NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 1 of 44
Master Agreement #: AR2488
Contractor:
SHI INTERNATIONAL CORP.
Participating Entity: STATE OF TENNESSEE
The following products or services are included in this contract portfolio:
x All products and services listed in the SHI International NASPO Cloud Solutions program
catalogs/price lists.
Master Agreement Terms and Conditions:
1. Scope: This addendum covers Cloud Solutions led by the State of Utah for use by state
agencies and other entities located in Tennessee authorized by that State’s statutes to
utilize State contracts with the prior approval of the State’s Chief Procurement Official.
2. Participation: This NASPO ValuePoint Master Agreement may be used by all state
agencies, institutions of higher education, political subdivisions and other entities authorized
to use statewide contracts in the State of Tennessee. Issues of interpretation and eligibility
for participation are solely within the authority of the State Chief Procurement Official.
3. Access to Cloud Solutions Services Requires State CIO Approval: Unless otherwise
stipulated in this Participating Addendum, specific services accessed through the NASPO
ValuePoint cooperative Master Agreements for Cloud Solutions by state executive branch
agencies are subject to the authority and prior approval of the State Chief Information
Officer’s Office. The State Chief Information Officer means the individual designated by the
state Governor within the Executive Branch with enterprise-wide responsibilities for
leadership and management of information technology resources of a state.
4. Primary Contacts: The primary contact individuals for this Participating Addendum are as
follows (or their named successors):
Contractor
Name:
Elaine Williams
Address:
290 Davidson Avenue, Somerset, NJ 08873
Telephone:
(615) 691-2551
Fax:
(888) 764-8889
Email:
Elaine_williams@shi.com
Participating Entity
Name:
Simeon Ayton
Address:
312 Rosa L. Parks Avenue, Nashville, TN 37243
Telephone:
615 532-0110
Fax:
615 741-0684
Email:
Simeon.Ayton@tn.gov
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 2 of 44
5. PARTICIPATING ENTITY MODIFICATIONS OR ADDITIONS TO THE MASTER
AGREEMENT
These modifications or additions apply only to actions and relationships within the Participating
Entity.
Participating Entity must check one of the boxes below.
[ ] No changes to the terms and conditions of the Master Agreement are required.
[X] The following changes are modifying or supplementing the Master Agreement terms and
conditions.
This Participating Addendum with Tennessee State specific terms and conditions are attached
below as Attachments A, B, C, D, E, and F and in the event of a conflict, take precedence over
the NASPO Value Point Master Contract # AR2488 terms and conditions.
6. Subcontractors: All contactors, dealers, and resellers authorized in the State of Tennessee,
as shown on the dedicated Contractor (cooperative contract) website, are approved to
provide sales and service support to participants in the NASPO ValuePoint Master
Agreement. The contractor’s dealer participation will be in accordance with the terms and
conditions set forth in the aforementioned Master Agreement.
7. Orders: Any order placed by a Participating Entity or Purchasing Entity for a product and/or
service available from this Master Agreement shall be deemed to be a sale under (and
governed by the prices and other terms and conditions) of the Master Agreement unless the
parties to the order agree in writing that another contract or agreement applies to such
order.
IN WITNESS WHEREOF, the parties have executed this Addendum as of the date of execution
by both parties below.
Participating Entity:
Contractor: SHI International Corp
Signature:
Signature:
Name:
Name: Kristina Mann
Title:
Title: Senior Lead Contracts Specialist
Date:
Date: 09/16/2020
[Additional signatures may be added if required by the Participating Entity]
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 3 of 44
For questions on executing a participating addendum, please contact:
NASPO ValuePoint
Cooperative Development Coordinator:
Shannon Berry
Telephone:
775-720-3404
Email:
Please email fully executed PDF copy of this document
to
to support documentation of participation and posting
in appropriate data bases.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 4 of 44
Attachment A
State of Tennessee
(“State,” “Participating Entity,” or “Purchasing Entity”)
NASPO ValuePoint Cloud Solutions 2016-2026
All references to “Contract” hereinbelow shall collectively
refer to the “Master Contract”, “Participating Addendum”,
and “Supplemental Terms and Conditions”
Supplemental Terms and Conditions
Standard Terms and Conditions
1. Required Approvals. The State is not bound by this Contract until it is duly approved by the
Parties and all appropriate State officials in accordance with applicable Tennessee laws and
regulations. Depending upon the specifics of this Contract, this may include approvals by the
Commissioner of Finance and Administration, the Commissioner of Human Resources, the
Comptroller of the Treasury, and the Chief Procurement Officer. Approvals shall be evidenced by
a signature or electronic approval.
2. Modification and Amendment. This Contract may be modified only by a written amendment
signed by all Parties and approved by all applicable State officials.
3. Subject to Funds Availability. The Contract is subject to the appropriation and availability of State
or federal funds. In the event that the funds are not appropriated or are otherwise unavailable,
the State reserves the right to terminate this Contract upon written notice to the Contractor. The
State’s exercise of its right to terminate this Contract shall not constitute a breach of Contract by
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 5 of 44
the State. Upon receipt of the written notice, the Contractor shall cease all work associated with
the Contract. If the State terminates this Contract due to lack of funds availability, the Contractor
shall be entitled to compensation for all “non-returnable” or “non-cancellable” goods, (“Special
Order”) and all conforming goods requested and accepted by the State and for all satisfactory
and authorized services completed as of the termination date. Should the State exercise its right
to terminate this Contract due to unavailability of funds, the Contractor shall have no right to
recover from the State any actual, general, special, incidental, consequential, or any other
damages of any description or amount.
4. Termination for Convenience. The State may terminate this Contract for convenience without
cause and for any reason. The State shall give the Contractor at least thirty (30) days written
notice before the termination date. The Contractor shall be entitled to compensation for all
Special Order goods and all conforming goods delivered and accepted by the State or for
satisfactory, authorized services completed as of the termination date. In no event shall the State
be liable to the Contractor for compensation for any goods not requested by the State or for any
services not requested by the State by the Contractor. In no event shall the State’s exercise of its
right to terminate this Contract for convenience relieve the Contractor of any liability to the State
for any damages or claims arising under this Contract.
5. Termination for Cause. If the Contractor fails to properly perform its obligations under this
Contract in a timely or proper manner, or if the Contractor materially violates any terms of this
Contract (“Breach Condition”),the State shall have the right to immediately terminate the Contract.
In the event of a Breach Condition, the State shall have all other remedies available under this
Contract, at law, or in equity..
6. Assignment and Subcontracting. The Contractor shall not assign this Contract or enter into a
subcontract for any of the goods or services provided under this Contract without the prior written
approval of the State. Notwithstanding any use of the approved subcontractors, the Contractor
shall be the prime contractor and responsible for compliance with all terms and conditions of this
Contract. The State reserves the right to request additional information or impose additional
terms and conditions before approving an assignment of this Contract in whole or in part or the
use of subcontractors in fulfilling the Contractor’s obligations under this Contract.
7. Conflicts of Interest. The Contractor warrants that no part of the Contractor’s compensation shall
be paid directly or indirectly to an employee or official of the State of Tennessee as wages,
compensation, or gifts in exchange for acting as an officer, agent, employee, subcontractor, or
consultant to the Contractor in connection with any work contemplated or performed under this
Contract.
The Contractor acknowledges, understands, and agrees that this Contract shall be null and void if
the Contractor is, or within the past six (6) months has been, an employee of the State of
Tennessee or if the Contractor is an entity in which a controlling interest is held by an individual
who is, or within the past six (6) months has been, an employee of the State of Tennessee.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 6 of 44
8. Nondiscrimination. The Contractor hereby agrees, warrants, and assures that no person shall be
excluded from participation in, be denied benefits of, or be otherwise subjected to discrimination
in the performance of this Contract or in the employment practices of the Contractor on the
grounds of handicap or disability, age, race, creed, color, religion, sex, national origin, or any
other classification protected by federal or state law. The Contractor shall, upon request, show
proof of nondiscrimination and shall post in conspicuous places, available to all employees and
applicants, notices of nondiscrimination.
9. Prohibition of Illegal Immigrants. The requirements of Tenn. Code Ann. § 12-3-309 addressing
the use of illegal immigrants in the performance of any contract to supply goods or services to the
state of Tennessee, shall be a material provision of this Contract, a breach of which shall be
grounds for monetary and other penalties, up to and including termination of this Contract.
a) The Contractor agrees that the Contractor shall not knowingly utilize the services of an
illegal immigrant in the performance of this Contract and shall not knowingly utilize the
services of any subcontractor who will utilize the services of an illegal immigrant in the
performance of this Contract. The Contractor shall reaffirm this attestation, in writing, by
submitting to the State a completed and signed copy of the document at Attachment D,
upon request during the Term. If the Contractor is a party to more than one contract with
the State, the Contractor may submit one attestation that applies to all contracts with the
State. All Contractor attestations shall be maintained by the Contractor and made
available to State officials upon request.
b) Prior to the use of any subcontractor in the performance of this Contract, and upon
request thereafter, during the Term, the Contractor shall obtain and retain a current,
written attestation that the subcontractor shall not knowingly utilize the services of an
illegal immigrant to perform work under this Contract and shall not knowingly utilize the
services of any subcontractor who will utilize the services of an illegal immigrant to
perform work under this Contract. Attestations obtained from subcontractors shall be
maintained by the Contractor and made available to State officials upon request.
c) The Contractor shall maintain records for all personnel used in the performance of this
Contract. Contractor’s records shall be subject to review and random inspection at any
reasonable time upon reasonable notice by the State.
d) The Contractor understands and agrees that failure to comply with this section will be
subject to the sanctions of Tenn. Code Ann. § 12-3-309 for acts or omissions occurring
after its effective date.
e) For purposes of this Contract, "illegal immigrant" shall be defined as any person who is
not: (i) a United States citizen; (ii) a Lawful Permanent Resident; (iii) a person whose
physical presence in the United States is authorized; (iv) allowed by the federal
Department of Homeland Security and who, under federal immigration laws or
regulations, is authorized to be employed in the U.S.; or (v) is otherwise authorized to
provide services under the Contract.
10. Records. The Contractor shall maintain documentation for all charges under this Contract. The
books, records, and documents of the Contractor, for work performed or money received under
this Contract, shall be maintained for a period of five (5) full years from the date of the final
payment and shall be subject to audit at any reasonable time and upon reasonable notice by the
State, the Comptroller of the Treasury, or their duly appointed representatives. The financial
statements shall be prepared in accordance with generally accepted accounting principles.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 7 of 44
11. Monitoring. The Contractor’s activities conducted and records maintained pursuant to this Contract
shall be subject to monitoring and evaluation by the State, the Comptroller of the Treasury, or their
duly appointed representatives.
12. Progress Reports. The Contractor shall submit brief, periodic, progress reports to the State as
requested.
13. Strict Performance. Failure by any Party to this Contract to require, in any one or more cases,
the strict performance of any of the terms, covenants, conditions, or provisions of this Contract
shall not be construed as a waiver or relinquishment of any term, covenant, condition, or
provision. No term or condition of this Contract shall be held to be waived, modified, or deleted
except by a written amendment signed by the Parties.
14. Limitation of State’s Liability. The State shall have no liability except as specifically provided in
this Contract. In no event will the State be liable to the Contractor or any other party for any lost
revenues, lost profits, loss of business, decrease in the value of any securities or cash position,
time, goodwill, or any indirect, special, incidental, punitive, exemplary or consequential damages
of any nature, whether based on warranty, contract, statute, regulation, tort (including but not
limited to negligence), or any other legal theory that may arise under this Contract or otherwise.
