Search

Attachment B — Incentive Scale

The list of medical procedures and incentive amounts included in the Program shall be the standard list of
procedures for Customer’s geographic market. A copy of incentive list will be provided to the Customer
upon the request of Customer. Please provide a copy or include it when you send the revised contract for
review.

Attachment C — Business Associate Agreement

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (“Addendum”) by and between MDx Medical Inc. dba Sapphire
Digital and City of Nashua (“Covered Entity”), is entered into for the purposes of complying with the
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health
Information Technology for Economic and Clinical Health Act (the “HITECH Act’), Public Law 111-
005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and
E (Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of
Individually Identifiable Health Information” (the “Privacy Rule”) and Subpart C, together with the
definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected
Health Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known
as the “Breach Notification Rule” (“Breach Notification Rule’) (the Privacy Rule, Breach Notification
Rule and the Security Rule are collectively called the “Privacy and Security Rules”) Sapphire Digital and
Covered Entity are each referred to herein as a “Party” and collectively referred to as the “Parties.”

WHEREAS, Covered Entity is a “Covered Entity” as that term is defined under HIPAA, which requires
Covered Entities and certain of their service providers to enter into business associate agreements;

WHEREAS, Sapphire Digital may create on behalf of, or receive from, the Covered Entity or the
Covered Entity’s other service providers protected health information (“PHI”); and

WHEREAS, upon creation or receipt of such PHI, Sapphire Digital would be a “Business Associate” in
relation to the Covered Entity, as that term is defined under HIPAA.

NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein,
Covered Entity and Sapphire Digital hereby agree as follows:

1. Capitalized Terms. All capitalized terms herein not otherwise defined shall have the meaning ascribed to
such terms under HIPAA, the HITECH Act and the Privacy and Security Rules, as may be amended
from time to time.

2. Sapphire Digital’s Responsibilities with Respect to Use and Disclosure of PHI. Sapphire Digital
hereby agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:

a. to Use and/or Disclose the PHI only: (i) in conjunction with the services it provides to Covered
Entity (“the Services’’); (ii) consistent with the manner in which Covered Entity is permitted to
Use and Disciose by 45 C.F.R. 164.502 (as amended from time to time) and/or 45 C.F.R. §
164.512; (iii) for Sapphire Digital’s proper management and administration; (iv) to fulfill any
present or future legal responsibilities; (v) as otherwise permitted or required by this Addendum;
or (vi) as otherwise permitted or required by law.

b. to report to Covered Entity, in writing, any material Use and/or Disclosure of the PHI by Sapphire
Digital that is not permitted or required by this Addendum of which Sapphire Digital becomes
aware;

c. to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use
and/or Disclosures contrary to this Addendum;

10

d. to the extent that Sapphire Digital creates, receives, maintains or transmits Electronic Protected
Health Information as that term is defined by the Security Rule, on behalf of Covered Entity to
report to Covered Entity any Security Incident of which Sapphire Digital becomes aware to the
extent such incidents represent successful unauthorized access, use, disclosure, modification, or
destruction of Unsecured Electronic Protected Health Information of Covered Entity; and

e. to require all of Sapphire Digital’s subcontractors and agents utilized in providing the Services
which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and
conditions on the Use and/or Disclosure of the PHI that apply to Sapphire Digital pursuant to this
Addendum.

Safeguards. Sapphire Digital shall employ appropriate administrative, technical and physical
safeguards, consistent with the size and complexity of Sapphire Digital’s operations, to protect the
confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the
terms of this Addendum, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310,
164.312, 164.314, and 164.316, which includes Sapphire Digital’s obligation to have written policies
and procedures in place to document its administrative, technical and physical safeguards.

Access Requests. Sapphire Digital shall process Covered Entity’s requests to access records in the
Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45
C.F.R. § 164.524.

Amendment Requests. Sapphire Digital shall process Covered Entity’s requests for amendment of the
PHI in Sapphire Digital’s possession, solely upon Covered Entity’s request and in a manner that
allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the
manner in which Covered Entity is amending the PHI in Covered Entity’s possession.

Accounting of Disclosures. The Parties agree that Sapphire Digital shall track and keep a record of all
Disclosures of PHI, and that Sapphire Digital shall provide to Covered Entity the information
necessary for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45
C.F.R. §164.528, to individuals who request an accounting. In each case to the extent feasible,
Sapphire Digital shall provide at least the following information with respect to each such Disclosure:
(a) the date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief
description of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which
includes an explanation of the basis for such Disclosure. In the event that Sapphire Digital receives a
request for an accounting directly from an individual, Sapphire Digital shall forward such request to
Covered Entity in writing.

