or received by COMPANY on behalf of COUNTY) that COMPANY still maintains in any form and shall retain no copies of such PHI. If return or destruction of PHI is not feasible, it shall continue to extend the protections of these provisions to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall apply to PHI that is in the possession of subcontractors or agents, if applicable, of COMPANY. If COMPANY destroy the PHI data, a certification of date and time of destruction shall be provided to the COUNTY by COMPANY.

p. Disclaimer. COUNTY makes no warranty or representation that compliance by COMPANY with these provisions, the HITECH Act, HIPAA or the HIPAA regulations will be adequate or satisfactory for COMPANY'S own purposes or that any information in COMPANY'S possession or control, or transmitted or received by COMPANY, is or will be secure from unauthorized access, viewing, use, disclosure, or breach. COMPANY is solely responsible for all decisions made by COMPANY regarding the safeguarding of PHI.

q. Amendment.
The parties acknowledge that Federal and State laws relating to electronic data security and privacy are rapidly evolving and that amendment of these provisions may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to amend this agreement in order to implement the standards and requirements of HIPAA, the HIPAA regulations, the HITECH Act and other applicable laws relating to the security or privacy of PHI. COUNTY may terminate this Agreement upon thirty (30) days written notice in the event that COMPANY do not enter into an amendment providing assurances regarding the safeguarding of PHI that COUNTY in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA, the HIPAA regulations and the HITECH Act.

r. No Third-Party Beneficiaries. Nothing express or implied in the terms and conditions of these provisions is intended to confer, nor shall anything herein confer, upon any person other than COUNTY or COMPANY and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever.

s. Interpretation. The terms and conditions in these provisions shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA regulations and applicable State laws. The parties agree that any ambiguity in the terms and conditions of these provisions shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HIPAA regulations.

t. Regulatory References. A reference in the terms and conditions of these provisions to a section in the HIPAA regulations means the section as in effect or as amended.

u. Survival. The respective rights and obligations of COMPANY as stated in this Section shall survive the termination of this Agreement.

v. No Waiver of Obligations.
No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation or shall prohibit enforcement of any obligation on any other occasion.

w. Public Health Exception Extended.

1. The HIPAA Privacy Rule creates a special rule for a subset of public health activities whereby HIPAA cannot preempt state law if, "[t]he provision of state law, including state procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention." (45 C.F.R. § 160.203(c) [HITECH Act, § 13421, sub. (a)].);

2. To the extent a disclosure or use of information received under this agreement may also be considered a disclosure or use of "Protected Health Information" (PHI) of an individual, as that term is defined in Section 160.103 of Title 45, Code of Federal Regulations, the following Privacy Rule provisions apply to permit such data disclosure and/or use by COUNTY and COMPANY, without the consent or authorization of the individual who is the subject of the PHI:

A. HIPAA cannot preempt state law if, "[t]he provision of state law, including state procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention." (45 C.F.R. § 160.203(c) [HITECH Act, § 13421, sub. (a)].)];

B. A covered entity may disclose PHI to a "public health authority" carrying out public health activities authorized by law; (45 C.F.R. § 164.512(b).);

C.
A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law." (Title 45 C.F.R. §§ 164.502 (a)(1)(vii), 164.512(a))(1).)

12. NOTICES. The persons and their addresses having authority to give and receive notices under this Agreement include the following:

COUNTY
COUNTY OF FRESNO
Director of Internal Services/CIO
333 W. Pontiac Way
Clovis, CA 93612
ISDContracts@FresnoCountyCA.gov

COMPANY
ESO Solutions, Inc.
Contracts
11500 Alterra Parkway, Suite 100
Austin, TX 78758
contracts@eso.com

All notices between the Licensee and Company provided for or permitted under this Agreement must be in writing and delivered either by personal service, by first-class United States mail, by email to the address listed above, or by an overnight commercial courier service. A notice delivered by personal service is effective upon service to the recipient. A notice delivered by first-class United States mail is effective three Licensee business days after deposit in the United States mail, postage prepaid, addressed to the recipient. A notice delivered by an overnight commercial courier service is effective one COUNTY business day after deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given for next day delivery, addressed to the recipient. A notice delivered by email is effective when transmission to the recipient is completed (but, if such transmission is completed outside of Licensee business hours, then such delivery shall be deemed to be effective at the next beginning of a Licensee business day), provided that the sender maintains a machine record of the completed transmission.
For all claims arising out of or related to this Agreement, nothing in this section establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including but not limited to the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810).

