BUSINESS ASSOCIATE AGREEMENT
Last Updated: February 24, 2026
This Agreement, effective upon the creation of your provider account when you
agree to the statement "I have read and agree to the AbridgeRX Business
Associates Agreement, Terms of Service, and Privacy Policy," is made between
REMEDYRX, LLC ("Business Associate" and DBA as "AbridgeRx") and you, our
provider partner ("Covered Entity").
WHEREAS, the undersigned provider practice is a "Covered Entity" as that
term is defined under HIPAA, which requires Covered Entities and certain of
their service providers to enter into confidentiality agreements;
WHEREAS, Business Associate provides a software technology platform to
facilitate communication, virtual dispensing, and care management services for
Covered Entity (the “Services”), including Care Plan features, and in connection
with such Services, Business Associate may create on behalf of, or receive from,
the Covered Entity or the Covered Entity's other service providers protected
health information ("PHI"); and
WHEREAS, upon creation or receipt of such PHI, Business Associate would be a
"Business Associate" in relation to the Covered Entity, as that term is defined
under HIPAA.
NOW, THEREFORE, in consideration of the premises and the mutual promises
contained herein, Covered Entity and Business Associate agree as follows:
1. Definitions.
All capitalized terms herein not otherwise defined shall have the meaning
ascribed to such terms under HIPAA, the HITECH Act, and the Privacy and
Security Rules, as may be amended from time to time. For clarity:
• Services: The software technology platform provided by Business Associate,
including facilitation of prescriptions, communications (e.g., text-based Care
Plan reminders), and payments.
• PHI: Protected Health Information, as defined in 45 C.F.R. § 160.103.
• Electronic PHI: Electronic Protected Health Information, as defined in 45
C.F.R. § 160.103.
• Security Incident: As defined in 45 C.F.R. § 164.304.
• Breach: As defined in 45 C.F.R. § 164.402.
• Designated Record Set: As defined in 45 C.F.R. § 164.501.
• Subcontractor: As defined in 45 C.F.R. § 160.103.
• Data Aggregation: As defined in 45 C.F.R. § 164.501.
• Parent Account: The primary Covered Entity account holder acting as the
authorized representative and Security Administrator for the practice.
• Sub-Accounts: Invited users linked to the Parent Account, categorized as
"Provider" (operating under their own NPI/DEA), "Delegate" (operating under
Parent authority), or "View Only" (administrative).
• Organized Health Care Arrangement (OHCA): As defined in 45 C.F.R. §
160.103.
• Workforce: As defined in 45 C.F.R. § 160.103.
2. Business Associate's Responsibilities with Respect to Use and Disclosure of PHI.
Business Associate agrees, with regard to its Use and/or Disclosure of the PHI,
to do the following:
a. to Use and/or Disclose the PHI only: (i) in conjunction with the
services it provides to Covered Entity ("the Services"), including sending
text-based care plan reminders and motivational messages on behalf of
Covered Entity as authorized by patients; (ii) consistent with the manner
in which Covered Entity is permitted to Use and Disclose by 45 C.F.R.
§ 164.502 (as amended from time to time) and/or 45 C.F.R. § 164.512;
(iii) for Business Associate's proper management and administration;
(iv) to fulfill any present or future legal responsibilities; (v) as
otherwise permitted or required by this Agreement; or (vi) as otherwise
permitted or required by law.
b. to report to Covered Entity, in writing, any material Use and/or
Disclosure of the PHI by Business Associate that is not permitted or
required by this Agreement of which Business Associate becomes aware;
c. to use commercially reasonable efforts to maintain the security
of the PHI and to prevent its Use and/or Disclosures contrary to
this Agreement;
d. to the extent that Business Associate creates, receives, maintains, or
transmits Electronic Protected Health Information as that term is defined
by the Security Rule, on behalf of Covered Entity, to report to Covered
Entity any Security Incident of which Business Associate becomes aware to
the extent such incidents represent successful unauthorized access, use,
disclosure, modification, or destruction of information or interference
with system operations in an Information System that contains or has access
to the Electronic Protected Health Information of Covered Entity, and upon
request by Covered Entity, report all unsuccessful attempts for which
Business Associate has records;
e. to require all of Business Associate's subcontractors and agents utilized
in providing the Services which Use and/or Disclose the PHI, to agree, in
writing, to adhere to equivalent restrictions and conditions on the Use
and/or Disclosure of the PHI that apply to Business Associate pursuant to
this Agreement; and
f. to report to Covered Entity any breaches by subcontractors as required
by Section 10.
