This Master Services Agreement ("Agreement") is entered into, as of the Effective Date on which Customer accepts this Agreement through the Copergrine client portal, between Copergrine LLC, a Texas limited liability company with its principal place of business in Houston, Texas, United States ("Copergrine"), and [Covered Entity legal name], a [entity type] organized under the laws of [state/country of incorporation], with its principal place of business at [principal place of business] ("Customer"). Copergrine and Customer are each a "Party" and collectively the "Parties."
1.1 "Authorized User" means Customer's employees, contractors, or other personnel whom Customer authorizes to schedule pickups, request deliveries, or access the Customer Portal on Customer's behalf.
1.2 "BAA" means the Business Associate Agreement executed concurrently with this Agreement covering Copergrine's handling of Protected Health Information on Customer's behalf.
1.3 "Customer Data" means information Customer or its Authorized Users submit through the Customer Portal — pickup and drop-off addresses, contact phones, package descriptions, special-handling instructions, billing information, and any associated metadata.
1.4 "Customer Portal" means the web and mobile interfaces at courier.copergrine.com (and successor URLs) through which Customer schedules and tracks deliveries.
1.5 "Effective Date" means the date Customer clickwrap-accepts this Agreement in the Customer Portal (the same instant captured as the BAA Effective Date for purposes of the BAA).
1.6 "Job" means a single scheduled or on-demand pickup-and-delivery assignment between two physical addresses within the Service Area.
1.7 "PHI" has the meaning given in the BAA — generally, individually identifiable health information.
1.8 "Pricing Catalog" means the active version of Copergrine's published rate schedule effective on the date a Job is scheduled. The Pricing Catalog is surfaced in the Customer Portal and updated from time to time on at least thirty (30) days' notice for prospective Jobs.
1.9 "Services" means the medical-courier pickup, transport, and delivery services Copergrine provides through its driver workforce, plus access to the Customer Portal, real-time tracking, electronic proof-of-pickup and proof-of-delivery, and invoicing.
1.10 "Service Area" means the Greater Houston metropolitan region, with primary coverage of the Texas Medical Center and Reed Road / Med Center / Galleria / Memorial / Cypress corridors, plus any additional ZIP codes Copergrine has activated and confirmed for Customer in writing.
1.11 "Specimen" means biological samples (blood, urine, tissue, swabs, cultures, etc.) transported under chain-of-custody and, where applicable, temperature control.
2.1 Pickup and Delivery. Copergrine will pick up and deliver Customer's packages — including, where applicable, Specimens and PHI — from any pickup address within the Service Area to any drop-off address within the Service Area, in accordance with this Agreement and the job-specific instructions Customer provides through the Customer Portal.
2.2 Customer Portal. Copergrine grants Customer a non-exclusive, non-transferable right during the Term to access and use the Customer Portal for the purpose of scheduling Jobs, monitoring Jobs in real time, viewing electronic proof-of-pickup/delivery records, downloading invoices, and paying invoices.
2.3 Workforce. Copergrine performs the Services using its own driver workforce. Drivers are W-2 employees or 1099 contractors of Copergrine, are background-checked, HIPAA-trained, and bound by confidentiality obligations no less protective than those in the BAA. Drivers are not employees, agents, or representatives of Customer.
2.4 Operational SLAs. Copergrine will use commercially reasonable efforts to meet the following service levels for each Job:
| Metric | Target |
|---|---|
| Pickup window — on-demand Job | within sixty (60) minutes of dispatch |
| Pickup window — scheduled Job | within the fifteen (15) minute window selected at scheduling |
| In-transit visibility | real-time GPS location in Customer Portal until proof-of-delivery |
| Temperature-controlled Specimens | maintained within the specified range from pickup to delivery |
| Chain-of-custody | tracking-number scan at pickup and at delivery, signature where requested |
| Proof-of-delivery | timestamped photo or signature available in Customer Portal within five (5) minutes of delivery |
3.1 Per-Job Pricing. Customer pays for the Services on a per-Job basis at the rates published in the Pricing Catalog active on the date the Job is scheduled. **There is no monthly subscription, seat fee, setup fee, or minimum spend** unless a separate written addendum signed by both Parties establishes one.