The State’s total liability under this Contract (including any exhibits, schedules, amendments or
other attachments to the Contract) or otherwise shall under no circumstances exceed the
Estimated Liability. This limitation of liability is cumulative and not per incident.
15. Limitation of Contractor’s Liability.
In accordance with Tenn. Code Ann. § 12-3-701, the
Contractor’s liability for all claims arising under this Contract shall be limited to an amount equal
to two (2) times the Estimated Liability amount detailed in Special Terms and Conditions Item 2
and as may be amended, PROVIDED THAT in no event shall this Section limit the liability of the
Contractor for: (i) intellectual property or any Contractor indemnity obligations for infringement for
third-party intellectual property rights; (ii) any claims covered by any specific provision in the
Contract providing for liquidated damages; or (iii) any claims for intentional torts, criminal acts,
fraudulent conduct, or acts or omissions that result in personal injuries or death. For clarity,
except as otherwise expressly set forth in this Section, Contractor’s indemnification obligations
and other remedies available under this Contract are subject to the limitations on liability set forth
in this Section.
16. Hold Harmless. The Contractor agrees to indemnify and hold harmless the State of Tennessee
as well as its officers, agents, and employees from and against any and all claims, liabilities,
losses, and causes of action which may arise, accrue, or result to any person, firm, corporation,
or other entity which may be injured or damaged as a result of acts, omissions, or negligence on
the part of the Contractor, its employees, or any person acting for or on its or their behalf relating
to this Contract. The Contractor further agrees it shall be liable for the reasonable cost of
attorneys’ fees, court costs, expert witness fees, and other litigation expenses for the State to
enforce the terms of this Contract.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 8 of 44
In the event of any suit or claim, the Parties shall give each other immediate notice and provide
all necessary assistance to respond. The failure of the State to give notice shall only relieve the
Contractor of its obligations under this Section to the extent that the Contractor can demonstrate
actual prejudice arising from the failure to give notice. This Section shall not grant the Contractor,
through its attorneys, the right to represent the State in any legal matter, as the right to represent
the State is governed by Tenn. Code Ann. § 8-6-106.
17. Statewide Contract Reports. All reports shall be submitted electronically in Microsoft Excel format.
Reports shall include the ability to sort or summarize data in accordance with the Contract
Administrator's specifications. All reports shall be provided at no additional cost to the State.
a) Quarterly Reports: Contractor(s) will submit quarterly reports to the Contract Administrator no
later than ten (10) days after the end of the State's quarter (e.g. a fiscal year quarter 2 report
for October - December is due no later than January 10th). At the Contract Administrator's
sole discretion, the State may extend the time allowed to complete quarterly reports.
Quarterly reports shall provide statistical data on all purchases under this Contract by State
Agencies, including State Agencies of the judicial or legislative branch, local governmental
entities in the State of Tennessee, including but not limited to educational institutions, local
governmental authorities, quasi-governmental bodies ("Other Governmental Bodies"), and
certain not-for-profit entities under Tenn. Code Ann. § 33-2-1001. At minimum, the quarterly
report's statistical data shall be detailed and broken down by line item to include:
1. Edison contract number
2. Contract line item number
3. Invoice date
4. Invoice number
5. Supplier part number
6. Item or bundle description
7. Quantity purchased
8. Unit of measure
9. Unit of measure description
10. Name of State Agency, Other Governmental Body or not-for-profit entity
11. Identity of purchaser: State entity or non-State entity
12. State Agency location
13. Unit/Contract price per line item
14. List price as listed in supplier's catalog if catalog item
15. Subtotals for each category above
16. Grand totals for each category above
b) Diversity Business and Subcontractor Usage Reports: The Contractor shall submit monthly
reports of returns, credits, savings, net purchases, and percent of net purchases by
subcontractors, small business enterprises, and businesses owned by minorities, women,
persons with disabilities, and Tennessee service-disabled veterans. Such reports shall be
submitted to the State of Tennessee Governor's Office of Diversity Business Enterprise in the
TN Diversity Software available online at:
https://tn.diversitysoftware.com/FrontEnd/StartCertification.asp?TN=tn&XID=9810.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 9 of 44
c) Custom Reports: When requested by the State, the Contractor shall submit custom
reports to the Contract Administrator within thirty (30) days of the request.
18. HIPAA Compliance. The State and Contractor shall comply with obligations under the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for
Economic and Clinical Health (“HITECH”) Act and any other relevant laws and regulations
regarding privacy (collectively the “Privacy Rules”). The obligations set forth in this Section shall
survive the termination of this Contract.
a) Contractor warrants to the State that it is familiar with the requirements of the Privacy
Rules, and will comply with all applicable requirements in the course of this Contract.
b) Contractor warrants that it will cooperate with the State, including cooperation and
coordination with State privacy officials and other compliance officers required by the
Privacy Rules, in the course of performance of the Contract so that both parties will be in
compliance with the Privacy Rules.
c) The State and the Contractor will sign documents, including but not limited to business
associate agreements, as required by the Privacy Rules and that are reasonably
necessary to keep the State and Contractor in compliance with the Privacy Rules. This
provision shall not apply if information received or delivered by the parties under this
Contract is NOT “protected health information” as defined by the Privacy Rules, or if the
Privacy Rules permit the parties to receive or deliver the information without entering into
a business associate agreement or signing another document.
d) The Contractor will indemnify the State and hold it harmless for any violation by the
Contractor or its subcontractors of the Privacy Rules. This includes the costs of
responding to a breach of protected health information, the costs of responding to a
government enforcement action related to the breach, and any fines, penalties, or
damages paid by the State because of the violation.
19. Tennessee Consolidated Retirement System. Subject to statutory exceptions contained in Tenn.
Code Ann. §§ 8-36-801, et seq., the law governing the Tennessee Consolidated Retirement
System (“TCRS”), provides that if a retired member of TCRS, or of any superseded system
administered by TCRS, or of any local retirement fund established under Tenn. Code Ann. §§ 8-
35-101, et seq., accepts State employment, the member's retirement allowance is suspended
during the period of the employment. Accordingly and notwithstanding any provision of this
Contract to the contrary, the Contractor agrees that if it is later determined that the true nature of
the working relationship between the Contractor and the State under this Contract is that of
“employee/employer” and not that of an independent contractor, the Contractor, if a retired
member of TCRS, may be required to repay to TCRS the amount of retirement benefits the
Contractor received from TCRS during the Term.
20. Tennessee Department of Revenue Registration. The Contractor shall comply with all applicable
registration requirements contained in Tenn. Code Ann. §§ 67-6-601 – 608. Compliance with
applicable registration requirements is a material requirement of this Contract.
21. Debarment and Suspension. The Contractor certifies, to the best of its knowledge and belief, that
it, its current and future principals, its current and future subcontractors and their principals:
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 10 of 44
a) are not presently debarred, suspended, proposed for debarment, declared ineligible, or
voluntarily excluded from covered transactions by any federal or state department or
agency;
b) have not within a three (3) year period preceding this Contract been convicted of, or had
a civil judgment rendered against them from commission of fraud, or a criminal offense in
connection with obtaining, attempting to obtain, or performing a public (federal, state, or
local) transaction or grant under a public transaction; violation of federal or state antitrust
statutes or commission of embezzlement, theft, forgery, bribery, falsification, or
destruction of records, making false statements, or receiving stolen property;
c) are not presently indicted or otherwise criminally or civilly charged by a government entity
(federal, state, or local) with commission of any of the offenses detailed in section b. of
this certification; and
d) have not within a three (3) year period preceding this Contract had one or more public
transactions (federal, state, or local) terminated for cause or default.
The Contractor shall provide immediate written notice to the State if at any time it learns that
there was an earlier failure to disclose information or that due to changed circumstances, its
principals or the principals of its subcontractors are excluded, disqualified, or presently fall under
any of the prohibitions of sections a-d.
22. Force Majeure. “Force Majeure Event” means fire, flood, earthquake, elements of nature or acts
of God, wars, riots, civil disorders, rebellions or revolutions, acts of terrorism or any other similar
cause beyond the reasonable control of the Party except to the extent that the non-performing
Party is at fault in failing to prevent or causing the default or delay, and provided that the default
or delay cannot reasonably be circumvented by the non-performing Party through the use of
alternate sources, workaround plans or other means. A strike, lockout or labor dispute shall not
excuse either Party from its obligations under this Contract. Except as set forth in this Section,
any failure or delay by a Party in the performance of its obligations under this Contract arising
from a Force Majeure Event is not a default under this Contract or grounds for termination. The
non-performing Party will be excused from performing those obligations directly affected by the
Force Majeure Event, and only for as long as the Force Majeure Event continues, provided that
the Party continues to use diligent, good faith efforts to resume performance without delay. The
occurrence of a Force Majeure Event affecting Contractor’s representatives, suppliers,
subcontractors, customers or business apart from this Contract is not a Force Majeure Event
under this Contract. Contractor will promptly notify the State of any delay caused by a Force
Majeure Event (to be confirmed in a written notice to the State within one (1) day of the inception
of the delay) that a Force Majeure Event has occurred, and will describe in reasonable detail the
nature of the Force Majeure Event. If any Force Majeure Event results in a delay in Contractor’s
performance longer than thirty (30) days, the State may, upon notice to Contractor: (a) cease
payment of the fees for the affected obligations until Contractor resumes performance of the
affected obligations; or (b) immediately terminate this Contract or any purchase order, in whole or
in part, without further payment except for fees then due and payable. Contractor will not
increase its charges under this Contract or charge the State any fees other than those provided
for in this Contract as the result of a Force Majeure Event.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 11 of 44
23. Governing Law. This Contract shall be governed by and construed in accordance with the laws
of the State of Tennessee, without regard to its conflict or choice of law rules. The Tennessee
Claims Commission or the state or federal courts in Tennessee shall be the venue for all claims,
disputes, or disagreements arising under this Contract. The Contractor acknowledges and
agrees that any rights, claims, or remedies against the State of Tennessee or its employees
arising under this Contract shall be subject to and limited to those rights and remedies available
under Tenn. Code Ann. §§ 9-8-101 - 408.
24. Severability. If any terms and conditions of this Contract are held to be invalid or unenforceable
as a matter of law, the other terms and conditions of this Contract shall not be affected and shall
remain in full force and effect. The terms and conditions of this Contract are severable.
25. Headings. Section headings of this Contract are for reference purposes only and shall not be
construed as part of this Contract.
26. Incorporation of Additional Documents. Each of the following documents is included as a part of
this Contract by reference. In the event of a discrepancy or ambiguity regarding the Contractor’s
duties, responsibilities, and performance under this Contract, these items shall govern in order of
precedence below:
a. any amendment to this Contract, with the latter in time controlling over any earlier
amendments;
b. this Contract with any attachments or exhibits (excluding the items listed at subsections
c. through f., below);
c. any clarifications of or addenda to the Contractor’s proposal seeking this Contract;
d. the State solicitation, as may be amended, requesting responses in competition for this
Contract;
e. any technical specifications provided to proposers during the procurement process to
award this Contract; and
f. the Contractor’s response seeking this Contract.
27. Iran Divestment Act. The requirements of Tenn. Code Ann. § 12-12-101, et seq., addressing
contracting with persons as defined at Tenn. Code Ann. §12-12-103(5) that engage in investment
activities in Iran, shall be a material provision of this Contract. The Contractor certifies, under
penalty of perjury, that to the best of its knowledge and belief that it is not on the list created
pursuant to Tenn. Code Ann. § 12-12-106.
