Skip to content

DATA USE AGREEMENT

De-Identified Patient Data for Pre-Pilot Feasibility Analysis

This Data Use Agreement ("Agreement") is entered into as of ___, 2026 (the "Effective Date") by and between:

RECITALS

WHEREAS, [Pharmacy Partner] is a licensed community pharmacy that maintains protected health information ("PHI") of its patients in the ordinary course of pharmacy operations, including dispensing records, medication profiles, and demographic data maintained in the Rx30 pharmacy management system;

WHEREAS, Rx360 is developing a medication adherence wearable device and seeks to analyze de-identified pharmacy dispensing data to identify optimal patient cohorts for a pre-pilot feasibility assessment and future clinical pilot program;

WHEREAS, [Pharmacy Partner] will provide Rx360 with a Limited Data Set that has been de-identified in accordance with the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), removing all 18 categories of identifiers specified by the Safe Harbor standard;

WHEREAS, the parties wish to establish the terms under which this de-identified data may be used, protected, and ultimately destroyed;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, the parties agree as follows:

1. DEFINITIONS

"De-Identified Data" means patient dispensing and demographic data from which all 18 HIPAA Safe Harbor identifiers have been removed or generalized, such that the data cannot reasonably be used to identify an individual patient. The de-identification methodology is documented in the De-Identification Attestation (Exhibit A).

"Permitted Purpose" means the analysis of de-identified pharmacy dispensing patterns to identify patient cohorts suitable for the Rx360 medication adherence wearable pilot program, including but not limited to: PDC calculation, medication complexity analysis, comorbidity burden estimation, and demographic segmentation.

"Re-Identification" means any attempt to link, match, or otherwise connect De-Identified Data to specific individuals through any means, including but not limited to combining the data with external datasets, public records, or other information sources.

"Crosswalk File" means the mapping document maintained exclusively by [Pharmacy Partner] that links the sequential Patient_ID identifiers in the De-Identified Data to actual patient records in the Rx30 system.

2. PERMITTED USES AND DISCLOSURES

2.1 Rx360 may use the De-Identified Data solely for the Permitted Purpose described in Section 1. Any use of the data beyond the Permitted Purpose requires prior written consent from [Pharmacy Partner].

2.2 Rx360 may disclose the De-Identified Data internally to employees and contractors who have a legitimate need to access the data for the Permitted Purpose, provided that such individuals are bound by confidentiality obligations at least as restrictive as those contained in this Agreement.

2.3 Rx360 may include aggregate, non-patient-level statistical findings derived from the De-Identified Data in internal presentations, investor materials, and pilot program planning documents, provided that no individual patient can be identified from such aggregate findings.

2.4 Rx360 shall not publish, present at conferences, or submit for peer review any analysis of the De-Identified Data without prior written approval from [Pharmacy Partner] and, where applicable, Institutional Review Board approval through the USC School of Pharmacy.

3. PROHIBITED USES

3.1 Rx360 shall not attempt to Re-Identify any individual in the De-Identified Data through any means whatsoever.

3.2 Rx360 shall not contact, or attempt to contact, any individual who may be represented in the De-Identified Data.

3.3 Rx360 shall not sell, license, sublicense, or otherwise transfer the De-Identified Data to any third party without prior written consent from [Pharmacy Partner].

3.4 Rx360 shall not combine the De-Identified Data with any external dataset that could facilitate re-identification, including but not limited to public records, voter registration files, commercial data brokers, or social media data.

3.5 Rx360 shall not request, seek, or accept the Crosswalk File or any other re-identification key from [Pharmacy Partner] or any other source.

4. DATA SECURITY

4.1 Rx360 shall implement and maintain reasonable administrative, technical, and physical safeguards to protect the De-Identified Data from unauthorized access, use, or disclosure.

4.2 The De-Identified Data shall be stored in encrypted form (AES-256 or equivalent) at rest and transmitted only through encrypted channels (TLS 1.2 or higher).

4.3 Access to the De-Identified Data shall be limited to the minimum number of Rx360 personnel necessary to accomplish the Permitted Purpose, and Rx360 shall maintain a log of all individuals who access the data.

4.4 In the event of any unauthorized access to or disclosure of the De-Identified Data (a "Security Incident"), Rx360 shall notify [Pharmacy Partner] in writing within 48 hours of discovering the Security Incident and shall cooperate fully with [Pharmacy Partner] in investigating and mitigating the incident.

5. DATA RETENTION AND DESTRUCTION

5.1 Rx360 shall retain the De-Identified Data only for so long as necessary to accomplish the Permitted Purpose, and in no event longer than twelve (12) months from the Effective Date unless the parties mutually agree in writing to extend this period.

5.2 Upon completion of the Permitted Purpose, expiration of the retention period, or termination of this Agreement (whichever occurs first), Rx360 shall permanently destroy all copies of the De-Identified Data, including any copies stored in backup systems, within thirty (30) days.

5.3 Rx360 shall provide [Pharmacy Partner] with a written Certificate of Destruction confirming that all copies of the De-Identified Data have been permanently destroyed, including the method of destruction used and the date of destruction.

5.4 Notwithstanding the foregoing, Rx360 may retain aggregate statistical analyses derived from the De-Identified Data (but not the underlying patient-level data) beyond the destruction date, provided such aggregate analyses cannot be used to identify any individual.

