This document is a working draft. It will be finalized following legal review. The effective version is denoted by the version field in the document header.
This Business Associate Agreement ("BAA") is entered into between TOM Pharmacy Consulting, LLC, a Texas limited liability company ("Business Associate"), and the Customer identified at the time of account registration ("Covered Entity"), effective on the date Customer executes this BAA electronically through the TOM MMS platform by checking the agreement box and submitting registration ("Effective Date").
This BAA forms part of, and is incorporated by reference into, the Terms of Service between the parties (the "Services Agreement"). This BAA applies to all Protected Health Information ("PHI") that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity through the TOM MMS platform.
1. Definitions
Capitalized terms not defined here have the meanings given in the HIPAA Rules. For clarity:
- "HIPAA Rules" means the Administrative Simplification provisions of HIPAA, including the Privacy Rule (45 C.F.R. Part 160 and Part 164 Subparts A and E), the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Enforcement Rule, as amended by HITECH and implementing regulations.
- "Protected Health Information" or "PHI" has the meaning given at 45 C.F.R. § 160.103 and is limited, for purposes of this BAA, to PHI that Business Associate creates, receives, maintains, or transmits for or on behalf of Covered Entity under the Services Agreement.
- "Breach" has the meaning given at 45 C.F.R. § 164.402.
- "Security Incident" has the meaning given at 45 C.F.R. § 164.304.
- "Secretary" means the Secretary of the US Department of Health and Human Services or the Secretary's designee.
Categories of PHI Processed (Phase J, 2026-05-05)
For transparency, TOM MMS processes the following categories of PHI on behalf of Covered Entity:
- (a) Patient names captured in case records and on facility-printed dispense labels.
- (b) Medical record number identifiers — last-four MRN or full MRN per facility configuration.
- (c) Patient allergy data captured at case creation and surfaced in allergen-conflict checks.
- (d) Procedure-type and scheduled-date/time metadata associated with specific patients.
- (e) Facility-administered medication records (drug, dose, route, schedule, witness, signoff timestamps) tied to a patient case.
- (f) Surgeon and other clinician identifiers as they appear on case records.
Other categories within 45 C.F.R. § 160.103 — including Social Security Numbers, full dates of birth, payment-card data, and biometric identifiers — are not collected by the Service.
2. Obligations of Business Associate
2.1 Permitted Uses and Disclosures
Business Associate may use and disclose PHI only as necessary to perform its obligations under the Services Agreement or as required by law. Specifically, Business Associate may:
- (a) Use and disclose PHI to provide the Service, including support, maintenance, error correction, security monitoring, and product improvement limited to aggregate non-identified analytics.
- (b) Use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities, provided that Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and the recipient will notify Business Associate of any Breach.
- (c) Use PHI to provide Data Aggregation services, as defined in 45 C.F.R. § 164.501, relating to the health-care operations of Covered Entity, at Covered Entity's request.
- (d) De-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c); de-identified information is no longer PHI and is not subject to this BAA.
Business Associate will not use or disclose PHI for sale, marketing, fundraising, or research without Covered Entity's prior written authorization. Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as expressly permitted in this Section 2.1.
2.2 Minimum Necessary
Business Associate will make reasonable efforts to use, disclose, and request only the minimum PHI necessary to accomplish the intended purpose, consistent with 45 C.F.R. § 164.502(b).
2.3 Safeguards
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, in accordance with 45 C.F.R. §§ 164.308, 164.310, and 164.312. These safeguards include:
- written information-security policies and an ongoing risk-analysis program;
- workforce training and sanctions for violations;
- facility access controls and device-security procedures at Business Associate's operating locations;
- access-control mechanisms, including unique user identification, automatic logoff, role-based access, and authentication;
- role-based scoping of patient identifiers — patient names and MRN identifiers are accessible only to facility-assigned staff (Owner, Admin, Pharmacist, PIC, Nurse, Auditor) authorized for the originating facility, with auditor access scoped to read-only compliance review;
- audit controls that record and examine activity in systems that contain PHI, including audit-log entries on creation, view, edit, dispense, waste, and review of patient case records;
- encryption of PHI at rest and in transit using industry-standard algorithms (TLS 1.2 or higher in transit; AES-256 or equivalent at rest);
- integrity controls that detect unauthorized alteration; and
- a documented contingency plan including data backup, disaster recovery, and emergency mode operation.
