RufusRx

Privacy Policy

Last Updated: February 4, 2025

Summary: RufusRx is committed to protecting your privacy and complying with HIPAA regulations. We collect only the information necessary to provide our services, we never sell your data, and we implement industry-standard security measures to protect all information in our care.

1. Introduction

RufusRx ("Company," "we," "us," or "our") operates the RufusRx prescription refill workflow automation platform. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website, applications, and services (collectively, the "Services").

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, phone number, practice name, and EHR system when you sign up for our waitlist or create an account.
  • Practice Information: Information about your medical practice, including number of providers, specialty, and workflow preferences.
  • Communications: Information you provide when you contact us for support, provide feedback, or otherwise communicate with us.

2.2 Protected Health Information (PHI)

When providing our Services to healthcare providers, we may process Protected Health Information (PHI) as defined under HIPAA. This includes:

  • Patient names and identifiers
  • Prescription and medication information
  • Treatment and visit history relevant to refill decisions
  • Lab results and clinical data necessary for rule evaluation

Important: RufusRx acts as a Business Associate under HIPAA. We process PHI only as directed by the healthcare provider (the Covered Entity) and in accordance with our Business Associate Agreement (BAA). We do not use PHI for marketing, sell PHI to third parties, or access PHI except as necessary to provide the Services.

2.3 Automatically Collected Information

  • Usage Data: Information about how you interact with our Services, including features used, actions taken, and time spent.
  • Device Information: Browser type, operating system, device identifiers, and IP address.
  • Log Data: Server logs that record requests made to our servers, including timestamps, referral URLs, and error reports.

3. How We Use Your Information

We use collected information for the following purposes:

  • Provide Services: To operate, maintain, and deliver the features and functionality of RufusRx.
  • Process Refill Requests: To evaluate prescription refill requests against physician-defined protocols (PHI processing).
  • Communicate: To send service-related communications, respond to inquiries, and provide customer support.
  • Improve Services: To analyze usage patterns, diagnose technical issues, and enhance our platform.
  • Security: To detect, prevent, and respond to security incidents, fraud, and abuse.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do not sell your personal information or PHI. We may share information only in the following circumstances:

  • Service Providers: With vendors who assist in operating our Services (e.g., cloud hosting, analytics), bound by confidentiality obligations and, where applicable, BAAs.
  • EHR Integration: With your Electronic Health Record system to retrieve and transmit data necessary for the Services, as authorized by you.
  • Legal Requirements: When required by law, subpoena, court order, or government request.
  • Safety and Rights: To protect the safety, rights, or property of RufusRx, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections.
  • With Consent: With your explicit consent for purposes not described in this Policy.

5. HIPAA Compliance

RufusRx is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. Our compliance measures include:

  • Business Associate Agreements: We execute BAAs with all healthcare provider customers before processing PHI.
  • Administrative Safeguards: Workforce training, access controls, and security policies.
  • Physical Safeguards: Secure data center facilities with appropriate access controls.
  • Technical Safeguards: Encryption in transit and at rest, access logging, automatic session timeouts, and multi-factor authentication.
  • Breach Notification: Procedures to detect, report, and respond to security incidents in compliance with HIPAA requirements.

6. Data Security

We implement industry-standard security measures to protect your information:

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest
  • Regular security assessments and penetration testing
  • Role-based access controls
  • Audit logging of all system access and PHI interactions
  • Secure software development practices
  • Employee background checks and security training

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain information as follows:

  • Account Information: For as long as your account is active and for a reasonable period thereafter for legal and business purposes.
  • PHI: As directed by the healthcare provider and in accordance with HIPAA requirements. Healthcare providers control PHI retention; we delete PHI upon termination of services as specified in the BAA.
  • Audit Logs: For a minimum of six (6) years as required by HIPAA.
  • Waitlist Information: Until you request removal or become a customer.

8. Your Rights and Choices

8.1 Account Information

You may update or correct your account information by contacting us. You may request deletion of your account, subject to our legal retention requirements.

8.2 PHI Rights

Patients seeking to exercise their HIPAA rights (access, amendment, accounting of disclosures) should contact their healthcare provider directly. RufusRx will assist healthcare providers in responding to such requests as required by our BAA.

8.3 Marketing Communications

You may opt out of marketing emails by clicking "unsubscribe" in any marketing message or by contacting us. Service-related communications are not subject to opt-out.

8.4 California Residents

California residents have additional rights under the CCPA, including the right to know, delete, and opt-out of sales (we do not sell personal information). To exercise these rights, contact us at the information below.

9. Third-Party Links and Services

Our Services may contain links to third-party websites or integrate with third-party services (e.g., EHR systems). This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies.

10. Children's Privacy

Our Services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

11. International Users

RufusRx is operated in the United States. If you access our Services from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data protection laws than your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on our website with a new "Last Updated" date and, where required, by email. Your continued use of the Services after changes constitutes acceptance of the updated Policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

RufusRx
Email: [email protected]
General Inquiries: [email protected]

For HIPAA-related inquiries or to report a potential security incident, please contact us immediately at