Search

Attachment A

SmartShopper Program.

Except as the parties may otherwise agree and document in an amendment, Sapphire Digital shall
adhere to the following requirements for the SmartShopper Program:

A. A Member shall be able to obtain provider related cost information for select medical
procedures as well as information regarding the availability of any associated Incentive
Reward Payment, by either contacting Sapphire Digital through a toll free telephone
number or a website, both of which shall be provided for by Sapphire Digital.

B. The list of medical procedures included in the SmartShopper Program are described in
“Attachment B”.

C. Sapphire Digital shall issue Incentive Reward Payments to Members in the amounts
mutually agreed upon by the Customer and Sapphire Digital as described in Attachment
B.

D. Prior to providing any information, Sapphire Digital shall require the Member to verify
Member’s eligible status to use the SmartShopper Program.

E. Following Sapphire Digital’s verification of eligibility, the Member shall indicate the
healthcare procedure to be performed as well as his/her initial preference, if they were to
have one, on the location to have the procedure performed.

F. Sapphire Digital shall provide to the Member cost-related information related to
Customer’s participating providers who can perform the requested procedure. Sapphire
Digital shall also inform the Member which providers, if any; will qualify the Member
for an Incentive Reward Payment.

G. Upon Sapphire Digital’s verification of the Member’s use of a provider that qualified
him/her for an Incentive Reward Payment, Sapphire Digital shall send the Incentive
Reward Payment to the Member. Sapphire Digital shall verify Member’s qualification for
an Incentive Reward Payment by confirming, utilizing claims payment information
provided by Anthem Inc. that a request for payment from the provider for the specific
service in question was received and processed by Anthem Inc.

H. Reporting: Sapphire Digital will provide the Customer with Standard Performance
Reports monthly, no later than the last day of the month following the applicable reporting
month (e.g., Sapphire Digital provides January reports by the last day of February).

I. Website and Phone Support:. Sapphire Digital will make available and maintain the
Sapphire Digital website for use by Members for the delivery of the Program. The website
will be hosted by Sapphire Digital , using industry standard security measures, and shall
be available twenty-four (24) hours per day to provide Members the capability to search
and identify relative costs and Member Incentive Reward information for select medical
procedures included in the applicable Program, with the exception of regularly scheduled
maintenance and downtime, which shall not occur during Sapphire Digital’s
regular business hours. Sapphire Digital shall also make available telephonic support
through a_ dedicated toll free telephone number to its Call Center during its standard
operating hours.

sn w Fw NY

EXHIBITA
TABLE OF CONTENTS
GENERAL CONDITIONS

DEFINITIONS

PROFESSIONAL ENGINEER STATUS
STANDARD OF CARE

CITY OF NASHUA REPRESENTATIVE
CHANGES TO SCOPE OF WORK
CIty OF NASHUA COOPERATION

DISCOVERY OF CONFLICTS, ERRORS, OMISSIONS, AMBIGUITIES, OR

DISCREPANCIES
TERMINATION OF CONTRACT
DISPUTE RESOLUTION

NO DAMAGES FOR DELAY
INSURANCE
INDEMNIFICATION

FISCAL CONTINGENCY
COMPENSATION
COMPLIANCE WITH APPLICABLE LAWS
NONDISCRIMINATION
ENDORSEMENT

ASSIGNMENTS, TRANSFER, DELEGATION, OR SUBCONTRACTING

CITY INSPECTION OF CONTRACT MATERIALS
DISPOSITION OF CONTRACT MATERIALS

PUBLIC RECORDS LAW, COPYRIGHTS, AND PATENTS
FINAL ACCEPTANCE

TAXES

NON-WAIVER OF TERMS AND CONDITIONS

RIGHTS AND REMEDIES

PROHIBITED INTERESTS

THIRD PARTY INTERESTS AND LIABILITIES
SURVIVAL OF RIGHTS AND OBLIGATIONS
SEVERABILITY

MODIFICATION OF CONTRACT AND ENTIRE AGREEMENT
CHOICE OF LAW AND VENUE

TIME IS OF THE ESSENCE

GC | of 1

GC--2
GC--2
GC--2
GC--3
GC--3
GC--3

GC--3
GC--4
GC--5
GC--6
GC--6
GC--7
GC--7
GC--7
GC--7
GC--8
GC--8
GC--8
GC--9
GC--9
GC--9
GC--10
GC--10
GC--10
GC--10
GC--10
GC.-11
GC--11
GC--11
GC--11]
GC—I1
GC-1}

Attachment B — Incentive Scale

The list of medical procedures and incentive amounts included in the Program shall be the standard list of
procedures for Customer’s geographic market. A copy of incentive list will be provided to the Customer
upon the request of Customer. Please provide a copy or include it when you send the revised contract for
review.