De-Identification. Sapphire Digital may de-identify PHI for lawful purposes, so long as such de-
identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to
time and may use the PHi to provide data aggregation services relating to Covered Entity’s health
care operations.

Meet Covered Entity Obligations where Appropriate. If Sapphire Digital will perform a service for
Covered Entity that is an obligation of Covered Entity under the Privacy Rule, to meet the applicable
requirements in the performance of that service;

Requests from Secretary of Health and Human Services. If Sapphire Digital receives a request, made
by or on behalf of the Secretary of the United States Department of Health and Human Services (the
“Secretary”), requiring Sapphire Digital to make its internal practices, books, and records relating to
the Use and Disclosure of the PHI created or received by Sapphire Digital on behalf of Covered

11

10.

11.

12.

13.

14.

Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Sapphire
Digital’s compliance with HIPAA, then Sapphire Digital shall make its internal practices, books and
records available to the Secretary or the Secretary’s authorized representative.

Minimum Necessary. Covered Entity shall provide, and Sapphire Digital shall request, Use and
Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use
or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the
definition of “minimum necessary” from time to time, and agree to stay informed of any relevant
changes to the definition.

Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Sapphire
Digital accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on
behalf of Covered Entity, Sapphire Digital shall report such Breach to Covered Entity as soon as
practicable, but in no event later than thirty (30) days after the date on which the Breach is
discovered. “Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of
Unsecured PHI which compromises the security or privacy of such information, except where an
unauthorized person to whom the information is disclosed would not reasonably have been able to
retain such information. “Unsecured PHI’ shall mean PHI that is not rendered unusable, unreadable,
or indecipherable to unauthorized individuals through the use of a technology or methodology
specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such
information is available: (i) the identification of each individual whose PHI has been, or is reasonably
believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach,
if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Sapphire
Digital’s response to the Breach.

Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Sapphire
Digital, Covered Entity hereby agrees:

a. that the Uses and Disclosures of the PHI by Sapphire Digital pursuant to this Addendum are, at
the time of execution and throughout the term of this Addendum will be, consistent with the form
of notice of privacy practices (the “Notice’’) that Covered Entity provides to individuals pursuant
to 45 C.F.R. § 164.520.

b. to notify Sapphire Digital , in writing and in a timely manner, of any arrangements permitted or
required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the
Use and/or Disclosure of the PHI by Sapphire Digital under this Addendum including, but not
limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R.
§ 164.522 agreed to by Covered Entity, and to hold Sapphire Digital harmless from the financial
impact of any such agreement by Covered Entity; and

QO

tc obtain any consent or authorization that may be required under HIPAA or state law prior te
furnishing the PHI to Sapphire Digital.

Term. Unless otherwise terminated as provided in Section 14, this Addendum shall become effective
on the Effective Date and shall have a term that shall run concurrently with that of any oral or written
agreement by Sapphire Digital to provide Services to Covered Entity and will terminate without any
further action of the Parties upon the termination of all such agreements.

Termination

a. If either Party determines that the other Party has engaged in a pattern of activity that constitutes

12

15.

16.

17.

18.

19.

a material breach of the other Party’s obligations under this Addendum, the non-breaching Party
shall, within twenty (20) days of that determination, notify the breaching Party and the breaching
Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation.
If the breaching Party fails to take reasonable steps to effect such a cure within such a time
period, the non-breaching Party may terminate all or part of the service relationship. In no event
shall such termination have any effect on sums due from Covered Entity for any services
provided by Sapphire Digital under the engagement.

b. Where either Party has knowledge of a material breach by the other Party, and cure is not
possible, the non-breaching Party shall terminate the portion of the arrangement for Services
affected by the breach.

Effect_of Termination. Upon the event of termination of this Addendum, Sapphire Digital agrees,
where feasible, to return or destroy the PHI, which Sapphire Digital still maintains in any form. Prior
to doing so, Sapphire Digital further agrees, to the extent feasible, to request the destruction of the
PHI that is in the possession of its subcontractors or agents. If in Sapphire Digital’s opinion, it is not
feasible for Sapphire Digital or any subcontractors to return or destroy portions of the PHI, Sapphire
Digital shall, upon Covered Entity’s written request, inform Covered Entity as to the specific reasons
that make such return or destruction infeasible and limit any further use or disclosures to the purposes
that make the return or destruction of those portions of the PHI infeasible and provide the protections
described herein to that PHI.

Third Party Beneficiaries. Nothing in this Addendum shall be construed to create any third party
beneficiary rights in any person.

Counterparts. This Addendum may be executed in any number of counterparts, each of which shall
be deemed an original. Facsimile and pdf copies thereof shall be deemed to be originals.

