Skip navigation

News Articles

This site contains over 2,000 news articles, legal briefs and publications related to for-profit companies that provide correctional services. Most of the content under the "Articles" tab below is from our Prison Legal News site. PLN, a monthly print publication, has been reporting on criminal justice-related issues, including prison privatization, since 1990. If you are seeking pleadings or court rulings in lawsuits and other legal proceedings involving private prison companies, search under the "Legal Briefs" tab. For reports, audits and other publications related to the private prison industry, search using the "Publications" tab.

For any type of search, click on the magnifying glass icon to enter one or more keywords, and you can refine your search criteria using "More search options." Note that searches for "CCA" and "Corrections Corporation of America" will return different results. 


 

Vermont DOC Contract Summary With Centurion 2015

Download original document:
Brief thumbnail
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
STATE OF VERMONT CONTRACT SUMMARY AND CERTIFICATION---- --- ---- Form AA-14 (8/22/11)
Note: All sections are required. Incomplete forms will be returned to department.

I. CONTRACT INFORMATION:
Agency/Department:

AHS/ Department of Corrections
Contract #: 29960
Amendment#:
Centurion of Vermont, LLC
VISION Vendor No:
1447 Peachtree St., Suite 500, Atlanta, GA 30309
Starting Date:
9/15/2015
1/31/2018
Amendment Date:
Ending Date:
Summary of agreement or amendment: EHR for Comprehensive Healthservices for Inmates.
Vendor Name:
Vendor Address:

II. FINANCIAL INFORMATION
Maximum Payable:
$1 ,023,463

Prior Maximum:

Current Amendment:

Cumulative amendments:

$

-r

Business Unit(s): ; 03420;
notes: program
II. PERFORMANCE INFORMATION

$

Prior Contract# (If Renewal):
$

% Cumulative Change:

J

VISION Account(s): ; 3480004070,507500

m.

I G-Fund

100%

S-Fund

%

%

F-Fund

□

~ Yes

Does this Agreement include Performance Measures tied to Outcomes and/or financial reward/penalties?
Estimated
Funding Split:

%

GC-Fund

%

No

Other

%

PUBLIC COMPETITION

The agency has taken reasonable steps to control the price of the contract or procurement grant and to allow qualified organizations to compete for the
work authorized by this contract. The agency has done this through :

0

~ Standard bid or RFP

Simplified Bid

D Qualification Based Selection

D Sole Sourced

IV. TYPE OF AGREEMENT & PERFORMANCE INFORMATION
D Service ~ Personal Service D Architect/Engineer
Check all that apply:
~ Information Technology
D Other, describe:
V. SUITABILITY FOR CONTRACT FOR SERVICE

I

D

Statutory

D Construction D Marketing

If this is a Personal Service contract, does this agreement meet all 3 parts of the "ABC" definition of independent
□
□ n1a
Contractor? (See Bulletin 3.5) IfNO, then Contractor must be paid through Payroll
No
VI. CONTRACTING PLAN APPLICABLE:
~
Are one or more contract or terms & conditions provisions waived under a pre-approved Contracting Plan?
D Yes
No
VII. CONFLICT OF :INTEREST

~Yes

By signing below, I certify that no person able to control or influence award of this contract had a pecuniary interest in its award or performance, either
personally or through a member of his or her household, family, or business.

D

~ No

Yes

I there an "appearance" ofa conflict of interest so that a reasonable person may conclude that this party was selected for
improper reason : (If yes, explain)

VIII. PRIOR APPROVALS REQUIRED OR REQUESTED

~ Yes

0
0

No
No

[8J Yes

□

No

□
□
[8J

[8J No
[8J No

[8J Yes

Yes
Yes
Yes

0

Agreement must be approved by the Attorney General under 3 VSA §311 (a)( 10) (personal service)
I request the Attorney General review this agreement as to form
No, already performed by in-house AAG or counsel:
(initial)
Agreement must be approved by the Comm. ofDII; for IT hardware, software or services and Telecommunications over
$100,000
Agreement must be approved by the CMO; for Marketing services over $15,000
Agreement must be approved by Comm. Human Resources (privatization and retiree contracts)
Agreement must be approved by the Secretary of Administration

No

,.- 1r, ' ; / I ,t

IX. AGENCY/DEPARTMENT BEAD C.ERTIFICATIQN; APPROVAL
I have made reaso'Jble inqui

() (

f

",.,,,.,r. ,,.

~ of the

..............

~,➔ 1 / ,,

Ag~~~ad

O'ate

Approval by Attorney General

Date

CIO

Date

above information:

-'itfa~1'/½1/s
ate

""""'

'

CMO

-

a1 il 1/

)rw; /~ ~

Agency Secretary or Other D~

-

rt~ ent Head (if required)

Date

Approved by Commissioner of Human Resources

Date

Secretary of Administration

Agency/Department:

AHS/ Department of Corrections

Vendor Name:

Centurion of Vermont, LLC

Vendor Address:

1447 Peachtree St., Suite 500, Atlanta, GA 30309

Starting Date:

9/15/2015

Summary of agreement or amendment:

Maximum Payable:

$1,023,463

Current Amendment:

$

Business Unit(s : ; 03420;

Contract#: 29960

Amendment#:

VISION Vendor No:

Ending Date:

1/31/2018

Amendment Date:

EHR for Comprehensive Healthservices for Inmates.

Prior Contract# (If Renewal):
Cumulative amendments:

% Cumulative Change:

$

%

- not

f8I

Does this Agreement include Performance Measures tied to Outcomes 'and/or financial reward/penalties?
Estimated
Funding Split:

G-Fund 100%

%

S-Fund

F-Fund

%

GC-Fund

%

Yes

Other

%

The agency has taken reasonable steps to control the price of the contract or procurement grant and to allow qualified organizations to compete for the
work authorized by this contract. The agency has done this through:

0

f8I Standard bid or RFP

f8I Yes

D

D n/a

No

Simplified Bid

D Sole Sourced

D Qualification Based Selection

D

Statutory

Ifthis is aPerso
Contractor?

By signing below, I certify that no person able to control or influence award of this contract had a pecuniary interest in its award cir performance, either
personally or through a member of his or her household, family, or business.

D

Yes

f8I

No

18l' Yes
181 Yes

0
0

No
No

181

Yes

0

No

D
D
181

Yes
Yes
Yes

f8I
f8I
0

No
No
No

CJ( \\tl'

l s !here an "appearance" of a conflict of interest so that a reasonable person may conclude that this party was selected for
improper reasons: (lf yes, explain)

Agreement must be approved by the Attorney General under 3 VSA §31 l(a)(I0) (personal service)
I request the Attorney General review this agreement as to fonn
No, already performed by in-house AAG or counsel: _ _ ____ (initial)
Agreement must be approved by the Comm. ofDII; for IT hardware, software or services and Telecommunications over
$100,000
Agreement must be approved by the CMO; for Marketing services over $15,000
Agreement must be approved by Comm. Human Resources (privatization and retiree contracts)
Agreement must be approved by the Secretary of Administration

E-SIGNEO,,by Jonathan C Provost
on 2015'09-1 0 10:55:16 GMT

0

E-SIGNED by Barbara Cormier
on'20'15•09-1 0 17 :51:31 GMT

E.SIGNEO by Jack Green
E-SIGN ED by John Hunl
E,SlcfNEiD by Linda Mo; se
E..~ IGNE.O by Aimee Pope
on,201 5-09-10 19:24:01 GMT on@15;P9-18 16:54:17 GMT on 2,0~5-09-28 14:30:4 1 GMT on·2(l15,;P9-29 18;27:50 GMT

State of Vermont
Department of Corrections
103 South Main Street
Waterbury, VT 05671-1001
www.doc.state.vt.us

[phone]
[fax]
[fax]

Agency of Human Services

802-241-2442
802-951-5017
802-951-5086

MEMORANDUM
To:

Justin Johnson, Secretary of Administration

Thru: Hal Cohen, Secre~
From: Andrew~

, Agency of Human Services

d ~issioner, Department of Corrections

Date: August 11, 2015
Re:

Centurion of Vermont, LLC, Contract #29960

Background:
In August 2014, the VDOC released an RFP for inmate health services. Attached for your reference is the
original memo dated December 8, 2014 that accompanied the correctional health services contract with
Centurion of Vermont, LLC that commenced on February 1, 2015. As this memo states, VDOC had initially
included an Electronic Health Record (EHR) as part of the RFP; however, based on concerns that the EHR
would pose a risk of a delay to the entire contract given the potential length of time required for the DII review
process including a lengthy Independent Review, the decision was made to establish a separate Centurion EHR
contract or "carve out" of the EHR to expedite the health services contract routing. The decision as it happened
was a good one as the EHR contract has encountered many obstacles and delays which will ultimately result in
a 'go live' date that will narrowly precede the closing of the Correct Care Solutions (VDOC's prior health
services contractor) $0 contract extension that secured the use of its Electronic Records Management
Administrator (ERMA) which the Department has been using in lieu of its anticipated EHR. The hard set end
date for ERMA is January 31, 2016. It is imperative that the new EHR be ready prior to that date.
Bidding Process
The DOC solicited bids from qualified vendors for the provision of a range of health services for inmates. We
placed a strong· emphasis on the vendor's inclusion of technology applications specifically an EHR that would
be sufficient to meet all aspects of needs (care coordination, continuity and linkages during transitions of care).
The cost of the EHR was included as part of the vendor's bid. VDOC further required that the EHR be HIP AA
compliant; meet 2014 Meaningful Use Criteria; electronic medication administration capacity (eMAR) and has
the potential for linkages/interfaces with. other State information platforms including VITL. Centurion chose
CorrecTek, Inc. based on the company's ability to meet our basic EHR needs and its willingness to agree with
requirements that will ensure the system conforms to the State's needs for an effective, high performing EHR
system.

~

YERMONT

Performance Measures
Over the past several months, VDOC, Centurion, CorrecTek (the EHR vendor), AHS IT and DII have worked
diligently to ensure that the EHR contract meets all federal and state HIT standards and requirements as well as
meeting VDOC's specific requirements for generating reports, improving quality, measuring outcomes and
tracking information as these relate to our own Triple Aims; improving the experience of care, improving the
health of our populations, and reducing per capita costs of health care. Inherent in all of these is VDOC's
requirement for a system that supports the assessment and measurement of contactor performance. The EHR
contract requires that the vendor provide services in multiple areas including but not limited to:
1.
2.
3.
4.
5.

Milestone Deliverables that must be met by specific due dates;
Project Management Plan with adequate oversight and staffing;
Comprehensive implementation plan as part of the project plan;
Training and Education Plan and;
Data Conversion and Migration Plan.

A retainage of 10% will be held back for e~ch deliverable and will not be released by VDOC until the
contractor's completion of all deliverables.
-

-

EHR Contract Year

Estimated Cost per Year

Year 1-- CY 16

$793,504
'

Year2-CY 17

$78,558

Year 3-CY 18

$100,476

Reserved for Change Orders & Additional
Costs for Hosting/Microsoft Licensing Fees

$50,925

---

-

-

~.~

-

---

-

-

-

~

i

.
I

, Total EHR Cost
-

~

-

-

-- -

--

-

$1,023,463

I

Attachments:
1) Original health services contract memo with Centurion of VT, LLC dated 12/8/14
2) Centurion of Vermont, LLC Contract #29960

State ofVermont
Department of Corrections
103 South Main Street
Waterbury, VT 05671-1001
www.doc.state.vt.us

[phone]
[fax]
[fax]

802-241-2442
802-951-5017
802-951-5086

Agency of Human Services

MEMORANDUM

To:

Justin Johnson, Secretary of Administration

E-SIGNED by Michael Clasen
on 2015-09-29 18:32:49 GMT

Thru: Hal Cohen, Secrefary, Agency of Human Services

From: Andrew~ d~ssioner, Department of Corrections
Date: August 11, 2015
Re:

Centurion of Vermont, LLC, Contract #29960

Background:
In August 2014, the VDOC released an RFP for inmate health services. Attached for your reference is the
original" memo dated December 8, 2014 that accompanied the correctional health services contract with
Centurion of Vermont, LLC that commenced on February 1, 2015. As this memo states, VDOC had initially
included an Electronic Health Record (EHR) as part of the RFP; however, based on concerns that the EHR
would pose a risk of a delay to the entire contract given the potential length of time required for the DII review
process including a lengthy Independent Review, the decision was made to establish a separate Centurion EHR
contract or "carve out" of the EHR to expedite the health services contract routing. The decision as it happened
was a good one as the EHR contract has encountered many obstacles and delays which will ultimately result in
a 'go live' date that will narrowly precede the closing of the Correct Care Solutions (VDOC's prior health
services contractor) $0 contract extension that secured the use of its Electronic Records Management
Administrator (ERMA) which the Department has been using in lieu of its anticipated EHR. The hard set end
· date for ERMA is January 31, 2016. It is imperative that the new EHR be ready prior to that date.
Bidding Process
The DOC solicited bids from qualified vendors for the provision of a range of health services for inmates. We
placed a strong· emphasis on the vendor's inclusion of technology applications specifically an EHR that would
be sufficient to meet all aspects of needs (care coordination, continuity and linkages during transitions of care).
The cost of the EHR was included as part of the vendor's bid. VDOC further required that the EHR be HIPAA
compliant; meet 2014 Meaningful Use Criteria; electronic medication administration capacity (eMAR) and has
the potential for linkages/interfaces with. other State information platforms including VITL. Centurion chose
CorrecTek, Inc. based on the company's ability to meet our basic EHR needs and its willingness to agree with
requirements that will ensure the system conforms to the State's needs for an effective, high performing EHR
system.

~YERMONT

Performance Measures
Over the past several months, VDOC, Centurion, CorrecTek (the EHR vendor), AHS IT and DII have worked
diligently to ensure that the EHR contract meets all federal and state HIT standards and requirements as well as
meeting VDOC's specific requirements for generating reports, improving quality, measuring outcomes and
tracking information as these relate to our own Triple Aims; improving the experience of care, improving the
health of our populations, and reducing per capita costs of health care. Inherent in all of these is VDOC's
requirement for a system that supports the assessment and measurement of contactor performance. The EHR
contract requires that the vendor provide services in multiple areas including but not limited to:
1.
2.
3.
4.
5.

Milestone Deliverables that must be met by specific due dates;
Project Management Plan with adequate oversight and staffing;
Comprehensive implementation plan as part of the project plan;
Training and Education Plan and;
Data Conversion and Migration Plan.

A retainage of 10% will be held back for e~ch deliverable and will not be released by VDOC until the
contractor's completion of all deliverables.
,.
. ..
.. ---·-- ..
.. - -- . . .. .. - .. .. .
- .. -•
... Contract
. . Year
..
..
... . . ;Es~!ll-~t~d Cost I?~! Y~a.r_ ··-- .,
.. ·- EHR
-- ..
,

~

-

.. • • •• r •• -

--

'

Year 1-., CY 16

[

$793,504
. ,

:

I

Year2-CY 17

;

'

'

·.

$78,558

..

--- --

..

Year3-CY 18

$!00,476

'

Reserved for Change Orders & Additional ;
Costs for Hosting/Microsoft Licensing Fees :
.. -.. -. .. !
•·
''

.

•

1

:
i

- ·- -·

...

4 ••

· Total EHR Cost
.... ..

.., . ••--u • •

' ••

· ·

· -~

u

~

• u• •

'
!

$50,925

-

~

'

-

i
i

$1,023,463

:

'~· ... ' .

.

..

I

..

-

-·-. ~---~··· . . .

~

.. .. ....

- - -- -

.

Attachments:
1) Original health services contract memo with Centurion of VT, LLC dated 12/8/14
2) Centurion of Vermont, LLC Contract #29960

..

.

-

. . ..

--·

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 1 of 67
Contract#29960

1. Parties. This is a contract for personal services between the State of Vermont, Department of
· Corrections (hereafter called "State''), and Centurion of Vermont, LLC, with a principal place of
business in 1539 Spring Hill Road, Suite 600, Vienna, VA 22182 (hereafter called "Contractor").
The Contractor's form of business organization is a Vermont limited liability company. The
Contractor's local address is 5430 Waterbury-Stowe Road, Rt. l00N Building 1, Ground Floor
Waterbury Center, VT 05677. It is the Contractor's responsibility to contact the Vermont
Department of Taxes to determine if, by law, the Contractor is required to have a Vermont
Department of Taxes Business Account Number.
2. Subject Matter. The subject matter of this contract is services generally on the subject of
development, implementation, software, support and maintenance, and hosting of an Electronic
Health Record ("EHR") System. Detailed services to be provided by the Contractor are described
in Attachment A.
3. Maximum Amount. In consideration of the services to be performed by Contractor, the State
agrees to pay Contractor, in accordance with the payment provisions specified in Attachment B, a
sum not to exceed $1,023,463.
4. Contract Term. The period of Contractor's performance shall begin on 9/15/2015 and end on
1/31/2018, with the option of two one-year extension periods by mutual agreement of the Parties.
Year One is defined as 9/15/2015 up through and including 1/31/2016. Year Two is defined as
2/1/2016 up through and including 1/31/17. Year Three is defined as 2/1/17 up through and
including 1/31/18. Optional Year Four is defined as 2/1/18 up through and including 1/31/19.
Optional Year Five is defined as 2/1/19 up through and including 1/31/20.
5. Prior Approval .
If approval by the Attorney General's Office, Secretary of Administration, DII
CIO/Commissioner, or Chief Marketing Officer is required, (under current law, bulletins, and
interpretations), neither this contract nor any amendment to it is binding until it has been approved
by such persons.
•
•
•
•

Approval
Approval
Approval
Approval

by the Attorney General's Office is required.
by the Secretary of Administration is required.
by the CIO/Commissioner ofDII is required.
by the CMG/Marketing Services is not required.

6. Amendment. No changes, modifications, or amendments in the terms and conditions of this
contract shall be effective unless reduced to writing, numbered and signed by the duly authorized
representative of the State and Contractor.
7. Termination. This contract may be cancelled by either party by giving written notice at least 90
days in advance.
8. Attachments. This contract consists of 67 pages including the following attachments, which are
incorporated herein:
Attachment A - Specifications of Work to be Performed
Attachment B - Payment Provisions
Attachment C - Customary State Contract provisions

Page 2 of 67
Contract#29960 ·

STATE OF VERMONT
CONTRACT FOR SERVICES

Attachment D - Other Provisions
Attachment E - Business Associate Agreement
Attachment F - Customary Contract Provisions of the Agency of Human Services
Attachment G - Interface Attachments
The order of pr~cedence of documents shall be as follows:
1).
2).
3).
4).
5).
6).
7).
8).

This document
Attachment D
Attachment C
Attachment A
Attachment B
Attachment E
Attachment F
Attachment G

WE THE UNDERSIGNED PARTIES AGREE TO BE BOUND BY THIS CONTRACT.

BY THE STATE OF VERMONT:
Date:

/i} /2- 2- / /
l

r

f-'><? /)

BY Centurion of Vermont, LLC:
Date:

Jo/J~/4:5C>Jo

Signature: _ _:~=-- -- -===-

Signature: ~

Name: Andrew Pallito

Name: Steven H. Wheeler

~

Title: Commissioner
Agency/Dept.:
Agency of Human Services
Department of Corrections

AHS Revised 07/21/08

Title: Chief Executive Officer
Phone: (703) 749-4600
Email: swheeler@mhm-services.com

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 3 of 67
Contract#29960

ATTACHMENT A
SPECIFICATIONS OF WORK TO BE PERFORMED
A. SERVICE DESCRIPTION

1. Contractor shall provide the following services for the State: Contractor shall configure,
implement, support, maintain and host an Electronic Health Record System ("EHR") for
State. In addition, Contractor shall train State staff in addition to its own staff in the usage of
the Electronic Health Record.
2. In accordance with Attachment C, Section 15, the State hereby acknowledges that Contractor
is not in the business of developing, licensing, implementing or hosting an EHR system and,
therefore, approves Contractor's use of the following subcontractors for performance of all
or portions of this Contract: CorrecTek, Inc. ("CORRECTEK") and Kalleo Technologies,
LLC ("KALLEO").
3. Contractor may not use additional subcontractors to perform work under this Agreement
without the prior written approval of the State.
4. Contractor shall be responsible for directing and supervising each of its subcontractors and
any other person performing any of the Work under an agreement with Contractor.
Contractor has provided to the State a list of all subcontractors and subcontractors'
subcontractors, together with the identity of those subcontractors' workers compensation
insurance providers. Contractor shall be responsible and liable to the State for all acts or
omissions of subcontractors and any other person performing any of the Services under an
agreement with Contractor or any subcontractor.
5. Project Management Methodology
The Contractor will ensure a tool acceptable to the State is used to ensure the project paces
correctly and all deliverables are met. Regular activity reports will be provided to all
stakeholders. Weekly status meetings may be held to ensure there are no issues with
communication.
The Contractor shall provide a Project Management Team that may be comprised of
Contractor staff, subcontractors' staff or both. The Project Manager shall have experience
implementing system-wide electronic health record systems. At least one member of the
Project Management Team will have three (3) years' experience implementing the
subcontractor's EHR in correctional environments. At least one member of the team will
possess a Master's Degree in IT Management.
6. Work to be Performed
The Contractor agrees to perform all of the requirements of the Scope of Work outlined below:
• Provide a Project Manager for the work associated with the implementation of this system .
• Provide an Escrow Agreement.
• Provide a Project Management Plan.
• Provide a Data Conversion and Migration Plan, complete the migration process, and
convert legacy data for use in the Electronic Health Record.
• Provide a Staffing Plan.
• Provide a Risk Management Plan, and Security Controls Document.
• Provide a Change Management Plan including targeted written and oral communication for
a smooth implementation.

