REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS
OF SAN BERNARDINO COUNTY
AND RECORD OF ACTION
May 6, 2025
FROM
LYNN FYHRLUND, Chief Information Officer, Innovation and Technology Department
SUBJECT
Business Associate Agreement with ServiceNow, Inc. for Protected Health Information
RECOMMENDATION(S)
Approve non-financial Business Associate Agreement, including non-standard terms, with ServiceNow, Inc., to maintain regulatory compliance by safeguarding the County’s electronic protected health information that is transferred to, processed by, and stored with ServiceNow, Inc., for the contract period beginning upon acceptance and continuing until June 21, 2026.
(Presenter: Lynn Fyhrlund, Chief Information Officer, 388-5501)
COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES
Provide for the Safety, Health and Social Service Needs of County Residents.
Operate in a Fiscally-Responsible and Business-Like Manner.
FINANCIAL IMPACT
Approval of this item will not result in the use of Discretionary General Funding (Net County Cost). The ServiceNow, Inc. (ServiceNow) Business Associate Agreement (BAA) is non-financial in nature and does not commit the County to make any purchases. If future purchases are made under the BAA, the Innovation and Technology Department (ITD) will adhere to County purchasing policies and return to the Board of Supervisors (Board) for approval, if necessary.
BACKGROUND INFORMATION
ITD utilizes ServiceNow software licenses, training, and professional installation/configuration services for service desk requests. ServiceNow is a software solution that provides capabilities to construct reusable workflow activities based on an organization’s business needs. To ensure appropriate use of this enterprise solution for workflow activities, the BAA increases ServiceNow’s capabilities to handle information designated as part of the County’s Health Insurance Portability and Accountability Act (HIPAA) Compliance Program (County Policy 14-03).
On June 22, 2021 (Item No. 49), the Board approved Public Sector Terms of Service Agreement No. 21-451 with ServiceNow, Inc., including non-standard terms, to purchase future subscription software licenses, training, and professional installation/configuration services.
Agreement No. 21-451 with ServiceNow includes a Data Processing Addendum that uniquely appoints specific HIPAA-related responsibilities to the County and ServiceNow. The BAA contains terms that differ from the standard County Business Associate Agreement and omits certain County standard Business Associate Agreement terms. While the parties negotiated certain Business Associate Agreement terms to County standards, ServiceNow would not agree to all County standard terms. The non-standard and missing terms include the following:
1. ServiceNow does not agree to indemnify the County from claims and expenses (including costs for reasonable attorney fees) that are caused by the BAA with respect to the use, access, maintenance or disclosure of electronic protected health information (ePHI).
• The County standard Business Associate Agreement requires the Business Associate to indemnify, defend and hold the County harmless from claims and expenses (including costs for reasonable attorney fees) that are caused by the Business Associate Agreement with respect to the use, access, maintenance or disclosure of ePHI.
• Potential Impact: The County may not contractually require ServiceNow to defend or reimburse the County for claims made against the County as a result of ServiceNow’s actions resulting in a breach of ePHI, which may exceed the total amount of the underlying purchase contract.
2. ServiceNow does not agree to provide appropriate liability insurance coverage.
• The County standard Business Associate Agreement requires the Business Associate to provide appropriate liability insurance coverage to cover claims and demands made for loss to any person arising from the breach of the security, privacy, or confidentiality obligations of the Business Associate under the Business Associate Agreement and under HIPAA provisions.
• Potential Impact: The County has no assurance that ServiceNow will be financially responsible for claims that may arise under the BAA, which could result in expenses to the County that exceed the total amount of the underlying purchase contract.
3. ServiceNow’s liability to the County under the BAA is limited to the amounts received for the subscription service giving rise to the claim during the 12-month period preceding the first event giving rise to liability.
• The County standard Business Associate Agreement does not include a limitation of liability.
• Potential Impact: Costs and expenses related to a breach caused by ServiceNow could exceed the liability cap and the purchase contract amount, leaving the County financially liable for the excess.
ITD recommends the approval of the BAA, including non-standard terms, to mitigate risk with the County’s HIPAA Compliance Program (County Policy 14-03).
PROCUREMENT
Not applicable.
REVIEW BY OTHERS
This item has been reviewed by County Counsel (Bonnie Uphold, Supervising Deputy County Counsel, 387-5455) on April 24, 2025; Purchasing (Jessica Barajas, Supervising Buyer, 387-2065) on March 7, 2025; Risk Management (Gregory Ustaszewski, Staff Analyst II, 386-9008) on March 10, 2025; Finance (Ivan Ramirez, Administrative Analyst, 387-4020) on March 24, 2025; and County Finance and Administration (Paloma Hernandez-Barker, Deputy Executive Officer, 387-5423) on March 24, 2025.