3.2 Invoicing. Copergrine invoices Customer for completed Jobs in batches (typically daily). Each invoice itemizes the Jobs, the applicable Pricing Catalog rate, any surcharges (after-hours, hazardous-material, oversize, etc.), and the total due.
3.3 NET-3 Payment Terms. Each invoice is due **three (3) business days from issuance ("NET-3")**. Payment may be made through the Customer Portal (credit card, ACH, or saved payment method) or via a magic-link payment link emailed with each invoice. Invoices unpaid by NET-3 are past due.
3.4 Account Freeze for Past-Due Balances. If any invoice is more than three (3) calendar days past due, Copergrine may **freeze Customer's account** — meaning Customer will be blocked from scheduling new Jobs through the Customer Portal until the past-due balance is paid in full. In-flight Jobs already accepted by Copergrine will be completed. Account freeze is operational, not a termination event; unfreezing is automatic upon payment.
3.5 Late Charge. Past-due balances accrue a late charge of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law, whichever is less, until paid in full.
3.6 Taxes. All amounts payable are exclusive of taxes. Customer is responsible for all sales, use, and excise taxes assessed in connection with the Services, other than taxes on Copergrine's net income.
3.7 Disputed Charges. Customer must dispute an invoice charge in good faith and in writing within fifteen (15) calendar days of invoice issuance. Charges not timely disputed are deemed accepted. Copergrine will work with Customer in good faith to resolve disputes promptly.
3.8 Pricing Changes. Copergrine may update the Pricing Catalog on at least thirty (30) calendar days' prior notice through the Customer Portal or by email to Customer's billing contact. Updates apply prospectively to Jobs scheduled after the effective date of the change. Customer's continued use of the Services after the change-effective date constitutes acceptance.
4.1 Package Preparation. Customer is responsible for properly preparing each package for transport: appropriate primary container, leak-proof secondary container for liquid Specimens, biohazard labeling where required, temperature-control packaging (cold packs, dry ice, validated coolers) sufficient to maintain the specified temperature for the expected transit duration, and complete addressing and contact information at both pickup and drop-off.
4.2 Required Disclosures. Customer must disclose at the time of scheduling any package that contains: Specimens, PHI, controlled substances (Schedule II–V), dry ice, blood-borne pathogens, lithium batteries, perishable goods, or any material classified as hazardous under 49 C.F.R. or applicable state law. Failure to disclose may result in refusal of the Job at pickup, an additional handling surcharge, or, in the case of undisclosed hazards, civil liability under the Hazardous Materials Transportation Act.
4.3 Authorized Users. Customer is responsible for the acts and omissions of its Authorized Users in the Customer Portal, including the accuracy of pickup/drop-off information and the appropriateness of package contents.
4.4 Lawful Use. Customer will use the Services only for lawful purposes and in compliance with this Agreement, the Acceptable Use Policy executed concurrently, all applicable federal and state laws (including HIPAA, the Controlled Substances Act, and 49 C.F.R.), and Copergrine's published handling instructions.
5.1 Customer Data Ownership. Customer Data — including pickup and drop-off addresses, package descriptions, and PHI — is and remains the property of Customer. Copergrine processes Customer Data solely to provide the Services, in accordance with the BAA when PHI is involved.
5.2 Aggregated Operational Data. Copergrine may collect and use de-identified, aggregated operational data (route timing, mileage, SLA-attainment statistics) to improve the Services, plan capacity, and benchmark performance. Aggregated data does not include Customer Data or PHI in identifiable form.
5.3 Confidentiality. Each Party will protect the other Party's confidential information using at least the same degree of care it uses for its own confidential information (and not less than reasonable care). Confidential information does not include information that is publicly available, independently developed, rightfully received from a third party without confidentiality obligations, or required to be disclosed by law (with prompt notice to the other Party where lawful).
