Business Associate Agreement

This Business Associate Agreement (the “BAA”) is by and between River Records, Inc. (“Business Associate” or “BA”) and You (“Covered Entity”) who are parties to the Underlying Agreement (defined below) pursuant to which Business Associate performs the Services for or on behalf of Covered Entity and may create, receive, maintain, or transmit Protected Health Information (as defined below) for or on behalf of Covered Entity through the provision of the Services. Any capitalized term which is not otherwise defined in this BAA shall have the meaning ascribed to such term in the Underlying Agreement and any capitalized term used in this BAA, but not defined in either this BAA or the Underlying Agreement shall have the same meaning set forth in the HIPAA Regulations (as defined below).

WHEREAS, Covered Entity is a Covered Entity as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);

WHEREAS, the parties intend to protect the privacy and provide for the security of the individually identifiable health information Disclosed by Covered Entity to Business Associate, or accessed, received, created, or transmitted by Business Associate, when providing the Service. Such PHI will be protected in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (“HITECH Act”) and its implementing regulations and guidance issued by the Secretary, and other applicable state and federal laws, all as amended from time to time; and

WHEREAS, Covered Entity is required under the HIPAA Regulations to enter into a Business Associate Agreement that meets certain requirements with respect to the Use and Disclosure of PHI, which are met by this BAA. Accordingly, to the extent required by HIPAA, Business Associate agrees to comply with this BAA.

In consideration of the foregoing, the requirements of HIPAA Regulations, including as amended pursuant to the HITECH Act, and for good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, Covered Entity and Business Associate agree to be bound by the following terms and conditions.

NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree as follows:

1.         DEFINITIONS

  1. “Breach” shall have the same meaning as the term “Breach” in 45 C.F.R. § 164.402.

  2. “Business Associate” shall mean River Records, Inc.

  3. “Consumer Users” shall mean individuals who utilize Business Associate’s consumer facing apps.

  4. “Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.

  5. “Disclose” and “Disclosure” shall mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than a member of its workforce, as set forth in 45 C.F.R. § 160.103.

  6. “Electronic Protected Health Information” or “Electronic PHI” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits from or on behalf of Covered Entity.

  7. “Effective Date” shall mean the earlier date of full execution of an Underlying Agreement, or the date Business Associate provides services or functions that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103.

  8. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

  9. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 164, Subpart E.

  10. “Protected Health Information” or “PHI” shall mean “individually identifiable health information,” as that term is defined in 45 C.F.R. § 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits from or on behalf of Covered Entity.

  11. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 160.103.

  12. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.

  13. “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.

  14. “Services” shall mean the services for or functions on behalf of Covered Entity performed by Business Associate pursuant to any Underlying Agreement, or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103.

  15. “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 164, Subpart C.

  16. “Underlying Agreement” shall mean any service agreement(s) between Covered Entity and Business Associate which may be in effect now or from time to time.

  17. “Unsecured Protected Health Information” or “Unsecured PHI” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. § 164.402.

  18. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate’s internal operations, as set forth in 45 C.F.R. § 160.103.

2.         OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Restrictions on Uses and Disclosures of Protected Health Information. Business Associate shall not Use or Disclose PHI received, accessed, maintained, or created for or on behalf of Covered Entity except in accordance with any Underlying Agreement, or as permitted by this BAA or Required by Law. Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if so Used or Disclosed by Covered Entity.

  2. Permitted Uses and Disclosures of Protected Health Information. Without limiting the generality of Section 2.1, Business Associate is permitted to:

    1. Use PHI for the proper management and administration of Business Associate;

    2. Use and Disclose PHI to carry out the legal responsibilities of Business Associate, provided that with respect to any such Disclosure either: (a) the Disclosure is Required by Law; or (b) Business Associate obtains an agreement from the person to whom the PHI is to be Disclosed that such person will hold the PHI in confidence and will not Use and further Disclose such PHI except as Required by Law and for the purpose(s) for which it was Disclosed by Business Associate to such person, and that such person will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached;

    3. Use PHI for Data Aggregation purposes in connection with the Health Care Operations of Covered Entity; and

    4. Use PHI for purposes of de-identification of the PHI.

  3. Adequate Safeguards of PHI. Business Associate shall comply with Subpart C of 45 C.F.R. Part 164 with respect to PHI, to reasonably and appropriately protect the confidentiality, integrity, and availability of e-PHI that it creates, receives, maintains or transmits on behalf of Covered Entity.

  4. Reporting Security Incidents and Non-Permitted Uses or Disclosures. Business Associate shall notify Covered Entity of any Use or Disclosure by Business Associate or its Subcontractors of PHI not specifically permitted by this BAA and each Security Incident, including Breaches of Unsecured PHI, within ten (10) business days of becoming aware. Notwithstanding the foregoing, Business Associate and Covered Entity acknowledge the ongoing existence and occurrence of attempted but ineffective Security Incidents that are trivial in nature, such as pings and other broadcast service attacks, and Covered Entity acknowledges and agrees that no additional notification to Covered Entity of such ineffective Security Incidents is required, as long as no such incident results in unauthorized access, Use or Disclosure of PHI. If Business Associate determines that a Breach of Unsecured PHI has occurred, Business Associate shall provide a written report to Covered Entity without unreasonable delay but no later than thirty (30) calendar days after discovery of the Breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity shall be in accordance with 45 C.F.R. §164.410(c).