13. SEVERABILITY. If any provisions of this Agreement shall be held to be invalid, or unenforceable for any reason, the remaining provisions shall continue to be valid and enforceable. If a court finds that any provision of this Agreement is invalid or unenforceable, but that by limiting such provision it would become valid or enforceable, then such provision shall be deemed to be written, construed, and enforced as so limited.

14. FORCE MAJEURE. If a Party is delayed in performance due to riots, wars, terrorist acts, fires, accidents, explosions, natural disasters, or epidemics, then the time allowed for performance shall be extended on a day-for-day basis. The delayed Party promptly will provide written notice of any such event causing a delay in performance, which notice will describe the basis for the delay, the estimated duration, and the steps being taken to mitigate the delay.

15. WAIVER, AMENDMENT, ASSIGNMENT. No amendment, assignment or waiver of this Agreement or its term and conditions is valid unless it is in writing, specifically refers to this Agreement, and is signed by authorized representatives of both parties. Any amendment or waiver will be limited to the specific situation for which it is given. No other action or failure to act (including inspection, failure to inspect, acceptance of late deliveries, or acceptance of or payment for any Products) will constitute a waiver of any rights. This Section 14 shall survive any termination or expiration of this Agreement and will continue to bind the parties and their successors and assigns.

16. ENTIRE AGREEMENT.
This Agreement contains the entire agreement of the parties as subject to matter herein and may not be amended, waived, or modified in any way, except if the amendment is made in writing and is signed by both parties.

17. COMPLIANCE WITH LAWS. Company and Licensee shall comply with all laws, ordinances, codes, rules, regulations, and licensing requirements that are applicable to the conduct of its operations and the performance of this Agreement, including those of federal, state, and local agencies having jurisdiction and/or authority. Company represents and warrants that (a) it has not been convicted of a criminal offense related to healthcare, (b) it is not currently under sanction, exclusion, or investigation (civil or criminal by a federal or state enforcement, regulatory, administrative, or licensing agency or otherwise ineligible for federal or state program participation), and (c) it is not currently listed on the General Service Administration List of Parties Excluded from the Federal Procurement and Non-Procurement Programs.

18. GOVERNING LAW. Venue for any action arising out of or related to this Agreement shall only be in Fresno County, California. The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California.

19. DISCLOSURE OF SELF-DEALING TRANSACTIONS

This provision is only applicable if the Company is operating as a corporation (a for-profit or non-profit corporation) or if during the term of the Agreement, the Company changes its status to operate as a corporation.

Members of the Company's Board of Directors shall disclose any self-dealing transactions that they are a party to while Company is providing goods or performing services under this Agreement.
A self-dealing transaction shall mean a transaction to which the Company is a party and in which one or more of its directors has a material financial interest. Members of the Board of Directors shall disclose any self-dealing transactions that they are a party to by completing and signing a Self-Dealing Transaction Disclosure Form, attached as Attachment A and incorporated herein by reference, and submitting it to the Licensee prior to commencing with the self-dealing transaction or immediately thereafter.

20. AUDITS AND INSPECTIONS: The Company shall at any time during business hours, and not to exceed once per year, make available to the Licensee for examination all of its records and data with respect to the matters covered by this Agreement. The Company shall, upon request by the COUNTY, permit the COUNTY to audit and inspect all of such records and data necessary to ensure COMPANY'S compliance with the terms of this Agreement. Notwithstanding the foregoing and except to the extent required by applicable law, in no event shall the Licensee or its auditor be permitted to view, access, or retain (or potentially view, access, or retain) information which Company reasonably determines: i) is a risk to the security of its software if exposed; ii) pertains to its software or services and is proprietary, trade secret, or protected by copyright law; or iii) constitutes the protected information of Company's other customers, including but not limited to Protected Health Information, as defined by applicable federal law.

