News Articles
This site contains over 2,000 news articles, legal briefs and publications related to for-profit companies that provide correctional services. Most of the content under the "Articles" tab below is from our Prison Legal News site. PLN, a monthly print publication, has been reporting on criminal justice-related issues, including prison privatization, since 1990. If you are seeking pleadings or court rulings in lawsuits and other legal proceedings involving private prison companies, search under the "Legal Briefs" tab. For reports, audits and other publications related to the private prison industry, search using the "Publications" tab.
For any type of search, click on the magnifying glass icon to enter one or more keywords, and you can refine your search criteria using "More search options." Note that searches for "CCA" and "Corrections Corporation of America" will return different results.
Vermont DOC Contract Summary With Centurion 2015
Document text
STATE OF VERMONT CONTRACT SUMMARY AND CERTIFICATION---- --- ---- Form AA-14 (8/22/11) Note: All sections are required. Incomplete forms will be returned to department. I. CONTRACT INFORMATION: Agency/Department: AHS/ Department of Corrections Contract #: 29960 Amendment#: Centurion of Vermont, LLC VISION Vendor No: 1447 Peachtree St., Suite 500, Atlanta, GA 30309 Starting Date: 9/15/2015 1/31/2018 Amendment Date: Ending Date: Summary of agreement or amendment: EHR for Comprehensive Healthservices for Inmates. Vendor Name: Vendor Address: II. FINANCIAL INFORMATION Maximum Payable: $1 ,023,463 Prior Maximum: Current Amendment: Cumulative amendments: $ -r Business Unit(s): ; 03420; notes: program II. PERFORMANCE INFORMATION $ Prior Contract# (If Renewal): $ % Cumulative Change: J VISION Account(s): ; 3480004070,507500 m. I G-Fund 100% S-Fund % % F-Fund □ ~ Yes Does this Agreement include Performance Measures tied to Outcomes and/or financial reward/penalties? Estimated Funding Split: % GC-Fund % No Other % PUBLIC COMPETITION The agency has taken reasonable steps to control the price of the contract or procurement grant and to allow qualified organizations to compete for the work authorized by this contract. The agency has done this through : 0 ~ Standard bid or RFP Simplified Bid D Qualification Based Selection D Sole Sourced IV. TYPE OF AGREEMENT & PERFORMANCE INFORMATION D Service ~ Personal Service D Architect/Engineer Check all that apply: ~ Information Technology D Other, describe: V. SUITABILITY FOR CONTRACT FOR SERVICE I D Statutory D Construction D Marketing If this is a Personal Service contract, does this agreement meet all 3 parts of the "ABC" definition of independent □ □ n1a Contractor? (See Bulletin 3.5) IfNO, then Contractor must be paid through Payroll No VI. CONTRACTING PLAN APPLICABLE: ~ Are one or more contract or terms & conditions provisions waived under a pre-approved Contracting Plan? D Yes No VII. CONFLICT OF :INTEREST ~Yes By signing below, I certify that no person able to control or influence award of this contract had a pecuniary interest in its award or performance, either personally or through a member of his or her household, family, or business. D ~ No Yes I there an "appearance" ofa conflict of interest so that a reasonable person may conclude that this party was selected for improper reason : (If yes, explain) VIII. PRIOR APPROVALS REQUIRED OR REQUESTED ~ Yes 0 0 No No [8J Yes □ No □ □ [8J [8J No [8J No [8J Yes Yes Yes Yes 0 Agreement must be approved by the Attorney General under 3 VSA §311 (a)( 10) (personal service) I request the Attorney General review this agreement as to form No, already performed by in-house AAG or counsel: (initial) Agreement must be approved by the Comm. ofDII; for IT hardware, software or services and Telecommunications over $100,000 Agreement must be approved by the CMO; for Marketing services over $15,000 Agreement must be approved by Comm. Human Resources (privatization and retiree contracts) Agreement must be approved by the Secretary of Administration No ,.- 1r, ' ; / I ,t IX. AGENCY/DEPARTMENT BEAD C.ERTIFICATIQN; APPROVAL I have made reaso'Jble inqui () ( f ",.,,,.,r. ,,. ~ of the .............. ~,➔ 1 / ,, Ag~~~ad O'ate Approval by Attorney General Date CIO Date above information: -'itfa~1'/½1/s ate """"' ' CMO - a1 il 1/ )rw; /~ ~ Agency Secretary or Other D~ - rt~ ent Head (if required) Date Approved by Commissioner of Human Resources Date Secretary of Administration Agency/Department: AHS/ Department of Corrections Vendor Name: Centurion of Vermont, LLC Vendor Address: 1447 Peachtree St., Suite 500, Atlanta, GA 30309 Starting Date: 9/15/2015 Summary of agreement or amendment: Maximum Payable: $1,023,463 Current Amendment: $ Business Unit(s : ; 03420; Contract#: 29960 Amendment#: VISION Vendor No: Ending Date: 1/31/2018 Amendment Date: EHR for Comprehensive Healthservices for Inmates. Prior Contract# (If Renewal): Cumulative amendments: % Cumulative Change: $ % - not f8I Does this Agreement include Performance Measures tied to Outcomes 'and/or financial reward/penalties? Estimated Funding Split: G-Fund 100% % S-Fund F-Fund % GC-Fund % Yes Other % The agency has taken reasonable steps to control the price of the contract or procurement grant and to allow qualified organizations to compete for the work authorized by this contract. The agency has done this through: 0 f8I Standard bid or RFP f8I Yes D D n/a No Simplified Bid D Sole Sourced D Qualification Based Selection D Statutory Ifthis is aPerso Contractor? By signing below, I certify that no person able to control or influence award of this contract had a pecuniary interest in its award cir performance, either personally or through a member of his or her household, family, or business. D Yes f8I No 18l' Yes 181 Yes 0 0 No No 181 Yes 0 No D D 181 Yes Yes Yes f8I f8I 0 No No No CJ( \\tl' l s !here an "appearance" of a conflict of interest so that a reasonable person may conclude that this party was selected for improper reasons: (lf yes, explain) Agreement must be approved by the Attorney General under 3 VSA §31 l(a)(I0) (personal service) I request the Attorney General review this agreement as to fonn No, already performed by in-house AAG or counsel: _ _ ____ (initial) Agreement must be approved by the Comm. ofDII; for IT hardware, software or services and Telecommunications over $100,000 Agreement must be approved by the CMO; for Marketing services over $15,000 Agreement must be approved by Comm. Human Resources (privatization and retiree contracts) Agreement must be approved by the Secretary of Administration E-SIGNEO,,by Jonathan C Provost on 2015'09-1 0 10:55:16 GMT 0 E-SIGNED by Barbara Cormier on'20'15•09-1 0 17 :51:31 GMT E.SIGNEO by Jack Green E-SIGN ED by John Hunl E,SlcfNEiD by Linda Mo; se E..~ IGNE.O by Aimee Pope on,201 5-09-10 19:24:01 GMT on@15;P9-18 16:54:17 GMT on 2,0~5-09-28 14:30:4 1 GMT on·2(l15,;P9-29 18;27:50 GMT State of Vermont Department of Corrections 103 South Main Street Waterbury, VT 05671-1001 www.doc.state.vt.us [phone] [fax] [fax] Agency of Human Services 802-241-2442 802-951-5017 802-951-5086 MEMORANDUM To: Justin Johnson, Secretary of Administration Thru: Hal Cohen, Secre~ From: Andrew~ , Agency of Human Services d ~issioner, Department of Corrections Date: August 11, 2015 Re: Centurion of Vermont, LLC, Contract #29960 Background: In August 2014, the VDOC released an RFP for inmate health services. Attached for your reference is the original memo dated December 8, 2014 that accompanied the correctional health services contract with Centurion of Vermont, LLC that commenced on February 1, 2015. As this memo states, VDOC had initially included an Electronic Health Record (EHR) as part of the RFP; however, based on concerns that the EHR would pose a risk of a delay to the entire contract given the potential length of time required for the DII review process including a lengthy Independent Review, the decision was made to establish a separate Centurion EHR contract or "carve out" of the EHR to expedite the health services contract routing. The decision as it happened was a good one as the EHR contract has encountered many obstacles and delays which will ultimately result in a 'go live' date that will narrowly precede the closing of the Correct Care Solutions (VDOC's prior health services contractor) $0 contract extension that secured the use of its Electronic Records Management Administrator (ERMA) which the Department has been using in lieu of its anticipated EHR. The hard set end date for ERMA is January 31, 2016. It is imperative that the new EHR be ready prior to that date. Bidding Process The DOC solicited bids from qualified vendors for the provision of a range of health services for inmates. We placed a strong· emphasis on the vendor's inclusion of technology applications specifically an EHR that would be sufficient to meet all aspects of needs (care coordination, continuity and linkages during transitions of care). The cost of the EHR was included as part of the vendor's bid. VDOC further required that the EHR be HIP AA compliant; meet 2014 Meaningful Use Criteria; electronic medication administration capacity (eMAR) and has the potential for linkages/interfaces with. other State information platforms including VITL. Centurion chose CorrecTek, Inc. based on the company's ability to meet our basic EHR needs and its willingness to agree with requirements that will ensure the system conforms to the State's needs for an effective, high performing EHR system. ~ YERMONT Performance Measures Over the past several months, VDOC, Centurion, CorrecTek (the EHR vendor), AHS IT and DII have worked diligently to ensure that the EHR contract meets all federal and state HIT standards and requirements as well as meeting VDOC's specific requirements for generating reports, improving quality, measuring outcomes and tracking information as these relate to our own Triple Aims; improving the experience of care, improving the health of our populations, and reducing per capita costs of health care. Inherent in all of these is VDOC's requirement for a system that supports the assessment and measurement of contactor performance. The EHR contract requires that the vendor provide services in multiple areas including but not limited to: 1. 2. 3. 4. 5. Milestone Deliverables that must be met by specific due dates; Project Management Plan with adequate oversight and staffing; Comprehensive implementation plan as part of the project plan; Training and Education Plan and; Data Conversion and Migration Plan. A retainage of 10% will be held back for e~ch deliverable and will not be released by VDOC until the contractor's completion of all deliverables. - - EHR Contract Year Estimated Cost per Year Year 1-- CY 16 $793,504 ' Year2-CY 17 $78,558 Year 3-CY 18 $100,476 Reserved for Change Orders & Additional Costs for Hosting/Microsoft Licensing Fees $50,925 --- - - ~.~ - --- - - - ~ i . I , Total EHR Cost - ~ - - -- - -- - $1,023,463 I Attachments: 1) Original health services contract memo with Centurion of VT, LLC dated 12/8/14 2) Centurion of Vermont, LLC Contract #29960 State ofVermont Department of Corrections 103 South Main Street Waterbury, VT 05671-1001 www.doc.state.vt.us [phone] [fax] [fax] 802-241-2442 802-951-5017 802-951-5086 Agency of Human Services MEMORANDUM To: Justin Johnson, Secretary of Administration E-SIGNED by Michael Clasen on 2015-09-29 18:32:49 GMT Thru: Hal Cohen, Secrefary, Agency of Human Services From: Andrew~ d~ssioner, Department of Corrections Date: August 11, 2015 Re: Centurion of Vermont, LLC, Contract #29960 Background: In August 2014, the VDOC released an RFP for inmate health services. Attached for your reference is the original" memo dated December 8, 2014 that accompanied the correctional health services contract with Centurion of Vermont, LLC that commenced on February 1, 2015. As this memo states, VDOC had initially included an Electronic Health Record (EHR) as part of the RFP; however, based on concerns that the EHR would pose a risk of a delay to the entire contract given the potential length of time required for the DII review process including a lengthy Independent Review, the decision was made to establish a separate Centurion EHR contract or "carve out" of the EHR to expedite the health services contract routing. The decision as it happened was a good one as the EHR contract has encountered many obstacles and delays which will ultimately result in a 'go live' date that will narrowly precede the closing of the Correct Care Solutions (VDOC's prior health services contractor) $0 contract extension that secured the use of its Electronic Records Management Administrator (ERMA) which the Department has been using in lieu of its anticipated EHR. The hard set end · date for ERMA is January 31, 2016. It is imperative that the new EHR be ready prior to that date. Bidding Process The DOC solicited bids from qualified vendors for the provision of a range of health services for inmates. We placed a strong· emphasis on the vendor's inclusion of technology applications specifically an EHR that would be sufficient to meet all aspects of needs (care coordination, continuity and linkages during transitions of care). The cost of the EHR was included as part of the vendor's bid. VDOC further required that the EHR be HIPAA compliant; meet 2014 Meaningful Use Criteria; electronic medication administration capacity (eMAR) and has the potential for linkages/interfaces with. other State information platforms including VITL. Centurion chose CorrecTek, Inc. based on the company's ability to meet our basic EHR needs and its willingness to agree with requirements that will ensure the system conforms to the State's needs for an effective, high performing EHR system. ~YERMONT Performance Measures Over the past several months, VDOC, Centurion, CorrecTek (the EHR vendor), AHS IT and DII have worked diligently to ensure that the EHR contract meets all federal and state HIT standards and requirements as well as meeting VDOC's specific requirements for generating reports, improving quality, measuring outcomes and tracking information as these relate to our own Triple Aims; improving the experience of care, improving the health of our populations, and reducing per capita costs of health care. Inherent in all of these is VDOC's requirement for a system that supports the assessment and measurement of contactor performance. The EHR contract requires that the vendor provide services in multiple areas including but not limited to: 1. 2. 3. 4. 5. Milestone Deliverables that must be met by specific due dates; Project Management Plan with adequate oversight and staffing; Comprehensive implementation plan as part of the project plan; Training and Education Plan and; Data Conversion and Migration Plan. A retainage of 10% will be held back for e~ch deliverable and will not be released by VDOC until the contractor's completion of all deliverables. ,. . .. .. ---·-- .. .. - -- . . .. .. - .. .. . - .. -• ... Contract . . Year .. .. ... . . ;Es~!ll-~t~d Cost I?~! Y~a.r_ ··-- ., .. ·- EHR -- .. , ~ - .. • • •• r •• - -- ' Year 1-., CY 16 [ $793,504 . , : I Year2-CY 17 ; ' ' ·. $78,558 .. --- -- .. Year3-CY 18 $!00,476 ' Reserved for Change Orders & Additional ; Costs for Hosting/Microsoft Licensing Fees : .. -.. -. .. ! •· '' . • 1 : i - ·- -· ... 4 •• · Total EHR Cost .... .. .., . ••--u • • ' •• · · · -~ u ~ • u• • ' ! $50,925 - ~ ' - i i $1,023,463 : '~· ... ' . . .. I .. - -·-. ~---~··· . . . ~ .. .. .... - - -- - . Attachments: 1) Original health services contract memo with Centurion of VT, LLC dated 12/8/14 2) Centurion of Vermont, LLC Contract #29960 .. . - . . .. --· STATE OF VERMONT CONTRACT FOR SERVICES Page 1 of 67 Contract#29960 1. Parties. This is a contract for personal services between the State of Vermont, Department of · Corrections (hereafter called "State''), and Centurion of Vermont, LLC, with a principal place of business in 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 (hereafter called "Contractor"). The Contractor's form of business organization is a Vermont limited liability company. The Contractor's local address is 5430 Waterbury-Stowe Road, Rt. l00N Building 1, Ground Floor Waterbury Center, VT 05677. It is the Contractor's responsibility to contact the Vermont Department of Taxes to determine if, by law, the Contractor is required to have a Vermont Department of Taxes Business Account Number. 2. Subject Matter. The subject matter of this contract is services generally on the subject of development, implementation, software, support and maintenance, and hosting of an Electronic Health Record ("EHR") System. Detailed services to be provided by the Contractor are described in Attachment A. 3. Maximum Amount. In consideration of the services to be performed by Contractor, the State agrees to pay Contractor, in accordance with the payment provisions specified in Attachment B, a sum not to exceed $1,023,463. 4. Contract Term. The period of Contractor's performance shall begin on 9/15/2015 and end on 1/31/2018, with the option of two one-year extension periods by mutual agreement of the Parties. Year One is defined as 9/15/2015 up through and including 1/31/2016. Year Two is defined as 2/1/2016 up through and including 1/31/17. Year Three is defined as 2/1/17 up through and including 1/31/18. Optional Year Four is defined as 2/1/18 up through and including 1/31/19. Optional Year Five is defined as 2/1/19 up through and including 1/31/20. 5. Prior Approval . If approval by the Attorney General's Office, Secretary of Administration, DII CIO/Commissioner, or Chief Marketing Officer is required, (under current law, bulletins, and interpretations), neither this contract nor any amendment to it is binding until it has been approved by such persons. • • • • Approval Approval Approval Approval by the Attorney General's Office is required. by the Secretary of Administration is required. by the CIO/Commissioner ofDII is required. by the CMG/Marketing Services is not required. 6. Amendment. No changes, modifications, or amendments in the terms and conditions of this contract shall be effective unless reduced to writing, numbered and signed by the duly authorized representative of the State and Contractor. 7. Termination. This contract may be cancelled by either party by giving written notice at least 90 days in advance. 8. Attachments. This contract consists of 67 pages including the following attachments, which are incorporated herein: Attachment A - Specifications of Work to be Performed Attachment B - Payment Provisions Attachment C - Customary State Contract provisions Page 2 of 67 Contract#29960 · STATE OF VERMONT CONTRACT FOR SERVICES Attachment D - Other Provisions Attachment E - Business Associate Agreement Attachment F - Customary Contract Provisions of the Agency of Human Services Attachment G - Interface Attachments The order of pr~cedence of documents shall be as follows: 1). 2). 3). 4). 5). 6). 7). 8). This document Attachment D Attachment C Attachment A Attachment B Attachment E Attachment F Attachment G WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS CONTRACT. BY THE STATE OF VERMONT: Date: /i} /2- 2- / / l r f-'><? /) BY Centurion of Vermont, LLC: Date: Jo/J~/4:5C>Jo Signature: _ _:~=-- -- -===- Signature: ~ Name: Andrew Pallito Name: Steven H. Wheeler ~ Title: Commissioner Agency/Dept.: Agency of Human Services Department of Corrections AHS Revised 07/21/08 Title: Chief Executive Officer Phone: (703) 749-4600 Email: swheeler@mhm-services.com STATE OF VERMONT CONTRACT FOR SERVICES Page 3 of 67 Contract#29960 ATTACHMENT A SPECIFICATIONS OF WORK TO BE PERFORMED A. SERVICE DESCRIPTION 1. Contractor shall provide the following services for the State: Contractor shall configure, implement, support, maintain and host an Electronic Health Record System ("EHR") for State. In addition, Contractor shall train State staff in addition to its own staff in the usage of the Electronic Health Record. 2. In accordance with Attachment C, Section 15, the State hereby acknowledges that Contractor is not in the business of developing, licensing, implementing or hosting an EHR system and, therefore, approves Contractor's use of the following subcontractors for performance of all or portions of this Contract: CorrecTek, Inc. ("CORRECTEK") and Kalleo Technologies, LLC ("KALLEO"). 3. Contractor may not use additional subcontractors to perform work under this Agreement without the prior written approval of the State. 4. Contractor shall be responsible for directing and supervising each of its subcontractors and any other person performing any of the Work under an agreement with Contractor. Contractor has provided to the State a list of all subcontractors and subcontractors' subcontractors, together with the identity of those subcontractors' workers compensation insurance providers. Contractor shall be responsible and liable to the State for all acts or omissions of subcontractors and any other person performing any of the Services under an agreement with Contractor or any subcontractor. 5. Project Management Methodology The Contractor will ensure a tool acceptable to the State is used to ensure the project paces correctly and all deliverables are met. Regular activity reports will be provided to all stakeholders. Weekly status meetings may be held to ensure there are no issues with communication. The Contractor shall provide a Project Management Team that may be comprised of Contractor staff, subcontractors' staff or both. The Project Manager shall have experience implementing system-wide electronic health record systems. At least one member of the Project Management Team will have three (3) years' experience implementing the subcontractor's EHR in correctional environments. At least one member of the team will possess a Master's Degree in IT Management. 6. Work to be Performed The Contractor agrees to perform all of the requirements of the Scope of Work outlined below: • Provide a Project Manager for the work associated with the implementation of this system . • Provide an Escrow Agreement. • Provide a Project Management Plan. • Provide a Data Conversion and Migration Plan, complete the migration process, and convert legacy data for use in the Electronic Health Record. • Provide a Staffing Plan. • Provide a Risk Management Plan, and Security Controls Document. • Provide a Change Management Plan including targeted written and oral communication for a smooth implementation. STATE OF VERMONT CONTRACT FOR SERVICES • • • • • • • • • • • Page 4 of67 Contract#29960 Provide a Communications Plan. Provide a Network Design, System Design, and Technical Documentation. Provide an IT System Security Plan, including Security Controls Audit Document and an IT Risk Assessment, based on SSAE-16 SOC 2 and Federally required Security Policy. This plan includes event management and monitoring functionality according to Information Technology Infrastructure Library version 3 (ITIL v3), or equivalent best practices, and TIA 942 standards. Provide a Requirements Traceability Matrix and Work Breakdown Structure. Provide and adhere to a detailed Testing Plan, incorporating the CorrecTek, Inc. standard Show and Tell process. Provide a Training Plan, Training materials, and train State staff. Deliver a system that is secure and confidential and meets all of the requirements listed within this Contract. Deliver system and services that are compliant with Federal and State Regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIP AA). Deliver a system and service that meet all applicable state and federal audit requirements. Ensure a one-year Warranty Period is provided by the EHR manufacturer after Go-Live date. Provide a Post Implementation Review, including Post Implementation Evaluation. 