top of page

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is a binding agreement between Lyv Health, Inc. (“Business Associate”) and the individual or entity that registers for, accesses, or uses the Lyv platform as an Associate (“Associate”).

​

By creating an account, signing up for, accessing, or using the Services, Associate agrees to be bound by this Agreement.

 

The “Effective Date” of this Agreement is the date Associate first creates an account or otherwise accesses or uses the Services. 

​

This Agreement is incorporated into and forms part of the Associate Terms of Service.

 

WHEREAS, Business Associate has a business relationship with one or more Covered Entities that has been memorialized in an underlying agreement (the “Underlying Contract”) pursuant to which Business Associate may be considered a “Business Associate” of Covered Entity as defined in Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including all pertinent regulations set forth in Title 45, Parts 160 and 164 of the Code of Federal Regulations issued by the U.S. Department of Health and Human Services as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”);

​

WHEREAS, the nature of the contractual relationship in the Underlying Contract between Covered Entity and Business Associate may involve the use and/or disclosure of Protected Health Information (“PHI”) from Business Associate to Associate; and

​

WHEREAS, the parties desire to comply with HIPAA and the Final Rule for Standards for Privacy of Individually Identifiable Health Information adopted by the United States Department of Health and Human Services and codified at 45 C.F.R. part 160 and part 164, subparts A & E (the “Privacy Rule”), the HIPAA Security Rule, codified at 45 C.F.R. Part 164 Subpart C (the “Security Rule”) and HITECH including 45 C.F.R. Sections 164.308, 164.310, 164.312 and 164.316. 

​

This Agreement is effective upon Associate’s registration for, access to, or use of the Services. Lyv may update this Agreement from time to time by providing notice through the Services or by email. Associate’s continued use of the Services after such notice constitutes acceptance of the updated Agreement.

​

NOW THEREFORE, the parties to this Agreement hereby agree as follows:

​

  1. Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 C.F.R. Parts 160 and 164, as may be amended from time to time.
     

  2. Obligations and Activities of Associate.

    1. Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law, provided such use or disclosure would also be permissible by law by Business Associate. 

    2. Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. 

    3. Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity and availability of ePHI as required by the “Security Rule”, including those safeguards required pursuant to 45 C.F.R. §§164.308, 164.310, 164.312, 164.314 and 164.316, in the same manner that those requirements apply to Business Associate pursuant to 45 C.F.R. §164.504.

    4. Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Associate of a use or disclosure of PHI by Associate in violation of the requirements of this Agreement.

    5. Associate agrees to report to Business Associate any use or disclosure of PHI not permitted by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. Notwithstanding the foregoing, the parties acknowledge and agree that this Section constitutes notice by Associate to Business Associate of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Business Associate shall be required. “Unsuccessful Security Incidents” shall mean pings and other broadcast attacks on Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI.

    6. Associate agrees to ensure that in accordance with §164.502(e)(1)(ii), any subcontractors, contractors, or agentsthat create, receive, maintain, or transmit PHI on behalf of Associate agree to the same or substantially similar restrictions and conditions that apply to Associate with respect to such information. 

    7. Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Business Associate directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Business Associate or an Individual, and in the time and manner designated by Business Associate. If Associate receives a request for amendment to PHI directly from an Individual, Associate shall notify Business Associate upon receipt of such request.

    8. Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created, maintained or received by Associate on behalf of Business Associate available to Business Associate, or at the request of Business Associate, to the Secretary, in a time and manner designated by Business Associate or the Secretary, for the purposes of the Secretary determining Business Associate’s compliance with the Privacy Rule and Security Rule. 

    9. Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.

    10. Associate agrees to provide to Business Associate or an Individual, in a time and manner designated by Business Associate, information collected in accordance with this Agreement, to permit Business Associate to respond to a request by an individual for an accounting of disclosures for PHI in accordance with 45 C.F.R. §164.528.

    11. To the extent Associate is to carry out a Business Associate’s obligation under the HIPAA Privacy Rule, Associate shall comply with the requirements of the Privacy Rule that apply to the Business Associate in the performance of such obligation.