5.4 Security. Copergrine maintains administrative, physical, and technical safeguards consistent with HIPAA and industry standards for medical-courier operations, including driver background checks, HIPAA training, encrypted Customer Portal traffic, audit logging, and chain-of-custody controls. Detailed safeguards are described in the BAA.
6.1 Mutual Warranties. Each Party represents that it has the right, power, and authority to enter into this Agreement and to perform its obligations under it.
6.2 Service Warranty. Copergrine warrants that it will perform the Services in a professional and workmanlike manner, with personnel of suitable training and experience, and in compliance with applicable law.
6.3 Disclaimer. **EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION 6, THE SERVICES ARE PROVIDED "AS IS." COPERGRINE DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.** Copergrine does not guarantee uninterrupted Customer Portal availability or that every Job will meet every SLA target, though Copergrine commits to the service-level commitments in Section 2.4.
7.1 Credit Eligibility. If, in any calendar month, Copergrine's on-time pickup rate (as measured by Pickup Window in Section 2.4) across Customer's Jobs falls below ninety percent (90%), Customer is eligible to request a service credit equal to ten percent (10%) of the total Fees invoiced for that month.
7.2 Process. Customer must request credits in writing to accounts@copergrine.com within thirty (30) days of the month in question. Credits are issued against the next monthly invoice and are the Customer's sole and exclusive remedy for SLA shortfalls.
8.1 By Copergrine. Copergrine will defend Customer against any third-party claim arising from (a) the gross negligence or willful misconduct of Copergrine's driver workforce in the performance of the Services, or (b) Copergrine's material breach of the BAA. Copergrine will pay any damages or settlement amounts agreed to by Copergrine for such claims.
8.2 By Customer. Customer will defend Copergrine against any third-party claim arising from (a) Customer's failure to properly prepare or disclose package contents under Section 4 (including hazardous materials, controlled substances, or undisclosed dangerous goods), (b) Customer's misuse of the Services in violation of law, or (c) Customer Data infringing third-party rights.
8.3 Process. The indemnified Party will promptly notify the indemnifying Party of any claim, give the indemnifying Party sole control of the defense and settlement, and provide reasonable cooperation at the indemnifying Party's expense. The indemnifying Party will not settle any claim that imposes liability or admits fault on behalf of the indemnified Party without that Party's prior written consent (not unreasonably withheld).
9.1 Cap. EXCEPT FOR (a) EITHER PARTY'S INDEMNIFICATION OBLIGATIONS IN SECTION 8, (b) BREACHES OF CONFIDENTIALITY UNDER SECTION 5.3, OR (c) BREACHES OF THE BAA, **EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE GREATER OF (i) THE FEES PAID OR PAYABLE BY CUSTOMER TO COPERGRINE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (ii) US$10,000.**
9.2 Per-Job Cargo Limit. For loss of or damage to a package while in Copergrine's custody, Copergrine's liability per Job is capped at US$500 unless Customer has declared a higher value at the time of scheduling and paid the corresponding declared-value surcharge.
9.3 Excluded Damages. **EXCEPT FOR BREACHES OF CONFIDENTIALITY, THE BAA, OR EITHER PARTY'S INDEMNIFICATION OBLIGATIONS, NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUES, OR DATA**, even if advised of the possibility.
10.1 Term. This Agreement begins on the Effective Date and continues until terminated as set forth below. There is no fixed subscription term — the relationship is at-will, governed by job-by-job invoicing.
10.2 Termination for Convenience. Either Party may terminate this Agreement at any time on thirty (30) days' written notice to the other Party.
10.3 Termination for Cause. Either Party may terminate this Agreement immediately on written notice if the other Party (a) materially breaches this Agreement and fails to cure within fifteen (15) days after written notice, (b) becomes insolvent or files for bankruptcy, or (c) ceases to do business.
10.4 Effect of Termination. On termination, (a) Customer's access to the Customer Portal will be deactivated, (b) Copergrine will complete any in-flight Jobs already accepted and invoice for them, (c) all outstanding invoices become immediately due, (d) Sections 5 (Confidentiality), 8 (Indemnification), 9 (Limitation of Liability), 11 (Miscellaneous), and the BAA survive for the periods stated therein.
