Business Associate Agreement
What is a Business Associate Agreement (BAA)?
A Business Associate Agreement (BAA) is required when a service provider handles Protected Health Information (PHI) on behalf of a healthcare practice. It defines each party's responsibilities for safeguarding PHI and supporting compliance with applicable privacy and security requirements.
BUSINESS ASSOCIATE AGREEMENT
Between EligiVue LLC (Business Associate) and Your Practice (Covered Entity)
Effective Date: The date of electronic acceptance below.
PARTIES TO THIS AGREEMENT
COVERED ENTITY ("Practice" or "You"):
- Practice Name: Your Practice
- Address: As provided during account registration
- Contact Email: As provided during account registration
- Contact Phone: As provided during account registration
BUSINESS ASSOCIATE ("EligiVue" or "We"):
- Company Name: EligiVue LLC
- Address: 1255 Landsburn Circle, Westlake Village, CA 91361
- Legal / HIPAA Notices: legal@eligivue.com
- HIPAA Privacy Officer / Security Officer: EligiVue Privacy & Security Office, legal@eligivue.com
1. BACKGROUND AND PURPOSE
1.1 Purpose of Agreement
This Agreement establishes the permitted uses and disclosures of Protected Health Information (PHI) by EligiVue while providing insurance eligibility verification services to your Practice. This Agreement satisfies the Business Associate requirements under HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164).
1.2 Services Provided
EligiVue provides automated vision insurance eligibility verification services by:
- Accessing vision insurance provider and plan administrator portals supported by the Service from time to time (currently including, for example, VSP, EyeMed, Spectera, and MetLife Vision plans accessed via the VSP portal) using credentials you provide
- Retrieving patient eligibility and benefits information
- Displaying results to authorized users at your Practice
- Temporarily storing data necessary to provide the Service
- Generating eligibility reports and analytics for your Practice
- Providing patient-facing PreCheck links (EligiVue PreCheck) that allow patients to submit their own eligibility information for your staff to review (PHI collected via EligiVue PreCheck is encrypted at rest and accessible only to your authorized staff)
1.3 Authorization
By signing this Agreement, Practice authorizes EligiVue, as its service provider acting on Practice's behalf for the limited purpose of eligibility verification and related administrative functions, to access payer and clearinghouse systems using credentials that Practice owns and provides or otherwise authorizes for such use.
2. DEFINITIONS
2.1 Key Terms
Terms used in this Agreement have the same meaning as those terms in 45 CFR Parts 160 and 164, including:
- "Business Associate": EligiVue, the entity providing services to the Covered Entity
- "Covered Entity": Your Practice, the healthcare provider subject to HIPAA
- "Protected Health Information" (PHI): Individually identifiable health information transmitted or maintained by EligiVue on behalf of the Covered Entity, including but not limited to patient names, dates of birth, insurance member IDs, the last four digits of Social Security numbers, phone numbers, and eligibility/benefits information — whether submitted by Practice staff or by patients through EligiVue PreCheck
- "Required by Law": A mandate in law, regulation, or court order
- "Security Incident": The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, as defined under applicable HIPAA regulations; provided, however, that routine unsuccessful events such as pings, port scans, denial-of-service attempts, malware blocked by preventive controls, and unsuccessful login attempts that do not result in unauthorized access to Protected Health Information will not, by themselves, constitute reportable Security Incidents under this Agreement
- "Breach": Unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information
3. PERMITTED USES AND DISCLOSURES OF PHI
3.1 Services to Covered Entity
EligiVue may use and disclose PHI only as necessary to perform the following services:
a) Insurance Eligibility Verification:
- Access vision insurance provider and plan administrator portals supported by the Service from time to time (currently including, for example, VSP, EyeMed, Spectera, and MetLife Vision plans accessed via the VSP portal) using your credentials
- Query patient eligibility and benefits information using patient name, date of birth, and member ID
- Retrieve and display eligibility results to your authorized staff
- Generate reports and analytics related to eligibility searches
b) Service Operations:
- Provide technical support related to eligibility searches
- Maintain and improve the Service functionality
- Generate anonymized usage statistics (no PHI)
3.2 Limitations
EligiVue shall NOT:
- Use or disclose PHI for any purpose other than those specified in Section 3.1
- Sell PHI or use it for marketing purposes
- Share PHI with third parties except as permitted by this Agreement
- Use PHI for EligiVue's independent use except as permitted by law
3.3 Minimum Necessary
EligiVue will limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose, except where disclosure is required by law.