Attachment C — Business Associate Agreement

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (“Addendum”) by and between MDx Medical Inc. dba Sapphire
Digital and City of Nashua (“Covered Entity”), is entered into for the purposes of complying with the
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health
Information Technology for Economic and Clinical Health Act (the “HITECH Act’), Public Law 111-
005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and
E (Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of
Individually Identifiable Health Information” (the “Privacy Rule”) and Subpart C, together with the
definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected
Health Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known
as the “Breach Notification Rule” (“Breach Notification Rule’) (the Privacy Rule, Breach Notification
Rule and the Security Rule are collectively called the “Privacy and Security Rules”) Sapphire Digital and
Covered Entity are each referred to herein as a “Party” and collectively referred to as the “Parties.”

WHEREAS, Covered Entity is a “Covered Entity” as that term is defined under HIPAA, which requires
Covered Entities and certain of their service providers to enter into business associate agreements;

WHEREAS, Sapphire Digital may create on behalf of, or receive from, the Covered Entity or the
Covered Entity’s other service providers protected health information (“PHI”); and

WHEREAS, upon creation or receipt of such PHI, Sapphire Digital would be a “Business Associate” in
relation to the Covered Entity, as that term is defined under HIPAA.

NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein,
Covered Entity and Sapphire Digital hereby agree as follows:

1. Capitalized Terms. All capitalized terms herein not otherwise defined shall have the meaning ascribed to
such terms under HIPAA, the HITECH Act and the Privacy and Security Rules, as may be amended
from time to time.

2. Sapphire Digital’s Responsibilities with Respect to Use and Disclosure of PHI. Sapphire Digital
hereby agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:

a. to Use and/or Disclose the PHI only: (i) in conjunction with the services it provides to Covered
Entity (“the Services’’); (ii) consistent with the manner in which Covered Entity is permitted to
Use and Disciose by 45 C.F.R. 164.502 (as amended from time to time) and/or 45 C.F.R. §
164.512; (iii) for Sapphire Digital’s proper management and administration; (iv) to fulfill any
present or future legal responsibilities; (v) as otherwise permitted or required by this Addendum;
or (vi) as otherwise permitted or required by law.

b. to report to Covered Entity, in writing, any material Use and/or Disclosure of the PHI by Sapphire
Digital that is not permitted or required by this Addendum of which Sapphire Digital becomes
aware;

c. to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use
and/or Disclosures contrary to this Addendum;

10

d. to the extent that Sapphire Digital creates, receives, maintains or transmits Electronic Protected
Health Information as that term is defined by the Security Rule, on behalf of Covered Entity to
report to Covered Entity any Security Incident of which Sapphire Digital becomes aware to the
extent such incidents represent successful unauthorized access, use, disclosure, modification, or
destruction of Unsecured Electronic Protected Health Information of Covered Entity; and

e. to require all of Sapphire Digital’s subcontractors and agents utilized in providing the Services
which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and
conditions on the Use and/or Disclosure of the PHI that apply to Sapphire Digital pursuant to this
Addendum.

Safeguards. Sapphire Digital shall employ appropriate administrative, technical and physical
safeguards, consistent with the size and complexity of Sapphire Digital’s operations, to protect the
confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the
terms of this Addendum, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310,
164.312, 164.314, and 164.316, which includes Sapphire Digital’s obligation to have written policies
and procedures in place to document its administrative, technical and physical safeguards.

Access Requests. Sapphire Digital shall process Covered Entity’s requests to access records in the
Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45
C.F.R. § 164.524.

Amendment Requests. Sapphire Digital shall process Covered Entity’s requests for amendment of the
PHI in Sapphire Digital’s possession, solely upon Covered Entity’s request and in a manner that
allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the
manner in which Covered Entity is amending the PHI in Covered Entity’s possession.

Accounting of Disclosures. The Parties agree that Sapphire Digital shall track and keep a record of all
Disclosures of PHI, and that Sapphire Digital shall provide to Covered Entity the information
necessary for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45
C.F.R. §164.528, to individuals who request an accounting. In each case to the extent feasible,
Sapphire Digital shall provide at least the following information with respect to each such Disclosure:
(a) the date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief
description of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which
includes an explanation of the basis for such Disclosure. In the event that Sapphire Digital receives a
request for an accounting directly from an individual, Sapphire Digital shall forward such request to
Covered Entity in writing.

De-Identification. Sapphire Digital may de-identify PHI for lawful purposes, so long as such de-
identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to
time and may use the PHi to provide data aggregation services relating to Covered Entity’s health
care operations.

Meet Covered Entity Obligations where Appropriate. If Sapphire Digital will perform a service for
Covered Entity that is an obligation of Covered Entity under the Privacy Rule, to meet the applicable
requirements in the performance of that service;

Requests from Secretary of Health and Human Services. If Sapphire Digital receives a request, made
by or on behalf of the Secretary of the United States Department of Health and Human Services (the
“Secretary”), requiring Sapphire Digital to make its internal practices, books, and records relating to
the Use and Disclosure of the PHI created or received by Sapphire Digital on behalf of Covered

11

10.

