Exhibit 2: sierra26 Business Associate Agreement
This Business Associate Agreement (“BAA”) is an addendum to your Agreement with sierra26 and is
incorporated therein by reference. It is intended to supplement and amend the Agreement only in the
event and to the extent sierra26 meets, with respect to you, the definition of a Business Associate set
forth at 45 C.F.R. §160.103 and may Use and/or Disclose PHI on your behalf, as a Covered Entity.
Except to the extent modified in this BAA, all terms and conditions set forth in the Agreement shall
remain in full force and effect and govern the services.
sierra26 and Customer are entering into this BAA in order for both parties to meet their respective
obligations as they become effective and binding upon the parties under the HIPAA Privacy, Security,
and Breach Notification Rules along with any implementing regulations including those implemented
as part of the Omnibus Rule (collectively referred to as the “HIPAA Rules”), under which Customer is
a “Covered Entity” or “Business Associate” and sierra26 is a “Business Associate” of Customer. For
purposes of this Agreement, any references hereinafter to Business Associate shall be deemed
references to sierra26.
Capitalized terms used but not otherwise defined in this BAA shall have the same meanings
ascribed to those terms in the HIPAA Rules or in the Agreement, as applicable.
“Breach Notification Rule” shall mean the rule for Breach Notification for Unsecured
Protected Health Information at 45 CFR §164 Subpart D.
“Business Associate” shall mean sierra26 to the extent it receives, maintains, or transmits
Protected Health Information in delivering services to Customer.
“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996.
“HITECH Act” shall mean the applicable provisions of the Health Information Technology for
Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment
Act of 2009, and including any implementing regulations.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health
Information at 45 CFR §160 and §164, Subparts A and E.
“Protected Health Information” or “PHI” shall have the same meaning as the term ‘protected
health information’ in 45 CFR §160.103 and shall be limited to the PHI created by Business
Associate on behalf of Customer or received from or on behalf of Customer pursuant to the
“Security Rule” shall mean the Security Standards for the Protection of Electronic Protected
Health Information at 45 CFR §160 and §164, Subparts A and C.
Obligations and Activities of Business Associate.
Business Associate agrees to not Use or further Disclose PHI other than as permitted or
required by this BAA or as required by law.
Business Associate agrees to use appropriate safeguards, and comply, as applicable, with
Subpart C of 45 CFR §164 with respect to electronic PHI, to prevent Uses or Disclosures of
the PHI other than as provided for by this BAA or the Agreement; however, the parties
acknowledge and agree it shall be the responsibility of Customer and not Business Associate
to comply with requirements under 45 CFR §164.312 to implement encryption or decryption
mechanisms for electronic PHI maintained on physical media (e.g. tapes) stored by Customer
with Business Associate.
Business Associate agrees to promptly report to Customer any Security Incident, Breach, or
other Use or Disclosure of PHI of which it becomes aware that is not permitted or required by
this BAA or the Agreement. In the event of a Breach, such notification shall be made in
accordance with and as required of a business associate by the HIPAA Rules, including without
limitation pursuant to 45 CFR 164.410, but in no event more than three (3) business days after
Business Associate has completed its internal investigation and confirmed a Breach has
occurred. Business Associate will provide reasonable assistance and cooperation in the
investigation of any such Breach and shall document the specific Deposits which have been
compromised, the identity of any unauthorized third party who may have accessed or received
the PHI, if known, and any actions that have been taken by Business Associate to mitigate the
effects of such Breach.
Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), as
applicable, ensure that any business associate that is a subcontractor that creates, receives,
maintains, or transmits PHI on behalf of Business Associate for the purpose of assisting in
providing services pursuant to the Agreement, agrees to the same restrictions, conditions, and
requirements that apply to Business Associate with respect to such PHI through this BAA.
If Business Associate has custody of PHI in a Designated Record Set with respect to Individuals,
and if Customer so requests, Business Associate agrees to provide access to such PHI to
Customer by retrieving and delivering such PHI in accordance with the terms and conditions
of the Agreement, so that Customer may respond to an Individual in order to meet the
requirements of 45 CFR §164.524.
Business Associate agrees that if an amendment to PHI in a Designated Record Set in the
custody of Business Associate is required, and if Customer instructs Business Associate to
retrieve such PHI in accordance with the Agreement, Business Associate shall perform such
service so that Customer may make any amendment to such PHI as may be required by either
Customer or an Individual pursuant to 45 CFR §164.526.
Business Associate agrees to document and make available to Customer the information
required to provide an accounting of Disclosures of PHI, provided that Customer has provided
Business Associate with information sufficient to enable Business Associate to determine
which records or data received from or on behalf of Customer by Business Associate contain
PHI. The documentation of Disclosures shall contain such information as would be required for
Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in
accordance with 45 CFR §164.528 or other provisions of the HIPAA Rules.
Business Associate shall promptly notify Customer of any requests by Individuals for access to
or knowledge or correction of PHI, without responding to such requests, and Customer shall
be responsible for receiving and responding to any such Individual requests.