4. OBLIGATIONS OF BUSINESS ASSOCIATE (ELIGIVUE)
4.1 HIPAA Compliance
EligiVue agrees to:
- Not Use or Disclose PHI except as permitted by this Agreement or required by law
- Implement Safeguards to prevent unauthorized use or disclosure of PHI, including:
  - Administrative safeguards (policies, training, access controls)
  - Physical safeguards (secure facilities, device security)
  - Technical safeguards (encryption, authentication, audit logs)
- Comply with HIPAA Security Rule (45 CFR Part 164, Subpart C)
- Report Security Incidents and Breaches as specified in Section 4.2
4.2 Breach and Security Incident Notification
In the event of a Breach of Unsecured Protected Health Information, or a material Security Incident involving Protected Health Information that requires notice or response under applicable law or this Agreement, EligiVue will notify the Practice as set forth below:
a) Notification Timeline:
- EligiVue will notify the Practice without unreasonable delay after discovery of a reportable Breach, with a contractual target of 48 hours after discovery, and in no event later than the outside deadline required by applicable law
- Notification via email to Practice's registered contact email
b) Required Information:
- Description of what happened and when
- Types of PHI involved (e.g., patient names, DOBs, member IDs, eligibility data)
- Number of individuals affected (if known)
- Steps EligiVue has taken to mitigate harm
- Steps EligiVue recommends the Practice take
- Contact information for questions
c) Investigation and Remediation:
- EligiVue will investigate the incident
- Implement measures to prevent recurrence
- Provide documentation as reasonably requested
d) Regulatory Notifications and Allocation:
- Unless expressly delegated by written agreement, the Practice (as Covered Entity) remains responsible for providing any required notice to affected individuals, regulators, or other third parties
- EligiVue will cooperate with the Practice in fulfilling any federal (HIPAA) and state (including Cal. Civ. Code § 1798.82) breach notification obligations
- EligiVue will provide the Practice with sufficient information to enable the Practice to comply with its own notification obligations
e) Unsuccessful Attempts:
For purposes of this section, the parties acknowledge that routine unsuccessful attempts to access information systems — such as pings, port scans, denial-of-service attacks, or unsuccessful login attempts — do not constitute reportable Security Incidents under this Agreement, provided that no PHI is accessed, used, disclosed, or compromised.
4.3 Subcontractors and Agents
a) EligiVue ensures that all subcontractors that create, receive, maintain, or transmit PHI on its behalf agree to the same restrictions and conditions that apply to EligiVue under this Agreement, including the implementation of appropriate safeguards.
b) Categories of subcontractors may include:
- Cloud infrastructure and hosting providers
- Backup and disaster recovery providers
- Support, monitoring, and security service providers
- Payment processors (billing data only, not PHI)
- Other service providers engaged to support the Service
c) EligiVue will not permit any subcontractor to create, receive, maintain, or transmit Protected Health Information on EligiVue's behalf unless that subcontractor is bound by written obligations that provide the same restrictions and conditions that apply to EligiVue under this Agreement, including appropriate safeguards. EligiVue will not process production Protected Health Information on any subcontractor infrastructure until any required Business Associate Agreement is in place. A current list of relevant subcontractor categories and BAA status will be made available upon request at legal@eligivue.com.