STATE OF VERMONT
CONTRACT FOR SERVICES
•
•
•

•
•
•
•
•
•
•
•

Page 4 of67
Contract#29960

Provide a Communications Plan.
Provide a Network Design, System Design, and Technical Documentation.
Provide an IT System Security Plan, including Security Controls Audit Document and an
IT Risk Assessment, based on SSAE-16 SOC 2 and Federally required Security Policy.
This plan includes event management and monitoring functionality according to
Information Technology Infrastructure Library version 3 (ITIL v3), or equivalent best
practices, and TIA 942 standards.
Provide a Requirements Traceability Matrix and Work Breakdown Structure.
Provide and adhere to a detailed Testing Plan, incorporating the CorrecTek, Inc. standard
Show and Tell process.
Provide a Training Plan, Training materials, and train State staff.
Deliver a system that is secure and confidential and meets all of the requirements listed
within this Contract.
Deliver system and services that are compliant with Federal and State Regulations,
including the Health Insurance Portability and Accountability Act of 1996 (HIP AA).
Deliver a system and service that meet all applicable state and federal audit requirements.
Ensure a one-year Warranty Period is provided by the EHR manufacturer after Go-Live
date.
Provide a Post Implementation Review, including Post Implementation Evaluation.

7. Requirements
The Contractor shall provide a system and items for the system that includes all of the
requirements listed:

1

2

3

4

5

6

General Requirements
Contractor shall provide the hosted CorrecTek Electronic Health Record (EHR) System
The system shall conform to State security standards and protocols. A list of the Agency
of Human Service security policies can be found at
http ://humanservices. vermont. gov /policy-legislation/policies/0 5-informationtechnology-and-electronic-communications-policies/ and a list of State of Vermont
security policies can be found at http://dii.vermont.gov/policy/policy.
The system will be fully integrated into the system qf care and will interface with DOC's
Offender Management System in a manner that will ensure continuity of care and
maximize care coordination efforts to ensure that sustainability efforts can be realized,
and performance-based accountability can be driven.
The system shall have the ability to interoperate with State partners, through the use of
interfaces as defined in the CONSTRUCTION, CONFIGURATION, AND UNIT
TESTING section of this contract. The EHR shall improve the coordination of care by
enhancing interoperability between Vermont DOC and external partners in care.
The system shall have the ability to communicate with and share data with other external
systems through a variety of communication protocols, including but not limited to, Web
Services, TCP/IP Port Communication, File Transfer, SFTP, HL7 2.x, C-CDA, Tab
Delimited Files, and many more. Contractor is willing to work with the State and
partner applications involved to determine the best method of communicating and
sharing data to meet the business needs presented..
The system shall provide ad-hoc reporting capabilities using all data fields in the EHR to
create all needed reports. Ad-hoc reporting will utilize a graphical user interface that
does not require that users te need to know specific coding languages in order to run
reports as required by the State.

STATE OF VERMONT
CONTRACT FOR SERVICES

7
8
9
10
11

12
13

14
15
16
17
18
19
20

Page 5 of 67
Contract#29960

The system shall be able to export datasets in formats including but not limited to excel,
comma delimited, and fixed width.
The system shall include role based permissions to allow access to staff based on State
approved functions to access State data.
The system shall have spell check for free text fields for commonly used words. The
system should provide drop-downs with selections, if possible, to eliminate errors in
typing.
The system shall include an Administration module that allows non-technical staff to
establish new user permissions and to change existing permissions.
The system shall be highly configurable so that established processes and data elements
can be modified.
The system shall have the ability for reporting needs to export to Microsoft Excel and
Word.
The system shall have the ability to perform a drill down search for data elements
contained in the Electronic Health Record System as defined by the State. Any
additional drill down search requirements identified by the State that are not contained in
the system will require a Change Order.
The system shall provide its own document storage and retrieval component as defined
by the State.
The system shall utilize the state of Vermont Simple Mail Transfer Protocol (SMTP)
relay for all email notifications.
The system shall support task related ticklers/reminders currently contained in the
Electronic Health Record System. Any specific requirements identified by the State that
are-is not contained in the Electronic Health Record System will require a Change Order.
The contractor shall convert legacy data to populate the new system. This shall include
the department's medical record data, which is currently accessed through ERMA,
detailed in the Data Migration and Configuration section.
The system shall have a separate testing and production environments.
The contractor shall provide, submit and execute a training plan for the system per the
Training Plan and Training Materials section.
The system shall have data fields populated from the OMS interface to view individual
inmate exact daily housing designation (cell and restriction level specific).

21 The system shall identify the user making any entry into the database.
The system shall have the ability for designated users to reset users' passwords as well as
the ability for admins to reset users' passwords.
The system shall allow authorized users to assign labels/alerts to offenders for easy
23 recognition of special case needs, including but not limited to Serious Functional
Impairments, and Prison Rape Elimination Act (PREA) Standards
The system shall produce all reports as presented to the State. Any additional reporting
requirements identified by the State that are not contained in the system will require a
24
Change Order. Portions of the reports should be auto filled from the database and shall
allow text be entered by a user.
The System shall provide fields, as defined by the State, required for the continuous
quality improvement (CQI) program based on the National Commission on Correctional
Health (NCCHC) essential and important standards for same, as well as selected
25
measures from National Commission on Quality Assurance-Health Evaluation Data
Information Set (NCQA-HEDIS), the Centers for Medicaid and Medicare Services
(CMS).

22

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 6 of67
Contract#29960

The system shall track requests for Americans with Disabilities Act (ADA)
accommodations ..
Data Exchanges
The system shall be able to process and import data including, but not limited to, a
27
comma separated file format or other file format.
The system shall be configurable for 15 minute increment, daily, weekly, or monthly
28 scheduled imports from external data sources or timeframes currently contained in the
Electronic Health Record System.
The system shall allow the secure transmission of selected files/information to
community/outside entities. All Personal Identifiable Information (PII) and Personal
29
Health Information (PHI) data at rest shall be in an encrypted format. The minimum
encryption level is AES 128 encryption that is FIPS140-2 validated.
26

Performance requirements
The system shall be in operation 24 hours a day every day except as described in the
Service Level Agreement.
The system shall have 99.98% uptime except as outlined in the Service Levels and
31
Support section.
If the proper hardware and network infrastructure is in place from the State, the system
32 shall handle up to 66 concurrent users and 200 total users using the system at various
times.
The Contactor shall provide Transactional Response Times for the system in the
following areas: Individual Offender Record Look-ups; Queries; Standard Reports;
33 Complex Reports; Custom and Ad-Hoc Reports. Contractor shall not be liable for
transaction response times if the State experiences a failure of any kind in its broad-band
connection.
30

Health Services Requirements
The system shall meet the criteria for 2014 Meaningful Use (MU) Ambulatory Criteria.
Criteria can be found at
34 http://www.cins.gov/Regulations-andGuidance/Legislation/EHRincenti vePrograms/Stage 2.html and
htto://www.Q'no.Q:ov/fdsvs/oke/FR-201 2-09-04/odf/2012-20982.ocif
The System shall be compliant with all current (2008 and 2014) and future NCCHC
35 standards for jails and prisons.

36

37
38

39
40

The system shall integrate physical, behavioral, mental, pharmacy, dietary, and lab
functions in a single system. These features and functions shall be present in the initial
system; if requested by the State and not already contained within the vendor's system
then a change order shall be required by the State.
The System shall meet the criteria for an electronic medication administration record (eMAR)
The system shall maintain an electronic inventory process (e-MAR) to ensure the
availability of daily, stock medication and other necessary and commonly prescribed
medications.
The System shall meet the 2014 Edition EHR Certification General Criterion. These
criterion can be found at
htto ://healthcare.nist. gov/use testimr/finalized reaui.rements.html
The system shall meet the NCCHC standards P-D-04 and MH-D-04 for computerized

STATE OF VERMONT
CONTRACT FOR SERVICES

41

42

43

44
45
46

47
48

Page 7 of 67
Contract#29960

provider order entry.
The system shall have data fields populated from the OMS interface to notify users of
items including, but not limited to, Special Needs, Alerts, Holds, Medical or Mental
Health Conditions or Accommodations, in accordance with P-E-03 and MH-E-03.
The system shall have data fields to input, store, and, if applicable, import data for
documentation of health benefit plan information including, but not limited to, the name
of the insurer, coverage type, group/policy number, expiration date, and other
information necessary for filing a claim if applicable, or determining health coverage
upon release as defined by the State. Any additional requirements identified by the State
that are not contained in the system will require a Change Order.
The systems shall store, display and permit changes in the appropriate movement code
(M-Code) to ensure that inmates for whom transfer would interfere with treatment
planning or whose medical or mental health condition would be negatively affected are
not transferred without approval of medical or mental health in accordance with NCCHC
standards P-E-10 and MH-E-08.
The system shall have data fields to input and store CQI, operational efficiency, and Pay
for Performance (P4P) program data.
The system shall utilize a standardized workflow to increase patient care and decrease
errors.
In addition to the standard system reports, the system shall allow users to create
automated reports as agreed upon by the State and the Contractor.
Laboratory Requirements
The systems shall display the laboratory tests and values/results received in human
readable format
The systems shall attribute, associate, or link a laboratory test and value/result with a
laboratory order and patient record.

49 The systems shall store laboratory tests and values/results.
The systems shall electronically receive and incorporate clinical laboratory tests and
values/results in accordance with the standard specified in§ 170.205G) and, at a
50
minimum, the version of the standard specified in §170.207(c)(2).
The systems shall display all the information for a test report that complies with CMS
regulations found at 42 CFR 493.1291(c)(l) through (7).
Pharmacy Requirements
The system shall allow authorized users to adjust notifications provided for drug-drug
52
and drug-allergy interaction checks.
The system shall allow users to electronically check if drugs are in a formulary or
53
preferred drug list.
The system shall maintain an active medication list and allow a user to electronically
54 record, modify, and retrieve a patient's active medication list as well as medication
history for longitudinal care.
The system shall maintain active medication allergy list and allow a user to
55 electronically record, modify, and retrieve a patient's active medication allergy list as
well as medication allergy history for longitudinal care
The systems shall meet the 2014 criteria for Computerized provider order entry (CPOE)
56 available to staff for the purpose of electronically recording, changing and accessing
pharmacy and pharmaceutical data.

51

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 8 of 67
Contract#29960

The system shall use an identification method, including but not limited to bar codes, for

57 connecting to data files to monitor medication use for safety and utilization of inventory.
58 The system shall track medications dispensed and refused by offenders.
Programs & Services Requirements

The system shall track attendance_at healthcare related appointments; individual or

59 group.

The system shall allow authorized users to enter and maintain offender scheduling for

60 assigned appointments and programs

The system shall be able to produce profile alerts for special medical and mental health
needs.
The system shall have the ability to store and retrieve all inmate information related to
62 medical, mental health, and psycho-social status from booking through release.
The system shall be able to store and retrieve inmate health data to be used in the daily
63 management of the inmate, including but not limited to housing, program, work, and·
contact restrictions.
The system shall allow authorized users to enter and maintain data, including wait list
64
data, for an aooointment or program.
Care Coordination/ Management Requirements
The system shall provide or allow the user to define data fields and category information
65 related to Care Coordination/Management.

61

Grievance Tracking and Management Requirements

The system shall allow the user to document and track.healthcare related offender
grievances for inmates in a correctional facility.
The system shall allow authorized users to enter information into each step of the
67 Department's grievance process.
The system shall allow authorized users to sort and generate reports on grievances based
68 on different categories from data within the EHR; including but not limited to subject,
site and staff member.
The system shall provide a configurable work flow that assigns a grievance and/or sends
69 an email alert to a user that is responsible for ensuring that the grievance is completed
within set time frames and; will send an alert to all authorized staff.

66

Scheduling Requirements

70 The system shall have a scheduling function for the correctional facilities.
The system shall provide tracking of all offender activities including, but not limited to,
71 healthcare appointments and attendance at treatment programs, and provide an alert if
there is a scheduling conflict.
The system shall be able to allow users to view schedules for the entire facility or
72 specific inmates by day, month or year.
The system shall maintain detailed records of all internal and external scheduled and
73
unscheduled movements of offenders.
Other Requirements
74 Contractor shall provide service using the Unanticipated Time and Management Table

STATE OF VERMONT
CONTRACT FOR SERVICES

75
76
77

78

81

7.

Page 9 of 67
Contract#29960

contained in Attachment B to project costs (per hour) for items that are required in the
future, but are not included as part of the contract.
Data shall be entered into the contractor's EHR in accordance with AHS and Vermont's
statutes on use of electronic health records and destruction or retention of paper
originals.
Contractor Staff shall sign an Equipment and Data Use Agreement as provided by the
State of Vermont.
Contractor shall provide security audits of the application, including audit logs and
reporting as required by Federal and State law.
Contractor shall provide a security audit of the data center at which the system shall be
hosted, including but not limited to SSAE-16 SOC 2, NIST 800-53 R4 and IRS-1075
auditing. The Contractor represents and warrants that it has implemented and it shall
maintain during the term of this Contract the highest industry standard administrative,
technical, and physical safeguards and controls consistent with NIST Special Publication
800-53 (version 4 or higher) and Federal Information Processing Standards Publication
200 and designed to (i) ensure the security and confidentiality of State Data; (ii) protect
against any anticipated security threats or hazards to the security or integrity of the State
Data; and (iii) protect against unauthorized access to or use of State Data. Such
measures shall include at a minimum: (1) access controls on information systems,
including controls to authenticate and permit access to State Data only to authorized
individuals and controls to prevent the Contractor employees from providing State Data
to unauthorized individuals who may seek to obtain this information (whether through
fraudulent means or otherwise); (2) industry-standard firewall protection; (3) encryption
of electronic State Data while in transit from the Contractor networks to external
networks; (4) measures to store in a secure fashion all State Data which shall include
multiple levels of authentication; (5) dual control procedures, segregation of duties, and
pre-employment criminal background checks for employees with responsibilities for or
access to State Data; (6) measures to ensure that the State Data shall not be altered or
corrupted without the prior written consent of the State; (7) measures to protect against
destruction, loss or damage of S_tate Data due to potential environmental hazards, such as
fire and water damage; (8) staff training to implement the information security measures;
and (9) monitoring of the security of any portions of the Contractor systems that are used
in the provision of the services against intrusion on a twenty-four (24) hour a day basis.
Contractor shall provide a complete system data dictionary using the State's Data
Dictionary Template to effectively document all data elements that are to be stored in the
database. Accessing the EHR database by any software or application other than those
provided or approved by the Contractor is strictly prohibited
MILESTONES
If State determines that a milestone deliverable required under this Contract does not meet, or
otherwise conform to, the State's requirements as set forth in this Contract, then State shall
provide Contractor with a notice describing the nonconformance of the deliverable. Contractor
shall have thirty (30) days from the date it receives State's notice of the nonconformance to
make the deliverable meet or otherwise conform to the State's requirements at no additional
cost to State. If the State does not notify the Contractor within thirty (30) days after
presentation of non-conformant deliverable, then the Contractor shall be able to invoice for
said deliverable. Thereafter, should State identify a deliverable is non-conformant with the
requirements, then the State shall have the right to request conformance within thirty (30)
days. Contractor shall have thirty (30) days from the date it receives State's request and

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 10 of 67
Contract#29960

notification of the nonconformance to conform to the State's requirements and this change
shall be at no additional cost to State. Contractor's failure to meet a deliverable will not be
considered as a breach if the cause of the delay in the deliverable was attributed in whole or in
part to the State or a third-party software vendor to which the EHR must interface
This process of acceptance can be used by the State for each and every deliverable or redeliverable milestone. The EHR Client/Server Go-Live Date shall be when the EHR is put into
production for use at all locations listed in the Service Delivery & Activities section. It is the
responsibility of the State to have all eight (8) locations identified ready for Go-Live on a
simultaneous date. Contractor shall complete the following deliverables on the due dates. Due
Dates for Milestone Deliverables may be changed upon the request of the Contractor and
acce_p·t ance b1y the Stat e.
ID#

1
2
3

4

Milestone/Deliverable
Description
Phase 1: Project Kick-Off
Kick Off Meeting
Delivery of Initial Project Plan
Data Conversion and Migration
Plan
Staffing Plan
Phase 2: Network Readiness

5
6
7
8
9
10
11
12
13

14
15
16
17

18

Security Plan
Risk Assessment
Security Controls Document
Risk Management Plan
Change Management Plan
Organizational Change
Management Plan
Communications Plan
Disaster Recovery Plan
IT Risk Assessment
Security Controls Audit
Requirements Traceability
Matrix
Functional Design
Technical Specifications and
Network Diagram
Phase 3: Interface
Development/Database
Configuration
Complete onsite assessments of
facilities to gather workflow
and data requirements utilized
in the database configuration

Estimated Timeframe From Contract
Execution
0-30 days after contract execution
0-30 days after contract execution
0-30 days after contract execution
0-30 days after contract execution

31 - 89 days after contract execution
31
31
31
31
31
31

- 89 days
- 89 days
- 89 days
- 89 days
- 89 days
- 89 days

after contract execution
after contract execution
after contract execution
after contract execution
after contract execution
after contract execution

31
31
31
31
31

- 89 days
- 89 days
- 89 days
- 89 days
- 89 days

after contract execution
after contract execution
after contract execution
after contract execution
after contract execution

31 - 89 days after contract execution
31 - 89 days after contract execution

90 - 239 Days after contract execution

91 - 239 Days after contract execution

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 11 of 67
Contract#29960

process.

19

Delivery of EHR Base System
and User Acceptance Test SignOff on Base System to Ensure
Successful Installation

91 - 239 Days after contract execution

*Actual timeframe will vary according to
20

Delivery of OMS Interface (As
Defined in the Document
"CorrecTek OMS Interface
Guide")

21

Delivery of Pharmacy Interface
(As Defined in the Document
"CorrecTek Pharmacy Interface
Guide")

22

Delivery of Lab Interface (As
Defined in the Document
"CorrecTek Lab Interface
Guide")

23

Delivery of Radiology Interface
(As Defined in the Document
"CorrecTek Radiology Interface
Guide")

24
25
26
27

28

Data Extraction from Legacy
DOC System (ERMA)
Map Data Elements - Delivery
of Data Conversion Plan
Submit Mapped Data Elements
for review - Delivery of Data
Mapping Document
Completed data conversion
State sign-off of the final
configuration elements required
before CorrecTek configuration
efforts begin. Approval of
Facility Assessment Summary

other system vendors.
ALL INTERFACES THAT WILL BE
REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO
LATER THAN 30 DAYS PRIOR TO
TRAINING.
90-209
*Actual timeframe will vary according to
other system vendors.
ALL INTERFACES THAT WILL BE
REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO
LATER THAN 30 DAYS PRIOR TO
TRAINING.
90-209
*Actual timeframe will vary according to
other system vendors.
ALL INTERFACES THAT WILL BE
REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO
LATER THAN 30 DAYS PRIOR TO
TRAINING.
90-209
*Actual timeframe will vary according to
other system vendors.
ALL INTERFACES THAT WILL BE
REQUIRED AT THE TIME OF GOLIVE MUST BE COMPLETED NO
LATER THAN 30 DAYS PRIOR TO
TRAINING.
90-209
91 - 239 Days after contract execution
91 - 239 Days after contract execution
91 - 239 Days after contract execution
91-239 Days after contract extension

91 - 23 9 Days after contract execution

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 12 of 67
Contract#29960

document.

