Speak to an expert: 888-703-8127

sierra26 Terms and Conditions of Service

These Terms and Conditions of Service, along with our Services overview, Plans & Pricing, Policies, and other information on our website (collectively referred to herein as the “Agreement”) outline the terms and conditions regarding your use of our products and services. This Agreement is a legally binding contract between you and sierra26 so please read carefully. We agree to make the services available to you only upon your acceptance of this Agreement. If you do not accept this Agreement, do not purchase, register for, or use any of the services. By purchasing, registering for, and/or using our services you expressly acknowledge that you understand and have accepted this Agreement. 

As used herein and as the context requires, the term “we”, “us”, “our”, and “sierra26” shall mean Iron Mountain Information Management, LLC, and its affiliates and subsidiaries that may perform any services. The term “you”, “your”, and “Customer” shall mean the person or entity who accesses or uses the services and any person or entity who purchases services or creates an account for the services. The term “services” shall mean all products and services offered by sierra26 which may be further described on the sierra26 website, including but not limited to the Customer Account Dashboard, the Site, product offerings such as service bundles and all other services. The term “Deposits” and “items” means any of the Customer’s records, media, materials, images and electronically stored information, and other items stored with or processed by sierra26 as part of the services.  


  1. Changes To The Agreement. We reserve the right to modify this Agreement in any manner and at any time as we may determine in our sole and absolute discretion. We will post the most current version of the Agreement at www.sierra26.com (the “Site”), which shall be effective thirty (30) days after posting. If we make material modifications to the service bundles, we will notify you and such changes shall take effect thirty (30) days following notice to you. If you do not accept the changes, you must stop using the services and cancel your account within thirty (30) days of the notice of such material changes. Your continued use of the services more than thirty (30) days after we publish or send a notice about our changes to this Agreement means that you have consented to the updated terms. We may terminate your account or the services at any time, with or without cause, to be effective upon notice to you. If we terminate without cause, we will refund any pre-paid fees and arrange for the return of your Deposits back to you at our expense. 
  2. Your Account.
    1. One-Time Services. You may purchase certain services without establishing an account by completing the checkout process offered for the applicable service.  You represent and warrant that all information entered during checkout is true, accurate, and complete. 
    2. Recurring Plans. Access to our services requires you to obtain a log-in by completing a registration form and designating a user ID and password. When registering with sierra26 you must: (a) provide true, current, and complete information about your business on the registration form and (b) maintain the accuracy of such information so it continues to be true, current, and complete. You are entirely responsible for all materials and information that you upload, post, or otherwise transmit via the services. Only you may use your sierra26 log-in and you are responsible for all aspects of your log-in, including any order placed, instruction submitted, or file accessed using your login. Each authorized user must have a separate log-in. You may not share, loan, or transfer your ID or password. If you become aware of any unauthorized use of the Services or your log-in, or have any questions about your account please contact sierra26 Support via customersupport@sierra26.com or (888) 703-8127.
  3. Term.
    1. Recurring Plans. Your plan shall run for a minimum period of one (1) year, with the initial term of this Agreement commencing on the date of your registration and continuing for one (1) calendar year thereafter. Upon expiration of the initial term, your plan and the term will continue with automatic renewals (without the need to go through the services-interface “check-out” or execute a renewal order form) for additional one (1) year terms at the then-current rate outlined in the “Charges” section below, unless you cancel your services prior to the renewal date. Except as explicitly set forth below under “Trial Period,” you may not terminate this Agreement during the term, except in the event of a material breach by sierra26, in which case you shall provide us with at least thirty (30) days prior written notice and an opportunity to cure the breach.  Notwithstanding anything to the contrary, in the event that sierra26 continues to hold Deposits after the expiration or termination of this Agreement for any reason, the terms of this Agreement shall continue to apply until all Deposits have been removed from sierra26’s facility. 
