Eyefinity Optical Laboratory Business Associate Agreement
This Agreement is entered into between Eyefinity, Inc., a Delaware corporation (“Covered Entity”) and ___________________ (“Business Associate”), an optical laboratory which participates in electronic transactions and obtains related services through the Eyefinity web site and is effective as of XXX, XX, 201X, upon execution.
Whereas, under the terms of the Contract, Covered Entity is disclosing Protected Health Information (“PHI”) received from eye care providers utilizing Covered Entity’s website services to Business Associate. Whereas, Covered Entity and Business Associate acknowledge that certain of their activities under the Contract are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule (45 CFR Section 164.504) and the Security Rule (45 CFR Section 164.314) and the Standards for Security of Electronic Protected Health Information (45 CFR Parts 160 and 164, Subpart C) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and regulations thereunder, as amended from time to time.
- “Breach” shall have the same meaning as the term “breach” as used in 45 CFR 164.402 which states a breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted under 45 CFR 164 subpart E which compromises the security or privacy of the PHI.
- “Business Associate” shall mean the entity designated above.
- “Covered Entity” shall mean the entity designated above.
- “Electronic Protected Health Information” (ePHI) shall have the same meaning as the term “electronic protected health information” as defined in 45 CFR 160.103.
- “Individual” shall have the same meaning as the term “individual” as used in 45 CFR 160.103, and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
- “Parties” shall mean the Covered Entity and Business Associate jointly.
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information in 45 CFR Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” (PHI) shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
- “Secretary” shall mean the Secretary of the Department of Health and Human Services or designee.
- “Security Rule” shall mean the Security Standards for Protection of Electronic Protected Health Information in 45 CFR Part 160 and Part 164, Subparts A and C.
Terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1302d (“HIPAA”), the Health Information Technology Act of 2009 (“HITECH Act”), as set forth in Sections 13400 through 13424, inclusive, of Public Law 111-5, and any current and future regulations promulgated under either, all of which are collectively referred to herein as the “Regulations”.
Obligations of Business Associate
Business Associate agrees:
- Not to use or disclose PHI other than as permitted or required by the Agreement or as required by law;
- Use the appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the Agreement;
- Report to Covered Entity, as soon as practicable, but no later than thirty (30) days after discovery, any use, disclosure or security incident of PHI not provided for by this Agreement as required at 45 CFR 164.410. Such report shall include all available information required, including: (i) the identity of each Individual whose PHI has been or is believed to have been accessed, acquired, used or disclosed during the Breach, (ii) the nature of the incident, (iii) the corrective actions Business Associate took or will take to prevent further incidents, and (iv) any additional information as required relating to the Breach;
- If applicable, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
- Make available PHI in a designated record set as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
- Conduct, where applicable, electronic transactions, for which the Department of Health and Human Services has established standards, on behalf of the Covered Entity, pursuant to the requirements of 45 CFR Part 162, and require that any agent or subcontractor involved in conducting these transactions maintains compliance with these requirements;
- Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
- Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528;
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the Privacy and Security Rules; and
- Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of the Covered Entity available to the Covered Entity within ninety (90) days of the Covered Entity’s request, for the purpose of monitoring Business Associate’s compliance with the Agreement, HIPAA, the Privacy Rule, the Electronic Transactions Rule, and the HITECH Act, as applicable.
Permitted Uses and Disclosures by Business Associate
- Business Associate may use or disclose PHI as necessary to perform its obligations and services, provided that such use and disclosure would not violate the Privacy or Security Rules;
- Business Associate may use or disclose PHI as required by law;
- Business Associate may use PHI to create de-identified health information in accordance with 45 CFR 164.514(b);
- Business Associate agrees to make uses and disclosures of, and requests for, PHI consistent with the minimum necessary procedures; and
- Business Associate may use PHI to report violations of the law to the appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
- Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI;
- Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
- Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under 45 CFR Part 164 Subpart E.
Term and Termination
- Term. The Term of this Agreement shall be effective as of the execution date of the Agreement and shall terminate when all PHI is destroyed or returned to the Covered Entity.
- Termination for Cause. Business Associate authorizes termination of the Agreement by Covered Entity, if Covered Entity determines Business Associate has committed a violation or a material breach of the Agreement and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity. Covered Entity will provide Business Associate with a reasonable opportunity to cure such breach or violation.
- Obligations of Business Associate upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
  - Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
  - Return or destroy the remaining PHI that the Business Associate still maintains in any form;
  - In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make such return or destruction infeasible. Upon mutual further agreement of the Parties that return or destruction of PHI is infeasible, Business Associate shall continue to use appropriate safeguards to comply with 45 CFR Part 164 Subpart C with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
  - Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set under “Permitted Uses and Disclosures by Business Associate” which applied prior to termination; and
  - Return or destroy the PHI retained by Business Associate when it is no longer needed for proper management and administration or to carry out its legal responsibilities.
- Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
Business Associate shall, to the extent permitted by law, agree to indemnify and hold harmless the Covered Entity (including its officers, directors, employees, agents and administrators) from and against any and all claims, causes of action, liabilities, damages, and costs (including without limitation, reasonable attorney’s fees) arising out of or related to any breach of any of the terms and provisions of this Agreement by the Business Associate (including without limitation its employees, agents, representatives, contractors, or subcontractors).
- Regulatory References. A reference in this Agreement to a section in the Privacy and Security Rules means the section as in effect or amended.
- Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time for compliance with the requirements of the Privacy and Security Rules and any other applicable law.
- Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the Privacy and Security Rules.
In witness whereof the parties have executed this Agreement with an effective date of ___________________ .
Name: (Please print)
Name: (Please print)