Business Associate Agreement

This Business Associate Agreement (“BA Agreement”) is by and between Next Day Contacts, LLC, having its principal office at 207 E Ohio Street, #233, Chicago, IL, 60611 (“Visibly”), and Partner (as defined in the Contact Lens Store Agreement), (each a “Party” and collectively the “Parties”).

APPLICABILITY

Visibly and Partner have entered into a Contact Lens Store Agreement pursuant to which Visibly provides Contacts Services to Partner (“Service Agreement”). Consequently, Visibly may, but will not necessarily, provide services to Partner in a manner that gives Visibly access to Protected Health Information (“PHI”) as defined under 45 C.F.R. § 160.103. The terms of this BA Agreement apply only if and to the extent Partner implements the Contacts Services for use on behalf of a Covered Entity or is a Covered Entity and Visibly acts as a Business Associate of Partner pursuant to 45 C.F.R. § 160.103 as a consequence of Visibly’s access to information covered by applicable provisions of HIPAA or HITECH (as defined below).

RECITALS

WHEREAS, Partner recognizes that Visibly may need to use, disclose, create, or request Protected Health Information (“PHI”) (as defined below) that is subject to protection under the HIPAA Rules in the course of furnishing services for or on behalf of Partner pursuant to the Service Agreement;

WHEREAS, Partner and Visibly mutually accept the terms of agreement set forth below in accordance with the requirements of the Privacy and Security Rules, and HITECH so that Visibly may use, disclose, create and request Protected Health Information in connection with furnishing services for or on behalf of Partner.

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

  1. Definitions. Except as otherwise defined in this BA Agreement, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Service Agreement. The following capitalized terms have the following meaning when used in this BA Agreement:
    1. Service Agreement means the Contact Lens Store Agreement entered into between Visibly and Partner, including the Terms and Conditions of the Agreement.
    2. Business Associate has the meaning ascribed to that term by 45 C.F.R. § 160.103.
    3. C.F.R. means the Code of Federal Regulations.
    4. Covered Entity has the meaning ascribed to that term by 45 C.F.R. § 160.103 and, for purposes of this BA Agreement, is a Covered Entity for which Visibly acts as a Business Associate pursuant to a business associate contract in compliance with the Privacy and Security Rules and HITECH.
    5. DHHS means the U.S. Department of Health and Human Services, its Secretary and its various components.
    6. Electronic Protected Health Information or ePHI has the meaning ascribed to that term in 45 C.F.R. § 160.103 and, for purposes of this BA Agreement, is ePHI that Visibly creates, receives, maintains or transmits for or on behalf of Partner acting as a Covered Entity or a Business Associate of one or more Covered Entities in the course of Visibly providing services under the Service Agreement.
    7. Health Care Operations has the meaning ascribed to that term by 45 C.F.R. § 164.501, as clarified by HITECH § 13406(a).
    8. HIPAA collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.
    9. HITECH means the Health Information Technology for Economic and Clinical Health Act (which is part of Public Law 111-005).
    10. Individual has the meaning ascribed to that term by 45 C.F.R. § 160.103.
    11. Privacy Rule means the federal regulation promulgated at 45 C.F.R. Part 164, Subpart E.
    12. Protected Health Information or PHI has the meaning ascribed to that term by 45 C.F.R. § 160.103 and, for purposes of this BA Agreement, is PHI that Visibly uses, creates, maintains, transmits or receives (i) on behalf of Partner acting as a Business Associate of one or more Covered Entities or as a Covered Entity, and (ii) in the course of performance of the Service Agreement. PHI includes ePHI and Unsecured PHI.
    13. Required By Law has the meaning ascribed to that term by 45 C.F.R. § 164.103.
    14. Security Incident has the meaning ascribed to that term by 45 C.F.R. § 164.304.
    15. Security Rule means the federal regulation promulgated at 45 C.F.R. Part 164, Subpart C.
    16. Unsecured Protected Health Information or Unsecured PHI has the meaning ascribed to that term by 45 C.F.R. § 164.402 and, for purposes of this BA Agreement, is Unsecured PHI that Visibly uses, creates, maintains, transmits or receives (i) on behalf of Partner acting as a Business Associate of one or more Covered Entities or as a Covered Entity, and (ii) in the course of performance of the Service Agreement.
  2. Independent Contractor. Visibly is an independent contractor with respect to Partner in that Visibly furnishes Services, pursuant to the Service Agreement, for and on behalf of Partner, but does not and is not authorized to represent or otherwise serve as agent of Partner.
  3. Privacy of Protected Health Information.
    1. Permitted Uses and Disclosures.
      1. Performance of the Service Agreement. Except as otherwise limited in this BA Agreement, Visibly may Use and Disclose Protected Health Information for, or on behalf of, Partner as specified in the Service Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Partner, unless expressly permitted under paragraph ii of this Section 3.
      2. Other Uses. Except as otherwise limited in this BA Agreement, Visibly may Use and Disclose Protected Health Information for the proper management and administration of Visibly and/or to carry out the legal responsibilities of Visibly, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Visibly obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Visibly of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached. Visibly may also use PHI to provide Data Aggregation services to Partner as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
  4. Responsibilities of the Parties with Respect to Protected Health Information
    1. Visibly Responsibilities. To the extent Visibly is acting as a Business Associate, Visibly agrees to the following:
      1. Limitations on Use and Disclosure. Visibly shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the Service Agreement and/or this BA Agreement or as otherwise Required by Law. Visibly shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the Service Agreement and/or this BA Agreement. Visibly shall not use Protected Health Information for any advertising, Marketing or other commercial purpose of Visibly or any third party. Visibly shall not violate the HIPAA prohibition on the sale of Protected Health Information. Visibly shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.
      2. Safeguards. Visibly shall: (1) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this BA Agreement; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.
      3. Reporting. Visibly shall report to Partner: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BA Agreement of which Visibly becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Partner’s Unsecured Protected Health Information that Visibly may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than thirty (30) business days after Visibly’s determination of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with Visibly’s and Partner’s legal obligations.
      4. For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Visibly’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Visibly’s obligation to report under this Section is not and will not be construed as an acknowledgement by Visibly of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
      5. Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Visibly shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of Visibly to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to Visibly with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Visibly remains responsible for its Subcontractors’ compliance with obligations in this BA Agreement.
      6. Disclosure to the Secretary. Visibly shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Partner to the Secretary of the Department of Health and Human Services for purposes of determining Partner’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.
      7. Access. To the extent Visibly maintains Protected Health Information in a Designated Record Set for Partner, then Visibly, at the request of Partner, shall within ten (10) days make access to such Protected Health Information available to Partner in accordance with 45 CFR § 164.524 of the Privacy Rule. Consistent with 45 C.F.R. 164.524, Visibly’s obligation will be limited to the extent such PHI is in the sole possession of Visibly and is not duplicative of PHI held by Partner, or the Covered Entity to which Partner is acting as a Business Associate (if applicable). The provision of the access to the individual’s PHI and any denials of access to the PHI shall be the responsibility of Partner.
      8. Amendment. To the extent Visibly maintains Protected Health Information in a Designated Record Set for Partner, then Visibly, at the request of Partner, shall within thirty (30) days make available such Protected Health Information to Partner for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule. The amendment of an individual’s PHI and all decisions related thereto shall be the responsibility of Partner.
      9. Accounting of Disclosure. Visibly, at the request of Partner, shall within thirty (30) days make available to Partner such information relating to Disclosures made by Visibly as required for Partner to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.
      10. Performance of a Covered Entity’s Obligations. To the extent Visibly is to carry out a Covered Entity’s obligation under the Privacy Rule, Visibly shall comply with the requirements of the Privacy Rule that apply to Partner in the performance of such obligation.
    2. Partner Responsibilities.
      1. No Impermissible Requests. Partner shall not request Visibly to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).
      2. Safeguards and Appropriate Use of Protected Health Information. Partner is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Partner’s obligation to encrypt and secure ePHI in its custody that is at rest or in motion using Encryption that is at least as stringent as the technologies and methodologies that DHHS deems, in guidance published on its web site pursuant to HITECH § 13402(h)(2), render PHI unusable, unreadable, or indecipherable to unauthorized persons or entities. All email transmissions containing PHI shall be encrypted, secured and meet the standards under 45 C.F.R. § 164.312(e) for (i) transmission security and (ii) integrity controls and encryption.
      3. Notices of Privacy Practices. To the extent that it may impact Visibly’s use or disclosure of PHI, Partner agrees to inform Visibly in writing of: any limitation in its Notice of Privacy Practices; any changes to or revocation of a patient’s authorization with respect to PHI; any restriction to a use or disclosure agreed to by Partner with respect to a patient’s PHI; and any opt-out by a patient from marketing or fundraising activities by Partner.
      4. Minimum Necessary. Partner will, in its performance of the functions, activities and services involving PHI permitted by this BA Agreement, make reasonable efforts to use, disclose, or request only the minimum PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request as required by 45 C.F.R. § 164.502(b)(1) and HITECH § 13405(b), including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure.
  5. Notices. Any notice that a party is required or desires to give under this BA Agreement shall be delivered as set forth under Section 11.3 (Notices) of the Service Agreement Terms and Conditions.
  6. Term and Termination. This BA Agreement shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in this Section 6, or (2) expiration of the Service Agreement. Upon written notice, either Party immediately may terminate the Service Agreement and this BA Agreement if the other Party is in material breach or default of any obligation in this BA Agreement. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice. Upon expiration or termination of this BA Agreement, Visibly shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Service Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this BA Agreement, then Visibly shall extend the protections of this BA Agreement, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.
  7. Amendment. Upon the compliance date of a statute or regulation or amendment to statute or regulation that affects either party’s obligations under this BA Agreement, this BA Agreement will automatically amend such that the obligations imposed on the parties by this BA Agreement remain in compliance with all applicable statutes and regulations then in effect, unless a party elects to terminate this BA Agreement in accordance with Section 6 above.
  8. Conflicts. The terms and conditions of this BA Agreement will override and control any conflicting term or condition of the Service Agreement and its Terms and Conditions or any other agreement or understanding between the parties.
  9. Interpretation. The Parties intend that this BA Agreement be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. This BA Agreement cannot authorize the Parties to Use or Disclose PHI in a manner that would violate any applicable rule or regulation of HIPAA and should not be interpreted to do so.
  10. No Third-Party Beneficiaries. Nothing express or implied in this BA Agreement is intended to confer, nor shall anything in this BA Agreement confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.