R
RxRecon Pro
Log In Get Started
← Back to Home

HIPAA Business Associate Agreement

Effective Date: January 1, 2025 · Last Updated: January 1, 2025

This Business Associate Agreement ("BAA") is entered into between RxRecon Pro ("Business Associate") and the pharmacy or healthcare organization ("Covered Entity") that accesses and uses the RxRecon Pro platform ("Service"). This BAA is incorporated by reference into the Terms of Service and is binding upon both parties.

This BAA is intended to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, including the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").

1. Definitions

Capitalized terms used but not otherwise defined in this BAA shall have the meanings given to them in the HIPAA Rules.

  • "Business Associate" means RxRecon Pro, a technology service provider that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of Protected Health Information (PHI).
  • "Covered Entity" means the pharmacy, healthcare provider, or health plan that has entered into this agreement and is subject to the HIPAA Privacy Rule.
  • "Protected Health Information" or "PHI" means any information, including oral, written, or electronic, that is created or received by Covered Entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
  • "Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by electronic media or maintained in electronic media.
  • "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  • "Breach" has the meaning given in 45 CFR § 164.402.

2. Permitted Uses and Disclosures of PHI

Business Associate may use and disclose PHI only as necessary to perform the services outlined in the Terms of Service and as specifically permitted by this BAA, or as required by law. Business Associate may not use or disclose PHI for any purpose other than as provided for by this BAA or as required by law, even if permitted by the HIPAA Rules without a Business Associate Agreement.

Specifically, Business Associate is permitted to use and disclose PHI solely for the following purposes:

  • Processing and analyzing pharmacy dispensing records, wholesaler invoices, and operational data to generate reconciliation reports, audit analytics, and compliance documentation;
  • Performing data aggregation, de-identification, and statistical analysis for quality assurance and product improvement purposes;
  • Storing and maintaining PHI in encrypted form for the duration of the subscription and applicable retention period;
  • Providing technical support, troubleshooting, and customer service related to the Service;
  • Complying with applicable laws, regulations, and legal process, including subpoenas and court orders, provided that Business Associate shall notify Covered Entity of such requirement to the extent permitted by law.

3. Safeguards

3.1 Administrative Safeguards

Business Associate shall implement and maintain the following administrative safeguards:

  • Security management process, including risk analysis, risk management, and sanction policies;
  • Assigned security responsibilities, including a designated Security Officer and Privacy Officer;
  • Workforce security, including authorization and supervision procedures;
  • Information access management, including role-based access controls and minimum necessary policies;
  • Security awareness and training programs for all personnel with access to PHI;
  • Security incident detection and response procedures;
  • Contingency planning, including data backup, disaster recovery, and emergency mode operation plans;
  • Periodic evaluation of security policies and procedures.

3.2 Physical Safeguards

Business Associate shall implement and maintain the following physical safeguards:

  • Facility access controls and workstation security measures;
  • Device and media controls, including disposal, media re-use, and accountability procedures;
  • Hosting of all electronic PHI in SOC 2 Type II certified data centers with 24/7 physical security, biometric access controls, and redundant power systems.

3.3 Technical Safeguards

Business Associate shall implement and maintain the following technical safeguards:

  • Access Control: Unique user identification, role-based access controls, automatic logoff, and encryption and decryption mechanisms;
  • Audit Controls: Comprehensive audit logging of all data access, modifications, and administrative actions, with logs retained for a minimum of 6 years;
  • Integrity Controls: Mechanisms to authenticate ePHI and protect it from improper alteration or destruction, including checksums and digital signatures;
  • Transmission Security: TLS 1.3 encryption for all data in transit, including end-to-end encryption for browser-to-server communication.

3.4 Encryption

All ePHI stored on Business Associate's systems shall be encrypted at rest using AES-256 encryption. All ePHI transmitted between Covered Entity and Business Associate shall be encrypted in transit using TLS 1.3. For the offline dashboard version of the Service, all data processing occurs locally within the user's browser and is never transmitted to Business Associate's servers.

4. Reporting and Mitigation

4.1 Security Incidents

Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, including any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations. Reports shall be made within 24 hours of discovery via email to the Covered Entity's designated security contact.