28. Major Procurement Contract Sales and Use Tax. Pursuant to Tenn. Code Ann. § 4-39-102 and
to the extent applicable, the Contractor and the Contractor’s subcontractors shall remit sales and
use taxes on the sales of goods or services that are made by the Contractor or the Contractor’s
subcontractors and that are subject to tax.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 12 of 44
29. Confidentiality of Records. Strict standards of confidentiality of records and information shall be
maintained in accordance with applicable state and federal law. All material and information,
regardless of form, medium or method of communication, provided to the Contractor by the State
or acquired by the Contractor on behalf of the State that is regarded as confidential under state or
federal law shall be regarded as “Confidential Information.” Nothing in this Section shall permit
Contractor to disclose any Confidential Information, regardless of whether it has been disclosed
or made available to the Contractor due to intentional or negligent actions or inactions of agents
of the State or third parties. Confidential Information shall not be disclosed except as required or
permitted under state or federal law. Contractor shall take all necessary steps to safeguard the
confidentiality of such material or information in conformance with applicable state and federal
law.
Special Terms and Conditions
1. Conflicting Terms and Conditions. Should any of these special terms and conditions conflict with
any other terms and conditions of this Contract, the special terms and conditions shall be
subordinate to the Contract’s other terms and conditions.
2. Estimated Liability. The total purchases of any goods or services under the Contract are not
known. The State estimates the purchases during the Term shall be twenty-five million dollars
($25,000,000) (“Estimated Liability”). This Contract does not grant the Contractor any exclusive
rights. The State does not guarantee that it will buy any minimum quantity of goods or services
under this Contract. Subject to the terms and conditions of this Contract, the Contractor will only
be paid for goods or services provided under this Contract after a purchase order is issued to
Contractor by the State or as otherwise specified by this Contract.
3. Travel Compensation. The Contractor shall not be compensated or reimbursed for travel time,
travel expenses, meals, or lodging.
4. Invoice Requirements. The Contractor shall invoice the State only for goods delivered and
accepted by the State or services satisfactorily provided at the amounts stipulated above.
Contractor shall invoice each State user agency (“Customer”) directly, and that agency shall pay
the vendor directly, with the funds coming from that agency’s budget. Contractor shall submit
invoices and necessary supporting documentation, no more frequently than once a month, and
no later than thirty (30) days after goods or services have been provided to the following address:
State Agency Billing Address, as set forth in the applicable order
a. Each invoice, on Contractor’s letterhead, shall clearly and accurately detail all of the
following information (calculations must be extended and totaled correctly):
(1) Invoice number (assigned by the Contractor);
(2) Invoice date;
(3) Contract number (assigned by the State);
(4) Customer account name: State Agency & Division Name;
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 13 of 44
(5) Customer account number (assigned by the Contractor to the above-referenced
Customer);
(6) Contractor name;
(7) Contractor Tennessee Edison registration ID number;
(8) Contractor contact for invoice questions (name, phone, or email);
(9) Contractor remittance address;
(10) Description of delivered goods or services provided and invoiced, including
identifying information as applicable;
(11) Number of delivered or completed units, increments, hours, or days as applicable, of
each good or service invoiced;
(12) Applicable payment methodology of each good or service invoiced;
(13) Amount due for each compensable unit of good or service; and
(14) Total amount due for the invoice period.
b. Contractor’s invoices shall:
(1) Only include charges for goods delivered or services provided as described in herein
and in accordance with payment terms and conditions;
(2) Only be submitted for goods delivered or services completed and shall not include
any charge for future goods to be delivered or services to be performed;
(3) Not include Contractor’s taxes, which includes without limitation Contractor’s sales
and use tax, excise taxes, franchise taxes, real or personal property taxes, or income
taxes; and
(4) Include shipping or delivery charges only as authorized in this Contract.
c. The timeframe for payment (or any discounts) begins only when the State is in
receipt of an invoice that meets the minimum requirements herein.
5. Prerequisite Documentation. The Contractor shall not invoice the State under this Contract until
the State has received the following, properly completed documentation.
a. The Contractor shall complete, sign, and present to the State the "Authorization
Agreement for Automatic Deposit Form" provided by the State. By doing so, the
Contractor acknowledges and agrees that, once this form is received by the State,
payments to the Contractor, under this or any other contract the Contractor has with the
State of Tennessee, may be made by ACH; and
c. The Contractor shall complete, sign, and return to the State the State-provided W-9 form.
The taxpayer identification number on the W-9 form must be the same as the
Contractor's Federal Employer Identification Number or Social Security Number
referenced in the Contractor’s Edison registration information.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 14 of 44
6. State Ownership of Goods. The State shall have ownership, right, title, and interest in all goods
provided by Contractor under this Contract including full rights to use the goods and transfer title
in the goods to any third parties.
7. Intellectual Property Indemnity. The Contractor agrees to indemnify and hold harmless the State
of Tennessee as well as its officers, agents, and employees from and against any and all claims
or suits which may be brought against the State concerning or arising out of any claim of an
alleged patent, copyright, trade secret or other intellectual property infringement. In any such
claim or action brought against the State, the Contractor shall satisfy and indemnify the State for
the amount of any settlement or final judgment, and the Contractor shall be responsible for all
legal or other fees or expenses incurred by the State arising from any such claim. The State shall
give the Contractor notice of any such claim or suit, however, the failure of the State to give such
notice shall only relieve Contractor of its obligations under this Section to the extent Contractor
can demonstrate actual prejudice arising from the State’s failure to give notice. This Section shall
not grant the Contractor, through its attorneys, the right to represent the State of Tennessee in
any legal matter, as provided in Tenn. Code Ann. § 8-6-106.
8. Additional lines, items, or options. At its sole discretion, the State may make written requests to
the Contractor to add lines, items, or options that are needed and within the Scope but were not
included in the original Contract. Such lines, items, or options will be added to the Contract
through a Memorandum of Understanding (“MOU”), not an amendment.
a. After the Contractor receives a written request to add lines, items, or options, the Contractor
shall have ten (10) business days to respond with a written proposal. The Contractor’s written
proposal shall include:
(1) The effect, if any, of adding the lines, items, or options on the other goods or services
required under the Contract;
(2) Any pricing related to the new lines, items, or options;
(3) The expected effective date for the availability of the new lines, items, or options; and
(4) Any additional information requested by the State.
b. The State may negotiate the terms of the Contractor’s proposal by requesting revisions to the
proposal.
c. To indicate acceptance of a proposal, the State will sign it. The signed proposal shall
constitute a MOU between the Parties, and the lines, items, or options shall be incorporated
into the Contract as if set forth verbatim.
d. Only after a MOU has been executed shall the Contractor perform or deliver the new lines,
items, or options.
9. Software License Warranty. Contractor grants a license to the State to use all Contractor owned
software provided under this Contract in the course of the State’s business and purposes. All
third-party owned software shall be subject to the terms and conditions of the third-party owned
software license.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 15 of 44
10. Software Support and Maintenance Warranty. Contractor shall provide to the State all software
upgrades, modifications, bug fixes, or other improvements in its software provided to the
Contractor from the OEM, that it makes generally available to its customers.
11. Extraneous Terms and Conditions. Contractor shall fill all orders submitted by the State under
this Contract. No purchase order, invoice, or other documents associated with any sales, orders,
or supply of any good or service under this Contract shall contain any terms or conditions other
than as set forth in the Contract. Any such extraneous terms and conditions shall be void, invalid
and unenforceable against the State. Any refusal by Contractor to supply any goods or services
under this Contract conditioned upon the State submitting to any extraneous terms and conditions
shall be a material breach of the Contract and constitute an act of bad faith by Contractor.
12. Comptroller Audit Requirements
a. Upon reasonable notice and at any reasonable time, the Contractor and
Subcontractor(s) agree to allow the State, the Comptroller of the Treasury, or their
duly appointed representatives to perform information technology control audits of
the Contractor and all Subcontractors used by the Contractor. Contractor will
maintain and cause its Subcontractors to maintain a complete audit trail of all
transactions and activities in connection with this Contract. Contractor will provide
to the State, the Comptroller of the Treasury, or their duly appointed
representatives access to Contractor and Subcontractor(s) personnel for the
purpose of performing the information technology control audit.
The information technology control audit may include a review of general controls
and application controls. General controls are the policies and procedures that
apply to all or a large segment of the Contractor’s or Subcontractor’s information
systems and applications and include controls over security management, access
controls, configuration management, segregation of duties, and contingency
planning. Application controls are directly related to the application and help
ensure that transactions are complete, accurate, valid, confidential, and available.
The audit shall include the Contractor’s and Subcontractor’s compliance with the
State’s Enterprise Information Security Policies and all applicable requirements,
laws, regulations or policies.
The audit may include interviews with technical and management personnel,
physical inspection of controls, and review of paper or electronic documentation.
For any audit issues identified, the Contractor and Subcontractor(s) shall provide a
corrective action plan to the State within 30 days from the Contractor or
Subcontractor receiving the audit report.
Each party shall bear its own expenses incurred while conducting the information
technology controls audit.
b. For any Software as a Service (SaaS), Infrastructure as a Service (IaaS), or
Platform as a Service (PaaS) models provided by the Contractor where the State
will use the Subcontractor’s applications or data centers to store or process State
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 16 of 44
financial or other data the Subcontractor shall be subject to an annual System and
Organization Controls (SOC) 2 Type 2 examination engagement or a SOC 1 Type 2
examination engagement by a qualified and reputable CPA firm in accordance with
the standards of the American Institute of Certified Public Accountants.
The scope of the SOC 2 Type 2 examination for SaaS models must include the
security, availability, confidentiality, and processing integrity Trust Services Criteria.
The scope of the SOC 2 Type 2 examination for IaaS and PaaS models must
include the security, availability, and confidentiality Trust Services Criteria. The
scope of the SOC 1 Type 2 examination must include a review of internal control
over financial reporting that is relevant to the Subcontractor’s scope of work.
The Contractor shall assist the State with obtaining a complete, unredacted version
of the SOC 1 Type 2 examination report and SOC 2 Type 2 examination report
upon request from the State. For any examination issues or exceptions described
in the SOC 1 Type 2 examination report or SOC 2 Type 2 examination report, upon
request from the State, the Contractor shall assist the State with obtaining
corrective action plans from the Subcontractor that describe how the Subcontractor
will correct the issues or exceptions.
In the event the CPA firm issues a modified opinion on the SOC examination report,
meaning that the opinion is qualified, adverse, or disclaimed, the Contractor will
assist the State with obtaining in writing the Subcontractor’s plan to correct the
issues that caused the modified opinion. The Contractor must assist the State with
having the Subcontractor demonstrate to the State that the issues have been
corrected prior to the commencement of the next scheduled SOC examination.
If the scope of the most recent SOC examination report does not include all of the
current State fiscal year, upon request from the State, the Contractor must provide
assistance to the State with obtaining a letter from the Subcontractor stating
whether the Subcontractor made any material changes to their control environment
since the prior SOC examination and, if so, whether the changes, in the opinion of
the Subcontractor, would negatively affect the auditor’s opinion in the most recent
SOC examination report.
No additional funding shall be allocated for these audits as they are included in the
Estimated Liability of this Contract.
The State and Comptroller of the Treasury must approve any exceptions to this
requirement.
13. Contractor Hosted Services Confidential Data, Audit, and Other Requirements.
The following provisions shall only apply if an order expressly says that they apply to such
order.
a. “Confidential State Data” is defined as data deemed confidential by State or Federal
statute or regulation. The Contractor shall protect Confidential State Data as
follows:
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 17 of 44
(1) The Contractor shall ensure that all Confidential State Data is housed in the
continental United States, inclusive of backup data.