6. CROSSWALK FILE PROTECTIONS

6.1 The Crosswalk File shall remain exclusively in the possession and control of [Pharmacy Partner] at all times. The Crosswalk File shall not be transmitted to, shared with, or made accessible to Rx360 or any other party under any circumstances.

6.2 [Pharmacy Partner] shall store the Crosswalk File in encrypted form on [Pharmacy Partner]'s local pharmacy server, separate from the De-Identified Data. The Crosswalk File shall not be stored on any cloud service, shared drive, or external storage device.

6.3 Access to the Crosswalk File shall be limited to Gene Lang, PharmD and his designated co-pharmacist at [Pharmacy Partner].

7. TERM AND TERMINATION

7.1 This Agreement shall be effective as of the Effective Date and shall continue for twelve (12) months unless terminated earlier by either party.

7.2 Either party may terminate this Agreement at any time upon thirty (30) days' written notice to the other party.

7.3 [Pharmacy Partner] may terminate this Agreement immediately upon written notice if Rx360 breaches any material term of this Agreement, including but not limited to any attempt at Re-Identification or unauthorized disclosure of the De-Identified Data.

7.4 The obligations of Sections 3, 4, 5, and 6 shall survive termination of this Agreement.

8. REPRESENTATIONS AND WARRANTIES

8.1 [Pharmacy Partner] represents and warrants that the De-Identified Data has been de-identified in accordance with the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)) and that [Pharmacy Partner] has no actual knowledge that the remaining information could be used to identify any individual.

8.2 Rx360 represents and warrants that it has the technical and organizational capacity to comply with the data security requirements of this Agreement.

8.3 Each party represents that the individual signing this Agreement has the authority to bind the party to its terms.

9. LIMITATION OF LIABILITY AND INDEMNIFICATION

9.1 Rx360 shall indemnify and hold harmless [Pharmacy Partner] and its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from Rx360's breach of this Agreement, including but not limited to any unauthorized use, disclosure, or re-identification attempt involving the De-Identified Data.

9.2 [Pharmacy Partner] shall indemnify and hold harmless Rx360 from any claims arising from [Pharmacy Partner]'s failure to properly de-identify the data in accordance with HIPAA Safe Harbor requirements.

10. GENERAL PROVISIONS

10.1 Governing Law. This Agreement shall be governed by the laws of the State of California.

10.2 Entire Agreement. This Agreement, including any exhibits attached hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof.

10.3 Amendments. This Agreement may be amended only by written instrument signed by both parties.

10.4 Notices. All notices under this Agreement shall be in writing and delivered to the addresses set forth above.

10.5 Relationship of the Parties. Nothing in this Agreement shall be construed to create a partnership, joint venture, or agency relationship between the parties. This Agreement pertains solely to the use of de-identified data and does not constitute a Business Associate Agreement under HIPAA, as the data being shared has been de-identified per Safe Harbor and is no longer PHI.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.

EXHIBIT A

De-Identification Attestation

I, Gene Lang, PharmD, in my capacity as HIPAA Privacy Officer of [Pharmacy Partner], hereby attest that the de-identified dataset provided to Rx360 Inc. pursuant to the Data Use Agreement dated ___, 2026 has been de-identified in accordance with the HIPAA Safe Harbor method specified at 45 CFR 164.514(b)(2).

Specifically, I attest that the following 18 categories of identifiers have been removed or generalized from the dataset:

(1) Names of patients, family members, and household members; (2) Geographic subdivisions smaller than state, with ZIP codes truncated to first three digits (geographic units with fewer than 20,000 population have been set to 000); (3) All elements of dates directly related to an individual, including birth date, admission date, discharge date, and date of death, with ages over 89 aggregated into a single category of 90+; (4) Telephone numbers; (5) Fax numbers; (6) Email addresses; (7) Social Security numbers; (8) Medical record numbers; (9) Health plan beneficiary numbers; (10) Account numbers; (11) Certificate and license numbers; (12) Vehicle identifiers and serial numbers; (13) Device identifiers and serial numbers; (14) Web URLs; (15) Internet Protocol addresses; (16) Biometric identifiers; (17) Full-face photographs and comparable images; (18) Any other unique identifying number, characteristic, or code.

I further attest that I have no actual knowledge that the remaining information in the dataset could be used, alone or in combination with other reasonably available information, to identify any individual patient.

The de-identification was performed on ___, 2026 and a Patient_ID crosswalk mapping file has been created and is stored in encrypted form on the [Pharmacy Partner] local pharmacy server. Access to this crosswalk file is restricted to myself and my designated co-pharmacist.


Gene Lang, PharmD

HIPAA Privacy Officer, [Pharmacy Partner]

Date: ______

COVERED ENTITY / DATA PROVIDER [Pharmacy Partner] ("Partner") Address: _____ HIPAA Privacy Officer: Gene Lang, PharmD DATA RECIPIENT Rx360 Inc. ("Rx360") Address: _____ Authorized Representative: Peyman Majd, President
[PHARMACY PARTNER] _____ Gene Lang, PharmD HIPAA Privacy Officer / Owner Date: ____ RX360 INC. _____ Peyman Majd President Date: ____