7. Requirements The Contractor shall provide a system and items for the system that includes all of the requirements listed: 1 2 3 4 5 6 General Requirements Contractor shall provide the hosted CorrecTek Electronic Health Record (EHR) System The system shall conform to State security standards and protocols. A list of the Agency of Human Service security policies can be found at http ://humanservices. vermont. gov /policy-legislation/policies/0 5-informationtechnology-and-electronic-communications-policies/ and a list of State of Vermont security policies can be found at http://dii.vermont.gov/policy/policy. The system will be fully integrated into the system qf care and will interface with DOC's Offender Management System in a manner that will ensure continuity of care and maximize care coordination efforts to ensure that sustainability efforts can be realized, and performance-based accountability can be driven. The system shall have the ability to interoperate with State partners, through the use of interfaces as defined in the CONSTRUCTION, CONFIGURATION, AND UNIT TESTING section of this contract. The EHR shall improve the coordination of care by enhancing interoperability between Vermont DOC and external partners in care. The system shall have the ability to communicate with and share data with other external systems through a variety of communication protocols, including but not limited to, Web Services, TCP/IP Port Communication, File Transfer, SFTP, HL7 2.x, C-CDA, Tab Delimited Files, and many more. Contractor is willing to work with the State and partner applications involved to determine the best method of communicating and sharing data to meet the business needs presented.. The system shall provide ad-hoc reporting capabilities using all data fields in the EHR to create all needed reports. Ad-hoc reporting will utilize a graphical user interface that does not require that users te need to know specific coding languages in order to run reports as required by the State. STATE OF VERMONT CONTRACT FOR SERVICES 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Page 5 of 67 Contract#29960 The system shall be able to export datasets in formats including but not limited to excel, comma delimited, and fixed width. The system shall include role based permissions to allow access to staff based on State approved functions to access State data. The system shall have spell check for free text fields for commonly used words. The system should provide drop-downs with selections, if possible, to eliminate errors in typing. The system shall include an Administration module that allows non-technical staff to establish new user permissions and to change existing permissions. The system shall be highly configurable so that established processes and data elements can be modified. The system shall have the ability for reporting needs to export to Microsoft Excel and Word. The system shall have the ability to perform a drill down search for data elements contained in the Electronic Health Record System as defined by the State. Any additional drill down search requirements identified by the State that are not contained in the system will require a Change Order. The system shall provide its own document storage and retrieval component as defined by the State. The system shall utilize the state of Vermont Simple Mail Transfer Protocol (SMTP) relay for all email notifications. The system shall support task related ticklers/reminders currently contained in the Electronic Health Record System. Any specific requirements identified by the State that are-is not contained in the Electronic Health Record System will require a Change Order. The contractor shall convert legacy data to populate the new system. This shall include the department's medical record data, which is currently accessed through ERMA, detailed in the Data Migration and Configuration section. The system shall have a separate testing and production environments. The contractor shall provide, submit and execute a training plan for the system per the Training Plan and Training Materials section. The system shall have data fields populated from the OMS interface to view individual inmate exact daily housing designation (cell and restriction level specific). 21 The system shall identify the user making any entry into the database. The system shall have the ability for designated users to reset users' passwords as well as the ability for admins to reset users' passwords. The system shall allow authorized users to assign labels/alerts to offenders for easy 23 recognition of special case needs, including but not limited to Serious Functional Impairments, and Prison Rape Elimination Act (PREA) Standards The system shall produce all reports as presented to the State. Any additional reporting requirements identified by the State that are not contained in the system will require a 24 Change Order. Portions of the reports should be auto filled from the database and shall allow text be entered by a user. The System shall provide fields, as defined by the State, required for the continuous quality improvement (CQI) program based on the National Commission on Correctional Health (NCCHC) essential and important standards for same, as well as selected 25 measures from National Commission on Quality Assurance-Health Evaluation Data Information Set (NCQA-HEDIS), the Centers for Medicaid and Medicare Services (CMS). 22 STATE OF VERMONT CONTRACT FOR SERVICES Page 6 of67 Contract#29960 The system shall track requests for Americans with Disabilities Act (ADA) accommodations .. Data Exchanges The system shall be able to process and import data including, but not limited to, a 27 comma separated file format or other file format. The system shall be configurable for 15 minute increment, daily, weekly, or monthly 28 scheduled imports from external data sources or timeframes currently contained in the Electronic Health Record System. The system shall allow the secure transmission of selected files/information to community/outside entities. All Personal Identifiable Information (PII) and Personal 29 Health Information (PHI) data at rest shall be in an encrypted format. The minimum encryption level is AES 128 encryption that is FIPS140-2 validated. 26 Performance requirements The system shall be in operation 24 hours a day every day except as described in the Service Level Agreement. The system shall have 99.98% uptime except as outlined in the Service Levels and 31 Support section. If the proper hardware and network infrastructure is in place from the State, the system 32 shall handle up to 66 concurrent users and 200 total users using the system at various times. The Contactor shall provide Transactional Response Times for the system in the following areas: Individual Offender Record Look-ups; Queries; Standard Reports; 33 Complex Reports; Custom and Ad-Hoc Reports. Contractor shall not be liable for transaction response times if the State experiences a failure of any kind in its broad-band connection. 30 Health Services Requirements The system shall meet the criteria for 2014 Meaningful Use (MU) Ambulatory Criteria. Criteria can be found at 34 http://www.cins.gov/Regulations-andGuidance/Legislation/EHRincenti vePrograms/Stage 2.html and htto://www.Q'no.Q:ov/fdsvs/oke/FR-201 2-09-04/odf/2012-20982.ocif The System shall be compliant with all current (2008 and 2014) and future NCCHC 35 standards for jails and prisons. 36 37 38 39 40 The system shall integrate physical, behavioral, mental, pharmacy, dietary, and lab functions in a single system. These features and functions shall be present in the initial system; if requested by the State and not already contained within the vendor's system then a change order shall be required by the State. The System shall meet the criteria for an electronic medication administration record (eMAR) The system shall maintain an electronic inventory process (e-MAR) to ensure the availability of daily, stock medication and other necessary and commonly prescribed medications. The System shall meet the 2014 Edition EHR Certification General Criterion. These criterion can be found at htto ://healthcare.nist. gov/use testimr/finalized reaui.rements.html The system shall meet the NCCHC standards P-D-04 and MH-D-04 for computerized STATE OF VERMONT CONTRACT FOR SERVICES 41 42 43 44 45 46 47 48 Page 7 of 67 Contract#29960 provider order entry. The system shall have data fields populated from the OMS interface to notify users of items including, but not limited to, Special Needs, Alerts, Holds, Medical or Mental Health Conditions or Accommodations, in accordance with P-E-03 and MH-E-03. The system shall have data fields to input, store, and, if applicable, import data for documentation of health benefit plan information including, but not limited to, the name of the insurer, coverage type, group/policy number, expiration date, and other information necessary for filing a claim if applicable, or determining health coverage upon release as defined by the State. Any additional requirements identified by the State that are not contained in the system will require a Change Order. The systems shall store, display and permit changes in the appropriate movement code (M-Code) to ensure that inmates for whom transfer would interfere with treatment planning or whose medical or mental health condition would be negatively affected are not transferred without approval of medical or mental health in accordance with NCCHC standards P-E-10 and MH-E-08. The system shall have data fields to input and store CQI, operational efficiency, and Pay for Performance (P4P) program data. The system shall utilize a standardized workflow to increase patient care and decrease errors. In addition to the standard system reports, the system shall allow users to create automated reports as agreed upon by the State and the Contractor. Laboratory Requirements The systems shall display the laboratory tests and values/results received in human readable format The systems shall attribute, associate, or link a laboratory test and value/result with a laboratory order and patient record. 49 The systems shall store laboratory tests and values/results. The systems shall electronically receive and incorporate clinical laboratory tests and values/results in accordance with the standard specified in§ 170.205G) and, at a 50 minimum, the version of the standard specified in §170.207(c)(2). The systems shall display all the information for a test report that complies with CMS regulations found at 42 CFR 493.1291(c)(l) through (7). Pharmacy Requirements The system shall allow authorized users to adjust notifications provided for drug-drug 52 and drug-allergy interaction checks. The system shall allow users to electronically check if drugs are in a formulary or 53 preferred drug list. The system shall maintain an active medication list and allow a user to electronically 54 record, modify, and retrieve a patient's active medication list as well as medication history for longitudinal care. The system shall maintain active medication allergy list and allow a user to 55 electronically record, modify, and retrieve a patient's active medication allergy list as well as medication allergy history for longitudinal care The systems shall meet the 2014 criteria for Computerized provider order entry (CPOE) 56 available to staff for the purpose of electronically recording, changing and accessing pharmacy and pharmaceutical data. 51 STATE OF VERMONT CONTRACT FOR SERVICES Page 8 of 67 Contract#29960 The system shall use an identification method, including but not limited to bar codes, for 57 connecting to data files to monitor medication use for safety and utilization of inventory. 58 The system shall track medications dispensed and refused by offenders. Programs & Services Requirements The system shall track attendance_at healthcare related appointments; individual or 59 group. The system shall allow authorized users to enter and maintain offender scheduling for 60 assigned appointments and programs The system shall be able to produce profile alerts for special medical and mental health needs. The system shall have the ability to store and retrieve all inmate information related to 62 medical, mental health, and psycho-social status from booking through release. The system shall be able to store and retrieve inmate health data to be used in the daily 63 management of the inmate, including but not limited to housing, program, work, and· contact restrictions. The system shall allow authorized users to enter and maintain data, including wait list 64 data, for an aooointment or program. Care Coordination/ Management Requirements The system shall provide or allow the user to define data fields and category information 65 related to Care Coordination/Management. 61 Grievance Tracking and Management Requirements The system shall allow the user to document and track.healthcare related offender grievances for inmates in a correctional facility. The system shall allow authorized users to enter information into each step of the 67 Department's grievance process. The system shall allow authorized users to sort and generate reports on grievances based 68 on different categories from data within the EHR; including but not limited to subject, site and staff member. The system shall provide a configurable work flow that assigns a grievance and/or sends 69 an email alert to a user that is responsible for ensuring that the grievance is completed within set time frames and; will send an alert to all authorized staff. 66 Scheduling Requirements 70 The system shall have a scheduling function for the correctional facilities. The system shall provide tracking of all offender activities including, but not limited to, 71 healthcare appointments and attendance at treatment programs, and provide an alert if there is a scheduling conflict. The system shall be able to allow users to view schedules for the entire facility or 72 specific inmates by day, month or year. The system shall maintain detailed records of all internal and external scheduled and 73 unscheduled movements of offenders. Other Requirements 74 Contractor shall provide service using the Unanticipated Time and Management Table STATE OF VERMONT CONTRACT FOR SERVICES 75 76 77 78 81 7. Page 9 of 67 Contract#29960 contained in Attachment B to project costs (per hour) for items that are required in the future, but are not included as part of the contract. Data shall be entered into the contractor's EHR in accordance with AHS and Vermont's statutes on use of electronic health records and destruction or retention of paper originals. Contractor Staff shall sign an Equipment and Data Use Agreement as provided by the State of Vermont. Contractor shall provide security audits of the application, including audit logs and reporting as required by Federal and State law. Contractor shall provide a security audit of the data center at which the system shall be hosted, including but not limited to SSAE-16 SOC 2, NIST 800-53 R4 and IRS-1075 auditing. The Contractor represents and warrants that it has implemented and it shall maintain during the term of this Contract the highest industry standard administrative, technical, and physical safeguards and controls consistent with NIST Special Publication 800-53 (version 4 or higher) and Federal Information Processing Standards Publication 200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect against any anticipated security threats or hazards to the security or integrity of the State Data; and (iii) protect against unauthorized access to or use of State Data. Such measures shall include at a minimum: (1) access controls on information systems, including controls to authenticate and permit access to State Data only to authorized individuals and controls to prevent the Contractor employees from providing State Data to unauthorized individuals who may seek to obtain this information (whether through fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption of electronic State Data while in transit from the Contractor networks to external networks; (4) measures to store in a secure fashion all State Data which shall include multiple levels of authentication; (5) dual control procedures, segregation of duties, and pre-employment criminal background checks for employees with responsibilities for or access to State Data; (6) measures to ensure that the State Data shall not be altered or corrupted without the prior written consent of the State; (7) measures to protect against destruction, loss or damage of S_tate Data due to potential environmental hazards, such as fire and water damage; (8) staff training to implement the information security measures; and (9) monitoring of the security of any portions of the Contractor systems that are used in the provision of the services against intrusion on a twenty-four (24) hour a day basis. Contractor shall provide a complete system data dictionary using the State's Data Dictionary Template to effectively document all data elements that are to be stored in the database. Accessing the EHR database by any software or application other than those provided or approved by the Contractor is strictly prohibited MILESTONES If State determines that a milestone deliverable required under this Contract does not meet, or otherwise conform to, the State's requirements as set forth in this Contract, then State shall provide Contractor with a notice describing the nonconformance of the deliverable. Contractor shall have thirty (30) days from the date it receives State's notice of the nonconformance to make the deliverable meet or otherwise conform to the State's requirements at no additional cost to State. If the State does not notify the Contractor within thirty (30) days after presentation of non-conformant deliverable, then the Contractor shall be able to invoice for said deliverable. Thereafter, should State identify a deliverable is non-conformant with the requirements, then the State shall have the right to request conformance within thirty (30) days. Contractor shall have thirty (30) days from the date it receives State's request and STATE OF VERMONT CONTRACT FOR SERVICES Page 10 of 67 Contract#29960 notification of the nonconformance to conform to the State's requirements and this change shall be at no additional cost to State. Contractor's failure to meet a deliverable will not be considered as a breach if the cause of the delay in the deliverable was attributed in whole or in part to the State or a third-party software vendor to which the EHR must interface This process of acceptance can be used by the State for each and every deliverable or redeliverable milestone. The EHR Client/Server Go-Live Date shall be when the EHR is put into production for use at all locations listed in the Service Delivery & Activities section. It is the responsibility of the State to have all eight (8) locations identified ready for Go-Live on a simultaneous date. Contractor shall complete the following deliverables on the due dates. Due Dates for Milestone Deliverables may be changed upon the request of the Contractor and acce_p·t ance b1y the Stat e. ID# 1 2 3 4 Milestone/Deliverable Description Phase 1: Project Kick-Off Kick Off Meeting Delivery of Initial Project Plan Data Conversion and Migration Plan Staffing Plan Phase 2: Network Readiness 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Security Plan Risk Assessment Security Controls Document Risk Management Plan Change Management Plan Organizational Change Management Plan Communications Plan Disaster Recovery Plan IT Risk Assessment Security Controls Audit Requirements Traceability Matrix Functional Design Technical Specifications and Network Diagram Phase 3: Interface Development/Database Configuration Complete onsite assessments of facilities to gather workflow and data requirements utilized in the database configuration Estimated Timeframe From Contract Execution 0-30 days after contract execution 0-30 days after contract execution 0-30 days after contract execution 0-30 days after contract execution 31 - 89 days after contract execution 31 31 31 31 31 31 - 89 days - 89 days - 89 days - 89 days - 89 days - 89 days after contract execution after contract execution after contract execution after contract execution after contract execution after contract execution 31 31 31 31 31 - 89 days - 89 days - 89 days - 89 days - 89 days after contract execution after contract execution after contract execution after contract execution after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 90 - 239 Days after contract execution 91 - 239 Days after contract execution STATE OF VERMONT CONTRACT FOR SERVICES Page 11 of 67 Contract#29960 process. 19 Delivery of EHR Base System and User Acceptance Test SignOff on Base System to Ensure Successful Installation 91 - 239 Days after contract execution *Actual timeframe will vary according to 20 Delivery of OMS Interface (As Defined in the Document "CorrecTek OMS Interface Guide") 21 Delivery of Pharmacy Interface (As Defined in the Document "CorrecTek Pharmacy Interface Guide") 22 Delivery of Lab Interface (As Defined in the Document "CorrecTek Lab Interface Guide") 23 Delivery of Radiology Interface (As Defined in the Document "CorrecTek Radiology Interface Guide") 24 25 26 27 28 Data Extraction from Legacy DOC System (ERMA) Map Data Elements - Delivery of Data Conversion Plan Submit Mapped Data Elements for review - Delivery of Data Mapping Document Completed data conversion State sign-off of the final configuration elements required before CorrecTek configuration efforts begin. Approval of Facility Assessment Summary other system vendors. ALL INTERFACES THAT WILL BE REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO LATER THAN 30 DAYS PRIOR TO TRAINING. 90-209 *Actual timeframe will vary according to other system vendors. ALL INTERFACES THAT WILL BE REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO LATER THAN 30 DAYS PRIOR TO TRAINING. 90-209 *Actual timeframe will vary according to other system vendors. ALL INTERFACES THAT WILL BE REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO LATER THAN 30 DAYS PRIOR TO TRAINING. 90-209 *Actual timeframe will vary according to other system vendors. ALL INTERFACES THAT WILL BE REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO LATER THAN 30 DAYS PRIOR TO TRAINING. 90-209 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91-239 Days after contract extension 91 - 23 9 Days after contract execution STATE OF VERMONT CONTRACT FOR SERVICES Page 12 of 67 Contract#29960 document. 29 30 31 32 33 34 35 36 37 38 39 40 Construction, Configuration, and Unit Test Summary Delivery of Draft Acceptance Test Plan ("ATP"). The standard CorrecTek Show and Tell Process will be utilized. Provide an informational demo for User Acceptance Testers to equip them for the Show and Tell Sessions. Delivery of SSAE-16 and 80053 R4 certification to the State. Unit Test Results - Delivery of completed ATP' s from Construction Phase. Summaries for each CorrecTek Show and Tell session will be provided. Integration and System Test Plan - State signoff on the Acceptance Test Plan of EHR. Necessary changes that are identified during the Show and Tell sessions will be addressed and demonstrated to the State. Finalize Data Configuration based on elements approved by the State in the Facility Assessment Summary document. Delivery of final, configured database Documentation Plan - Delivery of draft Training Manual. CorrecTek standard training resources will be utilized. Phase 4: Training Schedule and Chart Prep Delivery of Training Plan (Curriculum, Final Manual, and Training Schedule) Schedule Training Users complete training questionnaire (provided by CorrecTek) Delivery of Chart Prep 91 - 23 9 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 230 -239 days after contract execution 231 -239 days after contract execution 231 -239 days after contract execution 231 -239 days after contract execution 234 -239 days after contract execution ST ATE OF VERMONT CONTRACT FOR SERVICES Page 13 of 67 Contract#29960 Training. Phase 5: Onsite Training and Go-Live Conduct training sessions for all end users 41 42 241 - 270 days after contract execution Implementation/Go-Live Date Documentation - Delivery of System and User Manuals Initiate One-year Warranty Period Phase 6: Post Go-Live Post Go-Live Onsite Assessments 512 additional development hours for future/undetermined interfaces which might include VITL, EKG machine, and Medicare/Medicaid Provide annual SSAE-16 SOC 2 and 800-53 R4 Compliance certification to the State Post Implementation Evaluation and Certification 43 44 45 46 47 48 8. 240 - 270 days after contract execution 244 - 270 days after contract execution 245 - 270 days after contract execution 246 - 270 days after contract execution 300+ days after contract execution 300 days after contract execution 300+ days after contract execution 300+ days after contr~ct execution 300+ days after contract execution Service Delivery & Activities: The Contractor shall not connect to any state internal networks, or require the use of stateowned computer equipment, other than necessary for users to access the system to complete the scope of work in this Contract. This shall not exclude the Contractor from connecting the EHR with the State's Virtual Private Network (VPN) tunnel between the Electronic Health Record and the State maintained Active Directory so that the system can perform. authentication of ~sers. The Contractor will use subcontractor facilities to complete the work, unless otherwise noted. State will negotiate all necessary license agreements with subcontractors separate and apart from this Contract. 