    2. Cancellation.
      1. Account Closure. sierra26 charges fees to close your account and terminate the services, which are the charges incurred to return your Deposits to you and to pick up any shred bins from your location.  Account closure fees apply and will be assessed to close your account and terminate your services for any reason, except for cancellation during the Trial Period. 
      2. Early Termination Fee. If you elect to cancel your services during the term for any reason other than as explicitly permitted in this Section 3 (e.g. during the Trial Period or at the end of your annual term), then, in addition to the applicable account closure fees, you will be charged an early termination fee equal to your monthly plan price multiplied by the number of months remaining in the then-current term (“Early Termination Fee”). 
      3. Deposits will be returned to you only upon receipt of the account closure fees and the Early Termination Fee, as applicable.             
    3. One-Time Services. This Agreement shall commence upon order placement and continue until the service has been completed.  Orders for one-time services may only be canceled if you contact us before the day of your service.  If you would like to cancel an order for one-time services, please immediately contact sierra26 Support via customersupport@sierra26.com or (888) 703-8127.
  4. Charges. Rates, charges, and definitions of sierra26’s offered service bundles, along with available add-ons or incremental services, are specified on the Site. Rates and charges for services may be changed at any time by sierra26 upon written notice to you, provided that monthly recurring bundle rates will remain the same for your 1 year term. Add-ons and one-time services (purchased on top of bundle price, as needed), will be charged at the then-published price.  Monthly bundle rates may change after your term is complete, and any such pricing change will be communicated to you in writing before renewal. Published prices are exclusive of taxes and required fees, which will be charged as applicable. 
  5. Promotional Offers. We may make certain promotional offers available from time to time, which may be subject to differing conditions or limitations which shall be disclosed at the time of registration or purchase.  If you qualify for a promotional offer, the terms of the offer shall control over any conflicting terms and conditions in this Agreement. 
  6. Payment Terms. Customer is required to enroll in electronic auto-pay, and provide sierra26 with current, complete, accurate, and authorized payment method information (e.g. ACH or credit card information). sierra26 is authorized to charge the provided payment method in advance on a recurring basis for the Services selected. Payment will be due and charged on the date of your enrollment, and thereafter monthly on each anniversary (unless you registered on a day not contained in a given month, in which case you will be charged on the closest available date) for that month’s service bundle and will continue for as long as Customer renews their term. sierra26’s fees are fully earned upon payment and there are no refunds or credits for canceled, unused, or partially used services, except as otherwise set forth herein. Customer shall be liable for late charges totaling one percent (1%) per month of the outstanding balance, beginning the day after payment was due.     
  7. Customer Default. If Customer fails to pay sierra26’s charges within fourteen (14) days after the billing date, as established in the “Payment Terms” section above, sierra26 will suspend service until Customer becomes current with account, including applicable late fees. Suspended accounts will not be allowed to place orders for services, or view or access Deposits. If Customer fails to pay sierra26’s charges for two (2) consecutive billing dates sierra26 will send written notice informing Customer that Deposits may be securely destroyed in ninety (90) days. A final notice will be sent to Customer ten (10) days prior to secure destruction of the Deposits. sierra26 shall have all other rights and remedies as may be provided by law. In the event sierra26 takes any actions pursuant to this Section, it shall have no liability to Customer or anyone claiming by or through Customer. Customer shall pay sierra26’s standard price for secure destruction and shall otherwise remain responsible for any uncollected amounts.     