4.4 Access, Amendment, and Accounting
a) Access to PHI: Within a reasonable period, and in any event not later than 30 days after receiving a written request from the Practice (unless a longer period is permitted by applicable law), EligiVue will provide access to PHI in EligiVue's possession. Access will be provided in electronic format if readily producible.
b) Amendment of PHI: Within a reasonable period, and in any event not later than 30 days after receiving a written request from the Practice (unless a longer period is permitted by applicable law), EligiVue will amend PHI as directed by Practice. EligiVue will inform subcontractors of amendments.
c) Accounting of Disclosures: EligiVue will document disclosures of PHI. Within a reasonable period, and in any event not later than 30 days after receiving a written request from the Practice (unless a longer period is permitted by applicable law), EligiVue will provide an accounting of disclosures. The accounting covers 6 years prior to the request date.
4.5 Books and Records
EligiVue agrees to make its internal practices, books, and records relating to PHI use and disclosure available, for purposes of determining compliance with HIPAA, to:
- The Secretary of Health and Human Services (HHS)
- The Practice
4.6 Data Security Measures
EligiVue implements the following safeguards:
a) Encryption:
- PHI encrypted in transit (TLS 1.2+)
- PHI and insurance portal credentials encrypted at rest (AES-256-GCM encryption)
- PostgreSQL database with encrypted connections and role-based access controls
b) Access Controls:
- User authentication required
- Role-based access control with organization-level data isolation
- Session timeouts (60 minutes of inactivity)
- Password requirements enforced
c) Audit Logging:
- All PHI access logged in the PostgreSQL database
- Logs retained for 6 years
- Regular log review for suspicious activity
d) Data Retention:
- Eligibility lookup screenshots managed per retention policy
- Audit logs retained per HIPAA requirements (minimum 6 years)
e) Infrastructure:
- Python/FastAPI backend application
- PostgreSQL database with access controls
- Hosting infrastructure (hosting provider BAA status tracked separately; see Appendix A)
- Jinja2/Bootstrap 5 frontend with secure session management
f) Security Testing:
- Periodic security assessments
- Vulnerability scanning as part of development lifecycle
- Penetration testing as part of the annual security review cycle
5. OBLIGATIONS OF COVERED ENTITY (PRACTICE)
5.1 Practice Responsibilities
The Practice agrees to:
a) Provide Accurate Information:
- Ensure insurance portal credentials for each supported provider (currently including VSP, EyeMed, Spectera, and/or MetLife Vision plans accessed via the VSP portal) are current and accurate
- Update credentials promptly when changed
- Notify EligiVue of any security concerns
b) Authorize EligiVue's Use:
- Practice confirms it has authority to authorize EligiVue to access insurance portals
- Practice represents it has necessary rights to credentials provided
c) Inform EligiVue of Privacy Practices:
- Notify EligiVue of limitations in Notice of Privacy Practices
- Inform EligiVue of restricted uses/disclosures
- Notify EligiVue of revocation of patient authorizations
d) Not Request Prohibited Uses:
- Practice will not request EligiVue to use or disclose PHI in a manner that would violate HIPAA
5.2 User Management
The Practice agrees to:
- Grant access only to authorized workforce members
- Deactivate user accounts promptly when employees leave
- Monitor user activity for appropriate use
- Report suspected unauthorized access immediately to legal@eligivue.com
6. TERM AND TERMINATION
6.1 Term
This Agreement becomes effective on the date of electronic acceptance and continues until terminated as specified below.
6.2 Termination for Cause
Either party may terminate this Agreement if:
- The other party breaches a material term and does not cure the breach within 30 days of written notice
- Termination is required by law
6.3 Termination by Practice
The Practice may terminate this Agreement by terminating the underlying Service subscription in accordance with the Terms of Service or, if no self-service cancellation mechanism is available, by written notice to EligiVue at legal@eligivue.com. Termination will take effect as provided in the Terms of Service, except to the extent HIPAA requires continued obligations regarding Protected Health Information.
6.4 Effect of Termination
Upon termination:
a) Return or Destruction of PHI:
- Within 30 days of termination (or, if Practice has requested a data export under the Terms of Service, within 30 days of the end of the applicable data export period), EligiVue will, to the extent feasible, either:
  - Return all PHI in active systems to Practice in usable electronic format, OR
  - Destroy all PHI in active systems and certify destruction in writing
b) Backup Media:
- To the extent return or destruction is not feasible for Protected Health Information maintained solely within encrypted backup media created in the ordinary course of business, EligiVue will continue to protect such information and will delete it in accordance with its standard backup rotation schedule, and will not restore or use such information except as required for disaster recovery, legal obligation, or documented security purposes
c) Infeasibility for Other Reasons:
- If return or destruction is not feasible for reasons other than backup retention, EligiVue will:
  - Notify Practice of the conditions making return/destruction infeasible
  - Extend protections of this Agreement to retained PHI
  - Limit further uses/disclosures to purposes making return/destruction infeasible
d) Audit Logs Exception:
- Audit logs containing PHI may be retained for 6 years per HIPAA requirements
- Retained logs remain subject to this Agreement's protections
e) Subcontractors:
- EligiVue will ensure subcontractors return or destroy PHI in accordance with this Section
6.5 Survival
The obligations of Section 6.4 (Effect of Termination) survive termination of this Agreement.
7. INDEMNIFICATION
7.1 Mutual Indemnification
Each party agrees to indemnify and hold harmless the other party from any claims, damages, or costs arising from:
- Its breach of this Agreement
- Its violation of HIPAA
- Its negligent or wrongful acts related to PHI
7.2 Limitations
Indemnification does not apply to claims arising from the other party's actions or the inherent nature of the services provided.
8. LIMITATION OF LIABILITY
8.1 Service Limitations
EligiVue provides the Service "as-is" and makes no warranties regarding:
- Accuracy of information from insurance portals (including, for example, VSP, EyeMed, Spectera, and MetLife Vision plans accessed via the VSP portal)
- Availability of insurance portal systems
- Completeness of benefits information
Nothing in this Section 8 limits or modifies EligiVue's obligations under this Agreement with respect to (a) the confidentiality and security of Protected Health Information, (b) compliance with applicable HIPAA requirements, (c) the indemnification obligations in Section 7, or (d) claims arising from EligiVue's gross negligence, willful misconduct, or unauthorized use or disclosure of Protected Health Information.
8.2 Liability Cap
Except for breaches of confidentiality or HIPAA violations, neither party's total liability shall exceed the amount paid by Practice to EligiVue in the 12 months preceding the claim.
8.3 No Consequential Damages
Neither party shall be liable for indirect, incidental, consequential, or punitive damages.
9. MISCELLANEOUS PROVISIONS
9.1 Regulatory Changes
The parties agree to amend this Agreement as necessary to comply with changes in HIPAA regulations or other applicable laws.
9.2 Interpretation
Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA.
9.3 No Third-Party Beneficiaries
Nothing in this Agreement confers rights upon any person other than the parties and their successors.
9.4 Amendment
This Agreement may be amended only by written agreement signed by both parties. Either party may propose amendments necessary to comply with changes in HIPAA or other applicable law, which shall become effective upon mutual written agreement.
9.5 Entire Agreement
This Agreement, together with the EligiVue Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the handling of PHI. To the extent of any conflict between this Agreement and the Terms of Service or Privacy Policy, this Agreement controls with respect to Protected Health Information and HIPAA-related obligations.
9.6 Governing Law
This Agreement shall be governed by the laws of the State of California, without regard to conflicts of law principles, and by federal HIPAA regulations.
9.7 Severability
If any provision is found invalid or unenforceable, the remaining provisions remain in effect.
