10.
11.
12.
13.
14.
Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Sapphire
Digital’s compliance with HIPAA, then Sapphire Digital shall make its internal practices, books and
records available to the Secretary or the Secretary’s authorized representative.
Minimum Necessary. Covered Entity shall provide, and Sapphire Digital shall request, Use and
Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use
or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the
definition of “minimum necessary” from time to time, and agree to stay informed of any relevant
changes to the definition.
Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Sapphire
Digital accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on
behalf of Covered Entity, Sapphire Digital shall report such Breach to Covered Entity as soon as
practicable, but in no event later than thirty (30) days after the date on which the Breach is
discovered. “Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of
Unsecured PHI which compromises the security or privacy of such information, except where an
unauthorized person to whom the information is disclosed would not reasonably have been able to
retain such information. “Unsecured PHI’ shall mean PHI that is not rendered unusable, unreadable,
or indecipherable to unauthorized individuals through the use of a technology or methodology
specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such
information is available: (i) the identification of each individual whose PHI has been, or is reasonably
believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach,
if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Sapphire
Digital’s response to the Breach.
Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Sapphire
Digital, Covered Entity hereby agrees:
a. that the Uses and Disclosures of the PHI by Sapphire Digital pursuant to this Addendum are, at
the time of execution and throughout the term of this Addendum will be, consistent with the form
of notice of privacy practices (the “Notice’’) that Covered Entity provides to individuals pursuant
to 45 C.F.R. § 164.520.
b. to notify Sapphire Digital , in writing and in a timely manner, of any arrangements permitted or
required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the
Use and/or Disclosure of the PHI by Sapphire Digital under this Addendum including, but not
limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R.
§ 164.522 agreed to by Covered Entity, and to hold Sapphire Digital harmless from the financial
impact of any such agreement by Covered Entity; and
QO
tc obtain any consent or authorization that may be required under HIPAA or state law prior te
furnishing the PHI to Sapphire Digital.
Term. Unless otherwise terminated as provided in Section 14, this Addendum shall become effective
on the Effective Date and shall have a term that shall run concurrently with that of any oral or written
agreement by Sapphire Digital to provide Services to Covered Entity and will terminate without any
further action of the Parties upon the termination of all such agreements.
Termination
a. If either Party determines that the other Party has engaged in a pattern of activity that constitutes
12
