BUSINESS ASSOCIATE AGREEMENT
Last Updated: April 14, 2025
This Agreement, effective upon the creation of your physician account when you agree to the statement "I have read and agree to the AbridgeRX Business Associates Agreement, Terms of Service, and Privacy Policy," is made between REMEDYRX, LLC ("Business Associate" and DBA as "AbridgeRx") and you, our physician partner ("Covered Entity").

WHEREAS, the undersigned physician practice is a "Covered Entity" as that term is defined under HIPAA, which requires Covered Entities and certain of their service providers to enter into confidentiality agreements;

WHEREAS, Business Associate may create on behalf of, or receive from, the Covered Entity or the Covered Entity's other service providers protected health information ("PHI"); and

WHEREAS, upon creation or receipt of such PHI, Business Associate would be a "Business Associate" in relation to the Covered Entity, as that term is defined under HIPAA.

NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein, Covered Entity and Business Associate agree as follows:

1. Capitalized Terms. All capitalized terms herein not otherwise defined shall have the meaning ascribed to such terms under HIPAA, the HITECH Act, and the Privacy and Security Rules, as may be amended from time to time.

2. Business Associate's Responsibilities with Respect to Use and Disclosure of PHI. Business Associate agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:
a. to Use and/or Disclose the PHI only: (i) in conjunction with the services it provides to Covered Entity ("the Services"), including sending text-based care plan reminders and motivational messages on behalf of Covered Entity as authorized by patients; (ii) consistent with the manner in which Covered Entity is permitted to Use and Disclose by 45 C.F.R. § 164.502 (as amended from time to time) and/or 45 C.F.R. § 164.512; (iii) for Business Associate's proper management and administration; (iv) to fulfill any present or future legal responsibilities; (v) as otherwise permitted or required by this Agreement; or (vi) as otherwise permitted or required by law.
b. to report to Covered Entity, in writing, any material Use and/or Disclosure of the PHI by Business Associate that is not permitted or required by this Agreement of which Business Associate becomes aware;
c. to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use and/or Disclosures contrary to this Agreement;
d. to the extent that Business Associate creates, receives, maintains, or transmits Electronic Protected Health Information as that term is defined by the Security Rule, on behalf of Covered Entity, to report to Covered Entity any Security Incident of which Business Associate becomes aware to the extent such incidents represent successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System that contains or has access to the Electronic Protected Health Information of Covered Entity, and upon request by Covered Entity, report all unsuccessful attempts for which Business Associate has records;
e. to require all of Business Associate's subcontractors and agents utilized in providing the Services which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and conditions on the Use and/or Disclosure of the PHI that apply to Business Associate pursuant to this Agreement; and
f. to report to Covered Entity any breaches by subcontractors as required by Section 11.

3. Safeguards. Business Associate shall employ appropriate administrative, technical, and physical safeguards, consistent with the size and complexity of Business Associate's operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Agreement, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, which includes Business Associate's obligation to have written policies and procedures in place to document its administrative, technical, and physical safeguards.

4. Access Requests. Business Associate shall process Covered Entity's requests to access records in the Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45 C.F.R. § 164.524.

5. Amendment Requests. Business Associate shall process Covered Entity's requests for amendment of the PHI in Business Associate's possession, solely upon Covered Entity's request and in a manner that allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the manner in which Covered Entity is amending the PHI in Covered Entity's possession.

6. Accounting of Disclosures. Business Associate shall track and keep a record of all Disclosures of PHI, and shall provide to Covered Entity the information necessary for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45 C.F.R. § 164.528, to individuals who request an accounting. In each case, Business Associate shall provide at least the following information with respect to each such Disclosure: (a) the date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which includes an explanation of the basis for such Disclosure. In the event that Business Associate receives a request for an accounting directly from an individual, Business Associate shall forward such request to Covered Entity in writing.

7. De-Identification. Business Associate may de-identify PHI for lawful purposes, so long as such de-identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to time, and may use the PHI to provide data aggregation services for Covered Entity’s healthcare operations, as permitted by 45 C.F.R. § 164.504(e)(2)(i).

8. Meet Covered Entity Obligations Where Appropriate. If Business Associate will perform a service for Covered Entity that is an obligation of Covered Entity under the Privacy Rule, Business Associate shall meet the applicable requirements in the performance of that service.