3. Safeguards.
Business Associate shall employ appropriate administrative,
technical, and physical safeguards, consistent with the size and complexity
of Business Associate's operations, to protect the confidentiality of PHI
and to prevent the use or disclosure of PHI in any manner inconsistent
with the terms of this Agreement, including meeting the requirements of
45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, which
includes Business Associate's obligation to have written policies and
procedures in place to document its administrative, technical, and physical safeguards.
4. Access Requests.
Business Associate shall process Covered Entity's
requests to access records in the Designated Record Set and identified by Covered
Entity so that Covered Entity can comply with 45 C.F.R. § 164.524. Limitation
of Designated Record Set: The Parties acknowledge that Business Associate
provides a communication and management platform and does not serve as the
Covered Entity’s Electronic Medical Record (EMR). Covered Entity is solely
responsible for maintaining the official legal medical record (Designated Record Set)
in its own systems. Business Associate’s platform is a transient tool for
facilitation; Covered Entity agrees to export, copy, or document relevant
clinical data generated on the Platform into its own permanent records.
Business Associate shall not be liable for Covered Entity’s failure to
maintain a complete medical record.
5. Amendment Requests.
Business Associate shall process Covered
Entity's requests for amendment of the PHI in Business Associate's
possession, solely upon Covered Entity's request and in a manner that
allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner
that is consistent with the manner in which Covered Entity is amending the
PHI in Covered Entity's possession.
6. Accounting of Disclosures.
Business Associate shall track and keep a
record of all Disclosures of PHI, and shall provide to Covered Entity the
information necessary for Covered Entity to provide an accounting of
Disclosures, in a manner compliant with 45 C.F.R. § 164.528, to
individuals who request an accounting. In each case, Business Associate
shall provide at least the following information with respect to each such
Disclosure: (a) the date of the Disclosure; (b) the name of the entity or
person who received the PHI; (c) a brief description of the PHI disclosed;
(d) a brief statement of the purpose of such Disclosure which includes an
explanation of the basis for such Disclosure. In the event that Business
Associate receives a request for an accounting directly from an individual,
Business Associate shall forward such request to Covered Entity in writing.
7. De-Identification.
Business Associate may de-identify Protected
Health Information for lawful purposes, provided such de-identification
conforms to the requirements of 45 C.F.R. § 164.514, as may be amended
from time to time. Business Associate may use Protected Health Information
to provide data aggregation services for the Covered Entity’s health
care operations, as permitted by 45 C.F.R. § 164.504(e)(2)(i). In addition,
Business Associate may use de-identified data derived from Protected Health
Information for its own legitimate business purposes, including but not
limited to platform improvement, analytics, research, and product development,
provided such use complies with the de-identification standards in
45 C.F.R. § 164.514 and is consistent with any applicable patient
authorizations (including the HIPAA Care Plan Authorization) and the terms of this Agreement.
8. Covered Entity Obligations Where Appropriate.
If Business Associate
will perform a service for Covered Entity that is an obligation of Covered Entity
under the Privacy Rule, Business Associate shall perform such service in
accordance with the Privacy Rule.
9. Secretary's Right to Audit.
Business Associate shall make its
internal practices, books, and records relating to the Use and Disclosure
of the PHI available to the Secretary of Health and Human Services
(the "Secretary") for purposes of determining Covered Entity's compliance
with HIPAA. Business Associate shall cooperate with Covered Entity's audits
of compliance with this Agreement (at Covered Entity's expense unless non-compliance
is found). Audits are limited to once annually, during normal business hours, upon
thirty (30) days written notice, and must be reasonable in scope so as not to
disrupt Business Associate’s standard business operations.
10. Breach Reporting.
Business Associate shall, without
unreasonable delay and in no event later than thirty (30) days following
the date of discovery, report to Covered Entity any Breach of Unsecured
PHI of which Business Associate becomes aware. Such notice shall include,
to the extent such information is available: (a) the identification of
each individual whose PHI has been, or is reasonably believed to have
been, accessed, acquired, or disclosed during such Breach; (b) a brief
description of what happened, including the date of the Breach and the
date of the discovery of the Breach; (c) a description of the types of
PHI that were involved in the Breach; (d) a brief description of what
Business Associate is doing to investigate the Breach, to mitigate
losses, and to protect against any further Breaches; and (e) any other
information that Covered Entity is required to include in notification
to the individual under 45 C.F.R. § 164.404(c).
11. Mitigation.
Business Associate agrees to mitigate,
to the extent practicable, any harmful effect that is known to
Business Associate of a Use or Disclosure of PHI by Business
Associate in violation of the requirements of this Agreement.
12. Covered Entity Responsibilities.
With regard to the Use and/or
Disclosure of the PHI by Business Associate, Covered Entity agrees:
a. that the Uses and Disclosures of the PHI by Business Associate pursuant
to this Agreement are, at the time of execution, and will be, throughout the
term of this Agreement, consistent with the form of notice of privacy practices
(the "Notice") that Covered Entity provides to individuals pursuant to
45 C.F.R. § 164.520;
b. to notify Business Associate, in writing and in a timely manner, of any
arrangements permitted or required of Covered Entity under 45 C.F.R. parts
160 and 164 that may impact in any manner the Use and/or Disclosure of the
PHI by Business Associate under this Agreement including, but not limited to,
restrictions on Use and/or Disclosure of the PHI as provided for in
45 C.F.R. § 164.522 agreed to by Covered Entity, and to hold Business Associate
harmless from the financial impact of any such agreement by Covered Entity;
c. to obtain any consent or authorization that may be required under
HIPAA or state law prior to furnishing the PHI to Business Associate;
d. Covered Entity, via the Parent Account, acts as the sole Security Administrator
for its organization. Covered Entity is strictly responsible for managing
all access controls, correctly provisioning Sub-Accounts, and immediately
terminating access when a user's employment or affiliation ends.
e. Covered Entity warrants that "Delegate" and "View Only" Sub-Accounts
are recognized members of the Covered Entity's Workforce under HIPAA.
Covered Entity further warrants that "Provider" Sub-Accounts are operating
as part of the Covered Entity's single legal entity or under a documented
Organized Health Care Arrangement (OHCA).
f. If Covered Entity enables intra-practice data sharing within the
Platform, Covered Entity warrants that such data sharing complies with HIPAA
permissions for Treatment, Payment, and Health Care Operations, and that
Covered Entity maintains the proper legal structure and patient consent
(via their Notice of Privacy Practices) to authorize such sharing.
13. Term.
Unless otherwise terminated as provided in Section 14, this
Agreement shall become effective on the Effective Date and shall have a
term that shall run concurrently with that of any oral or written agreement
by Business Associate to provide Services to Covered Entity and will
terminate without any further action of the Parties upon the termination of
all such agreements.
14. Termination.
a. If either Party determines that the other Party has engaged in a pattern
of activity that constitutes a material breach of the other Party's obligations
under this Agreement, the non-breaching Party shall, within twenty (20)
days of that determination, notify the breaching Party and the breaching
Party shall have thirty (30) days from receipt of that notice to cure the
breach or end the violation. If the breaching Party fails to take reasonable
steps to effect such a cure within such a time period, the non-breaching
Party may terminate all or part of the service relationship. In no event shall
such termination have any effect on sums due from Covered Entity for any
services provided by Business Associate under the engagement.
b. Where either Party has knowledge of a material breach by the other
Party, and cure is not possible, the non-breaching Party shall terminate the
portion of the arrangement for Services affected by the breach.
15. Effect of Termination.
Upon the event of termination of this
Agreement, Business Associate agrees, where feasible, to return or
destroy the PHI, which Business Associate still maintains in any form. Prior
to doing so, Business Associate further agrees, to the extent feasible, to
request the destruction of the PHI that is in the possession of its
subcontractors or agents. If in Business Associate's opinion, it is not
feasible for Business Associate or any subcontractors to return or destroy
portions of the PHI, Business Associate shall, upon Covered Entity's
written request, inform Covered Entity as to the specific reasons that make
such return or destruction infeasible and limit any further use or
disclosures to the purposes that make the return or destruction of those
portions of the PHI infeasible and provide the protections described herein
to that PHI.
16. Third Party Beneficiaries.
Nothing in this Agreement shall be
construed to create any third party beneficiary rights in any person.
17. Counterparts.
This Agreement may be executed in any number of
counterparts, each of which shall be deemed an original. Facsimile copies
thereof shall be deemed to be originals.
18. Informal Resolution.
If any controversy, dispute, or claim arises
between the Parties with respect to this Agreement, the Parties shall make
good faith efforts to resolve such matters informally.
19. Indemnification.
a. Covered Entity agrees to indemnify and hold harmless Business
Associate from and against any and all claims, losses, damages, liabilities,
costs, and expenses (including reasonable attorney's fees) arising out of or
relating to Covered Entity's breach of this Agreement or violation of HIPAA,
except to the extent such claims, losses, damages, liabilities, costs, and
expenses are caused by the gross negligence or willful misconduct of
Business Associate. This indemnification explicitly includes any claims
arising from Covered Entity's improper configuration of access controls,
failure to immediately revoke Sub-Account access, or unauthorized
intra-practice data sharing.
b. Business Associate agrees to indemnify and hold harmless Covered
Entity from and against any and all claims, losses, damages, liabilities,
costs, and expenses (including reasonable attorney's fees) arising out of or
relating to Business Associate’s breach of this Agreement or violation of
HIPAA, except to the extent such claims, losses, damages, liabilities,
costs, and expenses are caused by the gross negligence or willful
misconduct of Covered Entity. Business Associate's indemnification
obligation is capped at the total fees paid under the related services
agreement in the prior 6 months.
20. Notices.
All notices, requests, approvals, demands, and
other communications required or permitted to be given under this Agreement
shall be in writing and delivered either personally, by certified mail with
postage prepaid and return receipt requested, by overnight courier, or by
email to the party to be notified. All communications will be deemed given
when received.
21. Interpretation.
The provisions of this Agreement shall prevail
over any provisions in any other agreements between Business Associate and
Covered Entity that may conflict or appear inconsistent with any provision
of this Agreement. This Agreement, together with the Prescriber Services
Agreement, Terms of Service, and HIPAA Care Plan Authorization, constitutes
the entire agreement regarding PHI handling. This Agreement shall be interpreted
as broadly as necessary to implement and comply with HIPAA and the HITECH Act.
The Parties agree that any ambiguity in this Agreement shall be resolved in
favor of a meaning that complies with and is consistent with HIPAA and the HITECH Act.
22. Survival.
Sections 2, 3, 4, 6, 7, 11, 15, 19, 21, 22, 23, and 25 shall
survive the termination of this Agreement.
23. Governing Law and Dispute Resolution.
a. This Agreement shall be governed by and construed in accordance with
the laws of the State of Illinois.
b. Any controversy or claim arising out of or relating to this Agreement
shall be settled via arbitration in accordance with the rules of the American
Arbitration Association.
24. HITECH Act Compliance.
Business Associate will comply with all
applicable provisions of the HITECH Act.
25. Force Majeure.
Neither party shall be liable for delays or
failures in performance resulting from causes beyond its reasonable control,
including but not limited to acts of God, natural disasters, pandemics, war,
terrorism, governmental actions, labor disputes, supply chain disruptions, or
cyber attacks not resulting from the party’s failure to implement commercially
reasonable security safeguards required under this Agreement or applicable law.
For clarity, a cyber attack or security incident shall not constitute a force
majeure event to the extent it arises from the party’s breach of its
obligations under Section 3 (Safeguards) or failure to maintain appropriate
administrative, technical, or physical protections for Protected Health
Information. The affected party shall promptly notify the other party of
the force majeure event, use commercially reasonable efforts to mitigate
its effects, and resume performance as soon as practicable.
26. Assignment.
Neither party may assign this Agreement without
the other party's prior written consent, except Business Associate may
assign in connection with a merger, acquisition, or sale of assets.
27. Severability & Waiver.
If any provision is held invalid,
the remainder remains enforceable. No waiver is effective unless in writing.
28. Amendment for Compliance with Law.
The Parties agree to take
such action as is necessary to amend this Agreement from time to time as is
necessary for compliance with the requirements of the HIPAA Rules and any
other applicable law, including, without limitation, any final modifications
to the HIPAA Security Rule. In the event of a change in applicable law,
the Parties agree to negotiate in good faith to adopt any necessary
amendments within thirty (30) days of the effective date of such legal change.
29. Electronic Signature.
By clicking “I Agree” or otherwise
creating an account and accessing the Platform, Covered Entity electronically
signs and executes this Agreement in full compliance with the Electronic
Signatures in Global and National Commerce Act (ESIGN) and the Uniform
Electronic Transactions Act (UETA).