  8. Updates To The Service. sierra26 can make necessary deployments of changes, updates or enhancements to the Services at any time. sierra26 may also add or remove functionalities or features, or suspend or stop the Services altogether.     
  9. Customer Instructions. Customer warrants that it is the owner or legal custodian of the Deposits and has full authority to store the Deposits and direct their disposition in accordance with this Agreement. sierra26 will perform services pursuant to the direction of Customer’s agent(s) identified pursuant to sierra26’s standards, including processing orders placed through Customer’s Account Dashboard. For the avoidance of doubt, any order placed using Customer’s log-in credentials or the log-in credentials of any authorized user shall constitute Customer’s representation that the identified persons have full authority to order any service, including disposal or removal of Deposits. Customer releases sierra26 from all liability by reason of the destruction of Deposits ordered using Customer’s or any authorized user’s account log-in.  
  10. Operational Procedures. Customer shall comply with sierra26’s reasonable operational requirements, as modified from time to time, regarding cartons, carton integrity, delivery/pickup/account closing volumes, preparation for pickup, security, secure shredding protocols, access, and similar matters. Without limiting the generality of the foregoing, Customer shall comply with all instructions, controls, and restrictions sierra26 may impose from time to time regarding access to the services and electronically stored information, including but not limited requirements relating to VPN devices, FTP connections, password standards, encryption, network requirements, and secure access protocols.     
  11. Force Majeure. Neither party shall be liable for any failure, loss (including loss of or damage to Deposits), claim, damage, delay or inability to perform caused by acts of God, governmental actions, labor unrest, acts of terrorism, riots, unusual traffic delays or other causes beyond its reasonable control. Customer is responsible for obtaining and maintaining all equipment, technology, and communication systems (including, without limitation, internet access) that are necessary or appropriate for Customer to access the services. sierra26 shall have no responsibility or liability for customer’s failure to access or use the services caused by or related in any manner to any failure of Customer to obtain and maintain all such equipment, technology, and communication systems.     
  12. Governmental Orders. sierra26 is authorized to comply with any subpoena or similar order related to the Deposits, at Customer’s expense, provided that sierra26 notifies Customer promptly upon receipt thereof, unless such notice is prohibited by law. sierra26 will cooperate with Customer’s efforts to quash or limit any subpoena, at Customer’s expense. 
  13. Confidentiality. "Confidential Information" means any information (i) contained in the Deposits, (ii) concerning or relating to the property, business and affairs of the party disclosing such information that is furnished to the receiving party, and (iii) regarding this Agreement, the services, and sierra26’s processes and procedures; except for information that was previously known to the receiving party free of any obligation to keep it confidential, is subsequently made public by the disclosing party or is disclosed by a third party having a legal right to make such disclosure. Confidential Information shall be used only in the manner contemplated by this Agreement and shall not be intentionally disclosed to third parties without the disclosing party’s written consent. sierra26 shall not obtain any rights of any sort in or to the Confidential Information of Customer contained in Deposits. sierra26 shall implement and maintain reasonable safeguards designed to protect Customer’s Confidential Information.  
  14. LIMITATION OF LIABILITY.