29

30

31

32

33

34

35

36

37

38
39
40

Construction, Configuration,
and Unit Test Summary Delivery of Draft Acceptance
Test Plan ("ATP"). The
standard CorrecTek Show and
Tell Process will be utilized.
Provide an informational demo
for User Acceptance Testers to
equip them for the Show and
Tell Sessions.
Delivery of SSAE-16 and 80053 R4 certification to the State.
Unit Test Results - Delivery of
completed ATP' s from
Construction Phase. Summaries
for each CorrecTek Show and
Tell session will be provided.
Integration and System Test
Plan - State signoff on the
Acceptance Test Plan of EHR.
Necessary changes that are
identified during the Show and
Tell sessions will be addressed
and demonstrated to the State.
Finalize Data Configuration
based on elements approved by
the State in the Facility
Assessment Summary
document.
Delivery of final, configured
database
Documentation Plan - Delivery
of draft Training Manual.
CorrecTek standard training
resources will be utilized.
Phase 4: Training Schedule
and Chart Prep
Delivery of Training Plan
(Curriculum, Final Manual, and
Training Schedule)
Schedule Training
Users complete training
questionnaire (provided by
CorrecTek)
Delivery of Chart Prep

91 - 23 9 Days after contract execution

91 - 239 Days after contract execution

91 - 239 Days after contract execution

91 - 239 Days after contract execution

91 - 239 Days after contract execution

91 - 239 Days after contract execution

91 - 239 Days after contract execution

91 - 239 Days after contract execution

230 -239 days after contract execution
231 -239 days after contract execution
231 -239 days after contract execution
231 -239 days after contract execution
234 -239 days after contract execution

ST ATE OF VERMONT
CONTRACT FOR SERVICES

Page 13 of 67
Contract#29960

Training.
Phase 5: Onsite Training and
Go-Live
Conduct training sessions for all
end users

41
42

241 - 270 days after contract execution

Implementation/Go-Live Date
Documentation - Delivery of
System and User Manuals
Initiate One-year Warranty
Period
Phase 6: Post Go-Live
Post Go-Live Onsite
Assessments
512 additional development
hours for future/undetermined
interfaces which might include
VITL, EKG machine, and
Medicare/Medicaid
Provide annual SSAE-16 SOC
2 and 800-53 R4 Compliance
certification to the State
Post Implementation Evaluation
and Certification

43
44

45

46

47
48

8.

240 - 270 days after contract execution

244 - 270 days after contract execution
245 - 270 days after contract execution
246 - 270 days after contract execution
300+ days after contract execution
300 days after contract execution

300+ days after contract execution

300+ days after contr~ct execution
300+ days after contract execution

Service Delivery & Activities:
The Contractor shall not connect to any state internal networks, or require the use of stateowned computer equipment, other than necessary for users to access the system to complete
the scope of work in this Contract. This shall not exclude the Contractor from connecting the
EHR with the State's Virtual Private Network (VPN) tunnel between the Electronic Health
Record and the State maintained Active Directory so that the system can perform.
authentication of ~sers. The Contractor will use subcontractor facilities to complete the work,
unless otherwise noted.
State will negotiate all necessary license agreements with subcontractors separate and apart
from this Contract.

9. Milestone Descriptions
a. PROJECT PLAN AND OVERSIGHT
The Contractor shall deliver to the State a Project Management Plan. The Project Management
Plan delivered by the Contractor shall incorporate the scope of work, deliverables, and all
requirements outlined in the Contract and shall include the following:
•

Staffing assignments for contract tasks including names, percentage of time assigned to
project and any other applicable information.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 14 of 67
Contract#29960

•

A plan showing critical events, dependencies and decision points during the course of
the Contract. Any tool(s) used by Contractor for such purposes shall produce
information of a type and in a manner and format that will support reporting in
compliance with the State's requirement to the extent such requirements are described
in the Scope of Work and shall be accessible using software currently used by the State
of Vermont (i.e. Word, Excel, Project or Visio).
·

•

The Contractor shall create and deliver a comprehensive implementation plan as part of
the project plan.

•

Training and Education Plan;

•

Data Conversion and Migration Plan;

The State shall give final approval to the Project Management Plan. Implementation of the
Project Management Plan shall not commence prior to State approval.
b. STAFFING

•

The Contractor shall provide a qualified Project Manager, as described in the Project
Management Methodology, to manage this project. The Project Manager will serve as the
technical lead dedicated to the project, specifically identified with overall responsibility for
the implementation and transition from design, and implementation to operation of this
system. This person shall be responsible for coordinating implementation activities and for
allocating implementation team resources. This person shall be available until the turnover
to the State has been successfully completed.

•

The Contractor shall provide and maintain qualified personnel and staffing to enable the
deliverables to be provided in accordance with the Contract.

•

The Contractor shall replace any of the key staff of Contractor with a person of equivalent
experience, knowledge and talent, if the need arises.

•

The Contractor shall provide State with ready access to all members of the Project
Management Team.

•

Project Management Team shall be reachable by phone and email during business hours
during the project implementation and during all go-live hours:

•

The Contractor shall participate in meetings in person or by conference call as required. A
minimum of bi-weekly status update calls are required (separate from the Project Status
Reporting requirement). Subcontractors part of the Project Management Team shall
participate in meetings by conference call as required.

•

The State shall provide one (1) Project Manager to manage the project.

•

The State shall provide one (1) Subject Matter Expert capable of describing the semantics
of the existing data; to act as a consultant to mapping the source data to the target data
model, scoping of their data, migration effort, business rule validation and testing; and
assisting with testing and final system validation.

c. IMPLEMENTATION PLAN

The Contractor shall provide a detailed implementation plan that includes:
•

The technical, business and informational steps in sequential order for implementing
the EHR system.

~TATE OF VERMONT
CONTRACT FOR SERVICES

Page 15 of 67
Contract#29960

•

Details of all known obstacles and plans for avoidance, which are defined as an event
that prevented a task to be completed within the schedule project timeline.

•

Include in the Project Plan advice to the State on proceedings to assist State in
avoiding obstacles in implementation.

•

Staffing and organizational steps for the State to ensure a smooth transition of
implementation.

•

A Communication Plan that details how State should approach communications to all
interested parties using Contractor's Electronic Health Record implementation
experience.

d. CHANGE MANAGEMENT PLAN

The Contractor shall provide a Change Management Plan. The Change Management Plan shall
include a process for handling changes and a method to audit and track changes. All changes
shall be communicated in the bi-weekly project meetings. The Change Management Plan shall
contain the following:
•

A process to follow;

•

A decision log to track, monitor and report on any change.

e. COMMUNICATIONS MANAGEMENT PLAN

The Contractor shall provide a Communications Management Plan. The Communications
Management Plan shall include the following:
•

What information will be communicated to the State, including the level of detail and
format;

•

How the information will be communicated, including but not limited to meetings,
email, telephone, web portal, or a combination of these mediums; and

•

When information will be distributed, including the frequency of project
communications both formal and informal

f. PROJECT STATUS MEETINGS AND REPORTS
The Contractor shall have a project status meeting monthly, or more frequently as needed,
with the State's project manager and project director and/or delegate(s). The Contractor shall
provide minutes of the meeting, which will include reporting of decisions, action items and list
of participants. Contractor shall e-mail minutes to the State within four (4) working days after
the meeting. The Contractor shall submit monthly Project Status Reports to the State. A report
format shall be submitted to the State for approval within fourteen (14) days after the effective
date of the contract. Once the State approves the format of the report, it shall be used.
The Contractor shall include the following in the monthly Project Status Report: identification
of all tasks completed, incomplete, or behind schedule in the previous month, reasons given
for tasks being behind schedule; all tasks planned for the coming month; an outline for percent
completed, resources assigned to tasks; the status of any issues, risks, and corrective actions;
and possible solutions being explored and status of research. The Project Status Report shall
have a clearly defined coding scheme.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 16 of 67
Contract#29960

g. REQUIREMENTS AND VALIDATION DOCUMENTATION

No modification or subtraction of a requirement shall be allowed without final approval by the
State. The requirements are outlined in the requirements section. Any modification or
subtraction to a requirement shall be subject to a change order process as defined by the State.
Reasons for changes to the requirements may include but are not limited to:
•

In response to any potential Legislative (Federal and/or State) actions/initiatives, for
example regarding Health Care Reform, as it pertains to Corrections;

•

In response to any production problems as identified by the State. ·

•

Enhancement of software, data load or other system functionality to respond to
unanticipated circumstances identified by the State. Such "unanticipated
circumstances" shall be submitted to Contractor on a State provided Change Request
Form.

•

Design and testing of the system may generate ideas for enhancements which, if added,
could provide insight into changes in practices and processes, improve efficiency, and
capture more value from the system; and

•

Providing dashboards, reporting and other business-user driven functionality.

The Contractor shall ensure a tracking mechanism in which the statu~ of each requirement is
tracked to completion of the project is provided.
h. IT SYSTEM SECURITY PLAN

The Contractor shall provide a security document outlining the security plan used for hosting
and the description of the EHR system's user profiles and permissions. Security plan shall be
provided to the State for approval and provide a Risk Assessment Report based on the Risk
Management Plan. The Risk Assessment report examines the implementation for risk exposure
with respect to the project schedule, budget, resources, external dependencies and
technical/security risks. Access to State Data will clearly be defined and cataloged in a
document as part of the Security Plan. A list of the. Agency of Human Service security policies
can be found at http://humanservices.vermont.gov/policv-lecislation/policies/05-informationtechno]ogy-and-electronic-communications-policies/ and a list of State of Vermont security
policies can be found at http:i/dii.vermont.gov/poUcy/policy.
i. CONSTRUCTION, CONFIGURATION, AND UNIT TESTING

Contractor shall construct or configure system forms and reports. The requirements for each of
these items shall be gathered .during the Project Kick off Phase and finalized during the
Interface Development/Database Configuration Phase. The list of those items to be constructed
or configured as part of this Contract are as follows:
• Completed intake/receiving screening form;
• Health assessment form;
• Progress (SOAP) notes of all significant findings, diagnoses, treatments and referrals;
• Provider orders;
• Signed documentation that the ADA policy has been explained to the inmate;
• Accommodations requested by and offered to inmates with special needs;
• Results of screenings and assessments and treatment plans developed to address
substance abuse and addiction issues;

STATE OF VERMONT
CONTRACT FOR SERVICES

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

Page 17 of 67
Contract#29960

Inmate requests for health services, including illnesses and injuries;
Medication administration records;
Reports of laboratory, radiology and other diagnostic studies;
Informed consent and refusal forms;
Release of information forms;
Place, date and time of health encounters;
The health providers name and title;
Hospital reports and discharge summaries;
Intra-system and inter-system transfer summaries;
Specialized treatment plans and evidence of review and revision of treatment plans at
regular and appropriate intervals;
Consultation forms;
Health Services reports;
Immunization records, if applicable;
Inmate medical grievance forms;
Documentation of all medical, dental and mental health services provided, whether
from inside or outside the facility;
Any assessment of suicide or self-harm risk, or assessment of special observation
status;
Documentation of discussion by the treatment team related to this inpiate; and
Documentation of any significant discussion or consultation of or by other medical or
mental health professionals, family members, or specialty providers.

Contractor shall construct and configure Data Interfaces in order for the State to share State
Data with its partners based on the technical specs provided in the attached Interface Guides.
The requirements for each extract will be defined in an Interconnection Security Agreement as
is used by the State. The Interconnection Security Agreement includes, but is not limited to,
the fields of data required, the date and time of the extract, the type of file to be exchanged, if
the exchange of data is bi-directional and security parameters needed to transfer the data. The
list of Data Interfaces to be constructed as part of this contract is as follows:
•

Radiology

•

OMS: Offender Management System

•

Pharmacy

•

Lab

Contractor shall construct and configure optional Data Interfaces to prioritized by the State
using the optional billing hours at a rate defined·in the Unanticipated Time and Management
Table. The list of optional Data Interfaces to be constructed as part of this contract is as
follows:
•

VITL: Vermont Information Technology Leaders/Vermont Health Exchange

•

EKG machine

•

MMIS: Medicaid Medicare Information System

•

VHIE: Vermont ~ealth Information Exchange

Any additional Data Interface requests shall be subject to a Change Order process.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 18 of 67
Contract#29960

j. DATA MIGRATION AND CONFIGURATION

The Contractor shall ensure completion of the migration process and shall convert all
applicable data and any related support documentation necessary to carry on operations as
approved by the State. This data shall include State data with a volume that could exceed one
(1) Terabyte (TB), but is not expected to exceed that volume. In any event, if Contractor finds
that the volume of the State's data as measured prior to migration exceeds 10% of the
estimated volume, a Change Order will be required. The migration process shall at all times
adhere to HIP AA requirements, as well as requirements of all applicable Vermont State
Statutes to secure data in motion and at rest.
The Contractor's migration of the data shall not negatively impact existing ERMA
functionality, performance or response quality.
•

Contractor shall ensure the preparation of and the provision of written Data Profiling
Reports to the State that include, but are not limited to, information outlining
conformance to the agreed upon field mapping and import data structures, record
counts for the number of records successfully imported into the CorrecTek system,
record counts for the number of records not successfully imported into the CorrecTek
system, and reasons for the non-imported records failed to import. When importing
data into the CorrecTek system, the process will use unique patient and record IDs
supplied by the other vendor for matching imported data. Contractor shall ensure
review of the exported data to confirm the export format, field format, and field sizes
match the import data structures and the agreed upon field mapping. Contractor will
provide written documentation outlining conformance to the agreed upon field
mapping and import data structures.

•

The Contractor shall ensure preparation of and the provision of a written Migration
Plan that details all the steps necessary to complete the migration using the Data
Profiling Reports and the agreed-upon data migration business rules. The Migration
Plan shall contain a Data Mapping document that maps existing ERMA data to the new
EHR data repositories schema, including crosswalks for standardization of coded
values, the data initially identified to be converted, the associated action taken,
problems encountered, resolution of problems, and final results. The Contractor shall
ensure the Migration Plan identifies all data that must be manually scrubbed in the
source system, before the migration is attempted. The Contractor shall identify in the
Migration Plan and archival plans if deemed necessary by the State.

•

The Contractor shall ensure end user tools are supplied as part of the CorrecTek
System to apply the data migration business rules and convert the data to the new EHR
format using the Migration Plan as a blueprint. The Contractor shall ensure
configuration of the end user tools (CorrecTek System Data Conversion Import
Routines) so that, when the process is run end-to-end, a complete written Migration
Results Report is produced. The Migration Results Report shall identify what specific
data did not migrate successfully. The Migration Results Report shall be used by the
Contractor and the State to measure and document the migration process. This process
shall be repeated until the State determines the outcome is satisfactory. This process ·
shall consist of iterations of conditioning, mapping, and transformation of the data until
there is a data error percentage that the State accepts. State shall be responsible for
completing the data import tasks using end user tools.

•

Contractor may request the use of a State subject matter expert to resolve, any issues or
questions that arise in the migration process to the satisfaction of the State and

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 19 of 67
Contract#29960

document in the Migration Results Report. If State requires, Contractor shall provide
the tools and the process needed for State authorized personnel to perform manual data
review and r~-entry.
Contractor shall ensure that the migration system shall be completely configurable using
externalized data parameters rather than requiring coding changes and no hard-coding is
authorized. Throughout the con.figuration step, Contractor shall monitor the system and shall
provide status reports showing data entry progress and highlighting remaining work at project
status meeting monthly, or more frequently as needed.

k. Network Design, System Design, and Technical Documentation . .
The Contractor shall provide Network, System and Technical Design documentation to
include the following:
• CorrecTek Cloud Architecture
• Connectivity
• Security
• Fault Tolerance
• Backups and Disaster Recovery
• Supported Client Hardware
• Supported Procedures
I. SYSTEM AND USER ACCEPTANCE TESTING
The Contractor shall ensure "show and tell" sessions where the user acceptance process will
occur. These will be sessions lead by the Project Management Team and attended by the
Contractor and State project team. Through these interactive sessions, testing of the
application configuration and data validation will be conducted. ·
The State users will validate that the system meets the Contract requirements from these
sessions according to the process in the milestones section of the Contract.
m. TRAINING PLAN AND TRAINING MATERIALS
The Contractor shall ensure development and delivery to the State of a training plan that
includes training sessions and training documents and materials throughout implementation of
the EHR with a goal of I 00% user adoption rate. The training materials and approach shall
include sufficient information for trainees to accurately and efficiently perform role-based
EHR-related tasks. Contractor shall ensure that onsite training is provided. Training will be
provided as close to the launch date as possible because experience has shown that a short time
frame allows people to adapt to the new system more quickly. Training shall include the
following:
•

Role-specific Electronic Health Record Training sessions;

•

End user training at each location prior to go-live at dates and times as defined by the
State and coordinated with those providing the training.

•

Training Materials including but not limited to user guides, administrative guides,
course outlines, and training syllabi; and,

•

Permission Level (ADMIN) appropriate training.

n. SYSTEM AND TECHNICAL USER DOCUMENTATION

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 20 of 67
Contract#29960

The Contractor shall ensure development, maintenance, electronic storage, and distribution of
documentation as required by the State for every phase of the EHR project. The Contractor
shall continue to maintain all documentation throughout the term of the Contract, per the
requirements section, while supporting the State's ability to access, review, and modify
documentation if needed. Documentation is to include the following:
•

User Manuals;

•

Training Manuals;

•

System Documentation

The Contractor shall provide updates to these documents as they relate to the EHR, the hosting
environment, and as any additional patches or upgrades are made to the system to be used as
final copies in a Microsoft Word or PDF format.
o. POST IMPLEMENTATION REVIEW

The Contractor shall continue to meet via conference call weekly, or as determined by the
State, to review the implementation of the system (the "Post Implementation Review") for
sixty (60) days.
The Contractor shall, at the end of the Post Implementation Review, resolve or transfer all
issues identified in the Post Implementation Reporting to the DOC staff. Contractor support
thereafter will be per the terms of Service Level and Support.
p. POST IMPLEMENTATION REPORTING

The Contractor shall conduct a comprehensive evaluation of the EHR and its operations, and
shall produce a Post Implementation Completion report within sixty (60) days postimplementation. This report shall include, but not be limited to:
•

Contractor report on the technical, functional and informational aspects of the EHR
in regard to stability, productivity and efficiency as defined by the State;

•

Contractor recommended processes that shall meet specific requirement in
implementation, but following that phase may be modified/enhanced for better
efficiencies post-implementation;

•

Contractor review of the implementation and recommendation on how best to
leverage State processes and knowledge from the EHR project which may be
utilized for other future projects; and
·

•

Contractor recommended changes to the Maintenance and Support plan for State
including, but not limited to, adjustments from findings learned during
implementation, go-live and period of post implementation up until the time of the
report.