(2) The Contractor shall encrypt Confidential State Data at rest and in transit using
the current version of Federal Information Processing Standard (“FIPS”) 140 -2
validated encryption technologies.
(3) The Contractor and the Contractor’s processing environment containing
Confidential State Data shall either (1) be in accordance with at least one of the
following security standards: (i) International Standards Organization (“ISO”)
27001; (ii) Federal Risk and Authorization Management Program (“FedRAMP”);
or (2) be subject to an annual engagement by a CPA firm in accordance with
the standards of the American Institute of Certified Public Accountants
(“AICPA”) for a System and Organization Controls for service organizations
(“SOC”) Type II audit. The State shall approve the SOC audit control
objectives. The Contractor shall provide proof of current ISO certification or
FedRAMP authorization for the Contractor and Subcontractor(s), or provide the
State with the Contractor’s and Subcontractor’s annual SOC Type II audit report
within 30 days from when the CPA firm provides the audit report to the
Contractor or Subcontractor. The Contractor shall submit corrective action
plans to the State for any issues included in the audit report within 30 days after
the CPA firm provides the audit report to the Contractor or Subcontractor.
If the scope of the most recent SOC audit report does not include all of the
current State fiscal year, upon request from the State, the Contractor must
provide to the State a letter from the Contractor or Subcontractor stating
whether the Contractor or Subcontractor made any material changes to their
control environment since the prior audit and, if so, whether the changes, in the
opinion of the Contractor or Subcontractor, would negatively affect the auditor’s
opinion in the most recent audit report.
No additional funding shall be allocated for these certifications, authorizations,
or audits as these are included in the Estimated Liability of this Contract.
Contractor shall meet all applicable requirements of the most current version of
Internal Revenue Service Publication 1075.
Contractor shall meet requirements of current version of Minimum Acceptable
Risk Standards for Exchanges (“MARS-E”) controls.
(a) If the order will involve CJIS data, FTI data, then the following shall apply in
lieu of section 14.a.(3):
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 18 of 44
The Contractor shall maintain a Security Management Certification from the
Federal Risk and Authorization Management Program (“FedRAMP”). A
“Security Management Certification” shall mean written confirmation fr om
FedRAMP that FedRAMP has assessed the Contractor’s information
technology Infrastructure, using a standardized approach to security
assessment, authorization, and continuous monitoring for cloud products
and services, and has certified that the Contractor meets FedRAMP
standards. Information technology “Infrastructure” shall mean the
Contractor’s entire collection of hardware, software, networks, data centers,
facilities and related equipment used to develop, test, operate, monitor,
manage and/or support information technology services. The Contractor
shall provide proof of current certification annually and upon State request.
No additional funding shall be allocated for these certifications,
authorizations, or audits as these are included in the Estimated Liability of
this Contract.
(b) If the order will contain FTI data, the following sentence also applies to
section 14.a.(3)(a) (FedRAMP) language above:
Contractor shall meet all applicable requirements of the most current
version of Internal Revenue Service Publication 1075.
(c) If the order will involve CMS data, the following sentence also applies to
section 14.a.(3)(a) language above:
Contractor shall meet requirements of current version of Minimum
Acceptable Risk Standards for Exchanges (“MARS-E”) controls.
(4) The Contractor must annually perform Penetration Tests and Vulnerability
Assessments against its Processing Environment. “Processing Environment”
shall mean the combination of software and hardware on which the Application
runs. “Application” shall mean the computer code that supports and
accomplishes the State’s requirements as set forth in this Contract. “Penetration
Tests” shall be in the form of attacks on the Contractor’s computer system, with
the purpose of discovering security weaknesses which have the potential to
gain access to the Processing Environment’s features and data. The
“Vulnerability Assessment” shall be designed and executed to define, identify,
and classify the security holes (vulnerabilities) in the Processing Environment.
The Contractor shall allow the State, at its option, to perform Penetration Tests
and Vulnerability Assessments on the Processing Environment.
(5) Upon State request, the Contractor shall provide a copy of all Confidential State
Data it holds. The Contractor shall provide such data on media and in a format
determined by the State.
(6) Upon termination of this Contract and in consultation with the State, the
Contractor shall destroy all Confidential State Data it holds (including any
copies such as backups) in accordance with the current version of National
Institute of Standards and Technology (“NIST”) Special Publication 800-88. The
Contractor shall provide a written confirmation of destruction to the State within
ten (10) business days after destruction.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 19 of 44
(7) If the order will involve PCI data, the following shall apply:
Contractor shall be certified to host Payment Card Industry (“PCI”) data in
accordance with the current version of PCI DSS (“Data Security Standard”),
maintained by the PCI Security Standards Council.
b. Minimum Requirements
(1) The Contractor and all data centers used by the Contractor to host State data,
including those of all Subcontractors, must comply with the State’s Enterprise
Information Security Policies as amended periodically. The State’s Enterprise
Information Security Policies document is found at the following URL:
https://www.tn.gov/finance/strategic-technology-solutions/strategic-technology-
solutions/sts-security-policies.html.
(2) The Contractor agrees to maintain the Application so that it will run on a
current, manufacturer-supported Operating System. “Operating System” shall
mean the software that supports a computer's basic functions, such as
scheduling tasks, executing applications, and controlling peripherals.
(3) If the Application requires middleware or database software, Contractor shall
maintain middleware and database software versions that are at all times fully
compatible with current versions of the Operating System and Application to
ensure that security vulnerabilities are not introduced.
c. Business Continuity Requirements. The Contractor shall maintain set(s) of
documents, instructions, and procedures which enable the Contractor to respond to
accidents, disasters, emergencies, or threats without any stoppage or hindrance in
its key operations (“Business Continuity Requirements”). Business Continuity
Requirements shall include:
1. “Disaster Recovery Capabilities” refer to the actions the Contractor
takes to meet the Recovery Point and Recovery Time Objectives
defined below. Disaster Recovery Capabilities shall meet the
following objectives:
i. Recovery Point Objective (“RPO”). The RPO is defined as
the maximum targeted period in which data might be lost
from an IT service due to a major incident: The applicable
RPO will be defined in each Order.
ii. Recovery Time Objective (“RTO”). The RTO is defined as
the targeted duration of time and a service level within which
a business process must be restored after a disaster (or
disruption) in order to avoid unacceptable consequences
associated with a break in business continuity: The
applicable RTO will be defined in each Order.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 20 of 44
2. The Contractor and the Subcontractor(s) shall perform at least one
Disaster Recovery Test every three hundred sixty-five (365) days. A
“Disaster Recovery Test” shall mean the process of verifying the
success of the restoration procedures that are executed after a
critical IT failure or disruption occurs. The Disaster Recovery Test
shall use actual State Data Sets that mirror production data, and
success shall be defined as the Contractor verifying that the
Contractor can meet the State’s RPO and RTO requirements. A
“Data Set” is defined as a collection of related sets of information
that is composed of separate elements but can be manipulated as a
unit by a computer. The Contractor shall provide written confirmation
to the State after each Disaster Recovery Test that its Disaster
Recovery Capabilities meet the RPO and RTO requirements.
3. The Contractor shall have the ability to provide base level protection
against Layer 3 and Layer 4 Distributed Denial of Service volume
based and protocol attacks such as SYN, UDP, and ICMP floods,
DNS amplification and reflection attacks.
4. The contractor shall have the ability to provide addition mitigation
against Layer 7 Distributed Denial of Service attacks such as HTTP
floods, WordPress XML-RPV Floods and Slowloris attacks.
d. In the event of a cyber breach, the Contractor will allow the State to communicate
directly with the Contractor’s technical staff and any forensics experts who are
assisting the Contractor with the breach analysis.
14. Prohibited Advertising or Marketing. The Contractor shall not suggest or imply in advertising or
marketing materials that Contractor's goods or services are endorsed by the State. The
restrictions on Contractor advertising or marketing materials under this Section shall survive the
termination of this Contract.
15. Public Accountability. If the Contractor is subject to Tenn. Code Ann. §§ 8-4-401, et seq., or if
this Contract involves the provision of services to citizens by the Contractor on behalf of the
State, the Contractor agrees to establish a system through which recipients of services may
present grievances about Contractor’s operation of the service program. The Contractor shall
also display in a prominent place, located near the passageway through which the public enters
in order to receive contract-supported services, a sign at least eleven inches (11") in height and
seventeen inches (17") in width stating the following:
NOTICE: THIS AGENCY IS A RECIPIENT OF TAXPAYER FUNDING. IF YOU OBSERVE AN
AGENCY DIRECTOR OR EMPLOYEE ENGAGING IN ANY ACTIVITY THAT YOU CONSIDER
TO BE ILLEGAL, IMPROPER, OR WASTEFUL, PLEASE CALL THE STATE COMPTROLLER’S
TOLL-FREE HOTLINE: 1-800-232-5454
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 21 of 44
The sign shall be of the form prescribed by the Comptroller of the Treasury. The contracting state
agency shall request copies of the sign from the Comptroller of the Treasury and provide signs to
contractors.
16. Contractor Commitment to Diversity. The Contractor shall comply with and make reasonable
business efforts to exceed the commitment to diversity represented by the Contractor’s Response
to this Participating Addendum (Attachment E) and resulting in this Contract.
The Contractor shall assist the State in monitoring the Contractor’s performance of this
commitment by providing, as requested, a monthly report of participation in the performance of
this Contract by small business enterprises and businesses owned by minorities, women, service-
disabled veterans, and persons with disabilities. Such reports shall be provided to the State of
Tennessee Governor's Office of Diversity Business Enterprise in the TN Diversity Software
available online at:
https://tn.diversitysoftware.com/FrontEnd/StartCertification.asp?TN=tn&XID=9810
17. Unencumbered Personnel. The Contractor shall not restrict its employees, agents,
subcontractors or principals who perform services for the State under this Contract from
performing the same or similar services for the State after the termination of this Contract, either
as a State employee, an independent contractor, or an employee, agent, subcontractor or
principal of another contractor with the State.
18. Personally Identifiable Information. While performing its obligations under this Contract,
Contractor may have access to Personally Identifiable Information held by the State (“PII”). For
the purposes of this Contract, “PII” includes “Nonpublic Personal Information” as that term is
defined in Title V of the Gramm-Leach-Bliley Act of 1999 or any successor federal statute, and
the rules and regulations thereunder, all as may be amended or supplemented from time to time
(“GLBA”) and personally identifiable information and other data protected under any other
applicable laws, rule or regulation of any jurisdiction relating to disclosure or use of personal
information (“Privacy Laws”). Contractor agrees it shall not do or omit to do anything which would
cause the State to be in breach of any Privacy Laws. Contractor shall, and shall cause its
employees, agents and representatives to: (i) keep PII confidential and may use and disclose PII
only as necessary to carry out those specific aspects of the purpose for which the PII was
disclosed to Contractor and in accordance with this Contract, GLBA and Privacy Laws; and (ii)
implement and maintain appropriate technical and organizational measures regarding information
security to: (A) ensure the security and confidentiality of PII; (B) protect against any threats or
hazards to the security or integrity of PII; and (C) prevent unauthorized access to or use of PII.