    1. DECLARED VALUE OF DEPOSITS. CUSTOMER DECLARES, FOR THE PURPOSES OF THIS AGREEMENT, THAT (A) WITH RESPECT TO HARD-COPY (PAPER) RECORDS, MICROFILM, AND MICROFICHE STORED OR PROCESSED PURSUANT TO THIS AGREEMENT, THE VALUE OF SUCH ITEMS IS $1.00 PER CARTON, LINEAR FOOT OF OPEN-SHELF FILES, CONTAINER, OR OTHER STORAGE UNIT, AND (B) WITH RESPECT TO ROUND REEL TAPE, AUDIO TAPE, VIDEO TAPE, FILM, DATA TAPE, CARTRIDGES OR CASSETTES OR OTHER NON-PAPER MEDIA STORED OR PROCESSED PURSUANT TO THIS AGREEMENT, THE VALUE OF SUCH ITEMS IS EQUAL TO THE COST OF REPLACING THE PHYSICAL MEDIA. CUSTOMER ACKNOWLEDGES THAT IT HAS DECLINED TO DECLARE AN EXCESS VALUATION, FOR WHICH AN EXCESS VALUATION FEE WOULD HAVE BEEN CHARGED. DEPOSITS ARE NOT INSURED BY SIERRA26 AGAINST LOSS OR DAMAGE, HOWEVER CAUSED. CUSTOMER MAY INSURE DEPOSITS THROUGH THIRD-PARTY INSURERS FOR ANY AMOUNT, INCLUDING AMOUNTS IN EXCESS OF THE LIMITATION OF LIABILITY SET FORTH IN THIS AGREEMENT. CUSTOMER SHALL CAUSE ITS INSURERS OF DEPOSITS TO WAIVE ANY RIGHT OF SUBROGATION AGAINST SIERRA26.  
    2. MAXIMUM LIABILITY. SIERRA26 SHALL NOT BE LIABLE FOR ANY FOR ANY LOSSES, COSTS, DAMAGES, OR EXPENSES (INCLUDING BUT NOT LIMITED TO THE LOSS OR DESTRUCTION OF, OR DAMAGE TO, DEPOSITS, AND THE COSTS RESULTING FROM A LOSS OF A DEPOSIT CONSTITUTING A BREACH OF DATA SECURITY OR CONFIDENTIALITY), UNLESS AND TO THE EXTENT THE SAME WAS CAUSED BY SIERRA26’S NEGLIGENCE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, SIERRA26’S LIABILITY, IF ANY, FOR LOSS OR DESTRUCTION OF, OR DAMAGE TO, DEPOSITS IS LIMITED TO THE DECLARED VALUE OF EACH DEPOSIT AS DESCRIBED ABOVE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SIERRA26’S TOTAL, AGGREGATE, AND CUMULATIVE LIABILITY UNDER THIS AGREEMENT (WHETHER ARISING IN CONTRACT, TORT, WARRANTY, INDEMNIFICATION, OR ANY OTHER LEGAL THEORY) EXCEED THE AMOUNT ACTUALLY PAID BY THE CUSTOMER IN THE PRIOR TWELVE (12) MONTHS FOR THE SERVICES. SIERRA26 SHALL NOT BE LIABLE FOR THE LOSS OF CONTENTS OF SHREDDING BINS UNLESS AND UNTIL THE CONTENTS ARE IN THE CUSTODY AND CONTROL OF SIERRA26.         
    3. NO CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS OR LOSS OF DATA, REGARDLESS OF WHETHER AN ACTION IS BROUGHT IN TORT, CONTRACT OR UNDER ANY OTHER THEORY.         
  15. ITAR/EAR Compliance. Customer represents that none of the Deposits require protection from access by foreign persons because they contain technical information regarding defense articles or defense services within the meaning of the International Traffic in Arms Regulations (22 CFR 120) or technical data within the meaning of the Export Administration Regulations (15 CFR 730-774). If any of Customer’s Deposits do contain any such information, Customer shall notify sierra26 of the specific Deposits that contain such information and acknowledges that special storage and service rates may apply thereto.  
  16. Non-Custodial Status. sierra26’s performance of services shall not cause sierra26 to be deemed a “custodian” of the records or “designee” of Customer under state or federal law with respect to such records.     
  17. Notice of Claims. Claims by Customer must be presented in writing within a reasonable time, in no event longer than ninety (90) days after delivery or return of the Deposits to Customer, or ninety (90) days after Customer is notified of loss, damage or destruction to part or all of the Deposits. Unless otherwise expressly provided by law, no action may be brought by Customer against sierra26 with respect to any matter arising out of this Agreement or the services unless such action is commenced within one (1) year after the date of the act, omission, or event giving rise to the claim.     
  18. Notice of Loss. When Deposits have been lost, damaged or destroyed, sierra26 shall, upon confirmation of the event, report the matter in writing to Customer.     
  19. Safe Materials and Premises. Customer shall not store with sierra26 or place in shredding bins any material that is highly flammable, may attract vermin or insects, or is otherwise dangerous or unsafe to store or handle, or any material that is regulated by federal or state law or regulation relating to the environment or hazardous materials. Customer shall not store or transmit (i) negotiable instruments, jewelry, check stock or other items that have intrinsic value, (ii) defamatory, trade libelous, or otherwise unlawful information, or (iii) obscene, pornographic or indecent information in violation of applicable law. Customer warrants that it shall only place paper-based materials in the shredding bins. Customer warrants and covenants that its premises where sierra26 employees perform services (including pickups and deliveries) are and shall be free of hazardous substances or dangerous conditions. Customer shall reimburse sierra26 for damage to equipment or injury to personnel resulting from Customer’s breach of this warranty. Violation of this clause shall be grounds for termination of service.     
  20. Personal Information.