Annually, on the anniversary of the go live date, the Contractor, in conjunction with any
necessary subcontractors, shall review with the State the current status of the EHR, any
suggested process modifications or enhancements suggested using a Post Implementation
Evaluation Report. This report, including at a minimum the information listed above, shall also
include the following items:
•

Lessons learned;

•

EHR user satisfaction;

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 21 of 67
Contract#29960

•

The current status of the EHR; and

•

Ongoing issues within the EHR, including resolution and responsibility for each
issue.

q. SERVICE LEVEL AND SUPPORT
As requested by the State, the Contractor shall provide the State with technical support and
consultation through CorrecTek by way of telephone, bulletin boards and other electronic
means to assist the State in the resolution of any problems encountered by the State in the
operation, configuration, implementation and support seven (7) days per week, twenty-four
(24) hours per day. Such support shall include efforts by the EHR manufacturer to verify,
diagnose and correct any errors and defects in the EHR in accordance with the service levels,
support and escalation procedures set forth in this Contract. Technical Support shall be
available to the State in respect to the EHR software for the duration of this Contract
contingent upon payment of applicable Support and Upgrade Fees as are set forth in
Attachment B of this Contract.
The Contractor shall ensure software upgrades to the EHR. User Acceptance Test period as
provided in this Contract will be provided for State testing of software upgrades to the EHR. The
Contractor, by itself or using its third party suppliers, shall provide the State with technical support
services for EHR in accordance with the following terms and conditions:
EHR will have at least 99.98% availability each calendar month ("Uptime Commitment).For
the purposes of this calculation, EHR will be deemed to be "Unavailable" to the extent that all
users c~ot access EHR or EHR will not accept connections. EHR will not be deemed
Unavailable for any downtime or outages excluded from such calculation by reason of the
exceptions set forth below. The Hosting Vendor records and data will be the basis for all Service
Level (SLA) calculations and determinations. The availability of the EHR for a given month will
be calculated a~cording to the following formula (referred to herein as the "Availability"):
Where: Total minutes in the month =TMM;
Total Minutes in the month Unavailable =TMU; and Availability= [(TMM-TMU) /TMM].
Service Level Uptime Exceptions
EHR will not be considered to be unavailable for any outage that results from any maintenance
performed by the Contractor of which the State is notified in at least 72 hours in advance; during
the State's implementation period; during the Contractor's then-current standard maintenance
windows (collectively referred to herein as "Scheduled Maintenance"); or as a result of the State's
request outside of the normally scheduled maintenance.
EHR will not be considered unavailable for any outage due to the State's Data or application
programming, acts or omissions by the State, failures of equipment or facilities provided by the
State, network unavailability or bandwidth limitations outside of the Hosting Vendor's network;
Scheduled Maintenance
Routine Maintenance: the Contractor shall perform maintenance on a monthly scheduled basis
within a 4-hour maintenance window to occur on a weekend between 12:00am and 8:00am. A six
week (45 calendar days) notice shall be provided in advance of any such maintenance activity.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 22 of67
Contract#29960

Routine Maintenance may require service to be suspended during the maintenance period.
Scheduled maintenance periods will be excluded from Uptime calculations for availability
provided however, that any time in excess of four (4) hours for any single maintenance event shall
be included in Uptime calculations for availability.
Emergency Maintenance: Under certain circumstances the Contractor may need to perform
emergency maintenance, such as security patch installation or hardware replacement. The
Contractor may not be able to provide the State with advanced notice in case of emergency
maintenance. The duration of service Unavailability, due to emergency maintenance, will be
excluded from the Uptime calculations for availability provided however, that any time in excess
of four (4) hours for any single maintenance event shall be included in Uptime calculations for
availability.
User Acceptance Testing: Each major release shall provide for a one (1) month User
Acceptance Testing (UAT) period. A copy of the State's deployed infrastructure and database
shall be made available for testing purposes. The State shall test and report any severity 1, 2 or 3
issues caused by the new release.
Major Releases: Typically there shall be at least one (1) major release a year, however may be
scheduled up to four (4) times a year. A User Acceptance Testing period shall be provided for all
major releases. Cutover to the new major release will occur on the scheduled date unless severity
1, 2, 3 or 4 issues are known to exist.
Minor Releases: The minor releases are monthly maintenance to the system as needed. Items
included in the minor release may be any priority (defined below) 2 or 3 items which did not get
released in the major release. The minor release is accomplished during the weekly maintenance
window. The EHR manufacturer shall communicate to the State updated Documentation and
release notes. Not all minor releases require User Acceptance Testing. It is at the discretion of the
Contractor whether an acceptance test period is warranted.
Hot Fixes: The hot fix is reserved for repairing a catastrophic issue within the system. The
system sends a notice 24 hours in advance to all the States' end users in the system prior to shut
down. A notice shall be sent prior to shut down to give users of the system sufficient time to save
work and gracefully exit any work in progress. Custom documents or any custom work that
requires a product build will be included in the next major/minor release after acceptance testing
has been completed.
Service Level Remedies
The parties hereby agree that the State shall pay a varied service charge based upon different
levels of performance b.y the Contractor, as set forth in the table below. Under no circumstances
shall the payment of a service credit or refund hereunder relieve the Contractor of its obligation to
address and fix system defects or other performance issues pertaining to a service level
requirement. The State shall have the right to terminate this Contract for cause whenever
Contractor's successive or accumulated service level failures amount to "Chronic UnderPerformance", which is defined as Contractor's failure to meet the EHR Uptime Commitment: (i)
for any three (3) months within a rolling 12-month period; or (i) any single month where EHR
Uptime is lower than 95%.
The Contractor shall ensure that Hosting Vendor provide monthly Availability Audits to the
State, within five (5) business days following the end of each month upon go-live. In the event
there is a dispute, Contractor shall make available to the State an electronic version of all raw data
used to create the SLA report each month in either of the following formats, EXCEL or PLAIN

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 23 of67
Contract#29960

TEXT. The State reserves the right to measure Availability and Response times independently,
review tools, and calculations of SLA metrics.
If the Availability of EHR for a given month is lower than the applicable Uptime Commitment
of 99.98%, (based on a thirty (30) day month, 43,200 minutes), then monetary refund will be due
to the State, and shall be reflected as a credit in the Contractor's invoice for Hosting fees, Support
and Maintenance. The foliowing service credit schedule, calculated as a percentage of the
combined refund monthly fees for Hosting and Support and Maintenance fees, shall apply in favor
of the State:
Availability of EHR for a given
month

99.98% to 100%
98% or higher but lower than

Applicable refund
for such Month
0%
5%

99.98%
95% or higher but lower than 98%
Lower than 95%
Note: Uptime%= 100 X ((43200downtime mins) / 43,200)

10%
100% - Uptime %

In the event that the State is not current with respect to any undisputed post-implementation .
payme~t obligations when the unavailability occurs, refund will not be applicable for such
month or months.
To receive monetary refund, State will apply refund to the next hosting payment. If there are
no remaining hosting payments, the State must submit a written request, via email or letter, to
the Contractor within sixty (60) days of the end of the month in which Hosting Vendor failed
to meet the Uptime Commitment.
System Support and Issue Response
• The Contractor shall provide support for the EHR through CorrecTek according to the
severity of the issue and not in the order in which the issue was received or logged.
Below is the Issue Reporting Process:
• The Contractor shall ensure support that is available for the State to log any queries,
incidents and enhancements. Communication from State to the Contractor can be
telephone. The Contractor shall provide operation support twenty-four (24) hours a day
and seven (7) days a week to the State through a dedicated number.
• The Contractor shall ensure technical support staff to log the request on behalf of the
State.
• The Contractor shall ensure technical support staff to prioritize the identified problems
and enhancement requests.
• The Contractor shall ensure technical support staff to contact the State to provide
progress and time lines for each request.
At the time of the State's initial call, users may be asked to provide:
• Contact name, company name and location;
• The type of browser (with release version);
• Telephone number and alternate method of contact (i.e. a pager number or email
address);

Page 24 of 67
Contract#29960

STATE OF VERMONT
CONTRACT FOR SERVICES

•
•

A concise description of State's problem or question; and
The circumstances under which the problem does or does not occur

Hosting support will be as follows:
Service Level Monitoring (SLM) metrics for all service tickets. This will provide metrics that
can be viewed in real-time or on a historical basis to see how Contractor is meeting established
performance goals.

Time to First Contact (TFC). This is the amount of time between the initial reporting of the
issue by an end user to the Help Desk to the initial contact made by a support engineer to the
affected user( s). For example if a call is placed to the Help Desk at 8am and a Kalleo support
engineer contacts the user at 9am the TFC would be 1 hour. The TFC shall be within 48 hours
for low priority issues (affecting one user, does not impede user from job functions), within 8
hours of medium priority issues (affecting a few users, problem has a workaround or will not
cause major job impediments right away), within 2 hours of high priority issues (affects many
users, problem is impeding some work but users are still able to do some functions), and
within 30 minutes of critical priority issues (affects all users, problem is causing complete
EHR outage).
Time to Proposed Resolution (TPR). This is the amount of time between the initial contact by
a support engineer and the initial proposal for resolution. In many cases this may be just a few
minutes (after the engineer has gathered enough data to have a good idea of what to do) or it
could be longer if the engineer is going to need to do some research into the issue. TPR shall
be within 72 hours for low priority issues within 48 hours, for medium priority issues within 8
hours, for high priority issues, and within 1 hour for critical priority issues.
Application Support:
Measurements will be based on the time taken for a Help Desk operative to answer a call.
Calls that receive an automatic response, or placed into a queuing system, will be deemed not
to have been answered.

In the table below, the standard resolution time is not based on issues resulting from the State's
loss of broadband connection.
Priority

Pl
Critical

Context

A Service Failure which,
in the reasonable opinion
of the State:
constitutes a: loss of
•
the Service which prevents
all or a large group of End
Users from working (i.e.
total loss of service);
has a critical impact
•
on the activities of the
State;
causes significant
•

Initial
Response

5 minutes

Standard
Resolution Time

2 hours

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 25 of 67
Contract#29960

financial loss and/or
disruption to the State; or
results in any
•
material loss or corruption
of State Data.
Failure of the
•
Service to provide user
authentication service.

P2 Major

P3
Medium

A Service
Failure comprising of a
partial loss of service
or service disruption
affecting most users
(i.e. Users cannot
utilize object or
module contained in
the Licensed
Software)
A Service Failure
comprising a flaw which is
cosmetic and, as such,
does not undermine the
End User's confidence in
the Services (i.e. spelling
error). This does not
include change requests.

30 minutes

8 hours

30 minutes

As part of minor
releases

Defined Support Levels
The Contractor shall ensure the State is provided with Support Levels 1, 2 & 3 as further
defined below:
"Level 1 Support" includes providing first-call line support to the State whereby the
Contractor ensures for technical support staff to be available to answer technical inquiries from
State's staff regarding Electronic Health Record.
"Level 2 Support" includes providing technical support to the State in which the technical
support staff: (a) perform problem isolation and replication; (b) aid in developing solutions for
problems that are not the result of EHR functionality errors; and (c) in the case of an EHR
functionality error identify the source of the error, create a reproducible test case and
document the details of the error for resolution.
"Level 3 Support" includes efforts to provide the State's staff with fixes, patches and/or
workarounds for the EHR functionality errors only. The Contractor shall follow the escalation
procedure below.
Issue Escalation Procedure
A detailed communication and escalation procedure will be supplied to the State.
The Contractor shall ensure for technical support staff to be the first contact in the escalation
process.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 26 of67
Contract#29960

After speaking with the technical staff, if the State feels additional escalation is required, the
Operations Contact may be contacted.
Management of the Contract
The State will conduct formal quarterly performance monitoring meetings with the Contractor.
Performance monitoring meetings will be conducted remotely via video conferencing, or in
person, for the life of this contract.
Failure to meet Service Level Agreement
The Contractor agrees to provide for the response to support calls within the agreed timelines.
If the Contractor fails to respond to provide for the support calls that result in the users
inability to use the system in whole or in part within the agreed timelines, then the State shall
have the right to apply service level monetary refund performance remedies as outlined in the
Contract.

r. The Hosting Environment
1. The Contractor shall manage the project where the EHR vendor shall install their software in
an environment hosted by Kalleo (http://www2.kalleo.net/). The contractor hosted solution
shall provide a maximum Recovery Point Objective (RPO) of no greater than 24 hours and a
maximum Recovery Time Objective (RTO) of no greater than 4 hours in a disaster recovery
event and shall provide a maximum RPO of no greater than 10 minutes and RTO of no
greater than 2 hours for incidents within the hosting facility. The contractor shall provide the
State with two (2) environments: (1) production environment; (2) test environment. The test
environments shall mirror the production environment, except in the capacity of users, and
shall also be utilized for training by the State.
2. The specifics of the Contractor's hosting partner's service level performance requirements
shall be made available to the State's Department oflnformation and Innovation with-in 15
days after signing of this contract. Failure to provide documentation will hold this written
contract in breach.
3. Further, the State will have the option,. in its sole discretion, of selecting an alternative
hosting provider. It shall give the Contractor not less than 90 days' notice of its desire to do
so and will provide the Contractor the reasonable cooperation required for such a transition.
4. Any third party hosting environment on which the State's System is hosted shall meet the
requirements of this Contract. The State will have no direct contractual relationship with the
hosting provider, nor any obligation to manage the Contractor's relationship with a hosting
provider. Requirements herein for State access to the hosting platform shall be for
compliance monitoring purposes only and shall in no way relieve the Contractor of its
obligations with respect to managing its agreement with the hosting provider or in meeting
the requirements of this Contract.
5. The Contractor shall ensure extract of full SQL Backups from the database once per day,
differential SQL Backups every 2 hours, and transaction logs every 10 minutes. Onsite File
Backups (including SQL Backup files, differentials, and transaction logs) will be backed up
each night to an onsite storage network. Offsite File Backups will be backed up each night to
a "hardened" offsite storage facility. Backup copies will be stored and transferred using at
least 256bit encryption and offsite copies will be stored more than 500 miles away. The
System will include the capability to maintain all data according to State-defined records

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 27 of67
Contract#29960

retention guidelines (i.e. record schedule). General schedules can be found at:
http://vcrmont-archives.org/records/schedu.les/general/ or upon request. Specific
retention disposition orders can be found at: http://vermontarchives.org/records/schedules/orders/ or upon request. All offender data will be retained
for a minimum of 10 years. It is the responsibility of the State to notify the Contractor if
there is a change in policy.
6. The Contractor shall provide the State with its Security Policy, not incorporated herein. The
Contractor shall provide the State not less than thirty (30) days advance written notice of any
changes to its Security Policy and all changes shall meet the requirements of the States
security standards. The Contractor shall provide a Disaster Recovery (DR) plan for the State
that describes the essentials in a disaster recovery scenario (e.g., loss of the primary hosting
site) for approval by the State. The DR plan shall meet the needs of the State's business
requirements and shall be consistent with the State Department of Information and
Innovation's Enterprise DR Requirements prior to the State final acceptance for Go-Live.
The DR plan shall include but not be limited to:
•

Integrate the plan for the EHR with the State's Continuity Operations Plan;

•

Identify the risks, impacts and mitigation of potential disaster events

•

Communications plan in the event of a DR occurrence
1.

11.
111.

Specify a communications matrix to be used from onset to conclusion of a
disaster event
Process description of who does what and when in a DR scenario
Identify and prioritize the business and service delivery functions to be
restored in response to a disaster event;

1v. Identify the exit criteria to be used to determine the successful resumption of
business and service delivery functions;
•

Architecture and location of the DR facility and Mirror

•

Triggers causing a DR action

•

List of most likely DR scenarios (i.e., use cases) and identify the criteria to be used to
activate contingency plans;

•

Service Levels in Attachment A

•

Specify the approach to training Contractor and State personnel to effectively execute
the Disaster Recovery and Business Continuity Plan;

•

Identify proposed subcontracts, as appropriate, with entities that shall provide support
to the Contractor in a disaster event;

•

Detail the procedures for effecting periodic changes to the Disaster Recovery Plan;

•

Detail on how the Contractor performs back-ups of State-owned data.

7. After Outage analysis meetings and documentation
•

In the event of a disaster at the hosting facility, the State's System operations will be
restored within 4 hours of the incident. Once a Disaster has occurred, the Contractor
shall provide an Outage Report detailing the disaster recovery process involved in
restoring the State's System, as specified in The Contractor's Hosting Environment,

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 28 of67
Contract#29960

section 9, of this Contract, within 30 days of the disaster event. "Disaster" shall mean
an unplanned event that causes a loss of Search, Retrieval, Registration and Updating
of State records for a period greater than 30 minutes. Any disaster beyond 30 minutes
shall trigger and meet the Fail Safe Principal where the Contractor ensures that if the
system is in a failed state it does not reveal any sensitive information or leave any
access controls open for attacks.
8. Testing and Auditing
The Contractor shall run quarterly penetration tests using the Hosting vendor's thirdparty security vendor, report results as a deliverable to the State. The Contractor shall
establish a method of evaluating computer and network security by simulating an attack
on a computer system or network from external and internal threats. The State may
conduct Non-intrusive network audits, including but not limited to basic port scans with
24 hours' notice. More intrusive network and physical audits may be conducted on or off
site with 48 hours' notice as determined by the State and approved by Contractor.
Contractor shall approve and secure access from hosting facility within 5 business days.
The Contractor shall provide the following:
•

The Contractor shall have a third party perform methodology-based penetration
testing quarterly as requested and paid for by the State and shall provide results of
that testing to the State as authorized by the State in Attachment C.

•

The Contractor shall cause an SSAE 16 SOC 2 audit report to be conducted annually.
The audit results and the Contractor's plan for addressing or resolution of the audit
results shall be shared with the State within sixty (60) days of the Contractor's receipt
of the audit results. Further, on an annual basis, within 90 days of the end of the
Contractor's fiscal year, the Contractor shall transmit its annual audited financial
statements to the State.

•

Contractor shall request any FBI CJIS reported items from hosting provider
regarding network security plans, controls and risk assessment and provide any
reported items to the State every three (3) years.

•

The Contractor shall host the State's Electronic Health Record within the 48
contiguous states of the United States of America.

•

The Contractor shall log all security-related incidents and save audit trails for six (6)
years. Contractor will provide a monthly report summarizing the incidents reported
during the month by Severity Level, and their resolution, and root cause
determinations for each.

•

In addition to the audit requirements of Attachment C, Contractor will maintain and
cause its permitted contractors to maintain a complete audit trail of all transactions
and activities, financial and non-financial, in connection with this Contract.
Contractor will provide to the State, its internal or external auditors, clients,
inspectors, regulators and other designated representatives, at reasonable times (and
in the case of State or federal regulators, at any time required by such regulators)
access to Contractor personnel and to any and all Contractor facilities or where the
required information, data and records are maintained, for the purpose of performing
audits and inspections (including unannounced and random audits) of Contractor
and/or Contractor personnel and/or any or all of the records, data and information
applicable to this Contract. At a minimum, such audits, inspections and access shall
be conducted to the extent permitted or required by any laws applicable to the State

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 29 of 67
Contract#29960

or Contractor (or such higher or more rigorous standards, if any, as State or
Contractor applies to its own similar businesses, operations or activities), to (i) verify
the accuracy of charges and invoices; (ii) verify the integrity of State Data and
examine the systems that process, store, maintain, support and transmit that data; (iii)
examine and verify Contractor's and/or its permitted contractors' operations and
security procedures and controls; (iv) examine and verify Contractor's and/or its
permitted contractors' disaster recovery planning and testing, business resumption
and continuity planning and testing, contingency arrangements and insurance
coverage; and (v) examine Contractor's and/or its permitted contractors' performance.
of the Services including audits of: (1) practices and procedures; (2) systems,
communications and information technology; (3) general controls and physical and
data/information security practices and procedures; (4) quality initiatives and quality
assurance, (5) contingency and continuity planning, disaster recovery and back-up
procedures for processes, resources and data; (6) Contractor's and/or its permitted
contractors' efficiency and costs in performing Services; (7) compliance with the
terms of this Contract and applicable laws, and (9) any other matters reasonably
requested by the State. Contractor shall provide and cause its permitted contractors to
provide full cooperation to such auditors, inspectors, regulators and representatives in
connection with audit functions and with regard to examinations by regulatory
authorities, including the installation and operation of audit software.. The
Contractor shall not delete, modify or purge data and customizations, in whole or in
part, intentionally or unintentionally at the completion of this Contract until all of the
following are met: (1) sixty (60) days have passed; (2) Contractor has provided all
data hosted to the State; and (3) data integrity has been verified by the State.
s. DATA PORTABILITY; ACCESS TO STATE DATA

Contractor's hosting service includes performing daily back-ups of the State's data. If the
State requests a copy of these back-ups, a copy shall be available to the State and individuals
as authorized by the State. In order to obtain the back-ups, the State shall need to provide a
server to store the back-ups.
1. Termination Assistance
Upon nearing the end of the final term of this Contract, and without respect to either the cause
or time of such termination, the Contractor shall take all reasonable and prudent measures to
facilitate the transition to a successor provider, to the extent required by the State. The
primary activities in this turnover are focused on transition planning to ensure operational
readiness for the State and/or successor provider. This includes both a knowledge transfer
period, and the turnover of the solution and supporting services to the State and/or successor
provider. The State shall sign-off on each defined transition milestone to ensure that all
transition Deliverables (set forth below), and exit criteria are fully executed based on agre_ed
upon Contract terms. Upon the sooner of a date specified in a notice of termination from
either party, or within 90 days of Contract expiration, the Contractor shall:
Deliverable 1 - Develop a System Turnover Plan at no additional cost to the State. The
Solution Turnover Plan shall include, at minimum:

• Proposed approach to Turnover.
• Tasks and subtasks for Turnover.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 30 of 67
Contract#29960

• Schedule for Turnover.
• Entrance and exit criteria.
• Readiness walkthrough process.
• Documentation update procedures during Turnover.
• Description of Contractor coordination activities that will occur during the Turnover Phase
that will be implemented to ensure continued functionality of the Solution and services as
deemed appropriate by the State.
Deliverable 2 - Develop a Solution Requirements Statement at no additional cost that would

be required by the State and/or successor provider to fully take over the Solution, technical,
and business functions outlined in the Contract. The Statement shall also include an estimate
of the number, type, and salary of personnel required to perform the other functions of the
project work, implemented solution, and all supporting services. The Statement shall be
separated by type of activity of the personnel. The Statement shall include all facilities and any
other resources required to operate the Solution, including, but not limited to:
• Telecommunications networks.
• Office space.
• Hardware.
• Software.
• Other technology.
The Statement shall be based on the Contractor's experience in the operation of the
Solution and shall include actual Contractor resources devoted to operations activities.
Deliverable 3 - Develop and submit a Transition Plan including, at minimum:

• Proposed approach to transition.
• Proposed approach for conducting a knowledge transfer from the Contractor to the State or
successor provider.
• Proposed approach for consolidating applicable sections from the Contractor's Turnover
Plan into the transition planning activity.
• Tasks and activities for transition.
• Personnel and level of effort in hours.
• Completion date.
• Transition Milestones.
• Entrance and exit criteria.
• Schedule for transition.
• Production program and documentation update procedures during transition.
• Readiness walkthrough.
• Parallel test procedures.
• Provider training.
• Interface testing.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 31 of 67
Contract#29960