Contractor shall immediately notify State: (1) of any disclosure or use of any PII by Contractor or
any of its employees, agents and representatives in breach of this Contract; and (2) of any
disclosure of any PII to Contractor or its employees, agents and representatives where the
purpose of such disclosure is not known to Contractor or its employees, agents and
representatives. The State reserves the right to review Contractor's policies and procedures
used to maintain the security and confidentiality of PII and Contractor shall, and cause its
employees, agents and representatives to, comply with all reasonable requests or directions from
the State to enable the State to verify or ensure that Contractor is in full compliance with its
obligations under this Contract in relation to PII. Upon termination or expiration of the Contract or
at the State’s direction at any time in its sole discretion, whichever is earlier, Contractor shall
immediately return to the State any and all PII which it has received under this Contract and shall
destroy all records of such PII.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 22 of 44
The Contractor shall report to the State any instances of unauthorized access to or potential
disclosure of PII in the custody or control of Contractor (“Unauthorized Disclosure”) that come to
the Contractor’s attention. Any such report shall be made by the Contractor within twenty-four
(24) hours after the Unauthorized Disclosure has come to the attention of the Contractor.
Contractor shall take all necessary measures to halt any further Unauthorized Disclosures. The
Contractor, at the sole discretion of the State, shall provide no cost credit monitoring services for
individuals whose PII was affected by the Unauthorized Disclosure. The Contractor shall bear the
cost of notification to all individuals affected by the Unauthorized Disclosure, including individual
letters and public notice. The remedies set forth in this Section are not exclusive and are in
addition to any claims or remedies available to this State under this Contract or otherwise
available at law. The obligations set forth in this Section shall survive the termination of this
Contract.
19. Statewide Contract. This Contract establishes a source or sources of supply for all Tennessee
State Agencies. “Tennessee State Agency” refers to the various departments, institutions,
boards, commissions, and agencies of the executive branch of government of the State of
Tennessee with exceptions as addressed in Tenn. Comp. R. & Regs. 0690-03-01-.01. The
Contractor shall provide all goods or services and deliverables as required by this Contract to all
Tennessee State Agencies. The Contractor shall make this Contract available to the following
entities, who are authorized to and who may purchase off of this Statewide Contract (“Authorized
Users”):
a. all Tennessee State governmental entities (this includes the legislative branch; judicial
branch; and, commissions and boards of the State outside of the executive branch of
government);
b. Tennessee local governmental agencies;
c. members of the University of Tennessee or Tennessee Board of Regents systems;
d. any private nonprofit institution of higher education chartered in Tennessee; and,
e. any corporation which is exempted from taxation under 26 U.S.C. Section 501(c) (3), as
amended, and which contracts with the Department of Mental Health and Substance
Abuse to provide services to the public (Tenn. Code Ann. § 33-2-1001).
These Authorized Users may utilize this Contract by purchasing directly from the Contractor
according to their own procurement policies and procedures. The State is not responsible or
liable for the transactions between the Contractor and Authorized Users.
20. Survival. The terms, provisions, representations, and warranties contained in this Contract which
by their sense and context are intended to survive the performance and termination of this
Contract, shall so survive the completion of performance and termination of this Contract.
21. Inspection and Acceptance. The State shall have the right to inspect all goods or services
provided by Contractor under this Contract. If, upon inspection, the State determines that the
goods or services are Defective, the State shall notify Contractor, and Contractor shall re-deliver
the goods or provide the services at no additional cost to the State. If after a period of thirty (30)
days following delivery of goods or performance of services the State does not provide a notice of
any Defects, the goods or services shall be deemed to have been accepted by the State.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 23 of 44
22. Term of Participating Addendum. This Contract shall be effective on 9/21/2020 (“Effective Date”)
and extend for a period of thirty-six (36) months after the Effective Date (“Term”). The State shall
have no obligation for goods or services provided by the Contractor prior to the Effective Date.
23. Renewal Options. This Contract may be renewed upon satisfactory completion of the Term. The
State reserves the right to execute up to two (2) renewal options under the same terms and
conditions for a period not to exceed twelve (12) months each by the State, at the State's sole
option. In no event, however, shall the maximum Term, including all renewals or extensions,
exceed a total of sixty (60) months.
24. Participating Addendum Term Extension. The State may extend the Term an additional period of
time, not to exceed one hundred-eighty (180) days beyond the expiration date of this Contract,
under the same terms and conditions, at the State’s sole option. In no event, however, shall the
maximum Term, including all renewals or extensions, exceed a total of sixty (60) months.
25. Warranty. Contractor represents and warrants that the term of the warranty (“Warranty Period”)
shall be the greater of the Term of this Contract or any other warranty generally offered by
Contractor, its suppliers, or manufacturers to customers of its goods or services. The goods or
services provided under this Contract shall conform to the terms and conditions of this Contract
throughout the Warranty Period. Any nonconformance of the goods or services to the terms and
conditions of this Contract shall constitute a “Defect” and shall be considered “Defective.” If
Contractor receives notice of a Defect during the Warranty Period, then Contractor shall correct
the Defect, at no additional charge.
Contractor represents and warrants that the State is authorized to possess and use all
equipment, materials, software, and deliverables provided under this Contract.
Contractor represents and warrants that all goods or services provided under this Contract shall
be provided in a timely and professional manner, by qualified and skilled individuals, and in
conformity with standards generally accepted in Contractor’s industry.
If Contractor fails to provide the goods or services as warranted, then Contractor will re-provide
the goods or services at no additional charge. If Contractor is unable or unwilling to re-provide
the goods or services as warranted, then the State shall be entitled to recover the fees paid to
Contractor for the Defective goods or services. Any exercise of the State’s rights under this
Section shall not prejudice the State’s rights to seek any other remedies available under this
Contract or applicable law.
26. State and Federal Compliance. The Contractor shall comply with all State and federal laws and
regulations applicable to Contractor in the Contractor’s performance of this Contract.
27. Nondiscrimination. The Contractor hereby agrees, warrants, and assures that no person shall be
excluded from participation in, be denied benefits of, or be otherwise subjected to discrimination
in the performance of this Contract or in the employment practices of the Contractor on the basis
of any classification protected by federal, Tennessee State constitutional, or statutory law. The
Contractor shall, upon request, show proof of such nondiscrimination and shall post in
conspicuous places, available to all employees and applicants, notices of nondiscrimination.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 24 of 44
28. Administrative Fees. The Contractor shall pay the State an Administrative Fee of one (1) percent
(1.0% or 0.01) in accordance with the Terms and Conditions of the Master Agreement no later
than 60 days following the end of each calendar quarter. The State’s Administrative Fee shall be
submitted quarterly and is based on sales of products and services (less any charges for taxes or
shipping).
Period End Admin Fee Due
March 31 May 31
June 30 August 31
September 30 November 30
December 31 February 28
The administrative fee shall be submitted to the following address:
Ron Plumb, Director of Financial Management
Department of General Services
W.R. Snodgrass TN. Tower 24th Floor
312 Rosa L. Parks Avenue
Nashville, TN 37243
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 25 of 44
ATTACHMENT B
FEDERALLY MANDATED REQUIREMENTS FOR SERVICES CONTRACTS WITH
ACCESS TO FEDERAL TAX RETURN INFORMATION
Federal Tax Information (“FTI”) includes return or return information received directly from the
IRS or obtained through an authorized secondary source, such as Social Security
Administration (SSA), Federal Office of Child Support Enforcement (OCSE), Bureau of the
Fiscal Service (BFS), or Centers for Medicare and Medicaid Services (CMS), or another entity
acting on behalf of the IRS pursuant to an IRC 6103(p)(2)(B) Agreement. FTI includes any
information created by the recipient that is derived from federal return or return information
received from the IRS or obtained through a secondary source.
CONTRACT LANGUAGE FOR GENERAL SERVICES
I. PERFORMANCE
In performance of this Contract, the Contractor agrees to comply with and assume responsibility
for compliance by his or her employees with the following requirements:
(1) All work will be performed under the supervision of the Contractor or the Contractor's
responsible employees.
(2) The Contractor and the Contractor’s employees with access to or who use FTI must
meet the background check requirements defined in IRS Publication 1075.
(3) Any Federal tax returns or return information (hereafter referred to as returns or return
information) made available shall be used only for the purpose of carrying out the
provisions of this Contract. Information contained in such material shall be treated as
confidential and shall not be divulged or made known in any manner to any person
except as may be necessary in the performance of this Contract. Inspection by or
disclosure to anyone other than an officer or employee of the Contractor is prohibited.
(4) All returns and return information will be accounted for upon receipt and properly stored
before, during, and after processing. In addition, all related output and products will be
given the same level of protection as required for the source material.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 26 of 44
(5) No work involving returns and return information furnished under this Contract will be
subcontracted without prior written approval of the IRS.
(6) The Contractor will maintain a list of employees authorized access. Such list will be
provided to the State and, upon request, to the IRS reviewing office.
(7) The State will have the right to void the Contract if the Contractor fails to provide the
safeguards described above.
II. CRIMINAL/CIVIL SANCTIONS
(1) Each officer or employee of any person to whom returns or return information is or may
be disclosed shall be notified in writing by such person that returns or return information
disclosed to such officer or employee can be used only for a purpose and to the extent
authorized herein, and that further disclosure of any such returns or return information
for a purpose or to an extent unauthorized herein constitutes a felony punishable upon
conviction by a fine of as much as $5,000 or imprisonment for as long as five years, or
both, together with the costs of prosecution. Such person shall also notify each such
officer and employee that any such unauthorized future disclosure of returns or return
information may also result in an award of civil damages against the officer or employee
in an amount not less than $1,000 with respect to each instance of unauthorized
disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26
CFR 301.6103(n)-1.
(2) Each officer or employee of any person to whom returns or return information is or may
be disclosed shall be notified in writing by such person that any return or return
information made available in any format shall be used only for the purpose of carrying
out the provisions of this Contract. Information contained in such material shall be
treated as confidential and shall not be divulged or made known in any manner to any
person except as may be necessary in the performance of this Contract. Inspection by or
disclosure to anyone without an official need-to-know constitutes a criminal
misdemeanor punishable upon conviction by a fine of as much as $1,000 or
imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such
person shall also notify each such officer and employee that any such unauthorized
inspection or disclosure of returns or return information may also result in an award of
civil damages against the officer or employee in an amount equal to the sum of the
greater of $1,000 for each act of unauthorized inspection or disclosure with respect to
which such defendant is found liable or the sum of the actual damages sustained by the
plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a
willful inspection or disclosure which is the result of gross negligence, punitive damages,
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 27 of 44
plus the costs of the action. The penalties are prescribed by IRCs 7213A and 7431 and
set forth at 26 CFR 301.6103(n)-1.
(3) Additionally, it is incumbent upon the Contractor to inform its officers and employees of
the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a.
Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to Contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a Contractor, who by virtue of
his/her employment or official position, has possession of or access to State records
which contain individually identifiable information, the disclosure of which is prohibited by
the Privacy Act or regulations established thereunder, and who knowing that disclosure
of the specific material is so prohibited, willfully discloses the material in any manner to
any person or entity not entitled to receive it, shall be guilty of a misdemeanor and fined
not more than $5,000.
(4) Granting a Contractor access to FTI must be preceded by certifying that each individual
understands the State’s security policy and procedures for safeguarding IRS information.
Contractors must maintain their authorization to access FTI through annual
recertification. The initial certification and recertification must be documented and placed
in the State's files for review. As part of the certification and at least annually afterwards,
Contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see
Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for
Unauthorized Disclosure. The training provided before the initial certification and
annually thereafter must also cover the incident response policy and procedure for
reporting unauthorized disclosures and data breaches. (See Section 10) For both the
initial certification and the annual certification, the Contractor must sign, either with ink or
electronic signature, a confidentiality statement certifying their understanding of the
security requirements.
