Business Associate Agreement
Last updated Feb 14, 2026
This Business Associate Agreement (“Agreement”) is entered into by and between the healthcare provider or prescriber (“Covered Entity” or “Physician”) and AlgoRxPro (“Business Associate”).
This Agreement becomes effective upon the Covered Entity’s access to, use of, or acceptance of Business Associate’s platform, products, or services.
1. PURPOSE AND SCOPE
The purpose of this Agreement is to satisfy the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and implementing regulations at 45 CFR Parts 160 and 164.
Business Associate provides technology-enabled healthcare workflow services to support prescribing and medication access, including but not limited to:
- Electronic prescribing (e-prescribing) workflows
- Prescriber identity verification and credential-dependent workflows
- Patient eligibility and coverage verification
- Pharmacy and medical prior authorization processing
- Real-Time Benefits Information (RTBI) services
- Prescription routing, tracking, and status updates
- Patient enrollment, intake, and consent workflows
- Benefits investigation, cost transparency, and affordability support
In performing these services, Business Associate may create, receive, maintain, or transmit Protected Health Information (“PHI”) on behalf of the Covered Entity.
2. DEFINITIONS
Capitalized terms not otherwise defined shall have the meanings assigned under HIPAA and HITECH.
- Protected Health Information (PHI): Individually identifiable health information maintained or transmitted in any form.
- Electronic PHI (ePHI): PHI transmitted or stored electronically.
- RTBI (Real-Time Benefits Information): The exchange of benefit, coverage, cost-sharing, and formulary information at or near the point of prescribing.
- Prior Authorization: Administrative and clinical processes required by payers to approve pharmacy or medical benefits before medication dispensing or administration.
- Security Incident: Any attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI.
- Breach: A security incident involving PHI as defined under HIPAA.
3. PERMITTED USES AND DISCLOSURES OF PHI
Business Associate may use and disclose PHI solely for the following purposes:
3.1 E-Prescribing and Medication Workflows
To support the electronic creation, transmission, review, and management of prescriptions, including prescriber validation, routing to pharmacies, and prescription status communication.
3.2 Eligibility and Coverage Verification
To verify patient insurance eligibility, coverage status, benefit type, formulary inclusion, and payer rules relevant to prescribed therapies.
3.3 Prior Authorization (Pharmacy and Medical)
To initiate, manage, submit, track, and complete pharmacy and medical prior authorization requests, including clinical documentation exchange, payer responses, and determination status updates.
3.4 Real-Time Benefits Information (RTBI)
To retrieve, process, and display patient-specific benefit, cost-sharing, alternative therapy, and coverage information at the point of prescribing or medication selection.
3.5 Patient Enrollment and Intake
To collect, transmit, and manage patient enrollment data, consent forms, supporting documentation, and communications necessary to facilitate medication access and therapy initiation.
3.6 Operational and Administrative Functions
For internal platform operations, quality assurance, analytics, audit support, customer support, and system improvement, provided PHI is safeguarded and used in compliance with HIPAA.
3.7 Legal and Regulatory Requirements
As required by applicable law, regulation, subpoena, or governmental authority.
All uses and disclosures shall be limited to the minimum necessary to accomplish the intended purpose.
4. OBLIGATIONS OF BUSINESS ASSOCIATE
4.1 Safeguards
Business Associate shall implement appropriate administrative, physical, and technical safeguards to protect PHI and ePHI, including but not limited to:
- Role-based access controls aligned with prescribing and authorization workflows
- Authentication mechanisms for prescribers and authorized users
- Secure data transmission during e-prescribing, RTBI, and payer exchanges
- Monitoring and logging of access to prescription and authorization data
- Workforce training related to healthcare privacy and security
4.2 HIPAA Security Rule Compliance
Business Associate shall comply with all applicable requirements of the HIPAA Security Rule (45 CFR §§ 164.302–318).
4.3 Breach and Security Incident Notification
Business Associate shall notify the Covered Entity without unreasonable delay, and in accordance with HIPAA timelines, upon discovery of:
- Any Breach of unsecured PHI
- Any Security Incident that compromises the confidentiality, integrity, or availability of PHI
Notification shall include known details regarding the nature of the incident, affected data elements, mitigation efforts, and corrective actions.
4.4 Mitigation
Business Associate shall mitigate, to the extent practicable, any harmful effects resulting from unauthorized use or disclosure of PHI, particularly where such use impacts prescribing, benefit determinations, or patient access to medication.
5. SUBCONTRACTORS AND INTEGRATIONS
Business Associate may engage subcontractors, technology partners, pharmacies, payers, or network intermediaries to support e-prescribing, RTBI, eligibility, or prior authorization workflows.
Business Associate shall ensure that any such party that creates, receives, maintains, or transmits PHI:
- Enters into a written agreement imposing HIPAA-compliant obligations
- Implements safeguards appropriate to healthcare data exchange
- Uses PHI solely to support authorized workflows
6. INDIVIDUAL RIGHTS SUPPORT
6.1 Access
Business Associate shall make PHI available as required to enable Covered Entity to comply with patient access requests.
6.2 Amendment
Business Associate shall accommodate amendments to PHI as directed by the Covered Entity.
6.3 Accounting of Disclosures
Business Associate shall maintain records of PHI disclosures and provide information necessary for accounting requests.
7. DATA RETENTION, RETURN, AND DESTRUCTION
Upon termination of services or cessation of PHI use:
- Business Associate shall return or securely destroy PHI where feasible
- If destruction is infeasible due to regulatory or operational constraints, Business Associate shall continue to safeguard PHI and limit further use
8. TERM AND TERMINATION
This Agreement remains in effect for as long as Business Associate maintains PHI on behalf of the Covered Entity.
Covered Entity may terminate this Agreement for material breach if Business Associate fails to cure such breach within a reasonable timeframe.
9. REGULATORY COOPERATION
Business Associate shall make internal practices, policies, and records related to PHI available to the U.S. Department of Health and Human Services for compliance determination purposes.
10. LIMITATION OF LIABILITY
To the extent permitted by law, Business Associate’s liability under this Agreement shall be limited to direct damages arising from willful misconduct or gross negligence.
11. AMENDMENT AND AUTOMATIC UPDATE
This Agreement shall automatically be amended to remain compliant with changes to HIPAA, HITECH, CMS requirements, and applicable federal or state healthcare privacy laws impacting e-prescribing, RTBI, or authorization workflows.
12. ELECTRONIC ACCEPTANCE
By accessing or using Business Associate’s services, the Covered Entity acknowledges and agrees to the terms of this Business Associate Agreement.