The Contractor shall execute the Transition Plan and activities at no additional cost.
The Contactor agrees, after receipt of a notice of termination, and except as otherwise directed
by the State, the Contactor shall:
1. Stop work under the Contract on the date? and to the extent, specified in the notice;
2. Immediately deliver to the State all State Data and historical project records in a form
acceptable to the State, and copies of all subcontracts and all third party contracts
executed in connection with the performance of the Services;
3. Place no further orders or subcontracts for Services, except as may be necessary for
completion of such portion of the work under the Contract that is not terminated as
specified in writing by the State;
4. Assign, to the extent applicable or as the State may require, all subcontracts and all
third party contracts executed in connection with the performance of the Services to
the State or a successor provider, as the State may require;
5. Perform, as the State may require, such knowledge transfer and other services as are
required to allow the Services to continue without interruption or adverse effect and
to facilitate orderly migration and transfer of the services to the successor provider;
6. Complete performance of such part of the work as shall not have been terminated;
and
7. Take such action as may be necessary, or as the State may direct, for the protection
and preservation of the property related to this Contract which is in the possession of
the Contractor and in which the State has or may acquire an interest and to transfer
that property to the State or a successor provider.
Contractor acknowledges that, if it were to breach, or threaten to breach, its obligation to
provide the State with the foregoing assistance, the State would be immediately and
.irreparably harmed and monetary compensation would not be measurable or adequate. In
such circumstances, the State shall be entitled to obtain such injunctive, declaratory or other
equitable relief as the State deems necessary to prevent such breach or threatened breach,
without the requirement of posting any bond and Contractor waives any right it may have to
allege or plead or prove that the State is not entitled to injunctive, declaratory or other
equitable relief. If the court should find that Contractor has breached (or attempted or
threatened to breach) any such obligations, Contractor agrees that without any additional
findings of irreparable injury or other conditions to injunctive or any equitable relief,
Contractor will not oppose the entry of an order compelling its performance and restraining
Contractor from any further breaches (or attempted or threatened breaches).
2. Portability of Data Following Contract Termination
In the event the hosting subcontractor goes out of business before the end of this Contract,
Contractor will ensure that this vendor delivers all data to the State upon the State's written
request. Should the Contract be terminated by the State, the State shall be entitled to an
export of State Data, without charge, upon the written request of the State and upon
termination of this Contract. There will be no charge if the Hosting Vendor provides the data
via shipping an external hard drive. The export process shall at all times adhere to HIP AA
requirements securing data in motion and at rest. Following Contract termination, the State

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 32 of 67
Contract#29960

shall retain ownership of all database information, including specific client-level data and
aggregate data sets. The State owns all of the data and records stored within the Solution.
Contractor shall possess no lien or other such rights to the data.
Contractor shall ensure that Kalleo's data transfer, storage, and retrieval procedures shall
protect the original data from alteration. Contractor shall ensure that the data shall be
delivered in a comma delimited format unless another State authorized format is determined
by Kalleo for the full range of State data and shall be transmitted to the State through secure
means as approved by the State. Data shall include a data dictionary. With the exception of
State's Perpetual License, Contractor shall have no obligation to maintain or provide any
State Data and shall thereafter, unless legally prohibited, delete all State Data in its systems
or otherwise i~ its possession or under its control.
·
·3. Source Code Escrow Agreement
Prior to Go-Live, the Contractor shall ensure that a software source code escrow agreement
is entered into in a form acceptable to the State. At a minimum, the source code escrow
agreement shall provide for the deposit of the Software source code documentation with Iron
Mountain and that upon the voluntary or involuntary filing of bankruptcy, or any other
insolvency proceeding, dissolution, or discontinuance of support of the EHR System, for any
reason, all rights, title, and interests in the Software source code and all associated Software
source code documentation, for the sole purpose of the State's support and maintenance of
the Software.
4. Records Retention
The System will include the capability to maintain all data according to State-defined
records retention guidelines (i.e. record schedule). General schedules can be found at:
http://vennont-archives.org/records/schedules/ general/. Specific retention disposition orders
can be found at: http://vermont-arch.ives.org/records/schedules/orders/. Medical Records
must be maintained for 10 years in accordance with the Medical Records Disposition
Schedule.
5. Access to State Data
Within ten (10) business days of a request by State, the Contractor will make available to
State a complete and secure (i.e. encrypted and appropriately authenticated) download file of
State Intellectual Property and State Data in a format acceptable to State including all
schema and transformation definitions and/or delimited text files with documented, detailed
schema definitions along with attachments in their native format. Provided, however, in the
event the Contractor ceases conducting business in the normal course, becomes insolvent,·
makes a general assignment for the benefit of creditors, suffers or permits the appointment of
a receiver for its business or assets or avails itself of or becomes subject to any proceeding
under the Federal Bankruptcy Act or any statute of any state relating to insolvency or the
protection of rights of creditors, the Contractor shall immediately return all State Intellectual
Property and State Data to State control; including, but not limited to, making all necessary
access to applicable remote systems available to the State for purposes of downloading all
State Data.
The Contractor's policies regarding the retrieval of data upon the termination of services
have been made available to the State upon execution of this Contract under separate cover.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 33 of 67
Contract#29960

The Contractor shall provide the State with not less than thirty (30) days advance written
notice of any material amendment or modification of such policies.
t. SECURITY BREACHES; SECURITY BREACH REPORTING

The Contractor shall have policies and procedures in place for the effective management of
Security Breaches, as defined below.
In addition to the requirements set forth in any applicable Business Associate Agreement as
may be attached to this Contract, in the event of any actual or suspected security breach the
Contractor either suffers or learns of that either compromises or could compromise State
Data (including, as applicable, PII, PHI or ePHI) in any format or media, whether encrypted
or unencrypted (for example, but not limited to: physical trespass on a secure facility;
intrusion or hacking or other brute force attack on any State environment; loss or theft of a
PC, laptop, desktop, tablet, smartphone, removable data storage device or other portable
device; loss or theft of printed materials; or failure of security policies) (collectively, a
"Security Breach"), the Contractor shall immediately determine the nature and extent of the
Security Breach, contain the incident by stopping the unauthorized practice, recover records,
shut down the system that was breached, revoke access and/or correct weaknesses in
physical security. Contractor shall analyze and document the incident and provide the
required notices, as set forth below.
The Contractor acknowledges that in the performance of its obligations under this Contract,
it will be a "data collector" pursuant to Chapter 62 of Title 9 of the Vermont Statutes (9
V.S.A. §2430(3)) and that, in accordance with 9 V.S.A. § 2435(b)(2), Contractor shall
immediately notify appropriate State personnel of such Security Breach.
The Contractor's report shall identify: (i) the nature of the Security Breach; (ii) the State
Data used or disclosed; (iii) who made the unauthorized use or received the unauthorized
disclosure; (iv) what the Contractor has done or shall do to mitigate any deleterious effect of
the unauthorized use or disclosure; and (v) what corrective action the Contractor has taken or
shall take to prevent future similar unauthorized use or disclosure. The Contractor shall
provide such other information, including a written report, as reasonably requested by the
State.
The Contractor agrees to comply with all applicable laws, as such laws may be amended
from time to time (including, but not limited to, Chapter 62 of Title 9 of the Vermont
Statutes and all applicable State and federal laws, rules or regulations) that require
notification in the event of unauthorized release of personally-identifiable information or
other event requiring notification. In the event of a breach of any of the Contractor's
security obligations ("Notification Event"), the Contractor agrees to fully cooperate with the
State, assume responsibility for such notice if the State determines it to be appropriate under
the circumstances of any particular Security Breach, and assume all costs associated with a
Security Breach and Notification Event, including but not limited to, notice, outside
investigation and services (including mailing, call center, forensics, counsel and/or crisis
management), and/or credit monitoring, in the sole determination of the State.
In addition to any other indemnification obligations in this Contract, the Contractor shall
fully indemnify and save harmless the State from any costs, loss or damage to the State
resulting from a Security Breach or the unauthorized disclosure of State Data by the
Contractor, its officers, agents, employees, and subcontractors.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 34 of 67
Contract#29960

u. PROGRAM ADMINISTRATION AND EVALUATION
1. Performance Measures:
The Contractor shall maintain the system so that offender record searches of "lock ups," data
queries and workflow reports will be returned in a timely manner that will not impede end
user workflow. The State shall maintain a broad-band connection at each location.
Contractor shall not be liable for transaction response times if the State experiences a failure
of any kind in its broad-band connection.
Transaction Response Times:
The Contractor shall maintain the system so that offender record searches or "look
ups", on average, be returned in less than IO-seconds and data queries in less than 45seconds. Standard daily workflow reports as outlined in the requirements will be
returned in a timely manner that will not impede end user workflow; within 2 minutes.
Reports that analyze a large amount of data over a wide range of time, return times will
vary based on report criteria and are outside the scope of these response times.
Reports that analyze a large amount of data over a wide range of time can be scheduled
using the CorrecTek batch report engine t<? reduce return times. The· State shall
maintain a broad-band connection at each location. Contractor shall not be liable for
transaction response times if the State experiences a failure of any kind in its broadband connection or hosting services, issues that may be related to user error or training
issues, reports run by non-designated staff, or hardware limitations.
The State reserves the right to measure Availability and Response times independently,
review tools, and calculations of SLA metrics.
v. SURVIVAL
Except as otherwise provided, any obligations and duties which by their nature extend
beyond the expiration or termination of this Agreement, shall survive the expiration or
termination of this Agreement.

w. SEVERABILITY
If any provision of this Agreement is found to be invalid or unenforceable, such provision shall
be severed from this Agreement while not affecting the validity or enforceability of the
remaining provisions, which shall remain in full force and effect.
x. NOTICES
Contractor shall send all notices regarding system maintenance, software upgrades and/or
emergency downtime to the State's appointed contact via email. Notwithstanding anything to
the contrary in the Contract Documents, all notices must be given in accordance with the
terms of this paragraph and shall be sent to the addresses set forth below or such addresses as
may be provided from time to time. Each of the Parties agree that if any notices are sent to
the State via electronic mail or facsimile transmission, and such notices require an approval,
consent, express or implied, or other affirmative action from State, then, in addition, the
Parties shall provide a hard copy of such notice to State, either via hand delivery, certified
mail or overnight courier.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 35 of67
Contract#29960

If to the State:

State of Vermont:
EHR Project Manager
Department of Corrections
Agency of Human Services
103 South Main Street
Waterbury, VT 05671

If to the Contractor:

Centurion of Vermont, LLC
Steven H. Wheeler
1593 Spring Hill Road, Suite 610
Vienna, VA 22182

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 3~ of 67
Contract#29960

1. Contact Information
The State's Prim.a!):'. Contact:
Cheryl Burcham
Project Manager
Agency of Human Services
103 South Main Street
Waterbury, VT 05671
Cheryl. Burcham@state. vt. us

The State's Seconda!):'. Contact:
Debra Kobus
Medical Services Contract
Administrator
Department of Corrections
103 South Main Street
Waterbury, VT 05671
Debra.Kobus@state.vt.us

The State's DOC Onerations Contact:
Delores Burroughs-Biron
Director of Medical Services
Department of Corrections
103 South Main Street
Waterbury, VT 05671
Dee.BurroughsBiron@state. vt. us

The State's Technical Lead Contact:
Lucas Herring
Information Technology
Manager
Agency of Human Services
103 South Main Street
Waterbury, VT 05671
Lucas.Herring@state. vt. us
802-505-0564

The Contractor's Prima!):'. Contact:
Christie Nader
Sr. Director, IT
Centurion
1593 Spring Hill Rd, #600
Vienna, VA 22182
cnader@centurionmcare.com

The Contractor's Secondan: Contact:
Karthik Elangovan
Manager, Application
Development
Centurion
1593 Spring Hill Rd, #600
Vienna, VA 22182
kelangovan@mhmservices.com
The Contractor's Technical Lead
Contact:
Matt Wurth, CTO
CorrecTek
1640 McCracken Boulevard
Paducah, Kentucky 42001
mwurth@correctek.com

The Contractor's O{!erations Contact:
Theresa Randall
5430 Waterbury Stowe Rd
Bldg # 1, Ground Floor
Waterbury Center, VT 05677
trandall@CenturionVT .com

Page 37 of 67
Contract#29960

STATE OF VERMONT
CONTRACT FOR SERVICES
ATTACHMENT B
CONTRACT FOR SERVICES
PAYMENT PROVISIONS

The maximum dollar amount payable under this Contract is not intended as any form of a guaranteed
amount. The Contractor will be paid for products delivered or services actually performed as specified in
Attachment A, up to the maximum allowable amount specified on page 1 of this Contract. State of
Vermont payment terms are Net 30 days from date of an error-free invoice, and all payments against this
contract shall comply with the State's payment terms. The payment schedule for delivered products, or
rates for services performed, and any additional reimbursements, are included in this attachment. The
following provisions specifying payments are:
MILESTONE DELIVERABLES

The State shall pay Contractor a fixed price payment to Contractor upon State acceptance of each
payment deliverable according to the cost schedule below. The maximum amount for .the Milestone
Deliverables of the Contract will not exceed $1 ,023,463. The cost of annual Support and Maintenance,
and Hosting, will be paid as outlined below. A retainage of 10% is held back from each deliverable and
upon completion of all deliverables, Contractor shall submit a single invoice for release of the full amount
of retainage withheld.

ID#

Estimated Timeframe
From Contract
Execution

Milestone/Deliverable
Description

Upon Contract
Execution
0-30 days after contract
execution
0-30 days after contract
execution
0-30 days after contract
execution
0-30 days after contract
execution

CorrecTek License
Phase 1: Project KicJ{-Off
1
2
3
4

Kick Off Meeting
Delivery of Initial Project
Plan
Data Conversion and
Migration Plan
Staffing Plan
Phase 2: Network
Readiness

5

Security Plan

6

Risk Assessment

7

Security Controls
Document

8

Risk Management Plan

I
I

31 - 89 days after
contract execution

31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution

Invoice
Amount

10%
Retainage
Amount

%of
Total

$130,672

$13,067

20%

$65,336

$6,534

10%

Payment
included
with
Phase3

STATE OF VERMONT
CONTRACT FOR SERVICES

9

Change Management Plan

10

Organizational Change
Management Plan

11

Communications Plan

12

Disaster Recovery Plan

13

IT Risk Assessment

14

Security Controls Audit

15

Requirements Traceability
Matrix

16

Functional Design

17

Technical Specifications
and Network Diagram
Phase 3: Interface
Development/Database
Configuration

18

19

Complete onsite
assessments of facilities to
gather workflow and data
requirements utilized in the
database configuration
process.
Delivery of EHR Base
System and User
Acceptance Test Sign-Off
on Base System to Ensure
Successful Installation

Page 38 of 67
Contract#29960

31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
31 - 89 days after
contract execution
90 - 239 Days after
contract execution

91 - 23 9 Days after
contract execution

91 - 239 Days after
contract execution

'*Actual timeframe will

20

Delivery of OMS Interface
(As Defined in the
Document "CorrecTek
OMS Interface Guide")

*Actual timeframe will

21

Delivery of Pharmacy
Interface (As Defined in the
Document "CorrecTek
Pharmacy Interface Guide")

22

Delivery of Lab Interface
(As Defined in the
Document "CorrecTek Lab
Interface Guide")

vary according to other
system vendors.
90-209

vary according to other
system vendors.
90-209

*Actual timeframe will
vary according to other
system vendors.
90-209

$248,277

$24,828

38%

STATE OF VERMONT
CONTRACT FOR SERVICES

23

24

25

26

27

28

29

30

31

32

33

Delivery of Radiology
Interface (As Defined in the
Document "CorrecTek
Radiology Interface
Guide")
Data Extraction from
Legacy DOC System
(ERMA)
Map Data Elements Delivery of Data
Conversion Plan
Submit Mapped Data
Elements for review Delivery of Data Mapping
Document
Completed data conversion
State sign-off of the final
configuration elements
required before CorrecTek
configuration efforts begin.
Approval of Facility
Assessment Summary
document.
Construction,
Configuration, and Unit
Test Summary - Delivery
of Draft Acceptance Test
Plan ("ATP"). The standard
CorrecTek Show and Tell
Process will be utilized.
Provide an informational
demo for User Acceptance
Testers to equip them for
the Show and Tell Sessions.
Delivery of SSAE-16 SOC
2 certification to the State.
Unit Test Results Delivery of completed
ATP's from Construction
Phase. Summaries for each
CorrecTek Show and Tell
session will be provided.
Integration and System Test
Plan - State signoff on the
Acceptance Test Plan of
EHR. Necessary changes
that are identified during the
Show and Tell sessions will

Page 39 of 67
Contract#29960

*Actual timeframe will
vary according to other
system vendors.
90-209
91 - 239 Days after
contract execution
91 - 239 Days after
contract execution
91 - 239 Days after
contract execution
91-239 Days after
contract extension

91 - 239 Days after
contract execution

91 - 239 Days after
contract execution

91 - 239 Days after
contract execution
91 - 239 Days after
contract execution

91 - 239 Days after
contract execution

91 - 239 Days after
contract execution

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 40 of 67
Contract#29960

be addressed and
demonstrated to the State.

34

35

36

37
38
39
40

41
42
43
44

Finalize Data Configuration
based on elements approved
by the State in the Facility
Assessment Summary
document.
Delivery of final,
configured database
Documentation Plan Delivery of draft Training
Manual. CorrecTek
standard training resources
will be utilized.
Phase 4: Training
Schedule and Chart Prep
Delivery of Training Plan
(Curriculum, Final Manual,
and Training Schedule)
Schedule Training
Users complete training
questionnaire (provided by
CorrecTek)
Delivery of Chart Prep
Training.
Phase 5: Onsite Training
and Go-Live
Conduct training sessions
for all end users
Implementation/Go-Live
Date
Documentation - Delivery
of System and User
Manuals
Initiate One-year Warranty
Period

Phase 6: Post Go-Live
45

46

Post Go-Live Onsite
Assessments
512 additional development
hours for
future/undetermined
interfaces which might
include VITL, EKG

91 - 239 Days after
contract execution
91 - 23 9 Days after
contract execution
91 - 239 Days after
contract execution

230 -239 days after
contract execution

$52,269

$5,227

8%

$65,336

$6,534

10%

$91,470

$9,147

14%

231 -239 days after
contract execution
231 -239 days after
contract execution
231 -239 days after
contract execution
234 -239 days after
contract execution
240 - 270 days after
contract execution
241 -270 days after
contract execution
244 - 270 days after
contract execution
245 - 270 days after
contract execution
246 - 270 days after
contract execution
300+ days after contract
execution
300 days after contract
execution
3 00+ days after contract
execution

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 41 of 67
Contract#29960

machine, and
Medicare/Medicaid

47

48

Provide annual SSAE-16
SOC 2 and 800-53 R4
300+ days after contract
Compliance certification to execution
the State
Post Implementation
300+ days after contract
Evaluation and Certification execution
Upon receipt of all
Retainage Payment
Contract Deliverables

$65,360

ANNUAL SUPPORT AND MAINTENANCE FEES:
System Maintenance and Operations
System Annual Support & Maintenance
Year 2 (Warranty Period):

Cost
$0

System Annual Support & Maintenance
Year 3:

$18,000

$18,000 Contractor shall invoice for full
amount at one year
anniversary of the Go Live
date

System Annual Support & Maintenance
(Optional Year 4):

$18,000

$18,000

Contractor shall invoice for full
amount upon the start of the
Current Service Period

System Annual Support & Maintenance
(Optional Year 5):

$18,000

$18,000

Contractor shall invoice for full
amount upon the start of the
Current Service Period

Invoice

Payable Date

$0

HOSTING FEES:
Hosting fees are based on a 20GB per user flat fee, with a $1 per GB overage fee, and Microsoft licensing
costs evaluated in relation to the previous service period, based on 66 workstations (PCs, laptops and
tablets) and 180 users. Maximum payment shall not to exceed a 5% increase over the previous payment
period assuming the same number of users and the same number of workstations (PCs, laptops and
tablets). Contractor shall provide an invoice with detailed billing information related to each of the
separate hosting fees.
System Hosting
Fees

I

I
I

Cost per
year

Invoice

Maximum
Payment
for 12month
Service

I

Invoice Date

Page 42 of 67
Contract#29960

STATE OF VERMONT
CONTRACT FOR SERVICES
Period

Construction and
Configuration
Hosting Period (Year
1)

Microsoft Licensing
Fees

System Hosting Fees
Year 2:

Pro-rated
per month

Pro-rated
per month

Yearly
billing

Based on evaluation of costs,
not to exceed $3,300 per
month.

Contractor shall
invoice the State
once the
Application is
available to State
users in the Hosting
environment. If
system's go-live
date occurs before
the end of this
payment period, the
pro-rated amount
equal to the amount
of months
remaining in Year 1
shall be credited by
Contractor to Year
2 System Hosting
$39,600 Fees.

Based on evaluation of costs,
not to exceed $2934 per
month.

Contractor shall
invoice the State
once the
Application is
available to State
users in the Hosting
environment. If
system's go-live
date occurs before
the end of this
payment perio~, the
pro-rated amount
equal to the amount
of months
remaining in Year 1
$35208 shall be paid.