4.2 Breach Notification

In the event of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity within 24 hours of discovery. Such notification shall include, to the extent possible:

  • The identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach;
  • The date and time of the Breach;
  • A description of the circumstances surrounding the Breach;
  • The types of PHI involved (e.g., names, dates, NDCs, prescription details);
  • The steps taken to mitigate the Breach and prevent further unauthorized access.

Business Associate shall cooperate with Covered Entity in all efforts to mitigate the harmful effects of any Breach and shall make available all information necessary for Covered Entity to comply with its breach notification obligations under 45 CFR § 164.410.

5. Subcontractors

Business Associate may engage subcontractors ("Subcontractors") to assist in providing the Service, provided that such Subcontractors agree to comply with the same restrictions and conditions that apply to Business Associate under this BAA with respect to PHI. Business Associate shall ensure that all Subcontractors enter into written agreements containing protections for PHI substantially similar to those in this BAA. Business Associate remains fully liable for all acts and omissions of its Subcontractors.

Current Subcontractors include: cloud hosting providers (AWS, Google Cloud), payment processors (Stripe), and email delivery services (SendGrid). All Subcontractors are HIPAA-compliant and bound by appropriate Business Associate Agreements.

6. Access to PHI

Business Associate shall make available to Covered Entity, or to an Individual as directed by Covered Entity, access to PHI in a Designated Record Set for the purpose of satisfying Covered Entity's obligations under 45 CFR § 164.524. Business Associate shall provide such access within 30 days of a request.

Business Associate shall make available to Covered Entity, or to an Individual as directed by Covered Entity, PHI for amendment and shall incorporate any amendments into the PHI as required by 45 CFR § 164.526.

Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528.

7. Minimum Necessary

Business Associate shall limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, except where the HIPAA Rules otherwise require or permit a broader use or disclosure. Business Associate shall implement and enforce policies and procedures reasonably designed to ensure compliance with this minimum necessary standard.

8. Term and Termination

8.1 Term

This BAA shall be effective as of the date of your registration for the Service and shall continue until the termination of the Terms of Service or your subscription, whichever occurs later.

8.2 Termination for Cause

Covered Entity may terminate this BAA and the underlying Terms of Service immediately upon written notice if Business Associate breaches a material term of this BAA and fails to cure such breach within 30 days of receiving written notice. If cure is not possible, Covered Entity may terminate immediately.

8.3 Effect of Termination

Upon termination of this BAA for any reason, Business Associate shall:

  • Return to Covered Entity all PHI that Business Associate maintains in any form, unless return is not feasible;
  • If return is not feasible, destroy all PHI and provide written certification to Covered Entity that such destruction has been completed;
  • Retain no copies of PHI except as required by law or for litigation hold purposes, in which case such retained PHI shall continue to be protected in accordance with this BAA.

Business Associate's obligations under this BAA with respect to PHI shall survive the termination of this BAA and the underlying Terms of Service for the duration of any applicable data retention period.

9. Obligations of Covered Entity

Covered Entity shall:

  • Notify Business Associate of any limitation in its Notice of Privacy Practices that affects Business Associate's use or disclosure of PHI;
  • Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures;
  • Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522;
  • Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity;
  • Ensure that all PHI provided to Business Associate is accurate, complete, and lawfully obtained.

10. General Provisions

10.1 Regulatory References

A reference in this BAA to a specific section of the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.

10.2 Amendment

Business Associate and Covered Entity agree to amend this BAA as necessary to comply with changes in the HIPAA Rules or other applicable law. Either party may request amendment by written notice, and the parties shall negotiate in good faith to agree on appropriate amendments.

10.3 Severability

If any provision of this BAA is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.

10.4 Governing Law

This BAA shall be governed by and construed in accordance with the laws of the State of New Jersey, without regard to its conflict of law provisions.

10.5 Entire Agreement

This BAA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and negotiations.

11. Contact Information

For questions about this Business Associate Agreement or to report a security incident or Breach, please contact:

RxRecon Pro Privacy and Security Office
Email: security@rxreconpro.com
Phone: (877) 912-8348
Address: 197 State Route 18S, East Brunswick, NJ 08816

Security incidents should be reported immediately via email or phone. We operate a 24-hour incident response capability.

← Back to Home
© 2025 RxRecon Pro. All rights reserved.