Online BAA
Business Associate Agreement
This Business Associate Agreement (this “BAA”) is entered into by and between Vision Path, Inc. (“Business Associate”) and Retail Partner (“Covered Entity”) (collectively the “Parties”).
The Parties have agreed that Business Associate shall provide certain services (“Services”) as described in the Retail Partner Agreement mutually executed between the Parties (the “Agreement”) for or on behalf of the Covered Entity and that provision of the Services may involve PHI (as defined in Section 1.4). The purpose of this BAA is to set forth the obligations of Business Associate with respect to such PHI in accordance with applicable federal law.
1. DEFINITIONS
1.1 Unless otherwise specified in this BAA, all capitalized terms used in this BAA not otherwise defined have the meanings established for purposes of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”) and HITECH, as each is amended from time to time.
1.2 “Electronic Protected Health Information” or “ePHI” shall mean PHI as defined in Section 1.4 that is transmitted or maintained in electronic media.
1.3 “HITECH” shall mean Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§ 17921-17954, and its implementing regulations.
1.4 “PHI” shall mean Protected Health Information, as defined in 45 C.F.R. § 160.103, limited to the Protected Health Information received from, or received or created on behalf of, Covered Entity by Business Associate pursuant to the Agreement.
1.5 “Privacy Rule” shall mean the federal privacy regulations issued pursuant to HIPAA, as amended from time to time.
1.6 “Security Rule” shall mean the federal security regulations issued pursuant to HIPAA, as amended from time to time.
2. RESPONSIBILITIES OF BUSINESS ASSOCIATE
With regard to its use and/or disclosure of PHI, Business Associate agrees to:
- not use and/or disclose PHI except as permitted or required by this BAA or as otherwise Required by Law, and to the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of those obligations;
- implement and use appropriate technical, physical and administrative safeguards to prevent use and/or disclosure of PHI other than as permitted or required by this BAA and comply with the Security Rule provisions applicable to business associates with respect to ePHI;
- report without unreasonable delay to Covered Entity: (i) any use and/or disclosure of PHI of which it becomes aware that is not permitted by this BAA; and/or (ii) any Security Incident of which Business Associate becomes aware. Notwithstanding the foregoing, Covered Entity acknowledges that Business Associate routinely experiences unsuccessful Security Incidents that do not result in a Breach of Unsecured PHI, such as pings, port scans, phishing attempts and other unsuccessful Security Incidents. Business Associate hereby notifies Covered Entity of such unsuccessful Security Incidents, and the Parties acknowledge and agree that no further notice shall be required of such unsuccessful Security Incidents;
- without unreasonable delay and in no case later than thirty (30) calendar days after discovery, notify Covered Entity of a Breach of any Unsecured PHI, all in accordance with 45 C.F.R. § 164.410;
- in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), ensure that any of its subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, in writing, to restrictions and conditions on the use and/or disclosure of PHI no less restrictive than those that apply to Business Associate, including, to the extent that Business Associate provides ePHI to a subcontractor, requiring the subcontractor in writing to, where applicable, comply with the Security Rule with respect to that ePHI;
- make available its internal practices, books, and records relating to the use and/or disclosure of PHI to the Department of Health and Human Services (“HHS”) for purposes of determining Covered Entity’s compliance with the Privacy Rule;
- within thirty (30) days after receiving a written request from Covered Entity, make available information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual as provided in 45 C.F.R. § 164.528. To the extent that Business Associate receives requests directly from Individuals to provide an accounting of Disclosures of PHI, Business Associate shall forward such request to Covered Entity. Covered Entity shall be responsible for responding to the Individual and notifying Business Associate if any action is required of Business Associate;
- mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use and/or disclosure of PHI by Business Associate that is not permitted by the requirements of this BAA;
- in the event that Business Associate in connection with the Services maintains a Designated Record Set of information of or about an Individual on behalf of Covered Entity, then Business Associate shall make available that information in accordance with 45 C.F.R. § 164.524, including providing an electronic copy of the PHI, to Covered Entity. To the extent that Business Associate receives requests directly from Individuals to have access to their PHI or have PHI sent to a designated third party, Business Associate shall promptly forward such request to Covered Entity. Covered Entity shall be responsible for responding to the Individual and notifying Business Associate to the extent any action is required of Business Associate;
- in the event that Business Associate in connection with the Services maintains a Designated Record Set of information of or about an Individual on behalf of Covered Entity, and to the extent that Business Associate receives requests from Covered Entity on behalf of Individuals to amend PHI in a Designated Record Set, Business Associate shall comply with such requests in accordance with 45 C.F.R. § 164.526. To the extent that Business Associate receives requests directly from Individuals to amend their PHI, Business Associate shall forward such request to the Covered Entity. Covered Entity shall be responsible for responding to the Individual and notifying Business Associate if any action is required of Business Associate;
- not directly or indirectly receive remuneration in exchange for any PHI as prohibited by 45 C.F.R. § 164.502(a)(5)(ii); and
- not make or cause to be made a communication about a product or service that is prohibited by 45 C.F.R. §§ 164.501 and 164.508(a)(3).
3. OTHER PERMITTED USES AND DISCLOSURES OF PHI
Unless otherwise limited herein, in addition to any other uses and/or disclosures permitted or required by this BAA, Business Associate may:
- use, and disclose to third parties, the PHI in its possession as necessary to perform the Services to Covered Entity pursuant to the Agreement;
- use and disclose the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate, provided that any such disclosures are Required by Law or any third party to which Business Associate discloses PHI for those purposes provides assurances that: (a) the information will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the third party; and (b) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached;
- perform Data Aggregation for the Health Care Operations of Covered Entity;
- de-identify the PHI in accordance with 45 C.F.R. § 164.514; and
- disclose PHI pursuant to a HIPAA-compliant Authorization on behalf of Covered Entity.
4. TERM AND TERMINATION
4.1 Term. The Term of this BAA shall be effective as of the Effective Date and shall terminate upon the final expiration or termination of the Agreement unless earlier terminated in accordance with Section 4.2 of this BAA.
4.2 Termination. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of this BAA, then Covered Entity shall provide notice thereof to Business Associate. Such notice shall clearly specify the nature of the breach or violation. If, after a reasonable time period following the notice to Business Associate, Covered Entity reasonably determines that Business Associate has not cured the breach or ended the violation, Covered Entity may terminate this BAA.
4.3 Effect of Termination or Expiration. Within thirty (30) days after the termination or expiration of this BAA, Business Associate shall return or destroy all PHI, if feasible to do so, including all PHI in possession of Business Associate’s subcontractors. If return or destruction of the PHI is not feasible, Business Associate shall extend any and all protections, limitations and restrictions contained in this BAA to Business Associate’s use and/or disclosure of any PHI retained after the termination or expiration of this BAA, and limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
5. MISCELLANEOUS
5.1 Construction of Terms. To the extent they are not clear, the terms of this BAA shall be construed to allow for compliance by the Parties with HIPAA or HITECH and implementing regulations as applicable and as promulgated and amended from time to time.
5.2 No Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the Parties and their respective successors or assigns any rights, remedies, obligations, or liabilities whatsoever.
5.3 Governing Law. This BAA will be governed by and construed in accordance with the laws of Delaware (excluding its choice of law rules).
5.4 Counterparts. This BAA may be executed in counterparts, each of which will constitute an original and all of which will be one and the same document.