Exhibit 10.19

 

1ST AMENDMENT TO THE SERVICES AGREEMENT BETWEEN BOTTOMLINE TECHNOLOGIES, INC.
AND BANK OF AMERICA, N.A.    LOGO [g202687ex10_19pg001.jpg] Supplier Name:   
Bottomline Technologies, Inc.    Agreement Number:    CW136262 Supplier Address:
  

325 Corporate Drive

Portsmouth, NH 03801

United States

   Addendum Number:    CW242592 Supplier Telephone:    1-603-436-0700   
Addendum Effective Date:    9/29/2010

This Amendment, made and entered into this 29th day of September, 2010, by and
between BOTTOMLINE TECHNOLOGIES, INC. (the subcontractor, hereinafter referred
to as “Tech”) and BANK OF AMERICA, N.A. (the business associate, hereinafter
referred to as “Bank”).

WITNESSETH:

WHEREAS, Tech and Bank entered into that certain Services Agreement by and
between Tech and Bank effective the 9th day of September 2009, inclusive of the
Business Associate attached as SCHEDULE H Addendum (“Addendum”) to the Services
Agreement; and

WHEREAS, the American Recovery and Reinvestment Act of 2009, Public Law 111-005,
was signed into law on February 17, 2009 and includes provisions relating to the
privacy and security of protected health information (“PHI”) in Title XIII,
known as the “Health Information Technology for Economic and Clinical Health
Act” (“HITECH Act”); and

WHEREAS, with the passage of the HITECH Act, there are additional obligations
and compliance requirements imposed upon the Bank and Tech; and

WHEREAS, under its business associate agreements with the Covered Entities, Bank
is required to obtain contractual assurances from its subcontractors who receive
or obtain PHI of the Covered Entities in the course of providing services to
Bank that they will safeguard the PHI in accordance with applicable requirements
under the HIPAA Regulations and the HITECH Act; and

WHEREAS, the parties desire to amend the Addendum by adding the provision more
fully set out below to comply with the regulatory changes.

NOW, THEREFORE, in consideration of the premises hereof and the mutual benefits
to be derived hereby, the Addendum is hereby amended by adding the following
provisions as follows:

The Business Associate Addendum (or any underlying agreement between the parties
incorporating such provisions) is amended to add the following:

 

A. Definitions:

1. Breach means the acquisition, access, use, or disclosure of PHI in a manner
not permitted under the HIPAA Privacy or Security Rule that compromises the
security or privacy of the PHI, as defined in 45 C.F.R. §164.402 or that
constitutes a breach of information security regarding PHI under applicable
state law.



--------------------------------------------------------------------------------

B. Obligations of Tech effective February 17, 2010:

1. Training. Tech shall provide appropriate training to its employees regarding
Breaches and mitigation of potential damage.

2. Minimum Necessary. In requesting, using or disclosing PHI, Tech will use the
minimum necessary amount of information in accordance with § 13405(b) of HITECH
and any implementing regulations adopted thereunder.

3. Detecting Breaches. Tech agrees to exercise reasonable diligence to detect
Breaches of PHI.

4. Reporting Breaches. In addition to its obligations under § 4 of the Addendum,
Tech agrees to implement a thorough process for investigating Breach reports and
mitigating potential damage. Tech shall implement a security-breach notification
plan. Tech shall provide Bank with notification of a Breach without reasonable
delay, but in no case later than ten (10) days following the day Breach is
discovered or by exercise of reasonable diligence would have been discovered by
Tech. To the extent the information is available, notice to Bank shall include
the following:

 

  i. identification of the individuals whose PHI has been, or is reasonably
believed by Tech to have been, accessed, acquired or disclosed during the
Breach;

 

  ii. brief description of what happened, including the date of the Breach and
the date of the discovery of the Breach;

 

  iii. description of the types of PHI that were involved in the Breach (such as
whether the full name, social security number, date of birth, home address,
account number, diagnosis, or other types of information were involved);

 

  iv. any steps individuals the subject of the Breach should take to protect
themselves from potential harm that may result from the Breach; and,

 

  v. a brief description of what Tech is doing to investigate the Breach, to
mitigate the harm to the individuals, and to protect against further Breaches.

 

- 2 -



--------------------------------------------------------------------------------

5. Indemnification/Limitation of Liability: Tech acknowledges and agrees that
its indemnity obligation pursuant to Section 13.1 of the Agreement as well as
the exceptions to limitations of liability set forth in Section 14.3 of the
Agreement apply to its obligations set forth in this Addendum.

6. Electronic Health Records and Designated Record Sets. The parties acknowledge
that PHI provided to Bottomline consists solely of information about how a claim
to a health plan payer was adjudicated and the payment amount calculated. Bank
represents and warrants that it does not provide, and Tech represents and
warrants that it does not maintain, Electronic Health Records, as the term is
defined in Section 13400 of the HITECH Act, or Designated Record Sets and, in
the case of Tech, it does not store or index any information by “patient” or
allow search of any PHI by patient name or ID.

C. Relationship of the Parties: Nothing in this Amendment is intended to create
an agency relationship between the parties.

D. Inconsistencies: In the event of any inconsistencies in the terms of the
Business Associate Addendum and this Amendment, the terms of this Amendment
shall control with respect to the provisions set out herein.

E. All Other Provisions: Except as to the terms amended by this Amendment, all
other terms and conditions of the Agreement and the Addendum are declared by the
parties to be in full force and effect, and except as otherwise provided in this
Amendment, all defined terms used in this Amendment shall have the meanings set
forth for such terms in the Addendum.

F. Further Amendments: The parties acknowledge that further amendments to the
Business Associate Addendum may be necessary from time to time to comply with
requirements of applicable federal and state laws and regulations.

 

- 3 -



--------------------------------------------------------------------------------

IN WITNESS WHEREOF, the parties have caused this Amendment to be executed by
their duly authorized representatives this 29th day of September, 2010.

 

Bank       Tech   Bank of America, N.A.       Bottomline Technologies (de), Inc.
 

/s/ Dani Folsom

 

10-7-2010

   

/s/ Eric Morgan

 

9-30-10

Signature   Date     Signature   Date

Dani Folsom

   

Eric Morgan

(Printed Name)       (Printed Name)  

VP, Sourcing Manager

   

VP, Global Controller

(Title)       (Title)  

 

- 4 -