9. Milestone Descriptions a. PROJECT PLAN AND OVERSIGHT The Contractor shall deliver to the State a Project Management Plan. The Project Management Plan delivered by the Contractor shall incorporate the scope of work, deliverables, and all requirements outlined in the Contract and shall include the following: • Staffing assignments for contract tasks including names, percentage of time assigned to project and any other applicable information. STATE OF VERMONT CONTRACT FOR SERVICES Page 14 of 67 Contract#29960 • A plan showing critical events, dependencies and decision points during the course of the Contract. Any tool(s) used by Contractor for such purposes shall produce information of a type and in a manner and format that will support reporting in compliance with the State's requirement to the extent such requirements are described in the Scope of Work and shall be accessible using software currently used by the State of Vermont (i.e. Word, Excel, Project or Visio). · • The Contractor shall create and deliver a comprehensive implementation plan as part of the project plan. • Training and Education Plan; • Data Conversion and Migration Plan; The State shall give final approval to the Project Management Plan. Implementation of the Project Management Plan shall not commence prior to State approval. b. STAFFING • The Contractor shall provide a qualified Project Manager, as described in the Project Management Methodology, to manage this project. The Project Manager will serve as the technical lead dedicated to the project, specifically identified with overall responsibility for the implementation and transition from design, and implementation to operation of this system. This person shall be responsible for coordinating implementation activities and for allocating implementation team resources. This person shall be available until the turnover to the State has been successfully completed. • The Contractor shall provide and maintain qualified personnel and staffing to enable the deliverables to be provided in accordance with the Contract. • The Contractor shall replace any of the key staff of Contractor with a person of equivalent experience, knowledge and talent, if the need arises. • The Contractor shall provide State with ready access to all members of the Project Management Team. • Project Management Team shall be reachable by phone and email during business hours during the project implementation and during all go-live hours: • The Contractor shall participate in meetings in person or by conference call as required. A minimum of bi-weekly status update calls are required (separate from the Project Status Reporting requirement). Subcontractors part of the Project Management Team shall participate in meetings by conference call as required. • The State shall provide one (1) Project Manager to manage the project. • The State shall provide one (1) Subject Matter Expert capable of describing the semantics of the existing data; to act as a consultant to mapping the source data to the target data model, scoping of their data, migration effort, business rule validation and testing; and assisting with testing and final system validation. c. IMPLEMENTATION PLAN The Contractor shall provide a detailed implementation plan that includes: • The technical, business and informational steps in sequential order for implementing the EHR system. ~TATE OF VERMONT CONTRACT FOR SERVICES Page 15 of 67 Contract#29960 • Details of all known obstacles and plans for avoidance, which are defined as an event that prevented a task to be completed within the schedule project timeline. • Include in the Project Plan advice to the State on proceedings to assist State in avoiding obstacles in implementation. • Staffing and organizational steps for the State to ensure a smooth transition of implementation. • A Communication Plan that details how State should approach communications to all interested parties using Contractor's Electronic Health Record implementation experience. d. CHANGE MANAGEMENT PLAN The Contractor shall provide a Change Management Plan. The Change Management Plan shall include a process for handling changes and a method to audit and track changes. All changes shall be communicated in the bi-weekly project meetings. The Change Management Plan shall contain the following: • A process to follow; • A decision log to track, monitor and report on any change. e. COMMUNICATIONS MANAGEMENT PLAN The Contractor shall provide a Communications Management Plan. The Communications Management Plan shall include the following: • What information will be communicated to the State, including the level of detail and format; • How the information will be communicated, including but not limited to meetings, email, telephone, web portal, or a combination of these mediums; and • When information will be distributed, including the frequency of project communications both formal and informal f. PROJECT STATUS MEETINGS AND REPORTS The Contractor shall have a project status meeting monthly, or more frequently as needed, with the State's project manager and project director and/or delegate(s). The Contractor shall provide minutes of the meeting, which will include reporting of decisions, action items and list of participants. Contractor shall e-mail minutes to the State within four (4) working days after the meeting. The Contractor shall submit monthly Project Status Reports to the State. A report format shall be submitted to the State for approval within fourteen (14) days after the effective date of the contract. Once the State approves the format of the report, it shall be used. The Contractor shall include the following in the monthly Project Status Report: identification of all tasks completed, incomplete, or behind schedule in the previous month, reasons given for tasks being behind schedule; all tasks planned for the coming month; an outline for percent completed, resources assigned to tasks; the status of any issues, risks, and corrective actions; and possible solutions being explored and status of research. The Project Status Report shall have a clearly defined coding scheme. STATE OF VERMONT CONTRACT FOR SERVICES Page 16 of 67 Contract#29960 g. REQUIREMENTS AND VALIDATION DOCUMENTATION No modification or subtraction of a requirement shall be allowed without final approval by the State. The requirements are outlined in the requirements section. Any modification or subtraction to a requirement shall be subject to a change order process as defined by the State. Reasons for changes to the requirements may include but are not limited to: • In response to any potential Legislative (Federal and/or State) actions/initiatives, for example regarding Health Care Reform, as it pertains to Corrections; • In response to any production problems as identified by the State. · • Enhancement of software, data load or other system functionality to respond to unanticipated circumstances identified by the State. Such "unanticipated circumstances" shall be submitted to Contractor on a State provided Change Request Form. • Design and testing of the system may generate ideas for enhancements which, if added, could provide insight into changes in practices and processes, improve efficiency, and capture more value from the system; and • Providing dashboards, reporting and other business-user driven functionality. The Contractor shall ensure a tracking mechanism in which the statu~ of each requirement is tracked to completion of the project is provided. h. IT SYSTEM SECURITY PLAN The Contractor shall provide a security document outlining the security plan used for hosting and the description of the EHR system's user profiles and permissions. Security plan shall be provided to the State for approval and provide a Risk Assessment Report based on the Risk Management Plan. The Risk Assessment report examines the implementation for risk exposure with respect to the project schedule, budget, resources, external dependencies and technical/security risks. Access to State Data will clearly be defined and cataloged in a document as part of the Security Plan. A list of the. Agency of Human Service security policies can be found at http://humanservices.vermont.gov/policv-lecislation/policies/05-informationtechno]ogy-and-electronic-communications-policies/ and a list of State of Vermont security policies can be found at http:i/dii.vermont.gov/poUcy/policy. i. CONSTRUCTION, CONFIGURATION, AND UNIT TESTING Contractor shall construct or configure system forms and reports. The requirements for each of these items shall be gathered .during the Project Kick off Phase and finalized during the Interface Development/Database Configuration Phase. The list of those items to be constructed or configured as part of this Contract are as follows: • Completed intake/receiving screening form; • Health assessment form; • Progress (SOAP) notes of all significant findings, diagnoses, treatments and referrals; • Provider orders; • Signed documentation that the ADA policy has been explained to the inmate; • Accommodations requested by and offered to inmates with special needs; • Results of screenings and assessments and treatment plans developed to address substance abuse and addiction issues; STATE OF VERMONT CONTRACT FOR SERVICES • • • • • • • • • • • • • • • • • • Page 17 of 67 Contract#29960 Inmate requests for health services, including illnesses and injuries; Medication administration records; Reports of laboratory, radiology and other diagnostic studies; Informed consent and refusal forms; Release of information forms; Place, date and time of health encounters; The health providers name and title; Hospital reports and discharge summaries; Intra-system and inter-system transfer summaries; Specialized treatment plans and evidence of review and revision of treatment plans at regular and appropriate intervals; Consultation forms; Health Services reports; Immunization records, if applicable; Inmate medical grievance forms; Documentation of all medical, dental and mental health services provided, whether from inside or outside the facility; Any assessment of suicide or self-harm risk, or assessment of special observation status; Documentation of discussion by the treatment team related to this inpiate; and Documentation of any significant discussion or consultation of or by other medical or mental health professionals, family members, or specialty providers. Contractor shall construct and configure Data Interfaces in order for the State to share State Data with its partners based on the technical specs provided in the attached Interface Guides. The requirements for each extract will be defined in an Interconnection Security Agreement as is used by the State. The Interconnection Security Agreement includes, but is not limited to, the fields of data required, the date and time of the extract, the type of file to be exchanged, if the exchange of data is bi-directional and security parameters needed to transfer the data. The list of Data Interfaces to be constructed as part of this contract is as follows: • Radiology • OMS: Offender Management System • Pharmacy • Lab Contractor shall construct and configure optional Data Interfaces to prioritized by the State using the optional billing hours at a rate defined·in the Unanticipated Time and Management Table. The list of optional Data Interfaces to be constructed as part of this contract is as follows: • VITL: Vermont Information Technology Leaders/Vermont Health Exchange • EKG machine • MMIS: Medicaid Medicare Information System • VHIE: Vermont ~ealth Information Exchange Any additional Data Interface requests shall be subject to a Change Order process. STATE OF VERMONT CONTRACT FOR SERVICES Page 18 of 67 Contract#29960 j. DATA MIGRATION AND CONFIGURATION The Contractor shall ensure completion of the migration process and shall convert all applicable data and any related support documentation necessary to carry on operations as approved by the State. This data shall include State data with a volume that could exceed one (1) Terabyte (TB), but is not expected to exceed that volume. In any event, if Contractor finds that the volume of the State's data as measured prior to migration exceeds 10% of the estimated volume, a Change Order will be required. The migration process shall at all times adhere to HIP AA requirements, as well as requirements of all applicable Vermont State Statutes to secure data in motion and at rest. The Contractor's migration of the data shall not negatively impact existing ERMA functionality, performance or response quality. • Contractor shall ensure the preparation of and the provision of written Data Profiling Reports to the State that include, but are not limited to, information outlining conformance to the agreed upon field mapping and import data structures, record counts for the number of records successfully imported into the CorrecTek system, record counts for the number of records not successfully imported into the CorrecTek system, and reasons for the non-imported records failed to import. When importing data into the CorrecTek system, the process will use unique patient and record IDs supplied by the other vendor for matching imported data. Contractor shall ensure review of the exported data to confirm the export format, field format, and field sizes match the import data structures and the agreed upon field mapping. Contractor will provide written documentation outlining conformance to the agreed upon field mapping and import data structures. • The Contractor shall ensure preparation of and the provision of a written Migration Plan that details all the steps necessary to complete the migration using the Data Profiling Reports and the agreed-upon data migration business rules. The Migration Plan shall contain a Data Mapping document that maps existing ERMA data to the new EHR data repositories schema, including crosswalks for standardization of coded values, the data initially identified to be converted, the associated action taken, problems encountered, resolution of problems, and final results. The Contractor shall ensure the Migration Plan identifies all data that must be manually scrubbed in the source system, before the migration is attempted. The Contractor shall identify in the Migration Plan and archival plans if deemed necessary by the State. • The Contractor shall ensure end user tools are supplied as part of the CorrecTek System to apply the data migration business rules and convert the data to the new EHR format using the Migration Plan as a blueprint. The Contractor shall ensure configuration of the end user tools (CorrecTek System Data Conversion Import Routines) so that, when the process is run end-to-end, a complete written Migration Results Report is produced. The Migration Results Report shall identify what specific data did not migrate successfully. The Migration Results Report shall be used by the Contractor and the State to measure and document the migration process. This process shall be repeated until the State determines the outcome is satisfactory. This process · shall consist of iterations of conditioning, mapping, and transformation of the data until there is a data error percentage that the State accepts. State shall be responsible for completing the data import tasks using end user tools. • Contractor may request the use of a State subject matter expert to resolve, any issues or questions that arise in the migration process to the satisfaction of the State and STATE OF VERMONT CONTRACT FOR SERVICES Page 19 of 67 Contract#29960 document in the Migration Results Report. If State requires, Contractor shall provide the tools and the process needed for State authorized personnel to perform manual data review and r~-entry. Contractor shall ensure that the migration system shall be completely configurable using externalized data parameters rather than requiring coding changes and no hard-coding is authorized. Throughout the con.figuration step, Contractor shall monitor the system and shall provide status reports showing data entry progress and highlighting remaining work at project status meeting monthly, or more frequently as needed. k. Network Design, System Design, and Technical Documentation . . The Contractor shall provide Network, System and Technical Design documentation to include the following: • CorrecTek Cloud Architecture • Connectivity • Security • Fault Tolerance • Backups and Disaster Recovery • Supported Client Hardware • Supported Procedures I. SYSTEM AND USER ACCEPTANCE TESTING The Contractor shall ensure "show and tell" sessions where the user acceptance process will occur. These will be sessions lead by the Project Management Team and attended by the Contractor and State project team. Through these interactive sessions, testing of the application configuration and data validation will be conducted. · The State users will validate that the system meets the Contract requirements from these sessions according to the process in the milestones section of the Contract. m. TRAINING PLAN AND TRAINING MATERIALS The Contractor shall ensure development and delivery to the State of a training plan that includes training sessions and training documents and materials throughout implementation of the EHR with a goal of I 00% user adoption rate. The training materials and approach shall include sufficient information for trainees to accurately and efficiently perform role-based EHR-related tasks. Contractor shall ensure that onsite training is provided. Training will be provided as close to the launch date as possible because experience has shown that a short time frame allows people to adapt to the new system more quickly. Training shall include the following: • Role-specific Electronic Health Record Training sessions; • End user training at each location prior to go-live at dates and times as defined by the State and coordinated with those providing the training. • Training Materials including but not limited to user guides, administrative guides, course outlines, and training syllabi; and, • Permission Level (ADMIN) appropriate training. n. SYSTEM AND TECHNICAL USER DOCUMENTATION STATE OF VERMONT CONTRACT FOR SERVICES Page 20 of 67 Contract#29960 The Contractor shall ensure development, maintenance, electronic storage, and distribution of documentation as required by the State for every phase of the EHR project. The Contractor shall continue to maintain all documentation throughout the term of the Contract, per the requirements section, while supporting the State's ability to access, review, and modify documentation if needed. Documentation is to include the following: • User Manuals; • Training Manuals; • System Documentation The Contractor shall provide updates to these documents as they relate to the EHR, the hosting environment, and as any additional patches or upgrades are made to the system to be used as final copies in a Microsoft Word or PDF format. o. POST IMPLEMENTATION REVIEW The Contractor shall continue to meet via conference call weekly, or as determined by the State, to review the implementation of the system (the "Post Implementation Review") for sixty (60) days. The Contractor shall, at the end of the Post Implementation Review, resolve or transfer all issues identified in the Post Implementation Reporting to the DOC staff. Contractor support thereafter will be per the terms of Service Level and Support. p. POST IMPLEMENTATION REPORTING The Contractor shall conduct a comprehensive evaluation of the EHR and its operations, and shall produce a Post Implementation Completion report within sixty (60) days postimplementation. This report shall include, but not be limited to: • Contractor report on the technical, functional and informational aspects of the EHR in regard to stability, productivity and efficiency as defined by the State; • Contractor recommended processes that shall meet specific requirement in implementation, but following that phase may be modified/enhanced for better efficiencies post-implementation; • Contractor review of the implementation and recommendation on how best to leverage State processes and knowledge from the EHR project which may be utilized for other future projects; and · • Contractor recommended changes to the Maintenance and Support plan for State including, but not limited to, adjustments from findings learned during implementation, go-live and period of post implementation up until the time of the report. Annually, on the anniversary of the go live date, the Contractor, in conjunction with any necessary subcontractors, shall review with the State the current status of the EHR, any suggested process modifications or enhancements suggested using a Post Implementation Evaluation Report. This report, including at a minimum the information listed above, shall also include the following items: • Lessons learned; • EHR user satisfaction; STATE OF VERMONT CONTRACT FOR SERVICES Page 21 of 67 Contract#29960 • The current status of the EHR; and • Ongoing issues within the EHR, including resolution and responsibility for each issue. q. SERVICE LEVEL AND SUPPORT As requested by the State, the Contractor shall provide the State with technical support and consultation through CorrecTek by way of telephone, bulletin boards and other electronic means to assist the State in the resolution of any problems encountered by the State in the operation, configuration, implementation and support seven (7) days per week, twenty-four (24) hours per day. Such support shall include efforts by the EHR manufacturer to verify, diagnose and correct any errors and defects in the EHR in accordance with the service levels, support and escalation procedures set forth in this Contract. Technical Support shall be available to the State in respect to the EHR software for the duration of this Contract contingent upon payment of applicable Support and Upgrade Fees as are set forth in Attachment B of this Contract. The Contractor shall ensure software upgrades to the EHR. User Acceptance Test period as provided in this Contract will be provided for State testing of software upgrades to the EHR. The Contractor, by itself or using its third party suppliers, shall provide the State with technical support services for EHR in accordance with the following terms and conditions: EHR will have at least 99.98% availability each calendar month ("Uptime Commitment).For the purposes of this calculation, EHR will be deemed to be "Unavailable" to the extent that all users c~ot access EHR or EHR will not accept connections. EHR will not be deemed Unavailable for any downtime or outages excluded from such calculation by reason of the exceptions set forth below. The Hosting Vendor records and data will be the basis for all Service Level (SLA) calculations and determinations. The availability of the EHR for a given month will be calculated a~cording to the following formula (referred to herein as the "Availability"): Where: Total minutes in the month =TMM; Total Minutes in the month Unavailable =TMU; and Availability= [(TMM-TMU) /TMM]. Service Level Uptime Exceptions EHR will not be considered to be unavailable for any outage that results from any maintenance performed by the Contractor of which the State is notified in at least 72 hours in advance; during the State's implementation period; during the Contractor's then-current standard maintenance windows (collectively referred to herein as "Scheduled Maintenance"); or as a result of the State's request outside of the normally scheduled maintenance. EHR will not be considered unavailable for any outage due to the State's Data or application programming, acts or omissions by the State, failures of equipment or facilities provided by the State, network unavailability or bandwidth limitations outside of the Hosting Vendor's network; Scheduled Maintenance Routine Maintenance: the Contractor shall perform maintenance on a monthly scheduled basis within a 4-hour maintenance window to occur on a weekend between 12:00am and 8:00am. A six week (45 calendar days) notice shall be provided in advance of any such maintenance activity. STATE OF VERMONT CONTRACT FOR SERVICES Page 22 of67 Contract#29960 Routine Maintenance may require service to be suspended during the maintenance period. Scheduled maintenance periods will be excluded from Uptime calculations for availability provided however, that any time in excess of four (4) hours for any single maintenance event shall be included in Uptime calculations for availability. Emergency Maintenance: Under certain circumstances the Contractor may need to perform emergency maintenance, such as security patch installation or hardware replacement. The Contractor may not be able to provide the State with advanced notice in case of emergency maintenance. The duration of service Unavailability, due to emergency maintenance, will be excluded from the Uptime calculations for availability provided however, that any time in excess of four (4) hours for any single maintenance event shall be included in Uptime calculations for availability. User Acceptance Testing: Each major release shall provide for a one (1) month User Acceptance Testing (UAT) period. A copy of the State's deployed infrastructure and database