Our role: Business Associate
Under the Health Insurance Portability and Accountability Act (HIPAA), neolife operates as a Business Associate. The clinics and the compounding pharmacies that use neolife are the Covered Entities. They hold the relationship with the patient. We provide the software that routes a compounded-prescription order from a clinic to that clinic’s pharmacy, and routes the status and tracking back.
A Business Associate creates, receives, maintains, or transmits protected health information (PHI) on behalf of a Covered Entity. That is exactly what neolife does, and only what neolife does. We are bound by a Business Associate Agreement (BAA) with every Covered Entity whose PHI passes through our systems, and by the HIPAA Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164.
We are not your provider
neolife does not practice medicine, does not prescribe, and does not fill prescriptions. We do not decide what treatment is appropriate for you. A licensed provider approves every order. Always. That provider works for the clinic, not for neolife. The pharmacy that compounds and ships your medication is a separately licensed entity.
Compounded medications are prepared by a state-licensed compounding pharmacy. They are not reviewed or approved by the U.S. Food and Drug Administration in the way commercially manufactured drugs are. Your clinic and pharmacy are responsible for the clinical and dispensing decisions; neolife is responsible only for moving the order safely between them.
PHI we process and why
We process the minimum information needed to route and track a fulfillment order. Depending on how a clinic configures neolife, this may include:
- Patient identifiers needed for dispensing and shipping — name, date of birth, shipping address, and contact details
- The order itself — the compounded formulation, strength, quantity, directions, and the approving provider’s identity
- Clinical context a provider chooses to attach to support approval, such as relevant intake notes or connected lab or vitals data
- Fulfillment metadata — order identifiers, pharmacy status, shipment and tracking events
We use this PHI for one purpose: order fulfillment routing on behalf of the Covered Entity. We do not sell PHI. We do not use it for our own marketing. We do not use it to build profiles of patients.
Our safeguards
We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of the PHI we handle, as required by the HIPAA Security Rule.
Administrative
- A designated Security Officer and Privacy Officer
- Workforce training on PHI handling, sanctions for violations, and role-based assignment of responsibility
- Documented risk analysis, risk management, and an incident response plan that is tested and reviewed
- Vendor due diligence before any subcontractor touches PHI
Physical
- PHI is hosted in U.S. data centers operated by HIPAA-eligible cloud providers under signed BAAs, with facility access controls and device and media controls
- No PHI is stored on unmanaged endpoints or removable media
Technical
- Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
- Access controls enforced by least-privilege, role-based permissions and unique user identification
- Multi-factor authentication required for all workforce access to systems that handle PHI
- Audit logs that record access to and movement of PHI, retained and reviewed to detect anomalous activity
- Automatic session termination, integrity controls, and key management with regular rotation
Minimum necessary
We apply the minimum necessary standard to every flow. neolife is built to carry only the data elements a pharmacy needs to fill and ship a given order. Where a field is not required for fulfillment, we do not request it, store it, or pass it downstream. Internal access to PHI is limited to the workforce members and systems that need it to perform a specific function, and no further.
Business Associate Agreements
We execute a Business Associate Agreement with each Covered Entity — every clinic and every pharmacy — before any PHI flows. Each BAA defines the permitted uses and disclosures of PHI, requires the safeguards described in this notice, obligates us to report security incidents and breaches, and governs the return or destruction of PHI at the end of the relationship. We will not use or disclose PHI in any way the BAA and HIPAA do not permit.
PHI and our AI systems
neolife uses automated systems, including AI models, to draft order details so that a licensed provider can review and approve them in one tap. We treat these systems as we treat any other component that touches PHI.
- We minimize PHI sent to AI systems to what the drafting task actually requires
- Any AI provider that processes PHI on our behalf does so only under a signed Business Associate Agreement, within a HIPAA-eligible configuration
- PHI sent to a BAA-covered AI system is not used to train that provider’s general models
- The AI drafts; it never approves. A licensed provider at the clinic makes the final decision on every order
Subcontractors
Where neolife relies on subcontractors — cloud hosting, infrastructure, and the AI systems described above — that create, receive, maintain, or transmit PHI on our behalf, we bind each of them by a written agreement that imposes the same restrictions and safeguards that apply to us. A subcontractor that will not sign a compliant BAA does not touch PHI.
Breach notification
If neolife discovers a breach of unsecured PHI, we will notify the affected Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, consistent with 45 CFR § 164.410. Our notice will include the information the Covered Entity needs to meet its own obligations to patients, the HHS Office for Civil Rights, and, where applicable, the media. As a Business Associate, we notify the Covered Entity; the Covered Entity, supported by us, handles notice to affected individuals.
Patient rights
HIPAA gives patients important rights over their PHI — including the right to access and obtain a copy of records, to request amendments, to request an accounting of disclosures, and to request restrictions on certain uses. Because neolife is a Business Associate and not your Covered Entity, these rights are exercised through your clinic or pharmacy, which holds your designated record set.
If you contact neolife directly with such a request, we will direct you to the appropriate Covered Entity and support that entity in fulfilling your request as our BAA requires.
No tracking on health-context pages
Consistent with the HHS Office for Civil Rights guidance issued in December 2022 on the use of online tracking technologies, neolife does not deploy third-party tracking technologies — advertising pixels, analytics trackers, or session-replay tools — on any page or interface where PHI or health-context information is present. We do not disclose PHI to advertising or marketing platforms, and we do not allow tracking code to fire in the fulfillment workflow.
Records retention
We retain HIPAA compliance documentation — including policies, procedures, risk analyses, training records, and audit and incident logs — for at least six years from the date of creation or the date last in effect, as required by 45 CFR § 164.316(b)(2). PHI processed for fulfillment is retained only as long as the governing BAA permits, and is returned or destroyed at the end of the relationship at the Covered Entity’s direction.
2025 Security Rule alignment
HHS has proposed updates to the HIPAA Security Rule that would make several long-standing best practices explicit requirements. neolife is built to meet them, including:
- Multi-factor authentication for access to systems that handle PHI
- Encryption of PHI in transit and at rest as a default, not an option
- Annual verification of safeguards, with regular technical testing and documented risk analysis
We track the rulemaking and will adjust our controls as the final rule is published.
Contact
Questions about how neolife handles PHI, or requests from a Covered Entity regarding a BAA, can be sent to [email protected]. Patients should contact their clinic or pharmacy to exercise individual rights.
This notice is provided for transparency. It is not a substitute for the governing Business Associate Agreement, and we may update it from time to time.