This Business Associate Agreement ("BAA") is entered into between RxRecon Pro ("Business Associate") and the pharmacy or healthcare organization ("Covered Entity") that accesses and uses the RxRecon Pro platform ("Service"). This BAA is incorporated by reference into the Terms of Service and is binding upon both parties.
This BAA is intended to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, including the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").
Capitalized terms used but not otherwise defined in this BAA shall have the meanings given to them in the HIPAA Rules.
Business Associate may use and disclose PHI only as necessary to perform the services outlined in the Terms of Service and as specifically permitted by this BAA, or as required by law. Business Associate may not use or disclose PHI for any purpose other than as provided for by this BAA or as required by law, even if permitted by the HIPAA Rules without a Business Associate Agreement.
Specifically, Business Associate is permitted to use and disclose PHI solely for the following purposes:
Business Associate shall implement and maintain the following administrative safeguards:
Business Associate shall implement and maintain the following physical safeguards:
Business Associate shall implement and maintain the following technical safeguards:
All ePHI stored on Business Associate's systems shall be encrypted at rest using AES-256 encryption. All ePHI transmitted between Covered Entity and Business Associate shall be encrypted in transit using TLS 1.3. For the offline dashboard version of the Service, all data processing occurs locally within the user's browser and is never transmitted to Business Associate's servers.
Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, including any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations. Reports shall be made within 24 hours of discovery via email to the Covered Entity's designated security contact.
In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity within 24 hours of discovery. Such notification shall include, to the extent possible:
Business Associate shall cooperate with Covered Entity in all efforts to mitigate the harmful effects of any Breach and shall make available all information necessary for Covered Entity to comply with its breach notification obligations under 45 CFR § 164.410.
Business Associate may engage subcontractors ("Subcontractors") to assist in providing the Service, provided that such Subcontractors agree to comply with the same restrictions and conditions that apply to Business Associate under this BAA with respect to PHI. Business Associate shall ensure that all Subcontractors enter into written agreements containing protections for PHI substantially similar to those in this BAA. Business Associate remains fully liable for all acts and omissions of its Subcontractors.
Current Subcontractors include: cloud hosting providers (AWS, Google Cloud), payment processors (Stripe), and email delivery services (SendGrid). All Subcontractors are HIPAA-compliant and bound by appropriate Business Associate Agreements.
Business Associate shall make available to Covered Entity, or to an Individual as directed by Covered Entity, access to PHI in a Designated Record Set for the purpose of satisfying Covered Entity's obligations under 45 CFR § 164.524. Business Associate shall provide such access within 30 days of a request.
Business Associate shall make available to Covered Entity, or to an Individual as directed by Covered Entity, PHI for amendment and shall incorporate any amendments into the PHI as required by 45 CFR § 164.526.
Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.
Business Associate shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, except where the HIPAA Rules otherwise require or permit a broader use or disclosure. Business Associate shall implement and enforce policies and procedures reasonably designed to ensure compliance with this minimum necessary standard.
This BAA shall be effective as of the date of your registration for the Service and shall continue until the termination of the Terms of Service or your subscription, whichever occurs later.
Covered Entity may terminate this BAA and the underlying Terms of Service immediately upon written notice if Business Associate breaches a material term of this BAA and fails to cure such breach within 30 days of receiving written notice. If cure is not possible, Covered Entity may terminate immediately.
Upon termination of this BAA for any reason, Business Associate shall:
Business Associate's obligations under this BAA with respect to PHI shall survive the termination of this BAA and the underlying Terms of Service for the duration of any applicable data retention period.
Covered Entity shall:
A reference in this BAA to a specific section of the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
Business Associate and Covered Entity agree to amend this BAA as necessary to comply with changes in the HIPAA Rules or other applicable law. Either party may request amendment by written notice, and the parties shall negotiate in good faith to agree on appropriate amendments.
If any provision of this BAA is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.
This BAA shall be governed by and construed in accordance with the laws of the State of New Jersey, without regard to its conflict of law provisions.
This BAA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and negotiations.
For questions about this Business Associate Agreement or to report a security incident or Breach, please contact:
RxRecon Pro Privacy and Security Office
Email: security@rxreconpro.com
Phone: (877) 912-8348
Address: 197 State Route 18S, East Brunswick, NJ 08816
Security incidents should be reported immediately via email or phone. We operate a 24-hour incident response capability.