Search

Attachment A

SmartShopper Program.

Except as the parties may otherwise agree and document in an amendment, Sapphire Digital shall
adhere to the following requirements for the SmartShopper Program:

A. A Member shall be able to obtain provider related cost information for select medical
procedures as well as information regarding the availability of any associated Incentive
Reward Payment, by either contacting Sapphire Digital through a toll free telephone
number or a website, both of which shall be provided for by Sapphire Digital.

B. The list of medical procedures included in the SmartShopper Program are described in
“Attachment B”.

C. Sapphire Digital shall issue Incentive Reward Payments to Members in the amounts
mutually agreed upon by the Customer and Sapphire Digital as described in Attachment
B.

D. Prior to providing any information, Sapphire Digital shall require the Member to verify
Member’s eligible status to use the SmartShopper Program.

E. Following Sapphire Digital’s verification of eligibility, the Member shall indicate the
healthcare procedure to be performed as well as his/her initial preference, if they were to
have one, on the location to have the procedure performed.

F. Sapphire Digital shall provide to the Member cost-related information related to
Customer’s participating providers who can perform the requested procedure. Sapphire
Digital shall also inform the Member which providers, if any; will qualify the Member for
an Incentive Reward Payment.

G. Upon Sapphire Digital’s verification of the Member’s use of a provider that qualified
him/her for an Incentive Reward Payment, Sapphire Digital shall send the Incentive
Reward Payment to the Member. Sapphire Digital shall verify Member’s qualification for
an Incentive Reward Payment by confirming, utilizing claims payment information
provided by Anthem Inc. that a request for payment from the provider for the specific
service in question was received and processed by Anthem Inc.

H. Reporting: Sapphire Digital will provide the Customer with Standard Performance
Reports monthly, no later than the last day of the month following the applicable reporting
month (e.g., Sapphire Digital provides January reports by the last day of February).

I. | Website and Phone Support: Sapphire Digital will make available and maintain the
Sapphire Digital website for use by Members for the delivery of the Program. The website
will be hosted by Sapphire Digital , using industry standard security measures, and shall
be available twenty-four (24) hours per day to provide Members the capability to search
and identify relative costs and Member Incentive Reward information for select medical
procedures included in the applicable Program, with the exception of regularly scheduled
maintenance and downtime, which shall not occur during Sapphire Digital’s regular
business hours. Sapphire Digital shall also make available telephonic support through a
dedicated toll free telephone number to its Call Center during its standard operating hours.

Attachment B — Incentive Scale

The list of medical procedures and incentive amounts included in the Program shall be the standard list of
procedures for Customer’s geographic market. A copy of incentive list will be provided to the Customer
upon the request of Customer. Please provide a copy or include it when you send the revised contract for
review.

)Nashua

NEW HAMPSHIRE’S GATE CITY

SmartShopper

Anthem.

SAVE MONEY WITH SMARTSHOPPER

Earn a reward check every time you and your family choose an eligible lower-cost, high-value doctor or facility for the health services
listed below. Keep this list for reference of procedure categories that could earn you reward dollars through SmartShopper.

To learn more, call 800-824-9127 or visit SmartShopper.com to log in and use SmartShopper.

Reward Amount Reward Amount Reward Amount

Save on these health care services

Back Surgery (Inpatient Laminectomy) $500 $250 N/A
Back Surgery (Outpatient Laminectomy, Diskectomy, Foraminotomy) | $250 $100 $50
Bariatric Surgery (Laparoscopic Gastric Bypass) $500 $250 N/A
Bladder Repair for Incontinence (Sling) $250 $100 $50
Bladder Scope (with Stent) $250 | $100 $50
Bone and Joint Imagining of Whole Body $150 $75 $50
Bone Density Study of Spine or Pelvis $50 $25 N/A
Breast Biopsy $250 $100 $50
Breast Lesion Removal (Contrast) $150 $75 $25
Breast Lumpectomy $150 $75 $50
Bronchoscopy $250 $75 $50
Bunionectomy $150 $75 $50
Colonoscopy $250 $75 $50
CT Scans $150 $75 $50
CTA (Computed Tomography Angiography) $150 $75 $50
Doppler Echo for Carotid Artery Evaluation $75 $25 N/A
Dysrhythmia Focus Ablation $500 $250 N/A
Ear - Surgery Insertion of Ventilating Tube $150 $75 $50
Echocardiogram - Transthoracic with Doppler (Complete) $75 §25 N/A
Echocardiogram - Transthoracic with Rest & Stress Test $75 $25 N/A
Echocardiogram - Transthoracic with Rest & Stress Test $75 $25 N/A
(Complete)

Esophagoscopy $400 $200 $100
Extremity Arterial Studies $50 $25 N/A
Extremity Venous Studies $50 $25 N/A
Eye Surgery - Cataract Removal $150 | $75 $50
Fetal Biophysical Profile $50 $25 N/A
Fetal Biophysical Profile (without Non-Stress Test) $50 $25 N/A
Fetal Ultrasound (Follow Up Exam) $50 $25 N/A
Fetal Ultrasound (Limited Exam) $50 $25 N/A
Gall Bladder Removal (Laparoscopic) $250 $100 $50

01/22

(lowest-cost)

(2nd lowest-cost)

(3rd lowest-cost)

>)Nashua SmartShopper’

Anthem.'9

SAVE MONEY WITH SMARTSHOPPER

To learn more, call 800-824-9127 or visit SmartShopper.com to log in and use SmartShopper.

Save on these health care services Neonaeammy" | qnaaaceams | yadamou
Groin - Hernia Repair $250 $100 $50
Hammertoe Correction $150 $75 $50
Hand Surgery - Carpal Tunnel $150 $75 $50
Heart Muscle Image Spect Mult $300 $150 $75
ofescional) Monitoring (physician or qualified $25 N/A N/A
Hepatobiliary System Imaging $150 $75 $25
Hip Replacement $500 $250 N/A
Hysterectomy $500 $250 N/A
(Laparoscopy Ovary and/or Fallopian Tube Removal $150 $75 N/A
Hysteroscopy $250 $100 $50
Kidney Stone Removal by Bladder Scope $150 $75 $25
Knee Replacement $500 $250 N/A
Knee Replacement - Partial $500 $250 $125
Knee Surgery (Arthroscopic) $250 $100 $50
Lab Services (Blood Draw Only) $25 N/A N/A
Laparoscopic Fibroid Removal $250 $125 $50
Laparoscopic Removal of Ovaries and/or Fallopian Tubes $250 $100 $50
Left Heart Catheterization $500 $250 $125
Lithotripsy - Fragmenting of Kidney Stones $250 $100 $50
wnawith Dye Angiography of the Neck without $150 $75 $25
Mammogram $50 $25 N/A
MRi (Now Includes Abdomen & Pelvis) $150 $75 $50
Nasal/Sinus - Corrective Surgery - Septoplasty $150 $75 $50
Nasal/Sinus - Endoscopy - Sinus Surgery $150 $150 $150
PET Scans $150 $150 $150
Physical Therapy $150 N/A N/A
Reduction Mammoplasty $500 $250 $125
Remicade Infusion Therapy $500 N/A N/A
Removal of Prostate Gland and Surrounding Tissue $500 $250 N/A
Removal of Thyroid Gland (Partial or Total Removal) $500 $250 N/A
Repair Finger Tendon $150 $75 $25
Repair of Umbilical Hernia (5 years and older) $250 $100 $50

01/22

Nashua SmartShopper

PM NEW HAMPSHIRE'S GATE CITY

Anthem.

SAVE MONEY WITH SMARTSHOPPER

To learn more, call 800-824-9127 or visit SmartShopper.com to log in and use SmartShopper.

Save on these health care services meme | Gowers, | maar
Repair of Ventral Hernia $250 $125 $50
Revision of Total Hip or Knee Replacement $500 $250 N/A
Shoulder Arthroscopy $250 $125 $50
Shoulder Surgery (Arthroscopic) $250 $100 $50
Sigmoidoscopy $150 $75 $25
Sleep Study (With Breathing Mask) $350 $175 $75
Sleep Study (Without Breathing Mask) $350 $175 $75
Sleep Study with or without CPAP $350 $175 $75
Spinal Fusion (Anterior or Posterior) $500 $250 N/A
Spinal Fusion of Neck - Front $500 $250 $125
Spirometry Test $25 N/A N/A
Spirometry Test, with Bronchodilation $25 N/A N/A
Stomach - Upper GI Examination (Endoscopy) $150 $75 $50
Tonsillectomy & Adenoidectomy $150 $75 $50
Total Hysterectomy (Laparoscopic) $150 $75 $25
Transvaginal Ultrasound (Non-Obstetrical) $50 $25 N/A
Transvaginal Ultrasound (Obstetrical) $50 $25 N/A
Tympanoplasty (Ear Drum Repair) $150 $75 N/A
Ultrasounds (Non-maternity) $50 $25 N/A
Upper Gi Endoscopy with Biopsy $250 N/A N/A
Urethra & Bladder Scope $250 $100 $50
Varicose Vein Treatment (Radio Wave) $500 N/A N/A
Vein Studies of Arms or Legs $50 $25 N/A
X-rays $25 N/A N/A

THE PERSONAL ASSISTANT TEAM !S AVAILABLE MONDAY THROUGH THURSDAY
FROM 8 A.M. TO 8 P.M. AND FRIDAY FROM 8 A.M. TO 6 P.M. ET.

The SmartShopper program Is offered by Sapphire Digital, an independent company. Incentives available for select procedures only. Payments are a taxable form of income. Rewards may be delivered
by check or an alternative form of payment. Members with coverage under Medicaid or Medicare are not eligible to receive incentive rewards under the SmartShopper program

Anthem Blue Cross and Blue Shield is the trade name of Anthem Health Plans of New Hampshire, inc. HMO plans are administered by Anthem Health Plans of New Hampshire, Inc and underwritten by
Matthew Thornton Health Plan, Inc. Independent licensees of the Blue Cross and Blue Shield Association. BANTHEM is a registered trademark of Anthem Insurance Companies, Inc. The Blue Cross
and Blue Shield names and symbols are registered marks of the Blue Cross and Blue Shield Association.

01/22

Attachment C — Business Associate Agreement

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (“Addendum”) by and between MDx Medical Inc. dba Sapphire
Digital and City of Nashua (“Covered Entity”), is entered into for the purposes of complying with the
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health
Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005,
and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and E
(Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of Individually
Identifiable Health Information” (the “Privacy Rule’) and Subpart C, together with the definitions in
Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health
Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known as the
“Breach Notification Rule” (“Breach Notification Rule’) (the Privacy Rule, Breach Notification Rule and
the Security Rule are collectively called the “Privacy and Security Rules”) Sapphire Digital and Covered
Entity are each referred to herein as a “Party” and collectively referred to as the “Parties.”

WHEREAS, Covered Entity is a “Covered Entity” as that term is defined under HIPAA, which requires
Covered Entities and certain of their service providers to enter into business associate agreements;

WHEREAS, Sapphire Digital may create on behalf of, or receive from, the Covered Entity or the Covered
Entity’s other service providers protected health information (“PHI”); and

WHEREAS, upon creation or receipt of such PHI, Sapphire Digital would be a “Business Associate” in
relation to the Covered Entity, as that term is defined under HIPAA.

NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein,
Covered Entity and Sapphire Digital hereby agree as follows:

1. Capitalized Terms. A!l capitalized terms herein not otherwise defined shall have the meaning ascribed to
such terms under HIPAA, the HITECH Act and the Privacy and Security Rules, as may be amended from
time to time.

2. Sapphire Digital’s Responsibilities with Respect to Use and Disclosure of PHI. Sapphire Digital hereby
agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:

a. to Use and/or Disclose the PHI only: (i) in conjunction with the services it provides to Covered
Entity (“the Services”); (11) consistent with the manner in which Covered Entity is permitted to Use
and Disclose by 45 C.F.R. 164.502 (as amended from time to time) and/or 45 C.F.R. § 164.512;
(iii) for Sapphire Digital’s proper management and administration; (iv) to fulfill any present or
future legal responsibilities; (v) as otherwise permitted or required by this Addendum; or (vi) as
otherwise permitted or required by law.

b. to report to Covered Entity, in writing, any material Use and/or Disclosure of the PHI by Sapphire
Digital that is not permitted or required by this Addendum of which Sapphire Digital becomes

aware;

c. to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use
and/or Disclosures contrary to this Addendum;

10

d. to the extent that Sapphire Digital creates, receives, maintains or transmits Electronic Protected
Health Information as that term is defined by the Security Rule, on behalf of Covered Entity to
report to Covered Entity any Security Incident of which Sapphire Digital becomes aware to the
extent such incidents represent successful unauthorized access, use, disclosure, modification, or
destruction of Unsecured Electronic Protected Health Information of Covered Entity; and

e. to require all of Sapphire Digital’s subcontractors and agents utilized in providing the Services
which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and
conditions on the Use and/or Disclosure of the PHI that apply to Sapphire Digital pursuant to this
Addendum.