III. INSPECTION
The IRS and the State, with 24 hour notice, shall have the right to send its inspectors
into the offices and plants of the Contractor to inspect facilities and operations
performing any work with FTI under this Contract for compliance with requirements
defined in IRS Publication 1075. The right of inspection shall include the use of manual
and/or automated scanning tools to perform compliance and vulnerability assessments
of information technology (IT) assets that access, store, process or transmit FTI. On the
basis of such inspection, corrective actions may be required in cases where the
Contractor is found to be noncompliant with Contract safeguards.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 28 of 44
ATTACHMENT C
FEDERALLY MANDATED REQUIREMENTS FOR TECHNOLOGYSERVICES
CONTRACTS WITH ACCESS TO FEDERAL TAX RETURN INFORMATION
Federal Tax Information (“FTI”) includes return or return information received directly from the
IRS or obtained through an authorized secondary source, such as Social Security
Administration (SSA), Federal Office of Child Support Enforcement (OCSE), Bureau of the
Fiscal Service (BFS), or Centers for Medicare and Medicaid Services (CMS), or another entity
acting on behalf of the IRS pursuant to an IRC 6103(p)(2)(B) Agreement. FTI includes any
information created by the recipient that is derived from federal return or return information
received from the IRS or obtained through a secondary source.
CONTRACT LANGUAGE FOR TECHNOLOGY SERVICES
I. PERFORMANCE
In performance of this Contract, the Contractor agrees to comply with and assume responsibility
for compliance by his or her employees with the following requirements:
(1) All work will be done under the supervision of the Contractor or the Contractor's
employees.
(2) The Contractor and the Contractor’s employees with access to or who use FTI must
meet the background check requirements defined in IRS Publication 1075.
(3) Any return or return information made available in any format shall be used only for the
purpose of carrying out the provisions of this Contract. Information contained in such
material will be treated as confidential and will not be divulged or made known in any
manner to any person except as may be necessary in the performance of this Contract.
Disclosure to anyone other than an officer or employee of the Contractor will be
prohibited.
(4) All returns and return information will be accounted for upon receipt and properly stored
before, during, and after processing. In addition, all related output will be given the same
level of protection as required for the source material.
(5) The contractor certifies that the data processed during the performance of this contract
will be completely purged from all data storage components of his or her computer
facility, and no output will be retained by the contractor at the time the work is
completed. If immediate purging of all data storage components is not possible, the
contractor certifies that any IRS data remaining in any storage component will be
safeguarded to prevent unauthorized disclosures.
(6) Any spoilage or any intermediate hard copy printout that may result during the
processing of IRS data will be given to the agency or his or her designee. When this is
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 29 of 44
not possible, the contractor will be responsible for the destruction of the spoilage or any
intermediate hard copy printouts, and will provide the agency or his or her designee with
a statement containing the date of destruction, description of material destroyed, and the
method used.
(7) All computer systems receiving, processing, storing or transmitting FTI must meet the
requirements defined in IRS Publication 1075. To meet functional and assurance
requirements, the security features of the environment must provide for the managerial,
operational, and technical controls. All security features must be available and activated
to protect against unauthorized use of and access to Federal Tax Information.
(8) No work involving Federal Tax Information furnished under this Contract will be
subcontracted without prior written approval of the IRS.
(9) The Contractor will maintain a list of employees authorized access. Such list will be
provided to the State and, upon request, to the IRS reviewing office.
(10) The State will have the right to void the Contract if the Contractor fails to provide the
safeguards described above.
II. CRIMINAL/CIVIL SANCTIONS
(1) Each officer or employee of any person to whom returns or return information is or may
be disclosed will be notified in writing by such person that returns or return information
disclosed to such officer or employee can be used only for a purpose and to the extent
authorized herein, and that further disclosure of any such returns or return information
for a purpose or to an extent unauthorized herein constitutes a felony punishable upon
conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or
both, together with the costs of prosecution. Such person shall also notify each such
officer and employee that any such unauthorized further disclosure of returns or return
information may also result in an award of civil damages against the officer or employee
in an amount not less than $1,000 with respect to each instance of unauthorized
disclosure. These penalties are prescribed by IRCs 7213 and 7431 and set forth at 26
CFR 301.6103(n)-1.
(2) Each officer or employee of any person to whom returns or return information is or may
be disclosed shall be notified in writing by such person that any return or return
information made available in any format shall be used only for the purpose of carrying
out the provisions of this Contract. Information contained in such material shall be
treated as confidential and shall not be divulged or made known in any manner to any
person except as may be necessary in the performance of the Contract. Inspection by or
disclosure to anyone without an official need-to-know constitutes a criminal
misdemeanor punishable upon conviction by a fine of as much as $1,000 or
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 30 of 44
imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such
person shall also notify each such officer and employee that any such unauthorized
inspection or disclosure of returns or return information may also result in an award of
civil damages against the officer or employee in an amount equal to the sum of the
greater of $1,000 for each act of unauthorized inspection or disclosure with respect to
which such defendant is found liable or the sum of the actual damages sustained by the
plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a
willful inspection or disclosure which is the result of gross negligence, punitive damages,
plus the costs of the action. These penalties are prescribed by IRC 7213A and 7431 and
set forth at 26 CFR 301.6103(n)-1.
(3) Additionally, it is incumbent upon the Contractor to inform its officers and employees of
the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a.
Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to Contractors by 5 U.S.C.
552a(m)(1), provides that any officer or employee of a Contractor, who by virtue of
his/her employment or official position, has possession of or access to State records
which contain individually identifiable information, the disclosure of which is prohibited by
the Privacy Act or regulations established thereunder, and who knowing that disclosure
of the specific material is prohibited, willfully discloses the material in any manner to any
person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not
more than $5,000.
(4) Granting a Contractor access to FTI must be preceded by certifying that each individual
understands the State’s security policy and procedures for safeguarding IRS information.
Contractors must maintain their authorization to access FTI through annual
recertification. The initial certification and recertification must be documented and placed
in the State's files for review. As part of the certification and at least annually afterwards,
Contractors must be advised of the provisions of IRCs 7431, 7213, and 7213A (see
Exhibit 4, Sanctions for Unauthorized Disclosure, and Exhibit 5, Civil Damages for
Unauthorized Disclosure). The training provided before the initial certification and
annually thereafter must also cover the incident response policy and procedure for
reporting unauthorized disclosures and data breaches. (See Section 10) For both the
initial certification and the annual certification, the Contractor must sign, either with ink or
electronic signature, a confidentiality statement certifying their understanding of the
security requirements.
III. INSPECTION
The IRS and the State, with 24 hour notice, shall have the right to send its inspectors
into the offices and plants of the Contractor to inspect facilities and operations
performing any work with FTI under this Contract for compliance with requirements
defined in IRS Publication 1075. The IRS’ right of inspection shall include the use of
manual and/or automated scanning tools to perform compliance and vulnerability
assessments of information technology (IT) assets that access, store, process or
transmit FTI. On the basis of such inspection, corrective actions may be required in
cases where the Contractor is found to be noncompliant with Contract safeguards.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 31 of 44
ATTACHMENT D
ATTESTATION RE PERSONNEL USED IN CONTRACT PERFORMANCE
SUBJECT CONTRACT NUMBER:
CONTRACTOR LEGAL ENTITY NAME:
SHI International Cor
p
EDISON VENDOR IDENTIFICATION NUMBER:
22
-3009648
The Contractor, identified above, does hereby attest, certify, warrant, and
assure that the
Contractor shall not knowing
ly utilize the services of an illegal
immigrant in the performance of this Contract and shall not knowingly utilize
the services of any subcontractor who will utilize the services of an illegal
immigrant in the performance of th
is Contract.
CONTRACTOR SIGNATURE
NOTICE: This attestation MUST be signed by an individual empowered to contractually bind the Contractor. Attach evidence
documenting the individual’s
authority to contractually bind the Contractor, unless the signatory is the Contractor’s chief
executive or president
.
Kristina Mann, Senior Lead Contract
Specialist
PRINTED NAME AND TITLE OF SIGNATORY
09/16/2020
DATE OF ATTESTATION
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 32 of 44
ATTACHMENT E
GOVERNOR'S OFFICE OF DIVERSITY BUSINESS ENTERPRISE
Efforts to Achieve Diversity Business Participation
The Governor's Office of Diversity Business Enterprise ("Go-DBE") is the State's central point of
contact to attract and assist minority-owned, woman-owned, service-disabled veteran-owned,
disabled-owned, and small business enterprises interested in competing in the State of Tennessee's
procurement and contracting activities. These diversity business enterprises are defined as follows:
Minority Business Enterprise (MBE) and Woman Business Enterprise (WBE)
Businesses that are a continuing, independent, for-profit business which performs a commercially
useful function, and is at least fifty-one percent (51%) owned and controlled by one (1) or more
individuals in the minority or woman category who were impeded from normal entry into the
economic mainstream because of past practices of discrimination based on race, ethnic background,
or gender.
Service-Disabled Veteran Business Enterprise (SDVBE)
"Service-disabled veteran-owned business" means a service-disabled veteran-owned business
located in the State of Tennessee that satisfies the criteria in Tenn. Code. Ann. § 12-3-1102(8).
"Service-disabled veteran" means any person who served honorably in active duty in the armed
forces of the United States with at least a twenty percent (20%) disability that is service-connected,
i.e., the disability was incurred or aggravated in the line of duty in the active military, naval or air
service.
Small Business Enterprise (SBE)
"Small business" means a business that is a continuing, independent, for profit business which
performs a commercially useful function with residence in Tennessee and has total gross receipts of
no more than ten million dollars ($10,000,000) averaged over a three-year period or employs no
more than ninety-nine (99) persons on a full-time basis.
"Disabled Business Enterprise (DSBE)
"Disabled Business Enterprise" means a business owned by a person with a disability that is a
continuing, independent, for-profit business that performs a commercially useful function, and is at
least fifty-one (51%) owned and controlled by one (1) or more persons with a disability, or, in the
case of any publicly-owned business, at least fifty one percent (51%) of the stock of which is owned
and controlled by one(1) or more persons with a disability and whose management and daily
business operations are under the control of one (1) or more persons with a disability.
For additional program eligibility information, visit:
https://www.tn.gov/generalservices/procurement/central-procurement-office--cpo-/governor-s-office-of-
diversity-business-enterprise--godbe--/program-eligibility.html
Instructions
As part of this Invitation to Bid, the respondent should complete the Diversity Utilization Plan below.
To assist in your effort to seek and solicit the participation of diversity businesses on this solicitation,
a directory of certified Diversity Business Enterprise firms may be found on the State's website at:
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 33 of 44
https://tn.diversitysoftware.com/FrontEnd/VendorSearchPublic.asp?TN=tn&XID=1215 directory or by
calling Go-DBE toll free at 866-894-5026.
RESPONDENT'S DIVERSITY UTILIZATION PLAN
Respondent's Company Name:
Solicitation Event Name:
Event Number:
Respondent's Contact Name:
Phone:
(
)
Email:
Does the Respondent qualify as the diversity business enterprise? ___ Yes ___ No
If yes, which designation does the Respondent qualify? ___MBE ___WBE ___DSBE___SDVBE __SBE
Certifying Agency:
Estimated level of participation by DBEs if awarded a contract pursuant to this ITB:
Diversity Business Information (List
all subcontractors, joint
-
ventures, and
suppliers)
% of
Contract
Estimated
Amount
MBE/ WBE/
SDVBE/ SBE
/ DSBE
Designation
Currently
Certified
(Yes or No)
Business Name:
Contact Name:
Contact Phone:
Business Name:
Contact Name:
Contact Phone:
If awarded a contract pursuant to this ITB, we confirm our commitment to make reasonable business
efforts to meet or exceed the commitment to diversity as represented in our Diversity Utilization Plan.