If this Agreement exceeds ten thousand dollars ($10,000.00), the Company shall be subject to the examination and audit of the California State Auditor for a period of three (3) years after final payment under contract (Government Code Section 8546.7).

ORDER OF PRECEDENCE.
In the event of any conflict between this Agreement, Quotes, Addenda or other attachments incorporated herein, the following order of precedence will govern: (1) terms above; (2) the applicable Addendum, with most recent Addendum taking precedence over earlier ones; (3) a Quote, and (4) any ESO policy posted online, including without limitation its privacy policy. No amendments incorporated into this Agreement after execution hereof will amend such General Terms and Conditions unless it specifically states its intent to do so and cites the section or sections amended.

21. SIGNATURES. This Agreement may be executed in one or more counterparts. Each counterpart will be an original, and all such counterparts will constitute a single instrument. Electronic signatures on this Agreement or on any Addendum (or copies of signatures sent via electronic means) are the equivalent of handwritten signatures.

[signature page follows]

IN WITNESS WHEREOF, and intending to be legally bound hereby, the parties have caused their duly authorized officers to execute this contract as of the month, day, and year first above written.

COMPANY: ESO Solutions, Inc.
By: (signature) DocuSigned
Name: Robert Munden (print name)
Title: Chief Legal & Compliance Officer (print title)

LICENSEE: County of Fresno
By: (signature) Digitally signed by Gary Cornuelle, Date: 2022.11.04 15:07:00
Name: Gary Cornuelle (print name)
Title: Purchasing Manager (print title)

FOR ACCOUNTING USE ONLY:
Fund: 0001
Subclass: 10000
Dept.: 5620
Acct.: 7309

APPENDIX A
Maintenance and Support Plan

ESO's software is backed by our commitment to providing exceptional customer support and timely technical support services. ESO has full-time customer support staff members that are solely dedicated to providing medical registry, database and system support.
Our staff of developers, medical registry product managers, software trainers, and support services coordinators combine to provide high level support to our client base. Support services can be used to assist in a variety of support situations including installation, troubleshooting, assistance with the use of the product, distribution, central site process, and many other services. Technical support questions are typically handled in the order ESO receives them.

Support Process

ESO directs technical inquiries to the appropriate team members. ESO's support staff is equipped to handle a wide variety of support requests and follow Standard Operating Procedures (SOPs) for escalating support incidents to appropriate technical staff, including development staff. ESO's Product and Support Services Coordinator conducts meetings with technical support staff to review open issues for timely resolution. ESO maintains several support channels for our customers including email via support.di@eso.com for lower priority cases with a minimum of 3 business day response. For Critical or higher priorities, please call the 866-766-9471 option 3, option 3, option to be connected with an agent. If busy, you can leave a voicemail and we will call you back within one hour. Support can be reached through these channels during normal business hours of 8:30am - 8:00pm EST.

Escalation & Priority Levels

Customer will report all Errors to ESO via e-mail (support.di@eso.com) or by telephone (866-766-9471, option #3). ESO shall exercise commercially reasonable efforts to correct any Error reported by Customer in accordance with the priority level reasonably assigned to such Error by ESO.

Severity 1 Error: ESO shall (i) commence Error Correction promptly; (ii) provide an Initial Response within four hours; (iii) initiate Management Escalation promptly; and (iv) provide Customer with a Status Update within four hours if ESO cannot resolve the Error within four hours.
Severity 2 Error: ESO shall (i) commence Error Correction promptly; (ii) provide an Initial Response within eight hours; (iii) initiate Management Escalation within 48 hours if unresolved; and (iv) provide Customer with a Status Update within forty-eight hours if ESO cannot resolve the Error within forty-eight hours.

