Acceptable Use Policy

This Acceptable Use Policy (“AUP”) governs your use of the MediChatApp platform and services (the “Services”). It applies to all users, including practice staff, contractors, and administrators. Capitalized terms have the meaning given in the Master Services Agreement (“MSA”). Where Protected Health Information (“PHI”) is processed, the Business Associate Addendum (BAA) also applies. Violations may result in suspension or termination as described below.

1) Core Principles

Compliance-first: Use the Services in accordance with applicable law (e.g., HIPAA, TCPA, CAN-SPAM, state privacy laws).
Minimum necessary: Share only what is needed for treatment, payment, or operations; avoid unnecessary PHI in open channels.
Security-by-default: Protect credentials, enable MFA where available, and use only approved, encrypted channels.
Patient respect: Honor consent, opt-outs, quiet hours, and content sensitivities in all communications.

2) Prohibited Uses

Illegal, harmful, or deceptive content: Anything unlawful, abusive, harassing, defamatory, or misleading.
Security abuse: Attempting to bypass authentication, probe or scan systems, inject code, or disrupt availability (DoS, spam, malware).
PHI mishandling: Storing or transmitting PHI outside approved, encrypted Services; exporting PHI to personal apps/devices.
Account sharing: Sharing logins or using generic accounts without attribution; impersonation of another user or patient.
Data scraping or resale: Unauthorized collection, mining, or resale of platform data, including patient and metadata.
Third-party policy violations: Using SMS/email/voice in ways that violate carrier, gateway, or anti-spam rules.

3) Messaging Rules (SMS, Email, In-App)

Consent & identification: Obtain appropriate consent and clearly identify your practice in outreach; honor STOP/opt-out immediately.
Quiet hours & frequency: Respect configurable quiet hours and avoid excessive frequency; use campaigns and throttles responsibly.
Content limits: No promotional claims inconsistent with medical guidance; avoid sensitive details in open-text SMS when unnecessary.
Templates & logs: Use approved templates; retain required audit logs. Do not delete or tamper with records.

4) API, Automations, and Integrations

Keys & scopes: Keep API keys secret, rotate regularly, and use least-privilege scopes. Do not embed secrets in client-side code.
Rate limits: Observe published limits and backoff guidance. Automated high-volume actions require prior approval.
Data flows: Do not push PHI into non-HIPAA systems. Validate destinations have a BAA (or equivalent) in place.
Event hooks: Handle webhooks securely (TLS, signature validation, replay protection). No long-running/blocking handlers.

5) Security & Access Controls

Least privilege: Grant users only the roles needed. Review access periodically; remove stale accounts promptly.
Device hygiene: Use updated OS/browsers; enable full-disk encryption on devices that access PHI.
Safe uploads: Only upload necessary files; do not upload executables or malicious payloads. Scanning may be enforced.
Incident reporting: Report suspected compromise immediately via the channels below; do not attempt self-remediation that risks further exposure.

6) Content Standards & Fair Use

Accuracy & respect: Keep communications factual, respectful, and appropriate for a clinical setting.
Intellectual property: Do not upload or distribute content you do not have rights to use.
Storage usage: Follow reasonable storage and retention limits. See our Data Retention & Deletion Policy.
Testing in production: Do not test bulk messaging or automation with real patients without authorization and guardrails.

7) Enforcement & Remediation

We may investigate suspected violations and may remove content, throttle features, suspend access, or terminate Services to protect patients, customers, and the platform. For severe or repeated violations, we may notify carriers, gateways, or authorities where required. Appeals and corrective action plans may be available at our discretion under the MSA.

8) Changes & Contact

We may update this AUP to reflect legal, security, and platform changes. Material updates will be communicated when feasible.

Report a Concern or Violation

Security & Compliance

Email: [email protected]

General Legal Inquiries

Legal

Email: [email protected]

Need clarification on a specific workflow?

We’ll help you configure compliant messaging, automations, and access controls.

Talk to Compliance