11.1 Governing Law; Venue. This Agreement is governed by the laws of the State of Texas, without regard to conflict-of-laws principles. Each Party consents to the exclusive jurisdiction and venue of the state and federal courts located in Harris County, Texas.
11.2 Notices. Notices under this Agreement must be in writing and delivered: (a) to Copergrine at accounts@copergrine.com, with a copy to compliance@copergrine.com; (b) to Customer at the notification email on file with Customer's account in the Customer Portal. Notices are effective upon transmission with confirmation of receipt (which may be an automated read-receipt).
11.3 Force Majeure. Neither Party is liable for failure to perform to the extent caused by events beyond reasonable control — acts of God, natural disasters, war, terrorism, civil unrest, pandemic, internet/utility failure, or government action — provided the affected Party gives prompt notice and uses commercially reasonable efforts to resume performance. PHI breaches caused by such events remain subject to the BAA.
11.4 Assignment. Neither Party may assign this Agreement without the other Party's prior written consent, except that either Party may assign without consent in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees in writing to be bound. Any non-permitted assignment is void.
11.5 Independent Contractors. The Parties are independent contractors. No agency, partnership, joint venture, or employment relationship is created by this Agreement.
11.6 No Third-Party Beneficiaries. This Agreement is for the sole benefit of the Parties and does not create rights for any third party.
11.7 Severability. If any provision of this Agreement is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision will be reformed to the minimum extent necessary to make it enforceable.
11.8 Entire Agreement. This Agreement, together with the BAA, the Acceptable Use Policy, and any addenda signed by both Parties, constitutes the entire agreement between the Parties regarding the Services and supersedes all prior or contemporaneous agreements, representations, and understandings — written or oral — on the subject. The Pricing Catalog is incorporated by reference.
11.9 Amendment. Except for Pricing Catalog updates under Section 3.8, this Agreement may be amended only by a writing signed (or clickwrap-accepted) by both Parties.
11.10 Counterparts; Electronic Signature. This Agreement may be executed in counterparts, including by electronic clickwrap, each of which is deemed an original, and all of which together constitute one instrument. The Parties' clickwrap acceptances, captured as timestamped audit records with IP and SHA-256 fingerprint, are binding signatures under the federal E-SIGN Act (15 U.S.C. § 7001 et seq.) and the Texas Uniform Electronic Transactions Act (Tex. Bus. & Com. Code Ch. 322).
COPERGRINE LLC
Signed: clickwrap-accepted on the Effective Date
Name: George Pounds
Title: Chief Executive Officer
Email: george@copergrine.com
CUSTOMER — [Covered Entity legal name]
Signed: clickwrap-accepted on the Effective Date
Name: [authorized signatory]
Title: [signatory title]
Email: [signatory email]
This Business Associate Agreement ("BAA") supplements the Master Services Agreement ("MSA") between Copergrine LLC ("Business Associate") and [Covered Entity legal name], with its principal place of business at [principal place of business] ("Covered Entity"), and is required under the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act, together with their implementing regulations at 45 CFR Parts 160, 162, and 164 ("HIPAA Rules").
Capitalized terms not defined herein have the meanings in the HIPAA Rules.
- "Breach" has the meaning at 45 CFR §164.402.
- "Designated Record Set" has the meaning at 45 CFR §164.501.
- "Electronic PHI" or "ePHI" means PHI transmitted by or maintained in electronic media.
- "Individual" has the meaning at 45 CFR §160.103.
- "PHI" means Protected Health Information, as defined at 45 CFR §160.103, limited to PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity under the MSA.
- "Security Incident" has the meaning at 45 CFR §164.304.
- "Unsecured PHI" has the meaning at 45 CFR §164.402.
2.1 Business Associate may use and disclose PHI only as follows: (a) to perform the services described in the MSA; (b) for Business Associate's proper management and administration, or to carry out Business Associate's legal responsibilities, provided that disclosure to a third party requires either a legal requirement or reasonable assurances of confidentiality and Breach-notification; (c) to provide Data Aggregation services to Covered Entity, as defined at 45 CFR §164.501; (d) to de-identify PHI per 45 CFR §164.514(b), in which case the resulting information is no longer PHI; (e) as Required By Law.
