DEAready Business Associate Agreement
Effective as of acceptance. This Business Associate Agreement is effective as of the date the Customer accepts it (the "Effective Date"), recorded against the Customer's organization through the click-acceptance mechanism described in Section 18.
This Business Associate Agreement ("BAA" or "Agreement") is entered into by and between:
- DEAready LLC, a Missouri limited liability company, doing business as "DEAready," with its principal place of business at 210 W Oklahoma St, Branson, MO 65616 ("Business Associate," "DEAready," "we," "us," or "our"); and
- the customer organization that accepts this Agreement and uses the Service ("Customer," "Covered Entity," "you," or "your").
Business Associate and Customer are each a "Party" and together the "Parties."
Recitals
A. Customer is a "Covered Entity" or, with respect to protected health information it receives from an upstream covered entity, a "Business Associate" subject to the HIPAA Rules (in the latter case, DEAready acts as a Subcontractor and all obligations herein flow through to DEAready in the same manner).
B. DEAready provides a software-as-a-service controlled-substance recordkeeping and compliance platform (the "Service") that, among other functions, maintains controlled-substance logbook records (receipt, dispensing, administration, waste, transfer, disposal, and inventory), generates DEA inspection packs and state Prescription Drug Monitoring Program (PMP) / ASAP exports, and maintains a tamper-evident audit trail, as further described in the Terms of Service.
C. In performing the Service, DEAready creates, receives, maintains, or transmits Protected Health Information on behalf of Customer, making DEAready a "Business Associate" of Customer under the HIPAA Rules.
D. The Parties enter into this Agreement to comply with the applicable requirements of the HIPAA Rules, including 45 C.F.R. §§ 164.504(e) and 164.314(a), and to set forth the terms governing DEAready's permitted and required uses and disclosures of Protected Health Information.
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the Parties agree as follows.
1. Definitions
1.1. Catch-all. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules. In the event of an inconsistency between this Agreement and the HIPAA Rules, the HIPAA Rules control, and any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the HIPAA Rules.
1.2. Specific definitions. The following terms shall have the meanings set forth below:
(a) "Breach" shall have the meaning given in 45 C.F.R. § 164.402.
(b) "Business Associate" shall have the meaning given in 45 C.F.R. § 160.103, and in reference to a Party means DEAready.
(c) "Covered Entity" shall have the meaning given in 45 C.F.R. § 160.103, and in reference to a Party means Customer.
(d) "Designated Record Set" shall have the meaning given in 45 C.F.R. § 164.501.
(e) "Disclosure" (and "disclose") shall have the meaning given in 45 C.F.R. § 160.103.
(f) "Electronic Protected Health Information" or "ePHI" shall have the meaning given in 45 C.F.R. § 160.103, limited to PHI that DEAready creates, receives, maintains, or transmits for or on behalf of Customer.
(g) "Health Care Operations" shall have the meaning given in 45 C.F.R. § 164.501.
(h) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, including by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act," Title XIII of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5).
(i) "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164, as in effect and as amended from time to time.
(j) "Individual" shall have the meaning given in 45 C.F.R. § 160.103 and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
(k) "Minimum Necessary" means the minimum-necessary standard set forth in 45 C.F.R. §§ 164.502(b) and 164.514(d).
(l) "Protected Health Information" or "PHI" shall have the meaning given in 45 C.F.R. § 160.103, limited to the information that DEAready creates, receives, maintains, or transmits for or on behalf of Customer.
(m) "Required By Law" shall have the meaning given in 45 C.F.R. § 164.103.
(n) "Secretary" means the Secretary of the U.S. Department of Health and Human Services ("HHS") or any officer or employee of HHS to whom the authority involved has been delegated, including the Office for Civil Rights ("OCR").
(o) "Security Incident" shall have the meaning given in 45 C.F.R. § 164.304.
(p) "Service" means the DEAready software-as-a-service platform and related services described in the Terms of Service.
(q) "Subcontractor" shall have the meaning given in 45 C.F.R. § 160.103.
(r) "Terms of Service" or "ToS" means the DEAready Terms of Service, subscription agreement, or master services agreement between the Parties governing Customer's use of the Service, into which this Agreement is incorporated.
(s) "Unsecured PHI" shall have the meaning given in 45 C.F.R. § 164.402, namely PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.
2. Permitted and Required Uses and Disclosures of PHI
2.1. Performance of the Service. DEAready may use and disclose PHI as necessary to perform the Service for, and to fulfill its obligations to, Customer under the Terms of Service and this Agreement, including to: operate the controlled-substance logbook and recordkeeping functions; record and maintain controlled-substance transactions (receipt, dispensing, administration, waste, transfer, disposal, inventory, void, and correction); generate DEA inspection packs, DEA Form 41 and Form 106 outputs, and other compliance reports; generate and prepare state PMP / ASAP export files for Customer's submission; maintain the tamper-evident, hash-chained audit trail; provide data export and portability to Customer; and provide authentication, witness-verification, billing, support, and related operational functions.
2.2. Management and administration of DEAready. DEAready may use PHI for the proper management and administration of DEAready or to carry out the legal responsibilities of DEAready.
2.3. Disclosures for DEAready's management and administration. DEAready may disclose PHI for the proper management and administration of DEAready or to carry out the legal responsibilities of DEAready, only if:
(a) the disclosure is Required By Law; or
(b) DEAready obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to that person, and that the person will notify DEAready of any instance of which it becomes aware in which the confidentiality of the PHI has been breached.
2.4. Data aggregation. DEAready may use and disclose PHI to provide Data Aggregation services relating to the Health Care Operations of Customer, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
2.5. De-identification. DEAready may use PHI to create de-identified information in accordance with 45 C.F.R. § 164.514(a)–(b). Information de-identified in accordance with that section is no longer PHI, and DEAready may use, maintain, and disclose such de-identified information to operate, maintain, secure, and improve the Service. DEAready does not sell de-identified information and does not use it for advertising, consistent with the DEAready Privacy Policy. Any creation of a limited data set shall be governed by a data use agreement meeting the requirements of 45 C.F.R. § 164.514(e).
2.6. Required By Law. DEAready may use and disclose PHI as Required By Law.
2.7. General limitations. Except as otherwise permitted by this Agreement, the Terms of Service, or the HIPAA Rules, or as Required By Law, DEAready shall not use or disclose PHI. DEAready shall not use or disclose PHI in a manner that would violate the requirements of the Privacy Rule (Subpart E of 45 C.F.R. Part 164) if done by Customer, except that DEAready may use and disclose PHI for the purposes set forth in Sections 2.2 through 2.5 if such use or disclosure would otherwise be permitted by the HIPAA Rules. DEAready shall make uses and disclosures of, and requests for, PHI consistent with Customer's Minimum Necessary policies and procedures to the extent practicable and as communicated to DEAready.
2.8. Customer obligations affecting permitted uses. Customer shall:
(a) notify DEAready of any limitation(s) in Customer's Notice of Privacy Practices under 45 C.F.R. § 164.520, to the extent that such limitation may affect DEAready's use or disclosure of PHI;
(b) notify DEAready of any changes in, or revocation of, an Individual's permission to use or disclose his or her PHI, to the extent that such change may affect DEAready's use or disclosure of PHI;
(c) notify DEAready of any restriction on the use or disclosure of PHI that Customer has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect DEAready's use or disclosure of PHI; and
(d) not request DEAready to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer, except as permitted under Sections 2.2 through 2.5.
3. Obligations of DEAready
DEAready agrees to the following:
3.1. No improper use or disclosure. DEAready shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law.
3.2. Safeguards. DEAready shall use appropriate safeguards, and shall comply with Subpart C of 45 C.F.R. Part 164 (the Security Rule) with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
3.3. Security Rule compliance. DEAready shall comply with the applicable requirements of the Security Rule (Subpart C of 45 C.F.R. Part 164), including by implementing administrative safeguards (45 C.F.R. § 164.308), physical safeguards (45 C.F.R. § 164.310), technical safeguards (45 C.F.R. § 164.312), organizational requirements (45 C.F.R. § 164.314), and policies, procedures, and documentation requirements (45 C.F.R. § 164.316), in each case with respect to ePHI that DEAready creates, receives, maintains, or transmits on behalf of Customer. The technical and administrative safeguards DEAready maintains are summarized in Section 7 and are subject to ongoing change as required to maintain compliance.
3.4. Reporting. DEAready shall report to Customer:
(a) any use or disclosure of PHI not provided for by this Agreement of which DEAready becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410 (and as set forth in Section 6 of this Agreement); and
(b) any Security Incident of which DEAready becomes aware, in accordance with this Section. With respect to Security Incidents, the Parties acknowledge and agree that this Section constitutes notice by DEAready to Customer of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). "Unsuccessful Security Incidents" include, without limitation, pings and other broadcast attacks on DEAready's firewall, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in an information system containing PHI. No additional notice of Unsuccessful Security Incidents shall be required. DEAready shall report any Successful Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of PHI, or interference with system operations in an information system containing PHI, without unreasonable delay and consistent with the timing set forth in Section 6.
3.5. Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), DEAready shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of DEAready agrees in writing to the same restrictions, conditions, and requirements that apply to DEAready with respect to such PHI, including the applicable requirements of 45 C.F.R. § 164.314(a). DEAready shall obtain and document satisfactory assurances, in the form of a written contract or other arrangement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a), that each such Subcontractor will appropriately safeguard the PHI. A current list of DEAready's Subcontractors that may handle PHI is maintained as described in Section 5.
3.6. Access to PHI. DEAready shall, to the extent DEAready maintains PHI in a Designated Record Set, make such PHI available to Customer (or, as directed by Customer, to an Individual or the Individual's designee) as necessary to satisfy Customer's obligations under 45 C.F.R. § 164.524. DEAready shall make such PHI available within a reasonable time, and in any event in time to allow Customer to meet its applicable response deadline under the HIPAA Rules, in an electronic, machine-readable format where the PHI is maintained electronically. The Service's self-service data-export functionality (Section 8) may be used to satisfy this obligation. If an Individual submits a request for access directly to DEAready, DEAready shall promptly forward the request to Customer, and Customer shall be responsible for responding to the Individual unless the Parties agree otherwise in writing. Customer is responsible for any access charges permitted under 45 C.F.R. § 164.524(c)(4).
3.7. Amendment of PHI. DEAready shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Customer pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Customer's obligations under 45 C.F.R. § 164.526, within a reasonable time and in any event in time to allow Customer to meet its applicable deadline under the HIPAA Rules. Customer acknowledges that the Service's controlled-substance ledger is, by design and as required for DEA/state recordkeeping and tamper-evidence, append-only and immutable. Accordingly, where an amendment is required, it will be implemented through the Service's corrective recordkeeping mechanism (a documented void-and-correction or supplemental entry) rather than by deletion or overwriting of the original record, in a manner that preserves the integrity of the audit trail while reflecting the corrected information. If DEAready receives an amendment request directly from an Individual, DEAready shall promptly forward it to Customer.
3.8. Accounting of disclosures. DEAready shall document and maintain such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528. DEAready shall make available to Customer the information required to provide an accounting of disclosures within a reasonable time and in any event in time to allow Customer to meet its applicable deadline under the HIPAA Rules. Such information shall include, for each accountable disclosure: the date of the disclosure; the name and (if known) address of the entity or person who received the PHI; a brief description of the PHI disclosed; and a brief statement of the purpose of the disclosure. If an Individual requests an accounting directly from DEAready, DEAready shall promptly forward the request to Customer.
3.9. Performance of Customer's Privacy Rule obligations. To the extent DEAready is to carry out one or more of Customer's obligations under Subpart E of 45 C.F.R. Part 164 (the Privacy Rule), DEAready shall comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s).
3.10. Availability of records to the Secretary. DEAready shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by DEAready on behalf of, Customer available to the Secretary for purposes of the Secretary determining Customer's compliance with the HIPAA Rules. Disclosure of such records to the Secretary shall not be deemed a breach of DEAready's confidentiality obligations. DEAready shall, to the extent practicable and permitted by law, notify Customer of any such request by the Secretary.
3.11. Mitigation. DEAready shall mitigate, to the extent practicable, any harmful effect that is known to DEAready of a use or disclosure of PHI by DEAready in violation of this Agreement, or of a Breach or Security Incident.
3.12. Minimum Necessary. When using, disclosing, or requesting PHI, DEAready shall make reasonable efforts to limit PHI to the Minimum Necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 C.F.R. §§ 164.502(b) and 164.514(d) and with Customer's Minimum Necessary policies as communicated to DEAready.
3.13. Direct liability acknowledgment. DEAready acknowledges that, under the HITECH Act and the HIPAA Rules, it is directly liable for and subject to civil and criminal penalties for, among other things: making uses and disclosures of PHI not authorized by this Agreement or Required By Law; failing to safeguard ePHI in accordance with the Security Rule; failing to provide Breach notification to Customer; failing to provide access to, or a copy of, ePHI to Customer, an Individual, or the Individual's designee as applicable; failing to disclose PHI to the Secretary to investigate DEAready's compliance; failing to provide an accounting of disclosures; failing to comply with the Minimum Necessary standard; failing to enter into compliant agreements with its Subcontractors; failing to make reasonable efforts to limit PHI to the Minimum Necessary; and taking any retaliatory action against any Individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing any act or practice that is unlawful under the HIPAA Rules. Nothing in this Agreement, including any limitation of liability, shall be construed to relieve DEAready of, or to permit DEAready to contract away, its direct statutory and regulatory liability under HIPAA and the HITECH Act.
3.14. No retaliation; no waiver of rights. DEAready shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any Individual or other person for exercising any right under, or for participating in any process established by, the HIPAA Rules, including the filing of a complaint. DEAready shall not require any Individual to waive any right under the HIPAA Rules as a condition of the provision of treatment, payment, enrollment, or eligibility for benefits.
4. Security Rule Business Associate Contract Terms (45 C.F.R. § 164.314(a))
In addition to and without limiting Section 3, with respect to ePHI, DEAready shall:
4.1. comply with the applicable requirements of Subpart C of 45 C.F.R. Part 164;
4.2. in accordance with 45 C.F.R. § 164.308(b)(2), ensure that any Subcontractor that creates, receives, maintains, or transmits ePHI on behalf of DEAready enters into a written contract or other arrangement that complies with 45 C.F.R. § 164.314(a); and
4.3. report to Customer any Security Incident of which it becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, in accordance with Sections 3.4 and 6.
5. Subcontractors and Subprocessors
5.1. Authorization. Customer authorizes DEAready to engage Subcontractors and subprocessors to perform the Service, including the third-party service providers DEAready uses for cloud infrastructure, application hosting, data storage, authentication, transactional communications, error monitoring, billing, and similar functions.
5.2. Current subprocessors. As of the Effective Date, DEAready uses the following third-party service providers in connection with the Service:
(a) Amazon Web Services (AWS), region us-east-1 — cloud infrastructure, covered by the AWS HIPAA Business Associate Addendum, comprising: Amazon RDS (PostgreSQL database), Amazon S3 (audit/Merkle archive with Object Lock), AWS KMS (encryption key management), Amazon SES (transactional email), Amazon Cognito (authentication and multi-factor authentication), and AWS ECS Fargate (application hosting/compute). AWS handles PHI and operates as a Business Associate under that Addendum with respect to HIPAA-eligible services.
(b) Stripe — billing and subscription payments. No PHI is sent to Stripe; Stripe receives only Customer organization billing identifiers and account metadata. Because Stripe does not handle PHI, it is not engaged as a Business Associate.
(c) Sentry — application error and exception monitoring. DEAready configures this service to scrub tokens, cookies, and personally identifiable information before transmission (via a beforeSend filter); PHI is not intentionally transmitted to this service. Because it is not intended to and does not receive PHI, it is not engaged as a Business Associate.
(d) Google Maps Platform — address autocomplete for organization, location, and supplier/counterparty addresses only. This service receives only non-patient business address text entered by Customer's users; patient addresses are entered in a plain field and are not sent to Google. Accordingly, it is not engaged as a Business Associate.
5.3. Flow-down. For each Subcontractor that creates, receives, maintains, or transmits PHI on behalf of DEAready, DEAready shall obtain and maintain a written agreement imposing the same restrictions, conditions, and requirements that apply to DEAready under this Agreement and meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a).
5.4. Changes to subprocessors. DEAready may add or replace Subcontractors and subprocessors from time to time. DEAready shall maintain a current list of its PHI-handling Subcontractors and shall make the current list available to Customer upon written request to the contact in Section 19. DEAready remains responsible for the performance of its Subcontractors with respect to PHI to the same extent as for its own performance.
6. Breach and Security Incident Notification
6.1. Discovery. A Breach or Security Incident shall be treated as discovered by DEAready as of the first day on which it is known to DEAready, or, by exercising reasonable diligence, would have been known to DEAready. DEAready shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Breach) who is an employee, officer, or other agent of DEAready, as determined in accordance with the federal common law of agency.
6.2. Notice to Customer. Following the discovery of a Breach of Unsecured PHI, DEAready shall notify Customer of such Breach without unreasonable delay and in no case later than sixty (60) calendar days after discovery, consistent with 45 C.F.R. § 164.410(b) and subject to any law-enforcement delay permitted under 45 C.F.R. § 164.412. DEAready will use reasonable efforts to notify Customer promptly enough to enable Customer to satisfy its own notification deadlines, and shall report any Successful Security Incident that is not a Breach without unreasonable delay following discovery.
6.3. Content of notice. DEAready's notification to Customer under Section 6.2 shall include, to the extent possible at the time of the notice and thereafter promptly as information becomes available:
(a) the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by DEAready to have been, accessed, acquired, used, or disclosed during the Breach;
(b) a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
(c) a description of the types of Unsecured PHI involved (such as name, date of birth, address, controlled-substance dispensing or administration data, or other identifiers);
(d) any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
(e) a brief description of what DEAready is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against further Breaches; and
(f) any other information that Customer is required to include in its notification to Individuals under 45 C.F.R. § 164.404(c).
6.4. Risk assessment. DEAready shall, in cooperation with Customer, conduct and document a risk assessment under 45 C.F.R. § 164.402 to determine whether an impermissible acquisition, access, use, or disclosure of Unsecured PHI compromises the security or privacy of the PHI. The assessment shall consider at least: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated. DEAready shall retain documentation of each such risk assessment and shall make it available to Customer and, as required, to the Secretary.
6.5. Encryption safe harbor. The Parties acknowledge that DEAready applies application-layer AES-256-GCM encryption to specified sensitive identifier fields, as described in Section 7.1. The encryption "safe harbor" recognized by the Secretary applies only to those specifically field-encrypted identifier fields when they are accessed in encrypted form; such fields, when not accessed in unencrypted form, are not "Unsecured PHI." Other PHI maintained in the Service that is not within the enumerated field-encrypted set may constitute Unsecured PHI, and nothing in this Section implies that all PHI in the Service is rendered secured. Nothing in this Section relieves DEAready of its obligation to report impermissible uses or disclosures and Security Incidents under Sections 3.4 and 6.
6.6. Cooperation and cost allocation. DEAready shall cooperate with Customer in investigating, responding to, and mitigating any Breach or Security Incident and in fulfilling Customer's notification obligations. The allocation of costs of Breach response, including forensic investigation, notification, and credit monitoring, shall be as set forth in Section 11 (Indemnification).
7. Safeguards Summary
The following summarizes DEAready's principal technical and administrative safeguards as of the Effective Date. This summary is descriptive and may be updated as DEAready's safeguards evolve; it does not limit DEAready's obligation to comply with the Security Rule under Sections 3.3 and 4.
7.1. Field-level encryption. Enumerated sensitive identifiers are encrypted at the application layer using AES-256-GCM authenticated encryption before storage. These fields are: patient name, date of birth, and address (street, city, state, and ZIP) on transactions; the DEA registration number; user DEA number and National Provider Identifier (NPI); registrant business EIN; and stored credential numbers. The field-encryption backfill has been run, so existing rows of these fields, and not only new writes, are encrypted.
7.2. Encryption at rest. The primary database (Amazon RDS), backups, and object storage are encrypted at rest using AWS Key Management Service (KMS) managed keys.
7.3. Encryption in transit. All connections to the Service are protected by TLS 1.2 or higher, using certificates managed through AWS Certificate Manager. Application-to-database connections are encrypted.
7.4. Tenant isolation. Customer data is logically isolated through PostgreSQL row-level security (RLS) enforced at the database layer, scoped to each organization's identifier on every access.
7.5. Append-only, tamper-evident records. Controlled-substance transactions and the audit log are append-only; database triggers block updates and deletions. Corrections are made through explicit void-and-correction entries. The audit log is hash-chained (SHA-256), and daily Merkle roots are written to object storage under compliance-mode Object Lock with multi-year retention and cross-region replication, providing tamper-evidence.
7.6. Access control and authentication. Access requires authentication through Amazon Cognito with role-based authorization. Multi-factor authentication is required for all users, enforced by the Amazon Cognito user pool at sign-in. Sessions are subject to an idle timeout.
7.7. Witness verification. Witness attestations for waste and disposal events are verified server-side using personal identification numbers that are stored only as salted, computationally hardened hashes (scrypt), are never returned to clients, and are subject to rate-limiting and lockout protections.
7.8. Error-monitoring scrubbing. Error and exception monitoring is configured to scrub tokens, cookies, personally identifiable information, authentication credentials, and secrets before transmission, and session replay is disabled.
8. Data Access, Export, and Portability
8.1. Customer access to its data. Throughout the term of the Terms of Service and during any wind-down period, a user holding the Owner role may access, retrieve, and export Customer's data through the Service as a complete, portable export bundle. The export bundle is a ZIP containing: transactions.csv (the full controlled-substance ledger), containers.csv, drugs.csv, locations.csv (with DEA registration and expiry), inventory-events.csv, audit-log.csv (the full hash-chain with hashes), merkle-roots.json (daily Merkle roots and their S3 keys), and chain-verification.json (a chain-verification result computed at the time of export). The export bundle does not include a rendered Inspection Pack PDF; the Inspection Pack is generated separately on demand under Reports.
8.2. No access blocking. DEAready shall not, and shall not attempt to, withhold, block, or condition Customer's access to or export of Customer's PHI as a means of resolving a fee dispute or other commercial disagreement. DEAready shall make Customer's PHI available for retrieval and export on termination in accordance with Section 13, regardless of the status of any payment dispute.
9. Obligations of Customer
9.1. Customer represents and warrants that it has obtained and will maintain any consents, authorizations, and permissions necessary under the HIPAA Rules and other applicable law to permit DEAready to use and disclose PHI as contemplated by this Agreement and the Terms of Service.
9.2. Customer shall not provide DEAready with PHI in violation of the HIPAA Rules or other applicable law, and shall not request DEAready to use or disclose PHI in any manner not permitted under the HIPAA Rules if done by Customer.
9.3. Customer is responsible for its own compliance with the HIPAA Rules, including providing any Notice of Privacy Practices, responding to Individual rights requests (with DEAready's support as provided herein), and making its own Breach notifications to Individuals, the Secretary, and the media as required by 45 C.F.R. §§ 164.404, 164.406, and 164.408.
9.4. Customer is responsible for the administration of its own user accounts within the Service, including assigning the Owner, Admin, Staff, Witness-Only, and Read-Only roles, deactivating departed users, and safeguarding its credentials. Multi-factor authentication is required for all users via Amazon Cognito.
9.5. Customer is responsible for determining and maintaining record-retention periods applicable to it, and for meeting its own obligations to retain and produce controlled-substance records under 21 C.F.R. Part 1304 and applicable state law.
10. Compliance with Other Laws
This Agreement supplements, and does not supersede, any obligations of either Party under other applicable laws. Nothing in this Agreement shall be construed to require either Party to violate any applicable federal or state law, including the Controlled Substances Act and DEA recordkeeping requirements at 21 C.F.R. Parts 1304 and 1311, applicable state pharmacy and PMP laws, or the HIPAA Rules. Where the requirements of the HIPAA Rules conflict with a term of this Agreement, the HIPAA Rules control with respect to PHI.
11. Indemnification and Allocation of Breach Costs
11.1. DEAready indemnity. DEAready shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any third-party claims, losses, liabilities, damages, fines, penalties, and reasonable expenses (including reasonable attorneys' fees) to the extent arising out of DEAready's breach of this Agreement or the negligence or willful misconduct of DEAready or its Subcontractors in the handling of PHI.
11.2. Customer indemnity. Customer shall indemnify, defend, and hold harmless DEAready and its officers, directors, employees, and agents from and against any third-party claims, losses, liabilities, damages, fines, penalties, and reasonable expenses (including reasonable attorneys' fees) to the extent arising out of Customer's breach of this Agreement, Customer's provision of PHI to DEAready in violation of applicable law, Customer's instructions that cause DEAready's non-compliance, or the negligence or willful misconduct of Customer.
11.3. Breach-response costs. As between the Parties, the costs of investigating, responding to, and providing notification of a Breach (including forensic investigation, notification to Individuals, the Secretary, and the media, and credit monitoring where appropriate) shall be borne by the Party whose act, omission, breach of this Agreement, negligence, or willful misconduct caused the Breach. Where both Parties contributed, such costs shall be allocated in proportion to each Party's relative fault.
11.4. No shifting of statutory penalties. Nothing in this Section or this Agreement shall be construed to shift, waive, or eliminate any civil money penalty, criminal penalty, or other statutory liability imposed by OCR or any other governmental authority directly upon the liable Party under HIPAA, the HITECH Act, or applicable law. Indemnification under this Section addresses allocation of liability as between the Parties only.
11.5. Limitation of liability. Except as provided in Section 11.6, each Party's aggregate liability arising out of or related to this Agreement shall be subject to the limitations of liability set forth in the Terms of Service.
11.6. Carve-outs. The limitations of liability in Section 11.5 and in the Terms of Service shall not apply to: (a) a Party's indemnification obligations under this Section; (b) damages arising from a Party's breach of its confidentiality or PHI-protection obligations under this Agreement; (c) a Party's gross negligence or willful misconduct; or (d) a Party's fraud. Any cap applicable to the matters in clause (b) shall be as separately negotiated by the Parties; absent such negotiation, the matters in clauses (a) through (d) are not subject to the cap in Section 11.5.
12. Term and Termination
12.1. Term. This Agreement is effective as of the Effective Date and shall remain in effect until terminated in accordance with this Section or until all PHI provided by Customer to, or created or received by DEAready on behalf of, Customer is destroyed, returned, or protections are extended in accordance with Section 13. This Agreement shall survive termination or expiration of the Terms of Service with respect to any PHI that DEAready continues to retain.
12.2. Termination for cause by Customer. Customer may terminate this Agreement and the Terms of Service if Customer determines that DEAready has violated a material term of this Agreement and DEAready has failed to cure the violation within thirty (30) days of written notice, or where cure is not possible.
12.3. Cure or terminate on pattern of breach. If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach or violation of the other Party's obligations under this Agreement, the non-breaching Party shall take reasonable steps to cause the breaching Party to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, shall terminate this Agreement if feasible, or, if termination is not feasible, report the problem to the Secretary.
12.4. Effect of termination. Upon termination of this Agreement for any reason, DEAready shall comply with Section 13.
13. Return or Destruction of PHI Upon Termination; Required Retention
13.1. General rule. Except as provided in Sections 13.2 through 13.5, upon termination of this Agreement, DEAready shall, if feasible, return to Customer or destroy all PHI received from, or created or received by DEAready on behalf of, Customer that DEAready still maintains in any form, and shall retain no copies of such PHI.
13.2. Customer export window. Prior to or upon termination, and for a period of thirty (30) days following termination, DEAready shall make available to Customer the complete data-export bundle described in Section 8 so that Customer may obtain a copy of its records, including those records Customer is required to retain under 21 C.F.R. Part 1304 and applicable state law. After that thirty (30)-day window, records are retained under the retention and Object-Lock period described in Section 13.5 and are no longer interactively accessible through the Service. The Parties acknowledge that Customer is, and after termination remains, the registrant responsible under DEA and state law for retaining and producing its controlled-substance records, and that DEAready provides the export to enable Customer to fulfill that responsibility.
13.3. Infeasibility due to legal retention requirements and ledger integrity. The Parties expressly acknowledge and agree that the return or destruction of controlled-substance records maintained in the Service at termination is not feasible, because: (a) those records are Required By Law to be retained for the applicable retention periods (DEAready applies a default retention period of seven (7) years, which exceeds the two-year federal minimum under 21 C.F.R. § 1304.04, during which records must remain available for DEA inspection and copying, and meets the longer periods required by several states, including Arkansas); and (b) those records reside in an append-only, hash-chained, tamper-evident ledger in which each entry's hash depends on the entry before it, so that an individual record cannot be selectively deleted without breaking the chain and thereby destroying the integrity and inspection value of the entire audit trail.
13.4. Extension of protections. Because return or destruction is not feasible as set forth in Section 13.3, DEAready shall, for as long as it retains any such PHI:
(a) extend the protections of this Agreement, including the safeguards and Security Rule compliance obligations of Sections 3 and 4, to the retained PHI;
(b) limit further uses and disclosures of the retained PHI to those purposes that make the return or destruction of the PHI infeasible, namely: complying with legally mandated retention; responding to DEA or state-board inspection, audit, subpoena, or other lawful process; supporting Customer's own compliance, audit, defense, and recordkeeping needs; and enabling Customer's lawful retrieval of its records;
(c) make no other use or disclosure of the retained PHI; and
(d) continue to make the retained PHI available to the Secretary in accordance with Section 3.10 and to Customer in accordance with Sections 3.6 and 8.
13.5. Disposition after retention period. DEAready applies a default retention period of seven (7) years to controlled-substance records, backed by a seven (7)-year compliance-mode S3 Object Lock on the Merkle-root archive (in compliance mode, an Object Lock retention period can be lengthened but cannot be shortened or removed before it expires, even by the AWS account root user, so the seven-year period operates as a floor); this default meets the two-year federal minimum under 21 C.F.R. § 1304.04 and the longer periods required by applicable state law, and may be extended where a longer period is required by applicable state law or agreed with Customer. Because the records reside in an append-only, hash-chained, Object-Locked ledger, "return or destruction" at the end of the retention period is accomplished by de-identification of the retained records in accordance with 45 C.F.R. § 164.514, and/or by expiry of the Object-Lock retention period governing the underlying archive, after which the records are aged out under DEAready's data-lifecycle practices. Once a record is de-identified in accordance with 45 C.F.R. § 164.514, it is no longer PHI and the obligations of this Section no longer apply to it. DEAready does not perform per-customer cryptographic key destruction ("crypto-shredding") as a destruction mechanism: the field-level encryption uses a single shared key that is not segregated per customer, so destroying the key would destroy every customer's data at once and is not a per-customer destruction option.
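Sections 8.1, 13.3 and 13.5 rely on two properties of the ledger: each audit-log entry's hash depends on the preceding entry (so deleting or editing one record breaks verification of everything after it), and the daily Merkle roots archived under Object Lock anchor the set of hashes independently of the ledger itself. The following is an added illustration of how a Customer can check an export bundle against those properties. It is not DEAready's code, and the column layout of audit-log.csv, the hash construction (SHA-256 over the previous hash and a canonical JSON payload), the Merkle rule (pairwise SHA-256, odd node duplicated), the shape of the verification result and the sample events are all assumptions, since the Agreement specifies none of them.

```python
"""Hash-chained audit ledger with daily Merkle roots: build, export to CSV,
verify, and show what deletion, silent edits and full rewrites look like.

Added example, not DEAready's code. Column names, hash scheme, Merkle rule
and sample data are assumptions; the Agreement does not specify them."""
import csv
import hashlib
import io
import json

GENESIS = "0" * 64  # assumed prev_hash of the first ledger entry
PAYLOAD_FIELDS = ("seq", "day", "event", "drug", "qty")

# Constructed sample events (not real controlled-substance records).
SAMPLE_EVENTS = [
    {"seq": 1, "day": "2024-03-01", "event": "receipt", "drug": "morphine 10mg/mL", "qty": 20},
    {"seq": 2, "day": "2024-03-01", "event": "administer", "drug": "morphine 10mg/mL", "qty": -1},
    {"seq": 3, "day": "2024-03-01", "event": "waste", "drug": "morphine 10mg/mL", "qty": -1},
    {"seq": 4, "day": "2024-03-02", "event": "administer", "drug": "morphine 10mg/mL", "qty": -2},
    {"seq": 5, "day": "2024-03-02", "event": "transfer", "drug": "morphine 10mg/mL", "qty": -5},
]


def entry_hash(prev_hash, payload):
    """SHA-256 over prev_hash || canonical JSON of the payload fields (assumed scheme)."""
    canon = json.dumps({k: payload[k] for k in PAYLOAD_FIELDS},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "|" + canon).encode()).hexdigest()


def build_chain(events):
    """Append-only construction: every entry commits to the hash of the one before it."""
    entries, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        entries.append({**ev, "prev_hash": prev, "hash": h})
        prev = h
    return entries


def to_csv(entries):
    """Serialise in the style of audit-log.csv (assumed column layout)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(PAYLOAD_FIELDS) + ["prev_hash", "hash"])
    w.writeheader()
    w.writerows(entries)
    return buf.getvalue()


def from_csv(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # CSV yields strings; restore the integer fields so hashes canonicalise
        r["seq"], r["qty"] = int(r["seq"]), int(r["qty"])
    return rows


def verify_chain(entries):
    """Return (ok, first_bad_seq): checks linkage and recomputes every hash."""
    prev = GENESIS
    for e in entries:
        if e["prev_hash"] != prev or entry_hash(prev, e) != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    return True, None


def merkle_root(leaf_hashes):
    """Pairwise SHA-256 up to one root; an odd trailing node is duplicated (assumed rule)."""
    level = list(leaf_hashes) or [hashlib.sha256(b"").hexdigest()]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256((level[i] + level[i + 1]).encode()).hexdigest()
                 for i in range(0, len(level), 2)]
    return level[0]


def daily_roots(entries):
    """Per-day roots in the spirit of merkle-roots.json (the archived, Object-Locked values)."""
    days = {}
    for e in entries:
        days.setdefault(e["day"], []).append(e["hash"])
    return {d: merkle_root(hs) for d, hs in days.items()}


def verify_export(csv_text, archived_roots):
    """Chain-verification result in the spirit of chain-verification.json (assumed shape)."""
    entries = from_csv(csv_text)
    ok, bad = verify_chain(entries)
    computed = daily_roots(entries)
    bad_days = sorted(d for d in set(archived_roots) | set(computed)
                      if archived_roots.get(d) != computed.get(d))
    return {"chain_ok": ok, "first_bad_seq": bad, "root_mismatch_days": bad_days}


def demo():
    chain = build_chain(SAMPLE_EVENTS)
    exported, roots = to_csv(chain), daily_roots(chain)
    intact = verify_export(exported, roots)
    # Selective deletion of seq 3: the chain breaks at seq 4 and the day's root changes.
    deleted = to_csv([r for r in from_csv(exported) if r["seq"] != 3])
    # Silent edit without rehashing: the chain catches it, the archived roots do not.
    edited_rows = from_csv(exported)
    edited_rows[1]["qty"] = -3
    edited = to_csv(edited_rows)
    # Full rewrite (edit + rebuild the chain): the chain verifies, only the roots catch it.
    rewritten_events = [dict(ev, qty=-3) if ev["seq"] == 2 else ev for ev in SAMPLE_EVENTS]
    rewritten = to_csv(build_chain(rewritten_events))
    return intact, verify_export(deleted, roots), verify_export(edited, roots), verify_export(rewritten, roots)


if __name__ == "__main__":
    for label, result in zip(("intact", "deleted", "edited", "rewritten"), demo()):
        print(label, result)
```

The "rewritten" case is the reason the Merkle roots are archived under Object Lock rather than kept only inside the ledger: a party able to rewrite the ledger could regenerate a self-consistent chain, and only an externally anchored root exposes that. Which fields the entry hash covers is not stated in the Agreement; if it covers fields that are later de-identified under this Section 13.5, the retained copy will no longer verify against the exported chain, so a Customer should keep the complete export bundle obtained during the Section 13.2 window as its own independently verifiable record.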
13.6. Coexistence of inspection rights. Nothing in this Section shall be interpreted to impede either the Secretary's right of access under Section 3.10 or the DEA's and applicable state agencies' independent rights of inspection and copying under 21 C.F.R. Part 1304 and applicable state law, which are independent inspection rights that the Parties intend to be fully preserved.
14. No Third-Party Beneficiaries
Except as expressly provided in this Agreement, nothing in this Agreement is intended to confer, nor shall it confer, upon any person other than the Parties and their respective successors and permitted assigns any rights, remedies, obligations, or liabilities.
15. Relationship to the Terms of Service and Privacy Policy; Order of Precedence
15.1. Incorporation. This Agreement is incorporated into and made a part of the Terms of Service. Customer's acceptance of the Terms of Service, together with the click-acceptance described in Section 18, incorporates this Agreement.
15.2. Order of precedence. With respect to matters concerning the privacy or security of PHI or compliance with the HIPAA Rules, this Agreement controls. With respect to descriptions of data collection, use, and Subprocessors, the DEAready Privacy Policy controls. In all other respects, including the commercial relationship between the Parties, the Terms of Service govern. To the extent any provision of the Terms of Service or the Privacy Policy is inconsistent with the HIPAA Rules as applied to PHI, this Agreement controls and such provision shall be construed to permit compliance with the HIPAA Rules.
16. Amendment; Regulatory Changes
16.1. Amendment to comply with law. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of the HIPAA Rules and any other applicable law. If either Party reasonably believes that a change in the HIPAA Rules requires amendment of this Agreement, the Parties shall negotiate in good faith to make such amendment.
16.2. General amendment. DEAready may otherwise amend this Agreement by posting a revised version and providing notice to Customer (which may be through the Service, by email, or through the click-acceptance mechanism). Material amendments will be subject to re-acceptance as described in Section 18. Customer's continued use of the Service after the effective date of a non-material amendment constitutes acceptance of that amendment.
16.3. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules.
17. Insurance and Safeguards
DEAready maintains commercially reasonable administrative, physical, and technical safeguards appropriate to protect PHI, as further described in Section 7. As the business and the volume of PHI it processes grow, DEAready will obtain and maintain insurance coverage (including cyber/privacy liability and technology errors-and-omissions coverage) appropriate to the scale of PHI processed. Upon Customer's reasonable written request, DEAready shall provide a summary of the insurance coverage then in effect.
18. Electronic Acceptance and Execution
18.1. Click-acceptance. This Agreement may be accepted electronically. By taking the affirmative action of clicking "I agree," checking a box specifically referencing this Business Associate Agreement, or otherwise indicating assent through the mechanism DEAready provides at sign-up or within the Service, the accepting Customer enters into this Agreement. Such electronic acceptance constitutes a valid and binding signature under the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.) and the applicable Uniform Electronic Transactions Act.
18.2. Authority. The individual accepting this Agreement on behalf of Customer represents and warrants that he or she is authorized to bind Customer (including, where applicable, in his or her capacity as the registrant of record, an authorized agent, or a holder of a power of attorney) and to enter into this Agreement on Customer's behalf.
18.3. Acceptance record. DEAready records acceptance of this Agreement against the Customer's organization, including the date and time of acceptance and the accepting user account. DEAready will make a copy of the accepted Agreement available to Customer on request.
18.4. Versioning and re-acceptance. DEAready maintains version history of this Agreement. Upon a material amendment, DEAready will require Customer to re-accept the amended Agreement and will record the re-acceptance in the same manner.
18.5. Counterpart signature (optional). In lieu of or in addition to electronic click-acceptance, the Parties may execute this Agreement by manual or electronic signature in one or more counterparts, each of which is deemed an original and all of which together constitute one instrument.
19. Notices
19.1. Notices to DEAready under this Agreement shall be sent to:
DEAready LLC (d/b/a DEAready)
Attn: Privacy Officer / HIPAA Contact
210 W Oklahoma St, Branson, MO 65616
Email: support@deaready.com
19.2. Notices to Customer shall be sent to the primary administrative or Owner contact on file for Customer's account in the Service, or to such other address as Customer designates in writing.
19.3. Notices are deemed given: when delivered, if delivered personally or by email with confirmation of receipt; one (1) business day after deposit with a recognized overnight courier; or three (3) business days after mailing by certified U.S. mail, return receipt requested. Breach and Security Incident notices may be given by email to expedite notification and shall be promptly confirmed in writing.
20. Governing Law and Dispute Resolution
20.1. Governing law. This Agreement is governed by and construed in accordance with the laws of the State of Missouri, without regard to its conflict-of-laws principles, except to the extent preempted by federal law. The HIPAA Rules, the HITECH Act, and other applicable federal law govern and control over any conflicting provision of state law with respect to PHI.
20.2. Binding arbitration. Except as provided in Sections 20.5 and 20.7, any dispute, claim, or controversy arising out of or relating to this Agreement, including its breach, termination, enforcement, interpretation, or validity, shall be resolved by final and binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules. Because this is a business-to-business agreement, the AAA's Supplementary Procedures for consumer-related disputes do not apply. The arbitration shall be conducted before a single arbitrator. The seat and venue of the arbitration shall be Taney County (Branson), Missouri. The arbitrator shall apply Missouri law (and the substantive law otherwise specified in this Agreement), and the Federal Arbitration Act (9 U.S.C. § 1 et seq.) governs the interpretation and enforcement of this agreement to arbitrate.
20.3. Confidentiality; costs; relief. The arbitration shall be confidential. Each Party shall bear its own costs and attorneys' fees, except as the AAA Rules or the arbitrator otherwise provide. The arbitrator may award any relief available in a court of competent jurisdiction.
20.4. Class-action and class-arbitration waiver. All disputes shall be resolved on an individual basis. The Parties waive any right to bring or participate in any class, collective, or representative arbitration or action, and the arbitrator shall have no authority to arbitrate any dispute as a class, collective, or representative proceeding.
20.5. Equitable relief and award enforcement; consent to court. Notwithstanding the agreement to arbitrate, either Party may bring an action for injunctive or other equitable relief, or to compel arbitration or to confirm, vacate, or enforce an arbitration award, in the state or federal courts located in Taney County, Missouri, and the Parties consent to the personal jurisdiction and venue of those courts for those purposes.
20.6. Jury-trial waiver. To the extent any matter proceeds in court, the Parties waive trial by jury.
20.7. Small claims. Either Party may bring a qualifying claim in small-claims court.
20.8. Preservation of HIPAA and regulatory authority. With respect to any matter concerning PHI, the HIPAA Rules and other applicable federal law control over any conflicting provision of this Section. Nothing in this Section limits or modifies either Party's statutory or regulatory obligations under HIPAA, the HITECH Act, the Controlled Substances Act, or applicable state law, or the authority of the Secretary, OCR, the DEA, or any other regulator, including their independent rights of access, inspection, investigation, and enforcement. This Section governs contract disputes between the Parties, consistent with the Terms of Service.
21. Miscellaneous
21.1. Survival. The obligations of DEAready and Customer under Sections 3, 4, 6, 11, 13, and 20, and any other provision that by its nature should survive, shall survive the termination or expiration of this Agreement for so long as DEAready retains any PHI and as otherwise necessary to give effect to such provisions.
21.2. Severability. If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be reformed to the minimum extent necessary to make it valid and enforceable while preserving the Parties' intent and compliance with the HIPAA Rules.
21.3. No waiver. No failure or delay by either Party in exercising any right under this Agreement constitutes a waiver of that right. No waiver is effective unless in writing.
21.4. Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except that either Party may assign this Agreement, without consent, to a successor in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the successor agrees to be bound by this Agreement.
21.5. Independent contractors. The Parties are independent contractors. Nothing in this Agreement creates any partnership, joint venture, agency, or employment relationship between the Parties.
21.6. Entire agreement. This Agreement, together with the Terms of Service into which it is incorporated, constitutes the entire agreement between the Parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous agreements and understandings, whether written or oral, concerning that subject matter.
OWNER MUST CONFIRM
The following item must be confirmed by the owner before this Agreement is published or relied upon:
- Insurance (Section 17) — confirm and, if appropriate, insert the actual insurance coverage DEAready carries. No policy or dollar amount is asserted in this document; the section is forward-looking only.