9. Requests from Secretary of Health and Human Services. If Business Associate receives a request, made by or on behalf of the Secretary of the United States Department of Health and Human Services (the "Secretary"), requiring Business Associate to make its internal practices, books, and records relating to the Use and Disclosure of the PHI created or received by Business Associate on behalf of Covered Entity available to the Secretary for the purpose of determining Covered Entity's and/or Business Associate's compliance with HIPAA, then Business Associate shall make its internal practices, books, and records available to the Secretary or the Secretary's authorized representative.

10. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use, and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of "minimum necessary" from time to time, and agree to stay informed of any relevant changes to the definition.

11. Reporting of Security Breaches. In the event of a "Breach" of any "Unsecured" PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity as soon as practicable, but in no event later than ten (10) business days after the date on which the Breach is discovered. "Breach" shall mean the unauthorized acquisition, access, Use, or Disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom the information is disclosed would not reasonably have been able to retain such information. "Unsecured PHI" shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Business Associate's response to the Breach. Business Associate will assist Covered Entity in meeting its breach notification obligations under 45 C.F.R. Part 164, Subpart D.

12. Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Business Associate, Covered Entity agrees:
a. that the Uses and Disclosures of the PHI by Business Associate pursuant to this Agreement are at the time of execution, and throughout the term of this Agreement will be, consistent with the form of notice of privacy practices (the "Notice") that Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520;
b. to notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the Use and/or Disclosure of the PHI by Business Associate under this Agreement including, but not limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R. § 164.522 agreed to by Covered Entity, and to hold Business Associate harmless from the financial impact of any such agreement by Covered Entity; and
c. to obtain any consent or authorization that may be required under HIPAA or state law prior to furnishing the PHI to Business Associate.

13. Term. Unless otherwise terminated as provided in Section 14, this Agreement shall become effective on the Effective Date and shall have a term that shall run concurrently with that of any oral or written agreement by Business Associate to provide Services to Covered Entity and will terminate without any further action of the Parties upon the termination of all such agreements.

14. Termination
a. If either Party determines that the other Party has engaged in a pattern of activity that constitutes a material breach of the other Party's obligations under this Agreement, the non-breaching Party shall, within twenty (20) days of that determination, notify the breaching Party and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such a time period, the non-breaching Party may terminate all or part of the service relationship. In no event shall such termination have any effect on sums due from Covered Entity for any services provided by Business Associate under the engagement.
b. Where either Party has knowledge of a material breach by the other Party, and cure is not possible, the non-breaching Party shall terminate the portion of the arrangement for Services affected by the breach.

15. Effect of Termination. Upon the event of termination of this Agreement, Business Associate agrees, where feasible, to return or destroy the PHI, which Business Associate still maintains in any form. Prior to doing so, Business Associate further agrees, to the extent feasible, to request the destruction of the PHI that is in the possession of its subcontractors or agents. If in Business Associate's opinion, it is not feasible for Business Associate or any subcontractors to return or destroy portions of the PHI, Business Associate shall, upon Covered Entity's written request, inform Covered Entity as to the specific reasons that make such return or destruction infeasible and limit any further use or disclosures to the purposes that make the return or destruction of those portions of the PHI infeasible and provide the protections described herein to that PHI.

16. Third Party Beneficiaries. Nothing in this Agreement shall be construed to create any third party beneficiary rights in any person.

17. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.

18. Informal Resolution. If any controversy, dispute, or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.

19. Indemnification
a. Covered Entity agrees to indemnify and hold harmless Business Associate from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorney's fees) arising out of or relating to Covered Entity's breach of this Agreement or violation of HIPAA, except to the extent such claims, losses, damages, liabilities, costs, and expenses are caused by the gross negligence or willful misconduct of Business Associate.
b. Business Associate agrees to indemnify and hold harmless Covered Entity from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorney's fees) arising out of or relating to Business Associate’s breach of this Agreement or violation of HIPAA, except to the extent such claims, losses, damages, liabilities, costs, and expenses are caused by the gross negligence or willful misconduct of Covered Entity.

20. Notices. All notices, requests, approvals, demands, and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. All communications will be deemed given when received.

21. Interpretation. The provisions of this Agreement shall prevail over any provisions in any other agreements between Business Associate and Covered Entity that may conflict or appear inconsistent with any provision of this Agreement. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with and is consistent with HIPAA and the HITECH Act.

22. Survival. Sections 4, 6, 15, 19, and 22 shall survive the termination of this Agreement.

23. Governing Law and Dispute Resolution
a. This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois.
b. Any controversy or claim arising out of or relating to this Agreement shall be settled via arbitration in accordance with the rules of the American Arbitration Association.

24. HITECH Act Compliance. Business Associate will comply with all applicable provisions of the HITECH Act.