2.2 Business Associate will not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except as provided in §2.1(b)–(d).
2.3 Business Associate will make uses, disclosures, and requests for PHI consistent with the Minimum Necessary standard at 45 CFR §164.502(b).
2.4 Business Associate will not sell PHI or use or disclose PHI for marketing purposes, except as permitted by 45 CFR §164.502(a)(5) and with Covered Entity's prior written authorization.
3.1 Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI as required by 45 CFR §§164.308, 164.310, 164.312, and 164.316, including without limitation:
(a) a written information security program aligned with the HIPAA Security Rule and the NIST SP 800-66 Rev. 2 implementation guide;
(b) AES-256 encryption of ePHI at rest and TLS 1.2+ in transit;
(c) role-based access controls with least-privilege enforcement;
(d) audit logging covering access, modification, and transmission of ePHI, retained at least six (6) years;
(e) workforce training at hire and at least annually thereafter;
(f) a documented risk analysis updated at least annually and upon material changes;
(g) an incident-response plan tested at least annually;
(h) a sanctions policy for workforce members who violate policy;
(i) business-continuity and contingency plans, including data backup, disaster recovery, and emergency-mode operation.
3.2 Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, and any Security Incident involving ePHI of which it becomes aware, **without unreasonable delay and in no event later than five (5) business days** after discovery. Unsuccessful attempts to penetrate (e.g., blocked port scans, failed login attempts) are reported in aggregate on a quarterly basis and do not require individual notice.
3.3 Business Associate will report any Breach of Unsecured PHI **without unreasonable delay and in no event later than thirty (30) calendar days** after discovery, including to the extent possible:
(a) the identity of each Individual whose Unsecured PHI was compromised;
(b) a description of the nature of the Breach, including the types of PHI involved;
(c) the date(s) of the Breach and of discovery;
(d) Business Associate's investigation, mitigation, and remediation actions;
(e) contact information for follow-up.
Covered Entity acknowledges that the 60-day Individual-notice clock under 45 CFR §164.404 runs from the date Covered Entity is made aware of the Breach, and the Parties will cooperate in good faith to meet it.
4.1 Business Associate will enter into a written agreement with each subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, imposing obligations that are at least as protective as those in this BAA and complying with 45 CFR §164.504(e)(5).
4.2 A current list of subcontractors is published at https://copergrine.com/legal/subprocessors. Business Associate will provide Covered Entity at least thirty (30) days' advance notice of any new subcontractor materially processing PHI; Covered Entity may object in good faith on reasonable grounds and terminate the affected services if the objection is not resolved.
5.1 Access. Within fifteen (15) business days of Covered Entity's request, Business Associate will make PHI in a Designated Record Set available to Covered Entity (or, as Covered Entity directs, to the Individual) per 45 CFR §164.524.
5.2 Amendment. Within fifteen (15) business days of Covered Entity's request, Business Associate will make amendments to PHI in a Designated Record Set per 45 CFR §164.526.
5.3 Accounting. Business Associate will document disclosures of PHI and information related to such disclosures as would be required to respond to a request for an accounting under 45 CFR §164.528, and will provide such information to Covered Entity within thirty (30) days of request.
5.4 Restrictions. Business Associate will comply with restrictions on use or disclosure of PHI agreed to by Covered Entity, to the extent such restrictions are communicated to Business Associate in writing and practicable to implement in the Platform.
5.5 Right to Restrict Disclosures to Health Plans. Business Associate will support, on Covered Entity's request, the Individual's right under 45 CFR §164.522(a)(1)(vi) to restrict disclosures to a health plan where the Individual has paid for the item or service in full out of pocket.
5.6 Information Blocking. Business Associate will not engage in information blocking as defined at 45 CFR Part 171 and will support Covered Entity's compliance therewith.
