HIPAA Business Associate Agreement

Effective Date: January 1, 2025

Last Updated: October 1, 2025

Important Notice

This Business Associate Agreement (BAA) is automatically incorporated into your Service Agreement when you use C2 Track to store or process Protected Health Information (PHI). By using the Service to handle PHI, you agree to the terms of this BAA.

1. Definitions

Terms used in this Business Associate Agreement (BAA) that are not otherwise defined shall have the meanings given to them in 45 CFR §§ 160.103 and 164.501:

  • "Business Associate" shall mean C2 Track, LLC.
  • "Covered Entity" shall mean the pharmacy or healthcare organization subscribing to the Service.
  • "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
  • "Protected Health Information" or "PHI" shall have the meaning given to such term in 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • "Service" shall mean the C2 Track controlled substance inventory management system.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as permitted by this BAA or as required by law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except for:

  • Providing the Service to Covered Entity as described in the Terms of Service
  • Data aggregation services relating to the health care operations of Covered Entity
  • Management and administrative activities of Business Associate
  • Legal obligations that require disclosure of PHI

2.2 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this BAA, including:

  • Encryption in Transit: All PHI transmitted over public networks is encrypted using TLS 1.2 or higher
  • Encryption at Rest: PHI stored in databases is encrypted using AES-256 encryption
  • Access Controls: Role-based access controls (RBAC) limit PHI access to authorized users only
  • Authentication: Multi-factor authentication and strong password policies
  • Audit Logging: Comprehensive audit trails track all access to and modifications of PHI
  • Secure Hosting: Data is hosted on HIPAA-compliant infrastructure (MongoDB Atlas, Vercel)
  • Regular Security Assessments: Periodic vulnerability assessments and penetration testing
  • Data Backup: Regular automated backups with encryption

2.3 Subcontractors

Business Associate shall ensure that any subcontractors or agents to whom it provides PHI agree to the same restrictions and conditions that apply to Business Associate with respect to such information. Current subcontractors include:

  • MongoDB, Inc. (Database hosting - MongoDB Atlas)
  • Vercel Inc. (Application hosting and CDN)
  • Stripe, Inc. (Payment processing - does not access PHI)

2.4 Breach Notification

Business Associate shall, following the discovery of a breach of unsecured PHI, notify Covered Entity of such breach in accordance with 45 CFR § 164.410. Such notification shall be made without unreasonable delay and in no case later than 10 business days after discovery of the breach. The notification shall include, to the extent known:

  • A description of what happened, including the date of the breach and the date of discovery
  • A description of the types of unsecured PHI involved (e.g., prescription numbers, medication records)
  • The identification of each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed
  • A description of remedial actions taken or to be taken
  • Contact information for the individual at Business Associate responsible for the breach investigation

2.5 Access to PHI

Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. Business Associate shall provide such access within 10 business days of receipt of a request from Covered Entity.

2.6 Amendment of PHI

Business Associate shall make PHI available for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526 within 10 business days of receipt of notice from Covered Entity.

2.7 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity information regarding disclosures of PHI as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528 within 10 business days of receiving a request from Covered Entity.

2.8 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (HHS) for purposes of determining Covered Entity's compliance with the HIPAA Privacy Rule.

3. Obligations of Covered Entity

3.1 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule if done by Covered Entity.

3.2 Notice of Privacy Practices

Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and any changes thereto.

3.3 Permissions and Restrictions

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

3.4 Restrictions

Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

4. Term and Termination

4.1 Term

This BAA shall be effective as of the date Covered Entity first uses the Service to create, receive, maintain, or transmit PHI, and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

4.2 Termination for Breach

Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall:

  • Provide an opportunity for Business Associate to cure the breach or end the violation within a reasonable time period
  • Terminate the Service Agreement if Business Associate does not cure the breach or end the violation within the time specified
  • Report the violation to the Secretary of HHS if termination is not feasible

4.3 Effect of Termination

Upon termination of this BAA, Business Associate shall:

  • Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form
  • Retain no copies of the PHI, except as required by law
  • Extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI

Data Retention Period: If Covered Entity cancels its subscription or allows it to expire, Business Associate will retain PHI for 30 days to allow Covered Entity to export its data. After 30 days, all PHI will be permanently deleted unless retention is required by law.

5. Miscellaneous

5.1 Regulatory References

A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

5.2 Amendment

The parties agree to take such action as is necessary to amend this BAA from time to time so that Covered Entity or Business Associate can comply with the requirements of the HIPAA Rules.

5.3 Interpretation

Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Rules.

5.4 Limitation of Liability

Business Associate's liability for any breach of this BAA shall be subject to the limitations of liability set forth in the Service Agreement between the parties.

6. Minimizing PHI in C2 Track

Recommendation: Minimize PHI Collection

C2 Track is designed for controlled substance inventory management, not patient records management. We strongly recommend that you avoid entering patient names or other patient identifiers into the system.

To minimize HIPAA compliance burden, we recommend:

  • Use prescription numbers only - Avoid entering patient names, dates of birth, addresses, or other patient identifiers
  • Focus on inventory - C2 Track is optimized for tracking medication quantities, not patient data
  • Integrate with your pharmacy management system - Use your PMS for patient records and C2 Track for DEA compliance

What constitutes PHI in C2 Track: If you enter prescription numbers along with any information that could identify a patient (such as patient name, DOB, address), that information becomes PHI and is covered by this BAA.

What does NOT constitute PHI: Medication names, NDC numbers, DEA schedules, lot numbers, expiration dates, wholesaler information, and prescription numbers alone (without patient identifiers) are generally not considered PHI.

7. Contact for HIPAA Matters

For any questions or concerns related to this Business Associate Agreement or HIPAA compliance, please contact our Privacy Officer:

C2 Track Privacy Officer

Email: info@c2track.com

Website: https://c2track.com

By using C2 Track to store or process Protected Health Information, you acknowledge that you have read, understood, and agree to be bound by this Business Associate Agreement. This BAA is automatically incorporated into your Service Agreement upon first use of the Service to handle PHI.