d. to the extent that Sapphire Digital creates, receives, maintains or transmits Electronic Protected
Health Information as that term is defined by the Security Rule, on behalf of Covered Entity to
report to Covered Entity any Security Incident of which Sapphire Digital becomes aware to the
extent such incidents represent successful unauthorized access, use, disclosure, modification, or
destruction of Unsecured Electronic Protected Health Information of Covered Entity; and
e. to require all of Sapphire Digital’s subcontractors and agents utilized in providing the Services
which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and
conditions on the Use and/or Disclosure of the PHI that apply to Sapphire Digital pursuant to this
Addendum.
Safeguards. Sapphire Digital shall employ appropriate administrative, technical and physical
safeguards, consistent with the size and complexity of Sapphire Digital’s operations, to protect the
confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the
terms of this Addendum, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310,
164.312, 164.314, and 164.316, which includes Sapphire Digital’s obligation to have written policies
and procedures in place to document its administrative, technical and physical safeguards.
Access Requests. Sapphire Digital shall process Covered Entity’s requests to access records in the
Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45
C.F.R. § 164.524.
Amendment Requests. Sapphire Digital shall process Covered Entity’s requests for amendment of the
PHI in Sapphire Digital’s possession, solely upon Covered Entity’s request and in a manner that allows
Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the manner
in which Covered Entity is amending the PHI in Covered Entity’s possession.
Accounting of Disclosures. The Parties agree that Sapphire Digital shall track and keep a record of all
Disclosures of PHI, and that Sapphire Digital shall provide to Covered Entity the information necessary
for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45 C.F.R.
§ 164.528, to individuals who request an accounting. In each case to the extent feasible, Sapphire
Digital shall provide at least the following information with respect to each such Disclosure: (a) the
date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief description
of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which includes an
explanation of the basis for such Disclosure. In the event that Sapphire Digital receives a request for
an accounting directly from an individual, Sapphire Digital shall forward such request to Covered
Entity in writing.
De-Identification. Sapphire Digital may de-identify PHI for lawful purposes, so long as such de-
identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to
time, and may use the PHI to provide data aggregation services relating to Covered Entity’s health care
operations.
Meet Covered Entity Obligations where Appropriate. If Sapphire Digital will perform a service for
Covered Entity that is an obligation of Covered Entity under the Privacy Rule, to meet the applicable
requirements in the performance of that service;
Requests from Secretary of Health and Human Services. If Sapphire Digital receives a request, made
by or on behalf of the Secretary of the United States Department of Health and Human Services (the
“Secretary”), requiring Sapphire Digital to make its internal practices, books, and records relating to
the Use and Disclosure of the PHI created or received by Sapphire Digital on behalf of Covered Entity