6.1 If Business Associate, by delegation, performs an obligation of Covered Entity under Subpart E of 45 CFR Part 164, Business Associate will comply with the requirements of that Subpart that would apply to Covered Entity in performance of that obligation.
6.2 Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
7.1 This BAA is effective as of the MSA Effective Date and remains in effect so long as Business Associate creates, receives, maintains, or transmits PHI under the MSA.
7.2 Covered Entity may terminate the MSA and this BAA immediately if Business Associate has materially breached this BAA and failed to cure within thirty (30) days of written notice.
7.3 Upon termination, Business Associate will return or destroy all PHI and retain no copies, except that to the extent return or destruction is infeasible, Business Associate will extend the protections of this BAA to such PHI, limit further uses and disclosures to those purposes that make return or destruction infeasible, and return or destroy the PHI when no longer needed.
7.4 Backup media containing ePHI will be overwritten in the ordinary course within ninety (90) days following termination.
8.1 Regulatory Amendment. The Parties will amend this BAA from time to time as necessary to comply with changes in HIPAA or other applicable Laws.
8.2 Interpretation. Any ambiguity is resolved in favor of a meaning that permits the Parties to comply with HIPAA.
8.3 No Third-Party Beneficiaries. Nothing herein creates rights in any third party, including Individuals.
8.4 Conflict. In the event of conflict between this BAA and the MSA, this BAA controls with respect to PHI.
8.5 State Law. Where a state Law imposes stricter requirements on PHI (including, without limitation, California CMIA, Texas HB 300, New York state Law, Washington My Health My Data Act for categories within that statute's scope, and similar state statutes), Business Associate will comply with such Law.
8.6 42 CFR Part 2. If Business Associate receives records that are subject to 42 CFR Part 2 (substance use disorder records), Business Associate is a "Lawful Holder" and will comply with the Part 2 requirements, including redisclosure prohibitions and patient consent requirements.
Electronic acceptance. This BAA is accepted via clickwrap as part of the same acceptance event that binds the parent Master Services Agreement. By clicking "I agree" the authorized representative of [Covered Entity legal name] (the Covered Entity) and Copergrine LLC (the Business Associate) cause this BAA to take effect as of the MSA Effective Date. The Acceptance & Acknowledgment record below — capturing the signer's name, email, IP address, document hash, and timestamp — constitutes a legally binding electronic signature under the U.S. E-SIGN Act (15 U.S.C. § 7001) and UETA, satisfying the §164.504(e)(2) written-contract requirement of the HIPAA Privacy Rule.
This Exhibit A supplements the Business Associate Agreement ("BAA") between Copergrine LLC ("Business Associate") and [Covered Entity legal name] ("Covered Entity") and is incorporated by reference into that BAA. Capitalized terms not defined here have the meaning assigned in the BAA or, if not so defined, in the HIPAA Rules.
This Exhibit defines the scope of PHI handling specific to the Copergrine Medical Courier service, including its physical-transport nature, driver workforce, and route/proof-of-delivery telemetry.
Under the courier service, Business Associate creates, receives, maintains, or transmits the following categories of PHI on Covered Entity's behalf:
(a) Identifiers visible on shipping labels and packaging, which may include patient name, date of birth, account or medical record number, pickup or delivery address, recipient name, and specimen identifiers tied to the Individual;
(b) Order metadata describing the contents at a category level (e.g., "Lab specimen," "Pharmacy prescription," "Medical equipment"), priority class, temperature class, and special handling instructions provided by Covered Entity;
(c) Chain-of-custody and proof-of-delivery records including driver pickup timestamps, photograph(s) of the package and/or delivery location, recipient signature image, and any rejection or exception notes captured by the driver;
(d) Route and location telemetry tied to a specific delivery while in transit (driver GPS coordinates and timestamps), retained for the audit and dispute periods specified below;
(e) Limited treatment context voluntarily provided by Covered Entity in special-instructions fields (e.g., "patient is in isolation — leave at front desk"), which Business Associate treats as PHI under the Minimum Necessary standard.
Business Associate does not access or read the clinical contents of sealed specimens or sealed pharmacy packages. PHI on the exterior of packages and in the platform fields above is treated as PHI under this BAA regardless of whether Business Associate's workforce actually views it.
