Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is entered into as of ____________________________ (the “Effective Date”) by and between Healthy Roster, Inc., a Delaware corporation (“Business Associate” or “Healthy Roster”), and _________________________________ (“Covered Entity” or “Licensee”).
WITNESSETH
WHEREAS, Healthy Roster and Covered Entity desire to protect the privacy and provide for the security of Protected Health Information (as defined herein) used by or disclosed to Healthy Roster in compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and other applicable laws and regulations;
WHEREAS, this BAA is to be utilized in connection with a license to Healthy Roster’s Electronic Medical Record Software or the Sway Medical mobile software issued under Healthy Roster’s Standard Terms of Service or a Master Services Agreement, should one exist;
WHEREAS, the Parties hereto acknowledge that each Party has certain obligations under HIPAA, as amended, including those provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”), and the regulations implementing the requirements to maintain privacy and security of Protected Health Information found at 45 C.F.R. Parts 160, 162, and 164.
NOW, THEREFORE, in consideration of the premises and the mutual covenants of this Agreement, the parties hereto agree as follows:
1. DEFINITIONS
Capitalized terms used, but not otherwise defined in this BAA, shall have the meanings given to them by the Master Service Agreement, if one exists, and if no such agreement exists, definitions shall have the meaning of Healthy Roster’s Standard Terms of Service. Additional definitions not outlined in either Software License Agreement shall have the meanings given in HIPAA and HITECH. For purposes of this BAA, the following terms shall have the following meanings:
a. Standard Terms of Service: “Standard Terms of Service” shall mean the terms of service that can be found at https://www.healthyroster.com/terms-of-use.
b. Master Service Agreement: “MSA” is a master service agreement that governs the terms of licensing of Healthy Roster software by and between the two parties, should one exist.
c. Protected Health Information (herein “PHI”) means Individually Identifiable Health Information that Healthy Roster receives from Covered Entity or from another business associate of Covered Entity or which Healthy Roster creates for Covered Entity, which is transmitted or maintained in any form or medium. “Protected Health Information” shall not include education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g, or education records described in 20 U.S.C. §1232g(a)(4)(B)(iv).
d. Breach shall have the meaning given to such term under 45 C.F.R. §164.402.
e. HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
f. Subcontractor shall have the meaning given to such term under 45 C.F.R. §160.103.
2. Use and Disclosure of PHI by Healthy Roster and Covered Entity
a. Healthy Roster agrees to use and disclose PHI only for the following purposes:
i. Except as otherwise provided in this BAA, Healthy Roster may use or disclose PHI as reasonably necessary to provide the services described in the Master Service Agreement to Covered Entity, and to undertake other activities of Healthy Roster permitted or required of Healthy Roster by this BAA or as required by law;
ii. For the proper management and administration of Healthy Roster or to carry out the legal responsibilities of Healthy Roster, provided the disclosures are (A) required by law, or (B) Healthy Roster obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Healthy Roster of any instances of which it is aware in which the confidentiality of the information has been breached;
iii. To provide data aggregation services relating to the balance characteristics or cognitive performance of persons or classes of persons tested using the Healthy Roster Software; or
iv. Where information has been de-identified in accordance with 45 C.F.R. §164.514(a)-(c).
b. Healthy Roster agrees to make uses and disclosures of PHI consistent with minimum necessary requirements under HIPAA, including, but not limited to:
i. identification of persons or classes of persons needing access to PHI to carry out duties and the associated categories of information to which each person or class of persons is permitted to access;
ii. implementation of reasonable efforts to limit access of such persons or classes to PHI to the categories of information identified as necessary;
iii. implementation of policies and procedures or criteria designed to limit PHI disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought;
iv. as necessary to permit Covered Entity to respond to requests by individuals for access to their PHI in accordance with 45 C.F.R. § 164.524, including by providing such information to Covered Entity, or at Covered Entity’s direction, to the individual, in the form and format requested, and within the timeframes required under the HIPAA Rules; and
v. limitation of any requests for information to the amount of information necessary to accomplish the purpose for which the request is made.
c. Healthy Roster may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity.
