BY CLICKING ON THE “I ACCEPT” BUTTON BELOW OR BY ACCESSING OR USING THE SERVICES YOU (A) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THIS AGREEMENT; (B) REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS AGREEMENT AND, IF ENTERING INTO THIS AGREEMENT FOR AN ORGANIZATION, THAT YOU HAVE THE LEGAL AUTHORITY TO BIND THAT ORGANIZATION; AND (C) ACCEPT THIS AGREEMENT AND AGREE THAT YOU ARE LEGALLY BOUND BY ITS TERMS.
This BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is a binding contract between you (“Customer,” “you,” “your,” or “Covered Entity”) and SiteLabs, LLC, a North Carolina limited liability company (“SiteLabs,” “we,” “us,” or “Business Associate”) (collectively, the “Parties”).
This Agreement governs your access to and use of the Services.
THIS AGREEMENT TAKES EFFECT WHEN YOU CLICK THE “I ACCEPT” BUTTON BELOW OR BY ACCESSING OR USING THE SERVICES (the “Effective Date”).
IF YOU DO NOT ACCEPT THESE TERMS, YOU MAY NOT ACCESS OR USE THE SERVICES.
WHEREAS, the Parties have entered into or will enter into a SiteLabs Business Agreement (the “Services Agreement”), pursuant to which Business Associate provides or will provide certain services to or on behalf of Covered Entity;
WHEREAS, Covered Entity is committed to complying with HIPAA (as defined herein) with respect to the health information in the possession of Covered Entity;
WHEREAS, Business Associate is committed to complying with the applicable provisions of HIPAA related to Business Associate’s relationship with Covered Entity; and
WHEREAS, in the course of performing services under the Services Agreement, Business Associate will have access to and/or receive from Covered Entity and/or create on behalf of Covered Entity certain Protected Health Information that can be used or disclosed only in accordance with this Agreement, the Services Agreement, and HIPAA.
NOW, THEREFORE, the Parties agree as follows:
For purposes of this Agreement, the following terms shall have the following prescribed meanings:
“Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA privacy rule which compromises the security or privacy of the Protected Health Information, or as defined in 45 CFR 164.402 as may be amended.
“Data Aggregation Services” means, with respect to Protected Health Information created or received by the Business Associate, the combining of such Protected Health Information by the Business Associate with protected health information (as defined in HIPAA) received by the Business Associate in its capacity as a business associate (as defined in HIPAA) of another covered entity (as defined in HIPAA), to permit data analyses that relate to the health care operations of the respective covered entities, including the Covered Entity.
“Electronic Media” means electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card, and transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
“Electronic Protected Health Information” means Protected Health Information that is (i) transmitted by Electronic Media, or (ii) maintained in any medium described as Electronic Media.
“HIPAA” means the security and privacy requirements applicable to Covered Entities as reflected in the Health Insurance Portability and Accountability Act, 42 U.S.C. 1320d et seq., and such regulations as may be promulgated thereunder from time to time (currently, 45 CFR 164.102 through 164.534).
“HITECH” means the Health Information Technology for Economic and Clinical Health Act of 2009 as reflected in 42 U.S.C. 17921 et seq. and such regulations as may be promulgated thereunder from time to time.
“Minimum Necessary” means the minimum amount of Protected Health Information necessary to accomplish the intended purpose of the use, disclosure, or request, or however the U.S. Department of Health and Human Services (“HHS”) may define or interpret such term from time to time.
“Protected Health Information” (or “PHI”) means individually identifiable health information created by, for or on behalf of the Covered Entity that is (i) transmitted by Electronic Media, (ii) maintained in any medium described as Electronic Media, or (iii) transmitted or maintained in any other form or medium. “Protected Health Information” does not include individually identifiable health information in: (i) education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g(a)(4)(B)(iv)), or (ii) records described at 20 U.S.C. section 1232g(a)(4)(B)(iv), or (iii) regarding a person who has been deceased more than 50 years.
“Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
“Services Agreement” means the contract or agreement, whether in writing or otherwise, between the Covered Entity and the Business Associate, pursuant to which the Business Associate provides services to the Covered Entity of the type that require the parties to enter into this Agreement pursuant to HIPAA.
