Business Associate Agreement

Template, version 1.0 · Last updated May 30, 2026

⚠ Template — not a final legal document This is a starting point for the BAA PharmaScript signs with pharmacy customers. It is not legal advice and has not been reviewed by a healthcare attorney. Before executing this agreement with any party, PharmaScript and the pharmacy must each have their own legal counsel review and customize the language. Use of this template without legal review is at the parties' own risk. 🖨 Print / save PDF

This Business Associate Agreement ("Agreement") is entered into as of ("Effective Date"), between ("Covered Entity") and PharmaScript ("Business Associate"). Covered Entity and Business Associate may be referred to individually as a "Party" and collectively as the "Parties."

This Agreement is intended to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH"), and the implementing regulations at 45 CFR Parts 160 and 164 (the "HIPAA Rules"), as amended.

1. Definitions

Capitalized terms used but not defined in this Agreement have the meanings ascribed to them in the HIPAA Rules. For convenience, the following terms have the meanings set forth below:

Breach — has the meaning given in 45 CFR § 164.402.
Designated Record Set — has the meaning given in 45 CFR § 164.501.
Electronic Protected Health Information ("ePHI") — has the meaning given in 45 CFR § 160.103.
Individual — has the meaning given in 45 CFR § 160.103 and includes a person who qualifies as a personal representative under 45 CFR § 164.502(g).
Protected Health Information ("PHI") — has the meaning given in 45 CFR § 160.103, limited to information created, maintained, received, or transmitted by Business Associate on behalf of Covered Entity.
Required by Law — has the meaning given in 45 CFR § 164.103.
Security Incident — has the meaning given in 45 CFR § 164.304.
Subcontractor — has the meaning given in 45 CFR § 160.103.
Unsecured PHI — has the meaning given in 45 CFR § 164.402.

2. Permitted Uses and Disclosures of PHI

2.1 Services

Business Associate provides software-as-a-service that enables pharmacy delivery drivers to scan pharmacy manifests, build optimized delivery routes, capture proof of delivery (signature, photograph, time, GPS coordinates), and generate delivery reports and invoices for Covered Entity (the "Services"). In performing the Services, Business Associate may receive, create, maintain, transmit, or have access to PHI.

2.2 Permitted Uses

Business Associate may use and disclose PHI only as follows:

To perform the Services described in Section 2.1.
For Business Associate's proper management and administration, provided that any disclosure for this purpose is Required by Law or the recipient agrees in writing to (i) hold the PHI in confidence, (ii) use it only for the purpose disclosed, and (iii) notify Business Associate of any breach of the confidentiality of the PHI.
To provide Data Aggregation services to Covered Entity as that term is defined in 45 CFR § 164.501.
To report violations of law to appropriate federal and state authorities consistent with 45 CFR § 164.502(j)(1).
To de-identify PHI in accordance with 45 CFR § 164.514(b), and to use and disclose the resulting de-identified data without restriction.

2.3 Prohibited Uses

Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement, the HIPAA Rules, or as Required by Law. Specifically, Business Associate shall not:

Sell PHI, except as permitted under 45 CFR § 164.502(a)(5)(ii).
Use or disclose PHI for marketing purposes, except as permitted under 45 CFR § 164.508(a)(3).
Use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity directly.

3. Safeguards

Business Associate shall implement and maintain administrative, physical, and technical safeguards in compliance with 45 CFR §§ 164.308, 164.310, and 164.312, designed to protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Without limiting the foregoing, Business Associate shall:

Encrypt all ePHI in transit using TLS 1.2 or higher.
Encrypt all ePHI at rest using industry-standard encryption (AES-256 or equivalent).
Maintain access controls limiting access to PHI to authorized personnel.
Maintain audit logs of access to and modifications of PHI for a minimum of six (6) years.
Apply the HIPAA Minimum Necessary standard (45 CFR § 164.502(b)) when using, disclosing, or requesting PHI.
Conduct regular security risk assessments in accordance with 45 CFR § 164.308(a)(1).

4. Subcontractors

In accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall require any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate to agree in writing to substantially the same restrictions and conditions that apply to Business Associate under this Agreement.

