GenniRx

Business Associate Agreement

Effective Date: April 27, 2026

This Agreement is entered into between the Covered Entity (Customer — Cardiology Practice) and the Business Associate (GenniRx, Inc.).

🔒 HIPAA Notice: This Business Associate Agreement is required under HIPAA. By using GenniRx, the Covered Entity agrees to the terms of this Agreement.

1. PURPOSE

GenniRx will process Protected Health Information (PHI) to provide prescription tracking, communication, and workflow automation services on behalf of the Covered Entity.

2. PERMITTED USES

GenniRx may use PHI solely to perform services on behalf of the Covered Entity, including storage, transmission, and processing of prescription and patient data necessary to provide the GenniRx service.

3. SAFEGUARDS

GenniRx shall implement appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized use or disclosure. This includes encryption at rest (AES-256) and in transit (TLS), role-based access controls, and immutable audit logging.

4. BREACH NOTIFICATION

GenniRx shall notify the Covered Entity of any breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery of the breach, in accordance with HIPAA Breach Notification Rules.

5. SUBPROCESSORS

GenniRx may utilize the following subcontractors who also handle PHI:

  • Supabase — Database storage and authentication
  • Twilio — SMS patient communications
  • Resend — Email staff notifications

GenniRx ensures subprocessors are bound by equivalent data protection obligations.

6. CUSTOMER RESPONSIBILITY

The Covered Entity is solely responsible for:

  • All clinical decisions and patient care
  • Accuracy of all data entered into GenniRx
  • Obtaining and maintaining patient consent for SMS communications
  • Compliance with all applicable healthcare regulations
  • Appropriate staffing and internal processes

7. MINIMUM NECESSARY

GenniRx will make reasonable efforts to use, disclose, and request only the minimum amount of PHI necessary to accomplish the intended purpose.

8. TERM

This Agreement remains in effect for the duration of the service relationship between GenniRx and the Covered Entity and survives termination with respect to PHI retained by GenniRx.

9. DATA RETENTION

PHI will be retained and archived in accordance with HIPAA compliance requirements for a minimum of six (6) years. Upon termination of services, PHI will be archived and not deleted in compliance with applicable regulations.

10. TERMINATION

This Agreement terminates upon termination of the GenniRx service subscription. Upon termination, GenniRx will archive PHI in accordance with HIPAA retention requirements.

11. AMENDMENTS

GenniRx reserves the right to amend this Agreement as required by changes in applicable law or regulation. Covered Entity will be notified of material amendments.

12. GOVERNING LAW

This Agreement is governed by the laws of the State of Florida and applicable federal law including HIPAA and the HITECH Act.

13. CONTACT

For BAA-related inquiries: support@gennirx.com | GenniRx, Inc. | DeLand, Florida, United States

Agreement Acknowledgment

By using the GenniRx platform, the Covered Entity acknowledges that they have read, understood, and agreed to the terms of this Business Associate Agreement.