“Unsecured Protected Health Information” means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of HITECH.
Terms used but not defined in this Agreement shall have the meaning ascribed to them in HIPAA.
PERMITTED AND REQUIRED USES AND DISCLOSURES OF PHI
Business Associate shall be permitted and required to use Protected Health Information only as provided in the Services Agreement and this Agreement. The Business Associate shall not use or further disclose Protected Health Information in any manner that: (a) would violate the terms of this Agreement; or (b) if done by the Covered Entity, would violate HIPAA, except that (i) the Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, and (ii) the Business Associate may provide Data Aggregation Services relating to the health care operations of the Covered Entity. The Business Associate may disclose Protected Health Information for the purposes described in item (b)(i) of this Article 2 only if the disclosure is required by law or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and that the person will notify the Business Associate of any instance where the confidentiality of the Protected Health Information has been breached.
RESTRICTIONS ON THE USE AND DISCLOSURE OF PHI
Notwithstanding anything in the Services Agreement to the contrary, the Business Associate shall:
(a) Not use or further disclose Protected Health Information other than as permitted or required by this Agreement or as required or allowed by law;
(b) Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than provided for by this Agreement;
(c) Use appropriate safeguards to limit incidental use or disclosure of the Protected Health Information made pursuant to an otherwise permitted or required use or disclosure;
(d) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by HIPAA;
(e) Report to the Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement, or any security incident of which it becomes aware, without unreasonable delay but in no event later than five (5) calendar days. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing occurrence of incidents that may constitute security incidents but that are trivial and do not result in unauthorized access, use, or disclosure of PHI that is Electronic PHI, including without limitation pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denials of service, for which no additional notice to Covered Entity shall be required;
(f) Ensure that any agents, including any subcontractor, to whom it provides Protected Health Information received from, or created or received by the Business Associate on behalf of the Covered Entity agrees to the same restrictions and conditions that apply to the Business Associate with respect to such Protected Health Information (and, in the case of Electronic Protected Health Information, that such agents and subcontractors agree to implement reasonable and appropriate safeguards to protect it);
(g) Make available to any individual Protected Health Information about that individual only to the extent required by, and in accordance with, HIPAA (including pursuant to a Designated Record Set if applicable);
(h) Make available an individual’s Protected Health Information for amendment by that individual and incorporate any amendments to that individual’s Protected Health Information to the extent required by, and in accordance with, HIPAA, should Business Associate retain any health records on behalf of Covered Entity;
(i) Record for each disclosure of Protected Health Information not excepted from disclosure accounting under HIPAA, that Business Associate makes to a third party and when applicable under HIPAA: (i) the disclosure date; (ii) the name and (if known) address of the person or entity to whom Business Associate made the disclosure; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure (items i through iv, collectively, the “Disclosure Information”). For repetitive disclosures Business Associate makes to the same person or entity for a single purpose, Business Associate will provide (1) the Disclosure Information for the first of these repetitive disclosures; (2) the frequency or number of these repetitive disclosures; and (3) the date of the last of these repetitive disclosures. Business Associate will make disclosure tracking information available to Covered Entity within 20 days from the date Covered Entity made the request. Business Associate will follow all retention requirements for accounting of disclosures in accordance with HIPAA and HITECH.
(j) Make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by, the Business Associate on behalf of the Covered Entity available to the Secretary of Health and Human Services (or its delegate) for purposes of determining the Covered Entity’s compliance with HIPAA;
(k) Report to Covered Entity any successful Security Incident or Breach of Unsecured Protected Health Information known or suspected by Business Associate. Notice shall be in writing and provided to the Covered Entity without unreasonable delay, but no later than five calendar days following the discovery of the Security Incident or Breach. Such notice will include, to the extent possible, the identification of each individual whose Protected Health Information has been or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed during the Breach. Such notice shall also include the following information: (i) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (ii) a description of the types of Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (iii) any steps individuals should consider taking to protect themselves from potential harm resulting from the Breach; (iv) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further breaches; and (v) contact procedures for obtaining additional information. If requested by the Covered Entity in writing, Business Associate shall provide the notifications to all affected individuals as required by HIPAA and applicable state law, which notifications shall be subject to the Covered Entity’s approval;
(l) Not sell Protected Health Information or receive any direct or indirect remuneration in exchange for PHI, except as expressly permitted by HIPAA, this Agreement and the Services Agreement, and as approved in writing by the Covered Entity;
(m) Not transmit, to any individual for whom Business Associate has PHI, any communication about a product or service that encourages the recipient of the communication to purchase or use that product or service or is in violation of any of the marketing prohibitions set forth in the HITECH Act;
(n) Not maintain Protected Health Information outside of the United States and not allow anyone outside the United States to have access to Protected Health Information without the express, prior written consent of the Covered Entity; and
(o) At the termination of this Agreement, if feasible, return or destroy all Protected Health Information received from, or created or received by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form and retain no copies of such Protected Health Information; or, if such return or destruction is not feasible, extend the protections of this Agreement to the Protected Health Information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible. Any such destruction hereunder shall render Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance issued by the Secretary.
OBLIGATIONS OF COVERED ENTITY
The Covered Entity shall notify the Business Associate of any limitation(s) in the Covered Entity’s notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect the Business Associate’s use or disclosure of Protected Health Information.
The Covered Entity shall notify the Business Associate of any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, to the extent that such changes may affect the Business Associate’s use or disclosure of Protected Health Information.
The Covered Entity shall notify the Business Associate of any restriction to the use or disclosure of Protected Health Information that the Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect the Business Associate’s use or disclosure of Protected Health Information.
The Covered Entity shall not request the Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by the Covered Entity. Notwithstanding the foregoing language, the Business Associate may use or disclose Protected Health Information for Data Aggregation Services to the Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B) or the management and administrative activities of the Business Associate in accordance with this Agreement.
This Agreement may be amended only in writing and only by the mutual consent of the parties. Notwithstanding the foregoing, this Agreement shall be deemed as automatically amended to the extent minimally necessary to comply with any changes to HIPAA, including any changes as a result of HITECH or amendments to HITECH.
TERM AND TERMINATION
This Agreement shall become effective as of the later of (i) the date set forth below or (ii) the date the HIPAA privacy and security requirements become effective with respect to the relationship between the Covered Entity and the Business Associate. This Agreement shall remain in effect until the earlier of: (i) the date the parties mutually agree in writing to terminate this Agreement, or (ii) the date the Services Agreement is terminated. No separate notice shall be required to terminate this Agreement upon termination of the Services Agreement.
This Agreement shall replace and supersede any prior business associate agreements entered into by the Covered Entity and the Business Associate, and such other business associate agreements shall be deemed canceled and of no further effect.
Notwithstanding anything in the Services Agreement to the contrary, if either party determines that the other party has violated a material provision of this Agreement, the non-breaching party may terminate this Agreement and the Services Agreement upon written notice to the breaching party.
INDEMNIFICATION AND BREACH EXPENSES
Notwithstanding anything in the Services Agreement or any other agreement between the parties to the contrary, in the event of a Breach of Unsecured Protected Health Information by Business Associate or any employee, director, or other representative of Business Associate, Business Associate shall reimburse Covered Entity for all reasonable and substantiated costs and expenses incurred by Covered Entity to investigate, mitigate and resolve such Breach and to satisfy Covered Entity’s obligations under HIPAA/HITECH and the regulations promulgated thereunder to notify individuals. Covered Entity will submit an invoice to Business Associate explaining the costs and expenses incurred by Covered Entity, and Business Associate shall make full payment to Covered Entity within 30 days of receipt of any undisputed invoice. In addition, Business Associate shall indemnify, defend, and hold harmless the Covered Entity and its affiliates and their respective present and former principals, directors, employees, agents and contractors from and against any claim, cause of action, liability, damage, cost or expense, including but not limited to attorney’s fees, investigation costs, court costs, notification to individuals, and mitigation costs, arising out of or in connection with: (a) a breach of this Agreement by Business Associate; and (b) any negligent or wrongful acts or omissions of Business Associate in the performance of its obligations under this Agreement or HIPAA/HITECH. Notwithstanding anything in this Agreement, the Services Agreement or any other agreement between the parties to the contrary, the total payments made by Business Associate hereunder, or Business Associate’s liability and/or indemnification obligations hereunder, shall be limited to and shall not exceed the total revenue received by Business Associate from Covered Entity under the Services Agreement during the twelve months prior to the breach event.