We shall assist the State in monitoring our performance of this commitment by providing, as
requested, a monthly report of participation in the performance of this Contract by small business
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 34 of 44
enterprises and businesses owned by minorities, women, service-disabled veterans and persons
with disabilities. Such reports shall be provided to the state of Tennessee Governor's Office of
Diversity Business Enterprise in the TN Diversity Software available online at:
https://tn.diversitysoftware.com/FrontEnd/StartCertification.asp?TN=tn&XID=9810
We further agree to request in writing and receive prior approval from the Central Procurement Office
for any changes to the use of the above listed diversity businesses.
Authorized Signature: _______________________________ Date: _________________
Kristina Mann, Senior Lead Contract Specialist
_
______________________
_
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 35 of 44
ATTACHMENT F
HIPAA BUSINESS ASSOCIATE AGREEMENT
COMPLIANCE WITH PRIVACY AND SECURITY RULES
THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter “Agreement”) is between The State of
Tennessee, (hereinafter “Covered Entity”) and SHI International Corp. (hereinafter “Business Associate”).
Covered Entity and Business Associate may be referred to herein individually as “Party” or collectively as
“Parties.”
BACKGROUND
Parties acknowledges that they are subject to the Privacy and Security Rules (45 CFR Parts 160 and 164)
promulgated by the United States Department of Health and Human Services pursuant to the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191 as amended by Public
Law 111-5, Division A, Title XIII (the HITECH Act), in certain aspects of its operations.
Business Associate provides services to Covered Entity pursuant to one or more Orders entered into under
the Participating Addendum executed by the Parties under the NASPO ValuePoint Master Agreement for
Cloud Solutions, effective 9/9/2016 (such Orders, hereinafter referred to as “Service Contracts”).
In the course of executing Service Contracts, Business Associate may come into contact with, use, or
disclose Protected Health Information (“PHI”). Said Service Contract(s) are hereby incorporated by
reference and shall be taken and considered as a part of this document the same as if fully set out herein.
In accordance with the federal privacy and security regulations set forth at 45 C.F.R. Part 160 and Part 164,
Subparts A, C, D and E, which require Covered Entity to have a written memorandum with each of its
Business Associates, the Parties wish to establish satisfactory assurances that Business Associate will
appropriately safeguard PHI and, therefore, make this Agreement.
DEFINITIONS
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in
45 CFR §§ 160.103, 164.103, 164.304, 164.501 and 164.504.
1.1 “Breach of the Security of the [Business Associate’s Information] System” shall have the meaning
set out in its definition at T.C.A. § 47-18-2107
1.2 “Business Associate” shall have the meaning set out in its definition at 45 C.F.R. § 160.103.
1.3 “Covered Entity” shall have the meaning set out in its definition at 45 C.F.R. § 160.103.
1.4 “Designated Record Set” shall have the meaning set out in its definition at 45 C.F.R. § 164.501.
1.5 “Electronic Protected Health Care Information” shall have the meaning set out in its definition at 45
C.F.R. § 160.103.
1.6 “Genetic Information” shall have the meaning set out in its definition at 45 C.F.R. § 160.103.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 36 of 44
1.7 “Health Care Operations” shall have the meaning set out in its definition at 45 C.F.R. § 164.501.
1.8 “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall
include a person who qualifies as a personal representative in accordance with 45 CFR §
164.502(g).
1.9 “Information Holder” shall have the meaning set out in its definition at T.C.A. § 47-18-2107
1.10 “Marketing” shall have the meaning set out in its definition at 45 C.F.R. § 164.501.
1.11 “Personal information” shall have the meaning set out in its definition at T.C.A. § 47-18-2107
1.12 “Privacy Official” shall have the meaning as set out in its definition at 45 C.F.R. § 164.530(a)(1).
1.13 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at
45 CFR Part 160 and Part 164, subparts A, and E.
1.14 “Protected Health Information” shall have the same meaning as the term “protected health
information” in 45 CFR § 160.103, limited to the information created or received by Business
Associate from or on behalf of Covered Entity.
1.15 “Required by Law” shall have the meaning set forth in 45 CFR § 164.512.
1.16 “Security Incident” shall have the meaning set out in its definition at 45 C.F.R. § 160.304.
1.17 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health
Information at 45 CFR Parts 160 and 164, Subparts A and C.
2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Privacy Rule)
2.1 Business Associate is authorized to use PHI for the purposes of carrying out its duties under the
Services Contract. In the course of carrying out these duties, including but not limited to carrying
out the Covered Entity’s duties under HIPAA, Business Associate shall fully comply with the
requirements under the Privacy Rule applicable to "business associates," as that term is defined in
the Privacy Rule and not use or further disclose PHI other than as permitted or required by this
Agreement, the Service Contracts, or as Required By Law. Business Associate is subject to
requirements of the Privacy Rule as required by Public Law 111-5, Section 13404 [designated as
42 U.S.C. 17934] In case of any conflict between this Agreement and the Service Contracts, this
Agreement shall govern.
2.2 The Health Information Technology for Economic and Clinical Health Act (HITECH) was adopted as
part of the American Recovery and Reinvestment Act of 2009. HITECH and its implementing
regulations impose new requirements on Business Associates with respect to privacy, security, and
breach notification. Business Associate hereby acknowledges and agrees that to the extent it is
functioning as a Business Associate of Covered Entity, Business Associate shall comply with
HITECH. Business Associate and the Covered Entity further agree that the provisions of HIPAA
and HITECH that apply to business associates and that are required to be incorporated by
reference in a business associate agreement have been incorporated into this Agreement between
Business Associate and Covered Entity. Should any provision not be set forth specifically, it is as
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 37 of 44
if set forth in this Agreement in its entirety and is effective as of the Applicable Effective Date, and
as amended.
2.3 Business Associate shall use appropriate administrative, physical, and technical safeguards to
prevent use or disclosure of PHI other than as provided for by this Agreement, Services Contract(s),
or as Required By Law. This includes the implementation of Administrative, Physical, and
Technical Safeguards to reasonably and appropriately protect the Covered Entity’s PHI against any
reasonably anticipated threats or hazards, utilizing the technology commercially available to the
Business Associate. The Business Associate shall maintain appropriate documentation of its
compliance with the Privacy Rule, including, but not limited to, its policies, procedures, records of
training and sanctions of members of its Workforce.
2.4 Business Associate shall require any agent, including a subcontractor, to whom it provides PHI
received from, maintained, created or received by Business Associate on behalf of Covered Entity
or that carries out any duties for the Business Associate involving the use, custody, disclosure,
creation of, or access to PHI or other confidential information, to agree, by written contract with
Business Associate, to the same restrictions and conditions that apply through this Agreement to
Business Associate with respect to such information.
2.5 Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to
Business Associate of a use or disclosure of PHI by Business Associate in violation of the
requirements of this Agreement.
2.6 Business Associate shall require its employees, agents, and subcontractors to promptly report, to
Business Associate, immediately upon becoming aware of any use or disclosure of PHI in violation
of this Agreement. Business Associate shall report to Covered Entity any use or disclosure of the
PHI not provided for by this Agreement. Business Associate will also provide additional information
reasonably requested by the Covered Entity related to the breach.
2.7 As required by the Breach Notification Rule, Business Associate shall, and shall require its
subcontractor(s) to, maintain systems to monitor and detect a Breach of Unsecured PHI, whether
in paper or electronic form.
2.7.1 Business Associate shall provide to Covered Entity notice of a Provisional or Actual Breach of
Unsecured PHI immediately upon becoming aware of the Breach.
2.7.2 Business Associate shall cooperate with Covered Entity in timely providing the appropriate and
necessary information to Covered Entity.
2.7.3 Covered Entity shall make the final determination whether the Breach requires notification and
whether the notification shall be made by Covered Entity or Business Associate.
2.8 If Business Associate receives PHI from Covered Entity in a Designated Record Set, Business
Associate shall provide access, at the request of Covered Entity, to PHI in a Designated Record
Set to Covered Entity, in order to meet the requirements under 45 CFR § 164.524, provided that
Business Associate shall have at least 30 business days from Covered Entity notice to provide
access to, or deliver such information.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 38 of 44
2.9 If Business Associate receives PHI from Covered Entity in a Designated Record Set, then Business
Associate shall make any amendments to PHI in a Designated Record Set that the Covered Entity
directs or agrees to pursuant to the 45 CFR § 164.526 at the request of Covered Entity or an
Individual, and in the time and manner designated by Covered Entity, provided that Business
Associate shall have at least 30 business days from Covered Entity notice to make an amendment.
2.10 Business Associate shall make its internal practices, books, and records including policies and
procedures and PHI, relating to the use and disclosure of PHI received from, created by or received
by Business Associate on behalf of, Covered Entity available to the Secretary of the United States
Department of Health in Human Services or the Secretary’s designee, in a time and manner
designated by the Secretary, for purposes of determining Covered Entity’s or Business Associate’s
compliance with the Privacy Rule.
2.11 Business Associate shall document disclosures of PHI and information related to such disclosures
as would be required for Covered Entity to respond to a request by an Individual for an accounting
of disclosure of PHI in accordance with 45 CFR § 164.528.
2.12 Business Associate shall provide Covered Entity or an Individual, in time and manner designated
by Covered Entity, information collected in accordance with this Agreement, to permit Covered
Entity to respond to a request by an Individual for and accounting of disclosures of PHI in
accordance with 45 CFR § 164.528, provided that Business Associate shall have at least 30
business days from Covered Entity notice to provide access to, or deliver such information which
shall include, at minimum, (a) date of the disclosure; (b) name of the third party to whom the PHI
was disclosed and, if known, the address of the third party; (c) brief description of the disclosed
information; and (d) brief explanation of the purpose and basis for such disclosure. Business
Associate shall provide an accounting of disclosures directly to an individual when required by
section 13405(c) of Public Law 111-5 [designated as 42 U.S.C. 17935(c)].
2.13 Business Associate agrees it must limit any use, disclosure, or request for use or disclosure of PHI
to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or
request in accordance with the requirements of the Privacy Rule.
2.13.1 Business Associate represents to Covered Entity that all its uses and disclosures of, or
requests for, PHI shall be the minimum necessary in accordance with the Privacy Rule
requirements.
2.13.2 Covered Entity may, pursuant to the Privacy Rule, reasonably rely on any requested
disclosure as the minimum necessary for the stated purpose when the information is
requested by Business Associate.
2.13.3 Business Associate acknowledges that if Business Associate is also a covered entity, as
defined by the Privacy Rule, Business Associate is required, independent of Business
Associate's obligations under this Memorandum, to comply with the Privacy Rule's
minimum necessary requirements when making any request for PHI from Covered Entity.
2.14 Business Associate shall adequately and properly maintain all PHI received from, or created or
received on behalf of, Covered Entity
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 39 of 44
2.15 If Business Associate receives a request from an Individual for a copy of the individual's PHI, and
the PHI is in the sole possession of the Business Associate, Business Associate will provide the
requested copies to the individual and notify the Covered Entity of such action. If Business
Associate receives a request for PHI in the possession of the Covered Entity, or receives a request
to exercise other individual rights as set forth in the Privacy Rule, Business Associate shall notify
Covered Entity of such request and forward the request to Covered Entity. Business Associate
shall then assist Covered Entity in responding to the request.