Severity 3 Error: ESO shall (i) commence Error Correction promptly; (ii) provide an Initial Response within three business days; and (iii) provide Customer with a Status Update within seven calendar days if ESO cannot resolve the Error within seven calendar days.

Severity 4 Error: ESO shall (i) provide an Initial Response within seven calendar days.

Definitions

"Enhancement" means a modification, addition or new release of the Software that when added to the Software, materially changes its utility, efficiency, functional capability or application.

"E-mail Support" means ability to make requests for technical support assistance by e-mail at anytime concerning the use of the then-current release of Software.

"Error" means an error in the Software, which significantly degrades performance of such Software as compared to ESO's then-published Documentation.

"Error Correction" means the use of reasonable commercial efforts to correct Errors.

"Fix" means the repair or replacement of object code for the Software or Documentation to remedy an Error.

"Initial Response" means the first contact by a Support Representative after the incident is logged and a ticket generated. This may include an automated e-mail response depending on when the incident is first communicated.
"Management Escalation" means the notification of ESO management following the incomplete resolution of an Error to which an initial Workaround or Fix has been applied.

"Severity 1 Error" means an Error which renders the Software completely inoperative (e.g., a User cannot access the Software due to unscheduled downtime or an Outage).

"Severity 2 Error" means an Error in which Software is still operable; however, one or more significant features or functionality are unavailable (e.g., a User cannot access a core component of the Software).

"Severity 3 Error" means any other error that does not prevent a User from accessing a significant feature of the Software (e.g., User is experiencing latency in reports).

"Severity 4 Error" means any error related to Documentation or a Customer Enhancement request.

"Status Update" means if the initial Workaround or Fix cannot resolve the Error, notification of the Customer regarding the progress of the Workaround or Fix.

"Online Support" means information available through ESO's website (www.eso.com), including frequently asked questions and bug reporting via Live Chat.

"Support Representative" shall be ESO employee(s) or agent(s) designated to receive Error notifications from Customer.

"Update" means an update or revision to Software, typically for Error Correction.

"Upgrade" means a new version or release of Software or a particular component of Software, which improves the functionality, or which adds functional capabilities to the Software and is not included in an Update. Upgrades may include Enhancements.

"Workaround" means a change in the procedures followed or data supplied by Customer to avoid an Error without substantially impairing Customer's use of the Software.

Software Subscription Services

As part of ESO's Software Subscription Services, clients are provided with:

• Software Enhancements.
  o Semi-annual capability or feature upgrades to the hospital and Central-Site software.
  o Support of all non-fee based national trauma initiatives and annual coding updates (as required).
  o Upgrades, as required, for maintaining compatibility with Microsoft applications (Windows, web and server related software) and compatibility with applicable database software.
• Custom software maintenance services for existing software (if applicable). This does not include change or feature requests for customer elements.

Software enhancements/upgrades are provided with installation instructions such that clients can perform and manage the installations in accordance with their own needs and priorities.

Notes/exceptions:
• Data migration services, if required, are handled separately and not covered by software subscription services.
• States-specific modifications or requirements are not covered by Software Subscription unless ESO is the State software supplier.

Technical and Registry Application Support

ESO support personnel will provide first-line technical and Registry application support to our user base. Support services for these users will include:

1. Support via telephone or e-mail.
2. Technical and application support staff assists with application trouble shooting, guidance related to the software application, and answering questions related to program capabilities.
3. Initial installation is fully supported in accordance with the license quote. Installation of enhancements/upgrades to previously/currently-installed software is performed by the client, but ESO will provide support to the extent the installation instructions require explanation or adaptation.
4. Semi-annual capability updates.
5. Maintenance of documentation as well as training and support materials as prepared by ESO resulting from system modifications covered by maintenance services.
6. Bug fixes of ESO-developed application code, and integration of minor software patches.
Technical and Report Writer Application Support

Report Writer support services additionally include:

1. Updates to the Report Writer for the inclusion of newly defined industry-specific data points.
2. Complimentary Report Writing Services during ACS Site Visits for trauma clients.
3. Free Report Writer training classes (Module 1&2) that are available several times each year.