11.

12.

13.

14.

Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Sapphire
Digital’s compliance with HIPAA, then Sapphire Digital shall make its internal practices, books and
records available to the Secretary or the Secretary’s authorized representative.

Minimum Necessary. Covered Entity shall provide, and Sapphire Digital shall request, Use and
Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use
or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the
definition of “minimum necessary” from time to time, and agree to stay informed of any relevant
changes to the definition.

Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Sapphire
Digital accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on
behalf of Covered Entity, Sapphire Digital shall report such Breach to Covered Entity as soon as
practicable, but in no event later than thirty (30) days after the date on which the Breach is
discovered. “Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of
Unsecured PHI which compromises the security or privacy of such information, except where an
unauthorized person to whom the information is disclosed would not reasonably have been able to
retain such information. “Unsecured PHI’ shall mean PHI that is not rendered unusable, unreadable,
or indecipherable to unauthorized individuals through the use of a technology or methodology
specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such
information is available: (i) the identification of each individual whose PHI has been, or is reasonably
believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach,
if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Sapphire
Digital’s response to the Breach.

Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Sapphire
Digital, Covered Entity hereby agrees:

a. that the Uses and Disclosures of the PHI by Sapphire Digital pursuant to this Addendum are, at
the time of execution and throughout the term of this Addendum will be, consistent with the form
of notice of privacy practices (the “Notice’’) that Covered Entity provides to individuals pursuant
to 45 C.F.R. § 164.520.

b. to notify Sapphire Digital , in writing and in a timely manner, of any arrangements permitted or
required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the
Use and/or Disclosure of the PHI by Sapphire Digital under this Addendum including, but not
limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R.
§ 164.522 agreed to by Covered Entity, and to hold Sapphire Digital harmless from the financial
impact of any such agreement by Covered Entity; and

QO

tc obtain any consent or authorization that may be required under HIPAA or state law prior te
furnishing the PHI to Sapphire Digital.

Term. Unless otherwise terminated as provided in Section 14, this Addendum shall become effective
on the Effective Date and shall have a term that shall run concurrently with that of any oral or written
agreement by Sapphire Digital to provide Services to Covered Entity and will terminate without any
further action of the Parties upon the termination of all such agreements.

Termination

a. If either Party determines that the other Party has engaged in a pattern of activity that constitutes

12

15.

16.

17.

18.

19.

a material breach of the other Party’s obligations under this Addendum, the non-breaching Party
shall, within twenty (20) days of that determination, notify the breaching Party and the breaching
Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation.
If the breaching Party fails to take reasonable steps to effect such a cure within such a time
period, the non-breaching Party may terminate all or part of the service relationship. In no event
shall such termination have any effect on sums due from Covered Entity for any services
provided by Sapphire Digital under the engagement.

b. Where either Party has knowledge of a material breach by the other Party, and cure is not
possible, the non-breaching Party shall terminate the portion of the arrangement for Services
affected by the breach.

Effect_of Termination. Upon the event of termination of this Addendum, Sapphire Digital agrees,
where feasible, to return or destroy the PHI, which Sapphire Digital still maintains in any form. Prior
to doing so, Sapphire Digital further agrees, to the extent feasible, to request the destruction of the
PHI that is in the possession of its subcontractors or agents. If in Sapphire Digital’s opinion, it is not
feasible for Sapphire Digital or any subcontractors to return or destroy portions of the PHI, Sapphire
Digital shall, upon Covered Entity’s written request, inform Covered Entity as to the specific reasons
that make such return or destruction infeasible and limit any further use or disclosures to the purposes
that make the return or destruction of those portions of the PHI infeasible and provide the protections
described herein to that PHI.

Third Party Beneficiaries. Nothing in this Addendum shall be construed to create any third party
beneficiary rights in any person.

Counterparts. This Addendum may be executed in any number of counterparts, each of which shall
be deemed an original. Facsimile and pdf copies thereof shall be deemed to be originals.

Informal Resolution. If any controversy, dispute or claim arises between the Parties with respect to
this Addendum, the Parties shall make good faith efforts to resolve such matters informally.

Interpretation. The provisions of this Addendum shall prevail over any provisions in any other
agreements between Sapphire Digital and Covered Entity that may conflict or appear inconsistent
with any provision of this Addendum. This Addendum shall be interpreted as broadly as necessary to
implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in
this Addendum shall be resolved in favor of a meaning that complies with and is consistent with
HIPAA and the HITECH Act.