Covered Entity shall indemnify, defend, and hold harmless Business Associate and its affiliates and their respective present and former principals, directors, employees, agents and contractors from and against any claim, cause of action, liability, damage, cost or expense, including but not limited to attorney’s fees, investigation costs, court costs, notification to individuals, and mitigation costs, arising out of or in connection with: (a) a breach of this Agreement by Covered Entity; and (b) any negligent or wrongful acts or omissions of Covered Entity in the performance of its obligations under this Agreement or HIPAA/HITECH.
The provisions of this Article 7 shall survive termination or expiration of this Agreement. Notwithstanding any provision of the Services Agreement to the contrary, Business Associate’s responsibility for indemnification arising out of or in connection with this Agreement will be governed solely by this Article 7 and no provision set forth in the Services Agreement, including indemnification provisions thereunder will in any way alter or expand Business Associate’s indemnification liability hereunder.
RELATIONSHIP TO SERVICES AGREEMENT
It is the intent of the parties that the terms of this Agreement be interpreted so as to cause the Services Agreement to comply with the privacy and security requirements of HIPAA and the requirements of HITECH. Accordingly, this Agreement shall amend the Services Agreement to the extent provided herein regardless of whether this Agreement formally satisfies the requirements of the Services Agreement for amendment of the Services Agreement. To the extent any provisions of this Agreement conflict with the terms of the Services Agreement, this Agreement shall govern.
Section 9.1 Assignment. This Agreement may not be assigned by either party without the prior written consent of the other party, which consent shall not be unreasonably withheld. This Agreement shall be binding upon and inure to the benefit of the successors and permitted assigns hereof.
Section 9.2 Further Assurances. Each party will cooperate with the other and execute and deliver to the other party such other instruments and documents and take such other actions as may be reasonably requested from time to time by the other party to carry out, evidence and confirm the intended purposes of this Agreement.
Section 9.3 Survival. Notwithstanding any contrary provision in this Agreement, the provisions of this Agreement shall continue in force beyond the term of this Agreement to the extent necessary or appropriate to give such provisions their intended effect, unless and until the parties specifically agree in writing to the contrary.
Section 9.4 Waiver. The rights and remedies of the parties are cumulative and not alternative. Neither the failure nor any delay on the part of any party in exercising any right, power, or privilege under this Agreement shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power or privilege preclude any other or further exercise thereof or exercise of any other right, power or privilege.
Section 9.5 Governing Law. This Agreement shall be governed by the laws of the jurisdiction provided in the Services Agreement. If the Services Agreement does not specify such a jurisdiction, this Agreement shall be governed by the laws of the State of North Carolina.
Section 9.6 Force Majeure. Neither party shall be liable or deemed to be in default for any delay or failure in performance under this Agreement or other interruption of services resulting, directly or indirectly, from acts of God, civil or military authority, acts of public enemy, war, accidents, fires, explosions, earthquakes, pandemics, floods, or strikes, or similar cause beyond the reasonable control of either party.
Section 9.7 Relationship of Parties. None of the provisions of this Agreement is intended to create nor shall be deemed or construed to create any relationship between the parties hereto other than that of independent entities contracting with each other hereunder solely for the purpose of effecting the provisions of this Agreement.
Section 9.8 No Third Party Beneficiaries. Nothing herein is intended to give, nor shall have the effect of giving, any enforceable rights to any third parties who are not parties hereto or successors or permitted assigns of the parties hereto, whether such claims are asserted as third party beneficiary rights or otherwise.
Section 9.9 Counterparts. This Agreement may be executed in one or more counterparts each of which shall be deemed to be an original and all of which together shall constitute one and the same instrument.
Section 9.10 Notice. Notices required under this Agreement shall be sent by regular mail to the address of each party set forth below or such other address as that party may designate in a notice properly delivered to the other parties.