Documentation:

ESO's software comes with application and technical documentation. Technical documentation also includes appendices describing data formats, screen layouts, menu choices, field names, widths, export formats, and other technical capabilities. In addition, ESO has additional documentation to assist with the installation and configuration of the system.

Software Support Services:

ESO provides a full range of software support services. Our direct software support services entail a high level of service and are sufficient for ensuring the ongoing operations of a central site; however, ESO is also able to help in a number of value-added projects. ESO's experience in custom systems makes us efficient in such projects because we can share our experiences and insights gained from working on dozens of other successful registry systems. In addition, ESO also can provide direct one-on-one services and customized application development maintenance on an individual basis and has done so for hundreds of hospitals throughout the country. ESO will, when unavoidable or expedient for it, provide support services via remote access of client systems; ESO conducts remote access solely through GoToAssist attended sessions.

Support Services not covered by Standard Support:

1. Training - the ESO help desk is not to be used as a replacement for training for the trauma registry application or for any of its features and functions.
2. 3rd Party Product Support.
- ESO is not responsible for trouble shooting Microsoft products or any other product not provided directly by ESO; ESO will provide client with compatibility requirements and necessary system settings.
3. Remote access, Wide Area Network or CITRIX support - the software license provided and supported is based on local area network use.
4. Data loss or corruption as a result of client error (inadvertently deleting files) or as a result of hospital IT system deficiency (like insufficient anti-virus protection).
5. Application Server Migrations - ESO is not responsible to move existing installed software to new servers unless the move was requested/required by ESO.
6. NTDB data mapping, validation, data analysis and data processing. Note: ESO offers enhanced services to cover these aforementioned items as an additional and upgraded service offering.
7. Report Development - ESO is not responsible for writing and/or developing ad hoc reports (queries, gathers or coded variables) for users.
8. Client's infrastructure or Network Issue - ESO is a software vendor and therefore, we don't have the obligation as a software vendor to troubleshoot and evaluate client networks. We provide the specifications needed for proper hardware and software installation and continued configuration, but don't provide "free" network analysis and troubleshooting as part of standard maintenance.
9. State Specific customization and data submission requirements - Unless ESO is the State's Central Site Registry Vendor, ESO has no way of accurately estimating the effort to make annual software updates for State requirements and therefore, ESO cannot provide a "fixed fee" estimate related to any potential changes designed or mandated by the State.
10.
Security and technology assessments - ESO will complete a reasonable security/technology questionnaire or assessment in connection with the implementation of a new product, but any subsequent assessments or questionnaires that require more than one hour to complete will incur charges at ESO's then-current consulting services rate.

APPENDIX B
HIPAA BUSINESS ASSOCIATE ADDENDUM

Licensee and ESO Solutions, Inc. ("Business Associate") agree that this HIPAA Business Associate Addendum is entered into for the benefit of Licensee, which is a covered entity under the Privacy Standards ("Covered Entity").

Pursuant to the Registry Software License & Maintenance Agreement (the "Agreement") into which this HIPAA Business Associate Addendum (this "Addendum") has been incorporated, Business Associate may perform functions or activities involving the use and/or disclosure of PHI on behalf of the Covered Entity, and therefore, Business Associate may function as a business associate. Business Associate, therefore, agrees to the following terms and conditions.

1. Scope. This Addendum applies to and is hereby automatically incorporated into all present and future agreements and relationships, whether written, oral or implied, between Covered Entity and Business Associate, pursuant to which PHI is created, maintained, received or transmitted by Business Associate from or on behalf of Covered Entity in any form or medium whatsoever.

2. Definitions. For purposes of this Addendum, the terms used herein, unless otherwise defined, shall have the same meanings as used in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), or the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and any amendments or implementing regulations, (collectively "HIPAA Rules").