shall be made available for testing purposes. The State shall test and report any severity 1, 2 or 3 issues caused by the new release. Major Releases: Typically there shall be at least one (1) major release a year, however may be scheduled up to four (4) times a year. A User Acceptance Testing period shall be provided for all major releases. Cutover to the new major release will occur on the scheduled date unless severity 1, 2, 3 or 4 issues are known to exist. Minor Releases: The minor releases are monthly maintenance to the system as needed. Items included in the minor release may be any priority (defined below) 2 or 3 items which did not get released in the major release. The minor release is accomplished during the weekly maintenance window. The EHR manufacturer shall communicate to the State updated Documentation and release notes. Not all minor releases require User Acceptance Testing. It is at the discretion of the Contractor whether an acceptance test period is warranted. Hot Fixes: The hot fix is reserved for repairing a catastrophic issue within the system. The system sends a notice 24 hours in advance to all the States' end users in the system prior to shut down. A notice shall be sent prior to shut down to give users of the system sufficient time to save work and gracefully exit any work in progress. Custom documents or any custom work that requires a product build will be included in the next major/minor release after acceptance testing has been completed. Service Level Remedies The parties hereby agree that the State shall pay a varied service charge based upon different levels of performance b.y the Contractor, as set forth in the table below. Under no circumstances shall the payment of a service credit or refund hereunder relieve the Contractor of its obligation to address and fix system defects or other performance issues pertaining to a service level requirement. The State shall have the right to terminate this Contract for cause whenever Contractor's successive or accumulated service level failures amount to "Chronic UnderPerformance", which is defined as Contractor's failure to meet the EHR Uptime Commitment: (i) for any three (3) months within a rolling 12-month period; or (i) any single month where EHR Uptime is lower than 95%. The Contractor shall ensure that Hosting Vendor provide monthly Availability Audits to the State, within five (5) business days following the end of each month upon go-live. In the event there is a dispute, Contractor shall make available to the State an electronic version of all raw data used to create the SLA report each month in either of the following formats, EXCEL or PLAIN STATE OF VERMONT CONTRACT FOR SERVICES Page 23 of67 Contract#29960 TEXT. The State reserves the right to measure Availability and Response times independently, review tools, and calculations of SLA metrics. If the Availability of EHR for a given month is lower than the applicable Uptime Commitment of 99.98%, (based on a thirty (30) day month, 43,200 minutes), then monetary refund will be due to the State, and shall be reflected as a credit in the Contractor's invoice for Hosting fees, Support and Maintenance. The foliowing service credit schedule, calculated as a percentage of the combined refund monthly fees for Hosting and Support and Maintenance fees, shall apply in favor of the State: Availability of EHR for a given month 99.98% to 100% 98% or higher but lower than Applicable refund for such Month 0% 5% 99.98% 95% or higher but lower than 98% Lower than 95% Note: Uptime%= 100 X ((43200downtime mins) / 43,200) 10% 100% - Uptime % In the event that the State is not current with respect to any undisputed post-implementation . payme~t obligations when the unavailability occurs, refund will not be applicable for such month or months. To receive monetary refund, State will apply refund to the next hosting payment. If there are no remaining hosting payments, the State must submit a written request, via email or letter, to the Contractor within sixty (60) days of the end of the month in which Hosting Vendor failed to meet the Uptime Commitment. System Support and Issue Response • The Contractor shall provide support for the EHR through CorrecTek according to the severity of the issue and not in the order in which the issue was received or logged. Below is the Issue Reporting Process: • The Contractor shall ensure support that is available for the State to log any queries, incidents and enhancements. Communication from State to the Contractor can be telephone. The Contractor shall provide operation support twenty-four (24) hours a day and seven (7) days a week to the State through a dedicated number. • The Contractor shall ensure technical support staff to log the request on behalf of the State. • The Contractor shall ensure technical support staff to prioritize the identified problems and enhancement requests. • The Contractor shall ensure technical support staff to contact the State to provide progress and time lines for each request. At the time of the State's initial call, users may be asked to provide: • Contact name, company name and location; • The type of browser (with release version); • Telephone number and alternate method of contact (i.e. a pager number or email address); Page 24 of 67 Contract#29960 STATE OF VERMONT CONTRACT FOR SERVICES • • A concise description of State's problem or question; and The circumstances under which the problem does or does not occur Hosting support will be as follows: Service Level Monitoring (SLM) metrics for all service tickets. This will provide metrics that can be viewed in real-time or on a historical basis to see how Contractor is meeting established performance goals. Time to First Contact (TFC). This is the amount of time between the initial reporting of the issue by an end user to the Help Desk to the initial contact made by a support engineer to the affected user( s). For example if a call is placed to the Help Desk at 8am and a Kalleo support engineer contacts the user at 9am the TFC would be 1 hour. The TFC shall be within 48 hours for low priority issues (affecting one user, does not impede user from job functions), within 8 hours of medium priority issues (affecting a few users, problem has a workaround or will not cause major job impediments right away), within 2 hours of high priority issues (affects many users, problem is impeding some work but users are still able to do some functions), and within 30 minutes of critical priority issues (affects all users, problem is causing complete EHR outage). Time to Proposed Resolution (TPR). This is the amount of time between the initial contact by a support engineer and the initial proposal for resolution. In many cases this may be just a few minutes (after the engineer has gathered enough data to have a good idea of what to do) or it could be longer if the engineer is going to need to do some research into the issue. TPR shall be within 72 hours for low priority issues within 48 hours, for medium priority issues within 8 hours, for high priority issues, and within 1 hour for critical priority issues. Application Support: Measurements will be based on the time taken for a Help Desk operative to answer a call. Calls that receive an automatic response, or placed into a queuing system, will be deemed not to have been answered. In the table below, the standard resolution time is not based on issues resulting from the State's loss of broadband connection. Priority Pl Critical Context A Service Failure which, in the reasonable opinion of the State: constitutes a: loss of • the Service which prevents all or a large group of End Users from working (i.e. total loss of service); has a critical impact • on the activities of the State; causes significant • Initial Response 5 minutes Standard Resolution Time 2 hours STATE OF VERMONT CONTRACT FOR SERVICES Page 25 of 67 Contract#29960 financial loss and/or disruption to the State; or results in any • material loss or corruption of State Data. Failure of the • Service to provide user authentication service. P2 Major P3 Medium A Service Failure comprising of a partial loss of service or service disruption affecting most users (i.e. Users cannot utilize object or module contained in the Licensed Software) A Service Failure comprising a flaw which is cosmetic and, as such, does not undermine the End User's confidence in the Services (i.e. spelling error). This does not include change requests. 30 minutes 8 hours 30 minutes As part of minor releases Defined Support Levels The Contractor shall ensure the State is provided with Support Levels 1, 2 & 3 as further defined below: "Level 1 Support" includes providing first-call line support to the State whereby the Contractor ensures for technical support staff to be available to answer technical inquiries from State's staff regarding Electronic Health Record. "Level 2 Support" includes providing technical support to the State in which the technical support staff: (a) perform problem isolation and replication; (b) aid in developing solutions for problems that are not the result of EHR functionality errors; and (c) in the case of an EHR functionality error identify the source of the error, create a reproducible test case and document the details of the error for resolution. "Level 3 Support" includes efforts to provide the State's staff with fixes, patches and/or workarounds for the EHR functionality errors only. The Contractor shall follow the escalation procedure below. Issue Escalation Procedure A detailed communication and escalation procedure will be supplied to the State. The Contractor shall ensure for technical support staff to be the first contact in the escalation process. STATE OF VERMONT CONTRACT FOR SERVICES Page 26 of67 Contract#29960 After speaking with the technical staff, if the State feels additional escalation is required, the Operations Contact may be contacted. Management of the Contract The State will conduct formal quarterly performance monitoring meetings with the Contractor. Performance monitoring meetings will be conducted remotely via video conferencing, or in person, for the life of this contract. Failure to meet Service Level Agreement The Contractor agrees to provide for the response to support calls within the agreed timelines. If the Contractor fails to respond to provide for the support calls that result in the users inability to use the system in whole or in part within the agreed timelines, then the State shall have the right to apply service level monetary refund performance remedies as outlined in the Contract. r. The Hosting Environment 1. The Contractor shall manage the project where the EHR vendor shall install their software in an environment hosted by Kalleo (http://www2.kalleo.net/). The contractor hosted solution shall provide a maximum Recovery Point Objective (RPO) of no greater than 24 hours and a maximum Recovery Time Objective (RTO) of no greater than 4 hours in a disaster recovery event and shall provide a maximum RPO of no greater than 10 minutes and RTO of no greater than 2 hours for incidents within the hosting facility. The contractor shall provide the State with two (2) environments: (1) production environment; (2) test environment. The test environments shall mirror the production environment, except in the capacity of users, and shall also be utilized for training by the State. 2. The specifics of the Contractor's hosting partner's service level performance requirements shall be made available to the State's Department oflnformation and Innovation with-in 15 days after signing of this contract. Failure to provide documentation will hold this written contract in breach. 3. Further, the State will have the option,. in its sole discretion, of selecting an alternative hosting provider. It shall give the Contractor not less than 90 days' notice of its desire to do so and will provide the Contractor the reasonable cooperation required for such a transition. 4. Any third party hosting environment on which the State's System is hosted shall meet the requirements of this Contract. The State will have no direct contractual relationship with the hosting provider, nor any obligation to manage the Contractor's relationship with a hosting provider. Requirements herein for State access to the hosting platform shall be for compliance monitoring purposes only and shall in no way relieve the Contractor of its obligations with respect to managing its agreement with the hosting provider or in meeting the requirements of this Contract. 5. The Contractor shall ensure extract of full SQL Backups from the database once per day, differential SQL Backups every 2 hours, and transaction logs every 10 minutes. Onsite File Backups (including SQL Backup files, differentials, and transaction logs) will be backed up each night to an onsite storage network. Offsite File Backups will be backed up each night to a "hardened" offsite storage facility. Backup copies will be stored and transferred using at least 256bit encryption and offsite copies will be stored more than 500 miles away. The System will include the capability to maintain all data according to State-defined records STATE OF VERMONT CONTRACT FOR SERVICES Page 27 of67 Contract#29960 retention guidelines (i.e. record schedule). General schedules can be found at: http://vcrmont-archives.org/records/schedu.les/general/ or upon request. Specific retention disposition orders can be found at: http://vermontarchives.org/records/schedules/orders/ or upon request. All offender data will be retained for a minimum of 10 years. It is the responsibility of the State to notify the Contractor if there is a change in policy. 6. The Contractor shall provide the State with its Security Policy, not incorporated herein. The Contractor shall provide the State not less than thirty (30) days advance written notice of any changes to its Security Policy and all changes shall meet the requirements of the States security standards. The Contractor shall provide a Disaster Recovery (DR) plan for the State that describes the essentials in a disaster recovery scenario (e.g., loss of the primary hosting site) for approval by the State. The DR plan shall meet the needs of the State's business requirements and shall be consistent with the State Department of Information and Innovation's Enterprise DR Requirements prior to the State final acceptance for Go-Live. The DR plan shall include but not be limited to: • Integrate the plan for the EHR with the State's Continuity Operations Plan; • Identify the risks, impacts and mitigation of potential disaster events • Communications plan in the event of a DR occurrence 1. 11. 111. Specify a communications matrix to be used from onset to conclusion of a disaster event Process description of who does what and when in a DR scenario Identify and prioritize the business and service delivery functions to be restored in response to a disaster event; 1v. Identify the exit criteria to be used to determine the successful resumption of business and service delivery functions; • Architecture and location of the DR facility and Mirror • Triggers causing a DR action • List of most likely DR scenarios (i.e., use cases) and identify the criteria to be used to activate contingency plans; • Service Levels in Attachment A • Specify the approach to training Contractor and State personnel to effectively execute the Disaster Recovery and Business Continuity Plan; • Identify proposed subcontracts, as appropriate, with entities that shall provide support to the Contractor in a disaster event; • Detail the procedures for effecting periodic changes to the Disaster Recovery Plan; • Detail on how the Contractor performs back-ups of State-owned data. 7. After Outage analysis meetings and documentation • In the event of a disaster at the hosting facility, the State's System operations will be restored within 4 hours of the incident. Once a Disaster has occurred, the Contractor shall provide an Outage Report detailing the disaster recovery process involved in restoring the State's System, as specified in The Contractor's Hosting Environment, STATE OF VERMONT CONTRACT FOR SERVICES Page 28 of67 Contract#29960 section 9, of this Contract, within 30 days of the disaster event. "Disaster" shall mean an unplanned event that causes a loss of Search, Retrieval, Registration and Updating of State records for a period greater than 30 minutes. Any disaster beyond 30 minutes shall trigger and meet the Fail Safe Principal where the Contractor ensures that if the system is in a failed state it does not reveal any sensitive information or leave any access controls open for attacks. 8. Testing and Auditing The Contractor shall run quarterly penetration tests using the Hosting vendor's thirdparty security vendor, report results as a deliverable to the State. The Contractor shall establish a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats. The State may conduct Non-intrusive network audits, including but not limited to basic port scans with 24 hours' notice. More intrusive network and physical audits may be conducted on or off site with 48 hours' notice as determined by the State and approved by Contractor. Contractor shall approve and secure access from hosting facility within 5 business days. The Contractor shall provide the following: • The Contractor shall have a third party perform methodology-based penetration testing quarterly as requested and paid for by the State and shall provide results of that testing to the State as authorized by the State in Attachment C. • The Contractor shall cause an SSAE 16 SOC 2 audit report to be conducted annually. The audit results and the Contractor's plan for addressing or resolution of the audit results shall be shared with the State within sixty (60) days of the Contractor's receipt of the audit results. Further, on an annual basis, within 90 days of the end of the Contractor's fiscal year, the Contractor shall transmit its annual audited financial statements to the State. • Contractor shall request any FBI CJIS reported items from hosting provider regarding network security plans, controls and risk assessment and provide any reported items to the State every three (3) years. • The Contractor shall host the State's Electronic Health Record within the 48 contiguous states of the United States of America. • The Contractor shall log all security-related incidents and save audit trails for six (6) years. Contractor will provide a monthly report summarizing the incidents reported during the month by Severity Level, and their resolution, and root cause determinations for each. • In addition to the audit requirements of Attachment C, Contractor will maintain and cause its permitted contractors to maintain a complete audit trail of all transactions and activities, financial and non-financial, in connection with this Contract. Contractor will provide to the State, its internal or external auditors, clients, inspectors, regulators and other designated representatives, at reasonable times (and in the case of State or federal regulators, at any time required by such regulators) access to Contractor personnel and to any and all Contractor facilities or where the required information, data and records are maintained, for the purpose of performing audits and inspections (including unannounced and random audits) of Contractor and/or Contractor personnel and/or any or all of the records, data and information applicable to this Contract. At a minimum, such audits, inspections and access shall be conducted to the extent permitted or required by any laws applicable to the State STATE OF VERMONT CONTRACT FOR SERVICES Page 29 of 67 Contract#29960 or Contractor (or such higher or more rigorous standards, if any, as State or Contractor applies to its own similar businesses, operations or activities), to (i) verify the accuracy of charges and invoices; (ii) verify the integrity of State Data and examine the systems that process, store, maintain, support and transmit that data; (iii) examine and verify Contractor's and/or its permitted contractors' operations and security procedures and controls; (iv) examine and verify Contractor's and/or its permitted contractors' disaster recovery planning and testing, business resumption and continuity planning and testing, contingency arrangements and insurance coverage; and (v) examine Contractor's and/or its permitted contractors' performance. of the Services including audits of: (1) practices and procedures; (2) systems, communications and information technology; (3) general controls and physical and data/information security practices and procedures; (4) quality initiatives and quality assurance, (5) contingency and continuity planning, disaster recovery and back-up procedures for processes, resources and data; (6) Contractor's and/or its permitted contractors' efficiency and costs in performing Services; (7) compliance with the terms of this Contract and applicable laws, and (9) any other matters reasonably requested by the State. Contractor shall provide and cause its permitted contractors to provide full cooperation to such auditors, inspectors, regulators and representatives in connection with audit functions and with regard to examinations by regulatory authorities, including the installation and operation of audit software.. The Contractor shall not delete, modify or purge data and customizations, in whole or in part, intentionally or unintentionally at the completion of this Contract until all of the following are met: (1) sixty (60) days have passed; (2) Contractor has provided all data hosted to the State; and (3) data integrity has been verified by the State. s. DATA PORTABILITY; ACCESS TO STATE DATA Contractor's hosting service includes performing daily back-ups of the State's data. If the State requests a copy of these back-ups, a copy shall be available to the State and individuals as authorized by the State. In order to obtain the back-ups, the State shall need to provide a server to store the back-ups. 1. Termination Assistance Upon nearing the end of the final term of this Contract, and without respect to either the cause or time of such termination, the Contractor shall take all reasonable and prudent measures to facilitate the transition to a successor provider, to the extent required by the State. The primary activities in this turnover are focused on transition planning to ensure operational readiness for the State and/or successor provider. This includes both a knowledge transfer period, and the turnover of the solution and supporting services to the State and/or successor provider. The State shall sign-off on each defined transition milestone to ensure that all transition Deliverables (set forth below), and exit criteria are fully executed based on agre_ed upon Contract terms. Upon the sooner of a date specified in a notice of termination from either party, or within 90 days of Contract expiration, the Contractor shall: Deliverable 1 - Develop a System Turnover Plan at no additional cost to the State. The Solution Turnover Plan shall include, at minimum: • Proposed approach to Turnover. • Tasks and subtasks for Turnover. STATE OF VERMONT CONTRACT FOR SERVICES Page 30 of 67 Contract#29960 • Schedule for Turnover. • Entrance and exit criteria. • Readiness walkthrough process. • Documentation update procedures during Turnover. • Description of Contractor coordination activities that will occur during the Turnover Phase that will be implemented to ensure continued functionality of the Solution and services as deemed appropriate by the State. Deliverable 2 - Develop a Solution Requirements Statement at no additional cost that would be required by the State and/or successor provider to fully take over the Solution, technical, and business functions outlined in the Contract. The Statement shall also include an estimate of the number, type, and salary of personnel required to perform the other functions of the project work, implemented solution, and all supporting services. The Statement shall be separated by type of activity of the personnel. The Statement shall include all facilities and any other resources required to operate the Solution, including, but not limited to: • Telecommunications networks. • Office space. • Hardware. • Software. • Other technology. The Statement shall be based on the Contractor's experience in the operation of the Solution and shall include actual Contractor resources devoted to operations activities. Deliverable 3 - Develop and submit a Transition Plan including, at minimum: • Proposed approach to transition. • Proposed approach for conducting a knowledge transfer from the Contractor to the State or successor provider. • Proposed approach for consolidating applicable sections from the Contractor's Turnover Plan into the transition planning activity. • Tasks and activities for transition. • Personnel and level of effort in hours. • Completion date. • Transition Milestones. • Entrance and exit criteria. • Schedule for transition. • Production program and documentation update procedures during transition. • Readiness walkthrough. • Parallel test procedures. • Provider training. • Interface testing. STATE OF VERMONT CONTRACT FOR SERVICES Page 31 of 67 Contract#29960 The Contractor shall execute the Transition Plan and activities at no additional cost. The Contactor agrees, after receipt of a notice of termination, and except as otherwise directed by the State, the Contactor shall: 1. Stop work under the Contract on the date? and to the extent, specified in the notice; 2. Immediately deliver to the State all State Data and historical project records in a form acceptable to the State, and copies of all subcontracts and all third party contracts executed in connection with the performance of the Services; 3. Place no further orders or subcontracts for Services, except as may be necessary for completion of such portion of the work under the Contract that is not terminated as specified in writing by the State; 4. Assign, to the extent applicable or as the State may require, all subcontracts and all third party contracts executed in connection with the performance of the Services to the State or a successor provider, as the State may require; 5. Perform, as the State may require, such knowledge transfer and other services as are required to allow the Services to continue without interruption or adverse effect and to facilitate orderly migration and transfer of the services to the successor provider; 6. Complete performance of such part of the work as shall not have been terminated; and 7. Take such action as may be necessary, or as the State may direct, for the protection and preservation of the property related to this Contract which is in the possession of the Contractor and in which the State has or may acquire an interest and to transfer that property to the State or a successor provider. Contractor acknowledges that, if it were to breach, or threaten to breach, its obligation to provide the State with the foregoing assistance, the State would be immediately and .irreparably harmed and monetary compensation would not be measurable or adequate. In such circumstances, the State shall be entitled to obtain such injunctive, declaratory or other equitable relief as the State deems necessary to prevent such breach or threatened breach, without the requirement of posting any bond and Contractor waives any right it may have to allege or plead or prove that the State is not entitled to injunctive, declaratory or other equitable relief. If the court should find that Contractor has breached (or attempted or threatened to breach) any such obligations, Contractor agrees that without any additional findings of irreparable injury or other conditions to injunctive or any equitable relief, Contractor will not oppose the entry of an order compelling its performance and restraining Contractor from any further breaches (or attempted or threatened breaches). 