Pharmacy Business Associate Agreement
Effective Date: May 15, 2026 | Version: baa-2026-05-15
This document is the agreement text presented for electronic acceptance in the Compounding Finder pharmacy portal.
1. Parties and purpose
This Pharmacy Business Associate Agreement (the "Agreement") is entered into by Silverforge Holdings LLC d/b/a Compounding Finder ("Compounding Finder" or "Business Associate") and the pharmacy, pharmacy organization, or other account holder that accepts this Agreement through the Compounding Finder pharmacy portal ("Pharmacy" or "Covered Entity").
This Agreement applies when Compounding Finder creates, receives, maintains, or transmits Protected Health Information on behalf of Pharmacy in connection with quote routing, patient referral coordination, pharmacy portal access, support, analytics, billing support, security, compliance, and related services (the "Services").
If Pharmacy is not acting as a HIPAA covered entity for a specific transaction, the parties agree that patient information shared through the Services will still be handled under the confidentiality, security, and use restrictions in this Agreement to the extent applicable.
2. Definitions
Capitalized terms not defined in this Agreement have the same meaning as in the HIPAA Rules. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended.
"Protected Health Information" or "PHI" means protected health information, including electronic protected health information ("ePHI"), received from Pharmacy or created, received, maintained, or transmitted by Compounding Finder on behalf of Pharmacy.
"Patient Information" means patient, prescription, medication, contact, quote request, referral, billing, support, or related information processed through the Services, whether or not the information is PHI in a particular context.
3. Permitted uses and disclosures by Compounding Finder
Compounding Finder may use and disclose PHI only as permitted or required by this Agreement, by the applicable portal terms or service agreement, or as required by law.
Compounding Finder may use and disclose PHI as reasonably necessary to provide, operate, support, secure, improve, and document the Services, including routing quote requests, transmitting patient-selected pharmacy details, supporting patient and pharmacy communications, maintaining audit logs, preventing fraud or abuse, troubleshooting service issues, and performing billing or administrative functions related to the Services.
Compounding Finder may use PHI for its proper management and administration and to carry out its legal responsibilities. Compounding Finder may disclose PHI for those purposes only if the disclosure is required by law or if Compounding Finder obtains reasonable assurances that the recipient will keep the information confidential and use or further disclose it only as required by law or for the purpose for which it was disclosed.
Compounding Finder may provide data aggregation services relating to Pharmacy health care operations, and may de-identify PHI in accordance with 45 CFR 164.514. De-identified information is not PHI under this Agreement.
Compounding Finder will make uses, disclosures, and requests for PHI consistent with the minimum necessary standard when that standard applies.
Compounding Finder will not sell PHI or use PHI for marketing in a manner that would require an individual authorization under the HIPAA Rules unless the required authorization has been obtained.
4. Obligations of Compounding Finder
Compounding Finder will not use or disclose PHI other than as permitted by this Agreement or as required by law.
Compounding Finder will use appropriate administrative, technical, and physical safeguards to prevent use or disclosure of PHI other than as permitted by this Agreement. With respect to ePHI, Compounding Finder will comply with the applicable requirements of Subpart C of 45 CFR Part 164.
Compounding Finder will ensure that subcontractors that create, receive, maintain, or transmit PHI on behalf of Compounding Finder agree to restrictions, conditions, and requirements that are at least as protective as those that apply to Compounding Finder with respect to that PHI.
Compounding Finder will make its internal practices, books, and records relating to PHI received from, or created or received by Compounding Finder on behalf of, Pharmacy available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
5. Reporting incidents and breaches
Compounding Finder will report to Pharmacy any use or disclosure of PHI not permitted by this Agreement of which Compounding Finder becomes aware, including any Breach of Unsecured Protected Health Information as required by 45 CFR 164.410 and any Security Incident of which Compounding Finder becomes aware.
Compounding Finder will make the report without unreasonable delay and, for a Breach of Unsecured Protected Health Information, no later than ten business days after discovery unless a shorter period is required by law or the parties agree in writing to a different incident response process.
The report will include, to the extent known at the time, the nature of the incident, the PHI involved, affected individuals if known, mitigation steps taken or planned, and contact information for follow-up.
6. Individual rights and HIPAA support
To the extent PHI maintained by Compounding Finder is part of a Designated Record Set, Compounding Finder will make PHI available to Pharmacy as reasonably necessary for Pharmacy to satisfy access obligations under 45 CFR 164.524.
Compounding Finder will make PHI available for amendment and incorporate amendments as directed or agreed to by Pharmacy as reasonably necessary for Pharmacy to satisfy 45 CFR 164.526.
Compounding Finder will maintain and make available information required for an accounting of disclosures as reasonably necessary for Pharmacy to satisfy 45 CFR 164.528.
To the extent Compounding Finder carries out one or more of Pharmacy's obligations under Subpart E of 45 CFR Part 164, Compounding Finder will comply with the requirements of Subpart E that apply to Pharmacy in performing those obligations.
7. Pharmacy obligations
Pharmacy will not request Compounding Finder to use or disclose PHI in a manner that would violate the HIPAA Rules if done by Pharmacy.
Pharmacy will notify Compounding Finder of any limitation in Pharmacy's notice of privacy practices, restriction on use or disclosure, or revocation or change of permission by an individual, in each case to the extent the limitation, restriction, revocation, or change may affect Compounding Finder's use or disclosure of PHI.
Pharmacy is responsible for determining whether it is a covered entity, whether information it provides or receives is PHI, and whether its use of the Services complies with laws applicable to Pharmacy practice, licensure, prescriptions, dispensing, compounding, shipping, billing, and patient communications.
8. Term and termination
This Agreement is effective on the date Pharmacy accepts it electronically through the pharmacy portal and remains in effect while Compounding Finder maintains PHI on behalf of Pharmacy or while Pharmacy uses the Services, unless terminated earlier.
Pharmacy may terminate this Agreement if Compounding Finder materially breaches this Agreement and fails to cure the breach within a reasonable time after written notice, unless cure is not feasible. Compounding Finder may suspend or terminate the Services if Pharmacy materially breaches the portal terms or this Agreement.
Upon termination, if feasible, Compounding Finder will return or destroy PHI received from Pharmacy or created, received, maintained, or transmitted by Compounding Finder on behalf of Pharmacy. If return or destruction is not feasible or if retention is required by law, Compounding Finder will continue to protect the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible or legally required.
The obligations that by their nature should survive termination, including confidentiality, safeguards, return or destruction, and limits on retained PHI, will survive termination.
9. Miscellaneous
A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or as amended.
The parties will take reasonable action necessary to amend this Agreement as needed for compliance with the HIPAA Rules or other applicable law.
Any ambiguity in this Agreement will be interpreted to permit compliance with the HIPAA Rules.
This Agreement may be accepted electronically. The individual accepting this Agreement on behalf of Pharmacy represents that they are authorized to bind Pharmacy. Electronic acceptance is intended to create a legally binding agreement to the fullest extent permitted by applicable law.
If this Agreement conflicts with any other agreement between the parties, this Agreement controls with respect to PHI and HIPAA matters. All non-HIPAA service terms remain governed by the applicable pharmacy portal terms or service agreement.