    1. EU Personal Data. Customer represents and warrants that it shall not provide sierra26 with any ‘Personal Data’ (as defined in GDPR), whether contained within the Deposits or otherwise, that is the subject of the General Data Protection Regulation (2016/679/EU) (“GDPR”). Customer must immediately contact sierra26 in the event Customer becomes aware that its Deposits contain any Personal Data.         
    2. California Consumer Privacy Act. If Customer is a ‘Business’ and provides ‘Personal Information’ to sierra26 (each as defined in the California Consumer Privacy Act of 2018 (“CCPA”)), whether contained within the Deposits or otherwise, Customer hereby agrees to sierra26’s Personal Information Privacy Addendum, which is attached as Exhibit 1 and hereby incorporated into this Agreement.
    3. Protected Health Information. If Customer provides ‘Protected Health Information’ to sierra26 where sierra26 is a ‘Business Associate’ of Customer (each as defined in the Health Insurance Portability and Accountability Act of 1996), whether contained in the Deposits or otherwise, Customer hereby agrees to sierra26’s Business Associate Agreement, which is attached as Exhibit 2 and hereby incorporated into this Agreement.         
  21. Separate Agreement. Customer understands that (i) the services offered by sierra26 are separate and unique from any other services offered by Iron Mountain Information Management, LLC and its affiliates and subsidiaries (“Iron Mountain)” and that this Agreement with sierra26 is separate from any other contracts or accounts it may have with Iron Mountain; (ii) if Customer, its parent, affiliates, subsidiaries, or any other entity which acquires, merges, or consolidates with Customer has any other agreement with Iron Mountain, this Agreement with sierra26 supersedes any such other agreements with respect to the services offered hereunder and shall continue pursuant to its terms; and (iii) sierra26 accounts and Iron Mountain accounts/inventory cannot be combined or merged in any way.     
  22. Miscellaneous. sierra26 may subcontract any or all of its obligations under this Agreement to third party vendors or subcontractors, provided that sierra26 shall remain directly liable to the Customer for the performance of such subcontracted obligations. Customer may not assign this Agreement in whole or in part, except to an affiliate, without the prior written consent of sierra26. An affiliate means any entity controlling, controlled by, under common control with, or having a common parent with sierra26 or Customer. sierra26 may exercise all rights granted to warehousemen by the Uniform Commercial Code as adopted in the state where the Deposits are stored. Customer represents and covenants that upon the commencement of this Agreement and throughout the term of this Agreement, that: (i) it is not identified on any restricted party lists; or located in countries identified on any restricted country lists; or using the goods or services for any restricted end uses; including those promulgated by the U.S. Departments of State, Commerce and Treasury; and (ii) it is and shall remain compliant with all laws and regulations applicable to its performance under this Agreement, including but not limited to export control and economic sanctions, will not take any action that will cause sierra26 to be in violation of such laws and regulations, and will not require sierra26 to directly or indirectly take any action that might cause it to be in violation of such laws and regulations. Customer will not provide sierra26 any goods, software, services and/or technical data subject to export controls and controlled at a level other than EAR99/AT. This Agreement shall be governed by the laws of the state in which Customer’s office identified in this Agreement is located except for conflicts of laws principles.
  23. Electronic Contract. We will send notices to you in electronic form only, for example via emails to your email address provided during registration or posted to your Customer Account Dashboard. You agree that any notices, agreements, disclosures or other communications that we send to you electronically will satisfy any legal communication requirements, including that such communications be in writing, and you agree to maintain a valid email address and check your email address and Customer Account Dashboard regularly.
  24. Entire Agreement. This Agreement constitutes the entire understanding of the parties and supersedes all previous communications, representations, agreements and understandings relating to the services provided by sierra26 to Customer with respect to the subject matter hereof.