2. Portability of Data Following Contract Termination In the event the hosting subcontractor goes out of business before the end of this Contract, Contractor will ensure that this vendor delivers all data to the State upon the State's written request. Should the Contract be terminated by the State, the State shall be entitled to an export of State Data, without charge, upon the written request of the State and upon termination of this Contract. There will be no charge if the Hosting Vendor provides the data via shipping an external hard drive. The export process shall at all times adhere to HIP AA requirements securing data in motion and at rest. Following Contract termination, the State STATE OF VERMONT CONTRACT FOR SERVICES Page 32 of 67 Contract#29960 shall retain ownership of all database information, including specific client-level data and aggregate data sets. The State owns all of the data and records stored within the Solution. Contractor shall possess no lien or other such rights to the data. Contractor shall ensure that Kalleo's data transfer, storage, and retrieval procedures shall protect the original data from alteration. Contractor shall ensure that the data shall be delivered in a comma delimited format unless another State authorized format is determined by Kalleo for the full range of State data and shall be transmitted to the State through secure means as approved by the State. Data shall include a data dictionary. With the exception of State's Perpetual License, Contractor shall have no obligation to maintain or provide any State Data and shall thereafter, unless legally prohibited, delete all State Data in its systems or otherwise i~ its possession or under its control. · ·3. Source Code Escrow Agreement Prior to Go-Live, the Contractor shall ensure that a software source code escrow agreement is entered into in a form acceptable to the State. At a minimum, the source code escrow agreement shall provide for the deposit of the Software source code documentation with Iron Mountain and that upon the voluntary or involuntary filing of bankruptcy, or any other insolvency proceeding, dissolution, or discontinuance of support of the EHR System, for any reason, all rights, title, and interests in the Software source code and all associated Software source code documentation, for the sole purpose of the State's support and maintenance of the Software. 4. Records Retention The System will include the capability to maintain all data according to State-defined records retention guidelines (i.e. record schedule). General schedules can be found at: http://vennont-archives.org/records/schedules/ general/. Specific retention disposition orders can be found at: http://vermont-arch.ives.org/records/schedules/orders/. Medical Records must be maintained for 10 years in accordance with the Medical Records Disposition Schedule. 5. Access to State Data Within ten (10) business days of a request by State, the Contractor will make available to State a complete and secure (i.e. encrypted and appropriately authenticated) download file of State Intellectual Property and State Data in a format acceptable to State including all schema and transformation definitions and/or delimited text files with documented, detailed schema definitions along with attachments in their native format. Provided, however, in the event the Contractor ceases conducting business in the normal course, becomes insolvent,· makes a general assignment for the benefit of creditors, suffers or permits the appointment of a receiver for its business or assets or avails itself of or becomes subject to any proceeding under the Federal Bankruptcy Act or any statute of any state relating to insolvency or the protection of rights of creditors, the Contractor shall immediately return all State Intellectual Property and State Data to State control; including, but not limited to, making all necessary access to applicable remote systems available to the State for purposes of downloading all State Data. The Contractor's policies regarding the retrieval of data upon the termination of services have been made available to the State upon execution of this Contract under separate cover. STATE OF VERMONT CONTRACT FOR SERVICES Page 33 of 67 Contract#29960 The Contractor shall provide the State with not less than thirty (30) days advance written notice of any material amendment or modification of such policies. t. SECURITY BREACHES; SECURITY BREACH REPORTING The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below. In addition to the requirements set forth in any applicable Business Associate Agreement as may be attached to this Contract, in the event of any actual or suspected security breach the Contractor either suffers or learns of that either compromises or could compromise State Data (including, as applicable, PII, PHI or ePHI) in any format or media, whether encrypted or unencrypted (for example, but not limited to: physical trespass on a secure facility; intrusion or hacking or other brute force attack on any State environment; loss or theft of a PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable device; loss or theft of printed materials; or failure of security policies) (collectively, a "Security Breach"), the Contractor shall immediately determine the nature and extent of the Security Breach, contain the incident by stopping the unauthorized practice, recover records, shut down the system that was breached, revoke access and/or correct weaknesses in physical security. Contractor shall analyze and document the incident and provide the required notices, as set forth below. The Contractor acknowledges that in the performance of its obligations under this Contract, it will be a "data collector" pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9 V.S.A. §2430(3)) and that, in accordance with 9 V.S.A. § 2435(b)(2), Contractor shall immediately notify appropriate State personnel of such Security Breach. The Contractor's report shall identify: (i) the nature of the Security Breach; (ii) the State Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or shall take to prevent future similar unauthorized use or disclosure. The Contractor shall provide such other information, including a written report, as reasonably requested by the State. The Contractor agrees to comply with all applicable laws, as such laws may be amended from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont Statutes and all applicable State and federal laws, rules or regulations) that require notification in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of the Contractor's security obligations ("Notification Event"), the Contractor agrees to fully cooperate with the State, assume responsibility for such notice if the State determines it to be appropriate under the circumstances of any particular Security Breach, and assume all costs associated with a Security Breach and Notification Event, including but not limited to, notice, outside investigation and services (including mailing, call center, forensics, counsel and/or crisis management), and/or credit monitoring, in the sole determination of the State. In addition to any other indemnification obligations in this Contract, the Contractor shall fully indemnify and save harmless the State from any costs, loss or damage to the State resulting from a Security Breach or the unauthorized disclosure of State Data by the Contractor, its officers, agents, employees, and subcontractors. STATE OF VERMONT CONTRACT FOR SERVICES Page 34 of 67 Contract#29960 u. PROGRAM ADMINISTRATION AND EVALUATION 1. Performance Measures: The Contractor shall maintain the system so that offender record searches of "lock ups," data queries and workflow reports will be returned in a timely manner that will not impede end user workflow. The State shall maintain a broad-band connection at each location. Contractor shall not be liable for transaction response times if the State experiences a failure of any kind in its broad-band connection. Transaction Response Times: The Contractor shall maintain the system so that offender record searches or "look ups", on average, be returned in less than IO-seconds and data queries in less than 45seconds. Standard daily workflow reports as outlined in the requirements will be returned in a timely manner that will not impede end user workflow; within 2 minutes. Reports that analyze a large amount of data over a wide range of time, return times will vary based on report criteria and are outside the scope of these response times. Reports that analyze a large amount of data over a wide range of time can be scheduled using the CorrecTek batch report engine t<? reduce return times. The· State shall maintain a broad-band connection at each location. Contractor shall not be liable for transaction response times if the State experiences a failure of any kind in its broadband connection or hosting services, issues that may be related to user error or training issues, reports run by non-designated staff, or hardware limitations. The State reserves the right to measure Availability and Response times independently, review tools, and calculations of SLA metrics. v. SURVIVAL Except as otherwise provided, any obligations and duties which by their nature extend beyond the expiration or termination of this Agreement, shall survive the expiration or termination of this Agreement. w. SEVERABILITY If any provision of this Agreement is found to be invalid or unenforceable, such provision shall be severed from this Agreement while not affecting the validity or enforceability of the remaining provisions, which shall remain in full force and effect. x. NOTICES Contractor shall send all notices regarding system maintenance, software upgrades and/or emergency downtime to the State's appointed contact via email. Notwithstanding anything to the contrary in the Contract Documents, all notices must be given in accordance with the terms of this paragraph and shall be sent to the addresses set forth below or such addresses as may be provided from time to time. Each of the Parties agree that if any notices are sent to the State via electronic mail or facsimile transmission, and such notices require an approval, consent, express or implied, or other affirmative action from State, then, in addition, the Parties shall provide a hard copy of such notice to State, either via hand delivery, certified mail or overnight courier. STATE OF VERMONT CONTRACT FOR SERVICES Page 35 of67 Contract#29960 If to the State: State of Vermont: EHR Project Manager Department of Corrections Agency of Human Services 103 South Main Street Waterbury, VT 05671 If to the Contractor: Centurion of Vermont, LLC Steven H. Wheeler 1593 Spring Hill Road, Suite 610 Vienna, VA 22182 STATE OF VERMONT CONTRACT FOR SERVICES Page 3~ of 67 Contract#29960 1. Contact Information The State's Prim.a!):'. Contact: Cheryl Burcham Project Manager Agency of Human Services 103 South Main Street Waterbury, VT 05671 Cheryl. Burcham@state. vt. us The State's Seconda!):'. Contact: Debra Kobus Medical Services Contract Administrator Department of Corrections 103 South Main Street Waterbury, VT 05671 Debra.Kobus@state.vt.us The State's DOC Onerations Contact: Delores Burroughs-Biron Director of Medical Services Department of Corrections 103 South Main Street Waterbury, VT 05671 Dee.BurroughsBiron@state. vt. us The State's Technical Lead Contact: Lucas Herring Information Technology Manager Agency of Human Services 103 South Main Street Waterbury, VT 05671 Lucas.Herring@state. vt. us 802-505-0564 The Contractor's Prima!):'. Contact: Christie Nader Sr. Director, IT Centurion 1593 Spring Hill Rd, #600 Vienna, VA 22182 cnader@centurionmcare.com The Contractor's Secondan: Contact: Karthik Elangovan Manager, Application Development Centurion 1593 Spring Hill Rd, #600 Vienna, VA 22182 kelangovan@mhmservices.com The Contractor's Technical Lead Contact: Matt Wurth, CTO CorrecTek 1640 McCracken Boulevard Paducah, Kentucky 42001 mwurth@correctek.com The Contractor's O{!erations Contact: Theresa Randall 5430 Waterbury Stowe Rd Bldg # 1, Ground Floor Waterbury Center, VT 05677 trandall@CenturionVT .com Page 37 of 67 Contract#29960 STATE OF VERMONT CONTRACT FOR SERVICES ATTACHMENT B CONTRACT FOR SERVICES PAYMENT PROVISIONS The maximum dollar amount payable under this Contract is not intended as any form of a guaranteed amount. The Contractor will be paid for products delivered or services actually performed as specified in Attachment A, up to the maximum allowable amount specified on page 1 of this Contract. State of Vermont payment terms are Net 30 days from date of an error-free invoice, and all payments against this contract shall comply with the State's payment terms. The payment schedule for delivered products, or rates for services performed, and any additional reimbursements, are included in this attachment. The following provisions specifying payments are: MILESTONE DELIVERABLES The State shall pay Contractor a fixed price payment to Contractor upon State acceptance of each payment deliverable according to the cost schedule below. The maximum amount for .the Milestone Deliverables of the Contract will not exceed $1 ,023,463. The cost of annual Support and Maintenance, and Hosting, will be paid as outlined below. A retainage of 10% is held back from each deliverable and upon completion of all deliverables, Contractor shall submit a single invoice for release of the full amount of retainage withheld. ID# Estimated Timeframe From Contract Execution Milestone/Deliverable Description Upon Contract Execution 0-30 days after contract execution 0-30 days after contract execution 0-30 days after contract execution 0-30 days after contract execution CorrecTek License Phase 1: Project KicJ{-Off 1 2 3 4 Kick Off Meeting Delivery of Initial Project Plan Data Conversion and Migration Plan Staffing Plan Phase 2: Network Readiness 5 Security Plan 6 Risk Assessment 7 Security Controls Document 8 Risk Management Plan I I 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution Invoice Amount 10% Retainage Amount %of Total $130,672 $13,067 20% $65,336 $6,534 10% Payment included with Phase3 STATE OF VERMONT CONTRACT FOR SERVICES 9 Change Management Plan 10 Organizational Change Management Plan 11 Communications Plan 12 Disaster Recovery Plan 13 IT Risk Assessment 14 Security Controls Audit 15 Requirements Traceability Matrix 16 Functional Design 17 Technical Specifications and Network Diagram Phase 3: Interface Development/Database Configuration 18 19 Complete onsite assessments of facilities to gather workflow and data requirements utilized in the database configuration process. Delivery of EHR Base System and User Acceptance Test Sign-Off on Base System to Ensure Successful Installation Page 38 of 67 Contract#29960 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 31 - 89 days after contract execution 90 - 239 Days after contract execution 91 - 23 9 Days after contract execution 91 - 239 Days after contract execution '*Actual timeframe will 20 Delivery of OMS Interface (As Defined in the Document "CorrecTek OMS Interface Guide") *Actual timeframe will 21 Delivery of Pharmacy Interface (As Defined in the Document "CorrecTek Pharmacy Interface Guide") 22 Delivery of Lab Interface (As Defined in the Document "CorrecTek Lab Interface Guide") vary according to other system vendors. 90-209 vary according to other system vendors. 90-209 *Actual timeframe will vary according to other system vendors. 90-209 $248,277 $24,828 38% STATE OF VERMONT CONTRACT FOR SERVICES 23 24 25 26 27 28 29 30 31 32 33 Delivery of Radiology Interface (As Defined in the Document "CorrecTek Radiology Interface Guide") Data Extraction from Legacy DOC System (ERMA) Map Data Elements Delivery of Data Conversion Plan Submit Mapped Data Elements for review Delivery of Data Mapping Document Completed data conversion State sign-off of the final configuration elements required before CorrecTek configuration efforts begin. Approval of Facility Assessment Summary document. Construction, Configuration, and Unit Test Summary - Delivery of Draft Acceptance Test Plan ("ATP"). The standard CorrecTek Show and Tell Process will be utilized. Provide an informational demo for User Acceptance Testers to equip them for the Show and Tell Sessions. Delivery of SSAE-16 SOC 2 certification to the State. Unit Test Results Delivery of completed ATP's from Construction Phase. Summaries for each CorrecTek Show and Tell session will be provided. Integration and System Test Plan - State signoff on the Acceptance Test Plan of EHR. Necessary changes that are identified during the Show and Tell sessions will Page 39 of 67 Contract#29960 *Actual timeframe will vary according to other system vendors. 90-209 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91-239 Days after contract extension 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution 91 - 239 Days after contract execution STATE OF VERMONT CONTRACT FOR SERVICES Page 40 of 67 Contract#29960 be addressed and demonstrated to the State. 34 35 36 37 38 39 40 41 42 43 44 Finalize Data Configuration based on elements approved by the State in the Facility Assessment Summary document. Delivery of final, configured database Documentation Plan Delivery of draft Training Manual. CorrecTek standard training resources will be utilized. Phase 4: Training Schedule and Chart Prep Delivery of Training Plan (Curriculum, Final Manual, and Training Schedule) Schedule Training Users complete training questionnaire (provided by CorrecTek) Delivery of Chart Prep Training. Phase 5: Onsite Training and Go-Live Conduct training sessions for all end users Implementation/Go-Live Date Documentation - Delivery of System and User Manuals Initiate One-year Warranty Period Phase 6: Post Go-Live 45 46 Post Go-Live Onsite Assessments 512 additional development hours for future/undetermined interfaces which might include VITL, EKG 91 - 239 Days after contract execution 91 - 23 9 Days after contract execution 91 - 239 Days after contract execution 230 -239 days after contract execution $52,269 $5,227 8% $65,336 $6,534 10% $91,470 $9,147 14% 231 -239 days after contract execution 231 -239 days after contract execution 231 -239 days after contract execution 234 -239 days after contract execution 240 - 270 days after contract execution 241 -270 days after contract execution 244 - 270 days after contract execution 245 - 270 days after contract execution 246 - 270 days after contract execution 300+ days after contract execution 300 days after contract execution 3 00+ days after contract execution STATE OF VERMONT CONTRACT FOR SERVICES Page 41 of 67 Contract#29960 machine, and Medicare/Medicaid 47 48 Provide annual SSAE-16 SOC 2 and 800-53 R4 300+ days after contract Compliance certification to execution the State Post Implementation 300+ days after contract Evaluation and Certification execution Upon receipt of all Retainage Payment Contract Deliverables $65,360 ANNUAL SUPPORT AND MAINTENANCE FEES: System Maintenance and Operations System Annual Support & Maintenance Year 2 (Warranty Period): Cost $0 System Annual Support & Maintenance Year 3: $18,000 $18,000 Contractor shall invoice for full amount at one year anniversary of the Go Live date System Annual Support & Maintenance (Optional Year 4): $18,000 $18,000 Contractor shall invoice for full amount upon the start of the Current Service Period System Annual Support & Maintenance (Optional Year 5): $18,000 $18,000 Contractor shall invoice for full amount upon the start of the Current Service Period Invoice Payable Date $0 HOSTING FEES: Hosting fees are based on a 20GB per user flat fee, with a $1 per GB overage fee, and Microsoft licensing costs evaluated in relation to the previous service period, based on 66 workstations (PCs, laptops and tablets) and 180 users. Maximum payment shall not to exceed a 5% increase over the previous payment period assuming the same number of users and the same number of workstations (PCs, laptops and tablets). Contractor shall provide an invoice with detailed billing information related to each of the separate hosting fees. System Hosting Fees I I I Cost per year Invoice Maximum Payment for 12month Service I Invoice Date Page 42 of 67 Contract#29960 STATE OF VERMONT CONTRACT FOR SERVICES Period Construction and Configuration Hosting Period (Year 1) Microsoft Licensing Fees System Hosting Fees Year 2: Pro-rated per month Pro-rated per month Yearly billing Based on evaluation of costs, not to exceed $3,300 per month. Contractor shall invoice the State once the Application is available to State users in the Hosting environment. If system's go-live date occurs before the end of this payment period, the pro-rated amount equal to the amount of months remaining in Year 1 shall be credited by Contractor to Year 2 System Hosting $39,600 Fees. Based on evaluation of costs, not to exceed $2934 per month. Contractor shall invoice the State once the Application is available to State users in the Hosting environment. If system's go-live date occurs before the end of this payment perio~, the pro-rated amount equal to the amount of months remaining in Year 1 $35208 shall be paid. Based on evaluation of costs, not to exceed a 5% increase bver previous period Contractor shall invoice for full amount upon implementation (Go $41,580 Live date) of STATE OF VERMONT CONTRACT FOR SERVICES Page 43 of 67 Contract#29960 system Microsoft Licensing Fees Year 2 Pro-rated per month Yearly billing Based on evaluation of costs, tnot to exceed a 5% increase !Over previous period Based on.evaluation of costs, not to exceed a 5% increase over previous period Contractor shall invoice for full amount upon implementation (Go Live date) of $36,968 system System Hosting Fees Year 3: Contractor shall invoice for full amount upon the start of the Current Service Period on the anniversary of $43,659 the Go Live date Microsoft Licensing Fees Year 3 Contractor shall invoice for full amount upon the start of the Current Service Period on the aru_iiversary of $38,817 the Go Live date Pro-rated per month Yearly billing Based on evaluation of costs, not to exceed a 5% increase over previous period Based on evaluation of costs, not to exceed a 5% increase over previous period System Hosting Fees (Optional Year 4): Contractor shall invoice for full amount upon the start of the Current $45840 Service Period System Hosting Fees (Optional Year 5): Contractor shall invoice for full amount upon the start of the Current $40,760 Service Period Contractor shall invoice for full amount upon the start of the Current $48,132 Service Period Microsoft Licensing Fees Year (Optional Year 5) Contractor shall invoice for full amount upon_the start of the Current $42,798 Service Period Microsoft Licensing Fees Year (Optional Year 4) Pro-rated per month Yearly billing Pro-rated per month Based on evaluation of costs, not to exceed a 5% increase over previous period Based on evaluation of costs, not to exceed a 5% increase over previous period Based on evaluation of costs, not to exceed a 5% increase over previous period Page 44 of 67 Contract#29960 STATE OF VERMONT CONTRACT FOR SERVICES Unanticipated Time & Management Table: Examples of possible Change Order options: Additional Training Additional Software Module or Functionality not included in original Requirements Directives that change from time to time, which do not match up with Software's then-current functionality Creation of interfaces not defined in the contract. Fee $75/per hour. Contractor will scope out the effort and provide State with a Quote. $75/per hour. Contractor will scope out the effort and provide State with a Quote. $75/per hour for configuration services and/or $125 for development services. Contractor will scope out the effort and provide State with a Quote. $125/per hour. Contractor will scope out the effort and provide State with a Quote. The State will only make payment for the deliverables as defined in this Contract and will not be responsible for additional expenses or costs of the Contractor. 