Informal Resolution. If any controversy, dispute or claim arises between the Parties with respect to
this Addendum, the Parties shall make good faith efforts to resolve such matters informally.

Interpretation. The provisions of this Addendum shall prevail over any provisions in any other
agreements between Sapphire Digital and Covered Entity that may conflict or appear inconsistent
with any provision of this Addendum. This Addendum shall be interpreted as broadly as necessary to
implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in
this Addendum shall be resolved in favor of a meaning that complies with and is consistent with
HIPAA and the HITECH Act.

13

Attachment D
Insurance Requirements

CITY OF NASHUA

CYBER INSURANCE REQUIREMENTS
Contractor shall carry and maintain in effect during the performance of services under this contract:

= General Liability insurance in the amount of $1,000,000 per occurrence; $2,000,000 aggregate;

= Cyber Liability insurance in the amount of $1,000,000 per incident, covering the City of Nashua’s
cost for computer and data loss restoration, notification costs, credit monitoring, and liability to
third parties from the Contractor’s failure to handle, manage, store and control personally
identifiable information.

Contractor shall maintain in effect at all times during the performance under this contract all specified
insurance coverage with insurers. None of the requirements as to types and limits to be maintained by
Contractor are intended to and shall not in any manner limit or qualify the liabilities and obligations
assumed by Contractor under this contract. The City of Nashua shall not maintain any insurance on
behalf of Contractor. Subcontractors are subject to the same insurance requirements as Contractor
and it shall be the Contractor’s responsibility to ensure compliance of this requirement.

The Parties agree that Contractor shall have the status of and shall perform all work under this contract
as an independent contractor, maintaining control over all its consultants, sub consultants, contractors, or
subcontractors. The only contractual relationship created by this contract is between the City and
Contractor, and nothing in this contract shall create any contractual relationship between the City and
Contractor’s consultants, sub consultants, contractors, or subcontractors. The Parties also agree that
Contractor is not a City employee and that there shall be no:

(1) Withholding of income taxes by the City:

(2) Industrial insurance coverage provided by the City;

(3) Participation in group insurance plans which may be available to employees of the City;

(4) Participation or contributions by either the independent contractor or the City to the public
employee’s retirement system;

(5) Accumulation of vacation leave or sick leave provided by the City;

(6) Unemployment compensation coverage provided by the City.

Contractor will provide the City of Nashua with certificates of insurance for coverage as listed below and
endorsements affecting coverage required by the contract within ten calendar days after the City issues
the notice of award. The City of Nashua requires thirty days written notice of cancellation or material
change in coverage. The certificates and endorsements for each insurance policy must be signed by a
person authorized by the insurer.General Liability polices must name the City of Nashua as an
additional insured and reflect on the certificate of insurance. Contractor is responsible for filing
updated certificates of insurance with the City of Nashua’s Risk Management Department during the life
of the contract.

= All deductibles and self-insured retentions shall be fully disclosed in the certificate(s) of insurance.

= If aggregate limits of less than $2,000,000 are imposed on bodily injury and property damage,
Contractor must maintain umbrella liability insurance of at least $1,000,000. All aggregates must
be fully disclosed on the required certificate of insurance.

14

= The specified insurance requirements do not relieve Contractor of its responsibilities or limit the
amount of its liability to the City or other persons, and Contractor is encouraged to purchase
such additional insurance, as it deems necessary.

= The insurance provided herein is primary, and no insurance held or owned by the City of Nashua
shall be called upon to contribute to a loss caused by Contractor.

= Contractor is responsible for and required to remedy all damage or loss to any property,
including property of the City, caused in whole or part by Contractor or anyone employed,
directed, or supervised by Contractor.

Regardless of any coverage provided by any insurance, Contractor agrees to indemnify and shall defend
and hold harmless the City, its agents, officials, employees and authorized representatives and their
employees from and against any and all suits, causes of action, legal or administrative proceedings,
arbitrations, claims, demands, damages, liabilities, interest, attorney's fees, costs and expenses of any
kind or nature in any manner caused, occasioned, or contributed to in whole or in part by reason of any
negligent act, omission, or fault or willful misconduct, whether active or passive, of Contractor or of
anyone acting under its direction or control or on its behalf in connection with or incidental to the
performance of this contract. Contractor’s indemnity, defense and hold harmless obligations, or portions
thereof, shall not apply to liability caused by the sole negligence or willful misconduct of the party
indemnified or held harmless.

