Business Associate Agreement
Effective on the date of the Covered Entity’s electronic acceptance
1. Parties and Effective Date
This Business Associate Agreement (this “Agreement” or “BAA”) is entered into as of the date of the Covered Entity’s electronic acceptance at signup (the “Effective Date”) by and between:
- the Covered Entity accepting this Agreement electronically at signup through its authorized representative (“Covered Entity”), whose legal name, entity type, and address are as recorded in its PEPTPlus account; and
- PEPTPlus LLC, a Wyoming limited liability company, with offices at 30 N Gould St STE N, Sheridan, WY 82801 (“Business Associate” or “PEPTPlus”).
Covered Entity and Business Associate are each a “Party” and collectively the “Parties.”
Recitals. Business Associate provides a marketplace and technology platform that connects healthcare providers and compounding pharmacies to facilitate the e-prescribing, fulfillment, and shipment of FDA-eligible compounded products to patients (the “Services”), pursuant to one or more underlying services agreements, order forms, or terms of service between the Parties (collectively, the “Underlying Agreement”). In performing the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity. This Agreement sets forth the terms under which Business Associate may do so in compliance with the HIPAA Rules. This Agreement is incorporated into and made a part of the Underlying Agreement.
Platform privacy posture (informational). Business Associate’s platform is designed to minimize PHI exposure, including through tokenization of patient identifiers, segregation of PHI in a dedicated data schema, and audited resolution of tokens to underlying PHI. These measures are described for context and do not limit Business Associate’s obligations under this Agreement.
2. Definitions
Capitalized terms used but not otherwise defined in this Agreement have the meanings given to them in the HIPAA Rules.
- “Breach” has the meaning given in 45 C.F.R. § 164.402.
- “Business Associate” has the meaning given in 45 C.F.R. § 160.103 and, for purposes of this Agreement, means PEPTPlus LLC.
- “Covered Entity” has the meaning given in 45 C.F.R. § 160.103.
- “Designated Record Set” has the meaning given in 45 C.F.R. § 164.501.
- “Electronic Protected Health Information” or “ePHI” means PHI that is transmitted by or maintained in electronic media, as defined in 45 C.F.R. § 160.103.
- “HIPAA Rules” means the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule at 45 C.F.R. Parts 160 and 164, as amended, including by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its implementing regulations.
- “Individual” has the meaning given in 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
- “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” or “PHI” has the meaning given in 45 C.F.R. § 160.103, limited to information Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity under this Agreement.
- “Required by Law” has the meaning given in 45 C.F.R. § 164.103.
- “Secretary” means the Secretary of the U.S. Department of Health and Human Services (“HHS”) or any officer or employee of HHS to whom authority has been delegated.
- “Security Incident” has the meaning given in 45 C.F.R. § 164.304.
- “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
- “Subcontractor” has the meaning given in 45 C.F.R. § 160.103 and means a person or entity to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of its workforce, that involves the creation, receipt, maintenance, or transmission of PHI. Subcontractors may include, by way of example, compounding pharmacies, shipping/logistics carriers, and infrastructure or cloud vendors that handle PHI.
- “Unsecured PHI” has the meaning given in 45 C.F.R. § 164.402.
3. Permitted Uses and Disclosures of PHI by Business Associate
3.1 General. Business Associate may use or disclose PHI only as necessary to perform the Services, as permitted or required by this Agreement or the Underlying Agreement, or as Required by Law. Business Associate shall not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Covered Entity, except as otherwise expressly permitted under Sections 3.3–3.4.
3.2 Minimum Necessary. Business Associate shall, to the extent practicable, limit its use, disclosure of, and request for PHI to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, consistent with 45 C.F.R. § 164.502(b) and applicable guidance.
3.3 Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities. Business Associate may disclose PHI for such purposes only if (a) the disclosure is Required by Law; or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.
3.4 Data Aggregation; De-Identification. Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c); de-identified information is not PHI and is not subject to this Agreement.
4. Obligations of Business Associate
4.1 No Improper Use or Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
4.2 Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, and comply with the applicable requirements of the Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316), to prevent use or disclosure of PHI other than as provided for by this Agreement and to protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
4.3 Reporting of Unauthorized Use/Disclosure and Security Incidents. Business Associate shall report to Covered Entity:
- (a) any use or disclosure of PHI not provided for by this Agreement of which it becomes aware; and
- (b) any Security Incident of which it becomes aware.
The Parties acknowledge that this Section constitutes notice of the routine occurrence of unsuccessful Security Incidents (e.g., pings, port scans, and other attempts that do not result in unauthorized access, use, or disclosure of PHI), for which no additional notice is required unless requested by Covered Entity in writing. Reports of successful Security Incidents and unauthorized uses or disclosures shall be made without unreasonable delay and no later than thirty (30) calendar days after discovery.
4.4 Breach Notification. Following the discovery of a Breach of Unsecured PHI, Business Associate shall notify Covered Entity without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the Breach (a Breach is treated as discovered as set forth in 45 C.F.R. § 164.410). The notification shall include, to the extent known and as required by 45 C.F.R. § 164.410(c): (a) identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; and (b) any other available information that Covered Entity is required to include in its notification to the Individual under 45 C.F.R. § 164.404(c). Business Associate shall supplement the notification with additional information as it becomes available.
4.5 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of a use or disclosure of PHI by Business Associate in violation of this Agreement.
4.6 Subcontractors. Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2). See Section 5.
4.7 Access to PHI (Individual Right of Access). To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall, within fifteen (15) days of a request from Covered Entity, make such PHI available to Covered Entity (or, as directed by Covered Entity, to the Individual) as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524.
4.8 Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment, and incorporate any amendment(s), as directed by Covered Entity, within fifteen (15) days of a request, in accordance with 45 C.F.R. § 164.526.
4.9 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528, and shall provide such information to Covered Entity (or, as directed, to the Individual) within fifteen (15) days of a request.
4.10 Covered Entity Obligations Under the Privacy Rule. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
4.11 Availability of Records to HHS. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining compliance with the HIPAA Rules, subject to attorney-client and other applicable legal privileges.
4.12 Workforce Training and Sanctions. Business Associate shall train members of its workforce on the proper handling of PHI and apply appropriate sanctions for noncompliance, consistent with the Security Rule and Privacy Rule.
5. Subcontractors and Flow-Down
5.1 Written Agreements. In accordance with 45 C.F.R. §§ 164.308(b) and 164.502(e), Business Associate shall not permit any Subcontractor to create, receive, maintain, or transmit PHI on its behalf unless the Subcontractor has first entered into a written agreement with Business Associate that imposes restrictions and conditions on the Subcontractor that are at least as protective of PHI as those imposed on Business Associate under this Agreement.
5.2 Examples in the PEPTPlus Chain. Subcontractors may include, without limitation: (a) compounding pharmacies that receive prescriptions and patient information to fulfill and dropship products; (b) shipping and logistics carriers that handle PHI in connection with delivery; and (c) cloud, hosting, and infrastructure vendors that store or process PHI. Each such Subcontractor that handles PHI must be bound by a BAA or subcontractor agreement.
5.3 Responsibility. Business Associate remains responsible for ensuring its Subcontractors’ compliance, and the use of a Subcontractor does not relieve Business Associate of its obligations under this Agreement.
6. Obligations and Permitted Activities of Covered Entity
6.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices under 45 C.F.R. § 164.520, to the extent such limitation may affect Business Associate’s use or disclosure of PHI.
6.2 Changes in Authorization. Covered Entity shall notify Business Associate of any changes in, or revocation of, an Individual’s permission to use or disclose PHI, to the extent such change may affect Business Associate’s use or disclosure of PHI.
6.3 Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed or is required to abide under 45 C.F.R. § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of PHI.