    12. Associate shall, following the discovery of a Breach of Unsecured PHI, promptly and within no more than five (5) business days, notify Business Associate of such Breach.  Such notice shall include: (i) the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Associate to have been accessed, acquired or disclosed during such Breach; (ii) a brief description of what happened, including the date of the Breach and discovery of the Breach; (iii) a description of the type of Unsecured PHI that was involved in the Breach; (iv) a description of the investigation into the Breach, mitigation of harm to the individuals and protection against further Breaches; (v) the results of any and all investigation performed by Associate related to the Breach; and (vi) contact information of the most knowledgeable individual for Business Associate to contact relating to the Breach and its investigation into the Breach.

    13. Associate hereby agrees to comply with state laws applicable to an individual’s PHI and other personal information it receives from Business Associate.

    14. Associate agrees that no PHI may be received, maintained, stored, accessed or transmitted outside of the United States of America, except by or to a wholly owned subsidiary of Associate, or to Associate’s foreign operations, in which case the provisions of this Agreement shall apply completely and without exception to such foreign operations.

    15. Associate is not acting as a healthcare provider through the Lyv platform and is not authorized to provide clinical services through the platform unless expressly approved in writing by Business Associate. 

    16. Associate shall access PHI solely through the Lyv Health platform and solely during the term of Associate’s authorized relationship with Business Associate. Associate shall not download, store, retain, copy, or otherwise maintain PHI outside of the Lyv Health platform, except as expressly authorized in writing by Business Associate. Upon termination or suspension of Associate’s access, all access to PHI shall immediately cease.
       

  3. Permitted Uses and Disclosures by Associate.

    1. Except as otherwise limited to this Agreement, Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Business Associate, provided that such use or disclosure would not violate the Privacy Rule if done by Business Associate or the minimum necessary policies and procedures of Business Associate required by 45 C.F.R. §164.514(d). Associate acknowledges that all laboratory testing, prescriptions, and other healthcare services are initiated solely by the Individual or by third-party providers independent of Associate, and that Associate has no authority to order, prescribe, approve, or modify such services.

    2. Except as otherwise limited in this Agreement, Associate may use PHI for the proper management and administration of the Associate or to carry out the legal responsibilities of the Associate.

    3. Except as otherwise limited in this Agreement, Associate may disclose PHI for the proper management and administration of the Associate, provided that disclosures are Required By Law, or Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

    4. Except as otherwise limited in this Agreement, Associate may not use PHI to provide Data Aggregation services to Business Associate as permitted by 45 C.F.R. §164.504 (e)(2)(i)(B). Nothing in this Agreement shall restrict Business Associate from using PHI, including in aggregated or de-identified form, for analytics, quality improvement, operational, or product improvement purposes as permitted by applicable law.

    5. Associate is not authorized to De-Identify PHI in accordance with the standards set forth at 45 CFR 164.514. For the avoidance of doubt, Business Associate retains the right to de-identify PHI and to use such de-identified information for lawful purposes.

    6. Associate may access PHI only for Individuals who have affirmatively authorized such access through the Services, and only for the duration of such authorization. Individuals may revoke authorization at any time, in which case Associate’s access will be reduced or terminated accordingly.

  4.  Obligations of Business Associate.

    1. Business Associate shall notify Associate of any limitation(s) in the Notice of Privacy Practices of Business Associate in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Associate’s use or disclosure of PHI. 

    2. Business Associate shall notify Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent that such changes may affect Associate’s use or disclosure of PHI. 

    3. Business Associate shall notify Associate of any restriction to the use or disclosure of PHI that Business Associate has agreed to in accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Associate’s use or disclosure of PHI.
       

  5. Permissible Requests by Business Associate.
    Business Associate shall not request Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Business Associate. For the avoidance of doubt, Associate is not authorized to perform data aggregation, analytics, or population-level analysis involving PHI, except as expressly directed by Business Associate for the limited purpose of supporting Business Associate’s operations.
     

  6. Term and Termination.

    1. The term of this Agreement shall begin as of the effective date of the date and shall terminate when all of the PHI provided by Business Associate to Associate, or created or received by Associate on behalf of Business Associate, is destroyed or returned to Business Associate, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this Section.