9.8 Notices
All notices under this Agreement shall be sent to:
For Practice: Email address on file in account settings
For EligiVue LLC:
- Legal notices: legal@eligivue.com
- Address: 1255 Landsburn Circle, Westlake Village, CA 91361
10. ACKNOWLEDGMENT AND ACCEPTANCE
By electronically signing below, the undersigned representative acknowledges on behalf of the Practice that:
- I am authorized to sign this Agreement on behalf of the Practice
- I have read and understand this Agreement
- The Practice agrees to be bound by the terms of this Agreement
- I authorize EligiVue to access the vision insurance provider and plan administrator portals supported by the Service from time to time (currently including, for example, VSP, EyeMed, Spectera, and MetLife Vision plans accessed via the VSP portal) using credentials we provide
- I understand this Agreement is required by HIPAA before EligiVue can provide services
ELECTRONIC ACCEPTANCE
This Agreement is accepted electronically through the EligiVue platform. When an authorized representative of the Practice accepts this Agreement in-app, the following information is captured and retained as the binding record of acceptance:
Covered Entity (Practice):
- Accepted by: Full name of the accepting user (as registered in account)
- Title/Role: As provided during acceptance
- Organization: Practice name (as registered in account)
- Date and time: UTC timestamp of acceptance
- IP Address: Logged automatically for audit trail
- Email: Account email of accepting user
- BAA Version: Version number accepted
Business Associate (EligiVue LLC):
This Agreement is executed by EligiVue LLC and becomes binding on the Practice upon the Practice's electronic acceptance through the Service. EligiVue will maintain an electronic record of the Practice's acceptance, including the accepting account or organization, accepting user, timestamp, IP address or comparable audit metadata, and the Agreement version accepted.
Nic Camuccio, Authorized Signatory
EligiVue LLC
1255 Landsburn Circle, Westlake Village, CA 91361
APPENDIX A: DATA SECURITY SPECIFICATIONS
Current Security Measures Implemented:
| Security Control | Status | Details |
|---|---|---|
| Encryption in Transit | Implemented | TLS 1.2+ for all connections |
| Credential Encryption | Implemented | AES-256-GCM encryption at rest |
| Session Security | Implemented | 60-minute timeout, secure cookies |
| Audit Logging | Implemented | All PHI access logged to PostgreSQL |
| User Authentication | Implemented | Password + email verification; multi-factor authentication (TOTP) is available for all user roles. Administrators are strongly encouraged to enable it. |
| Role-Based Access Control | Implemented | Organization-level data isolation |
| PostgreSQL Database | Implemented | Production database with access controls |
| Hosting Environment | Current: on-premises; target: HIPAA-eligible cloud deployment | Hosting provider BAA required before production PHI on cloud infrastructure |
APPENDIX B: INCIDENT RESPONSE CONTACTS
For Security Incidents or Breaches:
- HIPAA Privacy & Security Office: legal@eligivue.com
- Website: eligivue.com
Incident Reporting Process:
- Contact EligiVue immediately at legal@eligivue.com
- Document the incident details
- Await investigation and guidance
- Follow recommended remediation steps
APPENDIX C: PERMITTED DISCLOSURES
EligiVue may disclose PHI to the following categories of subcontractors:
- Cloud Infrastructure Provider: For application hosting and data storage
- Backup Service: For disaster recovery and data redundancy
- Technical Support: For troubleshooting with Practice consent
- Legal Counsel: For legal compliance and advice
- Auditors: For HIPAA compliance audits
EligiVue ensures that all subcontractors that create, receive, maintain, or transmit PHI on its behalf agree to the same restrictions and conditions that apply to EligiVue under this Agreement.
DOCUMENT VERSION CONTROL
BAA Version: 2.0 | Effective Date: April 26, 2026 | Last Updated: April 26, 2026 | Next Review Date: March 2027
End of Business Associate Agreement