  5. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this BAA.

  6. Agents and Subcontractors. Business Associate agrees to obtain from any agent, including a subcontractor to whom it provides Protected Health Information, reasonable assurances that it will adhere to substantially similar restrictions and conditions that apply to Business Associate under this BAA with respect to such information.

  7. Delegated Responsibilities. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).

  8. Access to and Amendment of PHI. All Protected Health Information maintained by Business Associate in a Designated Record Set for Covered Entity will be available to Covered Entity for inspection and copying to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 within fifteen (15) business days of a request by Covered Entity. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall amend the PHI it maintains (or which is maintained by its Subcontractors) in such Designated Record Sets to enable the Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 within fifteen (15) business days of a request by Covered Entity. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than to Covered Entity.

  9. Access to Books and Records. Business Associate agrees to make internal practices, books, and records available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary's determining Covered Entity’s compliance with the Privacy Rule and Security Standards; provided, however, that time incurred by Business Associate in complying with any such request that exceeds its normal customer service parameters shall be charged to Covered Entity at Business Associate's then-current standard hourly rate.

  10. Accounting. To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, within thirty (30) days of receipt of a request from Covered Entity or an Individual for an accounting of disclosures of PHI, Business Associate and its Subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528.

3.         COVERED ENTITY OBLIGATIONS

  1. Privacy Notice. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices in accordance with 45 C.F.R. § 164.520 to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

  2. Changes of Permission of Individual. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

  3. Restrictions on Use or Disclosure. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information. Covered Entity will not agree to any limitation or restriction requests in its notice of privacy practices or from Individuals that would cause Business Associate to violate this BAA or applicable law.

  4. Permissions. Covered Entity warrants that it has obtained any necessary authorizations, consents, and other permissions that may be required under applicable law prior to placing data, including without limitation PHI, on the Business Associate’s systems.

4.         TERM AND TERMINATION

  1. Term. The term of this BAA shall be effective as of the Effective Date and shall terminate as of the date that all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information.

  2. Termination. Breach of this BAA shall be a material breach of the Underlying Agreement giving rise to a right of termination (subject to the applicable right to cure) under the Underlying Agreement.

  3. Effect of Termination. Upon termination of the Underlying Agreement for any reason, Business Associate shall return or destroy all Protected Health Information not necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate as well as Business Associate itself. When such information is returned or destroyed, Business Associate shall retain no copies of the Protected Health Information. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. In the event that Covered Entity requires Business Associate to retain the Protected Health Information after termination of the Underlying Agreement, Covered Entity shall bear the reasonable cost of storage of such Protected Health Information for as long as storage by Business Associate is required.

  4. Infeasibility for BA to Destroy or Return PHI. Covered Entity and Business Associate hereby acknowledge and agree that, except in certain limited circumstances, in the event of the termination of the Underlying Agreement between Covered Entity and Business Associate, it will not be feasible for Business Associate to return PHI to Covered Entity or to destroy PHI, and Business Associate will need to retain such PHI in accordance with the terms of service and the privacy policy incorporated therein between BA and its Consumer Users.

5.         MISCELLANEOUS

  1. Amendment. Each party agrees to take such action as is reasonably necessary to amend this BAA from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA Regulations as they may be amended from time to time; provided, however, that if such an amendment would materially increase the cost of Business Associate providing service under the Underlying Agreement, Business Associate shall have the option to terminate the Underlying Agreement on thirty (30) days advance notice.

  2. Survival. The respective rights and obligations of the parties in Sections 4 and 5.2 of this BAA shall survive the termination or expiration of the Underlying Agreement and this BAA.

  3. Entire Agreement. The Underlying Agreement together with this BAA constitutes the entire agreement between the parties with respect to the subject matter contained herein, and this BAA supersedes and replaces any former business associate agreement or addendum entered into by the parties.

  4. Conflict Between Agreements. In the event of a conflict between the terms of this BAA and the terms of the Underlying Agreement, the terms of this BAA shall prevail.

  5. Amendment; Waiver. Except as otherwise provided herein, no amendment or modification to this BAA or waiver of any provision hereof shall be effective except in a writing duly signed by both parties.

  6. Relationship of Parties. Notwithstanding anything to the contrary in any Underlying Agreement, Business Associate is an independent contractor and not an agent of Covered Entity under this BAA. Business Associate has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate obligations under this BAA.

  7. Interpretation. This BAA shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HIPAA Regulations and the HITECH Act. The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with such laws.

  8. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.

  9. Choice of Law. This BAA shall be governed by the laws of the State of Delaware regardless of the choice of law rules of any jurisdiction. Any ambiguities in this BAA shall be resolved in a manner that allows Covered Entity and Business Associate to comply with the Privacy Rule, and, if applicable, the Security Rule. The parties hereby agree and consent that the exclusive venue and jurisdiction for any and all disputes arising under or related to this BAA shall be in the federal or state courts in the State of Delaware and waive any contention that any such court is an improper venue for such disputes.