1. The Contractor shall submit invoices on their standard billhead. All invoices shall contain the contract number, a clear description of the invoice period for which payment is requested,. a description of all work performed during the invoice period, Contractor's signature, any applicable amount of retainage withheld, and the total invoice amount due. Contracte>r invoices may be mailed or e-mailed to: Debra Kobus Contract Manager Vermont Department of Corrections 103 South Main Street Waterbury, VT 05671 2. State will remit Payment to: Financial Comptroller CENTURION of Vermont, LLC 1593 Spring Hill Road, Suite 610 Vienna, VA 22182 3. The State shall not be responsible for expenses of the Contractor that are not covered under this Contract. 4. The Contractor specified in this Contract is the primary Contractor and is solely responsible for fulfillment of the contract with the State. The State will only make contract payments to the primary Contractor. STATE OF VERMONT CONTRACT FOR SERVICES Page 45 of67 Contract#29960 5. Invoices submitted more than 90 days after the month of service or completion of an accepted deliverable may not be honored, except for additional charges agreed to by the Parties. STATE OF VERMONT CONTRACT FOR SERVICES Page 46 of 67 Contract#29960 ATTACHMENT C STANDARD STATE PROVISIONS FOR CONTRACTS AND GRANTS 1. Entire Agreement: This Agreement, whether in the form of a Contract, State Funded Grant, or Federally Funded Grant, represents the entire agreement between the parties on the subject matter. All prior agreements, representations, statements, negotiations, and understandings shall have no effect. 2. Applicable Law: This Agreement will be governed by the laws of the State of Vermont. 3. Definitions: For purposes of this Attachment, "Party" shall mean the Contractor, Grantee or Subrecipient, with whom the State of Vermont is executing this Agreement and consistent with the form of the Agreement. 4. Appropriations: If this Agreement extends into more than one fiscal year of the State (July 1 to June 30), and if appropriations are insufficient to support this Agreement, the State may cancel at the end of the fiscal year, or otherwise upon the expiration of existing appropriation authority. In the case that this Agreement is a Grant that is funded in whole or in part·by federal funds, and in the event federal funds become unavailable or reduced, the State may suspend or cancel this Grant immediately, and the State shall have no obligation to pay Subrecipient from State revenues. 5. No Employee Benefits For Party: The Party understands that the State will not provide any individual retirement benefits, group life insurance, group health and dental insurance, vacation or sick leave, workers compensation or other benefits or services available to State employees, nor will the state withhold any state or federal taxes except as required under applicable tax laws, which shall be determined in advance of execution of the Agreement. The Party understands that all tax returns required by the Internal Revenue Code and the State of Vermont, including but not limited to income, withholding, sales and use, and rooms and meals, must be filed by the Party, and information as to Agreement income will be provided by the State of Vermont to the Internal Revenue Service and the Vermont Department of Taxes. 6. Independence, Liability: The Party will act in an independent capacity and not as officers or employees of the State. The Party shall defend the State and its officers and employees against all claims or suits arising in whole or in part from any act or omission of the Party or of any agent of the Party. The State shall notify the Party in the event of any such claim or suit, and the Party shall immediately retain counsel and otherwise provide a complete defense against the entire claim or suit. After a final judgment or settlement the Party may request recoupment of specific defense costs and may file suit in Washington Superior Court requesting recoupment. The Party shall be entitled to recoup costs only upon a showing that such costs were entirely umelated to the defense of any claim arising from an act or omission of the Party. The Party shall indemnify the State and its officers and employees in the event that the State, its officers or employees become legally obligated to pay any damages or losses arising from any act or omission of the Party. 7. Insurance: Before commencing work on this Agreement the Party must provide certificates of insurance to show that the following minimum coverages are in effect. It is the responsibility of the Party to maintain current certificates of insurance on file with the state through the term of the Agreement. No warranty is made that the coverages and limits listed herein are adequate to cover and protect the interests of the Party for the Party's operations. These are solely minimums that have been established to protect the interests of the State. . STATE OF VERMONT CONTRACT FOR SERVICES Page 47 of 67 Contract#29960 Worke-rs Compensation: With respect to all operations performed, the Party shall carry workers' compensation insurance in accordance with the laws of the State of Vermont. General Liability and Property Damage: With respect to all operations performed under the contract, the Party shall carry general liability insurance having all major divisions of coverage including, but not limited to: Premises - Operations Products and Completed Operations Personal Injury Liability Contractual Liability The policy shall be on an occurrence form and limits shall not be less than: $1,000,000 Per Occurrence $1,000,000 General Aggregate $1,000,000 Products/Completed Operations Aggregate $ 50,000 Fire/ Legal/Liability Party shall name the State of Vermont and its officers and employees as additional insureds for liability arising out of this Agreement. Automotive Liability: The Party shall carry automotive liability insurance covering all motor vehicles, including hired and non-owned coverage, used in connection with the Agreement. Limits of coverage shall not be less than: $1,000,000 combined single limit. Party shall name the State of Vermont and its officers and employees as additional insureds for liability arising out of this Agreement. 8. Reliance by the State on Representations: All payments by the State under this Agreement will be made in reliance upon the accuracy of all prior representations by the Party, including but not limited to bills, invoices, progress reports and other proofs of work. 9. Requirement to Have a Single Audit: In the case that this Agreement is a Grant that is funded in whole or in part by federal funds, the Subrecipient will complete the Subrecipient Annual Report annually within 45 days after its fiscal year end, informing the State of Vermont whether or not a Single Audit is required for the prior fiscal year. If a Single Audit is required, the Subrecipient will submit a copy of the audit report to the granting Party within 9 months. If a single audit is not required, only the Subrecipient Annual Report is required. For fiscal years ending before December 25, 2015, a Single Audit is required if the subrecipient expends $500,000 or more in federal assistance during its fiscal year and must be conducted in accordance with 0MB Circular A-133. For fiscal years ending on or after December 25, 2015, a Single Audit is required if the subrecipient expends $750,000 or more in federal assistance during its fiscal year and must be conducted in accordance with 2 CFR Chapter I, Chapter II, Part 200, Subpart F. The Subrecipient Annual Report is required to be submitted within 45 days, whether or not a Single Audit is required. 10. Records Available for Audit: The Party shall maintain all records pertaining to performance under this agreement. "Records" means any written or recorded information, regardless of physical form or characteristics, which is produced or acquired by the Party in the performance of this agreement. Records produced or acquired in a machine readable electronic format shall be maintained in that format. The records described shall be made available at reasonable times during the period of STATE OF VERMONT CONTRACT FOR SERVICES Page 48 of 67 Contract#29960 the Agreement and for three years thereafter or for any period required by law for inspection by any authorized representatives of the State or Federal Government. If any litigation, claim, or audit is started before the expiration of the three year period, the records shall be retained until all litigation, claims or audit findings involving the records have been resolved. 11. Fair Employment Practices and Americans with Disabilities Act: Party agrees to comply with the requirement of Title 21 V.S.A. Chapter 5, Subchapter 6, relating to fair employment practices, to the full extent applicable. Party shall also ensure, to the full extent required by the Americans with Disabilities Act of 1990, as amended, that qualified individuals with disabilities receive equitable access to the services, programs, and activities provided by the Party under this Agreement. Party further agrees to include this provision in all subcontracts. 12. Set Off: The State may s~t off any sums which the Party owes the State against any sums due the Party under this Agreement; provided, however, that any set off of amounts due the State of Vermont as taxes shall be in accordance with the procedures more specifically provided hereinafter. 13. Taxes Due to the State: a. Party understands and acknowledges responsibility, if applicable, for compliance with State tax laws, including income tax withholding for employees performing services within the State, payment of use tax on property used within the State, corporate and/or personal income tax on income earned within the State. b. Party certifies under the pains and penalties of perjury that, as of the date the Agreement is signed, the Party is in good standing with respect to, or in full compliance with, a plan to pay any and all taxes due the State of Vermont. c. Party understands that final payment under this Agreement may be withheld if the Commissioner of Taxes determines that the Party is not in good standing with respect to or in full compliance with a plan to pay any and all taxes due to the State of Vermont. d. Party also understands the State may set off taxes-(and related penalties, interest and fees) due to the State of Vermont, but only if the Party has failed to make an appeal within the time allowed by law, or an appeal has been taken and finally determined and the Party has no further legal recourse to contest the amounts due. 1,4. Child Support: (Applicable if the Party is a natural person, not a corporation or partnership.) Party states that, as of the date the Agreement is signed, he/she: a. is not under any obligation to pay child support; or b. is under such an obligation and is in good standing with respect to that obligation; or c. has agreed to a payment plan with the Vermont Office of Child Support Services and is in full compliance with that plan. Party makes this statement with regard to support owed to any and all children residing in Vermont. In addition, if the Party is a resident of Vermont, Party makes this statement with regard to support owed to any and all children residing in any other state or territory of the United States. 15. Sub-Agreements: Party shall not assign, subcontract or subgrant the performance of this Agreement or any portion thereof to any other Party without the prior written approval of the State. Party also agrees to include in all subcontract or subgrant agreements a tax certification in accordance with paragraph 13 above. STATE OF VERMONT CONTRACT FOR SERVICES Page 49 of67 Contract#29960 16. No Gifts or Gratuities: Party shall not give title or possession of anything of substantial value (including property, currency, travel and/or educ·ation programs) to any officer or employee of the State during the term of this Agreement. 17. Copies: All written reports prepared under this Agreement will be printed using both sides of the paper. 18. Certification Regarding Debarment: Party certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, neither Party nor Party's principals (officers, directors, owners, or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or excluded from participation in federal programs, or programs supported in whole or in part by federal funds. Party further certifies under pains and penalties of perjury that, as of the date that this Agreement is signed, Party is not presently debarred, suspended, nor named on the State's debarment list at: http://bgs. vermont. gov /purchasing/debarment 19. Certification Regarding Use of State Funds: In the case that Party is an employer and this Agreement is a State Funded Grant in excess of $1,001, Party certifies that none of these State fun:ds will be used to interfere with or restrain the exercise of Party's employee's rights with respect to unionization. 20. Internal Controls: In the case that this Agreement is an award that is funded in whole or in part by Federal funds, in accordance with 2 CFR Part II, §200.303, the Party must establish and maintain effective internal control over the Federal award to provide reasonable assurance that the Party is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States and the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 21. Mandatory Disclosures: In the case that this Agreement is an award funded in whole or in part by Federal funds, in accordance with 2CFR Part II, §200.113, Party must disclose, in a timely manner, in writing to the State, all violations of Federal criminal law involving fraud, bribery, or gratuity violations potentially affecting the Federal award. Failure to make required disclosures may result in the imposition of sanctions which may include disallowance of costs incurred, withholding of payments, termination of the Agreement, suspension/debarment, etc. 22. Conflict of Interest: Party must disclose in writing any potential conflict of interest in accordance with Uniform Guidance §200.112, Bulletin 5 Section IX and Bulletin 3.5 Section IV.B. State of Vermont, Attachment C; ABS-Revised 03/01/2015 STATE OF VERMONT CONTRACT FOR SERVICES Page 50 of67 Contract#29960 ATTACHMENT D OTHER PROVISIONS 1. OWNERSHIP AND LICENSE IN DELIVERABLES 1.1 State Intellectual Property; State Intellectual Property; User Name. The State shall retain all right, title and interest in and to (i) all content and all property, data and information furnished by or ori behalf of the State or any agency, commission or board thereof, and to all information that is created under this Contract, including, but not limited to, all data that is generated under this Contract as a result of the use by Contractor, the State or any third party of any technology systems or knowledge bases that are developed for the State and used by Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks, trade names, logos artd other State identifiers, Internet uniform resource locators, State user name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this Contract (collectively, "State Intellectual Prope1ty"). Contractor may not use State Intellectual Property for any purpose other than as specified in this Contract. Upon expiration or termination of this Contract, Contractor shall return or destroy all State Intellectual Property and all copies thereof, and Contractor shall have no further right or license to such State Intellectual Property. Contractor acquires no rights or licenses, including, without limitation, intellectual property rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the Contractor claim any security interest in State Intellectual Property. 1.2 Work Product. All Work Product shall belong exclusively to the State, with the State having the sole and exclusive right to apply for, obtain, register, hold and renew, in its own name and/or for its own benefit, all patents and copyrights, and all applications and registrations, renewals and continuations thereof and/or any and all other appropriate protection. To the extent exclusive title and/or complete and exclusive ownership rights in and to any Work Product may not originally vest in the State by operation of law or otherwise as contemplated hereunder, Contractor shall immediately upon request, unconditionally and irrevocably assign, transfer and convey to the State all right, title and interest therein. "Work Product" means any tangible or intangible ideas, inventions, improvements, modifications, discoveries, development, customization, configuration, methodologies or processes, designs, models, drawings, photographs, reports, formulas, algorithms, patterns, devices, compilations, databases, computer programs, work of authorship, specifications, operating instructions, procedures manuals or other documentation, technique, know-how, secret, or intellectual property right whatsoever or any interest therein (whether patentable or not patentable or registerable under copyright or similar statutes or subject to analogous protection), that is specifically made, conceived, discovered or reduced to practice by Contractor, either solely or jointly with others, pursuant to this Contract. Work Product does not include Contractor Intellectual Property or third party intellectual property. To the extent delivered under this Contract, upon full payment to Contractor in accordance with Attachment B, and subject to the terms and conditions contained herein, Contractor hereby (i) assigns to State all rights in and to all Deliverables, except to the extent they include any Contractor Intellectual Property; and (ii) grants to State a perpetual, non-exclusive, irrevocable, royalty-free license to use for State's internal business purposes, any Contractor Intellectual Property included in the Deliverables in connection with its use of the Deliverables and, subject to the State's obligations with respect to Confidential Information, authorize STATE OF VERMONT CONTRACT FOR SERVICES Page 51 of 67 Contract#29960 others to do the same on the State's behalf. Except for the foregoing license grant, Contractor or its licensors retain all rights in and to all Contractor Intellectual Property. The Contractor shall not sell or copyright a Deliverable without explicit permission from the State. If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor Intellectual Property or Contractor Intellectual Property developed outside of this Contract with no assistance from State. 2. CONFIDENTIALITY AND NON-DISCLOSURE; SECURITY BREACH REPORTING 2.1 Confidentiality of Contractor Information. The Contractor acknowledges and agrees that this Contract and any and all Contractor information obtained by the State in connection with this Contract are subject to the State of Vermont Access to Public Records Act, 1 V.S.A. § 315 et seq. The State will not disclose information for which a reasonable claim of exemption can be made pursuant to 1 V .S.A. § 317(c), including, but not limited to, trade secrets, proprietary information or financial information, including any formulae, plan, pattern, process, tool, mechanism, compound, procedure, production data, or compilation of information which is not patented, which is known only to the Contractor, and which gives the Contractor an opportunity to obtain business advantage over competitors who do not know it or use it. The State shall immediately notify Contractor of any request made under the Access to Public Records Act, or any request or demand by any court, governmental agency or other person asserting a demand or request for Contractor information. Contractor may, in its discretion, seek an appropriate protective order, or otherwise defend any right it may have to maintain the confidentiality of such information under applicable State law within three .business days of the State's receipt of any such request. Contractor agrees that it will not make any claim against the State if the State makes available to the public any information in accordance with the Access to Public Records Act or in response to a binding order from a court or governmental body or agency compelling its production. Contractor shall indemnify the State for any costs or expenses incurred by the State, including, but not limited -to, attorneys' fees awarded in acco.rdance with 1 V.S.A. § 320, in connection with any action brought in connection with Contractor's attempts to prevent or unreasonably delay public disclosure of Contractor's information. The State agrees that (a) it will use the Contractor information only as may be necessary in the course of performing duties, receiving services or exercising rights under this Contract; (b) it will provide at a minimum the same care to avoid disclosure or unauthorized use of Contractor information as it provides to protect its own similar confidential and proprietary information; (c) except as required by the Access to Records Act, it will not disclose such information orally or in writing to any third party unless that third party is subject to a written confidentiality agreement that contains restrictions and safeguards at least as restrictive as those contained in this Contract; (d) it will take all reasonable precautions to protect the Contractor's information; and (e) it will not otherwise appropriate such information to its own use or to the use of any other person or entity. Page 52 of67 Contrac(#29960 STATE OF VERMONT CONTRACT FOR SERVICES Contractor may affix an appropriate legend to Contractor information that is provided under this Contract to reflect the Contractor's determination that any such information is a trade secret, proprietary information or financial information at time of delivery or disclosure. 