d. Healthy Roster will use appropriate administrative, technical, and physical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI, to prevent use or disclosure of Electronic PHI other than as provided for by this BAA;
e. Healthy Roster will report to Covered Entity, as soon as reasonably practicable, but not later than fifteen (15) days following discovery by Healthy Roster, any acquisition, access, use or disclosure of PHI not provided for in this BAA or not permitted under the applicable regulations, including, but not limited to, any impermissible access, acquisition, use or disclosure that is a Breach of unsecured PHI, together with any remedial or mitigating action taken or proposed to be taken with respect thereto. Healthy Roster will conduct a risk assessment with respect to any impermissible access, acquisition, use, or disclosure to determine the risk of actual compromise. Healthy Roster shall notify Covered Entity of any such impermissible access, acquisition, use, or disclosure, including the following information in such notice:
i. A brief description of how the impermissible access, acquisition, use, or disclosure occurred and how and when it was discovered;
ii. A description of whether unsecured PHI was involved in the impermissible access, acquisition, use, or disclosure, and the results of Healthy Roster’s risk assessment; and
iii. The steps Healthy Roster is taking to further investigate the impermissible access, acquisition, use, or disclosure to mitigate losses and to protect against further impermissible access, acquisition, use, or disclosure.
Healthy Roster shall cooperate with Covered Entity in mitigating any harmful effects of any such impermissible access, acquisition, use, or disclosure, and in making any required notification to individuals in the case of a Breach. Healthy Roster will make any amendment(s) to PHI in a record set directed or agreed to by the Covered Entity or take other measures as necessary to satisfy Covered Entity’s obligations under the HIPAA Rules related to amendment of PHI.
f. Healthy Roster will maintain and make available the information required to provide an accounting of disclosures to the Covered Entity within three (3) business days of a request for such information and as necessary to satisfy Covered Entity’s obligations under the HIPAA Rules related to accounting of disclosures. If Healthy Roster discloses PHI of Covered Entity in a manner that must be included in an accounting of disclosures under the HIPAA Rules, Healthy Roster will notify Covered Entity of such disclosure within seven (7) days.
g. To the extent Healthy Roster is to carry out one or more of Covered Entity’s obligation(s) under the HIPAA Rules, Healthy Roster will comply with the requirements of the HIPAA Rules that apply to the Covered Entity in the performance of such obligation(s).
h. Healthy Roster will make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
i. In accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Healthy Roster will ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Healthy Roster agree to the same restrictions, conditions, and requirements that apply to Healthy Roster with respect to such information. Upon termination of this BAA, Healthy Roster shall return or destroy all PHI received from Covered Entity, if feasible, and if not feasible, shall extend the protections of this BAA to such PHI and limit further uses and disclosures.
3. Use and Disclosure of Protected Health Information by Covered Entity
a. Covered Entity shall notify Healthy Roster of any limitation(s) in its privacy practices, to the extent that such limitation may affect Healthy Roster’s use or disclosure of PHI.
b. Covered Entity shall notify Healthy Roster of any changes in, or revocation of, the permission by an individual to use or disclose the individual’s PHI, to the extent that such changes may affect Healthy Roster’s use or disclosure of PHI.
c. Covered Entity shall notify Healthy Roster of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under the HIPAA Rules, to the extent that such restriction may affect Healthy Roster’s use or disclosure of PHI.
d. Covered Entity shall not request Healthy Roster to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity or other than as specifically described in this BAA.
4. Indemnification
Covered Entity agrees to defend, indemnify, and hold harmless Healthy Roster from and against any third-party claims, actions, proceedings, damages, costs, liabilities, losses, and expenses (including reasonable attorneys’ fees) arising out of or related to Covered Entity’s violation of the HIPAA Rules.
5. Notices
Any notice or communication required or permitted to be given hereunder may be delivered by hand, deposited with an overnight courier, or mailed by registered or certified mail, return receipt requested, postage prepaid, if to Healthy Roster, to the address below, and if to Company, to the address indicated below, or at such other address as may hereafter be furnished in writing by either Party hereto to the other. Such notice will be deemed to have been given as of the date it is delivered, mailed, or sent, whichever is earlier.
If to Company:
Name
Attn:
Address:
City/State/Zip:
Phone:
With an e-mail copy to:
If to Healthy Roster:
Healthy Roster, Inc.
Attn: Privacy Officer
PO Box 1114
Dublin, OH 43017
With an e-mail copy to: privacy@healthyroster.com
Either Party may change the address to which notice or payment is to be sent by written notice to the other Party pursuant to the provisions of this Section.
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.
Last Updated: 3/22/26