Exhibit 1: sierra26 Personal Information Privacy Addendum

This Personal Information Privacy Addendum (“Addendum”) is an addendum to your Agreement with sierra26 and is incorporated therein by reference. It is intended to supplement the Agreement, including the Privacy Policy. Pursuant to the Agreement, sierra26 may Process Personal Information on behalf of Customer in connection with the services. To the extent that sierra26 Processes Personal Information on behalf of Customer, this Addendum sets forth the rights and obligations of the parties with respect to the CCPA, under which Customer is a “Business” and sierra26 is a “Service Provider” of Customer. 

  1. Definitions. For the purposes of this Addendum, capitalized terms shall have the following meanings, provided that capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement:

    “CCPA” means the California Consumer Privacy Act of 2018.

    “Personal Information” means any data or information that is received by sierra26 from Customer, subject to the services under the Agreement, that relates to, describes, is capable of being associated with, or could be linked, directly or indirectly, with a particular natural person who is a California resident or household. Personal Information does not include publicly available information.

    “Process” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

  2. Restrictions on Use. sierra26 shall not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement, as required under this Addendum, or as otherwise permitted under the CCPA.
  3. Permitted Use and Disclosure. Notwithstanding anything herein to the contrary, sierra26 may use or disclose Personal Information to carry out its legal responsibilities, including, but not limited to compliance with civil, criminal, or regulatory inquiries, investigations, subpoena, or summons by federal, state or local authorities.
  4. Individual Requests. sierra26 shall promptly notify Customer if sierra26 receives a request from any individual with respect to Personal Information that is Processed by sierra26 on behalf of Customer. If sierra26 is in possession of the requested Personal Information, upon Customer’s request, sierra26 shall promptly provide Customer with the Personal Information, so that Customer may respond to individual requests for access to or disclosure of Personal Information as required by the CCPA. sierra26’s retrieval of the requested Personal Information will be subject to the applicable charges or fees as set out in the Agreement.
  5. Deletion. At Customer’s request, but subject to the CCPA, sierra26 shall promptly and securely delete or destroy the Personal Information identified by the Customer. sierra26’s deletion of any Personal Information will be subject to the applicable charges or fees as set out in the Agreement. Notwithstanding anything herein to the contrary, if a request for destruction or deletion involves Personal Information in the form of a hard-copy record contained in the Customer’s Deposit(s), at Customer’s direction sierra26 shall either return the Deposit(s) to Customer or securely destroy the Deposit(s). For the avoidance of doubt, sierra26 shall not remove records from Deposits.
  6. Privacy Safeguards. sierra26 shall implement and maintain reasonable security procedures and practices that are appropriate for the protection of Personal Information from unauthorized access, destruction, use, modification or disclosure. This Addendum supplements, and does not replace, any existing obligations related to the privacy and security of Personal Information or other personal data as set forth in the Agreement.
  7. Order of Precedence. This Addendum is supplemental to the Agreement. The terms and conditions of the Agreement apply to, and govern, the rights and obligations of the parties under this Addendum. If any terms and conditions contained in this Addendum are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be the controlling terms and conditions with respect to Personal Information.
  8. Miscellaneous. This Addendum is incorporated by reference into and made a part of the Agreement, and as such may be amended from time to time by sierra26 as described therein, subject to applicable law. Continued use of the services following amendment of this Addendum shall indicate your acceptance of such amendment.