. Safeguards. Sapphire Digital shall employ appropriate administrative, technical and physical

safeguards, consistent with the size and complexity of Sapphire Digital’s operations, to protect the
confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the
terms of this Addendum, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310,
164.312, 164.314, and 164.316, which includes Sapphire Digital’s obligation to have written policies
and procedures in place to document its administrative, technical and physical safeguards.

Access Requests. Sapphire Digital shall process Covered Entity’s requests to access records in the
Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45
C.F.R. § 164.524.

Amendment Requests. Sapphire Digital shall process Covered Entity’s requests for amendment of the
PHI in Sapphire Digital’s possession, solely upon Covered Entity’s request and in a manner that allows
Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the manner
in which Covered Entity is amending the PHI in Covered Entity’s possession.

Accounting of Disclosures. The Parties agree that Sapphire Digital shall track and keep a record of all
Disclosures of PHI, and that Sapphire Digital shall provide to Covered Entity the information necessary
for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45 C.F.R.
§164.528, to individuals who request an accounting. In each case to the extent feasible, Sapphire
Digital shall provide at least the following information with respect to each such Disclosure: (a) the
date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief description
of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which includes an
explanation of the basis for such Disclosure. In the event that Sapphire Digital receives a request for
an accounting directly from an individual, Sapphire Digital shall forward such request to Covered
Entity in writing.

De-Identification. Sapphire Digital may de-identify PHI for lawful purposes, so long as such de-
identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to
time and may use the PHI to provide data aggregation services relating to Covered Entity’s health care
operations.

Meet Covered Entity Obligations where Appropriate. If Sapphire Digital will perform a service for
Covered Entity that is an obligation of Covered Entity under the Privacy Rule, to meet the applicable
requirements in the performance of that service;

Requests from Secretary of Health and Human Services. If Sapphire Digital receives a request, made
by or on behalf of the Secretary of the United States Department of Health and Human Services (the
“Secretary”), requiring Sapphire Digital to make its internal practices, books, and records relating to
the Use and Disclosure of the PHI created or received by Sapphire Digital on behalf of Covered Entity

11

10.

11.

12.

13.

14.

available to the Secretary for the purpose of determining Covered Entity’s and/or Sapphire Digital’s
compliance with HIPAA, then Sapphire Digital shall make its internal practices, books and records
available to the Secretary or the Secretary’s authorized representative.

Minimum Necessary. Covered Entity shall provide, and Sapphire Digital shall request, Use and
Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or
Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the
definition of “minimum necessary” from time to time, and agree to stay informed of any relevant
changes to the definition.

Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Sapphire
Digital accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on
behalf of Covered Entity, Sapphire Digital shall report such Breach to Covered Entity as soon as
practicable, but in no event later than thirty (30) days after the date on which the Breach is discovered.
“Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of Unsecured PHI which
compromises the security or privacy of such information, except where an unauthorized person to
whom the information is disclosed would not reasonably have been able to retain such information.
“Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to
unauthorized individuals through the use of a technology or methodology specified by the Secretary
(e.g., encryption). Notice of a Breach shall include, to the extent such information is available: (i) the
identification of each individual whose PHI has been, or is reasonably believed to have been, accessed,
acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, and the date of discovery
of the Breach, (iii) the scope of the Breach, and (iv) Sapphire Digital’s response to the Breach.

Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Sapphire
Digital, Covered Entity hereby agrees:

a. that the Uses and Disclosures of the PHI by Sapphire Digital pursuant to this Addendum are, at the
time of execution and throughout the term of this Addendum will be, consistent with the form of
notice of privacy practices (the “Notice”) that Covered Entity provides to individuals pursuant to
45 C.F.R. § 164.520.

b. to notify Sapphire Digital , in writing and in a timely manner, of any arrangements permitted or
required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the
Use and/or Disclosure of the PHI by Sapphire Digital under this Addendum including, but not
limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R. § 164.522
agreed to by Covered Entity, and to hold Sapphire Digital harmless from the financial impact of
any such agreement by Covered Entity; and

c. to obtain any consent or authorization that may be required under HIPAA or state law prior to
furnishing the PHI to Sapphire Digital.

Term. Unless otherwise terminated as provided in Section 14, this Addendum shall become effective
on the Effective Date and shall have a term that shall run concurrently with that of any oral or written
agreement by Sapphire Digital to provide Services to Covered Entity and will terminate without any
further action of the Parties upon the termination of all such agreements.

Termination

a. Ifeither Party determines that the other Party has engaged in a pattern of activity that constitutes a
material breach of the other Party’s obligations under this Addendum, the non-breaching Party

12

15.