2.2 Confidentiality of State Information. In performance of this Contract, and any exhibit or schedule hereunder, the Party acknowledges that certain State Data (as defined below), to which the Contractor may have access may contain individual federal tax information, personal protected health information and other individually identifiable information protected by State or federal law. In addition to the provisions of this Section, the Party shall execute the HIP AA Business Associate Agreement attached as Attachment E. Before receiving or controlling State Data, the Contractor will have an information security policy that protects its systems and processes and media that may contain State Data from internal and external security threats and State Data from unauthorized disclosure, and will have provided a copy of such policy to the State. State Data shall not be stored, accessed from, or transferred to any location outside the United States. Unless otherwise instructed by the State, Contractor agrees to _keep confidential all information received and collected by Contractor in connection with this Contract ("State Data"). The Contractor agrees not to publish, reproduce, or otherwise divulge any State Data in whole or in part, in any manner or form or authorize or permit others to do so. Contractor will take reasonable measures as are necessary to restrict access to State Data in the Contractor's possession to only those employees on its staff who must have the information on a "need to know" basis. The Contractor shall use State Data only for the purposes of and in accordance with this Contract. The Contractor shall provide at a minimum the same care to avoid disclosure or unauthorized use of State Data as it provides to protect its O)-Vll similar confidential and proprietary information. The Contractor shall promptly notify the State of any request or demand by any court, governmental agency or other person asserting a demand or request for State Data to which the Contractor or any third party hosting service of the Contractor may have access, so that the State may seek an appropriate protective order. 3 CONTRACTOR'S REPRESENTATIONS AND WARRANTIES 3.1 General Representations and Warranties. covenants that: The Contractor represents, warrants and (i) The Contractor has all requisite power and authority to execute, deliver and perform its obligations under this Contract and the execution, delivery and performance of this Contract by the Contractor has been duly authorized by the Contractor. (ii) There is no outstanding litigation, arbitrated matter or other dispute to which the Contractor is a party which, if decided unfavorably to the Contractor, would reasonably be expected to have a material adverse effect on the Contractor's ability to fulfill its obligations under this Contract. (iii) The Contractor will comply with all laws applicable to its performance of the services and otherwise to the Contractor in connection with its obligations under this Contract. (iv) The Contractor has the right to use under valid and enforceable agreements all intellectual property reasonably necessary for and related to delivery of the services and provision of STATE OF VERMONT CONTRACT FOR SERVICES Page 53 of 67 Contract#29960 the deliverables as set forth in this Contract and none of the deliverables or other materials or technology provided by the Contractor to the State will infringe upon or misappropriate the intellectual property rights of any third party. (v) The Contractor has adequate resources to fulfill its obligations under this Contract. (vi) Contractor has no past state or federal violations, convictions or suspensions relating to miscoding of employees in NCCI job codes for purposes of differentiating between independent contractors and employees. 3.2 Contractor's Performance Warranties. Contractor represents and warrants to the State that: (i) All deliverables will be free from material errors and shall perform in accordance with the specifications therefor. (ii) Each and all of the services shall be performed in a timely, diligent, professional and workpersonlike manner, in accordance with the highest professional or technical standards applicable to such services, by qualified persons with the technical skills, training and experience to perform such services in the planned environment. At its own expense and without limiting any other rights or remedies of the State hereunder, the Contractor shall re-perform any services that the State has determined to be unsatisfactory in its reasonable discretion, or the Contractor shall refund that portion of the fees attributable to each such deficiency. (iii) All Deliverables supplied by the Contractor to the State shall be transferred free and clear of any and all restrictions on the conditions of transfer, modification, licensing, sublicensing and free and clear of ariy and all lines, claims, mortgages, security interests, liabilities and encumbrances or any kind. (iv) Any time software is delivered to the State, whether delivered via electronic media or the internet, no portion of such software or the media upon which it is stored or delivered will have any type of software routine or other element which is designed to facilitate unauthorized access to or intrusion upon; or unrequested disabling or erasure of; or unauthorized interference with the operation of any hardware, software, data or peripheral equipment of or utilized by the State. Notwithstanding the foregoing, Contractor assumes no responsibility for the State's negligence or failure to protect data from viruses, or any unintended modification, destruction or disclosure. 3.3 Software Warranty. Contractor warrants that the Software shall perform in accordance with the Contract for a period of one (1) year commencing on the Go-Live Date. In the event of any defect arising during this warranty period, Contractor shall ensure that such performance problems are corrected promptly, and at no additional cost to the State, following receipt of written notice from State of such defect. 3.4 Limitation on Disclaimer. The express warranties set forth in this Contract shall he in lieu of all other warranties, express or implied. 3.5 Effect of Breach of Warranty. If, at any time during the term of this Contract, the results of Contractor's work fail to perform according to any warranty of Contractor under this Contract, STATE OF VERMONT CONTRACT FOR SERVICES Page 54 of 67 Contract#29960 the State shall promptly notify Contractor in writing of such alleged nonconformance, and Contractor shall provide at no additional cost of any kind to the State, the maintenance required. 4 INDEMNIFICATION Notwithstanding anything to the contrary set forth in Attachment C of this Contract, Contractor shall have no obligation to defend or indemnify the State for claims alleging that the State's use of the EHR software licensed by Correctek infringes a U.S. copyright or misappropriates a third party trade secret. · 5 PROFESSIONAL LIABILITY INSURANCE COVERAGE In addition to the insurance required in Attachment C to this Contract, before commencing work on this Contract and throughout the term of this Contract, Contractor shall have the obligation to ensure that the software provider (CorrecTek) and any subcontractor to CorrecTek has Technology Professional Liability coverage including 1st party breach coverage with limits not less $1,000,000 per claim, $1,000,000 policy aggregate and 1st party breach coverage of $250,000 per incident. Contractor will provide the State with evidence of this coverage within 2 weeks of the Contract start and annually thereafter for the term of the Contract. This obligation will transfer and continue should Centurion elect to use other subcontractors for these services. 6 SOVEREIGN IMMUNITY The Contractor acknowledges that the State reserves all immunities, defenses, rights or actions arising out of the State's sovereign status or under the Eleventh Amendment to the United States Constitution. No waiver of any such immunities, defenses, rights or actions shall be implied or otherwise deemed to exist by reason of the State's entry into this Contract. 7 DISPUTE RESOLUTION 7.1 Governing Law; Jurisdiction. The Contractor agrees that this Contract shall be governed by and construed in accordance with the laws of the State of Vermont and that any action or proceeding brought by either the State or the Contractor in connection with this Contract shall be brought and enforced in the Superior Court of the State of Vermont, Civil Division, Washington Unit. The Contractor irrevocably submits to the jurisdiction of such court in respect of any such action or proceeding. The State shall not be liable for attorneys' fees in any proceeding. 7.2 Contractor Default. The Contractor shall be in default under this Contract if Contractor commits any material breach of any covenant, warranty, obligation or certification under this Contract, fails to perform the Services in conformance with the specifications and warranties provided in this Contract, or clearly manifests an intent not to perform future obligations under this Contract, and such breach or default is not cured, or such manifestation of an intent not to perform is not corrected by reasonable written assurances of performance within thirty (30) days after delivery of the State's notice period, or such longer period as the State may specify in such notice. 7.3 State Default. State shall be in default under this Contract if State commits any material breach or default of any covenant, warranty, or obligation under this Contract and State fails to STATE OF VERMONT CONTRACT FOR SERVICES Page 55 of 67 Contract#29960 cure such failure within thirty (30) business days after delivery of Contractor's notice or such longer period as Contractor may specify in such notice. 7.4 Trial by Jury. The Contractor acknowledges and agrees that public policy prohibits the State from agreeing to arbitration and/or from waiving any right to a trial by jury. 7.5 Continuity of Performance. In the event of a dispute between the Contractor and the State, each party will continue to perform its obligations under this Contract during the resolution of such dispute unless and until this Contract is terminated in accordance with its terms. 8 REMEDIESFORDEFAULT In the event either party is in default under this Contract, the non-defaulting party may, at its option, pursue any or all of the remedies available to it under this Contract, including termination for cause, and at law or in equity. 9 TERMINATION 9.1 Return of Property. Upon termination of this Contract for any reason whatsoever, Contractor shall immediately deliver to State all State Intellectual P~operty and State Data (including without limitation any Deliverables for which State has made payment in whole or in part), that are in the possession or under the control of Contractor in whatever stage of development and form of recordation such State property is expressed or embodied at that time. 9.2 No Waiver of Remedies. No delay or failure to exercise any right, power or remedy accruing to either party upon breach or default by the other under this Contract shall impair any such right, power or remedy, or shall be construed as a waiver of any such right, power or remedy, nor shall any waiver of a single· breach or default be deemed a waiver of any subsequent breach or default. All waivers must be in writing. 9.3 Contractor Bankruptcy. Contractor acknowledges that if Contractor, as a debtor in possession, or a trustee in bankruptcy in a case under Section 365(n) of Title 11, United States Code (the "Bankruptcy Code"), rejects this Contract, the State may elect to retain its rights under this Contract as provided in Section 365(n) of the Bankruptcy Code. Upon written request of the State to Contractor or the Bankruptcy Trustee, Contractor or such Bankruptcy Trustee shall not interfere with the rights of the State as provided in this Contract, including the right to obtain the State Intellectual Property. 10 STATE FACILITIES 10.1 During the term of this Contract, the State may make available to Contractor space in any State facility applicable to the Services, subject to the conditions that Contractor: (i) shall only use such space solely and exclusively for and in support of the Services; (ii) shall not use State facilities to provide goods or services to or for the benefit of any third party; (iii) shall comply with the leases, security, use and rules and agr~ements applicable to the State facilities; (iv) shall not use State facilities for any unlawful purpose; (v) shall comply with all policies and procedures governing access to and use of State facilities that are provided to Contractor in writing; (vi) instruct Contractor personnel not to photograph or record, duplicate, disclose, transmit or communicate any State information, materials, data or other items, tangible or intangible, obtained or available as a result of permitted use of State facilities; and (vii) return STATE OF VERMONT CONTRACT FOR SERVICES Page 56 of67 Contract#29960 such space to the State in the same condition it was in at the commencement of this Contract, ordinary wear and tear excepted. State facilities will be made available to Contractor on an "AS IS, WHERE IS" basis, with no warranties whatsoever. 10.2 Contractor Facilities. Contractor will be responsible for procuring, managing, maintaining and otherwis~ making available all Contractor Resources necessary to provide the Services in accordance with the Requirements hereunder. Contractor will seek and obtain the State's prior written approval for any relocation of any Contractor Facilities at, from or through which the Services are provided and shall mitigate any impact to the State. Any such relocation shall be without additional cost to the State. No Contractor Facility providing Services pursuant to this Contract shall be located outside the United States. 11 CONFLICTS OF INTEREST Contractor agrees that during the term of this Contract, its performance shall be solely in the best interest of the State. Contractor will not perform services for any person or entity which has also contracted with the State of Vermont in connection with the same project, without express written consent of the State. Contractor shall fully disclose, in writing, any such conflicts of interest, including the nature and extent of the work to be performed for any other person or entity so that the State may be fully informed prior to giving any consent. Contractor agrees that the failure to disclose any such conflicts shall be deemed an event of default under this Contract, and this Contract shall be terminable immediately. 12 MISCELLANEOUS 12.1 Taxes. Most State purchases are not subject to federal or state sales or excise taxes and must be invoiced tax free. An exemption certificate will be furnished upon request covering taxable items. 12.2 Force Majeure. Neither the State nor the Contractor shall be liable to the other for any failure or delay of performance of any obligations hereunder to the extent such failure or delay shall have been wholly or principally caused by acts o_r events beyond its reasonable control making it illegal or impossible to perform their obligations under this Contract, including without limitation, acts of God, acts of civil or military authority, fires, floods, earthquakes or other natural disasters, war or riots, provided however, that the foregoing shall not be applicable to (x) any obligation of such party to pay monies under this Agreement, or (y) any indemnity obligations of such party under this Agreement. If a party asserts Force Majeure as an excuse for failure to perform the party's obligation, then the nonperforming party must prove that it made all reasonable efforts to remove, eliminate or minimize such cause of delay or damages, diligently pursued performance of its obligations under this Contract, substantially fulfilled all non-excused obligations, and timely notified the other party of the likelihood or actual occurrence of an event described in this paragraph. 12.3 Marketing. Neither party to this Contract shall refer to the other party in any publicity materials, information pamphlets, press releases, research reports, advertising, sales promotions, trade shows, or marketing materials or similar communications to third parties except with the prior written consent of such party prior to release. STATE OF VERMONT CONTRACT FOR SERVICES Page 57 of 67 Contract#29960 ATTACHMENT E BUSINESS ASSOCIATE AGREEMENT This business associate agreement ("agreement") is entered into by and between the State of Vermont Agency of Human Services, operating by and. through its Department of Corrections ("covered entity") and Centurion of Vermont, LLC ("business associate") as of 09/15/2015 ("effective date"). This agreement supplements and is made a part of the contract/grant to which it is attached. Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIP AA"), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 ("Privacy Rule"), and the Security Standards, at 45 CFR Parts 160 and 164 ("Security Rule"), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations. The parties agree as follows: 1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations. "Agent" means those person(s) who are agents(s) of the Business Associate, in accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c). "Breach" means the acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164:402. "Business Associate shall have the meaning given in 45 CFR § 160.103. "Individual" includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). "Protected Health Information" or PHI shall have the meaning given in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Agency. "Security Incident" means any known successful or unsuccessful attempt by an authorized or unauthorized individual to inappropriately use, disclose, modify, access, or destroy any information or interference with system operations in an information system. "Services" includes all work performed by the Business Associate for or on behalf of Covered Entity that requires the use and/or disclosure of protected health information to perform a business associate function described in 45 CFR § 160.103 under the definition of Business Associate. "Subcontractor" means a person or organization to whom a Business Associate delegates a function, activity or service, other than in the capacity of a member of the workforce of the Business Associate. For purposes of this Agreement, the term Subcontractor includes Subgrantees. STATE OF VERMONT CONTRACT FOR SERVICES Page 58 of 67 Contract#29960 2. Identification and Disclosure of Privacy and Security Offices. Business Associate and Subcontractors shall provide, within ten (10) days of the execution of this agreement, written notice to the Covered Entity's contract/grant manager the names and contact information of both the HIP AA Privacy Officer and HIP AA Security Officer. This information must be updated any time either of these contacts changes. 3. Permitted and Required Uses/Disclosures of PHI. 3.1 Except as limited in this Agreement, Business Associate may use or disclose PHI to perform Services, as specified in the underlying grant or contract with Covered Entity. The uses and disclosures of Business Associate are limited to the minimum necessary, to complete the tasks or to provide the services associated with the terms of the underlying agreement. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if used or disclosed by Covered Entity in that manner. Business Associate may not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. 3 .2 Business Associate may make PHI available to its employees who need access to perform Services provided that Business Associate makes such employees aware of the use and disclosure restrictions in this Agreement and binds them to comply with such restrictions. Business Associate may only disclose PHI for the purposes authorized by this Agreement: (a) to its agents artd Subcontractors in accordance with Sections 9 and 17 or, (b) as otherwise permitted by Section 3. 3 .3 Business Associate shall be directly liable under HIP AA for impermissible uses and disclosures of the PHI it handles on behalf of Covered Entity, and for impermissible uses and disclosures, by Business Associate's Subcontractor(s), of the PHI that Business Associate handles on behalf of Covered Entity and that it passes on to Subcontractors. 4. Business Activities. Business Associate may use PHI received in its capacity as a Business Associate to Covered Entity if necessary for Business Associate's proper management and administration or to carry out its legal responsibilities. Business Associate may disclose PHI received in its capacity as Business Associate to Covered Entity for Business Associate's proper management and administration or to carry out its legal responsibilities if a disclosure is Required by Law or if Business Associate obtains reasonable written assurances via a written agreement from the person to whom the information is to be disclosed that the PHI shall remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the Agreement requires the person or entity to notify Business Associate, within two (2) business days (who .in turn will notify Covered Entity within two (2) business days after receiving notice of a Breach as specified in Section.6.1 ), in writing of any Breach of Unsepured PHI of which it is aware. Uses and disclosures of PHI for the purposes identified in Section 3 must be of the minimum amount of PHI necessary to accomplish such purposes. 5. Safeguards. Business Associate, its Agent(s) and Subcontractor(s) shall implement and use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to any PHI that is maintained in or transmitted by electronic media, Business Associate-or its Subcontractor(s) shall comply with 45 CFR sections 164.308 (administrative safeguards), 164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and documentation requirements). Business Associate or its Agent(s) and Subcontractor(s) shall identify in writing upon request from Covered Entity all of the safeguards that it uses to prevent impermissible uses or disclosures of PHI. STATE OF VERMONT CONTRACT FOR SERVICES 6. Page 59 of 67 Contract#29960 Documenting and Reporting Breaches. 6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents) becomes aware of any such Breach, and in no case later than two (2) business days after it (or any of its employees or agents) becomes aware of the Breach, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. 6.2 Business Associate shall provide Covered Entity with the names of the individuals whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected individuals, as set forth in 45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered Entity to investigate the impermissible use or disclosure. Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available to it. Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions. 6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402, and therefore does not necessitate notice to the impacted individual(s), it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). When requested by Covered Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised. When a breach is the responsibility of a member of its Subcontractor's workforce, Business Associate shall either 1) conduct its own risk assessment and draft a summary of the event and assessment or 2) require its Subcontractor to conduct the assessment and draft a summary of the event. In either case, Business Associate shall make these assessments and reports available to Covered Entity. 6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2) business days after becomes aware of the Breach. 7. Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible use or disclosure of PHI, even if the impermissible use or disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible use or disclosure of PHI. If requested by Covered Entity, Business Associate shall make its mitigation and corrective action plans available to Covered Entity. Business Associate shall require a Subcontractor to agree to these same terms and conditions. 8. Providing Notice of Breaches. 8.1 If Covered Entity determines that an impermissible acquisition, access, use or disclosure of PHI for which one of Business Associate's employees or agents was responsible constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity, Business Associate shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When requested to provide notice, Business Associate shall consult with Covered Entity about the STATE OF VERMONT CONTRACT FOR SERVICES Page 60 of 67 Contract#29960 timeliness, content and method of notice, and shall receive Covered Entity's approval concerning these elements. The cost of notice and related remedies shall be borne by Business Associate. 8.2 If Covered Entity or Business Associate determines that an impermissible acquisition, access, use or disclosure of PHI by a Subcontractor of Business Associate constitutes a Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity or Business Associate, Subcontractor shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When Covered Entity requests that Business Associate or its Subcontractor provide notice, Business Associate shall either 1) consult with Covered Entity about the specifics of the notice as set forth in section 8 .1, above, or 2) require, by contract, its Subcontractor to consult with Covered Entity about the specifics of the notice as set forth in section 8.1 8.3 The notice to affected individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Business Associate reported the Breach to Covered Entity. 8.4 The notice to affected individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHI that were involved in the Breach, 3) any steps individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Business Associate is doing to investigate the Breach, to mitigate harm to individuals and to protect against further Breaches, and 5) contact procedures for individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c). 8.5 Business Associate shall notify individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following the requirements set forth in 45 CFR § 164.406. 9. Agreements with Subcontractors. Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in which the Subcontractor agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. Business Associate must enter into this Business Associate Agreement before any use by or disclosure of PHI to such agent. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of PHI. Business Associate shall provide a copy of the Business Associate Agreement it enters into with a subcontractor to Covered Entity upon request. Business associate may not make any disclosure of PHI to any Subcontractor without prior written consent of Covered Entity. 10. Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Business Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any request for access to PHI that Business Associate directly receives from an Individual. 11. Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or an Individual. Business Associate shall make such amendments in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate STATE OF VERMONT CONTRACT FOR SERVICES Page 61 of 67 Contract#29960 shall forward to Covered Entity for handling any request for amendment to PHI that Business Associate directly receives from an Individual. 12. Accounting of Disclosures. Business Associate shall document disclosures of PHI and all information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate shall provide s:uch information to Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond to an accounting request. Business Associate shall provide such information in the time and manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity for handling any accounting request that Business Associate directly receives from an Individual. 13. Books and Records. Subject to the attorney-client and other applicable legal privileges, Business Associate shall make its internal practices, books, and records (including policies and procedures and PHI) ·relating to the use and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity available to the Secretary in the time and manner designated by the Secretary. Business Associate shall make the same information available to Covered Entity, upon Covered Entity's request, in the time and manner reasonably designated by Covered Entity so that Covered Entity may determine whether Business Associate is in compliance with this Agreement. 14. Termination. 14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by Covered Entity or until all of the PHI provided by Covered Entity to Business Associate or created ·or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity subject to Section 18.8. 14.2 If Business Associate breaches any material term of this Agreement, Covered Entity may either: (a) provide an opportunity for Business Associate to cure the breach and Covered Entity may terminate the contract or grant without liability or penalty if Business Associate does not cure the breach within the time ~pecified by Covered Entity; or (b) immediately terminate the contract or grant without liability or penalty if Covered Entity believes that cure is not reasonably possible; or (c) if neither-termination nor cure are feasible, Covered Entity shall report the breach to the Secretary. Covered Entity has the right to seek to cure any breach by Business Associate and this right, regardless of whether Covered Entity cures such breach, does not lessen any right or remedy available to Covered Entity at law, in equity, or under the contract or grant, nor does it lessen Business Associate's responsibility for such breach or its duty to cure such breach. 15. Return/Destruction of PHI. 15 .1 Business Associate in connection with the expiration or termination of the contract or grant shall return or destroy, at the discretion of the Covered Entity, all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity pursuant to this contract or grant that Business Associate still maintains in any form or medium (including electronic) within thirty (30) days after such expiration or termination. Business Associate shall not retain any copies of the PHI. Business Associate shall certify in writing for Covered Entity (1) when all PHI has been returned or destroyed and (2) that Business Associate does not continue to maintain any PHI. Business Associate is to provide this certification during this thirty (30) day period. STATE OF VERMONT CONTRACT FOR SERVICES Page 62 of 67 Contract#29960 15.2 Business Associate shall provide to Covered Entity notification of any conditions that Business Associate believes make the return or destruction of PHI infeasible. If Covered Entity agrees that return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI. This shall also apply to all Agents and Subcontractors of Business Associate. 16. Penalties and Training. Business Associate understands that: (a) there may be civil or criminal penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure organizations. If requested by Covered Entity, Business Associate shall participate in training regarding the use, confidentiality, and security of PHI. 17. Security Rule Obligations. The following provisions of this section apply to the extent that .Business Associate creates, r~ceives, maintains or transmits Electronic PHI on behalf of Covered Entity. 17.1 Business Associate shall implement and use administrative, physical, and technical safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect'to the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall identify in writing upon request from Covered Entity all of the safeguards that it uses to protect such Electronic PHI. 17.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides Electronic PHI agrees in a written agreement to implement and use administrative, physical, and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of the Electronic PHI. Business Associate must enter into this written agreement before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written agreement must identify Covered Entity as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI. Business Associate shall provide a copy of the written agreement to Covered Entity upon request. Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor without the prior written consent of Covered Entity. 17.3 Business Associate shall report in writing to Covered Entity any Security Incident pertaining to such Electronic PHI (whether involving Business Associate or an Agent or Subcontractor). Business Associate shall provide this written report as soon as it becomes aware of any such Security Incident, and in no case later than two (2) business days after it becomes aware of the incident. Business Associate shall provide Covered Entity with the information necessary for Covered Entity to investigate any such Security Incident. 17.4 Business Associate shall comply with any reasonable policies and procedures Covered Entity implements to obtain compliance under the Security Rule. 18. Miscellaneous. 18.1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the contract/grant, the terms of this Agreement shall govern with respect to its subject matter. Otherwise, the terms of the contract/grant continue in effect. STATE OF VERMONT CONTRACT FOR SERVICES Page 63 of 67 Contract#29960 18.2 Business Associate shall cooperate with Covered Entity to amend this Agreement from time to time as is necessary for Covered Entity to comply with the Privacy Rule, the Security Rule, or any other standards promulgated under HIP AA. 18.3 Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule, Security Rule, or any other standards promulgated under HIP AA. 18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIP AA, the Privacy Rule and Security Rule, and the HIP AA omnibus final rule) in construing the meaning and effect of this Agreement. 18.5 As between Business Associate and Covered Entity, Covered Entity owns all PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity. 18.6 Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI it receives from Covered Entity or creates or receives on behalf of Covered Entity even if some of that information relates to specific services for which Business Associate may not be a "Business Associate" of Covered Entity under the Privacy Rule. 18. 7 Business Associate is prohibited from directly or indirectly receiving any remuneration in exchange for an individual's PHI. Business Associate will refrain from marketing activities that would violate HIP AA, including specifically Section 13406 of the HITECH Act. Reports or data containing the PHI may not be sold without Agency's or the affected individual's writte.n consent. 18.8 The provisions of this Agreement that by their terms encompass continuing rights or responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the provisions of this Agreement shall continue to apply if Covered Entity det~rmines that it would be ~nfeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Business Associate to provide an accounting of disclosures as set forth in Section 11 survives the expiration or termination of this Agreement with respect to accounting requests, if any, made after such expiration or termination. (Rev: 5/04/15) Page 64 of 67 Contract#29960 STATE OF VERMONT CONTRACT FOR SERVICES ATTACHMENT F AGENCY OF HUMAN SERVICES' CUSTOMARY CONTRACT PROVISIONS 1. Agency of Human Services - Field Services Directors will share oversight with the department (or field office) that is a party to the contract for provider performance using outcomes, processes, terms and conditions agreed to under this contract. 2. 2-1-1 Data Base: The Contractor providing a health or human services within Vermont, or near the border that is readily accessible to residents of Vermont, will provide relevant descriptive information regarding its agency, programs and/or contact and will adhere to the "Inclusion/Exclusion" policy of Vermont's United WayNermont 211. If included, the Contractor will provide accurate and up to date information to their data base as needed. The "Inclusion/Exclusion" policy can be found at www.vermont211.org 3. Medicaid Program Contractors: Inspection of Records: Any contracts accessing payments for services through the Global Commitment to Health Waiver and Vermont Medicaid program must fulfill state and federal legal requirements to enable the Agency of Human Services (AHS), the United States Department of Health and Human Services (DHHS) and the Government Accounting Office (GAO) to: Evaluate through inspection or other means the quality, appropriateness, and timeliness of services performed; and Inspect and audit any financial records of such Contractor or subcontractor. Subcontracting for Medicaid Services: Having a subcontract does not terminate the.Contractor, receiving funds under Vermont's Medicaid program, from its responsibility to ensure that all activities under this agreement are carried out. Subcontracts must specify the activities and reporting responsibilities of the Contractor or subcontractor and provide for revoking delegation or imposing other sanctions if the Contractor or subcontractor's performance is inadequate. The Contractor agrees to make available upon request to the Agency of Human Services; the · Department of Vermont Health Access; the Department of Disabilities, Aging and Independent Living; and the Center for Medicare and Medicaid Services (CMS) all contracts and subcontracts between the Contractor and service providers. Medicaid Notification ofTennination Requirements: Any Contractor accessing payments for services under the Global Commitment to Health Waiver and Medicaid programs who terminates their practice will follow the Department of Vermont Health Access, Managed Care Organization enrollee notification requirements. Encounter Data: Any Contractor accessing payments for services through the Global Commitment to Health Waiver and Vermont Medicaid programs must provide encounter data to the Agency of Human Services and/or its departments and ensure that it can be linked to enrollee eligibility files maintained by the State. Federal Medicaid System Security Requirements Compliance: All contractors and subcontractors must provide a security plan, risk assessment, and security controls review document within three months of the start date of this agreement (and update it annually thereafter) to support audit compliance with 45CFR95.621 subpart F, ADP (Automated Data Processing) System Security Requirements and Review Process. 4. Non-discrimination Based on National Origin as evidenced by Limited English Proficiency. The Contractor agrees to comply with the non-discrimination requirements of Title VI of the Civil Rights Act of 1964, 42 USC Section 2000d, et seq., and with the federal guidelines promulgat~d STATE OF VERMONT CONTRACT FOR SERVICES Page 65 of 67 Contract#29960 pursuant to Executive Order 13166 of 2000, which require that contractors and subcontractors receiving federal funds must assure that persons with limited English proficiency can meaningfully access services. To the extent the Contractor provides assistance to individuals with limited English proficiency through the use of oral or written translation or interpretive services in compliance with this requirement, such individuals cannot be required to pay for such services. 5. Voter Registration. When designated by the Secretary of State, the Contractor agrees to become a voter registration agency as defined by 17 V.S.A. §2103 (41), and to comply with the requirements of state and federal law pertaining to such agencies. 6. Drug Free Workplace Act. The Contractor will assure a drug-free workplace in accordance with 45 CFR Part 76. 1. Privacy and Security Standards. Protected Health Information: The Contractor shall maintain the privacy and security of all individually identifiable health information acquired by or provided to it as a part of the performance of this contract. The Cont~actor shall follow federal and state law relating to privacy and security of individually identifiable health information as applicable, including the Health Insurance Portability and Accountability Act (HIP AA) and its federal regulations. Substance Abuse Treatment Information: The confidentiality of any alcohol and drug abuse treatment information acquired by or provided to the Contractor or subcontractor shall be maintained in compliance with any applicable state or federal laws or regulations and specifically set out in 42 CFR Part 2. Other Confidential Consumer Information: The Contractor agrees to comply with the requirements of AHS Rule No. 08-048 concerning access to information. The Contractor agrees to comply with any applicable Vermont State Statute, including but not limited to 12 VSA § 1612 and any applicable Board of Health confidentiality regulations. The Contractor shall ensure that all of its employees and subcontractors performing services under this agreement understand the sensitive nature of the information that they may have access to and sign an affirmation of understanding regarding the information's confidential and non-public nature. Social Security numbers: The Contractor agrees to comply with all applicable Vermont State Statutes to assure protection and security of personal information, including protection from identity theft as outlined in Title 9, Vermont Statutes Annotated, Ch. 62. 2. Abuse Registry. The Contractor agrees not to employ any individual, use any volunteer, or otherwise provide reimbursement to any individual in the performance of services connected with this agreement, who provides care, custody, treatment, transportation, or supervision to children or vulnerable adults if there is a substantiation of abuse or neglect or exploitation against that individual. The Contractor will check the Adult Abuse Registry in the Department of Disabilities, Aging and Independent Living. Unless the Contractor holds a valid child care license or registration from the Division of Child Development, Department for Children and Families, the Contractor s_hall also check the Central Child Protection Registry. (See 33 V.S.A. §4919(a)(3) & 33 V.S.A. §691 l(c)(3)). 3. Reporting of Abuse, Neglect, or Exploitation. Consistent with provisions of 33 V.S.A. §4913(a) and §6903, any agent or employee of a Contractor who, in the performance of services connected with this agreement, has contact with clients or is a caregiver and who has reasonable cause to believe that a child or vulnerable adult has been abused or neglected as defined in Chapter 49 or abused, neglected, or exploited as defined in Chapter 69 of Title 33 V.S.A. shall make a report involving children to the Commissioner of the Department for Children and Families within 24 STATE OF VERMONT CONTRACT FOR SERVICES Page 66 of 67 Contract#29960 hours or a report involving vulnerable adults to the Division of Licensing and Protection at the Department of Disabilities, Aging, and Independent Living within 48 hours. This requirement applies except in those instances where particular roles and functions are exempt from reporting under state and federal law. Reports involving children shall contain the information required by 33 V.S.A. §4914. Reports involving vulnerable adults shall contain the information required by 33 V.S.A. §6904. The Contractor will ensure that its agents or employees receive training on the reporting of abuse or neglect to children and abuse, neglect or exploitation of vulnerable adults. 4. Intellectual Property/Work Product Ownership. All data, technical information, materials first gathered, originated, developed, prepared, or obtained as a condition of this agreement and used in the performance of this agreement - including, but not limited to all reports, surveys, plans, charts, literature, brochures, mailings, recordings (video or audio), pictures, drawings, analyses, graphic representations, software computer programs and accompanying documentation and printouts, notes and memoranda, written procedures and documents, which are prepared for or obtained specifically for this agreement - or are a result of the services required under .this grant - shall be considered "work for hire" and remain the property of the State of Vermont, regardless of the state of completion - unless otherwise specified in this agreement. Such items shall be delivered to the State of Vermont upon 3 0 days' notice by the State. With respect to software computer programs and/ or source codes first developed for the State, all the work shall be considered "work for hire," i.e., the State, not the Contractor or subcontractor, shall have full and complete ownership of all software computer programs, documentation and/or source codes developed. The Contractor shall not sell or copyright a work product or item produced under this agreement without explicit permission from the State. If the Contractor is operating a system or application on behalf of the State of Vermont, then the Contractor shall not make information entered into the system or application available for uses by any other party than the State of Vermont, without prior authorization by the State. Nothing herein shall entitle the State to pre-existing Contractor's materials. 5. Security and Data Transfers. The State shall work with the Contractor to ensure compliance with all applicable State and Agency of Human Services' policies and standards, especially those related to privacy and security. The State will advise the Contractor of any new policies, procedures, or protocols developed during the term of this agreement as they are issued and will work with the Contractor to implement any required. The Contractor will ensure the physical and data security associated with computer equipment including desktops, notebooks, and other portable devices - used in connection with this agreement. The Contractor will also assure that any media or mechanism used to store or transfer data to or from the State includes industry standard security mechanisms such as continually up-todate malware protection and encryption. The Contractor will make every reasonable effort to ensure media or data files transferred to the State are virus and spyware free. At the conclusion of this agreement and after successful delivery of the data to the State, the Contractor shall securely delete data (including archival backups) from the Contractor's equipment that contains individually identifiable records, in accordance with standards adopted by the Agency of Human Services. 6. Computing and Communication: The Contractor shall select, in consultation with the Agency of Human Services' Information Technology unit, one of the approved methods for secure access to the State's systems and data, if required. Approved methods are based on the type of work performed by the Contractor as part of this agreement. Options include, but are not limited to: 1. Contractor's provision of certified computing equipment, pedpherals and mobile devices, on a separate Contractor's network with separate internet access. The Agency of Human Services' accounts may or may not be provided. STATE OF VERMONT CONTRACT FOR SERVICES Page 67 of 67 Contract#29960 2. State supplied and managed equipment and accounts to access state applications and data, including State issued active directory accounts and application specific accounts, which follow the National Institutes of Standards and Technology (NIST) security and the Health Insurance Portability & Accountability Act (HIP AA) standards. The State will not supply e-mail accounts to the Contractor. 7. Lobbying. No federal funds under this agreement may be used to influence or attempt to influence an officer or employee of any agency, a member of Congress, an officer or employee of Congress, or an employee of a member of Congress in connection with the awarding of any federal contract, continuation, renewal, amendments other than federal appropriated funds. 8 . . Non-discrimination. The Contractor will prohibit discrimination on ·the basis of age under the Age Discrimination Act of 19.75, on the basis of handicap under section 504 of the Rehabilitation Act of 1973, on the basis of sex under Title IX of the Education Amendments of 1972, or on the basis of race, color or national origin under Title VI of the Civil Rights Act of 1964. No person shall on the grounds of sex (including, in the case of a woman, on the grounds that the woman is pregnant) or on the grounds of religion, be excluded from participation in, be denied the benefits of, or be subjected to discrimination, to include sexual harassment, under any program or activity supported by state and/or federal funds. The Contractor will also not refuse, withhold from or deny to any person the benefit of services, facilities, goods, privileges, advantages, or benefits of public accommodation on the basis of disability, race~ creed, color, national origin, marital status, sex, sexual orientation or gender identity under Title 9 V.s.A: Chapter 139. 9. Environmental Tobacco Smoke. Public Law 103-227, also known as the Pro-children Act of 1994 (Act), requires that smoking not be permitted in any portion of any indoor facility owned or leased or contracted for by an entity and used routinely or regularly for the provision of health, child care, early childhood development services, education or library services to children under the age of 18, if the services are funded by federal programs either directly or through state or local governments, by federal grant, contract, loan or loan guarantee. The law also applies to children's services that are provided in indoor facilities that are constructed, operated, or maintained with such Federal funds. The law does not apply to children's services provided in private residences; portions of facilities used for inpatient drug or alcohol treatment; service providers whose sole source of applicable federal funds is Medicare or Medicaid; or facilities where Women, Infants, & Children (WIC) coupons are redeemed. Failure to comply with the provisions of the law may result in the imposition of a civil monetary penalty of up to $1,000 for each violation and/or the imposition of an administrative compliance order on the responsible entity. Contractors are prohibited from promoting the use of tobacco products for all clients. Facilities supported by state and federal funds are prohibited from making tobacco products available to mmors. Attachment F - Revised AHS 12110110