Based on evaluation of costs,
not to exceed a 5% increase
bver previous period

Contractor shall
invoice for full
amount upon
implementation (Go
$41,580 Live date) of

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 43 of 67
Contract#29960

system

Microsoft Licensing
Fees Year 2

Pro-rated
per month
Yearly
billing

Based on evaluation of costs,
tnot to exceed a 5% increase
!Over previous period
Based on.evaluation of costs,
not to exceed a 5% increase
over previous period

Contractor shall
invoice for full
amount upon
implementation (Go
Live date) of
$36,968 system

System Hosting Fees
Year 3:

Contractor shall
invoice for full
amount upon the
start of the Current
Service Period on
the anniversary of
$43,659 the Go Live date

Microsoft Licensing
Fees Year 3

Contractor shall
invoice for full
amount upon the
start of the Current
Service Period on
the aru_iiversary of
$38,817 the Go Live date

Pro-rated
per month
Yearly
billing

Based on evaluation of costs,
not to exceed a 5% increase
over previous period
Based on evaluation of costs,
not to exceed a 5% increase
over previous period

System Hosting Fees
(Optional Year 4):

Contractor shall
invoice for full
amount upon the
start of the Current
$45840 Service Period

System Hosting Fees
(Optional Year 5):

Contractor shall
invoice for full
amount upon the
start of the Current
$40,760 Service Period
Contractor shall
invoice for full
amount upon the
start of the Current
$48,132 Service Period

Microsoft Licensing
Fees Year (Optional
Year 5)

Contractor shall
invoice for full
amount upon_the
start of the Current
$42,798 Service Period

Microsoft Licensing
Fees Year (Optional
Year 4)

Pro-rated
per month
Yearly
billing

Pro-rated
per month

Based on evaluation of costs,
not to exceed a 5% increase
over previous period
Based on evaluation of costs,
not to exceed a 5% increase
over previous period

Based on evaluation of costs,
not to exceed a 5% increase
over previous period

Page 44 of 67
Contract#29960

STATE OF VERMONT
CONTRACT FOR SERVICES

Unanticipated Time & Management Table:
Examples of possible Change Order options:
Additional Training

Additional Software Module or Functionality not included in
original Requirements
Directives that change from time to time, which do not match
up with Software's then-current functionality

Creation of interfaces not defined in the contract.

Fee
$75/per hour. Contractor will
scope out the effort and
provide State with a Quote.
$75/per hour. Contractor will
scope out the effort and
provide State with a Quote.
$75/per hour for configuration
services and/or $125 for
development services.
Contractor will scope out the
effort and provide State with a
Quote.
$125/per hour. Contractor will
scope out the effort and
provide State with a Quote.

The State will only make payment for the deliverables as defined in this Contract and will not be
responsible for additional expenses or costs of the Contractor.
1. The Contractor shall submit invoices on their standard billhead. All invoices shall contain the
contract number, a clear description of the invoice period for which payment is requested,. a
description of all work performed during the invoice period, Contractor's signature, any applicable
amount of retainage withheld, and the total invoice amount due. Contracte>r invoices may be
mailed or e-mailed to:
Debra Kobus
Contract Manager
Vermont Department of Corrections
103 South Main Street
Waterbury, VT 05671
2. State will remit Payment to:
Financial Comptroller
CENTURION of Vermont, LLC
1593 Spring Hill Road, Suite 610
Vienna, VA 22182
3. The State shall not be responsible for expenses of the Contractor that are not covered under this
Contract.
4. The Contractor specified in this Contract is the primary Contractor and is solely responsible for
fulfillment of the contract with the State. The State will only make contract payments to the
primary Contractor.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 45 of67
Contract#29960

5. Invoices submitted more than 90 days after the month of service or completion of an accepted
deliverable may not be honored, except for additional charges agreed to by the Parties.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 46 of 67
Contract#29960
ATTACHMENT C
STANDARD STATE PROVISIONS
FOR CONTRACTS AND GRANTS

1. Entire Agreement: This Agreement, whether in the form of a Contract, State Funded Grant, or

Federally Funded Grant, represents the entire agreement between the parties on the subject matter. All
prior agreements, representations, statements, negotiations, and understandings shall have no effect.

2. Applicable Law: This Agreement will be governed by the laws of the State of Vermont.
3. Definitions: For purposes of this Attachment, "Party" shall mean the Contractor, Grantee or
Subrecipient, with whom the State of Vermont is executing this Agreement and consistent with the
form of the Agreement.
4. Appropriations: If this Agreement extends into more than one fiscal year of the State (July 1 to June
30), and if appropriations are insufficient to support this Agreement, the State may cancel at the end of
the fiscal year, or otherwise upon the expiration of existing appropriation authority. In the case that
this Agreement is a Grant that is funded in whole or in part·by federal funds, and in the event federal
funds become unavailable or reduced, the State may suspend or cancel this Grant immediately, and
the State shall have no obligation to pay Subrecipient from State revenues.
5. No Employee Benefits For Party: The Party understands that the State will not provide any
individual retirement benefits, group life insurance, group health and dental insurance, vacation or
sick leave, workers compensation or other benefits or services available to State employees, nor will
the state withhold any state or federal taxes except as required under applicable tax laws, which shall
be determined in advance of execution of the Agreement. The Party understands that all tax returns
required by the Internal Revenue Code and the State of Vermont, including but not limited to income,
withholding, sales and use, and rooms and meals, must be filed by the Party, and information as to
Agreement income will be provided by the State of Vermont to the Internal Revenue Service and the
Vermont Department of Taxes.
6. Independence, Liability: The Party will act in an independent capacity and not as officers or
employees of the State.
The Party shall defend the State and its officers and employees against all claims or suits arising in
whole or in part from any act or omission of the Party or of any agent of the Party. The State shall
notify the Party in the event of any such claim or suit, and the Party shall immediately retain counsel
and otherwise provide a complete defense against the entire claim or suit.
After a final judgment or settlement the Party may request recoupment of specific defense costs and
may file suit in Washington Superior Court requesting recoupment. The Party shall be entitled to
recoup costs only upon a showing that such costs were entirely umelated to the defense of any claim
arising from an act or omission of the Party.
The Party shall indemnify the State and its officers and employees in the event that the State, its
officers or employees become legally obligated to pay any damages or losses arising from any act or
omission of the Party.
7. Insurance: Before commencing work on this Agreement the Party must provide certificates of
insurance to show that the following minimum coverages are in effect. It is the responsibility of the
Party to maintain current certificates of insurance on file with the state through the term of the
Agreement. No warranty is made that the coverages and limits listed herein are adequate to cover and
protect the interests of the Party for the Party's operations. These are solely minimums that have been
established to protect the interests of the State.

. STATE OF VERMONT
CONTRACT FOR SERVICES

Page 47 of 67
Contract#29960

Worke-rs Compensation: With respect to all operations performed, the Party shall carry workers'
compensation insurance in accordance with the laws of the State of Vermont.
General Liability and Property Damage: With respect to all operations performed under the
contract, the Party shall carry general liability insurance having all major divisions of coverage
including, but not limited to:

Premises - Operations
Products and Completed Operations
Personal Injury Liability
Contractual Liability
The policy shall be on an occurrence form and limits shall not be less than:
$1,000,000 Per Occurrence
$1,000,000 General Aggregate
$1,000,000 Products/Completed Operations Aggregate
$ 50,000 Fire/ Legal/Liability
Party shall name the State of Vermont and its officers and employees as additional insureds for
liability arising out of this Agreement.
Automotive Liability: The Party shall carry automotive liability insurance covering all motor
vehicles, including hired and non-owned coverage, used in connection with the Agreement. Limits
of coverage shall not be less than: $1,000,000 combined single limit.

Party shall name the State of Vermont and its officers and employees as additional insureds for
liability arising out of this Agreement.
8. Reliance by the State on Representations: All payments by the State under this Agreement will be
made in reliance upon the accuracy of all prior representations by the Party, including but not limited
to bills, invoices, progress reports and other proofs of work.
9. Requirement to Have a Single Audit: In the case that this Agreement is a Grant that is funded in
whole or in part by federal funds, the Subrecipient will complete the Subrecipient Annual Report
annually within 45 days after its fiscal year end, informing the State of Vermont whether or not a
Single Audit is required for the prior fiscal year. If a Single Audit is required, the Subrecipient will
submit a copy of the audit report to the granting Party within 9 months. If a single audit is not
required, only the Subrecipient Annual Report is required.

For fiscal years ending before December 25, 2015, a Single Audit is required if the subrecipient
expends $500,000 or more in federal assistance during its fiscal year and must be conducted in
accordance with 0MB Circular A-133. For fiscal years ending on or after December 25, 2015, a
Single Audit is required if the subrecipient expends $750,000 or more in federal assistance during its
fiscal year and must be conducted in accordance with 2 CFR Chapter I, Chapter II, Part 200, Subpart
F. The Subrecipient Annual Report is required to be submitted within 45 days, whether or not a
Single Audit is required.
10. Records Available for Audit: The Party shall maintain all records pertaining to performance under
this agreement. "Records" means any written or recorded information, regardless of physical form or
characteristics, which is produced or acquired by the Party in the performance of this
agreement. Records produced or acquired in a machine readable electronic format shall be maintained
in that format. The records described shall be made available at reasonable times during the period of

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 48 of 67
Contract#29960

the Agreement and for three years thereafter or for any period required by law for inspection by any
authorized representatives of the State or Federal Government. If any litigation, claim, or audit is
started before the expiration of the three year period, the records shall be retained until all litigation,
claims or audit findings involving the records have been resolved.

11. Fair Employment Practices and Americans with Disabilities Act: Party agrees to comply with the
requirement of Title 21 V.S.A. Chapter 5, Subchapter 6, relating to fair employment practices, to the
full extent applicable. Party shall also ensure, to the full extent required by the Americans with
Disabilities Act of 1990, as amended, that qualified individuals with disabilities receive equitable
access to the services, programs, and activities provided by the Party under this Agreement. Party
further agrees to include this provision in all subcontracts.
12. Set Off: The State may s~t off any sums which the Party owes the State against any sums due the
Party under this Agreement; provided, however, that any set off of amounts due the State of Vermont
as taxes shall be in accordance with the procedures more specifically provided hereinafter.
13. Taxes Due to the State:
a. Party understands and acknowledges responsibility, if applicable, for compliance with State
tax laws, including income tax withholding for employees performing services within the
State, payment of use tax on property used within the State, corporate and/or personal income
tax on income earned within the State.
b. Party certifies under the pains and penalties of perjury that, as of the date the Agreement is
signed, the Party is in good standing with respect to, or in full compliance with, a plan to pay
any and all taxes due the State of Vermont.
c. Party understands that final payment under this Agreement may be withheld if the
Commissioner of Taxes determines that the Party is not in good standing with respect to or in
full compliance with a plan to pay any and all taxes due to the State of Vermont.
d. Party also understands the State may set off taxes-(and related penalties, interest and fees) due
to the State of Vermont, but only if the Party has failed to make an appeal within the time
allowed by law, or an appeal has been taken and finally determined and the Party has no
further legal recourse to contest the amounts due.

1,4. Child Support: (Applicable if the Party is a natural person, not a corporation or partnership.) Party
states that, as of the date the Agreement is signed, he/she:
a. is not under any obligation to pay child support; or
b. is under such an obligation and is in good standing with respect to that obligation; or
c. has agreed to a payment plan with the Vermont Office of Child Support Services and is in full
compliance with that plan.
Party makes this statement with regard to support owed to any and all children residing in Vermont.
In addition, if the Party is a resident of Vermont, Party makes this statement with regard to support
owed to any and all children residing in any other state or territory of the United States.

15. Sub-Agreements: Party shall not assign, subcontract or subgrant the performance of this Agreement
or any portion thereof to any other Party without the prior written approval of the State. Party also
agrees to include in all subcontract or subgrant agreements a tax certification in accordance with
paragraph 13 above.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 49 of67
Contract#29960

16. No Gifts or Gratuities: Party shall not give title or possession of anything of substantial value
(including property, currency, travel and/or educ·ation programs) to any officer or employee of the
State during the term of this Agreement.
17. Copies: All written reports prepared under this Agreement will be printed using both sides of the
paper.
18. Certification Regarding Debarment: Party certifies under pains and penalties of perjury that, as of
the date that this Agreement is signed, neither Party nor Party's principals (officers, directors, owners,
or partners) are presently debarred, suspended, proposed for debarment, declared ineligible or
excluded from participation in federal programs, or programs supported in whole or in part by federal
funds.
Party further certifies under pains and penalties of perjury that, as of the date that this Agreement is
signed, Party is not presently debarred, suspended, nor named on the State's debarment list at:
http://bgs. vermont. gov /purchasing/debarment
19. Certification Regarding Use of State Funds: In the case that Party is an employer and this
Agreement is a State Funded Grant in excess of $1,001, Party certifies that none of these State fun:ds
will be used to interfere with or restrain the exercise of Party's employee's rights with respect to
unionization.
20. Internal Controls: In the case that this Agreement is an award that is funded in whole or in part by
Federal funds, in accordance with 2 CFR Part II, §200.303, the Party must establish and maintain
effective internal control over the Federal award to provide reasonable assurance that the Party is
managing the Federal award in compliance with Federal statutes, regulations, and the terms and
conditions of the award. These internal controls should be in compliance with guidance in "Standards
for Internal Control in the Federal Government" issued by the Comptroller General of the United
States and the "Internal Control Integrated Framework", issued by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO).
21. Mandatory Disclosures: In the case that this Agreement is an award funded in whole or in part by
Federal funds, in accordance with 2CFR Part II, §200.113, Party must disclose, in a timely manner, in
writing to the State, all violations of Federal criminal law involving fraud, bribery, or gratuity
violations potentially affecting the Federal award. Failure to make required disclosures may result in
the imposition of sanctions which may include disallowance of costs incurred, withholding of
payments, termination of the Agreement, suspension/debarment, etc.
22. Conflict of Interest: Party must disclose in writing any potential conflict of interest in accordance
with Uniform Guidance §200.112, Bulletin 5 Section IX and Bulletin 3.5 Section IV.B.
State of Vermont, Attachment C; ABS-Revised 03/01/2015

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 50 of67
Contract#29960
ATTACHMENT D
OTHER PROVISIONS

1. OWNERSHIP AND LICENSE IN DELIVERABLES
1.1 State Intellectual Property; State Intellectual Property; User Name. The State shall retain
all right, title and interest in and to (i) all content and all property, data and information
furnished by or ori behalf of the State or any agency, commission or board thereof, and to all
information that is created under this Contract, including, but not limited to, all data that is
generated under this Contract as a result of the use by Contractor, the State or any third party
of any technology systems or knowledge bases that are developed for the State and used by
Contractor hereunder, and all other rights, tangible or intangible; and (ii) all State trademarks,
trade names, logos artd other State identifiers, Internet uniform resource locators, State user
name or names, Internet addresses and e-mail addresses obtained or developed pursuant to this
Contract (collectively, "State Intellectual Prope1ty").

Contractor may not use State Intellectual Property for any purpose other than as specified in
this Contract. Upon expiration or termination of this Contract, Contractor shall return or
destroy all State Intellectual Property and all copies thereof, and Contractor shall have no
further right or license to such State Intellectual Property.
Contractor acquires no rights or licenses, including, without limitation, intellectual property
rights or licenses, to use State Intellectual Property for its own purposes. In no event shall the
Contractor claim any security interest in State Intellectual Property.
1.2 Work Product. All Work Product shall belong exclusively to the State, with the State having
the sole and exclusive right to apply for, obtain, register, hold and renew, in its own name
and/or for its own benefit, all patents and copyrights, and all applications and registrations,
renewals and continuations thereof and/or any and all other appropriate protection. To the
extent exclusive title and/or complete and exclusive ownership rights in and to any Work
Product may not originally vest in the State by operation of law or otherwise as contemplated
hereunder, Contractor shall immediately upon request, unconditionally and irrevocably assign,
transfer and convey to the State all right, title and interest therein.

"Work Product" means any tangible or intangible ideas, inventions, improvements,
modifications, discoveries, development, customization, configuration, methodologies or
processes, designs, models, drawings, photographs, reports, formulas, algorithms, patterns,
devices, compilations, databases, computer programs, work of authorship, specifications,
operating instructions, procedures manuals or other documentation, technique, know-how,
secret, or intellectual property right whatsoever or any interest therein (whether patentable or
not patentable or registerable under copyright or similar statutes or subject to analogous
protection), that is specifically made, conceived, discovered or reduced to practice by
Contractor, either solely or jointly with others, pursuant to this Contract. Work Product does
not include Contractor Intellectual Property or third party intellectual property.
To the extent delivered under this Contract, upon full payment to Contractor in accordance
with Attachment B, and subject to the terms and conditions contained herein, Contractor
hereby (i) assigns to State all rights in and to all Deliverables, except to the extent they include
any Contractor Intellectual Property; and (ii) grants to State a perpetual, non-exclusive,
irrevocable, royalty-free license to use for State's internal business purposes, any Contractor
Intellectual Property included in the Deliverables in connection with its use of the Deliverables
and, subject to the State's obligations with respect to Confidential Information, authorize

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 51 of 67
Contract#29960

others to do the same on the State's behalf. Except for the foregoing license grant, Contractor
or its licensors retain all rights in and to all Contractor Intellectual Property.
The Contractor shall not sell or copyright a Deliverable without explicit permission from the
State.
If the Contractor is operating a system or application on behalf of the State of Vermont, then
the Contractor shall not make information entered into the system or application available for
uses by any other party than the State of Vermont, without prior authorization by the State.
Nothing herein shall entitle the State to pre-existing Contractor Intellectual Property or
Contractor Intellectual Property developed outside of this Contract with no assistance from
State.

2. CONFIDENTIALITY AND NON-DISCLOSURE; SECURITY BREACH REPORTING

2.1 Confidentiality of Contractor Information. The Contractor acknowledges and agrees
that this Contract and any and all Contractor information obtained by the State in connection
with this Contract are subject to the State of Vermont Access to Public Records Act, 1 V.S.A.
§ 315 et seq. The State will not disclose information for which a reasonable claim of
exemption can be made pursuant to 1 V .S.A. § 317(c), including, but not limited to, trade
secrets, proprietary information or financial information, including any formulae, plan, pattern,
process, tool, mechanism, compound, procedure, production data, or compilation of
information which is not patented, which is known only to the Contractor, and which gives the
Contractor an opportunity to obtain business advantage over competitors who do not know it
or use it.
The State shall immediately notify Contractor of any request made under the Access to Public
Records Act, or any request or demand by any court, governmental agency or other person
asserting a demand or request for Contractor information. Contractor may, in its discretion,
seek an appropriate protective order, or otherwise defend any right it may have to maintain the
confidentiality of such information under applicable State law within three .business days of
the State's receipt of any such request. Contractor agrees that it will not make any claim
against the State if the State makes available to the public any information in accordance with
the Access to Public Records Act or in response to a binding order from a court or
governmental body or agency compelling its production. Contractor shall indemnify the State
for any costs or expenses incurred by the State, including, but not limited -to, attorneys' fees
awarded in acco.rdance with 1 V.S.A. § 320, in connection with any action brought in
connection with Contractor's attempts to prevent or unreasonably delay public disclosure of
Contractor's information.
The State agrees that (a) it will use the Contractor information only as may be necessary in the
course of performing duties, receiving services or exercising rights under this Contract; (b) it
will provide at a minimum the same care to avoid disclosure or unauthorized use of Contractor
information as it provides to protect its own similar confidential and proprietary information;
(c) except as required by the Access to Records Act, it will not disclose such information
orally or in writing to any third party unless that third party is subject to a written
confidentiality agreement that contains restrictions and safeguards at least as restrictive as
those contained in this Contract; (d) it will take all reasonable precautions to protect the
Contractor's information; and (e) it will not otherwise appropriate such information to its own
use or to the use of any other person or entity.

