available to the Secretary for the purpose of determining Covered Entity’s and/or Sapphire Digital’s
compliance with HIPAA, then Sapphire Digital shall make its internal practices, books and records
available to the Secretary or the Secretary’s authorized representative.
10. Minimum Necessary. Covered Entity shall provide, and Sapphire Digital shall request, Use and
Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or
Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the
definition of “minimum necessary” from time to time, and agree to stay informed of any relevant
changes to the definition.
11. Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Sapphire
Digital accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on
behalf of Covered Entity, Sapphire Digital shall report such Breach to Covered Entity as soon as
practicable, but in no event later than thirty (30) days after the date on which the Breach is discovered.
“Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of Unsecured PHI which
compromises the security or privacy of such information, except where an unauthorized person to
whom the information is disclosed would not reasonably have been able to retain such information.
“Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to
unauthorized individuals through the use of a technology or methodology specified by the Secretary
(e.g., encryption). Notice of a Breach shall include, to the extent such information is available: (i) the
identification of each individual whose PHI has been, or is reasonably believed to have been, accessed,
acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, and the date of discovery
of the Breach, (iii) the scope of the Breach, and (iv) Sapphire Digital’s response to the Breach.
12. Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Sapphire
Digital, Covered Entity hereby agrees:
a. that the Uses and Disclosures of the PHI by Sapphire Digital pursuant to this Addendum are, at the
time of execution and throughout the term of this Addendum will be, consistent with the form of
notice of privacy practices (the “Notice”) that Covered Entity provides to individuals pursuant to
45 C.F.R. § 164.520.
b. to notify Sapphire Digital, in writing and in a timely manner, of any arrangements permitted or
required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the
Use and/or Disclosure of the PHI by Sapphire Digital under this Addendum including, but not
limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R. § 164.522
agreed to by Covered Entity, and to hold Sapphire Digital harmless from the financial impact of
any such agreement by Covered Entity; and
c. to obtain any consent or authorization that may be required under HIPAA or state law prior to
furnishing the PHI to Sapphire Digital.
13. Term. Unless otherwise terminated as provided in Section 14, this Addendum shall become effective
on the Effective Date and shall have a term that shall run concurrently with that of any oral or written
agreement by Sapphire Digital to provide Services to Covered Entity and will terminate without any
further action of the Parties upon the termination of all such agreements.
14. Termination
a. If either Party determines that the other Party has engaged in a pattern of activity that constitutes a
material breach of the other Party’s obligations under this Addendum, the non-breaching Party
