Scriptlane← Back to site

HIPAA Business Associate Statement

Effective: April 2026.

Scriptlane is operated by BID Partners LLC. This page describes our Business Associate posture under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations (45 CFR Parts 160 and 164).

Our default posture: no PHI, no Business Associate relationship

Scriptlane is architected so that Protected Health Information (“PHI”) as defined at 45 CFR § 160.103 never enters our systems. We query EHR partner portals for aggregate reporting only. Every adapter response is validated against a deny-list of PHI field names and rejected if any individually identifying data is present. Results are cell-size floored at the partner portal.

Because Scriptlane does not receive, create, maintain, or transmit PHI on behalf of a Covered Entity, Scriptlane is generally not a Business Associate under HIPAA.

When a BAA is appropriate

We will execute a Business Associate Agreement on first review where a counterparty determines, in good faith, that a BAA is operationally required for their program. Typical triggers include:

  • A Covered Entity or Business Associate requires a BAA as a precondition of any commercial engagement, regardless of the data flow.
  • An EHR partner program’s standard partner agreement requires BAA flow-down from upstream partners.
  • The counterparty’s compliance review concludes that “incidental” business-associate obligations may apply.

Our BAA template

Our standard BAA follows the HHS sample Business Associate Agreement provisions and provides for:

  • Permitted uses limited to those necessary to provide the contracted service.
  • Implementation of the HIPAA Security Rule administrative, technical, and physical safeguards.
  • Breach notification to the counterparty without unreasonable delay and no later than 60 calendar days.
  • Flow-down of BAA terms to any subcontractor that receives PHI on behalf of the counterparty (Scriptlane does not engage such subcontractors under its default architecture).
  • Return or destruction of PHI, where applicable, on termination.

To request the BAA template for review and execution, email ben@scriptlanedata.com. Counterparty’s standard BAA is reviewed on first pass and is frequently accepted with minor edits.

What this statement is not

This page is a description of our posture. It is not itself a Business Associate Agreement, nor does it create a Business Associate relationship between any party and BID Partners LLC. A BAA becomes binding only when executed in writing by both parties.

Out of scope

Scriptlane explicitly excludes behavioral-health and substance-use-disorder data subject to 42 CFR Part 2.

Questions about this document? Email ben@scriptlanedata.com. Scriptlane is a product of BID Partners LLC.