Exhibit 2: sierra26 Business Associate Agreement

This Business Associate Agreement (“BAA”) is an addendum to your Agreement with sierra26 and is incorporated therein by reference. It is intended to supplement and amend the Agreement only in the event and to the extent sierra26 meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. §160.103 and may Use and/or Disclose PHI on your behalf, as a Covered Entity. Except to the extent modified in this BAA, all terms and conditions set forth in the Agreement shall remain in full force and effect and govern the services.

sierra26 and Customer are entering into this BAA in order for both parties to meet their respective obligations as they become effective and binding upon the parties under the HIPAA Privacy, Security, and Breach Notification Rules along with any implementing regulations including those implemented as part of the Omnibus Rule (collectively referred to as the “HIPAA Rules”), under which Customer is a “Covered Entity” or “Business Associate” and sierra26 is a “Business Associate” of Customer. For purposes of this Agreement, any references hereinafter to Business Associate shall be deemed references to sierra26.

  1. Definitions.

    Capitalized terms used but not otherwise defined in this BAA shall have the same meanings ascribed to those terms in the HIPAA Rules or in the Agreement, as applicable.
    1. “Breach Notification Rule” shall mean the rule for Breach Notification for Unsecured Protected Health Information at 45 CFR §164 Subpart D.
    2. “Business Associate” shall mean sierra26 to the extent it receives, maintains, or transmits Protected Health Information in delivering services to Customer.
    3. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996.
    4. “HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and including any implementing regulations.
    5. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR §160 and §164, Subparts A and E.
    6. “Protected Health Information” or “PHI” shall have the same meaning as the term ‘protected health information’ in 45 CFR §160.103 and shall be limited to the PHI created by Business Associate on behalf of Customer or received from or on behalf of Customer pursuant to the Agreement.
    7. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR §160 and §164, Subparts A and C.
  2. Obligations and Activities of Business Associate.
    1. Business Associate agrees to not Use or further Disclose PHI other than as permitted or required by this BAA or as required by law.
    2. Business Associate agrees to use appropriate safeguards, and comply, as applicable, with Subpart C of 45 CFR §164 with respect to electronic PHI, to prevent Uses or Disclosures of the PHI other than as provided for by this BAA or the Agreement; however, the parties acknowledge and agree it shall be the responsibility of Customer and not Business Associate to comply with requirements under 45 CFR §164.312 to implement encryption or decryption mechanisms for electronic PHI maintained on physical media (e.g. tapes) stored by Customer with Business Associate.
    3. Business Associate agrees to promptly report to Customer any Security Incident, Breach, or other Use or Disclosure of PHI of which it becomes aware that is not permitted or required by this BAA or the Agreement. In the event of a Breach, such notification shall be made in accordance with and as required of a business associate by the HIPAA Rules, including without limitation pursuant to 45 CFR 164.410, but in no event more than three (3) business days after Business Associate has completed its internal investigation and confirmed a Breach as occurred. Business Associate will provide reasonable assistance and cooperation in the investigation of any such Breach and shall document the specific Deposits which have been compromised, the identity of any unauthorized third party who may have accessed or received the PHI, if known, and any actions that have been taken by Business Associate to mitigate the effects of such Breach.
    4. Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), as applicable, ensure that any business associate that is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate for the purpose of assisting in providing services pursuant to the Agreement, agrees to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI through this BAA.
    5. If Business Associate has custody of PHI in a Designated Record Set with respect to Individuals, and if Customer so requests, Business Associate agrees to provide access to such PHI to Customer by retrieving and delivering such PHI in accordance with the terms and conditions of the Agreement, so that Customer may respond to an Individual in order to meet the requirements of 45 CFR §164.524.
    6. Business Associate agrees that if an amendment to PHI in a Designated Record Set in the custody of Business Associate is required, and if Customer instructs Business Associate to retrieve such PHI in accordance with the Agreement, Business Associate shall perform such service so that Customer may make any amendment to such PHI as may be required by either Customer or an Individual pursuant to 45 CFR §164.526.
    7. Business Associate agrees to document and make available to Customer the information required to provide an accounting of Disclosures of PHI, provided that Customer has provided Business Associate with information sufficient to enable Business Associate to determine which records or data received from or on behalf of Customer by Business Associate contain PHI. The documentation of Disclosures shall contain such information as would be required for Customer to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR §164.528 or other provisions of the HIPAA Rules.