3.
Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective date, Business Associate shall comply with its obligations under this Addendum and with all obligations of a business associate under HIPAA, HITECH, the HIPAA Rules, and other applicable laws and regulations, as they exist at the time this Addendum is executed and as they are amended, for so long as this Addendum is in place.

4. Permissible Use and Disclosure of PHI. Business Associate may use and disclose PHI as necessary to carry out its duties to a Covered Entity pursuant to the terms of the Agreement and as required by law. Business Associate may also use and disclose PHI (i) for its own proper management and administration, and (ii) to carry out its legal responsibilities. If Business Associate discloses Protected Health Information to a third party for either above reason, prior to making any such disclosure, Business Associate must obtain: (i) reasonable assurances from the receiving party that such PHI will be held confidential and be disclosed only as required by law or for the purposes for which it was disclosed to such receiving party; and (ii) an agreement from such receiving party to immediately notify Business Associate of any known breaches of the confidentiality of the PHI.

5. Limitations on Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, subcontractors, and agents do not, use or disclose PHI in any manner that is not permitted by the Agreement or that would violate Subpart E of 45 C.F.R. 164 ("Privacy Rule") if done by a Covered Entity. All uses and disclosures of, and requests by, Business Associate for PHI are subject to the minimum necessary rule of the Privacy Rule.

6. Required Safeguards to Protect PHI. Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 C.F.R.
Part 164 ("Security Rule") with respect to electronic PHI, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Addendum.

7. Reporting to Covered Entity. Business Associate shall report to the affected Covered Entity without unreasonable delay: (a) any use or disclosure of PHI not provided for by the Agreement of which it becomes aware; (b) any breach of unsecured PHI in accordance with 45 C.F.R. Subpart D of 45 C.F.R. 164 ("Breach Notification Rule"); and (c) any security incident of which it becomes aware. With regard to Security Incidents caused by or occurring to Business Associate, Business Associate shall cooperate with the Covered Entity's investigation, analysis, notification and mitigation activities, and except for Security Incidents caused by Covered Entity, shall be responsible for reasonable costs incurred by the Covered Entity for those activities. Notwithstanding the foregoing, Covered Entity acknowledges and shall be deemed to have received advanced notice from Business Associate that there are routine occurrences of: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as "pinging" or "denial of services" attacks.

8. Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of the Agreement, including, but not limited to, compliance with any state law or contractual data breach requirements.

9. Agreements by Third Parties. Business Associate shall enter into an agreement with any subcontractor of Business Associate that creates, receives, maintains or transmits PHI on behalf of Business Associate.
Pursuant to such agreement, the subcontractor shall agree to be bound by the same or greater restrictions, conditions, and requirements that apply to Business Associate under this Addendum with respect to such PHI.

10. Access to PHI. Within five business days of a request by a Covered Entity for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to the Covered Entity such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within five (5) business days forward such request to the Covered Entity.

11. Amendment of PHI. Within five business days of receipt of a request from a Covered Entity for the amendment of an individual's PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to the Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. 164.526. In the event any individual delivers directly to Business Associate a request for amendment to PHI, Business Associate shall within five business days forward such request to the Covered Entity.

12. Documentation of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528 and HITECH.

13.
Accounting of Disclosures. Within five business days of notice by a Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate shall make available to a Covered Entity information to permit the Covered Entity to respond to the request for an accounting of disclosures of PHI, as required by 45 C.F.R. 164.528 and HITECH.

14. Other Obligations. To the extent that Business Associate is to carry out one or more of a Covered Entity's obligations under the Privacy Rule, Business Associate shall comply with such requirements that apply to the Covered Entity in the performance of such obligations.

15. Judicial and Administrative Proceedings. In the event Business Associate receives a subpoena, court or administrative order or other discovery request or mandate for release of PHI, the affected Covered Entity shall have the right to control Business Associate's response to such request, provided that, such control does not have an adverse impact on Business Associate's compliance with existing laws. Business Associate shall notify the Covered Entity of the request as soon as reasonably practicable, but in any event within seven business days of receipt of such request.

16. Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

17. Breach of Contract by Business Associate.
In addition to any other rights a party may have in the Agreement, this Addendum or by operation of law or in equity, either party may: i) immediately terminate the Agreement if the other party has violated a material term of this Addendum; or ii) at the non-breaching party's option, permit the breaching party to cure or end any such violation within the time specified by the non-breaching party. The non-breaching party's option to have cured a breach of this Addendum shall not be construed as a waiver of any other rights the non-breaching party has in the Agreement, this Addendum or by operation of law or in equity.

18. Effect of Termination of Agreement. Upon the termination of the Agreement or this Addendum for any reason, Business Associate shall return to a Covered Entity or, at the Covered Entity's direction, destroy all PHI received from the Covered Entity that Business Associate maintains in any form, recorded on any medium, or stored in any storage system. This provision shall apply to PHI that is in the possession of Business Associate, subcontractors, and agents of Business Associate. Business Associate shall retain no copies of the PHI. Business Associate shall remain bound by the provisions of this Addendum, even after termination of the Agreement or Addendum, until such time as all PHI has been returned or otherwise destroyed as provided in this Section. For the avoidance of doubt, de-identified Licensee Data shall not be subject to this provision.

19. Injunctive Relief. Business Associate stipulates that its unauthorized use or disclosure of PHI while performing services pursuant to this Addendum would cause irreparable harm to a Covered Entity, and in such event, the Covered Entity shall be entitled to institute proceedings in any court of competent jurisdiction to obtain damages and injunctive relief.

20. Owner of PHI.
Under no circumstances shall Business Associate be deemed in any respect to be the owner of any PHI created or received by Business Associate on behalf of a Covered Entity.

21. Safeguards and Appropriate Use of Protected Health Information. Covered Entity is responsible for implementing appropriate privacy and security safeguards to protect its PHI in compliance with HIPAA. Without limitation, it is Covered Entity's obligation to: (i) not include PHI in information Covered Entity submits to technical support personnel through a technical support request or to community support forums. In addition, Business Associate does not act as, or have the obligations of a Business Associate under the HIPAA Rules with respect to Licensee Data once it is sent to or from Covered Entity outside Business Associate's Software over the public Internet; and (ii) implement privacy and security safeguards in the systems, applications, and software Covered Entity controls, configures and connects to Business Associate's Software.

22. Third Party Rights. The terms of this Addendum do not grant any rights to any parties other than Business Associate and the Covered Entity.

23. Signatures. The signatures to the Agreement (or the document evidencing the parties' adoption thereof) indicate agreement hereto and shall be deemed signatures hereof, whether manual, electronic or facsimile.

Attachment A

SELF-DEALING TRANSACTION DISCLOSURE FORM

In order to conduct business with the County of Fresno (hereinafter referred to as "County"), members of a contractor's board of directors (hereinafter referred to as "County Contractor"), must disclose any self-dealing transactions that they are a party to while providing goods, performing services, or both for the County.
A self-dealing transaction is defined below: "A self-dealing transaction means a transaction to which the corporation is a party and in which one or more of its directors has a material financial interest." The definition above will be utilized for purposes of completing this disclosure form.

INSTRUCTIONS

(1) Enter board member's name, job title (if applicable), and date this disclosure is being made.
(2) Enter the board member's company/agency name and address.
(3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the County. At a minimum, include a description of the following:
    a. The name of the agency/company with which the corporation has the transaction; and
    b. The nature of the material financial interest in the Corporation's transaction that the board member has.
(4) Describe in detail why the self-dealing transaction is appropriate based on applicable provisions of the Corporations Code.
(5) Form must be signed by the board member that is involved in the self-dealing transaction described in Sections (3) and (4).

(1) Company Board Member Information:
    Name:
    Date:
    Job Title:
(2) Company/Agency Name and Address:
(3) Disclosure (Please describe the nature of the self-dealing transaction you are a party to):
(4) Explain why this self-dealing transaction is consistent with the requirements of Corporations Code 5233(a):
(5) Authorized Signature
    Signature:
    Date: