Terms and Conditions of Agreement

Last Updated: April 1, 2021

Terms and Conditions of Agreement

1. SERVICES

1.1 Vision Services Subject to Partner’s compliance with this Agreement (which includes the Service Agreement, these Terms and Conditions, and the Business Associate Agreement, collectively “Agreement”) during the Term, Visibly will provide the Vision Services to Partner Patients in accordance with and subject to this Agreement. The Vision Services will be provided through the website located at a URL to be provided to Partner (“the Service URL”). Visibly may change the Service URL from time to time upon reasonable advance notice to Partner.

1.2 Restrictions Partner will not (and will not allow anyone else to) attempt to interfere with or disrupt the Vision Services or the Software or attempt to gain access to any systems or networks that connect thereto (except as required to access and use the Vision Services). Partner will not (and will not allow anyone else to): (a) copy, modify or distribute any portion of the Vision Services or Software; (b) rent, lease, or provide access to the Vision Services or Software on a time-share or service bureau basis; (c) reverse engineer, decompile or disassemble any part of the Vision Services or Software; (d) transfer any of its rights hereunder (except as specified in Section 11.8), or (e) remove, alter or obscure any copyright, patent, trademark or other proprietary rights or confidentiality notice in or on any Intellectual Property Rights of Visibly.

2. OBLIGATIONS OF THE PARTIES

2.1 Promotion Throughout the Term (as defined below), Partner shall use reasonable efforts to endorse and promote Visibly’s Vision Services. All of Partner’s marketing, discussions, or other representations of features and offerings concerning the Vision Services will be approved by Visibly in advance, in writing (email acceptable), or provided by Visibly. Partner will not be entitled to make any other representation, warranty, guarantee or promise about Vision Services without prior written approval.

2.2 Branding Any use by either party of the other party’s Trademarks must be approved in writing by such party prior to its distribution, release, or publication. Unless otherwise approved in writing by the party that owns the Trademarks, each party will comply with the branding and trademark guidelines that the other party provides in writing. Subject to the this Agreement, each party hereby grants to the other party a non-exclusive and non-transferable (except in accordance with Section 11.8) license during the Term to use and display its Trademarks solely as approved and in accordance with the requirements of the granting party’s branding and trademark guidelines.

2.3 Doctor-Patient Relationship

(a) Visibly acknowledges and agrees that Partner may be creating a doctor-patient relationship with Partner Patients who use the Visibly Vision Services. Visibly will not interfere with this doctor-patient relationship.

(b) Partner shall use commercially reasonable efforts to (i) obtain information about each Partner Patient’s state of residence, and (ii) send such Partner Patients’ vision test results only to a doctor who is actively licensed to practice medicine in the state of residence of such patient.

(c) Partner will retain full responsibility for properly forming and maintaining the doctor-patient relationship between physicians and Partner Patients.

2.4 Communications with Visibly Users Except as set forth herein, communications by Visibly to Partner Patients will be limited to those relevant to delivery of Vision Services. Visibly shall not disclose, sell, assign, lease or otherwise provide Partner Patient Data to third parties or partner with any third parties to perform any action prohibited by this Agreement. Visibly reserves its rights to communicate with Partner Patients who were Visibly Users before the effective date of this Agreement without any restrictions under this Agreement applying to such communications.

2.5 Cooperation and Assistance As a condition to Visibly’s obligations hereunder, Partner shall at all times: (a) provide Visibly with good faith cooperation and access to such information, facilities, personnel (as necessary) and equipment as may be reasonably required by Visibly in order to provide the Vision Services, including, but not limited to, providing Visibly access to Partner Patient Data, security access, information, and software interfaces to Partner’s business applications; and (b) carry out in a timely manner all other Partner responsibilities set forth in this Agreement.

2.6 Telecommunications and Internet Services Partner acknowledges and agrees that Partner’s and its Partner Patients’ use of the Vision Services is dependent upon access to telecommunications and Internet services. Partner shall be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required to access and use the Vision Services, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing. Visibly shall not be responsible for any loss or corruption of data, lost communications, or any other loss or damage of any kind arising from any such telecommunications and Internet services.

3. PAYMENT TERMS

3.1 Fees In consideration for Visibly providing the Vision Services, Partner shall pay to Visibly fees, with the payment terms as described in Section 1 of the Service Agreement.

3.2 Taxes All amounts and fees stated or referred to in this Agreement are exclusive of taxes, duties, levies, tariffs, and other governmental charges (including, without limitation, VAT) (collectively, “Taxes”). Partner shall be responsible for payment of all Taxes and any related interest and/or penalties resulting from any payments made hereunder, other than any taxes based on Visibly’s net income.

4. OWNERSHIP

4.1 Vision Services and Software As between Visibly and Partner, the Vision Services and Software (and all copies of the Software), and all Intellectual Property Rights therein or relating thereto, are and shall remain the exclusive property of Visibly or its licensors.

4.2 Visibly User Data As between the parties, all right, title and interest in and to the Visibly User Data will be exclusively owned by Visibly.

4.3 Partner Patient Data As between the parties, all right, title and interest in and to the Partner Patient Data will be exclusively owned by Partner. Except for the rights expressly granted to Visibly herein, Partner reserves all rights in and to the Partner Patient Data to itself.

4.4 Data-Related Restrictions Neither party, as the party receiving the Partner Patient Data or Visibly User Data from the other party (as applicable), will, unless it has the relevant Partner Patient or Visibly User’s consent thereof, do any of the following with respect to the Partner Patient Data or Visibly User Data: (i) use such data; (ii) disclose, sell, assign, lease or otherwise provide such data to third parties; or (iii) commercially exploit such data in any form either directly or through a third party.

4.5 Trademarks Each party exclusively owns all right, title and interest in and to their respective Trademarks. Neither party may remove, alter or obscure any copyright, trademark, service mark or other proprietary rights notices incorporated in or accompanying the products or services of the party owning the Trademark. All goodwill from the use of such Trademarks will inure solely to the benefit of the party owning the Trademark.

5. CONFIDENTIALITY

5.1 Definition By virtue of this Agreement, the parties may have access to each other’s Confidential Information. “Confidential Information,” as used in this Agreement, means any written, machine-reproducible and/or visual materials that are Partner labeled as proprietary, confidential, or with words of similar meaning, and all information that is orally or visually disclosed, if not so marked, if it is identified as proprietary or confidential at the time of its disclosure or in a writing provided within thirty (30) days after disclosure, and any information of any nature described in this Agreement as confidential. Visibly Confidential Information includes, without limitation, the Visibly User Data, Vision Services and any Software whether in source or executable code, documentation, nonpublic financial information, pricing, business plans, techniques, methods, processes, and the results of any performance tests of the Vision Services or the Software. Partner Confidential Information includes, without limitation, Partner Patient Data. The terms of the Service Agreement (excluding these terms to the extent provided via URL) shall be deemed the Confidential Information of both parties and neither party shall disclose such information except to such party’s advisors, accountants, attorneys, investors (and prospective investors), and prospective acquirers that have a reasonable need to know such information, provided that any such third parties shall, before they may access such information, either (a) execute a binding agreement to keep such information confidential or (b) be subject to a professional obligation to maintain the confidentiality of such information.

5.2 Exclusions Confidential Information shall not include information that the receiving party can demonstrate: (a) is or becomes publicly known through no act or omission of the receiving party; (b) was in the receiving party’s lawful possession prior to the disclosure; (c) is rightfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) is independently developed by the receiving party, which independent development can be shown by written evidence.

5.3 Use and Nondisclosure During the Term and for a period of three (3) years after expiration or termination of this Agreement, neither party shall make the other’s Confidential Information available to any third party or use the other’s Confidential Information for any purposes other than exercising its rights and performing its obligations under this Agreement. Each party shall take all reasonable steps to ensure that the other’s Confidential Information is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement, and in no event will either party use less effort to protect the Confidential Information of the other party than it uses to protect its own Confidential Information of like importance. Each party will ensure that any agents or subcontractors that are permitted to access any of the other’s Confidential Information are legally bound to comply with the obligations set forth herein. Notwithstanding the foregoing, Confidential Information may be disclosed as required by any governmental agency, provided that before disclosing such information, if not legally barred, the disclosing party must provide the non-disclosing party with sufficient advance notice of the agency’s request for the information to enable the non-disclosing party to exercise any rights it may have to challenge or limit the agency’s authority to receive such Confidential Information.

6. REPRESENTATIONS AND WARRANTIES

6.1 Mutual Representations and Warranties Each party represents and warrants to the other party that: (a) it is duly organized, validly existing and in good standing under its jurisdiction of organization and has the right to enter into this Agreement; (b) the execution, delivery and performance of this Agreement are within the corporate powers of such party and have been duly authorized by all necessary corporate action on the part of such party, and constitute a valid and binding agreement of such party; and (c) this Agreement will not breach any agreement between the party and any third party or violate any Applicable Laws.

6.2 Partner Representations and Warranties Partner represents and warrants to Visibly that: (a) it has all rights, power and authority that are necessary for its collection, use and sharing of the Partner Patient Data as contemplated by this Agreement; (b) Partner’s use and provision of Partner Patient Data to Visibly, and its use of vision test results pursuant to this Agreement, will not breach any agreement between Partner and any third party or violate any Applicable Laws and (c) it has made or will make all disclosures and has secured or will secure all requisite consents required under the Applicable Laws from Partner Patients, and other individuals as applicable, necessary for it to provide the Partner Patient Data to Visibly and for Visibly to use such Partner Patient Data in connection with its provision of the Vision Services and any other services provided under this Agreement.

6.3 Visibly Representations and Warranties Visibly warrants to Partner that: (a) the Vision Services will meet the requirements set forth in the Service Agreement; (b) its use and provision of Visibly User Data to Partner pursuant to this Agreement will not breach any agreement between Visibly and any third party or violate any Applicable Laws and (c) it has made or will make all disclosures and has secured or will secure all requisite consents required under the Applicable Laws from Visibly Users and other individuals as applicable, necessary for it to collect, use and process the Visibly User Data and share such Visibly User Data with Partner in connection with its provision of the Vision Services and any other services provided under this Agreement. The sole and exclusive remedy for any breach of the warranty set forth in this Section 6.3(a) will be as set forth in Section 2 of the Service Agreement.

6.4 Disclaimer EXCEPT AS EXPRESSLY PROVIDED IN SECTIONS 6.1 THROUGH 6.3, NEITHER PARTY MAKES ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND WHATSOEVER, EXPRESS OR IMPLIED, IN CONNECTION WITH THIS AGREEMENT, THE SOFTWARE OR THE VISION SERVICES. WITHOUT LIMITING THE FOREGOING, EXCEPT AS EXPRESSLY PROVIDED IN SECTION 6.3, VISIBLY DISCLAIMS ANY WARRANTY THAT THE VISION SERVICES WILL BE ERROR FREE OR UNINTERRUPTED OR THAT ALL ERRORS WILL BE CORRECTED. VISIBLY FURTHER DISCLAIMS ANY AND ALL WARRANTIES WITH RESPECT TO THE VISION SERVICES AS TO MERCHANTABILITY, ACCURACY OF ANY INFORMATION PROVIDED, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. VISIBLY FURTHER DISCLAIMS ANY AND ALL WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM VISIBLY OR ELSEWHERE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.

7. INDEMNIFICATION

7.1 Visibly Indemnity Subject to Section 7.4, Visibly will defend, indemnify and hold Partner harmless from and against any damages, costs and expenses (including reasonable attorneys’ fees and other professional fees) awarded against Partner in a final non-appealable judgment or that are agreed to in settlement, to the extent based on a third-party claim: (i) that the Vision Services, as provided by Visibly, infringe any U.S. patent or copyright or misappropriate the trade secret of any third party, or (ii) arising out of Visibly’s breach of its representations and warranties under Section 6.3(b) or (c).

7.2 Partner Indemnity Partner will defend, indemnify and hold Visibly harmless from and against any damages, costs and expenses (including reasonable attorneys’ fees and other professional fees) awarded against Visibly in a final non-appealable judgment or that are agreed to in settlement to the extent based on a third-party claim that arises out of Partner’s breach of its representations and warranties.

7.3 Procedure The indemnifying party is obligated to indemnify the indemnified party provided that the indemnified party: (a) promptly notifies indemnifying party in writing of any such claim; (b) grants indemnifying party sole control of the defense and settlement of the claim; and (c) provides indemnifying party, at indemnifying party’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the claim. The indemnifying party will not settle any claim that involves a remedy other than payment without the indemnified party’s prior written consent, which may not be unreasonably withheld or delayed. The indemnified party has the right to retain counsel, at its expense, to participate in the defense or settlement of any claim. The indemnifying party will not be liable for any settlement or compromise that indemnified party enters into without the indemnifying party’s prior written consent.

7.4 Injunction If Partner’s use of the Vision Services is, or in Visibly’s opinion is likely to be, enjoined due to the type of claim specified in Section 7.1, then Visibly will use commercially reasonable efforts to: (i) replace or modify the Vision Services to make it non-infringing and of equivalent functionality; or (ii) procure for Partner the right to continue using the Vision Services under the terms of this Agreement.

7.5 Sole Remedy THE FOREGOING PROVISIONS OF THIS SECTION 7 SET FORTH VISIBLY’S SOLE AND EXCLUSIVE OBLIGATIONS, AND PARTNER’S SOLE AND EXCLUSIVE REMEDIES, WITH RESPECT TO INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS OF ANY KIND BY USE OF THE VISION SERVICES.

8. LIMITATION OF LIABILITY

IN NO EVENT WILL VISIBLY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) OR FOR THE COST OF PROCURING SUBSTITUTE PRODUCTS OR SERVICES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE, OPERATION OR PERFORMANCE OF THE VISION SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY, OR OTHERWISE, AND WHETHER OR NOT VISIBLY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

VISIBLY’S TOTAL AGGREGATE LIABILITY ARISING UNDER THIS AGREEMENT, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE TO VISIBLY BY PARTNER DURING THE TWELVE MONTHS PRECEDING THE CLAIM.

9. COMPLIANCE WITH LAW

Each Party agrees to use commercially reasonable efforts to comply in all material respects with all Applicable Laws, including, without limitation, to the extent applicable, HIPAA, HITECH, any federal and state anti-kickback laws and regulations, any applicable federal and state privacy and data security laws and regulations (“Privacy and Security Laws”) and any rules of professional conduct as well as orders of all courts of law, in each case, pertaining to this Agreement and the performance of its respective obligations hereunder (collectively, the “Legal Requirements”); provided that “Legal Requirements” shall not include any state laws, statutes, rules or regulations which have been pre-empted by federal law, in which case, such federal law shall apply. Each party will notify the other party if in its opinion, the terms of this Agreement are likely to breach any Legal Requirements, and in which case, the parties will mutually cooperate and modify the provisions that might so violate any Legal Requirement.

10. TERM AND TERMINATION

10.1 Term The term of this Agreement is as set forth in Section 3 of the Service Agreement.

10.2 Termination for Cause Either party may terminate this Agreement upon written notice if the other party materially breaches this Agreement and fails to correct the breach within thirty (30) days following written notice specifying the breach; provided that the cure period for any default with respect to payment will be five (5) business days.

10.3 Termination for Insolvency Subject to Title 11 of the United States Code, if either party becomes or is declared insolvent or bankrupt, is the subject of any proceedings relating to its liquidation, insolvency, or for the appointment of a receiver or similar officer for it, or makes an assignment for the benefit of any creditor, then the other party may terminate this Agreement upon thirty (30) days’ written notice.

10.4 Rights and Obligations Upon Expiration or Termination Upon expiration or termination of this Agreement, Partner’s right to access and use the Vision Services shall immediately terminate, all fees and payments under the Agreement up to the effective date of termination will become immediately due and payable, and each party will return and make no further use of any Confidential Information, materials, or other items (and all copies thereof) belonging to the other party. Also upon expiration or termination of this Agreement, each party will cease use of the Trademarks of the other party; provided, that each party will: (a) have a reasonable time to remove the other party’s Trademarks from promotional materials; (b) be entitled to exhaust materials printed during the Term that include the other party’s Trademarks; and (c) not be required to remove any such printed materials from circulation.

10.5 Survival The rights and obligations of Visibly and Partner contained in Sections 4, 5, 6, 7, 8, 9, 10.4, 10.5, and 11 shall survive any expiration or termination of this Agreement.

11. GENERAL

11.1 Governing Law This Agreement and all matters arising out of or relating to this Agreement shall be governed by the laws of the State of Illinois, without regard to its conflict of law provisions. Any legal action or proceeding relating to this Agreement shall be brought exclusively in the state or federal courts located in Chicago, IL, USA. Visibly and Partner hereby agree to submit to the jurisdiction of, and agree that venue is proper in, those courts in any such legal action or proceeding.

11.2 Waiver The waiver by either party of any default or breach of this Agreement shall not constitute a waiver of any other or subsequent default or breach.

11.3 Notices All notices, including notices of address change, required to be sent hereunder shall be in writing and shall be sent to the signers of the Service Agreement at the addresses listed in the Service Agreement or delivered in person. The notices shall be deemed to have been given upon: (a) the date actually delivered in person; (b) the day after the date sent by overnight courier; or (c) three (3) days following the date such notice was mailed by first class mail. Notices may be confirmed by email or fax.

11.4 Severability In the event any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect.

11.5 Force Majeure Neither party shall be liable hereunder by reason of any failure or delay in the performance of its obligations hereunder (except for the payment of money) on account of events beyond the reasonable control of such party, which may include without limitation denial-of-service attacks, strikes, shortages, riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, governmental action, labor conditions, earthquakes and material shortages (each a “Force Majeure Event”). Upon the occurrence of a Force Majeure Event, the non-performing party will be excused from any further performance of its obligations effected by the Force Majeure Event for so long as the event continues and such party continues to use commercially reasonable efforts to resume performance.

11.6 Compliance with Laws. Each party agrees to comply with all Applicable Laws with respect to its activities hereunder, including, but not limited to, HIPAA, HITECH and any export laws and regulations of the United States.

11.7 Relationship Between the Parties Nothing in this Agreement shall be construed to create a partnership, joint venture or agency relationship between the parties. Neither party will have the power to bind the other or to incur obligations on the other’s behalf without such other party’s prior written consent.

11.8 Assignment/Successors Neither party may assign or transfer this Agreement, in whole or in part, without the other party’s written consent, which consent will not be unreasonably withheld or delayed. No consent will be required in case of assignment by Visibly pursuant to operation of law in situations such as (a) direct or indirect acquisition of Visibly, or sale of all or substantially all stock or assets of Visibly, in a single transaction or a series of transactions; or (b) the merger of Visibly with another entity. Any attempted assignment or transfer in violation of this Section will be null and void. Subject to the foregoing restrictions, this Agreement shall inure to the benefit of the successors and permitted assigns of the parties.

11.9 Entire Agreement These Terms and Conditions together with the Service Agreement, Business Associate Agreement, and all exhibits hereto constitute the complete and exclusive agreement between the parties concerning its subject matter and supersedes all prior or contemporaneous agreements or understandings, written or oral, concerning the subject matter of this Agreement. This Agreement may not be modified or amended except in a writing signed by a duly authorized representative of each party.

11.10 Non-Exclusive Remedies Except as expressly set forth in the Agreement, the exercise by either party of any remedy under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise.

11.11 Equitable Relief Each party acknowledges that a breach by the other party of any confidentiality or proprietary rights provision of this Agreement may cause the non-breaching party irreparable damage, for which the award of damages would not be adequate compensation. Consequently, the non-breaching party may institute an action to enjoin the breaching party from any and all acts in violation of those provisions, which remedy shall be cumulative and not exclusive, and a party may seek the entry of an injunction enjoining any breach or threatened breach of those provisions, in addition to any other relief to which the non-breaching party may be entitled at law or in equity.

11.12 No Third-Party Beneficiaries This Agreement is intended for the sole and exclusive benefit of the signatories and is not intended to benefit any third party. Only the parties to this Agreement may enforce it.

11.13 Counterparts This Agreement may be executed in counterparts, each of shall constitute an original, and all of which shall constitute one and the same instrument.

11.14 Headings The headings in this Agreement are for the convenience of reference only and have no legal effect.

12. DEFINITIONS

Applicable Laws” means all applicable laws, rules and regulations, including, without limitation, HIPAA, HITECH, any federal and state anti-kickback laws and regulations, and any federal and state privacy and data security laws and regulations that are applicable to a party.

HIPAA” means the Health Insurance Portability and Accountability Act of 1996, and all regulations promulgated thereunder, as amended from time to time.

HITECH” means Health Information Technology for Economic and Clinical Health Act, and all regulations promulgated thereunder, as amended from time to time.

Intellectual Property Rights” means any intellectual property in any jurisdiction throughout the world, including without limitation, any (i) trademarks, service marks, Internet domain names, logos, trade dress, trade names, and any other indicia of source, and all goodwill associated therewith and symbolized thereby; (ii) patents, patent applications and patent disclosures and inventions and discoveries (whether patentable or unpatentable); (iii) trade secrets and know-how (including rights in any ideas, research and development information, drawings, specifications, designs, plans, proposals and related information); (iv) copyrights and copyrightable works, including rights in software (source code and object code) and software systems, data, databases and related items, such as documentation; and (v) registrations and applications for any of the foregoing.

Visibly User” means any person who signs up for the Vision Services provided by Visibly. For clarity, all Partner Patients who sign up for Vision Services will also be considered Visibly Users after the successful sign up process.

Visibly User Data” means all data and information relating to Visibly Users collected or processed by Visibly during user registration and through the Vision Services. For clarity, Visibly User Data also includes data relating to Partner Patients who become Visibly Users (by signing up for the Vision Services) collected or processed by Visibly, including without limitation, vision test results.

Partner Patients” means patients of Partner to whom Partner has actively promoted, marketed, offered, or recommended Visibly’s Vision Services.

Partner Patient Data” means all data and information about the Partner Patients collected by Partner, and input or submitted into the Vision Services by Partner.

Vision Services” means the online vision testing services provided by Visibly.

Software” means any Visibly or third-party software used by Visibly to provide the Vision Services.

Term” means the term of the Agreement as defined in Section 10.

Trademarks” means a party’s trademarks, service marks, trade names, or logos used to identify that party or its products and services.

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BA Agreement”) is by and between Visibly, Inc., having its principal office at 207 E Ohio Street, #233, Chicago, IL, 60611 (“Visibly”), and Partner (as defined in the Service Agreement), (each a “Party” and collectively the “Parties”).

APPLICABILITY

Visibly and Partner have entered into a Service Agreement pursuant to which Visibly provides Vision Services to Partner. Consequently, Visibly may, but will not necessarily, provide services to Partner in a manner that gives Visibly access to Protected Health Information (“PHI”) as defined under 45 C.F.R. § 160.103.The terms of this BA Agreement apply only if and to the extent Partner implements the Vision Services for use on behalf of a Covered Entity or is a Covered Entity and Visibly acts as a Business Associate of Partner pursuant to 45 C.F.R. § 160.103 as a consequence of Visibly’s access to information covered by applicable provisions of HIPAA or HITECH (as defined below).

RECITALS

WHEREAS, Partner recognizes that Visibly may need to use, disclose, create, or request Protected Health Information (“PHI”) (as defined below) that is subject to protection under the HIPAA Rules in the course of furnishing services for or on behalf of Partner pursuant to the Service Agreement;

WHEREAS, Partner and Visibly mutually accept the terms of agreement set forth below in accordance with the requirements of the Privacy and Security Rules, and HITECH so that Visibly may use, disclose, create and request Protected Health Information in connection with furnishing services for or on behalf of Partner.

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

  1. Definitions. Except as otherwise defined in this BA Agreement, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Service Agreement. The following capitalized terms have the following meaning when used in this BA Agreement:

a) Service Agreement means the Service Agreement entered into between Visibly and Partner, including the Terms and Conditions of the Service Agreement.

b) Business Associate has the meaning ascribed to that term by 45 C.F.R. § 160.103.

c) C.F.R. means the Code of Federal Regulations.

d) Covered Entity has the meaning ascribed to that term by 45 C.F.R. § 160.103, for purposes of this BA Agreement, is a Covered Entity for which Visibly acts as a Business Associate pursuant to a business associate contract in compliance with the Privacy and Security Rules and HITECH.

e) DHHS means the U.S. Department of Health and Human Services, its Secretary and its various components.

f) Electronic Protected Health Information or ePHI has the meaning ascribed to that term in 45 C.F.R. § 160.103 and, for purposes of this BA Agreement, is ePHI that Visibly creates, receives, maintains or transmits for or on behalf of Partner acting as a Covered Entity or a Business Associate of one or more Covered Entities in the course of Visibly providing services under the Service Agreement.

g) Health Care Operations has the meaning ascribed to that term by 45 C.F.R. § 164.501, as clarified by HITECH § 13406(a).

h) HIPAA collectively means the administrative simplification provision of the Health Insurance Portability and Accountability Act enacted by the United States Congress, and its implementing regulations, including the Privacy Rule, the Breach Notification Rule, and the Security Rule, as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.

i) HITECH means the Health Information Technology for Economic and Clinical Health Act (which is part of Public Law 111-005).

j) Individual has the meaning ascribed to that term by 45 C.F.R. § 160.103.

k) Privacy Rule means the federal regulation promulgated at 45 C.F.R. Part 164, Subpart E.

l) Protected Health Information or PHI has the meaning ascribed to that term by 45 C.F.R. § 160.103 and, for purposes of this BA Agreement, is PHI that Visibly uses, creates, maintains, transmits or receives (i) on behalf of Partner acting as a Business Associate of one or more Covered Entities or as a Covered Entity, and (ii) in the course of performance of the Service Agreement. PHI includes ePHI and Unsecured PHI.

m) Required By Law has the meaning ascribed to that term by 45 C.F.R. § 164.103.

n) Security Incident has the meaning ascribed to that term by 45 C.F.R. § 164.304.

o) Security Rule means the federal regulation promulgated at 45 C.F.R. Part 164, Subpart C.

p) Unsecured Protected Health Information or Unsecured PHI has the meaning ascribed to that term by 45 C.F.R. § 164.402 and, for purposes of this BA Agreement, is Unsecured PHI that Visibly uses, creates, maintains, transmits or receives (i) on behalf of Partner acting as a Business Associate of one or more Covered Entities or as a Covered Entity, and (ii) in the course of performance of the Service Agreement.

2. Independent Contractor. Visibly is an independent contractor with respect to Partner in that Visibly furnishes Services, pursuant to the Service Agreement, for and on behalf of Partner, but does not and is not authorized to represent or otherwise serve as agent of Partner.

3. Privacy of Protected Health Information.

a) Permitted Uses and Disclosures.

i) Performance of the Service Agreement. Except as otherwise limited in this BA Agreement, Visibly may Use and Disclose Protected Health Information for, or on behalf of, Partner as specified in the Service Agreement; provided that any such Use or Disclosure would not violate HIPAA if done by Partner, unless expressly permitted under paragraph ii of this Section 3.

ii) Other Uses. Except as otherwise limited in this BA Agreement, Visibly may Use and Disclose Protected Health Information for the proper management and administration of Visibly and/or to carry out the legal responsibilities of Visibly, provided that any Disclosure may occur only if: (1) Required by Law; or (2) Visibly obtains written reasonable assurances from the person to whom the Protected Health Information is Disclosed that it will be held confidentially and Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person, and the person notifies Visibly of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached. Visibly may also use PHI to provide Data Aggregation services to Partner as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

4. Responsibilities of the Parties with Respect to Protected Health Information

a) Visibly Responsibilities. To the extent Visibly is acting as a Business Associate, Visibly agrees to the following:

i) Limitations on Use and Disclosure. Visibly shall not Use and/or Disclose the Protected Health Information other than as permitted or required by the Service Agreement and/or this BA Agreement or as otherwise Required by Law. Visibly shall not disclose, capture, maintain, scan, index, transmit, share or Use Protected Health Information for any activity not authorized under the Service Agreement and/or this BA Agreement. Visibly Shall not use Protected Health Information for any advertising, Marketing or other commercial purpose of Visibly or any third party. Visibly shall not violate the HIPAA prohibition on the sale of Protected Health Information. Visibly shall make reasonable efforts to Use, Disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request.

ii) Safeguards. Visibly shall: (1) use reasonable and appropriate safeguards to prevent inappropriate Use and Disclosure of Protected Health Information other than as provided for in this BA Agreement; and (2) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule.

iii) Reporting. Visibly shall report to Partner: (1) any Use and/or Disclosure of Protected Health Information that is not permitted or required by this BA Agreement of which Visibly becomes aware; (2) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (3) any Breach of Partner’s Unsecured Protected Health Information that Visibly may discover (in accordance with 45 CFR § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than thirty (30) business days after Visibly’s determination of a Breach. Taking into account the level of risk reasonably likely to be presented by the Use, Disclosure, Security Incident, or Breach, the timing of other reporting will be made consistent with Visibly’s and Partner’s legal obligations.

iv) For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Visibly’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as no such incident results in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Visibly’s obligation to report under this Section is not and will not be construed as an acknowledgement by Visibly of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.

v) Subcontractors. In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2) of HIPAA, Visibly shall require its Subcontractors who create, receive, maintain, or transmit Protected Health Information on behalf of Visibly to agree in writing to: (1) the same or more stringent restrictions and conditions that apply to Visibly with respect to such Protected Health Information; (2) appropriately safeguard the Protected Health Information; and (3) comply with the applicable requirements of 45 CFR Part 164 Subpart C of the Security Rule. Visibly remains responsible for its Subcontractors’ compliance with obligations in this BA Agreement.

vi) Disclosure to the Secretary. Visibly shall make available its internal practices, records, and books relating to the Use and/or Disclosure of Protected Health Information received from Partner to the Secretary of the Department of Health and Human Services for purposes of determining Partner’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges.

vii) Access. To the extent Visibly maintains Protected Health Information in a Designated Record Set for Partner, then Visibly, at the request of Partner, shall within twenty (20) days make access to such Protected Health Information available to Partner in accordance with 45 CFR § 164.524 of the Privacy Rule. Consistent with 45 C.F.R. 164.524, Visibly’s obligation will be limited to the extent such PHI is in the sole possession of Visibly and is not duplicative of PHI held by Partner, or the Covered Entity to which Partner is acting as a Business Associate (if applicable). The provision of the access to the individual’s PHI and any denials of access to the PHI shall be the responsibility of Partner.

viii) Amendment. To the extent Visibly maintains Protected Health Information in a Designated Record Set for Partner, then Visibly, at the request of Partner, shall within thirty (30) days make available such Protected Health Information to Partner for amendment and incorporate any reasonably requested amendment in the Protected Health Information in accordance with 45 CFR § 164.526 of the Privacy Rule. The amendment of an individual’s PHI and all decisions related thereto shall be the responsibility of Partner.

ix) Accounting of Disclosure. Visibly, at the request of Partner, shall within thirty (30) days make available to Partner such information relating to Disclosures made by Visibly as required for Partner to make any requested accounting of Disclosures in accordance with 45 CFR § 164.528 of the Privacy Rule.

x) Performance of a Covered Entity’s Obligations. To the extent Visibly is to carry out a Covered Entity’s obligation under the Privacy Rule, Visibly shall comply with the requirements of the Privacy Rule that apply to Partner in the performance of such obligation.

b) Partner Responsibilities.

i) No Impermissible Requests. Partner shall not request Visibly to Use or Disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by a Covered Entity (unless permitted by HIPAA for a Business Associate).

ii) Safeguards and Appropriate Use of Protected Health Information. Partner is responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Partner’s obligation to encrypt and secure ePHI in its custody that is at rest or in motion using Encryption that is at least as stringent as the technologies and methodologies that DHHS deems, in guidance published on its web site pursuant to HITECH § 13402(h)(2), renders PHI unusable, unreadable, or indecipherable to unauthorized persons or entities. All email transmissions containing PHI shall be encrypted, secured and meet the standards under 45 C.F.R. § 164.312(e) for (i) transmission security and (ii) integrity controls and encryption.

iii) Notices of Privacy Practices. To the extent that it may impact Visibly’s use or disclosure of PHI, Partner agrees to inform Visibly in writing of: any limitation in its Notice of Privacy Practices; any changes to or revocation of a patient’s authorization with respect to PHI; and any restriction to a use or disclosure agreed to by Partner with respect to a patient’s PHI; any opt-out by a patient from marketing or fundraising activities by Partner.

iv) Minimum Necessary. Partner will, in its performance of the functions, activities and services involving PHI permitted by this BA Agreement, make reasonable efforts to use, disclose, or request only the minimum PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request as required by 45 C.F.R. § 164.502(b)(1) and HITECH § 13405(b), including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure.

5. Notices. Any notice that a party is required or desires to give under this BA Subcontract shall be delivered as set forth under Section 11.3 (Notices) of the Service Agreement Terms and Conditions.

6. Term and Termination. This BA Agreement shall continue in effect until the earlier of (1) termination by a Party for breach as set forth in this Section 6, or (2) expiration of the Service Agreement. Upon written notice, either Party immediately may terminate the Service Agreement and this BA Agreement if the other Party is in material breach or default of any obligation in this BA Agreement. Either party may provide the other a thirty (30) calendar day period to cure a material breach or default within such written notice. Upon expiration or termination of this BA Agreement, Visibly shall return or destroy all Protected Health Information in its possession, if it is feasible to do so, and as set forth in the applicable termination provisions of the Service Agreement. If it is not feasible to return or destroy any portions of the Protected Health Information upon termination of this BA Agreement, then Visibly shall extend the protections of this BA Agreement, without limitation, to such Protected Health Information and limit any further Use or Disclosure of the Protected Health Information to those purposes that make the return or destruction infeasible for the duration of the retention of the Protected Health Information.

7. Amendment. Upon the compliance date of a statute or regulation or amendment to statute or regulation that affects either party’s obligations under this BA Agreement, this BA Agreement will automatically amend such that the obligations imposed on the parties by this BA Agreement remain in compliance with all applicable statutes and regulations then in effect, unless a party elects to terminate this BA Agreement in accordance with Section 6 above.

8. Conflicts. The terms and conditions of this BA Agreement will override and control any conflicting term or condition of the Service Agreement and its Terms and Conditions or any other agreement or understanding between the parties.

9. Interpretation. The Parties intend that this BA Agreement be interpreted consistently with their intent to comply with HIPAA and other applicable federal and state law. This BA Agreement cannot authorize the Parties to Use or Disclose PHI in a manner that would violate any applicable rule or regulation of HIPPA and should not be interpreted to do so.

10. No Third-Party Beneficiaries. Nothing express or implied in this BA Agreement is intended to confer, nor shall anything in this BA Agreement confer, upon any person other than the Parties, and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.