    2. Upon Business Associate’s knowledge of a material breach by Associate, Business Associate shall either: 

      1. Provide an opportunity for Associate to cure the breach or end the violation and terminate this Agreement if Associate does not cure the breach or end the violation within the time specified by Business Associate.

      2. Immediately terminate this Agreement if Associate has breached a material term of this Agreement and cure is not possible; or

      3. If neither termination nor cure is feasible, Business Associate shall report the violation to the Secretary.

    3. Except as provided in paragraph (d) of this Section, upon any termination or expiration of this Agreement, Associate shall return or destroy all PHI received from Business Associate or created or received by Associate on behalf of Business Associate.  This provision shall apply to PHI that is in the possession of Associates or agents of Associate. Associate shall retain no copies of the PHI.  Associate shall ensure that its Associates or vendors return or destroy any of Business Associate’s PHI received from Associate. 

    4. In the event that Associate determines that returning or destroying the PHI is infeasible, Associate shall provide to Business Associate notification of the conditions that make return or destruction infeasible.  Upon Business Associate’s written agreement that return, or destruction of PHI is infeasible, Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI for those purposes that make the return or destruction infeasible, for so long as Associate maintains such PHI. 

    5. The respective rights and obligations of Associate under Section 6(c) and (d) of this Agreement shall survive the termination of this Agreement.
       

  7. Miscellaneous.

    1. A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended. 

    2. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Business Associate to comply with the requirements of HIPAA, the Privacy and Security Rules and HITECH.

    3. Any ambiguity in this Agreement shall be resolved to permit Business Associate to comply with HIPAA and HITECH.

    4. Associate is solely responsible for all decisions made by Associate regarding the safeguarding of PHI. 

    5. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer upon any person other than Business Associate, Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever. 

    6. Modification of the terms of this Agreement shall not be effective or binding upon the parties unless and until such modification is committed to writing and accepted by Associate as described above. 

    7. This Agreement shall be binding upon the parties hereto, and their respective legal representatives, trustees, receivers, successors and permitted assigns. 

    8. Should any provision of this Agreement be found unenforceable, it shall be deemed severable, and the balance of the Agreement shall continue in full force and effect as if the unenforceable provision had never been made a part hereof. 

    9. This Agreement and the rights and obligations of the parties hereunder shall in all respects be governed by, and construed in accordance with, the laws of the State of Delaware, including all matters of construction, validity and performance. 

    10. Any notices required under this Agreement may be provided by Business Associate via email and will be effective when sent or posted. 

    11. This Agreement, including such portions as are incorporated by reference herein, constitutes the entire agreement by, between and among the parties, and such parties acknowledge by their acceptance of this Agreement that they do not rely upon any representations or undertakings by any person or party, past or future, not expressly set forth in writing herein.

    12. Associate shall maintain or cause to be maintained sufficient insurance coverage as shall be necessary to insure Associate and its employees, agents, representatives or Associates against any and all claims or claims for damages arising under this Associate Agreement and such insurance coverage shall apply to all services provided by Associate or its agents or Associates pursuant to this Associate Agreement.

    13. Associate shall indemnify, hold harmless and defend Business Associate from and against any and all claims, losses, liabilities, costs and other expenses (including but not limited to, reasonable attorneys’ fees and costs, administrative penalties and fines, costs expended to notify individuals and/or to prevent or remedy possible identity theft, financial harm, reputational harm, or any other claims of harm related to a breach) incurred as a result of, or arising directly or indirectly out of or in connection with any acts or omissions of Associate, its employees, agents, representatives or Associates, under this Associate Agreement, including, but not limited to, negligent or intentional acts or omissions.  This provision shall survive termination of this Agreement.
       

  8. Independent Relationship. Nothing in this Agreement creates an employment, agency, partnership, or joint venture relationship between Business Associate and Associate. Associate is an independent professional and accesses PHI only as authorized by Individuals through the Services.
     

Associate acknowledges and agrees that by creating an account, signing up for, accessing, or using the Services, Associate is electronically accepting this Agreement and that such acceptance constitutes a legally binding agreement between Associate and Business Associate.

bottom of page