Page 52 of67
Contrac(#29960

STATE OF VERMONT
CONTRACT FOR SERVICES

Contractor may affix an appropriate legend to Contractor information that is provided under
this Contract to reflect the Contractor's determination that any such information is a trade
secret, proprietary information or financial information at time of delivery or disclosure.
2.2 Confidentiality of State Information. In performance of this Contract, and any exhibit or
schedule hereunder, the Party acknowledges that certain State Data (as defined below), to
which the Contractor may have access may contain individual federal tax information,
personal protected health information and other individually identifiable information protected
by State or federal law. In addition to the provisions of this Section, the Party shall execute
the HIP AA Business Associate Agreement attached as Attachment E. Before receiving or
controlling State Data, the Contractor will have an information security policy that protects its
systems and processes and media that may contain State Data from internal and external
security threats and State Data from unauthorized disclosure, and will have provided a copy of
such policy to the State. State Data shall not be stored, accessed from, or transferred to any
location outside the United States.
Unless otherwise instructed by the State, Contractor agrees to _keep confidential all information
received and collected by Contractor in connection with this Contract ("State Data"). The
Contractor agrees not to publish, reproduce, or otherwise divulge any State Data in whole or in
part, in any manner or form or authorize or permit others to do so. Contractor will take
reasonable measures as are necessary to restrict access to State Data in the Contractor's
possession to only those employees on its staff who must have the information on a "need to
know" basis. The Contractor shall use State Data only for the purposes of and in accordance
with this Contract. The Contractor shall provide at a minimum the same care to avoid
disclosure or unauthorized use of State Data as it provides to protect its O)-Vll similar
confidential and proprietary information.
The Contractor shall promptly notify the State of any request or demand by any court,
governmental agency or other person asserting a demand or request for State Data to which the
Contractor or any third party hosting service of the Contractor may have access, so that the
State may seek an appropriate protective order.
3

CONTRACTOR'S REPRESENTATIONS AND WARRANTIES
3.1 General Representations and Warranties.
covenants that:

The Contractor represents, warrants and

(i)

The Contractor has all requisite power and authority to execute, deliver and perform its
obligations under this Contract and the execution, delivery and performance of this
Contract by the Contractor has been duly authorized by the Contractor.

(ii)

There is no outstanding litigation, arbitrated matter or other dispute to which the
Contractor is a party which, if decided unfavorably to the Contractor, would reasonably be
expected to have a material adverse effect on the Contractor's ability to fulfill its
obligations under this Contract.

(iii)

The Contractor will comply with all laws applicable to its performance of the services and
otherwise to the Contractor in connection with its obligations under this Contract.

(iv)

The Contractor has the right to use under valid and enforceable agreements all intellectual
property reasonably necessary for and related to delivery of the services and provision of

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 53 of 67
Contract#29960

the deliverables as set forth in this Contract and none of the deliverables or other materials
or technology provided by the Contractor to the State will infringe upon or misappropriate
the intellectual property rights of any third party.
(v)

The Contractor has adequate resources to fulfill its obligations under this Contract.

(vi)

Contractor has no past state or federal violations, convictions or suspensions relating to
miscoding of employees in NCCI job codes for purposes of differentiating between
independent contractors and employees.

3.2 Contractor's Performance Warranties. Contractor represents and warrants to the State that:

(i)

All deliverables will be free from material errors and shall perform in accordance with the
specifications therefor.

(ii)

Each and all of the services shall be performed in a timely, diligent, professional and
workpersonlike manner, in accordance with the highest professional or technical standards
applicable to such services, by qualified persons with the technical skills, training and
experience to perform such services in the planned environment. At its own expense and
without limiting any other rights or remedies of the State hereunder, the Contractor shall
re-perform any services that the State has determined to be unsatisfactory in its reasonable
discretion, or the Contractor shall refund that portion of the fees attributable to each such
deficiency.

(iii)

All Deliverables supplied by the Contractor to the State shall be transferred free and clear
of any and all restrictions on the conditions of transfer, modification, licensing,
sublicensing and free and clear of ariy and all lines, claims, mortgages, security interests,
liabilities and encumbrances or any kind.

(iv)

Any time software is delivered to the State, whether delivered via electronic media or the
internet, no portion of such software or the media upon which it is stored or delivered will
have any type of software routine or other element which is designed to facilitate
unauthorized access to or intrusion upon; or unrequested disabling or erasure of; or
unauthorized interference with the operation of any hardware, software, data or peripheral
equipment of or utilized by the State. Notwithstanding the foregoing, Contractor assumes
no responsibility for the State's negligence or failure to protect data from viruses, or any
unintended modification, destruction or disclosure.

3.3 Software Warranty. Contractor warrants that the Software shall perform in accordance with
the Contract for a period of one (1) year commencing on the Go-Live Date. In the event of
any defect arising during this warranty period, Contractor shall ensure that such performance
problems are corrected promptly, and at no additional cost to the State, following receipt of
written notice from State of such defect.
3.4 Limitation on Disclaimer. The express warranties set forth in this Contract shall he in lieu of
all other warranties, express or implied.
3.5 Effect of Breach of Warranty. If, at any time during the term of this Contract, the results of
Contractor's work fail to perform according to any warranty of Contractor under this Contract,

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 54 of 67
Contract#29960

the State shall promptly notify Contractor in writing of such alleged nonconformance, and
Contractor shall provide at no additional cost of any kind to the State, the maintenance
required.
4

INDEMNIFICATION

Notwithstanding anything to the contrary set forth in Attachment C of this Contract, Contractor
shall have no obligation to defend or indemnify the State for claims alleging that the State's use of
the EHR software licensed by Correctek infringes a U.S. copyright or misappropriates a third
party trade secret.
·
5

PROFESSIONAL LIABILITY INSURANCE COVERAGE

In addition to the insurance required in Attachment C to this Contract, before commencing work
on this Contract and throughout the term of this Contract, Contractor shall have the obligation to
ensure that the software provider (CorrecTek) and any subcontractor to CorrecTek has
Technology Professional Liability coverage including 1st party breach coverage with limits not
less $1,000,000 per claim, $1,000,000 policy aggregate and 1st party breach coverage of $250,000
per incident. Contractor will provide the State with evidence of this coverage within 2 weeks of
the Contract start and annually thereafter for the term of the Contract. This obligation will transfer
and continue should Centurion elect to use other subcontractors for these services.
6

SOVEREIGN IMMUNITY

The Contractor acknowledges that the State reserves all immunities, defenses, rights or actions
arising out of the State's sovereign status or under the Eleventh Amendment to the United States
Constitution. No waiver of any such immunities, defenses, rights or actions shall be implied or
otherwise deemed to exist by reason of the State's entry into this Contract.
7

DISPUTE RESOLUTION
7.1 Governing Law; Jurisdiction. The Contractor agrees that this Contract shall be governed
by and construed in accordance with the laws of the State of Vermont and that any action or
proceeding brought by either the State or the Contractor in connection with this Contract
shall be brought and enforced in the Superior Court of the State of Vermont, Civil Division,
Washington Unit. The Contractor irrevocably submits to the jurisdiction of such court in
respect of any such action or proceeding. The State shall not be liable for attorneys' fees in
any proceeding.
7.2 Contractor Default. The Contractor shall be in default under this Contract if Contractor
commits any material breach of any covenant, warranty, obligation or certification under this
Contract, fails to perform the Services in conformance with the specifications and warranties
provided in this Contract, or clearly manifests an intent not to perform future obligations
under this Contract, and such breach or default is not cured, or such manifestation of an
intent not to perform is not corrected by reasonable written assurances of performance within
thirty (30) days after delivery of the State's notice period, or such longer period as the State
may specify in such notice.
7.3 State Default. State shall be in default under this Contract if State commits any material
breach or default of any covenant, warranty, or obligation under this Contract and State fails to

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 55 of 67
Contract#29960

cure such failure within thirty (30) business days after delivery of Contractor's notice or such
longer period as Contractor may specify in such notice.
7.4 Trial by Jury. The Contractor acknowledges and agrees that public policy prohibits the State
from agreeing to arbitration and/or from waiving any right to a trial by jury.
7.5 Continuity of Performance. In the event of a dispute between the Contractor and the State,
each party will continue to perform its obligations under this Contract during the resolution of
such dispute unless and until this Contract is terminated in accordance with its terms.
8

REMEDIESFORDEFAULT

In the event either party is in default under this Contract, the non-defaulting party may, at its
option, pursue any or all of the remedies available to it under this Contract, including termination
for cause, and at law or in equity.
9

TERMINATION
9.1 Return of Property. Upon termination of this Contract for any reason whatsoever, Contractor
shall immediately deliver to State all State Intellectual P~operty and State Data (including
without limitation any Deliverables for which State has made payment in whole or in part),
that are in the possession or under the control of Contractor in whatever stage of development
and form of recordation such State property is expressed or embodied at that time.
9.2 No Waiver of Remedies. No delay or failure to exercise any right, power or remedy
accruing to either party upon breach or default by the other under this Contract shall impair
any such right, power or remedy, or shall be construed as a waiver of any such right, power
or remedy, nor shall any waiver of a single· breach or default be deemed a waiver of any
subsequent breach or default. All waivers must be in writing.
9.3 Contractor Bankruptcy. Contractor acknowledges that if Contractor, as a debtor in
possession, or a trustee in bankruptcy in a case under Section 365(n) of Title 11, United
States Code (the "Bankruptcy Code"), rejects this Contract, the State may elect to retain its
rights under this Contract as provided in Section 365(n) of the Bankruptcy Code. Upon
written request of the State to Contractor or the Bankruptcy Trustee, Contractor or such
Bankruptcy Trustee shall not interfere with the rights of the State as provided in this
Contract, including the right to obtain the State Intellectual Property.

10 STATE FACILITIES
10.1 During the term of this Contract, the State may make available to Contractor space in any
State facility applicable to the Services, subject to the conditions that Contractor: (i) shall only
use such space solely and exclusively for and in support of the Services; (ii) shall not use State
facilities to provide goods or services to or for the benefit of any third party; (iii) shall comply
with the leases, security, use and rules and agr~ements applicable to the State facilities; (iv)
shall not use State facilities for any unlawful purpose; (v) shall comply with all policies and
procedures governing access to and use of State facilities that are provided to Contractor in
writing; (vi) instruct Contractor personnel not to photograph or record, duplicate, disclose,
transmit or communicate any State information, materials, data or other items, tangible or
intangible, obtained or available as a result of permitted use of State facilities; and (vii) return

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 56 of67
Contract#29960

such space to the State in the same condition it was in at the commencement of this Contract,
ordinary wear and tear excepted. State facilities will be made available to Contractor on an
"AS IS, WHERE IS" basis, with no warranties whatsoever.
10.2 Contractor Facilities. Contractor will be responsible for procuring, managing,
maintaining and otherwis~ making available all Contractor Resources necessary to provide the
Services in accordance with the Requirements hereunder. Contractor will seek and obtain the
State's prior written approval for any relocation of any Contractor Facilities at, from or
through which the Services are provided and shall mitigate any impact to the State. Any such
relocation shall be without additional cost to the State. No Contractor Facility providing
Services pursuant to this Contract shall be located outside the United States.
11 CONFLICTS OF INTEREST
Contractor agrees that during the term of this Contract, its performance shall be solely in the best
interest of the State. Contractor will not perform services for any person or entity which has also
contracted with the State of Vermont in connection with the same project, without express written
consent of the State. Contractor shall fully disclose, in writing, any such conflicts of interest,
including the nature and extent of the work to be performed for any other person or entity so that
the State may be fully informed prior to giving any consent. Contractor agrees that the failure to
disclose any such conflicts shall be deemed an event of default under this Contract, and this
Contract shall be terminable immediately.
12 MISCELLANEOUS
12.1 Taxes. Most State purchases are not subject to federal or state sales or excise taxes and
must be invoiced tax free. An exemption certificate will be furnished upon request covering
taxable items.
12.2 Force Majeure. Neither the State nor the Contractor shall be liable to the other for any
failure or delay of performance of any obligations hereunder to the extent such failure or delay
shall have been wholly or principally caused by acts o_r events beyond its reasonable control
making it illegal or impossible to perform their obligations under this Contract, including
without limitation, acts of God, acts of civil or military authority, fires, floods, earthquakes or
other natural disasters, war or riots, provided however, that the foregoing shall not be
applicable to (x) any obligation of such party to pay monies under this Agreement, or (y) any
indemnity obligations of such party under this Agreement. If a party asserts Force Majeure as
an excuse for failure to perform the party's obligation, then the nonperforming party must
prove that it made all reasonable efforts to remove, eliminate or minimize such cause of delay
or damages, diligently pursued performance of its obligations under this Contract, substantially
fulfilled all non-excused obligations, and timely notified the other party of the likelihood or
actual occurrence of an event described in this paragraph.
12.3 Marketing. Neither party to this Contract shall refer to the other party in any publicity
materials, information pamphlets, press releases, research reports, advertising, sales
promotions, trade shows, or marketing materials or similar communications to third parties
except with the prior written consent of such party prior to release.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 57 of 67
Contract#29960

ATTACHMENT E
BUSINESS ASSOCIATE AGREEMENT
This business associate agreement ("agreement") is entered into by and between the State of
Vermont Agency of Human Services, operating by and. through its Department of Corrections
("covered entity") and Centurion of Vermont, LLC ("business associate") as of 09/15/2015
("effective date"). This agreement supplements and is made a part of the contract/grant to which it
is attached.

Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated
under the Health Insurance Portability and Accountability Act of 1996 ("HIP AA"), including the
Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164
("Privacy Rule"), and the Security Standards, at 45 CFR Parts 160 and 164 ("Security Rule"), as amended
by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH),
and any associated federal rules and regulations.
The parties agree as follows:
1.
Definitions. All capitalized terms used but not otherwise defined in this Agreement have the
meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and
regulations.

"Agent" means those person(s) who are agents(s) of the Business Associate, in accordance with the
Federal common law of agency, as referenced in 45 CFR § 160.402(c).
"Breach" means the acquisition, access, use or disclosure of protected health information (PHI) which
compromises the security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR
§ 164:402.
"Business Associate shall have the meaning given in 45 CFR § 160.103.
"Individual" includes a person who qualifies as a personal representative in accordance with 45 CFR §
164.502(g).
"Protected Health Information" or PHI shall have the meaning given in 45 CFR § 160.103, limited to the
information created or received by Business Associate from or on behalf of Agency.
"Security Incident" means any known successful or unsuccessful attempt by an authorized or
unauthorized individual to inappropriately use, disclose, modify, access, or destroy any information or
interference with system operations in an information system.
"Services" includes all work performed by the Business Associate for or on behalf of Covered Entity that
requires the use and/or disclosure of protected health information to perform a business associate function
described in 45 CFR § 160.103 under the definition of Business Associate.
"Subcontractor" means a person or organization to whom a Business Associate delegates a function,
activity or service, other than in the capacity of a member of the workforce of the Business Associate.
For purposes of this Agreement, the term Subcontractor includes Subgrantees.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 58 of 67
Contract#29960

2.
Identification and Disclosure of Privacy and Security Offices. Business Associate and
Subcontractors shall provide, within ten (10) days of the execution of this agreement, written notice to the
Covered Entity's contract/grant manager the names and contact information of both the HIP AA Privacy
Officer and HIP AA Security Officer. This information must be updated any time either of these contacts
changes.
3.

Permitted and Required Uses/Disclosures of PHI.
3.1 Except as limited in this Agreement, Business Associate may use or disclose PHI to perform
Services, as specified in the underlying grant or contract with Covered Entity. The uses and
disclosures of Business Associate are limited to the minimum necessary, to complete the tasks or
to provide the services associated with the terms of the underlying agreement. Business Associate
shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule if
used or disclosed by Covered Entity in that manner. Business Associate may not use or disclose
PHI other than as permitted or required by this Agreement or as Required by Law.
3 .2
Business Associate may make PHI available to its employees who need access to perform
Services provided that Business Associate makes such employees aware of the use and disclosure
restrictions in this Agreement and binds them to comply with such restrictions. Business
Associate may only disclose PHI for the purposes authorized by this Agreement: (a) to its agents
artd Subcontractors in accordance with Sections 9 and 17 or, (b) as otherwise permitted by Section
3.
3 .3
Business Associate shall be directly liable under HIP AA for impermissible uses and
disclosures of the PHI it handles on behalf of Covered Entity, and for impermissible uses and
disclosures, by Business Associate's Subcontractor(s), of the PHI that Business Associate handles
on behalf of Covered Entity and that it passes on to Subcontractors.

4.
Business Activities. Business Associate may use PHI received in its capacity as a Business
Associate to Covered Entity if necessary for Business Associate's proper management and administration
or to carry out its legal responsibilities. Business Associate may disclose PHI received in its capacity as
Business Associate to Covered Entity for Business Associate's proper management and administration or
to carry out its legal responsibilities if a disclosure is Required by Law or if Business Associate obtains
reasonable written assurances via a written agreement from the person to whom the information is to be
disclosed that the PHI shall remain confidential and be used or further disclosed only as Required by Law
or for the purpose for which it was disclosed to the person, and the Agreement requires the person or
entity to notify Business Associate, within two (2) business days (who .in turn will notify Covered Entity
within two (2) business days after receiving notice of a Breach as specified in Section.6.1 ), in writing of
any Breach of Unsepured PHI of which it is aware. Uses and disclosures of PHI for the purposes
identified in Section 3 must be of the minimum amount of PHI necessary to accomplish such purposes.
5.
Safeguards. Business Associate, its Agent(s) and Subcontractor(s) shall implement and use
appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this
Agreement. With respect to any PHI that is maintained in or transmitted by electronic media, Business
Associate-or its Subcontractor(s) shall comply with 45 CFR sections 164.308 (administrative safeguards),
164.310 (physical safeguards), 164.312 (technical safeguards) and 164.316 (policies and procedures and
documentation requirements). Business Associate or its Agent(s) and Subcontractor(s) shall identify in
writing upon request from Covered Entity all of the safeguards that it uses to prevent impermissible uses
or disclosures of PHI.

STATE OF VERMONT
CONTRACT FOR SERVICES

6.

Page 59 of 67
Contract#29960

Documenting and Reporting Breaches.
6.1 Business Associate shall report to Covered Entity any Breach of Unsecured PHI, including
Breaches reported to it by a Subcontractor, as soon as it (or any of its employees or agents)
becomes aware of any such Breach, and in no case later than two (2) business days after it (or any
of its employees or agents) becomes aware of the Breach, except when a law enforcement official
determines that a notification would impede a criminal investigation or cause damage to national
security.
6.2 Business Associate shall provide Covered Entity with the names of the individuals whose
Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any
other available information that is required to be given to the affected individuals, as set forth in
45 CFR § 164.404(c), and, if requested by Covered Entity, information necessary for Covered
Entity to investigate the impermissible use or disclosure. Business Associate shall continue to
provide to Covered Entity information concerning the Breach as it becomes available to it.
Business Associate shall require its Subcontractor(s) to agree to these same terms and conditions.
6.3 When Business Associate determines that an impermissible acquisition, use or disclosure of
PHI by a member of its workforce is not a Breach, as that term is defined in 45 CFR § 164.402,
and therefore does not necessitate notice to the impacted individual(s), it shall document its
assessment of risk, conducted as set forth in 45 CFR § 402(2). When requested by Covered
Entity, Business Associate shall make its risk assessments available to Covered Entity. It shall
also provide Covered Entity with 1) the name of the person(s) making the assessment, 2) a brief
summary of the facts, and 3) a brief statement of the reasons supporting the determination of low
probability that the PHI had been compromised. When a breach is the responsibility of a member
of its Subcontractor's workforce, Business Associate shall either 1) conduct its own risk
assessment and draft a summary of the event and assessment or 2) require its Subcontractor to
conduct the assessment and draft a summary of the event. In either case, Business Associate shall
make these assessments and reports available to Covered Entity.
6.4 Business Associate shall require, by contract, a Subcontractor to report to Business Associate
and Covered Entity any Breach of which the Subcontractor becomes aware, no later than two (2)
business days after becomes aware of the Breach.

7.
Mitigation and Corrective Action. Business Associate shall mitigate, to the extent practicable,
any harmful effect that is known to it of an impermissible use or disclosure of PHI, even if the
impermissible use or disclosure does not constitute a Breach. Business Associate shall draft and carry out
a plan of corrective action to address any incident of impermissible use or disclosure of PHI. If requested
by Covered Entity, Business Associate shall make its mitigation and corrective action plans available to
Covered Entity. Business Associate shall require a Subcontractor to agree to these same terms and
conditions.

8.

Providing Notice of Breaches.
8.1 If Covered Entity determines that an impermissible acquisition, access, use or disclosure of
PHI for which one of Business Associate's employees or agents was responsible constitutes a
Breach as defined in 45 CFR § 164.402, and if requested by Covered Entity, Business Associate
shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When
requested to provide notice, Business Associate shall consult with Covered Entity about the

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 60 of 67
Contract#29960

timeliness, content and method of notice, and shall receive Covered Entity's approval concerning
these elements. The cost of notice and related remedies shall be borne by Business Associate.
8.2 If Covered Entity or Business Associate determines that an impermissible acquisition, access,
use or disclosure of PHI by a Subcontractor of Business Associate constitutes a Breach as defined
in 45 CFR § 164.402, and if requested by Covered Entity or Business Associate, Subcontractor
shall provide notice to the individual(s) whose PHI has been the subject of the Breach. When
Covered Entity requests that Business Associate or its Subcontractor provide notice, Business
Associate shall either 1) consult with Covered Entity about the specifics of the notice as set forth
in section 8 .1, above, or 2) require, by contract, its Subcontractor to consult with Covered Entity
about the specifics of the notice as set forth in section 8.1
8.3 The notice to affected individuals shall be provided as soon as reasonably possible and in no
case later than 60 calendar days after Business Associate reported the Breach to Covered Entity.
8.4 The notice to affected individuals shall be written in plain language and shall include, to the
extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured
PHI that were involved in the Breach, 3) any steps individuals can take to protect themselves from
potential harm resulting from the Breach, 4) a brief description of what the Business Associate is
doing to investigate the Breach, to mitigate harm to individuals and to protect against further
Breaches, and 5) contact procedures for individuals to ask questions or obtain additional
information, as set forth in 45 CFR § 164.404(c).
8.5 Business Associate shall notify individuals of Breaches as specified in 45 CFR § 164.404(d)
(methods of individual notice). In addition, when a Breach involves more than 500 residents of
Vermont, Business Associate shall, if requested by Covered Entity, notify prominent media outlets
serving Vermont, following the requirements set forth in 45 CFR § 164.406.