    8. Business Associate shall promptly notify Customer of any requests by Individuals for access to or knowledge or correction of PHI, without responding to such requests, and Customer shall be responsible for receiving and responding to any such Individual requests.
    9. To the extent the Business Associate is to carry out one or more of Customer's obligation(s) under Subpart E of 45 CFR §164, Business Associate shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
    10. Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
  3. Permitted Uses and Disclosures by Business Associate.
    1. Business Associate may Use or Disclose PHI as necessary to perform the services set forth in the Agreement.
    2. Business Associate may Use or Disclose PHI as required by law.
    3. Business Associate agrees to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the Use, Disclosure, or request.
    4. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR §164 if done by Customer.
    5. Business Associate may Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the Disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  4. Obligations of Customer.
    1. Customer shall not direct Business Associate to act in a manner that would not be compliant with the HIPAA Rules.
    2. Customer shall notify Business Associate of any limitation(s) in its notice of privacy practices of Customer in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
    3. Customer shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose their PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
    4. Customer shall notify Business Associate in writing of any restriction to the Use or Disclosure of PHI that Customer has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
  5. Term and Termination.
    1. Term. The term of this BAA shall continue for the term of the Agreement and shall terminate automatically upon the later to occur of (i) the expiration or termination of the Agreement, or (ii) when all PHI provided by Customer to Business Associate is destroyed or returned to Customer.
    2. Termination for Cause. Upon a party’s knowledge of a material breach of the BAA by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach. If the breaching party does not cure the breach within thirty (30) days, following the breaching party’s receipt of a written notice from the non-breaching party setting forth the details of such material breach, then the non-breaching party shall have the right to terminate this BAA and the Agreement according to the terms of the Agreement, or, if termination is not feasible, shall report the problem to the Secretary or any other competent authority.
    3. Effect of Termination.
      1. Except as provided in Section 5.c.ii. below, upon termination of this BAA for any reason, Business Associate shall return or destroy all PHI received from Customer in accordance with the Agreement. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
      2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Customer notification of the conditions that make return or destruction infeasible. Upon notice to Customer, Business Associate shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI pursuant to the terms of the Agreement.
  6. Miscellaneous.
    1. Injunctive Relief. Business Associate acknowledges that any unauthorized Use or Disclosure of PHI by Business Associate may cause irreparable harm to Customer for which Customer shall be entitled, if it so elects, to seek injunctive or other equitable relief.
    2. Regulatory References. A reference in this BAA to a section of the HIPAA Rules shall mean that section of HIPAA, the Privacy Rule, the Security Rule, the HITECH ACT, or the final Omnibus Rules as amended and in effect, and for which compliance is required.
    3. Amendment. This BAA is incorporated by reference into and made a part of the Agreement, and as such may be amended from time to time by sierra26 as described therein, subject to applicable law. Continued use of the services following amendment of this BAA shall indicate your acceptance of such amendment.
    4. Survival. The respective rights and obligations of Business Associate under Section 5(c) above shall survive the termination of this BAA.
    5. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Customer, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
    6. Independent Contractor. Business Associate, including its directors, officers, employees and agents, is an independent contractor and not an agent (as defined under Federal common law of agency) of Customer or a member of its workforce. Without limiting the generality of the foregoing, Customer shall have no right to control, direct, or otherwise influence Business Associate’s conduct in the course of performing the services, other than through the enforcement of this BAA or the Agreement.
    7. Precedence; Entire Agreement. Any ambiguity in this BAA shall be resolved to permit the parties to comply with the HIPAA Rules. This BAA constitutes the entire agreement between the parties with respect to the subject matter hereof, and shall supersede all previous communications, representations, agreements and understandings relating to the HIPAA Rules, including any and all prior business associate agreements between the parties.