A.2.1 Driver workforce screening. Each driver who creates, receives, maintains, or transmits PHI on Covered Entity's behalf completes, prior to first pickup:
(a) identity verification;
(b) a multi-state criminal background check covering at least the preceding seven (7) years;
(c) motor vehicle record check;
(d) HIPAA workforce training documented in the platform; and
(e) acknowledgment of the Copergrine Medical Courier driver code of conduct, which incorporates 45 CFR Part 164 Subpart C by reference.
A.2.2 Vehicle and container safeguards. Vehicles used to transport PHI are operated under the following minimum standards:
(a) Packages remain in the locked passenger or cargo area of the vehicle when the driver is not in the vehicle;
(b) Specimen containers carrying ePHI labels are secured in tamper-evident transport bags or sealed coolers, opened only by the named recipient;
(c) Temperature-controlled containers used for cold-chain or cryogenic transport are inspected before each shift and validated against the order's temperature requirements;
(d) Vehicles must not be left running and unattended with PHI inside;
(e) Vehicle interiors are screened at the end of each shift to confirm no PHI has been left behind.
A.2.3 Driver device safeguards. The Copergrine driver mobile app:
(a) requires biometric or PIN authentication on each device session;
(b) does not persist PHI to device local storage beyond the active route;
(c) supports remote wipe of the driver account on device loss or driver termination;
(d) transmits all ePHI to platform backends over TLS 1.2 or higher.
A.2.4 Photographic proof of delivery. Photographs captured at pickup and delivery are framed to depict only the package and immediate delivery context. Workforce members are trained to avoid incidental capture of identifiable patient features (faces, room contents). Photographs are stored encrypted at rest with access restricted to dispatch, the driver who captured the image, and the Covered Entity through the client portal.
A.2.5 Lost or compromised packages. Loss, theft, tampering, or suspected tampering of a package known or reasonably believed to contain PHI is treated as a presumptive Security Incident under BAA §3.2 and triggers the breach-notification process in BAA §3.3.
The following minimum retention periods apply to the categories of records generated by the courier service:
| Record category | Minimum retention |
|---|---|
| Order and chain-of-custody records | 6 years |
| Driver audit logs (route, scans, exceptions) | 6 years |
| Photographic proof of delivery | 6 years |
| GPS route telemetry | 12 months |
| Driver biometric/PIN audit events | 6 years |
Business Associate engages the following categories of subcontractors in support of the courier service. The current named list is published at https://copergrine.com/legal/subprocessors per BAA §4.2.
(a) Cloud-infrastructure provider (compute, object storage, managed Postgres); (b) Payment processor for invoice payment; (c) Telephony and SMS provider for dispatch and pickup notifications; (d) Maps / geocoding / routing provider — limited to address strings and route polylines, with patient identifiers withheld where not required for delivery; (e) Independent contractor drivers, each subject to the workforce screening in §A.2.1 and the driver-code-of-conduct described therein.
Business Associate will not engage a subcontractor that creates, receives, maintains, or transmits PHI under this Exhibit A without a written agreement that imposes obligations at least as protective as the BAA, per BAA §4.1.
A.5.1 Dispatch attribution. When a phone-in order is recorded by Copergrine's voice agent or by an admin on a caller's behalf, Business Associate captures the caller's identifying information in the order's special-instructions field for traceability. Where the caller is not the Covered Entity (e.g., an in-network referring clinic), Business Associate treats the caller as authorized only to initiate the pickup; billing and PHI access remain with the named Covered Entity on the order.
A.5.2 Real-time tracking visibility. Covered Entity, through its authorized users in the client portal, may view live driver location and order status while a delivery is in transit. Such visibility ends on delivery completion; historical route data is accessible to Covered Entity for 12 months and is then archived under §A.3.
A.5.3 In-app messaging. Direct messages between Covered Entity's authorized users, dispatch, and the assigned driver are subject to the ePHI safeguards in BAA §3.1 and are retained 6 years from the message date.