9.
Agreements with Subcontractors. Business Associate shall enter into a Business Associate
Agreement with any Subcontractor to whom it provides PHI received from Covered Entity or created or
received by Business Associate on behalf of Covered Entity in which the Subcontractor agrees to the
same restrictions and conditions that apply through this Agreement to Business Associate with respect to
such PHI. Business Associate must enter into this Business Associate Agreement before any use by or
disclosure of PHI to such agent. The written agreement must identify Covered Entity as a direct and
intended third party beneficiary with the right to enforce any breach of the agreement concerning the use
or disclosure of PHI. Business Associate shall provide a copy of the Business Associate Agreement it
enters into with a subcontractor to Covered Entity upon request. Business associate may not make any
disclosure of PHI to any Subcontractor without prior written consent of Covered Entity.
10.
Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to
Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR
§ 164.524. Business Associate shall provide such access in the time and manner reasonably designated
by Covered Entity. Within three (3) business days, Business Associate shall forward to Covered Entity
for handling any request for access to PHI that Business Associate directly receives from an Individual.
11.
Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated
Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request
of Covered Entity or an Individual. Business Associate shall make such amendments in the time and
manner reasonably designated by Covered Entity. Within three (3) business days, Business Associate

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 61 of 67
Contract#29960

shall forward to Covered Entity for handling any request for amendment to PHI that Business Associate
directly receives from an Individual.
12.
Accounting of Disclosures. Business Associate shall document disclosures of PHI and all
information related to such disclosures as would be required for Covered Entity to respond to a request by
an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business
Associate shall provide s:uch information to Covered Entity or as directed by Covered Entity to an
Individual, to permit Covered Entity to respond to an accounting request. Business Associate shall
provide such information in the time and manner reasonably designated by Covered Entity. Within three
(3) business days, Business Associate shall forward to Covered Entity for handling any accounting
request that Business Associate directly receives from an Individual.
13.
Books and Records. Subject to the attorney-client and other applicable legal privileges, Business
Associate shall make its internal practices, books, and records (including policies and procedures and
PHI) ·relating to the use and disclosure of PHI received from Covered Entity or created or received by
Business Associate on behalf of Covered Entity available to the Secretary in the time and manner
designated by the Secretary. Business Associate shall make the same information available to Covered
Entity, upon Covered Entity's request, in the time and manner reasonably designated by Covered Entity
so that Covered Entity may determine whether Business Associate is in compliance with this Agreement.
14.

Termination.

14.1 This Agreement commences on the Effective Date and shall remain in effect until
terminated by Covered Entity or until all of the PHI provided by Covered Entity to Business
Associate or created ·or received by Business Associate on behalf of Covered Entity is destroyed or
returned to Covered Entity subject to Section 18.8.
14.2 If Business Associate breaches any material term of this Agreement, Covered Entity may
either: (a) provide an opportunity for Business Associate to cure the breach and Covered Entity
may terminate the contract or grant without liability or penalty if Business Associate does not cure
the breach within the time ~pecified by Covered Entity; or (b) immediately terminate the contract
or grant without liability or penalty if Covered Entity believes that cure is not reasonably possible;
or (c) if neither-termination nor cure are feasible, Covered Entity shall report the breach to the
Secretary. Covered Entity has the right to seek to cure any breach by Business Associate and this
right, regardless of whether Covered Entity cures such breach, does not lessen any right or remedy
available to Covered Entity at law, in equity, or under the contract or grant, nor does it lessen
Business Associate's responsibility for such breach or its duty to cure such breach.
15.

Return/Destruction of PHI.

15 .1 Business Associate in connection with the expiration or termination of the contract or grant
shall return or destroy, at the discretion of the Covered Entity, all PHI received from Covered
Entity or created or received by Business Associate on behalf of Covered Entity pursuant to this
contract or grant that Business Associate still maintains in any form or medium (including
electronic) within thirty (30) days after such expiration or termination. Business Associate shall
not retain any copies of the PHI. Business Associate shall certify in writing for Covered Entity (1)
when all PHI has been returned or destroyed and (2) that Business Associate does not continue to
maintain any PHI. Business Associate is to provide this certification during this thirty (30) day
period.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 62 of 67
Contract#29960

15.2 Business Associate shall provide to Covered Entity notification of any conditions that
Business Associate believes make the return or destruction of PHI infeasible. If Covered Entity
agrees that return or destruction is infeasible, Business Associate shall extend the protections of
this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes
that make the return or destruction infeasible for so long as Business Associate maintains such
PHI. This shall also apply to all Agents and Subcontractors of Business Associate.
16.
Penalties and Training. Business Associate understands that: (a) there may be civil or criminal
penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in
notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure
organizations. If requested by Covered Entity, Business Associate shall participate in training regarding
the use, confidentiality, and security of PHI.
17.
Security Rule Obligations. The following provisions of this section apply to the extent that
.Business Associate creates, r~ceives, maintains or transmits Electronic PHI on behalf of Covered Entity.

17.1 Business Associate shall implement and use administrative, physical, and technical
safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312 with respect'to the
Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity.
Business Associate shall identify in writing upon request from Covered Entity all of the
safeguards that it uses to protect such Electronic PHI.
17.2 Business Associate shall ensure that any Agent and Subcontractor to whom it provides
Electronic PHI agrees in a written agreement to implement and use administrative, physical, and
technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and
Availability of the Electronic PHI. Business Associate must enter into this written agreement
before any use or disclosure of Electronic PHI by such Agent or Subcontractor. The written
agreement must identify Covered Entity as a direct and intended third party beneficiary with the
right to enforce any breach of the agreement concerning the use or disclosure of Electronic PHI.
Business Associate shall provide a copy of the written agreement to Covered Entity upon request.
Business Associate may not make any disclosure of Electronic PHI to any Agent or Subcontractor
without the prior written consent of Covered Entity.
17.3 Business Associate shall report in writing to Covered Entity any Security Incident
pertaining to such Electronic PHI (whether involving Business Associate or an Agent or
Subcontractor). Business Associate shall provide this written report as soon as it becomes aware
of any such Security Incident, and in no case later than two (2) business days after it becomes
aware of the incident. Business Associate shall provide Covered Entity with the information
necessary for Covered Entity to investigate any such Security Incident.
17.4 Business Associate shall comply with any reasonable policies and procedures Covered
Entity implements to obtain compliance under the Security Rule.
18.

Miscellaneous.

18.1 In the event of any conflict or inconsistency between the terms of this Agreement and the
terms of the contract/grant, the terms of this Agreement shall govern with respect to its subject
matter. Otherwise, the terms of the contract/grant continue in effect.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 63 of 67
Contract#29960

18.2 Business Associate shall cooperate with Covered Entity to amend this Agreement from
time to time as is necessary for Covered Entity to comply with the Privacy Rule, the Security
Rule, or any other standards promulgated under HIP AA.
18.3 Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply
with the Privacy Rule, Security Rule, or any other standards promulgated under HIP AA.
18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g.,
HIP AA, the Privacy Rule and Security Rule, and the HIP AA omnibus final rule) in construing the
meaning and effect of this Agreement.
18.5 As between Business Associate and Covered Entity, Covered Entity owns all PHI provided
by Covered Entity to Business Associate or created or received by Business Associate on behalf of
Covered Entity.
18.6 Business Associate shall abide by the terms and conditions of this Agreement with respect
to all PHI it receives from Covered Entity or creates or receives on behalf of Covered Entity even
if some of that information relates to specific services for which Business Associate may not be a
"Business Associate" of Covered Entity under the Privacy Rule.
18. 7 Business Associate is prohibited from directly or indirectly receiving any remuneration in
exchange for an individual's PHI. Business Associate will refrain from marketing activities that
would violate HIP AA, including specifically Section 13406 of the HITECH Act. Reports or data
containing the PHI may not be sold without Agency's or the affected individual's writte.n consent.
18.8 The provisions of this Agreement that by their terms encompass continuing rights or
responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the
provisions of this Agreement shall continue to apply if Covered Entity det~rmines that it would be
~nfeasible for Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the
obligation of Business Associate to provide an accounting of disclosures as set forth in Section 11
survives the expiration or termination of this Agreement with respect to accounting requests, if
any, made after such expiration or termination.

(Rev: 5/04/15)

Page 64 of 67
Contract#29960

STATE OF VERMONT
CONTRACT FOR SERVICES
ATTACHMENT F

AGENCY OF HUMAN SERVICES' CUSTOMARY CONTRACT PROVISIONS
1. Agency of Human Services - Field Services Directors will share oversight with the department
(or field office) that is a party to the contract for provider performance using outcomes, processes,
terms and conditions agreed to under this contract.
2. 2-1-1 Data Base: The Contractor providing a health or human services within Vermont, or near
the border that is readily accessible to residents of Vermont, will provide relevant descriptive
information regarding its agency, programs and/or contact and will adhere to the
"Inclusion/Exclusion" policy of Vermont's United WayNermont 211. If included, the Contractor
will provide accurate and up to date information to their data base as needed. The
"Inclusion/Exclusion" policy can be found at www.vermont211.org
3. Medicaid Program Contractors:
Inspection of Records: Any contracts accessing payments for services through the Global
Commitment to Health Waiver and Vermont Medicaid program must fulfill state and federal legal
requirements to enable the Agency of Human Services (AHS), the United States Department of
Health and Human Services (DHHS) and the Government Accounting Office (GAO) to:
Evaluate through inspection or other means the quality, appropriateness, and timeliness of
services performed; and Inspect and audit any financial records of such Contractor or
subcontractor.
Subcontracting for Medicaid Services: Having a subcontract does not terminate the.Contractor,
receiving funds under Vermont's Medicaid program, from its responsibility to ensure that all
activities under this agreement are carried out. Subcontracts must specify the activities and
reporting responsibilities of the Contractor or subcontractor and provide for revoking delegation or
imposing other sanctions if the Contractor or subcontractor's performance is inadequate. The
Contractor agrees to make available upon request to the Agency of Human Services; the ·
Department of Vermont Health Access; the Department of Disabilities, Aging and Independent
Living; and the Center for Medicare and Medicaid Services (CMS) all contracts and subcontracts
between the Contractor and service providers.
Medicaid Notification ofTennination Requirements: Any Contractor accessing payments for
services under the Global Commitment to Health Waiver and Medicaid programs who terminates
their practice will follow the Department of Vermont Health Access, Managed Care Organization
enrollee notification requirements.
Encounter Data: Any Contractor accessing payments for services through the Global Commitment
to Health Waiver and Vermont Medicaid programs must provide encounter data to the Agency of
Human Services and/or its departments and ensure that it can be linked to enrollee eligibility files
maintained by the State.
Federal Medicaid System Security Requirements Compliance: All contractors and subcontractors
must provide a security plan, risk assessment, and security controls review document within three
months of the start date of this agreement (and update it annually thereafter) to support audit
compliance with 45CFR95.621 subpart F, ADP (Automated Data Processing) System Security
Requirements and Review Process.
4. Non-discrimination Based on National Origin as evidenced by Limited English Proficiency.
The Contractor agrees to comply with the non-discrimination requirements of Title VI of the Civil
Rights Act of 1964, 42 USC Section 2000d, et seq., and with the federal guidelines promulgat~d

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 65 of 67
Contract#29960

pursuant to Executive Order 13166 of 2000, which require that contractors and subcontractors
receiving federal funds must assure that persons with limited English proficiency can meaningfully
access services. To the extent the Contractor provides assistance to individuals with limited
English proficiency through the use of oral or written translation or interpretive services in
compliance with this requirement, such individuals cannot be required to pay for such services.
5. Voter Registration. When designated by the Secretary of State, the Contractor agrees to become
a voter registration agency as defined by 17 V.S.A. §2103 (41), and to comply with the
requirements of state and federal law pertaining to such agencies.
6. Drug Free Workplace Act. The Contractor will assure a drug-free workplace in accordance with
45 CFR Part 76.
1. Privacy and Security Standards.
Protected Health Information: The Contractor shall maintain the privacy and security of all
individually identifiable health information acquired by or provided to it as a part of the
performance of this contract. The Cont~actor shall follow federal and state law relating to privacy
and security of individually identifiable health information as applicable, including the Health
Insurance Portability and Accountability Act (HIP AA) and its federal regulations.
Substance Abuse Treatment Information: The confidentiality of any alcohol and drug abuse
treatment information acquired by or provided to the Contractor or subcontractor shall be
maintained in compliance with any applicable state or federal laws or regulations and specifically
set out in 42 CFR Part 2.
Other Confidential Consumer Information: The Contractor agrees to comply with the
requirements of AHS Rule No. 08-048 concerning access to information. The Contractor agrees to
comply with any applicable Vermont State Statute, including but not limited to 12 VSA § 1612 and
any applicable Board of Health confidentiality regulations. The Contractor shall ensure that all of
its employees and subcontractors performing services under this agreement understand the
sensitive nature of the information that they may have access to and sign an affirmation of
understanding regarding the information's confidential and non-public nature.
Social Security numbers: The Contractor agrees to comply with all applicable Vermont State
Statutes to assure protection and security of personal information, including protection from
identity theft as outlined in Title 9, Vermont Statutes Annotated, Ch. 62.
2. Abuse Registry. The Contractor agrees not to employ any individual, use any volunteer, or
otherwise provide reimbursement to any individual in the performance of services connected with
this agreement, who provides care, custody, treatment, transportation, or supervision to children or
vulnerable adults if there is a substantiation of abuse or neglect or exploitation against that
individual. The Contractor will check the Adult Abuse Registry in the Department of Disabilities,
Aging and Independent Living. Unless the Contractor holds a valid child care license or
registration from the Division of Child Development, Department for Children and Families, the
Contractor s_hall also check the Central Child Protection Registry. (See 33 V.S.A. §4919(a)(3) &
33 V.S.A. §691 l(c)(3)).
3. Reporting of Abuse, Neglect, or Exploitation. Consistent with provisions of 33 V.S.A. §4913(a)
and §6903, any agent or employee of a Contractor who, in the performance of services connected
with this agreement, has contact with clients or is a caregiver and who has reasonable cause to
believe that a child or vulnerable adult has been abused or neglected as defined in Chapter 49 or
abused, neglected, or exploited as defined in Chapter 69 of Title 33 V.S.A. shall make a report
involving children to the Commissioner of the Department for Children and Families within 24

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 66 of 67
Contract#29960

hours or a report involving vulnerable adults to the Division of Licensing and Protection at the
Department of Disabilities, Aging, and Independent Living within 48 hours. This requirement
applies except in those instances where particular roles and functions are exempt from reporting
under state and federal law. Reports involving children shall contain the information required by
33 V.S.A. §4914. Reports involving vulnerable adults shall contain the information required by 33
V.S.A. §6904. The Contractor will ensure that its agents or employees receive training on the
reporting of abuse or neglect to children and abuse, neglect or exploitation of vulnerable adults.

4. Intellectual Property/Work Product Ownership. All data, technical information, materials first
gathered, originated, developed, prepared, or obtained as a condition of this agreement and used in
the performance of this agreement - including, but not limited to all reports, surveys, plans, charts,
literature, brochures, mailings, recordings (video or audio), pictures, drawings, analyses, graphic
representations, software computer programs and accompanying documentation and printouts,
notes and memoranda, written procedures and documents, which are prepared for or obtained
specifically for this agreement - or are a result of the services required under .this grant - shall be
considered "work for hire" and remain the property of the State of Vermont, regardless of the state
of completion - unless otherwise specified in this agreement. Such items shall be delivered to the
State of Vermont upon 3 0 days' notice by the State. With respect to software computer programs
and/ or source codes first developed for the State, all the work shall be considered "work for hire,"
i.e., the State, not the Contractor or subcontractor, shall have full and complete ownership of all
software computer programs, documentation and/or source codes developed.
The Contractor shall not sell or copyright a work product or item produced under this agreement
without explicit permission from the State.
If the Contractor is operating a system or application on behalf of the State of Vermont, then the
Contractor shall not make information entered into the system or application available for uses by
any other party than the State of Vermont, without prior authorization by the State. Nothing herein
shall entitle the State to pre-existing Contractor's materials.
5. Security and Data Transfers. The State shall work with the Contractor to ensure compliance with
all applicable State and Agency of Human Services' policies and standards, especially those related
to privacy and security. The State will advise the Contractor of any new policies, procedures, or
protocols developed during the term of this agreement as they are issued and will work with the
Contractor to implement any required.
The Contractor will ensure the physical and data security associated with computer equipment including desktops, notebooks, and other portable devices - used in connection with this
agreement. The Contractor will also assure that any media or mechanism used to store or transfer
data to or from the State includes industry standard security mechanisms such as continually up-todate malware protection and encryption. The Contractor will make every reasonable effort to
ensure media or data files transferred to the State are virus and spyware free. At the conclusion of
this agreement and after successful delivery of the data to the State, the Contractor shall securely
delete data (including archival backups) from the Contractor's equipment that contains individually
identifiable records, in accordance with standards adopted by the Agency of Human Services.
6. Computing and Communication: The Contractor shall select, in consultation with the Agency of
Human Services' Information Technology unit, one of the approved methods for secure access to
the State's systems and data, if required. Approved methods are based on the type of work
performed by the Contractor as part of this agreement. Options include, but are not limited to:
1. Contractor's provision of certified computing equipment, pedpherals and mobile devices, on a
separate Contractor's network with separate internet access. The Agency of Human
Services' accounts may or may not be provided.

STATE OF VERMONT
CONTRACT FOR SERVICES

Page 67 of 67
Contract#29960

2. State supplied and managed equipment and accounts to access state applications and data,
including State issued active directory accounts and application specific accounts, which
follow the National Institutes of Standards and Technology (NIST) security and the Health
Insurance Portability & Accountability Act (HIP AA) standards.
The State will not supply e-mail accounts to the Contractor.
7. Lobbying. No federal funds under this agreement may be used to influence or attempt to influence
an officer or employee of any agency, a member of Congress, an officer or employee of Congress,
or an employee of a member of Congress in connection with the awarding of any federal contract,
continuation, renewal, amendments other than federal appropriated funds.
8 . . Non-discrimination. The Contractor will prohibit discrimination on ·the basis of age under the
Age Discrimination Act of 19.75, on the basis of handicap under section 504 of the Rehabilitation
Act of 1973, on the basis of sex under Title IX of the Education Amendments of 1972, or on the
basis of race, color or national origin under Title VI of the Civil Rights Act of 1964. No person
shall on the grounds of sex (including, in the case of a woman, on the grounds that the woman is
pregnant) or on the grounds of religion, be excluded from participation in, be denied the benefits
of, or be subjected to discrimination, to include sexual harassment, under any program or activity
supported by state and/or federal funds.
The Contractor will also not refuse, withhold from or deny to any person the benefit of services,
facilities, goods, privileges, advantages, or benefits of public accommodation on the basis of
disability, race~ creed, color, national origin, marital status, sex, sexual orientation or gender
identity under Title 9 V.s.A: Chapter 139.
9. Environmental Tobacco Smoke. Public Law 103-227, also known as the Pro-children Act of
1994 (Act), requires that smoking not be permitted in any portion of any indoor facility owned or
leased or contracted for by an entity and used routinely or regularly for the provision of health,
child care, early childhood development services, education or library services to children under
the age of 18, if the services are funded by federal programs either directly or through state or local
governments, by federal grant, contract, loan or loan guarantee. The law also applies to children's
services that are provided in indoor facilities that are constructed, operated, or maintained with
such Federal funds.
The law does not apply to children's services provided in private residences; portions of facilities
used for inpatient drug or alcohol treatment; service providers whose sole source of applicable
federal funds is Medicare or Medicaid; or facilities where Women, Infants, & Children (WIC)
coupons are redeemed.
Failure to comply with the provisions of the law may result in the imposition of a civil monetary
penalty of up to $1,000 for each violation and/or the imposition of an administrative compliance
order on the responsible entity.
Contractors are prohibited from promoting the use of tobacco products for all clients. Facilities
supported by state and federal funds are prohibited from making tobacco products available to
mmors.
Attachment F - Revised AHS 12110110