13

Attachment D
Insurance Requirements

CITY OF NASHUA

CYBER INSURANCE REQUIREMENTS
Contractor shall carry and maintain in effect during the performance of services under this contract:

= General Liability insurance in the amount of $1,000,000 per occurrence; $2,000,000 aggregate;

= Cyber Liability insurance in the amount of $1,000,000 per incident, covering the City of Nashua’s
cost for computer and data loss restoration, notification costs, credit monitoring, and liability to
third parties from the Contractor’s failure to handle, manage, store and control personally
identifiable information.

Contractor shall maintain in effect at all times during the performance under this contract all specified
insurance coverage with insurers. None of the requirements as to types and limits to be maintained by
Contractor are intended to and shall not in any manner limit or qualify the liabilities and obligations
assumed by Contractor under this contract. The City of Nashua shall not maintain any insurance on
behalf of Contractor. Subcontractors are subject to the same insurance requirements as Contractor
and it shall be the Contractor’s responsibility to ensure compliance of this requirement.

The Parties agree that Contractor shall have the status of and shall perform all work under this contract
as an independent contractor, maintaining control over all its consultants, sub consultants, contractors, or
subcontractors. The only contractual relationship created by this contract is between the City and
Contractor, and nothing in this contract shall create any contractual relationship between the City and
Contractor’s consultants, sub consultants, contractors, or subcontractors. The Parties also agree that
Contractor is not a City employee and that there shall be no:

(1) Withholding of income taxes by the City:

(2) Industrial insurance coverage provided by the City;

(3) Participation in group insurance plans which may be available to employees of the City;

(4) Participation or contributions by either the independent contractor or the City to the public
employee’s retirement system;

(5) Accumulation of vacation leave or sick leave provided by the City;

(6) Unemployment compensation coverage provided by the City.

Contractor will provide the City of Nashua with certificates of insurance for coverage as listed below and
endorsements affecting coverage required by the contract within ten calendar days after the City issues
the notice of award. The City of Nashua requires thirty days written notice of cancellation or material
change in coverage. The certificates and endorsements for each insurance policy must be signed by a
person authorized by the insurer.General Liability polices must name the City of Nashua as an
additional insured and reflect on the certificate of insurance. Contractor is responsible for filing
updated certificates of insurance with the City of Nashua’s Risk Management Department during the life
of the contract.

= All deductibles and self-insured retentions shall be fully disclosed in the certificate(s) of insurance.

= If aggregate limits of less than $2,000,000 are imposed on bodily injury and property damage,
Contractor must maintain umbrella liability insurance of at least $1,000,000. All aggregates must
be fully disclosed on the required certificate of insurance.

14

= The specified insurance requirements do not relieve Contractor of its responsibilities or limit the
amount of its liability to the City or other persons, and Contractor is encouraged to purchase
such additional insurance, as it deems necessary.

= The insurance provided herein is primary, and no insurance held or owned by the City of Nashua
shall be called upon to contribute to a loss caused by Contractor.

= Contractor is responsible for and required to remedy all damage or loss to any property,
including property of the City, caused in whole or part by Contractor or anyone employed,
directed, or supervised by Contractor.

Regardless of any coverage provided by any insurance, Contractor agrees to indemnify and shall defend
and hold harmless the City, its agents, officials, employees and authorized representatives and their
employees from and against any and all suits, causes of action, legal or administrative proceedings,
arbitrations, claims, demands, damages, liabilities, interest, attorney's fees, costs and expenses of any
kind or nature in any manner caused, occasioned, or contributed to in whole or in part by reason of any
negligent act, omission, or fault or willful misconduct, whether active or passive, of Contractor or of
anyone acting under its direction or control or on its behalf in connection with or incidental to the
performance of this contract. Contractor’s indemnity, defense and hold harmless obligations, or portions
thereof, shall not apply to liability caused by the sole negligence or willful misconduct of the party
indemnified or held harmless.

15

an THE CITY OF NASHUA "The Gate City"

Administrative Services

Purchasing Department

July 4, 2019
Memo #20-003

TO: MAYOR DONCHESS
FINANCE COMMITTEE

SUBJECT: CONTRACT RENEWAL WITH THE HUMANE SOCIETY OF GREATER NASHUA FOR
FY20 (VALUE: $99,081)
DEPARTMENT: 109 CIVIC & COMMUNITY SERVICES; FUND: GENERAL

Please see attached communication from Heidi Peek-Kukulka, Health Officer, for the information
related to this request.

In accordance with § 5-84 A (4) Special Purchasing Procedures for Sole Source Procurements
Heidi Peek-Kukulka, Health Officer, Division of Public Health and the Purchasing Department

recommend approval of the contract with the Humane Society of Greater Nashua in the amount of
$99,081.

Respectfully,

an Kooken
Purchasing Manager

Cc: H. Peek-Kukulka J. Graziano

229 Main Street » Nashua, New Hampshire 03061 ¢ Phone (603) 589-3330 e Fax (603) 589-3233