Refill HIPAA and BAA: what to confirm
Refill is telehealth infrastructure, and because placing orders and running Refill Connect patient portals involves patient information, HIPAA considerations apply across the platform. Refill states HIPAA compliance on refill.co and offers platform BAA and compliance tooling as part of its infrastructure pitch, but it does not publish its BAA template or the specifics of its administrative, physical, and technical safeguards on its public site. The right move is to request its HIPAA documentation and a signed BAA in writing before you transmit any protected health information, and this page lists exactly what to ask for.
This page explains why a BAA matters for telehealth infrastructure and what HIPAA terms to verify before you share PHI with Refill.
Why does a BAA matter for telehealth infrastructure like Refill?
A business associate agreement is the HIPAA contract that governs how a vendor handling protected health information on a covered entity's behalf must safeguard, use, and disclose that data. When a clinic places a compounded order or runs a Refill Connect patient portal, patient details flow through Refill's platform, which generally makes Refill a business associate. Orders also route to 503A partner pharmacies and may involve Refill's provider network, each of which may handle PHI in the chain. That is why a signed platform BAA, plus documented safeguards and clarity on subcontractor BAAs, is the baseline a clinic should require. Refill markets HIPAA compliance and platform BAA tooling, but it does not publish its BAA template or safeguard details publicly, so a clinic should obtain both directly before sending any PHI.
What to confirm about Refill and HIPAA
Each row is a HIPAA criterion, what is publicly known about Refill, and the document or commitment to request before sharing PHI.
Sourced from Refill public materials (refill.co) and Fizy Health compare research on Refill, reviewed June 2026. HIPAA terms should be confirmed in writing with Refill and reviewed by your own counsel.
Bundle compliance in infrastructure, or start with a BAA at onboarding?
Refill
You want compliance tooling and LegitScript concierge bundled with telehealth infrastructure.
- You will request the platform BAA and safeguard documentation during onboarding.
- You plan to use Refill Connect or the provider network and accept the broader PHI scope.
- Your compliance team is comfortable reviewing vendor terms case by case.
Fizy Health
You want a BAA signed at onboarding and PHI access scoped from day one.
- You want a clinic BAA executed at onboarding before you place an order.
- You want patient-linked cart actions audited per line with organization-scoped access.
- You want PHI access controls built into the product, not negotiated after the fact.
What HIPAA-aware ordering looks like in practice.
A strong HIPAA posture shows up as scoped access, audited actions, and a clear trail of who did what — not just a clause in a contract.
- Patient data scoped to the right team: patient records and cart lines stay organization-scoped, so only authorized users in your clinic see PHI.
- An audit trail on every order: per-line order status and history give compliance a defensible record of fulfillment across partners.
- Fewer paid orders rejected by the pharmacy: cart validation catches issues before payment, reducing the back-and-forth that scatters PHI across email.
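The three points above, as an added illustrative example rather than Fizy Health's or Refill's own code: cart lines are keyed on the owning clinic so a lookup from another organization is indistinguishable from a missing line, every read, validation and status change writes one audit event for that line, and validation rejects an incomplete line before it is submitted. The data model, the status lifecycle in TRANSITIONS, and the sample clinics, patients and SKUs are all constructed assumptions.

```python
"""Organization-scoped access to patient-linked cart lines, with one audit event per line action.

Added illustrative example, not Fizy Health's or Refill's code. The data model,
status transitions and the sample clinics/patients/SKUs are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str  # the clinic (tenant) this user acts for


@dataclass
class CartLine:
    line_id: str
    org_id: str      # owning clinic; every lookup is checked against this
    patient_id: str  # PHI: visible only inside org_id
    sku: str
    status: str = "draft"


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    actor: str
    actor_org: str
    line_id: str
    action: str
    outcome: str  # "ok" or "denied"
    detail: str = ""


class AccessDenied(Exception):
    pass


# Assumed per-line lifecycle; the page names only "status and history", not these states.
TRANSITIONS = {
    "draft": {"validated"},
    "validated": {"submitted"},
    "submitted": {"filled", "rejected"},
}


class CartStore:
    def __init__(self, lines):
        self._lines = {line.line_id: line for line in lines}
        self.audit: list[AuditEvent] = []

    def _record(self, user, line_id, action, outcome, detail=""):
        self.audit.append(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(), actor=user.user_id,
            actor_org=user.org_id, line_id=line_id, action=action,
            outcome=outcome, detail=detail))

    def _require(self, user, line_id, action):
        line = self._lines.get(line_id)
        # A line owned by another org is handled exactly like a missing one,
        # so a denial never confirms that another clinic's line exists.
        if line is None or line.org_id != user.org_id:
            self._record(user, line_id, action, "denied", "not found in caller org")
            raise AccessDenied(line_id)
        return line

    def get_line(self, user, line_id):
        line = self._require(user, line_id, "read")
        self._record(user, line_id, "read", "ok")
        return line

    def validate(self, user, line_id):
        # Pre-payment validation: an incomplete line is stopped here, not by the pharmacy.
        line = self._require(user, line_id, "validate")
        missing = [f for f in ("patient_id", "sku") if not getattr(line, f)]
        if missing:
            self._record(user, line_id, "validate", "denied", "missing " + ",".join(missing))
            return False
        return self.advance(user, line_id, "validated")

    def advance(self, user, line_id, new_status):
        line = self._require(user, line_id, "status")
        action = f"status {line.status}->{new_status}"
        if new_status not in TRANSITIONS.get(line.status, set()):
            self._record(user, line_id, action, "denied", "invalid transition")
            return False
        self._record(user, line_id, action, "ok")
        line.status = new_status
        return True

    def history(self, user, line_id):
        # Per-line history is itself org-scoped: a clinic sees only its own users' events.
        return [e for e in self.audit if e.line_id == line_id and e.actor_org == user.org_id]


# Constructed sample users and lines (two clinics, one line missing its patient link).
ALICE = User("alice", "clinic-a")
BOB = User("bob", "clinic-b")


def build_demo_store():
    return CartStore([
        CartLine("L-1", "clinic-a", "P-100", "SKU-SEMA-2.5"),
        CartLine("L-2", "clinic-b", "P-200", "SKU-TRT-200"),
        CartLine("L-3", "clinic-a", "", "SKU-B12"),
    ])


def run_demo():
    store = build_demo_store()
    out = {"alice_reads_own": store.get_line(ALICE, "L-1").patient_id}
    try:
        store.get_line(BOB, "L-1")            # cross-org read
        out["bob_reads_clinic_a"] = "allowed"
    except AccessDenied:
        out["bob_reads_clinic_a"] = "denied"
    out["validate_ok"] = store.validate(ALICE, "L-1")
    out["validate_incomplete"] = store.validate(ALICE, "L-3")
    out["skip_to_filled"] = store.advance(ALICE, "L-1", "filled")  # validated->filled not allowed
    out["submit"] = store.advance(ALICE, "L-1", "submitted")
    out["l1_status"] = store.get_line(ALICE, "L-1").status
    out["l1_history"] = [(e.actor, e.action, e.outcome) for e in store.history(ALICE, "L-1")]
    out["denied_events"] = [(e.actor, e.line_id) for e in store.audit if e.outcome == "denied"]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Bob's denied read of L-1 is recorded in the audit log for clinic-b's actor but never appears in clinic-a's per-line history, and the denied "validated->filled" jump is kept as evidence alongside the successful transitions, which is the defensible per-line record the list above describes.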
What clinics ask about Refill and HIPAA.
- Definition
Is Refill HIPAA-compliant?
Refill states HIPAA compliance on refill.co and offers platform BAA and compliance tooling, but it does not publish its safeguards or a BAA template publicly. Confirm its HIPAA posture and obtain a signed business associate agreement in writing before transmitting protected health information.
- BAA
Does Refill provide a business associate agreement?
Refill offers platform BAA as part of its telehealth infrastructure positioning, but does not publish a BAA template on refill.co. Because ordering and Refill Connect involve patient information, request a signed BAA before sharing PHI and have your counsel review the terms.
- Why
Why does telehealth infrastructure need a BAA?
A BAA is the HIPAA contract required when a vendor handles protected health information on a covered entity's behalf. Placing compounded orders and running patient portals routes patient details through Refill, which generally makes it a business associate, so a BAA is the baseline.
- Connect
Does Refill Connect change HIPAA scope?
Refill Connect adds a white-label patient portal with assessments and billing, which expands the PHI surfaces beyond clinic-side ordering alone. Ask how Refill Connect data is covered under the BAA, who can access it, and how it is logged.
- Partners
How is patient data shared with pharmacies and providers?
Orders route to 503A partner pharmacies and may involve Refill's provider network, each of which receives patient information to deliver care and fill prescriptions. HIPAA requires a business associate to hold its own BAAs with subcontractors that create, receive, maintain, or transmit PHI on its behalf, so ask how PHI is transmitted to each party and request written confirmation that those subcontractor business associate agreements are in place.
- Alternative
How does Fizy Health handle HIPAA and BAAs?
Fizy Health signs a clinic BAA at onboarding, keeps patient records organization-scoped, and audits patient-linked cart actions per line. PHI access controls are built into the product rather than negotiated after signing.
Sources reviewed June 2026
- Refill public website (refill.co), reviewed June 2026.
- HIPAA terms and any BAA should be confirmed in writing with Refill and reviewed by your own counsel.
- Fizy Health platform capabilities reflect the live product.
Start with a BAA at onboarding — not after a contract fight.
Fizy Health signs a clinic BAA before your first order and keeps patient access audited and scoped. Free to start.