BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is incorporated by reference and made a part of the Sniffle Terms of Use and is entered into by and between Sniffle Health Inc. (“Business Associate”), and the applicable healthcare provider that has agreed to the Terms of Use (“Covered Entity”).

RECITALS

WHEREAS, Covered Entity and Business Associate are parties to one or more agreements or arrangements whereby Business Associate provides services for and on behalf of Covered Entity (the “Underlying Agreement(s)”), that may involve the use or disclosure of Protected Health Information (“PHI”), as defined below;

WHEREAS, the parties desire to safeguard PHI consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 Pub. L. No. 104-191 (“HIPAA”), as amended by the final regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, as part of the American Recovery and Reinvestment Act of 2009, at Pub. L. No. 111-5, and the Privacy Rule, Security Rule and Breach Notification Rule (each as defined below) promulgated thereunder (collectively “HIPAA Rules”); and

WHEREAS, the parties agree that this BAA is only applicable if and when Business Associate is acting in such a way as to establish a business associate relationship with Covered Entity under 45 C.F.R. § 160.103.

NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, Covered Entity and Business Associate hereby agree as follows:

  1. DEFINITIONS. For purposes of this BAA:
    1. “Breach” shall have the same meaning given to such term in 45 C.F.R. § 164.402.
    2. “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information codified at 45 C.F.R. Parts 160 and 164, Subpart D.
    3. “Business Associate” shall have the same meaning given to such term in 45 C.F.R. § 160.103, and in reference to the party to this BAA shall mean the Business Associate identified in the opening paragraph when acting in such a way as to establish a business associate relationship under 45 C.F.R. § 160.103.
    4. “Designated Record Set” shall have the same meaning given to such term in 45 C.F.R. § 164.501.
    5. “Electronic Protected Health Information” or (“EPHI”) shall have the meaning given to such term in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    6. “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
    7. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
    8. “Protected Health Information” or (“PHI”) shall have the meaning given to such term in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    9. “Required By Law” shall have the same meaning given to such term in 45 C.F.R. § 164.103.
    10. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
    11. “Security Incident” shall have the same meaning given to such term in 45 C.F.R. § 164.304.
    12. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
    13. “Unsecured PHI” shall have the same meaning given to such term in 45 C.F.R. § 164.402, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
    14. All other terms used, but not otherwise defined, in this BAA, shall have the same meaning as those terms in HIPAA, the HITECH Act, or the HIPAA Rules, as applicable.
  2. PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE
    1. Performing Functions and Services. Business Associate may use and disclose PHI to perform functions, activities or services for, or on behalf of Covered Entity, including as specified in the Underlying Agreement(s).
    2. Reporting Violations. Business Associate may use and disclose PHI as Required by Law and to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
    3. Use and Disclosure for Management and Administration. Business Associate may use and disclose PHI for the proper management and administration of its business and to carry out the legal responsibilities of Business Associate; however, Business Associate may only disclose PHI for such purposes if the disclosure is (i) Required by Law or (ii) Business Associate obtains reasonable assurances from any recipient of such PHI that (a) the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the recipient, and (b) the recipient will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI was breached.
    4. Data Aggregation. Business Associate may provide data aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
    5. De-Identification. Business Associate may de-identify PHI as permitted by 45 C.F.R. § 164.514, and may use and disclose de-identified information, provided that any such use or disclosure is consistent with applicable law. De-identified information no longer constitutes PHI subject to the terms and conditions of this BAA.
  3. PRIVACY RULE OBLIGATIONS OF BUSINESS ASSOCIATE.
    1. Limitation on Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this BAA, the Underlying Agreement(s), or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule and this BAA.
    2. Appropriate Safeguards. Business Associate shall use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as permitted by this BAA, the Underlying Agreement(s), or as Required by Law.
    3. Obligations on Behalf of Covered Entity. To the extent Business Associate carries out an obligation for which Covered Entity is responsible under the Privacy Rule, Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
    4. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of HIPAA, the Underlying Agreement(s), or this BAA.
    5. Reporting of Improper Use or Disclosure. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA promptly after Business Associate becomes aware of such use or disclosure.
    6. Business Associate’s Subcontractors. Business Associate shall ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially similar restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI.
    7. Access to PHI. Only to the extent Business Associate agrees to maintain PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall provide Covered Entity access to such PHI within fifteen (15) days of receipt of a written request by Covered Entity, in order for Covered Entity to meet its obligations under the Privacy Rule at 45 C.F.R. § 164.524. If an Individual submits a request for access directly to Business Associate, Business Associate shall notify Covered Entity after receiving such request. Covered Entity shall be responsible for responding to such requests.
    8. Amendment of PHI. Only to the extent Business Associate agrees to maintain PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall provide access to such PHI to Covered Entity, within thirty (30) days of receipt of a written request by Covered Entity, in order for Covered Entity to meet its obligations under 45 C.F.R. § 164.526. If an Individual requests an amendment of PHI directly from Business Associate, Business Associate shall notify Covered Entity after receiving such request. Covered Entity shall be responsible for responding to such requests. Any denial of amendment of PHI maintained by Business Associate shall be the responsibility of Covered Entity.
    9. Accounting/Documentation of Disclosures. To the extent applicable, Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Privacy Rule at 45 C.F.R. § 164.528. Business Associate shall provide Covered Entity with such documentation within thirty (30) days of receipt of a written request from Covered Entity. If an Individual submits a request for an accounting of disclosures of PHI directly to Business Associate, Business Associate shall notify Covered Entity of such request and provide Covered Entity the aforementioned documentation. Covered Entity shall be responsible for responding to such requests.
    10. Government Access to Records. Business Associate documentation its internal practices, books and records, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, for purposes of determining compliance with the HIPAA Rules.
    11. Minimum Necessary. Business Associate agrees to comply with the minimum necessary standard for Business Associates as set forth in the Privacy Rule, 45 C.F.R. § 164.502(b).
  4. SECURITY RULE OBLIGATIONS OF BUSINESS ASSOCIATE.
    1. Compliance with the Security Rule. Business Associate shall comply with the Security Rule with respect to EPHI, and have in place reasonable and appropriate Administrative, Physical, and Technical Safeguards to protect the Confidentiality, Integrity, and Availability of EPHI and to prevent use or disclosure of EPHI other than as permitted by this BAA, the Underlying Agreement(s), or as Required by Law.
    2. Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.
    3. Security Incident. Business Associate shall promptly report to Covered Entity any Security Incident involving EPHI of which it becomes aware. Business Associate shall not be required to report unsuccessful attempts and notice is hereby deemed provided, and no further notice will be provided, for unsuccessful Security Incidents, which shall include, but not be limited to, unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, port scans, unsuccessful login attempts, denial of service attacks, or interception of encrypted information, so long as such incidents do not result, to the extent Business Associate is aware, in unauthorized access, use or disclosure of Covered Entity’s EPHI.
  5. BREACH NOTIFICATION RULE OBLIGATIONS OF BUSINESS ASSOCIATE
    1. Notification Requirement. To the extent Business Associate accesses, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses Unsecured PHI, following the discovery of a Breach of Unsecured PHI, Business Associate will notify Covered Entity of any such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay, and in no case later than sixty (60) days after discovery of the Breach.
    2. Discovery of Breach. For purposes of reporting a Breach to Covered Entity, the discovery of a Breach shall occur on the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence would have been known to any person (other than the person committing the Breach) who is an employee, officer or agent of the Business Associate.
    3. Contents of Notification. Any notice referenced above in Section V(A) of this BAA will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed during such Breach. Business Associate will also provide to Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.
  6. TERM AND TERMINATION
    1. Term. This BAA shall be effective as of the date acknowledged or agreed to by Covered Entity and shall terminate upon termination or expiration of the last Underlying Agreement between the parties or when either party terminates for cause as authorized below, whichever occurs sooner.
    2. Termination for Cause. Either party may terminate this BAA if it determines that the other party has breached a material term of this BAA, after providing written notice to the breaching party in sufficient detail to enable the breaching party to understand the specific nature of the breach, and shall allow a reasonable opportunity for the breaching party to cure the breach. If the breach is not cured within thirty (30) days of notice to the breaching party, the non-breaching party may terminate this BAA with thirty (30) days written notice to the breaching party; provided, however, that the non-breaching party shall be responsible for payment for services provided prior to the effective date of termination. Upon termination of this BA Agreement, Business Associate may immediately terminate Covered Entity’s access to the Services provided in the Underlying Agreement(s).
    3. Effect of Termination. The parties hereby acknowledge that Business Associate’s return or destruction of PHI is not feasible, and therefore, Business Associate may retain a copy of such PHI provided that: (i) the provisions of this Agreement shall continue to apply to any such information retained following termination of this Agreement; and (ii) Business Associate shall limit uses and disclosures of such PHI to those purposes that make the return or destruction thereof not feasible, for as long as Business Associate maintains such PHI.
  7. OBLIGATIONS OF COVERED ENTITY.
    1. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
    2. To the extent Covered Entity has agreed to further limitations on uses and disclosures of PHI, Covered Entity shall notify Business Associate of such additional restrictions, including any limitations in or changes to Covered Entity’s Notice of Privacy Practices issued in accordance with 45 C.F.R. § 164.520, to the extent such limitation(s) or change(s) may affect Business Associate’s use or disclosure of PHI.
    3. To the extent Covered Entity provides PHI to Business Associate, Covered Entity has obtained the consents, authorizations and/or other forms of legal permission required under HIPAA and other applicable law, if any.
    4. Covered Entity shall notify Business Associate, in writing, of any changes or revocation of permission by an Individual to use or disclose that Individual’s PHI, to the extent such change(s) or revocation affect(s) Business Associate’s use or disclosure of PHI.
    5. Covered Entity shall promptly notify Business Associate, in writing, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI.
    6. Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, such information is only the Minimum Necessary amount of PHI to accomplish the intended purpose of the disclosure.
    7. In the event the Secretary investigates any complaint against Business Associate or conducts a compliance review of Business Associate in connection with Business Associate’s activities performed under this BAA, Covered Entity agrees to reasonably cooperate with and assist Business Associate, as requested, in responding to such complaint or compliance review.
  8. MISCELLANEOUS
    1. Binding Effect. This BAA shall be binding upon and shall inure to the benefit of the parties, and any successor to the operations and business of the parties whether by operation of law or otherwise, including the parties’ heirs, legal representatives, successors, and permitted assigns. The preceding sentence shall not affect any restriction on assignment set forth elsewhere in this BAA.
    2. Notices. Business Associate may provide notices via postings on sniffle.com. All notices under this Agreement shall be sent in writing by traceable carrier to the addresses indicated below or such other address as a party may indicate with at least ten (10) days’ prior written notice to the other party. Business Associate may provide notices to Covered Entity under this Agreement to the email address specified below. Notices will be effective upon receipt. Any notices that do not comply with this section shall have no legal effect.

      ADDRESSES FOR NOTICES

      FOR BUSINESS ASSOCIATE:

      Sniffle Health Inc.

      ATTN: info@sniffle.com

      FOR COVERED ENTITY:

      The notice address for Covered Entity is the email address or physical address associated with Covered Entity’s Sniffle account.

    3. Severability. If any provision of this BAA shall be held by a court of competent jurisdiction to be invalid, void, or unenforceable, such provision shall be construed in all respects as if such invalid or unenforceable provision were replaced with a valid and enforceable provision as similar as possible to the one replaced, and the remainder of this BAA shall continue in full force and effect and shall not be invalidated, impaired or otherwise affected.
    4. Entire Agreement. This BAA contains the entire understanding of the parties hereto with regard to the subject matter hereof, and supersedes all other agreements and understandings, written and oral, relating to the subject matter hereof.
    5. The parties agree that in the event of any conflict, inconsistency, or discrepancy between the Underlying Agreement(s) and this BAA relating to any subject matter herein, the terms of this BAA shall prevail. Any ambiguity in this BAA shall be resolved to permit the parties to comply with the Privacy, Security, and Breach Notification Rules, and HIPAA.
    6. This Agreement is incorporated by reference into and made a part of the Terms of Use, and as such may be amended from time to time by Business Associate as described therein, subject to applicable law. Continued use of Business Associate’s services following amendment of this Agreement shall indicate Covered Entity’s acceptance of such amendment.
    7. Regulatory References. A reference in this BAA to a section in the Privacy, Security, or Breach Notification Rule means the section as in effect or as amended, and for which compliance is required.
    8. Waiver. The waiver of any one breach of this BAA shall not be construed as a waiver of any rights or remedies with respect to any other breach or subsequent breach.
    9. Survival. The respective rights and obligations of Business Associate under Section VI(C) of this BAA shall survive the termination of this BAA.
    10. Governing Law. This BAA shall be governed by and construed in accordance with the laws of the state of Texas. Venue regarding any action arising under this BAA shall be in the state of Texas. The parties submit to the jurisdiction of the courts of the state of Texas for resolution of all disputes related to this BAA, including the enforcement of any award or judgment arising out of arbitration provided under this BAA.
    11. No Third Party Rights. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
    12. Relationship of the Parties. For the purpose of this BAA, Business Associate is an independent contractor of Covered Entity, and shall not be considered an agent of Covered Entity.
    13. Limitation of Liability. Business Associate’s aggregate liability to Covered Entity or any third party arising out of this BAA, the services, or the parties’ relationship, shall be limited to the amounts expressed in the Limitation of Liability section(s) of the Sniffle Terms of Use. NOTWITHSTANDING THE FOREGOING, BUSINESS ASSOCIATE SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, EXEMPLARY OR CONSEQUENTIAL LOSS OR DAMAGE, OR LOSS OF PROFITS, BUSINESS, OR DATA, OR DAMAGE TO REPUTATION ARISING OUT OF THIS BAA, THE SERVICES, OR THE PARTIES’ RELATIONSHIP, REGARDLESS OF WHETHER THE PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

Vision

Savings Example
| Series | America’s Eyewear | 1-800-Contacts | VisionDirect.com | Coastal.com |
| --- | --- | --- | --- | --- |
| 1-DAY ACUVUE MOIST (90 pack) | $63.00 | $74.99 | $85.00 | $64.00 |
| ACUVUE OASYS (12 pack) | $67.50 | $72.99 | $72.99 | $67.50 |
| ACUVUE OASYS for ASTIGMATISM | $40.00 | $51.99 | $44.99 | $42.00 |
| AIR OPTIX for ASTIGMATISM | $45.12 | $69.99 | $57.99 | $59.00 |
| AIR OPTIX AQUA | $31.15 | $54.99 | $49.99 | $42.00 |
| AIR OPTIX MULTIFOCAL | $59.10 | $84.99 | $84.99 | $82.00 |
| BIOFINITY | $34.12 | $49.99 | $48.99 | $41.00 |
| BIOFINITY TORIC | $42.95 | $67.99 | $68.99 | $65.00 |
| DAILIES AQUA PLUS (90 pack) | $45.00 | $64.99 | $59.99 | $59.00 |
| PROCLEAR TORIC | $54.34 | $84.99 | $71.59 | $65.00 |
| PROCLEAR MULTIFOCAL | $60.21 | $99.99 | $82.99 | $73.00 |
| PUREVISION MULTIFOCAL | $68.26 | $79.99 | $82.99 | $73.00 |

Prices are six lenses per box (except where noted) and are subject to change without notice. Updated April 2021.