16.

17.

18.

19.

shall, within twenty (20) days of that determination, notify the breaching Party and the breaching
Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation.
If the breaching Party fails to take reasonable steps to effect such a cure within such a time period,
the non-breaching Party may terminate all or part of the service relationship. In no event shall such
termination have any effect on sums due from Covered Entity for any services provided by Sapphire
Digital under the engagement.

b. Where either Party has knowledge of a material breach by the other Party, and cure is not possible,
the non-breaching Party shall terminate the portion of the arrangement for Services affected by the
breach.

Effect of Termination. Upon the event of termination of this Addendum, Sapphire Digital agrees, where

feasible, to return or destroy the PHI, which Sapphire Digital still maintains in any form. Prior to doing
so, Sapphire Digital further agrees, to the extent feasible, to request the destruction of the PHI that is in
the possession of its subcontractors or agents. If in Sapphire Digital’s opinion, it is not feasible for
Sapphire Digital or any subcontractors to return or destroy portions of the PHI, Sapphire Digital shall,
upon Covered Entity’s written request, inform Covered Entity as to the specific reasons that make such
return or destruction infeasible and limit any further use or disclosures to the purposes that make the
return or destruction of those portions of the PHI infeasible and provide the protections described herein
to that PHI.

Third Party Beneficiaries. Nothing in this Addendum shall be construed to create any third party
beneficiary rights in any person.

Counterparts. This Addendum may be executed in any number of counterparts, cach of which shall be
deemed an original. Facsimile and pdf copies thereof shall be deemed to be originals.

Informal Resolution. If any controversy, dispute or claim arises between the Parties with respect to this
Addendum, the Parties shall make good faith efforts to resolve such matters informally.

Interpretation. The provisions of this Addendum shall prevail over any provisions in any other
agreements between Sapphire Digital and Covered Entity that may conflict or appear inconsistent with
any provision of this Addendum. This Addendum shall be interpreted as broadly as necessary to
implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in this
Addendum shall be resolved in favor of a meaning that complies with and is consistent with HIPAA
and the HITECH Act.

13

Attachment D
Insurance Requirements

CITY OF NASHUA

CYBER INSURANCE REQUIREMENTS
Contractor shall carry and maintain in effect during the performance of services under this contract:

* General Liability insurance in the amount of $1,000,000 per occurrence; $2,000,000 aggregate;

« Cyber Liability insurance in the amount of $1,000,000 per incident, covering the City of
Nashua’s cost for computer and data loss restoration, notification costs, credit monitoring, and
liability to third parties from the Contractor’s failure to handle, manage, store and control
personally identifiable information.

Contractor shall maintain in effect at all times during the performance under this contract all specified
insurance coverage with insurers. None of the requirements as to types and limits to be maintained by
Contractor are intended to and shall not in any manner limit or qualify the liabilities and obligations
assumed by Contractor under this contract. The City of Nashua shall not maintain any insurance on
behalf of Contractor. Subcontractors are subject to the same insurance requirements as Contractor and
it shall be the Contractor’s responsibility to ensure compliance of this requirement.

The Parties agree that Contractor shall have the status of and shall perform all work under this contract as
an independent contractor, maintaining control over all its consultants, sub consultants, contractors, or
subcontractors. The only contractual relationship created by this contract is between the City and
Contractor, and nothing in this contract shall create any contractual relationship between the City and
Contractor’s consultants, sub consultants, contractors, or subcontractors. The Parties also agree that
Contractor is not a City employee and that there shall be no:

(1) Withholding of income taxes by the City:

(2) Industrial insurance coverage provided by the City;

(3) Participation in group insurance plans which may be available to employees of the City;

(4) Participation or contributions by either the independent contractor or the City to the public
employee’s retirement system;

(5) Accumulation of vacation leave or sick leave provided by the City;

(6) Unemployment compensation coverage provided by the City.

Contractor will provide the City of Nashua with certificates of insurance for coverage as listed below
and endorsements affecting coverage required by the contract within ten calendar days after the City
issues the notice of award. The City of Nashua requires thirty days written notice of cancellation or
material change in coverage. The certificates and endorsements for each insurance policy must be signed
by a person authorized by the insurer. General Liability policies must name the City of Nashua as an
additional insured and reflect on the certificate of insurance. Contractor is responsible for filing
updated certificates of insurance with the City of Nashua's Risk Management Department during the life
of the contract.

* All deductibles and self-insured retentions shall be fully disclosed in the certificate(s) of
insurance.