6.4 Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as permitted under Sections 3.3 and 3.4 of this Agreement.
7. Term and Termination
7.1 Term. This Agreement is effective as of the Effective Date and shall remain in effect until terminated in accordance with this Section or until all PHI is returned or destroyed pursuant to Section 7.4, whichever is later. This Agreement terminates automatically upon termination or expiration of the Underlying Agreement, subject to Section 7.4.
7.2 Termination for Cause. Upon either Party’s knowledge of a material breach of this Agreement by the other Party, the non-breaching Party shall either: (a) provide an opportunity for the breaching Party to cure the breach within thirty (30) days, and terminate this Agreement and the Underlying Agreement if the breach is not cured within that period; or (b) immediately terminate this Agreement and the Underlying Agreement if cure is not possible.
7.3 Termination by Covered Entity. If neither cure nor termination is feasible, the non-breaching Party may report the violation to the Secretary as contemplated by 45 C.F.R. § 164.504(e)(1)(ii).
7.4 Effect of Termination.
- (a) Return or Destruction. Upon termination of this Agreement, Business Associate shall, if feasible, return to Covered Entity or destroy all PHI received from, or created, maintained, or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such PHI. This obligation extends to PHI in the possession of Subcontractors.
- (b) Infeasibility. If return or destruction is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible. Upon mutual agreement that return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate retains the PHI.
8. Miscellaneous
8.1 Regulatory References. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.
8.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Amendments are effective upon mutual written agreement, including electronic acceptance of an updated version.
8.3 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules. In the event of any inconsistency between this Agreement and the Underlying Agreement with respect to the subject matter of PHI, this Agreement shall control.
8.4 No Third-Party Beneficiaries. Nothing in this Agreement is intended to confer, nor shall confer, any rights, remedies, obligations, or liabilities upon any person other than the Parties, their respective successors, and permitted assigns.
8.5 Survival. The obligations of Business Associate under Section 7.4 (Effect of Termination) and any other provisions that by their nature should survive shall survive the termination of this Agreement.
8.6 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Arizona, without regard to conflict-of-laws principles, except to the extent preempted by federal law.
8.7 Notices. All notices required under this Agreement shall be in writing and delivered to the addresses set forth above or as otherwise designated in writing. Notices to PEPTPlus must be sent to legal@pept.plus or to PEPTPlus LLC, 30 N Gould St STE N, Sheridan, WY 82801, Attn: Privacy Officer. Notices to Covered Entity may be sent to the contact information in its PEPTPlus account.
8.8 Counterparts; Electronic Signatures. This Agreement may be executed in counterparts and by electronic signature, each of which is deemed an original and all of which together constitute one instrument.
9. Acceptance
This Agreement is accepted electronically at signup by the Covered Entity’s authorized representative, who represents that they are authorized to bind the Covered Entity. The effective date is the acceptance date recorded by PEPTPlus, and PEPTPlus records the accepting user, organization, and timestamp as evidence of acceptance. The Business Associate is PEPTPlus LLC.
Related Agreements (Informational Note)
This BAA governs only the handling of PHI. It is not the appropriate instrument for parties that do not touch PHI:
- Certified LABS in the API marketplace that do NOT handle PHI sign a separate commercial/marketplace agreement (covering API supply, product listing, and platform terms), not this BAA. Supplying an FDA-eligible compound into the marketplace catalog, without receiving patient identity, prescription, or fulfillment PHI, is a commercial relationship rather than a business-associate relationship.
- Any vendor, lab, pharmacy, carrier, or infrastructure provider that does touch PHI must execute a BAA or subcontractor agreement with the flow-down protections described in Section 5 before receiving PHI.
When in doubt about whether a counterparty handles PHI, treat the relationship as PHI-touching and route it through a BAA.
PEPTPlus · PEPTPlus LLC · 30 N Gould St STE N, Sheridan, WY 82801 · legal@pept.plus