2.4 Subcontractors
Business Associate will not permit a subcontractor to create, receive, maintain, or transmit PHI on Business Associate's behalf unless the subcontractor has entered into a written BAA with Business Associate that imposes obligations at least as protective as those in this BAA, in accordance with 45 C.F.R. § 164.308(b)(3) and § 164.502(e)(1)(ii). A current list of subprocessors — including which handle PHI — is maintained at app.tompharmacy.com/legal/subprocessors and is the canonical reference. Business Associate will provide Covered Entity at least thirty (30) days' notice before engaging a new PHI-processing subcontractor; Covered Entity may object during that period and, if the objection cannot be resolved, may terminate the Services Agreement without penalty as a material breach.
2.5 Reporting
Security Incidents. Business Associate will report to Covered Entity any Security Incidents of which it becomes aware in accordance with 45 C.F.R. § 164.410. Routine unsuccessful attempts (e.g., pings, failed login attempts, port scans) that do not result in unauthorized access, use, disclosure, modification, or destruction of PHI are reported, if at all, only in aggregate in periodic Service-status communications, and this paragraph satisfies the notice requirement for such attempts.
Breaches. Business Associate will notify Covered Entity of a Breach of Unsecured PHI without unreasonable delay, and in no case later than sixty (60) calendar days after discovery of the Breach (as "discovery" is defined in 45 C.F.R. § 164.410(a)(2)). The notification will include, to the extent known: the identification of each individual whose PHI is reasonably believed to have been accessed, acquired, used, or disclosed; a description of what happened; the date of the Breach; the date of discovery; the types of PHI involved (which may include patient names, MRN identifiers, allergy data, procedure metadata, and medication-administration records); any steps individuals should take; what Business Associate is doing to investigate, mitigate, and prevent recurrence; and contact procedures.
Other violations. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, without unreasonable delay after discovery.
2.6 Individual Rights Support
Business Associate will support Covered Entity's fulfillment of individuals' rights under the Privacy Rule. Specifically:
- Access (§ 164.524): Within ten (10) business days of Covered Entity's written request, Business Associate will make available to Covered Entity, in the form and format requested if readily producible, PHI maintained in a Designated Record Set so that Covered Entity may respond to an individual's access request.
- Amendment (§ 164.526): Business Associate will incorporate amendments to PHI directed by Covered Entity within ten (10) business days of the request.
- Accounting of disclosures (§ 164.528): Business Associate will document and, on written request, make available to Covered Entity information sufficient to permit Covered Entity to respond to a request for an accounting of disclosures.
2.7 Availability of Records
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary, in a time and manner designated by the Secretary, for purposes of determining Covered Entity's compliance with HIPAA.
2.8 Audit
No more than once per twelve-month period, and on at least thirty (30) days' prior written notice, Covered Entity or its nominated auditor may audit Business Associate's compliance with this BAA. An audit may be in the form of a written questionnaire, a review of Business Associate's third-party security assessments (SOC 2 or equivalent, if available), or, where warranted, an on-site review during normal business hours conducted in a manner that does not unreasonably interfere with Business Associate's operations. Each party bears its own costs. More frequent audits may occur following a confirmed Breach attributable to Business Associate.
2.9 Mitigation
Business Associate will mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this BAA.
3. Obligations of Covered Entity
Covered Entity will:
- (a) obtain any consent or authorization required by law before furnishing PHI to Business Associate or requesting Business Associate to carry out an activity that requires such consent or authorization;
- (b) notify Business Associate of any restriction on the use or disclosure of PHI (including under § 164.522) that may affect Business Associate's permitted uses and disclosures;
- (c) notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI;
- (d) not request Business Associate to use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity, except as expressly permitted in Section 2.1 (for example, Data Aggregation or Business Associate's management and administration); and
- (e) be responsible for its own compliance with the Privacy Rule with respect to uses and disclosures of PHI outside the Service.
4. Term and Termination
Term. This BAA begins on the Effective Date and remains in effect until the Services Agreement terminates, subject to the return/destruction obligations in Section 5.
Termination for cause. Covered Entity may terminate this BAA and the Services Agreement if Business Associate has violated a material term of this BAA and fails to cure within thirty (30) days of written notice (or such longer period as the parties agree in writing). If cure is not feasible, termination is immediate. Business Associate has the same right if Covered Entity materially breaches this BAA in a manner that compels Business Associate to act in violation of the HIPAA Rules.
5. Return or Destruction of PHI
Upon termination of the Services Agreement, Business Associate will, if feasible, return to Covered Entity or destroy all PHI that Business Associate maintains in any form and retain no copies. The TOM MMS platform provides a self-service export mechanism that Covered Entity may use during the thirty (30) day post-cancellation read-only window. After that window, Business Associate will permanently delete remaining PHI and, on Covered Entity's written request, provide a written attestation of destruction within ten (10) business days.
If return or destruction is not feasible for some portion of PHI (for example, residual PHI in backup media subject to rolling retention), Business Associate will continue to extend the protections of this BAA to that PHI, limit further use or disclosure to the purposes that make return or destruction infeasible, and destroy that PHI as the backup media age out of rotation.
6. Indemnification
Mutual. Each party will indemnify and hold harmless the other from and against third-party claims, damages, and reasonable attorneys' fees to the extent arising from (a) the indemnifying party's breach of this BAA, or (b) the indemnifying party's negligence or willful misconduct in connection with PHI processed under this BAA.
Indemnification under this Section 6 is independent of the limitation of liability in the Services Agreement; provided that each party's aggregate liability for indemnification under this BAA is capped at the greater of (i) the insurance proceeds actually available under the policies described in Section 7 or (ii) three (3) times the fees paid or payable by Covered Entity to Business Associate during the twelve (12) months preceding the event giving rise to the claim. The parties agree this cap does not limit (A) a party's obligation to provide breach notification as required by the HIPAA Rules, (B) civil monetary penalties for which the responsible party is liable under the HIPAA Rules, or (C) fraud or willful misconduct.
7. Insurance
Business Associate will maintain, at its own expense, the following insurance coverages during the term of this BAA, with carriers rated A-VII or better:
- Cyber and privacy liability, with minimum per-claim and aggregate limits of $15,000,000, covering HIPAA-related claims, regulatory investigations and fines to the extent insurable, and breach-response costs (notification, call center, credit monitoring). Placeholder — user to confirm actual policy limits before finalization.
- Errors and omissions (technology), with minimum per-claim limits of $5,000,000. Placeholder — user to confirm.
- Commercial general liability, with minimum per-occurrence limits of $1,000,000 and general aggregate of $2,000,000.
On Covered Entity's written request, Business Associate will provide a certificate of insurance naming Covered Entity as a certificate holder.
8. Amendment
The parties will amend this BAA as necessary to comply with changes to the HIPAA Rules. If either party reasonably believes that an amendment is required, it will notify the other, and the parties will negotiate in good faith to execute a written amendment within thirty (30) days.
9. Interpretation and Miscellaneous
Any ambiguity in this BAA is to be resolved in favor of a meaning that permits compliance with the HIPAA Rules. In the event of a conflict between this BAA and the Services Agreement or the Privacy Policy, this BAA controls with respect to PHI. This BAA is governed by the laws of the State of Texas, consistent with the governing-law provisions of the Services Agreement. No provision of this BAA is intended to confer third-party-beneficiary rights, except as required by applicable law.
Notices to Business Associate: legal@tompharmacy.com. Notices to Covered Entity: the billing email on file.
10. Privacy Officer and HIPAA Security Official
Business Associate has designated the following individual to serve as Privacy Officer under 45 C.F.R. § 164.530(a)(1) and as Security Official under 45 C.F.R. § 164.308(a)(2):
- Name: Jonathan Lim, PharmD
- Role: Privacy Officer / HIPAA Security Official
- Contact: privacy@tompharmacy.com
Jonathan currently serves in both roles at Business Associate's single-operator stage. Designations will be split and updated as the team grows. Any change to the Privacy Officer designation is published through the same version-controlled mechanism as this BAA and will trigger a re-consent prompt on Covered Entity's next login.
11. Execution
By checking the BAA agreement box during registration, the individual identified as signatory represents and warrants that they are authorized to bind Covered Entity to this BAA and that all information provided during registration is accurate. The electronic record of that action, including timestamp, IP address, and the signatory's stated name and title, is retained by Business Associate and is admissible as evidence of execution under the Uniform Electronic Transactions Act as adopted in Texas.
Last updated: 2026-04-19