ChatMD & ChatRx Privacy Policy

ChatRx Privacy Policy 

Effective Date: 9-6-2025

This Privacy Policy explains how ChatRx (“ChatRx,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with our websites, applications, and services. We operate as a HIPAA-covered entity (and/or business associate for certain functions) when handling Protected Health Information (PHI). 

If you do not agree with this Policy, please do not use ChatRx. 

1) Information We Collect 

    A. Identity & Contact — Name, date of birth, address, email, phone; account credentials; emergency contact (if provided).
    B. Health/Clinical (PHI) — Medical history, symptoms, medications, allergies, prior conditions, clinical questionnaires, chat transcripts, images/uploads; clinician notes, diagnoses, orders, and prescriptions once you consent to care.
    C. Verification & Guardian (handled by our identity vendor) — Identity/age/guardian verification artifacts (e.g., government ID images, liveness checks, relationship attestations) are collected, stored, and secured by our third-party identity verification provider, Persona, on ChatRx’s behalf. ChatRx does not store copies of these artifacts in its own systems. We receive only the verification outcome (e.g., pass/fail/flags), timestamps, and limited metadata needed for fraud prevention, compliance, and audit trails. 
    D. Location — IP-derived coarse location and, if you choose to share it, device/GPS location or typed attestation, used to confirm your presence in a serviceable state at the time of care. 
    E. Pharmacy & Treatment Logistics — Preferred pharmacy, prescription routing metadata, pick-up/delivery preferences, and fulfillment status information returned by networks or pharmacies. 
    F. Payments — Billing address and payment tokens from our PCI-DSS compliant processor (we do not store full card numbers). ChatRx is cash-pay only; we do not submit insurance claims. 
    G. Device, Usage & Cookies — Device identifiers, browser type, app version, pages/screens viewed, timestamps, and diagnostic logs; essential cookies; optional analytics (see Section 6). 
    H. Safety/QMS — Quality and safety data (e.g., audit logs, stewardship metrics, post-market surveillance, incident reports) required to operate an FDA-regulated software medical device and uphold clinical quality. 

2) How We Use Information 

We use information to: 

    A. Operate Gates 1–6. Gate 2 (store-and-forward) triage and case prep using governed clinical content and AI-assisted workflows (no diagnosis at Gate 2). Gates 3–6 verify identity/guardian and location, establish the provider-patient relationship upon your Telehealth Treatment Consent, enable clinician review/authorization, and route prescriptions/notes. 
    B. Provide Care & Support. Consultations, diagnosis/treatment where appropriate, follow-up messages, and care coordination (including pharmacies). 
    C. Security, Fraud & Abuse Prevention. Detect and prevent misuse, duplicate/contradictory encounters, or attempts to obtain contraindicated medications. 
    D. Quality Improvement, Safety & Stewardship. De-identified/aggregated analytics to improve protocols, measure outcomes, and publish antibiotic stewardship and safety metrics (see Section 5.A for your opt-out). 
    E. Regulatory & Legal Compliance. HIPAA/HITECH, medical recordkeeping, audits, FDA post-market surveillance, and other applicable laws. 
    F. Communications. In-app, email, and SMS about verification, visit status, pharmacy routing, and follow-up. You can choose to limit messages to essential only (see Section 5.B); required transactional/safety notices will still be sent. 
    G. Research & Development. We may use de-identified/aggregated data to enhance service features and internal models. We do not allow vendors to use your PHI to train general-purpose AI models. If any activity would require your HIPAA authorization, we will seek it first. 

3) How We Disclose Information 

  • Healthcare Providers & Pharmacies for treatment and fulfillment. 
  • E-Prescribing & Clinical Networks (e.g., DoseSpot/Surescripts) and other services necessary for your care. 
  • Vendors/Business Associates under BAAs or equivalent protections (cloud hosting, messaging, identity verification, limited non-PHI analytics). 
  • Legal/Regulatory obligations (e.g., subpoenas, audits, reportable safety events). 
  • De-identified Data for quality, safety, and stewardship reporting. 
  • No Sale of PHI. We do not sell PHI and do not use PHI for targeted advertising. 
  • Identity Verification Provider (Persona): Persona collects and stores identity/guardian artifacts for verification. ChatRx receives the verification result and limited metadata; we do not store the underlying ID images or liveness recordings. 