15

an THE CITY OF NASHUA "The Gate City"

Administrative Services

Purchasing Department

July 4, 2019
Memo #20-003

TO: MAYOR DONCHESS
FINANCE COMMITTEE

SUBJECT: CONTRACT RENEWAL WITH THE HUMANE SOCIETY OF GREATER NASHUA FOR
FY20 (VALUE: $99,081)
DEPARTMENT: 109 CIVIC & COMMUNITY SERVICES; FUND: GENERAL

Please see attached communication from Heidi Peek-Kukulka, Health Officer, for the information
related to this request.

In accordance with § 5-84 A (4) Special Purchasing Procedures for Sole Source Procurements
Heidi Peek-Kukulka, Health Officer, Division of Public Health and the Purchasing Department

recommend approval of the contract with the Humane Society of Greater Nashua in the amount of
$99,081.

Respectfully,

an Kooken
Purchasing Manager

Cc: H. Peek-Kukulka J. Graziano

229 Main Street » Nashua, New Hampshire 03061 ¢ Phone (603) 589-3330 e Fax (603) 589-3233

THE CITY OF NASHUA “the Gate City’

Division of Public Health and Community Services

Community Services Department

June 28'*®, 2019

To: John Griffin, CFO; Daniel Kooken, Purchasing Manager
From: Heidi Peek-Kukulka, Health Officer

Subject: Renewal of Humane Society Contract for FY20

The Humane Society for Greater Nashua Corporation (HSFN) has provided
shelter, pound, isolation, and quarantine services for the City of
Nashua and has provided these services for over 20 years.

Nashua Revised Ordinances section 93-7 states, “The Mayor, with the
assistance and cooperation of the Dog Officer, shall select a suitable
place of confinement for impounded animals and those held under
suspicion of rabies and after biting.” HSFN has a proven record of
providing impoundment and quarantine services, has the facility space
to accommodate the needs of the City of Nashua’s Pound, and HSFN staff
has worked closely with City staff throughout the years to develop
sound policies and procedures to adequately provide efficient and
effective methods of handling impoundment and quarantine services.

The Division of Public Health and Community Services, Environmental
Health Department and the Nashua Police Department Animal Control
Officer work closely with HSFN and oversee the contract deliverables
and communications with HSFN.

The attached contract is effective July 1, 2019 through June 30, 2020
in the amount of $99,081, to be paid in equal monthly installments.
Services include shelter for dogs, cats, rabbits and various other
small animals, adoption of stray animals, veterinary services for
stray animals surrendered to the HSFN, owner location of stray
animals, quarantine of unvaccinated dogs and cats which have bit a
human or another animal, and processing of animals found to be
positive for rabies.

In accordance with § 5-84 A (4) Special Purchasing Procedures for
Sole Source Procurements, the Division of Public Health recommends
that the contract with HSFN located at 24 Ferry Road, Nashua, NH, be
renewed for an additional year.

229 Main Street e Nashua, New Hampshire 03060 e Phone (603) 589-3307 e Fax (603) 594-3434

AGREEMENT
Humane Society for Greater Nashua Corporation and the City of Nashua, NH

AGREEMENT made this day of , 2019 by and between the
City of Nashua, New Hampshire (hereinafter “City’), a municipal corporation with a
principal place of business at 229 Main Street, Nashua, New Hampshire 03061 (the “City”)
and Humane Society for Greater Nashua Corporation (HSFN) of 24 Ferry Road, Nashua,
NH, 03064, (hereinafter “Contractor’) (collectively referred to as the “Parties”). The Parties
hereby enter into this Independent Contractor Agreement (hereinafter “Agreement”) under
the terms and conditions set forth below.

SCOPE OF SERVICES
The Contractor agrees to perform the following services for the City:

The Humane Society for Greater Nashua Corporation shall be the designated “Pound” for
the City of Nashua, NH and will be responsible for animal impoundment services to the
City of Nashua, NH as outlined in this Scope of Services.

1. The HSFN will provide the following impoundment and quarantine services for
animals impounded by the Animal Control Officer or a Nashua Police Officer:

10-Day Bite Quarantine of canines (stray and owned);

10-Day Bite Quarantine of owned felines;

10-Day Bite Quarantine of owned ferrets;

7-Day Impoundment of stray canines;

Impoundment of stray felines for those with permanent ID only

Impoundment of stray ferrets for those with permanent ID only

2. In accordance with RSA 466:18-a, and Nashua Revised Ordinances 93-6
Impoundment of dogs, cats and ferrets found at large, HSFN will become the lawful
owner of any unclaimed animals as follows:

Canines —After 7 days

Felines — Immediately if nc permanent identification is found

Felines — After 7 days if permanent identification was found, but the animal
remained unclaimed

Ferrets — Immediately if no permanent identification is found

Ferrets-- After 7 days if permanent identification was found, but the animal
remained unclaimed

The HSEN shall be responsible for the care of any animal of which it becomes the lawful
owner.