To the extent the Business Associate is to carry out one or more of Customer's obligation(s)
under Subpart E of 45 CFR §164, Business Associate shall comply with the requirements of
Subpart E that apply to Customer in the performance of such obligation(s).
Business Associate agrees to make its internal practices, books, and records available to the
Secretary for purposes of determining compliance with the HIPAA Rules.
Permitted Uses and Disclosures by Business Associate.
Business Associate may Use or Disclose PHI as necessary to perform the services set forth in
Business Associate may Use or Disclose PHI as required by law.
Business Associate agrees to make reasonable efforts to limit PHI to the minimum necessary
to accomplish the intended purpose of the Use, Disclosure, or request.
may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR §164 if done by
Business Associate may Disclose PHI for the proper management and administration of
Business Associate or to carry out the legal responsibilities of the Business Associate,
provided the Disclosures are required by law, or Business Associate obtains reasonable
assurances from the person to whom the information is disclosed that the information will
remain confidential and used or further disclosed only as required by law or for the purposes
for which it was disclosed to the person, and the person notifies Business Associate of any
instances of which it is aware in which the confidentiality of the information has been breached.
Obligations of Customer.
Customer shall not direct Business Associate to act in a manner that would not be compliant
with the HIPAA Rules.
Customer shall notify Business Associate of any limitation(s) in its notice of privacy practices of
Customer in accordance with 45 CFR §164.520, to the extent that such limitation may affect
Business Associate’s Use or Disclosure of PHI.
Customer shall notify Business Associate of any changes in, or revocation of, the permission by
an Individual to Use or Disclose their PHI, to the extent that such changes may affect Business
Associate’s Use or Disclosure of PHI.
Customer shall notify Business Associate in writing of any restriction to the Use or Disclosure
of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that
such restriction may affect Business Associate’s Use or Disclosure of PHI.
Term and Termination.
Term. The term of this BAA shall continue for the term of the Agreement and shall terminate
automatically upon the later to occur of (i) the expiration or termination of the Agreement, or
(ii) when all PHI provided by Customer to Business Associate is destroyed or returned to
Termination for Cause. Upon a party’s knowledge of a material breach of the BAA by the other
party, the non-breaching party shall provide an opportunity for the breaching party to cure the
breach. If the breaching party does not cure the breach within thirty (30) days, following the
breaching party’s receipt of a written notice from the non-breaching party setting forth the
details of such material breach, then the non-breaching party shall have the right to terminate
this BAA and the Agreement according to the terms of the Agreement, or, if termination is not
feasible, shall report the problem to the Secretary or any other competent authority.
Effect of Termination.
Except as provided in Section 5.c.ii. below, upon termination of this BAA for any reason,
Business Associate shall return or destroy all PHI received from Customer in accordance
with the Agreement. This provision shall apply to PHI that is in the possession of
subcontractors or agents of Business Associate. Business Associate shall retain no copies
of the PHI.
In the event that Business Associate determines that returning or destroying the PHI is
infeasible, Business Associate shall provide to Customer notification of the conditions that
make return or destruction infeasible. Upon notice to Customer, Business Associate shall
extend the protections of this BAA to such PHI and limit further Uses and Disclosures of
such PHI to those purposes that make the return or destruction infeasible, for so long as
Business Associate maintains such PHI pursuant to the terms of the Agreement.
Injunctive Relief. Business Associate acknowledges that any unauthorized Use or Disclosure of
PHI by Business Associate may cause irreparable harm to Customer for which Customer shall
be entitled, if it so elects, to seek injunctive or other equitable relief.
Regulatory References. A reference in this BAA to a section of the HIPAA Rules shall mean that
section of HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, or the final Omnibus
Rules as amended and in effect, and for which compliance is required.
Amendment. This BAA is incorporated by reference into and made a part of the Agreement, and
as such may be amended from time to time by sierra26 as described therein, subject to
applicable law. Continued use of the services following amendment of this BAA shall indicate
your acceptance of such amendment.
Survival. The respective rights and obligations of Business Associate under Section 5(c)
above shall survive the termination of this BAA.
No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor
shall anything herein confer, upon any person other than Customer, Business Associate and
their respective successors or assigns, any rights, remedies, obligations or liabilities
Independent Contractor. Business Associate, including its directors, officers, employees and
agents, is an independent contractor and not an agent (as defined under Federal common law
of agency) of Customer or a member of its workforce. Without limiting the generality of the
foregoing, Customer shall have no right to control, direct, or otherwise influence Business
Associate’s conduct in the course of performing the services, other than through the
enforcement of this BAA or the Agreement.
Precedence; Entire Agreement. Any ambiguity in this BAA shall be resolved to permit the parties
to comply with the HIPAA Rules. This BAA constitutes the entire agreement between the
parties with respect to the subject matter hereof, and shall supersede all previous
communications, representations, agreements and understandings relating to the HIPAA
Rules, including any and all prior business associate agreements between the parties.