4) Your Rights (HIPAA & State) 

When we maintain your information as PHI, you have HIPAA rights to access, request amendment, receive an accounting of disclosures, request restrictions, request confidential communications, and file a complaint with us or HHS OCR without retaliation. 
For non-PHI personal data covered by certain U.S. state laws (e.g., CA/CO/CT/UT/VA), you may have additional rights (access, deletion, correction, portability, opt-out of certain sharing). See Section 12. 

Contact privacy@chatrx.net to exercise rights. We respond within timeframes set by applicable law. 

5) Your Choices & Controls 

    A. De-Identified Analytics/Stewardship Opt-Out (does not affect care)
    You may choose to exclude your de-identified data from analytics and stewardship reports:
  • Toggle in Settings → Privacy: “Exclude my de-identified data from analytics/stewardship reports (does not affect care).” 

This opt-out does not apply to legally required reporting or to safety/quality activities that cannot be de-identified. It also does not stop operational processing of your identifiable data for your own care. 

    B. Communications Preference: Essential-Only
    You may choose to limit communications to essential messages only:
  • Toggle in Settings → Notifications: “Limit communications to essential messages only.” 
  • You will still receive required transactional/safety notices (e.g., verification, visit status, pharmacy routing, legal notices). Marketing, surveys, tips, and product announcements will be minimized. 
    C. Verification Artifacts
  • To request access to or deletion of verification artifacts held by Persona, contact privacy@chatrx.net; we will coordinate your request with Persona and confirm the outcome consistent with applicable law. 

You can change either preference at any time. Changes may take one billing/processing cycle to propagate across all systems. 

6) Cookies & Analytics 

We use essential cookies for authentication, security, and session continuity, and may use optional analytics (aggregated) to improve performance. We do not place PHI in URLs or analytics events. You can manage cookies via your browser or in-product controls where available. Some features may not function without essential cookies. 

7) Data Retention 

We retain medical records for the longer of our internal policy or the period required by applicable law (often 7–10 years after your last encounter; for minors, until age of majority + 7 years). Non-clinical logs are kept for shorter periods aligned to security and compliance. Verification artifacts (e.g., government ID images, liveness recordings) are retained by Persona under its retention schedule and legal obligations. ChatRx retains only the verification outcome and minimal metadata for as long as necessary to provide services, prevent fraud, and comply with law. 

8) Security 

We employ administrative, physical, and technical safeguards, including encryption in transit and at rest, least-privilege access controls, audit logging, vulnerability management, and workforce training. If a breach of unsecured PHI occurs, we will provide HIPAA-compliant notifications. Verification artifacts remain within Persona’s secured environment under contractual and legal protections (e.g., HIPAA BAA or equivalent, as applicable). ChatRx enforces role-based access to verification outcomes only and does not store the underlying documents in ChatRx systems. 

9) Children & Minors 

Minors may use ChatRx only with the consent and participation of a parent/guardian where required by law. We collect guardian verification artifacts when applicable and link minor records to guardian contacts as permitted. 

10) Payments 

ChatRx is cash-pay only. Payments are processed by third-party processors that are PCI-DSS compliant. We do not store full card numbers. 

11) Cross-Border Transfers 

ChatRx primarily processes and stores information in the United States. If vendors access data from other countries, they do so under contractual/legal protections consistent with HIPAA and applicable law. 

12) State Privacy Notice (U.S.) 

For residents of CA, CO, CT, UT, and VA, state laws may provide additional rights regarding non-PHI personal information. ChatRx does not sell personal information or share it for cross-context behavioral advertising. To exercise state-law rights, contact privacy@chatrx.net. Mailing address available upon request.