By accepting the BAA together with this Exhibit A as part of the courier service signup or activation flow, Covered Entity binds itself to the additional courier-specific terms above. The Acceptance & Acknowledgment record captured at the time of clickwrap acceptance (signer name, signer email, IP address, document hash including this Exhibit, and timestamp) constitutes the written agreement contemplated by 45 CFR §164.504(e)(2).
This Acceptable Use Policy ("AUP") governs the use of the Copergrine Medical Courier service and Customer Portal by [Covered Entity legal name] ("Customer") and its Authorized Users. It supplements the Master Services Agreement ("MSA") and is binding on Customer and every Authorized User. Defined terms have the meanings in the MSA.
Customer and its Authorized Users shall not, and shall not permit any third party to:
- Use the Services in violation of any law, including the Controlled Substances Act and state PDMP rules; the Hazardous Materials Transportation Act (49 C.F.R.); HIPAA; anti-kickback laws (42 USC §1320a-7b); Stark Law; False Claims Act; AML/OFAC sanctions; or export-control laws.
- Tender for transport any controlled substance, hazardous material, dangerous good, lithium battery, dry ice, or biohazard without the required disclosure at scheduling and any applicable licensing or permitting.
- Tender any item Copergrine has notified Customer it will not carry (e.g., human organs intended for transplant, live animals, currency, firearms, explosives, radioactive material above background level).
- Impersonate any person or misrepresent professional credentials, package contents, pickup or drop-off authority.
- Attempt to access accounts, packages, or Customer Portal data belonging to other customers.
- Probe, scan, or test the vulnerability of the Customer Portal or Copergrine systems except under written authorization (responsible-disclosure policy at security@copergrine.com).
- Interfere with or disrupt the Customer Portal, including DDoS, credential stuffing, or rate-limit abuse.
- Upload or transmit malicious code, worms, viruses, ransomware, or similar.
- Process PHI handled by the Services for any purpose beyond what is permitted under the BAA, HIPAA Privacy Rule, or state medical-privacy laws.
- Re-identify de-identified or aggregated operational data Copergrine has provided.
- Use the Services to send unsolicited marketing through Customer-Portal messaging features (CAN-SPAM, TCPA, GDPR) or without required opt-in consent.
- Upload to the Customer Portal, or attach to a Job, content that is unlawful, infringing, defamatory, obscene, harassing, or that violates a third party's rights.
- Use the Services to store, transport, or distribute child sexual abuse material, terrorist content, or counterfeit medications.
- Disable, circumvent, or interfere with any Customer Portal usage limit, security control, billing control, or audit log.
- Resell, re-brand, or offer the Services as a managed courier service to a third party without Copergrine's prior written consent.
- Scrape, mirror, or bulk-export the Customer Portal other than via Copergrine-supported export endpoints.
- Schedule "dummy" or test pickups without notifying Copergrine, with the intent to occupy driver capacity.
- Repeatedly cancel scheduled pickups after dispatch in a manner designed to deprive other customers of driver capacity (Copergrine may impose a late-cancellation surcharge per the Pricing Catalog).
- Provide false pickup or drop-off contact information that causes a driver to make a futile trip; futile-attempt surcharges may apply.
Customer is solely responsible for the contents, packaging, declared value, and labeling of every package Customer tenders, and for ensuring that the recipient at the drop-off address is authorized to receive it. Copergrine is a transportation provider — it does not inspect package contents in the ordinary course and does not provide clinical, pharmacy, or laboratory services.
Customer shall report suspected AUP violations or security events to security@copergrine.com without undue delay and cooperate with investigation and remediation.
Copergrine may, with or without notice: (a) investigate suspected violations; (b) suspend or restrict offending workflows, users, or the Customer account; (c) refuse pickup of any particular Job; and (d) in cases of repeated, willful, or egregious violation, terminate the MSA per its terms. Copergrine will cooperate with law enforcement as required by law.
Copergrine may update this AUP with at least thirty (30) days' notice through the Customer Portal or by email to Customer's billing contact. Continued use after the effective date constitutes acceptance.