What this page is
This is a plain-language overview of the Business Associate Agreement (BAA) that neolife enters into with the clinics and pharmacies it works with. It is not the agreement itself, and it is not legal advice. It exists so the person evaluating neolife understands the relationship before any real patient data moves.
neolife is the fulfillment rail that sits on top of your existing pharmacy software. Orders come in, a licensed provider approves every one, the pharmacy fills it, and tracking flows back. Most of those steps touch protected health information. That is why the paperwork below is not optional.
Why a BAA is required
Under the Health Insurance Portability and Accountability Act (HIPAA), a clinic or pharmacy that handles patient data is a covered entity. When a covered entity hands that data to a vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf, that vendor is a business associate.
neolife is a business associate to the clinics and pharmacies it serves. We route compounded-prescription orders, hold order and patient data while a provider reviews and approves it, pass it to the pharmacy, and carry tracking and status back. That is squarely the work HIPAA defines as business associate activity.
HIPAA prohibits a covered entity from sharing PHI with a business associate unless a written BAA is in place first. So before neolife can touch a single record, we sign one. No BAA, no PHI. There are no exceptions to that order of operations.
What the BAA governs
The BAA defines the rules of the road for how neolife may handle PHI on a covered entity’s behalf. In broad terms it covers:
- The specific purposes for which neolife may use and disclose PHI, and the prohibition on everything else.
- The administrative, physical, and technical safeguards neolife must maintain to protect that PHI.
- The requirement that any subcontractor neolife uses agrees to the same protections in writing.
- How and when neolife must notify the covered entity of a breach or security incident.
- neolife’s obligation to support individuals’ rights to access, amend, and receive an accounting of disclosures of their information.
- What happens to the PHI when the relationship ends.
- The covered entity’s right to audit and the consequences of a material breach of the agreement.
The clauses below summarize the obligations neolife takes on as a business associate. They track the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.
Permitted uses and disclosures
neolife uses PHI only to perform the fulfillment services the covered entity has engaged us for, and only as the BAA permits or requires. Concretely, that means routing orders, preparing draft order records for a licensed provider to review and approve, transmitting approved orders to the pharmacy, and returning status and tracking.
The agreement also allows neolife to use PHI for the narrow internal purposes HIPAA expressly permits a business associate to retain: our own proper management and administration, and to carry out our legal responsibilities. We do not sell PHI. We do not use it for marketing. We do not use it to train models in any way that would expose it. Any use not permitted by the BAA or required by law is prohibited.
Safeguards
neolife maintains administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI we handle, as required by the HIPAA Security Rule. That includes access controls, encryption of data in transit and at rest, audit logging, workforce training, and least-privilege access to records.
We agree to use appropriate safeguards to prevent any use or disclosure of PHI other than as the BAA provides, and to report uses, disclosures, and security incidents that the agreement and the law require us to report.
Subcontractor BAAs
neolife relies on a small set of infrastructure vendors to operate. To the extent any subcontractor creates, receives, maintains, or transmits PHI on our behalf, neolife obtains written assurances from that subcontractor agreeing to substantially the same restrictions and conditions that apply to neolife under the BAA. The chain of protection follows the data; it does not stop at our edge.
Breach notification
If neolife discovers a breach of unsecured PHI, or a use or disclosure not permitted by the BAA, we notify the affected covered entity without unreasonable delay and within the timeframe the agreement specifies, consistent with the HIPAA Breach Notification Rule. Our notice describes what happened, the categories of information involved, the individuals affected to the extent known, and the steps taken to investigate, mitigate, and prevent recurrence. This supports the covered entity in meeting its own notification duties to individuals, to the HHS Office for Civil Rights, and where applicable to the media and state regulators.
Supporting individual rights
Patients have rights over their own health information, and the covered entity is responsible for honoring them. neolife agrees to support those rights by:
- Making PHI we hold available so the covered entity can respond to an individual’s request for access to their records.
- Making PHI available for amendment, and incorporating amendments the covered entity directs.
- Documenting and making available the disclosures we have made, so the covered entity can provide an accounting of disclosures.
- Making our internal practices, books, and records relating to PHI available to the HHS Secretary for determining compliance.
Return or destruction of PHI on termination
When the BAA ends, neolife returns or securely destroys all PHI we received from, or created or received on behalf of, the covered entity, and retains no copies, where feasible. Where return or destruction is not feasible, we extend the protections of the BAA to that information and limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as we retain it. The same applies to PHI held by any subcontractor.
How to request and execute a BAA
Executing the BAA is the first step in working with neolife, and it happens before any production patient data flows. The process is short:
- Email [email protected] to request the agreement. Tell us which entity is signing and the role it plays in your fulfillment chain.
- We send our standard BAA. If your organization has its own form, send it over and we will review it.
- Both parties sign. We countersign and return a fully executed copy for your records.
- Only after the BAA is executed do we enable any environment that can receive, hold, or transmit PHI.
If you want the BAA in place in parallel with a sandbox evaluation, that is fine: test environments use synthetic data and no real PHI until the signed agreement is on file.
The executed BAA controls
This page is a summary for transparency. It is not the contract and confers no rights. The terms of the Business Associate Agreement that you and neolife actually sign govern the relationship, and that executed agreement controls over anything stated or implied here in the event of any difference. We may update this overview from time to time; updates to this page do not change the terms of a BAA already in force.
Contact
To request a BAA, ask a question about its terms, or send us your own form for review, email [email protected]. For privacy questions unrelated to contracting, reach us at [email protected].