1ST AMENDMENT TO THE SERVICES AGREEMENT BETWEEN BOTTOMLINE TECHNOLOGIES, INC. AND BANK OF AMERICA, N.A. Supplier Name: Bottomline Technologies, Inc. Agreement Number: CW136262 Supplier Address: 325 Corporate Drive Portsmouth, NH 03801 United States...
Exhibit 10.19
1ST AMENDMENT TO THE SERVICES AGREEMENT BETWEEN BOTTOMLINE TECHNOLOGIES, INC. AND BANK OF AMERICA, N.A. | ||||||
Supplier Name: | Bottomline Technologies, Inc. | Agreement Number: | CW136262 | |||
Supplier Address: | 000 Xxxxxxxxx Xxxxx Xxxxxxxxxx, XX 00000 Xxxxxx Xxxxxx |
Addendum Number: | CW242592 | |||
Supplier Telephone: | 0-000-000-0000 | Addendum Effective Date: | 9/29/2010 |
This Amendment, made and entered into this 29th day of September, 2010, by and between BOTTOMLINE TECHNOLOGIES, INC. (the subcontractor, hereinafter referred to as “Tech”) and BANK OF AMERICA, N.A. (the business associate, hereinafter referred to as “Bank”).
WITNESSETH:
WHEREAS, Tech and Bank entered into that certain Services Agreement by and between Tech and Bank effective the 9th day of September 2009, inclusive of the Business Associate attached as SCHEDULE H Addendum (“Addendum”) to the Services Agreement; and
WHEREAS, the American Recovery and Reinvestment Act of 2009, Public Law 111-005, was signed into law on February 17, 2009 and includes provisions relating to the privacy and security of protected health information (“PHI”) in Title XIII, known as the “Health Information Technology for Economic and Clinical Health Act” (“HITECH Act”); and
WHEREAS, with the passage of the HITECH Act, there are additional obligations and compliance requirements imposed upon the Bank and Tech; and
WHEREAS, under its business associate agreements with the Covered Entities, Bank is required to obtain contractual assurances from its subcontractors who receive or obtain PHI of the Covered Entities in the course of providing services to Bank that they will safeguard the PHI in accordance with applicable requirements under the HIPAA Regulations and the HITECH Act; and
WHEREAS, the parties desire to amend the Addendum by adding the provision more fully set out below to comply with the regulatory changes.
NOW, THEREFORE, in consideration of the premises hereof and the mutual benefits to be derived hereby, the Addendum is hereby amended by adding the following provisions as follows:
The Business Associate Addendum (or any underlying agreement between the parties incorporating such provisions) is amended to add the following:
A. | Definitions: |
1. Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy or Security Rule that compromises the security or privacy of the PHI, as defined in 45 C.F.R. §164.402 or that constitutes a breach of information security regarding PHI under applicable state law.
B. | Obligations of Tech effective February 17, 2010: |
1. Training. Tech shall provide appropriate training to its employees regarding Breaches and mitigation of potential damage.
2. Minimum Necessary. In requesting, using or disclosing PHI, Tech will use the minimum necessary amount of information in accordance with § 13405(b) of HITECH and any implementing regulations adopted thereunder.
3. Detecting Breaches. Tech agrees to exercise reasonable diligence to detect Breaches of PHI.
4. Reporting Breaches. In addition to its obligations under § 4 of the Addendum, Tech agrees to implement a thorough process for investigating Breach reports and mitigating potential damage. Tech shall implement a security-breach notification plan. Tech shall provide Bank with notification of a Breach without reasonable delay, but in no case later than ten (10) days following the day Breach is discovered or by exercise of reasonable diligence would have been discovered by Tech. To the extent the information is available, notice to Bank shall include the following:
i. | identification of the individuals whose PHI has been, or is reasonably believed by Tech to have been, accessed, acquired or disclosed during the Breach; |
ii. | brief description of what happened, including the date of the Breach and the date of the discovery of the Breach; |
iii. | description of the types of PHI that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, or other types of information were involved); |
iv. | any steps individuals the subject of the Breach should take to protect themselves from potential harm that may result from the Breach; and, |
v. | a brief description of what Tech is doing to investigate the Breach, to mitigate the harm to the individuals, and to protect against further Breaches. |
- 2 -
5. Indemnification/Limitation of Liability: Tech acknowledges and agrees that its indemnity obligation pursuant to Section 13.1 of the Agreement as well as the exceptions to limitations of liability set forth in Section 14.3 of the Agreement apply to its obligations set forth in this Addendum.
6. Electronic Health Records and Designated Record Sets. The parties acknowledge that PHI provided to Bottomline consists solely of information about how a claim to a health plan payer was adjudicated and the payment amount calculated. Bank represents and warrants that it does not provide, and Tech represents and warrants that it does not maintain, Electronic Health Records, as the term is defined in Section 13400 of the HITECH Act, or Designated Record Sets and, in the case of Tech, it does not store or index any information by “patient” or allow search of any PHI by patient name or ID.
C. Relationship of the Parties: Nothing in this Amendment is intended to create an agency relationship between the parties.
D. Inconsistencies: In the event of any inconsistencies in the terms of the Business Associate Addendum and this Amendment, the terms of this Amendment shall control with respect to the provisions set out herein.
E. All Other Provisions: Except as to the terms amended by this Amendment, all other terms and conditions of the Agreement and the Addendum are declared by the parties to be in full force and effect, and except as otherwise provided in this Amendment, all defined terms used in this Amendment shall have the meanings set forth for such terms in the Addendum.
F. Further Amendments: The parties acknowledge that further amendments to the Business Associate Addendum may be necessary from time to time to comply with requirements of applicable federal and state laws and regulations.
- 3 -
IN WITNESS WHEREOF, the parties have caused this Amendment to be executed by their duly authorized representatives this 29th day of September, 2010.
Bank | Tech | |||||||
Bank of America, N.A. | Bottomline Technologies (de), Inc. | |||||||
/s/ Xxxx Xxxxxx |
10-7-2010 |
/s/ Xxxx Xxxxxx |
9-30-10 | |||||
Signature | Date | Signature | Date | |||||
Xxxx Xxxxxx |
Xxxx Xxxxxx | |||||||
(Printed Name) | (Printed Name) | |||||||
VP, Sourcing Manager |
VP, Global Controller | |||||||
(Title) | (Title) |
- 4 -