Standard Form — v2026.04
Business Associate Agreement
Effective April 15, 2026
This Business Associate Agreement ("BAA") supplements and is incorporated into the Terms of Service and any Master Service Agreement or Order Form (together, the "Service Agreement") between MonkeyWolf Digital LLC d/b/a ScriptRun ("Business Associate") and the pharmacy or covered entity identified in the Service Agreement ("Covered Entity"). This BAA governs the handling of Protected Health Information ("PHI") created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity in connection with the ScriptRun pharmacy delivery platform (the "Service").
Capitalized terms not defined in this BAA have the meanings given in the HIPAA Rules (45 C.F.R. Parts 160, 162, and 164), the HITECH Act, and the Omnibus Rule.
1. Permitted Uses and Disclosures of PHI
Business Associate may use and disclose PHI only:
- To perform the Service and related obligations under the Service Agreement (including dispatching prescription deliveries, routing drivers, sending patient notifications, capturing proof of delivery, generating analytics for Covered Entity, and providing customer support);
- For the proper management and administration of Business Associate;
- To carry out legal responsibilities of Business Associate, provided any disclosure required by law is made in accordance with 45 C.F.R. § 164.504(e)(4);
- To provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), if requested;
- To report violations of law to appropriate federal and state authorities.
Business Associate will not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, except as permitted above.
2. Prohibited Uses
Business Associate shall not:
- Sell PHI.
- Use or disclose PHI for marketing, except as permitted by 45 C.F.R. § 164.508.
- Use PHI to train third-party machine-learning models for the benefit of any person other than Covered Entity.
- Disclose PHI to any subcontractor absent a written BAA on terms at least as protective as this BAA.
3. Safeguards
Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI, consistent with the HIPAA Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316). Current safeguards are published at scriptrun.app/security and include encryption at rest (AES-256) and in transit (TLS 1.2 or higher), role-based access control, per-tenant row-level security, minimum-necessary access to PHI, audit logging, and periodic access reviews.
4. Minimum Necessary; Driver Restriction
Business Associate shall request, use, and disclose only the minimum PHI necessary to perform the Service. Drivers never see medication names, clinical details, or diagnosis information. The Service is architected so that the driver mobile application displays only patient first name, delivery address, pickup/drop-off instructions, and delivery window. Medication-level data is restricted to authorized pharmacy users.
5. Reporting of Use or Disclosure Not Permitted
Business Associate shall report to Covered Entity:
- Any use or disclosure of PHI not permitted by this BAA, within 24 hours of discovery;
- Any Security Incident of which Business Associate becomes aware, within 24 hours of discovery. Unsuccessful, non-significant Security Incidents (such as routine port scans or blocked intrusion attempts) will be reported in aggregate at Covered Entity's request;
- Any Breach of Unsecured PHI as defined in 45 C.F.R. § 164.402, without unreasonable delay and in no case later than 10 calendar days after discovery. This timing is more protective than the 60-day cap in 45 C.F.R. § 164.410 to give Covered Entity operational runway to meet its own notification obligations.
Breach reports shall include, to the extent known at the time:
- A description of what happened, including date of the Breach and date of discovery;
- A description of the types of PHI involved;
- The number of individuals affected and identification of affected individuals when known;
- Steps Business Associate has taken to investigate and mitigate harm;
- Steps Business Associate will take to prevent recurrence.
6. Subcontractors
Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions that are at least as protective as those in this BAA. A current list of subprocessors that may handle PHI is maintained at scriptrun.app/security#subprocessors. Covered Entity will be notified of material changes to this list with reasonable advance notice and may object in writing to any new subprocessor.
7. Access to PHI by Individuals
Within 10 business days of Covered Entity's written request, Business Associate shall make available PHI in a Designated Record Set as necessary for Covered Entity to meet its obligations under 45 C.F.R. § 164.524.
8. Amendment of PHI
Business Associate shall make PHI available for amendment and incorporate amendments as directed by Covered Entity under 45 C.F.R. § 164.526 within 15 business days of request.
9. Accounting of Disclosures
Business Associate shall document disclosures of PHI and information related to such disclosures as needed to permit Covered Entity to respond to a request for an accounting of disclosures under 45 C.F.R. § 164.528, and shall provide such information within 15 business days of request.
10. HHS Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.
11. Return or Destruction of PHI
Upon termination of the Service Agreement, Business Associate shall, at Covered Entity's election, return or destroy all PHI it still maintains in any form, and retain no copies. If return or destruction is not feasible, protections of this BAA continue to apply indefinitely to PHI retained, and further uses and disclosures shall be limited to those purposes that make return or destruction infeasible.
For the avoidance of doubt: Covered Entity may export its data at any time during the term in a portable format. Data ownership remains with Covered Entity.
12. Term and Termination
This BAA is effective on the date the Service Agreement becomes effective and continues for the term of the Service Agreement. Covered Entity may terminate this BAA and the Service Agreement for cause upon written notice if Business Associate has materially breached this BAA and has failed to cure within 30 days after written notice of breach, or immediately if cure is not feasible.
13. Indemnification
Business Associate shall indemnify and hold Covered Entity harmless from any third-party claim, regulatory fine, or reasonable breach-notification cost directly caused by Business Associate's material breach of this BAA or its negligent or willful failure to safeguard PHI. The aggregate limitation of liability in the Service Agreement does not apply to indemnification obligations under this Section or to a Breach of Unsecured PHI resulting from Business Associate's gross negligence or willful misconduct.
14. Regulatory Changes
The parties agree to amend this BAA as necessary to comply with changes in the HIPAA Rules. Business Associate will propose amendments promptly after any material regulatory change.
15. Interpretation; Relationship to Service Agreement
Any ambiguity in this BAA shall be resolved in favor of a meaning that complies with the HIPAA Rules. In the event of a conflict between this BAA and any other part of the Service Agreement, this BAA controls with respect to PHI.
16. Notices
Notices under this BAA must be in writing and sent to the Privacy Officer at privacy@scriptrun.app and to the business contact on file for Covered Entity. Notices are effective upon confirmed delivery.
17. Execution
This BAA is executed by countersignature on the Order Form, by click-through acceptance in the ScriptRun dashboard, or by separate signature page. Electronic signatures are valid.
FAQ
Do I need a BAA to use ScriptRun?
Yes, if you are a HIPAA Covered Entity (nearly every pharmacy). We will not transmit real PHI for any customer without a signed BAA on file.
Can I redline this BAA?
Yes. We aim to execute the standard form because it's been reviewed by counsel and by dozens of pharmacy GCs, which keeps review time under a week. But if your counsel requires a change, send markups to privacy@scriptrun.app.
Who signs on ScriptRun's side?
An authorized officer of MonkeyWolf Digital LLC. We will provide a countersigned copy within one business day of receiving a signed Order Form.
How fast do you report a breach?
Within 24 hours of discovery for suspected incidents, and within 10 calendar days for confirmed Breaches of Unsecured PHI — meaningfully faster than the 60-day cap the HIPAA Rules allow.
Do you have signed BAAs with your subprocessors?
Yes. Supabase (database and hosting), Twilio (SMS), Resend (email), Anthropic (label-recognition AI), and Vercel (app hosting) all provide signed BAAs or equivalent HIPAA-covered terms. See /security#subprocessors.
Contact
MonkeyWolf Digital LLC d/b/a ScriptRun
8052 NW 114 Pl, Miami, FL 33178
Privacy Officer: privacy@scriptrun.app
Support: support@scriptrun.app
This page is not a substitute for legal advice. It reflects ScriptRun's current standard BAA as of April 15, 2026 and is provided for review before signing an executed copy.