Business Associate maintains current Business Associate Agreements with the following Subcontractors that may handle PHI in providing the Services:

Cloudflare, Inc. — edge hosting, DNS, and email routing
Anthropic, PBC — optical character recognition of manifest images (image transmitted, not stored long-term)
Resend, Inc. — transactional email delivery of delivery reports
Clerk Inc. — user authentication (does not process PHI directly)
Stripe, Inc. — payment processing (does not process PHI)

Business Associate shall provide Covered Entity with reasonable notice before adding a new Subcontractor that will handle PHI.

5. Reporting

5.1 Reporting of Unauthorized Uses or Disclosures

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Security Incident or Breach of Unsecured PHI, within the time frames required by the HIPAA Rules and not later than thirty (30) calendar days after discovery, subject to any law enforcement delay permitted under 45 CFR § 164.412.

5.2 Breach Notification

If Business Associate determines that a Breach of Unsecured PHI has occurred, it shall notify Covered Entity without unreasonable delay and in no event later than sixty (60) calendar days after discovery. The notification shall include the information required by 45 CFR § 164.410(c) to the extent such information is then available.

5.3 Aggregated Security Incidents

The Parties acknowledge that unsuccessful attempts to penetrate or access Business Associate's information systems occur with frequency and that individual reporting of such unsuccessful attempts would not be practical. This Agreement constitutes notice by Business Associate of, and Covered Entity's acknowledgment of, such ongoing unsuccessful attempts, including without limitation pings, port scans, denial-of-service attacks, and similar events that do not result in actual unauthorized access to PHI.

6. Individual Rights

6.1 Access

To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall, within thirty (30) days of a written request from Covered Entity, provide access to such PHI to enable Covered Entity to fulfill its obligations under 45 CFR § 164.524.

6.2 Amendment

Business Associate shall, within thirty (30) days of a written request from Covered Entity, make amendments to PHI in a Designated Record Set as directed by Covered Entity, in accordance with 45 CFR § 164.526.

6.3 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528 within thirty (30) days of a written request.

7. Audit

Business Associate shall, upon reasonable advance written notice and not more than once per calendar year (except in response to a suspected Breach), make its internal practices, books, and records relating to its use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules, and to Covered Entity for the purpose of confirming Business Associate's compliance with this Agreement.

8. Term and Termination

8.1 Term

This Agreement is effective as of the Effective Date and shall remain in effect until terminated as provided herein or until the underlying agreement between the Parties for the provision of the Services is terminated.

8.2 Termination for Cause

Either Party may terminate this Agreement and the underlying services agreement upon thirty (30) days' written notice to the other Party if the other Party materially breaches this Agreement and fails to cure such breach within such notice period.

8.3 Effect of Termination

Upon termination of this Agreement for any reason, Business Associate shall, where feasible, return to Covered Entity or destroy all PHI received from, or created or received on behalf of, Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such PHI. Where return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI.

9. Indemnification

Each Party shall indemnify, defend, and hold harmless the other Party from and against any and all third-party claims, damages, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to the indemnifying Party's breach of this Agreement. The Parties' respective liability for indemnification under this Section is subject to the limitations on liability set forth in the underlying services agreement between the Parties.

10. Miscellaneous

10.1 Regulatory References

A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended from time to time.

10.2 Amendment

The Parties shall negotiate in good faith to amend this Agreement as necessary for either Party to comply with changes in the HIPAA Rules or other applicable law.

10.3 Survival

The obligations of Business Associate under Sections 3, 5, 6, 7, 8.3, 9, and any other provisions that by their nature should survive termination, shall survive termination of this Agreement.

10.4 Interpretation

Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.

10.5 Entire Agreement

This Agreement, together with the underlying services agreement between the Parties, constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior or contemporaneous agreements, understandings, or representations.

10.6 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict-of-laws principles.

10.7 Counterparts

This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Electronic signatures shall have the same effect as original signatures.

Covered Entity

Entity name:

Signature:

Name & Title

Date:

Business Associate — PharmaScript

Entity name: PharmaScript

Signature:

Name & Title

Date: