Acceptable Use Policy
Effective Date: March 26, 2026
Last Updated: March 26, 2026
This Acceptable Use Policy ("AUP") governs the use of the ClinicTitan platform and related services (the "Platform") provided by ClinicTitan, Inc. ("ClinicTitan," "we," "us," or "our"). This AUP is incorporated into and forms part of our Terms of Service.
All users of the Platform, including Tenant Operators, healthcare providers ("Providers"), staff ("Staff"), patients ("Patients"), and website visitors ("Website Visitors"), must comply with this AUP. Violations may result in suspension or termination of access.
1. General Obligations
You agree to:
Use the Platform only for lawful purposes and in accordance with these policies
Comply with all applicable federal, state, and local laws and regulations
Respect the rights and privacy of other users
Maintain the security and confidentiality of your account credentials
Report any suspected security incidents, vulnerabilities, or policy violations to ClinicTitan promptly
2. Prohibited Activities
2.1 Illegal and Harmful Conduct
You may not use the Platform to:
Violate any applicable law, regulation, or court order
Engage in, facilitate, or promote illegal activities
Transmit any content that is unlawful, threatening, abusive, harassing, defamatory, obscene, or otherwise objectionable
Engage in fraud, identity theft, or misrepresentation
Violate the intellectual property rights of any third party
Facilitate money laundering, terrorist financing, or other financial crimes
2.2 Healthcare-Specific Prohibitions
You may not use the Platform to:
Practice medicine without a license: Provide medical advice, diagnosis, or treatment without holding the required professional licenses in the applicable jurisdiction(s)
Corporate practice of medicine (CPOM) violations: Structure or operate clinical services in a manner that violates any applicable state prohibition on the corporate practice of medicine, including exercising control over clinical decision-making by unlicensed individuals or entities
Prescribing violations: Issue prescriptions without a valid provider-patient relationship established in compliance with applicable state law; prescribe without appropriate clinical evaluation; prescribe controlled substances in violation of the Ryan Haight Online Pharmacy Consumer Protection Act (21 U.S.C. 829(e)), DEA regulations (21 CFR Parts 1300-1321), or applicable state prescribing laws; or prescribe controlled substances via telemedicine without satisfying a recognized exception to the in-person examination requirement under the Ryan Haight Act
Off-label promotion: Promote medications or treatments for uses not approved by the FDA, or make claims about drug efficacy or safety that are false, misleading, or not supported by substantial evidence, in violation of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) or FTC Act (15 U.S.C. 45)
Prescription fraud: Submit false, misleading, or incomplete medical information for the purpose of obtaining prescriptions
Controlled substance diversion: Obtain, distribute, or facilitate the distribution of controlled substances through deception, misrepresentation, or other unlawful means, including operating or facilitating a "pill mill" or high-volume prescribing operation lacking legitimate clinical purpose
Unlicensed pharmacy operations: Dispense medications without the required pharmacy licenses, or facilitate dispensing by unlicensed entities
HIPAA violations: Access, use, or disclose protected health information (PHI) in violation of the Health Insurance Portability and Accountability Act (42 U.S.C. 1320d et seq.), the HITECH Act (42 U.S.C. 17931 et seq.), their implementing regulations (45 CFR Parts 160 and 164), or in a manner not authorized by the applicable Business Associate Agreement
Operate in prohibited categories: Offer services related to illegal substances, unapproved medical devices, products that violate LegitScript certification standards, or products or services that violate applicable payment network operating rules
Patient exploitation: Engage in predatory billing practices, balance billing in violation of the No Surprises Act (Pub. L. 116-260, Division BB, Title I) where applicable, unnecessary treatments, or other conduct that exploits patients
Fraudulent billing: Submit or cause the submission of false claims for reimbursement to any federal or state healthcare program in violation of the False Claims Act (31 U.S.C. 3729-3733), the Anti-Kickback Statute (42 U.S.C. 1320a-7b(b)), or the Stark Law (42 U.S.C. 1395nn)
2.3 Technology and Platform Security Violations
You may not:
Attempt to gain unauthorized access to any account, system, network, or data
Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Platform, except to the extent that such restriction is expressly prohibited by applicable law
Circumvent, disable, or interfere with security features, access controls, or digital rights management mechanisms
Probe, scan, or test the vulnerability of the Platform without prior written authorization from ClinicTitan (authorized vulnerability testing under our responsible disclosure program is excluded from this prohibition)
Introduce viruses, trojans, worms, logic bombs, malware, ransomware, or other harmful material
Engage in denial-of-service attacks or any activity that disrupts or degrades Platform performance
Use automated tools (bots, scrapers, crawlers, spiders) to access, index, or extract data from the Platform without written authorization
Abuse Platform APIs by exceeding documented rate limits, using APIs for purposes other than their intended function, or accessing APIs without valid authorization
Intercept or monitor communications not intended for you
Harvest, scrape, or systematically collect user information without authorization
Share, sell, sublicense, or transfer account credentials
Use the Platform to send unsolicited bulk communications (spam) or to conduct phishing attacks
2.4 Data Handling Violations
You may not:
Access PHI or personal data beyond what is necessary for your authorized role (violation of the minimum necessary standard)
Download, copy, or export PHI except as authorized by the applicable Tenant Operator and in accordance with HIPAA
Store PHI on unauthorized personal devices, cloud storage services, or email systems
Transmit PHI through unsecured channels (unencrypted email, text messages to personal phones, social media, etc.)
Use patient data for marketing, advertising, or any purpose not authorized by the patient and the applicable Tenant Operator
Sell or disclose patient information to third parties for any purpose not permitted by HIPAA
2.5 Content Standards
You may not upload, transmit, or store content that:
Contains false or misleading health claims
Promotes unproven or dangerous treatments without appropriate clinical evidence or regulatory authorization
Violates applicable advertising standards for healthcare services, including FTC guidelines on health-related marketing
Misrepresents the qualifications, credentials, or licensing status of any healthcare provider
Infringes any patent, trademark, copyright, or other intellectual property right
Contains personally identifiable information of others without their consent (outside of authorized clinical use)
3. Tenant Operator-Specific Obligations
Tenant Operators bear additional responsibilities:
3.1 Provider Oversight
Ensure all healthcare providers using the Platform are appropriately licensed, credentialed, and supervised
Verify that providers are licensed in each state where they deliver services
Maintain current provider information (NPI, DEA, state licenses) on the Platform
Promptly remove providers whose licenses are suspended, revoked, or restricted
3.2 Patient Safety
Establish and maintain clinical protocols for telehealth services
Implement emergency procedures for patients who present with urgent conditions during telehealth encounters
Ensure patients receive appropriate informed consent before telehealth services
Maintain procedures for referring patients to in-person care when telehealth is insufficient
3.3 Compliance Programs
Maintain a HIPAA compliance program appropriate to your practice
Conduct required HIPAA risk assessments
Train workforce members on privacy, security, and proper Platform use
Maintain records of workforce training
Designate a Privacy Officer and Security Officer as required by HIPAA
Report suspected breaches of PHI to ClinicTitan within 24 hours of discovery
3.4 Payment Compliance
Comply with all payment network rules and LegitScript requirements
Process charges and refunds accurately
Maintain transparent pricing for patients
Respond to payment disputes and chargebacks in a timely manner
4. Monitoring and Enforcement
4.1 Monitoring
ClinicTitan reserves the right, but does not assume the obligation, to monitor use of the Platform for compliance with this AUP. Monitoring may include review of audit logs, usage patterns, and content submitted to the Platform.
4.2 Investigation
ClinicTitan may investigate suspected violations of this AUP. You agree to cooperate with any investigation by providing requested information and access.
4.3 Enforcement Actions
If ClinicTitan determines that a violation of this AUP has occurred, we may take one or more of the following actions, in our sole discretion and proportionate to the severity of the violation:
Level 1 - Warning: For first-time or minor violations, ClinicTitan will issue a written warning identifying the violation and requiring corrective action within a specified timeframe.
Level 2 - Temporary Suspension: For repeated violations, failure to cure a warned violation, or violations that pose a risk to other users or data security, ClinicTitan may temporarily suspend the violating user's or Tenant Operator's access to the Platform pending investigation and resolution.
Level 3 - Permanent Termination: For severe violations, violations involving patient safety, violations of law, or repeated failures to cure, ClinicTitan may permanently terminate the violating user's account or the Tenant Operator's service agreement.
Additional Actions (any level): In addition to the graduated actions above, ClinicTitan may:
Remove or disable access to violating content
Report the violation to applicable law enforcement agencies, healthcare regulatory agencies (including HHS Office for Civil Rights), state licensing boards, the DEA, the FDA, or other authorities as required by law or as ClinicTitan deems appropriate
Pursue any other remedy available at law or in equity
4.4 Notice and Cure
Except where immediate action is necessary to protect the security or integrity of the Platform, to prevent imminent harm to patients or other users, or to comply with legal requirements, ClinicTitan will provide written notice before taking enforcement action and will offer a reasonable opportunity (not less than ten (10) business days for curable violations) to cure the violation. Violations involving unlicensed practice, controlled substance diversion, HIPAA breaches, or illegal conduct are not subject to a cure period and may result in immediate suspension and referral to appropriate authorities.
5. Reporting Violations
If you become aware of a violation of this AUP, please report it to:
ClinicTitan, Inc.
Email: support@clinictitan.com
Website: clinictitan.com/contact
Reports will be reviewed and addressed promptly. You may submit reports anonymously. ClinicTitan will use reasonable efforts to maintain the confidentiality of the reporter's identity, subject to legal obligations. Retaliation against individuals who report violations in good faith is prohibited and constitutes a separate violation of this AUP.
6. Changes to This Policy
ClinicTitan reserves the right to modify this AUP at any time. Material changes will be communicated with at least thirty (30) days' notice by posting the updated AUP on the Website and notifying Tenant Operators via email. Continued use of the Platform after the effective date of any changes constitutes acceptance of the revised AUP. Non-material changes (such as typographical corrections or formatting updates) may take effect immediately upon posting.
7. Contact Us
If you have questions about this Acceptable Use Policy, please contact us:
ClinicTitan, Inc.
Email: support@clinictitan.com
Website: clinictitan.com/contact