2.16 Business Associate shall fully cooperate in good faith with and to assist Covered Entity in complying
with the requirements of the Privacy Rule.
3 OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Security Rule)
3.1 Business Associate shall fully comply with the requirements under the Security Rule applicable to
"business associates," as that term is defined in the Security Rule. In case of any conflict between
this Agreement and Service Agreements, this Agreement shall govern.
3.2 Business Associate shall implement administrative, physical, and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic
PHI that it creates, receives, maintains, or transmits on behalf of the covered entity as required by
the Security Rule and Public Law 111-5. This includes specifically, but is not limited to, the utilization
of technology commercially available at the time to the Business Associate to protect the Covered
Entity’s PHI against any reasonably anticipated threats or hazards. The Business Associate
understands that it has an affirmative duty to perform a regular review or assessment of security
risks, conduct active risk management and supply best efforts to assure that only authorized
persons and devices access its computing systems and information storage, and that only
authorized transactions are allowed. The Business Associate will maintain appropriate
documentation to certify its compliance with the Security Rule.
3.3 Business Associate shall ensure that any agent, including a subcontractor, to whom it provides
electronic PHI received from or created for Covered Entity or that carries out any duties for the
Business Associate involving the use, custody, disclosure, creation of, or access to PHI supplied
by Covered Entity, to agree, by written contract (or the appropriate equivalent if the agent is a
government entity) with Business Associate, to the same restrictions and conditions that apply
through this Agreement to Business Associate with respect to such information.
3.4 Business Associate shall require its employees, agents, and subcontractors to report to Business
Associate within five (5) business days, any Security Incident (as that term is defined in 45 CFR §
164.304) of which it becomes aware. Business Associate shall promptly report any Security
Incident of which it becomes aware to Covered Entity.
3.5 Business Associate shall make its internal practices, books, and records including policies and
procedures relating to the security of electronic PHI received from, created by or received by
Business Associate on behalf of, Covered Entity available to the Secretary of the United States
Department of Health in Human Services or the Secretary’s designee, in a time and manner
designated by the Secretary, for purposes of determining Covered Entity’s or Business Associate’s
compliance with the Security Rule.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 40 of 44
3.6 Business Associate shall fully cooperate in good faith with and to assist Covered Entity in complying
with the requirements of the Security Rule.
3.7 Notification for the purposes of Sections 2.8 and 3.4 shall be in writing made by email/fax, certified
mail or overnight parcel immediately upon becoming aware of the event, with supplemental
notification by facsimile and/or telephone as soon as practicable, to:
State of Tennessee
Central Procurement Office
WRS Tennessee Tower, 3
rd
Floor
312 Rosa L. Parks Ave, Nashville, TN 37243
Telephone: 615 741-1035
Fax: 615 741-0684
3.8 Business Associate identifies the following key contact persons for all matters relating to this
Agreement:
Business Associate shall notify Covered Entity of any change in the key contact during the term of this
Agreement in writing within ten (10) business days.
4. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
4.1 Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to
perform functions, activities, or services for, or on behalf of, Covered Entity as specified in Service
Contract(s), provided that such use or disclosure would not violate the Privacy and Security Rule,
if done by Covered Entity. Business Associate’s disclosure of PHI shall be subject to the limited
data set and minimum necessary requirements of Section 13405(b) of Public Law 111-5,
[designated as 42 U.S.C. 13735(b)]
4.2 Except as otherwise limited in this Agreement, Business Associate may use PHI as required for
Business Associate's proper management and administration or to carry out the legal
responsibilities of the Business Associate.
4.3 Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper
management and administration of the Business Associate, provided that disclosures are Required
By Law, or provided that, if Business Associate discloses any PHI to a third party for such a
purpose, Business Associate shall enter into a written agreement with such third party requiring the
third party to: (a) maintain the confidentiality, integrity, and availability of PHI and not to use or
further disclose such information except as Required By Law or for the purpose for which it was
disclosed, and (b) notify Business Associate of any instances in which it becomes aware in which
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 41 of 44
the confidentiality, integrity, and/or availability of the PHI is breached immediately upon becoming
aware.
4.4 Except as otherwise limited in this Agreement, Business Associate may use PHI to provide data
aggregation services to Covered Entity as permitted by 42 CFR § 164.504(e)(2)(i)(B).
4.5 Business Associate may use PHI to report violations of law to appropriate Federal and State
Authorities consistent with 45 CFR 164.502(j)(1).
4.6 Business Associate shall not use or disclose PHI that is Genetic Information for underwriting
purposes. Moreover, the sale, marketing or the sharing for commercial use or any purpose
construed by Covered Entity as the sale, marketing or commercial use of member’s personal or
financial information with affiliates, even if such sharing would be permitted by federal or state laws,
is prohibited.
4.7 Business Associate shall enter into written agreements that are substantially similar to this
Business Associate Agreements with any Subcontractor or agent which Business Associate
provides access to Protected Health Information.
4.8 Business Associates shall implement and maintain information security policies that comply with
the HIPAA Security Rule.
5. OBLIGATIONS OF COVERED ENTITY
5.1 Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered
Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
Covered Entity shall notify Business Associate of any limitations in its notice that affect Business
Associate’s use or disclosure of PHI.
5.2 Covered Entity shall provide Business Associate with any changes in, or revocation of, permission
by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or
required uses.
5.3 Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that
Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such
restriction may affect Business Associate's use of PHI.
6. PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not
be permissible under the Privacy or Security Rule, if done by Covered Entity.
7. TERM AND TERMINATION
7.1 Term. This Agreement shall be effective as of the date on which it is signed by both parties and shall
terminate when all of the PHI provided by Covered Entity to Business Associate, or created or
received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered
Entity, or, if it is infeasible to return or destroy PHI, Section 7.3. below shall apply.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 42 of 44
7.2 Termination for Cause.
7.2.1 This Agreement authorizes and Business Associate acknowledges and agrees Covered Entity shall
have the right to immediately terminate this Agreement and Service Contracts in the event Business
Associate fails to comply with, or violates a material provision of, requirements of the Privacy and/or
Security Rule or this Memorandum.
7.2.2 Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall
either:
7.2.2.1 Provide a reasonable opportunity for Business Associate to cure the breach or end the
violation, or
7.2.2.2 If Business Associate has breached a material term of this Agreement and cure is not
possible or if Business Associate does not cure a curable breach or end the violation
within a reasonable time as specified by, and at the sole discretion of, Covered Entity,
Covered Entity may immediately terminate this Agreement and the Service Agreement.
7.2.2.3 If neither cure nor termination is feasible, Covered Entity shall report the violation to the
Secretary of the United States Department of Health in Human Services or the
Secretary’s designee.
7.3 Effect of Termination.
7.3.1 Except as provided in Section 7.3.2. below, upon termination of this Agreement, for any
reason, Business Associate shall return or destroy all PHI received from Covered Entity,
or created or received by Business Associate on behalf of, Covered Entity. This provision
shall apply to PHI that is in the possession of subcontractors or agents of Business
Associate. Business Associate shall retain no copies of the PHI.
7.3.2 In the event that Business Associate determines that returning or destroying the PHI is
not feasible, Business Associate shall provide to Covered Entity notification of the
conditions that make return or destruction unfeasible. Upon mutual agreement of the
Parties that return or destruction of PHI is unfeasible; Business Associate shall extend
the protections of this Memorandum to such PHI and limit further uses and disclosures
of such PHI to those purposes that make the return or destruction unfeasible, for so long
as Business Associate maintains such PHI.
8. MISCELLANEOUS
8.1 Regulatory Reference. A reference in this Agreement to a section in the Privacy and or Security
Rule means the section as in effect or as amended.
8.2 Indemnity. The Business Associate shall indemnify the Covered Entity and hold it harmless for any
claims, losses or other damages arising from or associated with any act or omission of Business
Associate under this Agreement. This includes the costs of responding to a breach of the
Agreement or the release of PHI contrary to the terms and conditions of this Agreement, the costs
of responding to a government enforcement action related to the breach, and any resultant fines,
penalties, or damages paid by the Covered Entity.
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 43 of 44
8.3 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from
time to time as is necessary for Covered Entity to comply with the requirements of the Privacy and
Security Rules and the Health Insurance Portability and Accountability Act, Public Law 104-191,
including any amendments required by the United States Department of Health and Human
Services to implement the Health Information Technology for Economic and Clinical Health and
related regulations upon the effective date of such amendment, regardless of whether this
Agreement has been formally amended, including, but not limited to changes required by the
American Recovery and Reinvestment Act of 2009, Public Law 111-5.
8.4 Survival. The respective rights and obligations of Business Associate under Section 7.3. of this
Memorandum shall survive the termination of this Agreement.
8.5 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits
Covered Entity and the Business Associate to comply with the Privacy and Security Rules.
8.6 Notices and Communications. All instructions, notices, consents, demands, or other communications
required or contemplated by this Agreement shall be in writing and shall be delivered by hand, by
facsimile transmission, by overnight courier service, or by first class mail, postage prepaid,
addressed to the respective party at the appropriate facsimile number or address as set forth below,
or to such other party, facsimile number, or address as may be hereafter specified by written notice.
COVERED ENTITY:
State of Tennessee
Central Procurement Office
WRS Tennessee Tower, 3
rd
Floor
312 Rosa L. Parks Ave, Nashville,
TN 37243
Telephone: 615 741-1035
Fax: 615 741-0684
BUSINESS ASSOCIATE:
Telephone:
Fax:
All instructions, notices, consents, demands, or other communications shall be considered
effectively given as of the date of hand delivery; as of the date specified for overnight courier
service delivery; as of three (3) business days after the date of mailing; or on the day the facsimile
transmission is received mechanically by the facsimile machine at the receiving location and
receipt is verbally confirmed by the sender.
8.7 Strict Compliance. No failure by any Party to insist upon strict compliance with any term or provision
of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any
default of any other Party shall affect, or constitute a waiver of, any Party's right to insist upon such
strict compliance, exercise that option, enforce that right, or seek that remedy with respect to that
default or any prior, contemporaneous, or subsequent default. No custom or practice of the Parties
at variance with any provision of this Agreement shall affect, or constitute a waiver of, any Party's
right to demand strict compliance with all provisions of this Agreement
8.8 Severability. With respect to any provision of this Agreement finally determined by a court of
competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform such
provision so that it is enforceable to the maximum extent permitted by applicable law, and the
NASPO ValuePoint
PARTICIPATING ADDENDUM
CLOUD SOLUTIONS 2016-2026
Lead by the State of Utah
Page 44 of 44
Parties shall abide by such court's determination. In the event that any provision of this Agreement
cannot be reformed, such provision shall be deemed to be severed from this Agreement, but every
other provision of this Agreement shall remain in full force and effect.
8.9 Governing Law. This Agreement shall be governed by and construed in accordance with the laws
of the State of Tennessee except to the extent that Tennessee law has been pre-empted by HIPAA.
8.10 Compensation. There shall be no remuneration for performance under this Agreement except as
specifically provided by, in, and through, existing administrative requirements of Tennessee State
government and services contracts referenced herein.
8.11 Security Breach. A violation of HIPAA or the Privacy or Security Rules constitutes a breach of this
Business Associate Agreement and a breach of the Service Contract(s) listed on page one of this
agreement, and shall be subject to all available remedies for such breach.
IN WITNESS WHEREOF,
COVERED ENTITY LEGAL ENTITY NAME:
Date:1$0($1'7,7/(
BUSINESS ASSOCIATE LEGAL ENTITY
NAME:
NAME AND TITLE
Date:
