
HMS Confidential and Proprietary Information

The information contained in this Request for Proposal is confidential and proprietary to HMS and is to be used by the recipient solely for the purpose of responding to this RFP. This RFP will be returned to the HMS procurement representative upon demand. All information included in the response shall remain confidential and be used solely for the purpose of this Request for Proposal.

Hospital Utilization Management Request for Proposal

March 7, 2017

Permedion, Inc.

350 Worthington Rd.

Westerville, OH 43082

Confidential and Proprietary

PERMEDION INC.

Request for Proposal

2

This Request for Proposal (RFP) has been prepared by Health Management Systems, Inc. (HMS) and is being given to you to provide you with an opportunity to respond with your Follow-Up for collection capabilities, in consideration of your agreement to treat it as confidential. The information enclosed in this RFP is proprietary to HMS and should be treated as confidential. HMS is not conveying any ownership to any party by disclosing this information. By accepting this document, you agree that you will treat this information as confidential, you will not allow any other person or entity to see it or use it, and you will not use it in any way other than to prepare the requested response. You will return this document, and all copies you have made to HMS should you decline to submit a proposal or upon request by HMS.


TABLE OF CONTENTS

1. Introduction ...................................................................................................................... 4

2. Proposal Instructions and Administration .......................................................................... 6

3. Response Format and Pricing Information ......................................................................... 9

4. Scope of Services and Current State ................................................................................ 10

5. Supplier Profile & Questions ............................................................................................ 12


INTRODUCTION

1.1 RFP Objective and Project Overview

This document serves as a request for firms to submit a proposal in response to the requirements described herein to Health Management Systems, Inc. (HMS). This Request for Proposal (RFP) is to assist Permedion with Utilization Management tasks on behalf of the State of Ohio per the Request for Proposal ODMR1617-1021 for a Hospital Utilization Management Program upon HMS award of a contract to supply these services as the Prime Contractor.

All instructions required for completion of proposals are included in this RFP. Vendors must comply with the instructions exactly as they are stated herein to facilitate HMS’s review and timely evaluation of the supplier.

1.2 Corporate Overview

Permedion, a wholly owned subsidiary of HMS, is a URAC-accredited, QIO-like entity. Permedion provides independent utilization and external medical review for both state government and private clients across the country to help ensure that inpatient and outpatient services are medically necessary, billed appropriately, and of the highest quality.

Our clients include Medicaid, state insurance departments, state medical boards, correctional departments, and other state agencies. Our panel includes RNs, certified coding specialists, biostatisticians, clinical staff, legal experts, and more than 600 board-certified, actively practicing physicians and allied health professionals nationwide representing every specialty recognized by the American Board of Medical Specialties—as well as many subspecialties. These clinicians review medical records, documentation and claims to identify utilization and coding/billing errors resulting in inappropriate payment to providers.

1.3 Background

The purpose of the utilization review (UR) contract is to attain measurable improvement in the appropriate utilization (or, measurable true reduction in inappropriate utilization) of Medicaid services, specifically inpatient and outpatient hospital services for the Fee for Service (FFS) population, while recovering reimbursement from providers of inappropriate Medicaid services. One product of utilization review will be the recovery of Medicaid reimbursement made for services which were not medically necessary, were not performed in the most appropriate setting, or were otherwise not provided or billed in accordance with the Ohio Administrative Code (OAC) Rules found in Chapter 5160. The other product of utilization review will be the Prior Authorization for Ohio Medicaid’s new Behavioral Health Redesign services. Prior Authorization must be obtained from ODM or its designee by the provider before services are rendered or the items are delivered. This service is projected to require review for the next two years, along with additional behavioral health services after pre-set limits are reached. As the incumbent vendor performing this scope of work since 1985, Permedion-HMS endeavors to continue to assist ODM with its mission of providing high-quality, cost-effective, accessible healthcare. We are, therefore, seeking a supplier to support us in this task.


PROPOSAL INSTRUCTIONS AND ADMINISTRATION

2.1 Overview

This RFP was developed to provide you with the necessary information to prepare a response and provide all requested information. This section outlines the administrative procedures and guidelines for preparing your proposal.

2.2 Liability

The issuance of this document and the receipt of information in response to this document will not cause HMS to incur any liability or obligation to you, financial or otherwise. HMS assumes no obligation to reimburse or in any way compensate you for expenses incurred in connection with your response to this RFP.

2.3 Use and Disclosure of Information

HMS reserves the right to use information submitted in response to this document in any manner it may deem appropriate in evaluating the fitness of the services proposed. Materials submitted by the Supplier that are considered confidential must be clearly marked as such. In the event that confidentiality cannot be afforded, the Supplier will be notified and will be permitted to withdraw its proposal.

The information contained in this RFP is proprietary to HMS. All Suppliers, in consideration of being given this opportunity, agree to treat all the information contained in this RFP as confidential in accordance with the signed Non-Disclosure Agreements. The information is to be used by each Supplier only for the purpose of preparing a proposal in response to this request. The information in this RFP may not be used or shared with any other parties for any other purpose without first obtaining HMS’s prior written consent. If you need to disclose any RFP information to a third party in order to prepare your proposal, contact Lynn Langenberg, the Single Point of Contact (SPOC), at the address in the next section. If requested, the Supplier will return HMS’s confidential information.

2.4 Bid Protocol and Contact Information

HMS’s Single Point of Contact (SPOC) for this event is:

Lynn Langenberg
Health Management Systems, Inc.
5615 High Point Drive
Irving, TX 75038
P: 469.284.3417
[email protected]


To ensure timely and adequate consideration of your proposal, suppliers are asked to limit all contact, whether verbal or written, pertaining to this RFP, to Lynn Langenberg, the SPOC, at the address provided above for the duration of this bid process. Failure to remain focused will compound the complexity of this project and may jeopardize our ability to meet the timeline. Your full support is greatly appreciated. Proposals should be submitted by email to Lynn Langenberg by 12 p.m. CST on the date specified in the Timetable Section below. (NOTE: HMS’s email system is unable to accept “.zip” files, so please do not send any.)

Permedion, at its sole discretion, may elect to return responses received after the deadline.

Formal presentations, web presentations, or conference calls may be scheduled after receipt of proposals and may include both high-level and detailed technical sessions. Permedion may request clarification of the proposal or additional supplemental information. Permedion reserves the right to reject any proposal or, at its discretion, to solicit additional responses. Permedion may also accept or reject portions of a proposal. Following an evaluation period, Permedion may choose to negotiate with one or more Supplier(s). Any acceptance of a proposal is contingent upon the execution of a written agreement, and Permedion shall not be contractually bound to any Supplier prior to the execution of such written agreement.

Pricing information supplied with the response to this RFP must be valid up to and through the base term of the ODM Prime Contract awarded to Permedion-HMS. The Prime Contract term is currently defined in the ODM RFP as July 1, 2017 through June 30, 2019, with two 2-year extensions. Pricing for any awarded extensions will be renegotiated.

Suppliers should be prepared to incorporate all statements made in their proposal into the final subcontract. If you provide information in response to this RFP that you are unwilling to incorporate into the final subcontract, mark all such information in BOLD CAPS. Please note that such exclusion will be taken into consideration as part of the evaluation process. Suppliers should review and be prepared to accept the Terms and Conditions of HMS’s Master Service Agreement.

This RFP represents the best effort of Permedion to document its requirements. Permedion reserves the right to adjust the specifications or scope of effort stated in this RFP. In the event that any modifications become necessary, all Suppliers will be notified via the COMBA website of an addendum to this RFP. HMS reserves the right to cancel the RFP at any time during the RFP process.

2.5 Timetable

This document is the first step in the process. Following is the anticipated schedule for the selection process.

Table 1: RFP Project Timetable

Event                  Due Date    Deadline
RFP Released           3/8/2017
Submit RFP Questions   3/10/2017   3:00 PM EST
RFP Proposals Due      3/17/2017   5:00 PM CST
RFP Proposal Award     3/21/2017

*Answers to RFP Questions will be provided to all RFP Respondents on 3/13/17.

HMS reserves the right to modify any part of this schedule.


Response Format and Pricing Information

3.1 Response to SOW

Please respond to the RFP via email with a separate document/file (do not send PDFs) that fully describes how your products and services meet the requirements of the Scope of Services. Responses should be limited to 10 pages and must include the following:

1. A detailed description of your products and services including how you will address all portions of the SOW.

2. Answers to all included and attached questions and questionnaires (attachments 1-5).

3. The pricing should represent the total cost of performing the scope of work to meet all requirements and include costs of all services that are mentioned in the proposal including implementation, staffing, proposed actions and support costs. Please submit a monthly fixed fee.

4. A description of any improvement over the stated specifications. The advantages, reasons, best practices, and cost effectiveness associated with these improvements should be clearly stated. The implementation of these improvements in terms of additional costs should be explained when providing pricing information.

5. Attest that you are currently, and will remain throughout the contract duration, a certified Minority Business Enterprise (MBE), and supply a current copy of your MBE certification letter to HMS as instructed in the Suppliers Profile & Questions section below.

6. Attest that you have read, understand, meet, and are in compliance with all of the requirements and all terms and conditions, including FAR Clauses, if any, and flowdowns, as set forth in the RFP found here: https://procure.ohio.gov/proc/viewProcOpps.asp?oppID=13312

Completed Vendor Provided Information forms



Scope of Services

4.1 Project Overview

Permedion-HMS is seeking a subcontractor to perform retrospective review on hospital inpatient claims and prior authorization on behavioral health claims for ACT and IHBT services. Please note that the anticipated Contract term begin date is July 1, 2017, but will be coterminous with the Permedion-HMS Prime Contract begin date if different from the anticipated date.

4.2 Project Scope

4.2.1 Retrospective Review

Retrospective Review is the post payment review of claims for proper coding, level of care, medical necessity and quality of care. The claims are selected by the Prime Contractor, Permedion Inc., in coordination with ODM, based upon, but not limited to, the following current target areas:

1. Billing Errors: This target consists of inpatient admissions which have either the admission source or the patient disposition (discharge status) coded incorrectly.

2. Readmissions: This target looks at claims that include readmissions within one day, and within 30 days of the initial admission.

3. Target Diagnostic Related Groups (DRG): This target consists of looking at DRGs that represent a potential for upcoding or other billing errors, or higher than expected utilization.

4. Medical Necessity and Short Lengths of Stay: This target consists of claims with significantly short lengths of stay based on the DRG and/or primary diagnosis for any diagnosis or procedure; claims for procedures which have significantly higher denial rates due to medical necessity concerns and have short lengths of stay; and selected claims with short lengths of stay.

5. Compliance: This target consists of procedures that require pre-certification for which there was no pre-certification number indicated on the claim (when/if the pre-certification is reinstated by ODM).

6. Outpatient/Ambulatory: This target consists of incorrect coding/number of units, billing issues and inappropriate hospital setting.

7. Bill audit: This target reviews DRG-exempt facility claims once a year for accuracy of billing itemized charges.

Permedion will perform the claims selection and deliver any volume exceeding 1,600 reviews to the Supplier to perform retrospective review. The supplier should expect a minimum volume of 100 reviews, not expected to exceed 300 reviews, monthly. Volume revision will be reviewed and assessed annually. The reviews must be completed by an Ohio Licensed Registered Nurse. Their license must be active and unrestricted. Additionally, the nurse should have a minimum of 3 years of experience in an Acute Care Hospital (LTACH). The list will be provided on the first Monday of each month for action during the following month.

The supplier will be responsible for utilizing the Permedion-HMS proprietary system to validate the diagnosis and procedure codes and other qualifying review factors used to determine whether the inpatient acute hospital level of care was necessary, based on the intensity of services provided and/or the severity of the patient’s illness. The supplier will also be required to review each case for accuracy and completeness, according to American Hospital Association Coding Clinic guidelines, and confirm that the medical record supports the coding submitted. The nurse reviewers/Certified Coding Specialists (CCS) will have electronic access to the Coding Clinics. Validation of additional claims information that may determine the DRG assignment (e.g. discharge status or age) may be required. In addition, the nurse/CCS will review the chart for the sequencing of DRG codes by following coding guidelines to make a determination. Once correct codes are determined and clinical questions are resolved by physician reviewers, the correct codes and billing information are processed through a DRG grouper appropriate for the time period of the claim to determine whether a change in the DRG assignment is warranted.

If a change is warranted, a determination letter must be submitted to the provider through our proprietary system. It will include the billed diagnoses/procedure codes, the new correct code, pertinent claim details, and a complete rationale for the changes.

If the DRG review determines that the case was coded and billed appropriately, no further action will be required.

Clinical issues, such as whether the correct principal diagnosis is identified or whether secondary diagnoses are substantiated, are referred to physician reviewers for a determination. All clinical issues identified by nurse reviewers/CCSs (appropriateness of setting, change in diagnosis, etc.) are reviewed by one of our panel of more than 120 Ohio-licensed physicians. These physicians review the records and provide an independent assessment of the nurse reviewer’s or CCS’s determination. The supplier will be expected to complete the assigned reviews within 30 days of receipt unless otherwise instructed. Failure to complete reviews timely may result in disciplinary action, up to and including termination of the Subcontract.


Supplier Unit Lead may consult with Permedion Service Line Manager as needed to achieve appropriate claims resolution. The supplier will be responsible for providing standard inventory reporting and other general reporting on a monthly basis.

4.2.2 Prior Authorization of Behavioral Health Services

Prior Authorization (PA) is the review of services before they are rendered or the items are delivered, granting the provider authority to provide care. Ohio Medicaid’s new Behavioral Health Redesign services require prior authorization for Assertive Community Treatment (ACT) and Intensive Home Based Treatment (IHBT) services for the next two years. Additional services may require prior authorization after pre-set limits are reached (see service type listing below). PA reviewers must be proficient in mental health or addiction services, depending on the type of service requested, review, and provider type. The Supplier is expected to hire and/or contract with LISW or LPCC credentialed staff to fulfill this scope of work.

The following services must receive PA before the services can be delivered:

1. Assertive Community Treatment - for adults;
2. Intensive Home Based Treatment - for children; and
3. Substance Use Disorder (SUD) Partial Hospitalization.

The following services require PA after ODM-specified limits are reached:

1. Psychiatric Diagnostic Evaluations;
2. Psychological Testing;
3. Screening Brief Intervention and Referral to Treatment (SBIRT);
4. Alcohol or Drug Assessment;
5. Mental Health Nursing Services;
6. SUD Nursing Services; and
7. SUD Residential.

For ACT/IHBT services, OAC 5160:27-## and OAC 5160:27-## (rules to be released early 2017) must be used to evaluate qualified provider types requesting the service, medical necessity and level of care. For substance use services, the American Society of Addiction Medicine (ASAM) guidelines for alcohol and drug treatment services must be used to evaluate medical necessity and level of care. For mental health services, guidelines set forth by the American Psychiatric Association, American Psychological Association, American Academy of Child and Adolescent Psychiatry, Centers for Medicare and Medicaid Services (CMS) and American Medical Association guidance for Current Procedural Terminology (CPT)/Healthcare Common Procedure Coding System (HCPCS) must be used to evaluate medical necessity and level of care.


Permedion, in conjunction with ODM, will provide the Supplier with the appropriate system access in order to review the PAs upon receipt. The expected volume for the ACT and IHBT PAs is estimated at 2,700 per year. (Note: These services are new to ODM and its providers. As a result, the volume is an estimate.) The supplier will be responsible for utilizing the Permedion-HMS proprietary system to log all requests for prior authorization, determinations, physician referrals, appeals and requests for hearings. The supplier will also be subject to internal quality control (IQC) scores on individual reviewers and will provide education and training to providers as needed and related to the scope of work. The supplier will be expected to complete the assigned ACT and/or IHBT reviews within 48 hours of receipt; 72 hours is allotted for all other PA types. Failure to complete reviews timely may result in disciplinary action, up to and including termination of the Subcontract.

Supplier Unit Lead may consult with Permedion Service Line Manager as needed to achieve appropriate claims resolution. The supplier will be responsible for providing standard inventory reporting and other general reporting on a monthly basis.


SUPPLIER PROFILE & QUESTIONS

5.1 Company Information

1. Provide the full name and address of your corporate headquarters and full contact information of the primary contact for this RFP.

2. What would be the legal entity that would be doing business with HMS?

3. How long has your company been in business? How long have you been providing the services outlined in this RFP?

4. How many employees are in your company?

5. Is your company a public or privately held organization?

6. How many customers do you have?

7. Is your company an Ohio certified MBE organization? (Please provide a copy of your certification letter.)

8. What types of background checks do you run on your employees? (Copies may be required upon award.)

5.2 Financial Information

9. Attach financial and cash flow statements for the past three years as a separate document upon receipt of the RFP. Publicly held companies should provide SEC Filings and Prospectus. Privately held companies should provide audited financial statements (consolidated Balance Sheet, Consolidated Statement of Operations, Dun & Bradstreet Comprehensive Report). The report should be current; however, it is acceptable to submit a report dated May 2014.

10. What was your annual sales volume in 2013? 2014?

11. Provide a listing of any significant acquisitions, divestitures or “change of control” that have occurred in the last two years or are anticipated will occur within the next 12 months.

12. Provide a listing of any entity that controls 10% or more of your company.

13. Is your company SAS 70 compliant?


14. If so, provide a copy of your most recent SAS 70 report.

15. If the Company is publicly traded, attach the most recent 10-K.

16. Report any publicly traded debt and your company’s bond rating related to that debt.

17. Has your company ever filed for bankruptcy?

18. Provide a statement of capability with regard to your company's current financial strength and its financial capacity to perform this work long term; comment on any recent or upcoming / planned changes in ownership.

5.3 Insurance Requirements – see Master Service Agreement

Supplier shall agree that if the insurance requirements set by the State of Ohio under the prime contract currently exceed the coverages listed above or thereafter increase, supplier shall meet or exceed the requirements as set by the State of Ohio and shall furnish to HMS satisfactory evidence thereof at any time HMS requests such documentation.

19. Do you meet the insurance requirements outlined above? If not, what are the limits?

5.4 Claims Evaluation Capabilities

20. Please describe your claims evaluation capabilities.

21. Please list similar, utilization management work experience and scope synopsis, not to exceed 500 words. (A Statement of Work can be supplied to augment this requirement.)

22. What portion of your internal capacity is currently being utilized?

23. How do you facilitate document QA?

5.5 Account Management

24. Please describe your e-Invoicing capabilities (attach diagram as necessary.)


25. Will any portion of the work be outsourced to a third party?

26. A Unit Supervisor is required for this procurement; please provide a resume for the intended key personnel. (Attestation of staff hire and intended merits/attributes will suffice.)

5.6 Security

27. Please complete the Vendor Risk Assessment Questionnaire (see the separate attachment/file included in the email).

28. If awarded the business, are you willing to sign a Business Associate Agreement as part of the Subcontract Agreement? Yes or No.

5.7 Quality

29. Provide a thorough description of your company’s quality control procedures and ability to deliver error-free services. Include a written summary of your company’s commitment to quality via Six Sigma, Total Quality Management, or other methods.

30. Please describe performance standards that are used to measure accuracy, timeliness, and customer satisfaction.

5.8 Implementation

31. Please describe your implementation process and your ongoing management of the program.

Thank you for your participation in this process and for considering doing business with HMS.

Commented [TS2]: Remove – in MSA

HMS Confidential and Proprietary Information The information contained in this Request for Proposal is confidential and proprietary to HMS and is to be used by

the recipient solely for the purpose of responding to this RFP. This RFP will be returned to HMS procurement representative upon demand. All information included in the response shall remain confidential and be used

solely for the purpose of this Request for Proposal.

Hospital Utilization Management Request for Proposal

March 7, 2017

Permedion, Inc. 350 Worthington Rd.

Westerville, OH 43082

Confidential and Proprietary

PERMEDION INC.

Request for Proposal

2

This Request for Proposal (RFP) has been prepared by Health Management Systems, Inc. (HMS) and is being given to you to provide you with an opportunity to respond with your Follow-Up for collection capabilities, in consideration of your agreement to treat it as confidential. The information enclosed in this RFP is proprietary to HMS and should be treated as confidential. HMS is not conveying any ownership to any party by disclosing this information. By accepting this document, you agree that you will treat this information as confidential, you will not allow any other person or entity to see it or use it, and you will not use it in any way other than to prepare the requested response. You will return this document, and all copies you have made to HMS should you decline to submit a proposal or upon request by HMS.

PERMEDION INC.

Request for Proposal

3

TABLE OF CONTENTS

1. Introduction ........................................................................................................................... 4

2. Proposal Instructions and Administration ............................................................................. 6

3. Response Format and Pricing Information ............................................................................ 9

4. Scope of Services and Current State ................................................................................... 10

5. Supplier Profile & Questions ............................................................................................... 12

PERMEDION INC.

Request for Proposal

4

INTRODUCTION

1.1 RFP Objective and Project Overview This document serves as a request for firms to submit a proposal in response to the

requirements described herein to Health Management Systems, Inc. (HMS) This Request for

Proposal (RFP) is to assist Permedion with Utilization Management tasks on behalf of the State

of Ohio per the Request for Proposal ODMR1617-1021 for a Hospital Utilization Management

Program upon HMS award of a contract to supply these services as the Prime Contractor.

All instructions required for completion of proposals are included in this RFP. Vendors must comply with the instructions exactly as they are stated herein to facilitate HMS’s review and timely evaluation of the supplier.

1.2 Corporate Overview

Permedion, a wholly owned subsidiary of HMS, is a URAC-accredited, QIO-like entity. Permedion provides independent utilization and external medical review for both state government and private clients across the country to help ensure that inpatient and outpatient services are medically necessary, billed appropriately, and of the highest quality.

Our clients include Medicaid, state insurance departments, state medical boards, correctional departments, and other state agencies. Our panel includes RNs, certified coding specialists, biostatisticians, clinical staff, legal experts, and more than 600 board-certified, actively practicing physicians and allied health professionals nationwide representing every specialty recognized by the American Board of Medical Specialties—as well as many subspecialties. These clinicians review medical records, documentation and claims to identify utilization and coding/billing errors resulting in inappropriate payment to providers.

1.3 Background The purpose of the utilization review (UR) contract is to attain measurable improvement in the appropriate utilization (or, measurable true reduction in inappropriate utilization) of Medicaid services, specifically inpatient and outpatient hospital services for the Fee for Service (FFS) population, while recovering reimbursement from providers of inappropriate Medicaid services. One product of utilization review will be the recovery of Medicaid reimbursement made for services which were not medically necessary, were not performed in the most appropriate

PERMEDION INC.

Request for Proposal

5

setting, or were otherwise not provided or billed in accordance with the Ohio Administrative Code (OAC) Rules found in Chapter 5160. The other product of utilization review will be the Prior Authorization for Ohio Medicaid’s new Behavioral Health Redesign services. Prior Authorization must be obtained from ODM or its designee by the provider before services are rendered or the items are delivered. This service is projected to require review for the next two years, along with additional behavioral health services after pre-set limits are reached. As the incumbent vendor performing this scope of work since 1985, Permedion-HMS endeavors to continue to assist ODM with its mission of providing high-quality, cost-effective, accessible healthcare. We are, therefore, seeking a supplier to support us in this task.

PERMEDION INC.

Request for Proposal

6

PROPOSAL INSTRUCTIONS AND ADMINISTRATION

2.1 Overview This RFP was developed to provide you with the necessary information to prepare a response and provide all requested information. This section outlines the administrative procedures and guidelines for preparing your proposal.

2.2 Liability

The issuance of this document and the receipt of information in response to this document will not cause HMS to incur any liability or obligation to you, financial or otherwise. HMS assumes no obligation to reimburse or in any way compensate you for expenses incurred in connection with your response to this RFP.

2.3 Use and Disclosure of Information

HMS reserves the right to use information submitted in response to this document in any manner it may deem appropriate in evaluating the fitness of the services proposed. Materials submitted by the Supplier that are considered confidential must be clearly marked as such. In the event that confidentiality cannot be afforded, the Supplier will be notified and will be permitted to withdraw its proposal.

The information contained in this RFP is proprietary to HMS. All Suppliers, in consideration of being given this opportunity, agree to treat all the information contained in this RFP as confidential in accordance with the signed Non-Disclosure Agreements. The information is to be used by each Supplier only for the purpose of preparing a proposal in response to this request. The information in this RFP may not be used or shared with any other parties for any other purpose without first obtaining HMS’s prior written consent. If you need to disclose any RFP information to a third party in order to prepare your proposal, contact Lynn Langenberg, the Single Point of Contact (SPOC), at the address in the next section. If requested, the Supplier will return HMS’s confidential information.

2.4 Bid Protocol and Contact Information

HMS’s Single Point of Contact (SPOC) for this event is:

Lynn Langenberg
Health Management Systems, Inc.
5615 High Point Drive
Irving, TX 75038
P: 469.284.3417
[email protected]


To ensure timely and adequate consideration of your proposal, suppliers are asked to limit all contact, whether verbal or written, pertaining to this RFP, to Lynn Langenberg, the SPOC, at the address provided above for the duration of this bid process. Failure to remain focused will compound the complexity of this project and may jeopardize our ability to meet the timeline. Your full support is greatly appreciated. Proposals should be submitted by email to Lynn Langenberg by 12 p.m. CST on the date specified in the Timetable Section below. (NOTE: HMS’s email system is unable to accept “.zip” files, so please do not send any.)

Permedion, at its sole discretion, may elect to return responses received after the deadline.

Formal presentations, web presentations, or conference calls may be scheduled after receipt of proposals and may include both high-level and detailed technical sessions. Permedion may request clarification of the proposal or additional supplemental information. Permedion reserves the right to reject any proposal or, at its discretion, to solicit additional responses. Permedion may also accept or reject portions of a proposal. Following an evaluation period, Permedion may choose to negotiate with one or more Supplier(s). Any acceptance of a proposal is contingent upon the execution of a written agreement, and Permedion shall not be contractually bound to any Supplier prior to the execution of such written agreement.

Pricing information supplied with the response to this RFP must be valid up to and through the base term of the ODM Prime Contract awarded to Permedion-HMS. The Prime Contract term is currently defined in the ODM RFP as July 1, 2017 through June 30, 2019 with two 2-year extensions. Pricing for any awarded extensions will be renegotiated.

Suppliers should be prepared to incorporate all statements made in their proposal into the final subcontract. If you provide information in response to this RFP that you are unwilling to incorporate into the final subcontract, mark all such information in BOLD CAPS. Please note that such exclusion will be taken into consideration as part of the evaluation process. Suppliers should review and be prepared to accept the Terms and Conditions of HMS’s Master Service Agreement.

This RFP represents the best effort of Permedion to document its requirements. Permedion reserves the right to adjust the specifications or scope of effort stated in this RFP. In the event that any modifications become necessary, all Suppliers will be notified via the COMBA website of an addendum to this RFP. HMS reserves the right to cancel the RFP at any time during the RFP process.

2.5 Timetable

This document is the first step in the process. Following is the anticipated schedule for the selection process.

Table 1: RFP Project Timetable

Event                   Due Date     Deadline
RFP Released            3/8/2017
Submit RFP Questions    3/10/2017    3:00 PM EST
RFP Proposals Due       3/17/2017    5:00 PM CST
RFP Proposal Award      3/21/2017

*Answers to RFP Questions will be provided to all RFP Respondents on 3/13/17.

HMS reserves the right to modify any part of this schedule.


Response, Format and Pricing Information

3.1 Response to SOW

Please respond to the RFP via email with a separate document/file (do not send PDFs) that fully describes how your products and services meet the requirements of the Scope of Services. Responses should be limited to 10 pages and must include the following:

1. A detailed description of your products and services including how you will address all portions of the SOW.

2. Answers to all included and attached questions and questionnaires (attachments 1-5).

3. The pricing should represent the total cost of performing the scope of work to meet all requirements and include costs of all services that are mentioned in the proposal including implementation, staffing, proposed actions and support costs. Please submit a monthly fixed fee.

4. A description of any improvement over the stated specifications. The advantages, reasons, best practices, and cost effectiveness associated with these improvements should be clearly stated. The implementation of these improvements in terms of additional costs should be explained when providing pricing information.

5. Attest that you are currently, and will remain throughout the contract duration, a certified Minority Business Enterprise (MBE), and supply a current copy of your MBE certification letter to HMS as instructed in the Suppliers Profile & Questions section below.

6. Attest that you have read, understand, meet and are in compliance with all of the requirements and all terms and conditions, including FAR Clauses, if any, and flowdowns, as set forth in the RFP found here: https://procure.ohio.gov/proc/viewProcOpps.asp?oppID=13312

7. Completed Vendor Provided Information forms


Scope of Services

4.1 Project Overview

Permedion-HMS is seeking a subcontractor to perform retrospective review on hospital inpatient claims and prior authorization on behavioral health claims for ACT and IHBT services. Please note that the anticipated Contract term begin date is July 1, 2017, but will be coterminous with the Permedion-HMS Prime Contract begin date if different from the anticipated date.

4.2 Project Scope

4.2.1 Retrospective Review

Retrospective Review is the post payment review of claims for proper coding, level of care, medical necessity and quality of care. The claims are selected by the Prime Contractor, Permedion Inc., in coordination with ODM, based upon, but not limited to, the following current target areas:

1. Billing Errors: This target consists of inpatient admissions which have either the admission source or the patient disposition (discharge status) coded incorrectly.

2. Readmissions: This target looks at claims that include readmissions within one day, and within 30 days of the initial admission.

3. Target Diagnostic Related Groups (DRG): This target consists of looking at DRGs that represent a potential for upcoding or other billing errors, or higher than expected utilization.

4. Medical Necessity and Short Lengths of Stay: This target consists of claims with significantly short lengths of stay based on the DRG and/or primary diagnosis for any diagnosis or procedure; claims for procedures which have significantly higher denial rates due to medical necessity concerns and have short lengths of stay; and selected claims with short lengths of stay.

5. Compliance: This target consists of procedures that require pre-certification for which there was no pre-certification number indicated on the claim (when/if the pre-certification is reinstated by ODM).

6. Outpatient/Ambulatory: This target consists of incorrect coding/number of units, billing issues and inappropriate hospital setting.

7. Bill audit: This target reviews DRG-exempt facility claims once a year for accuracy of billing itemized charges.

Permedion will perform the claims selection and deliver any volume exceeding 1,600 reviews to the Supplier to perform retrospective review. The supplier should expect a minimum volume of 100 reviews monthly, not expected to exceed 300 reviews. Volume will be reviewed and revised annually. The reviews must be completed by an Ohio Licensed Registered Nurse whose license is active and unrestricted. Additionally, the nurse should have a minimum of 3 years of experience in an Acute Care Hospital (LTACH). The list will be provided on the first Monday of each month for action during the following month.

The supplier will be responsible for utilizing the Permedion-HMS proprietary system to validate the diagnosis and procedure codes and other qualifying review factors used to determine whether the inpatient acute hospital level of care was necessary, based on the intensity of services provided and/or the severity of the patient’s illness. The supplier will also be required to review each case for accuracy and completeness, according to American Hospital Association Coding Clinic guidelines, and confirm that the medical record supports the coding submitted. The nurse reviewers/Certified Coding Specialists (CCS) will have electronic access to the Coding Clinics. Validation of additional claims information that may determine the DRG assignment (e.g. discharge status or age) may be required. In addition, the nurse/CCS will review the chart for the sequencing of DRG codes by following coding guidelines to make a determination. Once correct codes are determined and clinical questions are resolved by physician reviewers, the correct codes and billing information are processed through a DRG grouper appropriate for the time period of the claim to determine whether a change in the DRG assignment is warranted.

If a change is warranted, a determination letter must be submitted to the provider through our proprietary system. It will include the billed diagnosis/procedure codes, the new correct code, pertinent claim details, and a complete rationale for the changes.

If the DRG review determines that the case was coded and billed appropriately, no further action will be required.

Clinical issues, such as whether the correct principal diagnosis is identified or whether secondary diagnoses are substantiated, are referred to physician reviewers for a determination. All clinical issues identified by nurse reviewers/CCSs (appropriateness of setting, change in diagnosis, etc.) are reviewed by one of our panel of more than 120 Ohio-licensed physicians. These physicians review the records and provide an independent assessment of the nurse reviewer’s or CCS’s determination. The supplier will be expected to complete the assigned reviews within 30 days of receipt unless otherwise instructed. Failure to complete reviews in a timely manner may result in disciplinary action, up to and including termination of the Subcontract.


The Supplier Unit Lead may consult with the Permedion Service Line Manager as needed to achieve appropriate claims resolution. The supplier will be responsible for providing standard inventory reporting and other general reporting on a monthly basis.

4.2.2 Prior Authorization of Behavioral Health Services

Prior Authorization (PA) is the review of services before they are rendered or the items are delivered, granting the provider authority to provide care. Ohio Medicaid’s new Behavioral Health Redesign services require prior authorization for Assertive Community Treatment (ACT) and Intensive Home Based Treatment (IHBT) services for the next two years. Additional services may require prior authorization after pre-set limits are reached (see the service type listing below). PA reviewers must be proficient in mental health or addiction services, depending on the type of service requested, the review, and the provider type. The Supplier is expected to hire and/or contract with LISW or LPCC credentialed staff to fulfill this scope of work.

The following services must receive PA before the services can be delivered:

1. Assertive Community Treatment - for adults;
2. Intensive Home Based Treatment - for children; and
3. Substance Use Disorder (SUD) Partial Hospitalization.

The following services require PA after ODM-specified limits are reached:

1. Psychiatric Diagnostic Evaluations;
2. Psychological Testing;
3. Screening Brief Intervention and Referral to Treatment (SBIRT);
4. Alcohol or Drug Assessment;
5. Mental Health Nursing Services;
6. SUD Nursing Services; and
7. SUD Residential.

For ACT/IHBT services, OAC 5160:27-## and OAC 5160:27-## (rules to be released early 2017) must be used to evaluate qualified provider types requesting the service, medical necessity and level of care. For substance use services, the American Society of Addiction Medicine (ASAM) guidelines for alcohol and drug treatment services must be used to evaluate medical necessity and level of care. For mental health services, guidelines set forth by the American Psychiatric Association, American Psychological Association, American Academy of Child and Adolescent Psychiatry, Centers for Medicare and Medicaid Services (CMS) and American Medical Association guidance for Current Procedural Terminology (CPT)/Healthcare Common Procedure Coding System (HCPCS) must be used to evaluate medical necessity and level of care.


Permedion, in conjunction with ODM, will provide the Supplier with the appropriate system access in order to review the PAs upon receipt. The expected volume for the ACT and IHBT PAs is estimated at 2,700 per year. (Note: These services are new to ODM and its providers. As a result, the volume is an estimate.) The supplier will be responsible for utilizing the Permedion-HMS proprietary system to log all requests for prior authorization, determinations, physician referrals, appeals and requests for hearings. The supplier will also be subject to internal quality control (IQC) scores on individual reviewers and will provide education and training to providers as needed and related to the scope of work. The supplier will be expected to complete the assigned ACT and/or IHBT reviews within 48 hours of receipt; 72 hours is allotted for all other PA types. Failure to complete reviews in a timely manner may result in disciplinary action, up to and including termination of the Subcontract. The Supplier Unit Lead may consult with the Permedion Service Line Manager as needed to achieve appropriate claims resolution. The supplier will be responsible for providing standard inventory reporting and other general reporting on a monthly basis.


SUPPLIER PROFILE & QUESTIONS

5.1 Company Information

1. Provide the full name and address of your corporate headquarters and full contact information of the primary contact for this RFP.

2. What would be the legal entity that would be doing business with HMS?

3. How long has your company been in business? How long have you been providing the services outlined in this RFP?

4. How many employees are in your company?

5. Is your company a public or privately held organization?

6. How many customers do you have?

7. Is your company an Ohio certified MBE organization? (Please provide a copy of your certification letter.)

8. What types of background checks do you run on your employees? (Copies may be required upon award.)

5.2 Financial Information

9. Attach financial and cash flow statements for the past three years as a separate document upon receipt of the RFP. Publicly held companies should provide SEC Filings and Prospectus. Privately held companies should provide audited financial statements (consolidated Balance Sheet, Consolidated Statement of Operations, Dun & Bradstreet Comprehensive Report). The report should be current; however, it is acceptable to submit a report dated May 2014.

10. What was your annual sales volume in 2013? 2014?

11. Provide a listing of any significant acquisitions, divestitures or “change of control” that have occurred in the last two years or are anticipated will occur within the next 12 months.

12. Provide a listing of any entity that controls 10% or more of your company.


13. Is your company SAS 70 compliant?

14. If so, provide a copy of your most recent SAS 70 report.

15. If the Company is publicly traded, attach the most recent 10-K.

16. Report any publicly traded debt and your company’s bond rating related to that debt.

17. Has your company ever filed for bankruptcy?

18. Provide a statement of capability with regard to your company's current financial strength and its financial capacity to perform this work long term; comment on any recent or upcoming / planned changes in ownership.

5.3 Insurance Requirements – see Master Service Agreement

Supplier shall agree that if the insurance requirements set by the State of Ohio under the prime contract currently exceed the coverages listed above or thereafter increase, supplier shall meet or exceed the requirements as set by the State of Ohio and shall furnish to HMS satisfactory evidence thereof at any time HMS requests such documentation.

19. Do you meet the insurance requirements outlined above? If not, what are the limits?

5.4 Claims Evaluation Capabilities

20. Please describe your claims evaluation capabilities.

21. Please list similar, utilization management work experience and scope synopsis, not to exceed 500 words. (A Statement of Work can be supplied to augment this requirement.)

22. What portion of your internal capacity is currently being utilized?

23. How do you facilitate document QA?

5.5 Account Management

24. Please describe your e-Invoicing capabilities (attach diagram as necessary.)


25. Will any portion of the work be outsourced to a third party?

26. A Unit Supervisor is required for this procurement; please provide a resume for the intended key personnel. (Attestation of staff hire and intended merits/attributes will suffice.)

5.6 Security

27. Please complete the Vendor Risk Assessment Questionnaire (see the separate attachment/file included in the email).

28. If awarded the business, are you willing to sign a Business Associate Agreement as part of the Subcontract Agreement? Yes or No.

5.7 Quality

29. Provide a thorough description of your company’s quality control procedures and ability to deliver error-free services. Include a written summary of your company’s commitment to quality via Six Sigma, Total Quality Management, or other methods.

30. Please describe the performance standards that are used to measure accuracy, timeliness, and customer satisfaction.

5.8 Implementation

31. Please describe your implementation process and your ongoing management of the program.

Thank you for your participation in this process and for considering doing business with HMS.



Control question

Does the organization has a formal information protection program based on an accepted industry

framework that is reviewed and updated as needed?

Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the

passwords are changed and privileges are reduced to the lowest levels of access?)

Are security contacts appointed by name for each major organizational area or business unit?

Does capital planning and investment requests include the resources needed to implement the

security program, and the organization ensures the resources are available for expenditure as

Are the organizations information protection and risk management programs reviewed and updated

Is the individual responsible for information security in the organization qualified for the role?

Are security contacts formally appointed in writing for each major organizational area or business

Is an information security management committee chartered and active?

Are annual risk assessments performed by an independent organization?

Are security activities (e.g., implementing controls, correcting nonconformities) coordinated in advance

and communicated across the entire organization?

Are security requirements for information systems identified in mission/business processes and

resources allocated as part capital planning and investment control processes in a discrete budget line

Does an internal security information sharing mechanism exist to communicate nonconformities and

lessons learned to senior management?

Are account managers are notified when users access rights change (e.g., termination, change in

position) and modify the users account accordingly?

Are security plans that meet applicable requirements developed for information systems that are

periodically reviewed and communicated to relevant stakeholders?

Does the organizations security lead meets with business area/organizational unit security contacts on

a monthly or near monthly basis?

Is access to the organizations information and systems by external parties not permitted until due

diligence has been conducted, the appropriate controls have been implemented, and a

Are remote access connections between the organization and external parties encrypted?

Is access granted to external parties limited to the minimum necessary and granted only for the

Does due diligence of the external party include interviews, document review, checklists, certification

reviews (e.g. HITRUST)ÿor other remote means?

Are remote access connections with external parties monitored on an ongoing basis?

Is a standard agreement with third parties defined and includes the required security controls in

accordance with the organizations security policies?

Are the specific limitations of access, arrangements for compliance auditing, penalties, and the

requirement for notification of 3rd party personnel transfers and terminations identified in the

Does the covered ensure PHI is safeguarded for a period of 50 years following the death of the

Do user registration and de-registration procedures, at a minimum, communicate relevant policies to

users, check authorization prior to granting access, address termination and transfer, and Does the covered entity document compliance with the notice requirements by retaining copies of the

notices issued by the covered entity for a period of 6 years and, if applicable, any written

acknowledgements of receipt of the notice or documentation of good faith efforts to obtain such written

Does the covered entity document restrictions in writing and formally maintain such writing, or an

electronic copy of such writing, as an organizational record for a period of six (6) years?Does the covered entity document and maintain the designated record sets that are subject to access

by individuals and the titles of the persons or office responsible for receiving and processing requests

for access by individuals as organizational records for a period of six (6) years?Does the covered entity document and maintain accountings of disclosure as organizational records

for a period of six (6) years, including the information required for disclosure, the written accounting

provided to the individual, and the titles of the persons or offices responsible for receiving and

Has the organization formally appointed a data protection officer responsible for the privacy of covered When required, is consent obtained before any protected information (e?g? about a patient) is Is covered information encrypted using a method appropriate to the medium anywhere it is stored, or Are records with sensitive personal information protected during transfer to organizations lawfully Are acceptable use agreements signed by all employees before being allowed access to information Are computer login banners displayed outlining the terms and conditions of access and must be Are users given a written statement of their access rights, which they are required to sign stating they Does the organization provide notice that the employees actions may be monitored, and that the Are employees informed in writing of the organization's sanction policy for security violations?Does management approve the use of information assets and takes appropriate action when Are annual compliance reviews conducted by security or audit individuals?Are the results and recommendations of the reviews documented and approved by management?Are automated compliance tools used when possible?Are third party independent compliance assessments performed every two years?Is an inventory of assets maintained?Does the information lifecycle manage the secure use, transfer, exchange, and disposal of IT-related

Does the asset inventory also include the owner of the information asset, categorizes the information

asset according to criticality and information classification (see 07.d), and identifies protection Are group, shared or generic accounts and passwords (e.g., for first-time log-on) not used?

Are rules defined to describe user responsibilities and acceptable behavior regarding information

system usage, including at a minimum rules for email, Internet, mobile devices and social media Is HIV-related information subject to special requirements such as labeling and handling consistent Is visitor and third party support access recorded and supervised unless previously approved?Are areas where covered information is stored or processed controlled and restricted to authorized Are repairs documented and the documentation retained?Is a visitor log maintained for at least 3 months?Are physical authentication controls used to authorize and validate access?Is an audit trail of all physical access maintained?Is visible identification of employees, visitors, contractors and third parties required to clearly identify Are physical access rights reviewed every 90 days and updated accordingly?Are user identities verified in person before a designated individual or office to receive a hardware

Do doors to internal secure areas lock automatically, implement a door delay alarm, and are equipped Are inventories of physical access devices performed annually?Are combinations and keys changed when lost or stolen?

Are intrusion detection systems (e.g., alarms and surveillance equipment) installed on all external

doors and accessible windows and monitored in real time?

Does the organization actively monitors unoccupied areas at all times and sensitive and restricted

areas in real time as appropriate for the area?Are fire extinguishers and detectors installed according to applicable laws and regulations?Are fire prevention and suppression mechanisms, including workforce training, provided?Are master power and emergency power off switches appropriately installed, protected and Are water detection mechanisms in place with master shutoff valves accessible, working and known?Are fire suppression and detection systems supported by an independent energy source?Are passwords changed for default system accounts, at first login following the issuance of a secure

temporary password, when there is a suspected compromise, and no less than every ninety (90) days

for regular accounts or 60 days for privileged (i.e., administrator accounts)?

IS maintenance controlled and conducted by authorized personnel in accordance with supplier-

recommended intervals, insurance policies and the organizations maintenance program?Is covered information cleared from equipment prior to maintenance unless explicitly authorized?Following maintenance, are security controls checked and verified?Are records of maintenance maintained?Are tools for maintenance approved, controlled, monitored and periodically checked?Are media containing diagnostic and test programs checked for malicious code prior to use?Is electronic and physical media containing covered information securely destroyed (or the information Is a secure audit record created for all activities on the system (create, read, update, delete) involving Do audit records include the unique user ID, unique data subject ID, function performed, and date/time

Do the activities of privileged users (administrators, operators, etc.) include the success/failure of the

event, the account involved, the processes involved, and additional information about the event?Are identification codes used in conjunction with passwords protected?Are logs of messages sent and received maintained including the date, time, origin and destination of

Is auditing always available while the system is active and does it track key events, success/failed data access, system security configuration changes, privileged or utility use, and any alarms raised?

Are audit records retained for 90 days and archived for 1 year?

Are audit logs maintained for management activities, system and application startup/shutdown/errors,

Do perimeter devices additionally log packet denials?

Are all disclosures of covered information within or outside of the organization logged including type of disclosure, date/time of the event, recipient, and sender?

Do information systems alert a designated individual or office and take appropriate action in response to an audit processing failure or storage capacity issue?

Are all applicable legal requirements related to monitoring authorized access and unauthorized access

Are automated systems deployed throughout the organization's environment used to monitor key events and analyze system logs, the results of which are reviewed regularly?

Does monitoring include privileged operations, authorized access, unauthorized access attempts, and

Are users made aware of the organization's password requirements?

Do the auditing and monitoring systems employed by the organization support audit reduction and

Are automated systems used to review monitoring activities of security systems (e.g., IPS/IDS) and

Are alerts generated for technical personnel to analyze and investigate suspicious activity or

Do automated systems support near real-time analysis and alerting of events (e.g., malicious code,

Do automated systems support selective processing of audit records?

Does monitoring include inbound and outbound communications and file integrity monitoring?

Is the information system able to protect against an individual from falsely denying performance of a

Does the organization analyze and correlate audit records across different repositories and correlates

Is access to system audit tools and audit trails protected and controlled to prevent unauthorized

Is authorized access and unauthorized access attempts to the audit systems and audit trails logged

Is covered or critical business information left unattended or available for unauthorized individuals to access including on desks, printers, copiers, fax machines, and computer monitors?

Are the organization's system clocks set to an agreed standard and synchronized daily and at system

Is time data protected and controlled from unauthorized access?

Are logs for external-facing technologies (e.g. wireless, firewalls, DNS) onto a log server located on

Is separation of duties used to limit the risk of unauthorized or unintentional modification of information

Is no single person able to access, modify, or use information systems without authorization or

Do job descriptions define duties and responsibilities that support the separation of duties across

Are individuals responsible for administering access limited to the minimum necessary, and are these individuals prevented from accessing audit functions related to these controls?

Are development, testing and production functions separated among multiple individuals/groups?

Do Service Level Agreements (SLAs) or contracts with an agreed service arrangement address liability, service definitions, security controls, and other aspects of services management?

Does the organization develop, disseminate and annually review/update a list of current service

Is the information protection program formally documented and actively monitored, reviewed and updated to ensure program objectives continue to be met?

Is covered or critical information protected when using internal or external (e.g., USPS) mail

Does the organization address information security and other business considerations when acquiring systems or services including maintaining security during transitions and continuity following a failure

Are the results of monitoring activities of third party services compared against the Service Level

Are regular progress meetings conducted as required by the SLA to review reports, audit trails,

Are network services periodically audited to ensure that providers implement the required security features and meet the requirements agreed with management, including new and existing regulations?

Do third parties coordinate, manage and communicate changes to their services provided to the

Are third party service changes evaluated to identify the potential impacts before implementation?

Are anti-virus and anti-spyware installed, operating and updated on all devices to conduct periodic scans of the system to identify and remove unauthorized software?

Are audit logs of the scans maintained?

Are scans for malicious software performed on boot and every 12 hours?

Is malicious code that is identified blocked, quarantined and an alert sent to the administrators?

Does the organization specify the networks and network services to which users are authorized

Is anti-malware centrally managed so that it cannot be disabled by users?

Is centrally managed, up-to-date anti-spam implemented at the entry/exit points of the network and on

Is user functionality (including user interface services [e.g., Web services]) separated from information system management (e.g., database management systems) functionality?

Are users made aware and trained not to install unauthorized software from external networks (e.g.,

Is file sharing disabled on wireless enabled devices?

Are vendor defaults for wireless access points changed prior to authorizing the implementation of the

Are wireless access points configured with strong encryption (WPA at a minimum)?

Are wireless access points placed in secure locations?

Are firewalls configured to deny or control any traffic from a wireless environment into the covered data

Are quarterly scans performed to identify unauthorized wireless access points?

Does the organization determine who is allowed access to specific networks and network services and specify the means of access allowed, including specific ports, protocols and services?

Does a current network diagram exist and is it updated whenever there are network changes and no

Are all network devices identified and authenticated prior to establishing a connection?

Are firewall, router and network connection changes approved and tested prior to implementing the

Do firewalls restrict inbound and outbound traffic to the minimum necessary?

Does the organization's DNS provide additional authentication and integrity verification assurances?

Is the impact of the loss of network service to the business defined?

Is an IDS implemented and operating on the network perimeter and other key points and is updated on

Are firewall and router configuration standards defined and implemented and are reviewed every 6

Are MAC address authentication and static IP addresses implemented?

Are quarterly network scans performed to identify unauthorized components/devices?

Does the organization identify and manage the external information systems that may be used by

Does the organization utilize firewalls from at least 2 different vendors that employ stateful packet

Is a DMZ established with all database(s), servers and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network?

Do information systems perform data origin authentication and data integrity verification on DNS

Does the organization use at least 2 DNS servers located on different subnets, which are geographically separated and perform different roles (internal and external)?

Are agreed services provided by a network service provider/manager formally managed and monitored

Does the organization formally authorize and document the characteristics of each connection from an information system to other information systems outside the organization?

Do formal agreements with external information system providers include specific obligations for

Is removable media restricted, required to be registered before use, and encrypted?

Does the organization protect and control media containing sensitive information during transport

Is digital and non-digital media requiring restricted use and the specific safeguards used to restrict

Are authorized individuals prohibited from using external information systems unless they can verify security controls are adequate and have an approved connection or processing agreement?

Are removable storage devices sanitized prior to connecting such devices to the information system?

Does the organization securely dispose of media containing sensitive information?

Are logging and audit trails of disposal operations maintained?

Is media labeled, encrypted and handled according to its classification?

Is the status and location of unencrypted covered information maintained and monitored?

Are records of data transfers maintained?

Are inventory and disposition records of media maintained?

Does the organization formally address multiple safeguards before allowing the use of information

Is remote (external) access to the organization's information assets and access to external information assets (over which the organization has no control) based on clearly defined terms and conditions?

Are applications developed by the organization based on secure coding guidelines to prevent common

Is multi-factor authentication implemented for all remote access to the organization's network?

Do applications that store, process or transmit covered information undergo automated application vulnerability testing by a qualified party on an annual basis?

Are system and information integrity requirements reviewed and updated annually?

Is encryption used to protect covered information on mobile/removable media and across

Is key management implemented based on specific roles and responsibilities and in consideration of national and international regulations, restrictions and issues?

Are encryption keys and the equipment to generate, store and archive keys protected against

Is a formal key management system defined and implemented consistent with federal and industry-recognized guidelines to securely manage secret/private keys and public keys issued by trusted

Are keys limited to a period of time not to exceed one year?

Are specific mechanisms in place to recover information in the event encryption keys are lost?

Are only authorized administrators allowed to implement approved upgrades to software, applications and program libraries based on business requirements and the security implications of the release?

Are applications and operating systems successfully tested for usability, security and impact prior to

Are authorized accounts for remote maintenance disabled/deactivated when not in use?

Does the organization use its configuration control program to maintain control of all implemented software and system documentation and archive prior versions of implemented software and system

Where software development is outsourced, are formal contracts in place to address the ownership and security of the code and application?

Where software development is outsourced, is the development process monitored by the organization and does it include independent security and code reviews?

Are technical vulnerabilities identified, evaluated for risk and corrected in a timely manner?

Does a hardened configuration standard exist for all system components?

Is a technical vulnerability management program in place to monitor, assess, rank, and remediate

Are internal and external vulnerability assessments performed by a qualified individual on a quarterly

Are patches tested and evaluated before they are installed?

Is the technical vulnerability management program evaluated on a quarterly basis?

Are systems appropriately hardened (e.g., configured with only necessary and secure services, ports

Are encrypted VPN solutions (or private lines) implemented for employee, contractor or third party

Is a formal security incident response program established to respond, report (without fear of

Is there a point of contact for reporting information security events?

Does the organization implement an insider threat program that includes a cross-discipline insider

Do workforce members cooperate with federal or state investigations or disciplinary proceedings?

Does the organization take disciplinary action against workforce members that fail to cooperate with

Does the organization provide a process/mechanism to anonymously report security issues?

Does the security incident response program include roles, responsibilities and tools for handling,

Are reports and communications made without unreasonable delay and no later than 60 days after the discovery of an incident, unless otherwise stated by law enforcement orally or in writing, and include

Do all employees, contractors and third party users receive mandatory incident response training?

Are intrusion detection/information protection system (IDS/IPS) alerts utilized for reporting information

Is network equipment checked for unanticipated dial-up capabilities?

Does the organization adhere to the HITECH Act requirements for responding to a data breach (of

Is a duress alarm provided and responded to accordingly whereby a person under duress can indicate

Are incidents (or a sample of incidents) reviewed to identify necessary improvement to the security

Does the security incident response program account for and prepare the organization for a variety of

Is there a point of contact for coordinating information security event responses?

Following an incident, are audit trails and evidence secured, system and data access controlled, emergency actions documented, actions reported to management, and system and control integrity

For unauthorized disclosures of covered information, is a log maintained and annually submitted to the

Is the incident response plan communicated to the appropriate individuals throughout the

Are testing exercises planned, coordinated, executed and documented periodically, at least annually?

Is an incident response support resource available to offer advice and assistance to users of information systems for the handling and reporting of security incidents in a timely manner?

Are unauthorized remote access connections to the organization's network and information systems

Are incidents promptly reported to the appropriate authorities and outside parties (e.g., FedCIRC,

Can the organization recover and restore business operations and establish an availability of information in the time frame required by the business objectives and without a deterioration of the

Does the contingency program address required capacity, identify critical missions and business functions, define recovery objectives and priorities, and identify roles and responsibilities?

Are copies of the business continuity plans distributed to key contingency personnel?

Are alternative storage and processing sites identified, at a sufficient distance from the primary facility,

Are emergency power and telecommunications available at the main site?

Are the organization's employees provided with crisis management awareness and training?

Are business continuity plans tested and updated annually?

Are business continuity plans stored in a remote location?

Are alternate telecommunications services sufficiently separate from the primary service provider

Are independent audits conducted at least annually to determine whether the information protection program is approved by executive management, communicated to stakeholders, adequately resourced, conforms to relevant legislation or regulations and other business requirements, and adjusted as needed to ensure the program continues to meet defined objectives?

Are remote administration sessions authorized, encrypted, and employ increased security measures?

Are firewalls used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of

Is the organization's network logically and physically segmented by a defined security perimeter, and is traffic controlled based on functionality required and classification of the data/systems?

For any public-facing Web applications, are application-level firewalls implemented to control traffic?

For each network access point or telecommunication service, is network traffic controlled in accordance with the organization's access control policy through firewall and other network-related restrictions, including the denial of network traffic by default, permit by exception?

Is transmitted information secured and, at a minimum, encrypted over open, public networks?

Are exceptions to the traffic flow policy documented and reviewed annually?

Are remote devices establishing a non-remote connection not allowed to communicate with external

Is the ability of users to connect to the internal network restricted according to the access control

Do firewalls validate source/destination addresses and hide internal directory services and IP

Are access control rules and rights for each user or group of users for each application clearly

Are unique IDs required for all types of users (employees, contractors, third parties, etc.)?

Are users who perform privileged functions (e.g., system administration) using separate accounts

Are shared and generic user IDs approved and only used when activities do not need to be traced to

Are multi-factor authentication methods used in accordance with organizational policy, e.g., for remote

Is authentication data not stored after authorization (even if encrypted)?

Where tokens are provided for multi-factor authentication, is in person verification required prior to

Does help desk support require user identification for any transaction that has information security

Does the password management system require individual user IDs and passwords; force a password change at initial log-on; not display passwords when entered; and change vendor-supplied

Does the password management system enforce all password policy requirements, including the protection of passwords at rest or in transit; storage of password files separate from application data; quality passwords; password changes; and the prevention of password re-use?

Are access rights to applications and application functions limited to the minimum necessary using

Are users and service providers given a clear statement of the business requirements for controls

Are access rights from an application to other applications controlled?

Are outputs from application systems handling covered information limited to the minimum necessary

Is covered information encrypted when stored in non-secure areas and, if not encrypted at rest, the

Are actions that can be performed without identification and authentication permitted by exception?

Is copy, move, print (and print screen), and storage of sensitive data prohibited when accessed

Is the sensitivity of applications/systems explicitly identified and documented by the application/system

Unless the risk is identified and accepted by the data owner, are sensitive systems isolated (physically or logically) from non-sensitive applications/systems?

Are mobile computing devices protected at all times by access controls, encryption, virus protections, host-based firewalls, secure configuration, and physical protections?

Are personnel using mobile computing devices trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections)?

Does the organization monitor for unauthorized connection of mobile devices?

Does the access authorization process address requests for access, changes to access, removal of

Are specially configured mobile devices issued for personnel travelling to high risk locations, and are they checked for malware and physical tampering upon return?

Are teleworking activities only authorized if security arrangements and controls that comply with relevant security policies and organizational requirements are in place?

Are personnel who telework trained on the risks, the controls implemented, and their responsibilities?

Prior to authorizing teleworking, is the physical security of the teleworking site evaluated and any

Does the organization provide suitable equipment (e.g., storage devices, networking equipment) that is

Is additional insurance to address the risks of teleworking provided?

Are user security roles and responsibilities clearly defined and communicated?

Are criticality/sensitivity risk designations for the roles within the organization assigned with

Does the organization have an information security workforce improvement program?

Does the organization ensure plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy

Are access controls consistently managed for all systems and applications in networked and distributed environments based on the classification of and risks to the information stored, processed, or

Are users briefed on their security roles/responsibilities, and do they agree to conform with the terms and

Is an individual or dedicated team assigned to manage the information security of the organization's

Are non-employees provided the organization's data privacy and security policy prior to accessing

Is acceptable usage defined and usage explicitly authorized?

Is training on the organization's security policies and procedures, including operations security,

Does security awareness training include the recognition and reporting of potential indicators of an

Do employees sign acceptance/acknowledgement of their security responsibilities?

Do personnel with significant security responsibilities, e.g., system administrators, receive specialized education and training on their roles and responsibilities prior to accessing the organization's systems and

Do information security personnel, including organizational security points of contact (POCs), receive specialized security education and training?

Are sanctions fairly applied to employees following violations of the information security policies once a

Is access authorization, e.g., access requests, approvals and provisioning, segregated among multiple

Is a list of employees involved in security incidents maintained with the resulting outcome from the

Is a contact in HR appointed to handle security incidents involving employees?

Do disciplinary actions include possible license, registration, or certification denial or revocation?

Upon termination or changes in employment for employees, contractors or third party users, are physical and logical access rights and associated materials (e.g., passwords, keycards, keys)

For instances of increased risk, are physical and logical access rights immediately removed or modified following employee, contractor or third party user termination?

Does the organization maintain and update a formal, comprehensive program to manage the risk

Are information safeguards applied unnecessarily?

Has the organization implemented a formal methodology for tracking risk assessments and risk

Does the organization perform risk assessments in a consistent way and at planned intervals, or when

Does the organization update the results of a formal, comprehensive risk assessment every two (2)

Are user identities verified prior to establishing accounts?

Do risk assessments include the evaluation of multiple factors that may impact security as well as the

Are risks and nonconformities identified, evaluated, and appropriate corrective actions implemented?

Does the covered entity mitigate any harmful effect that is known to the covered entity of a use or disclosure of PHI by the covered entity or its business associates, in violation of its policies and

Is a risk treatment plan that identifies risks and nonconformities, corrective actions, resources, responsibilities and priorities for managing information security risks regularly reviewed and updated?

Are the objectives, scope, importance, goals and principles for the organization's security program identified and supported by a controls framework that considers legislative, regulatory, contractual

Are the security policies regularly reviewed, updated and communicated throughout the organization?

Does the owner of the security policies review, update, and approve the policies annually?

Do the security policy reviews consider all appropriate elements that could impact the organization's

Is a senior-level information security official appointed and responsible for ensuring security processes are in place and evaluating and accepting security risks?

Does a management-level individual or group review the effectiveness of the information security

Answer <yes/no>

If the control question is deemed not in scope, please put

N/A and indicate why:

Additional Comments

Control category (column values, one per control question, in questionnaire order)

Information Protection Program
Access Controls
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Access Controls
Information Protection Program
Information Protection Program
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Data Protection and Privacy
Access Controls
Data Protection and Privacy
Data Protection and Privacy
Data Protection and Privacy
Data Protection and Privacy
Data Protection and Privacy
Data Protection and Privacy
Data Protection and Privacy
Data Protection and Privacy
Access Controls
Access Controls
Access Controls
Audit Logging and Monitoring
Education, Training, and Awareness
Incident Management
Configuration Management
Configuration Management
Configuration Management
Configuration Management
Vulnerability Management
Vulnerability Management
Vulnerability Management
Access Controls
Education, Training, and Awareness
Data Protection and Privacy
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Access Controls
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Password Management
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Physical and Environmental Security
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Password Management
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Password Management
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Access Controls
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Audit Logging and Monitoring
Third Party Assurance
Third Party Assurance
Information Protection Program
Access Controls
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Third Party Assurance
Endpoint Protection
Endpoint Protection
Endpoint Protection
Endpoint Protection
Network Protection
Endpoint Protection
Endpoint Protection
Endpoint Protection
Education, Training, and Awareness
Endpoint Protection
Wireless Security
Wireless Security
Wireless Security
Wireless Security
Wireless Security
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Portable Media Security
Portable Media Security
Portable Media Security
Network Protection
Portable Media Security
Physical and Environmental Security
Physical and Environmental Security
Portable Media Security
Portable Media Security
Portable Media Security
Portable Media Security
Transmission Protection
Transmission Protection
Vulnerability Management
Access Controls
Vulnerability Management
Vulnerability Management
Transmission Protection
Transmission Protection
Transmission Protection
Transmission Protection
Transmission Protection
Transmission Protection
Configuration Management
Configuration Management
Access Controls
Configuration Management
Third Party Assurance
Third Party Assurance
Vulnerability Management
Vulnerability Management
Vulnerability Management
Vulnerability Management
Vulnerability Management
Vulnerability Management
Vulnerability Management
Access Controls
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Access Controls
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Incident Management
Access Controls
Incident Management
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery
Information Protection Program
Access Controls
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Network Protection
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Password Management
Password Management
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Access Controls
Network Protection
Network Protection
Mobile Device Security
Mobile Device Security
Mobile Device Security
Access Controls
Mobile Device Security
Mobile Device Security
Mobile Device Security
Mobile Device Security
Mobile Device Security
Mobile Device Security
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Access Controls
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Education, Training, and Awareness
Education, Training, and Awareness
Education, Training, and Awareness
Education, Training, and Awareness
Education, Training, and Awareness
Third Party Assurance
Access Controls
Third Party Assurance
Third Party Assurance
Risk Management
Access Controls
Access Controls
Risk Management
Risk Management
Risk Management
Risk Management
Risk Management
Access Controls
Risk Management
Risk Management
Risk Management
Risk Management
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program
Information Protection Program

ATTACHMENT 1

IMPORTANT: If the RFP specified a maximum page limit for vendor proposals\bids, the attachment of any required certifications, other documents, or additional pages needed to fully provide the information requested here will NOT be counted against that page limit.

Vendors must provide all information

1. ODM RFP/RLB# and TITLE: ____________________________________________________

2. Proposal Due Date: ___________________

3. Vendor Name: (legal name of vendor – person or organization – to whom contract/purchase payments will be made):

4. Vendor Corporate Address:

5. Vendor Remittance Address: (or “same” if same as number 4 above)

6. Print or type the following information for the vendor’s representative/contact person authorized to answer questions on the proposal/bid:

Vendor Representative Name and Title: ____________________________________________

Vendor’s Representative Phone # and Email Address: _________________________________

7. Is this vendor an Ohio certified MBE? Yes____ No____. If yes, attach a copy of current certification to proposal/bid. If ODM has specified the RFP/RLB is an opportunity exclusively for MBEs, failure to attach a copy of current certification may result in disqualification.

8. Vendor agrees to comply with the requirement to maintain a complete affirmative action plan and affirms it will be in compliance with ORC § 125.111 prior to being awarded a contract.

ATTACHMENT 2

Vendor and Grantee Ethics Certification

1. As a vendor or grantee doing business with* or receiving grants from the State of Ohio, I certify on behalf of (Name of vendor or grantee) that:

(1) I have reviewed and understand Ohio ethics and conflict of interest laws, as found in Chapter 102 and Sections 2921.42 and 2921.43 of the Ohio Revised Code;

(2) I acknowledge that our organization is not excluded from entering into a contract with ODM due to restrictions related to the federal debarment list, unresolved findings under ORC § 9.24 and unfair labor findings pursuant to ORC § 121.23; and

(3) I acknowledge that failure to comply with this certification is, by itself, grounds for termination of this contract or grant with the State of Ohio.

_____________________________________ ______________________

Signature of authorized agent Date

*“Doing business with” includes all contracts for goods and services, excluding purchases made using the State of Ohio’s Payment Card Program that cost less than $1,000.

2. I have read the ODM Model Contract attached to the RFP/RLB, and if awarded a contract, I will not_______(or) I will______ request changes to the standard language, and have marked the requested changes and returned the model document with this proposal for consideration by ODM. (If changes are requested, ODM will review those changes if you are the selected vendor. All requested changes to model contract language are subject to ODM approval.)

NOTE: Item 3 below is not applicable and not required when the subject ODM procurement opportunity is offered only to State Term Schedule Vendors.

3. I ________________________, (authorized vendor representative) hereby affirm that this proposal accurately represents the capabilities and qualifications of ____________________ (vendor’s name), and I hereby affirm that the cost(s) bid to ODM for the performance of services and/or provision of goods covered in this proposal in response to the ODM RFP/RLB/other purchase opportunity is a firm fixed price, inclusive of all incidental as well as primary costs. (Failure to provide the proper affirming signature on this item may result in the disqualification of your proposal\bid.)

4. I _______________________________________, (authorized vendor representative) hereby attest that I understand that any and all information included in this proposal is not confidential and/or trade secret information (as defined in the RFP or where found in an RLB document) and that the proposal submission may be posted in its entirety on the Internet for public viewing. Following submission to ODM, all proposals submitted may become part of the public record. ODM reserves the right to disqualify any vendor whose proposal is found to contain such prohibited personal information. The vendor affirms that it shall be solely responsible for any and all information disclosed in the proposal submission and any or all information released by ODM in a public records request(s).

ATTACHMENT 3

Location of Business and Offshore Declaration Form

Location of Business Declaration: Vendors responding to any ODM RFP/RLB (etc.) must certify that no public funds shall be spent on services provided/performed offshore by completing, signing, and returning the “Location of Business Form,” which is the final section of this attachment. FAILURE TO PROPERLY COMPLETE, SIGN AND RETURN THIS FORM MAY RESULT IN DISQUALIFICATION OF THE VENDOR FROM CONSIDERATION FOR AWARD OF THIS ODM CONTRACT.

Pursuant to Governor’s Executive Order 2011-12K (www.governor.ohio.gov), no public funds shall be spent on services provided offshore. This form serves as a certification of compliance with this policy and required disclosures. Please answer the following questions about the project or service you are seeking to perform for, or the funding for which you are applying from, the Ohio Department of Medicaid:

1. Name/Principal location of business of subcontractor(s):

(Name) (Address, City, State, Zip)

(Name) (Address, City, State, Zip)

2. Name/Location(s) where services will be performed by subcontractor(s):

________________________________ __________________________

(Name) (Address, City, State, Zip)

2. Name/Location(s) where state data will be stored, accessed, tested, maintained or backed-up by subcontractor(s):

________________________________ __________________________

(Name) (Address, City, State, Zip)

3. Name/Location(s) where state data will be stored, accessed, tested, maintained or backed-up by subcontractor(s):

________________________________ __________________________

(Name) (Address, City, State, Zip)

4. Name/Location(s) where services will be changed or shifted to be performed by subcontractor(s):

________________________________ __________________________

(Name) (Address, City, State, Zip)

By signing below, I hereby certify and affirm that I have reviewed, understand, and will abide by the Governor’s Executive Order 2011-12K. I attest that no funds provided by ODM for this project or any other agreement will be used to purchase services provided outside the United States or to contract with a subcontractor who will use the funds to purchase services provided outside the United States. I will promptly notify ODM if there is a change in the location where any of the services relating to this project will be performed. If I am signing this on behalf of a company, business, or organization, I hereby acknowledge that I have the authority to make this certification on behalf of that entity.

_______________________________________ _______________________________

Signature Date

________________________________________ ________________________________

Entity Name Address (Principal place of business)

________________________________________ ________________________________

Printed name of individual authorized to sign on behalf of entity City, State, Zip

ATTACHMENT 4

Vendor Risk Questionnaire – Separate Excel Document

ATTACHMENT 5

Supplier – Master Service Agreement BAA Template – separate Word Document

© HMS 2004-2017 01182017 Supplier Master Services Agreement

1

SUPPLIER MASTER SERVICES AGREEMENT

This SUPPLIER MASTER SERVICES AGREEMENT (“Agreement”) is entered into on this ___ day of _______________, 20____ (“Effective Date”) between PERMEDION, INC., a New York corporation, on behalf of itself, its parent and its corporate affiliates (collectively “Permedion”), and [SUPPLIER NAME], a [CORPORATION/LLC/OTHER ENTITY] (“Supplier”) (PERMEDION and Supplier may each be referred to as a “Party,” and collectively as the “Parties”), with reference to the following:

WHEREAS, PERMEDION is engaged in the business of performing third party liability identification and recovery services, program integrity services, fraud, waste and abuse services, consulting services and other cost containment and other services for various government-sponsored and other health care programs and commercial entities; and

WHEREAS, in connection therewith, PERMEDION wishes to retain Supplier to perform services in support of the services PERMEDION provides for its various clients (“PERMEDION Clients”), pursuant to the applicable terms of the contracts (“Prime Contract”) between PERMEDION and such PERMEDION clients; and

WHEREAS, Supplier is willing and able to render said services, as described in this Agreement;

NOW, THEREFORE, in consideration of the mutual terms, conditions and covenants set forth herein, the parties agree as follows:

1. Supplier’s Services. Supplier agrees to render services to PERMEDION in accordance with each Statement(s) of Work (SOW), a form for which is attached hereto as Exhibit 1, including any terms included in any applicable PERMEDION Prime Contract and the applicable RFP to be attached thereto, which shall be incorporated into this Agreement by reference. Such Statements of Work shall be attached hereto as Exhibit(s) and incorporated by reference. Supplier shall have sole responsibility for performance of the designated services as set forth in each Statement of Work and incorporated herein by reference. Supplier shall comply with all required and applicable provisions contained in the PERMEDION agreement(s) with its client(s) that are applicable to the services provided under each Statement of Work. Any automation processes developed by Supplier under this Agreement or any SOW must be reviewed and approved by PERMEDION IT and Security departments before implementation. Any applicable flow-down provisions shall be set forth in each applicable Statement of Work. Supplier agrees and acknowledges that by entering this Agreement and any SOW, PERMEDION does not guarantee any particular or minimum volume or that any work will be assigned.

2. a. Compensation. In consideration of those services, PERMEDION shall pay Supplier in accordance with the Payment Schedule set forth in each Statement of Work and incorporated herein by reference. Supplier agrees that such rates shall be inclusive of all taxes and governmental fees and charges of any kind, and that such rates shall not increase during any term (Initial Term or any Renewal Term) of this Agreement or of each Statement of Work unless approved in writing and in advance by PERMEDION. The fees outlined in each Statement of Work represent full and sole reimbursement for duties performed. No additional charges, including pass-through and out-of-pocket expenses, will be reimbursed except as outlined in each Statement of Work or as agreed to in writing by the Parties.

b. Manner of Payment & Invoicing. PERMEDION uses the Ariba Network (“Ariba”), and Supplier will be required to enter into an Ariba agreement with Ariba, Inc. and to otherwise comply with the terms set forth in Exhibit 4, and to use the Ariba Network to submit invoices to PERMEDION. The Contractor will not be permitted to send any invoices to PERMEDION outside of the Ariba Network for review or payment, except as permitted in writing by PERMEDION. The Contractor will use Ariba to provide PERMEDION with invoices setting forth in sufficient detail the specific products or services provided. PERMEDION will pay undisputed invoices by check or wire transfer, in its discretion, within thirty (30) days of receipt by PERMEDION through Ariba. If the Contractor fails to comply with the requirements of this Section and Exhibit 4, PERMEDION shall in its discretion be entitled to reject any invoice. In the event that there are disputed charges on the Supplier’s invoice, PERMEDION may, at its option, (i) request that a revised invoice be sent, and/or (ii) timely pay all undisputed amounts and evaluate Supplier’s claim for the disputed portion. If PERMEDION deems the request to be reasonable, PERMEDION will reconsider the charges.

3. a. Status as Independent Contractors. This Agreement shall not constitute, create, or otherwise imply an employment, joint venture, partnership, agency or similar arrangement, and nothing contained herein shall be construed as providing for the sharing of profits or losses arising from the efforts of either or both of the Parties hereto. Nor shall this Agreement be construed to create or support any entitlement by Supplier, as a third-party beneficiary to a contract or otherwise, to enforcement of or benefit from any contract between PERMEDION and another person or entity. Each Party to this Agreement shall act as an independent contractor, and neither Party shall have the power to act for or bind the other Party except as expressly provided for herein. Supplier assumes sole responsibility for determining the manner and means of performance hereunder, provided that Supplier complies with its obligations under this Agreement to meet the Performance Standards set forth in this Agreement (as defined below).

b. Ineligible for Employee Benefits. Supplier and its employees shall not be eligible for any benefit available to employees of PERMEDION, including, but not limited to, workers compensation insurance, state disability insurance, unemployment insurance, group health and life insurance, vacation pay, sick pay, severance pay, bonus plans, pension plans, savings plans or the like.

c. Payroll Taxes. No income, social security, state disability or other federal or state payroll tax will be deducted from payments made to Supplier under this Agreement. Supplier agrees to pay all state and federal taxes and other levies and charges as they become due on account of monies paid to Supplier hereunder, and to defend, indemnify and hold PERMEDION harmless from and against any and all liability resulting from any failure to do so.

4. Term. This Agreement shall be effective as of the Effective Date provided herein, and shall continue in effect for [NUMBER OF MONTHS] (XX) months (the “Initial Term”), unless otherwise terminated or earlier terminated as provided in Paragraph 5 below. The Parties agree that PERMEDION may renew this Agreement for additional terms of [NUMBER OF MONTHS] (XX) months (the “Renewal Term”) upon PERMEDION’s provision of written notice to Supplier, no less than thirty (30) days prior to the expiration of the Agreement or Renewal Term. If no such notice is provided, this Agreement shall automatically renew on a month-to-month basis until terminated or renewed in accordance with the terms of this Agreement.

5. Termination. Either Party shall have the right to terminate this Agreement if the other Party is in default of any obligation hereunder and such default is not cured within thirty (30) days of receipt of a notice from the non-defaulting Party specifying such default. For purposes of this Agreement, “default” shall mean: (i) breach of any material term of this Agreement; (ii) an organizational conflict of interest is encountered due to Supplier’s financial interests or business dealings which cannot be avoided, resolved or sufficiently mitigated to permit continued performance of this Agreement; or (iii) Supplier fails to adhere to the Performance Standards set forth in this Agreement or each Statement of Work, or otherwise fails to satisfactorily perform any requirement, obligation, term, or duty under this Agreement.
PERMEDION may also terminate this Agreement immediately, in whole or in part, without prior notice if: (i) any PERMEDION client directs PERMEDION to terminate the Supplier’s services; (ii) the Supplier fails to perform its duties consistent with the Performance Standards described herein; or (iii) the Supplier violates any state or federal law, rule, regulation, required certification, or executive order. PERMEDION may terminate this Agreement, in whole or in part, for convenience with at least thirty (30) days’ notice to Supplier. In the event that this Agreement or a Statement of Work is terminated for any reason, PERMEDION shall pay Supplier the fee specified in each Statement of Work for any work PERMEDION determines has been satisfactorily performed.

6. Termination of Services and Return of PERMEDION/Client Property. Upon the expiration or earlier termination of this Agreement, Supplier shall immediately cease to perform the services hereunder, and shall deliver promptly to PERMEDION, but no longer than ten (10) calendar days after the date performance of services has ceased, all data, including all PHI as that term is defined in the BAA, and all property (including all data, files, documents, or records of any kind in any form, format, or medium, electronic or otherwise), furnished to Supplier by PERMEDION or a PERMEDION client or otherwise relating to the business, work and services of PERMEDION, and to any Work Product (as defined below), patents or copyrights covered by this Agreement. Such property shall include, but not be limited to, all hardware, software, or other tangible items furnished or supplied to Supplier by PERMEDION or any PERMEDION client for purposes of performing work under this Agreement, including written, graphical, electronic, and recorded material, and any copies, abstracts or summaries thereof. The Supplier shall submit a letter, certified by an authorized agent or official of the Supplier, attesting to the removal of all such PERMEDION/client property from its possession and the destruction and/or return of such PERMEDION/client property to PERMEDION within ten (10) days. Supplier must acknowledge and provide a Certificate of Destruction and must complete destruction and return any documents with a written inventory of any documents returned to PERMEDION. An inventory of all such hardware, software, or other tangible items furnished or supplied to Supplier by PERMEDION or its client for purposes of performing work under this Agreement will be identified in writing to Supplier at such time as the property is furnished to Supplier.

7. Changes. PERMEDION may, at any time by written order, make changes in the Supplier’s work within the general scope of the Statement of Work, including the issuance of additional Statement(s) of Work or supplementary task orders which shall become part of this Agreement once signed by all Parties. If any change under this section causes an increase or decrease in the Supplier’s cost of, or time required for, the performance of any part of the work, the Parties shall negotiate an equitable adjustment to the compensation payable hereunder, and this Agreement shall be modified in writing accordingly. In addition, the parties agree to negotiate in good faith to revise this Agreement in the event of (i) legislation or action by a court of competent jurisdiction or any other government entity that affects this Agreement; (ii) changes in the available funding for this Agreement; or (iii) other changes reasonably requested and deemed necessary by PERMEDION to make this Agreement consistent with PERMEDION’s obligations to its clients.

8. Standard of Performance. Supplier (i) warrants and represents that it possesses the special skill and professional competence, expertise and experience to undertake the obligations imposed by this Agreement; (ii) agrees to perform in a diligent, workmanlike, efficient, competent and skillful manner commensurate with the highest professional standards; (iii) agrees to devote such time as is necessary to perform the services required under this Agreement; and (iv) agrees to meet the Service Level Agreements set forth in each Statement of Work (“Performance Standards”).
Failure of Supplier to meet these Performance Standards shall constitute grounds for termination of this Agreement as a default. Supplier agrees to remove and replace any of its personnel who, in the sole judgment of PERMEDION or the client, is not performing a responsibility at an acceptable level.

9. Client Interface. Supplier shall not contact, communicate, or interface directly with any PERMEDION client without prior written approval from PERMEDION. Supplier shall submit all documents and deliverables to the appropriate point of contact as directed by PERMEDION. Supplier will not be permitted to discuss with any PERMEDION client any matters related to this Agreement without the written consent of PERMEDION. Supplier shall not be permitted to have its name displayed on any deliverables or other work product produced under this Agreement. Supplier agrees that it will not participate in meetings or engage in any communication with the client regarding this Agreement, or any issues relating to those agreements, outside the presence of PERMEDION without the advance written consent of PERMEDION. Supplier shall not use its name or any variation thereof in any communication, oral, written or otherwise, with any entity other than PERMEDION pursuant to this Agreement.

10. Conflicts of Interest. Supplier warrants and represents that (i) the work hereunder will not create an actual, potential, or apparent conflict of interest with any other work it is now performing or may in the future perform; (ii) Supplier is not presently subject to any agreement with a competitor or potential competitor of PERMEDION or with any other Party that will prevent Supplier from performing in full accordance with this Agreement; and (iii) Supplier is not subject to any statute, regulation, ordinance, rule, order, sanction, contract, or other restriction that will limit its ability to perform the obligations under this Agreement. The Parties agree that Supplier shall be free to accept other work during the term hereof; provided, however, that such other work shall not interfere with the provision of services hereunder, and further provided that, without the prior written consent of PERMEDION, Supplier shall not accept other work with any competitor of PERMEDION that creates a conflict of interest with PERMEDION.

11. Proprietary & Confidential Information. Supplier acknowledges that it may have access to and become acquainted with confidential and other information proprietary to PERMEDION, including, but not limited to, information concerning PERMEDION, its operations, customers, business and financial condition, proprietary software and materials, as well as information with respect to which PERMEDION has an obligation to maintain confidentiality (collectively referred to herein as “Proprietary Information” or “Confidential Information”). Supplier understands and agrees that any and all information, data, documents, files, medical or other records, and materials disclosed to it, in whatever form maintained, whether paper, electronic or otherwise, may contain Proprietary Information. Supplier covenants that all information, data, documents, files, medical and/or other records, and materials gathered, used by, or disclosed to the other party for the purpose of this Agreement or for any other purpose during the term of or related to this Agreement, will be regarded as Proprietary Information, and shall only be provided to or shared with the receiving party’s employees who have a need to know in order to perform functions pursuant to this Agreement, and will not be disclosed to or discussed with third parties at any time, including after the termination of this Agreement.
Proprietary Information may be disclosed by Supplier (i) when directed by PERMEDION to an affiliated party or entity; (ii) to any other person with PERMEDION’s written consent; or (iii) if required by law, as that concept is defined with respect to disclosure of Protected Health Information (“PHI”), as defined in federal regulations implementing the Privacy and Security Rules at 45 C.F.R. § 164.103. If disclosure is required by law, Supplier shall provide immediate verbal notice to PERMEDION and follow up within five (5) calendar days with written notification to PERMEDION. Supplier agrees to return or destroy the other Party’s Proprietary Information in its possession within ten (10) business days of termination or expiration of this Agreement. Notwithstanding the foregoing, the obligation to return or destroy such Proprietary Information does not extend to automatically generated computer back-up or archival copies generated in the ordinary course of the Supplier’s information systems procedures, provided that Supplier shall make no further use of such copies and shall extend the protections of this Agreement to such Proprietary Information for so long as that Party maintains such Proprietary Information.

12. Restrictive Covenant. During the term of this Agreement, Supplier will not, without the prior written consent of PERMEDION, directly compete with PERMEDION in the Recovery and Cost Containment Space. “Recovery and Cost Containment Space” means PERMEDION’s cost containment, pre- and post-payment program integrity services, fraud, waste and abuse detection services, billing, claims recovery, and insurance identification and verification services for commercial payers and government agencies, including but not limited to Medicaid, Medicaid managed care organizations, state child support agencies, and federal government health and human services agencies. Subject to the foregoing, this section does not prohibit Supplier from engaging in any line of business that Supplier is presently engaged in, specifically does not affect Supplier’s ability to contract with providers or payers of healthcare services, and does not and shall not restrict Supplier’s ability to provide to third parties the same or similar services which Supplier provides to PERMEDION hereunder. Penalties for breach of this section shall include all available remedies at law or equity, including but not limited to termination of this Agreement at PERMEDION’s sole discretion.

13. a. Work Product. Supplier agrees that all work product, inventions, discoveries, ideas, concepts, designs, specifications, reports, data, software, information systems, processes, standard operating procedure (“SOP”) documents in any form or format, methods, formulas and techniques, as well as improvements thereof or know-how related thereto (collectively “Work Product”), which are first discovered, developed, or created by Supplier in the performance of this Agreement shall be the sole property of PERMEDION. Supplier agrees that all such Work Product shall from inception be considered “works made for hire” and shall be the exclusive property of PERMEDION or its designee, and Supplier hereby expressly waives any right or interest it may have therein. In the event that any of the Work Product is not considered work made for hire, Supplier hereby assigns all rights in and title to that Work Product to PERMEDION, and Supplier agrees to provide, without additional compensation, such assistance as may reasonably be required by PERMEDION in obtaining patents and copyrights for such Work Product in any and all countries, and in enforcing any PERMEDION rights and interests relating to such Work Product or to any patents or copyrights resulting therefrom, including without limitation the execution by Supplier of all applications, assignments and other instruments as PERMEDION may request. Supplier’s pre-existing intellectual property shall remain the sole property of Supplier unless the pre-existing intellectual property was developed during a previous contract with PERMEDION; provided, however, that to the extent the Supplier incorporates such intellectual property into any materials delivered to PERMEDION or prepared related to the Services performed for PERMEDION, Supplier hereby grants to PERMEDION a royalty-free, non-exclusive license to use such intellectual property for the purposes of this Agreement and/or to allow PERMEDION to carry out the purposes of the contracts between PERMEDION and its clients.

b. No Restriction on Use or Disclosure. Supplier warrants and represents that all of the Work Product, findings and recommendations disclosed to PERMEDION during the course of this Agreement may lawfully be disclosed by Supplier and, except as otherwise required under HIPAA rules, are not subject to any patent, license agreement, confidentiality agreement, trade secret law or any other restriction on use by or disclosure to PERMEDION.

14. Indemnification. Supplier shall indemnify and hold PERMEDION, its officers, employees, and agents harmless from and against any and all claims, losses, liabilities or expenses (including without limitation attorneys’ fees) which may arise, in whole or in part, out of (i) bodily injury to any person (including injury resulting in death) or damage to property arising out of Supplier’s performance of this Agreement; (ii) any claim that any Deliverable or any other Work Product delivered under this Agreement, or use thereof by PERMEDION or Client, infringes any patent, copyright, trademark, trade secret or other proprietary right of any third party; (iii) the negligence or willful misconduct of Supplier, its employees, agents, or subcontractors; or (iv) a breach by the Supplier of its obligations under this Agreement.

15. Insurance. Supplier agrees to carry, for the term of this Agreement, the following insurance in the amounts indicated with insurance carriers that are licensed in the state(s) where the services will be performed and that have an A.M. Best rating of at least A-VII, a Standard & Poor’s rating of at least AA, or a Moody’s rating of at least Aa2:

a. Commercial General Liability with the following minimum coverage:

$2,000,000 General Aggregate Limit other than Products/Completed Operations

$2,000,000 Products/Completed Operations Aggregate Limit

$1,000,000 Personal & Advertising Injury Limit

$1,000,000 Each Occurrence Limit

$500,000 Fire Damage Limit (any one fire)

b. Cyber Liability insurance coverage (to include Network Security liability, privacy liability, and loss of data) with the following minimum coverage:

$20,000,000 Per claim and in the aggregate

c. If a motor vehicle is used to provide services or products, the Supplier must have vehicle liability insurance for bodily injury and property damage, as required by law, on any auto including owned, hired and non-owned vehicles used in Supplier’s business.

d. Workers’ disability compensation, disability benefit or other similar employee benefit act with minimum statutory limits or with minimum coverage of $1,000,000 per claim, whichever amount is greater. If coverage is provided by a state fund or if Supplier has qualified as a self-insurer, separate certification must be furnished to PERMEDION to verify that coverage is in the state fund or that Supplier has approval to be a self-insurer. Such citing of a policy of insurance must include a listing of the states where that policy’s coverage is applicable and must contain a provision or endorsement providing that the insurers’ rights of subrogation are waived. This provision shall not be applicable where prohibited or limited by the laws of the jurisdiction in which the work is to be performed.

e. Employers liability insurance with the following minimum coverage:
$100,000 each accident
$100,000 each employee by disease
$500,000 aggregate disease

f. Professional Liability Insurance (Errors and Omissions coverage) with the following minimum coverage:
$4,000,000.00 each occurrence
$4,000,000.00 annual aggregate

g. Excess liability insurance with the following minimum coverage: $1,000,000 per claim and in the aggregate

Each such insurance policy (except for workers’ compensation and employers liability) shall name PERMEDION as an additional insured. Supplier shall furnish certificates evidencing any and all such insurance within fifteen (15) days of executing this Agreement. No reduction in coverage or cancellation of policies shall be effected without first giving PERMEDION thirty (30) days written notice.

16. Compliance. Supplier represents that it is not presently suspended or debarred or proposed for suspension or debarment by any government agency. Supplier shall provide immediate notice to PERMEDION followed up by written notice within two (2) business days upon knowledge that it is proposed for debarment or suspension by any government agency. Supplier agrees to comply with all federal, state and local statutes, regulations, ordinances and rules as well as any PERMEDION corporate compliance policies and procedures relating, directly or indirectly, to Supplier's performance hereunder, including but not limited to all applicable laws pertaining to equal employment opportunity and procurement integrity as well as conflict of interest avoidance and mitigation. Supplier shall comply with all applicable provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII, and Division B, Title IV, of Pub. L. No. 111-5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)) and relevant implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and E (the “Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C (the “Security Rule”), and the final omnibus rule related to breach notification for unsecured protected health information at 45 C.F.R. Parts 160 and 164 (the “Breach Notification Rule”). Supplier shall have an appointed Chief Security Officer and conduct staff training on HIPAA compliance as directed by the Secretary of Health and Human Services. Supplier shall have an appointed Compliance and Privacy Officer directly involved in the oversight and operation of Supplier’s Compliance Program. All notice requirements shall comply with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary of Health and Human Services from time to time. Supplier shall comply with the provisions of 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth, to the extent the regulation is applicable to Supplier and this Agreement. Supplier agrees to execute and be bound by the terms and conditions imposed by the Business Associate Agreement attached as Exhibit 2 and incorporated herein as if fully set forth, and the Code of Conduct Attestation attached hereto as Exhibit 3 and incorporated herein as if fully set forth. Supplier agrees to abide by the PERMEDION Code of Conduct and any other PERMEDION policies as provided, as updated from time to time, for the duration of this Agreement. The most current version of the PERMEDION Code of Conduct is maintained on the PERMEDION internet site at all times. The PERMEDION electronic learning system contains the current training material for: Fraud, Waste, and Abuse; Code of Conduct; and General Compliance Training.


Supplier agrees to complete assigned trainings in the PERMEDION electronic learning system. All Supplier employees who perform services for PERMEDION shall, in addition to completing the PERMEDION compliance and security trainings, execute such agreements as requested by PERMEDION affirming their agreement to maintain the confidentiality of data and non-disclosure obligations. Supplier agrees to maintain monthly employee/agent training completion scores of > 95% completion, for the duration of this Agreement or any Statement of Work. If during any rolling twelve month period Supplier's training completion score is below 95% for any two (2) months, whether consecutive or non-consecutive, Supplier acknowledges that an automatic reduction of 2% to fees paid to Supplier for the applicable months' services will be imposed. The 2% reduction shall be assessed and remain in place until such time as the training completion scores once again meet or exceed the 95% requirement. Supplier’s failure to adhere to the provisions of this Paragraph, and Exhibits 2 and 3, shall be a material breach of this Agreement to be determined in PERMEDION’s sole discretion, and upon such breach, PERMEDION shall have the right to immediately terminate this Agreement. PERMEDION reserves the right to an on-site audit of the Supplier premises and to audit Supplier practices, procedures and protocols to ensure compliance with the foregoing and this Agreement. Supplier shall respond to PERMEDION requests for responses for PERMEDION Client attestations, PERMEDION Client audits, PERMEDION internal audits or any other audit within seven (7) business days unless a shorter time period is required by the PERMEDION Client or Prime Contract, or as necessary for PERMEDION’s urgent business needs. Supplier shall provide copies of any materials reasonably requested by PERMEDION.

Supplier agrees that it will (i) not directly or indirectly employ, or make use of, any children or forced labor; (ii) comply with the minimum employment age limit defined by national law or by International Labor Organization (“ILO”) Convention 138, whichever is higher; (iii) provide its personnel with adequate resources and facilities, including a workplace environment free from harassment consistent with United States law, to perform the work under this Agreement; (iv) maintain reasonable working hours and days off for its personnel based on industry norms; (v) pay fair and timely compensation to such personnel; (vi) exercise fair employment practices in accordance with United States laws; and (vii) comply, if applicable, with the enacted interim and Final Rule, laws, and regulations pursuant to FAR Case 2013-001; Federal Acquisition Regulation; Ending Trafficking in Persons, 78 Fed. Reg. 59317 (Sept. 26, 2013). The U.S. Government’s final anti-human trafficking rule amending the Federal Acquisition Regulation (FAR) provisions went into effect on March 2, 2015 (Federal Acquisition Regulation, “Ending Trafficking in Persons,” 80 Fed. Reg. 4967 (codified at 48 C.F.R. pts. 1, 2, 9, 12, 22, 42 and 52) (the “Final Rule”)).

17. Representations and Warranties.

a. By PERMEDION. PERMEDION represents and warrants to Supplier that it is a U.S. owned entity that has the authority to enter into this Agreement, and that the execution, delivery and performance by PERMEDION of this Agreement does not violate any law, license, permit, or other agreement to which it is a party or bound.

b. By Supplier. Supplier represents and warrants to PERMEDION that it is a [type of business entity], [100% owned by a U.S. domestic corporation], that has the authority to enter into this Agreement, and that the execution, delivery and performance by Supplier of this Agreement does not violate any law, license, permit, or other agreement to which it is a party or bound.

c. Supplier Services. Supplier represents and warrants to PERMEDION that all work performed by or on behalf of Supplier by its employees, contractors, agents, and/or affiliates, under this Agreement or statements of work, will be performed by personnel within the United States and under the direct control of a U.S. domestic corporation and will be subject to U.S. law and regulations related to the protection of medical and other sensitive information including, but not limited to, the terms of the Business Associate Agreement attached to this Agreement. Supplier further agrees that it (i) will assure all work performed under this Agreement that involves the use, receipt, or disclosure of PHI is performed by companies that are, and the employees of which are, subject to U.S. law, including, but not limited to HIPAA, and (ii) shall be performed in an environment and under circumstances that meet the standards of federal regulations at 45 C.F.R. Parts 160 and 164, with respect to the handling of PHI and implementation of physical, administrative, and technical safeguards to protect such PHI from unauthorized use or disclosure. Supplier will not, without the express, written permission of PERMEDION, utilize personnel of any other entity that is not its direct or indirect subsidiary to perform the services contemplated by this Agreement (i.e. excluding ordinary course vendors, such as telecom providers, and other vendors that do not obtain access to PHI in the ordinary course of business and that furnish services to Supplier that are generally supportive of Supplier’s business operations as a whole and are not limited to support of work performed for PERMEDION), and will execute an agreement substantially identical to the Business Associate Agreement attached hereto with any subsidiary company, employees of which are utilized to perform any such work.

18. Location of Services. Notwithstanding any other provision of this Agreement, if PERMEDION has provided written approval for Supplier to perform services outside of the United States, PERMEDION may immediately request that the location of services be moved to a location within the United States, where such services are the subject of any portion of an applicable Statement of Work, in the event that (i) a State or United States federal law, or a contractual provision by which PERMEDION is bound and/or which is insisted upon by a PERMEDION client as a condition of maintaining a contractual relationship with PERMEDION, renders it unlawful or contractually impermissible for PERMEDION to utilize off-shore resources of Supplier for performance of such services, and (ii) Supplier has been given the opportunity to transition and provide such services in the U.S. (i.e. using U.S. personnel and resources) at Supplier’s U.S. pre-existing pricing for such services (i.e. pricing previously agreed to by PERMEDION for such kind of work). Nothing in this Paragraph 18 shall be construed to prevent either party from terminating the affected portion of the applicable Statement of Work if Supplier is not able to comply with a request by PERMEDION to move services within the United States.

19. Dispute Resolution. In the event of a dispute arising under or in connection with this Agreement or any Statement of Work, the Parties agree that each Party’s respective project manager will work diligently and in good faith to promptly resolve the dispute. If the project managers fail to resolve any dispute within thirty (30) days after both Parties first became aware of the dispute, the dispute shall be elevated to the Senior Vice President or higher level of PERMEDION, at PERMEDION’s discretion, and the equivalent level of executive responsible for Supplier’s performance of this Agreement, and such individuals from both Parties will diligently attempt to resolve the dispute. If the dispute remains unresolved ten (10) business days after elevation of the dispute as provided in this section, the Parties may elect to continue efforts to resolve the dispute through further discussions, provided that either Party may at such time elect to pursue alternative dispute resolution, or to pursue any of its rights available under this Agreement, law, or equity.

20. Miscellaneous.

a. Survival. The obligations assumed by Supplier pursuant to Paragraphs 11 (Proprietary & Confidential Information), 12 (Restrictive Covenant), 13 (Work Product), 14 (Indemnification), 16 (Compliance), 20.b (Attorneys’ Fees), 20.d (Governing Law; Venue), 20.i (Records; Inspection), and 20.l (Publicity), and Exhibits 2 (Business Associate Agreement) and 3 (Code of Conduct Attestation) hereof shall survive the expiration or earlier termination of this Agreement.

b. Attorneys' Fees. In the event suit is brought to enforce or interpret any part of this Agreement, the prevailing Party shall be entitled to recover as an element of the costs of suit, and not as damages, reasonable attorneys' fees to be fixed by the Court.

c. Waiver, Modification and Amendment. No provision of this Agreement may be waived unless in writing, signed by all of the Parties hereto. Waiver of any one provision of this Agreement shall not be deemed to be a continuing waiver or a waiver of any other provision. This Agreement may be modified or amended only by a written agreement executed by all of the Parties hereto.

d. Governing Law; Venue. This Agreement shall be governed and construed in accordance with the laws of the State of Texas, without regard to conflict of law principles. The parties agree that the sole venue for legal actions related to this Agreement shall be the State and Federal courts for Dallas County, Texas.

e. Assignment; Subcontracting. Excluding the use of ordinary course vendors by Supplier (i.e. vendors, such as telecom providers, and other vendors that do not obtain access to PHI in the ordinary course of business and that furnish services to Supplier that are generally supportive of Supplier’s business operations as a whole and are not limited to support of work performed for PERMEDION), neither this Agreement nor any duties or obligations hereunder shall be assigned, transferred, or subcontracted by the Supplier without the prior written approval of PERMEDION. Supplier shall provide PERMEDION with copies of the proposed and final agreement with any proposed lower tier Supplier for review as part of the approval of that lower tier Supplier. Any approved lower tier Supplier must agree to all of the terms and conditions in this Agreement.

f. Employment Eligibility Verification. Within fifteen (15) days of executing this Agreement or of the commencement of services hereunder, whichever occurs sooner, Supplier will have enrolled in and verified the work eligibility status of all of its employees through the E-Verify program, including all employees who will perform work under this Agreement. Supplier shall not knowingly employ or contract with an unauthorized alien as that term is defined in 8 U.S.C. § 1324a. Supplier shall not retain an employee or contract with a person that the Supplier learns is an unauthorized alien.


g. Background Checks. Supplier shall conduct a background check on all employees who will perform work under this Agreement prior to their initial employment with Supplier or prior to assignment to perform services under this Agreement, and must check the Healthcare Sanctions and Global Sanctions, Prohibited Parties, and Enforcements lists prior to initial employment and monthly thereafter for the term of this Agreement. The manner and scope of the background check, as well as Supplier’s internal communication or other use of the results, is a matter within the sole discretion of Supplier, provided, however, that any such background check shall include, at a minimum, the following items for PERMEDION to review:

US Employees:

Healthcare Sanctions: A series of databases that satisfies the minimum requirement for sanctions screenings as set forth in several of the OIG Compliance Program Guidelines.
Prohibited Parties: Reveals known terrorists, Specially Designated Nationals, narcotics traffickers and other sanctioned persons.
Global Sanctions and Enforcements List: Identifies prohibited, restricted and sanctioned individuals, supporting compliance with the FDIC, FFIEC, USA PATRIOT Act and SOX.
National Sex Offender Database: Includes registered sex offender information in all 50 states, the District of Columbia, Puerto Rico and Guam.
Education: Any education information listed on the employment application, with a minimum of a high school diploma.
Employment Verification and References: The applicant's previous 2-3 employers.
Criminal Records: Except where prohibited by law, the past seven years, to include Federal, national, state and county records.
Civil Records: Except where prohibited by law, the past seven years, to include Federal, national, state and county records.
Drug Screening: A 9-panel urine or hair screen.
Credit Checks: When applicable, the applicant's credit history is reviewed.
Professional Licensing: The candidate’s claimed licenses are verified to determine if they are in good standing, including confirming their validity and revealing any disciplinary actions.

Once the background process is complete, the designated Supplier personnel will adjudicate the results based on the findings. Results including, but not limited to, misdemeanor criminal convictions, unverifiable education and employment verification, and inaccurate information listed on the employment application shall result in the individual Supplier employee being precluded from performing services for PERMEDION pursuant to this Agreement. Additionally, results such as felony criminal convictions or a failed drug screen will automatically disqualify a Supplier employee from performing services for PERMEDION pursuant to this Agreement. Supplier will attest in writing that all requirements of this section are met at the time Supplier proposes an employee to PERMEDION through the Supplier staffing list, or other similar mechanism as approved by PERMEDION.

h. Notices. All notices under this Agreement will be in writing and will be delivered by personal service, facsimile or certified mail, postage prepaid, or overnight courier to such address as may be designated from time to time by the relevant Party, which initially shall be the addresses set forth below:

If to PERMEDION:
Semone Neuman
Executive Vice President
5615 High Point Drive
Irving, TX 75038
Telephone Number: (214) 453-3000
E-mail address: [email protected]

With a copy to:
Health Management Systems, Inc.
Attn: Legal Dept.
5615 High Point Drive
Irving, Texas 75039

If to Supplier:
[NAME]
[TITLE]
[ADDRESS1]
[ADDRESS2]
Telephone Number: (XXX) XXX-XXXX
Facsimile Number: (XXX) XXX-XXXX
E-mail address: [email protected]

Any notice sent by certified mail will be deemed to have been given five (5) days after the date on which it is mailed. All other notices will be deemed given when received. No objection may be made to the manner of delivery of any notice actually received in writing by an authorized agent of a Party.

i. Records; Inspection. Supplier shall maintain books, records, and documents in accordance with accounting procedures and practices that sufficiently and properly reflect the services rendered and funds expended in connection with this Agreement. Within forty-eight (48) hours of PERMEDION’s notice to Supplier, all books, records, documents, or other materials associated with this Agreement shall be subject to reasonable inspection, review, or audit by PERMEDION and/or its client(s) and their designees, during Supplier’s usual business hours. Supplier shall retain all financial and other records pertaining to its work under this Agreement for six (6) years after the termination or expiration of this Agreement or the conclusion of any audit pertaining to this Agreement, whichever is later, except that such retention requirement


shall not apply to records containing protected health information or other confidential information that Supplier is obligated to destroy or return to PERMEDION or its client under the provisions of this Agreement or the Business Associate Agreement attached hereto. Supplier agrees to maintain accurate and complete records relating to the provision of Services under this Agreement. Supplier will maintain records relating to the provision of Services under this Agreement for a period of six (6) years from the creation of the applicable record, except to the extent that PERMEDION may require a longer or shorter retention period for specific categories of records. Only upon PERMEDION’s advance written direction may Supplier destroy any hard copy records, even if they have been successfully imaged by the Supplier. In the event that PERMEDION permits destruction of hard copy records, the records shall be destroyed by the Supplier under secure destruction practices and Supplier will provide a Certificate of Destruction.

j. Relationship Manager. Within ten (10) days after the execution of this Agreement, each Party shall designate in writing a Relationship Manager to serve as the other Party’s primary contact concerning the performance, obligations, and activities of the Parties under this Agreement, including receipt of any notices of dispute or escalation of any issues for prompt resolution under this Agreement, as necessary. Each Party shall be entitled to replace its Relationship Manager by providing written notice to the other Party. The Vendor Relationship Manager is responsible for providing a complete Supplier Vendor Staffing List, in a form to be approved by PERMEDION, to the PERMEDION Relationship Manager within fifteen (15) business days of the Effective Date of this Agreement; thereafter the list must be updated and submitted to the PERMEDION Relationship Manager within one (1) business day of any change.

k. Partial Invalidity. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, void or unenforceable, the remaining provisions shall nevertheless continue in full force without being impaired or invalidated in any manner.

l. Publicity. No news release, public announcement, advertisement, or any other form of publicity concerning this Agreement may be issued by Supplier, nor may Supplier communicate with any client of PERMEDION regarding PERMEDION and/or PERMEDION's performance pursuant to this Agreement, without the prior review and written approval by PERMEDION of such proposed publicity or communication.

m. Entire Agreement. This Agreement and its attached Exhibits contain the entire agreement and understanding of the parties with respect to the subject matter hereof, and supersede and replace any and all prior discussions, representations and understandings, whether oral or written, and shall be binding upon, and inure to the benefit of, the parties and their permitted successors and assigns.

IN WITNESS WHEREOF, the Parties have executed this Agreement through their duly authorized representatives.

Health Management Systems, Inc.

By:
[NAME] [TITLE] [ADDRESS1] [ADDRESS2] [PHONE]
Date:

Supplier

By:
[NAME] [TITLE] [ADDRESS1] [ADDRESS2] [PHONE]
Tax ID #: [XXXXXXX]
Date:


EXHIBIT 1 PLACEHOLDER FOR INITIAL SOW OR SOW TEMPLATE (MAY NEED TO CHANGE THE EXHIBIT NUMBERS IF NONE)


Exhibit 2

Business Associate Agreement

This BUSINESS ASSOCIATE AGREEMENT (“BAA” or “Agreement”), including Schedules A and B, attached hereto and incorporated herein, is entered into on this _______ day of ____________________ 20____ (“Effective Date”) between Health Management Systems, Inc., on behalf of itself and its subsidiaries and affiliates (hereinafter referred to as "PERMEDION"), and [Business Associate] (hereinafter referred to as “Business Associate”). (PERMEDION and Business Associate may each be referred to as a “Party,” and collectively, as the “Parties.”) PERMEDION and Business Associate are Parties to the underlying [Supplier Master Services Agreement] ("Underlying Agreement") into which this BAA is incorporated as Exhibit 2, which contains express and implied mutual promises and covenants that in some instances will require the use or disclosure of Protected Health Information (“PHI”) (defined below) pursuant to the terms of this Agreement.

In consideration of the Parties’ continuing obligations as set forth in the Underlying Agreement, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the following:

I. Background and Purpose

(a) PERMEDION and Business Associate have entered into the Underlying Agreement, pursuant to which Business Associate will furnish certain services to PERMEDION pursuant to one or more of PERMEDION's contracts with its clients.

(b) Business Associate, in the course of its work for PERMEDION, will frequently perform duties on behalf of PERMEDION that will require the use or disclosure of PHI.

(c) PERMEDION, as a business associate of its clients (which are Covered Entities, as defined below), has contractual obligations to its clients to protect the privacy and security of PHI received from such Covered Entities. PERMEDION is thus subject to and must comply with the provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII, and Division B, Title IV, of Pub. L. No. 111-5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)) and relevant implementing regulations, including the Privacy Rule (defined below), the Security Rule (defined below), and the Breach Notification Rule (defined below). PERMEDION is further contractually required to pass such statutory and regulatory obligations on to its subcontractors, agents, and vendors, including entities such as Business Associate.

(d) ___________ constitutes a Business Associate of PERMEDION (as such term is defined in the Code of Federal Regulations (“Regulations" or "C.F.R."), see 45 C.F.R. § 160.103) and wishes to commence and/or continue its business relationship with PERMEDION.

(e) The Parties mutually intend that this Agreement between them will assure compliance with PERMEDION’s Business Associate Agreements with its clients, as well as with applicable provisions of law and regulation pertaining to the responsibilities of Business Associates of Covered Entities and the obligations that are properly imposed upon and undertaken by “downstream” subcontractors, vendors, or agents of such Business Associates.

(f) This Agreement replaces any existing Agreement or other terms and conditions entered into or agreed upon by the parties governing their respective rights and obligations under HIPAA, as amended, and/or its implementing rules and regulations.

II. Definitions

Terms used, but not otherwise defined, in this Agreement shall, as applicable, have the same meaning as the definitions for such terms in the federal regulations implementing HIPAA, as amended by HITECH provisions of ARRA, which is published in the C.F.R. at Title 45, Parts 160 and 164, as amended from time to time.

(a) “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.

(b) “Breach Notification Rule” shall mean the final omnibus rule related to breach notification for unsecured protected health information at 45 C.F.R. Parts 160 and 164.

(c) “Business Associate” shall have the meaning given to such term in 45 C.F.R. § 160.103.

(d) “Covered Entity” shall have the meaning given to such term in 45 C.F.R. § 160.103.

(e) “Designated Record Set” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.501.

(f) “Discovery” shall mean the first day on which an event is known to Business Associate (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of Business Associate), or should reasonably have been known to Business Associate, to have occurred.

(g) "Electronic Health Record" shall have the meaning given to such term in Section 13400 of the HITECH Act (42 U.S.C. § 17921).

(h) "Electronic Protected Health Information" or "EPHI" shall have the same meaning given to such term under the Security Rule at 45 C.F.R. § 160.103, including, but not limited to protected health information in electronic form that is created, received, maintained, or transmitted by the health care component of a Covered Entity.

(i) “HIPAA” or “Health Insurance Portability and Accountability Act of 1996” are those provisions set forth in Public Law 104-191 and its implementing rules and regulations.


(j) “HITECH Act” or “HITECH” or “Health Information Technology for Economic and Clinical Health Act” are those provisions set forth in Title XIII of the ARRA of 2009, Public Law 111-5 as enacted on February 17, 2009 and its implementing regulations.

(k) “Individual” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

(l) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

(m)“Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of PERMEDION, which PERMEDION received from a Covered Entity.

(n) “Required by Law” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.103.

(o) “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.

(p) “Security Breach” shall have the same meaning given to the term “breach of security” in Section 13407 of HITECH provisions of ARRA (42 U.S.C. § 17937).

(q) “Security Breach Compliance Date” means the date that is thirty (30) days after the Secretary published interim final regulations to carry out the provisions of Section 13402 of Subtitle D (Privacy) of ARRA, which date is September 24, 2009.

(r) “Security Incident” shall have the meaning given to such phrase under the Security Rule at 45 C.F.R. § 164.304.

(s) “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

(t) “Subcontractor” shall have the meaning given to such term in 45 C.F.R. § 160.103.

(u) “Unsecured Protected Health Information” shall have the meaning given to such phrase under the Breach Notification Rule at 45 C.F.R. § 164.402.

(v) Other terms used, but not otherwise defined, in this Agreement shall have the same meaning as the definitions for such terms in the federal regulations implementing HIPAA, as amended by HITECH provisions of ARRA (which is published in the C.F.R. at Title 45, Parts 160 and 164), and/or the Privacy, Security, Enforcement & Breach Notification Final Omnibus Rule, as such rules and provisions are amended from time to time (collectively, the “HIPAA Rules”).

III. Obligations and Activities of Business Associate

(a) Business Associate agrees not to use or disclose Protected Health Information other than as permitted by this BAA or as required by law. Business Associate acknowledges that, as of the Effective Date of this Agreement, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. § 1320d-5 and § 1320d-6 (as amended from time to time), for failure to comply with any of the use and disclosure requirements of this Agreement and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.

(b) Business Associate agrees that beginning on the Effective Date of this Agreement or the Security Breach Compliance Date, it will report to PERMEDION any Security Incidents required by HIPAA or HITECH, Security Breach of Unsecured PHI, or any use or disclosure of PHI not provided for by this Agreement without unreasonable delay, and in no case later than (1) one (1) business day after the Discovery of a Breach, or, (2) the time period required in any applicable underlying PERMEDION client contract(s). Such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate, to have been, accessed, acquired, or disclosed during such Breach. In addition, Business Associate shall provide any additional information reasonably requested by PERMEDION for purposes of investigating the Breach. Business Associate’s notification of a Breach under this Section III(b) shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, 45 C.F.R. § 164.410, and any related guidance issued by the Secretary from time to time.

(c) Business Associate agrees that in accordance with 45 C.F.R. § 164.314(a)(2), it will comply with the applicable requirements of Part 164, Subpart C, including but not limited to (1) ensuring that any Subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of Business Associate agree to comply with the applicable requirements of Part 164, Subpart C by entering into a contract or other arrangement that complies with the HIPAA Rules, and (2) reporting to PERMEDION any Security Incident of which it becomes aware, including breaches of unsecured protected health information as required by 45 C.F.R. § 164.410.

(d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect of any use or disclosure that is known to Business Associate to have occurred in violation of the terms of this BAA, including but not limited to compliance with all mitigation factors and other provisions listed at 45 C.F.R. § 160.408.

(e) Business Associate agrees to ensure that any of its agents or subcontractors to whom Business Associate provides Protected Health Information received from, or created or received by Business Associate on behalf of PERMEDION, agree to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI, and agree to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits. With respect to Electronic Protected Health Information, Business Associate shall implement and comply with (and ensure that its subcontractors and agents implement and comply with) the security standards set forth at 45 C.F.R. § 164.306, administrative safeguards set forth at 45 C.F.R. § 164.308, the physical safeguards set forth at 45 C.F.R. § 164.310, the technical safeguards set forth at 45 C.F.R. § 164.312, and the policies and procedures set forth at 45 C.F.R. § 164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of PERMEDION. Business Associate acknowledges that, as of the Effective Date of this Agreement, (i) the foregoing safeguard, policies and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to PERMEDION, and (ii) Business Associate may be liable under the civil and criminal enforcement provisions set forth in 42 U.S.C. § 1320d-5 and § 1320d-6, as amended from time to time, for failure to comply with the safeguard, policies and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements.

(f) Business Associate agrees that it shall keep such records and submit such compliance reports, in such manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether PERMEDION or Business Associate has complied or is complying with the applicable administrative simplification provisions, in accordance with 45 C.F.R. § 160.310(a).

(g) Business Associate agrees that it shall cooperate with PERMEDION and the Secretary in the event that the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of PERMEDION or Business Associate to determine whether PERMEDION or Business Associate is complying with the applicable administrative simplification provisions, in accordance with 45 C.F.R. § 160.310(b).

(h) Business Associate agrees that it shall:

(1) In accordance with 45 C.F.R. § 160.310(c)(1), permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, Business Associate must permit access by the Secretary at any time and without notice.

(2) In accordance with 45 C.F.R. § 160.310(c)(2), if any information required of Business Associate under 45 C.F.R. § 160.310(c) is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, Business Associate must so certify and set forth all efforts it has made to obtain the information.

(i) Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of PERMEDION, available to PERMEDION and/or to the Secretary of the United States Department of Health and Human Services, within ten (10) business days of receiving such request, or at such other time as may be designated by the Secretary, for purposes of the Secretary determining PERMEDION's and/or Business Associate’s compliance with the Rule and the HITECH provisions of ARRA and related guidance as issued by the Secretary from time to time.

(j) Business Associate agrees that in accordance with 45 C.F.R. § 164.502(a)(4), it shall disclose protected health information (1) when required by the Secretary under Part 160, Subpart C to investigate or determine the Business Associate’s compliance with the HIPAA Rules, or (2) to PERMEDION, an Individual (or Individual’s designee), as necessary to satisfy PERMEDION’s obligations under 45 C.F.R. § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for an electronic copy of PHI.

(k) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for PERMEDION to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and the HITECH provisions of ARRA and related guidance as issued by the Secretary from time to time.

(l) Business Associate agrees to provide to PERMEDION or the Individual to whom PHI relates, upon request and within ten (10) business days of receiving such request, information collected in accordance with Section III(k) of this BAA and sufficient to constitute or permit PERMEDION to provide, a response to a request by the Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. In addition, with respect to information contained in an Electronic Health Record, Business Associate shall document, and maintain such documentation for three (3) years from date of disclosure, such disclosures as would be required for PERMEDION to respond to a request by an Individual for an accounting of disclosures of information contained in an Electronic Health Record, as required by Section 13405(c) of Subtitle D (Privacy) of ARRA (42 U.S.C. § 17935), and related regulations issued by the Secretary from time to time.

(m) Business Associate agrees to provide access to PERMEDION or an Individual, as requested by or directed by PERMEDION, respectively, to Health Information in a Designated Record Set within ten (10) business days of such request, to meet the requirements under 45 C.F.R. §164.524 and Section 13405(e) of Subtitle D (Privacy) of ARRA (42 U.S.C. § 17935(e)), and related guidance issued by the Secretary from time to time.


(n) Business Associate agrees to promptly make any amendment(s) to Protected Health Information in a Designated Record Set that PERMEDION directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of PERMEDION or an Individual to whom the PHI pertains.

(o) Business Associate agrees, in accordance with 45 C.F.R. § 164.502(a)(5)(ii), that it shall not sell any PHI received from PERMEDION, except pursuant to written authorization and consent provided by PERMEDION to Business Associate that complies with the requirements of 45 C.F.R. § 164.508(a)(4).

(p) Business Associate agrees, in accordance with 45 C.F.R. § 160.316, that it shall not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for (1) filing a complaint under 45 C.F.R. § 160.306, (2) testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part, or (3) opposing any act or practice made unlawful by the HIPAA Rules, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of Part 164, Subpart E.

IV. Permitted Uses and Disclosures by Business Associate

(a) Business Associate may use and/or disclose Protected Health Information provided or made available from PERMEDION only (1) to complete any and all services agreed to pursuant to the Underlying Agreement between the parties (and any corresponding Statement(s) of Work, as applicable), or (2) to perform functions, activities, or services for, or on behalf of PERMEDION as specified in the Underlying Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by PERMEDION, violate the terms of this Agreement, or violate the policies or procedures of PERMEDION.


(b) Except as otherwise limited in this BAA, Business Associate acknowledges that it shall request from PERMEDION and disclose to its affiliates, agents and subcontractors or other third parties, only (i) the information contained in a “Limited Data Set,” as such term is defined at 45 C.F.R. § 164.514(e)(2), or, (ii) if needed by Business Associate, the minimum necessary PHI to accomplish the intended purpose of such requests or disclosures. In all cases, Business Associate shall request and disclose Protected Health Information only in a manner that is consistent with this Agreement, all relevant HIPAA Rules, and guidance issued by the Secretary from time to time.

(c) Except as otherwise limited in this BAA, Business Associate may disclose Protected Health Information for the management, prosecution, or defense of any legal proceeding which involves Business Associate (including but not limited to the disclosure of such PHI and/or ePHI to any law firm or expert that may be retained by or otherwise represent or assist Business Associate in any such lawsuit). Business Associate shall notify PERMEDION prior to such disclosure, and shall obtain reasonable assurances from the person or entity to whom the information is disclosed that (i) it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and (ii) the person or entity shall notify the Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.

(d) Except as otherwise limited in this BAA or the Underlying Agreement, Business Associate may, in accordance with 45 C.F.R. § 164.502(e)(1)(ii), disclose Protected Health Information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit Protected Health Information on its behalf, only if Business Associate obtains satisfactory assurances, through a business associate agreement that satisfies 45 C.F.R. § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.

(1) In accordance with 45 C.F.R. § 164.504(e)(1)(iii), in the event that Business Associate learns or knows of a pattern of activity or practice of a subcontractor that presently constitutes or previously constituted a material breach of the subcontractor’s obligation under the business associate agreement providing for the disclosure of PHI, Business Associate shall (A) promptly notify PERMEDION of such activity or practice, and (B) take prompt, reasonable steps to cure the breach or end the violation, as follows:

A. Provide an opportunity for subcontractor to cure the breach or end the violation within ten (10) days of receiving notice of the breach and/or violation. If such action does not successfully bring about cure of the breach or an end to the violation within the time specified by the Parties, Business Associate may terminate the BAA and the Underlying Agreement under which the subcontractor has access to, uses or discloses PHI on behalf of Business Associate and/or PERMEDION; or

B. Immediately terminate the BAA and the Underlying Agreement under which the subcontractor has access to, uses or discloses PHI on behalf of Business Associate and/or PERMEDION, if cure of the breach or causing the violation to end is not possible; or

C. If neither termination nor cure is feasible, Business Associate, under direction from PERMEDION, shall report the violation to the Secretary, as required by the HIPAA Rules, or other applicable laws, rules, or regulations.

(e) Except as otherwise limited in this BAA or the Underlying Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services relating to the health care operations of PERMEDION as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

(f) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

V. Obligations of PERMEDION

(a) PERMEDION shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

(b) PERMEDION shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that PERMEDION has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

(c) Permissible Requests by PERMEDION. PERMEDION shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by PERMEDION, except that this restriction is not intended, and shall not be construed, to limit Business Associate's capacity to use or disclose Protected Health Information for the proper management and administration of the Business Associate or to provide Data Aggregation services to Client, as provided for and expressly permitted under Section IV.(b), (d), and (e) of this BAA.

VI. Term and Termination

(a) Term. The Term of this BAA shall be effective on the Effective Date provided herein, and shall terminate when the contractual or other relationship between PERMEDION and Business Associate that involves or requires the receipt, creation, use, and/or disclosure of PHI by or to the Business Associate is terminated or ceases to exist, whichever is earlier.

(b) Termination for Cause. Upon PERMEDION obtaining knowledge of or reason to believe that a pattern of activity or practice by Business Associate that constitutes a material breach or violation of Business Associate’s obligations under this BAA, PERMEDION shall:

(1) Provide an opportunity for Business Associate to cure the breach or end the violation within ten (10) days of receiving notice of the breach and/or violation. If such action does not successfully bring about cure of the breach or an end to the violation within the time specified by the Parties, PERMEDION may terminate this BAA and the Underlying Agreement under which the Business Associate has access to, uses or discloses PHI on behalf of PERMEDION; or

(2) Immediately terminate this BAA and the Underlying Agreement under which the Business Associate has access to, uses or discloses PHI on behalf of PERMEDION, if cure of the breach or causing the violation to end is not possible; or

(3) If neither termination nor cure is feasible, PERMEDION shall report the violation to the Secretary, as required by the HIPAA Rules, or other applicable laws, rules, or regulations.

(c) Obligations of Business Associate Upon Termination

(1) Except as provided in paragraph (2) of this subsection, upon termination of this BAA for any reason, Business Associate shall return to PERMEDION or destroy all Protected Health Information received from PERMEDION, or created, maintained, or received by Business Associate on behalf of PERMEDION. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

(2) In the event that return or destruction of any Protected Health Information is not feasible, Business Associate shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

VII. State Law

If state law applicable to the relationship between Business Associate and PERMEDION contains additional or more stringent requirements than federal law for Business Associates regarding any aspect of privacy or security, then Business Associate agrees to comply with the additional or more stringent standard contained in applicable state law.

VIII. Miscellaneous

(a) Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as is presently in effect or amended.

(b) Amendment. This BAA may only be modified through a writing signed by the Parties and, thus, no oral modification hereof shall be permitted. PERMEDION and Business Associate agree to take such action as is necessary to amend this BAA from time to time as is necessary for PERMEDION to comply with the requirements of HIPAA or the Privacy, Security or Breach Notification Rules.

(c) Indemnification. Business Associate agrees to defend, indemnify and hold PERMEDION harmless from and against any and all penalties, claims, losses, liabilities or expenses (including without limitation attorneys' fees) which may arise, in whole or in part, out of a breach or violation by the Business Associate of its obligations under this BAA, the HIPAA Rules, or applicable law, rules, or regulations.

(d) Survival. The respective rights and obligations of Business Associate pursuant to this Agreement shall survive the termination of this Agreement.

(e) Interpretation. Any ambiguity in this Agreement shall be resolved to permit PERMEDION to comply with the HIPAA Rules.

(f) Notice.

a. To PERMEDION. Any notice or reporting required under this BAA to be given to PERMEDION shall be made in writing to:

David Alexander
Chief Compliance Officer
5615 High Point Drive
Irving, Texas 75038
972-894-8841
[email protected]

b. To Business Associate. Any notice or reporting required under this BAA to be given to Business Associate shall be made in writing to:

Name:
Title:
Address1:
Address2:
Phone:
Email:
Fax:

* * * * * *

IN WITNESS WHEREOF, PERMEDION and Business Associate have caused this Business Associate Agreement to be executed by duly authorized officers.

Health Management Systems, Inc.

Business Associate

By

[NAME]
[TITLE]
[ADDRESS1]
[ADDRESS2]
[PHONE]

Date:

By

Name:
Title:
Address1:
Address2:
Phone:

Date:


Schedule “A” to Business Associate Agreement Massachusetts Standards for the Protection of Personal Information

Pursuant to this Schedule A, PERMEDION incorporates and Business Associate agrees to abide by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00.

In addition to the requirements set forth in the Schedule A, Business Associate further agrees to: (i) Implement and maintain appropriate technical security measures for personal information as required by 201 CMR 17.00; including, but not limited: (a) Encrypting all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly; and (b) Prohibiting the transfer of personal information to any portable device unless such transfer has been approved in advance by PERMEDION; provided further that any such personal information to be transferred to a portable device must be encrypted; and (ii) Implement and maintain a Written Information Security program as required by 201 CMR 17.00.

The Business Associate Agreement, as amended by this Schedule A, shall apply equally to PHI, ePHI and “Personal information.” "Personal information" means a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.


Schedule “B” to Business Associate Agreement

Business Continuity, Disaster Recovery and Security Requirements

Business Continuity and Disaster Recovery Definitions:

1. Business Continuity Plan means the plan for emergency response, backup operations, and post-disaster recovery steps that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

2. Disaster Recovery Plan means the plan that defines the resources, actions, tasks and data required to manage the business recovery process in the event of a business interruption. This plan is designed to assist in restoring the business process within the stated disaster recovery goals.

3. Data Center means the central computing facility that houses the business systems for an organization including network, server, storage and security systems necessary for operating the business.

Requirements:

1. A documented Business Continuity Plan for business functions must be created, updated annually, maintained, and tested on an annual basis. The Business Continuity Plan shall be submitted to PERMEDION within thirty (30) days of execution of this Agreement and annually thereafter for review and approval.

2. The Business Continuity Plan must be stored off-site in a secure location.

3. The Business Continuity Plan must contain notification procedures to alert PERMEDION of service disruptions including off-hour and weekend coverage.

4. PERMEDION must be allowed access to the annual test results in order to remain current on any deficiencies discovered in the Business Continuity Plan that would adversely affect PERMEDION.

5. A documented Disaster Recovery Plan for information technology must be created, updated annually, maintained and tested on an annual basis.

6. The Disaster Recovery Plan must be stored off-site in a secure location.

7. The Disaster Recovery Plan must have notification procedures to alert PERMEDION of service disruptions including off-hour and weekend coverage.

8. The Data Center must maintain a back-up site(s).

9. Information must be backed-up on a regular basis.


10. Backed-up information must be stored encrypted.

11. Backed-up information must be stored in a secure off-site facility.

12. Contracts for outsourced services must include Disaster Recovery and Business Continuity requirements consistent with this Schedule B.

13. PERMEDION must be allowed access to the annual test results in order to remain current on any deficiencies discovered in the Disaster Recovery Plan that would or could adversely affect PERMEDION.

Information Security

1. A documented information security function and/or program supported by executive management must exist.

2. An information security officer must be assigned.

3. The information security function/program must establish security policies and standards that are enforced through automated systems and administrative procedures that are maintained and updated as needed.

4. A documented process must exist to report security issues affecting PERMEDION to PERMEDION’s Chief Security Officer.

5. An on-going and documented security awareness program must be established and communicated to all users to make them aware of the confidentiality of information, the company’s security policies, standards, and good security practices.

6. A documented security incident response plan must exist to ensure incidents are tracked, monitored, and investigated until closure is achieved.

Personnel Security

1. Employees, temporary personnel and other users are required to have a national criminal background check, a local background check and a financial background check.

2. Employees, temporary personnel and other users are required to sign confidentiality and non-disclosure agreements.

3. Disciplinary measures for violations must be included in the Information Security and Privacy Program.

Privacy

1. A documented privacy function and/or program supported by executive management must exist.


2. The privacy function/program must establish confidentiality policies which are maintained and updated as needed.

3. A privacy officer must be assigned.

4. A documented process must exist to report privacy issues affecting PERMEDION PHI and ePHI to PERMEDION’s Privacy Officer.

5. An on-going and documented privacy awareness program must be established for all users, including agents and subcontractors, to make them aware of company information and protecting its confidentiality.

6. Privacy awareness information must be distributed to all users on a periodic basis.

7. Mandatory privacy training must be documented and validated for all users on a periodic basis.

8. A documented privacy incident response plan must exist to ensure that incidents are tracked, monitored, investigated and reported internally and to PERMEDION until remediation and closure is achieved.

Regulations, Law & Contracts

1. The Business Associate must remain in compliance with HIPAA and state privacy and security regulations.

2. Business Associate must have a documented process to evaluate the privacy and security controls for its agents, subcontractors and outsourced services prior to entering into any such approved subcontracts. Any such subcontracts shall contain privacy and security requirements and protections as set forth in the Security Addendum.

3. A documented information classification scheme must be utilized to ensure proper protection, use and destruction.

4. A documented policy and process must exist with regard to the removal or destruction of Confidential Information, including PHI and ePHI. When appropriate, confidential information, including PHI and ePHI, must be deleted or destroyed using a NIST-approved process when no longer needed.

5. The removal or destruction process must meet Department of Defense requirements when PERMEDION information is accessed, used, disclosed or handled by Business Associate or its agents and subcontractors.

6. Confidential information, including PHI and ePHI, must be maintained at all times in systems located within the United States.

Access Control Systems & Administration

1. Access to Confidential Information, including PHI and ePHI, must be restricted to individuals that have a business need and access control mechanisms must be implemented that limit access to confidential information.

2. Security administration procedures must include procedures for access requests for a new user, changing access, prompt deletion of users involving terminations, user transfers and periodic verification of users and access rights.

3. All user access requests must be documented with management approval including privileged users.

4. User access must be defined by job roles to ensure segregation of duties.

5. User access must be logged and tracked to an individual for accountability.

6. User IDs must be locked after 3 consecutive unsuccessful login attempts.

7. User IDs must be disabled after 90 days or less of inactivity.

8. All default supplied user IDs must be disabled, renamed, or deleted wherever possible.

9. System IDs must be documented describing their functions and risks.

10. System IDs must be required to have passwords and documented risk analysis if password change frequency is not enforced.

11. System ID passwords must be stored securely.

12. System IDs are not allowed to be scripted into the application.

13. System IDs must not be able to be accessed by an individual user for interactive use.

14. All vendor-supplied default passwords must be changed.

15. Passwords must be issued to users in a secure manner and be changed at first login.

16. Passwords cannot be displayed on screens and on reports.

17. All users must be issued a unique user name for accessing PERMEDION PHI or PI.

Username must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password, at maximum within 24 hours. Passwords are not to be shared. Passwords must be at least eight characters and must be a non-dictionary word. Passwords must not be stored in readable format on the computer. Passwords must be changed every 60 days and privileged accounts must be changed every 30 days. Passwords must be changed if revealed or compromised. Passwords must be composed of characters from at least three of the following four groups from the standard keyboard:

Upper case letters (A-Z)
Lower case letters (a-z)
Arabic numerals (0-9)
Non-alphanumeric characters (punctuation symbols)

18. Passwords must be encrypted in transmission and storage.
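As an added example (not part of the RFP or of HMS/PERMEDION's own tooling), the following Python checks a candidate password against the composition rules in item 17 and an account record against the lockout, inactivity and password-age thresholds in items 6, 7 and 17; the word list and the account records are constructed samples.

```python
import re
import string
from dataclasses import dataclass
from datetime import date

# Thresholds from items 6, 7 and 17 above; the word list is a constructed stand-in.
MIN_LENGTH, MIN_CHAR_GROUPS = 8, 3
MAX_FAILED_LOGINS, INACTIVITY_DAYS = 3, 90
MAX_PASSWORD_AGE = {"user": 60, "privileged": 30}
DICTIONARY = {"password", "welcome", "summer", "hospital", "permedion"}
CHAR_GROUPS = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)

def char_group_count(pw: str) -> int:
    """How many of the four keyboard groups appear in pw."""
    return sum(any(c in group for c in pw) for group in CHAR_GROUPS)

def is_dictionary_word(pw: str) -> bool:
    # Strip digits/punctuation so "Summer2017!" is still caught as "summer".
    return re.sub(r"[^a-z]", "", pw.lower()) in DICTIONARY

def password_violations(pw: str) -> list:
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if char_group_count(pw) < MIN_CHAR_GROUPS:
        problems.append("fewer than 3 of 4 character groups")
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    return problems

@dataclass
class Account:
    user_id: str
    privileged: bool
    failed_logins: int   # consecutive unsuccessful login attempts
    last_login: date
    password_set: date

def account_violations(acct: Account, today: date) -> list:
    """Why the ID must be locked, disabled, or have its password rotated."""
    problems = []
    if acct.failed_logins >= MAX_FAILED_LOGINS:
        problems.append("lock: 3 or more consecutive failed logins")
    if (today - acct.last_login).days > INACTIVITY_DAYS:
        problems.append("disable: inactive for more than 90 days")
    max_age = MAX_PASSWORD_AGE["privileged" if acct.privileged else "user"]
    if (today - acct.password_set).days > max_age:
        problems.append(f"rotate: password older than {max_age} days")
    return problems
```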

19. All production systems and application resources must be changed through an enforced and documented change management process which includes appropriate reviews, testing and management approvals.

20. There must exist a segregation of duties between change management, developer and infrastructure staff.

21. Developers must not be able to update production resources without proper change management procedures for production updates/fixes.

22. Production, test and development environments must be physically and/or logically separated.

23. Production information must not be used in development and test environments.

24. Production code and systems must not be allowed undocumented changes or updates.

25. There must be application security controls to ensure external users can access only information for which they have an authorized business need.

Cryptography

1. Confidential information, including PHI and ePHI, must be encrypted during storage on handhelds, laptops, and removable media with FIPS 140-2 compliant encryption protocols.

2. Confidential information, including PHI and ePHI, must be encrypted during transmission over public or untrusted networks, including email transmissions, with FIPS 140-2 compliant encryption protocols.

3. Business to business communications with confidential information, including PHI and ePHI, must be encrypted.

Operations and Network Security

1. A documented patch management process must exist and be enforced.

2. Documented network diagrams must exist.

3. Documented remote access policies must exist and be enforced.

4. A three-tiered architecture must be deployed to isolate web applications from production information in the “internal” network.

5. Firewalls must be implemented and configured to deny all except authorized documented business services.

6. Intrusion detection systems must be implemented for critical components of the network.

7. Third party penetration tests must be conducted from outside and within the network. Penetration test must occur at least annually, and must be performed by a national independent third party. Results must be provided to PERMEDION Security.

8. New server deployment procedures must ensure implementation of security configuration settings.

9. Documented processes must exist to periodically verify security configuration settings.

10. A documented problem management system must exist.

11. Workstations that access confidential information must automatically blank the screen and suspend the session or log-off after a fifteen (15) minute period of inactivity.

12. Audit logs must be implemented on all systems storing or processing critical or confidential information.

13. All significant computer security relevant events must be securely logged.

14. Audit logs must be retained for a minimum of 12 months.

15. Audit logs must be protected from unauthorized access and resistant to attacks including deactivation, modification or deletion.

16. Audit logs must be reviewed in a timely manner.

Physical Security

17. A documented physical security function and/or program must exist.

18. The physical security function/program must establish physical security policies and be enforced through automated systems and administrative procedures.

19. Any known HIGH risk physical security vulnerabilities affecting PERMEDION must be communicated to PERMEDION’s Chief Security Officer.

20. Employees must be required to wear identification badges at all times in sensitive facilities.

21. Facility access logs must be retained for at least twelve (12) months and be reviewed as needed.

22. Visitors must be required to be identified, sign in, wear temporary visitor badges and be escorted in facilities containing PERMEDION data.

23. An auditable and documented inventory of physical information technology assets must exist in case of loss or theft.

24. Confidential information, including PHI and ePHI, stored on removable media must be secured with restricted access to those with a business need.

25. Data center access to sensitive areas, such as a computer room, must require two levels of authentication.

26. The data center facility must be equipped and maintained with fire detection/suppression, surge and brown-out, air conditioning, and other computing environment protection systems necessary to assure continued service for critical computer systems.

27. Data center and other sensitive facilities access must be periodically reviewed to ensure that access is still valid.

28. All servers storing or processing confidential information must be located in a secure data center or equivalent secure facility.

Risk Assessments

1. To comply with HIPAA requirements, PERMEDION reserves the right to perform annual security risk assessments against Subcontractor in-scope environments that support PERMEDION business functions.

2. For findings noted during a risk assessment, 'Critical' findings must be remediated within 30 days, 'High' findings within 60 days, 'Medium' findings within 90 days, and 'Low' findings within 120 days.

3. Failure to remediate within the allotted time period may constitute a breach of a material term of this Agreement, for which PERMEDION may terminate the Agreement and/or any SOWs, in whole or in part, pursuant to Section 5.

Changes

PERMEDION may change the above business continuity, disaster recovery, and security requirements by providing new requirements in writing to Supplier/Business Associate. Supplier/Business Associate shall comply with such new security requirements within thirty (30) days after receipt of notice. In the event Supplier/Business Associate's compliance with the new requirements materially increases Supplier/Business Associate’s cost to provide services under one or more of the PERMEDION – Supplier Contracts, Supplier/Business Associate shall notify PERMEDION of the amount Supplier/Business Associate believes is necessary to reimburse Supplier/Business Associate for its actual and reasonable additional costs. If PERMEDION elects not to reimburse Supplier/Business Associate for such costs, then PERMEDION may terminate this Agreement and/or any or all of the PERMEDION – Supplier Contracts, in whole or in part, by sending written notice to Supplier/Business Associate indicating which PERMEDION – Supplier Contract is being terminated and the effective date of termination. Such termination shall be without charge to PERMEDION, except that PERMEDION shall pay for all services under such terminated contract(s) that were properly rendered until the effective date of termination.

Exhibit 3 -- HMS Holdings Corp.

Code of Conduct Attestation

The HMS Code of Conduct is applicable to HMS Holdings Corp. and all of its subsidiaries (collectively “HMS” or the “Company”), employees, officers, directors, contractors, contingent workers and business affiliates. I understand, as a member of one or more of the above groups, that it is my obligation to comply with the law, this Code, and all applicable Company policies and contractual obligations. By signing this form or clicking on the attestation button, I attest that I have read, understand, and will abide by the HMS Holdings Corp. Code of Conduct.

I accept I have an affirmative duty to report all suspected illegal or unethical conduct, including violations of law, this Code, Company policies and contractual obligations. I am aware of my anonymous reporting option through the Compliance Hotline at 1-800-640-3416 or hms.com/hotline. I understand the Company maintains a strict non-retaliation policy for good-faith reporting of actual or potential illegal or unethical conduct in violation of the Code.

I will carry out my personal responsibilities for the Company in accordance with this Code, the applicable laws and regulations and the Company’s policies and contracts.

I attest that I am not aware at this time of any violation of the Company’s Code of Conduct or of law which I have not previously reported. I affirm I have met my personal obligations regarding accurate and timely reporting of (but not limited to) potential or actual personal conflicts of interest, professional credential changes, exclusions, political campaign contributions and/or Company stock activity as mandated in the Code and applicable to me.

I CERTIFY THAT I AM IN COMPLIANCE WITH ALL HMS POLICIES AND PROCEDURES, INCLUDING THOSE THAT REQUIRE ME TO REPORT ANY SUSPECTED OR ACTUAL NON-COMPLIANCE.

Name Date

Signature


EXHIBIT 4

HMS/PERMEDION (“HMS”) Procure to Pay Policy and Terms

HMS requires Suppliers to facilitate invoicing and payment through the Ariba, Inc. Ariba Network (“Ariba”) and may require purchase and sale transactions under the Agreement by electronically transmitting and receiving data through Ariba. The following are requirements of facilitating such transactions:

1. HMS and Supplier will electronically transmit and/or receive invoices and payment through Ariba and may also electronically transmit and/or receive other purchase and sale information and related contract and other documents (collectively, “Documents”) to and from the other Party through Ariba.

2. Ariba Agreement - Supplier agrees to enter into an Ariba agreement with Ariba, Inc., at Supplier’s sole expense, in order to transmit and receive Documents to and from HMS. Ariba pricing can be found on the Ariba site at:

http://www.ariba.com/suppliermembership/smp_pricing.cfm

3. System Operations - HMS and Supplier, each at its own expense, shall arrange for the provision and maintenance of equipment, software, Ariba services and testing necessary to transmit and receive Documents effectively and reliably.

4. Security Procedures - HMS and Supplier shall be responsible for using security procedures that are reasonably sufficient to ensure that all transmissions of Documents are authorized and to protect its business records and data from improper access.

5. Signatures - Unless otherwise agreed to by the Parties, the purchase order number (if and as issued by HMS) shall constitute HMS’s electronic signature and consent to any order, and the Supplier’s invoice number shall constitute Supplier’s electronic signature and consent to provide the licensed products and/or other services. Each Party agrees that the HMS purchase order number or the Supplier invoice number, as issued by the respective Party, shall be sufficient to verify that such Party originated the document. Neither Party shall disclose to any unauthorized person the purchase order number or the invoice number, and the provision of the invoice number by Supplier shall certify that the providing individual has the authority to enter into the purchase order contract. The Parties acknowledge and agree that (i) the issuance of a purchase order or invoice number shall be valid and enforceable as to the signing Party to the same extent as an inked original signature, and (ii) these documents shall constitute “original” documents when printed from electronic files and records established and maintained by either Party in the normal course of business.

6. Garbled Transmissions - If any transmitted Document is received in an incomplete, unintelligible or garbled form, the receiving Party shall promptly notify the originating Party (if identifiable from the Document received) in a reasonable manner. In the absence of such a notice, the originating Party’s records of the contents of such Document shall control.

7. Validity and Enforceability - Agreement of these procure-to-pay terms evidences the mutual intent of the Parties to create a binding process for invoice submission and payment and other purchase and sale obligations pursuant to the electronic transmission and receipt of Documents specifying certain of the applicable terms.

8. Signed Document - Any Document properly transmitted pursuant to these procure-to-pay terms shall be considered, in connection with any transaction, or the Agreement, to be a “writing” or “in writing”, and any such Document containing, or to which there is affixed, a signature (“Signed Document”) shall be deemed for all purposes (a) to have been “signed” and (b) to constitute an “original” when printed from electronic files or records established and maintained in the normal course of business.

9. Course of Dealing - The conduct of the Parties pursuant to these procure-to-pay terms, including the use of Signed Documents properly transmitted pursuant to these terms, shall, for all purposes, evidence a course of dealing and a course of performance accepted by the Parties in furtherance of these procure-to-pay terms, and with any invoice or other transaction.

10. Validity - HMS and Supplier agree not to contest the validity or enforceability of Signed Documents under the provisions of any applicable law relating to whether or not certain agreements are to be in writing or signed by the Party to be bound thereby. Signed Documents, if introduced on paper in any judicial, arbitration, mediation or administrative proceeding, shall be valid to the same extent and under the same conditions as other business records originated and maintained in documentary form. Neither Party shall contest the admissibility of copies of Signed Documents under either the business records exception to the hearsay rule or the best evidence rule on the basis that the Signed Documents were not originated or maintained in documentary form, or on any other basis.